@soulcraft/sdk 2.6.1 → 3.0.0

package/dist/modules/auth/request-middleware.js

@@ -0,0 +1,650 @@
+/**
+ * @module modules/auth/request-middleware
+ * @description Framework-agnostic auth middleware, session verification, and dev/guest
+ * utilities for Soulcraft product backends.
+ *
+ * All middleware uses Web Standard `Request`/`Response` — no framework dependency.
+ * Compatible with SvelteKit, Bun.serve, Deno, Cloudflare Workers, and any server
+ * that speaks the Web Standard APIs.
+ *
+ * ## Session verification strategies
+ *
+ * Products select the right session verifier for their deployment context:
+ *
+ * ```
+ * Production (all products):
+ *   createRemoteSessionVerifier({ idpUrl: 'https://auth.soulcraft.com' })
+ *
+ * Development (all products):
+ *   createDevSessionVerifier({ role: 'owner' })   // auto-login, no OAuth needed
+ * ```
+ *
+ * ## Middleware signature
+ *
+ * All middleware follows the universal pattern:
+ * ```
+ * (req: Request, next: () => Promise<Response>) => Promise<Response>
+ * ```
+ *
+ * ## User retrieval
+ *
+ * After middleware runs, retrieve the resolved user with `getUser(req)`:
+ * ```typescript
+ * const user = getUser(req) // SoulcraftSessionUser | null
+ * ```
+ *
+ * ## Dev and guest cookie verifiers
+ *
+ * - `createDevCookieVerifier` — reads the dev session cookie issued by
+ *   `createRequestDevLoginHandler`.
+ * - `createGuestCookieVerifier` — reads the guest session cookie issued by
+ *   `createRequestGuestSessionHandler`.
+ *
+ * @example SvelteKit hooks
+ * ```typescript
+ * import {
+ *   createRequestAuthMiddleware,
+ *   createRemoteSessionVerifier,
+ *   getUser,
+ * } from '@soulcraft/sdk/server'
+ *
+ * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ * const { requireAuth } = createRequestAuthMiddleware(verifySession)
+ *
+ * export const handle = async ({ event, resolve }) => {
+ *   const response = await requireAuth(event.request, () => resolve(event))
+ *   event.locals.user = getUser(event.request)
+ *   return response
+ * }
+ * ```
+ *
+ * @example Bun.serve
+ * ```typescript
+ * import {
+ *   createRequestAuthMiddleware,
+ *   createRemoteSessionVerifier,
+ *   getUser,
+ * } from '@soulcraft/sdk/server'
+ *
+ * const verifier = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ * const { optionalAuth } = createRequestAuthMiddleware(verifier)
+ *
+ * Bun.serve({
+ *   fetch: (req) => optionalAuth(req, async () => {
+ *     const user = getUser(req)
+ *     return new Response(JSON.stringify({ user: user?.email ?? 'anonymous' }))
+ *   }),
+ * })
+ * ```
+ */
+import { LRUCache } from 'lru-cache';
+import { computeEmailHash } from './config.js';
+// ─────────────────────────────────────────────────────────────────────────────
+// WeakMap user storage
+// ─────────────────────────────────────────────────────────────────────────────
+/** Internal WeakMap that associates a Request with its resolved user. */
+const userMap = new WeakMap();
+/**
+ * @description Retrieves the resolved Soulcraft user attached to a Request by
+ * the request auth middleware.
+ *
+ * Returns the `SoulcraftSessionUser` if the request was authenticated, `null` if
+ * the request passed through `optionalAuth` without a session, or `null` if no
+ * middleware has processed this request.
+ *
+ * @param req - The Web Standard Request that was processed by middleware.
+ * @returns The resolved user, or null if unauthenticated or not yet processed.
+ *
+ * @example
+ * ```typescript
+ * const response = await requireAuth(request, async () => {
+ *   const user = getUser(request)!
+ *   return new Response(`Hello ${user.name}`)
+ * })
+ * ```
+ */
+export function getUser(req) {
+    return userMap.get(req) ?? null;
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Shared internal helpers
+// ─────────────────────────────────────────────────────────────────────────────
+/** Resolve a raw user record from a better-auth session into a `SoulcraftSessionUser`. */
+function _resolveUser(raw) {
+    const email = String(raw['email'] ?? '');
+    const emailHash = raw['emailHash']
+        ? String(raw['emailHash'])
+        : computeEmailHash(email);
+    return {
+        id: String(raw['id'] ?? ''),
+        email,
+        name: String(raw['name'] ?? ''),
+        image: raw['image'] ?? null,
+        platformRole: raw['platformRole'] ?? 'creator',
+        emailHash,
+        ...(raw['handle'] ? { handle: String(raw['handle']) } : {}),
+    };
+}
+/** Parse a simple `name=value` cookie from a raw cookie header string. */
+function _parseCookie(cookieHeader, name) {
+    for (const part of cookieHeader.split(';')) {
+        const [k, ...rest] = part.trim().split('=');
+        if (k?.trim() === name)
+            return rest.join('=').trim();
+    }
+    return undefined;
+}
+/** Encode a dev/guest session payload as a compact JSON+base64url string (unsigned). */
+function _encodeSessionCookie(session) {
+    return Buffer.from(JSON.stringify(session)).toString('base64url');
+}
+/** Decode a session payload encoded by `_encodeSessionCookie`. Returns null on any error. */
+function _decodeSessionCookie(value) {
+    try {
+        const raw = JSON.parse(Buffer.from(value, 'base64url').toString('utf-8'));
+        if (!raw.user || !raw.sessionId || !raw.expiresAt)
+            return null;
+        if (raw.expiresAt < Date.now())
+            return null;
+        return raw;
+    }
+    catch {
+        return null;
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// createRemoteSessionVerifier
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Creates a cached remote session verifier that proxies session lookups to
+ * the central IdP at `auth.soulcraft.com`.
+ *
+ * Used by products that operate as OIDC clients (Venue, Academy, and Workshop
+ * in production). Caches successful lookups in an LRU cache to avoid per-request
+ * HTTP round-trips to the IdP.
+ *
+ * The verifier sends the cookie header to the IdP's `/api/auth/get-session` endpoint
+ * and returns the resolved `SoulcraftSession` or `null` if the session is invalid.
+ *
+ * Pass the returned function to `createRequestAuthMiddleware`:
+ * ```typescript
+ * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ * const { requireAuth } = createRequestAuthMiddleware(verifySession)
+ * ```
+ *
+ * @param options - IdP URL, cache TTL, and max cache size.
+ * @returns A `SessionVerifier` — async function that accepts a cookie header string.
+ *
+ * @example
+ * ```typescript
+ * const verifySession = createRemoteSessionVerifier({
+ *   idpUrl: 'https://auth.soulcraft.com',
+ *   cacheTtlMs: 30_000,
+ * })
+ *
+ * const session = await verifySession(request.headers.get('cookie') ?? '')
+ * if (!session) return new Response('Unauthorized', { status: 401 })
+ * ```
+ */
+export function createRemoteSessionVerifier(options) {
+    const cacheTtl = options.cacheTtlMs ?? 30_000;
+    const cacheMax = options.cacheMax ?? 500;
+    const sessionUrl = `${options.idpUrl.replace(/\/$/, '')}/api/auth/get-session`;
+    const cache = new LRUCache({
+        max: cacheMax,
+        ttl: cacheTtl,
+    });
+    return async function verifyRemoteSession(cookieHeader) {
+        if (!cookieHeader)
+            return null;
+        // Use cookie header as cache key — it contains the session token
+        const cached = cache.get(cookieHeader);
+        if (cached !== undefined)
+            return cached;
+        let response;
+        try {
+            response = await fetch(sessionUrl, {
+                headers: { cookie: cookieHeader },
+                credentials: 'include',
+            });
+        }
+        catch {
+            return null;
+        }
+        if (!response.ok)
+            return null;
+        let data;
+        try {
+            data = await response.json();
+        }
+        catch {
+            return null;
+        }
+        // `get-session` returns the JSON literal `null` when no session is active.
+        // The fetch succeeds (200 OK) and `response.json()` parses it without error,
+        // but `data` is null — not an object. Guard before any property access.
+        if (!data || typeof data !== 'object')
+            return null;
+        const rawUser = data['user'];
+        const rawSession = data['session'];
+        if (!rawUser || !rawSession)
+            return null;
+        const email = String(rawUser['email'] ?? '');
+        const session = {
+            user: {
+                id: String(rawUser['id'] ?? ''),
+                email,
+                name: String(rawUser['name'] ?? ''),
+                image: rawUser['image'] ?? null,
+                platformRole: rawUser['platformRole'] ?? 'creator',
+                emailHash: rawUser['emailHash'] ? String(rawUser['emailHash']) : computeEmailHash(email),
+                ...(rawUser['handle'] ? { handle: String(rawUser['handle']) } : {}),
+            },
+            sessionId: String(rawSession['id'] ?? ''),
+            expiresAt: Number(rawSession['expiresAt'] ?? 0),
+        };
+        cache.set(cookieHeader, session);
+        return session;
+    };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// createDevSessionVerifier
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Creates a session verifier that always resolves to a synthetic dev session.
+ *
+ * Intended for products that run as OIDC clients but need local development auth
+ * without OAuth, network calls, SQLite, or real cookies. The returned verifier always
+ * succeeds — any request resolves to the configured synthetic user.
+ *
+ * Designed as a drop-in replacement for `createRemoteSessionVerifier` in local dev:
+ *
+ * ```typescript
+ * const verifySession = process.env.SOULCRAFT_IDP_URL
+ *   ? createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL })
+ *   : createDevSessionVerifier({ role: 'owner' })
+ *
+ * const { requireAuth } = createRequestAuthMiddleware(verifySession)
+ * ```
+ *
+ * **Never use in production.** The verifier performs no validation whatsoever.
+ *
+ * @param options - Optional synthetic user configuration.
+ * @returns A `SessionVerifier` with the same signature as `createRemoteSessionVerifier`.
+ *
+ * @example
+ * ```typescript
+ * const verifySession = process.env.SOULCRAFT_IDP_URL
+ *   ? createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL })
+ *   : createDevSessionVerifier({ role: 'owner' })
+ *
+ * export const handle = async ({ event, resolve }) => {
+ *   const session = await verifySession(event.request.headers.get('cookie') ?? '')
+ *   event.locals.session = session
+ *   return resolve(event)
+ * }
+ * ```
+ */
+export function createDevSessionVerifier(options = {}) {
+    const role = options.role ?? 'owner';
+    const email = options.email ?? 'dev@soulcraft.com';
+    const name = options.name ?? 'Dev User';
+    const session = {
+        user: {
+            id: 'dev-user-001',
+            email,
+            name,
+            image: null,
+            platformRole: role,
+            emailHash: computeEmailHash(email),
+            handle: 'dev',
+        },
+        sessionId: 'dev-session-001',
+        expiresAt: Date.now() + 30 * 24 * 60 * 60 * 1000,
+    };
+    return async function verifyDevSession() {
+        return session;
+    };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// createDevCookieVerifier
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Creates a session verifier that reads the cookie issued by `createRequestDevLoginHandler`.
+ *
+ * Use this together with `createRequestDevLoginHandler` when you want dev role-switching
+ * (e.g. clicking "Login as Staff" in a dev UI) rather than a fixed synthetic user.
+ *
+ * The verifier decodes the base64url cookie value and returns the embedded session.
+ * Falls back to `null` (unauthenticated) if the cookie is absent or expired.
+ *
+ * ```typescript
+ * // Only one of these in dev — pick what fits your workflow:
+ *
+ * // Option A: Fixed dev user, no login UI needed
+ * const verifySession = createDevSessionVerifier({ role: 'owner' })
+ *
+ * // Option B: Role-switching dev login UI
+ * const loginHandler = createRequestDevLoginHandler({ allowedRoles: ['owner', 'staff', 'customer'] })
+ * const verifySession = createDevCookieVerifier()
+ * ```
+ *
+ * @param cookieName - Must match the `cookieName` passed to `createRequestDevLoginHandler`. Default: `'soulcraft_dev_session'`.
+ * @returns A `SessionVerifier` compatible with `createRequestAuthMiddleware`.
+ */
+export function createDevCookieVerifier(cookieName = 'soulcraft_dev_session') {
+    return async function verifyDevCookie(cookieHeader) {
+        const value = _parseCookie(cookieHeader, cookieName);
+        if (!value)
+            return null;
+        return _decodeSessionCookie(value);
+    };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// createGuestCookieVerifier
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Creates a session verifier that reads the cookie issued by `createRequestGuestSessionHandler`.
+ *
+ * Returns the guest `SoulcraftSession` or `null` if no valid guest cookie is present.
+ * Compose with `createRemoteSessionVerifier` to allow both authenticated and guest access:
+ *
+ * ```typescript
+ * const verifyReal = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ * const verifyGuest = createGuestCookieVerifier()
+ *
+ * const { optionalAuth } = createRequestAuthMiddleware(async (cookie) =>
+ *   await verifyReal(cookie) ?? await verifyGuest(cookie)
+ * )
+ * ```
+ *
+ * @param cookieName - Must match the `cookieName` passed to `createRequestGuestSessionHandler`. Default: `'soulcraft_guest_session'`.
+ * @returns A `SessionVerifier` compatible with `createRequestAuthMiddleware`.
+ */
+export function createGuestCookieVerifier(cookieName = 'soulcraft_guest_session') {
+    return async function verifyGuestCookie(cookieHeader) {
+        const value = _parseCookie(cookieHeader, cookieName);
+        if (!value)
+            return null;
+        return _decodeSessionCookie(value);
+    };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// createRequestAuthMiddleware
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * @description Creates framework-agnostic auth middleware from a `SessionVerifier`
+ * function or a `BetterAuthLike` instance.
+ *
+ * Uses `WeakMap<Request, User>` to attach the resolved user to the request.
+ * Retrieve the resolved user after middleware with `getUser(req)`.
+ *
+ * **Preferred form (all products in OIDC-client mode):**
+ * Pass a `SessionVerifier` returned by `createRemoteSessionVerifier` or
+ * `createDevSessionVerifier`. The middleware reads the request cookie header and
+ * passes it to the verifier.
+ *
+ * **Legacy form (Workshop standalone mode):**
+ * Pass a `better-auth` instance directly. The middleware calls `auth.api.getSession`.
+ * In non-production environments and when `devAutoLogin` is enabled, a synthetic dev
+ * user is injected on failed lookups so local dev works without OAuth.
+ *
+ * @param authOrVerifier - A `better-auth` instance or a `SessionVerifier` function.
+ * @param options - Optional middleware configuration (only applies to `BetterAuthLike` form).
+ * @returns Middleware pair: `{ requireAuth, optionalAuth }`.
+ *
+ * @example Verifier form (Venue / Academy / Workshop in OIDC mode)
+ * ```typescript
+ * const verifySession = createRemoteSessionVerifier({ idpUrl: process.env.SOULCRAFT_IDP_URL! })
+ * const { requireAuth } = createRequestAuthMiddleware(verifySession)
+ *
+ * // Use in any server:
+ * const response = await requireAuth(request, () => handler(request))
+ * const user = getUser(request)!
+ * ```
+ *
+ * @example BetterAuth form (Workshop dev standalone)
+ * ```typescript
+ * import { auth } from './better-auth.js'
+ * const { requireAuth } = createRequestAuthMiddleware(auth)
+ * ```
+ */
+export function createRequestAuthMiddleware(authOrVerifier, options = {}) {
+    const isVerifier = typeof authOrVerifier === 'function';
+    if (isVerifier) {
+        const verify = authOrVerifier;
+        const requireAuth = async (req, next) => {
+            const cookieHeader = req.headers.get('cookie') ?? '';
+            const session = await verify(cookieHeader);
+            if (!session) {
+                return new Response(JSON.stringify({ error: 'Authentication required' }), {
+                    status: 401,
+                    headers: { 'Content-Type': 'application/json' },
+                });
+            }
+            userMap.set(req, session.user);
+            return next();
+        };
+        const optionalAuth = async (req, next) => {
+            const cookieHeader = req.headers.get('cookie') ?? '';
+            const session = await verify(cookieHeader);
+            userMap.set(req, session?.user ?? null);
+            return next();
+        };
+        return { requireAuth, optionalAuth };
+    }
+    // BetterAuthLike form (Workshop standalone)
+    const auth = authOrVerifier;
+    const devAutoLogin = options.devAutoLogin ?? true;
+    const isDev = process.env['NODE_ENV'] !== 'production';
+    const DEV_USER = {
+        id: 'dev-user-001',
+        email: 'dev@localhost',
+        name: 'Dev User',
+        image: null,
+        emailHash: computeEmailHash('dev@localhost'),
+        platformRole: 'creator',
+        handle: 'dev',
+    };
+    const requireAuth = async (req, next) => {
+        if (isDev && devAutoLogin) {
+            if (!userMap.has(req))
+                userMap.set(req, DEV_USER);
+            return next();
+        }
+        const session = await auth.api.getSession({ headers: req.headers });
+        if (!session?.user) {
+            return new Response(JSON.stringify({ error: 'Authentication required' }), {
+                status: 401,
+                headers: { 'Content-Type': 'application/json' },
+            });
+        }
+        userMap.set(req, _resolveUser(session.user));
+        return next();
+    };
+    const optionalAuth = async (req, next) => {
+        if (isDev && devAutoLogin) {
+            if (!userMap.has(req))
+                userMap.set(req, DEV_USER);
+            return next();
+        }
+        const session = await auth.api.getSession({ headers: req.headers });
+        if (session?.user) {
+            userMap.set(req, _resolveUser(session.user));
+        }
+        else {
+            userMap.set(req, null);
+        }
+        return next();
+    };
+    return { requireAuth, optionalAuth };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// createRequestDevLoginHandler
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * @description Creates a framework-agnostic request handler for a dev login endpoint.
+ *
+ * Mount at `/api/dev/login` to get a role-switching endpoint for local development.
+ * Accepts `?role=<platformRole>` and optional `?email=` / `?name=` / `?redirect=`
+ * query params. Issues a base64url session cookie and returns an HTTP 302 redirect.
+ *
+ * **Guards against production use:** the handler returns HTTP 404 when
+ * `NODE_ENV === 'production'` — safe to leave mounted in all environments.
+ *
+ * @param options - Allowed roles, cookie name, and max-age.
+ * @returns A request handler function `(req: Request) => Response`.
+ *
+ * @example
+ * ```typescript
+ * import { createRequestDevLoginHandler } from '@soulcraft/sdk/server'
+ *
+ * const devLogin = createRequestDevLoginHandler({ allowedRoles: ['owner', 'staff', 'customer'] })
+ *
+ * // SvelteKit: export const GET = ({ request }) => devLogin(request)
+ * // Bun:       if (url.pathname === '/api/dev/login') return devLogin(req)
+ *
+ * // Usage: GET /api/dev/login?role=staff → sets cookie + redirects to /
+ * ```
+ */
+export function createRequestDevLoginHandler(options = {}) {
+    const DEFAULT_ROLES = [
+        'creator', 'viewer', 'customer', 'staff', 'manager', 'owner', 'learner', 'instructor',
+    ];
+    const allowedRoles = options.allowedRoles ?? DEFAULT_ROLES;
+    const cookieName = options.cookieName ?? 'soulcraft_dev_session';
+    const maxAgeSeconds = options.maxAgeSeconds ?? 86_400;
+    return function requestDevLoginHandler(req) {
+        if (process.env['NODE_ENV'] === 'production') {
+            return new Response(JSON.stringify({ error: 'Not found' }), {
+                status: 404,
+                headers: { 'Content-Type': 'application/json' },
+            });
+        }
+        const url = new URL(req.url);
+        const role = url.searchParams.get('role');
+        if (!role || !allowedRoles.includes(role)) {
+            return new Response(JSON.stringify({
+                error: `Invalid role. Allowed: ${allowedRoles.join(', ')}`,
+                allowedRoles,
+            }), {
+                status: 400,
+                headers: { 'Content-Type': 'application/json' },
+            });
+        }
+        const email = url.searchParams.get('email') ?? `dev-${role}@soulcraft.com`;
+        const name = url.searchParams.get('name') ?? `Dev ${role.charAt(0).toUpperCase() + role.slice(1)}`;
+        const redirect = url.searchParams.get('redirect') ?? '/';
+        const session = {
+            user: {
+                id: `dev-user-${role}`,
+                email,
+                name,
+                image: null,
+                platformRole: role,
+                emailHash: computeEmailHash(email),
+            },
+            sessionId: `dev-session-${Date.now()}`,
+            expiresAt: Date.now() + maxAgeSeconds * 1000,
+        };
+        const cookieValue = _encodeSessionCookie(session);
+        const cookieHeader = [
+            `${cookieName}=${cookieValue}`,
+            `Path=/`,
+            `HttpOnly`,
+            `SameSite=Lax`,
+            `Max-Age=${maxAgeSeconds}`,
+        ].join('; ');
+        return new Response(null, {
+            status: 302,
+            headers: {
+                Location: redirect,
+                'Set-Cookie': cookieHeader,
+            },
+        });
+    };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// createRequestGuestSessionHandler
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * @description Creates a framework-agnostic request handler that issues a guest
+ * session cookie.
+ *
+ * Venue visitors can browse and initiate bookings without creating an account.
+ * Mount at e.g. `/api/guest/session` to issue a session cookie with
+ * `platformRole: 'guest'` and a unique guest ID on each call (if no valid guest
+ * session already exists).
+ *
+ * The guest session cookie can be verified using `createGuestCookieVerifier`,
+ * which returns a `SessionVerifier` compatible with `createRequestAuthMiddleware`.
+ *
+ * @param options - Cookie name, max-age, and optional `onGuestCreated` callback.
+ * @returns An async request handler function `(req: Request) => Promise<Response>`.
+ *
+ * @example
+ * ```typescript
+ * import { createRequestGuestSessionHandler, createGuestCookieVerifier } from '@soulcraft/sdk/server'
+ *
+ * const guestSession = createRequestGuestSessionHandler({
+ *   onGuestCreated: async (guestId) => {
+ *     await db.guests.insert({ id: guestId, createdAt: new Date() })
+ *   },
+ * })
+ *
+ * // SvelteKit: export const POST = ({ request }) => guestSession(request)
+ * // Bun:       if (url.pathname === '/api/guest/session') return guestSession(req)
+ * ```
+ */
+export function createRequestGuestSessionHandler(options = {}) {
+    const cookieName = options.cookieName ?? 'soulcraft_guest_session';
+    const maxAgeSeconds = options.maxAgeSeconds ?? 3_600;
+    const onGuestCreated = options.onGuestCreated;
+    return async function requestGuestSessionHandler(req) {
+        // Return existing guest session if still valid
+        const cookieHeader = req.headers.get('cookie') ?? '';
+        const existingValue = _parseCookie(cookieHeader, cookieName);
+        if (existingValue) {
+            const existing = _decodeSessionCookie(existingValue);
+            if (existing) {
+                return new Response(JSON.stringify({ guestId: existing.user.id, existing: true }), {
+                    status: 200,
+                    headers: { 'Content-Type': 'application/json' },
+                });
+            }
+        }
+        // Create a new guest session
+        const guestId = `guest-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 8)}`;
+        const email = `${guestId}@guest.soulcraft.com`;
+        const session = {
+            user: {
+                id: guestId,
+                email,
+                name: 'Guest',
+                image: null,
+                platformRole: 'guest',
+                emailHash: computeEmailHash(email),
+            },
+            sessionId: `guest-session-${Date.now()}`,
+            expiresAt: Date.now() + maxAgeSeconds * 1000,
+        };
+        if (onGuestCreated)
+            await onGuestCreated(guestId);
+        const cookieValue = _encodeSessionCookie(session);
+        const setCookieHeader = [
+            `${cookieName}=${cookieValue}`,
+            `Path=/`,
+            `HttpOnly`,
+            `SameSite=Lax`,
+            `Max-Age=${maxAgeSeconds}`,
+        ].join('; ');
+        return new Response(JSON.stringify({ guestId, existing: false }), {
+            status: 200,
+            headers: {
+                'Content-Type': 'application/json',
+                'Set-Cookie': setCookieHeader,
+            },
+        });
+    };
+}
+//# sourceMappingURL=request-middleware.js.map

package/dist/modules/auth/request-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-middleware.js","sourceRoot":"","sources":["../../../src/modules/auth/request-middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8EG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA;AACpC,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AA6I9C,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF,yEAAyE;AACzE,MAAM,OAAO,GAAG,IAAI,OAAO,EAAwC,CAAA;AAEnE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,OAAO,CAAC,GAAY;IAClC,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAA;AACjC,CAAC;AAED,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF,0FAA0F;AAC1F,SAAS,YAAY,CAAC,GAA4B;IAChD,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;IACxC,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,CAAC;QAChC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAC1B,CAAC,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAA;IAE3B,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3B,KAAK;QACL,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC/B,KAAK,EAAG,GAAG,CAAC,OAAO,CAA+B,IAAI,IAAI;QAC1D,YAAY,EAAG,GAAG,CAAC,cAAc,CAA0C,IAAI,SAAS;QACxF,SAAS;QACT,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5D,CAAA;AACH,CAAC;AAED,0EAA0E;AAC1E,SAAS,YAAY,CAAC,YAAoB,EAAE,IAAY;IACtD,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3C,MAAM,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAC3C,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;IACtD,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,wFAAwF;AACxF,SAAS,oBAAoB,CAAC,OAAyB;IACrD,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AACnE,CAAC;AAED,6FAA6F;AAC7F,SAAS,oBAAoB,CAAC,KAAa;IACzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAqB,CAAA;QAC7F,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,GAAG,CAAC,SAAS;YAAE,OAAO,IAAI,CAAA;QAC9D,IAAI,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE;YAAE,OAAO,IAAI,CAAA;QAC3C,OAAO,GAAG,CAAA;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,8BAA8B;AAC9B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAqC;IAErC,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,IAAI,MAAM,CAAA;IAC7C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,GAAG,CAAA;IACxC,MAAM,UAAU,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,uBAAuB,CAAA;IAE9E,MAAM,KAAK,GAAG,IAAI,QAAQ,CAA2B;QACnD,GAAG,EAAE,QAAQ;QACb,GAAG,EAAE,QAAQ;KACd,CAAC,CAAA;IAEF,OAAO,KAAK,UAAU,mBAAmB,CACvC,YAAoB;QAEpB,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAA;QAE9B,iEAAiE;QACjE,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACtC,IAAI,MAAM,KAAK,SAAS;YAAE,OAAO,MAAM,CAAA;QAEvC,IAAI,QAAkB,CAAA;QACtB,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;gBACjC,OAAO,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE;gBACjC,WAAW,EAAE,SAAS;aACvB,CAAC,CAAA;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,OAAO,IAAI,CAAA;QAE7B,IAAI,IAA6B,CAAA;QACjC,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAA;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;QAED,2EAA2E;QAC3E,6EAA6E;QAC7E,wEAAwE;QACxE,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAA;QAElD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAwC,CAAA;QACnE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAwC,CAAA;QAEzE,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAA;QAExC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;QAC5C,MAAM,OAAO,GAAqB;YAChC,IAAI,EAAE;gBACJ,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC/B,KAAK;gBACL,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;gBACnC,KAAK,EAAG,OAAO,CAAC,OAAO,CAA+B,IAAI,IAAI;gBAC9D,YAAY,EAAG,OAAO,CAAC,cAAc,CAA0C,IAAI,SAAS;gBAC5F,SAAS,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,KAAK,CAAC;gBACxF,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACpE;YACD,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACzC,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;SAChD,CAAA;QAED,KAAK,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;QAChC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAM,UAAU,wBAAwB,CACtC,UAAqC,EAAE;IAEvC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAA;IACpC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,mBAAmB,CAAA;IAClD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,UAAU,CAAA;IAEvC,MAAM,OAAO,GAAqB;QAChC,IAAI,EAAE;YACJ,EAAE,EAAE,cAAc;YAClB,KAAK;YACL,IAAI;YACJ,KAAK,EAAE,IAAI;YACX,YAAY,EAAE,IAAI;YAClB,SAAS,EAAE,gBAAgB,CAAC,KAAK,CAAC;YAClC,MAAM,EAAE,KAAK;SACd;QACD,SAAS,EAAE,iBAAiB;QAC5B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;KACjD,CAAA;IAED,OAAO,KAAK,UAAU,gBAAgB;QACpC,OAAO,OAAO,CAAA;IAChB,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,uBAAuB,CACrC,UAAU,GAAG,uBAAuB;IAEpC,OAAO,KAAK,UAAU,eAAe,CAAC,YAAoB;QACxD,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;QACpD,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAA;IACpC,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,4BAA4B;AAC5B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,yBAAyB,CACvC,UAAU,GAAG,yBAAyB;IAEtC,OAAO,KAAK,UAAU,iBAAiB,CAAC,YAAoB;QAC1D,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;QACpD,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAA;IACpC,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,8BAA8B;AAC9B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,MAAM,UAAU,2BAA2B,CACzC,cAAgD,EAChD,UAAiC,EAAE;IAEnC,MAAM,UAAU,GAAG,OAAO,cAAc,KAAK,UAAU,CAAA;IAEvD,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,cAAiC,CAAA;QAEhD,MAAM,WAAW,GAAsB,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YACzD,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;YACpD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAA;YAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,EAAE;oBACxE,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;iBAChD,CAAC,CAAA;YACJ,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,CAAC,CAAA;YAC9B,OAAO,IAAI,EAAE,CAAA;QACf,CAAC,CAAA;QAED,MAAM,YAAY,GAAsB,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YAC1D,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;YACpD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAA;YAC1C,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,CAAA;YACvC,OAAO,IAAI,EAAE,CAAA;QACf,CAAC,CAAA;QAED,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAA;IACtC,CAAC;IAED,4CAA4C;IAC5C,MAAM,IAAI,GAAG,cAAgC,CAAA;IAC7C,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,IAAI,CAAA;IACjD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,CAAA;IAEtD,MAAM,QAAQ,GAAyB;QACrC,EAAE,EAAE,cAAc;QAClB,KAAK,EAAE,eAAe;QACtB,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,IAAI;QACX,SAAS,EAAE,gBAAgB,CAAC,eAAe,CAAC;QAC5C,YAAY,EAAE,SAAS;QACvB,MAAM,EAAE,KAAK;KACd,CAAA;IAED,MAAM,WAAW,GAAsB,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzD,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;YAC1B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;YACjD,OAAO,IAAI,EAAE,CAAA;QACf,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;QACnE,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;YACnB,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,EAAE;gBACxE,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;aAChD,CAAC,CAAA;QACJ,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;QAC5C,OAAO,IAAI,EAAE,CAAA;IACf,CAAC,CAAA;IAED,MAAM,YAAY,GAAsB,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC1D,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;YAC1B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;YACjD,OAAO,IAAI,EAAE,CAAA;QACf,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;QACnE,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;QAC9C,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QACxB,CAAC;QACD,OAAO,IAAI,EAAE,CAAA;IACf,CAAC,CAAA;IAED,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAA;AACtC,CAAC;AAED,gFAAgF;AAChF,+BAA+B;AAC/B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,4BAA4B,CAC1C,UAAkC,EAAE;IAEpC,MAAM,aAAa,GAA2C;QAC5D,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,YAAY;KACtF,CAAA;IACD,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,aAAa,CAAA;IAC1D,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,uBAAuB,CAAA;IAChE,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,MAAM,CAAA;IAErD,OAAO,SAAS,sBAAsB,CAAC,GAAY;QACjD,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,EAAE,CAAC;YAC7C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,EAAE;gBAC1D,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;aAChD,CAAC,CAAA;QACJ,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC5B,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAgD,CAAA;QACxF,IAAI,CAAC,IAAI,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1C,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;gBACb,KAAK,EAAE,0BAA0B,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC1D,YAAY;aACb,CAAC,EACF;gBACE,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;aAChD,CACF,CAAA;QACH,CAAC;QAED,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,OAAO,IAAI,gBAAgB,CAAA;QAC1E,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAA;QAClG,MAAM,QAAQ,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,GAAG,CAAA;QAExD,MAAM,OAAO,GAAqB;YAChC,IAAI,EAAE;gBACJ,EAAE,EAAE,YAAY,IAAI,EAAE;gBACtB,KAAK;gBACL,IAAI;gBACJ,KAAK,EAAE,IAAI;gBACX,YAAY,EAAE,IAAI;gBAClB,SAAS,EAAE,gBAAgB,CAAC,KAAK,CAAC;aACnC;YACD,SAAS,EAAE,eAAe,IAAI,CAAC,GAAG,EAAE,EAAE;YACtC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;SAC7C,CAAA;QAED,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;QACjD,MAAM,YAAY,GAAG;YACnB,GAAG,UAAU,IAAI,WAAW,EAAE;YAC9B,QAAQ;YACR,UAAU;YACV,cAAc;YACd,WAAW,aAAa,EAAE;SAC3B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAEZ,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACxB,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,QAAQ,EAAE,QAAQ;gBAClB,YAAY,EAAE,YAAY;aAC3B;SACF,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,mCAAmC;AACnC,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAM,UAAU,gCAAgC,CAC9C,UAAsC,EAAE;IAExC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,yBAAyB,CAAA;IAClE,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,KAAK,CAAA;IACpD,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,CAAA;IAE7C,OAAO,KAAK,UAAU,0BAA0B,CAAC,GAAY;QAC3D,+CAA+C;QAC/C,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;QACpD,MAAM,aAAa,GAAG,YAAY,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;QAC5D,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,oBAAoB,CAAC,aAAa,CAAC,CAAA;YACpD,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,EAAE;oBACjF,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;iBAChD,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,MAAM,OAAO,GAAG,SAAS,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAA;QAC5F,MAAM,KAAK,GAAG,GAAG,OAAO,sBAAsB,CAAA;QAE9C,MAAM,OAAO,GAAqB;YAChC,IAAI,EAAE;gBACJ,EAAE,EAAE,OAAO;gBACX,KAAK;gBACL,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,IAAI;gBACX,YAAY,EAAE,OAAO;gBACrB,SAAS,EAAE,gBAAgB,CAAC,KAAK,CAAC;aACnC;YACD,SAAS,EAAE,iBAAiB,IAAI,CAAC,GAAG,EAAE,EAAE;YACxC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;SAC7C,CAAA;QAED,IAAI,cAAc;YAAE,MAAM,cAAc,CAAC,OAAO,CAAC,CAAA;QAEjD,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAA;QACjD,MAAM,eAAe,GAAG;YACtB,GAAG,UAAU,IAAI,WAAW,EAAE;YAC9B,QAAQ;YACR,UAAU;YACV,cAAc;YACd,WAAW,aAAa,EAAE;SAC3B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAEZ,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,EAAE;YAChE,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,YAAY,EAAE,eAAe;aAC9B;SACF,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC"}