@shin1ohno/sage 0.2.4 → 0.5.3

package/dist/oauth/pkce.d.ts

@@ -0,0 +1,48 @@
+/**
+ * OAuth PKCE (S256) Implementation
+ * Requirements: 21.2, 26.4
+ *
+ * Implements PKCE (Proof Key for Code Exchange) using S256 method.
+ * Based on RFC 7636.
+ */
+import { CodeChallengeMethod } from './types.js';
+/**
+ * Generate a cryptographically random code verifier
+ *
+ * @param length - Length of the verifier (default: 64, min: 43, max: 128)
+ * @returns A random code verifier string
+ */
+export declare function generateCodeVerifier(length?: number): string;
+/**
+ * Generate a code challenge from a code verifier using S256 method
+ *
+ * S256: BASE64URL(SHA256(code_verifier))
+ *
+ * @param codeVerifier - The code verifier to hash
+ * @returns Base64URL encoded SHA256 hash of the verifier
+ */
+export declare function generateCodeChallenge(codeVerifier: string): string;
+/**
+ * Verify a code verifier against a code challenge
+ *
+ * @param codeVerifier - The code verifier from the token request
+ * @param codeChallenge - The code challenge from the authorization request
+ * @param method - The code challenge method (only 'S256' is supported)
+ * @returns True if the verifier matches the challenge
+ */
+export declare function verifyCodeChallenge(codeVerifier: string, codeChallenge: string, method: CodeChallengeMethod): boolean;
+/**
+ * Validate code verifier format
+ *
+ * @param codeVerifier - The code verifier to validate
+ * @returns True if the verifier has valid format
+ */
+export declare function isValidCodeVerifier(codeVerifier: string): boolean;
+/**
+ * Validate code challenge format
+ *
+ * @param codeChallenge - The code challenge to validate
+ * @returns True if the challenge has valid format
+ */
+export declare function isValidCodeChallenge(codeChallenge: string): boolean;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/oauth/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/oauth/pkce.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAkBjD;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,GAAE,MAAgC,GAAG,MAAM,CAYrF;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CASlE;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,YAAY,EAAE,MAAM,EACpB,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAQT;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAajE;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAanE"}

package/dist/oauth/pkce.js

@@ -0,0 +1,106 @@
+/**
+ * OAuth PKCE (S256) Implementation
+ * Requirements: 21.2, 26.4
+ *
+ * Implements PKCE (Proof Key for Code Exchange) using S256 method.
+ * Based on RFC 7636.
+ */
+import { createHash, randomBytes } from 'crypto';
+/**
+ * Characters allowed in code verifier (unreserved characters per RFC 7636)
+ */
+const UNRESERVED_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~';
+/**
+ * Default code verifier length
+ */
+const DEFAULT_VERIFIER_LENGTH = 64;
+/**
+ * Minimum and maximum verifier length per RFC 7636
+ */
+const MIN_VERIFIER_LENGTH = 43;
+const MAX_VERIFIER_LENGTH = 128;
+/**
+ * Generate a cryptographically random code verifier
+ *
+ * @param length - Length of the verifier (default: 64, min: 43, max: 128)
+ * @returns A random code verifier string
+ */
+export function generateCodeVerifier(length = DEFAULT_VERIFIER_LENGTH) {
+    // Clamp length to valid range
+    const validLength = Math.max(MIN_VERIFIER_LENGTH, Math.min(MAX_VERIFIER_LENGTH, length));
+    const bytes = randomBytes(validLength);
+    let verifier = '';
+    for (let i = 0; i < validLength; i++) {
+        verifier += UNRESERVED_CHARS[bytes[i] % UNRESERVED_CHARS.length];
+    }
+    return verifier;
+}
+/**
+ * Generate a code challenge from a code verifier using S256 method
+ *
+ * S256: BASE64URL(SHA256(code_verifier))
+ *
+ * @param codeVerifier - The code verifier to hash
+ * @returns Base64URL encoded SHA256 hash of the verifier
+ */
+export function generateCodeChallenge(codeVerifier) {
+    // Calculate SHA256 hash
+    const hash = createHash('sha256').update(codeVerifier, 'ascii').digest();
+    // Convert to base64url encoding (no padding)
+    const base64 = hash.toString('base64');
+    const base64url = base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+    return base64url;
+}
+/**
+ * Verify a code verifier against a code challenge
+ *
+ * @param codeVerifier - The code verifier from the token request
+ * @param codeChallenge - The code challenge from the authorization request
+ * @param method - The code challenge method (only 'S256' is supported)
+ * @returns True if the verifier matches the challenge
+ */
+export function verifyCodeChallenge(codeVerifier, codeChallenge, method) {
+    if (method !== 'S256') {
+        throw new Error('Only S256 code challenge method is supported');
+    }
+    // Generate challenge from verifier and compare
+    const expectedChallenge = generateCodeChallenge(codeVerifier);
+    return expectedChallenge === codeChallenge;
+}
+/**
+ * Validate code verifier format
+ *
+ * @param codeVerifier - The code verifier to validate
+ * @returns True if the verifier has valid format
+ */
+export function isValidCodeVerifier(codeVerifier) {
+    if (!codeVerifier) {
+        return false;
+    }
+    // Check length
+    if (codeVerifier.length < MIN_VERIFIER_LENGTH || codeVerifier.length > MAX_VERIFIER_LENGTH) {
+        return false;
+    }
+    // Check characters (unreserved characters only)
+    const validPattern = /^[A-Za-z0-9\-._~]+$/;
+    return validPattern.test(codeVerifier);
+}
+/**
+ * Validate code challenge format
+ *
+ * @param codeChallenge - The code challenge to validate
+ * @returns True if the challenge has valid format
+ */
+export function isValidCodeChallenge(codeChallenge) {
+    if (!codeChallenge) {
+        return false;
+    }
+    // S256 challenge should be base64url encoded SHA256 hash (43 characters)
+    if (codeChallenge.length !== 43) {
+        return false;
+    }
+    // Check base64url format (no padding)
+    const validPattern = /^[A-Za-z0-9\-_]+$/;
+    return validPattern.test(codeChallenge);
+}
+//# sourceMappingURL=pkce.js.map

package/dist/oauth/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/oauth/pkce.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAGjD;;GAEG;AACH,MAAM,gBAAgB,GAAG,oEAAoE,CAAC;AAE9F;;GAEG;AACH,MAAM,uBAAuB,GAAG,EAAE,CAAC;AAEnC;;GAEG;AACH,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAC/B,MAAM,mBAAmB,GAAG,GAAG,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,SAAiB,uBAAuB;IAC3E,8BAA8B;IAC9B,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,mBAAmB,EAAE,IAAI,CAAC,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC,CAAC;IAEzF,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IACvC,IAAI,QAAQ,GAAG,EAAE,CAAC;IAElB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,QAAQ,IAAI,gBAAgB,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACnE,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,YAAoB;IACxD,wBAAwB;IACxB,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;IAEzE,6CAA6C;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACvC,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAEpF,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,YAAoB,EACpB,aAAqB,EACrB,MAA2B;IAE3B,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,+CAA+C;IAC/C,MAAM,iBAAiB,GAAG,qBAAqB,CAAC,YAAY,CAAC,CAAC;IAC9D,OAAO,iBAAiB,KAAK,aAAa,CAAC;AAC7C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,YAAoB;IACtD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,eAAe;IACf,IAAI,YAAY,CAAC,MAAM,GAAG,mBAAmB,IAAI,YAAY,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;QAC3F,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gDAAgD;IAChD,MAAM,YAAY,GAAG,qBAAqB,CAAC;IAC3C,OAAO,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AACzC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,aAAqB;IACxD,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,yEAAyE;IACzE,IAAI,aAAa,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,sCAAsC;IACtC,MAAM,YAAY,GAAG,mBAAmB,CAAC;IACzC,OAAO,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;AAC1C,CAAC"}

package/dist/oauth/refresh-token-store.d.ts

@@ -0,0 +1,45 @@
+/**
+ * OAuth Refresh Token Store
+ * Requirements: 21.6, 26.3, 26.8
+ *
+ * Manages refresh token generation, storage, validation, and rotation.
+ */
+import { RefreshToken } from './types.js';
+/**
+ * Configuration for Refresh Token Store
+ */
+export interface RefreshTokenStoreConfig {
+    expirySeconds: number;
+}
+/**
+ * Options for generating a refresh token
+ */
+export interface GenerateRefreshTokenOptions {
+    clientId: string;
+    userId: string;
+    scope: string;
+}
+/**
+ * Result of validating a refresh token
+ */
+export interface RefreshTokenValidationResult {
+    valid: boolean;
+    tokenData?: RefreshToken;
+    error?: string;
+}
+/**
+ * Refresh Token Store Interface
+ */
+export interface RefreshTokenStore {
+    generateToken(options: GenerateRefreshTokenOptions): Promise<string>;
+    validateToken(token: string, clientId: string): Promise<RefreshTokenValidationResult>;
+    rotateToken(token: string, clientId: string): Promise<string | null>;
+    revokeToken(token: string): Promise<void>;
+    revokeAllForClient(clientId: string): Promise<void>;
+    cleanup(): Promise<number>;
+}
+/**
+ * Create a Refresh Token Store instance
+ */
+export declare function createRefreshTokenStore(config: RefreshTokenStoreConfig): RefreshTokenStore;
+//# sourceMappingURL=refresh-token-store.d.ts.map

package/dist/oauth/refresh-token-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token-store.d.ts","sourceRoot":"","sources":["../../src/oauth/refresh-token-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE1C;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,KAAK,EAAE,OAAO,CAAC;IACf,SAAS,CAAC,EAAE,YAAY,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,aAAa,CAAC,OAAO,EAAE,2BAA2B,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACrE,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,4BAA4B,CAAC,CAAC;IACtF,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACrE,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1C,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAC5B;AA6GD;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,uBAAuB,GAAG,iBAAiB,CAE1F"}

package/dist/oauth/refresh-token-store.js

@@ -0,0 +1,98 @@
+/**
+ * OAuth Refresh Token Store
+ * Requirements: 21.6, 26.3, 26.8
+ *
+ * Manages refresh token generation, storage, validation, and rotation.
+ */
+import { randomBytes } from 'crypto';
+/**
+ * In-memory Refresh Token Store Implementation
+ */
+class InMemoryRefreshTokenStore {
+    tokens = new Map();
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    async generateToken(options) {
+        // Generate secure random token
+        const token = randomBytes(32).toString('base64url');
+        const now = Date.now();
+        const expiresAt = now + this.config.expirySeconds * 1000;
+        const tokenData = {
+            token,
+            client_id: options.clientId,
+            user_id: options.userId,
+            scope: options.scope,
+            created_at: now,
+            expires_at: expiresAt,
+            rotated: false,
+        };
+        this.tokens.set(token, tokenData);
+        return token;
+    }
+    async validateToken(token, clientId) {
+        const tokenData = this.tokens.get(token);
+        if (!tokenData) {
+            return { valid: false, error: 'invalid_grant' };
+        }
+        // Check if token has been rotated
+        if (tokenData.rotated) {
+            return { valid: false, error: 'invalid_grant' };
+        }
+        // Check if token has expired
+        if (Date.now() > tokenData.expires_at) {
+            this.tokens.delete(token);
+            return { valid: false, error: 'invalid_grant' };
+        }
+        // Verify client_id matches
+        if (tokenData.client_id !== clientId) {
+            return { valid: false, error: 'invalid_grant' };
+        }
+        return { valid: true, tokenData };
+    }
+    async rotateToken(token, clientId) {
+        const validationResult = await this.validateToken(token, clientId);
+        if (!validationResult.valid || !validationResult.tokenData) {
+            return null;
+        }
+        // Mark old token as rotated (Requirement 26.8)
+        const oldTokenData = this.tokens.get(token);
+        oldTokenData.rotated = true;
+        // Generate new token with same scope
+        const newToken = await this.generateToken({
+            clientId: validationResult.tokenData.client_id,
+            userId: validationResult.tokenData.user_id,
+            scope: validationResult.tokenData.scope,
+        });
+        return newToken;
+    }
+    async revokeToken(token) {
+        this.tokens.delete(token);
+    }
+    async revokeAllForClient(clientId) {
+        for (const [token, data] of this.tokens.entries()) {
+            if (data.client_id === clientId) {
+                this.tokens.delete(token);
+            }
+        }
+    }
+    async cleanup() {
+        const now = Date.now();
+        let cleanedCount = 0;
+        for (const [token, data] of this.tokens.entries()) {
+            if (data.expires_at < now || data.rotated) {
+                this.tokens.delete(token);
+                cleanedCount++;
+            }
+        }
+        return cleanedCount;
+    }
+}
+/**
+ * Create a Refresh Token Store instance
+ */
+export function createRefreshTokenStore(config) {
+    return new InMemoryRefreshTokenStore(config);
+}
+//# sourceMappingURL=refresh-token-store.js.map

package/dist/oauth/refresh-token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-token-store.js","sourceRoot":"","sources":["../../src/oauth/refresh-token-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAwCrC;;GAEG;AACH,MAAM,yBAAyB;IACrB,MAAM,GAA8B,IAAI,GAAG,EAAE,CAAC;IAC9C,MAAM,CAA0B;IAExC,YAAY,MAA+B;QACzC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAoC;QACtD,+BAA+B;QAC/B,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAEpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,aAAa,GAAG,IAAI,CAAC;QAEzD,MAAM,SAAS,GAAiB;YAC9B,KAAK;YACL,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,OAAO,EAAE,OAAO,CAAC,MAAM;YACvB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,UAAU,EAAE,GAAG;YACf,UAAU,EAAE,SAAS;YACrB,OAAO,EAAE,KAAK;SACf,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;QAElC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAAa,EAAE,QAAgB;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAEzC,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAClD,CAAC;QAED,kCAAkC;QAClC,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;YACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAClD,CAAC;QAED,6BAA6B;QAC7B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,UAAU,EAAE,CAAC;YACtC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC1B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAClD,CAAC;QAED,2BAA2B;QAC3B,IAAI,SAAS,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YACrC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAClD,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa,EAAE,QAAgB;QAC/C,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAEnE,IAAI,CAAC,gBAAgB,CAAC,KAAK,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,CAAC;YAC3D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,+CAA+C;QAC/C,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAE,CAAC;QAC7C,YAAY,CAAC,OAAO,GAAG,IAAI,CAAC;QAE5B,qCAAqC;QACrC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC;YACxC,QAAQ,EAAE,gBAAgB,CAAC,SAAS,CAAC,SAAS;YAC9C,MAAM,EAAE,gBAAgB,CAAC,SAAS,CAAC,OAAO;YAC1C,KAAK,EAAE,gBAAgB,CAAC,SAAS,CAAC,KAAK;SACxC,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,QAAgB;QACvC,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;YAClD,IAAI,IAAI,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAChC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,YAAY,GAAG,CAAC,CAAC;QAErB,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;YAClD,IAAI,IAAI,CAAC,UAAU,GAAG,GAAG,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBAC1C,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC1B,YAAY,EAAE,CAAC;YACjB,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAA+B;IACrE,OAAO,IAAI,yBAAyB,CAAC,MAAM,CAAC,CAAC;AAC/C,CAAC"}

package/dist/oauth/token-service.d.ts

@@ -0,0 +1,46 @@
+/**
+ * OAuth Token Service
+ * Requirements: 21.4, 21.5, 26.6, 26.7, 27.1-27.5
+ *
+ * Implements JWT access token generation and verification using RS256 signing.
+ */
+import { TokenResponse, VerifyTokenResult } from './types.js';
+/**
+ * Token Service Configuration
+ */
+export interface TokenServiceConfig {
+    issuer: string;
+    privateKey: string;
+    publicKey: string;
+    accessTokenExpiry: string;
+}
+/**
+ * Access Token Generation Options
+ */
+export interface GenerateAccessTokenOptions {
+    clientId: string;
+    userId: string;
+    scope: string;
+    audience: string;
+}
+/**
+ * Token Service Interface
+ */
+export interface TokenService {
+    generateAccessToken(options: GenerateAccessTokenOptions): Promise<TokenResponse>;
+    verifyAccessToken(token: string, expectedAudience?: string): Promise<VerifyTokenResult>;
+    extractTokenFromHeader(header: string | undefined): string | null;
+}
+/**
+ * Create a Token Service instance
+ */
+export declare function createTokenService(config: TokenServiceConfig): TokenService;
+/**
+ * Generate RSA key pair for JWT signing
+ * Requirement: RS256 signing
+ */
+export declare function generateKeyPair(): Promise<{
+    privateKey: string;
+    publicKey: string;
+}>;
+//# sourceMappingURL=token-service.d.ts.map

package/dist/oauth/token-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-service.d.ts","sourceRoot":"","sources":["../../src/oauth/token-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAqB,aAAa,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEjF;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,mBAAmB,CAAC,OAAO,EAAE,0BAA0B,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACjF,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACxF,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAAC;CACnE;AAgND;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,kBAAkB,GAAG,YAAY,CAE3E;AAED;;;GAGG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAc1F"}

package/dist/oauth/token-service.js

@@ -0,0 +1,199 @@
+/**
+ * OAuth Token Service
+ * Requirements: 21.4, 21.5, 26.6, 26.7, 27.1-27.5
+ *
+ * Implements JWT access token generation and verification using RS256 signing.
+ */
+import { createSign, createVerify, generateKeyPairSync, randomUUID } from 'crypto';
+/**
+ * Parse duration string to seconds
+ * Supports: s (seconds), m (minutes), h (hours), d (days), w (weeks)
+ */
+function parseDuration(duration) {
+    const match = duration.match(/^(\d+)([smhdw])$/);
+    if (!match) {
+        throw new Error(`Invalid duration format: ${duration}`);
+    }
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+    switch (unit) {
+        case 's':
+            return value;
+        case 'm':
+            return value * 60;
+        case 'h':
+            return value * 3600;
+        case 'd':
+            return value * 86400;
+        case 'w':
+            return value * 604800;
+        default:
+            throw new Error(`Unknown duration unit: ${unit}`);
+    }
+}
+/**
+ * Base64URL encode a string
+ */
+function base64UrlEncode(data) {
+    const base64 = typeof data === 'string' ? Buffer.from(data).toString('base64') : data.toString('base64');
+    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+/**
+ * Base64URL decode a string
+ */
+function base64UrlDecode(data) {
+    // Add padding if needed
+    const padding = 4 - (data.length % 4);
+    const padded = padding < 4 ? data + '='.repeat(padding) : data;
+    const base64 = padded.replace(/-/g, '+').replace(/_/g, '/');
+    return Buffer.from(base64, 'base64');
+}
+/**
+ * Create JWT token using RS256
+ */
+function createJWT(payload, privateKey) {
+    // Header
+    const header = {
+        alg: 'RS256',
+        typ: 'JWT',
+    };
+    // Encode header and payload
+    const encodedHeader = base64UrlEncode(JSON.stringify(header));
+    const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+    // Create signature input
+    const signatureInput = `${encodedHeader}.${encodedPayload}`;
+    // Sign using RS256
+    const sign = createSign('RSA-SHA256');
+    sign.update(signatureInput);
+    const signature = sign.sign(privateKey);
+    // Encode signature
+    const encodedSignature = base64UrlEncode(signature);
+    return `${signatureInput}.${encodedSignature}`;
+}
+/**
+ * Verify JWT token using RS256
+ */
+function verifyJWT(token, publicKey) {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+        return { valid: false, error: 'Invalid token format' };
+    }
+    const [encodedHeader, encodedPayload, encodedSignature] = parts;
+    try {
+        // Decode and verify header
+        const header = JSON.parse(base64UrlDecode(encodedHeader).toString());
+        if (header.alg !== 'RS256') {
+            return { valid: false, error: 'Invalid algorithm' };
+        }
+        // Verify signature
+        const signatureInput = `${encodedHeader}.${encodedPayload}`;
+        const signature = base64UrlDecode(encodedSignature);
+        const verify = createVerify('RSA-SHA256');
+        verify.update(signatureInput);
+        const isValid = verify.verify(publicKey, signature);
+        if (!isValid) {
+            return { valid: false, error: 'Invalid signature' };
+        }
+        // Decode payload
+        const payload = JSON.parse(base64UrlDecode(encodedPayload).toString());
+        return { valid: true, payload };
+    }
+    catch (error) {
+        return { valid: false, error: error instanceof Error ? error.message : 'Token verification failed' };
+    }
+}
+/**
+ * Token Service Implementation
+ */
+class TokenServiceImpl {
+    config;
+    expirySeconds;
+    constructor(config) {
+        this.config = config;
+        this.expirySeconds = parseDuration(config.accessTokenExpiry);
+    }
+    async generateAccessToken(options) {
+        const now = Math.floor(Date.now() / 1000);
+        const exp = now + this.expirySeconds;
+        const claims = {
+            iss: this.config.issuer,
+            sub: options.userId,
+            aud: options.audience,
+            exp,
+            iat: now,
+            jti: randomUUID(),
+            client_id: options.clientId,
+            scope: options.scope,
+        };
+        const accessToken = createJWT(claims, this.config.privateKey);
+        return {
+            access_token: accessToken,
+            token_type: 'Bearer',
+            expires_in: this.expirySeconds,
+            scope: options.scope,
+        };
+    }
+    async verifyAccessToken(token, expectedAudience) {
+        const result = verifyJWT(token, this.config.publicKey);
+        if (!result.valid) {
+            return { valid: false, error: result.error };
+        }
+        const payload = result.payload;
+        // Verify issuer
+        if (payload.iss !== this.config.issuer) {
+            return { valid: false, error: 'Invalid issuer' };
+        }
+        // Verify expiration
+        const now = Math.floor(Date.now() / 1000);
+        if (payload.exp < now) {
+            return { valid: false, error: 'Token expired' };
+        }
+        // Verify audience if specified
+        if (expectedAudience && payload.aud !== expectedAudience) {
+            return { valid: false, error: 'Invalid audience' };
+        }
+        return { valid: true, claims: payload };
+    }
+    extractTokenFromHeader(header) {
+        if (!header) {
+            return null;
+        }
+        const parts = header.split(' ');
+        if (parts.length !== 2) {
+            return null;
+        }
+        if (parts[0].toLowerCase() !== 'bearer') {
+            return null;
+        }
+        const token = parts[1];
+        if (!token || token.trim() === '') {
+            return null;
+        }
+        return token;
+    }
+}
+/**
+ * Create a Token Service instance
+ */
+export function createTokenService(config) {
+    return new TokenServiceImpl(config);
+}
+/**
+ * Generate RSA key pair for JWT signing
+ * Requirement: RS256 signing
+ */
+export async function generateKeyPair() {
+    const { privateKey, publicKey } = generateKeyPairSync('rsa', {
+        modulusLength: 2048,
+        publicKeyEncoding: {
+            type: 'spki',
+            format: 'pem',
+        },
+        privateKeyEncoding: {
+            type: 'pkcs8',
+            format: 'pem',
+        },
+    });
+    return { privateKey, publicKey };
+}
+//# sourceMappingURL=token-service.js.map

package/dist/oauth/token-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-service.js","sourceRoot":"","sources":["../../src/oauth/token-service.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,mBAAmB,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAgCnF;;;GAGG;AACH,SAAS,aAAa,CAAC,QAAgB;IACrC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACjD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAEtB,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,GAAG;YACN,OAAO,KAAK,CAAC;QACf,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,IAAI,CAAC;QACtB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,KAAK,CAAC;QACvB,KAAK,GAAG;YACN,OAAO,KAAK,GAAG,MAAM,CAAC;QACxB;YACE,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,EAAE,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAqB;IAC5C,MAAM,MAAM,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzG,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAY;IACnC,wBAAwB;IACxB,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC5D,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAC,OAAgC,EAAE,UAAkB;IACrE,SAAS;IACT,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,KAAK;KACX,CAAC;IAEF,4BAA4B;IAC5B,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAC9D,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAEhE,yBAAyB;IACzB,MAAM,cAAc,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;IAE5D,mBAAmB;IACnB,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACtC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IAC5B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAExC,mBAAmB;IACnB,MAAM,gBAAgB,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IAEpD,OAAO,GAAG,cAAc,IAAI,gBAAgB,EAAE,CAAC;AACjD,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAChB,KAAa,EACb,SAAiB;IAEjB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,aAAa,EAAE,cAAc,EAAE,gBAAgB,CAAC,GAAG,KAAK,CAAC;IAEhE,IAAI,CAAC;QACH,2BAA2B;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QACrE,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACtD,CAAC;QAED,mBAAmB;QACnB,MAAM,cAAc,GAAG,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;QAC5D,MAAM,SAAS,GAAG,eAAe,CAAC,gBAAgB,CAAC,CAAC;QAEpD,MAAM,MAAM,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC9B,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAEpD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACtD,CAAC;QAED,iBAAiB;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEvE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAClC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,2BAA2B,EAAE,CAAC;IACvG,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,gBAAgB;IACZ,MAAM,CAAqB;IAC3B,aAAa,CAAS;IAE9B,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,OAAmC;QAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC;QAErC,MAAM,MAAM,GAAsB;YAChC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YACvB,GAAG,EAAE,OAAO,CAAC,MAAM;YACnB,GAAG,EAAE,OAAO,CAAC,QAAQ;YACrB,GAAG;YACH,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,UAAU,EAAE;YACjB,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC;QAEF,MAAM,WAAW,GAAG,SAAS,CAAC,MAA4C,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAEpG,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,IAAI,CAAC,aAAa;YAC9B,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,KAAa,EAAE,gBAAyB;QAC9D,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAEvD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;QAC/C,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,CAAC,OAAuC,CAAC;QAE/D,gBAAgB;QAChB,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACvC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC;QACnD,CAAC;QAED,oBAAoB;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAClD,CAAC;QAED,+BAA+B;QAC/B,IAAI,gBAAgB,IAAI,OAAO,CAAC,GAAG,KAAK,gBAAgB,EAAE,CAAC;YACzD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;QACrD,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC1C,CAAC;IAED,sBAAsB,CAAC,MAA0B;QAC/C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACvB,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAA0B;IAC3D,OAAO,IAAI,gBAAgB,CAAC,MAAM,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,KAAK,EAAE;QAC3D,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE;YACjB,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,KAAK;SACd;QACD,kBAAkB,EAAE;YAClB,IAAI,EAAE,OAAO;YACb,MAAM,EAAE,KAAK;SACd;KACF,CAAC,CAAC;IAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;AACnC,CAAC"}