@prabhask5/stellar-engine 1.1.6 → 1.1.8

package/dist/auth/offlineCredentials.d.ts

@@ -1,41 +1,158 @@
 /**
- * Offline Credentials Management
- * Handles caching, retrieval, and verification of user credentials for offline login
+ * @fileoverview Offline Credentials Management
+ *
+ * Handles caching, retrieval, verification, and update of user credentials
+ * in IndexedDB for offline login support. When the user successfully
+ * authenticates online via Supabase, their credentials are cached locally
+ * (with the password SHA-256-hashed) so they can log in again while offline.
+ *
+ * Architecture:
+ * - Credentials are stored as a singleton record (key: `'current_user'`) in the
+ *   `offlineCredentials` IndexedDB table.
+ * - Only one set of credentials is cached at a time. In multi-user apps, the
+ *   last successfully authenticated user's credentials are stored.
+ * - The profile blob is extracted via the host app's `profileExtractor` config
+ *   callback, or falls back to raw Supabase `user_metadata`.
+ *
+ * Security considerations:
+ * - Passwords are **always** hashed with SHA-256 before storage. The plaintext
+ *   password is never persisted.
+ * - Legacy plaintext credentials (from before the hashing migration) are
+ *   supported in `verifyOfflineCredentials` via the `isAlreadyHashed` check,
+ *   but new writes always hash.
+ * - A paranoid read-back verification is performed after `cacheOfflineCredentials`
+ *   to ensure the password was actually persisted (guards against silent
+ *   IndexedDB write failures).
+ * - Credentials are cleared on logout via `clearOfflineCredentials`.
+ *
+ * @module auth/offlineCredentials
  */
 import type { OfflineCredentials } from '../types';
 import type { User, Session } from '@supabase/supabase-js';
 /**
- * Cache user credentials for offline login
- * Called after successful Supabase login
+ * Cache user credentials for offline login.
+ *
+ * Called after a successful Supabase login to persist a hashed copy of the
+ * user's credentials in IndexedDB. Subsequent offline logins will verify
+ * against these cached credentials.
+ *
+ * @param email    - The user's email address (used for offline identity matching).
+ * @param password - The user's plaintext password. Will be SHA-256-hashed before storage.
+ * @param user     - The Supabase `User` object, used to extract `userId` and profile data.
+ * @param _session - The Supabase `Session` object. Currently unused but accepted for
+ *                   API symmetry with the online auth flow (reserved for future use).
+ *
+ * @throws {Error} If `email` or `password` is empty (prevents storing incomplete credentials).
+ * @throws {Error} If the write-back verification fails (password not persisted in IndexedDB).
+ *
+ * @example
+ * ```ts
+ * const { data } = await supabase.auth.signInWithPassword({ email, password });
+ * if (data.user && data.session) {
+ *   await cacheOfflineCredentials(email, password, data.user, data.session);
+ * }
+ * ```
+ *
+ * @see {@link getOfflineCredentials} to retrieve the cached credentials.
+ * @see {@link clearOfflineCredentials} to remove them on logout.
  */
 export declare function cacheOfflineCredentials(email: string, password: string, user: User, _session: Session): Promise<void>;
 /**
- * Get cached offline credentials
- * Returns null if no credentials are cached or if credentials are in old format
+ * Get cached offline credentials from IndexedDB.
+ *
+ * Returns the singleton `OfflineCredentials` record, or `null` if no
+ * credentials have been cached (e.g., user has never logged in online
+ * on this device).
+ *
+ * @returns The cached credentials, or `null` if none exist.
+ *
+ * @example
+ * ```ts
+ * const creds = await getOfflineCredentials();
+ * if (creds) {
+ *   console.log('Cached user:', creds.email);
+ * }
+ * ```
  */
 export declare function getOfflineCredentials(): Promise<OfflineCredentials | null>;
 /**
- * Verify email and password against cached credentials
- * @param email - The email to verify
- * @param password - The password to verify
- * @param expectedUserId - The userId that the credentials should belong to
- * @returns Object with valid boolean and optional reason for failure
+ * Verify email and password against cached credentials.
+ *
+ * Performs a multi-field comparison:
+ * 1. Checks that cached credentials exist.
+ * 2. Verifies the `userId` matches (prevents cross-user attacks).
+ * 3. Verifies the `email` matches (prevents credential reuse across accounts).
+ * 4. Verifies the password by hashing the input and comparing against the
+ *    stored hash (or plaintext for legacy records).
+ *
+ * @param email          - The email to verify against cached credentials.
+ * @param password       - The plaintext password to verify.
+ * @param expectedUserId - The Supabase user ID that the credentials should belong to.
+ *                          Prevents offline login with credentials cached from a
+ *                          different user.
+ * @returns An object with `valid: true` on success, or `valid: false` with a
+ *          `reason` string identifying which check failed.
+ *
+ * @example
+ * ```ts
+ * const result = await verifyOfflineCredentials(email, password, userId);
+ * if (result.valid) {
+ *   await createOfflineSession(userId);
+ * } else {
+ *   console.warn('Verification failed:', result.reason);
+ * }
+ * ```
+ *
+ * @see {@link cacheOfflineCredentials} for how credentials are stored.
  */
 export declare function verifyOfflineCredentials(email: string, password: string, expectedUserId: string): Promise<{
     valid: boolean;
     reason?: string;
 }>;
 /**
- * Update the cached password (after online password change)
- * @param newPassword - The new password to cache
+ * Update the cached password hash after an online password change.
+ *
+ * Should be called whenever the user changes their password while online,
+ * so the offline cache stays in sync and the login guard does not flag
+ * the old hash as stale.
+ *
+ * @param newPassword - The new plaintext password. Will be SHA-256-hashed before storage.
+ *
+ * @example
+ * ```ts
+ * await supabase.auth.updateUser({ password: newPassword });
+ * await updateOfflineCredentialsPassword(newPassword);
+ * ```
  */
 export declare function updateOfflineCredentialsPassword(newPassword: string): Promise<void>;
 /**
- * Update user profile in cached credentials (after online profile update)
+ * Update the user profile in cached credentials after an online profile update.
+ *
+ * Replaces the entire `profile` blob with the provided object and updates
+ * the `cachedAt` timestamp.
+ *
+ * @param profile - The new profile data to cache (e.g., `{ firstName, lastName, avatar }`).
+ *
+ * @example
+ * ```ts
+ * await supabase.auth.updateUser({ data: { firstName: 'Jane' } });
+ * await updateOfflineCredentialsProfile({ firstName: 'Jane', lastName: 'Doe' });
+ * ```
  */
 export declare function updateOfflineCredentialsProfile(profile: Record<string, unknown>): Promise<void>;
 /**
- * Clear all cached offline credentials (on logout)
+ * Clear all cached offline credentials from IndexedDB.
+ *
+ * Must be called on logout to ensure no stale credentials remain on the
+ * device that could be used for unauthorized offline access.
+ *
+ * @example
+ * ```ts
+ * await supabase.auth.signOut();
+ * await clearOfflineCredentials();
+ * ```
+ *
+ * @see {@link cacheOfflineCredentials} for storing credentials on login.
  */
 export declare function clearOfflineCredentials(): Promise<void>;
 //# sourceMappingURL=offlineCredentials.d.ts.map

package/dist/auth/offlineCredentials.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"offlineCredentials.d.ts","sourceRoot":"","sources":["../../src/auth/offlineCredentials.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AACnD,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAM3D;;;GAGG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,IAAI,EACV,QAAQ,EAAE,OAAO,GAChB,OAAO,CAAC,IAAI,CAAC,CAmCf;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAQhF;AAED;;;;;;GAMG;AACH,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA8C9C;AAED;;;GAGG;AACH,wBAAsB,gCAAgC,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAYzF;AAED;;GAEG;AACH,wBAAsB,+BAA+B,CACnD,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;GAEG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,IAAI,CAAC,CAG7D"}
+{"version":3,"file":"offlineCredentials.d.ts","sourceRoot":"","sources":["../../src/auth/offlineCredentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAGH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AACnD,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAmB3D;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,IAAI,EACV,QAAQ,EAAE,OAAO,GAChB,OAAO,CAAC,IAAI,CAAC,CAyCf;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAQhF;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAkD9C;AAMD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,gCAAgC,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAYzF;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,+BAA+B,CACnD,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,OAAO,CAAC,IAAI,CAAC,CAWf;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,IAAI,CAAC,CAG7D"}

package/dist/auth/offlineCredentials.js

@@ -1,24 +1,86 @@
 /**
- * Offline Credentials Management
- * Handles caching, retrieval, and verification of user credentials for offline login
+ * @fileoverview Offline Credentials Management
+ *
+ * Handles caching, retrieval, verification, and update of user credentials
+ * in IndexedDB for offline login support. When the user successfully
+ * authenticates online via Supabase, their credentials are cached locally
+ * (with the password SHA-256-hashed) so they can log in again while offline.
+ *
+ * Architecture:
+ * - Credentials are stored as a singleton record (key: `'current_user'`) in the
+ *   `offlineCredentials` IndexedDB table.
+ * - Only one set of credentials is cached at a time. In multi-user apps, the
+ *   last successfully authenticated user's credentials are stored.
+ * - The profile blob is extracted via the host app's `profileExtractor` config
+ *   callback, or falls back to raw Supabase `user_metadata`.
+ *
+ * Security considerations:
+ * - Passwords are **always** hashed with SHA-256 before storage. The plaintext
+ *   password is never persisted.
+ * - Legacy plaintext credentials (from before the hashing migration) are
+ *   supported in `verifyOfflineCredentials` via the `isAlreadyHashed` check,
+ *   but new writes always hash.
+ * - A paranoid read-back verification is performed after `cacheOfflineCredentials`
+ *   to ensure the password was actually persisted (guards against silent
+ *   IndexedDB write failures).
+ * - Credentials are cleared on logout via `clearOfflineCredentials`.
+ *
+ * @module auth/offlineCredentials
  */
 import { getEngineConfig } from '../config';
 import { debugWarn, debugError } from '../debug';
 import { hashValue, isAlreadyHashed } from './crypto';
+// =============================================================================
+// CONSTANTS
+// =============================================================================
+/**
+ * Singleton key used to store and retrieve the cached credentials record
+ * in the `offlineCredentials` IndexedDB table. Only one credential set is
+ * cached at any time.
+ */
 const CREDENTIALS_ID = 'current_user';
+// =============================================================================
+// PUBLIC API -- Cache & Retrieve
+// =============================================================================
 /**
- * Cache user credentials for offline login
- * Called after successful Supabase login
+ * Cache user credentials for offline login.
+ *
+ * Called after a successful Supabase login to persist a hashed copy of the
+ * user's credentials in IndexedDB. Subsequent offline logins will verify
+ * against these cached credentials.
+ *
+ * @param email    - The user's email address (used for offline identity matching).
+ * @param password - The user's plaintext password. Will be SHA-256-hashed before storage.
+ * @param user     - The Supabase `User` object, used to extract `userId` and profile data.
+ * @param _session - The Supabase `Session` object. Currently unused but accepted for
+ *                   API symmetry with the online auth flow (reserved for future use).
+ *
+ * @throws {Error} If `email` or `password` is empty (prevents storing incomplete credentials).
+ * @throws {Error} If the write-back verification fails (password not persisted in IndexedDB).
+ *
+ * @example
+ * ```ts
+ * const { data } = await supabase.auth.signInWithPassword({ email, password });
+ * if (data.user && data.session) {
+ *   await cacheOfflineCredentials(email, password, data.user, data.session);
+ * }
+ * ```
+ *
+ * @see {@link getOfflineCredentials} to retrieve the cached credentials.
+ * @see {@link clearOfflineCredentials} to remove them on logout.
  */
 export async function cacheOfflineCredentials(email, password, user, _session) {
-    // Validate inputs to prevent storing incomplete credentials
+    /* Validate inputs to prevent storing incomplete credentials that would
+       cause confusing verification failures later. */
     if (!email || !password) {
         debugError('[Auth] Cannot cache credentials: email or password is empty');
         throw new Error('Cannot cache credentials: email or password is empty');
     }
     const config = getEngineConfig();
     const db = config.db;
-    // Extract profile using config's profileExtractor, or use raw metadata
+    /* Extract a normalized profile using the host app's profileExtractor,
+       or fall back to raw Supabase user_metadata. This allows the host app
+       to control which fields are available offline (e.g., firstName, role). */
     const profile = config.auth?.profileExtractor
         ? config.auth.profileExtractor(user.user_metadata || {})
         : user.user_metadata || {};
@@ -31,9 +93,12 @@ export async function cacheOfflineCredentials(email, password, user, _session) {
         profile,
         cachedAt: new Date().toISOString()
     };
-    // Use put to insert or update the singleton record
+    /* Use put (upsert) to insert or update the singleton record. */
     await db.table('offlineCredentials').put(credentials);
-    // Verify the credentials were stored correctly (paranoid check)
+    /* Paranoid read-back: verify the credentials were stored correctly.
+       IndexedDB writes can silently fail in quota-exceeded or private-browsing
+       scenarios; catching this early gives a clear error instead of a mysterious
+       "wrong password" on the next offline login. */
     const stored = await db.table('offlineCredentials').get(CREDENTIALS_ID);
     if (!stored || !stored.password) {
         debugError('[Auth] Credentials were not stored correctly - password missing');
@@ -41,8 +106,21 @@ export async function cacheOfflineCredentials(email, password, user, _session) {
     }
 }
 /**
- * Get cached offline credentials
- * Returns null if no credentials are cached or if credentials are in old format
+ * Get cached offline credentials from IndexedDB.
+ *
+ * Returns the singleton `OfflineCredentials` record, or `null` if no
+ * credentials have been cached (e.g., user has never logged in online
+ * on this device).
+ *
+ * @returns The cached credentials, or `null` if none exist.
+ *
+ * @example
+ * ```ts
+ * const creds = await getOfflineCredentials();
+ * if (creds) {
+ *   console.log('Cached user:', creds.email);
+ * }
+ * ```
  */
 export async function getOfflineCredentials() {
     const db = getEngineConfig().db;
@@ -52,12 +130,38 @@ export async function getOfflineCredentials() {
     }
     return credentials;
 }
+// =============================================================================
+// PUBLIC API -- Verification
+// =============================================================================
 /**
- * Verify email and password against cached credentials
- * @param email - The email to verify
- * @param password - The password to verify
- * @param expectedUserId - The userId that the credentials should belong to
- * @returns Object with valid boolean and optional reason for failure
+ * Verify email and password against cached credentials.
+ *
+ * Performs a multi-field comparison:
+ * 1. Checks that cached credentials exist.
+ * 2. Verifies the `userId` matches (prevents cross-user attacks).
+ * 3. Verifies the `email` matches (prevents credential reuse across accounts).
+ * 4. Verifies the password by hashing the input and comparing against the
+ *    stored hash (or plaintext for legacy records).
+ *
+ * @param email          - The email to verify against cached credentials.
+ * @param password       - The plaintext password to verify.
+ * @param expectedUserId - The Supabase user ID that the credentials should belong to.
+ *                          Prevents offline login with credentials cached from a
+ *                          different user.
+ * @returns An object with `valid: true` on success, or `valid: false` with a
+ *          `reason` string identifying which check failed.
+ *
+ * @example
+ * ```ts
+ * const result = await verifyOfflineCredentials(email, password, userId);
+ * if (result.valid) {
+ *   await createOfflineSession(userId);
+ * } else {
+ *   console.warn('Verification failed:', result.reason);
+ * }
+ * ```
+ *
+ * @see {@link cacheOfflineCredentials} for how credentials are stored.
  */
 export async function verifyOfflineCredentials(email, password, expectedUserId) {
     const credentials = await getOfflineCredentials();
@@ -65,7 +169,9 @@ export async function verifyOfflineCredentials(email, password, expectedUserId)
         debugWarn('[Auth] No credentials found in database');
         return { valid: false, reason: 'no_credentials' };
     }
-    // SECURITY: Verify all fields match
+    /* SECURITY: Verify all identity fields match. Checking userId AND email
+       provides defense-in-depth -- even if one field is spoofed, the other
+       must also match. */
     if (credentials.userId !== expectedUserId) {
         debugWarn('[Auth] Credential userId mismatch:', credentials.userId, '!==', expectedUserId);
         return { valid: false, reason: 'user_mismatch' };
@@ -78,15 +184,17 @@ export async function verifyOfflineCredentials(email, password, expectedUserId)
         debugWarn('[Auth] No password stored in credentials');
         return { valid: false, reason: 'no_stored_password' };
     }
-    // Compare passwords: if stored password is hashed, hash the input and compare;
-    // if legacy plaintext, compare directly for backwards compatibility
+    /* Compare passwords: if the stored password is a 64-char hex string, it is
+       a SHA-256 hash -- hash the input and compare. Otherwise, treat it as a
+       legacy plaintext value for backward compatibility. */
     let passwordMatch;
     if (isAlreadyHashed(credentials.password)) {
         const hashedInput = await hashValue(password);
         passwordMatch = credentials.password === hashedInput;
     }
     else {
-        // Legacy plaintext comparison
+        /* Legacy plaintext comparison -- only applies to credentials cached before
+           the SHA-256 migration. New caches always store hashed passwords. */
         passwordMatch = credentials.password === password;
     }
     if (!passwordMatch) {
@@ -95,9 +203,23 @@ export async function verifyOfflineCredentials(email, password, expectedUserId)
     }
     return { valid: true };
 }
+// =============================================================================
+// PUBLIC API -- Update & Clear
+// =============================================================================
 /**
- * Update the cached password (after online password change)
- * @param newPassword - The new password to cache
+ * Update the cached password hash after an online password change.
+ *
+ * Should be called whenever the user changes their password while online,
+ * so the offline cache stays in sync and the login guard does not flag
+ * the old hash as stale.
+ *
+ * @param newPassword - The new plaintext password. Will be SHA-256-hashed before storage.
+ *
+ * @example
+ * ```ts
+ * await supabase.auth.updateUser({ password: newPassword });
+ * await updateOfflineCredentialsPassword(newPassword);
+ * ```
  */
 export async function updateOfflineCredentialsPassword(newPassword) {
     const credentials = await getOfflineCredentials();
@@ -112,7 +234,18 @@ export async function updateOfflineCredentialsPassword(newPassword) {
     });
 }
 /**
- * Update user profile in cached credentials (after online profile update)
+ * Update the user profile in cached credentials after an online profile update.
+ *
+ * Replaces the entire `profile` blob with the provided object and updates
+ * the `cachedAt` timestamp.
+ *
+ * @param profile - The new profile data to cache (e.g., `{ firstName, lastName, avatar }`).
+ *
+ * @example
+ * ```ts
+ * await supabase.auth.updateUser({ data: { firstName: 'Jane' } });
+ * await updateOfflineCredentialsProfile({ firstName: 'Jane', lastName: 'Doe' });
+ * ```
  */
 export async function updateOfflineCredentialsProfile(profile) {
     const credentials = await getOfflineCredentials();
@@ -126,7 +259,18 @@ export async function updateOfflineCredentialsProfile(profile) {
     });
 }
 /**
- * Clear all cached offline credentials (on logout)
+ * Clear all cached offline credentials from IndexedDB.
+ *
+ * Must be called on logout to ensure no stale credentials remain on the
+ * device that could be used for unauthorized offline access.
+ *
+ * @example
+ * ```ts
+ * await supabase.auth.signOut();
+ * await clearOfflineCredentials();
+ * ```
+ *
+ * @see {@link cacheOfflineCredentials} for storing credentials on login.
  */
 export async function clearOfflineCredentials() {
     const db = getEngineConfig().db;

package/dist/auth/offlineCredentials.js.map

@@ -1 +1 @@
-{"version":3,"file":"offlineCredentials.js","sourceRoot":"","sources":["../../src/auth/offlineCredentials.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAG5C,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEtD,MAAM,cAAc,GAAG,cAAc,CAAC;AAEtC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,KAAa,EACb,QAAgB,EAChB,IAAU,EACV,QAAiB;IAEjB,4DAA4D;IAC5D,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;QACxB,UAAU,CAAC,6DAA6D,CAAC,CAAC;QAC1E,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IACjC,MAAM,EAAE,GAAG,MAAM,CAAC,EAAG,CAAC;IAEtB,uEAAuE;IACvE,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,gBAAgB;QAC3C,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC;QACxD,CAAC,CAAC,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC;IAE7B,MAAM,cAAc,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;IAEjD,MAAM,WAAW,GAAuB;QACtC,EAAE,EAAE,cAAc;QAClB,MAAM,EAAE,IAAI,CAAC,EAAE;QACf,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,cAAc;QACxB,OAAO;QACP,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC;IAEF,mDAAmD;IACnD,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAEtD,gEAAgE;IAChE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACxE,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,UAAU,CAAC,iEAAiE,CAAC,CAAC;QAC9E,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACzC,MAAM,EAAE,GAAG,eAAe,EAAE,CAAC,EAAG,CAAC;IACjC,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC7E,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,WAAiC,CAAC;AAC3C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,KAAa,EACb,QAAgB,EAChB,cAAsB;IAEtB,MAAM,WAAW,GAAG,MAAM,qBAAqB,EAAE,CAAC;IAClD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,SAAS,CAAC,yCAAyC,CAAC,CAAC;QACrD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IACpD,CAAC;IAED,oCAAoC;IACpC,IAAI,WAAW,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;QAC1C,SAAS,CAAC,oCAAoC,EAAE,WAAW,CAAC,MAAM,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;QAC3F,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QAChC,SAAS,CAAC,mCAAmC,EAAE,WAAW,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;QAChF,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IACpD,CAAC;IAED,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;QAC1B,SAAS,CAAC,0CAA0C,CAAC,CAAC;QACtD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;IACxD,CAAC;IAED,+EAA+E;IAC/E,oEAAoE;IACpE,IAAI,aAAsB,CAAC;IAC3B,IAAI,eAAe,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1C,MAAM,WAAW,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC9C,aAAa,GAAG,WAAW,CAAC,QAAQ,KAAK,WAAW,CAAC;IACvD,CAAC;SAAM,CAAC;QACN,8BAA8B;QAC9B,aAAa,GAAG,WAAW,CAAC,QAAQ,KAAK,QAAQ,CAAC;IACpD,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,SAAS,CACP,0CAA0C,EAC1C,WAAW,CAAC,QAAQ,CAAC,MAAM,EAC3B,mBAAmB,EACnB,QAAQ,CAAC,MAAM,EACf,GAAG,CACJ,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IACvD,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gCAAgC,CAAC,WAAmB;IACxE,MAAM,WAAW,GAAG,MAAM,qBAAqB,EAAE,CAAC;IAClD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO;IACT,CAAC;IAED,MAAM,EAAE,GAAG,eAAe,EAAE,CAAC,EAAG,CAAC;IACjC,MAAM,cAAc,GAAG,MAAM,SAAS,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,MAAM,CAAC,cAAc,EAAE;QAC1D,QAAQ,EAAE,cAAc;QACxB,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,OAAgC;IAEhC,MAAM,WAAW,GAAG,MAAM,qBAAqB,EAAE,CAAC;IAClD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO;IACT,CAAC;IAED,MAAM,EAAE,GAAG,eAAe,EAAE,CAAC,EAAG,CAAC;IACjC,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,MAAM,CAAC,cAAc,EAAE;QAC1D,OAAO;QACP,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB;IAC3C,MAAM,EAAE,GAAG,eAAe,EAAE,CAAC,EAAG,CAAC;IACjC,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;AAC9D,CAAC"}
+{"version":3,"file":"offlineCredentials.js","sourceRoot":"","sources":["../../src/auth/offlineCredentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAG5C,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEtD,gFAAgF;AAChF,YAAY;AACZ,gFAAgF;AAEhF;;;;GAIG;AACH,MAAM,cAAc,GAAG,cAAc,CAAC;AAEtC,gFAAgF;AAChF,iCAAiC;AACjC,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,KAAa,EACb,QAAgB,EAChB,IAAU,EACV,QAAiB;IAEjB;sDACkD;IAClD,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;QACxB,UAAU,CAAC,6DAA6D,CAAC,CAAC;QAC1E,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IACjC,MAAM,EAAE,GAAG,MAAM,CAAC,EAAG,CAAC;IAEtB;;gFAE4E;IAC5E,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,gBAAgB;QAC3C,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC;QACxD,CAAC,CAAC,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC;IAE7B,MAAM,cAAc,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;IAEjD,MAAM,WAAW,GAAuB;QACtC,EAAE,EAAE,cAAc;QAClB,MAAM,EAAE,IAAI,CAAC,EAAE;QACf,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,cAAc;QACxB,OAAO;QACP,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC;IAEF,gEAAgE;IAChE,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAEtD;;;qDAGiD;IACjD,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACxE,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QAChC,UAAU,CAAC,iEAAiE,CAAC,CAAC;QAC9E,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACzC,MAAM,EAAE,GAAG,eAAe,EAAE,CAAC,EAAG,CAAC;IACjC,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC7E,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,WAAiC,CAAC;AAC3C,CAAC;AAED,gFAAgF;AAChF,6BAA6B;AAC7B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,KAAa,EACb,QAAgB,EAChB,cAAsB;IAEtB,MAAM,WAAW,GAAG,MAAM,qBAAqB,EAAE,CAAC;IAClD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,SAAS,CAAC,yCAAyC,CAAC,CAAC;QACrD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IACpD,CAAC;IAED;;0BAEsB;IACtB,IAAI,WAAW,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;QAC1C,SAAS,CAAC,oCAAoC,EAAE,WAAW,CAAC,MAAM,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;QAC3F,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QAChC,SAAS,CAAC,mCAAmC,EAAE,WAAW,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;QAChF,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IACpD,CAAC;IAED,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;QAC1B,SAAS,CAAC,0CAA0C,CAAC,CAAC;QACtD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;IACxD,CAAC;IAED;;4DAEwD;IACxD,IAAI,aAAsB,CAAC;IAC3B,IAAI,eAAe,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1C,MAAM,WAAW,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC9C,aAAa,GAAG,WAAW,CAAC,QAAQ,KAAK,WAAW,CAAC;IACvD,CAAC;SAAM,CAAC;QACN;8EACsE;QACtE,aAAa,GAAG,WAAW,CAAC,QAAQ,KAAK,QAAQ,CAAC;IACpD,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,SAAS,CACP,0CAA0C,EAC1C,WAAW,CAAC,QAAQ,CAAC,MAAM,EAC3B,mBAAmB,EACnB,QAAQ,CAAC,MAAM,EACf,GAAG,CACJ,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;IACvD,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,gFAAgF;AAChF,+BAA+B;AAC/B,gFAAgF;AAEhF;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,gCAAgC,CAAC,WAAmB;IACxE,MAAM,WAAW,GAAG,MAAM,qBAAqB,EAAE,CAAC;IAClD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO;IACT,CAAC;IAED,MAAM,EAAE,GAAG,eAAe,EAAE,CAAC,EAAG,CAAC;IACjC,MAAM,cAAc,GAAG,MAAM,SAAS,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,MAAM,CAAC,cAAc,EAAE;QAC1D,QAAQ,EAAE,cAAc;QACxB,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,+BAA+B,CACnD,OAAgC;IAEhC,MAAM,WAAW,GAAG,MAAM,qBAAqB,EAAE,CAAC;IAClD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO;IACT,CAAC;IAED,MAAM,EAAE,GAAG,eAAe,EAAE,CAAC,EAAG,CAAC;IACjC,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,MAAM,CAAC,cAAc,EAAE;QAC1D,OAAO;QACP,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB;IAC3C,MAAM,EAAE,GAAG,eAAe,EAAE,CAAC,EAAG,CAAC;IACjC,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;AAC9D,CAAC"}

package/dist/auth/offlineLogin.d.ts

@@ -1,33 +1,119 @@
 /**
- * Offline Login
+ * @fileoverview Offline Login Orchestrator
  *
- * Provides high-level offline sign-in and credential info functions,
- * absorbing the login page's direct use of offline auth internals.
+ * Provides high-level offline sign-in and credential info functions, serving as
+ * the primary entry point for offline authentication. This module absorbs the
+ * login page's direct use of offline auth internals, offering a clean API that
+ * coordinates credential retrieval, verification, and session creation.
+ *
+ * Architecture:
+ * - `signInOffline` is the main flow: fetch cached credentials, verify them,
+ *   create an offline session, and validate it was persisted.
+ * - `getOfflineLoginInfo` is a read-only helper that exposes non-sensitive
+ *   display data (email, name) for pre-populating the offline login UI.
+ * - Both functions are designed to never throw -- they return structured result
+ *   objects with typed error reasons for the caller to handle.
+ *
+ * Security considerations:
+ * - Offline login is inherently less secure than online Supabase authentication.
+ *   It relies on SHA-256-hashed credentials stored in IndexedDB, which a
+ *   sufficiently motivated attacker with device access could extract.
+ * - The offline session token (`offlineToken`) is a random UUID that serves as
+ *   a local-only proof of authentication. It is NOT a JWT and carries no claims.
+ * - `getOfflineLoginInfo` intentionally excludes the password hash and userId
+ *   from its return value to minimize exposure of sensitive data.
+ *
+ * @module auth/offlineLogin
+ */
+/**
+ * Structured result returned by {@link signInOffline}.
+ *
+ * On success: `{ success: true }`.
+ * On failure: `{ success: false, reason }` where `reason` identifies which
+ * step of the offline login flow failed.
  */
 interface OfflineLoginResult {
+    /** Whether the offline login succeeded. */
     success: boolean;
+    /** Human-readable error message (currently unused; `reason` is preferred). */
     error?: string;
+    /**
+     * Machine-readable failure reason, used by the login UI to display
+     * context-appropriate error messages.
+     *
+     * - `'no_credentials'` -- No cached credentials exist on this device.
+     * - `'no_stored_password'` -- Credentials exist but the password hash is missing.
+     * - `'user_mismatch'` -- The cached userId does not match the expected user.
+     * - `'email_mismatch'` -- The entered email does not match the cached email.
+     * - `'password_mismatch'` -- The entered password does not match the cached hash.
+     * - `'session_failed'` -- Credential verification passed but session creation
+     *   or persistence failed.
+     */
     reason?: 'no_credentials' | 'no_stored_password' | 'user_mismatch' | 'email_mismatch' | 'password_mismatch' | 'session_failed';
 }
 /**
  * Sign in offline using cached credentials.
  *
- * 1. Fetches cached offline credentials
- * 2. Verifies email + password against cached credentials
- * 3. Creates offline session
- * 4. Validates session was persisted
- * 5. Returns structured result with typed error reasons
+ * Executes the full offline authentication flow:
+ * 1. Fetches cached offline credentials from IndexedDB.
+ * 2. Verifies the provided email + password against cached credentials.
+ * 3. Creates an offline session (random UUID token) in IndexedDB.
+ * 4. Validates the session was actually persisted (read-back check).
+ * 5. Returns a structured result with a typed error reason on failure.
+ *
+ * @param email    - The email address entered by the user.
+ * @param password - The plaintext password entered by the user.
+ * @returns A promise resolving to an {@link OfflineLoginResult}.
+ *
+ * @example
+ * ```ts
+ * const result = await signInOffline(email, password);
+ * if (result.success) {
+ *   router.push('/dashboard');
+ * } else if (result.reason === 'no_credentials') {
+ *   showError('You must log in online at least once before using offline mode.');
+ * } else {
+ *   showError('Incorrect email or password.');
+ * }
+ * ```
+ *
+ * @see {@link getOfflineLoginInfo} to check if offline credentials are available.
+ * @see {@link verifyOfflineCredentials} for the underlying verification logic.
+ * @see {@link createOfflineSession} for session creation details.
  */
 export declare function signInOffline(email: string, password: string): Promise<OfflineLoginResult>;
 /**
  * Get non-sensitive display info about cached offline credentials.
- * Returns null if no credentials cached.
- * Used by login page to show "Sign in as X" offline UI.
+ *
+ * Used by the login page to show an "offline mode" UI with the cached
+ * user's name and email (e.g., "Sign in as jane@example.com").
+ *
+ * Returns `null` if no credentials are cached, meaning the user has never
+ * logged in online on this device and offline login is unavailable.
+ *
+ * @returns An object containing `hasCredentials`, `email`, `firstName`, and
+ *          `lastName`, or `null` if no credentials exist.
+ *
+ * @example
+ * ```ts
+ * const info = await getOfflineLoginInfo();
+ * if (info?.hasCredentials) {
+ *   showOfflineLoginUI(info.email, info.firstName);
+ * } else {
+ *   showOnlineOnlyMessage();
+ * }
+ * ```
+ *
+ * @see {@link signInOffline} to perform the actual offline login.
  */
 export declare function getOfflineLoginInfo(): Promise<{
+    /** Whether cached credentials exist on this device. */
     hasCredentials: boolean;
+    /** The cached user's email address. */
     email?: string;
+    /** The cached user's first name (from profile). */
     firstName?: string;
+    /** The cached user's last name (from profile). */
     lastName?: string;
 } | null>;
 export {};

package/dist/auth/offlineLogin.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"offlineLogin.d.ts","sourceRoot":"","sources":["../../src/auth/offlineLogin.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,UAAU,kBAAkB;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EACH,gBAAgB,GAChB,oBAAoB,GACpB,eAAe,GACf,gBAAgB,GAChB,mBAAmB,GACnB,gBAAgB,CAAC;CACtB;AAED;;;;;;;;GAQG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAoChG;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC;IACnD,cAAc,EAAE,OAAO,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,IAAI,CAAC,CAiBR"}
+{"version":3,"file":"offlineLogin.d.ts","sourceRoot":"","sources":["../../src/auth/offlineLogin.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAUH;;;;;;GAMG;AACH,UAAU,kBAAkB;IAC1B,2CAA2C;IAC3C,OAAO,EAAE,OAAO,CAAC;IAEjB,8EAA8E;IAC9E,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;;;;;;;;;;OAWG;IACH,MAAM,CAAC,EACH,gBAAgB,GAChB,oBAAoB,GACpB,eAAe,GACf,gBAAgB,GAChB,mBAAmB,GACnB,gBAAgB,CAAC;CACtB;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAsChG;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC;IACnD,uDAAuD;IACvD,cAAc,EAAE,OAAO,CAAC;IACxB,uCAAuC;IACvC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mDAAmD;IACnD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,IAAI,CAAC,CAkBR"}