@portaidentity/cli 0.1.0

package/dist/auth/browser-flow.d.ts

@@ -0,0 +1,42 @@
+/**
+ * OIDC Authorization Code + PKCE browser flow orchestration.
+ *
+ * Orchestrates the complete CLI login flow:
+ *   1. Discover admin metadata (client_id, issuer) from the server
+ *   2. Generate PKCE code_verifier + code_challenge (S256)
+ *   3. Start a temporary localhost HTTP server to receive the callback
+ *   4. Open the user's browser to the authorization endpoint
+ *   5. Wait for the callback with the authorization code
+ *   6. Exchange the code for tokens at the token endpoint
+ *   7. Decode the ID token for user identity
+ *   8. Return the complete AuthFlowResult
+ *
+ * Supports two modes:
+ *   - **Browser mode**: Opens browser, starts callback server
+ *   - **Manual mode**: Prints URL, user pastes callback URL
+ *
+ * @module auth/browser-flow
+ */
+import type { AuthFlowResult } from './types.js';
+/** Options for the browser flow */
+export interface BrowserFlowOptions {
+    /** Porta server URL */
+    server: string;
+    /** Override the auto-discovered client ID */
+    clientId?: string;
+    /** Force manual mode (print URL instead of opening browser) */
+    noBrowser?: boolean;
+}
+/**
+ * Execute the OIDC Authorization Code + PKCE login flow.
+ *
+ * This is the main entry point for CLI authentication. It handles
+ * both browser-based and manual (Docker/headless) login modes.
+ *
+ * @param options - Login flow options
+ * @param log - Logging callback for status messages
+ * @returns Complete auth flow result ready to store as credentials
+ * @throws Error on any failure (connectivity, auth, token exchange)
+ */
+export declare function executeBrowserFlow(options: BrowserFlowOptions, log?: (message: string) => void): Promise<AuthFlowResult>;
+//# sourceMappingURL=browser-flow.d.ts.map

package/dist/auth/browser-flow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser-flow.d.ts","sourceRoot":"","sources":["../../src/auth/browser-flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAaH,OAAO,KAAK,EAAE,cAAc,EAAiB,MAAM,YAAY,CAAC;AAahE,mCAAmC;AACnC,MAAM,WAAW,kBAAkB;IACjC,uBAAuB;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+DAA+D;IAC/D,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAsDD;;;;;;;;;;GAUG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,kBAAkB,EAC3B,GAAG,GAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAkB,GAC3C,OAAO,CAAC,cAAc,CAAC,CA2HzB"}

package/dist/auth/browser-flow.js

@@ -0,0 +1,193 @@
+/**
+ * OIDC Authorization Code + PKCE browser flow orchestration.
+ *
+ * Orchestrates the complete CLI login flow:
+ *   1. Discover admin metadata (client_id, issuer) from the server
+ *   2. Generate PKCE code_verifier + code_challenge (S256)
+ *   3. Start a temporary localhost HTTP server to receive the callback
+ *   4. Open the user's browser to the authorization endpoint
+ *   5. Wait for the callback with the authorization code
+ *   6. Exchange the code for tokens at the token endpoint
+ *   7. Decode the ID token for user identity
+ *   8. Return the complete AuthFlowResult
+ *
+ * Supports two modes:
+ *   - **Browser mode**: Opens browser, starts callback server
+ *   - **Manual mode**: Prints URL, user pastes callback URL
+ *
+ * @module auth/browser-flow
+ */
+import { URL } from 'node:url';
+import { decodeJwt } from 'jose';
+import { generateCodeVerifier, generateCodeChallenge, generateState } from './pkce.js';
+import { fetchAdminMetadata } from './metadata.js';
+import { startCallbackServer, parseCallbackUrl, MANUAL_REDIRECT_URI, isContainerized, } from './callback-server.js';
+import { question } from '../prompt.js';
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+/** OIDC scopes requested during the login flow */
+const SCOPES = 'openid profile email offline_access';
+// ---------------------------------------------------------------------------
+// Token Exchange
+// ---------------------------------------------------------------------------
+/**
+ * Exchange an authorization code for tokens at the OIDC token endpoint.
+ *
+ * Sends a POST request with the authorization code, PKCE code_verifier,
+ * and redirect URI to complete the Authorization Code flow.
+ *
+ * @param params - Token exchange parameters
+ * @returns Token response with access, refresh, and ID tokens
+ * @throws Error if the token exchange fails
+ */
+async function exchangeCode(params) {
+    const tokenUrl = `${params.server}/${params.orgSlug}/token`;
+    const response = await fetch(tokenUrl, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+            grant_type: 'authorization_code',
+            code: params.code,
+            redirect_uri: params.redirectUri,
+            client_id: params.clientId,
+            code_verifier: params.codeVerifier,
+        }),
+    });
+    if (!response.ok) {
+        const errorData = await response.json().catch(() => ({}));
+        const desc = errorData.error_description ||
+            errorData.error ||
+            `HTTP ${response.status}`;
+        throw new Error(`Token exchange failed: ${desc}`);
+    }
+    return response.json();
+}
+// ---------------------------------------------------------------------------
+// Flow Orchestration
+// ---------------------------------------------------------------------------
+/**
+ * Execute the OIDC Authorization Code + PKCE login flow.
+ *
+ * This is the main entry point for CLI authentication. It handles
+ * both browser-based and manual (Docker/headless) login modes.
+ *
+ * @param options - Login flow options
+ * @param log - Logging callback for status messages
+ * @returns Complete auth flow result ready to store as credentials
+ * @throws Error on any failure (connectivity, auth, token exchange)
+ */
+export async function executeBrowserFlow(options, log = console.log) {
+    const { server, noBrowser } = options;
+    // ---------------------------------------------------------------
+    // Step 1: Determine login mode (browser vs. manual)
+    // ---------------------------------------------------------------
+    const manualMode = noBrowser || isContainerized();
+    if (manualMode && !noBrowser) {
+        log('Container environment detected — using manual login mode.\n');
+    }
+    // ---------------------------------------------------------------
+    // Step 2: Discover admin metadata (client ID + org slug)
+    // ---------------------------------------------------------------
+    let clientId;
+    let orgSlug;
+    if (options.clientId) {
+        clientId = options.clientId;
+        orgSlug = 'porta-admin';
+    }
+    else {
+        const metadata = await fetchAdminMetadata(server);
+        clientId = metadata.clientId;
+        orgSlug = metadata.orgSlug;
+    }
+    // ---------------------------------------------------------------
+    // Step 3: Generate PKCE parameters
+    // ---------------------------------------------------------------
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = generateCodeChallenge(codeVerifier);
+    const state = generateState();
+    // ---------------------------------------------------------------
+    // Step 4: Set up redirect URI — mode-dependent
+    // ---------------------------------------------------------------
+    let redirectUri;
+    let authCode;
+    if (manualMode) {
+        redirectUri = MANUAL_REDIRECT_URI;
+        authCode = undefined;
+    }
+    else {
+        const callbackServer = await startCallbackServer(state);
+        redirectUri = `http://127.0.0.1:${callbackServer.port}/callback`;
+        authCode = callbackServer.authCode;
+    }
+    // ---------------------------------------------------------------
+    // Step 5: Build the authorization URL
+    // ---------------------------------------------------------------
+    const authUrl = new URL(`${server}/${orgSlug}/auth`);
+    authUrl.searchParams.set('response_type', 'code');
+    authUrl.searchParams.set('client_id', clientId);
+    authUrl.searchParams.set('redirect_uri', redirectUri);
+    authUrl.searchParams.set('scope', SCOPES);
+    authUrl.searchParams.set('code_challenge', codeChallenge);
+    authUrl.searchParams.set('code_challenge_method', 'S256');
+    authUrl.searchParams.set('state', state);
+    // ---------------------------------------------------------------
+    // Step 6: Open browser or print URL + collect auth code
+    // ---------------------------------------------------------------
+    let code;
+    if (manualMode) {
+        log('Open this URL in your browser to log in:\n');
+        log(`  ${authUrl.toString()}\n`);
+        log('After logging in, your browser will redirect to a page that won\'t load.');
+        log('Copy the full URL from your browser\'s address bar and paste it below.\n');
+        const pastedUrl = await question('Paste the callback URL: ');
+        code = parseCallbackUrl(pastedUrl, state);
+    }
+    else {
+        log('Opening browser for authentication...');
+        try {
+            // Dynamic import — `open` is an ESM-only package
+            const { default: openUrl } = await import('open');
+            await openUrl(authUrl.toString());
+        }
+        catch {
+            log('\nCould not open browser. Open this URL manually:\n');
+            log(`  ${authUrl.toString()}\n`);
+        }
+        log('Waiting for authentication...');
+        code = await authCode;
+    }
+    // ---------------------------------------------------------------
+    // Step 7: Exchange the authorization code for tokens
+    // ---------------------------------------------------------------
+    const tokens = await exchangeCode({
+        server,
+        orgSlug,
+        code,
+        redirectUri,
+        clientId,
+        codeVerifier,
+    });
+    // ---------------------------------------------------------------
+    // Step 8: Decode the ID token to extract user identity
+    // ---------------------------------------------------------------
+    const claims = decodeJwt(tokens.id_token);
+    // ---------------------------------------------------------------
+    // Step 9: Build and return the auth flow result
+    // ---------------------------------------------------------------
+    return {
+        server,
+        orgSlug,
+        clientId,
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token,
+        idToken: tokens.id_token,
+        expiresAt: new Date(Date.now() + tokens.expires_in * 1000).toISOString(),
+        userInfo: {
+            sub: claims.sub ?? '',
+            email: claims.email ?? '',
+            name: claims.name ?? undefined,
+        },
+    };
+}
+//# sourceMappingURL=browser-flow.js.map

package/dist/auth/browser-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser-flow.js","sourceRoot":"","sources":["../../src/auth/browser-flow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAC/B,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AACvF,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,mBAAmB,EACnB,eAAe,GAChB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAGxC,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,kDAAkD;AAClD,MAAM,MAAM,GAAG,qCAAqC,CAAC;AAgBrD,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,KAAK,UAAU,YAAY,CAAC,MAO3B;IACC,MAAM,QAAQ,GAAG,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,QAAQ,CAAC;IAE5D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;QACrC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,eAAe,CAAC;YACxB,UAAU,EAAE,oBAAoB;YAChC,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,YAAY,EAAE,MAAM,CAAC,WAAW;YAChC,SAAS,EAAE,MAAM,CAAC,QAAQ;YAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;SACnC,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC1D,MAAM,IAAI,GACP,SAAoC,CAAC,iBAAiB;YACtD,SAAoC,CAAC,KAAK;YAC3C,QAAQ,QAAQ,CAAC,MAAM,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAA4B,CAAC;AACnD,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAA2B,EAC3B,MAAiC,OAAO,CAAC,GAAG;IAE5C,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;IAEtC,kEAAkE;IAClE,oDAAoD;IACpD,kEAAkE;IAClE,MAAM,UAAU,GAAG,SAAS,IAAI,eAAe,EAAE,CAAC;IAElD,IAAI,UAAU,IAAI,CAAC,SAAS,EAAE,CAAC;QAC7B,GAAG,CAAC,6DAA6D,CAAC,CAAC;IACrE,CAAC;IAED,kEAAkE;IAClE,yDAAyD;IACzD,kEAAkE;IAClE,IAAI,QAAgB,CAAC;IACrB,IAAI,OAAe,CAAC;IAEpB,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAC5B,OAAO,GAAG,aAAa,CAAC;IAC1B,CAAC;SAAM,CAAC;QACN,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAClD,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC;QAC7B,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;IAC7B,CAAC;IAED,kEAAkE;IAClE,mCAAmC;IACnC,kEAAkE;IAClE,MAAM,YAAY,GAAG,oBAAoB,EAAE,CAAC;IAC5C,MAAM,aAAa,GAAG,qBAAqB,CAAC,YAAY,CAAC,CAAC;IAC1D,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAE9B,kEAAkE;IAClE,+CAA+C;IAC/C,kEAAkE;IAClE,IAAI,WAAmB,CAAC;IACxB,IAAI,QAAyB,CAAC;IAE9B,IAAI,UAAU,EAAE,CAAC;QACf,WAAW,GAAG,mBAAmB,CAAC;QAClC,QAAQ,GAAG,SAAuC,CAAC;IACrD,CAAC;SAAM,CAAC;QACN,MAAM,cAAc,GAAG,MAAM,mBAAmB,CAAC,KAAK,CAAC,CAAC;QACxD,WAAW,GAAG,oBAAoB,cAAc,CAAC,IAAI,WAAW,CAAC;QACjE,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC;IACrC,CAAC;IAED,kEAAkE;IAClE,sCAAsC;IACtC,kEAAkE;IAClE,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,GAAG,MAAM,IAAI,OAAO,OAAO,CAAC,CAAC;IACrD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAChD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC1C,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAEzC,kEAAkE;IAClE,wDAAwD;IACxD,kEAAkE;IAClE,IAAI,IAAY,CAAC;IAEjB,IAAI,UAAU,EAAE,CAAC;QACf,GAAG,CAAC,4CAA4C,CAAC,CAAC;QAClD,GAAG,CAAC,KAAK,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACjC,GAAG,CAAC,0EAA0E,CAAC,CAAC;QAChF,GAAG,CAAC,0EAA0E,CAAC,CAAC;QAEhF,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,0BAA0B,CAAC,CAAC;QAC7D,IAAI,GAAG,gBAAgB,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,uCAAuC,CAAC,CAAC;QAC7C,IAAI,CAAC;YACH,iDAAiD;YACjD,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;YAClD,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,qDAAqD,CAAC,CAAC;YAC3D,GAAG,CAAC,KAAK,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACnC,CAAC;QAED,GAAG,CAAC,+BAA+B,CAAC,CAAC;QACrC,IAAI,GAAG,MAAM,QAAQ,CAAC;IACxB,CAAC;IAED,kEAAkE;IAClE,qDAAqD;IACrD,kEAAkE;IAClE,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC;QAChC,MAAM;QACN,OAAO;QACP,IAAI;QACJ,WAAW;QACX,QAAQ;QACR,YAAY;KACb,CAAC,CAAC;IAEH,kEAAkE;IAClE,uDAAuD;IACvD,kEAAkE;IAClE,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAE1C,kEAAkE;IAClE,gDAAgD;IAChD,kEAAkE;IAClE,OAAO;QACL,MAAM;QACN,OAAO;QACP,QAAQ;QACR,WAAW,EAAE,MAAM,CAAC,YAAY;QAChC,YAAY,EAAE,MAAM,CAAC,aAAa;QAClC,OAAO,EAAE,MAAM,CAAC,QAAQ;QACxB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;QACxE,QAAQ,EAAE;YACR,GAAG,EAAE,MAAM,CAAC,GAAG,IAAI,EAAE;YACrB,KAAK,EAAG,MAAM,CAAC,KAAgB,IAAI,EAAE;YACrC,IAAI,EAAG,MAAM,CAAC,IAAe,IAAI,SAAS;SAC3C;KACF,CAAC;AACJ,CAAC"}

package/dist/auth/callback-server.d.ts

@@ -0,0 +1,81 @@
+/**
+ * OAuth callback server and manual URL parsing.
+ *
+ * Provides two mechanisms for receiving the OAuth authorization code:
+ *
+ * 1. **Browser mode**: A temporary localhost HTTP server that receives
+ *    the redirect callback. Binds to 127.0.0.1 on a random port.
+ *
+ * 2. **Manual mode**: URL parsing for Docker/headless environments where
+ *    the user pastes the callback URL from their browser's address bar.
+ *
+ * Security:
+ *   - Callback server binds to 127.0.0.1 only (loopback)
+ *   - State parameter validated on every callback (CSRF protection)
+ *   - 5-minute timeout prevents abandoned login sessions
+ *
+ * @module auth/callback-server
+ */
+/**
+ * Fixed redirect URI used in manual (no-browser) mode.
+ *
+ * The port number is arbitrary — nothing actually listens on it. The user's
+ * browser will fail to load this page after authentication, but the full URL
+ * (including the authorization code in the query string) will be visible in
+ * the browser's address bar for the user to copy and paste back.
+ *
+ * Per RFC 8252 §7.3, node-oidc-provider allows flexible port matching for
+ * native clients using loopback redirect URIs, so any port works as long as
+ * the base pattern (`http://127.0.0.1/callback`) is registered.
+ */
+export declare const MANUAL_REDIRECT_URI = "http://127.0.0.1:11111/callback";
+/**
+ * Result from starting the callback server.
+ */
+export interface CallbackServerResult {
+    /** Port the server is listening on */
+    port: number;
+    /** Promise that resolves with the authorization code */
+    authCode: Promise<string>;
+    /** Close the server (for cleanup on error) */
+    close: () => void;
+}
+/**
+ * Start a temporary HTTP server to receive the OAuth callback.
+ *
+ * Binds to 127.0.0.1 on a random available port. Validates the
+ * state parameter and extracts the authorization code from the
+ * callback URL query parameters.
+ *
+ * The server automatically shuts down after receiving a callback
+ * (success or error) or after the 5-minute timeout.
+ *
+ * @param expectedState - The state parameter to validate against
+ * @returns Object with the assigned port and a promise that resolves with the auth code
+ */
+export declare function startCallbackServer(expectedState: string): Promise<CallbackServerResult>;
+/**
+ * Parse the authorization code and state from a pasted callback URL.
+ *
+ * In manual mode the user pastes the full URL from their browser's address
+ * bar after authentication. This function extracts the `code` and `state`
+ * query parameters and validates the state against the expected value.
+ *
+ * @param pastedUrl - The full callback URL pasted by the user
+ * @param expectedState - The state value to validate against (CSRF protection)
+ * @returns The authorization code extracted from the URL
+ * @throws Error if the URL is malformed, state mismatches, or code is missing
+ */
+export declare function parseCallbackUrl(pastedUrl: string, expectedState: string): string;
+/**
+ * Detect whether the process is running inside a Docker container.
+ *
+ * Checks for the `/.dockerenv` sentinel file that Docker creates in every
+ * container. Also honours the `PORTA_CONTAINER` environment variable so
+ * users can force manual mode in other containerized runtimes (Podman,
+ * Kubernetes, etc.) by setting `PORTA_CONTAINER=1`.
+ *
+ * @returns true if running inside a container
+ */
+export declare function isContainerized(): boolean;
+//# sourceMappingURL=callback-server.d.ts.map

package/dist/auth/callback-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback-server.d.ts","sourceRoot":"","sources":["../../src/auth/callback-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAaH;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,mBAAmB,oCAAoC,CAAC;AAMrE;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1B,8CAA8C;IAC9C,KAAK,EAAE,MAAM,IAAI,CAAC;CACnB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,mBAAmB,CACjC,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,oBAAoB,CAAC,CA+F/B;AAMD;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAC9B,SAAS,EAAE,MAAM,EACjB,aAAa,EAAE,MAAM,GACpB,MAAM,CA8BR;AAMD;;;;;;;;;GASG;AACH,wBAAgB,eAAe,IAAI,OAAO,CAUzC"}

package/dist/auth/callback-server.js

@@ -0,0 +1,193 @@
+/**
+ * OAuth callback server and manual URL parsing.
+ *
+ * Provides two mechanisms for receiving the OAuth authorization code:
+ *
+ * 1. **Browser mode**: A temporary localhost HTTP server that receives
+ *    the redirect callback. Binds to 127.0.0.1 on a random port.
+ *
+ * 2. **Manual mode**: URL parsing for Docker/headless environments where
+ *    the user pastes the callback URL from their browser's address bar.
+ *
+ * Security:
+ *   - Callback server binds to 127.0.0.1 only (loopback)
+ *   - State parameter validated on every callback (CSRF protection)
+ *   - 5-minute timeout prevents abandoned login sessions
+ *
+ * @module auth/callback-server
+ */
+import { createServer } from 'node:http';
+import { existsSync } from 'node:fs';
+import { URL } from 'node:url';
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+/** Login flow timeout — 5 minutes to complete browser authentication */
+const LOGIN_TIMEOUT_MS = 5 * 60 * 1000;
+/**
+ * Fixed redirect URI used in manual (no-browser) mode.
+ *
+ * The port number is arbitrary — nothing actually listens on it. The user's
+ * browser will fail to load this page after authentication, but the full URL
+ * (including the authorization code in the query string) will be visible in
+ * the browser's address bar for the user to copy and paste back.
+ *
+ * Per RFC 8252 §7.3, node-oidc-provider allows flexible port matching for
+ * native clients using loopback redirect URIs, so any port works as long as
+ * the base pattern (`http://127.0.0.1/callback`) is registered.
+ */
+export const MANUAL_REDIRECT_URI = 'http://127.0.0.1:11111/callback';
+/**
+ * Start a temporary HTTP server to receive the OAuth callback.
+ *
+ * Binds to 127.0.0.1 on a random available port. Validates the
+ * state parameter and extracts the authorization code from the
+ * callback URL query parameters.
+ *
+ * The server automatically shuts down after receiving a callback
+ * (success or error) or after the 5-minute timeout.
+ *
+ * @param expectedState - The state parameter to validate against
+ * @returns Object with the assigned port and a promise that resolves with the auth code
+ */
+export function startCallbackServer(expectedState) {
+    return new Promise((resolveSetup) => {
+        let resolveCode;
+        let rejectCode;
+        // Promise that resolves when the callback is received with a valid code
+        const authCode = new Promise((resolve, reject) => {
+            resolveCode = resolve;
+            rejectCode = reject;
+        });
+        const server = createServer((req, res) => {
+            const url = new URL(req.url ?? '/', 'http://127.0.0.1');
+            // Only handle the /callback path — reject anything else
+            if (url.pathname !== '/callback') {
+                res.writeHead(404);
+                res.end('Not Found');
+                return;
+            }
+            const code = url.searchParams.get('code');
+            const returnedState = url.searchParams.get('state');
+            const errorParam = url.searchParams.get('error');
+            // Case 1: OIDC provider returned an error (user cancelled, etc.)
+            if (errorParam) {
+                const desc = url.searchParams.get('error_description') || errorParam;
+                res.writeHead(200, { 'Content-Type': 'text/html' });
+                res.end('<html><body><h1>Login Failed</h1>' +
+                    '<p>You can close this tab.</p></body></html>');
+                server.close();
+                rejectCode(new Error(`Authentication failed: ${desc}`));
+                return;
+            }
+            // Case 2: State mismatch — possible CSRF attack
+            if (returnedState !== expectedState) {
+                res.writeHead(200, { 'Content-Type': 'text/html' });
+                res.end('<html><body><h1>Security Error</h1>' +
+                    '<p>State mismatch. Please try again.</p></body></html>');
+                server.close();
+                rejectCode(new Error('Security error: state mismatch. Login aborted.'));
+                return;
+            }
+            // Case 3: No authorization code in the callback
+            if (!code) {
+                res.writeHead(200, { 'Content-Type': 'text/html' });
+                res.end('<html><body><h1>Error</h1>' +
+                    '<p>No authorization code received.</p></body></html>');
+                server.close();
+                rejectCode(new Error('No authorization code received'));
+                return;
+            }
+            // Case 4: Success — valid code and matching state
+            res.writeHead(200, { 'Content-Type': 'text/html' });
+            res.end('<html><body><h1>Login Successful</h1>' +
+                '<p>You can close this tab and return to the terminal.</p></body></html>');
+            server.close();
+            resolveCode(code);
+        });
+        // Timeout: abort the login after 5 minutes of inactivity
+        const timeout = setTimeout(() => {
+            server.close();
+            rejectCode(new Error('Login timed out after 5 minutes'));
+        }, LOGIN_TIMEOUT_MS);
+        // Unref the timeout so it doesn't keep the Node.js process alive
+        timeout.unref();
+        // Listen on random available port, loopback interface only
+        server.listen(0, '127.0.0.1', () => {
+            const addr = server.address();
+            const port = typeof addr === 'object' && addr ? addr.port : 0;
+            resolveSetup({
+                port,
+                authCode,
+                close: () => server.close(),
+            });
+        });
+    });
+}
+// ---------------------------------------------------------------------------
+// Manual URL Parsing (Docker / headless mode)
+// ---------------------------------------------------------------------------
+/**
+ * Parse the authorization code and state from a pasted callback URL.
+ *
+ * In manual mode the user pastes the full URL from their browser's address
+ * bar after authentication. This function extracts the `code` and `state`
+ * query parameters and validates the state against the expected value.
+ *
+ * @param pastedUrl - The full callback URL pasted by the user
+ * @param expectedState - The state value to validate against (CSRF protection)
+ * @returns The authorization code extracted from the URL
+ * @throws Error if the URL is malformed, state mismatches, or code is missing
+ */
+export function parseCallbackUrl(pastedUrl, expectedState) {
+    let url;
+    try {
+        url = new URL(pastedUrl.trim());
+    }
+    catch {
+        throw new Error('Invalid URL. Please copy the full URL from your browser\'s address bar.');
+    }
+    // Check for OIDC error response in the callback URL
+    const errorParam = url.searchParams.get('error');
+    if (errorParam) {
+        const desc = url.searchParams.get('error_description') || errorParam;
+        throw new Error(`Authentication failed: ${desc}`);
+    }
+    // Validate state parameter (CSRF protection)
+    const returnedState = url.searchParams.get('state');
+    if (returnedState !== expectedState) {
+        throw new Error('Security error: state mismatch. Login aborted.');
+    }
+    // Extract the authorization code
+    const code = url.searchParams.get('code');
+    if (!code) {
+        throw new Error('No authorization code found in the URL.');
+    }
+    return code;
+}
+// ---------------------------------------------------------------------------
+// Environment Detection
+// ---------------------------------------------------------------------------
+/**
+ * Detect whether the process is running inside a Docker container.
+ *
+ * Checks for the `/.dockerenv` sentinel file that Docker creates in every
+ * container. Also honours the `PORTA_CONTAINER` environment variable so
+ * users can force manual mode in other containerized runtimes (Podman,
+ * Kubernetes, etc.) by setting `PORTA_CONTAINER=1`.
+ *
+ * @returns true if running inside a container
+ */
+export function isContainerized() {
+    // Explicit override via environment variable
+    if (process.env.PORTA_CONTAINER === '1')
+        return true;
+    // Docker sentinel file — present in every Docker container
+    try {
+        return existsSync('/.dockerenv');
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=callback-server.js.map

package/dist/auth/callback-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback-server.js","sourceRoot":"","sources":["../../src/auth/callback-server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,YAAY,EAAe,MAAM,WAAW,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAE/B,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,wEAAwE;AACxE,MAAM,gBAAgB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEvC;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,iCAAiC,CAAC;AAkBrE;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,mBAAmB,CACjC,aAAqB;IAErB,OAAO,IAAI,OAAO,CAAC,CAAC,YAAY,EAAE,EAAE;QAClC,IAAI,WAAmC,CAAC;QACxC,IAAI,UAAgC,CAAC;QAErC,wEAAwE;QACxE,MAAM,QAAQ,GAAG,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACvD,WAAW,GAAG,OAAO,CAAC;YACtB,UAAU,GAAG,MAAM,CAAC;QACtB,CAAC,CAAC,CAAC;QAEH,MAAM,MAAM,GAAW,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAC/C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;YAExD,wDAAwD;YACxD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBACjC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACnB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACrB,OAAO;YACT,CAAC;YAED,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAC1C,MAAM,aAAa,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACpD,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAEjD,iEAAiE;YACjE,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,IAAI,GACR,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,UAAU,CAAC;gBAC1D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CACL,mCAAmC;oBACjC,8CAA8C,CACjD,CAAC;gBACF,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,UAAU,CAAC,IAAI,KAAK,CAAC,0BAA0B,IAAI,EAAE,CAAC,CAAC,CAAC;gBACxD,OAAO;YACT,CAAC;YAED,gDAAgD;YAChD,IAAI,aAAa,KAAK,aAAa,EAAE,CAAC;gBACpC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CACL,qCAAqC;oBACnC,wDAAwD,CAC3D,CAAC;gBACF,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,UAAU,CACR,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAC5D,CAAC;gBACF,OAAO;YACT,CAAC;YAED,gDAAgD;YAChD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CACL,4BAA4B;oBAC1B,sDAAsD,CACzD,CAAC;gBACF,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,UAAU,CAAC,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC,CAAC;gBACxD,OAAO;YACT,CAAC;YAED,kDAAkD;YAClD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;YACpD,GAAG,CAAC,GAAG,CACL,uCAAuC;gBACrC,yEAAyE,CAC5E,CAAC;YACF,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,WAAW,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC,CAAC,CAAC;QAEH,yDAAyD;QACzD,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE;YAC9B,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,UAAU,CAAC,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC,CAAC;QAC3D,CAAC,EAAE,gBAAgB,CAAC,CAAC;QAErB,iEAAiE;QACjE,OAAO,CAAC,KAAK,EAAE,CAAC;QAEhB,2DAA2D;QAC3D,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YACjC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;YAC9B,MAAM,IAAI,GAAG,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9D,YAAY,CAAC;gBACX,IAAI;gBACJ,QAAQ;gBACR,KAAK,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,EAAE;aAC5B,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,gBAAgB,CAC9B,SAAiB,EACjB,aAAqB;IAErB,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,yEAAyE,CAC1E,CAAC;IACJ,CAAC;IAED,oDAAoD;IACpD,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACjD,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,UAAU,CAAC;QACrE,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC;IAED,6CAA6C;IAC7C,MAAM,aAAa,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACpD,IAAI,aAAa,KAAK,aAAa,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IAED,iCAAiC;IACjC,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe;IAC7B,6CAA6C;IAC7C,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAErD,2DAA2D;IAC3D,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,aAAa,CAAC,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/auth/metadata.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Admin metadata and server discovery.
+ *
+ * Fetches server metadata from the unauthenticated endpoint
+ * `GET /api/admin/metadata` to discover the OIDC client_id,
+ * issuer URL, and organization slug needed for the login flow.
+ *
+ * Also provides a health check fetch for the `doctor` command.
+ *
+ * @module auth/metadata
+ */
+import type { AdminMetadata } from './types.js';
+/**
+ * Fetch admin metadata from the Porta server.
+ *
+ * Calls `GET /api/admin/metadata` — an unauthenticated endpoint
+ * that only exposes public info needed to initiate the login flow.
+ *
+ * @param server - Porta server base URL (e.g., "https://porta.local:3443")
+ * @returns Admin metadata (issuer, clientId, orgSlug)
+ * @throws Error if the server is not reachable or not initialized
+ */
+export declare function fetchAdminMetadata(server: string): Promise<AdminMetadata>;
+/**
+ * Health check response from `GET /health`.
+ */
+export interface HealthResponse {
+    /** Overall status */
+    status: string;
+    /** Individual service statuses */
+    services?: Record<string, string>;
+}
+/**
+ * Check server health via `GET /health`.
+ *
+ * This is an unauthenticated endpoint — no credentials needed.
+ * Used by the `doctor` command to verify server connectivity.
+ *
+ * @param server - Porta server base URL
+ * @returns Health response or null if server is unreachable
+ */
+export declare function fetchHealthStatus(server: string): Promise<HealthResponse | null>;
+//# sourceMappingURL=metadata.d.ts.map

package/dist/auth/metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.d.ts","sourceRoot":"","sources":["../../src/auth/metadata.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAMhD;;;;;;;;;GASG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,CAAC,CAsBxB;AAMD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,qBAAqB;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,kCAAkC;IAClC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACnC;AAED;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAahC"}

package/dist/auth/metadata.js

@@ -0,0 +1,66 @@
+/**
+ * Admin metadata and server discovery.
+ *
+ * Fetches server metadata from the unauthenticated endpoint
+ * `GET /api/admin/metadata` to discover the OIDC client_id,
+ * issuer URL, and organization slug needed for the login flow.
+ *
+ * Also provides a health check fetch for the `doctor` command.
+ *
+ * @module auth/metadata
+ */
+// ---------------------------------------------------------------------------
+// Metadata Fetch
+// ---------------------------------------------------------------------------
+/**
+ * Fetch admin metadata from the Porta server.
+ *
+ * Calls `GET /api/admin/metadata` — an unauthenticated endpoint
+ * that only exposes public info needed to initiate the login flow.
+ *
+ * @param server - Porta server base URL (e.g., "https://porta.local:3443")
+ * @returns Admin metadata (issuer, clientId, orgSlug)
+ * @throws Error if the server is not reachable or not initialized
+ */
+export async function fetchAdminMetadata(server) {
+    let response;
+    try {
+        response = await fetch(`${server}/api/admin/metadata`, {
+            signal: AbortSignal.timeout(10_000), // 10s timeout
+        });
+    }
+    catch {
+        throw new Error(`Cannot connect to ${server}. Is the server running?`);
+    }
+    if (!response.ok) {
+        if (response.status === 503) {
+            throw new Error('Server not initialized. Run "porta init" on the server first.');
+        }
+        throw new Error(`Cannot fetch admin metadata: HTTP ${response.status}`);
+    }
+    return response.json();
+}
+/**
+ * Check server health via `GET /health`.
+ *
+ * This is an unauthenticated endpoint — no credentials needed.
+ * Used by the `doctor` command to verify server connectivity.
+ *
+ * @param server - Porta server base URL
+ * @returns Health response or null if server is unreachable
+ */
+export async function fetchHealthStatus(server) {
+    try {
+        const response = await fetch(`${server}/health`, {
+            signal: AbortSignal.timeout(5_000), // 5s timeout
+        });
+        if (response.ok) {
+            return response.json();
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=metadata.js.map

package/dist/auth/metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.js","sourceRoot":"","sources":["../../src/auth/metadata.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAAc;IAEd,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,MAAM,qBAAqB,EAAE;YACrD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,cAAc;SACpD,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,qBAAqB,MAAM,0BAA0B,CACtD,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CACb,+DAA+D,CAChE,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,qCAAqC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAA4B,CAAC;AACnD,CAAC;AAgBD;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,MAAM,SAAS,EAAE;YAC/C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,aAAa;SAClD,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YAChB,OAAO,QAAQ,CAAC,IAAI,EAA6B,CAAC;QACpD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}