npm - @selvajs/local-provider - Versions diffs - 0.11.0 - Mend

@selvajs/local-provider 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/LICENSE +21 -0
package/README.md +123 -0
package/dist/auth/LocalAuthProvider.d.ts +28 -0
package/dist/auth/LocalAuthProvider.d.ts.map +1 -0
package/dist/auth/LocalAuthProvider.js +142 -0
package/dist/auth/LocalAuthProvider.js.map +1 -0
package/dist/auth/__tests__/conformance.test.d.ts +2 -0
package/dist/auth/__tests__/conformance.test.d.ts.map +1 -0
package/dist/auth/__tests__/conformance.test.js +36 -0
package/dist/auth/__tests__/conformance.test.js.map +1 -0
package/dist/auth/hmac.d.ts +18 -0
package/dist/auth/hmac.d.ts.map +1 -0
package/dist/auth/hmac.js +41 -0
package/dist/auth/hmac.js.map +1 -0
package/dist/auth/index.d.ts +6 -0
package/dist/auth/index.d.ts.map +1 -0
package/dist/auth/index.js +4 -0
package/dist/auth/index.js.map +1 -0
package/dist/auth/users.d.ts +38 -0
package/dist/auth/users.d.ts.map +1 -0
package/dist/auth/users.js +100 -0
package/dist/auth/users.js.map +1 -0
package/dist/compute/FilesystemComputeProvider.d.ts +16 -0
package/dist/compute/FilesystemComputeProvider.d.ts.map +1 -0
package/dist/compute/FilesystemComputeProvider.js +51 -0
package/dist/compute/FilesystemComputeProvider.js.map +1 -0
package/dist/compute/SingleComputeServerProvider.d.ts +15 -0
package/dist/compute/SingleComputeServerProvider.d.ts.map +1 -0
package/dist/compute/SingleComputeServerProvider.js +26 -0
package/dist/compute/SingleComputeServerProvider.js.map +1 -0
package/dist/compute/types.d.ts +30 -0
package/dist/compute/types.d.ts.map +1 -0
package/dist/compute/types.js +2 -0
package/dist/compute/types.js.map +1 -0
package/dist/computeServer/FilesystemComputeServerStore.d.ts +14 -0
package/dist/computeServer/FilesystemComputeServerStore.d.ts.map +1 -0
package/dist/computeServer/FilesystemComputeServerStore.js +35 -0
package/dist/computeServer/FilesystemComputeServerStore.js.map +1 -0
package/dist/computeServer/LocalComputeServerProvider.d.ts +18 -0
package/dist/computeServer/LocalComputeServerProvider.d.ts.map +1 -0
package/dist/computeServer/LocalComputeServerProvider.js +29 -0
package/dist/computeServer/LocalComputeServerProvider.js.map +1 -0
package/dist/computeServer/__tests__/conformance.test.d.ts +2 -0
package/dist/computeServer/__tests__/conformance.test.d.ts.map +1 -0
package/dist/computeServer/__tests__/conformance.test.js +20 -0
package/dist/computeServer/__tests__/conformance.test.js.map +1 -0
package/dist/computeServer/index.d.ts +2 -0
package/dist/computeServer/index.d.ts.map +1 -0
package/dist/computeServer/index.js +2 -0
package/dist/computeServer/index.js.map +1 -0
package/dist/data/LocalComputeServerStore.d.ts +72 -0
package/dist/data/LocalComputeServerStore.d.ts.map +1 -0
package/dist/data/LocalComputeServerStore.js +207 -0
package/dist/data/LocalComputeServerStore.js.map +1 -0
package/dist/data/LocalDataProvider.d.ts +47 -0
package/dist/data/LocalDataProvider.d.ts.map +1 -0
package/dist/data/LocalDataProvider.js +118 -0
package/dist/data/LocalDataProvider.js.map +1 -0
package/dist/data/LocalDefinitionMetaProvider.d.ts +22 -0
package/dist/data/LocalDefinitionMetaProvider.d.ts.map +1 -0
package/dist/data/LocalDefinitionMetaProvider.js +131 -0
package/dist/data/LocalDefinitionMetaProvider.js.map +1 -0
package/dist/data/LocalDefinitionStore.d.ts +33 -0
package/dist/data/LocalDefinitionStore.d.ts.map +1 -0
package/dist/data/LocalDefinitionStore.js +274 -0
package/dist/data/LocalDefinitionStore.js.map +1 -0
package/dist/data/LocalInviteStore.d.ts +23 -0
package/dist/data/LocalInviteStore.d.ts.map +1 -0
package/dist/data/LocalInviteStore.js +98 -0
package/dist/data/LocalInviteStore.js.map +1 -0
package/dist/data/LocalOrgStore.d.ts +67 -0
package/dist/data/LocalOrgStore.d.ts.map +1 -0
package/dist/data/LocalOrgStore.js +255 -0
package/dist/data/LocalOrgStore.js.map +1 -0
package/dist/data/LocalPlatformProjectGrantStore.d.ts +14 -0
package/dist/data/LocalPlatformProjectGrantStore.d.ts.map +1 -0
package/dist/data/LocalPlatformProjectGrantStore.js +62 -0
package/dist/data/LocalPlatformProjectGrantStore.js.map +1 -0
package/dist/data/LocalProjectStore.d.ts +30 -0
package/dist/data/LocalProjectStore.d.ts.map +1 -0
package/dist/data/LocalProjectStore.js +171 -0
package/dist/data/LocalProjectStore.js.map +1 -0
package/dist/data/LocalShareLinkStore.d.ts +39 -0
package/dist/data/LocalShareLinkStore.d.ts.map +1 -0
package/dist/data/LocalShareLinkStore.js +108 -0
package/dist/data/LocalShareLinkStore.js.map +1 -0
package/dist/data/__tests__/LocalDefinitionMetaProvider.test.d.ts +2 -0
package/dist/data/__tests__/LocalDefinitionMetaProvider.test.d.ts.map +1 -0
package/dist/data/__tests__/LocalDefinitionMetaProvider.test.js +21 -0
package/dist/data/__tests__/LocalDefinitionMetaProvider.test.js.map +1 -0
package/dist/data/__tests__/cascade.test.d.ts +2 -0
package/dist/data/__tests__/cascade.test.d.ts.map +1 -0
package/dist/data/__tests__/cascade.test.js +265 -0
package/dist/data/__tests__/cascade.test.js.map +1 -0
package/dist/data/__tests__/compute-server-conformance.test.d.ts +2 -0
package/dist/data/__tests__/compute-server-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/compute-server-conformance.test.js +21 -0
package/dist/data/__tests__/compute-server-conformance.test.js.map +1 -0
package/dist/data/__tests__/compute-server-encryption.test.d.ts +2 -0
package/dist/data/__tests__/compute-server-encryption.test.d.ts.map +1 -0
package/dist/data/__tests__/compute-server-encryption.test.js +131 -0
package/dist/data/__tests__/compute-server-encryption.test.js.map +1 -0
package/dist/data/__tests__/definition-conformance.test.d.ts +2 -0
package/dist/data/__tests__/definition-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/definition-conformance.test.js +20 -0
package/dist/data/__tests__/definition-conformance.test.js.map +1 -0
package/dist/data/__tests__/event-sink-conformance.test.d.ts +2 -0
package/dist/data/__tests__/event-sink-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/event-sink-conformance.test.js +24 -0
package/dist/data/__tests__/event-sink-conformance.test.js.map +1 -0
package/dist/data/__tests__/invite-conformance.test.d.ts +2 -0
package/dist/data/__tests__/invite-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/invite-conformance.test.js +21 -0
package/dist/data/__tests__/invite-conformance.test.js.map +1 -0
package/dist/data/__tests__/org-conformance.test.d.ts +2 -0
package/dist/data/__tests__/org-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/org-conformance.test.js +36 -0
package/dist/data/__tests__/org-conformance.test.js.map +1 -0
package/dist/data/__tests__/platform-project-grant-conformance.test.d.ts +2 -0
package/dist/data/__tests__/platform-project-grant-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/platform-project-grant-conformance.test.js +20 -0
package/dist/data/__tests__/platform-project-grant-conformance.test.js.map +1 -0
package/dist/data/__tests__/project-conformance.test.d.ts +2 -0
package/dist/data/__tests__/project-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/project-conformance.test.js +53 -0
package/dist/data/__tests__/project-conformance.test.js.map +1 -0
package/dist/data/__tests__/rules.test.d.ts +2 -0
package/dist/data/__tests__/rules.test.d.ts.map +1 -0
package/dist/data/__tests__/rules.test.js +484 -0
package/dist/data/__tests__/rules.test.js.map +1 -0
package/dist/data/__tests__/share-link-conformance.test.d.ts +2 -0
package/dist/data/__tests__/share-link-conformance.test.d.ts.map +1 -0
package/dist/data/__tests__/share-link-conformance.test.js +20 -0
package/dist/data/__tests__/share-link-conformance.test.js.map +1 -0
package/dist/data/fsJson.d.ts +12 -0
package/dist/data/fsJson.d.ts.map +1 -0
package/dist/data/fsJson.js +29 -0
package/dist/data/fsJson.js.map +1 -0
package/dist/data/index.d.ts +13 -0
package/dist/data/index.d.ts.map +1 -0
package/dist/data/index.js +9 -0
package/dist/data/index.js.map +1 -0
package/dist/data/pagination.d.ts +15 -0
package/dist/data/pagination.d.ts.map +1 -0
package/dist/data/pagination.js +36 -0
package/dist/data/pagination.js.map +1 -0
package/dist/data/secretCrypto.d.ts +23 -0
package/dist/data/secretCrypto.d.ts.map +1 -0
package/dist/data/secretCrypto.js +64 -0
package/dist/data/secretCrypto.js.map +1 -0
package/dist/data/userData.d.ts +40 -0
package/dist/data/userData.d.ts.map +1 -0
package/dist/data/userData.js +84 -0
package/dist/data/userData.js.map +1 -0
package/dist/definitions/LocalDefinitionMetaProvider.d.ts +27 -0
package/dist/definitions/LocalDefinitionMetaProvider.d.ts.map +1 -0
package/dist/definitions/LocalDefinitionMetaProvider.js +188 -0
package/dist/definitions/LocalDefinitionMetaProvider.js.map +1 -0
package/dist/definitions/__tests__/conformance.test.d.ts +2 -0
package/dist/definitions/__tests__/conformance.test.d.ts.map +1 -0
package/dist/definitions/__tests__/conformance.test.js +20 -0
package/dist/definitions/__tests__/conformance.test.js.map +1 -0
package/dist/definitions/index.d.ts +2 -0
package/dist/definitions/index.d.ts.map +1 -0
package/dist/definitions/index.js +2 -0
package/dist/definitions/index.js.map +1 -0
package/dist/definitions/providers/filesystem-files.d.ts +24 -0
package/dist/definitions/providers/filesystem-files.d.ts.map +1 -0
package/dist/definitions/providers/filesystem-files.js +170 -0
package/dist/definitions/providers/filesystem-files.js.map +1 -0
package/dist/definitions/providers/filesystem-meta.d.ts +17 -0
package/dist/definitions/providers/filesystem-meta.d.ts.map +1 -0
package/dist/definitions/providers/filesystem-meta.js +216 -0
package/dist/definitions/providers/filesystem-meta.js.map +1 -0
package/dist/fsJson.d.ts +12 -0
package/dist/fsJson.d.ts.map +1 -0
package/dist/fsJson.js +29 -0
package/dist/fsJson.js.map +1 -0
package/dist/index.d.ts +13 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +16 -0
package/dist/index.js.map +1 -0
package/dist/invites/LocalInviteProvider.d.ts +24 -0
package/dist/invites/LocalInviteProvider.d.ts.map +1 -0
package/dist/invites/LocalInviteProvider.js +89 -0
package/dist/invites/LocalInviteProvider.js.map +1 -0
package/dist/invites/__tests__/conformance.test.d.ts +2 -0
package/dist/invites/__tests__/conformance.test.d.ts.map +1 -0
package/dist/invites/__tests__/conformance.test.js +21 -0
package/dist/invites/__tests__/conformance.test.js.map +1 -0
package/dist/organizations/LocalOrganizationProvider.d.ts +41 -0
package/dist/organizations/LocalOrganizationProvider.d.ts.map +1 -0
package/dist/organizations/LocalOrganizationProvider.js +198 -0
package/dist/organizations/LocalOrganizationProvider.js.map +1 -0
package/dist/organizations/__tests__/conformance.test.d.ts +2 -0
package/dist/organizations/__tests__/conformance.test.d.ts.map +1 -0
package/dist/organizations/__tests__/conformance.test.js +20 -0
package/dist/organizations/__tests__/conformance.test.js.map +1 -0
package/dist/organizations/index.d.ts +2 -0
package/dist/organizations/index.d.ts.map +1 -0
package/dist/organizations/index.js +2 -0
package/dist/organizations/index.js.map +1 -0
package/dist/pagination.d.ts +15 -0
package/dist/pagination.d.ts.map +1 -0
package/dist/pagination.js +36 -0
package/dist/pagination.js.map +1 -0
package/dist/permissions/LocalPlatformPermissionStore.d.ts +39 -0
package/dist/permissions/LocalPlatformPermissionStore.d.ts.map +1 -0
package/dist/permissions/LocalPlatformPermissionStore.js +117 -0
package/dist/permissions/LocalPlatformPermissionStore.js.map +1 -0
package/dist/permissions/__tests__/conformance.test.d.ts +2 -0
package/dist/permissions/__tests__/conformance.test.d.ts.map +1 -0
package/dist/permissions/__tests__/conformance.test.js +37 -0
package/dist/permissions/__tests__/conformance.test.js.map +1 -0
package/dist/permissions/index.d.ts +2 -0
package/dist/permissions/index.d.ts.map +1 -0
package/dist/permissions/index.js +2 -0
package/dist/permissions/index.js.map +1 -0
package/dist/projects/LocalProjectProvider.d.ts +21 -0
package/dist/projects/LocalProjectProvider.d.ts.map +1 -0
package/dist/projects/LocalProjectProvider.js +125 -0
package/dist/projects/LocalProjectProvider.js.map +1 -0
package/dist/projects/__tests__/conformance.test.d.ts +2 -0
package/dist/projects/__tests__/conformance.test.d.ts.map +1 -0
package/dist/projects/__tests__/conformance.test.js +44 -0
package/dist/projects/__tests__/conformance.test.js.map +1 -0
package/dist/projects/index.d.ts +2 -0
package/dist/projects/index.d.ts.map +1 -0
package/dist/projects/index.js +2 -0
package/dist/projects/index.js.map +1 -0
package/dist/storage/LocalStorageProvider.d.ts +27 -0
package/dist/storage/LocalStorageProvider.d.ts.map +1 -0
package/dist/storage/LocalStorageProvider.js +74 -0
package/dist/storage/LocalStorageProvider.js.map +1 -0
package/dist/storage/__tests__/conformance.test.d.ts +2 -0
package/dist/storage/__tests__/conformance.test.d.ts.map +1 -0
package/dist/storage/__tests__/conformance.test.js +20 -0
package/dist/storage/__tests__/conformance.test.js.map +1 -0
package/dist/storage/index.d.ts +2 -0
package/dist/storage/index.d.ts.map +1 -0
package/dist/storage/index.js +2 -0
package/dist/storage/index.js.map +1 -0
package/dist/userProfile/LocalUserProfileProvider.d.ts +25 -0
package/dist/userProfile/LocalUserProfileProvider.d.ts.map +1 -0
package/dist/userProfile/LocalUserProfileProvider.js +110 -0
package/dist/userProfile/LocalUserProfileProvider.js.map +1 -0
package/dist/userProfile/__tests__/conformance.test.d.ts +2 -0
package/dist/userProfile/__tests__/conformance.test.d.ts.map +1 -0
package/dist/userProfile/__tests__/conformance.test.js +40 -0
package/dist/userProfile/__tests__/conformance.test.js.map +1 -0
package/dist/userProfile/index.d.ts +2 -0
package/dist/userProfile/index.d.ts.map +1 -0
package/dist/userProfile/index.js +2 -0
package/dist/userProfile/index.js.map +1 -0
package/package.json +70 -0
package/src/README.md +37 -0
package/src/auth/LocalAuthProvider.ts +165 -0
package/src/auth/__tests__/conformance.test.ts +40 -0
package/src/auth/hmac.ts +53 -0
package/src/auth/index.ts +5 -0
package/src/auth/users.ts +151 -0
package/src/data/LocalComputeServerStore.ts +290 -0
package/src/data/LocalDataProvider.ts +148 -0
package/src/data/LocalDefinitionStore.ts +369 -0
package/src/data/LocalInviteStore.ts +117 -0
package/src/data/LocalOrgStore.ts +356 -0
package/src/data/LocalPlatformProjectGrantStore.ts +85 -0
package/src/data/LocalProjectStore.ts +274 -0
package/src/data/LocalShareLinkStore.ts +138 -0
package/src/data/__tests__/cascade.test.ts +300 -0
package/src/data/__tests__/compute-server-conformance.test.ts +26 -0
package/src/data/__tests__/compute-server-encryption.test.ts +185 -0
package/src/data/__tests__/definition-conformance.test.ts +23 -0
package/src/data/__tests__/event-sink-conformance.test.ts +28 -0
package/src/data/__tests__/invite-conformance.test.ts +24 -0
package/src/data/__tests__/org-conformance.test.ts +43 -0
package/src/data/__tests__/platform-project-grant-conformance.test.ts +24 -0
package/src/data/__tests__/project-conformance.test.ts +64 -0
package/src/data/__tests__/rules.test.ts +682 -0
package/src/data/__tests__/share-link-conformance.test.ts +23 -0
package/src/data/fsJson.ts +28 -0
package/src/data/index.ts +16 -0
package/src/data/pagination.ts +48 -0
package/src/data/secretCrypto.ts +69 -0
package/src/data/userData.ts +134 -0
package/src/index.ts +42 -0
package/src/permissions/LocalPlatformPermissionStore.ts +129 -0
package/src/permissions/__tests__/conformance.test.ts +40 -0
package/src/permissions/index.ts +1 -0
package/src/storage/LocalStorageProvider.ts +78 -0
package/src/storage/__tests__/conformance.test.ts +23 -0
package/src/storage/index.ts +1 -0
package/src/userProfile/LocalUserProfileProvider.ts +135 -0
package/src/userProfile/__tests__/conformance.test.ts +43 -0
package/src/userProfile/index.ts +1 -0

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2025 Selva FelixBrunold VektorNode
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,123 @@
+# @selvajs/local-provider
+Filesystem + JSON + HMAC implementation of the `@selvajs/platform` interfaces.
+The default provider for development and small single-instance deployments. All state — users, orgs, projects, definitions, compute config, uploaded `.gh` files — lives under one directory on disk. No database, no external services.
+For production-scale or multi-instance deployments, use [`@selvajs/supabase-provider`](../supabase/README.md) instead.
+---
+## Table of contents
+- [When to use this provider](#when-to-use-this-provider)
+- [Environment variables](#environment-variables)
+- [On-disk layout](#on-disk-layout)
+- [Wiring into `selva.config.ts`](#wiring-into-selvaconfigts)
+- [Architecture notes](#architecture-notes)
+---
+## When to use this provider
+Pick local when:
+- You're developing or evaluating Selva
+- You're running a single-tenant, single-instance deployment (one VM, PM2)
+- You want zero external dependencies — no DB, no S3
+- You're OK with simple file-based backups (`tar` the data dir)
+Pick [Supabase](../supabase/README.md) when:
+- You need multiple selva app instances behind a load balancer
+- You want managed auth (password reset, MFA, OAuth)
+- You want managed Postgres + storage with backups + RLS
+- You need atomic counters across processes
+---
+## Environment variables
+All env vars are documented in [`packages/selva/.env.example`](../../selva/.env.example) — copy that file to `.env` and edit it. The local provider reads `DATA_PATH`, `SELVA_HMAC_KEY` (signs sessions + tokens), and `SELVA_AT_REST_KEY` (encrypts the Rhino.Compute API key on disk) from there.
+The first admin user is created through the in-app setup page on first boot — there is no env-var fallback login.
+Rhino.Compute server URL + API key are configured in `/admin/compute` and persisted to `compute.config.json` — not env vars.
+---
+## On-disk layout
+```
+$DATA_PATH/
+├── users.json                    # users + hashed passwords + platform permissions
+├── local-org.json                # organizations, projects, and their memberships
+├── definitions-config.json       # definition metadata + version history
+├── share-links.json              # per-definition share tokens (HMAC-hashed)
+├── invites.json                  # pending invite tokens
+├── compute.config.json           # registered Rhino.Compute servers
+└── definitions/                  # uploaded .gh / .ghx + cover images
+    └── <definition-guid>/
+        ├── versions/v{n}.{ext}
+        └── cover.webp
+```
+All JSON files are written atomically (temp file + rename) so a crash mid-write leaves either the old or new file — never a partial. Image uploads are transcoded to WebP (1200px max, quality 85) via `sharp`.
+**Backups:** `tar -czf backup.tar.gz $DATA_PATH`. Restore is the reverse — no schema migrations, no DB to bring up.
+**Caveats:**
+- Not safe across **processes** — no file locking. One selva app instance per data dir.
+- Read-modify-write on JSON files (`incrementRunCount`, etc.) can lose updates under concurrent solves on the same definition. Acceptable for typical single-user workloads; switch to Supabase if you need exact counts under contention.
+---
+## Wiring into `selva.config.ts`
+This is the default config in [`selva.config.ts`](../../../selva.config.ts) at the repo root:
+```ts
+import { defineConfig } from '@selvajs/platform';
+import * as local from '@selvajs/local-provider';
+export default defineConfig((env) => ({
+	tenancy: 'single' as const,
+	flags: {
+		ALLOW_CROSS_ORG_PUBLIC: false,
+		ALLOW_ORG_COMPUTE_OVERRIDE: false,
+		ALLOW_ORG_CREATION: false
+	},
+	auth: local.LocalAuthProvider.fromEnv(env),
+	data: local.LocalDataProvider.fromEnv(env),
+	storage: local.LocalStorageProvider.fromEnv(env)
+}));
+```
+`LocalDataProvider` internally wires every store — orgs, projects, definitions, share-links, invites, compute server, user profile, platform permissions.
+To switch to Supabase, see [`@selvajs/supabase-provider`](../supabase/README.md#wiring-into-selvaconfigts).
+---
+## Architecture notes
+### Auth
+`LocalAuthProvider` issues HMAC-signed session tokens (no JWT library; see [`auth/`](src/auth/)). Tokens carry `{ userId, expiresAt }` and are verified on every request.
+Users live in `users.json` with `PBKDF2-SHA256` password hashes and platform permissions. The first admin is bootstrapped through the in-app setup page on a fresh install.
+### Data
+Each store (`LocalOrgStore`, `LocalProjectStore`, `LocalDefinitionStore`, `LocalInviteStore`, `LocalComputeServerStore`) reads its JSON file fully into memory on each call, mutates, and writes back. Fine at config-scale; not for high-churn data.
+Access control is enforced **in-process** by inspecting `RequestContext.adapterContext` — there's no RLS layer to lean on. Tests for these checks live alongside each store.
+### Storage
+`LocalStorageProvider` writes blobs under `$DATA_PATH/<path>` (e.g. `$DATA_PATH/definitions/<guid>/versions/v1.gh`) — the caller's storage path is appended directly to the data root, with `..` rejected. `getPublicUrl` returns `/api/files/<path>`, which the selva app proxies after an auth check. Image uploads pass through the shared `transcodeImageIfNeeded` helper from `@selvajs/platform/storage` — same WebP output as Supabase.
+### Shared helpers
+`src/fsJson.ts` centralizes the read/atomic-write pattern every store uses. See [src/README.md](src/README.md) for details on the helper API.

package/dist/auth/LocalAuthProvider.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type { IAuthProvider, IPasswordAuth, AuthUser, UserManagementResult, ListOptions, Page } from '@selvajs/platform';
+export interface LocalAuthProviderConfig {
+    /** HMAC signing secret. Pass from env (SELVA_HMAC_KEY). */
+    hmacSecret: string;
+    /**
+     * Absolute path to auth-users.json — identity-only storage. Per-user app
+     * state (permissions, profile, starred defs, recent runs) lives in
+     * `user-data.json`, owned by `LocalDataProvider`. The two files key on
+     * the same user ID and are written independently.
+     */
+    usersFilePath?: string;
+}
+export declare class LocalAuthProvider implements IAuthProvider {
+    private readonly hmacSecret;
+    private readonly users?;
+    readonly name = "Local";
+    readonly passwordAuth: IPasswordAuth;
+    constructor(config: LocalAuthProviderConfig);
+    static fromEnv(env: Record<string, string | undefined>): LocalAuthProvider;
+    /** Verify an HMAC session token and return the live user record. */
+    verifyToken(token: string): Promise<AuthUser | null>;
+    touchLastLogin(id: string): Promise<void>;
+    getUser(id: string): Promise<AuthUser | null>;
+    listUsers(opts?: ListOptions): Promise<Page<AuthUser> | null>;
+    deleteUser(id: string): Promise<UserManagementResult>;
+    disableUser(id: string): Promise<UserManagementResult>;
+}
+//# sourceMappingURL=LocalAuthProvider.d.ts.map

package/dist/auth/LocalAuthProvider.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"LocalAuthProvider.d.ts","sourceRoot":"","sources":["../../src/auth/LocalAuthProvider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACX,aAAa,EACb,aAAa,EACb,QAAQ,EAER,oBAAoB,EACpB,WAAW,EACX,IAAI,EACJ,MAAM,mBAAmB,CAAC;AAqB3B,MAAM,WAAW,uBAAuB;IACvC,2DAA2D;IAC3D,UAAU,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;CACvB;AAuCD,qBAAa,iBAAkB,YAAW,aAAa;IACtD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAqB;IAE5C,QAAQ,CAAC,IAAI,WAAW;IACxB,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC;gBAEzB,MAAM,EAAE,uBAAuB;IAU3C,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,GAAG,iBAAiB;IAS1E,oEAAoE;IAC9D,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAUpD,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAKzC,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAM7C,SAAS,CAAC,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;IAM7D,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAiBrD,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;CAc5D"}

package/dist/auth/LocalAuthProvider.js ADDED Viewed

@@ -0,0 +1,142 @@
+import * as path from 'node:path';
+import { ProviderError } from '@selvajs/platform';
+import { signHmacToken, verifyHmacToken } from './hmac.js';
+import { verifyPasswordHash, createLocalAuthUserStore } from './users.js';
+import { paginate } from '../data/pagination.js';
+const SESSION_MAX_AGE_MS = 8 * 60 * 60 * 1000; // 8 hours
+function toAuthUser(u) {
+    return {
+        id: u.id,
+        email: u.email,
+        createdAt: u.createdAt,
+        lastLoginAt: u.lastLoginAt,
+        disabled: u.disabled
+    };
+}
+class LocalPasswordAuth {
+    users;
+    mintToken;
+    constructor(users, mintToken) {
+        this.users = users;
+        this.mintToken = mintToken;
+    }
+    async verifyLogin(email, password) {
+        if (!this.users)
+            return { kind: 'failed', reason: 'invalid_credentials' };
+        const user = await this.users.findByEmail(email);
+        if (!user)
+            return { kind: 'failed', reason: 'invalid_credentials' };
+        if (user.disabled)
+            return { kind: 'failed', reason: 'disabled' };
+        if (!user.passwordHash || !(await verifyPasswordHash(password, user.passwordHash))) {
+            return { kind: 'failed', reason: 'invalid_credentials' };
+        }
+        await this.users.touchLastLogin(user.id).catch(() => { });
+        const auth = toAuthUser(user);
+        return { kind: 'success', user: auth, sessionToken: this.mintToken(auth) };
+    }
+    async createUserWithPassword(email, password) {
+        if (!this.users) {
+            throw new ProviderError('createUserWithPassword requires a users.json backend (DATA_PATH)', 500);
+        }
+        // Identity-only — platform permissions and the user-data row are seeded
+        // separately via `IDataProvider.ensureUser` + `IPlatformPermissionStore.set`.
+        return toAuthUser(await this.users.createUser(email, password));
+    }
+    async registerUser(email, password) {
+        if (!this.users)
+            return null;
+        return toAuthUser(await this.users.createUser(email, password));
+    }
+}
+export class LocalAuthProvider {
+    hmacSecret;
+    users;
+    name = 'Local';
+    passwordAuth;
+    constructor(config) {
+        this.hmacSecret = config.hmacSecret;
+        if (config.usersFilePath) {
+            this.users = createLocalAuthUserStore(config.usersFilePath);
+        }
+        this.passwordAuth = new LocalPasswordAuth(this.users, (user) => signHmacToken(this.hmacSecret, user.id, SESSION_MAX_AGE_MS));
+    }
+    static fromEnv(env) {
+        const hmacSecret = env.SELVA_HMAC_KEY;
+        if (!hmacSecret)
+            throw new Error('Missing required env var: SELVA_HMAC_KEY');
+        return new LocalAuthProvider({
+            hmacSecret,
+            usersFilePath: env.DATA_PATH ? path.join(env.DATA_PATH, 'auth-users.json') : undefined
+        });
+    }
+    /** Verify an HMAC session token and return the live user record. */
+    async verifyToken(token) {
+        const { valid, userId } = verifyHmacToken(token, this.hmacSecret);
+        if (!valid)
+            return null;
+        if (!this.users)
+            return null;
+        const u = await this.users.findById(userId);
+        if (!u || u.disabled)
+            return null;
+        await this.users.touchLastLogin(u.id).catch(() => { });
+        return toAuthUser(u);
+    }
+    async touchLastLogin(id) {
+        if (!this.users)
+            return;
+        await this.users.touchLastLogin(id);
+    }
+    async getUser(id) {
+        if (!this.users)
+            return null;
+        const u = await this.users.findById(id);
+        return u ? toAuthUser(u) : null;
+    }
+    async listUsers(opts) {
+        if (!this.users)
+            return null;
+        const users = await this.users.listUsers();
+        return paginate(users.map(toAuthUser), opts);
+    }
+    async deleteUser(id) {
+        // Identity-only delete. The §2 sole-`instance_admin` invariant is
+        // enforced by the caller via `IPlatformPermissionStore.countInstanceAdminsExcluding`
+        // before this method is called. The caller is also responsible for
+        // removing the user-data row via `LocalDataProvider`'s cascade hook.
+        if (!this.users)
+            return 'not_supported';
+        const target = await this.users.findById(id);
+        if (!target)
+            return 'not_found';
+        try {
+            await this.users.deleteUser(id);
+            return 'ok';
+        }
+        catch (err) {
+            if (err instanceof ProviderError && err.statusCode === 404)
+                return 'not_found';
+            throw err;
+        }
+    }
+    async disableUser(id) {
+        // Identity-only disable. The §2 sole-`instance_admin` invariant is
+        // enforced by the caller, same as `deleteUser`.
+        if (!this.users)
+            return 'not_supported';
+        const target = await this.users.findById(id);
+        if (!target)
+            return 'not_found';
+        try {
+            await this.users.setDisabled(id, true);
+            return 'ok';
+        }
+        catch (err) {
+            if (err instanceof ProviderError && err.statusCode === 404)
+                return 'not_found';
+            throw err;
+        }
+    }
+}
+//# sourceMappingURL=LocalAuthProvider.js.map

package/dist/auth/LocalAuthProvider.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"LocalAuthProvider.js","sourceRoot":"","sources":["../../src/auth/LocalAuthProvider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAUlC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAE1E,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAEjD,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;AAEzD,SAAS,UAAU,CAClB,CAAkF;IAElF,OAAO;QACN,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,WAAW,EAAE,CAAC,CAAC,WAAW;QAC1B,QAAQ,EAAE,CAAC,CAAC,QAAQ;KACpB,CAAC;AACH,CAAC;AAcD,MAAM,iBAAiB;IAEJ;IACA;IAFlB,YACkB,KAAqC,EACrC,SAAqC;QADrC,UAAK,GAAL,KAAK,CAAgC;QACrC,cAAS,GAAT,SAAS,CAA4B;IACpD,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,QAAgB;QAChD,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;QAC1E,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;QACpE,IAAI,IAAI,CAAC,QAAQ;YAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;QACjE,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,CAAC,MAAM,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;YACpF,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;QAC1D,CAAC;QACD,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACzD,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;QAC9B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;IAC5E,CAAC;IAED,KAAK,CAAC,sBAAsB,CAAC,KAAa,EAAE,QAAgB;QAC3D,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YACjB,MAAM,IAAI,aAAa,CACtB,kEAAkE,EAClE,GAAG,CACH,CAAC;QACH,CAAC;QACD,wEAAwE;QACxE,8EAA8E;QAC9E,OAAO,UAAU,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAAa,EAAE,QAAgB;QACjD,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAC7B,OAAO,UAAU,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjE,CAAC;CACD;AAED,MAAM,OAAO,iBAAiB;IACZ,UAAU,CAAS;IACnB,KAAK,CAAsB;IAEnC,IAAI,GAAG,OAAO,CAAC;IACf,YAAY,CAAgB;IAErC,YAAY,MAA+B;QAC1C,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;QACpC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YAC1B,IAAI,CAAC,KAAK,GAAG,wBAAwB,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,CAAC,YAAY,GAAG,IAAI,iBAAiB,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAC9D,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE,EAAE,kBAAkB,CAAC,CAC3D,CAAC;IACH,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,GAAuC;QACrD,MAAM,UAAU,GAAG,GAAG,CAAC,cAAc,CAAC;QACtC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC7E,OAAO,IAAI,iBAAiB,CAAC;YAC5B,UAAU;YACV,aAAa,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC,SAAS;SACtF,CAAC,CAAC;IACJ,CAAC;IAED,oEAAoE;IACpE,KAAK,CAAC,WAAW,CAAC,KAAa;QAC9B,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAClE,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAC7B,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAClC,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACtD,OAAO,UAAU,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,EAAU;QAC9B,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO;QACxB,MAAM,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,EAAU;QACvB,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAC7B,MAAM,CAAC,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACxC,OAAO,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,IAAkB;QACjC,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAC7B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QAC3C,OAAO,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,IAAI,CAAC,CAAC;IAC9C,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,EAAU;QAC1B,kEAAkE;QAClE,qFAAqF;QACrF,mEAAmE;QACnE,qEAAqE;QACrE,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO,eAAe,CAAC;QACxC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC7C,IAAI,CAAC,MAAM;YAAE,OAAO,WAAW,CAAC;QAChC,IAAI,CAAC;YACJ,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YAChC,OAAO,IAAI,CAAC;QACb,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,IAAI,GAAG,YAAY,aAAa,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG;gBAAE,OAAO,WAAW,CAAC;YAC/E,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,EAAU;QAC3B,mEAAmE;QACnE,gDAAgD;QAChD,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO,eAAe,CAAC;QACxC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC7C,IAAI,CAAC,MAAM;YAAE,OAAO,WAAW,CAAC;QAChC,IAAI,CAAC;YACJ,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;YACvC,OAAO,IAAI,CAAC;QACb,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,IAAI,GAAG,YAAY,aAAa,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG;gBAAE,OAAO,WAAW,CAAC;YAC/E,MAAM,GAAG,CAAC;QACX,CAAC;IACF,CAAC;CACD"}

package/dist/auth/__tests__/conformance.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=conformance.test.d.ts.map

package/dist/auth/__tests__/conformance.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"conformance.test.d.ts","sourceRoot":"","sources":["../../../src/auth/__tests__/conformance.test.ts"],"names":[],"mappings":""}

package/dist/auth/__tests__/conformance.test.js ADDED Viewed

@@ -0,0 +1,36 @@
+import { describe, beforeEach, afterEach } from 'vitest';
+import * as fs from 'node:fs/promises';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import { runAuthProviderConformance } from '@selvajs/platform/testing';
+import { LocalAuthProvider } from '../LocalAuthProvider.js';
+const TEST_SECRET = 'test-hmac-secret-for-conformance';
+const ADMIN_EMAIL = 'conformance-admin@example.com';
+const ADMIN_PASSWORD = 'test-admin-password';
+describe('LocalAuthProvider — auth-users.json mode', () => {
+    let tempDir;
+    beforeEach(async () => {
+        tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'selva-auth-test-'));
+    });
+    afterEach(async () => {
+        await fs.rm(tempDir, { recursive: true, force: true });
+    });
+    runAuthProviderConformance({
+        name: 'LocalAuthProvider/auth-users-json',
+        createProvider: async () => {
+            const provider = new LocalAuthProvider({
+                hmacSecret: TEST_SECRET,
+                usersFilePath: path.join(tempDir, 'auth-users.json')
+            });
+            // Idempotent seed — the conformance suite calls createProvider per test,
+            // but a single test may invoke it more than once.
+            const existing = await provider.passwordAuth.verifyLogin(ADMIN_EMAIL, ADMIN_PASSWORD);
+            if (existing.kind !== 'success') {
+                await provider.passwordAuth.createUserWithPassword(ADMIN_EMAIL, ADMIN_PASSWORD);
+            }
+            return { provider, adminEmail: ADMIN_EMAIL, adminPassword: ADMIN_PASSWORD };
+        },
+        userManagement: true
+    });
+});
+//# sourceMappingURL=conformance.test.js.map

package/dist/auth/__tests__/conformance.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"conformance.test.js","sourceRoot":"","sources":["../../../src/auth/__tests__/conformance.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzD,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,0BAA0B,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAE5D,MAAM,WAAW,GAAG,kCAAkC,CAAC;AACvD,MAAM,WAAW,GAAG,+BAA+B,CAAC;AACpD,MAAM,cAAc,GAAG,qBAAqB,CAAC;AAE7C,QAAQ,CAAC,0CAA0C,EAAE,GAAG,EAAE;IACzD,IAAI,OAAe,CAAC;IAEpB,UAAU,CAAC,KAAK,IAAI,EAAE;QACrB,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACpB,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,0BAA0B,CAAC;QAC1B,IAAI,EAAE,mCAAmC;QACzC,cAAc,EAAE,KAAK,IAAI,EAAE;YAC1B,MAAM,QAAQ,GAAG,IAAI,iBAAiB,CAAC;gBACtC,UAAU,EAAE,WAAW;gBACvB,aAAa,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,iBAAiB,CAAC;aACpD,CAAC,CAAC;YACH,yEAAyE;YACzE,kDAAkD;YAClD,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;YACtF,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACjC,MAAM,QAAQ,CAAC,YAAY,CAAC,sBAAsB,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;YACjF,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,CAAC;QAC7E,CAAC;QACD,cAAc,EAAE,IAAI;KACpB,CAAC,CAAC;AACJ,CAAC,CAAC,CAAC"}

package/dist/auth/hmac.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+/**
+ * Token format: base64url(userId + ':' + expiry) + '.' + hmac(payload)
+ *
+ * The userId is embedded so verifyToken can look up the live user record
+ * (and therefore always reflect the current permissions, not stale ones
+ * baked into the token at login time).
+ */
+export declare function signHmacToken(secret: string, userId: string, maxAgeMs?: number): string;
+export interface HmacTokenPayload {
+    userId: string;
+    valid: boolean;
+}
+/**
+ * Verify an HMAC token. Returns the userId if valid and unexpired, or
+ * { valid: false } if the signature is wrong or the token has expired.
+ */
+export declare function verifyHmacToken(token: string, secret: string): HmacTokenPayload;
+//# sourceMappingURL=hmac.d.ts.map

package/dist/auth/hmac.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"hmac.d.ts","sourceRoot":"","sources":["../../src/auth/hmac.ts"],"names":[],"mappings":"AAIA;;;;;;GAMG;AACH,wBAAgB,aAAa,CAC5B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,QAAQ,SAAqB,GAC3B,MAAM,CAKR;AAED,MAAM,WAAW,gBAAgB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,OAAO,CAAC;CACf;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,gBAAgB,CAqB/E"}

package/dist/auth/hmac.js ADDED Viewed

@@ -0,0 +1,41 @@
+import { timingSafeEqual, createHmac } from 'node:crypto';
+const DEFAULT_MAX_AGE_MS = 8 * 60 * 60 * 1000; // 8 hours
+/**
+ * Token format: base64url(userId + ':' + expiry) + '.' + hmac(payload)
+ *
+ * The userId is embedded so verifyToken can look up the live user record
+ * (and therefore always reflect the current permissions, not stale ones
+ * baked into the token at login time).
+ */
+export function signHmacToken(secret, userId, maxAgeMs = DEFAULT_MAX_AGE_MS) {
+    const expiry = Date.now() + maxAgeMs;
+    const payload = Buffer.from(`${userId}:${expiry}`).toString('base64url');
+    const sig = createHmac('sha256', secret).update(payload).digest('base64url');
+    return `${payload}.${sig}`;
+}
+/**
+ * Verify an HMAC token. Returns the userId if valid and unexpired, or
+ * { valid: false } if the signature is wrong or the token has expired.
+ */
+export function verifyHmacToken(token, secret) {
+    const dot = token.lastIndexOf('.');
+    if (dot === -1)
+        return { userId: '', valid: false };
+    const payload = token.slice(0, dot);
+    const sig = token.slice(dot + 1);
+    const expectedSig = createHmac('sha256', secret).update(payload).digest('base64url');
+    const a = Buffer.from(sig);
+    const b = Buffer.from(expectedSig);
+    if (a.length !== b.length || !timingSafeEqual(a, b))
+        return { userId: '', valid: false };
+    const decoded = Buffer.from(payload, 'base64url').toString();
+    const colon = decoded.lastIndexOf(':');
+    if (colon === -1)
+        return { userId: '', valid: false };
+    const userId = decoded.slice(0, colon);
+    const expiry = parseInt(decoded.slice(colon + 1), 10);
+    if (!Number.isFinite(expiry) || Date.now() >= expiry)
+        return { userId: '', valid: false };
+    return { userId, valid: true };
+}
+//# sourceMappingURL=hmac.js.map

package/dist/auth/hmac.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"hmac.js","sourceRoot":"","sources":["../../src/auth/hmac.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE1D,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,UAAU;AAEzD;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAC5B,MAAc,EACd,MAAc,EACd,QAAQ,GAAG,kBAAkB;IAE7B,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC;IACrC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACzE,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC7E,OAAO,GAAG,OAAO,IAAI,GAAG,EAAE,CAAC;AAC5B,CAAC;AAOD;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,KAAa,EAAE,MAAc;IAC5D,MAAM,GAAG,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,GAAG,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAEpD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IACjC,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAErF,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACnC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAEzF,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC7D,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,KAAK,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAEtD,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACtD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM;QAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAE1F,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AAChC,CAAC"}

package/dist/auth/index.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+export { LocalAuthProvider } from './LocalAuthProvider.js';
+export type { LocalAuthProviderConfig } from './LocalAuthProvider.js';
+export { signHmacToken, verifyHmacToken } from './hmac.js';
+export { hashPassword, verifyPasswordHash, createLocalAuthUserStore } from './users.js';
+export type { StoredAuthUser, AuthUsersFile, LocalAuthUserStore } from './users.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,YAAY,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACtE,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,kBAAkB,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AACxF,YAAY,EAAE,cAAc,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC"}

package/dist/auth/index.js ADDED Viewed

@@ -0,0 +1,4 @@
+export { LocalAuthProvider } from './LocalAuthProvider.js';
+export { signHmacToken, verifyHmacToken } from './hmac.js';
+export { hashPassword, verifyPasswordHash, createLocalAuthUserStore } from './users.js';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAE3D,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,kBAAkB,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC"}

package/dist/auth/users.d.ts ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * Identity-only on-disk shape. Per-user app state (permissions, profile,
+ * starred definitions, recent runs) lives in `user-data.json`, owned by
+ * `LocalDataProvider`. This split lets `LocalAuthProvider` be paired with any
+ * data provider, and any auth provider be paired with `LocalDataProvider`,
+ * without one stepping on the other.
+ */
+export interface StoredAuthUser {
+    id: string;
+    email: string;
+    /**
+     * "pbkdf2:sha256:<iterations>:<salt>:<hash>" — all binary values base64url encoded.
+     * Null for OAuth-only users (allowlisted email, no password stored).
+     */
+    passwordHash: string | null;
+    createdAt: string;
+    /** ISO 8601 — most recent successful credential login or token verification. */
+    lastLoginAt?: string;
+    /** When true, the provider MUST refuse to authenticate this user. */
+    disabled?: boolean;
+}
+export interface AuthUsersFile {
+    users: StoredAuthUser[];
+}
+export declare function hashPassword(password: string): Promise<string>;
+export declare function verifyPasswordHash(password: string, storedHash: string): Promise<boolean>;
+export interface LocalAuthUserStore {
+    findByEmail(email: string): Promise<StoredAuthUser | null>;
+    findById(id: string): Promise<StoredAuthUser | null>;
+    listUsers(): Promise<Omit<StoredAuthUser, 'passwordHash'>[]>;
+    /** password null = OAuth allowlist entry (no password stored) */
+    createUser(email: string, password: string | null): Promise<StoredAuthUser>;
+    setDisabled(id: string, disabled: boolean): Promise<void>;
+    touchLastLogin(id: string): Promise<void>;
+    deleteUser(id: string): Promise<void>;
+}
+export declare function createLocalAuthUserStore(usersFilePath: string): LocalAuthUserStore;
+//# sourceMappingURL=users.d.ts.map

package/dist/auth/users.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"users.d.ts","sourceRoot":"","sources":["../../src/auth/users.ts"],"names":[],"mappings":"AAKA;;;;;;GAMG;AACH,MAAM,WAAW,cAAc;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd;;;OAGG;IACH,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,gFAAgF;IAChF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,qEAAqE;IACrE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACnB;AAKD,MAAM,WAAW,aAAa;IAC7B,KAAK,EAAE,cAAc,EAAE,CAAC;CACxB;AASD,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAQpE;AAED,wBAAsB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAgB/F;AAUD,MAAM,WAAW,kBAAkB;IAClC,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;IAC3D,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;IACrD,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC,cAAc,EAAE,cAAc,CAAC,EAAE,CAAC,CAAC;IAC7D,iEAAiE;IACjE,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;IAC5E,WAAW,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1D,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1C,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACtC;AAED,wBAAgB,wBAAwB,CAAC,aAAa,EAAE,MAAM,GAAG,kBAAkB,CA8DlF"}

package/dist/auth/users.js ADDED Viewed

@@ -0,0 +1,100 @@
+import * as crypto from 'node:crypto';
+import { randomUUID } from 'node:crypto';
+import { ProviderError } from '@selvajs/platform';
+import { readJsonFile, writeJsonFile } from '../data/fsJson.js';
+/** Debounce window for lastLoginAt writes — skip if prior stamp is newer than this. */
+const LAST_LOGIN_DEBOUNCE_MS = 60_000;
+// ============================================================================
+// PBKDF2 password hashing
+// ============================================================================
+const PBKDF2_ITERATIONS = 100_000;
+const PBKDF2_KEYLEN = 32;
+const PBKDF2_DIGEST = 'sha256';
+export async function hashPassword(password) {
+    const salt = crypto.randomBytes(16).toString('base64url');
+    const hash = await new Promise((resolve, reject) => crypto.pbkdf2(password, salt, PBKDF2_ITERATIONS, PBKDF2_KEYLEN, PBKDF2_DIGEST, (err, key) => err ? reject(err) : resolve(key)));
+    return `pbkdf2:${PBKDF2_DIGEST}:${PBKDF2_ITERATIONS}:${salt}:${hash.toString('base64url')}`;
+}
+export async function verifyPasswordHash(password, storedHash) {
+    const parts = storedHash.split(':');
+    if (parts.length !== 5 || parts[0] !== 'pbkdf2')
+        return false;
+    const [, digest, iterStr, salt, expectedHashB64] = parts;
+    const iterations = parseInt(iterStr, 10);
+    if (!Number.isFinite(iterations) || iterations <= 0)
+        return false;
+    const expected = Buffer.from(expectedHashB64, 'base64url');
+    const actual = await new Promise((resolve, reject) => crypto.pbkdf2(password, salt, iterations, PBKDF2_KEYLEN, digest, (err, key) => err ? reject(err) : resolve(key)));
+    if (actual.length !== expected.length)
+        return false;
+    return crypto.timingSafeEqual(actual, expected);
+}
+// ============================================================================
+// CRUD
+// ============================================================================
+// Fresh object per call — `readJsonFile` returns its fallback by reference
+// when the file is missing, so a shared singleton would let one test (or
+// one process write) mutate state visible to the next read.
+const empty = () => ({ users: [] });
+export function createLocalAuthUserStore(usersFilePath) {
+    return {
+        async findByEmail(email) {
+            const { users } = await readJsonFile(usersFilePath, empty());
+            return users.find((u) => u.email.toLowerCase() === email.toLowerCase()) ?? null;
+        },
+        async findById(id) {
+            const { users } = await readJsonFile(usersFilePath, empty());
+            return users.find((u) => u.id === id) ?? null;
+        },
+        async listUsers() {
+            const { users } = await readJsonFile(usersFilePath, empty());
+            return users.map(({ passwordHash: _ph, ...rest }) => rest);
+        },
+        async createUser(email, password) {
+            const file = await readJsonFile(usersFilePath, empty());
+            if (file.users.some((u) => u.email.toLowerCase() === email.toLowerCase())) {
+                throw new ProviderError(`User with email "${email}" already exists`, 409);
+            }
+            const user = {
+                id: randomUUID(),
+                email,
+                passwordHash: password !== null ? await hashPassword(password) : null,
+                createdAt: new Date().toISOString()
+            };
+            file.users.push(user);
+            await writeJsonFile(usersFilePath, file);
+            return user;
+        },
+        async setDisabled(id, disabled) {
+            const file = await readJsonFile(usersFilePath, empty());
+            const user = file.users.find((u) => u.id === id);
+            if (!user)
+                throw new ProviderError(`User "${id}" not found`, 404);
+            user.disabled = disabled;
+            await writeJsonFile(usersFilePath, file);
+        },
+        async touchLastLogin(id) {
+            const file = await readJsonFile(usersFilePath, empty());
+            const user = file.users.find((u) => u.id === id);
+            if (!user)
+                return;
+            const now = Date.now();
+            if (user.lastLoginAt) {
+                const prev = Date.parse(user.lastLoginAt);
+                if (Number.isFinite(prev) && now - prev < LAST_LOGIN_DEBOUNCE_MS)
+                    return;
+            }
+            user.lastLoginAt = new Date(now).toISOString();
+            await writeJsonFile(usersFilePath, file);
+        },
+        async deleteUser(id) {
+            const file = await readJsonFile(usersFilePath, empty());
+            const before = file.users.length;
+            file.users = file.users.filter((u) => u.id !== id);
+            if (file.users.length === before)
+                throw new ProviderError(`User "${id}" not found`, 404);
+            await writeJsonFile(usersFilePath, file);
+        }
+    };
+}
+//# sourceMappingURL=users.js.map

package/dist/auth/users.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"users.js","sourceRoot":"","sources":["../../src/auth/users.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAwBhE,uFAAuF;AACvF,MAAM,sBAAsB,GAAG,MAAM,CAAC;AAMtC,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAC/E,MAAM,iBAAiB,GAAG,OAAO,CAAC;AAClC,MAAM,aAAa,GAAG,EAAE,CAAC;AACzB,MAAM,aAAa,GAAG,QAAQ,CAAC;AAE/B,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IAClD,MAAM,IAAI,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC1D,MAAM,IAAI,GAAG,MAAM,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,CAC1D,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,EAAE,iBAAiB,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAC3F,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAChC,CACD,CAAC;IACF,OAAO,UAAU,aAAa,IAAI,iBAAiB,IAAI,IAAI,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;AAC7F,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,QAAgB,EAAE,UAAkB;IAC5E,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC9D,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,eAAe,CAAC,GAAG,KAAK,CAAC;IACzD,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,UAAU,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAElE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,MAAM,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,CAC5D,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAC7E,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAChC,CACD,CAAC;IAEF,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACpD,OAAO,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACjD,CAAC;AAED,+EAA+E;AAC/E,OAAO;AACP,+EAA+E;AAC/E,2EAA2E;AAC3E,yEAAyE;AACzE,4DAA4D;AAC5D,MAAM,KAAK,GAAG,GAAkB,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;AAanD,MAAM,UAAU,wBAAwB,CAAC,aAAqB;IAC7D,OAAO;QACN,KAAK,CAAC,WAAW,CAAC,KAAK;YACtB,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,YAAY,CAAgB,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC;YAC5E,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,IAAI,CAAC;QACjF,CAAC;QAED,KAAK,CAAC,QAAQ,CAAC,EAAE;YAChB,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,YAAY,CAAgB,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC;YAC5E,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,IAAI,IAAI,CAAC;QAC/C,CAAC;QAED,KAAK,CAAC,SAAS;YACd,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,YAAY,CAAgB,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC;YAC5E,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;QAC5D,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,KAAK,EAAE,QAAQ;YAC/B,MAAM,IAAI,GAAG,MAAM,YAAY,CAAgB,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC;YACvE,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBAC3E,MAAM,IAAI,aAAa,CAAC,oBAAoB,KAAK,kBAAkB,EAAE,GAAG,CAAC,CAAC;YAC3E,CAAC;YACD,MAAM,IAAI,GAAmB;gBAC5B,EAAE,EAAE,UAAU,EAAE;gBAChB,KAAK;gBACL,YAAY,EAAE,QAAQ,KAAK,IAAI,CAAC,CAAC,CAAC,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI;gBACrE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACnC,CAAC;YACF,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,MAAM,aAAa,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC;QACb,CAAC;QAED,KAAK,CAAC,WAAW,CAAC,EAAE,EAAE,QAAQ;YAC7B,MAAM,IAAI,GAAG,MAAM,YAAY,CAAgB,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC;YACvE,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;YACjD,IAAI,CAAC,IAAI;gBAAE,MAAM,IAAI,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,GAAG,CAAC,CAAC;YAClE,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;YACzB,MAAM,aAAa,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;QAC1C,CAAC;QAED,KAAK,CAAC,cAAc,CAAC,EAAE;YACtB,MAAM,IAAI,GAAG,MAAM,YAAY,CAAgB,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC;YACvE,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;YACjD,IAAI,CAAC,IAAI;gBAAE,OAAO;YAClB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;gBACtB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;gBAC1C,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,GAAG,GAAG,IAAI,GAAG,sBAAsB;oBAAE,OAAO;YAC1E,CAAC;YACD,IAAI,CAAC,WAAW,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;YAC/C,MAAM,aAAa,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;QAC1C,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,EAAE;YAClB,MAAM,IAAI,GAAG,MAAM,YAAY,CAAgB,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC;YACvE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;YACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;YACnD,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM;gBAAE,MAAM,IAAI,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,GAAG,CAAC,CAAC;YACzF,MAAM,aAAa,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;QAC1C,CAAC;KACD,CAAC;AACH,CAAC"}