@stackmemoryai/stackmemory 0.2.9 → 0.3.0

package/dist/servers/production/auth-middleware.js

@@ -0,0 +1,513 @@
+import jwt from "jsonwebtoken";
+import jwksRsa from "jwks-rsa";
+import { RateLimiterRedis } from "rate-limiter-flexible";
+import Redis from "ioredis";
+import BetterSqlite3 from "better-sqlite3";
+import { logger } from "../../core/monitoring/logger.js";
+import { metrics } from "../../core/monitoring/metrics.js";
+import { getUserModel } from "../../models/user.model.js";
+class AuthMiddleware {
+  constructor(config) {
+    this.config = config;
+    this.redis = new Redis(config.redisUrl);
+    const dbPath = config.dbPath || process.env.STACKMEMORY_DB || ".stackmemory/auth.db";
+    this.db = new BetterSqlite3(dbPath);
+    this.userModel = getUserModel(this.db);
+    this.jwksClient = jwksRsa({
+      jwksUri: `https://${config.auth0Domain}/.well-known/jwks.json`,
+      cache: true,
+      cacheMaxAge: 6e5,
+      // 10 minutes
+      rateLimit: true,
+      jwksRequestsPerMinute: 5
+    });
+    this.initializeRateLimiters();
+    this.setupTokenBlacklistSync();
+  }
+  jwksClient;
+  redis;
+  rateLimiters;
+  blacklistedTokens = /* @__PURE__ */ new Set();
+  userModel;
+  db;
+  mockUser;
+  mockUserInitializing = false;
+  initializeRateLimiters() {
+    this.rateLimiters = /* @__PURE__ */ new Map([
+      [
+        "free",
+        new RateLimiterRedis({
+          storeClient: this.redis,
+          keyPrefix: "rl:free",
+          points: 100,
+          // requests
+          duration: 900,
+          // per 15 minutes
+          blockDuration: 900
+          // block for 15 minutes
+        })
+      ],
+      [
+        "pro",
+        new RateLimiterRedis({
+          storeClient: this.redis,
+          keyPrefix: "rl:pro",
+          points: 1e3,
+          duration: 900,
+          blockDuration: 300
+        })
+      ],
+      [
+        "enterprise",
+        new RateLimiterRedis({
+          storeClient: this.redis,
+          keyPrefix: "rl:enterprise",
+          points: 1e4,
+          duration: 900,
+          blockDuration: 60
+        })
+      ]
+    ]);
+    this.rateLimiters.set(
+      "auth",
+      new RateLimiterRedis({
+        storeClient: this.redis,
+        keyPrefix: "rl:auth",
+        points: 10,
+        // Only 10 auth attempts
+        duration: 900,
+        blockDuration: 3600
+        // Block for 1 hour on excessive auth attempts
+      })
+    );
+  }
+  setupTokenBlacklistSync() {
+    const subscriber = new Redis(this.config.redisUrl);
+    subscriber.subscribe("token:revoked");
+    subscriber.on("message", (channel, token) => {
+      if (channel === "token:revoked") {
+        this.blacklistedTokens.add(token);
+        if (this.blacklistedTokens.size > 1e4) {
+          this.blacklistedTokens.clear();
+        }
+      }
+    });
+  }
+  async getSigningKey(kid) {
+    return new Promise((resolve, reject) => {
+      this.jwksClient.getSigningKey(kid, (err, key) => {
+        if (err) {
+          reject(err);
+        } else {
+          const signingKey = key?.getPublicKey();
+          if (!signingKey) {
+            reject(new Error("No signing key found"));
+          } else {
+            resolve(signingKey);
+          }
+        }
+      });
+    });
+  }
+  /**
+   * Main authentication middleware
+   */
+  authenticate = async (req, res, next) => {
+    const startTime = Date.now();
+    try {
+      if (req.path === "/health" || req.path === "/metrics") {
+        return next();
+      }
+      if (this.config.bypassAuth && process.env.NODE_ENV === "development") {
+        req.user = this.getMockUser();
+        return next();
+      }
+      const token = this.extractToken(req);
+      const apiKey = this.extractApiKey(req);
+      if (!token && !apiKey) {
+        metrics.increment("auth.missing_credentials");
+        return res.status(401).json({
+          error: "Authentication required",
+          code: "MISSING_CREDENTIALS"
+        });
+      }
+      if (apiKey) {
+        const user2 = await this.userModel.validateApiKey(apiKey);
+        if (!user2) {
+          metrics.increment("auth.invalid_api_key");
+          return res.status(401).json({
+            error: "Invalid API key",
+            code: "INVALID_API_KEY"
+          });
+        }
+        req.user = {
+          id: user2.id,
+          sub: user2.sub,
+          email: user2.email,
+          name: user2.name,
+          picture: user2.avatar,
+          tier: user2.tier,
+          permissions: user2.permissions,
+          organizations: user2.organizations.map((org) => org.id),
+          metadata: { ...user2.metadata, authMethod: "api_key" }
+        };
+        metrics.increment("auth.api_key_success");
+        await metrics.timing("auth.api_key_duration", Date.now() - startTime);
+        return next();
+      }
+      if (token && this.blacklistedTokens.has(token)) {
+        metrics.increment("auth.blacklisted_token");
+        return res.status(401).json({
+          error: "Token has been revoked",
+          code: "TOKEN_REVOKED"
+        });
+      }
+      if (!token) {
+        return res.status(401).json({
+          error: "No token provided",
+          code: "NO_TOKEN"
+        });
+      }
+      const decoded = jwt.decode(token, { complete: true });
+      if (!decoded) {
+        metrics.increment("auth.invalid_token");
+        return res.status(401).json({
+          error: "Invalid token format",
+          code: "INVALID_TOKEN"
+        });
+      }
+      const signingKey = await this.getSigningKey(decoded.header.kid);
+      const verified = jwt.verify(token, signingKey, {
+        algorithms: ["RS256"],
+        audience: this.config.auth0Audience,
+        issuer: `https://${this.config.auth0Domain}/`
+      });
+      const user = await this.loadUser(verified.sub, verified);
+      if (!user) {
+        metrics.increment("auth.user_not_found");
+        return res.status(403).json({
+          error: "User not found",
+          code: "USER_NOT_FOUND"
+        });
+      }
+      if (user.metadata?.suspended) {
+        metrics.increment("auth.user_suspended");
+        return res.status(403).json({
+          error: "Account suspended",
+          code: "ACCOUNT_SUSPENDED"
+        });
+      }
+      const rateLimiter = this.rateLimiters.get(user.tier) || this.rateLimiters.get("free");
+      try {
+        const rateLimitRes = await rateLimiter.consume(user.id);
+        req.rateLimitInfo = rateLimitRes;
+        res.setHeader("X-RateLimit-Limit", rateLimiter.points.toString());
+        res.setHeader(
+          "X-RateLimit-Remaining",
+          rateLimitRes.remainingPoints.toString()
+        );
+        res.setHeader(
+          "X-RateLimit-Reset",
+          new Date(Date.now() + rateLimitRes.msBeforeNext).toISOString()
+        );
+      } catch (rateLimitError) {
+        metrics.increment("auth.rate_limited");
+        res.setHeader(
+          "Retry-After",
+          Math.round(rateLimitError.msBeforeNext / 1e3).toString()
+        );
+        return res.status(429).json({
+          error: "Too many requests",
+          code: "RATE_LIMITED",
+          retryAfter: rateLimitError.msBeforeNext
+        });
+      }
+      req.user = user;
+      metrics.increment("auth.success", { tier: user.tier });
+      metrics.timing("auth.duration", Date.now() - startTime);
+      logger.info("Authentication successful", {
+        userId: user.id,
+        tier: user.tier,
+        path: req.path
+      });
+      next();
+    } catch (error) {
+      metrics.increment("auth.error");
+      logger.error("Authentication error", error);
+      if (error.name === "TokenExpiredError") {
+        return res.status(401).json({
+          error: "Token expired",
+          code: "TOKEN_EXPIRED"
+        });
+      }
+      if (error.name === "JsonWebTokenError") {
+        return res.status(401).json({
+          error: "Invalid token",
+          code: "INVALID_TOKEN"
+        });
+      }
+      res.status(500).json({
+        error: "Authentication failed",
+        code: "AUTH_ERROR"
+      });
+    }
+  };
+  /**
+   * WebSocket authentication handler
+   */
+  authenticateWebSocket = async (token) => {
+    try {
+      const decoded = jwt.decode(token, { complete: true });
+      if (!decoded || this.blacklistedTokens.has(token)) {
+        return null;
+      }
+      const signingKey = await this.getSigningKey(decoded.header.kid);
+      const verified = jwt.verify(token, signingKey, {
+        algorithms: ["RS256"],
+        audience: this.config.auth0Audience,
+        issuer: `https://${this.config.auth0Domain}/`
+      });
+      return await this.loadUser(verified.sub, verified);
+    } catch (error) {
+      logger.error(
+        "WebSocket authentication failed",
+        error instanceof Error ? error : void 0
+      );
+      return null;
+    }
+  };
+  /**
+   * Permission checking middleware
+   */
+  requirePermission = (permission) => {
+    return (req, res, next) => {
+      if (!req.user) {
+        return res.status(401).json({
+          error: "Authentication required",
+          code: "NOT_AUTHENTICATED"
+        });
+      }
+      if (!req.user.permissions.includes(permission)) {
+        metrics.increment("auth.permission_denied", { permission });
+        return res.status(403).json({
+          error: "Insufficient permissions",
+          code: "PERMISSION_DENIED",
+          required: permission
+        });
+      }
+      return next();
+    };
+  };
+  /**
+   * Organization access middleware
+   */
+  requireOrganization = (req, res, next) => {
+    const orgId = req.params.orgId || req.query.orgId;
+    if (!req.user || !orgId) {
+      return res.status(401).json({
+        error: "Authentication required",
+        code: "NOT_AUTHENTICATED"
+      });
+    }
+    if (!req.user.organizations?.includes(orgId)) {
+      return res.status(403).json({
+        error: "Organization access denied",
+        code: "ORG_ACCESS_DENIED"
+      });
+    }
+    return next();
+  };
+  extractApiKey(req) {
+    const authHeader = req.headers.authorization;
+    if (authHeader?.startsWith("Bearer sk-")) {
+      return authHeader.substring(7);
+    }
+    const apiKeyHeader = req.headers["x-api-key"];
+    if (apiKeyHeader?.startsWith("sk-")) {
+      return apiKeyHeader;
+    }
+    return null;
+  }
+  extractToken(req) {
+    const authHeader = req.headers.authorization;
+    if (authHeader?.startsWith("Bearer ") && !authHeader.startsWith("Bearer sk-")) {
+      return authHeader.substring(7);
+    }
+    return req.cookies?.access_token || null;
+  }
+  async loadUser(sub, tokenPayload) {
+    const cached = await this.redis.get(`user:${sub}`);
+    if (cached) {
+      const cachedUser = JSON.parse(cached);
+      this.userModel.updateLastLogin(cachedUser.id).catch((err) => logger.error("Failed to update last login", err));
+      return cachedUser;
+    }
+    let dbUser = await this.userModel.findUserBySub(sub);
+    if (!dbUser && tokenPayload) {
+      dbUser = await this.userModel.createUser({
+        sub,
+        email: tokenPayload.email || `${sub}@auth.local`,
+        name: tokenPayload.name,
+        avatar: tokenPayload.picture,
+        tier: this.determineTier(tokenPayload),
+        permissions: this.determinePermissions(tokenPayload),
+        organizations: this.extractOrganizations(tokenPayload),
+        metadata: {
+          auth0: tokenPayload,
+          signupSource: "auth0",
+          createdVia: "auth-middleware"
+        }
+      });
+      logger.info("Auto-created user from auth token", {
+        sub,
+        email: dbUser.email
+      });
+    }
+    if (!dbUser) {
+      return null;
+    }
+    await this.userModel.updateLastLogin(dbUser.id);
+    const user = {
+      id: dbUser.id,
+      sub: dbUser.sub,
+      email: dbUser.email,
+      name: dbUser.name,
+      picture: dbUser.avatar,
+      tier: dbUser.tier,
+      permissions: dbUser.permissions,
+      organizations: dbUser.organizations.map((org) => org.id),
+      metadata: dbUser.metadata
+    };
+    await this.redis.setex(`user:${sub}`, 300, JSON.stringify(user));
+    return user;
+  }
+  determineTier(tokenPayload) {
+    if (tokenPayload["https://stackmemory.ai/tier"]) {
+      return tokenPayload["https://stackmemory.ai/tier"];
+    }
+    if (tokenPayload.subscription?.plan) {
+      const plan = tokenPayload.subscription.plan.toLowerCase();
+      if (plan.includes("enterprise")) return "enterprise";
+      if (plan.includes("pro") || plan.includes("premium")) return "pro";
+    }
+    return "free";
+  }
+  determinePermissions(tokenPayload) {
+    const permissions = ["read", "write"];
+    if (tokenPayload["https://stackmemory.ai/permissions"]) {
+      return tokenPayload["https://stackmemory.ai/permissions"];
+    }
+    if (tokenPayload.permissions && Array.isArray(tokenPayload.permissions)) {
+      return tokenPayload.permissions;
+    }
+    if (tokenPayload.roles && Array.isArray(tokenPayload.roles)) {
+      if (tokenPayload.roles.includes("admin")) {
+        permissions.push("admin", "delete");
+      }
+      if (tokenPayload.roles.includes("moderator")) {
+        permissions.push("moderate");
+      }
+    }
+    return permissions;
+  }
+  extractOrganizations(tokenPayload) {
+    const orgs = [];
+    if (tokenPayload["https://stackmemory.ai/organizations"]) {
+      return tokenPayload["https://stackmemory.ai/organizations"];
+    }
+    if (tokenPayload.org_id) {
+      orgs.push({
+        id: tokenPayload.org_id,
+        name: tokenPayload.org_name || tokenPayload.org_id,
+        role: tokenPayload.org_role || "member"
+      });
+    }
+    return orgs;
+  }
+  async initializeMockUser() {
+    const mockSub = "dev-sub";
+    let dbUser = await this.userModel.findUserBySub(mockSub);
+    if (!dbUser) {
+      dbUser = await this.userModel.createUser({
+        sub: mockSub,
+        email: "dev@stackmemory.local",
+        name: "Development User",
+        tier: "enterprise",
+        permissions: ["read", "write", "admin", "delete"],
+        organizations: [
+          {
+            id: "dev-org",
+            name: "Development Organization",
+            role: "admin"
+          }
+        ],
+        metadata: {
+          isDevelopmentUser: true,
+          createdAt: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      });
+      logger.info("Created development mock user");
+    }
+    return {
+      id: dbUser.id,
+      sub: dbUser.sub,
+      email: dbUser.email,
+      name: dbUser.name,
+      picture: dbUser.avatar,
+      tier: dbUser.tier,
+      permissions: dbUser.permissions,
+      organizations: dbUser.organizations.map((org) => org.id),
+      metadata: dbUser.metadata
+    };
+  }
+  getMockUser() {
+    if (this.mockUser) {
+      return this.mockUser;
+    }
+    if (!this.mockUserInitializing) {
+      this.mockUserInitializing = true;
+      this.initializeMockUser().then((user) => {
+        this.mockUser = user;
+        this.mockUserInitializing = false;
+        logger.info("Mock user initialized and cached");
+      }).catch((err) => {
+        logger.error("Failed to initialize mock user", err);
+        this.mockUserInitializing = false;
+      });
+    }
+    return {
+      id: "temp-dev-user-id",
+      sub: "dev-sub",
+      email: "dev@stackmemory.local",
+      name: "Development User",
+      tier: "enterprise",
+      permissions: ["read", "write", "admin", "delete"],
+      organizations: ["dev-org"],
+      metadata: { temporary: true }
+    };
+  }
+  /**
+   * Revoke a token (add to blacklist)
+   */
+  async revokeToken(token) {
+    this.blacklistedTokens.add(token);
+    await this.redis.publish("token:revoked", token);
+    const decoded = jwt.decode(token);
+    if (decoded?.exp) {
+      const ttl = decoded.exp - Math.floor(Date.now() / 1e3);
+      if (ttl > 0) {
+        await this.redis.setex(`blacklist:${token}`, ttl, "1");
+      }
+    }
+  }
+  /**
+   * Cleanup resources
+   */
+  async close() {
+    await this.redis.quit();
+  }
+}
+export {
+  AuthMiddleware
+};
+//# sourceMappingURL=auth-middleware.js.map

package/dist/servers/production/auth-middleware.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/servers/production/auth-middleware.ts"],
+  "sourcesContent": ["/**\n * Production Authentication Middleware for Runway MCP Server\n * Implements JWT validation with Auth0, refresh tokens, and rate limiting\n */\n\nimport jwt from 'jsonwebtoken';\nimport jwksRsa from 'jwks-rsa';\nimport { Request, Response, NextFunction } from 'express';\nimport { RateLimiterRedis, RateLimiterRes } from 'rate-limiter-flexible';\nimport Redis from 'ioredis';\nimport BetterSqlite3 from 'better-sqlite3';\nimport { logger } from '../../core/monitoring/logger.js';\nimport { metrics } from '../../core/monitoring/metrics.js';\nimport { getUserModel, UserModel, User } from '../../models/user.model.js';\n\nexport interface AuthUser {\n  id: string;\n  email: string;\n  sub: string;\n  name?: string;\n  picture?: string;\n  tier: 'free' | 'pro' | 'enterprise';\n  organizations?: string[];\n  permissions: string[];\n  metadata?: Record<string, any>;\n}\n\nexport interface AuthRequest extends Request {\n  user?: AuthUser;\n  rateLimitInfo?: RateLimiterRes;\n}\n\nexport class AuthMiddleware {\n  private jwksClient: jwksRsa.JwksClient;\n  private redis: Redis;\n  private rateLimiters!: Map<string, RateLimiterRedis>;\n  private blacklistedTokens: Set<string> = new Set();\n  private userModel: UserModel;\n  private db: BetterSqlite3.Database;\n  private mockUser?: AuthUser;\n  private mockUserInitializing = false;\n\n  constructor(\n    private config: {\n      auth0Domain: string;\n      auth0Audience: string;\n      redisUrl: string;\n      jwtSecret?: string;\n      bypassAuth?: boolean; // For testing\n      dbPath?: string; // Path to SQLite database\n    }\n  ) {\n    this.redis = new Redis(config.redisUrl);\n\n    // Initialize database\n    const dbPath =\n      config.dbPath || process.env.STACKMEMORY_DB || '.stackmemory/auth.db';\n    this.db = new BetterSqlite3(dbPath);\n    this.userModel = getUserModel(this.db);\n\n    this.jwksClient = jwksRsa({\n      jwksUri: `https://${config.auth0Domain}/.well-known/jwks.json`,\n      cache: true,\n      cacheMaxAge: 600000, // 10 minutes\n      rateLimit: true,\n      jwksRequestsPerMinute: 5,\n    });\n\n    this.initializeRateLimiters();\n    this.setupTokenBlacklistSync();\n  }\n\n  private initializeRateLimiters(): void {\n    // Different rate limits for different tiers\n    this.rateLimiters = new Map([\n      [\n        'free',\n        new RateLimiterRedis({\n          storeClient: this.redis,\n          keyPrefix: 'rl:free',\n          points: 100, // requests\n          duration: 900, // per 15 minutes\n          blockDuration: 900, // block for 15 minutes\n        }),\n      ],\n      [\n        'pro',\n        new RateLimiterRedis({\n          storeClient: this.redis,\n          keyPrefix: 'rl:pro',\n          points: 1000,\n          duration: 900,\n          blockDuration: 300,\n        }),\n      ],\n      [\n        'enterprise',\n        new RateLimiterRedis({\n          storeClient: this.redis,\n          keyPrefix: 'rl:enterprise',\n          points: 10000,\n          duration: 900,\n          blockDuration: 60,\n        }),\n      ],\n    ]);\n\n    // Special rate limiter for auth endpoints\n    this.rateLimiters.set(\n      'auth',\n      new RateLimiterRedis({\n        storeClient: this.redis,\n        keyPrefix: 'rl:auth',\n        points: 10, // Only 10 auth attempts\n        duration: 900,\n        blockDuration: 3600, // Block for 1 hour on excessive auth attempts\n      })\n    );\n  }\n\n  private setupTokenBlacklistSync(): void {\n    // Subscribe to token revocation events\n    const subscriber = new Redis(this.config.redisUrl);\n    subscriber.subscribe('token:revoked');\n\n    subscriber.on('message', (channel, token) => {\n      if (channel === 'token:revoked') {\n        this.blacklistedTokens.add(token);\n        // Clean up old tokens periodically\n        if (this.blacklistedTokens.size > 10000) {\n          this.blacklistedTokens.clear();\n        }\n      }\n    });\n  }\n\n  private async getSigningKey(kid: string): Promise<string> {\n    return new Promise((resolve, reject) => {\n      this.jwksClient.getSigningKey(kid, (err, key) => {\n        if (err) {\n          reject(err);\n        } else {\n          const signingKey = key?.getPublicKey();\n          if (!signingKey) {\n            reject(new Error('No signing key found'));\n          } else {\n            resolve(signingKey);\n          }\n        }\n      });\n    });\n  }\n\n  /**\n   * Main authentication middleware\n   */\n  public authenticate = async (\n    req: AuthRequest,\n    res: Response,\n    next: NextFunction\n  ): Promise<any> => {\n    const startTime = Date.now();\n\n    try {\n      // Bypass auth for health checks\n      if (req.path === '/health' || req.path === '/metrics') {\n        return next();\n      }\n\n      // Development bypass\n      if (this.config.bypassAuth && process.env.NODE_ENV === 'development') {\n        req.user = this.getMockUser();\n        return next();\n      }\n\n      // Extract token or API key\n      const token = this.extractToken(req);\n      const apiKey = this.extractApiKey(req);\n\n      if (!token && !apiKey) {\n        metrics.increment('auth.missing_credentials');\n        return res.status(401).json({\n          error: 'Authentication required',\n          code: 'MISSING_CREDENTIALS',\n        });\n      }\n\n      // API Key authentication\n      if (apiKey) {\n        const user = await this.userModel.validateApiKey(apiKey);\n        if (!user) {\n          metrics.increment('auth.invalid_api_key');\n          return res.status(401).json({\n            error: 'Invalid API key',\n            code: 'INVALID_API_KEY',\n          });\n        }\n\n        // Convert to AuthUser format\n        req.user = {\n          id: user.id,\n          sub: user.sub,\n          email: user.email,\n          name: user.name,\n          picture: user.avatar,\n          tier: user.tier,\n          permissions: user.permissions,\n          organizations: user.organizations.map((org) => org.id),\n          metadata: { ...user.metadata, authMethod: 'api_key' },\n        };\n\n        metrics.increment('auth.api_key_success');\n        await metrics.timing('auth.api_key_duration', Date.now() - startTime);\n        return next();\n      }\n\n      // Check blacklist for JWT tokens\n      if (token && this.blacklistedTokens.has(token)) {\n        metrics.increment('auth.blacklisted_token');\n        return res.status(401).json({\n          error: 'Token has been revoked',\n          code: 'TOKEN_REVOKED',\n        });\n      }\n\n      // Ensure token exists for JWT processing\n      if (!token) {\n        // This should not happen as we checked earlier, but TypeScript needs this\n        return res.status(401).json({\n          error: 'No token provided',\n          code: 'NO_TOKEN',\n        });\n      }\n\n      // Decode and verify token\n      const decoded = jwt.decode(token, { complete: true }) as any;\n      if (!decoded) {\n        metrics.increment('auth.invalid_token');\n        return res.status(401).json({\n          error: 'Invalid token format',\n          code: 'INVALID_TOKEN',\n        });\n      }\n\n      // Get signing key and verify\n      const signingKey = await this.getSigningKey(decoded.header.kid);\n      const verified = jwt.verify(token, signingKey, {\n        algorithms: ['RS256'],\n        audience: this.config.auth0Audience,\n        issuer: `https://${this.config.auth0Domain}/`,\n      }) as any;\n\n      // Load user from database or cache\n      const user = await this.loadUser(verified.sub, verified);\n      if (!user) {\n        metrics.increment('auth.user_not_found');\n        return res.status(403).json({\n          error: 'User not found',\n          code: 'USER_NOT_FOUND',\n        });\n      }\n\n      // Check user suspension\n      if (user.metadata?.suspended) {\n        metrics.increment('auth.user_suspended');\n        return res.status(403).json({\n          error: 'Account suspended',\n          code: 'ACCOUNT_SUSPENDED',\n        });\n      }\n\n      // Apply rate limiting\n      const rateLimiter =\n        this.rateLimiters.get(user.tier) || this.rateLimiters.get('free')!;\n      try {\n        const rateLimitRes = await rateLimiter.consume(user.id);\n        req.rateLimitInfo = rateLimitRes;\n\n        // Add rate limit headers\n        res.setHeader('X-RateLimit-Limit', rateLimiter.points.toString());\n        res.setHeader(\n          'X-RateLimit-Remaining',\n          rateLimitRes.remainingPoints.toString()\n        );\n        res.setHeader(\n          'X-RateLimit-Reset',\n          new Date(Date.now() + rateLimitRes.msBeforeNext).toISOString()\n        );\n      } catch (rateLimitError: any) {\n        metrics.increment('auth.rate_limited');\n        res.setHeader(\n          'Retry-After',\n          Math.round(rateLimitError.msBeforeNext / 1000).toString()\n        );\n        return res.status(429).json({\n          error: 'Too many requests',\n          code: 'RATE_LIMITED',\n          retryAfter: rateLimitError.msBeforeNext,\n        });\n      }\n\n      // Attach user to request\n      req.user = user;\n\n      // Track metrics\n      metrics.increment('auth.success', { tier: user.tier });\n      metrics.timing('auth.duration', Date.now() - startTime);\n\n      logger.info('Authentication successful', {\n        userId: user.id,\n        tier: user.tier,\n        path: req.path,\n      });\n\n      next();\n    } catch (error: any) {\n      metrics.increment('auth.error');\n      logger.error('Authentication error', error);\n\n      if (error.name === 'TokenExpiredError') {\n        return res.status(401).json({\n          error: 'Token expired',\n          code: 'TOKEN_EXPIRED',\n        });\n      }\n\n      if (error.name === 'JsonWebTokenError') {\n        return res.status(401).json({\n          error: 'Invalid token',\n          code: 'INVALID_TOKEN',\n        });\n      }\n\n      res.status(500).json({\n        error: 'Authentication failed',\n        code: 'AUTH_ERROR',\n      });\n    }\n  };\n\n  /**\n   * WebSocket authentication handler\n   */\n  public authenticateWebSocket = async (\n    token: string\n  ): Promise<AuthUser | null> => {\n    try {\n      const decoded = jwt.decode(token, { complete: true }) as any;\n      if (!decoded || this.blacklistedTokens.has(token)) {\n        return null;\n      }\n\n      const signingKey = await this.getSigningKey(decoded.header.kid);\n      const verified = jwt.verify(token, signingKey, {\n        algorithms: ['RS256'],\n        audience: this.config.auth0Audience,\n        issuer: `https://${this.config.auth0Domain}/`,\n      }) as any;\n\n      return await this.loadUser(verified.sub, verified);\n    } catch (error) {\n      logger.error(\n        'WebSocket authentication failed',\n        error instanceof Error ? error : undefined\n      );\n      return null;\n    }\n  };\n\n  /**\n   * Permission checking middleware\n   */\n  public requirePermission = (permission: string) => {\n    return (req: AuthRequest, res: Response, next: NextFunction) => {\n      if (!req.user) {\n        return res.status(401).json({\n          error: 'Authentication required',\n          code: 'NOT_AUTHENTICATED',\n        });\n      }\n\n      if (!req.user.permissions.includes(permission)) {\n        metrics.increment('auth.permission_denied', { permission });\n        return res.status(403).json({\n          error: 'Insufficient permissions',\n          code: 'PERMISSION_DENIED',\n          required: permission,\n        });\n      }\n\n      return next();\n    };\n  };\n\n  /**\n   * Organization access middleware\n   */\n  public requireOrganization = (\n    req: AuthRequest,\n    res: Response,\n    next: NextFunction\n  ) => {\n    const orgId = req.params.orgId || req.query.orgId;\n\n    if (!req.user || !orgId) {\n      return res.status(401).json({\n        error: 'Authentication required',\n        code: 'NOT_AUTHENTICATED',\n      });\n    }\n\n    if (!req.user.organizations?.includes(orgId as string)) {\n      return res.status(403).json({\n        error: 'Organization access denied',\n        code: 'ORG_ACCESS_DENIED',\n      });\n    }\n\n    return next();\n  };\n\n  private extractApiKey(req: Request): string | null {\n    // Check Authorization header for API key\n    const authHeader = req.headers.authorization;\n    if (authHeader?.startsWith('Bearer sk-')) {\n      return authHeader.substring(7);\n    }\n\n    // Check X-API-Key header\n    const apiKeyHeader = req.headers['x-api-key'] as string;\n    if (apiKeyHeader?.startsWith('sk-')) {\n      return apiKeyHeader;\n    }\n\n    // Query parameter support removed for security reasons\n    // API keys should only be sent via headers to prevent:\n    // - URL logging exposure\n    // - Browser history leakage\n    // - Referer header transmission\n\n    return null;\n  }\n\n  private extractToken(req: Request): string | null {\n    const authHeader = req.headers.authorization;\n    if (\n      authHeader?.startsWith('Bearer ') &&\n      !authHeader.startsWith('Bearer sk-')\n    ) {\n      return authHeader.substring(7);\n    }\n\n    // Also check cookie for web clients\n    return req.cookies?.access_token || null;\n  }\n\n  private async loadUser(\n    sub: string,\n    tokenPayload?: any\n  ): Promise<AuthUser | null> {\n    // Try cache first\n    const cached = await this.redis.get(`user:${sub}`);\n    if (cached) {\n      const cachedUser = JSON.parse(cached);\n      // Update last login time in background\n      this.userModel\n        .updateLastLogin(cachedUser.id)\n        .catch((err) => logger.error('Failed to update last login', err));\n      return cachedUser;\n    }\n\n    // Load from database\n    let dbUser = await this.userModel.findUserBySub(sub);\n\n    // If user doesn't exist, create from token payload\n    if (!dbUser && tokenPayload) {\n      dbUser = await this.userModel.createUser({\n        sub,\n        email: tokenPayload.email || `${sub}@auth.local`,\n        name: tokenPayload.name,\n        avatar: tokenPayload.picture,\n        tier: this.determineTier(tokenPayload),\n        permissions: this.determinePermissions(tokenPayload),\n        organizations: this.extractOrganizations(tokenPayload),\n        metadata: {\n          auth0: tokenPayload,\n          signupSource: 'auth0',\n          createdVia: 'auth-middleware',\n        },\n      });\n      logger.info('Auto-created user from auth token', {\n        sub,\n        email: dbUser.email,\n      });\n    }\n\n    if (!dbUser) {\n      return null;\n    }\n\n    // Update last login\n    await this.userModel.updateLastLogin(dbUser.id);\n\n    // Convert to AuthUser format\n    const user: AuthUser = {\n      id: dbUser.id,\n      sub: dbUser.sub,\n      email: dbUser.email,\n      name: dbUser.name,\n      picture: dbUser.avatar,\n      tier: dbUser.tier,\n      permissions: dbUser.permissions,\n      organizations: dbUser.organizations.map((org) => org.id),\n      metadata: dbUser.metadata,\n    };\n\n    // Cache for 5 minutes\n    await this.redis.setex(`user:${sub}`, 300, JSON.stringify(user));\n\n    return user;\n  }\n\n  private determineTier(tokenPayload: any): 'free' | 'pro' | 'enterprise' {\n    // Check custom claims or metadata\n    if (tokenPayload['https://stackmemory.ai/tier']) {\n      return tokenPayload['https://stackmemory.ai/tier'];\n    }\n\n    // Check for subscription info\n    if (tokenPayload.subscription?.plan) {\n      const plan = tokenPayload.subscription.plan.toLowerCase();\n      if (plan.includes('enterprise')) return 'enterprise';\n      if (plan.includes('pro') || plan.includes('premium')) return 'pro';\n    }\n\n    // Default to free\n    return 'free';\n  }\n\n  private determinePermissions(tokenPayload: any): string[] {\n    const permissions: string[] = ['read', 'write'];\n\n    // Check custom permissions claim\n    if (tokenPayload['https://stackmemory.ai/permissions']) {\n      return tokenPayload['https://stackmemory.ai/permissions'];\n    }\n\n    // Check standard permissions\n    if (tokenPayload.permissions && Array.isArray(tokenPayload.permissions)) {\n      return tokenPayload.permissions;\n    }\n\n    // Check roles\n    if (tokenPayload.roles && Array.isArray(tokenPayload.roles)) {\n      if (tokenPayload.roles.includes('admin')) {\n        permissions.push('admin', 'delete');\n      }\n      if (tokenPayload.roles.includes('moderator')) {\n        permissions.push('moderate');\n      }\n    }\n\n    return permissions;\n  }\n\n  private extractOrganizations(\n    tokenPayload: any\n  ): Array<{ id: string; name: string; role: string }> {\n    const orgs: Array<{ id: string; name: string; role: string }> = [];\n\n    // Check custom organization claim\n    if (tokenPayload['https://stackmemory.ai/organizations']) {\n      return tokenPayload['https://stackmemory.ai/organizations'];\n    }\n\n    // Check Auth0 organizations\n    if (tokenPayload.org_id) {\n      orgs.push({\n        id: tokenPayload.org_id,\n        name: tokenPayload.org_name || tokenPayload.org_id,\n        role: tokenPayload.org_role || 'member',\n      });\n    }\n\n    return orgs;\n  }\n\n  private async initializeMockUser(): Promise<AuthUser> {\n    const mockSub = 'dev-sub';\n\n    // Check if user exists in database\n    let dbUser = await this.userModel.findUserBySub(mockSub);\n\n    if (!dbUser) {\n      // Create mock user in database\n      dbUser = await this.userModel.createUser({\n        sub: mockSub,\n        email: 'dev@stackmemory.local',\n        name: 'Development User',\n        tier: 'enterprise',\n        permissions: ['read', 'write', 'admin', 'delete'],\n        organizations: [\n          {\n            id: 'dev-org',\n            name: 'Development Organization',\n            role: 'admin',\n          },\n        ],\n        metadata: {\n          isDevelopmentUser: true,\n          createdAt: new Date().toISOString(),\n        },\n      });\n      logger.info('Created development mock user');\n    }\n\n    return {\n      id: dbUser.id,\n      sub: dbUser.sub,\n      email: dbUser.email,\n      name: dbUser.name,\n      picture: dbUser.avatar,\n      tier: dbUser.tier,\n      permissions: dbUser.permissions,\n      organizations: dbUser.organizations.map((org) => org.id),\n      metadata: dbUser.metadata,\n    };\n  }\n\n  private getMockUser(): AuthUser {\n    // Return cached mock user if available\n    if (this.mockUser) {\n      return this.mockUser;\n    }\n\n    // Initialize mock user synchronously to prevent race conditions\n    // This runs during constructor or first use\n    if (!this.mockUserInitializing) {\n      this.mockUserInitializing = true;\n\n      // Initialize asynchronously but return a temporary user immediately\n      this.initializeMockUser()\n        .then((user) => {\n          this.mockUser = user;\n          this.mockUserInitializing = false;\n          logger.info('Mock user initialized and cached');\n        })\n        .catch((err) => {\n          logger.error('Failed to initialize mock user', err);\n          this.mockUserInitializing = false;\n        });\n    }\n\n    // Return temporary mock user while initialization is in progress\n    return {\n      id: 'temp-dev-user-id',\n      sub: 'dev-sub',\n      email: 'dev@stackmemory.local',\n      name: 'Development User',\n      tier: 'enterprise',\n      permissions: ['read', 'write', 'admin', 'delete'],\n      organizations: ['dev-org'],\n      metadata: { temporary: true },\n    };\n  }\n\n  /**\n   * Revoke a token (add to blacklist)\n   */\n  public async revokeToken(token: string): Promise<void> {\n    this.blacklistedTokens.add(token);\n    await this.redis.publish('token:revoked', token);\n\n    // Also store in Redis with TTL matching token expiry\n    const decoded = jwt.decode(token) as any;\n    if (decoded?.exp) {\n      const ttl = decoded.exp - Math.floor(Date.now() / 1000);\n      if (ttl > 0) {\n        await this.redis.setex(`blacklist:${token}`, ttl, '1');\n      }\n    }\n  }\n\n  /**\n   * Cleanup resources\n   */\n  public async close(): Promise<void> {\n    await this.redis.quit();\n  }\n}\n"],
+  "mappings": "AAKA,OAAO,SAAS;AAChB,OAAO,aAAa;AAEpB,SAAS,wBAAwC;AACjD,OAAO,WAAW;AAClB,OAAO,mBAAmB;AAC1B,SAAS,cAAc;AACvB,SAAS,eAAe;AACxB,SAAS,oBAAqC;AAmBvC,MAAM,eAAe;AAAA,EAU1B,YACU,QAQR;AARQ;AASR,SAAK,QAAQ,IAAI,MAAM,OAAO,QAAQ;AAGtC,UAAM,SACJ,OAAO,UAAU,QAAQ,IAAI,kBAAkB;AACjD,SAAK,KAAK,IAAI,cAAc,MAAM;AAClC,SAAK,YAAY,aAAa,KAAK,EAAE;AAErC,SAAK,aAAa,QAAQ;AAAA,MACxB,SAAS,WAAW,OAAO,WAAW;AAAA,MACtC,OAAO;AAAA,MACP,aAAa;AAAA;AAAA,MACb,WAAW;AAAA,MACX,uBAAuB;AAAA,IACzB,CAAC;AAED,SAAK,uBAAuB;AAC5B,SAAK,wBAAwB;AAAA,EAC/B;AAAA,EArCQ;AAAA,EACA;AAAA,EACA;AAAA,EACA,oBAAiC,oBAAI,IAAI;AAAA,EACzC;AAAA,EACA;AAAA,EACA;AAAA,EACA,uBAAuB;AAAA,EAgCvB,yBAA+B;AAErC,SAAK,eAAe,oBAAI,IAAI;AAAA,MAC1B;AAAA,QACE;AAAA,QACA,IAAI,iBAAiB;AAAA,UACnB,aAAa,KAAK;AAAA,UAClB,WAAW;AAAA,UACX,QAAQ;AAAA;AAAA,UACR,UAAU;AAAA;AAAA,UACV,eAAe;AAAA;AAAA,QACjB,CAAC;AAAA,MACH;AAAA,MACA;AAAA,QACE;AAAA,QACA,IAAI,iBAAiB;AAAA,UACnB,aAAa,KAAK;AAAA,UAClB,WAAW;AAAA,UACX,QAAQ;AAAA,UACR,UAAU;AAAA,UACV,eAAe;AAAA,QACjB,CAAC;AAAA,MACH;AAAA,MACA;AAAA,QACE;AAAA,QACA,IAAI,iBAAiB;AAAA,UACnB,aAAa,KAAK;AAAA,UAClB,WAAW;AAAA,UACX,QAAQ;AAAA,UACR,UAAU;AAAA,UACV,eAAe;AAAA,QACjB,CAAC;AAAA,MACH;AAAA,IACF,CAAC;AAGD,SAAK,aAAa;AAAA,MAChB;AAAA,MACA,IAAI,iBAAiB;AAAA,QACnB,aAAa,KAAK;AAAA,QAClB,WAAW;AAAA,QACX,QAAQ;AAAA;AAAA,QACR,UAAU;AAAA,QACV,eAAe;AAAA;AAAA,MACjB,CAAC;AAAA,IACH;AAAA,EACF;AAAA,EAEQ,0BAAgC;AAEtC,UAAM,aAAa,IAAI,MAAM,KAAK,OAAO,QAAQ;AACjD,eAAW,UAAU,eAAe;AAEpC,eAAW,GAAG,WAAW,CAAC,SAAS,UAAU;AAC3C,UAAI,YAAY,iBAAiB;AAC/B,aAAK,kBAAkB,IAAI,KAAK;AAEhC,YAAI,KAAK,kBAAkB,OAAO,KAAO;AACvC,eAAK,kBAAkB,MAAM;AAAA,QAC/B;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,cAAc,KAA8B;AACxD,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,WAAK,WAAW,cAAc,KAAK,CAAC,KAAK,QAAQ;AAC/C,YAAI,KAAK;AACP,iBAAO,GAAG;AAAA,QACZ,OAAO;AACL,gBAAM,aAAa,KAAK,aAAa;AACrC,cAAI,CAAC,YAAY;AACf,mBAAO,IAAI,MAAM,sBAAsB,CAAC;AAAA,UAC1C,OAAO;AACL,oBAAQ,UAAU;AAAA,UACpB;AAAA,QACF;AAAA,MACF,CAAC;AAAA,IACH,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKO,eAAe,OACpB,KACA,KACA,SACiB;AACjB,UAAM,YAAY,KAAK,IAAI;AAE3B,QAAI;AAEF,UAAI,IAAI,SAAS,aAAa,IAAI,SAAS,YAAY;AACrD,eAAO,KAAK;AAAA,MACd;AAGA,UAAI,KAAK,OAAO,cAAc,QAAQ,IAAI,aAAa,eAAe;AACpE,YAAI,OAAO,KAAK,YAAY;AAC5B,eAAO,KAAK;AAAA,MACd;AAGA,YAAM,QAAQ,KAAK,aAAa,GAAG;AACnC,YAAM,SAAS,KAAK,cAAc,GAAG;AAErC,UAAI,CAAC,SAAS,CAAC,QAAQ;AACrB,gBAAQ,UAAU,0BAA0B;AAC5C,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAGA,UAAI,QAAQ;AACV,cAAMA,QAAO,MAAM,KAAK,UAAU,eAAe,MAAM;AACvD,YAAI,CAACA,OAAM;AACT,kBAAQ,UAAU,sBAAsB;AACxC,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YAC1B,OAAO;AAAA,YACP,MAAM;AAAA,UACR,CAAC;AAAA,QACH;AAGA,YAAI,OAAO;AAAA,UACT,IAAIA,MAAK;AAAA,UACT,KAAKA,MAAK;AAAA,UACV,OAAOA,MAAK;AAAA,UACZ,MAAMA,MAAK;AAAA,UACX,SAASA,MAAK;AAAA,UACd,MAAMA,MAAK;AAAA,UACX,aAAaA,MAAK;AAAA,UAClB,eAAeA,MAAK,cAAc,IAAI,CAAC,QAAQ,IAAI,EAAE;AAAA,UACrD,UAAU,EAAE,GAAGA,MAAK,UAAU,YAAY,UAAU;AAAA,QACtD;AAEA,gBAAQ,UAAU,sBAAsB;AACxC,cAAM,QAAQ,OAAO,yBAAyB,KAAK,IAAI,IAAI,SAAS;AACpE,eAAO,KAAK;AAAA,MACd;AAGA,UAAI,SAAS,KAAK,kBAAkB,IAAI,KAAK,GAAG;AAC9C,gBAAQ,UAAU,wBAAwB;AAC1C,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAGA,UAAI,CAAC,OAAO;AAEV,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAGA,YAAM,UAAU,IAAI,OAAO,OAAO,EAAE,UAAU,KAAK,CAAC;AACpD,UAAI,CAAC,SAAS;AACZ,gBAAQ,UAAU,oBAAoB;AACtC,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAGA,YAAM,aAAa,MAAM,KAAK,cAAc,QAAQ,OAAO,GAAG;AAC9D,YAAM,WAAW,IAAI,OAAO,OAAO,YAAY;AAAA,QAC7C,YAAY,CAAC,OAAO;AAAA,QACpB,UAAU,KAAK,OAAO;AAAA,QACtB,QAAQ,WAAW,KAAK,OAAO,WAAW;AAAA,MAC5C,CAAC;AAGD,YAAM,OAAO,MAAM,KAAK,SAAS,SAAS,KAAK,QAAQ;AACvD,UAAI,CAAC,MAAM;AACT,gBAAQ,UAAU,qBAAqB;AACvC,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAGA,UAAI,KAAK,UAAU,WAAW;AAC5B,gBAAQ,UAAU,qBAAqB;AACvC,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAGA,YAAM,cACJ,KAAK,aAAa,IAAI,KAAK,IAAI,KAAK,KAAK,aAAa,IAAI,MAAM;AAClE,UAAI;AACF,cAAM,eAAe,MAAM,YAAY,QAAQ,KAAK,EAAE;AACtD,YAAI,gBAAgB;AAGpB,YAAI,UAAU,qBAAqB,YAAY,OAAO,SAAS,CAAC;AAChE,YAAI;AAAA,UACF;AAAA,UACA,aAAa,gBAAgB,SAAS;AAAA,QACxC;AACA,YAAI;AAAA,UACF;AAAA,UACA,IAAI,KAAK,KAAK,IAAI,IAAI,aAAa,YAAY,EAAE,YAAY;AAAA,QAC/D;AAAA,MACF,SAAS,gBAAqB;AAC5B,gBAAQ,UAAU,mBAAmB;AACrC,YAAI;AAAA,UACF;AAAA,UACA,KAAK,MAAM,eAAe,eAAe,GAAI,EAAE,SAAS;AAAA,QAC1D;AACA,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,UACN,YAAY,eAAe;AAAA,QAC7B,CAAC;AAAA,MACH;AAGA,UAAI,OAAO;AAGX,cAAQ,UAAU,gBAAgB,EAAE,MAAM,KAAK,KAAK,CAAC;AACrD,cAAQ,OAAO,iBAAiB,KAAK,IAAI,IAAI,SAAS;AAEtD,aAAO,KAAK,6BAA6B;AAAA,QACvC,QAAQ,KAAK;AAAA,QACb,MAAM,KAAK;AAAA,QACX,MAAM,IAAI;AAAA,MACZ,CAAC;AAED,WAAK;AAAA,IACP,SAAS,OAAY;AACnB,cAAQ,UAAU,YAAY;AAC9B,aAAO,MAAM,wBAAwB,KAAK;AAE1C,UAAI,MAAM,SAAS,qBAAqB;AACtC,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAEA,UAAI,MAAM,SAAS,qBAAqB;AACtC,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAEA,UAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QACnB,OAAO;AAAA,QACP,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKO,wBAAwB,OAC7B,UAC6B;AAC7B,QAAI;AACF,YAAM,UAAU,IAAI,OAAO,OAAO,EAAE,UAAU,KAAK,CAAC;AACpD,UAAI,CAAC,WAAW,KAAK,kBAAkB,IAAI,KAAK,GAAG;AACjD,eAAO;AAAA,MACT;AAEA,YAAM,aAAa,MAAM,KAAK,cAAc,QAAQ,OAAO,GAAG;AAC9D,YAAM,WAAW,IAAI,OAAO,OAAO,YAAY;AAAA,QAC7C,YAAY,CAAC,OAAO;AAAA,QACpB,UAAU,KAAK,OAAO;AAAA,QACtB,QAAQ,WAAW,KAAK,OAAO,WAAW;AAAA,MAC5C,CAAC;AAED,aAAO,MAAM,KAAK,SAAS,SAAS,KAAK,QAAQ;AAAA,IACnD,SAAS,OAAO;AACd,aAAO;AAAA,QACL;AAAA,QACA,iBAAiB,QAAQ,QAAQ;AAAA,MACnC;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKO,oBAAoB,CAAC,eAAuB;AACjD,WAAO,CAAC,KAAkB,KAAe,SAAuB;AAC9D,UAAI,CAAC,IAAI,MAAM;AACb,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAEA,UAAI,CAAC,IAAI,KAAK,YAAY,SAAS,UAAU,GAAG;AAC9C,gBAAQ,UAAU,0BAA0B,EAAE,WAAW,CAAC;AAC1D,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,UACN,UAAU;AAAA,QACZ,CAAC;AAAA,MACH;AAEA,aAAO,KAAK;AAAA,IACd;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKO,sBAAsB,CAC3B,KACA,KACA,SACG;AACH,UAAM,QAAQ,IAAI,OAAO,SAAS,IAAI,MAAM;AAE5C,QAAI,CAAC,IAAI,QAAQ,CAAC,OAAO;AACvB,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QAC1B,OAAO;AAAA,QACP,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,IAAI,KAAK,eAAe,SAAS,KAAe,GAAG;AACtD,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QAC1B,OAAO;AAAA,QACP,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,cAAc,KAA6B;AAEjD,UAAM,aAAa,IAAI,QAAQ;AAC/B,QAAI,YAAY,WAAW,YAAY,GAAG;AACxC,aAAO,WAAW,UAAU,CAAC;AAAA,IAC/B;AAGA,UAAM,eAAe,IAAI,QAAQ,WAAW;AAC5C,QAAI,cAAc,WAAW,KAAK,GAAG;AACnC,aAAO;AAAA,IACT;AAQA,WAAO;AAAA,EACT;AAAA,EAEQ,aAAa,KAA6B;AAChD,UAAM,aAAa,IAAI,QAAQ;AAC/B,QACE,YAAY,WAAW,SAAS,KAChC,CAAC,WAAW,WAAW,YAAY,GACnC;AACA,aAAO,WAAW,UAAU,CAAC;AAAA,IAC/B;AAGA,WAAO,IAAI,SAAS,gBAAgB;AAAA,EACtC;AAAA,EAEA,MAAc,SACZ,KACA,cAC0B;AAE1B,UAAM,SAAS,MAAM,KAAK,MAAM,IAAI,QAAQ,GAAG,EAAE;AACjD,QAAI,QAAQ;AACV,YAAM,aAAa,KAAK,MAAM,MAAM;AAEpC,WAAK,UACF,gBAAgB,WAAW,EAAE,EAC7B,MAAM,CAAC,QAAQ,OAAO,MAAM,+BAA+B,GAAG,CAAC;AAClE,aAAO;AAAA,IACT;AAGA,QAAI,SAAS,MAAM,KAAK,UAAU,cAAc,GAAG;AAGnD,QAAI,CAAC,UAAU,cAAc;AAC3B,eAAS,MAAM,KAAK,UAAU,WAAW;AAAA,QACvC;AAAA,QACA,OAAO,aAAa,SAAS,GAAG,GAAG;AAAA,QACnC,MAAM,aAAa;AAAA,QACnB,QAAQ,aAAa;AAAA,QACrB,MAAM,KAAK,cAAc,YAAY;AAAA,QACrC,aAAa,KAAK,qBAAqB,YAAY;AAAA,QACnD,eAAe,KAAK,qBAAqB,YAAY;AAAA,QACrD,UAAU;AAAA,UACR,OAAO;AAAA,UACP,cAAc;AAAA,UACd,YAAY;AAAA,QACd;AAAA,MACF,CAAC;AACD,aAAO,KAAK,qCAAqC;AAAA,QAC/C;AAAA,QACA,OAAO,OAAO;AAAA,MAChB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,QAAQ;AACX,aAAO;AAAA,IACT;AAGA,UAAM,KAAK,UAAU,gBAAgB,OAAO,EAAE;AAG9C,UAAM,OAAiB;AAAA,MACrB,IAAI,OAAO;AAAA,MACX,KAAK,OAAO;AAAA,MACZ,OAAO,OAAO;AAAA,MACd,MAAM,OAAO;AAAA,MACb,SAAS,OAAO;AAAA,MAChB,MAAM,OAAO;AAAA,MACb,aAAa,OAAO;AAAA,MACpB,eAAe,OAAO,cAAc,IAAI,CAAC,QAAQ,IAAI,EAAE;AAAA,MACvD,UAAU,OAAO;AAAA,IACnB;AAGA,UAAM,KAAK,MAAM,MAAM,QAAQ,GAAG,IAAI,KAAK,KAAK,UAAU,IAAI,CAAC;AAE/D,WAAO;AAAA,EACT;AAAA,EAEQ,cAAc,cAAkD;AAEtE,QAAI,aAAa,6BAA6B,GAAG;AAC/C,aAAO,aAAa,6BAA6B;AAAA,IACnD;AAGA,QAAI,aAAa,cAAc,MAAM;AACnC,YAAM,OAAO,aAAa,aAAa,KAAK,YAAY;AACxD,UAAI,KAAK,SAAS,YAAY,EAAG,QAAO;AACxC,UAAI,KAAK,SAAS,KAAK,KAAK,KAAK,SAAS,SAAS,EAAG,QAAO;AAAA,IAC/D;AAGA,WAAO;AAAA,EACT;AAAA,EAEQ,qBAAqB,cAA6B;AACxD,UAAM,cAAwB,CAAC,QAAQ,OAAO;AAG9C,QAAI,aAAa,oCAAoC,GAAG;AACtD,aAAO,aAAa,oCAAoC;AAAA,IAC1D;AAGA,QAAI,aAAa,eAAe,MAAM,QAAQ,aAAa,WAAW,GAAG;AACvE,aAAO,aAAa;AAAA,IACtB;AAGA,QAAI,aAAa,SAAS,MAAM,QAAQ,aAAa,KAAK,GAAG;AAC3D,UAAI,aAAa,MAAM,SAAS,OAAO,GAAG;AACxC,oBAAY,KAAK,SAAS,QAAQ;AAAA,MACpC;AACA,UAAI,aAAa,MAAM,SAAS,WAAW,GAAG;AAC5C,oBAAY,KAAK,UAAU;AAAA,MAC7B;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,qBACN,cACmD;AACnD,UAAM,OAA0D,CAAC;AAGjE,QAAI,aAAa,sCAAsC,GAAG;AACxD,aAAO,aAAa,sCAAsC;AAAA,IAC5D;AAGA,QAAI,aAAa,QAAQ;AACvB,WAAK,KAAK;AAAA,QACR,IAAI,aAAa;AAAA,QACjB,MAAM,aAAa,YAAY,aAAa;AAAA,QAC5C,MAAM,aAAa,YAAY;AAAA,MACjC,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAc,qBAAwC;AACpD,UAAM,UAAU;AAGhB,QAAI,SAAS,MAAM,KAAK,UAAU,cAAc,OAAO;AAEvD,QAAI,CAAC,QAAQ;AAEX,eAAS,MAAM,KAAK,UAAU,WAAW;AAAA,QACvC,KAAK;AAAA,QACL,OAAO;AAAA,QACP,MAAM;AAAA,QACN,MAAM;AAAA,QACN,aAAa,CAAC,QAAQ,SAAS,SAAS,QAAQ;AAAA,QAChD,eAAe;AAAA,UACb;AAAA,YACE,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,MAAM;AAAA,UACR;AAAA,QACF;AAAA,QACA,UAAU;AAAA,UACR,mBAAmB;AAAA,UACnB,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,QACpC;AAAA,MACF,CAAC;AACD,aAAO,KAAK,+BAA+B;AAAA,IAC7C;AAEA,WAAO;AAAA,MACL,IAAI,OAAO;AAAA,MACX,KAAK,OAAO;AAAA,MACZ,OAAO,OAAO;AAAA,MACd,MAAM,OAAO;AAAA,MACb,SAAS,OAAO;AAAA,MAChB,MAAM,OAAO;AAAA,MACb,aAAa,OAAO;AAAA,MACpB,eAAe,OAAO,cAAc,IAAI,CAAC,QAAQ,IAAI,EAAE;AAAA,MACvD,UAAU,OAAO;AAAA,IACnB;AAAA,EACF;AAAA,EAEQ,cAAwB;AAE9B,QAAI,KAAK,UAAU;AACjB,aAAO,KAAK;AAAA,IACd;AAIA,QAAI,CAAC,KAAK,sBAAsB;AAC9B,WAAK,uBAAuB;AAG5B,WAAK,mBAAmB,EACrB,KAAK,CAAC,SAAS;AACd,aAAK,WAAW;AAChB,aAAK,uBAAuB;AAC5B,eAAO,KAAK,kCAAkC;AAAA,MAChD,CAAC,EACA,MAAM,CAAC,QAAQ;AACd,eAAO,MAAM,kCAAkC,GAAG;AAClD,aAAK,uBAAuB;AAAA,MAC9B,CAAC;AAAA,IACL;AAGA,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,KAAK;AAAA,MACL,OAAO;AAAA,MACP,MAAM;AAAA,MACN,MAAM;AAAA,MACN,aAAa,CAAC,QAAQ,SAAS,SAAS,QAAQ;AAAA,MAChD,eAAe,CAAC,SAAS;AAAA,MACzB,UAAU,EAAE,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAa,YAAY,OAA8B;AACrD,SAAK,kBAAkB,IAAI,KAAK;AAChC,UAAM,KAAK,MAAM,QAAQ,iBAAiB,KAAK;AAG/C,UAAM,UAAU,IAAI,OAAO,KAAK;AAChC,QAAI,SAAS,KAAK;AAChB,YAAM,MAAM,QAAQ,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACtD,UAAI,MAAM,GAAG;AACX,cAAM,KAAK,MAAM,MAAM,aAAa,KAAK,IAAI,KAAK,GAAG;AAAA,MACvD;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAa,QAAuB;AAClC,UAAM,KAAK,MAAM,KAAK;AAAA,EACxB;AACF;",
+  "names": ["user"]
+}