@optimizely-opal/opal-tool-ocp-sdk 0.0.0-beta.1 → 0.0.0-beta.10

package/README.md

@@ -10,7 +10,7 @@ A TypeScript SDK for building Opal tools in Optimizely Connect Platform. This SD
 - 🔧 **Type-safe Development** - Full TypeScript support with comprehensive type definitions  
 - 🏗️ **Abstract Base Classes** - Extend `ToolFunction` for standardized request processing
 - 🔐 **Authentication Support** - OptiID authentication
-- 🛡️ **Authorization Support** - Bearer token tool authorization
+- 🛡️ **Authorization Support** - OptiID token tool authorization
 - 📝 **Parameter Validation** - Define and validate tool parameters with types
 - 🧪 **Comprehensive Testing** - Fully tested with Jest
 
@@ -34,11 +34,6 @@ Create a tool function class by extending `ToolFunction` and registering your to
 import { ToolFunction, tool, interaction, ParameterType, InteractionResult, OptiIdAuthData } from '@optimizely-opal/opal-tool-ocp-sdk';
 
 export class MyToolFunction extends ToolFunction {
-  // Implement required bearer token validation method
-  validateBearerToken(token: string): boolean {
-    const expectedToken = process.env.OPAL_TOOL_TOKEN;
-    return token === expectedToken;
-  }
 
   // Register a simple tool without authentication
   @tool({
@@ -120,7 +115,7 @@ export class MyToolFunction extends ToolFunction {
 Your function class inherits a `perform()` method from `ToolFunction` that serves as the main entry point for handling all incoming requests. When called, the SDK automatically:
 
 - **Routes requests** to your registered tools and interactions based on endpoints
-- **Handles authentication** and bearer token validation before calling your methods  
+- **Handles authentication** and OptiID token validation before calling your methods  
 - **Provides discovery** at `/discovery` endpoint for OCP platform integration
 - **Returns proper HTTP responses** with correct status codes and JSON formatting
 
@@ -174,27 +169,18 @@ interface AuthRequirementConfig {
 }
 ```
 
-#### Bearer Token Support
+#### OptiID Token Authorization
 
-The SDK automatically extracts Bearer tokens from the `authorization` header for tool authorization. When users register tools in Opal, they can specify a Bearer token that Opal will include in requests to validate the tool's identity.
+The SDK automatically handles OptiID token validation for tool authorization. OptiID tokens provide both user authentication and authorization for tools, ensuring that only authenticated users with proper permissions can access your tools.
 
 **Token Validation:**
-- Bearer tokens are extracted from the `authorization: Bearer <token>` header
-- Empty strings and `undefined` tokens are treated as missing (no validation performed)
-- Implement the abstract `validateBearerToken(token: string): boolean` method to define your validation logic
+- The SDK extracts and validates OptiID tokens from the request body
+- Validation includes verifying that requests come from the same organization
+- If validation fails, returns HTTP 403 Unauthorized before reaching your handler methods
+- No additional configuration needed - validation is handled automatically
 
 ```typescript
 export class MyToolFunction extends ToolFunction {
-  // Implement the required bearer token validation method
-  validateBearerToken(token: string): boolean {
-    // If you don't need bearer token validation, simply return true
-    // return true;
-    
-    // For actual validation, compare against expected token
-    const expectedToken = process.env.OPAL_TOOL_TOKEN;
-    return token === expectedToken;
-  }
-
   @tool({
     name: 'secure_tool',
     description: 'Tool that validates requests from Opal',
@@ -218,14 +204,6 @@ export class MyToolFunction extends ToolFunction {
 }
 ```
 
-**Bearer Token Usage:**
-- Set by users when registering tools in Opal
-- Used to authorize tool requests from Opal instances  
-- Validates that requests are coming from trusted Opal sources
-- Requires implementing the abstract `validateBearerToken(token: string): boolean` method
-- If validation fails, returns HTTP 403 Forbidden before reaching your handler methods
-
-
 ## API Reference
 
 ### Handler Function Signatures
@@ -242,8 +220,6 @@ async handlerMethod(
 - **params**: The input parameters for tools, or interaction data for webhooks
 - **authData**: Available when OptiID user authentication is configured and successful
 
-**Note**: Bearer token validation is handled automatically by the base class. If a bearer token is present and fails validation, the request is rejected before reaching your handler methods.
-
 ### Decorators
 
 #### `@tool(config: ToolConfig)`
@@ -279,12 +255,12 @@ Abstract base class for OCP functions:
 
 ```typescript
 export abstract class ToolFunction extends Function {
+  protected ready(): Promise<boolean>;
   public async perform(): Promise<Response>;
-  protected abstract validateBearerToken(token: string): boolean;
 }
 ```
 
-Extend this class and implement your OCP function. The `perform` method automatically routes requests to registered tools and handles bearer token validation. You must implement the `validateBearerToken` method to define how bearer tokens should be validated for your tools.
+Extend this class and implement your OCP function. The `perform` method automatically routes requests to registered tools.
 
 ### Models
 
@@ -297,9 +273,13 @@ Key model classes with generic type support:
 - `InteractionResult` - Response from interactions
 - `OptiIdAuthData` - OptiID specific authentication data
 
-## Discovery Endpoint
+## Discovery and Ready Endpoints
+
+The SDK automatically provides two important endpoints:
 
-The SDK automatically provides a discovery endpoint at `/discovery` that returns all registered tools in the proper OCP format:
+### Discovery Endpoint (`/discovery`)
+
+Returns all registered tools in the proper OCP format for platform integration:
 
 ```json
 {
@@ -349,6 +329,21 @@ The SDK automatically provides a discovery endpoint at `/discovery` that returns
 }
 ```
 
+### Ready Endpoint (`/ready`)
+
+Returns the current readiness status of your function:
+
+```json
+{
+  "ready": true
+}
+```
+
+This endpoint calls your function's `ready()` method and returns:
+- `{ready: true}` when the function is ready to process requests
+- `{ready: false}` when the function is not ready (missing configuration, external services unavailable, etc.)
+- HTTP 200 status code regardless of ready state (the ready status is in the response body)
+
 ## Development
 
 ### Prerequisites
@@ -389,15 +384,6 @@ yarn lint
 import { ToolFunction, tool, interaction, ParameterType, OptiIdAuthData, InteractionResult } from '@optimizely-opal/opal-ocp-sdk';
 
 export class AuthenticatedFunction extends ToolFunction {
-  // Implement required bearer token validation
-  validateBearerToken(token: string): boolean {
-    // If you don't need bearer token validation, simply return true
-    // return true;
-    
-    // For actual validation, compare against expected token
-    const expectedToken = process.env.OPAL_TOOL_TOKEN;
-    return token === expectedToken;
-  }
 
   // OptiID authentication example
   @tool({
@@ -559,12 +545,6 @@ import { ToolFunction } from '@optimizely-opal/opal-ocp-sdk';
 import * from './tools';
 
 export class MyToolFunction extends ToolFunction {
-
-  // Implement required bearer token validation method
-  validateBearerToken(token: string): boolean {
-    const expectedToken = process.env.OPAL_TOOL_TOKEN;
-    return token === expectedToken;
-  }
 }
 ```
 
@@ -574,3 +554,78 @@ This approach provides several benefits:
 - **Reusability**: Tools can be shared across different ToolFunction classes
 - **Team collaboration**: Different developers can work on different tool files
 - **Testing**: Each tool class can be unit tested independently
+
+## Decorator Behavior and Instance Context
+
+The `@tool` and `@interaction` decorators provide intelligent instance context management that behaves differently depending on where the decorated methods are defined:
+
+### ToolFunction Subclass Context
+
+When decorators are used in a class that extends `ToolFunction`, the decorators can reuse the existing ToolFunction instance when called through the `perform()` method:
+
+```typescript
+export class MyToolFunction extends ToolFunction {
+  private secretKey = process.env.SECRET_KEY;
+
+  @tool({
+    name: 'process_data',
+    description: 'Processes data using instance context',
+    endpoint: '/process-data',
+    parameters: [
+      { name: 'data', type: ParameterType.String, description: 'Data to process', required: true }
+    ]
+  })
+  async processData(params: { data: string }) {
+    // ✅ Can access instance properties and methods
+    // ✅ Can access this.request (inherited from ToolFunction)
+    // ✅ Shares state with other methods in the same request
+
+    const userAgent = this.request.headers.get('user-agent');
+    return {
+      processedData: this.encryptData(params.data),
+      userAgent,
+      timestamp: Date.now()
+    };
+  }
+
+  private encryptData(data: string): string {
+    // Uses instance property
+    return `encrypted_${data}_${this.secretKey}`;
+  }
+}
+```
+
+### Standalone Class Context
+
+When decorators are used in classes that don't extend `ToolFunction`, the decorators create new instances for each handler call:
+
+```typescript
+export class StandaloneToolService {
+  private config = { apiKey: 'standalone-key' };
+
+  @tool({
+    name: 'standalone_operation',
+    description: 'Standalone operation without ToolFunction',
+    endpoint: '/standalone',
+    parameters: [
+      { name: 'input', type: ParameterType.String, description: 'Input data', required: true }
+    ]
+  })
+  async standaloneOperation(params: { input: string }) {
+    // ✅ Can access instance properties and methods
+    // ❌ Cannot access this.request (not inherited from ToolFunction)
+    // ❌ No shared state with ToolFunction lifecycle
+
+    return {
+      result: `${this.helperMethod()}: ${params.input}`,
+      source: 'standalone'
+    };
+  }
+
+  private helperMethod() {
+    return this.config.apiKey;
+  }
+}
+```
+
+This behavior ensures that your tools can be both flexible (working in any class) and powerful (leveraging ToolFunction features when available).

package/dist/auth/TokenVerifier.d.ts

@@ -0,0 +1,31 @@
+export declare class TokenVerifier {
+    private static instance;
+    private jwksUri?;
+    private issuer?;
+    private jwks?;
+    private initialized;
+    /**
+     * Verify the provided Optimizely JWT token string
+     * @param token JWT token string to verify
+     * @returns boolean true if verification successful, false otherwise
+     * @throws Error if token is null, empty, or verifier is not properly configured
+     */
+    verify(token: string | undefined): Promise<boolean>;
+    private static getInstance;
+    /**
+     * Get singleton instance of TokenVerifier and ensure it's initialized
+     * @returns Promise<TokenVerifier> - initialized singleton instance
+     */
+    static getInitializedInstance(): Promise<TokenVerifier>;
+    /**
+     * Initialize the TokenVerifier with discovery document from well-known endpoint
+     */
+    private initialize;
+    /**
+     * Fetch discovery document from well-known endpoint
+     */
+    private fetchDiscoveryDocument;
+    private verifyToken;
+}
+export declare const getTokenVerifier: () => Promise<TokenVerifier>;
+//# sourceMappingURL=TokenVerifier.d.ts.map

package/dist/auth/TokenVerifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenVerifier.d.ts","sourceRoot":"","sources":["../../src/auth/TokenVerifier.ts"],"names":[],"mappings":"AAkCA,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAA8B;IACrD,OAAO,CAAC,OAAO,CAAC,CAAS;IACzB,OAAO,CAAC,MAAM,CAAC,CAAS;IACxB,OAAO,CAAC,IAAI,CAAC,CAAwC;IACrD,OAAO,CAAC,WAAW,CAAkB;IAErC;;;;;OAKG;IACU,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC;IAQhE,OAAO,CAAC,MAAM,CAAC,WAAW;IAO1B;;;OAGG;WACiB,sBAAsB,IAAI,OAAO,CAAC,aAAa,CAAC;IAQpE;;OAEG;YACW,UAAU;IAyBxB;;OAEG;YACW,sBAAsB;YAetB,WAAW;CAsB1B;AAED,eAAO,MAAM,gBAAgB,QAAa,OAAO,CAAC,aAAa,CAA2C,CAAC"}

package/dist/auth/TokenVerifier.js

@@ -0,0 +1,127 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getTokenVerifier = exports.TokenVerifier = void 0;
+const jose_1 = require("jose");
+const app_sdk_1 = require("@zaiusinc/app-sdk");
+/**
+ * Default JWKS cache expiration time in milliseconds (1 hour)
+ */
+const DEFAULT_JWKS_EXPIRES_IN = 60 * 60 * 1000;
+/**
+ * Default clock skew tolerance in seconds
+ */
+const DEFAULT_LEEWAY = 30;
+/**
+ * Expected JWT audience for token validation
+ */
+const AUDIENCE = 'api://default';
+/**
+ * Prep Base URL for Optimizely OAuth2 endpoints
+ */
+const PREP_BASE_URL = 'https://prep.login.optimizely.com/oauth2/default';
+/**
+ * Prod Base URL for Optimizely OAuth2 endpoints
+ */
+const PROD_BASE_URL = 'https://login.optimizely.com/oauth2/default';
+class TokenVerifier {
+    static instance = null;
+    jwksUri;
+    issuer;
+    jwks;
+    initialized = false;
+    /**
+     * Verify the provided Optimizely JWT token string
+     * @param token JWT token string to verify
+     * @returns boolean true if verification successful, false otherwise
+     * @throws Error if token is null, empty, or verifier is not properly configured
+     */
+    async verify(token) {
+        if (!token || token.trim().length === 0) {
+            throw new Error('Token cannot be null or empty');
+        }
+        return this.verifyToken(token);
+    }
+    static getInstance() {
+        if (!TokenVerifier.instance) {
+            TokenVerifier.instance = new TokenVerifier();
+        }
+        return TokenVerifier.instance;
+    }
+    /**
+     * Get singleton instance of TokenVerifier and ensure it's initialized
+     * @returns Promise<TokenVerifier> - initialized singleton instance
+     */
+    static async getInitializedInstance() {
+        const instance = TokenVerifier.getInstance();
+        if (!instance.initialized) {
+            await instance.initialize();
+        }
+        return instance;
+    }
+    /**
+     * Initialize the TokenVerifier with discovery document from well-known endpoint
+     */
+    async initialize() {
+        if (this.initialized) {
+            return;
+        }
+        try {
+            // Use prep URL when environment variable is set to 'staging', otherwise use prod
+            const environment = process.env.environment || 'production';
+            const baseUrl = environment === 'staging' ? PREP_BASE_URL : PROD_BASE_URL;
+            const discoveryDocument = await this.fetchDiscoveryDocument(baseUrl);
+            this.issuer = discoveryDocument.issuer;
+            this.jwksUri = discoveryDocument.jwks_uri;
+            this.jwks = (0, jose_1.createRemoteJWKSet)(new URL(this.jwksUri), {
+                cacheMaxAge: DEFAULT_JWKS_EXPIRES_IN,
+                cooldownDuration: DEFAULT_JWKS_EXPIRES_IN
+            });
+            this.initialized = true;
+            app_sdk_1.logger.info(`TokenVerifier initialized with issuer: ${this.issuer} (environment: ${environment})`);
+        }
+        catch (error) {
+            app_sdk_1.logger.error('Failed to initialize TokenVerifier', error);
+            // Re-throw the original error to preserve specific error messages for tests
+            throw error;
+        }
+    }
+    /**
+     * Fetch discovery document from well-known endpoint
+     */
+    async fetchDiscoveryDocument(baseUrl) {
+        const wellKnownUrl = `${baseUrl}/.well-known/oauth-authorization-server`;
+        const response = await fetch(wellKnownUrl);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch discovery document: ${response.status} ${response.statusText}`);
+        }
+        const discoveryDocument = await response.json();
+        if (!discoveryDocument.issuer || !discoveryDocument.jwks_uri) {
+            throw new Error('Invalid discovery document: missing issuer or jwks_uri');
+        }
+        return discoveryDocument;
+    }
+    async verifyToken(token) {
+        if (!this.initialized) {
+            throw new Error('TokenVerifier not initialized. Call initialize() first.');
+        }
+        if (!this.jwks || !this.issuer) {
+            throw new Error('TokenVerifier not properly configured.');
+        }
+        try {
+            await (0, jose_1.jwtVerify)(token, this.jwks, {
+                issuer: this.issuer,
+                audience: AUDIENCE,
+                clockTolerance: DEFAULT_LEEWAY,
+            });
+            return true;
+        }
+        catch (error) {
+            app_sdk_1.logger.error('Token verification failed:', error);
+            return false;
+        }
+    }
+}
+exports.TokenVerifier = TokenVerifier;
+const getTokenVerifier = async () => TokenVerifier.getInitializedInstance();
+exports.getTokenVerifier = getTokenVerifier;
+//# sourceMappingURL=TokenVerifier.js.map

package/dist/auth/TokenVerifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenVerifier.js","sourceRoot":"","sources":["../../src/auth/TokenVerifier.ts"],"names":[],"mappings":";;;AAAA,+BAAqD;AACrD,+CAA2C;AAE3C;;GAEG;AACH,MAAM,uBAAuB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAE/C;;GAEG;AACH,MAAM,cAAc,GAAG,EAAE,CAAC;AAE1B;;GAEG;AACH,MAAM,QAAQ,GAAG,eAAe,CAAC;AAEjC;;GAEG;AACH,MAAM,aAAa,GAAG,kDAAkD,CAAC;AAEzE;;GAEG;AACH,MAAM,aAAa,GAAG,6CAA6C,CAAC;AAQpE,MAAa,aAAa;IAChB,MAAM,CAAC,QAAQ,GAAyB,IAAI,CAAC;IAC7C,OAAO,CAAU;IACjB,MAAM,CAAU;IAChB,IAAI,CAAyC;IAC7C,WAAW,GAAY,KAAK,CAAC;IAErC;;;;;OAKG;IACI,KAAK,CAAC,MAAM,CAAC,KAAyB;QAC3C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAEO,MAAM,CAAC,WAAW;QACxB,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC5B,aAAa,CAAC,QAAQ,GAAG,IAAI,aAAa,EAAE,CAAC;QAC/C,CAAC;QACD,OAAO,aAAa,CAAC,QAAQ,CAAC;IAChC,CAAC;IAED;;;OAGG;IACI,MAAM,CAAC,KAAK,CAAC,sBAAsB;QACxC,MAAM,QAAQ,GAAG,aAAa,CAAC,WAAW,EAAE,CAAC;QAC7C,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;YAC1B,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;QAC9B,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU;QACtB,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,iFAAiF;YACjF,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,YAAY,CAAC;YAC5D,MAAM,OAAO,GAAG,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,aAAa,CAAC;YAC1E,MAAM,iBAAiB,GAAG,MAAM,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;YACrE,IAAI,CAAC,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC;YACvC,IAAI,CAAC,OAAO,GAAG,iBAAiB,CAAC,QAAQ,CAAC;YAC1C,IAAI,CAAC,IAAI,GAAG,IAAA,yBAAkB,EAAC,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;gBACpD,WAAW,EAAE,uBAAuB;gBACpC,gBAAgB,EAAE,uBAAuB;aAC1C,CAAC,CAAC;YACH,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;YACxB,gBAAM,CAAC,IAAI,CAAC,0CAA0C,IAAI,CAAC,MAAM,kBAAkB,WAAW,GAAG,CAAC,CAAC;QACrG,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gBAAM,CAAC,KAAK,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;YAC1D,4EAA4E;YAC5E,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,sBAAsB,CAAC,OAAe;QAClD,MAAM,YAAY,GAAG,GAAG,OAAO,yCAAyC,CAAC;QAEzE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC;QAC3C,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,uCAAuC,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACnG,CAAC;QACD,MAAM,iBAAiB,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAuB,CAAC;QACrE,IAAI,CAAC,iBAAiB,CAAC,MAAM,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,CAAC;YAC7D,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;QAC5E,CAAC;QAED,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,KAAa;QACrC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC7E,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE;gBAChC,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,QAAQ,EAAE,QAAQ;gBAClB,cAAc,EAAE,cAAc;aAC/B,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gBAAM,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;YAClD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;;AA1GH,sCA4GC;AAEM,MAAM,gBAAgB,GAAG,KAAK,IAA4B,EAAE,CAAC,aAAa,CAAC,sBAAsB,EAAE,CAAC;AAA9F,QAAA,gBAAgB,oBAA8E"}

package/dist/auth/TokenVerifier.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=TokenVerifier.test.d.ts.map

package/dist/auth/TokenVerifier.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenVerifier.test.d.ts","sourceRoot":"","sources":["../../src/auth/TokenVerifier.test.ts"],"names":[],"mappings":""}

package/dist/auth/TokenVerifier.test.js

@@ -0,0 +1,114 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const TokenVerifier_1 = require("./TokenVerifier");
+// Test constants
+const TEST_ISSUER = 'https://prep.login.optimizely.com/oauth2/default';
+const TEST_JWKS_URI = 'https://prep.login.optimizely.com/oauth2/v1/keys';
+// Mock fetch globally
+global.fetch = jest.fn();
+describe('TokenVerifier', () => {
+    beforeEach(() => {
+        // Reset fetch mock
+        global.fetch.mockReset();
+        // Reset singleton instance for each test
+        TokenVerifier_1.TokenVerifier.instance = null;
+    });
+    describe('getInitializedInstance', () => {
+        it('should initialize successfully', async () => {
+            // Mock fetch for OAuth2 authorization server discovery
+            global.fetch.mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    issuer: TEST_ISSUER,
+                    jwks_uri: TEST_JWKS_URI
+                })
+            });
+            const tokenVerifier = await TokenVerifier_1.TokenVerifier.getInitializedInstance();
+            expect(tokenVerifier).toBeInstanceOf(TokenVerifier_1.TokenVerifier);
+        });
+        it('should throw error when discovery document is invalid', async () => {
+            global.fetch.mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                // Missing issuer and jwks_uri
+                })
+            });
+            await expect(TokenVerifier_1.TokenVerifier.getInitializedInstance()).rejects.toThrow('Invalid discovery document: missing issuer or jwks_uri');
+        });
+        it('should throw error when discovery endpoint is unreachable', async () => {
+            global.fetch.mockResolvedValue({
+                ok: false,
+                status: 404,
+                statusText: 'Not Found'
+            });
+            await expect(TokenVerifier_1.TokenVerifier.getInitializedInstance()).rejects.toThrow('Failed to fetch discovery document: 404 Not Found');
+        });
+    });
+    describe('token verification', () => {
+        let tokenVerifier;
+        beforeEach(async () => {
+            // Mock successful initialization
+            global.fetch.mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    issuer: TEST_ISSUER,
+                    jwks_uri: TEST_JWKS_URI
+                })
+            });
+            tokenVerifier = await TokenVerifier_1.TokenVerifier.getInitializedInstance();
+        });
+        it('should throw error for empty token', async () => {
+            await expect(tokenVerifier.verify('')).rejects.toThrow('Token cannot be null or empty');
+        });
+        it('should throw error for undefined token', async () => {
+            await expect(tokenVerifier.verify(undefined)).rejects.toThrow('Token cannot be null or empty');
+        });
+        it('should throw error for whitespace-only token', async () => {
+            await expect(tokenVerifier.verify('   ')).rejects.toThrow('Token cannot be null or empty');
+        });
+        it('should return false for invalid token format', async () => {
+            const result = await tokenVerifier.verify('invalid.jwt.token');
+            expect(result).toBe(false);
+        });
+    });
+    describe('singleton pattern', () => {
+        it('should return same instance when called multiple times', async () => {
+            // Mock successful initialization
+            global.fetch.mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    issuer: TEST_ISSUER,
+                    jwks_uri: TEST_JWKS_URI
+                })
+            });
+            const instance1 = await TokenVerifier_1.TokenVerifier.getInitializedInstance();
+            const instance2 = await TokenVerifier_1.TokenVerifier.getInitializedInstance();
+            expect(instance1).toBe(instance2);
+        });
+        it('should call correct prod OAuth2 authorization server discovery URL', async () => {
+            const fetchSpy = jest.spyOn(global, 'fetch').mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    issuer: TEST_ISSUER,
+                    jwks_uri: TEST_JWKS_URI
+                })
+            });
+            await TokenVerifier_1.TokenVerifier.getInitializedInstance();
+            expect(fetchSpy).toHaveBeenCalledWith('https://login.optimizely.com/oauth2/default/.well-known/oauth-authorization-server');
+        });
+        it('should call correct prep OAuth2 authorization server discovery URL', async () => {
+            // Set environment variable to staging
+            process.env.environment = 'staging';
+            const fetchSpy = jest.spyOn(global, 'fetch').mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    issuer: TEST_ISSUER,
+                    jwks_uri: TEST_JWKS_URI
+                })
+            });
+            await TokenVerifier_1.TokenVerifier.getInitializedInstance();
+            expect(fetchSpy).toHaveBeenCalledWith('https://prep.login.optimizely.com/oauth2/default/.well-known/oauth-authorization-server');
+        });
+    });
+});
+//# sourceMappingURL=TokenVerifier.test.js.map

package/dist/auth/TokenVerifier.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenVerifier.test.js","sourceRoot":"","sources":["../../src/auth/TokenVerifier.test.ts"],"names":[],"mappings":";;AAAA,mDAAgD;AAEhD,iBAAiB;AACjB,MAAM,WAAW,GAAG,kDAAkD,CAAC;AACvE,MAAM,aAAa,GAAG,kDAAkD,CAAC;AAEzE,sBAAsB;AACtB,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC,EAAE,EAAE,CAAC;AAEzB,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;IAC7B,UAAU,CAAC,GAAG,EAAE;QACd,mBAAmB;QAClB,MAAM,CAAC,KAAmB,CAAC,SAAS,EAAE,CAAC;QAExC,yCAAyC;QACxC,6BAAqB,CAAC,QAAQ,GAAG,IAAI,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;QACtC,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAC9C,uDAAuD;YACtD,MAAM,CAAC,KAAmB,CAAC,iBAAiB,CAAC;gBAC5C,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;oBAChC,MAAM,EAAE,WAAW;oBACnB,QAAQ,EAAE,aAAa;iBACxB,CAAC;aACH,CAAC,CAAC;YAEH,MAAM,aAAa,GAAG,MAAM,6BAAa,CAAC,sBAAsB,EAAE,CAAC;YACnE,MAAM,CAAC,aAAa,CAAC,CAAC,cAAc,CAAC,6BAAa,CAAC,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;YACpE,MAAM,CAAC,KAAmB,CAAC,iBAAiB,CAAC;gBAC5C,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;gBAChC,8BAA8B;iBAC/B,CAAC;aACH,CAAC,CAAC;YAEH,MAAM,MAAM,CAAC,6BAAa,CAAC,sBAAsB,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAClE,wDAAwD,CACzD,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;YACxE,MAAM,CAAC,KAAmB,CAAC,iBAAiB,CAAC;gBAC5C,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,GAAG;gBACX,UAAU,EAAE,WAAW;aACxB,CAAC,CAAC;YAEH,MAAM,MAAM,CAAC,6BAAa,CAAC,sBAAsB,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAClE,mDAAmD,CACpD,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAClC,IAAI,aAA4B,CAAC;QAEjC,UAAU,CAAC,KAAK,IAAI,EAAE;YACpB,iCAAiC;YAChC,MAAM,CAAC,KAAmB,CAAC,iBAAiB,CAAC;gBAC5C,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;oBAChC,MAAM,EAAE,WAAW;oBACnB,QAAQ,EAAE,aAAa;iBACxB,CAAC;aACH,CAAC,CAAC;YAEH,aAAa,GAAG,MAAM,6BAAa,CAAC,sBAAsB,EAAE,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;YAClD,MAAM,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACpD,+BAA+B,CAChC,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC3D,+BAA+B,CAChC,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACvD,+BAA+B,CAChC,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;YAC/D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;QACjC,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;YACtE,iCAAiC;YAChC,MAAM,CAAC,KAAmB,CAAC,iBAAiB,CAAC;gBAC5C,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;oBAChC,MAAM,EAAE,WAAW;oBACnB,QAAQ,EAAE,aAAa;iBACxB,CAAC;aACH,CAAC,CAAC;YAEH,MAAM,SAAS,GAAG,MAAM,6BAAa,CAAC,sBAAsB,EAAE,CAAC;YAC/D,MAAM,SAAS,GAAG,MAAM,6BAAa,CAAC,sBAAsB,EAAE,CAAC;YAC/D,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;QACH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;YAClF,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,iBAAiB,CAAC;gBAC7D,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;oBAChC,MAAM,EAAE,WAAW;oBACnB,QAAQ,EAAE,aAAa;iBACxB,CAAC;aACoB,CAAC,CAAC;YAE1B,MAAM,6BAAa,CAAC,sBAAsB,EAAE,CAAC;YAE7C,MAAM,CAAC,QAAQ,CAAC,CAAC,oBAAoB,CACnC,oFAAoF,CACrF,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;YAClF,sCAAsC;YACtC,OAAO,CAAC,GAAG,CAAC,WAAW,GAAG,SAAS,CAAC;YAEpC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,iBAAiB,CAAC;gBAC7D,EAAE,EAAE,IAAI;gBACR,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;oBAChC,MAAM,EAAE,WAAW;oBACnB,QAAQ,EAAE,aAAa;iBACxB,CAAC;aACoB,CAAC,CAAC;YAE1B,MAAM,6BAAa,CAAC,sBAAsB,EAAE,CAAC;YAE7C,MAAM,CAAC,QAAQ,CAAC,CAAC,oBAAoB,CACnC,yFAAyF,CAC1F,CAAC;QAEJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AAEL,CAAC,CAAC,CAAC"}

package/dist/decorator/Decorator.d.ts

@@ -36,11 +36,13 @@ export interface InteractionConfig {
 /**
  * Decorator for registering tool functions
  * Immediately registers the tool with the global ToolsService
+ * The handler will have access to 'this' context when called
  */
-export declare function tool(config: ToolConfig): (_target: any, _propertyKey: string, descriptor: PropertyDescriptor) => void;
+export declare function tool(config: ToolConfig): (target: any, _propertyKey: string, descriptor: PropertyDescriptor) => void;
 /**
  * Decorator for registering interaction functions
  * Immediately registers the interaction with the global ToolsService
+ * The handler will have access to 'this' context when called
  */
-export declare function interaction(config: InteractionConfig): (_target: any, _propertyKey: string, descriptor: PropertyDescriptor) => void;
+export declare function interaction(config: InteractionConfig): (target: any, _propertyKey: string, descriptor: PropertyDescriptor) => void;
 //# sourceMappingURL=Decorator.d.ts.map

package/dist/decorator/Decorator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"Decorator.d.ts","sourceRoot":"","sources":["../../src/decorator/Decorator.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8B,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAG5E;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,eAAe,EAAE,CAAC;IAC9B,gBAAgB,CAAC,EAAE,qBAAqB,EAAE,CAAC;IAC3C,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,aAAa,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAgB,IAAI,CAAC,MAAM,EAAE,UAAU,IACrB,SAAS,GAAG,EAAE,cAAc,MAAM,EAAE,YAAY,kBAAkB,UAqBnF;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,iBAAiB,IACnC,SAAS,GAAG,EAAE,cAAc,MAAM,EAAE,YAAY,kBAAkB,UAQnF"}
+{"version":3,"file":"Decorator.d.ts","sourceRoot":"","sources":["../../src/decorator/Decorator.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8B,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAG5E;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,eAAe,EAAE,CAAC;IAC9B,gBAAgB,CAAC,EAAE,qBAAqB,EAAE,CAAC;IAC3C,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,aAAa,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;GAIG;AACH,wBAAgB,IAAI,CAAC,MAAM,EAAE,UAAU,IACrB,QAAQ,GAAG,EAAE,cAAc,MAAM,EAAE,YAAY,kBAAkB,UAkClF;AAED;;;;GAIG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,iBAAiB,IACnC,QAAQ,GAAG,EAAE,cAAc,MAAM,EAAE,YAAY,kBAAkB,UAqBlF"}

package/dist/decorator/Decorator.js

@@ -7,25 +7,47 @@ const Service_1 = require("../service/Service");
 /**
  * Decorator for registering tool functions
  * Immediately registers the tool with the global ToolsService
+ * The handler will have access to 'this' context when called
  */
 function tool(config) {
-    return function (_target, _propertyKey, descriptor) {
+    return function (target, _propertyKey, descriptor) {
         // Convert parameter configs to Parameter instances
         const parameters = (config.parameters || []).map((p) => new Models_1.Parameter(p.name, p.type, p.description, p.required));
         // Convert auth requirement configs to AuthRequirement instances
         const authRequirements = (config.authRequirements || []).map((a) => new Models_1.AuthRequirement(a.provider, a.scopeBundle, a.required));
+        const originalMethod = descriptor.value;
+        const boundHandler = function (functionContext, params, authData) {
+            // Check if we're being called from within a ToolFunction instance context
+            // If so, use that instance; otherwise create a new one
+            const instance = (functionContext && functionContext instanceof target.constructor) ?
+                // eslint-disable-next-line @typescript-eslint/no-unsafe-call
+                functionContext : new target.constructor();
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-call
+            return originalMethod.call(instance, params, authData);
+        };
         // Immediately register with global ToolsService
-        Service_1.toolsService.registerTool(config.name, config.description, descriptor.value, parameters, config.endpoint, authRequirements);
+        Service_1.toolsService.registerTool(config.name, config.description, boundHandler, parameters, config.endpoint, authRequirements);
     };
 }
 /**
  * Decorator for registering interaction functions
  * Immediately registers the interaction with the global ToolsService
+ * The handler will have access to 'this' context when called
  */
 function interaction(config) {
-    return function (_target, _propertyKey, descriptor) {
+    return function (target, _propertyKey, descriptor) {
+        const originalMethod = descriptor.value;
+        const boundHandler = function (functionContext, data, authData) {
+            // Check if we're being called from within a ToolFunction instance context
+            // If so, use that instance; otherwise create a new one
+            const instance = (functionContext && functionContext instanceof target.constructor) ?
+                // eslint-disable-next-line @typescript-eslint/no-unsafe-call
+                functionContext : new target.constructor();
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-call
+            return originalMethod.call(instance, data, authData);
+        };
         // Immediately register with global ToolsService
-        Service_1.toolsService.registerInteraction(config.name, descriptor.value, config.endpoint);
+        Service_1.toolsService.registerInteraction(config.name, boundHandler, config.endpoint);
     };
 }
 //# sourceMappingURL=Decorator.js.map

package/dist/decorator/Decorator.js.map

@@ -1 +1 @@
-{"version":3,"file":"Decorator.js","sourceRoot":"","sources":["../../src/decorator/Decorator.ts"],"names":[],"mappings":";;AA6CA,oBAsBC;AAMD,kCASC;AAlFD,4CAA4E;AAC5E,gDAAkD;AAwClD;;;GAGG;AACH,SAAgB,IAAI,CAAC,MAAkB;IACrC,OAAO,UAAS,OAAY,EAAE,YAAoB,EAAE,UAA8B;QAChF,mDAAmD;QACnD,MAAM,UAAU,GAAG,CAAC,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACrD,IAAI,kBAAS,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CACzD,CAAC;QAEF,gEAAgE;QAChE,MAAM,gBAAgB,GAAG,CAAC,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACjE,IAAI,wBAAe,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAC3D,CAAC;QAEF,gDAAgD;QAChD,sBAAY,CAAC,YAAY,CACvB,MAAM,CAAC,IAAI,EACX,MAAM,CAAC,WAAW,EAClB,UAAU,CAAC,KAAK,EAChB,UAAU,EACV,MAAM,CAAC,QAAQ,EACf,gBAAgB,CACjB,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,WAAW,CAAC,MAAyB;IACnD,OAAO,UAAS,OAAY,EAAE,YAAoB,EAAE,UAA8B;QAChF,gDAAgD;QAChD,sBAAY,CAAC,mBAAmB,CAC9B,MAAM,CAAC,IAAI,EACX,UAAU,CAAC,KAAK,EAChB,MAAM,CAAC,QAAQ,CAChB,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC"}
+{"version":3,"file":"Decorator.js","sourceRoot":"","sources":["../../src/decorator/Decorator.ts"],"names":[],"mappings":";;AA8CA,oBAmCC;AAOD,kCAsBC;AA9GD,4CAA4E;AAC5E,gDAAkD;AAwClD;;;;GAIG;AACH,SAAgB,IAAI,CAAC,MAAkB;IACrC,OAAO,UAAS,MAAW,EAAE,YAAoB,EAAE,UAA8B;QAC/E,mDAAmD;QACnD,MAAM,UAAU,GAAG,CAAC,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACrD,IAAI,kBAAS,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CACzD,CAAC;QAEF,gEAAgE;QAChE,MAAM,gBAAgB,GAAG,CAAC,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACjE,IAAI,wBAAe,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAC3D,CAAC;QAEF,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,CAAC;QAExC,MAAM,YAAY,GAAG,UAAS,eAAoB,EAAE,MAAW,EAAE,QAAa;YAC5E,0EAA0E;YAC1E,uDAAuD;YACvD,MAAM,QAAQ,GAAG,CAAC,eAAe,IAAI,eAAe,YAAY,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;gBACnF,6DAA6D;gBAC7D,eAAe,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;YAE7C,6DAA6D;YAC7D,OAAO,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QACzD,CAAC,CAAC;QAEF,gDAAgD;QAChD,sBAAY,CAAC,YAAY,CACvB,MAAM,CAAC,IAAI,EACX,MAAM,CAAC,WAAW,EAClB,YAAY,EACZ,UAAU,EACV,MAAM,CAAC,QAAQ,EACf,gBAAgB,CACjB,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAgB,WAAW,CAAC,MAAyB;IACnD,OAAO,UAAS,MAAW,EAAE,YAAoB,EAAE,UAA8B;QAC/E,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,CAAC;QAExC,MAAM,YAAY,GAAG,UAAS,eAAoB,EAAE,IAAS,EAAE,QAAc;YAC3E,0EAA0E;YAC1E,uDAAuD;YACvD,MAAM,QAAQ,GAAG,CAAC,eAAe,IAAI,eAAe,YAAY,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;gBACnF,6DAA6D;gBAC7D,eAAe,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;YAE7C,6DAA6D;YAC7D,OAAO,cAAc,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;QACvD,CAAC,CAAC;QAEF,gDAAgD;QAChD,sBAAY,CAAC,mBAAmB,CAC9B,MAAM,CAAC,IAAI,EACX,YAAY,EACZ,MAAM,CAAC,QAAQ,CAChB,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC"}