@pan-sec/notebooklm-mcp 2026.2.11 → 2026.3.1

package/README.md

@@ -7,7 +7,7 @@
 **Zero-hallucination answers • Gemini Deep Research • 17 Security Layers • Enterprise Compliance**
 
 [![npm](https://img.shields.io/npm/v/@pan-sec/notebooklm-mcp?color=blue)](https://www.npmjs.com/package/@pan-sec/notebooklm-mcp)
-[![CalVer](https://img.shields.io/badge/CalVer-2026.x.x-blue.svg)](https://calver.org/)
+[![CalVer](https://img.shields.io/badge/CalVer-2026.3.1-blue.svg)](https://calver.org/)
 [![TypeScript](https://img.shields.io/badge/TypeScript-5.x-blue.svg)](https://www.typescriptlang.org/)
 [![MCP](https://img.shields.io/badge/MCP-2026-green.svg)](https://modelcontextprotocol.io/)
 [![Platform](https://img.shields.io/badge/Platform-Linux%20%7C%20macOS%20%7C%20Windows-lightgrey.svg)](#cross-platform-support)
@@ -17,7 +17,7 @@
 [![Documents](https://img.shields.io/badge/Documents-API%20Upload-34A853.svg)](#-document-api-v190)
 [![Notebooks](https://img.shields.io/badge/Notebooks-Create%20%26%20Manage-orange.svg)](#programmatic-notebook-creation-v170)
 [![Compliance](https://img.shields.io/badge/Compliance%20Ready-GDPR%20%7C%20SOC2%20%7C%20CSSF-blue.svg)](./docs/COMPLIANCE-SPEC.md)
-[![Tests](https://img.shields.io/badge/Tests-168%20Passing-brightgreen.svg)](./tests/)
+[![Tests](https://img.shields.io/badge/Tests-609%20Passing-brightgreen.svg)](./tests/)
 
 [**What's New 2026**](#-whats-new-in-2026) • [**Deep Research**](#-gemini-deep-research) • [**Document API**](#-document-api) • [**Create Notebooks**](#programmatic-notebook-creation) • [**Security**](#security-features) • [**Install**](#installation)
 
@@ -44,10 +44,12 @@
 
 ## 🚀 What's New in 2026
 
-**Latest: v2026.2.10** — 17 security layers, handler architecture overhaul, secure-by-default auth
+**Latest: v2026.3.1** — All 334 audit issues resolved. 631 tests. Full MCP protocol compliance.
 
 | Version | Highlights |
 |---------|------------|
+| **v2026.3.1** | **Security Audit Complete** — All 334 issues from the independent audit resolved. Tests: 609 → 631. Code quality: URL resolution deduplicated, handler extraction, non-null assertions eliminated. Test gaps closed: `validateNotebookId`, error body shape, `delete_document` confirm guard, sanitized throws, log rotation, rate-limiter memory bound, range clamping. |
+| **v2026.3.0** | **The Security Audit Release** — Four parallel AI code reviews (security, protocol, architecture, testing) against 334 issues. All highs and mediums resolved. Tests: 139 → 609 across 50 files (4.4×). Full MCP protocol compliance: structuredContent, isError, transport tags. Schema bounds on all 48 tools. Annotation correctness. Webhook SSRF fix. Audit log integrity (hash chain, concurrent write lock, rotation continuity). Per-page mutex. HandlerContext DI. Cert pinning retracted (claims aligned with implementation). |
 | **v2026.2.10** | **The Hardening Release** — 3 new security layers (14→17): secure-by-default auth, exponential backoff lockout, credential isolation. Architecture overhaul: 3,611-line handler split into 9 domain modules, tool registry pattern. Gemini API retry with backoff. Multi-stage Docker build. Token CLI (`token show/rotate`). 168 tests. |
 | **v2026.2.9** | `performSetup` no longer wipes credentials before Chrome opens — prevents auth destruction on failed launch |
 | **v2026.2.8** | `cleanup_data` never deletes auth dirs (`browser_state/`, `chrome_profile/`) — auth survives all cleanup paths |
@@ -80,13 +82,50 @@ claude mcp add notebooklm -- npx @pan-sec/notebooklm-mcp@latest
 | Create notebooks programmatically | ❌ | ✅ **UNIQUE** |
 | Gemini Deep Research | ❌ | ✅ **EXCLUSIVE** |
 | Document API (no browser) | ❌ | ✅ **EXCLUSIVE** |
-| Post-quantum encryption | ❌ | ✅ **Future-proof** |
+| Post-quantum encryption | ❌ | ✅ **Hybrid PQ at-rest** |
 | Enterprise compliance | ❌ | ✅ **GDPR/SOC2/CSSF-ready** |
 | Video Overview generation | ❌ | ✅ **NEW** |
 | Data Table extraction | ❌ | ✅ **NEW** |
 | Chat history extraction | ❌ | ✅ |
 | Deep health verification | ❌ | ✅ |
 
+---
+
+## 🔬 Security Audit 2026 — What We Found and Fixed
+
+In April 2026, we commissioned a parallel deep-audit of v2026.2.11 (`main @ 2973097`) using four specialised AI code reviewers, each focused on a different attack surface: **security vulnerabilities**, **protocol correctness**, **architecture quality**, and **testing gaps and edge cases**. The four reviewers operated independently so their findings wouldn't influence each other. Together they produced a **334-item master issue list** covering protocol correctness, security vulnerabilities, architecture flaws, test gaps, and documentation accuracy. All 334 issues are resolved across v2026.3.0 and v2026.3.1.
+
+### Audit by the Numbers
+
+| Metric | Before (v2026.2.11) | After (v2026.3.1) |
+|--------|---------------------|--------------------|
+| Tests | 139 | **631 across 50 files** |
+| Test suites | ~6 | **50** |
+| TypeScript errors (`tsc --noEmit`) | 0 | **0 (maintained)** |
+| npm audit vulnerabilities | 0 | **0 (maintained)** |
+| MCP protocol compliance | Partial | **Full** (structuredContent, isError, transport tags) |
+| Audit log integrity | Basic | **Hash-chain verified on read** |
+| Concurrent write safety | ❌ | **✅ Write-locked** |
+| Webhook SSRF | ❌ | **✅ Blocked** |
+
+### What the Four Reviewers Found
+
+**Security reviewer:** Identified the `forceAuth` bypass in `validateToken()` allowing unauthenticated access to filesystem tools; webhook SSRF via unvalidated delivery targets; audit log hash chain not verified on read; concurrent audit writes interleaving entries; auth token salt not persisted (tokens invalidated on restart).
+
+**Protocol reviewer:** Found 38 tools returning incorrect response shapes (missing `structuredContent`, wrong `isError` semantics, transport tags leaking into content); all 48 tools had incorrect or missing `readOnlyHint`/`idempotentHint`/`destructiveHint` annotations; 9 tool schemas lacked numeric bounds, enabling out-of-range inputs.
+
+**Architecture reviewer:** Flagged the 3,611-line `handlers.ts` as a maintenance liability; singleton imports throughout domain functions preventing unit testing; the 500-line `switch/case` dispatch adding O(n) overhead and making tool registration error-prone.
+
+**Testing & edge-case reviewer:** Found test suite at 139 tests with minimal coverage of security-critical modules; `mcp-auth.ts` at near-zero coverage; no tests for prompt injection patterns, audit log tampering, or concurrent browser session state; the DSAR handler had an undetected race condition.
+
+### Key Fixes
+
+- **17 security vulnerabilities** addressed (auth bypass, SSRF, audit integrity, race conditions, selector injection vectors)
+- **MCP protocol fully compliant** — all 48 tools return correct `structuredContent`/`isError` shapes; annotations accurate; schema bounds enforced
+- **Architecture decomposed** — `handlers.ts` split into 9 domain modules with HandlerContext dependency injection; 100% unit-testable without process mocks
+- **Test coverage** — 15 new security-critical test suites including browser session, auth, prompt injection, audit log, webhook, DSAR, and compliance
+- **Claims aligned** — certificate pinning removed (implementation was retracted in Day 1 of the audit); PQ encryption scope documented accurately; compliance language uses "controls implemented" not "certified"
+
 <details>
 <summary><b>📋 Full Feature List (48 Tools)</b></summary>
 
@@ -208,7 +247,7 @@ Run deep research in the background and check progress:
 
 ```
 ┌──────────────────────────────────────────────────────────────────────────────┐
-│                      NotebookLM MCP Server v2026.2.x                         │
+│                      NotebookLM MCP Server v2026.3.x                         │
 ├──────────────────────────────────────────────────────────────────────────────┤
 │                                                                              │
 │  ┌────────────────────────────────┐    ┌──────────────────────────────────┐  │
@@ -237,7 +276,7 @@ Run deep research in the background and check progress:
 │                      ┌─────────────────────────────────┐                     │
 │                      │       17 SECURITY LAYERS        │                     │
 │                      │   Post-Quantum • Audit Logs     │                     │
-│                      │   Cert Pinning • Memory Wipe    │                     │
+│                      │   Secrets Scan • Memory Wipe    │                     │
 │                      │  GDPR • SOC2 • CSSF Ready*      │                     │
 │                      └─────────────────────────────────┘                     │
 └──────────────────────────────────────────────────────────────────────────────┘
@@ -644,9 +683,8 @@ This fork adds **17 security hardening layers** to protect that data.
 
 | Layer | Feature | Protection |
 |-------|---------|------------|
-| 🔐 | **Post-Quantum Encryption** | ML-KEM-768 + ChaCha20-Poly1305 hybrid |
+| 🔐 | **Post-Quantum Encryption** | ML-KEM-768 + ChaCha20-Poly1305 hybrid (local at-rest) |
 | 🔍 | **Secrets Scanning** | Detects 30+ credential patterns (AWS, GitHub, Slack...) |
-| 📌 | **Certificate Pinning** | Blocks MITM attacks on Google connections |
 | 🧹 | **Memory Scrubbing** | Zeros sensitive data after use |
 | 📝 | **Audit Logging** | Tamper-evident logs with hash chains |
 | ⏱️ | **Session Timeout** | 8h hard limit + 30m inactivity auto-logout |
@@ -661,9 +699,9 @@ This fork adds **17 security hardening layers** to protect that data.
 | 📈 | **Exponential Backoff** | Lockout escalation: 5min → 15min → 45min → 4hr cap |
 | 🗝️ | **Credential Isolation** | SecureCredential TTL + env var scrubbing from process.env |
 
-### Post-Quantum Ready
+### Post-Quantum Primitives (Local At-Rest)
 
-Traditional encryption (RSA, ECDH) will be broken by quantum computers. This fork uses **hybrid encryption**:
+Encryption of secrets on disk uses hybrid post-quantum primitives:
 
 ```
 ML-KEM-768 (Kyber) + ChaCha20-Poly1305
@@ -672,7 +710,12 @@ ML-KEM-768 (Kyber) + ChaCha20-Poly1305
 - **ML-KEM-768**: NIST-standardized post-quantum key encapsulation
 - **ChaCha20-Poly1305**: Modern stream cipher (immune to timing attacks)
 
-Even if one algorithm is broken, the other remains secure.
+**Scope, honestly:** this is **local at-rest** encryption. Both keys live
+on the same machine — the PQ secret key is wrapped with a classical key
+derived from a machine-bound secret, not held by a remote recipient.
+This protects against offline theft of individual encrypted files, not
+against Harvest-Now-Decrypt-Later attacks (those require a remote PQ
+recipient holding the unwrap key).
 
 ### Cross-Platform Support
 
@@ -688,7 +731,7 @@ All sensitive files (encryption keys, auth tokens, audit logs) are automatically
 
 ### Enterprise Compliance-Ready Architecture (v1.6.0+)
 
-Built to the standards required for regulated industries. All controls are implemented — formal certification (SOC2 Type II report, GDPR registration, CSSF submission) requires a third-party audit engagement.
+Built to the standards required for regulated industries. All code-level technical controls are implemented — full compliance also requires organizational process controls (policies, training, vendor management). Formal certification (SOC2 Type II report, GDPR registration, CSSF submission) requires a third-party audit engagement.
 
 | Regulation | Controls Implemented |
 |------------|----------|
@@ -733,6 +776,8 @@ All core NotebookLM features work immediately with just browser authentication:
 
 **Optional:** Add `GEMINI_API_KEY` for bonus features like `deep_research`, `gemini_query`, and `upload_document`.
 
+For repeatable authenticated validation, see the [Authenticated Testing Runbook](./docs/testing-runbook.md).
+
 ---
 
 ### Claude Code
@@ -989,7 +1034,7 @@ Go to [notebooklm.google.com](https://notebooklm.google.com) → Create notebook
 | Browser cookies | Post-quantum encrypted at rest |
 | Session tokens | Auto-expire + memory scrubbing |
 | Query history | Audit logged with tamper detection |
-| Google connection | Certificate pinned (MITM blocked) |
+| Google connection | TLS with response validation |
 | Log output | Credentials auto-redacted |
 | API responses | Scanned for leaked secrets |
 | Gemini API key | Secure memory handling |
@@ -1029,9 +1074,6 @@ NLMCP_SECRETS_SCANNING=true
 NLMCP_SECRETS_BLOCK=false         # Block on detection
 NLMCP_SECRETS_REDACT=true         # Auto-redact
 
-# Certificate Pinning
-NLMCP_CERT_PINNING=true
-
 # Audit Logging
 NLMCP_AUDIT_ENABLED=true
 
@@ -1111,9 +1153,8 @@ Or integrate in CI/CD:
 | Feature | Others | @pan-sec/notebooklm-mcp |
 |---------|--------|-------------------------|
 | Cross-platform (Linux/macOS/Windows) | ⚠️ Partial | ✅ Full |
-| **Post-quantum encryption** | ❌ | ✅ ML-KEM-768 + ChaCha20 |
+| **Post-quantum encryption** | ❌ | ✅ ML-KEM-768 + ChaCha20 (local at-rest) |
 | **Secrets scanning** | ❌ | ✅ 30+ patterns |
-| **Certificate pinning** | ❌ | ✅ Google MITM protection |
 | **Memory scrubbing** | ❌ | ✅ Zero-on-free |
 | **Audit logging** | ❌ | ✅ Hash-chained |
 | **MCP authentication** | ❌ | ✅ Token + lockout |
@@ -1122,7 +1163,7 @@ Or integrate in CI/CD:
 | **SOC2 Type II** | ❌ | ✅ Controls implemented* |
 | **CSSF (Luxembourg)** | ❌ | ✅ Controls implemented* |
 
-> \* Compliance-ready: all required controls are implemented. Formal certification (SOC2 Type II report, GDPR registration, CSSF submission) requires a third-party audit engagement.
+> \* Compliance-ready: code-level technical controls are implemented. Full compliance also requires organizational process controls and formal certification via third-party audit.
 
 > **Bottom line**: If you need more than basic queries, or care about security, there's only one choice.
 
@@ -1132,6 +1173,8 @@ Or integrate in CI/CD:
 
 | Version | Highlights |
 |---------|------------|
+| **v2026.3.1** | ✅ **Security Audit Complete** — All 334 issues resolved. Tests 609→631. Code quality + test gap phase. |
+| **v2026.3.0** | 🔬 **Security Audit Release** — 334-issue independent audit. Tests 139→609 (50 files). Full MCP protocol compliance. Webhook SSRF fix. Audit log hash-chain verified on read. Per-page mutex. HandlerContext DI. Cert pinning retracted. |
 | **v2026.2.9** | 🔐 `performSetup` no longer destroys credentials before Chrome opens — last root cause of auth loop fixed |
 | **v2026.2.8** | 🛡️ `cleanup_data` excludes `browser_state/` and `chrome_profile/` from all deletion paths — auth survives cleanup |
 | **v2026.2.7** | 🚫 Block headless `setup_auth`; `auth-now.mjs` standalone script handles Chrome profile locks and silent save failures |

package/SECURITY.md

@@ -2,27 +2,33 @@
 
 This is a security-hardened fork of [PleasePrompto/notebooklm-mcp](https://github.com/PleasePrompto/notebooklm-mcp), maintained by [Pantheon Security](https://pantheonsecurity.io).
 
-**Version**: 1.5.1
-**Security Features**: 14 hardening layers
+**Version**: 2026.3.1
+**Security Features**: 17 hardening layers
 **Platforms**: Linux, macOS, Windows
 
+> **v2026.3.1 — Security Audit Complete.** In April 2026 we ran a parallel deep-audit of this codebase using four specialised AI code reviewers, each independently focused on a different attack surface. They produced a 334-item master issue list. All 334 issues are resolved across v2026.3.0 and v2026.3.1. See [CHANGELOG.md](./CHANGELOG.md) for the full list.
+
 ## Security Features Overview
 
 | Feature | Status | Description |
 |---------|--------|-------------|
-| Input Validation | ✅ | URL whitelisting, sanitization |
+| Input Validation | ✅ | URL whitelisting, Zod schemas, injection prevention |
 | Rate Limiting | ✅ | Per-session request throttling |
-| Log Sanitization | ✅ | Credential masking |
-| Audit Logging | ✅ | Tamper-evident event logging |
+| Log Sanitization | ✅ | Credential masking, PII redaction |
+| Audit Logging | ✅ | Hash-chained tamper-evident logs, verified on read |
 | Session Timeout | ✅ | Hard lifetime + inactivity limits |
-| MCP Authentication | ✅ | Token-based auth with lockout |
-| Response Validation | ✅ | Prompt injection detection |
-| **Post-Quantum Encryption** | ✅ | ML-KEM-768 + ChaCha20-Poly1305 |
-| **Secrets Scanning** | ✅ | Detect API keys, tokens, passwords |
-| **Certificate Pinning** | ✅ | Google TLS MITM protection |
-| **Memory Scrubbing** | ✅ | Zero sensitive data after use |
-| **MEDUSA Integration** | ✅ | Automated security scanning |
+| MCP Authentication | ✅ | Token-based auth with persistent salt + lockout |
+| Response Validation | ✅ | Prompt injection detection, suspicious URL blocking |
+| **Post-Quantum Encryption** | ✅ | ML-KEM-768 + ChaCha20-Poly1305 (local at-rest) |
+| **Secrets Scanning** | ✅ | Detect 30+ credential patterns (AWS, GitHub, Slack…) |
+| **Memory Scrubbing** | ✅ | Zero sensitive data after use, FinalizationRegistry cleanup |
+| **MEDUSA Integration** | ✅ | Automated security scanning in CI |
 | **Cross-Platform Permissions** | ✅ | Secure file permissions on all OSes |
+| **Secure-by-Default Auth** | ✅ | Auth enabled without configuration; explicit opt-out via `NLMCP_AUTH_DISABLED=true` |
+| **Exponential Backoff Lockout** | ✅ | Failed auth lockouts escalate 5min → 15min → 45min → 4hr; `lockoutCount` persists |
+| **Credential Isolation** | ✅ | `LOGIN_PASSWORD` and `GEMINI_API_KEY` wrapped in `SecureCredential` with 30-min TTL; env vars scrubbed from `process.env` |
+| **Webhook SSRF Protection** | ✅ | Delivery targets validated against SSRF blocklist; HMAC signing on all deliveries |
+| **Per-Page Mutex** | ✅ | Browser page operations serialised per-page to prevent race conditions |
 
 ---
 
@@ -58,16 +64,23 @@ All sensitive files are automatically protected with owner-only permissions:
 
 ---
 
-## Post-Quantum Encryption
-
-### Why Post-Quantum?
+## Post-Quantum Encryption (Local At-Rest)
 
-Recent events (including alleged quantum computer attacks on major infrastructure) highlight the urgency of preparing for "Q-Day" - when quantum computers can break classical encryption.
+### Scope
 
-This MCP uses **hybrid post-quantum encryption** that combines:
+Secrets written to disk (cookies, session state, auth tokens, PQ key pair) are encrypted with hybrid post-quantum primitives:
 - **ML-KEM-768 (Kyber)** - NIST-standardized post-quantum key encapsulation
 - **ChaCha20-Poly1305** - Modern stream cipher (NOT AES-GCM)
 
+### What this does and does not protect against
+
+This is **local at-rest** encryption. Both keys live on the same machine: the PQ secret key is wrapped with a classical key derived from a machine-bound secret, not held by a remote recipient.
+
+- ✅ Protects against **offline theft** of individual encrypted files (backup leak, misplaced disk)
+- ✅ Defence-in-depth on top of the underlying filesystem permissions
+- ❌ Does **NOT** protect against Harvest-Now-Decrypt-Later attacks — that threat model requires a remote PQ recipient holding the unwrap key, which this implementation does not have
+- ❌ Does **NOT** protect against an attacker who compromises the host — they can read the machine-derived key and unwrap the PQ secret key in the same step
+
 ### Why ChaCha20-Poly1305 over AES-GCM?
 
 | Property | ChaCha20-Poly1305 | AES-GCM |
@@ -158,41 +171,6 @@ NLMCP_SECRETS_IGNORE=pattern1,pattern2  # Ignore specific patterns
 
 ---
 
-## Certificate Pinning
-
-Protects HTTPS connections to Google by validating server certificate chains against known-good SPKI hashes.
-
-### Why Certificate Pinning?
-
-Prevents man-in-the-middle attacks even if:
-- A rogue CA certificate is installed on the system
-- Corporate proxies attempt SSL inspection
-- DNS is compromised
-
-### Pinned Certificates
-
-- **GTS Root R1-R4** - Google Trust Services roots
-- **GlobalSign Root CA R2** - Backup root
-- **DigiCert Global Root G2** - Backup root
-
-### Configuration
-
-```bash
-NLMCP_CERT_PINNING=true          # Enable pinning (default: true)
-NLMCP_CERT_FAIL_OPEN=false       # Allow on failure (default: false)
-NLMCP_CERT_REPORT_ONLY=false     # Log but don't block (default: false)
-```
-
-### Violation Response
-
-```
-🔒 Certificate pinning violation for notebooklm.google.com
-   Chain hashes: abc123...
-   Expected one of: hxqRlP..., Vfd95B...
-```
-
----
-
 ## Memory Scrubbing
 
 Sensitive data is securely wiped from memory after use to prevent:
@@ -431,7 +409,7 @@ This MCP uses browser automation (Patchright) which:
 The Chrome profile directory itself is not fully encrypted:
 - `~/.local/share/notebooklm-mcp/chrome_profile/`
 
-The sensitive state files (cookies, session) ARE encrypted with post-quantum cryptography.
+The sensitive state files (cookies, session) ARE encrypted with hybrid post-quantum primitives for at-rest protection. See [Post-Quantum Encryption (Local At-Rest)](#post-quantum-encryption-local-at-rest) above for the exact threat model this covers.
 
 ---
 
@@ -493,18 +471,10 @@ import {
   scanAndRedactSecrets,
 } from './utils/secrets-scanner.js';
 
-// Certificate pinning
-import {
-  CertificatePinningManager,
-  getCertificatePinningManager,
-  validateCertificatePin,
-} from './utils/cert-pinning.js';
-
 // Memory security
 import {
   SecureString,
   SecureCredential,
-  SecureObject,
   zeroBuffer,
   withSecureCredential,
   secureCompare,

package/dist/auth/auth-manager.d.ts

@@ -11,6 +11,7 @@
  *
  * Based on the Python implementation from auth.py
  */
+/// <reference types="node" resolution-mode="require"/>
 import type { BrowserContext, Page } from "patchright";
 import type { ProgressCallback } from "../types.js";
 export declare class AuthManager {
@@ -94,7 +95,7 @@ export declare class AuthManager {
      *
      * SIMPLE & RELIABLE: Just wait for URL to change to notebooklm.google.com
      */
-    performLogin(page: Page, sendProgress?: ProgressCallback): Promise<boolean>;
+    performLogin(page: Page, sendProgress?: ProgressCallback, signal?: AbortSignal): Promise<boolean>;
     /**
      * Attempt to authenticate using configured credentials
      */

package/dist/auth/auth-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-manager.d.ts","sourceRoot":"","sources":["../../src/auth/auth-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAYvD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAoBpD,qBAAa,WAAW;IACtB,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,eAAe,CAAS;IAChC,OAAO,CAAC,YAAY,CAAS;;IAa7B;;;;OAIG;IACG,gBAAgB,CAAC,OAAO,EAAE,cAAc,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC;IAsD9E;;OAEG;IACG,aAAa,IAAI,OAAO,CAAC,OAAO,CAAC;IAKvC;;OAEG;IACH,YAAY,IAAI,MAAM,GAAG,IAAI;IAQ7B;;OAEG;IACG,iBAAiB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAejD;;OAEG;IACG,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;IAuBlE;;OAEG;IACG,aAAa,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;IAoC9D;;OAEG;IACG,qBAAqB,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;IAiDtE;;;;;;;;;;;;;;;;OAgBG;IACG,iBAAiB,CACrB,OAAO,EAAE,cAAc,EACvB,UAAU,SAAI,GACb,OAAO,CAAC,OAAO,CAAC;IAmDnB;;;OAGG;YACW,mBAAmB;IAYjC;;;;OAIG;YACW,cAAc;IAa5B;;;;OAIG;YACW,sBAAsB;IAoBpC;;;OAGG;IACG,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;IA+BxC;;;;;OAKG;IACG,YAAY,CAAC,IAAI,EAAE,IAAI,EAAE,YAAY,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;IAmFjF;;OAEG;IACG,oBAAoB,CACxB,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,IAAI,EACV,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,OAAO,CAAC;IA2InB;;;;;OAKG;YACW,yBAAyB;IA4BvC;;;;;OAKG;YACW,eAAe;IAsB7B;;OAEG;YACW,oBAAoB;IA+BlC;;OAEG;YACW,cAAc;IA2H5B;;OAEG;YACW,YAAY;IA+F1B;;OAEG;YACW,SAAS;IAuBvB;;;OAGG;IACG,aAAa,CAAC,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAiCjF;;;;;;;;;;;;;;;;OAgBG;IACG,YAAY,CAAC,YAAY,CAAC,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAmFjG;;;;;;;;;;OAUG;IACG,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC;IAmDvC;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,OAAO,CAAC;IAkBpC;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;CAgDzC"}
+{"version":3,"file":"auth-manager.d.ts","sourceRoot":"","sources":["../../src/auth/auth-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAYvD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AA6BpD,qBAAa,WAAW;IACtB,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,eAAe,CAAS;IAChC,OAAO,CAAC,YAAY,CAAS;;IAa7B;;;;OAIG;IACG,gBAAgB,CAAC,OAAO,EAAE,cAAc,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC;IAoD9E;;OAEG;IACG,aAAa,IAAI,OAAO,CAAC,OAAO,CAAC;IAKvC;;OAEG;IACH,YAAY,IAAI,MAAM,GAAG,IAAI;IAQ7B;;OAEG;IACG,iBAAiB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAejD;;OAEG;IACG,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;IA4BlE;;OAEG;IACG,aAAa,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;IAoC9D;;OAEG;IACG,qBAAqB,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;IAiDtE;;;;;;;;;;;;;;;;OAgBG;IACG,iBAAiB,CACrB,OAAO,EAAE,cAAc,EACvB,UAAU,SAAI,GACb,OAAO,CAAC,OAAO,CAAC;IAmDnB;;;OAGG;YACW,mBAAmB;IAajC;;;;OAIG;YACW,cAAc;IAc5B;;;;OAIG;YACW,sBAAsB;IAmBpC;;;OAGG;IACG,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;IAgCxC;;;;;OAKG;IACG,YAAY,CAChB,IAAI,EAAE,IAAI,EACV,YAAY,CAAC,EAAE,gBAAgB,EAC/B,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,OAAO,CAAC;IAgHnB;;OAEG;IACG,oBAAoB,CACxB,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,IAAI,EACV,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,OAAO,CAAC;IAqJnB;;;;;OAKG;YACW,yBAAyB;IA6BvC;;;;;OAKG;YACW,eAAe;IAuB7B;;OAEG;YACW,oBAAoB;IAgClC;;OAEG;YACW,cAAc;IAiI5B;;OAEG;YACW,YAAY;IAkG1B;;OAEG;YACW,SAAS;IAwBvB;;;OAGG;IACG,aAAa,CAAC,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAiCjF;;;;;;;;;;;;;;;;OAgBG;IACG,YAAY,CAAC,YAAY,CAAC,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IA6FjG;;;;;;;;;;OAUG;IACG,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC;IAoDvC;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,OAAO,CAAC;IAkBpC;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;CAmDzC"}