@portel/photon 1.22.1 → 1.23.0

package/dist/serv/auth/jwt.js

@@ -4,22 +4,103 @@
  * Handles JWT generation and validation for SERV sessions
  * Uses HMAC-SHA256 for simplicity; can be upgraded to RSA/EC for production
  */
-import { createHmac, randomBytes, timingSafeEqual } from 'crypto';
+import { createHash, createHmac, createSign, createVerify, createPrivateKey, createPublicKey, randomBytes, timingSafeEqual, } from 'crypto';
 const DEFAULT_CONFIG = {
     expirySeconds: 15 * 60, // 15 minutes
     algorithm: 'HS256',
 };
+function isAsymmetric(alg) {
+    return alg === 'RS256' || alg === 'ES256';
+}
 // ============================================================================
 // JWT Implementation
 // ============================================================================
 export class JwtService {
     config;
+    privateKey;
+    publicKey;
     constructor(config) {
-        this.config = { ...DEFAULT_CONFIG, ...config };
-        if (this.config.secret.length < 32) {
+        this.config = { ...DEFAULT_CONFIG, ...config, secret: config.secret ?? '' };
+        if (isAsymmetric(this.config.algorithm)) {
+            if (!this.config.privateKey) {
+                throw new Error(`JWT algorithm ${this.config.algorithm} requires a privateKey`);
+            }
+            this.privateKey = createPrivateKey(this.config.privateKey);
+            this.publicKey = this.config.publicKey
+                ? createPublicKey(this.config.publicKey)
+                : createPublicKey(this.privateKey);
+        }
+        else if (this.config.secret.length < 32) {
             console.warn('JWT secret is less than 32 characters. Consider using a stronger secret.');
         }
     }
+    /**
+     * Export the public JWK for publication at `/.well-known/jwks.json`.
+     * Only meaningful for asymmetric algorithms.
+     */
+    exportJwk() {
+        if (!this.publicKey)
+            return null;
+        const jwk = this.publicKey.export({ format: 'jwk' });
+        jwk.alg = this.config.algorithm;
+        jwk.use = 'sig';
+        if (this.config.kid)
+            jwk.kid = this.config.kid;
+        return jwk;
+    }
+    /**
+     * Generate an OAuth access token JWT for the token endpoint.
+     *
+     * This is a lower-level variant of `generateSessionToken` that accepts
+     * the minimal fields needed for an OAuth 2.1 bearer token: `sub`, `scope`,
+     * `client_id`, `tenant_id`, plus a TTL. No `Session` object required.
+     */
+    generateAccessToken(args) {
+        const nowSec = Math.floor((args.now?.getTime() ?? Date.now()) / 1000);
+        const payload = {
+            iss: this.config.issuer,
+            sub: args.sub,
+            aud: `${this.config.issuer}/mcp`,
+            exp: nowSec + args.expiresInSeconds,
+            iat: nowSec,
+            jti: args.jti ?? randomBytes(16).toString('base64url'),
+            tenant_id: args.tenantId,
+            client_id: args.clientId,
+            scope: args.scope,
+        };
+        return this.sign(payload);
+    }
+    /**
+     * Sign a custom payload (used by RFC 8693 token exchange, where the
+     * caller fully controls the claim set including `aud`, `act`, etc.).
+     * Caller is responsible for including `iss`, `exp`, `iat`.
+     */
+    exchangeSign(payload) {
+        return this.sign(payload);
+    }
+    /**
+     * Generate an OpenID Connect id_token per OIDC Core §3.1.3.7.
+     *
+     * Identity assertion about the end-user. Issued when `openid` scope is
+     * granted at /token. Signed with the same key/algorithm as access tokens.
+     * `azp` (authorized party) claim identifies the client that requested it.
+     */
+    generateIdToken(args) {
+        const nowSec = Math.floor((args.now?.getTime() ?? Date.now()) / 1000);
+        const payload = {
+            iss: this.config.issuer,
+            sub: args.sub,
+            aud: args.clientId, // RFC: id_token audience is the client, not the resource
+            azp: args.clientId,
+            exp: nowSec + args.expiresInSeconds,
+            iat: nowSec,
+            tenant_id: args.tenantId,
+            ...(args.profile ?? {}),
+        };
+        if (args.nonce)
+            payload.nonce = args.nonce;
+        return this.sign(payload);
+    }
     /**
      * Generate a session token
      */
@@ -103,6 +184,8 @@ export class JwtService {
             alg: this.config.algorithm,
             typ: 'JWT',
         };
+        if (this.config.kid)
+            header.kid = this.config.kid;
         const headerB64 = base64UrlEncode(JSON.stringify(header));
         const payloadB64 = base64UrlEncode(JSON.stringify(payload));
         const signatureInput = `${headerB64}.${payloadB64}`;
@@ -117,39 +200,83 @@ export class JwtService {
         if (parts.length !== 3)
             return null;
         const [headerB64, payloadB64, signatureB64] = parts;
-        // Verify signature
         const signatureInput = `${headerB64}.${payloadB64}`;
-        const expectedSignature = this.createSignature(signatureInput);
-        // Timing-safe comparison
-        const signatureBuffer = Buffer.from(signatureB64, 'base64url');
-        const expectedBuffer = Buffer.from(expectedSignature, 'base64url');
-        if (signatureBuffer.length !== expectedBuffer.length) {
-            return null;
+        if (isAsymmetric(this.config.algorithm)) {
+            if (!this.publicKey)
+                return null;
+            try {
+                const verifier = createVerify(this.hashName());
+                verifier.update(signatureInput);
+                verifier.end();
+                const raw = Buffer.from(signatureB64, 'base64url');
+                // ES256/384/512 carry IEEE-P1363 r||s per RFC 7518 §3.4. Node's verifier
+                // expects DER internally on some runtimes (Bun in particular), so we
+                // convert P1363→DER before calling verify. `dsaEncoding: 'ieee-p1363'`
+                // option is Node-only and errors on Bun.
+                const signature = this.config.algorithm === 'ES256' ? p1363ToDer(raw) : raw;
+                const ok = verifier.verify(this.publicKey, signature);
+                if (!ok)
+                    return null;
+            }
+            catch {
+                return null;
+            }
         }
-        if (!timingSafeEqual(signatureBuffer, expectedBuffer)) {
-            return null;
+        else {
+            const expectedSignature = this.createSignature(signatureInput);
+            const signatureBuffer = Buffer.from(signatureB64, 'base64url');
+            const expectedBuffer = Buffer.from(expectedSignature, 'base64url');
+            if (signatureBuffer.length !== expectedBuffer.length)
+                return null;
+            if (!timingSafeEqual(signatureBuffer, expectedBuffer))
+                return null;
         }
-        // Parse payload
         try {
             return JSON.parse(base64UrlDecode(payloadB64));
         }
         catch {
-            return null; // malformed payload
+            return null;
         }
     }
     /**
-     * Create HMAC signature
+     * Create JWS signature. HMAC for symmetric algs, RSA-PSS / ECDSA for asymmetric.
      */
     createSignature(input) {
-        const algorithm = this.config.algorithm === 'HS256'
-            ? 'sha256'
-            : this.config.algorithm === 'HS384'
-                ? 'sha384'
-                : 'sha512';
-        const hmac = createHmac(algorithm, this.config.secret);
+        if (isAsymmetric(this.config.algorithm)) {
+            if (!this.privateKey) {
+                throw new Error('asymmetric JWT signing requires privateKey');
+            }
+            const signer = createSign(this.hashName());
+            signer.update(input);
+            signer.end();
+            // Node.js signs ECDSA with DER by default. RFC 7518 §3.4 requires
+            // the IEEE-P1363 r||s concatenation for JWS, so we convert after
+            // signing. The `dsaEncoding: 'ieee-p1363'` sign option would work
+            // on Node but throws on Bun ("Length out of range"), so we do the
+            // conversion manually for runtime-agnosticism.
+            const der = signer.sign(this.privateKey);
+            if (this.config.algorithm === 'ES256') {
+                return derToP1363(der, 32).toString('base64url');
+            }
+            return der.toString('base64url');
+        }
+        const hmac = createHmac(this.hashName(), this.config.secret);
         hmac.update(input);
         return hmac.digest('base64url');
     }
+    hashName() {
+        switch (this.config.algorithm) {
+            case 'HS384':
+                return 'sha384';
+            case 'HS512':
+                return 'sha512';
+            case 'HS256':
+            case 'RS256':
+            case 'ES256':
+            default:
+                return 'sha256';
+        }
+    }
 }
 // ============================================================================
 // PKCE Utilities
@@ -161,11 +288,11 @@ export function generateCodeVerifier() {
     return randomBytes(32).toString('base64url');
 }
 /**
- * Generate a code challenge from a verifier
+ * Generate a code challenge from a verifier (RFC 7636 §4.2, S256 method)
+ * code_challenge = BASE64URL-ENCODE(SHA256(code_verifier))
  */
 export function generateCodeChallenge(verifier) {
-    const hash = createHmac('sha256', '').update(verifier).digest();
-    return hash.toString('base64url');
+    return createHash('sha256').update(verifier).digest('base64url');
 }
 /**
  * Verify a code verifier against a challenge
@@ -220,6 +347,81 @@ function base64UrlDecode(str) {
     return Buffer.from(str, 'base64url').toString('utf-8');
 }
 // ============================================================================
+// ECDSA signature encoding (DER ↔ IEEE-P1363)
+// ============================================================================
+/**
+ * Convert a DER-encoded ECDSA signature (Node's default output from
+ * `createSign().sign()`) into the IEEE-P1363 r||s encoding required by
+ * RFC 7518 §3.4 for JWS ES256/ES384/ES512.
+ *
+ * DER layout: 0x30 [totalLen] 0x02 [rLen] [r...] 0x02 [sLen] [s...]
+ * r and s are encoded as signed integers — DER prepends 0x00 if the high
+ * bit of the first byte would otherwise make them negative. P1363 strips
+ * that padding and left-zero-pads each component to `componentLen` bytes.
+ */
+function derToP1363(der, componentLen) {
+    if (der[0] !== 0x30) {
+        throw new Error('invalid DER signature: missing SEQUENCE');
+    }
+    // Skip SEQUENCE header (1-byte length for signatures we produce).
+    let offset = 2;
+    if ((der[1] & 0x80) !== 0) {
+        offset += der[1] & 0x7f;
+    }
+    const readInt = () => {
+        if (der[offset] !== 0x02) {
+            throw new Error('invalid DER signature: expected INTEGER');
+        }
+        const len = der[offset + 1];
+        const start = offset + 2;
+        let value = der.subarray(start, start + len);
+        offset = start + len;
+        // Strip leading 0x00 padding that keeps DER integers positive.
+        while (value.length > 1 && value[0] === 0x00) {
+            value = value.subarray(1);
+        }
+        if (value.length > componentLen) {
+            throw new Error(`ECDSA component overflow: ${value.length} > ${componentLen}`);
+        }
+        return value;
+    };
+    const r = readInt();
+    const s = readInt();
+    const out = Buffer.alloc(componentLen * 2);
+    r.copy(out, componentLen - r.length);
+    s.copy(out, componentLen * 2 - s.length);
+    return out;
+}
+/**
+ * Convert a P1363 r||s signature into DER for Node's `verifier.verify()`.
+ * Inverse of `derToP1363`. Used on the verify path so signatures received
+ * in spec-compliant JWS form can still be handed to Node's DER-only API.
+ */
+function p1363ToDer(p1363) {
+    if (p1363.length % 2 !== 0) {
+        throw new Error('invalid P1363 signature: odd length');
+    }
+    const half = p1363.length / 2;
+    const encodeInt = (value) => {
+        // Strip leading zeros (but leave at least one byte).
+        let v = value;
+        while (v.length > 1 && v[0] === 0x00) {
+            v = v.subarray(1);
+        }
+        // If high bit is set, prepend 0x00 so DER reads it as positive.
+        if ((v[0] & 0x80) !== 0) {
+            v = Buffer.concat([Buffer.from([0x00]), v]);
+        }
+        return Buffer.concat([Buffer.from([0x02, v.length]), v]);
+    };
+    const r = encodeInt(p1363.subarray(0, half));
+    const s = encodeInt(p1363.subarray(half));
+    const body = Buffer.concat([r, s]);
+    return Buffer.concat([Buffer.from([0x30, body.length]), body]);
+}
+/** Internal exports for tests only. */
+export const __test_ecdsa__ = { derToP1363, p1363ToDer };
+// ============================================================================
 // Factory Function
 // ============================================================================
 let jwtServiceInstance = null;

package/dist/serv/auth/jwt.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../../src/serv/auth/jwt.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAkBlE,MAAM,cAAc,GAAuB;IACzC,aAAa,EAAE,EAAE,GAAG,EAAE,EAAE,aAAa;IACrC,SAAS,EAAE,OAAO;CACnB,CAAC;AAEF,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E,MAAM,OAAO,UAAU;IACb,MAAM,CAAY;IAE1B,YAAY,MAA+D;QACzE,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,MAAM,EAAe,CAAC;QAE5D,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACnC,OAAO,CAAC,IAAI,CAAC,0EAA0E,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAED;;OAEG;IACH,oBAAoB,CAClB,OAAgB,EAChB,MAAc,EACd,IAAW,EACX,UAAuB;QAEvB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;QAE3D,MAAM,OAAO,GAA4B;YACvC,kBAAkB;YAClB,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YACvB,GAAG,EAAE,IAAI,EAAE,EAAE,IAAI,aAAa,OAAO,CAAC,EAAE,EAAE;YAC1C,GAAG,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC;YAC/B,GAAG;YACH,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,OAAO,CAAC,EAAE;YAEf,cAAc;YACd,SAAS,EAAE,MAAM,CAAC,EAAE;YACpB,WAAW,EAAE,MAAM,CAAC,IAAI;YACxB,OAAO,EAAE,IAAI,EAAE,EAAE;YACjB,IAAI,EAAE,UAAU,EAAE,IAAI;YACtB,cAAc,EAAE,OAAO,CAAC,EAAE;SAC3B,CAAC;QAEF,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,kBAAkB,CAAC,KAAa;QAC9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnC,IAAI,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAC;YAE1B,2BAA2B;YAC3B,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBACjF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,eAAe;YACf,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAa,CAAC;YAClC,IAAI,GAAG,GAAG,GAAG,EAAE,CAAC;gBACd,OAAO,IAAI,CAAC;YACd,CAAC;YAED,eAAe;YACf,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBACvC,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,OAAkC,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC,CAAC,2BAA2B;QAC1C,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAEpC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACtD,OAAO,OAAuB,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC,CAAC,kBAAkB;QACjC,CAAC;IACH,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,MAAc;QAClC,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;YACjC,OAAO,WAAW,MAAM,CAAC,QAAQ,CAAC,YAAY,MAAM,CAAC;QACvD,CAAC;QACD,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,WAAW,MAAM,CAAC,IAAI,MAAM,CAAC;IAC3D,CAAC;IAED;;OAEG;IACK,IAAI,CAAC,OAAgC;QAC3C,MAAM,MAAM,GAAG;YACb,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAC1B,GAAG,EAAE,KAAK;SACX,CAAC;QAEF,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1D,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QAE5D,MAAM,cAAc,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QACpD,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QAEvD,OAAO,GAAG,cAAc,IAAI,SAAS,EAAE,CAAC;IAC1C,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,KAAa;QAC1B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;QAEpD,mBAAmB;QACnB,MAAM,cAAc,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QACpD,MAAM,iBAAiB,GAAG,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QAE/D,yBAAyB;QACzB,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QAC/D,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;QAEnE,IAAI,eAAe,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM,EAAE,CAAC;YACrD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,cAAc,CAAC,EAAE,CAAC;YACtD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,gBAAgB;QAChB,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC,CAAC,oBAAoB;QACnC,CAAC;IACH,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,KAAa;QACnC,MAAM,SAAS,GACb,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,OAAO;YAC/B,CAAC,CAAC,QAAQ;YACV,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,OAAO;gBACjC,CAAC,CAAC,QAAQ;gBACV,CAAC,CAAC,QAAQ,CAAC;QAEjB,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAClC,CAAC;CACF;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC;IAChE,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB,EAAE,SAAiB;IACrE,MAAM,QAAQ,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IACjD,OAAO,QAAQ,KAAK,SAAS,CAAC;AAChC,CAAC;AAeD;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAiB,EAAE,MAAc;IAChE,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACrB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAE3C,OAAO,eAAe,CAAC,GAAG,OAAO,IAAI,SAAS,EAAE,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAE,MAAc;IAC9D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAEhD,IAAI,CAAC,OAAO,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAExC,mBAAmB;QACnB,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACrB,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAEnD,IAAI,SAAS,KAAK,iBAAiB;YAAE,OAAO,IAAI,CAAC;QAEjD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAe,CAAC;QAEhD,qCAAqC;QACrC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;YACjD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,CAAC,gCAAgC;IAC/C,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACzD,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,IAAI,kBAAkB,GAAsB,IAAI,CAAC;AAEjD,MAAM,UAAU,aAAa,CAC3B,MAAgE;IAEhE,IAAI,kBAAkB;QAAE,OAAO,kBAAkB,CAAC;IAClD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,kBAAkB,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IAC5C,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,MAA+D;IAE/D,IAAI,kBAAkB;QAAE,OAAO,kBAAkB,CAAC;IAClD,kBAAkB,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IAC5C,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,eAAe;IAC7B,kBAAkB,GAAG,IAAI,CAAC;AAC5B,CAAC"}
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../../src/serv/auth/jwt.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,UAAU,EACV,UAAU,EACV,UAAU,EACV,YAAY,EACZ,gBAAgB,EAChB,eAAe,EACf,WAAW,EACX,eAAe,GAEhB,MAAM,QAAQ,CAAC;AA+BhB,MAAM,cAAc,GAAuB;IACzC,aAAa,EAAE,EAAE,GAAG,EAAE,EAAE,aAAa;IACrC,SAAS,EAAE,OAAO;CACnB,CAAC;AAEF,SAAS,YAAY,CAAC,GAA2B;IAC/C,OAAO,GAAG,KAAK,OAAO,IAAI,GAAG,KAAK,OAAO,CAAC;AAC5C,CAAC;AAED,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E,MAAM,OAAO,UAAU;IACb,MAAM,CAAY;IAClB,UAAU,CAAa;IACvB,SAAS,CAAa;IAE9B,YAAY,MAAgE;QAC1E,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE,EAAe,CAAC;QAEzF,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;YACxC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CAAC,iBAAiB,IAAI,CAAC,MAAM,CAAC,SAAS,wBAAwB,CAAC,CAAC;YAClF,CAAC;YACD,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAC3D,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS;gBACpC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;gBACxC,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACvC,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC1C,OAAO,CAAC,IAAI,CAAC,0EAA0E,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,SAAS;QACP,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QACjC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAA4B,CAAC;QAChF,GAAG,CAAC,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;QAChC,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC;QAChB,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG;YAAE,GAAG,CAAC,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC;QAC/C,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;;;;OAMG;IACH,mBAAmB,CAAC,IASnB;QACC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;QACtE,MAAM,OAAO,GAA4B;YACvC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YACvB,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,MAAM;YAChC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC,gBAAgB;YACnC,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;YACtD,SAAS,EAAE,IAAI,CAAC,QAAQ;YACxB,SAAS,EAAE,IAAI,CAAC,QAAQ;YACxB,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC;QACF,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC5B,CAAC;IAED;;;;OAIG;IACH,YAAY,CAAC,OAAgC;QAC3C,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC5B,CAAC;IAED;;;;;;OAMG;IACH,eAAe,CAAC,IAUf;QACC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;QACtE,MAAM,OAAO,GAA4B;YACvC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YACvB,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,GAAG,EAAE,IAAI,CAAC,QAAQ,EAAE,yDAAyD;YAC7E,GAAG,EAAE,IAAI,CAAC,QAAQ;YAClB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC,gBAAgB;YACnC,GAAG,EAAE,MAAM;YACX,SAAS,EAAE,IAAI,CAAC,QAAQ;YACxB,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;SACxB,CAAC;QACF,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QAC3C,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,oBAAoB,CAClB,OAAgB,EAChB,MAAc,EACd,IAAW,EACX,UAAuB;QAEvB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;QAE3D,MAAM,OAAO,GAA4B;YACvC,kBAAkB;YAClB,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YACvB,GAAG,EAAE,IAAI,EAAE,EAAE,IAAI,aAAa,OAAO,CAAC,EAAE,EAAE;YAC1C,GAAG,EAAE,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC;YAC/B,GAAG;YACH,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,OAAO,CAAC,EAAE;YAEf,cAAc;YACd,SAAS,EAAE,MAAM,CAAC,EAAE;YACpB,WAAW,EAAE,MAAM,CAAC,IAAI;YACxB,OAAO,EAAE,IAAI,EAAE,EAAE;YACjB,IAAI,EAAE,UAAU,EAAE,IAAI;YACtB,cAAc,EAAE,OAAO,CAAC,EAAE;SAC3B,CAAC;QAEF,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,kBAAkB,CAAC,KAAa;QAC9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnC,IAAI,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAC;YAE1B,2BAA2B;YAC3B,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBACjF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,eAAe;YACf,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAa,CAAC;YAClC,IAAI,GAAG,GAAG,GAAG,EAAE,CAAC;gBACd,OAAO,IAAI,CAAC;YACd,CAAC;YAED,eAAe;YACf,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBACvC,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,OAAkC,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC,CAAC,2BAA2B;QAC1C,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAEpC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACtD,OAAO,OAAuB,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC,CAAC,kBAAkB;QACjC,CAAC;IACH,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,MAAc;QAClC,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;YACjC,OAAO,WAAW,MAAM,CAAC,QAAQ,CAAC,YAAY,MAAM,CAAC;QACvD,CAAC;QACD,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,WAAW,MAAM,CAAC,IAAI,MAAM,CAAC;IAC3D,CAAC;IAED;;OAEG;IACK,IAAI,CAAC,OAAgC;QAC3C,MAAM,MAAM,GAA4B;YACtC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAC1B,GAAG,EAAE,KAAK;SACX,CAAC;QACF,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG;YAAE,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC;QAElD,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1D,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QAE5D,MAAM,cAAc,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QACpD,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QAEvD,OAAO,GAAG,cAAc,IAAI,SAAS,EAAE,CAAC;IAC1C,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,KAAa;QAC1B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;QACpD,MAAM,cAAc,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QAEpD,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;YACxC,IAAI,CAAC,IAAI,CAAC,SAAS;gBAAE,OAAO,IAAI,CAAC;YACjC,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAC/C,QAAQ,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;gBAChC,QAAQ,CAAC,GAAG,EAAE,CAAC;gBACf,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;gBACnD,yEAAyE;gBACzE,qEAAqE;gBACrE,uEAAuE;gBACvE,yCAAyC;gBACzC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC5E,MAAM,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;gBACtD,IAAI,CAAC,EAAE;oBAAE,OAAO,IAAI,CAAC;YACvB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,iBAAiB,GAAG,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;YAC/D,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;YAC/D,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;YACnE,IAAI,eAAe,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM;gBAAE,OAAO,IAAI,CAAC;YAClE,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,cAAc,CAAC;gBAAE,OAAO,IAAI,CAAC;QACrE,CAAC;QAED,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,KAAa;QACnC,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;YACxC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;gBACrB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;YAChE,CAAC;YACD,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACrB,MAAM,CAAC,GAAG,EAAE,CAAC;YACb,kEAAkE;YAClE,iEAAiE;YACjE,kEAAkE;YAClE,kEAAkE;YAClE,+CAA+C;YAC/C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACzC,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;gBACtC,OAAO,UAAU,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YACnD,CAAC;YACD,OAAO,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACnC,CAAC;QACD,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnB,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAClC,CAAC;IAEO,QAAQ;QACd,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC9B,KAAK,OAAO;gBACV,OAAO,QAAQ,CAAC;YAClB,KAAK,OAAO;gBACV,OAAO,QAAQ,CAAC;YAClB,KAAK,OAAO,CAAC;YACb,KAAK,OAAO,CAAC;YACb,KAAK,OAAO,CAAC;YACb;gBACE,OAAO,QAAQ,CAAC;QACpB,CAAC;IACH,CAAC;CACF;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;AACnE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB,EAAE,SAAiB;IACrE,MAAM,QAAQ,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IACjD,OAAO,QAAQ,KAAK,SAAS,CAAC;AAChC,CAAC;AAeD;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAiB,EAAE,MAAc;IAChE,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACrB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAE3C,OAAO,eAAe,CAAC,GAAG,OAAO,IAAI,SAAS,EAAE,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAE,MAAc;IAC9D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAEhD,IAAI,CAAC,OAAO,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAExC,mBAAmB;QACnB,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACrB,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAEnD,IAAI,SAAS,KAAK,iBAAiB;YAAE,OAAO,IAAI,CAAC;QAEjD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAe,CAAC;QAEhD,qCAAqC;QACrC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;YACjD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,CAAC,gCAAgC;IAC/C,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACzD,CAAC;AAED,+EAA+E;AAC/E,8CAA8C;AAC9C,+EAA+E;AAE/E;;;;;;;;;GASG;AACH,SAAS,UAAU,CAAC,GAAW,EAAE,YAAoB;IACnD,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IACD,kEAAkE;IAClE,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IAC1B,CAAC;IACD,MAAM,OAAO,GAAG,GAAW,EAAE;QAC3B,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QACD,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC5B,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,CAAC;QACzB,IAAI,KAAK,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,GAAG,GAAG,CAAC,CAAC;QAC7C,MAAM,GAAG,KAAK,GAAG,GAAG,CAAC;QACrB,+DAA+D;QAC/D,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC7C,KAAK,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC5B,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,GAAG,YAAY,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,6BAA6B,KAAK,CAAC,MAAM,MAAM,YAAY,EAAE,CAAC,CAAC;QACjF,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;IACF,MAAM,CAAC,GAAG,OAAO,EAAE,CAAC;IACpB,MAAM,CAAC,GAAG,OAAO,EAAE,CAAC;IACpB,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;IACzC,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,SAAS,UAAU,CAAC,KAAa;IAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IAC9B,MAAM,SAAS,GAAG,CAAC,KAAa,EAAU,EAAE;QAC1C,qDAAqD;QACrD,IAAI,CAAC,GAAG,KAAK,CAAC;QACd,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACrC,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;QACD,gEAAgE;QAChE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3D,CAAC,CAAC;IACF,MAAM,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;IAC7C,MAAM,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AACjE,CAAC;AAED,uCAAuC;AACvC,MAAM,CAAC,MAAM,cAAc,GAAG,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC;AAEzD,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,IAAI,kBAAkB,GAAsB,IAAI,CAAC;AAEjD,MAAM,UAAU,aAAa,CAC3B,MAAgE;IAEhE,IAAI,kBAAkB;QAAE,OAAO,kBAAkB,CAAC;IAClD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,kBAAkB,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IAC5C,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,MAA+D;IAE/D,IAAI,kBAAkB;QAAE,OAAO,kBAAkB,CAAC;IAClD,kBAAkB,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IAC5C,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,eAAe;IAC7B,kBAAkB,GAAG,IAAI,CAAC;AAC5B,CAAC"}

package/dist/serv/auth/oauth-sqlite-stores.d.ts

@@ -0,0 +1,48 @@
+/**
+ * SQLite-backed implementations of `ElicitationStore` and `GrantStore`.
+ *
+ * These hold OAuth state that currently goes through `MemoryElicitationStore`
+ * and `MemoryGrantStore` in `oauth.ts` — elicitation requests (short-lived,
+ * waiting for a user to complete the upstream OAuth flow) and photon grants
+ * (long-lived, encrypted refresh tokens for upstream APIs like Stripe/GitHub).
+ *
+ * Without persistent storage, every daemon restart forces users to re-auth
+ * against every upstream provider because the grants live in memory only.
+ * Moving grants to SQLite fixes that; elicitations benefit because pending
+ * approvals survive a crash of the daemon during the redirect window.
+ *
+ * Runtime-agnostic via `src/shared/sqlite-runtime.ts`:
+ * - Under Bun: uses built-in `bun:sqlite`
+ * - Under Node: falls back to `better-sqlite3`
+ */
+import type { ElicitationRequest, PhotonGrant } from '../types/index.js';
+import type { ElicitationStore, GrantStore } from './oauth.js';
+import { type SqliteDatabase } from '../../shared/sqlite-runtime.js';
+export declare function openOauthDatabase(path: string): Promise<SqliteDatabase>;
+export declare class SqliteElicitationStore implements ElicitationStore {
+    private insert;
+    private select;
+    private updateStmt;
+    private remove;
+    private sweepStmt;
+    constructor(db: SqliteDatabase);
+    create(data: Omit<ElicitationRequest, 'id' | 'createdAt'>): Promise<ElicitationRequest>;
+    get(id: string): Promise<ElicitationRequest | null>;
+    update(id: string, data: Partial<ElicitationRequest>): Promise<void>;
+    delete(id: string): Promise<void>;
+    cleanup(): Promise<number>;
+}
+export declare class SqliteGrantStore implements GrantStore {
+    private insert;
+    private selectByKey;
+    private selectByUser;
+    private updateStmt;
+    private remove;
+    constructor(db: SqliteDatabase);
+    find(tenantId: string, photonId: string, provider: string, userId?: string): Promise<PhotonGrant | null>;
+    create(data: Omit<PhotonGrant, 'id' | 'createdAt' | 'updatedAt'>): Promise<PhotonGrant>;
+    update(id: string, data: Partial<PhotonGrant>): Promise<void>;
+    delete(id: string): Promise<void>;
+    findByUser(tenantId: string, userId: string): Promise<PhotonGrant[]>;
+}
+//# sourceMappingURL=oauth-sqlite-stores.d.ts.map

package/dist/serv/auth/oauth-sqlite-stores.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-sqlite-stores.d.ts","sourceRoot":"","sources":["../../../src/serv/auth/oauth-sqlite-stores.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAGH,OAAO,KAAK,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACzE,OAAO,KAAK,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAC/D,OAAO,EAEL,KAAK,cAAc,EAEpB,MAAM,gCAAgC,CAAC;AA0CxC,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CAE7E;AAMD,qBAAa,sBAAuB,YAAW,gBAAgB;IAC7D,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,UAAU,CAAkB;IACpC,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,SAAS,CAAkB;gBAEvB,EAAE,EAAE,cAAc;IAmBxB,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,kBAAkB,EAAE,IAAI,GAAG,WAAW,CAAC,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAqBvF,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAWnD,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,kBAAkB,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAMpE,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC;CAIjC;AAqBD,qBAAa,gBAAiB,YAAW,UAAU;IACjD,OAAO,CAAC,MAAM,CAAkB;IAChC,OAAO,CAAC,WAAW,CAAkB;IACrC,OAAO,CAAC,YAAY,CAAkB;IACtC,OAAO,CAAC,UAAU,CAAkB;IACpC,OAAO,CAAC,MAAM,CAAkB;gBAEpB,EAAE,EAAE,cAAc;IA6BxB,IAAI,CACR,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAWxB,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,GAAG,WAAW,GAAG,WAAW,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC;IAwBvF,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAY7D,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjC,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;CAI3E"}

package/dist/serv/auth/oauth-sqlite-stores.js

@@ -0,0 +1,212 @@
+/**
+ * SQLite-backed implementations of `ElicitationStore` and `GrantStore`.
+ *
+ * These hold OAuth state that currently goes through `MemoryElicitationStore`
+ * and `MemoryGrantStore` in `oauth.ts` — elicitation requests (short-lived,
+ * waiting for a user to complete the upstream OAuth flow) and photon grants
+ * (long-lived, encrypted refresh tokens for upstream APIs like Stripe/GitHub).
+ *
+ * Without persistent storage, every daemon restart forces users to re-auth
+ * against every upstream provider because the grants live in memory only.
+ * Moving grants to SQLite fixes that; elicitations benefit because pending
+ * approvals survive a crash of the daemon during the redirect window.
+ *
+ * Runtime-agnostic via `src/shared/sqlite-runtime.ts`:
+ * - Under Bun: uses built-in `bun:sqlite`
+ * - Under Node: falls back to `better-sqlite3`
+ */
+import { randomBytes } from 'crypto';
+import { openSqlite, } from '../../shared/sqlite-runtime.js';
+// ============================================================================
+// Schema + open
+// ============================================================================
+function initSchema(db) {
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS elicitations (
+      id TEXT PRIMARY KEY,
+      session_id TEXT NOT NULL,
+      photon_id TEXT NOT NULL,
+      provider TEXT NOT NULL,
+      required_scopes TEXT NOT NULL,
+      status TEXT NOT NULL,
+      redirect_uri TEXT NOT NULL,
+      code_verifier TEXT,
+      created_at INTEGER NOT NULL,
+      expires_at INTEGER NOT NULL
+    );
+    CREATE INDEX IF NOT EXISTS idx_elicitations_session ON elicitations(session_id);
+    CREATE INDEX IF NOT EXISTS idx_elicitations_expires ON elicitations(expires_at);
+
+    CREATE TABLE IF NOT EXISTS photon_grants (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL,
+      user_id TEXT,
+      photon_id TEXT NOT NULL,
+      provider TEXT NOT NULL,
+      scopes TEXT NOT NULL,
+      access_token_encrypted TEXT NOT NULL,
+      refresh_token_encrypted TEXT,
+      token_expires_at INTEGER NOT NULL,
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL,
+      UNIQUE (tenant_id, photon_id, provider, user_id)
+    );
+    CREATE INDEX IF NOT EXISTS idx_grants_user ON photon_grants(tenant_id, user_id);
+    CREATE INDEX IF NOT EXISTS idx_grants_expires ON photon_grants(token_expires_at);
+  `);
+}
+export async function openOauthDatabase(path) {
+    return openSqlite(path, initSchema);
+}
+// ============================================================================
+// SqliteElicitationStore
+// ============================================================================
+export class SqliteElicitationStore {
+    insert;
+    select;
+    updateStmt;
+    remove;
+    sweepStmt;
+    constructor(db) {
+        this.insert = db.prepare(`
+      INSERT INTO elicitations
+        (id, session_id, photon_id, provider, required_scopes, status,
+         redirect_uri, code_verifier, created_at, expires_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+        this.select = db.prepare('SELECT * FROM elicitations WHERE id = ?');
+        this.updateStmt = db.prepare(`
+      UPDATE elicitations
+      SET status = COALESCE(?, status),
+          code_verifier = COALESCE(?, code_verifier),
+          expires_at = COALESCE(?, expires_at)
+      WHERE id = ?
+    `);
+        this.remove = db.prepare('DELETE FROM elicitations WHERE id = ?');
+        this.sweepStmt = db.prepare('DELETE FROM elicitations WHERE expires_at < ?');
+    }
+    async create(data) {
+        const request = {
+            ...data,
+            id: randomBytes(16).toString('hex'),
+            createdAt: new Date(),
+        };
+        this.insert.run(request.id, request.sessionId, request.photonId, request.provider, JSON.stringify(request.requiredScopes), request.status, request.redirectUri, request.codeVerifier ?? null, request.createdAt.getTime(), request.expiresAt.getTime());
+        return request;
+    }
+    async get(id) {
+        const row = this.select.get(id);
+        if (!row)
+            return null;
+        const expiresAt = new Date(row.expires_at);
+        if (expiresAt.getTime() < Date.now()) {
+            this.remove.run(id);
+            return null;
+        }
+        return rowToElicitation(row);
+    }
+    async update(id, data) {
+        // Only status / codeVerifier / expiresAt are mutated in practice
+        const expiresAt = data.expiresAt ? data.expiresAt.getTime() : null;
+        this.updateStmt.run(data.status ?? null, data.codeVerifier ?? null, expiresAt, id);
+    }
+    async delete(id) {
+        this.remove.run(id);
+    }
+    async cleanup() {
+        const result = this.sweepStmt.run(Date.now());
+        return result.changes ?? 0;
+    }
+}
+function rowToElicitation(row) {
+    return {
+        id: row.id,
+        sessionId: row.session_id,
+        photonId: row.photon_id,
+        provider: row.provider,
+        requiredScopes: JSON.parse(row.required_scopes),
+        status: row.status,
+        redirectUri: row.redirect_uri,
+        codeVerifier: row.code_verifier ?? undefined,
+        createdAt: new Date(row.created_at),
+        expiresAt: new Date(row.expires_at),
+    };
+}
+// ============================================================================
+// SqliteGrantStore
+// ============================================================================
+export class SqliteGrantStore {
+    insert;
+    selectByKey;
+    selectByUser;
+    updateStmt;
+    remove;
+    constructor(db) {
+        this.insert = db.prepare(`
+      INSERT OR REPLACE INTO photon_grants
+        (id, tenant_id, user_id, photon_id, provider, scopes,
+         access_token_encrypted, refresh_token_encrypted, token_expires_at,
+         created_at, updated_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+        this.selectByKey = db.prepare(`
+      SELECT * FROM photon_grants
+      WHERE tenant_id = ? AND photon_id = ? AND provider = ?
+        AND (user_id = ? OR (user_id IS NULL AND ? IS NULL))
+      LIMIT 1
+    `);
+        this.selectByUser = db.prepare('SELECT * FROM photon_grants WHERE tenant_id = ? AND user_id = ?');
+        this.updateStmt = db.prepare(`
+      UPDATE photon_grants
+      SET access_token_encrypted = COALESCE(?, access_token_encrypted),
+          refresh_token_encrypted = COALESCE(?, refresh_token_encrypted),
+          scopes = COALESCE(?, scopes),
+          token_expires_at = COALESCE(?, token_expires_at),
+          updated_at = ?
+      WHERE id = ?
+    `);
+        this.remove = db.prepare('DELETE FROM photon_grants WHERE id = ?');
+    }
+    async find(tenantId, photonId, provider, userId) {
+        const row = this.selectByKey.get(tenantId, photonId, provider, userId ?? null, userId ?? null);
+        return row ? rowToGrant(row) : null;
+    }
+    async create(data) {
+        const now = new Date();
+        const grant = {
+            ...data,
+            id: randomBytes(16).toString('hex'),
+            createdAt: now,
+            updatedAt: now,
+        };
+        this.insert.run(grant.id, grant.tenantId, grant.userId ?? null, grant.photonId, grant.provider, JSON.stringify(grant.scopes), grant.accessTokenEncrypted, grant.refreshTokenEncrypted ?? null, grant.tokenExpiresAt.getTime(), grant.createdAt.getTime(), grant.updatedAt.getTime());
+        return grant;
+    }
+    async update(id, data) {
+        const expiresAt = data.tokenExpiresAt ? data.tokenExpiresAt.getTime() : null;
+        this.updateStmt.run(data.accessTokenEncrypted ?? null, data.refreshTokenEncrypted ?? null, data.scopes ? JSON.stringify(data.scopes) : null, expiresAt, Date.now(), id);
+    }
+    async delete(id) {
+        this.remove.run(id);
+    }
+    async findByUser(tenantId, userId) {
+        const rows = this.selectByUser.all(tenantId, userId);
+        return rows.map((r) => rowToGrant(r));
+    }
+}
+function rowToGrant(row) {
+    return {
+        id: row.id,
+        tenantId: row.tenant_id,
+        userId: row.user_id ?? undefined,
+        photonId: row.photon_id,
+        provider: row.provider,
+        scopes: JSON.parse(row.scopes),
+        accessTokenEncrypted: row.access_token_encrypted,
+        refreshTokenEncrypted: row.refresh_token_encrypted ?? undefined,
+        tokenExpiresAt: new Date(row.token_expires_at),
+        createdAt: new Date(row.created_at),
+        updatedAt: new Date(row.updated_at),
+    };
+}
+//# sourceMappingURL=oauth-sqlite-stores.js.map

package/dist/serv/auth/oauth-sqlite-stores.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-sqlite-stores.js","sourceRoot":"","sources":["../../../src/serv/auth/oauth-sqlite-stores.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAGrC,OAAO,EACL,UAAU,GAGX,MAAM,gCAAgC,CAAC;AAExC,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E,SAAS,UAAU,CAAC,EAAkB;IACpC,EAAE,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCP,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,IAAY;IAClD,OAAO,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;AACtC,CAAC;AAED,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E,MAAM,OAAO,sBAAsB;IACzB,MAAM,CAAkB;IACxB,MAAM,CAAkB;IACxB,UAAU,CAAkB;IAC5B,MAAM,CAAkB;IACxB,SAAS,CAAkB;IAEnC,YAAY,EAAkB;QAC5B,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;KAKxB,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,yCAAyC,CAAC,CAAC;QACpE,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;;KAM5B,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,uCAAuC,CAAC,CAAC;QAClE,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC,+CAA+C,CAAC,CAAC;IAC/E,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAkD;QAC7D,MAAM,OAAO,GAAuB;YAClC,GAAG,IAAI;YACP,EAAE,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACnC,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,GAAG,CACb,OAAO,CAAC,EAAE,EACV,OAAO,CAAC,SAAS,EACjB,OAAO,CAAC,QAAQ,EAChB,OAAO,CAAC,QAAQ,EAChB,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,CAAC,EACtC,OAAO,CAAC,MAAM,EACd,OAAO,CAAC,WAAW,EACnB,OAAO,CAAC,YAAY,IAAI,IAAI,EAC5B,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,EAC3B,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,CAC5B,CAAC;QACF,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,EAAU;QAClB,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAwC,CAAC;QACvE,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,UAAoB,CAAC,CAAC;QACrD,IAAI,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACrC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACpB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU,EAAE,IAAiC;QACxD,iEAAiE;QACjE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACnE,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,EAAE,IAAI,CAAC,YAAY,IAAI,IAAI,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC9C,OAAO,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC;IAC7B,CAAC;CACF;AAED,SAAS,gBAAgB,CAAC,GAA4B;IACpD,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAY;QACpB,SAAS,EAAE,GAAG,CAAC,UAAoB;QACnC,QAAQ,EAAE,GAAG,CAAC,SAAmB;QACjC,QAAQ,EAAE,GAAG,CAAC,QAAkB;QAChC,cAAc,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,eAAyB,CAAa;QACrE,MAAM,EAAE,GAAG,CAAC,MAAsC;QAClD,WAAW,EAAE,GAAG,CAAC,YAAsB;QACvC,YAAY,EAAG,GAAG,CAAC,aAA+B,IAAI,SAAS;QAC/D,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAoB,CAAC;QAC7C,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAoB,CAAC;KAC9C,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,MAAM,OAAO,gBAAgB;IACnB,MAAM,CAAkB;IACxB,WAAW,CAAkB;IAC7B,YAAY,CAAkB;IAC9B,UAAU,CAAkB;IAC5B,MAAM,CAAkB;IAEhC,YAAY,EAAkB;QAC5B,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;;KAMxB,CAAC,CAAC;QACH,IAAI,CAAC,WAAW,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;KAK7B,CAAC,CAAC;QACH,IAAI,CAAC,YAAY,GAAG,EAAE,CAAC,OAAO,CAC5B,iEAAiE,CAClE,CAAC;QACF,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;;;;KAQ5B,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,wCAAwC,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,IAAI,CACR,QAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,MAAe;QAEf,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAC9B,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,MAAM,IAAI,IAAI,EACd,MAAM,IAAI,IAAI,CACwB,CAAC;QACzC,OAAO,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAyD;QACpE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,GAAgB;YACzB,GAAG,IAAI;YACP,EAAE,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACnC,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;SACf,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,GAAG,CACb,KAAK,CAAC,EAAE,EACR,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,MAAM,IAAI,IAAI,EACpB,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,QAAQ,EACd,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,EAC5B,KAAK,CAAC,oBAAoB,EAC1B,KAAK,CAAC,qBAAqB,IAAI,IAAI,EACnC,KAAK,CAAC,cAAc,CAAC,OAAO,EAAE,EAC9B,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,EACzB,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE,CAC1B,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU,EAAE,IAA0B;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAC7E,IAAI,CAAC,UAAU,CAAC,GAAG,CACjB,IAAI,CAAC,oBAAoB,IAAI,IAAI,EACjC,IAAI,CAAC,qBAAqB,IAAI,IAAI,EAClC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,EAChD,SAAS,EACT,IAAI,CAAC,GAAG,EAAE,EACV,EAAE,CACH,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,QAAgB,EAAE,MAAc;QAC/C,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAA8B,CAAC;QAClF,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IACxC,CAAC;CACF;AAED,SAAS,UAAU,CAAC,GAA4B;IAC9C,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAY;QACpB,QAAQ,EAAE,GAAG,CAAC,SAAmB;QACjC,MAAM,EAAG,GAAG,CAAC,OAAyB,IAAI,SAAS;QACnD,QAAQ,EAAE,GAAG,CAAC,SAAmB;QACjC,QAAQ,EAAE,GAAG,CAAC,QAAkB;QAChC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAgB,CAAa;QACpD,oBAAoB,EAAE,GAAG,CAAC,sBAAgC;QAC1D,qBAAqB,EAAG,GAAG,CAAC,uBAAyC,IAAI,SAAS;QAClF,cAAc,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,gBAA0B,CAAC;QACxD,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAoB,CAAC;QAC7C,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAoB,CAAC;KAC9C,CAAC;AACJ,CAAC"}