@plumbus/core 0.1.0

package/dist/audit/service.js

@@ -0,0 +1,28 @@
+import { auditRecords } from './schema.js';
+/**
+ * Creates a persistent AuditService that writes records to PostgreSQL.
+ */
+export function createAuditService(config) {
+    const { db, auth, component = 'system' } = config;
+    return {
+        async record(eventType, metadata) {
+            const outcome = metadata?.outcome ?? 'success';
+            const maskedFields = metadata?._maskedFields ?? undefined;
+            // Strip internal meta keys from stored metadata
+            const storedMetadata = metadata ? { ...metadata } : undefined;
+            if (storedMetadata) {
+                delete storedMetadata._maskedFields;
+            }
+            await db.insert(auditRecords).values({
+                actor: auth.userId ?? 'anonymous',
+                tenantId: auth.tenantId ?? null,
+                component,
+                action: eventType,
+                outcome,
+                metadata: storedMetadata ?? null,
+                maskedFields: maskedFields ?? null,
+            });
+        },
+    };
+}
+//# sourceMappingURL=service.js.map

package/dist/audit/service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.js","sourceRoot":"","sources":["../../src/audit/service.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAS3C;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAA0B;IAC3D,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,GAAG,QAAQ,EAAE,GAAG,MAAM,CAAC;IAElD,OAAO;QACL,KAAK,CAAC,MAAM,CAAC,SAAiB,EAAE,QAAkC;YAChE,MAAM,OAAO,GAAI,QAAQ,EAAE,OAAkB,IAAI,SAAS,CAAC;YAC3D,MAAM,YAAY,GAAI,QAAQ,EAAE,aAA0B,IAAI,SAAS,CAAC;YAExE,gDAAgD;YAChD,MAAM,cAAc,GAAG,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9D,IAAI,cAAc,EAAE,CAAC;gBACnB,OAAO,cAAc,CAAC,aAAa,CAAC;YACtC,CAAC;YAED,MAAM,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC;gBACnC,KAAK,EAAE,IAAI,CAAC,MAAM,IAAI,WAAW;gBACjC,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;gBAC/B,SAAS;gBACT,MAAM,EAAE,SAAS;gBACjB,OAAO;gBACP,QAAQ,EAAE,cAAc,IAAI,IAAI;gBAChC,YAAY,EAAE,YAAY,IAAI,IAAI;aACnC,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/auth/__tests__/adapter.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=adapter.test.d.ts.map

package/dist/auth/__tests__/adapter.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.test.d.ts","sourceRoot":"","sources":["../../../src/auth/__tests__/adapter.test.ts"],"names":[],"mappings":""}

package/dist/auth/__tests__/adapter.test.js

@@ -0,0 +1,218 @@
+import { createHmac } from 'node:crypto';
+import { describe, expect, it } from 'vitest';
+import { createJwtAdapter, signJwt } from '../adapter.js';
+const TEST_SECRET = 'test-secret';
+/** Helper: create a properly HMAC-signed JWT with an arbitrary payload. */
+function signedJwt(secret, payload) {
+    const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
+    const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const sig = createHmac('sha256', secret).update(`${header}.${body}`).digest('base64url');
+    return `${header}.${body}.${sig}`;
+}
+/** Helper: create a fake-signed JWT (invalid signature). */
+function fakeJwt(payload) {
+    const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
+    const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const sig = createHmac('sha256', 'not-the-real-secret')
+        .update(`${header}.${body}`)
+        .digest('base64url');
+    return `${header}.${body}.${sig}`;
+}
+describe('createJwtAdapter', () => {
+    const adapter = createJwtAdapter({ secret: TEST_SECRET });
+    it('returns null for missing authorization header', async () => {
+        const result = await adapter.authenticate(undefined);
+        expect(result).toBeNull();
+    });
+    it('returns null for non-Bearer token', async () => {
+        const result = await adapter.authenticate('Basic abc123');
+        expect(result).toBeNull();
+    });
+    it('returns null for malformed JWT', async () => {
+        const result = await adapter.authenticate('Bearer not.a.valid.jwt');
+        expect(result).toBeNull();
+    });
+    it('returns null for invalid signature', async () => {
+        const token = fakeJwt({
+            sub: 'user-42',
+            exp: Math.floor(Date.now() / 1000) + 3600,
+        });
+        const result = await adapter.authenticate(`Bearer ${token}`);
+        expect(result).toBeNull();
+    });
+    it('returns null for token signed with wrong secret', async () => {
+        const token = signedJwt('wrong-secret', {
+            sub: 'user-42',
+            exp: Math.floor(Date.now() / 1000) + 3600,
+        });
+        const result = await adapter.authenticate(`Bearer ${token}`);
+        expect(result).toBeNull();
+    });
+    it('extracts AuthContext from valid JWT claims', async () => {
+        const token = signedJwt(TEST_SECRET, {
+            sub: 'user-42',
+            roles: ['admin', 'editor'],
+            scope: 'read write',
+            tenant_id: 't-1',
+            iat: Math.floor(Date.now() / 1000) - 60,
+            exp: Math.floor(Date.now() / 1000) + 3600,
+        });
+        const result = await adapter.authenticate(`Bearer ${token}`);
+        expect(result).not.toBeNull();
+        expect(result?.userId).toBe('user-42');
+        expect(result?.roles).toEqual(['admin', 'editor']);
+        expect(result?.scopes).toEqual(['read', 'write']);
+        expect(result?.tenantId).toBe('t-1');
+        expect(result?.provider).toBe('jwt');
+    });
+    it('handles space-separated scopes', async () => {
+        const token = signedJwt(TEST_SECRET, {
+            sub: 'u1',
+            scope: 'read write delete',
+            exp: Math.floor(Date.now() / 1000) + 3600,
+        });
+        const result = await adapter.authenticate(`Bearer ${token}`);
+        expect(result?.scopes).toEqual(['read', 'write', 'delete']);
+    });
+    it('handles comma-separated roles', async () => {
+        const token = signedJwt(TEST_SECRET, {
+            sub: 'u1',
+            roles: 'admin,editor',
+            exp: Math.floor(Date.now() / 1000) + 3600,
+        });
+        const result = await adapter.authenticate(`Bearer ${token}`);
+        expect(result?.roles).toEqual(['admin', 'editor']);
+    });
+    it('returns null for expired tokens', async () => {
+        const token = signedJwt(TEST_SECRET, {
+            sub: 'u1',
+            exp: Math.floor(Date.now() / 1000) - 60,
+        });
+        const result = await adapter.authenticate(`Bearer ${token}`);
+        expect(result).toBeNull();
+    });
+    it('validates issuer when configured', async () => {
+        const strictAdapter = createJwtAdapter({
+            secret: 's',
+            issuer: 'my-app',
+        });
+        const token = signedJwt('s', {
+            sub: 'u1',
+            iss: 'wrong-issuer',
+            exp: Math.floor(Date.now() / 1000) + 3600,
+        });
+        const result = await strictAdapter.authenticate(`Bearer ${token}`);
+        expect(result).toBeNull();
+    });
+    it('allows matching issuer', async () => {
+        const strictAdapter = createJwtAdapter({
+            secret: 's',
+            issuer: 'my-app',
+        });
+        const token = signedJwt('s', {
+            sub: 'u1',
+            iss: 'my-app',
+            exp: Math.floor(Date.now() / 1000) + 3600,
+        });
+        const result = await strictAdapter.authenticate(`Bearer ${token}`);
+        expect(result).not.toBeNull();
+    });
+    it('validates audience when configured', async () => {
+        const audAdapter = createJwtAdapter({
+            secret: 's',
+            audience: 'api',
+        });
+        const token = signedJwt('s', {
+            sub: 'u1',
+            aud: 'other-service',
+            exp: Math.floor(Date.now() / 1000) + 3600,
+        });
+        const result = await audAdapter.authenticate(`Bearer ${token}`);
+        expect(result).toBeNull();
+    });
+    it('supports custom claim mapping', async () => {
+        const customAdapter = createJwtAdapter({
+            secret: 's',
+            claimMapping: {
+                userId: 'user_id',
+                roles: 'permissions',
+                scopes: 'grants',
+                tenantId: 'org_id',
+            },
+        });
+        const token = signedJwt('s', {
+            user_id: 'custom-user',
+            permissions: ['superadmin'],
+            grants: 'all',
+            org_id: 'org-99',
+            exp: Math.floor(Date.now() / 1000) + 3600,
+        });
+        const result = await customAdapter.authenticate(`Bearer ${token}`);
+        expect(result?.userId).toBe('custom-user');
+        expect(result?.roles).toEqual(['superadmin']);
+        expect(result?.tenantId).toBe('org-99');
+    });
+    it('sets authenticatedAt from iat claim', async () => {
+        const iat = Math.floor(Date.now() / 1000) - 300;
+        const token = signedJwt(TEST_SECRET, {
+            sub: 'u1',
+            iat,
+            exp: Math.floor(Date.now() / 1000) + 3600,
+        });
+        const result = await adapter.authenticate(`Bearer ${token}`);
+        expect(result?.authenticatedAt).toEqual(new Date(iat * 1000));
+    });
+});
+describe('signJwt', () => {
+    it('produces a valid 3-part JWT', () => {
+        const token = signJwt({ secret: 'test', sub: 'user-1' });
+        expect(token.split('.')).toHaveLength(3);
+    });
+    it('includes sub claim', () => {
+        const token = signJwt({ secret: 'test', sub: 'user-1' });
+        const payload = JSON.parse(Buffer.from(token.split('.')[1] ?? '', 'base64url').toString('utf-8'));
+        expect(payload.sub).toBe('user-1');
+    });
+    it('includes roles and scopes', () => {
+        const token = signJwt({
+            secret: 'test',
+            sub: 'user-1',
+            roles: ['admin', 'user'],
+            scopes: ['read', 'write'],
+        });
+        const payload = JSON.parse(Buffer.from(token.split('.')[1] ?? '', 'base64url').toString('utf-8'));
+        expect(payload.roles).toEqual(['admin', 'user']);
+        expect(payload.scope).toBe('read write');
+    });
+    it('includes tenantId', () => {
+        const token = signJwt({
+            secret: 'test',
+            sub: 'user-1',
+            tenantId: 'tenant-42',
+        });
+        const payload = JSON.parse(Buffer.from(token.split('.')[1] ?? '', 'base64url').toString('utf-8'));
+        expect(payload.tenant_id).toBe('tenant-42');
+    });
+    it('sets expiration', () => {
+        const token = signJwt({ secret: 'test', sub: 'user-1', expiresIn: 3600 });
+        const payload = JSON.parse(Buffer.from(token.split('.')[1] ?? '', 'base64url').toString('utf-8'));
+        expect(payload.exp).toBeGreaterThan(Math.floor(Date.now() / 1000));
+    });
+    it('roundtrips through createJwtAdapter', async () => {
+        const secret = 'shared-secret';
+        const token = signJwt({
+            secret,
+            sub: 'user-42',
+            roles: ['owner'],
+            tenantId: 'tenant-1',
+            issuer: 'memoir-ai',
+        });
+        const adapter = createJwtAdapter({ secret, issuer: 'memoir-ai' });
+        const auth = await adapter.authenticate(`Bearer ${token}`);
+        expect(auth).not.toBeNull();
+        expect(auth?.userId).toBe('user-42');
+        expect(auth?.roles).toEqual(['owner']);
+        expect(auth?.tenantId).toBe('tenant-1');
+    });
+});
+//# sourceMappingURL=adapter.test.js.map

package/dist/auth/__tests__/adapter.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.test.js","sourceRoot":"","sources":["../../../src/auth/__tests__/adapter.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAE1D,MAAM,WAAW,GAAG,aAAa,CAAC;AAElC,2EAA2E;AAC3E,SAAS,SAAS,CAAC,MAAc,EAAE,OAAgC;IACjE,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC/F,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACxE,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACzF,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;AACpC,CAAC;AAED,4DAA4D;AAC5D,SAAS,OAAO,CAAC,OAAgC;IAC/C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC/F,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACxE,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,EAAE,qBAAqB,CAAC;SACpD,MAAM,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC;SAC3B,MAAM,CAAC,WAAW,CAAC,CAAC;IACvB,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC;AACpC,CAAC;AAED,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;IAE1D,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;QACrD,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC;QAC1D,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,wBAAwB,CAAC,CAAC;QACpE,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,KAAK,GAAG,OAAO,CAAC;YACpB,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;SAC1C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAC7D,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,KAAK,GAAG,SAAS,CAAC,cAAc,EAAE;YACtC,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;SAC1C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAC7D,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,KAAK,GAAG,SAAS,CAAC,WAAW,EAAE;YACnC,GAAG,EAAE,SAAS;YACd,KAAK,EAAE,CAAC,OAAO,EAAE,QAAQ,CAAC;YAC1B,KAAK,EAAE,YAAY;YACnB,SAAS,EAAE,KAAK;YAChB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE;YACvC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;SAC1C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAE7D,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QAClD,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrC,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,KAAK,GAAG,SAAS,CAAC,WAAW,EAAE;YACnC,GAAG,EAAE,IAAI;YACT,KAAK,EAAE,mBAAmB;YAC1B,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;SAC1C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAC7D,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,KAAK,GAAG,SAAS,CAAC,WAAW,EAAE;YACnC,GAAG,EAAE,IAAI;YACT,KAAK,EAAE,cAAc;YACrB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;SAC1C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAC7D,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,KAAK,GAAG,SAAS,CAAC,WAAW,EAAE;YACnC,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE;SACxC,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAC7D,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;QAChD,MAAM,aAAa,GAAG,gBAAgB,CAAC;YACrC,MAAM,EAAE,GAAG;YACX,MAAM,EAAE,QAAQ;SACjB,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,EAAE;YAC3B,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,cAAc;YACnB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;SAC1C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QACnE,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,KAAK,IAAI,EAAE;QACtC,MAAM,aAAa,GAAG,gBAAgB,CAAC;YACrC,MAAM,EAAE,GAAG;YACX,MAAM,EAAE,QAAQ;SACjB,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,EAAE;YAC3B,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,QAAQ;YACb,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;SAC1C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QACnE,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,UAAU,GAAG,gBAAgB,CAAC;YAClC,MAAM,EAAE,GAAG;YACX,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,EAAE;YAC3B,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,eAAe;YACpB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;SAC1C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAChE,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,aAAa,GAAG,gBAAgB,CAAC;YACrC,MAAM,EAAE,GAAG;YACX,YAAY,EAAE;gBACZ,MAAM,EAAE,SAAS;gBACjB,KAAK,EAAE,aAAa;gBACpB,MAAM,EAAE,QAAQ;gBAChB,QAAQ,EAAE,QAAQ;aACnB;SACF,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,EAAE;YAC3B,OAAO,EAAE,aAAa;YACtB,WAAW,EAAE,CAAC,YAAY,CAAC;YAC3B,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,QAAQ;YAChB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;SAC1C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QACnE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC3C,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC;QAChD,MAAM,KAAK,GAAG,SAAS,CAAC,WAAW,EAAE;YACnC,GAAG,EAAE,IAAI;YACT,GAAG;YACH,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;SAC1C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAC7D,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,SAAS,EAAE,GAAG,EAAE;IACvB,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,KAAK,GAAG,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;QACzD,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAC5B,MAAM,KAAK,GAAG,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;QACzD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACxB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CACtE,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC;YACpB,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,QAAQ;YACb,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC;YACxB,MAAM,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;SAC1B,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACxB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CACtE,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;QACjD,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC3B,MAAM,KAAK,GAAG,OAAO,CAAC;YACpB,MAAM,EAAE,MAAM;YACd,GAAG,EAAE,QAAQ;YACb,QAAQ,EAAE,WAAW;SACtB,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACxB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CACtE,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iBAAiB,EAAE,GAAG,EAAE;QACzB,MAAM,KAAK,GAAG,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1E,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACxB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CACtE,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,MAAM,GAAG,eAAe,CAAC;QAC/B,MAAM,KAAK,GAAG,OAAO,CAAC;YACpB,MAAM;YACN,GAAG,EAAE,SAAS;YACd,KAAK,EAAE,CAAC,OAAO,CAAC;YAChB,QAAQ,EAAE,UAAU;YACpB,MAAM,EAAE,WAAW;SACpB,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,gBAAgB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;QAClE,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAC3D,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;QACvC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/auth/__tests__/oidc-adapter.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=oidc-adapter.test.d.ts.map

package/dist/auth/__tests__/oidc-adapter.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-adapter.test.d.ts","sourceRoot":"","sources":["../../../src/auth/__tests__/oidc-adapter.test.ts"],"names":[],"mappings":""}

package/dist/auth/__tests__/oidc-adapter.test.js

@@ -0,0 +1,232 @@
+import { generateKeyPairSync, sign } from 'node:crypto';
+import { describe, expect, it, vi } from 'vitest';
+import { createOidcAdapter } from '../oidc-adapter.js';
+const ISSUER = 'https://auth.example.com';
+const AUDIENCE = 'my-app';
+// Generate a test RSA key pair
+const { publicKey: rsaPublicKey, privateKey: rsaPrivateKey } = generateKeyPairSync('rsa', {
+    modulusLength: 2048,
+});
+const rsaJwk = rsaPublicKey.export({ format: 'jwk' });
+rsaJwk.kid = 'test-rsa-key';
+rsaJwk.use = 'sig';
+rsaJwk.alg = 'RS256';
+// Generate a test EC key pair
+const { publicKey: ecPublicKey, privateKey: ecPrivateKey } = generateKeyPairSync('ec', {
+    namedCurve: 'P-256',
+});
+const ecJwk = ecPublicKey.export({ format: 'jwk' });
+ecJwk.kid = 'test-ec-key';
+ecJwk.use = 'sig';
+ecJwk.alg = 'ES256';
+/** Sign a JWT with the RSA private key. */
+function signRsaJwt(payload, kid = 'test-rsa-key') {
+    const header = Buffer.from(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid })).toString('base64url');
+    const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const signature = sign('RSA-SHA256', Buffer.from(`${header}.${body}`), rsaPrivateKey);
+    return `${header}.${body}.${signature.toString('base64url')}`;
+}
+/** Sign a JWT with the EC private key. */
+function signEcJwt(payload, kid = 'test-ec-key') {
+    const header = Buffer.from(JSON.stringify({ alg: 'ES256', typ: 'JWT', kid })).toString('base64url');
+    const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
+    const signature = sign('SHA256', Buffer.from(`${header}.${body}`), ecPrivateKey);
+    return `${header}.${body}.${signature.toString('base64url')}`;
+}
+/** Build a mock fetch that serves discovery + JWKS. */
+function mockFetch(jwksKeys = [rsaJwk, ecJwk]) {
+    return vi.fn(async (input) => {
+        const url = typeof input === 'string' ? input : input instanceof URL ? input.toString() : input.url;
+        if (url.includes('.well-known/openid-configuration')) {
+            return new Response(JSON.stringify({
+                issuer: ISSUER,
+                jwks_uri: `${ISSUER}/.well-known/jwks.json`,
+            }), { status: 200 });
+        }
+        if (url.includes('jwks.json')) {
+            return new Response(JSON.stringify({ keys: jwksKeys }), { status: 200 });
+        }
+        return new Response('Not Found', { status: 404 });
+    });
+}
+function validPayload(overrides = {}) {
+    return {
+        sub: 'user-42',
+        iss: ISSUER,
+        aud: AUDIENCE,
+        exp: Math.floor(Date.now() / 1000) + 3600,
+        iat: Math.floor(Date.now() / 1000),
+        roles: ['admin'],
+        scope: 'read write',
+        tenant_id: 'tenant-1',
+        ...overrides,
+    };
+}
+describe('createOidcAdapter', () => {
+    it('returns null for missing authorization header', async () => {
+        const adapter = createOidcAdapter({ issuer: ISSUER, audience: AUDIENCE, fetchFn: mockFetch() });
+        expect(await adapter.authenticate(undefined)).toBeNull();
+    });
+    it('returns null for non-Bearer token', async () => {
+        const adapter = createOidcAdapter({ issuer: ISSUER, audience: AUDIENCE, fetchFn: mockFetch() });
+        expect(await adapter.authenticate('Basic abc123')).toBeNull();
+    });
+    it('returns null for malformed JWT', async () => {
+        const adapter = createOidcAdapter({ issuer: ISSUER, audience: AUDIENCE, fetchFn: mockFetch() });
+        expect(await adapter.authenticate('Bearer not-a-jwt')).toBeNull();
+    });
+    it('validates RS256-signed tokens', async () => {
+        const adapter = createOidcAdapter({ issuer: ISSUER, audience: AUDIENCE, fetchFn: mockFetch() });
+        const token = signRsaJwt(validPayload());
+        const result = await adapter.authenticate(`Bearer ${token}`);
+        expect(result).not.toBeNull();
+        expect(result?.userId).toBe('user-42');
+        expect(result?.roles).toEqual(['admin']);
+        expect(result?.scopes).toEqual(['read', 'write']);
+        expect(result?.tenantId).toBe('tenant-1');
+        expect(result?.provider).toBe('oidc');
+    });
+    it('validates ES256-signed tokens', async () => {
+        const adapter = createOidcAdapter({ issuer: ISSUER, audience: AUDIENCE, fetchFn: mockFetch() });
+        const token = signEcJwt(validPayload());
+        const result = await adapter.authenticate(`Bearer ${token}`);
+        expect(result).not.toBeNull();
+        expect(result?.userId).toBe('user-42');
+        expect(result?.provider).toBe('oidc');
+    });
+    it('rejects expired tokens', async () => {
+        const adapter = createOidcAdapter({ issuer: ISSUER, audience: AUDIENCE, fetchFn: mockFetch() });
+        const token = signRsaJwt(validPayload({ exp: Math.floor(Date.now() / 1000) - 60 }));
+        expect(await adapter.authenticate(`Bearer ${token}`)).toBeNull();
+    });
+    it('rejects tokens with wrong issuer', async () => {
+        const adapter = createOidcAdapter({ issuer: ISSUER, audience: AUDIENCE, fetchFn: mockFetch() });
+        const token = signRsaJwt(validPayload({ iss: 'https://evil.example.com' }));
+        expect(await adapter.authenticate(`Bearer ${token}`)).toBeNull();
+    });
+    it('rejects tokens with wrong audience', async () => {
+        const adapter = createOidcAdapter({ issuer: ISSUER, audience: AUDIENCE, fetchFn: mockFetch() });
+        const token = signRsaJwt(validPayload({ aud: 'wrong-audience' }));
+        expect(await adapter.authenticate(`Bearer ${token}`)).toBeNull();
+    });
+    it('rejects tokens signed with unknown key', async () => {
+        const adapter = createOidcAdapter({
+            issuer: ISSUER,
+            audience: AUDIENCE,
+            fetchFn: mockFetch([]),
+        });
+        const token = signRsaJwt(validPayload());
+        expect(await adapter.authenticate(`Bearer ${token}`)).toBeNull();
+    });
+    it('rejects unsupported algorithms', async () => {
+        const adapter = createOidcAdapter({ issuer: ISSUER, audience: AUDIENCE, fetchFn: mockFetch() });
+        // Forge a token with HS256 alg (not supported by OIDC adapter)
+        const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT', kid: 'test-rsa-key' })).toString('base64url');
+        const body = Buffer.from(JSON.stringify(validPayload())).toString('base64url');
+        const sig = 'fake-signature';
+        expect(await adapter.authenticate(`Bearer ${header}.${body}.${sig}`)).toBeNull();
+    });
+    it('uses explicit jwksUri when provided', async () => {
+        const fetchFn = mockFetch();
+        const adapter = createOidcAdapter({
+            issuer: ISSUER,
+            audience: AUDIENCE,
+            jwksUri: `${ISSUER}/custom/jwks`,
+            fetchFn,
+        });
+        const token = signRsaJwt(validPayload());
+        await adapter.authenticate(`Bearer ${token}`);
+        // Should NOT call discovery endpoint
+        expect(fetchFn).not.toHaveBeenCalledWith(expect.stringContaining('.well-known/openid-configuration'));
+    });
+    it('caches JWKS keys', async () => {
+        const fetchFn = mockFetch();
+        const adapter = createOidcAdapter({
+            issuer: ISSUER,
+            audience: AUDIENCE,
+            jwksUri: `${ISSUER}/.well-known/jwks.json`,
+            fetchFn,
+        });
+        const token1 = signRsaJwt(validPayload());
+        const token2 = signRsaJwt(validPayload({ sub: 'user-99' }));
+        await adapter.authenticate(`Bearer ${token1}`);
+        await adapter.authenticate(`Bearer ${token2}`);
+        // JWKS should be fetched only once (cached)
+        const jwksCalls = fetchFn.mock.calls.filter((call) => String(call[0]).includes('jwks.json'));
+        expect(jwksCalls).toHaveLength(1);
+    });
+    it('refreshes cache on key rotation (unknown kid)', async () => {
+        // Start with empty JWKS (simulates key not yet published)
+        let callCount = 0;
+        const fetchFn = vi.fn(async (input) => {
+            const url = typeof input === 'string' ? input : input instanceof URL ? input.toString() : input.url;
+            if (url.includes('jwks.json')) {
+                callCount++;
+                // Second call returns the actual key
+                const keys = callCount > 1 ? [rsaJwk] : [];
+                return new Response(JSON.stringify({ keys }), { status: 200 });
+            }
+            return new Response('Not Found', { status: 404 });
+        });
+        const adapter = createOidcAdapter({
+            issuer: ISSUER,
+            audience: AUDIENCE,
+            jwksUri: `${ISSUER}/.well-known/jwks.json`,
+            fetchFn,
+        });
+        const token = signRsaJwt(validPayload());
+        const result = await adapter.authenticate(`Bearer ${token}`);
+        expect(result?.userId).toBe('user-42');
+        expect(callCount).toBe(2); // Fetched twice due to cache miss + refresh
+    });
+    it('supports custom claim mapping', async () => {
+        const adapter = createOidcAdapter({
+            issuer: ISSUER,
+            audience: AUDIENCE,
+            fetchFn: mockFetch(),
+            claimMapping: {
+                userId: 'email',
+                roles: 'groups',
+                tenantId: 'org_id',
+            },
+        });
+        const token = signRsaJwt({
+            ...validPayload(),
+            email: 'user@example.com',
+            groups: ['editors'],
+            org_id: 'org-123',
+        });
+        const result = await adapter.authenticate(`Bearer ${token}`);
+        expect(result?.userId).toBe('user@example.com');
+        expect(result?.roles).toEqual(['editors']);
+        expect(result?.tenantId).toBe('org-123');
+    });
+    it('returns null when JWKS fetch fails', async () => {
+        const fetchFn = vi.fn(async () => new Response('Server Error', { status: 500 }));
+        const adapter = createOidcAdapter({
+            issuer: ISSUER,
+            audience: AUDIENCE,
+            jwksUri: `${ISSUER}/.well-known/jwks.json`,
+            fetchFn,
+        });
+        const token = signRsaJwt(validPayload());
+        expect(await adapter.authenticate(`Bearer ${token}`)).toBeNull();
+    });
+    it('returns null when discovery fails', async () => {
+        const fetchFn = vi.fn(async () => new Response('Not Found', { status: 404 }));
+        const adapter = createOidcAdapter({
+            issuer: ISSUER,
+            audience: AUDIENCE,
+            fetchFn,
+        });
+        const token = signRsaJwt(validPayload());
+        expect(await adapter.authenticate(`Bearer ${token}`)).toBeNull();
+    });
+    it('handles multi-value audience', async () => {
+        const adapter = createOidcAdapter({ issuer: ISSUER, audience: AUDIENCE, fetchFn: mockFetch() });
+        const token = signRsaJwt(validPayload({ aud: ['other-app', AUDIENCE] }));
+        const result = await adapter.authenticate(`Bearer ${token}`);
+        expect(result?.userId).toBe('user-42');
+    });
+});
+//# sourceMappingURL=oidc-adapter.test.js.map

package/dist/auth/__tests__/oidc-adapter.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-adapter.test.js","sourceRoot":"","sources":["../../../src/auth/__tests__/oidc-adapter.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAEvD,MAAM,MAAM,GAAG,0BAA0B,CAAC;AAC1C,MAAM,QAAQ,GAAG,QAAQ,CAAC;AAE1B,+BAA+B;AAC/B,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,GAAG,mBAAmB,CAAC,KAAK,EAAE;IACxF,aAAa,EAAE,IAAI;CACpB,CAAC,CAAC;AAEH,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAA4B,CAAC;AACjF,MAAM,CAAC,GAAG,GAAG,cAAc,CAAC;AAC5B,MAAM,CAAC,GAAG,GAAG,KAAK,CAAC;AACnB,MAAM,CAAC,GAAG,GAAG,OAAO,CAAC;AAErB,8BAA8B;AAC9B,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,mBAAmB,CAAC,IAAI,EAAE;IACrF,UAAU,EAAE,OAAO;CACpB,CAAC,CAAC;AAEH,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAA4B,CAAC;AAC/E,KAAK,CAAC,GAAG,GAAG,aAAa,CAAC;AAC1B,KAAK,CAAC,GAAG,GAAG,KAAK,CAAC;AAClB,KAAK,CAAC,GAAG,GAAG,OAAO,CAAC;AAEpB,2CAA2C;AAC3C,SAAS,UAAU,CAAC,OAAgC,EAAE,GAAG,GAAG,cAAc;IACxE,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,QAAQ,CACpF,WAAW,CACZ,CAAC;IACF,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACxE,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,EAAE,aAAa,CAAC,CAAC;IACtF,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;AAChE,CAAC;AAED,0CAA0C;AAC1C,SAAS,SAAS,CAAC,OAAgC,EAAE,GAAG,GAAG,aAAa;IACtE,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,QAAQ,CACpF,WAAW,CACZ,CAAC;IACF,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACxE,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,IAAI,IAAI,EAAE,CAAC,EAAE,YAAY,CAAC,CAAC;IACjF,OAAO,GAAG,MAAM,IAAI,IAAI,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;AAChE,CAAC;AAED,uDAAuD;AACvD,SAAS,SAAS,CAAC,WAAsC,CAAC,MAAM,EAAE,KAAK,CAAC;IACtE,OAAO,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,KAA6B,EAAE,EAAE;QACnD,MAAM,GAAG,GACP,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,YAAY,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;QAE1F,IAAI,GAAG,CAAC,QAAQ,CAAC,kCAAkC,CAAC,EAAE,CAAC;YACrD,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;gBACb,MAAM,EAAE,MAAM;gBACd,QAAQ,EAAE,GAAG,MAAM,wBAAwB;aAC5C,CAAC,EACF,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC3E,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IACpD,CAAC,CAAiB,CAAC;AACrB,CAAC;AAED,SAAS,YAAY,CAAC,YAAqC,EAAE;IAC3D,OAAO;QACL,GAAG,EAAE,SAAS;QACd,GAAG,EAAE,MAAM;QACX,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI;QACzC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QAClC,KAAK,EAAE,CAAC,OAAO,CAAC;QAChB,KAAK,EAAE,YAAY;QACnB,SAAS,EAAE,UAAU;QACrB,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAChG,MAAM,CAAC,MAAM,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAChG,MAAM,CAAC,MAAM,OAAO,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAChG,MAAM,CAAC,MAAM,OAAO,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAEhG,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,EAAE,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAE7D,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;QACzC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QAClD,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAEhG,MAAM,KAAK,GAAG,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAE7D,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,KAAK,IAAI,EAAE;QACtC,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAEhG,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;QACpF,MAAM,CAAC,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;QAChD,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAEhG,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,EAAE,GAAG,EAAE,0BAA0B,EAAE,CAAC,CAAC,CAAC;QAC5E,MAAM,CAAC,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAEhG,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC;QAClE,MAAM,CAAC,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,OAAO,GAAG,iBAAiB,CAAC;YAChC,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC;SACvB,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,EAAE,CAAC,CAAC;QACzC,MAAM,CAAC,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAChG,+DAA+D;QAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CACxB,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,cAAc,EAAE,CAAC,CAClE,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACxB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC/E,MAAM,GAAG,GAAG,gBAAgB,CAAC;QAC7B,MAAM,CAAC,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,MAAM,IAAI,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACnF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,OAAO,GAAG,SAAS,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,iBAAiB,CAAC;YAChC,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,GAAG,MAAM,cAAc;YAChC,OAAO;SACR,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,EAAE,CAAC,CAAC;QACzC,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAE9C,qCAAqC;QACrC,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,oBAAoB,CACtC,MAAM,CAAC,gBAAgB,CAAC,kCAAkC,CAAC,CAC5D,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kBAAkB,EAAE,KAAK,IAAI,EAAE;QAChC,MAAM,OAAO,GAAG,SAAS,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,iBAAiB,CAAC;YAChC,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,GAAG,MAAM,wBAAwB;YAC1C,OAAO;SACR,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,UAAU,CAAC,YAAY,EAAE,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,UAAU,CAAC,YAAY,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QAE5D,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,MAAM,EAAE,CAAC,CAAC;QAC/C,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,MAAM,EAAE,CAAC,CAAC;QAE/C,4CAA4C;QAC5C,MAAM,SAAS,GAAI,OAAoC,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAe,EAAE,EAAE,CAC5F,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CACtC,CAAC;QACF,MAAM,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,0DAA0D;QAC1D,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,MAAM,OAAO,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,KAA6B,EAAE,EAAE;YAC5D,MAAM,GAAG,GACP,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,YAAY,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;YAC1F,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC9B,SAAS,EAAE,CAAC;gBACZ,qCAAqC;gBACrC,MAAM,IAAI,GAAG,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YACjE,CAAC;YACD,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACpD,CAAC,CAAiB,CAAC;QAEnB,MAAM,OAAO,GAAG,iBAAiB,CAAC;YAChC,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,GAAG,MAAM,wBAAwB;YAC1C,OAAO;SACR,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,EAAE,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAE7D,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,4CAA4C;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,OAAO,GAAG,iBAAiB,CAAC;YAChC,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,SAAS,EAAE;YACpB,YAAY,EAAE;gBACZ,MAAM,EAAE,OAAO;gBACf,KAAK,EAAE,QAAQ;gBACf,QAAQ,EAAE,QAAQ;aACnB;SACF,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC;YACvB,GAAG,YAAY,EAAE;YACjB,KAAK,EAAE,kBAAkB;YACzB,MAAM,EAAE,CAAC,SAAS,CAAC;YACnB,MAAM,EAAE,SAAS;SAClB,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAC7D,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAChD,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;QAC3C,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,OAAO,GAAG,EAAE,CAAC,EAAE,CACnB,KAAK,IAAI,EAAE,CAAC,IAAI,QAAQ,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAC1C,CAAC;QAElB,MAAM,OAAO,GAAG,iBAAiB,CAAC;YAChC,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,GAAG,MAAM,wBAAwB;YAC1C,OAAO;SACR,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,EAAE,CAAC,CAAC;QACzC,MAAM,CAAC,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,OAAO,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAiB,CAAC;QAE9F,MAAM,OAAO,GAAG,iBAAiB,CAAC;YAChC,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,QAAQ;YAClB,OAAO;SACR,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,EAAE,CAAC,CAAC;QACzC,MAAM,CAAC,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,OAAO,GAAG,iBAAiB,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAEhG,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,EAAE,GAAG,EAAE,CAAC,WAAW,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;QACzE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAC7D,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/auth/__tests__/password.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=password.test.d.ts.map

package/dist/auth/__tests__/password.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.test.d.ts","sourceRoot":"","sources":["../../../src/auth/__tests__/password.test.ts"],"names":[],"mappings":""}

package/dist/auth/__tests__/password.test.js

@@ -0,0 +1,30 @@
+import { describe, expect, it } from 'vitest';
+import { hashPassword, verifyPassword } from '../password.js';
+describe('password helpers', () => {
+    it('hashes passwords into salt:hash format', async () => {
+        const hashed = await hashPassword('correct horse battery staple');
+        const parts = hashed.split(':');
+        expect(parts).toHaveLength(2);
+        expect(parts[0]).toHaveLength(32);
+        expect(parts[1]?.length).toBeGreaterThan(0);
+    });
+    it('verifies the original password', async () => {
+        const password = 'correct horse battery staple';
+        const hashed = await hashPassword(password);
+        await expect(verifyPassword(password, hashed)).resolves.toBe(true);
+    });
+    it('rejects an invalid password', async () => {
+        const hashed = await hashPassword('correct horse battery staple');
+        await expect(verifyPassword('wrong password', hashed)).resolves.toBe(false);
+    });
+    it('rejects malformed stored hashes', async () => {
+        await expect(verifyPassword('password', 'not-a-valid-hash')).resolves.toBe(false);
+    });
+    it('supports custom key length options', async () => {
+        const password = 'custom-options-password';
+        const hashed = await hashPassword(password, { keyLength: 32, saltBytes: 8 });
+        await expect(verifyPassword(password, hashed, { keyLength: 32 })).resolves.toBe(true);
+        await expect(verifyPassword(password, hashed)).resolves.toBe(false);
+    });
+});
+//# sourceMappingURL=password.test.js.map

package/dist/auth/__tests__/password.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.test.js","sourceRoot":"","sources":["../../../src/auth/__tests__/password.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAE9D,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,8BAA8B,CAAC,CAAC;QAClE,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAEhC,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,QAAQ,GAAG,8BAA8B,CAAC;QAChD,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;QAE5C,MAAM,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,KAAK,IAAI,EAAE;QAC3C,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,8BAA8B,CAAC,CAAC;QAElE,MAAM,MAAM,CAAC,cAAc,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,QAAQ,GAAG,yBAAyB,CAAC;QAC3C,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC,CAAC;QAE7E,MAAM,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtF,MAAM,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/auth/__tests__/saml-adapter.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=saml-adapter.test.d.ts.map

package/dist/auth/__tests__/saml-adapter.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"saml-adapter.test.d.ts","sourceRoot":"","sources":["../../../src/auth/__tests__/saml-adapter.test.ts"],"names":[],"mappings":""}