@opendatalabs/service-auth 1.0.0-next.1

package/dist/registration/manifest.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Manifest loading + Hydra-shape translation.
+ *
+ * `loadManifest(path)` reads a YAML file from disk and runs it
+ * through the zod schema; `manifestToHydraClient(manifest)` returns
+ * the body shape Hydra v2.x accepts at
+ * `POST /admin/clients` / `PUT /admin/clients/{id}`.
+ *
+ * Hydra v2.x mapping
+ * ------------------
+ *
+ *   client_id: <hydra_client_id>
+ *   client_name: <service_id>
+ *   token_endpoint_auth_method: private_key_jwt
+ *   jwks_uri: <jwks_uri>
+ *   grant_types: <grant_types>
+ *   audience: <allowed_audiences>
+ *   scope: <allowed_scopes joined by space>
+ *   access_token_strategy: jwt
+ *   metadata: { owner_team, key_rotation_policy }
+ *
+ * `access_token_strategy` is the per-client knob Hydra v2.x exposes
+ * (server-wide default of `opaque` is overridden here). See Hydra docs
+ * referenced in package README.
+ */
+import { serviceAuthManifestSchema, type ServiceAuthManifest } from "./schema";
+export type { ServiceAuthManifest };
+export { serviceAuthManifestSchema };
+export declare class ManifestValidationError extends Error {
+    readonly path: string;
+    readonly issues: Array<{
+        path: string;
+        message: string;
+    }>;
+    constructor(path: string, issues: Array<{
+        path: string;
+        message: string;
+    }>);
+}
+export declare function parseManifestText(text: string, sourcePath?: string): ServiceAuthManifest;
+export declare function loadManifest(filePath: string): Promise<ServiceAuthManifest>;
+/**
+ * Hydra v2.x OAuth2 client body. We don't import the @ory/client SDK
+ * to keep this package zero-runtime-dep on Ory tooling; the shape is
+ * a stable HTTP contract.
+ */
+export interface HydraClientBody {
+    client_id: string;
+    client_name: string;
+    token_endpoint_auth_method: "private_key_jwt";
+    jwks_uri: string;
+    grant_types: string[];
+    audience: string[];
+    scope: string;
+    access_token_strategy: "jwt";
+    metadata: Record<string, unknown>;
+}
+export declare function manifestToHydraClient(manifest: ServiceAuthManifest): HydraClientBody;
+/**
+ * Diff a desired client body against an existing one. Returns the
+ * subset of keys whose values changed; empty object means "no-op".
+ *
+ * Comparison is JSON-value equality with array order-sensitivity
+ * preserved (Hydra returns arrays in registration order).
+ */
+export declare function diffHydraClient(desired: HydraClientBody, existing: Partial<HydraClientBody> | null): Record<string, {
+    from: unknown;
+    to: unknown;
+}>;
+//# sourceMappingURL=manifest.d.ts.map

package/dist/registration/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../../src/registration/manifest.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAIH,OAAO,EACL,yBAAyB,EACzB,KAAK,mBAAmB,EACzB,MAAM,UAAU,CAAC;AAElB,YAAY,EAAE,mBAAmB,EAAE,CAAC;AACpC,OAAO,EAAE,yBAAyB,EAAE,CAAC;AAErC,qBAAa,uBAAwB,SAAQ,KAAK;IAChD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;gBAC9C,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAU3E;AAED,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,MAAM,EACZ,UAAU,SAAa,GACtB,mBAAmB,CAwBrB;AAED,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,mBAAmB,CAAC,CAG9B;AAED;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,0BAA0B,EAAE,iBAAiB,CAAC;IAC9C,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,qBAAqB,EAAE,KAAK,CAAC;IAC7B,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,mBAAmB,GAC5B,eAAe,CAgBjB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,eAAe,EACxB,QAAQ,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG,IAAI,GACxC,MAAM,CAAC,MAAM,EAAE;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,EAAE,EAAE,OAAO,CAAA;CAAE,CAAC,CAchD"}

package/dist/registration/manifest.js

@@ -0,0 +1,105 @@
+/**
+ * Manifest loading + Hydra-shape translation.
+ *
+ * `loadManifest(path)` reads a YAML file from disk and runs it
+ * through the zod schema; `manifestToHydraClient(manifest)` returns
+ * the body shape Hydra v2.x accepts at
+ * `POST /admin/clients` / `PUT /admin/clients/{id}`.
+ *
+ * Hydra v2.x mapping
+ * ------------------
+ *
+ *   client_id: <hydra_client_id>
+ *   client_name: <service_id>
+ *   token_endpoint_auth_method: private_key_jwt
+ *   jwks_uri: <jwks_uri>
+ *   grant_types: <grant_types>
+ *   audience: <allowed_audiences>
+ *   scope: <allowed_scopes joined by space>
+ *   access_token_strategy: jwt
+ *   metadata: { owner_team, key_rotation_policy }
+ *
+ * `access_token_strategy` is the per-client knob Hydra v2.x exposes
+ * (server-wide default of `opaque` is overridden here). See Hydra docs
+ * referenced in package README.
+ */
+import { readFile } from "node:fs/promises";
+import { parse as parseYaml } from "yaml";
+import { serviceAuthManifestSchema, } from "./schema";
+export { serviceAuthManifestSchema };
+export class ManifestValidationError extends Error {
+    path;
+    issues;
+    constructor(path, issues) {
+        super(`service-auth: manifest ${path} failed validation: ${issues
+            .map((i) => `${i.path}: ${i.message}`)
+            .join("; ")}`);
+        this.name = "ManifestValidationError";
+        this.path = path;
+        this.issues = issues;
+    }
+}
+export function parseManifestText(text, sourcePath = "<inline>") {
+    let raw;
+    try {
+        raw = parseYaml(text);
+    }
+    catch (err) {
+        throw new ManifestValidationError(sourcePath, [
+            {
+                path: "<root>",
+                message: err instanceof Error ? err.message : "yaml parse failed",
+            },
+        ]);
+    }
+    const parsed = serviceAuthManifestSchema.safeParse(raw);
+    if (!parsed.success) {
+        throw new ManifestValidationError(sourcePath, parsed.error.issues.map((i) => ({
+            path: i.path.join(".") || "<root>",
+            message: i.message,
+        })));
+    }
+    return parsed.data;
+}
+export async function loadManifest(filePath) {
+    const text = await readFile(filePath, "utf8");
+    return parseManifestText(text, filePath);
+}
+export function manifestToHydraClient(manifest) {
+    return {
+        client_id: manifest.hydra_client_id,
+        client_name: manifest.service_id,
+        token_endpoint_auth_method: "private_key_jwt",
+        jwks_uri: manifest.jwks_uri,
+        grant_types: [...manifest.grant_types],
+        audience: [...manifest.allowed_audiences],
+        scope: manifest.allowed_scopes.join(" "),
+        access_token_strategy: "jwt",
+        metadata: {
+            owner_team: manifest.owner_team,
+            key_rotation_policy: manifest.key_rotation_policy,
+            service_id: manifest.service_id,
+        },
+    };
+}
+/**
+ * Diff a desired client body against an existing one. Returns the
+ * subset of keys whose values changed; empty object means "no-op".
+ *
+ * Comparison is JSON-value equality with array order-sensitivity
+ * preserved (Hydra returns arrays in registration order).
+ */
+export function diffHydraClient(desired, existing) {
+    if (!existing) {
+        return Object.fromEntries(Object.entries(desired).map(([k, v]) => [k, { from: undefined, to: v }]));
+    }
+    const out = {};
+    for (const [key, want] of Object.entries(desired)) {
+        const have = existing[key];
+        if (JSON.stringify(have) !== JSON.stringify(want)) {
+            out[key] = { from: have, to: want };
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=manifest.js.map

package/dist/registration/manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../../src/registration/manifest.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAC1C,OAAO,EACL,yBAAyB,GAE1B,MAAM,UAAU,CAAC;AAGlB,OAAO,EAAE,yBAAyB,EAAE,CAAC;AAErC,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IACvC,IAAI,CAAS;IACb,MAAM,CAA2C;IAC1D,YAAY,IAAY,EAAE,MAAgD;QACxE,KAAK,CACH,0BAA0B,IAAI,uBAAuB,MAAM;aACxD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aACrC,IAAI,CAAC,IAAI,CAAC,EAAE,CAChB,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;QACtC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAC/B,IAAY,EACZ,UAAU,GAAG,UAAU;IAEvB,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IACxB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,uBAAuB,CAAC,UAAU,EAAE;YAC5C;gBACE,IAAI,EAAE,QAAQ;gBACd,OAAO,EACL,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB;aAC3D;SACF,CAAC,CAAC;IACL,CAAC;IACD,MAAM,MAAM,GAAG,yBAAyB,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IACxD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,uBAAuB,CAC/B,UAAU,EACV,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC9B,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ;YAClC,OAAO,EAAE,CAAC,CAAC,OAAO;SACnB,CAAC,CAAC,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB;IAEhB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC9C,OAAO,iBAAiB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAmBD,MAAM,UAAU,qBAAqB,CACnC,QAA6B;IAE7B,OAAO;QACL,SAAS,EAAE,QAAQ,CAAC,eAAe;QACnC,WAAW,EAAE,QAAQ,CAAC,UAAU;QAChC,0BAA0B,EAAE,iBAAiB;QAC7C,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,WAAW,EAAE,CAAC,GAAG,QAAQ,CAAC,WAAW,CAAC;QACtC,QAAQ,EAAE,CAAC,GAAG,QAAQ,CAAC,iBAAiB,CAAC;QACzC,KAAK,EAAE,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC;QACxC,qBAAqB,EAAE,KAAK;QAC5B,QAAQ,EAAE;YACR,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,mBAAmB,EAAE,QAAQ,CAAC,mBAAmB;YACjD,UAAU,EAAE,QAAQ,CAAC,UAAU;SAChC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAC7B,OAAwB,EACxB,QAAyC;IAEzC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CACzE,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAmD,EAAE,CAAC;IAC/D,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,GAAI,QAAoC,CAAC,GAAG,CAAC,CAAC;QACxD,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;YAClD,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtC,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/registration/provision.d.ts

@@ -0,0 +1,68 @@
+/**
+ * Hydra-client provisioning. INTERNAL Vana package.
+ *
+ * Takes a parsed manifest and reconciles it against a Hydra admin API:
+ *
+ *   1. GET /admin/clients/{client_id}
+ *      -> 404: create via POST /admin/clients
+ *      -> 200: PUT /admin/clients/{client_id} with the full desired
+ *              body (Hydra v2.x semantics: PUT replaces).
+ *   2. Logs the planned diff before any write.
+ *   3. Returns the resulting client config.
+ *
+ * `dryRun: true` performs steps 1 and 2 only.
+ *
+ * Auth
+ * ----
+ *
+ * The caller passes a `fetch` and (for the prod Hydra admin behind
+ * Cloud IAP) an `authHeaderFor(audience)` async hook. The hook
+ * returns the `Authorization` header value (e.g. `"Bearer <ID
+ * token>"`); a local Hydra in dev returns `null` and no header is
+ * sent. We do NOT import Account's `hydra-admin.ts` directly here
+ * because this package must not depend on apps/*.
+ */
+import { type HydraClientBody, type ServiceAuthManifest } from "./manifest";
+export type ProvisionFetch = (input: string, init?: RequestInit) => Promise<Response>;
+export interface ProvisionOptions {
+    /** Hydra admin base URL, e.g. `https://oauth-admin-dev.vana.org`. */
+    adminUrl: string;
+    /**
+     * Audience to mint an auth header for (Cloud IAP id-token aud, or
+     * the admin URL itself). Same value Account's hydra-admin.ts uses.
+     */
+    adminAudience: string;
+    /**
+     * Returns the value of the `Authorization` header for an outbound
+     * admin request, or null/undefined to send no header (local dev).
+     * Typically wraps `fetchGoogleIdTokenForAudience` from Account.
+     */
+    authHeaderFor?: (audience: string) => Promise<string | null | undefined> | string | null | undefined;
+    /** Test/dev seam. */
+    fetch?: ProvisionFetch;
+    /**
+     * Sink for human-readable plan output. Defaults to console.log; tests
+     * pass an array.push.
+     */
+    log?: (line: string) => void;
+    /** If true, skip writes. */
+    dryRun?: boolean;
+}
+export type ProvisionAction = "create" | "update" | "noop";
+export interface ProvisionResult {
+    action: ProvisionAction;
+    client: HydraClientBody;
+    diff: Record<string, {
+        from: unknown;
+        to: unknown;
+    }>;
+    dryRun: boolean;
+}
+declare class HydraAdminApiError extends Error {
+    readonly status: number;
+    readonly body: unknown;
+    constructor(status: number, body: unknown, hint: string);
+}
+export declare function provisionServiceClient(manifest: ServiceAuthManifest, options: ProvisionOptions): Promise<ProvisionResult>;
+export { HydraAdminApiError };
+//# sourceMappingURL=provision.d.ts.map

package/dist/registration/provision.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provision.d.ts","sourceRoot":"","sources":["../../src/registration/provision.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAEL,KAAK,eAAe,EAEpB,KAAK,mBAAmB,EACzB,MAAM,YAAY,CAAC;AAEpB,MAAM,MAAM,cAAc,GAAG,CAC3B,KAAK,EAAE,MAAM,EACb,IAAI,CAAC,EAAE,WAAW,KACf,OAAO,CAAC,QAAQ,CAAC,CAAC;AAEvB,MAAM,WAAW,gBAAgB;IAC/B,qEAAqE;IACrE,QAAQ,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,aAAa,CAAC,EAAE,CACd,QAAQ,EAAE,MAAM,KACb,OAAO,CAAC,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;IACpE,qBAAqB;IACrB,KAAK,CAAC,EAAE,cAAc,CAAC;IACvB;;;OAGG;IACH,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,4BAA4B;IAC5B,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,QAAQ,GAAG,MAAM,CAAC;AAE3D,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,eAAe,CAAC;IACxB,MAAM,EAAE,eAAe,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,OAAO,CAAC;QAAC,EAAE,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IACrD,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,cAAM,kBAAmB,SAAQ,KAAK;IACpC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;gBACX,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM;CAMxD;AA2BD,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,mBAAmB,EAC7B,OAAO,EAAE,gBAAgB,GACxB,OAAO,CAAC,eAAe,CAAC,CAwF1B;AAED,OAAO,EAAE,kBAAkB,EAAE,CAAC"}

package/dist/registration/provision.js

@@ -0,0 +1,132 @@
+/**
+ * Hydra-client provisioning. INTERNAL Vana package.
+ *
+ * Takes a parsed manifest and reconciles it against a Hydra admin API:
+ *
+ *   1. GET /admin/clients/{client_id}
+ *      -> 404: create via POST /admin/clients
+ *      -> 200: PUT /admin/clients/{client_id} with the full desired
+ *              body (Hydra v2.x semantics: PUT replaces).
+ *   2. Logs the planned diff before any write.
+ *   3. Returns the resulting client config.
+ *
+ * `dryRun: true` performs steps 1 and 2 only.
+ *
+ * Auth
+ * ----
+ *
+ * The caller passes a `fetch` and (for the prod Hydra admin behind
+ * Cloud IAP) an `authHeaderFor(audience)` async hook. The hook
+ * returns the `Authorization` header value (e.g. `"Bearer <ID
+ * token>"`); a local Hydra in dev returns `null` and no header is
+ * sent. We do NOT import Account's `hydra-admin.ts` directly here
+ * because this package must not depend on apps/*.
+ */
+import { diffHydraClient, manifestToHydraClient, } from "./manifest";
+class HydraAdminApiError extends Error {
+    status;
+    body;
+    constructor(status, body, hint) {
+        super(`service-auth provision: hydra admin ${hint} failed (${status})`);
+        this.name = "HydraAdminApiError";
+        this.status = status;
+        this.body = body;
+    }
+}
+function trimSlash(url) {
+    return url.replace(/\/+$/, "");
+}
+async function buildHeaders(options) {
+    const headers = { accept: "application/json" };
+    if (options.authHeaderFor) {
+        const value = await options.authHeaderFor(options.adminAudience);
+        if (value)
+            headers.authorization = value;
+    }
+    return headers;
+}
+async function parseBody(response) {
+    const text = await response.text();
+    if (!text)
+        return null;
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return { raw: text };
+    }
+}
+export async function provisionServiceClient(manifest, options) {
+    const adminUrl = trimSlash(options.adminUrl);
+    const fetchImpl = options.fetch ?? fetch;
+    const log = options.log ?? ((line) => console.log(line));
+    const dryRun = options.dryRun === true;
+    const desired = manifestToHydraClient(manifest);
+    log(`-> service: ${manifest.service_id}`);
+    log(`-> hydra client_id: ${desired.client_id}`);
+    log(`-> admin: ${adminUrl}`);
+    // 1. Read existing.
+    const getUrl = `${adminUrl}/admin/clients/${encodeURIComponent(desired.client_id)}`;
+    const headers = await buildHeaders(options);
+    const getResp = await fetchImpl(getUrl, { method: "GET", headers });
+    let existing = null;
+    if (getResp.status === 200) {
+        existing = (await parseBody(getResp));
+    }
+    else if (getResp.status === 404) {
+        existing = null;
+    }
+    else {
+        throw new HydraAdminApiError(getResp.status, await parseBody(getResp), `GET ${getUrl}`);
+    }
+    const diff = diffHydraClient(desired, existing);
+    const action = existing
+        ? Object.keys(diff).length === 0
+            ? "noop"
+            : "update"
+        : "create";
+    log(`-> action: ${action}`);
+    if (action === "noop") {
+        log("-> no changes; client is up to date.");
+        return { action, client: desired, diff, dryRun };
+    }
+    log("-> planned diff:");
+    for (const [key, { from, to }] of Object.entries(diff)) {
+        log(`     ${key}: ${JSON.stringify(from)} -> ${JSON.stringify(to)}`);
+    }
+    if (dryRun) {
+        log("-> dryRun=true; not writing.");
+        return { action, client: desired, diff, dryRun };
+    }
+    // 2. Write.
+    if (action === "create") {
+        const resp = await fetchImpl(`${adminUrl}/admin/clients`, {
+            method: "POST",
+            headers: {
+                ...headers,
+                "content-type": "application/json",
+            },
+            body: JSON.stringify(desired),
+        });
+        if (!resp.ok) {
+            throw new HydraAdminApiError(resp.status, await parseBody(resp), `POST /admin/clients`);
+        }
+    }
+    else {
+        const resp = await fetchImpl(`${adminUrl}/admin/clients/${encodeURIComponent(desired.client_id)}`, {
+            method: "PUT",
+            headers: {
+                ...headers,
+                "content-type": "application/json",
+            },
+            body: JSON.stringify(desired),
+        });
+        if (!resp.ok) {
+            throw new HydraAdminApiError(resp.status, await parseBody(resp), `PUT /admin/clients/${desired.client_id}`);
+        }
+    }
+    log(`-> ${action} complete.`);
+    return { action, client: desired, diff, dryRun };
+}
+export { HydraAdminApiError };
+//# sourceMappingURL=provision.js.map

package/dist/registration/provision.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provision.js","sourceRoot":"","sources":["../../src/registration/provision.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EACL,eAAe,EAEf,qBAAqB,GAEtB,MAAM,YAAY,CAAC;AA2CpB,MAAM,kBAAmB,SAAQ,KAAK;IAC3B,MAAM,CAAS;IACf,IAAI,CAAU;IACvB,YAAY,MAAc,EAAE,IAAa,EAAE,IAAY;QACrD,KAAK,CAAC,uCAAuC,IAAI,YAAY,MAAM,GAAG,CAAC,CAAC;QACxE,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAED,SAAS,SAAS,CAAC,GAAW;IAC5B,OAAO,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACjC,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,OAAyB;IAEzB,MAAM,OAAO,GAA2B,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IACvE,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QACjE,IAAI,KAAK;YAAE,OAAO,CAAC,aAAa,GAAG,KAAK,CAAC;IAC3C,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,QAAkB;IACzC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;IACvB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,QAA6B,EAC7B,OAAyB;IAEzB,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,IAAI,KAAK,CAAC;IACzC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;IACjE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,KAAK,IAAI,CAAC;IAEvC,MAAM,OAAO,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAChD,GAAG,CAAC,eAAe,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;IAC1C,GAAG,CAAC,uBAAuB,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;IAChD,GAAG,CAAC,aAAa,QAAQ,EAAE,CAAC,CAAC;IAE7B,oBAAoB;IACpB,MAAM,MAAM,GAAG,GAAG,QAAQ,kBAAkB,kBAAkB,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;IACpF,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IACpE,IAAI,QAAQ,GAAoC,IAAI,CAAC;IACrD,IAAI,OAAO,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC3B,QAAQ,GAAG,CAAC,MAAM,SAAS,CAAC,OAAO,CAAC,CAA6B,CAAC;IACpE,CAAC;SAAM,IAAI,OAAO,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAClC,QAAQ,GAAG,IAAI,CAAC;IAClB,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,kBAAkB,CAC1B,OAAO,CAAC,MAAM,EACd,MAAM,SAAS,CAAC,OAAO,CAAC,EACxB,OAAO,MAAM,EAAE,CAChB,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,eAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAChD,MAAM,MAAM,GAAoB,QAAQ;QACtC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;YAC9B,CAAC,CAAC,MAAM;YACR,CAAC,CAAC,QAAQ;QACZ,CAAC,CAAC,QAAQ,CAAC;IAEb,GAAG,CAAC,cAAc,MAAM,EAAE,CAAC,CAAC;IAC5B,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,GAAG,CAAC,sCAAsC,CAAC,CAAC;QAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IACnD,CAAC;IACD,GAAG,CAAC,kBAAkB,CAAC,CAAC;IACxB,KAAK,MAAM,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACvD,GAAG,CAAC,QAAQ,GAAG,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,IAAI,MAAM,EAAE,CAAC;QACX,GAAG,CAAC,8BAA8B,CAAC,CAAC;QACpC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IACnD,CAAC;IAED,YAAY;IACZ,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,GAAG,QAAQ,gBAAgB,EAAE;YACxD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,GAAG,OAAO;gBACV,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,kBAAkB,CAC1B,IAAI,CAAC,MAAM,EACX,MAAM,SAAS,CAAC,IAAI,CAAC,EACrB,qBAAqB,CACtB,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,GAAG,MAAM,SAAS,CAC1B,GAAG,QAAQ,kBAAkB,kBAAkB,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EACpE;YACE,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,GAAG,OAAO;gBACV,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CACF,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,kBAAkB,CAC1B,IAAI,CAAC,MAAM,EACX,MAAM,SAAS,CAAC,IAAI,CAAC,EACrB,sBAAsB,OAAO,CAAC,SAAS,EAAE,CAC1C,CAAC;QACJ,CAAC;IACH,CAAC;IACD,GAAG,CAAC,MAAM,MAAM,YAAY,CAAC,CAAC;IAC9B,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AACnD,CAAC;AAED,OAAO,EAAE,kBAAkB,EAAE,CAAC"}

package/dist/registration/schema.d.ts

@@ -0,0 +1,65 @@
+/**
+ * service-auth.yaml manifest schema. INTERNAL Vana package.
+ *
+ * Every service that authenticates to Vana lives as a manifest in
+ * `service-manifests/<service-id>.yaml`. CI validates this shape; the
+ * provisioning script consumes it and emits a Hydra client config.
+ *
+ * Schema rationale
+ * ----------------
+ *
+ *   - `service_id` is the human label; `hydra_client_id` is what
+ *     actually gets registered. Keeping them separate lets us evolve
+ *     the user-facing name without touching Hydra.
+ *   - `allowed_audiences` mirrors Hydra v2.x `audience` on the client
+ *     and is enforced when a `client_credentials` token is requested.
+ *   - `access_token_strategy: jwt` is REQUIRED. Opaque tokens would
+ *     defeat the whole point of the package (local JWKS verification).
+ *   - `grant_types` is fixed at `["client_credentials"]` for now; we
+ *     reject any manifest that asks for `authorization_code` etc. so
+ *     the package's blast radius is exactly the service-to-service
+ *     case. If we need to broaden later, lift this constraint.
+ *   - `key_rotation_policy` is captured but not enforced by code; it
+ *     gives ops a single source of truth for "is this key overdue".
+ */
+import { z } from "zod";
+export declare const serviceAuthManifestSchema: z.ZodObject<{
+    service_id: z.ZodString;
+    hydra_client_id: z.ZodString;
+    token_endpoint_auth_method: z.ZodLiteral<"private_key_jwt">;
+    jwks_uri: z.ZodString;
+    allowed_audiences: z.ZodArray<z.ZodString, "many">;
+    allowed_scopes: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    access_token_strategy: z.ZodLiteral<"jwt">;
+    grant_types: z.ZodDefault<z.ZodArray<z.ZodLiteral<"client_credentials">, "many">>;
+    owner_team: z.ZodString;
+    key_rotation_policy: z.ZodDefault<z.ZodString>;
+    /** Optional human description; ignored by the provisioner. */
+    description: z.ZodOptional<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    service_id: string;
+    hydra_client_id: string;
+    token_endpoint_auth_method: "private_key_jwt";
+    jwks_uri: string;
+    allowed_audiences: string[];
+    allowed_scopes: string[];
+    access_token_strategy: "jwt";
+    grant_types: "client_credentials"[];
+    owner_team: string;
+    key_rotation_policy: string;
+    description?: string | undefined;
+}, {
+    service_id: string;
+    hydra_client_id: string;
+    token_endpoint_auth_method: "private_key_jwt";
+    jwks_uri: string;
+    allowed_audiences: string[];
+    access_token_strategy: "jwt";
+    owner_team: string;
+    allowed_scopes?: string[] | undefined;
+    grant_types?: "client_credentials"[] | undefined;
+    key_rotation_policy?: string | undefined;
+    description?: string | undefined;
+}>;
+export type ServiceAuthManifest = z.infer<typeof serviceAuthManifestSchema>;
+//# sourceMappingURL=schema.d.ts.map

package/dist/registration/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/registration/schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,eAAO,MAAM,yBAAyB;;;;;;;;;;;IA4BlC,8DAA8D;;;;;;;;;;;;;;;;;;;;;;;;;;EAGvD,CAAC;AAEZ,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC"}

package/dist/registration/schema.js

@@ -0,0 +1,59 @@
+/**
+ * service-auth.yaml manifest schema. INTERNAL Vana package.
+ *
+ * Every service that authenticates to Vana lives as a manifest in
+ * `service-manifests/<service-id>.yaml`. CI validates this shape; the
+ * provisioning script consumes it and emits a Hydra client config.
+ *
+ * Schema rationale
+ * ----------------
+ *
+ *   - `service_id` is the human label; `hydra_client_id` is what
+ *     actually gets registered. Keeping them separate lets us evolve
+ *     the user-facing name without touching Hydra.
+ *   - `allowed_audiences` mirrors Hydra v2.x `audience` on the client
+ *     and is enforced when a `client_credentials` token is requested.
+ *   - `access_token_strategy: jwt` is REQUIRED. Opaque tokens would
+ *     defeat the whole point of the package (local JWKS verification).
+ *   - `grant_types` is fixed at `["client_credentials"]` for now; we
+ *     reject any manifest that asks for `authorization_code` etc. so
+ *     the package's blast radius is exactly the service-to-service
+ *     case. If we need to broaden later, lift this constraint.
+ *   - `key_rotation_policy` is captured but not enforced by code; it
+ *     gives ops a single source of truth for "is this key overdue".
+ */
+import { z } from "zod";
+const KEY_ROTATION_PATTERN = /^\d+(d|w|m|y)$/;
+export const serviceAuthManifestSchema = z
+    .object({
+    service_id: z
+        .string()
+        .min(1)
+        .regex(/^[a-z0-9][a-z0-9-]*$/u, {
+        message: "service_id must be lowercase kebab-case",
+    }),
+    hydra_client_id: z
+        .string()
+        .min(1)
+        .regex(/^[a-zA-Z0-9][a-zA-Z0-9-]*$/u),
+    token_endpoint_auth_method: z.literal("private_key_jwt"),
+    jwks_uri: z.string().url(),
+    allowed_audiences: z.array(z.string().min(1)).min(1),
+    allowed_scopes: z.array(z.string()).default([]),
+    access_token_strategy: z.literal("jwt"),
+    grant_types: z
+        .array(z.literal("client_credentials"))
+        .min(1)
+        .default(["client_credentials"]),
+    owner_team: z.string().min(1),
+    key_rotation_policy: z
+        .string()
+        .regex(KEY_ROTATION_PATTERN, {
+        message: "key_rotation_policy must look like '90d', '12w', '6m', or '1y'",
+    })
+        .default("90d"),
+    /** Optional human description; ignored by the provisioner. */
+    description: z.string().optional(),
+})
+    .strict();
+//# sourceMappingURL=schema.js.map

package/dist/registration/schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/registration/schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAE9C,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC;KACvC,MAAM,CAAC;IACN,UAAU,EAAE,CAAC;SACV,MAAM,EAAE;SACR,GAAG,CAAC,CAAC,CAAC;SACN,KAAK,CAAC,uBAAuB,EAAE;QAC9B,OAAO,EAAE,yCAAyC;KACnD,CAAC;IACJ,eAAe,EAAE,CAAC;SACf,MAAM,EAAE;SACR,GAAG,CAAC,CAAC,CAAC;SACN,KAAK,CAAC,6BAA6B,CAAC;IACvC,0BAA0B,EAAE,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC;IACxD,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC1B,iBAAiB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACpD,cAAc,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC/C,qBAAqB,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACvC,WAAW,EAAE,CAAC;SACX,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;SACtC,GAAG,CAAC,CAAC,CAAC;SACN,OAAO,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAClC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7B,mBAAmB,EAAE,CAAC;SACnB,MAAM,EAAE;SACR,KAAK,CAAC,oBAAoB,EAAE;QAC3B,OAAO,EAAE,gEAAgE;KAC1E,CAAC;SACD,OAAO,CAAC,KAAK,CAAC;IACjB,8DAA8D;IAC9D,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACnC,CAAC;KACD,MAAM,EAAE,CAAC"}

package/dist/resource-server/index.d.ts

@@ -0,0 +1,73 @@
+/**
+ * Resource-server middleware. INTERNAL Vana package.
+ *
+ * Validates an inbound `Authorization: Bearer <jwt>` header against
+ * Hydra's published JWKS, enforces `iss`/`aud`/`exp`/`nbf`/`alg`, and
+ * returns a structured success or failure. Two surfaces:
+ *
+ *   - `validateAccessToken(authHeader, opts?)`  --  pure function. Use
+ *     this when you control the response shape.
+ *   - `requireJwt({ requiredScopes? })`  --  Next.js-style middleware
+ *     wrapper that returns a `Response` on rejection.
+ *
+ * Compliance
+ * ----------
+ *
+ *   - RFC 9068 access token shape. We do NOT invent Vana-specific
+ *     claim names; we read `aud`, `iss`, `client_id`, `scope`, `sub`.
+ *   - Algorithm allowlist defaults to `["RS256", "ES256"]`. Hydra's
+ *     defaults are `ES256` for access tokens; allowing both lets
+ *     services bring their own key shape without our code knowing.
+ */
+import { type JSONWebKeySet, type JWTPayload } from "jose";
+export type ServiceAuthAllowedAlgorithm = "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512";
+export interface ServiceAuthValidatorOptions {
+    /** Either jwksUri or jwks must be set. */
+    jwksUri?: string;
+    /** Inline JWKS (test seam). */
+    jwks?: JSONWebKeySet;
+    /** Expected `iss` claim, e.g. `"https://oauth-dev.vana.org"`. */
+    issuer: string;
+    /**
+     * Expected resource audience. The token's `aud` (string or string[])
+     * must include this value.
+     */
+    audience: string;
+    /** Defaults to `["RS256", "ES256"]`. */
+    allowedAlgorithms?: ServiceAuthAllowedAlgorithm[];
+    /** Clock-skew tolerance in seconds; default 30. */
+    clockToleranceSec?: number;
+}
+export type AccessTokenValidationResult = {
+    valid: true;
+    claims: JWTPayload & {
+        client_id?: string;
+        sub?: string;
+        scope?: string;
+    };
+    clientId: string;
+} | {
+    valid: false;
+    reason: "not_bearer" | "not_a_jwt" | "expired" | "wrong_issuer" | "wrong_audience" | "wrong_algorithm" | "bad_signature" | "missing_claims" | "insufficient_scope" | "verify_error";
+    detail?: string;
+};
+export interface ValidateAccessTokenInput {
+    /** Required scopes; ALL must be present in the token's `scope`. */
+    requiredScopes?: string[];
+}
+export interface ServiceAuthValidator {
+    validateAccessToken(authorizationHeader: string | null | undefined, input?: ValidateAccessTokenInput): Promise<AccessTokenValidationResult>;
+    requireJwt(input?: ValidateAccessTokenInput): (request: Request) => Promise<{
+        ok: true;
+        result: Extract<AccessTokenValidationResult, {
+            valid: true;
+        }>;
+    } | {
+        ok: false;
+        response: Response;
+    }>;
+}
+/** Test-only: drop cached resolvers between tests. */
+export declare function _resetJwksCacheForTests(): void;
+export declare function createServiceAuthValidator(options: ServiceAuthValidatorOptions): ServiceAuthValidator;
+//# sourceMappingURL=index.d.ts.map

package/dist/resource-server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/resource-server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAIL,KAAK,aAAa,EAClB,KAAK,UAAU,EAEhB,MAAM,MAAM,CAAC;AAId,MAAM,MAAM,2BAA2B,GACnC,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,CAAC;AAEZ,MAAM,WAAW,2BAA2B;IAC1C,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,IAAI,CAAC,EAAE,aAAa,CAAC;IACrB,iEAAiE;IACjE,MAAM,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,iBAAiB,CAAC,EAAE,2BAA2B,EAAE,CAAC;IAClD,mDAAmD;IACnD,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,MAAM,2BAA2B,GACnC;IACE,KAAK,EAAE,IAAI,CAAC;IACZ,MAAM,EAAE,UAAU,GAAG;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,QAAQ,EAAE,MAAM,CAAC;CAClB,GACD;IACE,KAAK,EAAE,KAAK,CAAC;IACb,MAAM,EACF,YAAY,GACZ,WAAW,GACX,SAAS,GACT,cAAc,GACd,gBAAgB,GAChB,iBAAiB,GACjB,eAAe,GACf,gBAAgB,GAChB,oBAAoB,GACpB,cAAc,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAEN,MAAM,WAAW,wBAAwB;IACvC,mEAAmE;IACnE,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,oBAAoB;IACnC,mBAAmB,CACjB,mBAAmB,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC9C,KAAK,CAAC,EAAE,wBAAwB,GAC/B,OAAO,CAAC,2BAA2B,CAAC,CAAC;IACxC,UAAU,CACR,KAAK,CAAC,EAAE,wBAAwB,GAC/B,CACD,OAAO,EAAE,OAAO,KACb,OAAO,CACV;QAAE,EAAE,EAAE,IAAI,CAAC;QAAC,MAAM,EAAE,OAAO,CAAC,2BAA2B,EAAE;YAAE,KAAK,EAAE,IAAI,CAAA;SAAE,CAAC,CAAA;KAAE,GACzE;QAAE,EAAE,EAAE,KAAK,CAAC;QAAC,QAAQ,EAAE,QAAQ,CAAA;KAAE,CACpC,CAAC;CACH;AAmBD,sDAAsD;AACtD,wBAAgB,uBAAuB,IAAI,IAAI,CAE9C;AAqCD,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,2BAA2B,GACnC,oBAAoB,CA+EtB"}