@slashfi/agents-sdk 0.24.2 → 0.24.4

package/dist/cjs/jwt.js

@@ -0,0 +1,207 @@
+"use strict";
+/**
+ * JWT utilities for auth tokens.
+ *
+ * Supports two modes:
+ * - ES256 (asymmetric) — for production / cross-registry trust
+ * - HS256 (HMAC) — for backward compat / simple single-server setups
+ *
+ * Uses `jose` library for all crypto operations.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateSigningKey = generateSigningKey;
+exports.exportSigningKey = exportSigningKey;
+exports.importSigningKey = importSigningKey;
+exports.buildJwks = buildJwks;
+exports.signJwtES256 = signJwtES256;
+exports.verifyJwtLocal = verifyJwtLocal;
+exports.verifyJwtFromIssuer = verifyJwtFromIssuer;
+exports.signJwt = signJwt;
+exports.verifyJwt = verifyJwt;
+const jose_1 = require("jose");
+// ============================================
+// Key Generation
+// ============================================
+/**
+ * Generate a new ES256 signing key pair.
+ */
+async function generateSigningKey(kid) {
+    const { privateKey, publicKey } = await (0, jose_1.generateKeyPair)("ES256", {
+        extractable: true,
+    });
+    return {
+        kid: kid ?? `key-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+        privateKey,
+        publicKey,
+        alg: "ES256",
+        status: "active",
+        createdAt: Date.now(),
+    };
+}
+/**
+ * Export a signing key to JWK format (for storage).
+ */
+async function exportSigningKey(key) {
+    const privateKeyJwk = await (0, jose_1.exportJWK)(key.privateKey);
+    const publicKeyJwk = await (0, jose_1.exportJWK)(key.publicKey);
+    return {
+        kid: key.kid,
+        alg: key.alg,
+        privateKeyJwk,
+        publicKeyJwk,
+        status: key.status,
+        createdAt: key.createdAt,
+    };
+}
+/**
+ * Import a signing key from stored JWK format.
+ */
+async function importSigningKey(exported) {
+    const privateKey = (await (0, jose_1.importJWK)(exported.privateKeyJwk, exported.alg));
+    const publicKey = (await (0, jose_1.importJWK)(exported.publicKeyJwk, exported.alg));
+    return {
+        kid: exported.kid,
+        privateKey,
+        publicKey,
+        alg: exported.alg,
+        status: exported.status,
+        createdAt: exported.createdAt,
+    };
+}
+/**
+ * Build a JWKS (JSON Web Key Set) from signing keys.
+ * Only includes public keys.
+ */
+async function buildJwks(keys) {
+    const jwks = [];
+    for (const key of keys) {
+        if (key.status === "revoked")
+            continue;
+        const jwk = await (0, jose_1.exportJWK)(key.publicKey);
+        jwk.kid = key.kid;
+        jwk.alg = key.alg;
+        jwk.use = "sig";
+        jwks.push(jwk);
+    }
+    return { keys: jwks };
+}
+// ============================================
+// Signing (ES256)
+// ============================================
+/**
+ * Sign a JWT with ES256 using the server's private key.
+ */
+async function signJwtES256(payload, privateKey, kid, issuer, expiresIn) {
+    let builder = new jose_1.SignJWT(payload)
+        .setProtectedHeader({ alg: "ES256", kid })
+        .setIssuedAt();
+    if (issuer)
+        builder = builder.setIssuer(issuer);
+    if (payload.sub)
+        builder = builder.setSubject(payload.sub);
+    if (expiresIn) {
+        builder = builder.setExpirationTime(expiresIn);
+    }
+    else if (payload.exp) {
+        builder = builder.setExpirationTime(payload.exp);
+    }
+    else {
+        builder = builder.setExpirationTime("1h");
+    }
+    return builder.sign(privateKey);
+}
+// ============================================
+// Verification
+// ============================================
+/**
+ * Verify a JWT against a local public key.
+ */
+async function verifyJwtLocal(token, publicKey) {
+    try {
+        const { payload } = await (0, jose_1.jwtVerify)(token, publicKey);
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+/** JWKS cache for remote issuers */
+const jwksCache = new Map();
+/**
+ * Verify a JWT against a remote issuer's JWKS.
+ * Fetches and caches the JWKS from the issuer's /.well-known/jwks.json
+ */
+async function verifyJwtFromIssuer(token, issuerUrl) {
+    try {
+        const jwksUrl = `${issuerUrl.replace(/\/$/, "")}/.well-known/jwks.json`;
+        let jwks = jwksCache.get(jwksUrl);
+        if (!jwks) {
+            jwks = (0, jose_1.createRemoteJWKSet)(new URL(jwksUrl));
+            jwksCache.set(jwksUrl, jwks);
+        }
+        const { payload } = await (0, jose_1.jwtVerify)(token, jwks);
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+// ============================================
+// Legacy HMAC (backward compat)
+// ============================================
+const encoder = new TextEncoder();
+function base64UrlEncode(data) {
+    const str = btoa(String.fromCharCode(...data));
+    return str.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlDecode(str) {
+    const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+    const binary = atob(padded);
+    return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+async function hmacSign(data, secret) {
+    const key = await crypto.subtle.importKey("raw", encoder.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+    const sig = await crypto.subtle.sign("HMAC", key, encoder.encode(data));
+    return new Uint8Array(sig);
+}
+async function hmacVerify(data, signature, secret) {
+    const key = await crypto.subtle.importKey("raw", encoder.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["verify"]);
+    return crypto.subtle.verify("HMAC", key, signature.buffer, encoder.encode(data));
+}
+/**
+ * Sign a JWT with HMAC-SHA256 (legacy).
+ * @deprecated Use signJwtES256 for new code.
+ */
+async function signJwt(payload, secret) {
+    const header = { alg: "HS256", typ: "JWT" };
+    const headerB64 = base64UrlEncode(encoder.encode(JSON.stringify(header)));
+    const payloadB64 = base64UrlEncode(encoder.encode(JSON.stringify(payload)));
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const signature = await hmacSign(signingInput, secret);
+    return `${signingInput}.${base64UrlEncode(signature)}`;
+}
+/**
+ * Verify and decode a JWT (HMAC-SHA256, legacy).
+ * @deprecated Use verifyJwtLocal or verifyJwtFromIssuer for new code.
+ */
+async function verifyJwt(token, secret) {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+        return null;
+    const [headerB64, payloadB64, signatureB64] = parts;
+    const signingInput = `${headerB64}.${payloadB64}`;
+    try {
+        const signature = base64UrlDecode(signatureB64);
+        const valid = await hmacVerify(signingInput, signature, secret);
+        if (!valid)
+            return null;
+        const payload = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadB64)));
+        if (payload.exp && payload.exp < Date.now() / 1000)
+            return null;
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=jwt.js.map

package/dist/cjs/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../src/jwt.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AAwEH,gDAYC;AAKD,4CAaC;AAKD,4CAmBC;AAMD,8BAWC;AASD,oCAyBC;AASD,wCAUC;AASD,kDAgBC;AA0DD,0BAUC;AAMD,8BAoBC;AAzTD,+BASc;AAsDd,+CAA+C;AAC/C,iBAAiB;AACjB,+CAA+C;AAE/C;;GAEG;AACI,KAAK,UAAU,kBAAkB,CAAC,GAAY;IACnD,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,IAAA,sBAAe,EAAC,OAAO,EAAE;QAC/D,WAAW,EAAE,IAAI;KAClB,CAAC,CAAC;IACH,OAAO;QACL,GAAG,EAAE,GAAG,IAAI,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;QACzE,UAAU;QACV,SAAS;QACT,GAAG,EAAE,OAAO;QACZ,MAAM,EAAE,QAAQ;QAChB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;KACtB,CAAC;AACJ,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,gBAAgB,CACpC,GAAe;IAEf,MAAM,aAAa,GAAG,MAAM,IAAA,gBAAS,EAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,IAAA,gBAAS,EAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACpD,OAAO;QACL,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,GAAG,EAAE,GAAG,CAAC,GAAG;QACZ,aAAa;QACb,YAAY;QACZ,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,SAAS,EAAE,GAAG,CAAC,SAAS;KACzB,CAAC;AACJ,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,gBAAgB,CACpC,QAAyB;IAEzB,MAAM,UAAU,GAAG,CAAC,MAAM,IAAA,gBAAS,EACjC,QAAQ,CAAC,aAAa,EACtB,QAAQ,CAAC,GAAG,CACb,CAAc,CAAC;IAChB,MAAM,SAAS,GAAG,CAAC,MAAM,IAAA,gBAAS,EAChC,QAAQ,CAAC,YAAY,EACrB,QAAQ,CAAC,GAAG,CACb,CAAc,CAAC;IAChB,OAAO;QACL,GAAG,EAAE,QAAQ,CAAC,GAAG;QACjB,UAAU;QACV,SAAS;QACT,GAAG,EAAE,QAAQ,CAAC,GAAG;QACjB,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,SAAS,EAAE,QAAQ,CAAC,SAAS;KAC9B,CAAC;AACJ,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,SAAS,CAAC,IAAkB;IAChD,MAAM,IAAI,GAAU,EAAE,CAAC;IACvB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS;YAAE,SAAS;QACvC,MAAM,GAAG,GAAG,MAAM,IAAA,gBAAS,EAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC3C,GAAG,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QAClB,GAAG,CAAC,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;QAClB,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC;QAChB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACjB,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACxB,CAAC;AAED,+CAA+C;AAC/C,kBAAkB;AAClB,+CAA+C;AAE/C;;GAEG;AACI,KAAK,UAAU,YAAY,CAChC,OAGC,EACD,UAAqB,EACrB,GAAW,EACX,MAAe,EACf,SAAkB;IAElB,IAAI,OAAO,GAAG,IAAI,cAAO,CAAC,OAAgC,CAAC;SACxD,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;SACzC,WAAW,EAAE,CAAC;IAEjB,IAAI,MAAM;QAAE,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,GAAG;QAAE,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3D,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,GAAG,OAAO,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;SAAM,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO,GAAG,OAAO,CAAC,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnD,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;AAClC,CAAC;AAED,+CAA+C;AAC/C,eAAe;AACf,+CAA+C;AAE/C;;GAEG;AACI,KAAK,UAAU,cAAc,CAClC,KAAa,EACb,SAAoB;IAEpB,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,SAAS,CAAC,CAAC;QACtD,OAAO,OAAqC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,oCAAoC;AACpC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAiD,CAAC;AAE3E;;;GAGG;AACI,KAAK,UAAU,mBAAmB,CACvC,KAAa,EACb,SAAiB;IAEjB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,wBAAwB,CAAC;QACxE,IAAI,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,GAAG,IAAA,yBAAkB,EAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;YAC5C,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC/B,CAAC;QACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAA,gBAAS,EAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACjD,OAAO,OAAqC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,+CAA+C;AAC/C,gCAAgC;AAChC,+CAA+C;AAE/C,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;AAElC,SAAS,eAAe,CAAC,IAAgB;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;IAC/C,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,OAAO,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,IAAY,EAAE,MAAc;IAClD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EACtB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IACxE,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,IAAY,EACZ,SAAqB,EACrB,MAAc;IAEd,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EACtB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;IACF,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CACzB,MAAM,EACN,GAAG,EACH,SAAS,CAAC,MAAqB,EAC/B,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CACrB,CAAC;AACJ,CAAC;AAKD;;;GAGG;AACI,KAAK,UAAU,OAAO,CAC3B,OAAwB,EACxB,MAAc;IAEd,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IAC5C,MAAM,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACvD,OAAO,GAAG,YAAY,IAAI,eAAe,CAAC,SAAS,CAAC,EAAE,CAAC;AACzD,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,SAAS,CAC7B,KAAa,EACb,MAAc;IAEd,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;IACpD,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAClD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,eAAe,CAAC,YAAY,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,YAAY,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QAChE,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACxB,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CACnC,CAAC;QACrB,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI;YAAE,OAAO,IAAI,CAAC;QAChE,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/cjs/key-manager.js

@@ -0,0 +1,161 @@
+"use strict";
+/**
+ * JWKS Key Manager
+ *
+ * Manages ES256 signing keys with automatic rotation and revocation.
+ * Store-agnostic — provide a KeyStore implementation for your DB.
+ *
+ * Features:
+ * - Automatic key rotation on a configurable schedule
+ * - Key lifecycle: active → deprecated → revoked → cleaned up
+ * - Multi-instance safe: checks DB before rotating (another instance may have already rotated)
+ * - Periodic background checks (configurable interval)
+ * - Exposes JWKS for /.well-known/jwks.json
+ * - Signs JWTs with the active key
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createKeyManager = createKeyManager;
+const jose_1 = require("jose");
+// ── Constants ──
+const FIVE_MINUTES = 5 * 60 * 1000;
+const ONE_HOUR = 60 * 60 * 1000;
+const TWO_HOURS = 2 * ONE_HOUR;
+const ALG = "ES256";
+// ── Key generation ──
+function generateKid() {
+    return `key-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+}
+async function generateNewKey(keyLifetimeMs) {
+    const { privateKey, publicKey } = await (0, jose_1.generateKeyPair)(ALG, {
+        extractable: true,
+    });
+    const kid = generateKid();
+    const publicJwk = await (0, jose_1.exportJWK)(publicKey);
+    publicJwk.kid = kid;
+    publicJwk.alg = ALG;
+    publicJwk.use = "sig";
+    const privateJwk = await (0, jose_1.exportJWK)(privateKey);
+    privateJwk.kid = kid;
+    privateJwk.alg = ALG;
+    return {
+        kid,
+        alg: ALG,
+        status: "active",
+        publicJwk,
+        privateJwk,
+        createdAt: new Date(),
+        expiresAt: new Date(Date.now() + keyLifetimeMs),
+    };
+}
+async function toCachedKey(stored) {
+    const privateKey = (await (0, jose_1.importJWK)(stored.privateJwk, ALG));
+    return { ...stored, privateKey };
+}
+// ── Key Manager ──
+async function createKeyManager(opts) {
+    const { store, issuer, checkIntervalMs = FIVE_MINUTES, rotationThresholdMs = ONE_HOUR, keyLifetimeMs = TWO_HOURS, tokenTtlSeconds = 300, enableRotation = true, } = opts;
+    let keys = [];
+    /** Generate a new key, deprecate old ones, cleanup expired, refresh cache — all in one transaction */
+    async function rotate() {
+        await store.transaction(async () => {
+            const newKey = await generateNewKey(keyLifetimeMs);
+            await store.deprecateAllActive();
+            await store.insertKey(newKey);
+            await store.cleanupExpired();
+            const updated = await store.loadKeys();
+            keys = await Promise.all(updated.map(toCachedKey));
+        });
+    }
+    /** Check if rotation is needed and rotate if so — all within a single transaction */
+    async function checkAndRotate() {
+        // Quick check against cache — no DB/store hit if key is fresh
+        const cached = keys.find((k) => k.status === "active");
+        if (cached) {
+            const age = Date.now() - cached.createdAt.getTime();
+            if (age < rotationThresholdMs)
+                return;
+        }
+        // Cache says stale (or empty) — take a lock via transaction to check + rotate atomically
+        await store.transaction(async () => {
+            const stored = await store.loadKeys();
+            const active = stored.find((k) => k.status === "active");
+            if (active) {
+                const age = Date.now() - active.createdAt.getTime();
+                if (age < rotationThresholdMs) {
+                    // Another instance already rotated — just update our cache
+                    keys = await Promise.all(stored.map(toCachedKey));
+                    return;
+                }
+            }
+            // Still stale (or no active key) — rotate within this tx
+            const newKey = await generateNewKey(keyLifetimeMs);
+            await store.deprecateAllActive();
+            await store.insertKey(newKey);
+            await store.cleanupExpired();
+            // Refresh cache inside the tx for a consistent read
+            const updated = await store.loadKeys();
+            keys = await Promise.all(updated.map(toCachedKey));
+        });
+    }
+    // Initial load + ensure we have at least one key
+    // Initial load from store
+    const stored = await store.loadKeys();
+    keys = await Promise.all(stored.map(toCachedKey));
+    if (!keys.some((k) => k.status === "active")) {
+        if (enableRotation) {
+            await rotate();
+        }
+        else {
+            // Read-only mode: generate a key in memory only (no store writes)
+            // This ensures signJwt works even without rotation enabled
+            const newKey = await generateNewKey(keyLifetimeMs);
+            keys.push(await toCachedKey(newKey));
+        }
+    }
+    else if (enableRotation) {
+        await checkAndRotate();
+    }
+    // Periodic background check (only if rotation enabled)
+    const interval = enableRotation
+        ? setInterval(async () => {
+            try {
+                await checkAndRotate();
+            }
+            catch (err) {
+                console.error("[key-manager] Check/rotation failed:", err);
+            }
+        }, checkIntervalMs)
+        : null;
+    function getActiveKey() {
+        const active = keys.find((k) => k.status === "active");
+        if (!active)
+            throw new Error("[key-manager] No active signing key");
+        return active;
+    }
+    return {
+        getJwks() {
+            return {
+                keys: keys
+                    .filter((k) => k.status !== "revoked")
+                    .map((k) => k.publicJwk),
+            };
+        },
+        async signJwt(claims) {
+            const key = getActiveKey();
+            return new jose_1.SignJWT({ ...claims })
+                .setProtectedHeader({ alg: ALG, kid: key.kid })
+                .setIssuer(issuer)
+                .setIssuedAt()
+                .setExpirationTime(`${tokenTtlSeconds}s`)
+                .sign(key.privateKey);
+        },
+        async rotate() {
+            await rotate();
+        },
+        stop() {
+            if (interval)
+                clearInterval(interval);
+        },
+    };
+}
+//# sourceMappingURL=key-manager.js.map

package/dist/cjs/key-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-manager.js","sourceRoot":"","sources":["../../src/key-manager.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AAsHH,4CA2HC;AA/OD,+BAAgF;AAsEhF,kBAAkB;AAElB,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AACnC,MAAM,QAAQ,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAChC,MAAM,SAAS,GAAG,CAAC,GAAG,QAAQ,CAAC;AAC/B,MAAM,GAAG,GAAG,OAAO,CAAC;AAEpB,uBAAuB;AAEvB,SAAS,WAAW;IAClB,OAAO,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;AACvE,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,aAAqB;IACjD,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,IAAA,sBAAe,EAAC,GAAG,EAAE;QAC3D,WAAW,EAAE,IAAI;KAClB,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;IAE1B,MAAM,SAAS,GAAG,MAAM,IAAA,gBAAS,EAAC,SAAS,CAAC,CAAC;IAC7C,SAAS,CAAC,GAAG,GAAG,GAAG,CAAC;IACpB,SAAS,CAAC,GAAG,GAAG,GAAG,CAAC;IACpB,SAAS,CAAC,GAAG,GAAG,KAAK,CAAC;IAEtB,MAAM,UAAU,GAAG,MAAM,IAAA,gBAAS,EAAC,UAAU,CAAC,CAAC;IAC/C,UAAU,CAAC,GAAG,GAAG,GAAG,CAAC;IACrB,UAAU,CAAC,GAAG,GAAG,GAAG,CAAC;IAErB,OAAO;QACL,GAAG;QACH,GAAG,EAAE,GAAG;QACR,MAAM,EAAE,QAAQ;QAChB,SAAS;QACT,UAAU;QACV,SAAS,EAAE,IAAI,IAAI,EAAE;QACrB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,CAAC;KAChD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,MAAiB;IAC1C,MAAM,UAAU,GAAG,CAAC,MAAM,IAAA,gBAAS,EAAC,MAAM,CAAC,UAAU,EAAE,GAAG,CAAC,CAAc,CAAC;IAC1E,OAAO,EAAE,GAAG,MAAM,EAAE,UAAU,EAAE,CAAC;AACnC,CAAC;AAED,oBAAoB;AAEb,KAAK,UAAU,gBAAgB,CACpC,IAAuB;IAEvB,MAAM,EACJ,KAAK,EACL,MAAM,EACN,eAAe,GAAG,YAAY,EAC9B,mBAAmB,GAAG,QAAQ,EAC9B,aAAa,GAAG,SAAS,EACzB,eAAe,GAAG,GAAG,EACrB,cAAc,GAAG,IAAI,GACtB,GAAG,IAAI,CAAC;IAET,IAAI,IAAI,GAAgB,EAAE,CAAC;IAE3B,sGAAsG;IACtG,KAAK,UAAU,MAAM;QACnB,MAAM,KAAK,CAAC,WAAW,CAAC,KAAK,IAAI,EAAE;YACjC,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,aAAa,CAAC,CAAC;YACnD,MAAM,KAAK,CAAC,kBAAkB,EAAE,CAAC;YACjC,MAAM,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAC9B,MAAM,KAAK,CAAC,cAAc,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC;YACvC,IAAI,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;IACL,CAAC;IAED,qFAAqF;IACrF,KAAK,UAAU,cAAc;QAC3B,8DAA8D;QAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;QACvD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;YACpD,IAAI,GAAG,GAAG,mBAAmB;gBAAE,OAAO;QACxC,CAAC;QAED,yFAAyF;QACzF,MAAM,KAAK,CAAC,WAAW,CAAC,KAAK,IAAI,EAAE;YACjC,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC;YACtC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;YAEzD,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;gBACpD,IAAI,GAAG,GAAG,mBAAmB,EAAE,CAAC;oBAC9B,2DAA2D;oBAC3D,IAAI,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;oBAClD,OAAO;gBACT,CAAC;YACH,CAAC;YAED,yDAAyD;YACzD,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,aAAa,CAAC,CAAC;YACnD,MAAM,KAAK,CAAC,kBAAkB,EAAE,CAAC;YACjC,MAAM,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAC9B,MAAM,KAAK,CAAC,cAAc,EAAE,CAAC;YAE7B,oDAAoD;YACpD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC;YACvC,IAAI,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;IACL,CAAC;IAED,iDAAiD;IACjD,0BAA0B;IAC1B,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC;IACtC,IAAI,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;IAClD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,EAAE,CAAC;QAC7C,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,MAAM,EAAE,CAAC;QACjB,CAAC;aAAM,CAAC;YACN,kEAAkE;YAClE,2DAA2D;YAC3D,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,aAAa,CAAC,CAAC;YACnD,IAAI,CAAC,IAAI,CAAC,MAAM,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;SAAM,IAAI,cAAc,EAAE,CAAC;QAC1B,MAAM,cAAc,EAAE,CAAC;IACzB,CAAC;IAED,uDAAuD;IACvD,MAAM,QAAQ,GAAG,cAAc;QAC7B,CAAC,CAAC,WAAW,CAAC,KAAK,IAAI,EAAE;YACrB,IAAI,CAAC;gBACH,MAAM,cAAc,EAAE,CAAC;YACzB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,sCAAsC,EAAE,GAAG,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC,EAAE,eAAe,CAAC;QACrB,CAAC,CAAC,IAAI,CAAC;IAET,SAAS,YAAY;QACnB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACpE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO;QACL,OAAO;YACL,OAAO;gBACL,IAAI,EAAE,IAAI;qBACP,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC;qBACrC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;aAC3B,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,OAAO,CAAC,MAA+B;YAC3C,MAAM,GAAG,GAAG,YAAY,EAAE,CAAC;YAC3B,OAAO,IAAI,cAAO,CAAC,EAAE,GAAG,MAAM,EAAS,CAAC;iBACrC,kBAAkB,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;iBAC9C,SAAS,CAAC,MAAM,CAAC;iBACjB,WAAW,EAAE;iBACb,iBAAiB,CAAC,GAAG,eAAe,GAAG,CAAC;iBACxC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC1B,CAAC;QAED,KAAK,CAAC,MAAM;YACV,MAAM,MAAM,EAAE,CAAC;QACjB,CAAC;QAED,IAAI;YACF,IAAI,QAAQ;gBAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;QACxC,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/cjs/oidc-signin.js

@@ -0,0 +1,141 @@
+"use strict";
+/**
+ * OIDC Sign-In Provider
+ *
+ * Implements the full OIDC authorization code flow for user sign-in.
+ * The server acts as an OIDC Relying Party — users authenticate with
+ * an external Identity Provider and receive a server-signed JWT.
+ *
+ * Flow:
+ *   GET  /signin/authorize  → 302 redirect to IdP
+ *   GET  /signin/callback   → exchange code → fetch userinfo → sign JWT → return
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createOIDCSignIn = createOIDCSignIn;
+const jwt_js_1 = require("./jwt.js");
+function createOIDCSignIn(config) {
+    let discoveryCache = null;
+    const pendingFlows = new Map();
+    async function fetchDiscovery() {
+        if (discoveryCache)
+            return discoveryCache;
+        const url = `${config.issuer}/.well-known/openid-configuration`;
+        const res = await fetch(url);
+        if (!res.ok)
+            throw new Error(`OIDC discovery failed: ${res.status}`);
+        discoveryCache = (await res.json());
+        return discoveryCache;
+    }
+    function generateState() {
+        const bytes = crypto.getRandomValues(new Uint8Array(24));
+        return Buffer.from(bytes).toString("base64url");
+    }
+    return {
+        async handleRequest(req, { baseUrl, signingKey, issuerUrl }) {
+            const url = new URL(req.url);
+            // ── GET /signin/authorize → redirect to IdP ──
+            if (url.pathname === "/signin/authorize" && req.method === "GET") {
+                const redirectUri = url.searchParams.get("redirect_uri") ?? "";
+                if (!redirectUri) {
+                    return Response.json({
+                        error: "invalid_request",
+                        error_description: "Missing redirect_uri",
+                    }, { status: 400 });
+                }
+                const discovery = await fetchDiscovery();
+                const state = generateState();
+                const nonce = generateState();
+                pendingFlows.set(state, {
+                    redirectUri,
+                    nonce,
+                    createdAt: Date.now(),
+                });
+                // Clean up stale flows (> 10 min)
+                const now = Date.now();
+                for (const [k, v] of pendingFlows) {
+                    if (now - v.createdAt > 600_000)
+                        pendingFlows.delete(k);
+                }
+                const scopes = config.scopes ?? ["openid", "email", "profile"];
+                const callbackUrl = `${baseUrl}/signin/callback`;
+                const authUrl = new URL(discovery.authorization_endpoint);
+                authUrl.searchParams.set("response_type", "code");
+                authUrl.searchParams.set("client_id", config.clientId);
+                authUrl.searchParams.set("redirect_uri", callbackUrl);
+                authUrl.searchParams.set("scope", scopes.join(" "));
+                authUrl.searchParams.set("state", state);
+                authUrl.searchParams.set("nonce", nonce);
+                return Response.redirect(authUrl.toString(), 302);
+            }
+            // ── GET /signin/callback → exchange code → userinfo → JWT ──
+            if (url.pathname === "/signin/callback" && req.method === "GET") {
+                const code = url.searchParams.get("code");
+                const state = url.searchParams.get("state");
+                const error = url.searchParams.get("error");
+                if (error) {
+                    return Response.json({
+                        error,
+                        error_description: url.searchParams.get("error_description") ?? "",
+                    }, { status: 400 });
+                }
+                if (!code || !state) {
+                    return Response.json({
+                        error: "invalid_request",
+                        error_description: "Missing code or state",
+                    }, { status: 400 });
+                }
+                const flow = pendingFlows.get(state);
+                if (!flow) {
+                    return Response.json({
+                        error: "invalid_state",
+                        error_description: "Unknown or expired state",
+                    }, { status: 400 });
+                }
+                pendingFlows.delete(state);
+                const discovery = await fetchDiscovery();
+                const callbackUrl = `${baseUrl}/signin/callback`;
+                // Exchange code for tokens
+                const tokenRes = await fetch(discovery.token_endpoint, {
+                    method: "POST",
+                    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                    body: new URLSearchParams({
+                        grant_type: "authorization_code",
+                        code,
+                        redirect_uri: callbackUrl,
+                        client_id: config.clientId,
+                        client_secret: config.clientSecret,
+                    }),
+                });
+                if (!tokenRes.ok) {
+                    const text = await tokenRes.text();
+                    return Response.json({ error: "token_exchange_failed", error_description: text }, { status: 502 });
+                }
+                const tokens = (await tokenRes.json());
+                // Fetch userinfo
+                const userinfoRes = await fetch(discovery.userinfo_endpoint, {
+                    headers: { Authorization: `Bearer ${tokens.access_token}` },
+                });
+                if (!userinfoRes.ok) {
+                    return Response.json({
+                        error: "userinfo_failed",
+                        error_description: `Status ${userinfoRes.status}`,
+                    }, { status: 502 });
+                }
+                const userinfo = (await userinfoRes.json());
+                // Sign server JWT with user's identity
+                const jwt = await (0, jwt_js_1.signJwtES256)({
+                    sub: userinfo.sub ?? "unknown",
+                    name: userinfo.name ?? "unknown",
+                    scopes: ["*"],
+                    iss: issuerUrl,
+                }, signingKey.privateKey, signingKey.kid, issuerUrl, "1h");
+                // Redirect back to the caller with the JWT
+                const sep = flow.redirectUri.includes("?") ? "&" : "?";
+                return Response.redirect(`${flow.redirectUri}${sep}token=${jwt}`, 302);
+            }
+            // Not a signin route
+            return null;
+        },
+    };
+}
+//# sourceMappingURL=oidc-signin.js.map

package/dist/cjs/oidc-signin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-signin.js","sourceRoot":"","sources":["../../src/oidc-signin.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;AAyCH,4CA2KC;AAlND,qCAAyD;AAuCzD,SAAgB,gBAAgB,CAC9B,MAA0B;IAE1B,IAAI,cAAc,GAAyB,IAAI,CAAC;IAChD,MAAM,YAAY,GAAG,IAAI,GAAG,EAAuB,CAAC;IAEpD,KAAK,UAAU,cAAc;QAC3B,IAAI,cAAc;YAAE,OAAO,cAAc,CAAC;QAC1C,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,MAAM,mCAAmC,CAAC;QAChE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACrE,cAAc,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkB,CAAC;QACrD,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,SAAS,aAAa;QACpB,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;QACzD,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC;IAED,OAAO;QACL,KAAK,CAAC,aAAa,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE;YACzD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAE7B,gDAAgD;YAChD,IAAI,GAAG,CAAC,QAAQ,KAAK,mBAAmB,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBACjE,MAAM,WAAW,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;gBAC/D,IAAI,CAAC,WAAW,EAAE,CAAC;oBACjB,OAAO,QAAQ,CAAC,IAAI,CAClB;wBACE,KAAK,EAAE,iBAAiB;wBACxB,iBAAiB,EAAE,sBAAsB;qBAC1C,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;gBACJ,CAAC;gBAED,MAAM,SAAS,GAAG,MAAM,cAAc,EAAE,CAAC;gBACzC,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;gBAC9B,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;gBAE9B,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE;oBACtB,WAAW;oBACX,KAAK;oBACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;iBACtB,CAAC,CAAC;gBAEH,kCAAkC;gBAClC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;gBACvB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,YAAY,EAAE,CAAC;oBAClC,IAAI,GAAG,GAAG,CAAC,CAAC,SAAS,GAAG,OAAO;wBAAE,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC1D,CAAC;gBAED,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;gBAC/D,MAAM,WAAW,GAAG,GAAG,OAAO,kBAAkB,CAAC;gBACjD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;gBAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;gBAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACvD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;gBACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;gBACpD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;gBACzC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;gBAEzC,OAAO,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,GAAG,CAAC,CAAC;YACpD,CAAC;YAED,8DAA8D;YAC9D,IAAI,GAAG,CAAC,QAAQ,KAAK,kBAAkB,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBAChE,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAC5C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAE5C,IAAI,KAAK,EAAE,CAAC;oBACV,OAAO,QAAQ,CAAC,IAAI,CAClB;wBACE,KAAK;wBACL,iBAAiB,EACf,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,EAAE;qBAClD,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;gBACJ,CAAC;gBAED,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;oBACpB,OAAO,QAAQ,CAAC,IAAI,CAClB;wBACE,KAAK,EAAE,iBAAiB;wBACxB,iBAAiB,EAAE,uBAAuB;qBAC3C,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;gBACJ,CAAC;gBAED,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACrC,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,OAAO,QAAQ,CAAC,IAAI,CAClB;wBACE,KAAK,EAAE,eAAe;wBACtB,iBAAiB,EAAE,0BAA0B;qBAC9C,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;gBACJ,CAAC;gBACD,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAE3B,MAAM,SAAS,GAAG,MAAM,cAAc,EAAE,CAAC;gBACzC,MAAM,WAAW,GAAG,GAAG,OAAO,kBAAkB,CAAC;gBAEjD,2BAA2B;gBAC3B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,cAAc,EAAE;oBACrD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;oBAChE,IAAI,EAAE,IAAI,eAAe,CAAC;wBACxB,UAAU,EAAE,oBAAoB;wBAChC,IAAI;wBACJ,YAAY,EAAE,WAAW;wBACzB,SAAS,EAAE,MAAM,CAAC,QAAQ;wBAC1B,aAAa,EAAE,MAAM,CAAC,YAAY;qBACnC,CAAC;iBACH,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;oBACnC,OAAO,QAAQ,CAAC,IAAI,CAClB,EAAE,KAAK,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,IAAI,EAAE,EAC3D,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;gBACJ,CAAC;gBAED,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA6B,CAAC;gBAEnE,iBAAiB;gBACjB,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,iBAAiB,EAAE;oBAC3D,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,MAAM,CAAC,YAAY,EAAE,EAAE;iBAC5D,CAAC,CAAC;gBAEH,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;oBACpB,OAAO,QAAQ,CAAC,IAAI,CAClB;wBACE,KAAK,EAAE,iBAAiB;wBACxB,iBAAiB,EAAE,UAAU,WAAW,CAAC,MAAM,EAAE;qBAClD,EACD,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;gBACJ,CAAC;gBAED,MAAM,QAAQ,GAAG,CAAC,MAAM,WAAW,CAAC,IAAI,EAAE,CAA4B,CAAC;gBAEvE,uCAAuC;gBACvC,MAAM,GAAG,GAAG,MAAM,IAAA,qBAAY,EAC5B;oBACE,GAAG,EAAG,QAAQ,CAAC,GAAc,IAAI,SAAS;oBAC1C,IAAI,EAAG,QAAQ,CAAC,IAAe,IAAI,SAAS;oBAC5C,MAAM,EAAE,CAAC,GAAG,CAAC;oBACb,GAAG,EAAE,SAAS;iBACuB,EACvC,UAAU,CAAC,UAAU,EACrB,UAAU,CAAC,GAAG,EACd,SAAS,EACT,IAAI,CACL,CAAC;gBAEF,2CAA2C;gBAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACvD,OAAO,QAAQ,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,WAAW,GAAG,GAAG,SAAS,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;YACzE,CAAC;YAED,qBAAqB;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;AACJ,CAAC"}