@powerhousedao/reactor-api 6.0.0-dev.15 → 6.0.0-dev.150

package/dist/src/services/auth.service.d.ts

@@ -1,10 +1,6 @@
-import type { NextFunction, Request, Response } from "express";
 export interface AuthConfig {
     enabled: boolean;
-    guests: string[];
-    users: string[];
     admins: string[];
-    freeEntry: boolean;
     cacheTtl?: number;
     skipCredentialVerification?: boolean;
 }
@@ -13,20 +9,15 @@ export interface User {
     chainId: number;
     networkId: string;
 }
-export interface AuthenticatedRequest extends Request {
+export interface AuthContext {
     user?: User;
     admins: string[];
-    users: string[];
-    guests: string[];
-    freeEntry: boolean;
+    auth_enabled: boolean;
 }
 export declare class AuthService {
     private readonly config;
     constructor(config: AuthConfig);
-    /**
-     * Middleware function to authenticate requests
-     */
-    authenticate(req: AuthenticatedRequest, res: Response, next: NextFunction): Promise<void>;
+    authenticateRequest(request: globalThis.Request): Promise<AuthContext | globalThis.Response>;
     authenticateWebSocketConnection(connectionParams: Record<string, unknown>): Promise<User | null>;
     /**
      * Verify the auth bearer token
@@ -36,16 +27,10 @@ export declare class AuthService {
      * Extract user information from verification result
      */
     private extractUserFromVerification;
-    /**
-     * Check if user address is in allowed lists
-     */
-    private isUserAllowed;
     /**
      * Get additional context fields for GraphQL
      */
     getAdditionalContextFields(): {
-        isGuest: (address: string) => boolean;
-        isUser: (address: string) => boolean;
         isAdmin: (address: string) => boolean;
     };
     /**

package/dist/src/services/auth.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.service.d.ts","sourceRoot":"","sources":["../../../src/services/auth.service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE/D,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0BAA0B,CAAC,EAAE,OAAO,CAAC;CACtC;AAED,MAAM,WAAW,IAAI;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;CACpB;AAOD,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAa;gBAExB,MAAM,EAAE,UAAU;IAI9B;;OAEG;IACG,YAAY,CAChB,GAAG,EAAE,oBAAoB,EACzB,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,IAAI,CAAC;IA0EV,+BAA+B,CACnC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACxC,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;IAsDvB;;OAEG;YACW,WAAW;IAIzB;;OAEG;IACH,OAAO,CAAC,2BAA2B;IA6BnC;;OAEG;IACH,OAAO,CAAC,aAAa;IASrB;;OAEG;IACH,0BAA0B;2BAGD,MAAM;0BACP,MAAM;2BACL,MAAM;;IAkB/B;;OAEG;IACH,cAAc,CAAC,IAAI,CAAC,EAAE,IAAI;;;;;;;;;IAY1B;;OAEG;YACW,sBAAsB;CA6CrC"}
+{"version":3,"file":"auth.service.d.ts","sourceRoot":"","sources":["../../../src/services/auth.service.ts"],"names":[],"mappings":"AASA,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0BAA0B,CAAC,EAAE,OAAO,CAAC;CACtC;AAED,MAAM,WAAW,IAAI;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,EAAE,OAAO,CAAC;CACvB;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAa;gBAExB,MAAM,EAAE,UAAU;IAIxB,mBAAmB,CACvB,OAAO,EAAE,UAAU,CAAC,OAAO,GAC1B,OAAO,CAAC,WAAW,GAAG,UAAU,CAAC,QAAQ,CAAC;IAsDvC,+BAA+B,CACnC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACxC,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;IA4CvB;;OAEG;YACW,WAAW;IAIzB;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAqBnC;;OAEG;IACH,0BAA0B;2BAQH,MAAM;;IAM7B;;OAEG;IACH,cAAc,CAAC,IAAI,CAAC,EAAE,IAAI;;;;;;;;;IAY1B;;OAEG;YACW,sBAAsB;CAgCrC"}

package/dist/src/services/auth.service.js

@@ -1,61 +1,54 @@
-import { verifyAuthBearerToken } from "@renown/sdk";
+import { verifyAuthBearerToken, } from "@renown/sdk";
 export class AuthService {
     config;
     constructor(config) {
         this.config = config;
     }
-    /**
-     * Middleware function to authenticate requests
-     */
-    async authenticate(req, res, next) {
-        if (!this.config.enabled ||
-            req.method === "OPTIONS" ||
-            req.method === "GET") {
-            next();
-            return;
-        }
-        // Set auth lists on request
-        req.admins = this.config.admins;
-        req.users = this.config.users;
-        req.guests = this.config.guests;
-        req.auth_enabled = this.config.enabled;
-        req.freeEntry = this.config.freeEntry;
-        const token = req.headers.authorization?.split(" ")[1];
+    async authenticateRequest(request) {
+        if (!this.config.enabled) {
+            return { user: undefined, admins: [], auth_enabled: false };
+        }
+        const method = request.method;
+        if (method === "OPTIONS" || method === "GET") {
+            return {
+                user: undefined,
+                admins: this.config.admins,
+                auth_enabled: true,
+            };
+        }
+        const token = request.headers.get("authorization")?.split(" ")[1];
         if (!token) {
-            res.status(400).json({ error: "Missing authorization token" });
-            return;
+            return {
+                user: undefined,
+                admins: this.config.admins,
+                auth_enabled: true,
+            };
         }
         try {
-            const verified = (await this.verifyToken(token));
+            const verified = await this.verifyToken(token);
             if (!verified) {
-                res.status(401).json({ error: "Verification failed" });
-                return;
+                return new Response(JSON.stringify({ error: "Verification failed" }), {
+                    status: 401,
+                });
             }
             const user = this.extractUserFromVerification(verified);
             if (!user) {
-                res.status(401).json({ error: "Missing credentials" });
-                return;
+                return new Response(JSON.stringify({ error: "Missing credentials" }), {
+                    status: 401,
+                });
             }
-            // Verify that the credentials still exist on the Renown API
-            // This can be skipped via config (useful for testing or when Renown API is unavailable)
             if (!this.config.skipCredentialVerification) {
                 const credentialExists = await this.verifyCredentialExists(user.address, user.chainId, verified.issuer);
                 if (!credentialExists) {
-                    res.status(401).json({ error: "Credentials no longer valid" });
-                    return;
+                    return new Response(JSON.stringify({ error: "Credentials no longer valid" }), { status: 401 });
                 }
             }
-            req.user = user;
-            // Note: We no longer block users here based on global allowed lists.
-            // The resolver layer handles authorization based on:
-            // 1. Global roles (admin/user/guest) for unrestricted access
-            // 2. Document-level permissions (direct or via groups) for specific documents
-            // This allows users who have document-specific permissions (e.g., via groups)
-            // to access those documents even if they're not in the global allowed lists.
-            next();
+            return { user, admins: this.config.admins, auth_enabled: true };
         }
         catch {
-            res.status(401).json({ error: "Authentication failed" });
+            return new Response(JSON.stringify({ error: "Authentication failed" }), {
+                status: 401,
+            });
         }
     }
     async authenticateWebSocketConnection(connectionParams) {
@@ -70,7 +63,7 @@ export class AuthService {
         if (!token) {
             throw new Error("Invalid authorization format");
         }
-        const verified = (await this.verifyToken(token));
+        const verified = await this.verifyToken(token);
         if (!verified) {
             throw new Error("Token verification failed");
         }
@@ -100,10 +93,8 @@ export class AuthService {
      * Extract user information from verification result
      */
     extractUserFromVerification(verified) {
-        if (!verified)
-            return null;
         try {
-            const { address, chainId, networkId } = verified.verifiableCredential?.credentialSubject || {};
+            const { address, chainId, networkId } = verified.verifiableCredential.credentialSubject;
             if (!address || !chainId || !networkId) {
                 return null;
             }
@@ -117,34 +108,16 @@ export class AuthService {
             return null;
         }
     }
-    /**
-     * Check if user address is in allowed lists
-     */
-    isUserAllowed(address) {
-        const all = [
-            ...this.config.admins,
-            ...this.config.users,
-            ...this.config.guests,
-        ];
-        return all.includes(address.toLocaleLowerCase()) || this.config.freeEntry;
-    }
     /**
      * Get additional context fields for GraphQL
      */
     getAdditionalContextFields() {
         if (!this.config.enabled) {
             return {
-                isGuest: (address) => true,
-                isUser: (address) => true,
-                isAdmin: (address) => true,
+                isAdmin: () => true,
             };
         }
         return {
-            isGuest: (address) => this.config.enabled &&
-                (this.config.freeEntry ||
-                    this.config.guests?.includes(address.toLowerCase())),
-            isUser: (address) => this.config.enabled &&
-                this.config.users?.includes(address.toLowerCase()),
             isAdmin: (address) => this.config.enabled &&
                 this.config.admins?.includes(address.toLowerCase()),
         };
@@ -166,28 +139,21 @@ export class AuthService {
     /**
      * Verify that the credential still exists on the Renown API
      */
-    async verifyCredentialExists(address, chainId, connectId) {
-        const url = `https://www.renown.id/api/auth/credential?address=${address}&chainId=${chainId}&connectId=${connectId}`;
-        console.log("url", url);
+    async verifyCredentialExists(address, chainId, appId) {
+        const url = `https://www.renown.id/api/auth/credential?address=${address}&chainId=${chainId}&connectId=${appId}&appId=${appId}`;
         try {
             const response = await fetch(url, {
                 method: "GET",
             });
             const body = (await response.json());
             const credential = body.credential;
-            const connectIdVerfied = credential.credentialSubject.id;
+            const appIdVerfied = credential.credentialSubject.id;
             const addressVerfied = credential.issuer.id.split(":")[4];
             const chainIdVerfied = credential.issuer.id.split(":")[3];
             if (response.status !== 200) {
                 return false;
             }
-            console.log("connectIdVerfied", connectIdVerfied);
-            console.log("connectId", connectId);
-            console.log("addressVerfied", addressVerfied);
-            console.log("address", address);
-            console.log("chainIdVerfied", chainIdVerfied);
-            console.log("chainId", chainId);
-            return (connectIdVerfied === connectId &&
+            return (appIdVerfied === appId &&
                 addressVerfied.toLocaleLowerCase() === address.toLocaleLowerCase() &&
                 chainIdVerfied === chainId.toString());
         }

package/dist/src/services/auth.service.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.service.js","sourceRoot":"","sources":["../../../src/services/auth.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAgCpD,MAAM,OAAO,WAAW;IACL,MAAM,CAAa;IAEpC,YAAY,MAAkB;QAC5B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAChB,GAAyB,EACzB,GAAa,EACb,IAAkB;QAElB,IACE,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO;YACpB,GAAG,CAAC,MAAM,KAAK,SAAS;YACxB,GAAG,CAAC,MAAM,KAAK,KAAK,EACpB,CAAC;YACD,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,4BAA4B;QAC5B,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;QAChC,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;QAC9B,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;QAChC,GAAG,CAAC,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;QACvC,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;QACtC,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,6BAA6B,EAAE,CAAC,CAAC;YAC/D,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAS9C,CAAC;YAEF,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAC;gBACvD,OAAO;YACT,CAAC;YAED,MAAM,IAAI,GAAG,IAAI,CAAC,2BAA2B,CAAC,QAAQ,CAAC,CAAC;YACxD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAC;gBACvD,OAAO;YACT,CAAC;YAED,4DAA4D;YAC5D,wFAAwF;YACxF,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,0BAA0B,EAAE,CAAC;gBAC5C,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,sBAAsB,CACxD,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,OAAO,EACZ,QAAQ,CAAC,MAAM,CAChB,CAAC;gBACF,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBACtB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,6BAA6B,EAAE,CAAC,CAAC;oBAC/D,OAAO;gBACT,CAAC;YACH,CAAC;YAED,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;YAEhB,qEAAqE;YACrE,qDAAqD;YACrD,6DAA6D;YAC7D,8EAA8E;YAC9E,8EAA8E;YAC9E,6EAA6E;YAE7E,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,+BAA+B,CACnC,gBAAyC;QAEzC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,aAAmC,CAAC;QACxE,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,QAAQ,GAAG,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAS9C,CAAC;QAEF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,2BAA2B,CAAC,QAAQ,CAAC,CAAC;QACxD,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACzC,CAAC;QAED,4DAA4D;QAC5D,wFAAwF;QACxF,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,0BAA0B,EAAE,CAAC;YAC5C,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,sBAAsB,CACxD,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,OAAO,EACZ,QAAQ,CAAC,MAAM,CAChB,CAAC;YACF,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;YACjD,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,gFAAgF;QAEhF,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,WAAW,CAAC,KAAa;QACrC,OAAO,MAAM,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACK,2BAA2B,CAAC,QAQnC;QACC,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAE3B,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,GACnC,QAAQ,CAAC,oBAAoB,EAAE,iBAAiB,IAAI,EAAE,CAAC;YAEzD,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,IAAI,CAAC,SAAS,EAAE,CAAC;gBACvC,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO;gBACL,OAAO;gBACP,OAAO;gBACP,SAAS;aACV,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,OAAe;QACnC,MAAM,GAAG,GAAG;YACV,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM;YACrB,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK;YACpB,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM;SACtB,CAAC;QACF,OAAO,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,iBAAiB,EAAE,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;IAC5E,CAAC;IAED;;OAEG;IACH,0BAA0B;QACxB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO;gBACL,OAAO,EAAE,CAAC,OAAe,EAAE,EAAE,CAAC,IAAI;gBAClC,MAAM,EAAE,CAAC,OAAe,EAAE,EAAE,CAAC,IAAI;gBACjC,OAAO,EAAE,CAAC,OAAe,EAAE,EAAE,CAAC,IAAI;aACnC,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,CAAC,OAAe,EAAE,EAAE,CAC3B,IAAI,CAAC,MAAM,CAAC,OAAO;gBACnB,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS;oBACpB,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;YACxD,MAAM,EAAE,CAAC,OAAe,EAAE,EAAE,CAC1B,IAAI,CAAC,MAAM,CAAC,OAAO;gBACnB,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YACpD,OAAO,EAAE,CAAC,OAAe,EAAE,EAAE,CAC3B,IAAI,CAAC,MAAM,CAAC,OAAO;gBACnB,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;SACtD,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,IAAW;QACxB,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,CAAC;QAErB,OAAO;YACL,IAAI,EAAE;gBACJ,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE;gBACnC,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,sBAAsB,CAClC,OAAe,EACf,OAAe,EACf,SAAiB;QAEjB,MAAM,GAAG,GAAG,qDAAqD,OAAO,YAAY,OAAO,cAAc,SAAS,EAAE,CAAC;QACrH,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,MAAM,EAAE,KAAK;aACd,CAAC,CAAC;YACH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAY,CAAC;YAChD,MAAM,UAAU,GACd,IAMD,CAAC,UAAU,CAAC;YAEb,MAAM,gBAAgB,GAAG,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACzD,MAAM,cAAc,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1D,MAAM,cAAc,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAE1D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC;YAClD,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,cAAc,CAAC,CAAC;YAC9C,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YAChC,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,cAAc,CAAC,CAAC;YAC9C,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YAEhC,OAAO,CACL,gBAAgB,KAAK,SAAS;gBAC9B,cAAc,CAAC,iBAAiB,EAAE,KAAK,OAAO,CAAC,iBAAiB,EAAE;gBAClE,cAAc,KAAK,OAAO,CAAC,QAAQ,EAAE,CACtC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF"}
+{"version":3,"file":"auth.service.js","sourceRoot":"","sources":["../../../src/services/auth.service.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,qBAAqB,GAEtB,MAAM,aAAa,CAAC;AAyBrB,MAAM,OAAO,WAAW;IACL,MAAM,CAAa;IAEpC,YAAY,MAAkB;QAC5B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,mBAAmB,CACvB,OAA2B;QAE3B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;QAC9D,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC9B,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC7C,OAAO;gBACL,IAAI,EAAE,SAAS;gBACf,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;gBAC1B,YAAY,EAAE,IAAI;aACnB,CAAC;QACJ,CAAC;QACD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAClE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;gBACL,IAAI,EAAE,SAAS;gBACf,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;gBAC1B,YAAY,EAAE,IAAI;aACnB,CAAC;QACJ,CAAC;QACD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YAC/C,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,EAAE;oBACpE,MAAM,EAAE,GAAG;iBACZ,CAAC,CAAC;YACL,CAAC;YACD,MAAM,IAAI,GAAG,IAAI,CAAC,2BAA2B,CAAC,QAAQ,CAAC,CAAC;YACxD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,EAAE;oBACpE,MAAM,EAAE,GAAG;iBACZ,CAAC,CAAC;YACL,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,0BAA0B,EAAE,CAAC;gBAC5C,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,sBAAsB,CACxD,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,OAAO,EACZ,QAAQ,CAAC,MAAM,CAChB,CAAC;gBACF,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBACtB,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,6BAA6B,EAAE,CAAC,EACxD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,EAAE;gBACtE,MAAM,EAAE,GAAG;aACZ,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,KAAK,CAAC,+BAA+B,CACnC,gBAAyC;QAEzC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,aAAmC,CAAC;QACxE,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QAC/C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,2BAA2B,CAAC,QAAQ,CAAC,CAAC;QACxD,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACzC,CAAC;QAED,4DAA4D;QAC5D,wFAAwF;QACxF,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,0BAA0B,EAAE,CAAC;YAC5C,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,sBAAsB,CACxD,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,OAAO,EACZ,QAAQ,CAAC,MAAM,CAChB,CAAC;YACF,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;YACjD,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,gFAAgF;QAEhF,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,WAAW,CAAC,KAAa;QACrC,OAAO,MAAM,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACK,2BAA2B,CACjC,QAA4B;QAE5B,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,GACnC,QAAQ,CAAC,oBAAoB,CAAC,iBAAiB,CAAC;YAElD,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,IAAI,CAAC,SAAS,EAAE,CAAC;gBACvC,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO;gBACL,OAAO;gBACP,OAAO;gBACP,SAAS;aACV,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,0BAA0B;QACxB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO;gBACL,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI;aACpB,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,CAAC,OAAe,EAAE,EAAE,CAC3B,IAAI,CAAC,MAAM,CAAC,OAAO;gBACnB,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;SACtD,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,IAAW;QACxB,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,CAAC;QAErB,OAAO;YACL,IAAI,EAAE;gBACJ,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE;gBACnC,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,sBAAsB,CAClC,OAAe,EACf,OAAe,EACf,KAAa;QAEb,MAAM,GAAG,GAAG,qDAAqD,OAAO,YAAY,OAAO,cAAc,KAAK,UAAU,KAAK,EAAE,CAAC;QAChI,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAChC,MAAM,EAAE,KAAK;aACd,CAAC,CAAC;YACH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAElC,CAAC;YACF,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;YAEnC,MAAM,YAAY,GAAG,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACrD,MAAM,cAAc,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1D,MAAM,cAAc,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAE1D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,CACL,YAAY,KAAK,KAAK;gBACtB,cAAc,CAAC,iBAAiB,EAAE,KAAK,OAAO,CAAC,iBAAiB,EAAE;gBAClE,cAAc,KAAK,OAAO,CAAC,QAAQ,EAAE,CACtC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF"}

package/dist/src/services/authorization.service.d.ts

@@ -0,0 +1,70 @@
+import type { DocumentPermissionService, GetParentIdsFn } from "./document-permission.service.js";
+export interface AuthorizationConfig {
+    admins: string[];
+    defaultProtection: boolean;
+}
+/**
+ * Central authorization service — single source of truth for all permission checks.
+ *
+ * Authorization model:
+ * 1. Supreme admin (ADMINS env) → ALLOW ALL
+ * 2. Is document protected?
+ *    a. NOT protected:
+ *       - READ: anyone (even anonymous) → ALLOW
+ *       - WRITE: authenticated user → ALLOW
+ *    b. PROTECTED:
+ *       - READ: requires explicit READ/WRITE/ADMIN grant (direct or via group/parent)
+ *       - WRITE: requires explicit WRITE/ADMIN grant (direct or via group/parent)
+ * 3. Operation restricted? → Check OperationUserPermission
+ * 4. Document owner = implicit ADMIN
+ * 5. Drive protected = all children effectively protected
+ */
+export declare class AuthorizationService {
+    private readonly documentPermissionService;
+    readonly config: AuthorizationConfig;
+    constructor(documentPermissionService: DocumentPermissionService, config: AuthorizationConfig);
+    /**
+     * Check if a user is a supreme admin (from ADMINS env var).
+     */
+    isSupremeAdmin(userAddress?: string): boolean;
+    /**
+     * Check if a user can read a document.
+     *
+     * - Supreme admin → yes
+     * - Not protected → anyone can read (even anonymous)
+     * - Protected → requires READ/WRITE/ADMIN grant (direct, group, or parent inheritance)
+     * - Owner → yes (implicit ADMIN)
+     */
+    canRead(documentId: string, userAddress?: string, getParentIds?: GetParentIdsFn): Promise<boolean>;
+    /**
+     * Check if a user can write to a document.
+     *
+     * - Supreme admin → yes
+     * - Not protected → anyone can write (even anonymous)
+     * - Protected → requires authentication + WRITE/ADMIN grant
+     * - Owner → yes (implicit ADMIN)
+     */
+    canWrite(documentId: string, userAddress?: string, getParentIds?: GetParentIdsFn): Promise<boolean>;
+    /**
+     * Check if a user can manage a document (change permissions, protection, transfer ownership).
+     *
+     * - Supreme admin → yes
+     * - Owner → yes
+     * - Has ADMIN grant → yes
+     */
+    canManage(documentId: string, userAddress?: string, getParentIds?: GetParentIdsFn): Promise<boolean>;
+    /**
+     * Check if a user can execute a specific operation.
+     * If the operation is not restricted, falls through to the standard write check.
+     * If the operation is restricted, requires an explicit OperationUserPermission grant.
+     */
+    canExecuteOperation(documentId: string, operationType: string, userAddress?: string, getParentIds?: GetParentIdsFn): Promise<boolean>;
+    /**
+     * Combined check for mutations: can the user write + execute the operation?
+     * This enables READ-only users with operation grants to execute specific operations.
+     * For restricted operations, only the operation grant is checked (bypasses write check),
+     * allowing READ-only users with an explicit operation grant to execute that operation.
+     */
+    canMutate(documentId: string, operationType: string, userAddress?: string, getParentIds?: GetParentIdsFn): Promise<boolean>;
+}
+//# sourceMappingURL=authorization.service.d.ts.map

package/dist/src/services/authorization.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.service.d.ts","sourceRoot":"","sources":["../../../src/services/authorization.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,yBAAyB,EACzB,cAAc,EACf,MAAM,kCAAkC,CAAC;AAE1C,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,iBAAiB,EAAE,OAAO,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,oBAAoB;IAI7B,OAAO,CAAC,QAAQ,CAAC,yBAAyB;IAH5C,QAAQ,CAAC,MAAM,EAAE,mBAAmB,CAAC;gBAGlB,yBAAyB,EAAE,yBAAyB,EACrE,MAAM,EAAE,mBAAmB;IAK7B;;OAEG;IACH,cAAc,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO;IAK7C;;;;;;;OAOG;IACG,OAAO,CACX,UAAU,EAAE,MAAM,EAClB,WAAW,CAAC,EAAE,MAAM,EACpB,YAAY,CAAC,EAAE,cAAc,GAC5B,OAAO,CAAC,OAAO,CAAC;IAqCnB;;;;;;;OAOG;IACG,QAAQ,CACZ,UAAU,EAAE,MAAM,EAClB,WAAW,CAAC,EAAE,MAAM,EACpB,YAAY,CAAC,EAAE,cAAc,GAC5B,OAAO,CAAC,OAAO,CAAC;IAqCnB;;;;;;OAMG;IACG,SAAS,CACb,UAAU,EAAE,MAAM,EAClB,WAAW,CAAC,EAAE,MAAM,EACpB,YAAY,CAAC,EAAE,cAAc,GAC5B,OAAO,CAAC,OAAO,CAAC;IAkBnB;;;;OAIG;IACG,mBAAmB,CACvB,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,WAAW,CAAC,EAAE,MAAM,EACpB,YAAY,CAAC,EAAE,cAAc,GAC5B,OAAO,CAAC,OAAO,CAAC;IAwBnB;;;;;OAKG;IACG,SAAS,CACb,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,WAAW,CAAC,EAAE,MAAM,EACpB,YAAY,CAAC,EAAE,cAAc,GAC5B,OAAO,CAAC,OAAO,CAAC;CAwBpB"}

package/dist/src/services/authorization.service.js

@@ -0,0 +1,155 @@
+/**
+ * Central authorization service — single source of truth for all permission checks.
+ *
+ * Authorization model:
+ * 1. Supreme admin (ADMINS env) → ALLOW ALL
+ * 2. Is document protected?
+ *    a. NOT protected:
+ *       - READ: anyone (even anonymous) → ALLOW
+ *       - WRITE: authenticated user → ALLOW
+ *    b. PROTECTED:
+ *       - READ: requires explicit READ/WRITE/ADMIN grant (direct or via group/parent)
+ *       - WRITE: requires explicit WRITE/ADMIN grant (direct or via group/parent)
+ * 3. Operation restricted? → Check OperationUserPermission
+ * 4. Document owner = implicit ADMIN
+ * 5. Drive protected = all children effectively protected
+ */
+export class AuthorizationService {
+    documentPermissionService;
+    config;
+    constructor(documentPermissionService, config) {
+        this.documentPermissionService = documentPermissionService;
+        this.config = config;
+    }
+    /**
+     * Check if a user is a supreme admin (from ADMINS env var).
+     */
+    isSupremeAdmin(userAddress) {
+        if (!userAddress)
+            return false;
+        return this.config.admins.includes(userAddress.toLowerCase());
+    }
+    /**
+     * Check if a user can read a document.
+     *
+     * - Supreme admin → yes
+     * - Not protected → anyone can read (even anonymous)
+     * - Protected → requires READ/WRITE/ADMIN grant (direct, group, or parent inheritance)
+     * - Owner → yes (implicit ADMIN)
+     */
+    async canRead(documentId, userAddress, getParentIds) {
+        // Supreme admin bypasses all
+        if (this.isSupremeAdmin(userAddress))
+            return true;
+        // Check protection status (walks parent chain if getParentIds provided)
+        const isProtected = getParentIds
+            ? await this.documentPermissionService.isProtectedWithAncestors(documentId, getParentIds)
+            : await this.documentPermissionService.isDocumentProtected(documentId);
+        // Unprotected documents are readable by anyone
+        if (!isProtected)
+            return true;
+        // Protected document — requires authentication
+        if (!userAddress)
+            return false;
+        // Owner has implicit ADMIN
+        const owner = await this.documentPermissionService.getDocumentOwner(documentId);
+        if (owner && owner === userAddress.toLowerCase())
+            return true;
+        // Check grant (READ/WRITE/ADMIN all allow reading)
+        if (getParentIds) {
+            return this.documentPermissionService.canRead(documentId, userAddress, getParentIds);
+        }
+        return this.documentPermissionService.canReadDocument(documentId, userAddress);
+    }
+    /**
+     * Check if a user can write to a document.
+     *
+     * - Supreme admin → yes
+     * - Not protected → anyone can write (even anonymous)
+     * - Protected → requires authentication + WRITE/ADMIN grant
+     * - Owner → yes (implicit ADMIN)
+     */
+    async canWrite(documentId, userAddress, getParentIds) {
+        // Supreme admin bypasses all
+        if (this.isSupremeAdmin(userAddress))
+            return true;
+        // Check protection status
+        const isProtected = getParentIds
+            ? await this.documentPermissionService.isProtectedWithAncestors(documentId, getParentIds)
+            : await this.documentPermissionService.isDocumentProtected(documentId);
+        // Unprotected documents are writable by anyone (even anonymous)
+        if (!isProtected)
+            return true;
+        // Protected document — requires authentication
+        if (!userAddress)
+            return false;
+        // Owner has implicit ADMIN
+        const owner = await this.documentPermissionService.getDocumentOwner(documentId);
+        if (owner && owner === userAddress.toLowerCase())
+            return true;
+        // Check grant (WRITE/ADMIN allow writing)
+        if (getParentIds) {
+            return this.documentPermissionService.canWrite(documentId, userAddress, getParentIds);
+        }
+        return this.documentPermissionService.canWriteDocument(documentId, userAddress);
+    }
+    /**
+     * Check if a user can manage a document (change permissions, protection, transfer ownership).
+     *
+     * - Supreme admin → yes
+     * - Owner → yes
+     * - Has ADMIN grant → yes
+     */
+    async canManage(documentId, userAddress, getParentIds) {
+        // Supreme admin bypasses all
+        if (this.isSupremeAdmin(userAddress))
+            return true;
+        if (!userAddress)
+            return false;
+        // Owner has implicit ADMIN
+        const owner = await this.documentPermissionService.getDocumentOwner(documentId);
+        if (owner && owner === userAddress.toLowerCase())
+            return true;
+        // Check ADMIN grant
+        return this.documentPermissionService.canManageDocument(documentId, userAddress);
+    }
+    /**
+     * Check if a user can execute a specific operation.
+     * If the operation is not restricted, falls through to the standard write check.
+     * If the operation is restricted, requires an explicit OperationUserPermission grant.
+     */
+    async canExecuteOperation(documentId, operationType, userAddress, getParentIds) {
+        // Supreme admin bypasses all
+        if (this.isSupremeAdmin(userAddress))
+            return true;
+        // Check if operation is restricted
+        const isRestricted = await this.documentPermissionService.isOperationRestricted(documentId, operationType);
+        if (!isRestricted) {
+            // Operation not restricted — standard write check applies
+            return this.canWrite(documentId, userAddress, getParentIds);
+        }
+        // Operation is restricted — user needs explicit operation grant
+        return this.documentPermissionService.canExecuteOperation(documentId, operationType, userAddress?.toLowerCase());
+    }
+    /**
+     * Combined check for mutations: can the user write + execute the operation?
+     * This enables READ-only users with operation grants to execute specific operations.
+     * For restricted operations, only the operation grant is checked (bypasses write check),
+     * allowing READ-only users with an explicit operation grant to execute that operation.
+     */
+    async canMutate(documentId, operationType, userAddress, getParentIds) {
+        // Supreme admin bypasses all
+        if (this.isSupremeAdmin(userAddress))
+            return true;
+        // Check if the operation is restricted
+        const isRestricted = await this.documentPermissionService.isOperationRestricted(documentId, operationType);
+        if (isRestricted) {
+            // For restricted operations, only the operation grant matters
+            // This allows READ-only users with operation grants to execute
+            return this.documentPermissionService.canExecuteOperation(documentId, operationType, userAddress?.toLowerCase());
+        }
+        // For unrestricted operations, standard write check applies
+        return this.canWrite(documentId, userAddress, getParentIds);
+    }
+}
+//# sourceMappingURL=authorization.service.js.map

package/dist/src/services/authorization.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.service.js","sourceRoot":"","sources":["../../../src/services/authorization.service.ts"],"names":[],"mappings":"AAUA;;;;;;;;;;;;;;;GAeG;AACH,MAAM,OAAO,oBAAoB;IAIZ;IAHV,MAAM,CAAsB;IAErC,YACmB,yBAAoD,EACrE,MAA2B;QADV,8BAAyB,GAAzB,yBAAyB,CAA2B;QAGrE,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,cAAc,CAAC,WAAoB;QACjC,IAAI,CAAC,WAAW;YAAE,OAAO,KAAK,CAAC;QAC/B,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC;IAChE,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,OAAO,CACX,UAAkB,EAClB,WAAoB,EACpB,YAA6B;QAE7B,6BAA6B;QAC7B,IAAI,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC;QAElD,wEAAwE;QACxE,MAAM,WAAW,GAAG,YAAY;YAC9B,CAAC,CAAC,MAAM,IAAI,CAAC,yBAAyB,CAAC,wBAAwB,CAC3D,UAAU,EACV,YAAY,CACb;YACH,CAAC,CAAC,MAAM,IAAI,CAAC,yBAAyB,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC;QAEzE,+CAA+C;QAC/C,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,+CAA+C;QAC/C,IAAI,CAAC,WAAW;YAAE,OAAO,KAAK,CAAC;QAE/B,2BAA2B;QAC3B,MAAM,KAAK,GACT,MAAM,IAAI,CAAC,yBAAyB,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;QACpE,IAAI,KAAK,IAAI,KAAK,KAAK,WAAW,CAAC,WAAW,EAAE;YAAE,OAAO,IAAI,CAAC;QAE9D,mDAAmD;QACnD,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAC3C,UAAU,EACV,WAAW,EACX,YAAY,CACb,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,yBAAyB,CAAC,eAAe,CACnD,UAAU,EACV,WAAW,CACZ,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,CACZ,UAAkB,EAClB,WAAoB,EACpB,YAA6B;QAE7B,6BAA6B;QAC7B,IAAI,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC;QAElD,0BAA0B;QAC1B,MAAM,WAAW,GAAG,YAAY;YAC9B,CAAC,CAAC,MAAM,IAAI,CAAC,yBAAyB,CAAC,wBAAwB,CAC3D,UAAU,EACV,YAAY,CACb;YACH,CAAC,CAAC,MAAM,IAAI,CAAC,yBAAyB,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC;QAEzE,gEAAgE;QAChE,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,+CAA+C;QAC/C,IAAI,CAAC,WAAW;YAAE,OAAO,KAAK,CAAC;QAE/B,2BAA2B;QAC3B,MAAM,KAAK,GACT,MAAM,IAAI,CAAC,yBAAyB,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;QACpE,IAAI,KAAK,IAAI,KAAK,KAAK,WAAW,CAAC,WAAW,EAAE;YAAE,OAAO,IAAI,CAAC;QAE9D,0CAA0C;QAC1C,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC,yBAAyB,CAAC,QAAQ,CAC5C,UAAU,EACV,WAAW,EACX,YAAY,CACb,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,yBAAyB,CAAC,gBAAgB,CACpD,UAAU,EACV,WAAW,CACZ,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,SAAS,CACb,UAAkB,EAClB,WAAoB,EACpB,YAA6B;QAE7B,6BAA6B;QAC7B,IAAI,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC;QAElD,IAAI,CAAC,WAAW;YAAE,OAAO,KAAK,CAAC;QAE/B,2BAA2B;QAC3B,MAAM,KAAK,GACT,MAAM,IAAI,CAAC,yBAAyB,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;QACpE,IAAI,KAAK,IAAI,KAAK,KAAK,WAAW,CAAC,WAAW,EAAE;YAAE,OAAO,IAAI,CAAC;QAE9D,oBAAoB;QACpB,OAAO,IAAI,CAAC,yBAAyB,CAAC,iBAAiB,CACrD,UAAU,EACV,WAAW,CACZ,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,mBAAmB,CACvB,UAAkB,EAClB,aAAqB,EACrB,WAAoB,EACpB,YAA6B;QAE7B,6BAA6B;QAC7B,IAAI,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC;QAElD,mCAAmC;QACnC,MAAM,YAAY,GAChB,MAAM,IAAI,CAAC,yBAAyB,CAAC,qBAAqB,CACxD,UAAU,EACV,aAAa,CACd,CAAC;QAEJ,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,0DAA0D;YAC1D,OAAO,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;QAC9D,CAAC;QAED,gEAAgE;QAChE,OAAO,IAAI,CAAC,yBAAyB,CAAC,mBAAmB,CACvD,UAAU,EACV,aAAa,EACb,WAAW,EAAE,WAAW,EAAE,CAC3B,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,SAAS,CACb,UAAkB,EAClB,aAAqB,EACrB,WAAoB,EACpB,YAA6B;QAE7B,6BAA6B;QAC7B,IAAI,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC;QAElD,uCAAuC;QACvC,MAAM,YAAY,GAChB,MAAM,IAAI,CAAC,yBAAyB,CAAC,qBAAqB,CACxD,UAAU,EACV,aAAa,CACd,CAAC;QAEJ,IAAI,YAAY,EAAE,CAAC;YACjB,8DAA8D;YAC9D,+DAA+D;YAC/D,OAAO,IAAI,CAAC,yBAAyB,CAAC,mBAAmB,CACvD,UAAU,EACV,aAAa,EACb,WAAW,EAAE,WAAW,EAAE,CAC3B,CAAC;QACJ,CAAC;QAED,4DAA4D;QAC5D,OAAO,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;IAC9D,CAAC;CACF"}

package/dist/src/services/document-permission.service.d.ts

@@ -42,6 +42,12 @@ export interface OperationGroupPermissionEntry {
  * This is injected to avoid circular dependencies with the reactor client
  */
 export type GetParentIdsFn = (documentId: string) => Promise<string[]>;
+/**
+ * Configuration for the DocumentPermissionService
+ */
+export interface DocumentPermissionConfig {
+    defaultProtection: boolean;
+}
 /**
  * Service for managing document-level permissions.
  *
@@ -52,16 +58,11 @@ export type GetParentIdsFn = (documentId: string) => Promise<string[]>;
  *
  * Operation permissions:
  * - Users and groups can be granted permission to execute specific operations
- *
- * Global roles (via environment variables):
- * - AUTH_ENABLED: Enables authorization checks
- * - ADMINS: Comma-separated list of admin addresses (full access)
- * - USERS: Comma-separated list of user addresses (read/write access)
- * - GUESTS: Comma-separated list of guest addresses (read access)
  */
 export declare class DocumentPermissionService {
     private readonly db;
-    constructor(db: Kysely<DocumentPermissionDatabase>);
+    readonly config: DocumentPermissionConfig;
+    constructor(db: Kysely<DocumentPermissionDatabase>, config?: DocumentPermissionConfig);
     /**
      * Get the permission level for a user on a specific document.
      * Returns null if no permission is set.
@@ -197,5 +198,44 @@ export declare class DocumentPermissionService {
      * Check if an operation has any permissions set (is restricted)
      */
     isOperationRestricted(documentId: string, operationType: string): Promise<boolean>;
+    /**
+     * Check if a specific document has a protection row set to true.
+     * Falls back to `config.defaultProtection` if no row exists.
+     */
+    isDocumentProtected(documentId: string): Promise<boolean>;
+    /**
+     * Walk the parent chain: if the document itself or any ancestor is protected, return true.
+     * Collects all ancestor IDs first (with cycle detection), then batch-checks protection.
+     */
+    isProtectedWithAncestors(documentId: string, getParentIds: GetParentIdsFn): Promise<boolean>;
+    /**
+     * Collect all ancestor IDs (including the document itself) with cycle detection.
+     */
+    private collectAncestorIds;
+    /**
+     * Upsert protection status for a document.
+     */
+    setDocumentProtection(documentId: string, isProtected: boolean): Promise<void>;
+    /**
+     * Get the owner address for a document, or null if not set.
+     */
+    getDocumentOwner(documentId: string): Promise<string | null>;
+    /**
+     * Upsert owner address for a document.
+     */
+    setDocumentOwner(documentId: string, ownerAddress: string): Promise<void>;
+    /**
+     * Initialize protection for a newly created document.
+     * Sets protection status and grants ADMIN to the owner.
+     */
+    initializeDocumentProtection(documentId: string, ownerAddress: string, defaultProtection?: boolean): Promise<void>;
+    /**
+     * Get the full protection info for a document.
+     */
+    getDocumentProtection(documentId: string): Promise<{
+        documentId: string;
+        protected: boolean;
+        ownerAddress: string | null;
+    }>;
 }
 //# sourceMappingURL=document-permission.service.d.ts.map

package/dist/src/services/document-permission.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"document-permission.service.d.ts","sourceRoot":"","sources":["../../../src/services/document-permission.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAErC,OAAO,KAAK,EACV,0BAA0B,EAC1B,uBAAuB,EACxB,MAAM,gBAAgB,CAAC;AAExB,MAAM,WAAW,uBAAuB;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,uBAAuB,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,KAAK;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,4BAA4B;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,uBAAuB,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,4BAA4B;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,6BAA6B;IAC5C,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;AAEvE;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,yBAAyB;IACxB,OAAO,CAAC,QAAQ,CAAC,EAAE;gBAAF,EAAE,EAAE,MAAM,CAAC,0BAA0B,CAAC;IAMnE;;;OAGG;IACG,iBAAiB,CACrB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IAW1C;;OAEG;IACG,sBAAsB,CAC1B,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,uBAAuB,EAAE,CAAC;IAiBrC;;OAEG;IACG,gBAAgB,CACpB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,uBAAuB,EAAE,CAAC;IAiBrC;;OAEG;IACG,eAAe,CACnB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,UAAU,EAAE,uBAAuB,EACnC,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,uBAAuB,CAAC;IAwCnC;;OAEG;IACG,gBAAgB,CACpB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAQhB;;OAEG;IACG,4BAA4B,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA0BrE;;;OAGG;IACG,eAAe,CACnB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAAG,SAAS,GAC9B,OAAO,CAAC,OAAO,CAAC;IAsBnB;;;OAGG;IACG,gBAAgB,CACpB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAAG,SAAS,GAC9B,OAAO,CAAC,OAAO,CAAC;IAsBnB;;;OAGG;IACG,iBAAiB,CACrB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAAG,SAAS,GAC9B,OAAO,CAAC,OAAO,CAAC;IA0BnB;;;OAGG;IACG,OAAO,CACX,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAAG,SAAS,EAC/B,YAAY,EAAE,cAAc,GAC3B,OAAO,CAAC,OAAO,CAAC;IAuBnB;;;OAGG;IACG,QAAQ,CACZ,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAAG,SAAS,EAC/B,YAAY,EAAE,cAAc,GAC3B,OAAO,CAAC,OAAO,CAAC;IAuBnB;;OAEG;IACG,uBAAuB,CAC3B,WAAW,EAAE,MAAM,EAAE,EACrB,WAAW,EAAE,MAAM,GAAG,SAAS,EAC/B,YAAY,EAAE,cAAc,GAC3B,OAAO,CAAC,MAAM,EAAE,CAAC;IAiBpB;;OAEG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC;IAsBrE;;OAEG;IACG,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAuBjD;;OAEG;IACG,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC;IAUtD;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;IAOpC;;OAEG;IACG,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAezE;;OAEG;IACG,mBAAmB,CACvB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC;IAQhB;;OAEG;IACG,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC;IAe1D;;OAEG;IACG,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAczD;;OAEG;IACG,oBAAoB,CACxB,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,uBAAuB,EACnC,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,4BAA4B,CAAC;IAuCxC;;OAEG;IACG,qBAAqB,CACzB,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC;IAQhB;;OAEG;IACG,2BAA2B,CAC/B,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,4BAA4B,EAAE,CAAC;IAe1C;;OAEG;IACG,sBAAsB,CAC1B,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IA2B1C;;OAEG;IACG,wBAAwB,CAC5B,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,4BAA4B,CAAC;IAmCxC;;OAEG;IACG,yBAAyB,CAC7B,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAShB;;OAEG;IACG,6BAA6B,CACjC,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,6BAA6B,CAAC;IAkCzC;;OAEG;IACG,8BAA8B,CAClC,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC;IAShB;;OAEG;IACG,2BAA2B,CAC/B,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,4BAA4B,EAAE,CAAC;IAe1C;;OAEG;IACG,4BAA4B,CAChC,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,6BAA6B,EAAE,CAAC;IAe3C;;;OAGG;IACG,mBAAmB,CACvB,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAAG,SAAS,GAC9B,OAAO,CAAC,OAAO,CAAC;IAqCnB;;OAEG;IACG,qBAAqB,CACzB,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,OAAO,CAAC;CAqBpB"}
+{"version":3,"file":"document-permission.service.d.ts","sourceRoot":"","sources":["../../../src/services/document-permission.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAErC,OAAO,KAAK,EACV,0BAA0B,EAC1B,uBAAuB,EACxB,MAAM,gBAAgB,CAAC;AAExB,MAAM,WAAW,uBAAuB;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,uBAAuB,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,KAAK;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,4BAA4B;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,uBAAuB,CAAC;IACpC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,4BAA4B;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,6BAA6B;IAC5C,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,UAAU,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;AAEvE;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,iBAAiB,EAAE,OAAO,CAAC;CAC5B;AAED;;;;;;;;;;GAUG;AACH,qBAAa,yBAAyB;IAIlC,OAAO,CAAC,QAAQ,CAAC,EAAE;IAHrB,QAAQ,CAAC,MAAM,EAAE,wBAAwB,CAAC;gBAGvB,EAAE,EAAE,MAAM,CAAC,0BAA0B,CAAC,EACvD,MAAM,GAAE,wBAAuD;IASjE;;;OAGG;IACG,iBAAiB,CACrB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IAW1C;;OAEG;IACG,sBAAsB,CAC1B,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,uBAAuB,EAAE,CAAC;IAiBrC;;OAEG;IACG,gBAAgB,CACpB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,uBAAuB,EAAE,CAAC;IAiBrC;;OAEG;IACG,eAAe,CACnB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,UAAU,EAAE,uBAAuB,EACnC,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,uBAAuB,CAAC;IAwCnC;;OAEG;IACG,gBAAgB,CACpB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAQhB;;OAEG;IACG,4BAA4B,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA0BrE;;;OAGG;IACG,eAAe,CACnB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAAG,SAAS,GAC9B,OAAO,CAAC,OAAO,CAAC;IAsBnB;;;OAGG;IACG,gBAAgB,CACpB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAAG,SAAS,GAC9B,OAAO,CAAC,OAAO,CAAC;IAsBnB;;;OAGG;IACG,iBAAiB,CACrB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAAG,SAAS,GAC9B,OAAO,CAAC,OAAO,CAAC;IA0BnB;;;OAGG;IACG,OAAO,CACX,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAAG,SAAS,EAC/B,YAAY,EAAE,cAAc,GAC3B,OAAO,CAAC,OAAO,CAAC;IAuBnB;;;OAGG;IACG,QAAQ,CACZ,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAAG,SAAS,EAC/B,YAAY,EAAE,cAAc,GAC3B,OAAO,CAAC,OAAO,CAAC;IAuBnB;;OAEG;IACG,uBAAuB,CAC3B,WAAW,EAAE,MAAM,EAAE,EACrB,WAAW,EAAE,MAAM,GAAG,SAAS,EAC/B,YAAY,EAAE,cAAc,GAC3B,OAAO,CAAC,MAAM,EAAE,CAAC;IAiBpB;;OAEG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC;IAsBrE;;OAEG;IACG,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAuBjD;;OAEG;IACG,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC;IAUtD;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;IAOpC;;OAEG;IACG,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAezE;;OAEG;IACG,mBAAmB,CACvB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC;IAQhB;;OAEG;IACG,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC;IAe1D;;OAEG;IACG,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAczD;;OAEG;IACG,oBAAoB,CACxB,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,uBAAuB,EACnC,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,4BAA4B,CAAC;IAuCxC;;OAEG;IACG,qBAAqB,CACzB,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC;IAQhB;;OAEG;IACG,2BAA2B,CAC/B,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,4BAA4B,EAAE,CAAC;IAe1C;;OAEG;IACG,sBAAsB,CAC1B,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;IA2B1C;;OAEG;IACG,wBAAwB,CAC5B,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,4BAA4B,CAAC;IAmCxC;;OAEG;IACG,yBAAyB,CAC7B,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAShB;;OAEG;IACG,6BAA6B,CACjC,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,6BAA6B,CAAC;IAkCzC;;OAEG;IACG,8BAA8B,CAClC,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC;IAShB;;OAEG;IACG,2BAA2B,CAC/B,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,4BAA4B,EAAE,CAAC;IAe1C;;OAEG;IACG,4BAA4B,CAChC,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,6BAA6B,EAAE,CAAC;IAe3C;;;OAGG;IACG,mBAAmB,CACvB,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAAG,SAAS,GAC9B,OAAO,CAAC,OAAO,CAAC;IAqCnB;;OAEG;IACG,qBAAqB,CACzB,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,OAAO,CAAC;IA0BnB;;;OAGG;IACG,mBAAmB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAc/D;;;OAGG;IACG,wBAAwB,CAC5B,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,cAAc,GAC3B,OAAO,CAAC,OAAO,CAAC;IA4BnB;;OAEG;YACW,kBAAkB;IAuBhC;;OAEG;IACG,qBAAqB,CACzB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,OAAO,GACnB,OAAO,CAAC,IAAI,CAAC;IAqBhB;;OAEG;IACG,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAUlE;;OAEG;IACG,gBAAgB,CACpB,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,IAAI,CAAC;IAsBhB;;;OAGG;IACG,4BAA4B,CAChC,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,EACpB,iBAAiB,CAAC,EAAE,OAAO,GAC1B,OAAO,CAAC,IAAI,CAAC;IA+BhB;;OAEG;IACG,qBAAqB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC;QACvD,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,EAAE,OAAO,CAAC;QACnB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;KAC7B,CAAC;CAiBH"}