npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.15 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (323) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1513 -3
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +327 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +49 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +450 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +118 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +599 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +368 -258
package/dist/component/schema.js +23 -27
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +42 -7
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +70 -6
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +466 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +689 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1128 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +3 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +50 -35
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +44 -9
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +70 -6
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +320 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +466 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +340 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +689 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +56 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1128 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +432 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +486 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +1 -1
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signature.d.ts.map +1 -1
package/dist/server/mutations/signin.d.ts +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +4 -4
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +3 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +55 -71
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +1920 -3
package/src/component/index.ts +2 -0
package/src/component/model.ts +424 -0
package/src/component/public/enterprise.ts +654 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +951 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +117 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +47 -57
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +192 -9
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +916 -0
package/src/server/domains/sso.ts +1462 -0
package/src/server/enterpriseValidators.ts +88 -0
package/src/server/factory.ts +2168 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +712 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +3 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +251 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +85 -77
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/dist/server/domains/core.js ADDED Viewed

@@ -0,0 +1,466 @@
+import { AuthError, Fx } from "../fx.js";
+import { TOKEN_SUB_CLAIM_DIVIDER, generateRandomString, sha256 } from "../utils.js";
+import { buildScopeChecker, checkKeyRateLimit, generateApiKey, hashApiKey } from "../keys.js";
+import { materializeProvider } from "../providers.js";
+import { signInImpl } from "../signin.js";
+//#region src/server/domains/core.ts
+/**
+* Build the core auth domains that back the canonical app API surface.
+*/
+function createCoreDomains(deps) {
+	const { config, getAuth, callInvalidateSessions, callCreateAccountFromCredentials, callRetrieveAccountWithCredentials, callModifyAccount, getEnrichCtx, inviteTokenAlphabet, inviteTokenLength } = deps;
+	const user = {
+		current: async (ctx, request) => {
+			const identity = await ctx.auth.getUserIdentity();
+			if (identity !== null) {
+				const [userId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);
+				return userId;
+			}
+			if (request !== void 0 && "runMutation" in ctx && ctx.runMutation) {
+				const authHeader = request.headers.get("Authorization");
+				if (authHeader?.startsWith("Bearer sk_")) {
+					const rawKey = authHeader.slice(7);
+					try {
+						return (await getAuth().key.verify(ctx, rawKey)).userId;
+					} catch {
+						return null;
+					}
+				}
+			}
+			return null;
+		},
+		require: async (ctx, request) => {
+			const userId = await user.current(ctx, request);
+			if (userId === null) throw new AuthError("NOT_SIGNED_IN").toConvexError();
+			return userId;
+		},
+		get: async (ctx, userId) => {
+			return await ctx.runQuery(config.component.public.userGetById, { userId });
+		},
+		list: async (ctx, opts = {}) => {
+			return await ctx.runQuery(config.component.public.userList, opts);
+		},
+		viewer: async (ctx) => {
+			const userId = await user.current(ctx);
+			if (userId === null) return null;
+			return await ctx.runQuery(config.component.public.userGetById, { userId });
+		},
+		patch: async (ctx, userId, data) => {
+			await ctx.runMutation(config.component.public.userPatch, {
+				userId,
+				data
+			});
+		},
+		setActiveGroup: async (ctx, opts) => {
+			const doc = await user.get(ctx, opts.userId);
+			const existingExtend = doc !== null && doc.extend !== null && typeof doc.extend === "object" && !Array.isArray(doc.extend) ? { ...doc.extend } : {};
+			if (opts.groupId === null) {
+				const { lastActiveGroup: _omit, ...rest } = existingExtend;
+				await user.patch(ctx, opts.userId, { extend: rest });
+				return;
+			}
+			await user.patch(ctx, opts.userId, { extend: {
+				...existingExtend,
+				lastActiveGroup: opts.groupId
+			} });
+		},
+		getActiveGroup: async (ctx, opts) => {
+			const doc = await user.get(ctx, opts.userId);
+			if (doc !== null && doc.extend !== null && typeof doc.extend === "object" && !Array.isArray(doc.extend)) {
+				const val = doc.extend.lastActiveGroup;
+				if (typeof val === "string") return val;
+			}
+			return null;
+		},
+		remove: async (ctx, userId, opts) => {
+			const cascade = opts?.cascade !== false;
+			const [sessions, accounts, keys, members, passkeys, totps] = await Promise.all([
+				ctx.runQuery(config.component.public.sessionListByUser, { userId }),
+				ctx.runQuery(config.component.public.accountListByUser, { userId }),
+				ctx.runQuery(config.component.public.keyListByUserId, { userId }),
+				ctx.runQuery(config.component.public.memberListByUser, { userId }),
+				ctx.runQuery(config.component.public.passkeyListByUserId, { userId }),
+				ctx.runQuery(config.component.public.totpListByUserId, { userId })
+			]);
+			const totalLinked = sessions.length + accounts.length + keys.length + members.length + passkeys.length + totps.length;
+			if (!cascade && totalLinked > 0) throw new AuthError("INVALID_PARAMETERS", `Cannot delete user with ${totalLinked} linked records. Pass { cascade: true } to delete all linked records, or remove them manually first.`).toConvexError();
+			const deletions = [];
+			for (const s of sessions) deletions.push(ctx.runMutation(config.component.public.sessionDelete, { sessionId: s._id }));
+			for (const a of accounts) deletions.push(ctx.runMutation(config.component.public.accountDelete, { accountId: a._id }));
+			for (const k of keys) deletions.push(ctx.runMutation(config.component.public.keyDelete, { keyId: k._id }));
+			for (const m of members) deletions.push(ctx.runMutation(config.component.public.memberRemove, { memberId: m._id }));
+			for (const p of passkeys) deletions.push(ctx.runMutation(config.component.public.passkeyDelete, { passkeyId: p._id }));
+			for (const t of totps) deletions.push(ctx.runMutation(config.component.public.totpDelete, { totpId: t._id }));
+			await Promise.all(deletions);
+			await ctx.runMutation(config.component.public.userDelete, { userId });
+		}
+	};
+	const session = {
+		current: async (ctx) => {
+			const identity = await ctx.auth.getUserIdentity();
+			if (identity === null) return null;
+			const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);
+			return sessionId;
+		},
+		invalidate: async (ctx, args) => callInvalidateSessions(ctx, args),
+		get: async (ctx, sessionId) => {
+			return await ctx.runQuery(config.component.public.sessionGetById, { sessionId });
+		},
+		list: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.sessionListByUser, { userId: opts.userId });
+		}
+	};
+	const account = {
+		create: async (ctx, args) => {
+			return await callCreateAccountFromCredentials(ctx, args);
+		},
+		get: async (ctx, args) => {
+			const result = await callRetrieveAccountWithCredentials(ctx, args);
+			if (typeof result === "string") throw new AuthError("ACCOUNT_NOT_FOUND", result).toConvexError();
+			return result;
+		},
+		update: async (ctx, args) => {
+			return await callModifyAccount(ctx, args);
+		},
+		remove: async (ctx, accountId) => {
+			const doc = await ctx.runQuery(config.component.public.accountGetById, { accountId });
+			if (doc === null) throw new AuthError("ACCOUNT_NOT_FOUND", "Account not found.").toConvexError();
+			if ((await ctx.runQuery(config.component.public.accountListByUser, { userId: doc.userId })).length <= 1) throw new AuthError("INVALID_PARAMETERS", "Cannot unlink the user's only account. This would lock them out.").toConvexError();
+			await ctx.runMutation(config.component.public.accountDelete, { accountId });
+		},
+		listPasskeys: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.passkeyListByUserId, opts);
+		},
+		renamePasskey: async (ctx, passkeyId, name) => {
+			await ctx.runMutation(config.component.public.passkeyUpdateMeta, {
+				passkeyId,
+				data: { name }
+			});
+		},
+		removePasskey: async (ctx, passkeyId) => {
+			await ctx.runMutation(config.component.public.passkeyDelete, { passkeyId });
+		},
+		listTotps: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.totpListByUserId, opts);
+		},
+		removeTotp: async (ctx, totpId) => {
+			await ctx.runMutation(config.component.public.totpDelete, { totpId });
+		}
+	};
+	const provider = { signIn: async (ctx, providerConfig, args) => {
+		const result = await signInImpl(getEnrichCtx()(ctx), materializeProvider(providerConfig), args, {
+			generateTokens: false,
+			allowExtraProviders: true
+		});
+		return result.kind === "signedIn" ? result.signedIn !== null ? {
+			userId: result.signedIn.userId,
+			sessionId: result.signedIn.sessionId
+		} : null : null;
+	} };
+	const group = {
+		create: async (ctx, data) => {
+			return await ctx.runMutation(config.component.public.groupCreate, data);
+		},
+		get: async (ctx, groupId) => {
+			return await ctx.runQuery(config.component.public.groupGet, { groupId });
+		},
+		list: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.groupList, {
+				where: opts?.where,
+				limit: opts?.limit,
+				cursor: opts?.cursor,
+				orderBy: opts?.orderBy,
+				order: opts?.order
+			});
+		},
+		update: async (ctx, groupId, data) => {
+			await ctx.runMutation(config.component.public.groupUpdate, {
+				groupId,
+				data
+			});
+		},
+		delete: async (ctx, groupId) => {
+			await ctx.runMutation(config.component.public.groupDelete, { groupId });
+		},
+		ancestors: async (ctx, opts) => {
+			const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));
+			const visited = /* @__PURE__ */ new Set();
+			const ancestors = [];
+			let cycleDetected = false;
+			let maxDepthReached = false;
+			let currentGroupId = opts.groupId;
+			let depth = 0;
+			let isFirst = true;
+			while (currentGroupId !== void 0) {
+				if (depth > maxDepth) {
+					maxDepthReached = true;
+					break;
+				}
+				if (visited.has(currentGroupId)) {
+					cycleDetected = true;
+					break;
+				}
+				visited.add(currentGroupId);
+				const doc = await group.get(ctx, currentGroupId);
+				if (doc === null) break;
+				if (isFirst) {
+					isFirst = false;
+					if (opts.includeSelf) ancestors.push(doc);
+					currentGroupId = doc.parentGroupId;
+					depth += 1;
+					continue;
+				}
+				ancestors.push(doc);
+				currentGroupId = doc.parentGroupId;
+				depth += 1;
+			}
+			return {
+				ancestors,
+				cycleDetected,
+				maxDepthReached
+			};
+		}
+	};
+	const member = {
+		add: async (ctx, data) => {
+			return await ctx.runMutation(config.component.public.memberAdd, data);
+		},
+		get: async (ctx, memberId) => {
+			return await ctx.runQuery(config.component.public.memberGet, { memberId });
+		},
+		getByUserAndGroup: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.memberGetByGroupAndUser, opts);
+		},
+		list: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.memberList, {
+				where: opts?.where,
+				limit: opts?.limit,
+				cursor: opts?.cursor,
+				orderBy: opts?.orderBy,
+				order: opts?.order
+			});
+		},
+		remove: async (ctx, memberId) => {
+			await ctx.runMutation(config.component.public.memberRemove, { memberId });
+		},
+		update: async (ctx, memberId, data) => {
+			await ctx.runMutation(config.component.public.memberUpdate, {
+				memberId,
+				data
+			});
+		},
+		inherit: async (ctx, opts) => {
+			const roleFilter = opts.roles !== void 0 && opts.roles.length > 0 ? new Set(opts.roles) : null;
+			const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));
+			const visited = /* @__PURE__ */ new Set();
+			const traversedGroupIds = [];
+			let currentGroupId = opts.groupId;
+			let depth = 0;
+			let cycleDetected = false;
+			let maxDepthReached = false;
+			while (currentGroupId !== void 0) {
+				if (depth > maxDepth) {
+					maxDepthReached = true;
+					break;
+				}
+				if (visited.has(currentGroupId)) {
+					cycleDetected = true;
+					break;
+				}
+				visited.add(currentGroupId);
+				traversedGroupIds.push(currentGroupId);
+				const membership = await member.getByUserAndGroup(ctx, {
+					userId: opts.userId,
+					groupId: currentGroupId
+				});
+				if (membership !== null && (roleFilter === null || roleFilter.has(membership.role))) return {
+					requestedGroupId: opts.groupId,
+					matchedGroupId: currentGroupId,
+					membership,
+					depth,
+					isDirect: depth === 0,
+					isInherited: depth > 0,
+					traversedGroupIds,
+					cycleDetected: false,
+					maxDepthReached: false
+				};
+				const doc = await group.get(ctx, currentGroupId);
+				if (doc === null || doc.parentGroupId === void 0) break;
+				currentGroupId = doc.parentGroupId;
+				depth += 1;
+			}
+			return {
+				requestedGroupId: opts.groupId,
+				matchedGroupId: null,
+				membership: null,
+				depth: null,
+				isDirect: false,
+				isInherited: false,
+				traversedGroupIds,
+				cycleDetected,
+				maxDepthReached
+			};
+		},
+		require: async (ctx, opts) => {
+			const result = await member.inherit(ctx, opts);
+			if (result.membership === null) throw new AuthError("FORBIDDEN", `User ${opts.userId} has no membership on group ${opts.groupId} or its ancestors.`).toConvexError();
+			return {
+				membership: result.membership,
+				matchedGroupId: result.matchedGroupId,
+				isDirect: result.isDirect,
+				isInherited: result.isInherited,
+				depth: result.depth
+			};
+		}
+	};
+	const invite = {
+		create: async (ctx, data) => {
+			const token = generateRandomString(inviteTokenLength, inviteTokenAlphabet);
+			const tokenHash = await sha256(token);
+			return {
+				inviteId: await ctx.runMutation(config.component.public.inviteCreate, {
+					...data,
+					tokenHash,
+					status: "pending"
+				}),
+				token
+			};
+		},
+		get: async (ctx, inviteId) => {
+			return await ctx.runQuery(config.component.public.inviteGet, { inviteId });
+		},
+		token: {
+			get: async (ctx, token) => {
+				const tokenHash = await sha256(token);
+				return await ctx.runQuery(config.component.public.inviteGetByTokenHash, { tokenHash });
+			},
+			accept: async (ctx, args) => {
+				const tokenHash = await sha256(args.token);
+				return await ctx.runMutation(config.component.public.inviteAcceptByToken, {
+					tokenHash,
+					acceptedByUserId: args.acceptedByUserId
+				});
+			}
+		},
+		list: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.inviteList, {
+				where: opts?.where,
+				limit: opts?.limit,
+				cursor: opts?.cursor,
+				orderBy: opts?.orderBy,
+				order: opts?.order
+			});
+		},
+		accept: async (ctx, inviteId, acceptedByUserId) => {
+			await ctx.runMutation(config.component.public.inviteAccept, {
+				inviteId,
+				...acceptedByUserId ? { acceptedByUserId } : {}
+			});
+		},
+		revoke: async (ctx, inviteId) => {
+			await ctx.runMutation(config.component.public.inviteRevoke, { inviteId });
+		}
+	};
+	const key = {
+		create: async (ctx, opts) => {
+			const { raw, hashedKey, displayPrefix } = await generateApiKey("sk_");
+			return {
+				keyId: await ctx.runMutation(config.component.public.keyInsert, {
+					userId: opts.userId,
+					prefix: displayPrefix,
+					hashedKey,
+					name: opts.name,
+					scopes: opts.scopes,
+					rateLimit: opts.rateLimit,
+					expiresAt: opts.expiresAt,
+					metadata: opts.metadata
+				}),
+				raw
+			};
+		},
+		verify: async (ctx, rawKey) => {
+			const hashedKey = await hashApiKey(rawKey);
+			const doc = await ctx.runQuery(config.component.public.keyGetByHashedKey, { hashedKey });
+			return Fx.run(Fx.gen(function* () {
+				yield* Fx.guard(!doc, Fx.fail(new AuthError("INVALID_API_KEY")));
+				const k = doc;
+				yield* Fx.guard(k.revoked, Fx.fail(new AuthError("API_KEY_REVOKED")));
+				yield* Fx.guard(!!(k.expiresAt && k.expiresAt < Date.now()), Fx.fail(new AuthError("API_KEY_EXPIRED")));
+				const patchData = { lastUsedAt: Date.now() };
+				if (k.rateLimit) {
+					const { limited, newState } = checkKeyRateLimit(k.rateLimit, k.rateLimitState ?? void 0);
+					yield* Fx.guard(limited, Fx.fail(new AuthError("API_KEY_RATE_LIMITED")));
+					patchData.rateLimitState = newState;
+				}
+				yield* Fx.promise(() => ctx.runMutation(config.component.public.keyPatch, {
+					keyId: k._id,
+					data: patchData
+				}));
+				return {
+					userId: k.userId,
+					keyId: k._id,
+					scopes: buildScopeChecker(k.scopes)
+				};
+			}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+		},
+		list: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.keyList, {
+				where: opts?.where,
+				limit: opts?.limit,
+				cursor: opts?.cursor,
+				orderBy: opts?.orderBy,
+				order: opts?.order
+			});
+		},
+		get: async (ctx, keyId) => {
+			return await ctx.runQuery(config.component.public.keyGetById, { keyId });
+		},
+		update: async (ctx, keyId, data) => {
+			await ctx.runMutation(config.component.public.keyPatch, {
+				keyId,
+				data
+			});
+		},
+		revoke: async (ctx, keyId) => {
+			await ctx.runMutation(config.component.public.keyPatch, {
+				keyId,
+				data: { revoked: true }
+			});
+		},
+		remove: async (ctx, keyId) => {
+			await ctx.runMutation(config.component.public.keyDelete, { keyId });
+		},
+		rotate: async (ctx, keyId, opts) => {
+			const existing = await ctx.runQuery(config.component.public.keyGetById, { keyId });
+			if (!existing) throw new AuthError("INVALID_PARAMETERS", "API key not found.").toConvexError();
+			if (existing.revoked === true) throw new AuthError("API_KEY_REVOKED", "Cannot rotate a key that is already revoked.").toConvexError();
+			await ctx.runMutation(config.component.public.keyPatch, {
+				keyId,
+				data: { revoked: true }
+			});
+			return await key.create(ctx, {
+				userId: existing.userId,
+				name: opts?.name ?? existing.name,
+				scopes: existing.scopes ?? [],
+				rateLimit: existing.rateLimit,
+				expiresAt: opts?.expiresAt,
+				metadata: existing.metadata
+			});
+		}
+	};
+	return {
+		user,
+		session,
+		account,
+		provider,
+		group,
+		member,
+		invite,
+		key
+	};
+}
+//#endregion
+export { createCoreDomains };
+//# sourceMappingURL=core.js.map

package/dist/server/domains/core.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"core.js","names":[],"sources":["../../../src/server/domains/core.ts"],"sourcesContent":["import { Auth, GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId } from \"convex/values\";\n\nimport { AuthError, Fx } from \"../fx\";\nimport {\n buildScopeChecker,\n checkKeyRateLimit,\n generateApiKey,\n hashApiKey,\n} from \"../keys\";\nimport { materializeProvider } from \"../providers\";\nimport { signInImpl } from \"../signin\";\nimport type {\n AuthProviderConfig,\n KeyDoc,\n KeyScope,\n ScopeChecker,\n UserOrderBy,\n UserWhere,\n} from \"../types\";\nimport {\n generateRandomString,\n sha256,\n TOKEN_SUB_CLAIM_DIVIDER,\n} from \"../utils\";\n\ntype ComponentCtx = Pick<\n GenericActionCtx<GenericDataModel>,\n \"runQuery\" | \"runMutation\"\n>;\ntype ComponentReadCtx = Pick<GenericActionCtx<GenericDataModel>, \"runQuery\">;\ntype ComponentAuthReadCtx = ComponentReadCtx & { auth: Auth };\ntype AccountCredentials = { id: string; secret?: string };\ntype CreateAccountArgs = {\n provider: string;\n account: AccountCredentials;\n profile: Record<string, unknown>;\n shouldLinkViaEmail?: boolean;\n shouldLinkViaPhone?: boolean;\n};\ntype RetrieveAccountArgs = { provider: string; account: AccountCredentials };\ntype UpdateAccountCredentialsArgs = {\n provider: string;\n account: { id: string; secret: string };\n};\n\ntype CoreDeps = {\n config: any;\n getAuth: () => any;\n callInvalidateSessions: <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: { userId: GenericId<\"User\">; except?: GenericId<\"Session\">[] },\n ) => Promise<void>;\n callCreateAccountFromCredentials: <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: CreateAccountArgs,\n ) => Promise<any>;\n callRetrieveAccountWithCredentials: <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: RetrieveAccountArgs,\n ) => Promise<any>;\n callModifyAccount: <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: UpdateAccountCredentialsArgs,\n ) => Promise<void>;\n getEnrichCtx: () => <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n ) => any;\n inviteTokenAlphabet: string;\n inviteTokenLength: number;\n};\n\n/**\n * Build the core auth domains that back the canonical app API surface.\n */\nexport function createCoreDomains(deps: CoreDeps) {\n const {\n config,\n getAuth,\n callInvalidateSessions,\n callCreateAccountFromCredentials,\n callRetrieveAccountWithCredentials,\n callModifyAccount,\n getEnrichCtx,\n inviteTokenAlphabet,\n inviteTokenLength,\n } = deps;\n\n const user = {\n current: async (\n ctx: { auth: Auth } & Partial<ComponentCtx>,\n request?: Request,\n ): Promise<string | null> => {\n const identity = await ctx.auth.getUserIdentity();\n if (identity !== null) {\n const [userId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n return userId;\n }\n if (request !== undefined && \"runMutation\" in ctx && ctx.runMutation) {\n const authHeader = request.headers.get(\"Authorization\");\n if (authHeader?.startsWith(\"Bearer sk_\")) {\n const rawKey = authHeader.slice(7);\n try {\n const result = await getAuth().key.verify(\n ctx as ComponentCtx,\n rawKey,\n );\n return result.userId;\n } catch {\n return null;\n }\n }\n }\n return null;\n },\n require: async (\n ctx: { auth: Auth } & Partial<ComponentCtx>,\n request?: Request,\n ): Promise<string> => {\n const userId = await user.current(ctx, request);\n if (userId === null) {\n throw new AuthError(\"NOT_SIGNED_IN\").toConvexError();\n }\n return userId;\n },\n get: async (ctx: ComponentReadCtx, userId: string) => {\n return await ctx.runQuery(config.component.public.userGetById, {\n userId,\n });\n },\n list: async (\n ctx: ComponentReadCtx,\n opts: {\n where?: UserWhere;\n limit?: number;\n cursor?: string | null;\n orderBy?: UserOrderBy;\n order?: \"asc\" | \"desc\";\n } = {},\n ) => {\n return await ctx.runQuery(config.component.public.userList, opts);\n },\n viewer: async (ctx: ComponentAuthReadCtx) => {\n const userId = await user.current(ctx);\n if (userId === null) return null;\n return await ctx.runQuery(config.component.public.userGetById, {\n userId,\n });\n },\n patch: async (\n ctx: ComponentCtx,\n userId: string,\n data: Record<string, unknown>,\n ) => {\n await ctx.runMutation(config.component.public.userPatch, {\n userId,\n data,\n });\n },\n setActiveGroup: async (\n ctx: ComponentCtx,\n opts: { userId: string; groupId: string | null },\n ) => {\n const doc = await user.get(ctx, opts.userId);\n const existingExtend =\n doc !== null &&\n doc.extend !== null &&\n typeof doc.extend === \"object\" &&\n !Array.isArray(doc.extend)\n ? { ...(doc.extend as Record<string, unknown>) }\n : {};\n if (opts.groupId === null) {\n const { lastActiveGroup: _omit, ...rest } = existingExtend;\n await user.patch(ctx, opts.userId, { extend: rest });\n return;\n }\n await user.patch(ctx, opts.userId, {\n extend: { ...existingExtend, lastActiveGroup: opts.groupId },\n });\n },\n getActiveGroup: async (\n ctx: ComponentReadCtx,\n opts: { userId: string },\n ): Promise<string | null> => {\n const doc = await user.get(ctx, opts.userId);\n if (\n doc !== null &&\n doc.extend !== null &&\n typeof doc.extend === \"object\" &&\n !Array.isArray(doc.extend)\n ) {\n const val = (doc.extend as Record<string, unknown>).lastActiveGroup;\n if (typeof val === \"string\") return val;\n }\n return null;\n },\n remove: async (\n ctx: ComponentCtx,\n userId: string,\n opts?: { cascade?: boolean },\n ): Promise<void> => {\n const cascade = opts?.cascade !== false;\n const [sessions, accounts, keys, members, passkeys, totps] =\n await Promise.all([\n ctx.runQuery(config.component.public.sessionListByUser, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ctx.runQuery(config.component.public.accountListByUser, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ctx.runQuery(config.component.public.keyListByUserId, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ctx.runQuery(config.component.public.memberListByUser, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ctx.runQuery(config.component.public.passkeyListByUserId, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ctx.runQuery(config.component.public.totpListByUserId, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ]);\n const totalLinked =\n sessions.length +\n accounts.length +\n keys.length +\n members.length +\n passkeys.length +\n totps.length;\n if (!cascade && totalLinked > 0) {\n throw new AuthError(\n \"INVALID_PARAMETERS\",\n `Cannot delete user with ${totalLinked} linked records. Pass { cascade: true } to delete all linked records, or remove them manually first.`,\n ).toConvexError();\n }\n const deletions: Promise<unknown>[] = [];\n for (const s of sessions)\n deletions.push(\n ctx.runMutation(config.component.public.sessionDelete, {\n sessionId: s._id,\n }),\n );\n for (const a of accounts)\n deletions.push(\n ctx.runMutation(config.component.public.accountDelete, {\n accountId: a._id,\n }),\n );\n for (const k of keys)\n deletions.push(\n ctx.runMutation(config.component.public.keyDelete, { keyId: k._id }),\n );\n for (const m of members)\n deletions.push(\n ctx.runMutation(config.component.public.memberRemove, {\n memberId: m._id,\n }),\n );\n for (const p of passkeys)\n deletions.push(\n ctx.runMutation(config.component.public.passkeyDelete, {\n passkeyId: p._id,\n }),\n );\n for (const t of totps)\n deletions.push(\n ctx.runMutation(config.component.public.totpDelete, {\n totpId: t._id,\n }),\n );\n await Promise.all(deletions);\n await ctx.runMutation(config.component.public.userDelete, { userId });\n },\n };\n\n const session = {\n current: async (ctx: { auth: Auth }) => {\n const identity = await ctx.auth.getUserIdentity();\n if (identity === null) return null;\n const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n return sessionId as GenericId<\"Session\">;\n },\n invalidate: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: { userId: GenericId<\"User\">; except?: GenericId<\"Session\">[] },\n ) => callInvalidateSessions(ctx, args),\n get: async (ctx: ComponentReadCtx, sessionId: string) => {\n return await ctx.runQuery(config.component.public.sessionGetById, {\n sessionId,\n });\n },\n list: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n return await ctx.runQuery(config.component.public.sessionListByUser, {\n userId: opts.userId,\n });\n },\n };\n\n const account = {\n create: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: CreateAccountArgs,\n ) => {\n return await callCreateAccountFromCredentials(ctx, args);\n },\n get: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: RetrieveAccountArgs,\n ) => {\n const result = await callRetrieveAccountWithCredentials(ctx, args);\n if (typeof result === \"string\") {\n throw new AuthError(\"ACCOUNT_NOT_FOUND\", result).toConvexError();\n }\n return result;\n },\n update: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: UpdateAccountCredentialsArgs,\n ): Promise<void> => {\n return await callModifyAccount(ctx, args);\n },\n remove: async (ctx: ComponentCtx, accountId: string): Promise<void> => {\n const doc = await ctx.runQuery(config.component.public.accountGetById, {\n accountId,\n });\n if (doc === null) {\n throw new AuthError(\n \"ACCOUNT_NOT_FOUND\",\n \"Account not found.\",\n ).toConvexError();\n }\n const allAccounts = (await ctx.runQuery(\n config.component.public.accountListByUser,\n { userId: (doc as any).userId },\n )) as Array<{ _id: string }>;\n if (allAccounts.length <= 1) {\n throw new AuthError(\n \"INVALID_PARAMETERS\",\n \"Cannot unlink the user's only account. This would lock them out.\",\n ).toConvexError();\n }\n await ctx.runMutation(config.component.public.accountDelete, {\n accountId,\n });\n },\n listPasskeys: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n return await ctx.runQuery(\n config.component.public.passkeyListByUserId,\n opts,\n );\n },\n renamePasskey: async (\n ctx: ComponentCtx,\n passkeyId: string,\n name: string,\n ) => {\n await ctx.runMutation(config.component.public.passkeyUpdateMeta, {\n passkeyId,\n data: { name },\n });\n },\n removePasskey: async (ctx: ComponentCtx, passkeyId: string) => {\n await ctx.runMutation(config.component.public.passkeyDelete, {\n passkeyId,\n });\n },\n listTotps: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n return await ctx.runQuery(config.component.public.totpListByUserId, opts);\n },\n removeTotp: async (ctx: ComponentCtx, totpId: string) => {\n await ctx.runMutation(config.component.public.totpDelete, { totpId });\n },\n };\n\n const provider = {\n signIn: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n providerConfig: AuthProviderConfig,\n args: {\n accountId?: GenericId<\"Account\">;\n params?: Record<string, unknown>;\n },\n ) => {\n const result = await signInImpl(\n getEnrichCtx()(ctx),\n materializeProvider(providerConfig),\n args as {\n accountId?: GenericId<\"Account\">;\n params?: Record<string, any>;\n },\n { generateTokens: false, allowExtraProviders: true },\n );\n return result.kind === \"signedIn\"\n ? result.signedIn !== null\n ? {\n userId: result.signedIn.userId,\n sessionId: result.signedIn.sessionId,\n }\n : null\n : null;\n },\n };\n\n const group = {\n create: async (\n ctx: ComponentCtx,\n data: {\n name: string;\n slug?: string;\n type?: string;\n parentGroupId?: string;\n tags?: Array<{ key: string; value: string }>;\n extend?: Record<string, unknown>;\n },\n ): Promise<string> => {\n return (await ctx.runMutation(\n config.component.public.groupCreate,\n data,\n )) as string;\n },\n get: async (ctx: ComponentReadCtx, groupId: string) => {\n return await ctx.runQuery(config.component.public.groupGet, { groupId });\n },\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n slug?: string;\n type?: string;\n parentGroupId?: string;\n name?: string;\n isRoot?: boolean;\n tagsAll?: Array<{ key: string; value: string }>;\n tagsAny?: Array<{ key: string; value: string }>;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?: \"_creationTime\" | \"name\" | \"slug\" | \"type\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.groupList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n update: async (\n ctx: ComponentCtx,\n groupId: string,\n data: Record<string, unknown>,\n ) => {\n await ctx.runMutation(config.component.public.groupUpdate, {\n groupId,\n data,\n });\n },\n delete: async (ctx: ComponentCtx, groupId: string) => {\n await ctx.runMutation(config.component.public.groupDelete, { groupId });\n },\n ancestors: async (\n ctx: ComponentReadCtx,\n opts: { groupId: string; maxDepth?: number; includeSelf?: boolean },\n ) => {\n const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));\n const visited = new Set<string>();\n const ancestors: any[] = [];\n let cycleDetected = false;\n let maxDepthReached = false;\n let currentGroupId: string | undefined = opts.groupId;\n let depth = 0;\n let isFirst = true;\n while (currentGroupId !== undefined) {\n if (depth > maxDepth) {\n maxDepthReached = true;\n break;\n }\n if (visited.has(currentGroupId)) {\n cycleDetected = true;\n break;\n }\n visited.add(currentGroupId);\n const doc = await group.get(ctx, currentGroupId);\n if (doc === null) break;\n if (isFirst) {\n isFirst = false;\n if (opts.includeSelf) ancestors.push(doc);\n currentGroupId = doc.parentGroupId;\n depth += 1;\n continue;\n }\n ancestors.push(doc);\n currentGroupId = doc.parentGroupId;\n depth += 1;\n }\n return { ancestors, cycleDetected, maxDepthReached };\n },\n };\n\n const member = {\n add: async (\n ctx: ComponentCtx,\n data: {\n groupId: string;\n userId: string;\n role?: string;\n status?: string;\n extend?: Record<string, unknown>;\n },\n ): Promise<string> => {\n return (await ctx.runMutation(\n config.component.public.memberAdd,\n data,\n )) as string;\n },\n get: async (ctx: ComponentReadCtx, memberId: string) => {\n return await ctx.runQuery(config.component.public.memberGet, {\n memberId,\n });\n },\n getByUserAndGroup: async (\n ctx: ComponentReadCtx,\n opts: { userId: string; groupId: string },\n ) => {\n return await ctx.runQuery(\n config.component.public.memberGetByGroupAndUser,\n opts,\n );\n },\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n groupId?: string;\n userId?: string;\n role?: string;\n status?: string;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?: \"_creationTime\" | \"role\" | \"status\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.memberList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n remove: async (ctx: ComponentCtx, memberId: string) => {\n await ctx.runMutation(config.component.public.memberRemove, { memberId });\n },\n update: async (\n ctx: ComponentCtx,\n memberId: string,\n data: Record<string, unknown>,\n ) => {\n await ctx.runMutation(config.component.public.memberUpdate, {\n memberId,\n data,\n });\n },\n inherit: async (\n ctx: ComponentReadCtx,\n opts: {\n userId: string;\n groupId: string;\n roles?: string[];\n maxDepth?: number;\n },\n ) => {\n const roleFilter =\n opts.roles !== undefined && opts.roles.length > 0\n ? new Set(opts.roles)\n : null;\n const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));\n const visited = new Set<string>();\n const traversedGroupIds: string[] = [];\n let currentGroupId: string | undefined = opts.groupId;\n let depth = 0;\n let cycleDetected = false;\n let maxDepthReached = false;\n while (currentGroupId !== undefined) {\n if (depth > maxDepth) {\n maxDepthReached = true;\n break;\n }\n if (visited.has(currentGroupId)) {\n cycleDetected = true;\n break;\n }\n visited.add(currentGroupId);\n traversedGroupIds.push(currentGroupId);\n const membership = await member.getByUserAndGroup(ctx, {\n userId: opts.userId,\n groupId: currentGroupId,\n });\n if (\n membership !== null &&\n (roleFilter === null || roleFilter.has(membership.role))\n ) {\n return {\n requestedGroupId: opts.groupId,\n matchedGroupId: currentGroupId,\n membership,\n depth,\n isDirect: depth === 0,\n isInherited: depth > 0,\n traversedGroupIds,\n cycleDetected: false,\n maxDepthReached: false,\n };\n }\n const doc = await group.get(ctx, currentGroupId);\n if (doc === null || doc.parentGroupId === undefined) break;\n currentGroupId = doc.parentGroupId;\n depth += 1;\n }\n return {\n requestedGroupId: opts.groupId,\n matchedGroupId: null,\n membership: null,\n depth: null,\n isDirect: false,\n isInherited: false,\n traversedGroupIds,\n cycleDetected,\n maxDepthReached,\n };\n },\n require: async (\n ctx: ComponentReadCtx,\n opts: {\n userId: string;\n groupId: string;\n roles?: string[];\n maxDepth?: number;\n },\n ) => {\n const result = await member.inherit(ctx, opts);\n if (result.membership === null) {\n throw new AuthError(\n \"FORBIDDEN\",\n `User ${opts.userId} has no membership on group ${opts.groupId} or its ancestors.`,\n ).toConvexError();\n }\n return {\n membership: result.membership,\n matchedGroupId: result.matchedGroupId,\n isDirect: result.isDirect,\n isInherited: result.isInherited,\n depth: result.depth,\n };\n },\n };\n\n const invite = {\n create: async (\n ctx: ComponentCtx,\n data: {\n groupId?: string;\n invitedByUserId?: string;\n email?: string;\n role?: string;\n expiresTime?: number;\n extend?: Record<string, unknown>;\n },\n ): Promise<{ inviteId: string; token: string }> => {\n const token = generateRandomString(\n inviteTokenLength,\n inviteTokenAlphabet,\n );\n const tokenHash = await sha256(token);\n const inviteId = (await ctx.runMutation(\n config.component.public.inviteCreate,\n { ...data, tokenHash, status: \"pending\" },\n )) as string;\n return { inviteId, token };\n },\n get: async (ctx: ComponentReadCtx, inviteId: string) => {\n return await ctx.runQuery(config.component.public.inviteGet, {\n inviteId,\n });\n },\n token: {\n get: async (ctx: ComponentReadCtx, token: string) => {\n const tokenHash = await sha256(token);\n return await ctx.runQuery(\n config.component.public.inviteGetByTokenHash,\n { tokenHash },\n );\n },\n accept: async (\n ctx: ComponentCtx,\n args: { token: string; acceptedByUserId: string },\n ) => {\n const tokenHash = await sha256(args.token);\n return await ctx.runMutation(\n config.component.public.inviteAcceptByToken,\n { tokenHash, acceptedByUserId: args.acceptedByUserId },\n );\n },\n },\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n tokenHash?: string;\n groupId?: string;\n status?: \"pending\" | \"accepted\" | \"revoked\" | \"expired\";\n email?: string;\n invitedByUserId?: string;\n role?: string;\n acceptedByUserId?: string;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?:\n | \"_creationTime\"\n | \"status\"\n | \"email\"\n | \"expiresTime\"\n | \"acceptedTime\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.inviteList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n accept: async (\n ctx: ComponentCtx,\n inviteId: string,\n acceptedByUserId?: string,\n ) => {\n await ctx.runMutation(config.component.public.inviteAccept, {\n inviteId,\n ...(acceptedByUserId ? { acceptedByUserId } : {}),\n });\n },\n revoke: async (ctx: ComponentCtx, inviteId: string) => {\n await ctx.runMutation(config.component.public.inviteRevoke, { inviteId });\n },\n };\n\n const key = {\n create: async (\n ctx: ComponentCtx,\n opts: {\n userId: string;\n name: string;\n scopes: KeyScope[];\n rateLimit?: { maxRequests: number; windowMs: number };\n expiresAt?: number;\n metadata?: Record<string, unknown>;\n },\n ): Promise<{ keyId: string; raw: string }> => {\n const { raw, hashedKey, displayPrefix } = await generateApiKey(\"sk_\");\n const keyId = (await ctx.runMutation(config.component.public.keyInsert, {\n userId: opts.userId,\n prefix: displayPrefix,\n hashedKey,\n name: opts.name,\n scopes: opts.scopes,\n rateLimit: opts.rateLimit,\n expiresAt: opts.expiresAt,\n metadata: opts.metadata,\n })) as string;\n return { keyId, raw };\n },\n verify: async (\n ctx: ComponentCtx,\n rawKey: string,\n ): Promise<{ userId: string; keyId: string; scopes: ScopeChecker }> => {\n const hashedKey = await hashApiKey(rawKey);\n const doc = (await ctx.runQuery(\n config.component.public.keyGetByHashedKey,\n { hashedKey },\n )) as KeyDoc | null;\n return Fx.run(\n Fx.gen(function* () {\n yield* Fx.guard(!doc, Fx.fail(new AuthError(\"INVALID_API_KEY\")));\n const k = doc!;\n yield* Fx.guard(k.revoked, Fx.fail(new AuthError(\"API_KEY_REVOKED\")));\n yield* Fx.guard(\n !!(k.expiresAt && k.expiresAt < Date.now()),\n Fx.fail(new AuthError(\"API_KEY_EXPIRED\")),\n );\n const patchData: Record<string, unknown> = { lastUsedAt: Date.now() };\n if (k.rateLimit) {\n const { limited, newState } = checkKeyRateLimit(\n k.rateLimit,\n k.rateLimitState ?? undefined,\n );\n yield* Fx.guard(\n limited,\n Fx.fail(new AuthError(\"API_KEY_RATE_LIMITED\")),\n );\n patchData.rateLimitState = newState;\n }\n yield* Fx.promise(() =>\n ctx.runMutation(config.component.public.keyPatch, {\n keyId: k._id,\n data: patchData,\n }),\n );\n return {\n userId: k.userId,\n keyId: k._id,\n scopes: buildScopeChecker(k.scopes),\n };\n }).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))),\n );\n },\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n userId?: string;\n revoked?: boolean;\n name?: string;\n prefix?: string;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?:\n | \"_creationTime\"\n | \"name\"\n | \"lastUsedAt\"\n | \"expiresAt\"\n | \"revoked\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.keyList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n get: async (\n ctx: ComponentReadCtx,\n keyId: string,\n ): Promise<KeyDoc | null> => {\n return (await ctx.runQuery(config.component.public.keyGetById, {\n keyId,\n })) as KeyDoc | null;\n },\n update: async (\n ctx: ComponentCtx,\n keyId: string,\n data: {\n name?: string;\n scopes?: KeyScope[];\n rateLimit?: { maxRequests: number; windowMs: number };\n },\n ) => {\n await ctx.runMutation(config.component.public.keyPatch, { keyId, data });\n },\n revoke: async (ctx: ComponentCtx, keyId: string) => {\n await ctx.runMutation(config.component.public.keyPatch, {\n keyId,\n data: { revoked: true },\n });\n },\n remove: async (ctx: ComponentCtx, keyId: string) => {\n await ctx.runMutation(config.component.public.keyDelete, { keyId });\n },\n rotate: async (\n ctx: ComponentCtx,\n keyId: string,\n opts?: { name?: string; expiresAt?: number },\n ): Promise<{ keyId: string; raw: string }> => {\n const existing = await ctx.runQuery(config.component.public.keyGetById, {\n keyId,\n });\n if (!existing)\n throw new AuthError(\n \"INVALID_PARAMETERS\",\n \"API key not found.\",\n ).toConvexError();\n if ((existing as any).revoked === true) {\n throw new AuthError(\n \"API_KEY_REVOKED\",\n \"Cannot rotate a key that is already revoked.\",\n ).toConvexError();\n }\n await ctx.runMutation(config.component.public.keyPatch, {\n keyId,\n data: { revoked: true },\n });\n return await key.create(ctx, {\n userId: (existing as any).userId,\n name: opts?.name ?? (existing as any).name,\n scopes: (existing as any).scopes ?? [],\n rateLimit: (existing as any).rateLimit,\n expiresAt: opts?.expiresAt,\n metadata: (existing as any).metadata,\n });\n },\n };\n\n return { user, session, account, provider, group, member, invite, key };\n}\n"],"mappings":";;;;;;;;;;AA2EA,SAAgB,kBAAkB,MAAgB;CAChD,MAAM,EACJ,QACA,SACA,wBACA,kCACA,oCACA,mBACA,cACA,qBACA,sBACE;CAEJ,MAAM,OAAO;EACX,SAAS,OACP,KACA,YAC2B;GAC3B,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,OAAI,aAAa,MAAM;IACrB,MAAM,CAAC,UAAU,SAAS,QAAQ,MAAM,wBAAwB;AAChE,WAAO;;AAET,OAAI,YAAY,UAAa,iBAAiB,OAAO,IAAI,aAAa;IACpE,MAAM,aAAa,QAAQ,QAAQ,IAAI,gBAAgB;AACvD,QAAI,YAAY,WAAW,aAAa,EAAE;KACxC,MAAM,SAAS,WAAW,MAAM,EAAE;AAClC,SAAI;AAKF,cAJe,MAAM,SAAS,CAAC,IAAI,OACjC,KACA,OACD,EACa;aACR;AACN,aAAO;;;;AAIb,UAAO;;EAET,SAAS,OACP,KACA,YACoB;GACpB,MAAM,SAAS,MAAM,KAAK,QAAQ,KAAK,QAAQ;AAC/C,OAAI,WAAW,KACb,OAAM,IAAI,UAAU,gBAAgB,CAAC,eAAe;AAEtD,UAAO;;EAET,KAAK,OAAO,KAAuB,WAAmB;AACpD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,aAAa,EAC7D,QACD,CAAC;;EAEJ,MAAM,OACJ,KACA,OAMI,EAAE,KACH;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,UAAU,KAAK;;EAEnE,QAAQ,OAAO,QAA8B;GAC3C,MAAM,SAAS,MAAM,KAAK,QAAQ,IAAI;AACtC,OAAI,WAAW,KAAM,QAAO;AAC5B,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,aAAa,EAC7D,QACD,CAAC;;EAEJ,OAAO,OACL,KACA,QACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;IACvD;IACA;IACD,CAAC;;EAEJ,gBAAgB,OACd,KACA,SACG;GACH,MAAM,MAAM,MAAM,KAAK,IAAI,KAAK,KAAK,OAAO;GAC5C,MAAM,iBACJ,QAAQ,QACR,IAAI,WAAW,QACf,OAAO,IAAI,WAAW,YACtB,CAAC,MAAM,QAAQ,IAAI,OAAO,GACtB,EAAE,GAAI,IAAI,QAAoC,GAC9C,EAAE;AACR,OAAI,KAAK,YAAY,MAAM;IACzB,MAAM,EAAE,iBAAiB,OAAO,GAAG,SAAS;AAC5C,UAAM,KAAK,MAAM,KAAK,KAAK,QAAQ,EAAE,QAAQ,MAAM,CAAC;AACpD;;AAEF,SAAM,KAAK,MAAM,KAAK,KAAK,QAAQ,EACjC,QAAQ;IAAE,GAAG;IAAgB,iBAAiB,KAAK;IAAS,EAC7D,CAAC;;EAEJ,gBAAgB,OACd,KACA,SAC2B;GAC3B,MAAM,MAAM,MAAM,KAAK,IAAI,KAAK,KAAK,OAAO;AAC5C,OACE,QAAQ,QACR,IAAI,WAAW,QACf,OAAO,IAAI,WAAW,YACtB,CAAC,MAAM,QAAQ,IAAI,OAAO,EAC1B;IACA,MAAM,MAAO,IAAI,OAAmC;AACpD,QAAI,OAAO,QAAQ,SAAU,QAAO;;AAEtC,UAAO;;EAET,QAAQ,OACN,KACA,QACA,SACkB;GAClB,MAAM,UAAU,MAAM,YAAY;GAClC,MAAM,CAAC,UAAU,UAAU,MAAM,SAAS,UAAU,SAClD,MAAM,QAAQ,IAAI;IAChB,IAAI,SAAS,OAAO,UAAU,OAAO,mBAAmB,EACtD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,mBAAmB,EACtD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,iBAAiB,EACpD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,kBAAkB,EACrD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,qBAAqB,EACxD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,kBAAkB,EACrD,QACD,CAAC;IACH,CAAC;GACJ,MAAM,cACJ,SAAS,SACT,SAAS,SACT,KAAK,SACL,QAAQ,SACR,SAAS,SACT,MAAM;AACR,OAAI,CAAC,WAAW,cAAc,EAC5B,OAAM,IAAI,UACR,sBACA,2BAA2B,YAAY,sGACxC,CAAC,eAAe;GAEnB,MAAM,YAAgC,EAAE;AACxC,QAAK,MAAM,KAAK,SACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EACrD,WAAW,EAAE,KACd,CAAC,CACH;AACH,QAAK,MAAM,KAAK,SACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EACrD,WAAW,EAAE,KACd,CAAC,CACH;AACH,QAAK,MAAM,KAAK,KACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW,EAAE,OAAO,EAAE,KAAK,CAAC,CACrE;AACH,QAAK,MAAM,KAAK,QACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EACpD,UAAU,EAAE,KACb,CAAC,CACH;AACH,QAAK,MAAM,KAAK,SACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EACrD,WAAW,EAAE,KACd,CAAC,CACH;AACH,QAAK,MAAM,KAAK,MACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,YAAY,EAClD,QAAQ,EAAE,KACX,CAAC,CACH;AACH,SAAM,QAAQ,IAAI,UAAU;AAC5B,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,YAAY,EAAE,QAAQ,CAAC;;EAExE;CAED,MAAM,UAAU;EACd,SAAS,OAAO,QAAwB;GACtC,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,OAAI,aAAa,KAAM,QAAO;GAC9B,MAAM,GAAG,aAAa,SAAS,QAAQ,MAAM,wBAAwB;AACrE,UAAO;;EAET,YAAY,OACV,KACA,SACG,uBAAuB,KAAK,KAAK;EACtC,KAAK,OAAO,KAAuB,cAAsB;AACvD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,gBAAgB,EAChE,WACD,CAAC;;EAEJ,MAAM,OAAO,KAAuB,SAA6B;AAC/D,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,mBAAmB,EACnE,QAAQ,KAAK,QACd,CAAC;;EAEL;CAED,MAAM,UAAU;EACd,QAAQ,OACN,KACA,SACG;AACH,UAAO,MAAM,iCAAiC,KAAK,KAAK;;EAE1D,KAAK,OACH,KACA,SACG;GACH,MAAM,SAAS,MAAM,mCAAmC,KAAK,KAAK;AAClE,OAAI,OAAO,WAAW,SACpB,OAAM,IAAI,UAAU,qBAAqB,OAAO,CAAC,eAAe;AAElE,UAAO;;EAET,QAAQ,OACN,KACA,SACkB;AAClB,UAAO,MAAM,kBAAkB,KAAK,KAAK;;EAE3C,QAAQ,OAAO,KAAmB,cAAqC;GACrE,MAAM,MAAM,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,gBAAgB,EACrE,WACD,CAAC;AACF,OAAI,QAAQ,KACV,OAAM,IAAI,UACR,qBACA,qBACD,CAAC,eAAe;AAMnB,QAJqB,MAAM,IAAI,SAC7B,OAAO,UAAU,OAAO,mBACxB,EAAE,QAAS,IAAY,QAAQ,CAChC,EACe,UAAU,EACxB,OAAM,IAAI,UACR,sBACA,mEACD,CAAC,eAAe;AAEnB,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EAC3D,WACD,CAAC;;EAEJ,cAAc,OAAO,KAAuB,SAA6B;AACvE,UAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,qBACxB,KACD;;EAEH,eAAe,OACb,KACA,WACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,mBAAmB;IAC/D;IACA,MAAM,EAAE,MAAM;IACf,CAAC;;EAEJ,eAAe,OAAO,KAAmB,cAAsB;AAC7D,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EAC3D,WACD,CAAC;;EAEJ,WAAW,OAAO,KAAuB,SAA6B;AACpE,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,kBAAkB,KAAK;;EAE3E,YAAY,OAAO,KAAmB,WAAmB;AACvD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,YAAY,EAAE,QAAQ,CAAC;;EAExE;CAED,MAAM,WAAW,EACf,QAAQ,OACN,KACA,gBACA,SAIG;EACH,MAAM,SAAS,MAAM,WACnB,cAAc,CAAC,IAAI,EACnB,oBAAoB,eAAe,EACnC,MAIA;GAAE,gBAAgB;GAAO,qBAAqB;GAAM,CACrD;AACD,SAAO,OAAO,SAAS,aACnB,OAAO,aAAa,OAClB;GACE,QAAQ,OAAO,SAAS;GACxB,WAAW,OAAO,SAAS;GAC5B,GACD,OACF;IAEP;CAED,MAAM,QAAQ;EACZ,QAAQ,OACN,KACA,SAQoB;AACpB,UAAQ,MAAM,IAAI,YAChB,OAAO,UAAU,OAAO,aACxB,KACD;;EAEH,KAAK,OAAO,KAAuB,YAAoB;AACrD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,UAAU,EAAE,SAAS,CAAC;;EAE1E,MAAM,OACJ,KACA,SAeG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW;IAC3D,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAEJ,QAAQ,OACN,KACA,SACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,aAAa;IACzD;IACA;IACD,CAAC;;EAEJ,QAAQ,OAAO,KAAmB,YAAoB;AACpD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,aAAa,EAAE,SAAS,CAAC;;EAEzE,WAAW,OACT,KACA,SACG;GACH,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,YAAY,GAAG,CAAC;GAC7D,MAAM,0BAAU,IAAI,KAAa;GACjC,MAAM,YAAmB,EAAE;GAC3B,IAAI,gBAAgB;GACpB,IAAI,kBAAkB;GACtB,IAAI,iBAAqC,KAAK;GAC9C,IAAI,QAAQ;GACZ,IAAI,UAAU;AACd,UAAO,mBAAmB,QAAW;AACnC,QAAI,QAAQ,UAAU;AACpB,uBAAkB;AAClB;;AAEF,QAAI,QAAQ,IAAI,eAAe,EAAE;AAC/B,qBAAgB;AAChB;;AAEF,YAAQ,IAAI,eAAe;IAC3B,MAAM,MAAM,MAAM,MAAM,IAAI,KAAK,eAAe;AAChD,QAAI,QAAQ,KAAM;AAClB,QAAI,SAAS;AACX,eAAU;AACV,SAAI,KAAK,YAAa,WAAU,KAAK,IAAI;AACzC,sBAAiB,IAAI;AACrB,cAAS;AACT;;AAEF,cAAU,KAAK,IAAI;AACnB,qBAAiB,IAAI;AACrB,aAAS;;AAEX,UAAO;IAAE;IAAW;IAAe;IAAiB;;EAEvD;CAED,MAAM,SAAS;EACb,KAAK,OACH,KACA,SAOoB;AACpB,UAAQ,MAAM,IAAI,YAChB,OAAO,UAAU,OAAO,WACxB,KACD;;EAEH,KAAK,OAAO,KAAuB,aAAqB;AACtD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW,EAC3D,UACD,CAAC;;EAEJ,mBAAmB,OACjB,KACA,SACG;AACH,UAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,yBACxB,KACD;;EAEH,MAAM,OACJ,KACA,SAYG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY;IAC5D,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAEJ,QAAQ,OAAO,KAAmB,aAAqB;AACrD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EAAE,UAAU,CAAC;;EAE3E,QAAQ,OACN,KACA,UACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc;IAC1D;IACA;IACD,CAAC;;EAEJ,SAAS,OACP,KACA,SAMG;GACH,MAAM,aACJ,KAAK,UAAU,UAAa,KAAK,MAAM,SAAS,IAC5C,IAAI,IAAI,KAAK,MAAM,GACnB;GACN,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,YAAY,GAAG,CAAC;GAC7D,MAAM,0BAAU,IAAI,KAAa;GACjC,MAAM,oBAA8B,EAAE;GACtC,IAAI,iBAAqC,KAAK;GAC9C,IAAI,QAAQ;GACZ,IAAI,gBAAgB;GACpB,IAAI,kBAAkB;AACtB,UAAO,mBAAmB,QAAW;AACnC,QAAI,QAAQ,UAAU;AACpB,uBAAkB;AAClB;;AAEF,QAAI,QAAQ,IAAI,eAAe,EAAE;AAC/B,qBAAgB;AAChB;;AAEF,YAAQ,IAAI,eAAe;AAC3B,sBAAkB,KAAK,eAAe;IACtC,MAAM,aAAa,MAAM,OAAO,kBAAkB,KAAK;KACrD,QAAQ,KAAK;KACb,SAAS;KACV,CAAC;AACF,QACE,eAAe,SACd,eAAe,QAAQ,WAAW,IAAI,WAAW,KAAK,EAEvD,QAAO;KACL,kBAAkB,KAAK;KACvB,gBAAgB;KAChB;KACA;KACA,UAAU,UAAU;KACpB,aAAa,QAAQ;KACrB;KACA,eAAe;KACf,iBAAiB;KAClB;IAEH,MAAM,MAAM,MAAM,MAAM,IAAI,KAAK,eAAe;AAChD,QAAI,QAAQ,QAAQ,IAAI,kBAAkB,OAAW;AACrD,qBAAiB,IAAI;AACrB,aAAS;;AAEX,UAAO;IACL,kBAAkB,KAAK;IACvB,gBAAgB;IAChB,YAAY;IACZ,OAAO;IACP,UAAU;IACV,aAAa;IACb;IACA;IACA;IACD;;EAEH,SAAS,OACP,KACA,SAMG;GACH,MAAM,SAAS,MAAM,OAAO,QAAQ,KAAK,KAAK;AAC9C,OAAI,OAAO,eAAe,KACxB,OAAM,IAAI,UACR,aACA,QAAQ,KAAK,OAAO,8BAA8B,KAAK,QAAQ,oBAChE,CAAC,eAAe;AAEnB,UAAO;IACL,YAAY,OAAO;IACnB,gBAAgB,OAAO;IACvB,UAAU,OAAO;IACjB,aAAa,OAAO;IACpB,OAAO,OAAO;IACf;;EAEJ;CAED,MAAM,SAAS;EACb,QAAQ,OACN,KACA,SAQiD;GACjD,MAAM,QAAQ,qBACZ,mBACA,oBACD;GACD,MAAM,YAAY,MAAM,OAAO,MAAM;AAKrC,UAAO;IAAE,UAJS,MAAM,IAAI,YAC1B,OAAO,UAAU,OAAO,cACxB;KAAE,GAAG;KAAM;KAAW,QAAQ;KAAW,CAC1C;IACkB;IAAO;;EAE5B,KAAK,OAAO,KAAuB,aAAqB;AACtD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW,EAC3D,UACD,CAAC;;EAEJ,OAAO;GACL,KAAK,OAAO,KAAuB,UAAkB;IACnD,MAAM,YAAY,MAAM,OAAO,MAAM;AACrC,WAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,sBACxB,EAAE,WAAW,CACd;;GAEH,QAAQ,OACN,KACA,SACG;IACH,MAAM,YAAY,MAAM,OAAO,KAAK,MAAM;AAC1C,WAAO,MAAM,IAAI,YACf,OAAO,UAAU,OAAO,qBACxB;KAAE;KAAW,kBAAkB,KAAK;KAAkB,CACvD;;GAEJ;EACD,MAAM,OACJ,KACA,SAoBG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY;IAC5D,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAEJ,QAAQ,OACN,KACA,UACA,qBACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc;IAC1D;IACA,GAAI,mBAAmB,EAAE,kBAAkB,GAAG,EAAE;IACjD,CAAC;;EAEJ,QAAQ,OAAO,KAAmB,aAAqB;AACrD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EAAE,UAAU,CAAC;;EAE5E;CAED,MAAM,MAAM;EACV,QAAQ,OACN,KACA,SAQ4C;GAC5C,MAAM,EAAE,KAAK,WAAW,kBAAkB,MAAM,eAAe,MAAM;AAWrE,UAAO;IAAE,OAVM,MAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;KACtE,QAAQ,KAAK;KACb,QAAQ;KACR;KACA,MAAM,KAAK;KACX,QAAQ,KAAK;KACb,WAAW,KAAK;KAChB,WAAW,KAAK;KAChB,UAAU,KAAK;KAChB,CAAC;IACc;IAAK;;EAEvB,QAAQ,OACN,KACA,WACqE;GACrE,MAAM,YAAY,MAAM,WAAW,OAAO;GAC1C,MAAM,MAAO,MAAM,IAAI,SACrB,OAAO,UAAU,OAAO,mBACxB,EAAE,WAAW,CACd;AACD,UAAO,GAAG,IACR,GAAG,IAAI,aAAa;AAClB,WAAO,GAAG,MAAM,CAAC,KAAK,GAAG,KAAK,IAAI,UAAU,kBAAkB,CAAC,CAAC;IAChE,MAAM,IAAI;AACV,WAAO,GAAG,MAAM,EAAE,SAAS,GAAG,KAAK,IAAI,UAAU,kBAAkB,CAAC,CAAC;AACrE,WAAO,GAAG,MACR,CAAC,EAAE,EAAE,aAAa,EAAE,YAAY,KAAK,KAAK,GAC1C,GAAG,KAAK,IAAI,UAAU,kBAAkB,CAAC,CAC1C;IACD,MAAM,YAAqC,EAAE,YAAY,KAAK,KAAK,EAAE;AACrE,QAAI,EAAE,WAAW;KACf,MAAM,EAAE,SAAS,aAAa,kBAC5B,EAAE,WACF,EAAE,kBAAkB,OACrB;AACD,YAAO,GAAG,MACR,SACA,GAAG,KAAK,IAAI,UAAU,uBAAuB,CAAC,CAC/C;AACD,eAAU,iBAAiB;;AAE7B,WAAO,GAAG,cACR,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;KAChD,OAAO,EAAE;KACT,MAAM;KACP,CAAC,CACH;AACD,WAAO;KACL,QAAQ,EAAE;KACV,OAAO,EAAE;KACT,QAAQ,kBAAkB,EAAE,OAAO;KACpC;KACD,CAAC,KAAK,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CACxD;;EAEH,MAAM,OACJ,KACA,SAiBG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,SAAS;IACzD,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAEJ,KAAK,OACH,KACA,UAC2B;AAC3B,UAAQ,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY,EAC7D,OACD,CAAC;;EAEJ,QAAQ,OACN,KACA,OACA,SAKG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;IAAE;IAAO;IAAM,CAAC;;EAE1E,QAAQ,OAAO,KAAmB,UAAkB;AAClD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;IACtD;IACA,MAAM,EAAE,SAAS,MAAM;IACxB,CAAC;;EAEJ,QAAQ,OAAO,KAAmB,UAAkB;AAClD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW,EAAE,OAAO,CAAC;;EAErE,QAAQ,OACN,KACA,OACA,SAC4C;GAC5C,MAAM,WAAW,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY,EACtE,OACD,CAAC;AACF,OAAI,CAAC,SACH,OAAM,IAAI,UACR,sBACA,qBACD,CAAC,eAAe;AACnB,OAAK,SAAiB,YAAY,KAChC,OAAM,IAAI,UACR,mBACA,+CACD,CAAC,eAAe;AAEnB,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;IACtD;IACA,MAAM,EAAE,SAAS,MAAM;IACxB,CAAC;AACF,UAAO,MAAM,IAAI,OAAO,KAAK;IAC3B,QAAS,SAAiB;IAC1B,MAAM,MAAM,QAAS,SAAiB;IACtC,QAAS,SAAiB,UAAU,EAAE;IACtC,WAAY,SAAiB;IAC7B,WAAW,MAAM;IACjB,UAAW,SAAiB;IAC7B,CAAC;;EAEL;AAED,QAAO;EAAE;EAAM;EAAS;EAAS;EAAU;EAAO;EAAQ;EAAQ;EAAK"}