@shin1ohno/sage 0.2.4 → 0.5.3

package/dist/oauth/oauth-server.d.ts

@@ -0,0 +1,165 @@
+/**
+ * OAuth 2.1 Server
+ * Requirements: 21-31 (OAuth 2.1 Authentication)
+ *
+ * Main OAuth server that coordinates all OAuth components and handles requests.
+ */
+import { AuthorizationServerMetadata, ProtectedResourceMetadata, AuthorizationRequest, TokenResponse, OAuthError, OAuthClient, ClientRegistrationRequest, VerifyTokenResult, OAuthUser, UserSession } from './types.js';
+import { ClientRegistrationResult } from './client-store.js';
+/**
+ * OAuth Server Configuration
+ */
+export interface OAuthServerConfig {
+    issuer: string;
+    accessTokenExpiry?: string;
+    refreshTokenExpiry?: string;
+    authorizationCodeExpiry?: string;
+    allowedRedirectUris?: string[];
+    users?: OAuthUser[];
+    privateKey?: string;
+    publicKey?: string;
+}
+/**
+ * Authorization Pending Request (stored during consent flow)
+ */
+interface PendingAuthRequest {
+    request: AuthorizationRequest;
+    client: OAuthClient;
+    createdAt: number;
+}
+/**
+ * OAuth Server Class
+ */
+export declare class OAuthServer {
+    private config;
+    private tokenService;
+    private codeStore;
+    private refreshTokenStore;
+    private clientStore;
+    private sessionStore;
+    private users;
+    private pendingAuthRequests;
+    private loginAttempts;
+    private privateKey;
+    private publicKey;
+    constructor(config: OAuthServerConfig, keys?: {
+        privateKey: string;
+        publicKey: string;
+    });
+    /**
+     * Initialize the server with generated keys if not provided
+     */
+    initialize(): Promise<void>;
+    private parseExpiryToSeconds;
+    /**
+     * Get Protected Resource Metadata (RFC 9728)
+     * Requirement 22.1-22.3
+     */
+    getProtectedResourceMetadata(): ProtectedResourceMetadata;
+    /**
+     * Get Authorization Server Metadata (RFC 8414)
+     * Requirement 23.1-23.9
+     */
+    getAuthorizationServerMetadata(): AuthorizationServerMetadata;
+    /**
+     * Get WWW-Authenticate header for 401 responses
+     * Requirement 22.4, 22.5
+     */
+    getWWWAuthenticateHeader(): string;
+    /**
+     * Register a new client (Dynamic Client Registration)
+     * Requirement 24.1-24.7
+     */
+    registerClient(request: ClientRegistrationRequest): Promise<ClientRegistrationResult>;
+    /**
+     * Get a registered client
+     */
+    getClient(clientId: string): Promise<OAuthClient | null>;
+    /**
+     * Delete a client (Requirement 24.8)
+     */
+    deleteClient(clientId: string): Promise<boolean>;
+    /**
+     * Validate an authorization request
+     * Requirement 25.1-25.8
+     */
+    validateAuthorizationRequest(request: AuthorizationRequest): Promise<{
+        valid: boolean;
+        error?: OAuthError;
+        client?: OAuthClient;
+    }>;
+    /**
+     * Store a pending authorization request (for consent flow)
+     */
+    storePendingAuthRequest(requestId: string, request: AuthorizationRequest, client: OAuthClient): void;
+    /**
+     * Get a pending authorization request
+     */
+    getPendingAuthRequest(requestId: string): PendingAuthRequest | null;
+    /**
+     * Complete authorization and generate code
+     * Requirement 25.9, 25.10
+     */
+    completeAuthorization(request: AuthorizationRequest, userId: string): Promise<string>;
+    /**
+     * Exchange authorization code for tokens
+     * Requirement 26.1-26.7
+     */
+    exchangeAuthorizationCode(code: string, clientId: string, redirectUri: string, codeVerifier: string, resource?: string): Promise<{
+        success: boolean;
+        tokens?: TokenResponse;
+        error?: OAuthError;
+    }>;
+    /**
+     * Exchange refresh token for new tokens
+     * Requirement 26.3, 26.8
+     */
+    exchangeRefreshToken(refreshToken: string, clientId: string, scope?: string): Promise<{
+        success: boolean;
+        tokens?: TokenResponse;
+        error?: OAuthError;
+    }>;
+    /**
+     * Verify an access token
+     * Requirement 27.1-27.5
+     */
+    verifyAccessToken(token: string, expectedAudience?: string): Promise<VerifyTokenResult>;
+    /**
+     * Extract token from Authorization header
+     * Requirement 27.1
+     */
+    extractTokenFromHeader(header: string | undefined): string | null;
+    /**
+     * Authenticate a user (Requirement 29.1-29.5)
+     */
+    authenticateUser(username: string, password: string): Promise<{
+        success: boolean;
+        session?: UserSession;
+        error?: string;
+    }>;
+    /**
+     * Validate a session
+     */
+    validateSession(sessionId: string): UserSession | null;
+    /**
+     * Logout user
+     */
+    logout(sessionId: string): void;
+    /**
+     * Check if a scope includes another scope
+     */
+    hasScope(tokenScope: string, requiredScope: string): boolean;
+    /**
+     * Get scope descriptions for consent UI
+     */
+    getScopeDescriptions(scopes: string): Array<{
+        scope: string;
+        description: string;
+    }>;
+}
+/**
+ * Create an OAuth Server instance
+ */
+export declare function createOAuthServer(config: OAuthServerConfig): Promise<OAuthServer>;
+export {};
+//# sourceMappingURL=oauth-server.d.ts.map

package/dist/oauth/oauth-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-server.d.ts","sourceRoot":"","sources":["../../src/oauth/oauth-server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,EACzB,oBAAoB,EACpB,aAAa,EACb,UAAU,EACV,WAAW,EACX,yBAAyB,EACzB,iBAAiB,EACjB,SAAS,EACT,WAAW,EAIZ,MAAM,YAAY,CAAC;AAIpB,OAAO,EAAkC,wBAAwB,EAAE,MAAM,mBAAmB,CAAC;AAG7F;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,KAAK,CAAC,EAAE,SAAS,EAAE,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AA8CD;;GAEG;AACH,UAAU,kBAAkB;IAC1B,OAAO,EAAE,oBAAoB,CAAC;IAC9B,MAAM,EAAE,WAAW,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAoB;IAClC,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,SAAS,CAAyB;IAC1C,OAAO,CAAC,iBAAiB,CAAoB;IAC7C,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,KAAK,CAAyB;IACtC,OAAO,CAAC,mBAAmB,CAA8C;IACzE,OAAO,CAAC,aAAa,CAAkE;IAEvF,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAS;gBAEd,MAAM,EAAE,iBAAiB,EAAE,IAAI,CAAC,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE;IAoCvF;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAgBjC,OAAO,CAAC,oBAAoB;IAiB5B;;;OAGG;IACH,4BAA4B,IAAI,yBAAyB;IASzD;;;OAGG;IACH,8BAA8B,IAAI,2BAA2B;IAgB7D;;;OAGG;IACH,wBAAwB,IAAI,MAAM;IAIlC;;;OAGG;IACG,cAAc,CAAC,OAAO,EAAE,yBAAyB,GAAG,OAAO,CAAC,wBAAwB,CAAC;IAI3F;;OAEG;IACG,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC;IAI9D;;OAEG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAMtD;;;OAGG;IACG,4BAA4B,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC;QACzE,KAAK,EAAE,OAAO,CAAC;QACf,KAAK,CAAC,EAAE,UAAU,CAAC;QACnB,MAAM,CAAC,EAAE,WAAW,CAAC;KACtB,CAAC;IA2EF;;OAEG;IACH,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,EAAE,WAAW,GAAG,IAAI;IAgBpG;;OAEG;IACH,qBAAqB,CAAC,SAAS,EAAE,MAAM,GAAG,kBAAkB,GAAG,IAAI;IAInE;;;OAGG;IACG,qBAAqB,CACzB,OAAO,EAAE,oBAAoB,EAC7B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC;IAclB;;;OAGG;IACG,yBAAyB,CAC7B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,aAAa,CAAC;QAAC,KAAK,CAAC,EAAE,UAAU,CAAA;KAAE,CAAC;IAuE5E;;;OAGG;IACG,oBAAoB,CACxB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,aAAa,CAAC;QAAC,KAAK,CAAC,EAAE,UAAU,CAAA;KAAE,CAAC;IA+C5E;;;OAGG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAI7F;;;OAGG;IACH,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI;IAIjE;;OAEG;IACG,gBAAgB,CACpB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,CAAC,EAAE,WAAW,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IA0CvE;;OAEG;IACH,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI;IAItD;;OAEG;IACH,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAI/B;;OAEG;IACH,QAAQ,CAAC,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO;IAK5D;;OAEG;IACH,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,CAAC;CAMpF;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,iBAAiB,GACxB,OAAO,CAAC,WAAW,CAAC,CAItB"}

package/dist/oauth/oauth-server.js

@@ -0,0 +1,489 @@
+/**
+ * OAuth 2.1 Server
+ * Requirements: 21-31 (OAuth 2.1 Authentication)
+ *
+ * Main OAuth server that coordinates all OAuth components and handles requests.
+ */
+import { randomBytes, createHash } from 'crypto';
+import { SCOPE_DEFINITIONS, DEFAULT_TOKEN_EXPIRY, CLAUDE_CALLBACK_URLS, } from './types.js';
+import { createTokenService, generateKeyPair } from './token-service.js';
+import { createAuthorizationCodeStore } from './code-store.js';
+import { createRefreshTokenStore } from './refresh-token-store.js';
+import { createClientStore } from './client-store.js';
+import { verifyCodeChallenge } from './pkce.js';
+/**
+ * In-memory Session Store
+ */
+class InMemorySessionStore {
+    sessions = new Map();
+    sessionExpiryMs = 24 * 60 * 60 * 1000; // 24 hours
+    createSession(userId) {
+        const sessionId = randomBytes(32).toString('hex');
+        const now = Date.now();
+        const session = {
+            sessionId,
+            userId,
+            createdAt: now,
+            expiresAt: now + this.sessionExpiryMs,
+        };
+        this.sessions.set(sessionId, session);
+        return session;
+    }
+    getSession(sessionId) {
+        const session = this.sessions.get(sessionId);
+        if (!session)
+            return null;
+        if (Date.now() > session.expiresAt) {
+            this.sessions.delete(sessionId);
+            return null;
+        }
+        return session;
+    }
+    deleteSession(sessionId) {
+        this.sessions.delete(sessionId);
+    }
+}
+/**
+ * OAuth Server Class
+ */
+export class OAuthServer {
+    config;
+    tokenService;
+    codeStore;
+    refreshTokenStore;
+    clientStore;
+    sessionStore;
+    users;
+    pendingAuthRequests = new Map();
+    loginAttempts = new Map();
+    privateKey;
+    publicKey;
+    constructor(config, keys) {
+        this.config = config;
+        this.privateKey = keys?.privateKey || '';
+        this.publicKey = keys?.publicKey || '';
+        // Parse expiry durations to seconds
+        const refreshTokenExpirySec = this.parseExpiryToSeconds(config.refreshTokenExpiry || DEFAULT_TOKEN_EXPIRY.refreshToken);
+        const authCodeExpirySec = this.parseExpiryToSeconds(config.authorizationCodeExpiry || DEFAULT_TOKEN_EXPIRY.authorizationCode);
+        // Initialize stores
+        this.codeStore = createAuthorizationCodeStore({ expirySeconds: authCodeExpirySec });
+        this.refreshTokenStore = createRefreshTokenStore({ expirySeconds: refreshTokenExpirySec });
+        this.clientStore = createClientStore({
+            allowedRedirectUris: [...(config.allowedRedirectUris || []), ...CLAUDE_CALLBACK_URLS],
+        });
+        this.sessionStore = new InMemorySessionStore();
+        // Initialize token service (will be updated when keys are available)
+        this.tokenService = createTokenService({
+            issuer: config.issuer,
+            privateKey: this.privateKey,
+            publicKey: this.publicKey,
+            accessTokenExpiry: config.accessTokenExpiry || DEFAULT_TOKEN_EXPIRY.accessToken,
+        });
+        // Store users
+        this.users = new Map();
+        for (const user of config.users || []) {
+            this.users.set(user.username, user);
+        }
+    }
+    /**
+     * Initialize the server with generated keys if not provided
+     */
+    async initialize() {
+        if (!this.privateKey || !this.publicKey) {
+            const keys = await generateKeyPair();
+            this.privateKey = keys.privateKey;
+            this.publicKey = keys.publicKey;
+            // Recreate token service with new keys
+            this.tokenService = createTokenService({
+                issuer: this.config.issuer,
+                privateKey: this.privateKey,
+                publicKey: this.publicKey,
+                accessTokenExpiry: this.config.accessTokenExpiry || DEFAULT_TOKEN_EXPIRY.accessToken,
+            });
+        }
+    }
+    parseExpiryToSeconds(expiry) {
+        const match = expiry.match(/^(\d+)([smhdw])$/);
+        if (!match)
+            return 3600;
+        const value = parseInt(match[1], 10);
+        const unit = match[2];
+        switch (unit) {
+            case 's': return value;
+            case 'm': return value * 60;
+            case 'h': return value * 3600;
+            case 'd': return value * 86400;
+            case 'w': return value * 604800;
+            default: return 3600;
+        }
+    }
+    /**
+     * Get Protected Resource Metadata (RFC 9728)
+     * Requirement 22.1-22.3
+     */
+    getProtectedResourceMetadata() {
+        return {
+            resource: this.config.issuer,
+            authorization_servers: [this.config.issuer],
+            scopes_supported: Object.keys(SCOPE_DEFINITIONS),
+            bearer_methods_supported: ['header'],
+        };
+    }
+    /**
+     * Get Authorization Server Metadata (RFC 8414)
+     * Requirement 23.1-23.9
+     */
+    getAuthorizationServerMetadata() {
+        return {
+            issuer: this.config.issuer,
+            authorization_endpoint: `${this.config.issuer}/oauth/authorize`,
+            token_endpoint: `${this.config.issuer}/oauth/token`,
+            registration_endpoint: `${this.config.issuer}/oauth/register`,
+            scopes_supported: Object.keys(SCOPE_DEFINITIONS),
+            response_types_supported: ['code'],
+            response_modes_supported: ['query'],
+            grant_types_supported: ['authorization_code', 'refresh_token'],
+            token_endpoint_auth_methods_supported: ['none', 'client_secret_post'],
+            code_challenge_methods_supported: ['S256'],
+            service_documentation: 'https://github.com/shin1ohno/sage',
+        };
+    }
+    /**
+     * Get WWW-Authenticate header for 401 responses
+     * Requirement 22.4, 22.5
+     */
+    getWWWAuthenticateHeader() {
+        return `Bearer realm="sage", resource_metadata="${this.config.issuer}/.well-known/oauth-protected-resource"`;
+    }
+    /**
+     * Register a new client (Dynamic Client Registration)
+     * Requirement 24.1-24.7
+     */
+    async registerClient(request) {
+        return this.clientStore.registerClient(request);
+    }
+    /**
+     * Get a registered client
+     */
+    async getClient(clientId) {
+        return this.clientStore.getClient(clientId);
+    }
+    /**
+     * Delete a client (Requirement 24.8)
+     */
+    async deleteClient(clientId) {
+        // Also revoke all refresh tokens for this client
+        await this.refreshTokenStore.revokeAllForClient(clientId);
+        return this.clientStore.deleteClient(clientId);
+    }
+    /**
+     * Validate an authorization request
+     * Requirement 25.1-25.8
+     */
+    async validateAuthorizationRequest(request) {
+        // Requirement 25.2: Only support response_type=code
+        if (request.response_type !== 'code') {
+            return {
+                valid: false,
+                error: {
+                    error: 'unsupported_response_type',
+                    error_description: 'Only response_type=code is supported',
+                    state: request.state,
+                },
+            };
+        }
+        // Requirement 25.3: client_id is required
+        const client = await this.clientStore.getClient(request.client_id);
+        if (!client) {
+            return {
+                valid: false,
+                error: {
+                    error: 'invalid_client',
+                    error_description: 'Unknown client_id',
+                    state: request.state,
+                },
+            };
+        }
+        // Requirement 25.4: Validate redirect_uri
+        if (!await this.clientStore.isValidRedirectUri(request.client_id, request.redirect_uri)) {
+            return {
+                valid: false,
+                error: {
+                    error: 'invalid_request',
+                    error_description: 'Invalid redirect_uri',
+                    state: request.state,
+                },
+            };
+        }
+        // Requirement 25.5, 25.6: PKCE is required, only S256
+        if (!request.code_challenge) {
+            return {
+                valid: false,
+                error: {
+                    error: 'invalid_request',
+                    error_description: 'code_challenge is required',
+                    state: request.state,
+                },
+            };
+        }
+        if (request.code_challenge_method !== 'S256') {
+            return {
+                valid: false,
+                error: {
+                    error: 'invalid_request',
+                    error_description: 'Only code_challenge_method=S256 is supported',
+                    state: request.state,
+                },
+            };
+        }
+        // Requirement 25.7: state is required
+        if (!request.state) {
+            return {
+                valid: false,
+                error: {
+                    error: 'invalid_request',
+                    error_description: 'state is required',
+                },
+            };
+        }
+        return { valid: true, client };
+    }
+    /**
+     * Store a pending authorization request (for consent flow)
+     */
+    storePendingAuthRequest(requestId, request, client) {
+        this.pendingAuthRequests.set(requestId, {
+            request,
+            client,
+            createdAt: Date.now(),
+        });
+        // Cleanup old requests (older than 10 minutes)
+        const cutoff = Date.now() - 10 * 60 * 1000;
+        for (const [id, pending] of this.pendingAuthRequests.entries()) {
+            if (pending.createdAt < cutoff) {
+                this.pendingAuthRequests.delete(id);
+            }
+        }
+    }
+    /**
+     * Get a pending authorization request
+     */
+    getPendingAuthRequest(requestId) {
+        return this.pendingAuthRequests.get(requestId) || null;
+    }
+    /**
+     * Complete authorization and generate code
+     * Requirement 25.9, 25.10
+     */
+    async completeAuthorization(request, userId) {
+        const code = await this.codeStore.generateCode({
+            clientId: request.client_id,
+            redirectUri: request.redirect_uri,
+            scope: request.scope || '',
+            codeChallenge: request.code_challenge,
+            codeChallengeMethod: request.code_challenge_method,
+            userId,
+            resource: request.resource,
+        });
+        return code;
+    }
+    /**
+     * Exchange authorization code for tokens
+     * Requirement 26.1-26.7
+     */
+    async exchangeAuthorizationCode(code, clientId, redirectUri, codeVerifier, resource) {
+        // Consume code (marks it as used)
+        const codeResult = await this.codeStore.consumeCode(code, clientId);
+        if (!codeResult.valid || !codeResult.codeData) {
+            return {
+                success: false,
+                error: {
+                    error: 'invalid_grant',
+                    error_description: 'Invalid or expired authorization code',
+                },
+            };
+        }
+        // Verify redirect_uri matches
+        if (codeResult.codeData.redirect_uri !== redirectUri) {
+            return {
+                success: false,
+                error: {
+                    error: 'invalid_grant',
+                    error_description: 'redirect_uri does not match',
+                },
+            };
+        }
+        // Verify PKCE code_verifier (Requirement 26.4)
+        if (!verifyCodeChallenge(codeVerifier, codeResult.codeData.code_challenge, 'S256')) {
+            return {
+                success: false,
+                error: {
+                    error: 'invalid_grant',
+                    error_description: 'Invalid code_verifier',
+                },
+            };
+        }
+        // Verify resource if specified (Requirement 26.5)
+        if (resource && codeResult.codeData.resource && resource !== codeResult.codeData.resource) {
+            return {
+                success: false,
+                error: {
+                    error: 'invalid_grant',
+                    error_description: 'resource does not match',
+                },
+            };
+        }
+        // Generate access token
+        const accessTokenResponse = await this.tokenService.generateAccessToken({
+            clientId,
+            userId: codeResult.codeData.user_id,
+            scope: codeResult.codeData.scope,
+            audience: resource || this.config.issuer,
+        });
+        // Generate refresh token (Requirement 21.6)
+        const refreshToken = await this.refreshTokenStore.generateToken({
+            clientId,
+            userId: codeResult.codeData.user_id,
+            scope: codeResult.codeData.scope,
+        });
+        return {
+            success: true,
+            tokens: {
+                ...accessTokenResponse,
+                refresh_token: refreshToken,
+            },
+        };
+    }
+    /**
+     * Exchange refresh token for new tokens
+     * Requirement 26.3, 26.8
+     */
+    async exchangeRefreshToken(refreshToken, clientId, scope) {
+        // Rotate refresh token (Requirement 26.8)
+        const newRefreshToken = await this.refreshTokenStore.rotateToken(refreshToken, clientId);
+        if (!newRefreshToken) {
+            return {
+                success: false,
+                error: {
+                    error: 'invalid_grant',
+                    error_description: 'Invalid or expired refresh token',
+                },
+            };
+        }
+        // Get the original token data before it was rotated
+        const tokenResult = await this.refreshTokenStore.validateToken(newRefreshToken, clientId);
+        if (!tokenResult.valid || !tokenResult.tokenData) {
+            return {
+                success: false,
+                error: {
+                    error: 'invalid_grant',
+                    error_description: 'Invalid refresh token',
+                },
+            };
+        }
+        // Use requested scope or original scope
+        const effectiveScope = scope || tokenResult.tokenData.scope;
+        // Generate new access token
+        const accessTokenResponse = await this.tokenService.generateAccessToken({
+            clientId,
+            userId: tokenResult.tokenData.user_id,
+            scope: effectiveScope,
+            audience: this.config.issuer,
+        });
+        return {
+            success: true,
+            tokens: {
+                ...accessTokenResponse,
+                refresh_token: newRefreshToken,
+            },
+        };
+    }
+    /**
+     * Verify an access token
+     * Requirement 27.1-27.5
+     */
+    async verifyAccessToken(token, expectedAudience) {
+        return this.tokenService.verifyAccessToken(token, expectedAudience);
+    }
+    /**
+     * Extract token from Authorization header
+     * Requirement 27.1
+     */
+    extractTokenFromHeader(header) {
+        return this.tokenService.extractTokenFromHeader(header);
+    }
+    /**
+     * Authenticate a user (Requirement 29.1-29.5)
+     */
+    async authenticateUser(username, password) {
+        // Rate limiting (Requirement 29.5)
+        const key = username;
+        const attempts = this.loginAttempts.get(key) || { count: 0, lastAttempt: 0 };
+        // Reset attempts after 15 minutes
+        if (Date.now() - attempts.lastAttempt > 15 * 60 * 1000) {
+            attempts.count = 0;
+        }
+        if (attempts.count >= 5) {
+            return { success: false, error: 'Too many login attempts. Please try again later.' };
+        }
+        const user = this.users.get(username);
+        if (!user) {
+            attempts.count++;
+            attempts.lastAttempt = Date.now();
+            this.loginAttempts.set(key, attempts);
+            return { success: false, error: 'Invalid username or password' };
+        }
+        // Verify password (Requirement 29.4: passwords should be hashed)
+        // For simplicity, we'll compare against the stored hash
+        // In production, use bcrypt or similar
+        const passwordHash = createHash('sha256').update(password).digest('hex');
+        if (passwordHash !== user.passwordHash) {
+            attempts.count++;
+            attempts.lastAttempt = Date.now();
+            this.loginAttempts.set(key, attempts);
+            return { success: false, error: 'Invalid username or password' };
+        }
+        // Reset login attempts on success
+        this.loginAttempts.delete(key);
+        // Create session
+        const session = this.sessionStore.createSession(user.id);
+        return { success: true, session };
+    }
+    /**
+     * Validate a session
+     */
+    validateSession(sessionId) {
+        return this.sessionStore.getSession(sessionId);
+    }
+    /**
+     * Logout user
+     */
+    logout(sessionId) {
+        this.sessionStore.deleteSession(sessionId);
+    }
+    /**
+     * Check if a scope includes another scope
+     */
+    hasScope(tokenScope, requiredScope) {
+        const tokenScopes = tokenScope.split(' ');
+        return tokenScopes.includes(requiredScope);
+    }
+    /**
+     * Get scope descriptions for consent UI
+     */
+    getScopeDescriptions(scopes) {
+        return scopes.split(' ').filter(s => s in SCOPE_DEFINITIONS).map(scope => ({
+            scope,
+            description: SCOPE_DEFINITIONS[scope],
+        }));
+    }
+}
+/**
+ * Create an OAuth Server instance
+ */
+export async function createOAuthServer(config) {
+    const server = new OAuthServer(config);
+    await server.initialize();
+    return server;
+}
+//# sourceMappingURL=oauth-server.js.map

package/dist/oauth/oauth-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-server.js","sourceRoot":"","sources":["../../src/oauth/oauth-server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACjD,OAAO,EAWL,iBAAiB,EACjB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,kBAAkB,EAAgB,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACvF,OAAO,EAAE,4BAA4B,EAA0B,MAAM,iBAAiB,CAAC;AACvF,OAAO,EAAE,uBAAuB,EAAqB,MAAM,0BAA0B,CAAC;AACtF,OAAO,EAAE,iBAAiB,EAAyC,MAAM,mBAAmB,CAAC;AAC7F,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAyBhD;;GAEG;AACH,MAAM,oBAAoB;IAChB,QAAQ,GAA6B,IAAI,GAAG,EAAE,CAAC;IAC/C,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW;IAE1D,aAAa,CAAC,MAAc;QAC1B,MAAM,SAAS,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAClD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,OAAO,GAAgB;YAC3B,SAAS;YACT,MAAM;YACN,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,eAAe;SACtC,CAAC;QACF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACtC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,UAAU,CAAC,SAAiB;QAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7C,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAC1B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;YACnC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,aAAa,CAAC,SAAiB;QAC7B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAClC,CAAC;CACF;AAWD;;GAEG;AACH,MAAM,OAAO,WAAW;IACd,MAAM,CAAoB;IAC1B,YAAY,CAAe;IAC3B,SAAS,CAAyB;IAClC,iBAAiB,CAAoB;IACrC,WAAW,CAAc;IACzB,YAAY,CAAe;IAC3B,KAAK,CAAyB;IAC9B,mBAAmB,GAAoC,IAAI,GAAG,EAAE,CAAC;IACjE,aAAa,GAAwD,IAAI,GAAG,EAAE,CAAC;IAE/E,UAAU,CAAS;IACnB,SAAS,CAAS;IAE1B,YAAY,MAAyB,EAAE,IAAgD;QACrF,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,UAAU,GAAG,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,EAAE,SAAS,IAAI,EAAE,CAAC;QAEvC,oCAAoC;QACpC,MAAM,qBAAqB,GAAG,IAAI,CAAC,oBAAoB,CACrD,MAAM,CAAC,kBAAkB,IAAI,oBAAoB,CAAC,YAAY,CAC/D,CAAC;QACF,MAAM,iBAAiB,GAAG,IAAI,CAAC,oBAAoB,CACjD,MAAM,CAAC,uBAAuB,IAAI,oBAAoB,CAAC,iBAAiB,CACzE,CAAC;QAEF,oBAAoB;QACpB,IAAI,CAAC,SAAS,GAAG,4BAA4B,CAAC,EAAE,aAAa,EAAE,iBAAiB,EAAE,CAAC,CAAC;QACpF,IAAI,CAAC,iBAAiB,GAAG,uBAAuB,CAAC,EAAE,aAAa,EAAE,qBAAqB,EAAE,CAAC,CAAC;QAC3F,IAAI,CAAC,WAAW,GAAG,iBAAiB,CAAC;YACnC,mBAAmB,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,mBAAmB,IAAI,EAAE,CAAC,EAAE,GAAG,oBAAoB,CAAC;SACtF,CAAC,CAAC;QACH,IAAI,CAAC,YAAY,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAE/C,qEAAqE;QACrE,IAAI,CAAC,YAAY,GAAG,kBAAkB,CAAC;YACrC,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,IAAI,oBAAoB,CAAC,WAAW;SAChF,CAAC,CAAC;QAEH,cAAc;QACd,IAAI,CAAC,KAAK,GAAG,IAAI,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;YACtC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACxC,MAAM,IAAI,GAAG,MAAM,eAAe,EAAE,CAAC;YACrC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;YAClC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;YAEhC,uCAAuC;YACvC,IAAI,CAAC,YAAY,GAAG,kBAAkB,CAAC;gBACrC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;gBAC1B,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,iBAAiB,EAAE,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,oBAAoB,CAAC,WAAW;aACrF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAEO,oBAAoB,CAAC,MAAc;QACzC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAC/C,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,CAAC;YACvB,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,EAAE,CAAC;YAC5B,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,IAAI,CAAC;YAC9B,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,KAAK,CAAC;YAC/B,KAAK,GAAG,CAAC,CAAC,OAAO,KAAK,GAAG,MAAM,CAAC;YAChC,OAAO,CAAC,CAAC,OAAO,IAAI,CAAC;QACvB,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,4BAA4B;QAC1B,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC5B,qBAAqB,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;YAC3C,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,8BAA8B;QAC5B,OAAO;YACL,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,sBAAsB,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,kBAAkB;YAC/D,cAAc,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,cAAc;YACnD,qBAAqB,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,iBAAiB;YAC7D,gBAAgB,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC;YAChD,wBAAwB,EAAE,CAAC,MAAM,CAAC;YAClC,wBAAwB,EAAE,CAAC,OAAO,CAAC;YACnC,qBAAqB,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;YAC9D,qCAAqC,EAAE,CAAC,MAAM,EAAE,oBAAoB,CAAC;YACrE,gCAAgC,EAAE,CAAC,MAAM,CAAC;YAC1C,qBAAqB,EAAE,mCAAmC;SAC3D,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,wBAAwB;QACtB,OAAO,2CAA2C,IAAI,CAAC,MAAM,CAAC,MAAM,wCAAwC,CAAC;IAC/G,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,cAAc,CAAC,OAAkC;QACrD,OAAO,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,QAAgB;QACjC,iDAAiD;QACjD,MAAM,IAAI,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAC1D,OAAO,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IACjD,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,4BAA4B,CAAC,OAA6B;QAK9D,oDAAoD;QACpD,IAAI,OAAO,CAAC,aAAa,KAAK,MAAM,EAAE,CAAC;YACrC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE;oBACL,KAAK,EAAE,2BAA2B;oBAClC,iBAAiB,EAAE,sCAAsC;oBACzD,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB;aACF,CAAC;QACJ,CAAC;QAED,0CAA0C;QAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACnE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE;oBACL,KAAK,EAAE,gBAAgB;oBACvB,iBAAiB,EAAE,mBAAmB;oBACtC,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB;aACF,CAAC;QACJ,CAAC;QAED,0CAA0C;QAC1C,IAAI,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,kBAAkB,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YACxF,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE;oBACL,KAAK,EAAE,iBAAiB;oBACxB,iBAAiB,EAAE,sBAAsB;oBACzC,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB;aACF,CAAC;QACJ,CAAC;QAED,sDAAsD;QACtD,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;YAC5B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE;oBACL,KAAK,EAAE,iBAAiB;oBACxB,iBAAiB,EAAE,4BAA4B;oBAC/C,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB;aACF,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,qBAAqB,KAAK,MAAM,EAAE,CAAC;YAC7C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE;oBACL,KAAK,EAAE,iBAAiB;oBACxB,iBAAiB,EAAE,8CAA8C;oBACjE,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB;aACF,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACnB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE;oBACL,KAAK,EAAE,iBAAiB;oBACxB,iBAAiB,EAAE,mBAAmB;iBACvC;aACF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,uBAAuB,CAAC,SAAiB,EAAE,OAA6B,EAAE,MAAmB;QAC3F,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,SAAS,EAAE;YACtC,OAAO;YACP,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC,CAAC;QAEH,+CAA+C;QAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QAC3C,KAAK,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,EAAE,CAAC;YAC/D,IAAI,OAAO,CAAC,SAAS,GAAG,MAAM,EAAE,CAAC;gBAC/B,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,qBAAqB,CAAC,SAAiB;QACrC,OAAO,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC;IACzD,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,qBAAqB,CACzB,OAA6B,EAC7B,MAAc;QAEd,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC;YAC7C,QAAQ,EAAE,OAAO,CAAC,SAAS;YAC3B,WAAW,EAAE,OAAO,CAAC,YAAY;YACjC,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,EAAE;YAC1B,aAAa,EAAE,OAAO,CAAC,cAAc;YACrC,mBAAmB,EAAE,OAAO,CAAC,qBAAqB;YAClD,MAAM;YACN,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,yBAAyB,CAC7B,IAAY,EACZ,QAAgB,EAChB,WAAmB,EACnB,YAAoB,EACpB,QAAiB;QAEjB,kCAAkC;QAClC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAEpE,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;YAC9C,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,uCAAuC;iBAC3D;aACF,CAAC;QACJ,CAAC;QAED,8BAA8B;QAC9B,IAAI,UAAU,CAAC,QAAQ,CAAC,YAAY,KAAK,WAAW,EAAE,CAAC;YACrD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,6BAA6B;iBACjD;aACF,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,IAAI,CAAC,mBAAmB,CAAC,YAAY,EAAE,UAAU,CAAC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC,EAAE,CAAC;YACnF,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,uBAAuB;iBAC3C;aACF,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,IAAI,QAAQ,IAAI,UAAU,CAAC,QAAQ,CAAC,QAAQ,IAAI,QAAQ,KAAK,UAAU,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YAC1F,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,yBAAyB;iBAC7C;aACF,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,mBAAmB,CAAC;YACtE,QAAQ;YACR,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,OAAO;YACnC,KAAK,EAAE,UAAU,CAAC,QAAQ,CAAC,KAAK;YAChC,QAAQ,EAAE,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM;SACzC,CAAC,CAAC;QAEH,4CAA4C;QAC5C,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,aAAa,CAAC;YAC9D,QAAQ;YACR,MAAM,EAAE,UAAU,CAAC,QAAQ,CAAC,OAAO;YACnC,KAAK,EAAE,UAAU,CAAC,QAAQ,CAAC,KAAK;SACjC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;YACb,MAAM,EAAE;gBACN,GAAG,mBAAmB;gBACtB,aAAa,EAAE,YAAY;aAC5B;SACF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,oBAAoB,CACxB,YAAoB,EACpB,QAAgB,EAChB,KAAc;QAEd,0CAA0C;QAC1C,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;QAEzF,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,kCAAkC;iBACtD;aACF,CAAC;QACJ,CAAC;QAED,oDAAoD;QACpD,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,aAAa,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QAE1F,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;YACjD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,uBAAuB;iBAC3C;aACF,CAAC;QACJ,CAAC;QAED,wCAAwC;QACxC,MAAM,cAAc,GAAG,KAAK,IAAI,WAAW,CAAC,SAAS,CAAC,KAAK,CAAC;QAE5D,4BAA4B;QAC5B,MAAM,mBAAmB,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,mBAAmB,CAAC;YACtE,QAAQ;YACR,MAAM,EAAE,WAAW,CAAC,SAAS,CAAC,OAAO;YACrC,KAAK,EAAE,cAAc;YACrB,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;SAC7B,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;YACb,MAAM,EAAE;gBACN,GAAG,mBAAmB;gBACtB,aAAa,EAAE,eAAe;aAC/B;SACF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,iBAAiB,CAAC,KAAa,EAAE,gBAAyB;QAC9D,OAAO,IAAI,CAAC,YAAY,CAAC,iBAAiB,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACtE,CAAC;IAED;;;OAGG;IACH,sBAAsB,CAAC,MAA0B;QAC/C,OAAO,IAAI,CAAC,YAAY,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC;IAC1D,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CACpB,QAAgB,EAChB,QAAgB;QAEhB,mCAAmC;QACnC,MAAM,GAAG,GAAG,QAAQ,CAAC;QACrB,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC;QAE7E,kCAAkC;QAClC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;YACvD,QAAQ,CAAC,KAAK,GAAG,CAAC,CAAC;QACrB,CAAC;QAED,IAAI,QAAQ,CAAC,KAAK,IAAI,CAAC,EAAE,CAAC;YACxB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,kDAAkD,EAAE,CAAC;QACvF,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,QAAQ,CAAC,KAAK,EAAE,CAAC;YACjB,QAAQ,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YACtC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC;QACnE,CAAC;QAED,iEAAiE;QACjE,wDAAwD;QACxD,uCAAuC;QACvC,MAAM,YAAY,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzE,IAAI,YAAY,KAAK,IAAI,CAAC,YAAY,EAAE,CAAC;YACvC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACjB,QAAQ,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YACtC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC;QACnE,CAAC;QAED,kCAAkC;QAClC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAE/B,iBAAiB;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEzD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,SAAiB;QAC/B,OAAO,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,SAAiB;QACtB,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,UAAkB,EAAE,aAAqB;QAChD,MAAM,WAAW,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC1C,OAAO,WAAW,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,oBAAoB,CAAC,MAAc;QACjC,OAAO,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,iBAAiB,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YACzE,KAAK;YACL,WAAW,EAAE,iBAAiB,CAAC,KAAuC,CAAC;SACxE,CAAC,CAAC,CAAC;IACN,CAAC;CACF;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAyB;IAEzB,MAAM,MAAM,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;IAC1B,OAAO,MAAM,CAAC;AAChB,CAAC"}