@stackmemoryai/stackmemory 0.5.57 → 0.5.59

package/dist/src/models/user.model.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/models/user.model.ts"],
+  "sourcesContent": ["import BetterSqlite3 from 'better-sqlite3';\nimport { v4 as uuidv4 } from 'uuid';\nimport * as bcrypt from 'bcryptjs';\nimport { logger } from '../core/monitoring/logger.js';\n\ntype Database = BetterSqlite3.Database;\n\ninterface UserRow {\n  id: string;\n  sub: string;\n  email: string;\n  name?: string;\n  avatar?: string;\n  tier: 'free' | 'pro' | 'enterprise';\n  permissions: string;\n  organizations: string;\n  api_keys: string;\n  created_at: number;\n  updated_at: number;\n  last_login_at?: number;\n  metadata?: string;\n}\n\ninterface SessionRow {\n  id: string;\n  user_id: string;\n  token: string;\n  expires_at: number;\n  created_at: number;\n  metadata?: string;\n}\n\nexport interface User {\n  id: string;\n  sub: string; // Subject identifier from auth provider\n  email: string;\n  name?: string;\n  avatar?: string;\n  tier: 'free' | 'pro' | 'enterprise';\n  permissions: string[];\n  organizations: Array<{\n    id: string;\n    name: string;\n    role: string;\n  }>;\n  apiKeys?: string[];\n  createdAt: Date;\n  updatedAt: Date;\n  lastLoginAt?: Date;\n  metadata?: Record<string, unknown>;\n}\n\nexport interface UserSession {\n  id: string;\n  userId: string;\n  token: string;\n  expiresAt: Date;\n  createdAt: Date;\n  metadata?: Record<string, unknown>;\n}\n\nexport class UserModel {\n  private db: Database;\n\n  constructor(db: Database) {\n    this.db = db;\n    this.initialize();\n  }\n\n  private initialize(): void {\n    // Create users table\n    this.db.exec(`\n      CREATE TABLE IF NOT EXISTS users (\n        id TEXT PRIMARY KEY,\n        sub TEXT UNIQUE NOT NULL,\n        email TEXT UNIQUE NOT NULL,\n        name TEXT,\n        avatar TEXT,\n        tier TEXT DEFAULT 'free',\n        permissions TEXT DEFAULT '[\"read\", \"write\"]',\n        organizations TEXT DEFAULT '[]',\n        api_keys TEXT DEFAULT '[]',\n        created_at DATETIME DEFAULT CURRENT_TIMESTAMP,\n        updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,\n        last_login_at DATETIME,\n        metadata TEXT DEFAULT '{}'\n      )\n    `);\n\n    // Create sessions table\n    this.db.exec(`\n      CREATE TABLE IF NOT EXISTS user_sessions (\n        id TEXT PRIMARY KEY,\n        user_id TEXT NOT NULL,\n        token TEXT UNIQUE NOT NULL,\n        expires_at DATETIME NOT NULL,\n        created_at DATETIME DEFAULT CURRENT_TIMESTAMP,\n        metadata TEXT DEFAULT '{}',\n        FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE\n      )\n    `);\n\n    // Create api_keys table for efficient lookup\n    this.db.exec(`\n      CREATE TABLE IF NOT EXISTS api_keys (\n        id TEXT PRIMARY KEY,\n        user_id TEXT NOT NULL,\n        key_hash TEXT UNIQUE NOT NULL,\n        name TEXT,\n        last_used_at DATETIME,\n        created_at DATETIME DEFAULT CURRENT_TIMESTAMP,\n        expires_at DATETIME,\n        metadata TEXT DEFAULT '{}',\n        FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE\n      )\n    `);\n\n    // Create indexes\n    this.db.exec(`\n      CREATE INDEX IF NOT EXISTS idx_users_sub ON users(sub);\n      CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);\n      CREATE INDEX IF NOT EXISTS idx_sessions_token ON user_sessions(token);\n      CREATE INDEX IF NOT EXISTS idx_sessions_user ON user_sessions(user_id);\n      CREATE INDEX IF NOT EXISTS idx_sessions_expires ON user_sessions(expires_at);\n      CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash);\n      CREATE INDEX IF NOT EXISTS idx_api_keys_user ON api_keys(user_id);\n    `);\n\n    logger.info('User database schema initialized');\n  }\n\n  async createUser(userData: Partial<User>): Promise<User> {\n    if (!userData.sub || !userData.email) {\n      throw new Error('User sub and email are required');\n    }\n\n    const user: User = {\n      id: userData.id || uuidv4(),\n      sub: userData.sub,\n      email: userData.email,\n      name: userData.name,\n      avatar: userData.avatar,\n      tier: userData.tier || 'free',\n      permissions: userData.permissions || ['read', 'write'],\n      organizations: userData.organizations || [],\n      apiKeys: userData.apiKeys || [],\n      createdAt: new Date(),\n      updatedAt: new Date(),\n      metadata: userData.metadata || {},\n    };\n\n    const stmt = this.db.prepare(`\n      INSERT INTO users (\n        id, sub, email, name, avatar, tier, permissions, \n        organizations, api_keys, created_at, updated_at, metadata\n      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\n    `);\n\n    stmt.run(\n      user.id,\n      user.sub,\n      user.email,\n      user.name,\n      user.avatar,\n      user.tier,\n      JSON.stringify(user.permissions),\n      JSON.stringify(user.organizations),\n      JSON.stringify(user.apiKeys),\n      user.createdAt.toISOString(),\n      user.updatedAt.toISOString(),\n      JSON.stringify(user.metadata)\n    );\n\n    logger.info('User created', { userId: user.id, email: user.email });\n    return user;\n  }\n\n  async findUserBySub(sub: string): Promise<User | null> {\n    const stmt = this.db.prepare('SELECT * FROM users WHERE sub = ?');\n    const row = stmt.get(sub) as UserRow | undefined;\n\n    if (!row) {\n      return null;\n    }\n\n    return this.rowToUser(row);\n  }\n\n  async findUserByEmail(email: string): Promise<User | null> {\n    const stmt = this.db.prepare('SELECT * FROM users WHERE email = ?');\n    const row = stmt.get(email) as UserRow | undefined;\n\n    if (!row) {\n      return null;\n    }\n\n    return this.rowToUser(row);\n  }\n\n  async findUserById(id: string): Promise<User | null> {\n    const stmt = this.db.prepare('SELECT * FROM users WHERE id = ?');\n    const row = stmt.get(id) as UserRow | undefined;\n\n    if (!row) {\n      return null;\n    }\n\n    return this.rowToUser(row);\n  }\n\n  async updateUser(id: string, updates: Partial<User>): Promise<User | null> {\n    const user = await this.findUserById(id);\n    if (!user) {\n      return null;\n    }\n\n    const updatedUser = {\n      ...user,\n      ...updates,\n      updatedAt: new Date(),\n    };\n\n    const stmt = this.db.prepare(`\n      UPDATE users SET\n        email = ?, name = ?, avatar = ?, tier = ?, \n        permissions = ?, organizations = ?, api_keys = ?,\n        updated_at = ?, last_login_at = ?, metadata = ?\n      WHERE id = ?\n    `);\n\n    stmt.run(\n      updatedUser.email,\n      updatedUser.name,\n      updatedUser.avatar,\n      updatedUser.tier,\n      JSON.stringify(updatedUser.permissions),\n      JSON.stringify(updatedUser.organizations),\n      JSON.stringify(updatedUser.apiKeys),\n      updatedUser.updatedAt.toISOString(),\n      updatedUser.lastLoginAt?.toISOString(),\n      JSON.stringify(updatedUser.metadata),\n      id\n    );\n\n    logger.info('User updated', { userId: id });\n    return updatedUser;\n  }\n\n  async deleteUser(id: string): Promise<boolean> {\n    const stmt = this.db.prepare('DELETE FROM users WHERE id = ?');\n    const result = stmt.run(id);\n\n    if (result.changes > 0) {\n      logger.info('User deleted', { userId: id });\n      return true;\n    }\n\n    return false;\n  }\n\n  async updateLastLogin(id: string): Promise<void> {\n    const stmt = this.db.prepare(\n      'UPDATE users SET last_login_at = ? WHERE id = ?'\n    );\n    stmt.run(new Date().toISOString(), id);\n  }\n\n  // Session management\n  async createSession(userId: string, expiresIn = 86400): Promise<UserSession> {\n    const session: UserSession = {\n      id: uuidv4(),\n      userId,\n      token: this.generateSessionToken(),\n      expiresAt: new Date(Date.now() + expiresIn * 1000),\n      createdAt: new Date(),\n      metadata: {},\n    };\n\n    const stmt = this.db.prepare(`\n      INSERT INTO user_sessions (id, user_id, token, expires_at, created_at, metadata)\n      VALUES (?, ?, ?, ?, ?, ?)\n    `);\n\n    stmt.run(\n      session.id,\n      session.userId,\n      session.token,\n      session.expiresAt.toISOString(),\n      session.createdAt.toISOString(),\n      JSON.stringify(session.metadata)\n    );\n\n    logger.info('Session created', { sessionId: session.id, userId });\n    return session;\n  }\n\n  async findSessionByToken(token: string): Promise<UserSession | null> {\n    const stmt = this.db.prepare('SELECT * FROM user_sessions WHERE token = ?');\n    const row = stmt.get(token) as SessionRow | undefined;\n\n    if (!row) {\n      return null;\n    }\n\n    return this.rowToSession(row);\n  }\n\n  async validateSession(token: string): Promise<User | null> {\n    const session = await this.findSessionByToken(token);\n\n    if (!session) {\n      return null;\n    }\n\n    // Check if session is expired\n    if (new Date(session.expiresAt) < new Date()) {\n      await this.deleteSession(session.id);\n      return null;\n    }\n\n    // Get the user\n    return await this.findUserById(session.userId);\n  }\n\n  async deleteSession(id: string): Promise<boolean> {\n    const stmt = this.db.prepare('DELETE FROM user_sessions WHERE id = ?');\n    const result = stmt.run(id);\n    return result.changes > 0;\n  }\n\n  async deleteExpiredSessions(): Promise<number> {\n    const stmt = this.db.prepare(\n      'DELETE FROM user_sessions WHERE expires_at < ?'\n    );\n    const result = stmt.run(new Date().toISOString());\n\n    if (result.changes > 0) {\n      logger.info('Expired sessions deleted', { count: result.changes });\n    }\n\n    return result.changes;\n  }\n\n  // API Key management\n  async generateApiKey(userId: string, name?: string): Promise<string> {\n    const user = await this.findUserById(userId);\n    if (!user) {\n      throw new Error('User not found');\n    }\n\n    const apiKey = `sk-${this.generateToken(32)}`;\n    const hashedKey = await bcrypt.hash(apiKey, 10);\n\n    // Store in dedicated api_keys table\n    const stmt = this.db.prepare(`\n      INSERT INTO api_keys (id, user_id, key_hash, name, created_at)\n      VALUES (?, ?, ?, ?, ?)\n    `);\n\n    const apiKeyId = uuidv4();\n    stmt.run(\n      apiKeyId,\n      userId,\n      hashedKey,\n      name || 'API Key',\n      new Date().toISOString()\n    );\n\n    logger.info('API key generated', { userId, apiKeyId });\n    return apiKey;\n  }\n\n  async validateApiKey(apiKey: string): Promise<User | null> {\n    // Efficient lookup using indexed api_keys table\n    const stmt = this.db.prepare(`\n      SELECT u.*, ak.id as api_key_id, ak.key_hash\n      FROM api_keys ak\n      JOIN users u ON ak.user_id = u.id\n      WHERE (ak.expires_at IS NULL OR ak.expires_at > datetime('now'))\n    `);\n\n    const rows = stmt.all() as SessionRow[];\n\n    for (const row of rows) {\n      if (await bcrypt.compare(apiKey, row.key_hash)) {\n        // Update last used timestamp\n        const updateStmt = this.db.prepare(\n          'UPDATE api_keys SET last_used_at = ? WHERE id = ?'\n        );\n        updateStmt.run(new Date().toISOString(), row.api_key_id);\n\n        return this.rowToUser(row);\n      }\n    }\n\n    return null;\n  }\n\n  async revokeApiKey(userId: string, apiKeyId: string): Promise<boolean> {\n    const stmt = this.db.prepare(\n      'DELETE FROM api_keys WHERE id = ? AND user_id = ?'\n    );\n    const result = stmt.run(apiKeyId, userId);\n\n    if (result.changes > 0) {\n      logger.info('API key revoked', { userId, apiKeyId });\n      return true;\n    }\n\n    return false;\n  }\n\n  async listApiKeys(\n    userId: string\n  ): Promise<\n    Array<{ id: string; name: string; lastUsed?: Date; createdAt: Date }>\n  > {\n    const stmt = this.db.prepare(`\n      SELECT id, name, last_used_at, created_at\n      FROM api_keys\n      WHERE user_id = ?\n      ORDER BY created_at DESC\n    `);\n\n    const rows = stmt.all(userId) as SessionRow[];\n    return rows.map((row) => ({\n      id: row.id,\n      name: row.name,\n      lastUsed: row.last_used_at ? new Date(row.last_used_at) : undefined,\n      createdAt: new Date(row.created_at),\n    }));\n  }\n\n  // Helper methods\n  private rowToUser(row: UserRow): User {\n    return {\n      id: row.id,\n      sub: row.sub,\n      email: row.email,\n      name: row.name,\n      avatar: row.avatar,\n      tier: row.tier,\n      permissions: JSON.parse(row.permissions),\n      organizations: JSON.parse(row.organizations),\n      apiKeys: JSON.parse(row.api_keys || '[]'),\n      createdAt: new Date(row.created_at),\n      updatedAt: new Date(row.updated_at),\n      lastLoginAt: row.last_login_at ? new Date(row.last_login_at) : undefined,\n      metadata: JSON.parse(row.metadata || '{}'),\n    };\n  }\n\n  private rowToSession(row: SessionRow): UserSession {\n    return {\n      id: row.id,\n      userId: row.user_id,\n      token: row.token,\n      expiresAt: new Date(row.expires_at),\n      createdAt: new Date(row.created_at),\n      metadata: JSON.parse(row.metadata || '{}'),\n    };\n  }\n\n  private generateSessionToken(): string {\n    return this.generateToken(48);\n  }\n\n  private generateToken(length: number): string {\n    const chars =\n      'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';\n    let token = '';\n    for (let i = 0; i < length; i++) {\n      token += chars.charAt(Math.floor(Math.random() * chars.length));\n    }\n    return token;\n  }\n}\n\n// Singleton instance management\nlet userModelInstance: UserModel | null = null;\n\nexport function getUserModel(db: BetterSqlite3.Database): UserModel {\n  if (!userModelInstance) {\n    userModelInstance = new UserModel(db);\n  }\n  return userModelInstance;\n}\n"],
+  "mappings": ";;;;AACA,SAAS,MAAM,cAAc;AAC7B,YAAY,YAAY;AACxB,SAAS,cAAc;AA0DhB,MAAM,UAAU;AAAA,EACb;AAAA,EAER,YAAY,IAAc;AACxB,SAAK,KAAK;AACV,SAAK,WAAW;AAAA,EAClB;AAAA,EAEQ,aAAmB;AAEzB,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAgBZ;AAGD,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAUZ;AAGD,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAYZ;AAGD,SAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAQZ;AAED,WAAO,KAAK,kCAAkC;AAAA,EAChD;AAAA,EAEA,MAAM,WAAW,UAAwC;AACvD,QAAI,CAAC,SAAS,OAAO,CAAC,SAAS,OAAO;AACpC,YAAM,IAAI,MAAM,iCAAiC;AAAA,IACnD;AAEA,UAAM,OAAa;AAAA,MACjB,IAAI,SAAS,MAAM,OAAO;AAAA,MAC1B,KAAK,SAAS;AAAA,MACd,OAAO,SAAS;AAAA,MAChB,MAAM,SAAS;AAAA,MACf,QAAQ,SAAS;AAAA,MACjB,MAAM,SAAS,QAAQ;AAAA,MACvB,aAAa,SAAS,eAAe,CAAC,QAAQ,OAAO;AAAA,MACrD,eAAe,SAAS,iBAAiB,CAAC;AAAA,MAC1C,SAAS,SAAS,WAAW,CAAC;AAAA,MAC9B,WAAW,oBAAI,KAAK;AAAA,MACpB,WAAW,oBAAI,KAAK;AAAA,MACpB,UAAU,SAAS,YAAY,CAAC;AAAA,IAClC;AAEA,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,KAK5B;AAED,SAAK;AAAA,MACH,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK,UAAU,KAAK,WAAW;AAAA,MAC/B,KAAK,UAAU,KAAK,aAAa;AAAA,MACjC,KAAK,UAAU,KAAK,OAAO;AAAA,MAC3B,KAAK,UAAU,YAAY;AAAA,MAC3B,KAAK,UAAU,YAAY;AAAA,MAC3B,KAAK,UAAU,KAAK,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,gBAAgB,EAAE,QAAQ,KAAK,IAAI,OAAO,KAAK,MAAM,CAAC;AAClE,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,cAAc,KAAmC;AACrD,UAAM,OAAO,KAAK,GAAG,QAAQ,mCAAmC;AAChE,UAAM,MAAM,KAAK,IAAI,GAAG;AAExB,QAAI,CAAC,KAAK;AACR,aAAO;AAAA,IACT;AAEA,WAAO,KAAK,UAAU,GAAG;AAAA,EAC3B;AAAA,EAEA,MAAM,gBAAgB,OAAqC;AACzD,UAAM,OAAO,KAAK,GAAG,QAAQ,qCAAqC;AAClE,UAAM,MAAM,KAAK,IAAI,KAAK;AAE1B,QAAI,CAAC,KAAK;AACR,aAAO;AAAA,IACT;AAEA,WAAO,KAAK,UAAU,GAAG;AAAA,EAC3B;AAAA,EAEA,MAAM,aAAa,IAAkC;AACnD,UAAM,OAAO,KAAK,GAAG,QAAQ,kCAAkC;AAC/D,UAAM,MAAM,KAAK,IAAI,EAAE;AAEvB,QAAI,CAAC,KAAK;AACR,aAAO;AAAA,IACT;AAEA,WAAO,KAAK,UAAU,GAAG;AAAA,EAC3B;AAAA,EAEA,MAAM,WAAW,IAAY,SAA8C;AACzE,UAAM,OAAO,MAAM,KAAK,aAAa,EAAE;AACvC,QAAI,CAAC,MAAM;AACT,aAAO;AAAA,IACT;AAEA,UAAM,cAAc;AAAA,MAClB,GAAG;AAAA,MACH,GAAG;AAAA,MACH,WAAW,oBAAI,KAAK;AAAA,IACtB;AAEA,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAM5B;AAED,SAAK;AAAA,MACH,YAAY;AAAA,MACZ,YAAY;AAAA,MACZ,YAAY;AAAA,MACZ,YAAY;AAAA,MACZ,KAAK,UAAU,YAAY,WAAW;AAAA,MACtC,KAAK,UAAU,YAAY,aAAa;AAAA,MACxC,KAAK,UAAU,YAAY,OAAO;AAAA,MAClC,YAAY,UAAU,YAAY;AAAA,MAClC,YAAY,aAAa,YAAY;AAAA,MACrC,KAAK,UAAU,YAAY,QAAQ;AAAA,MACnC;AAAA,IACF;AAEA,WAAO,KAAK,gBAAgB,EAAE,QAAQ,GAAG,CAAC;AAC1C,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,WAAW,IAA8B;AAC7C,UAAM,OAAO,KAAK,GAAG,QAAQ,gCAAgC;AAC7D,UAAM,SAAS,KAAK,IAAI,EAAE;AAE1B,QAAI,OAAO,UAAU,GAAG;AACtB,aAAO,KAAK,gBAAgB,EAAE,QAAQ,GAAG,CAAC;AAC1C,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,gBAAgB,IAA2B;AAC/C,UAAM,OAAO,KAAK,GAAG;AAAA,MACnB;AAAA,IACF;AACA,SAAK,KAAI,oBAAI,KAAK,GAAE,YAAY,GAAG,EAAE;AAAA,EACvC;AAAA;AAAA,EAGA,MAAM,cAAc,QAAgB,YAAY,OAA6B;AAC3E,UAAM,UAAuB;AAAA,MAC3B,IAAI,OAAO;AAAA,MACX;AAAA,MACA,OAAO,KAAK,qBAAqB;AAAA,MACjC,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,YAAY,GAAI;AAAA,MACjD,WAAW,oBAAI,KAAK;AAAA,MACpB,UAAU,CAAC;AAAA,IACb;AAEA,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAG5B;AAED,SAAK;AAAA,MACH,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ,UAAU,YAAY;AAAA,MAC9B,QAAQ,UAAU,YAAY;AAAA,MAC9B,KAAK,UAAU,QAAQ,QAAQ;AAAA,IACjC;AAEA,WAAO,KAAK,mBAAmB,EAAE,WAAW,QAAQ,IAAI,OAAO,CAAC;AAChE,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,mBAAmB,OAA4C;AACnE,UAAM,OAAO,KAAK,GAAG,QAAQ,6CAA6C;AAC1E,UAAM,MAAM,KAAK,IAAI,KAAK;AAE1B,QAAI,CAAC,KAAK;AACR,aAAO;AAAA,IACT;AAEA,WAAO,KAAK,aAAa,GAAG;AAAA,EAC9B;AAAA,EAEA,MAAM,gBAAgB,OAAqC;AACzD,UAAM,UAAU,MAAM,KAAK,mBAAmB,KAAK;AAEnD,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,IACT;AAGA,QAAI,IAAI,KAAK,QAAQ,SAAS,IAAI,oBAAI,KAAK,GAAG;AAC5C,YAAM,KAAK,cAAc,QAAQ,EAAE;AACnC,aAAO;AAAA,IACT;AAGA,WAAO,MAAM,KAAK,aAAa,QAAQ,MAAM;AAAA,EAC/C;AAAA,EAEA,MAAM,cAAc,IAA8B;AAChD,UAAM,OAAO,KAAK,GAAG,QAAQ,wCAAwC;AACrE,UAAM,SAAS,KAAK,IAAI,EAAE;AAC1B,WAAO,OAAO,UAAU;AAAA,EAC1B;AAAA,EAEA,MAAM,wBAAyC;AAC7C,UAAM,OAAO,KAAK,GAAG;AAAA,MACnB;AAAA,IACF;AACA,UAAM,SAAS,KAAK,KAAI,oBAAI,KAAK,GAAE,YAAY,CAAC;AAEhD,QAAI,OAAO,UAAU,GAAG;AACtB,aAAO,KAAK,4BAA4B,EAAE,OAAO,OAAO,QAAQ,CAAC;AAAA,IACnE;AAEA,WAAO,OAAO;AAAA,EAChB;AAAA;AAAA,EAGA,MAAM,eAAe,QAAgB,MAAgC;AACnE,UAAM,OAAO,MAAM,KAAK,aAAa,MAAM;AAC3C,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,MAAM,gBAAgB;AAAA,IAClC;AAEA,UAAM,SAAS,MAAM,KAAK,cAAc,EAAE,CAAC;AAC3C,UAAM,YAAY,MAAM,OAAO,KAAK,QAAQ,EAAE;AAG9C,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAG5B;AAED,UAAM,WAAW,OAAO;AACxB,SAAK;AAAA,MACH;AAAA,MACA;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,OACR,oBAAI,KAAK,GAAE,YAAY;AAAA,IACzB;AAEA,WAAO,KAAK,qBAAqB,EAAE,QAAQ,SAAS,CAAC;AACrD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,eAAe,QAAsC;AAEzD,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,KAK5B;AAED,UAAM,OAAO,KAAK,IAAI;AAEtB,eAAW,OAAO,MAAM;AACtB,UAAI,MAAM,OAAO,QAAQ,QAAQ,IAAI,QAAQ,GAAG;AAE9C,cAAM,aAAa,KAAK,GAAG;AAAA,UACzB;AAAA,QACF;AACA,mBAAW,KAAI,oBAAI,KAAK,GAAE,YAAY,GAAG,IAAI,UAAU;AAEvD,eAAO,KAAK,UAAU,GAAG;AAAA,MAC3B;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,aAAa,QAAgB,UAAoC;AACrE,UAAM,OAAO,KAAK,GAAG;AAAA,MACnB;AAAA,IACF;AACA,UAAM,SAAS,KAAK,IAAI,UAAU,MAAM;AAExC,QAAI,OAAO,UAAU,GAAG;AACtB,aAAO,KAAK,mBAAmB,EAAE,QAAQ,SAAS,CAAC;AACnD,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,YACJ,QAGA;AACA,UAAM,OAAO,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,KAK5B;AAED,UAAM,OAAO,KAAK,IAAI,MAAM;AAC5B,WAAO,KAAK,IAAI,CAAC,SAAS;AAAA,MACxB,IAAI,IAAI;AAAA,MACR,MAAM,IAAI;AAAA,MACV,UAAU,IAAI,eAAe,IAAI,KAAK,IAAI,YAAY,IAAI;AAAA,MAC1D,WAAW,IAAI,KAAK,IAAI,UAAU;AAAA,IACpC,EAAE;AAAA,EACJ;AAAA;AAAA,EAGQ,UAAU,KAAoB;AACpC,WAAO;AAAA,MACL,IAAI,IAAI;AAAA,MACR,KAAK,IAAI;AAAA,MACT,OAAO,IAAI;AAAA,MACX,MAAM,IAAI;AAAA,MACV,QAAQ,IAAI;AAAA,MACZ,MAAM,IAAI;AAAA,MACV,aAAa,KAAK,MAAM,IAAI,WAAW;AAAA,MACvC,eAAe,KAAK,MAAM,IAAI,aAAa;AAAA,MAC3C,SAAS,KAAK,MAAM,IAAI,YAAY,IAAI;AAAA,MACxC,WAAW,IAAI,KAAK,IAAI,UAAU;AAAA,MAClC,WAAW,IAAI,KAAK,IAAI,UAAU;AAAA,MAClC,aAAa,IAAI,gBAAgB,IAAI,KAAK,IAAI,aAAa,IAAI;AAAA,MAC/D,UAAU,KAAK,MAAM,IAAI,YAAY,IAAI;AAAA,IAC3C;AAAA,EACF;AAAA,EAEQ,aAAa,KAA8B;AACjD,WAAO;AAAA,MACL,IAAI,IAAI;AAAA,MACR,QAAQ,IAAI;AAAA,MACZ,OAAO,IAAI;AAAA,MACX,WAAW,IAAI,KAAK,IAAI,UAAU;AAAA,MAClC,WAAW,IAAI,KAAK,IAAI,UAAU;AAAA,MAClC,UAAU,KAAK,MAAM,IAAI,YAAY,IAAI;AAAA,IAC3C;AAAA,EACF;AAAA,EAEQ,uBAA+B;AACrC,WAAO,KAAK,cAAc,EAAE;AAAA,EAC9B;AAAA,EAEQ,cAAc,QAAwB;AAC5C,UAAM,QACJ;AACF,QAAI,QAAQ;AACZ,aAAS,IAAI,GAAG,IAAI,QAAQ,KAAK;AAC/B,eAAS,MAAM,OAAO,KAAK,MAAM,KAAK,OAAO,IAAI,MAAM,MAAM,CAAC;AAAA,IAChE;AACA,WAAO;AAAA,EACT;AACF;AAGA,IAAI,oBAAsC;AAEnC,SAAS,aAAa,IAAuC;AAClE,MAAI,CAAC,mBAAmB;AACtB,wBAAoB,IAAI,UAAU,EAAE;AAAA,EACtC;AACA,SAAO;AACT;",
+  "names": []
+}

package/dist/src/servers/production/auth-middleware.js

@@ -0,0 +1,528 @@
+import { fileURLToPath as __fileURLToPath } from 'url';
+import { dirname as __pathDirname } from 'path';
+const __filename = __fileURLToPath(import.meta.url);
+const __dirname = __pathDirname(__filename);
+import jwt from "jsonwebtoken";
+import jwksRsa from "jwks-rsa";
+import { RateLimiterRedis } from "rate-limiter-flexible";
+import Redis from "ioredis";
+import BetterSqlite3 from "better-sqlite3";
+import { logger } from "../../core/monitoring/logger.js";
+import { metrics } from "../../core/monitoring/metrics.js";
+import { getUserModel } from "../../models/user.model.js";
+function getEnv(key, defaultValue) {
+  const value = process.env[key];
+  if (value === void 0) {
+    if (defaultValue !== void 0) return defaultValue;
+    throw new Error(`Environment variable ${key} is required`);
+  }
+  return value;
+}
+function getOptionalEnv(key) {
+  return process.env[key];
+}
+class AuthMiddleware {
+  constructor(config) {
+    this.config = config;
+    this.redis = new Redis(config.redisUrl);
+    const dbPath = config.dbPath || process.env["STACKMEMORY_DB"] || ".stackmemory/auth.db";
+    this.db = new BetterSqlite3(dbPath);
+    this.userModel = getUserModel(this.db);
+    this.jwksClient = jwksRsa({
+      jwksUri: `https://${config.auth0Domain}/.well-known/jwks.json`,
+      cache: true,
+      cacheMaxAge: 6e5,
+      // 10 minutes
+      rateLimit: true,
+      jwksRequestsPerMinute: 5
+    });
+    this.initializeRateLimiters();
+    this.setupTokenBlacklistSync();
+  }
+  jwksClient;
+  redis;
+  rateLimiters;
+  blacklistedTokens = /* @__PURE__ */ new Set();
+  userModel;
+  db;
+  mockUser;
+  mockUserInitializing = false;
+  initializeRateLimiters() {
+    this.rateLimiters = /* @__PURE__ */ new Map([
+      [
+        "free",
+        new RateLimiterRedis({
+          storeClient: this.redis,
+          keyPrefix: "rl:free",
+          points: 100,
+          // requests
+          duration: 900,
+          // per 15 minutes
+          blockDuration: 900
+          // block for 15 minutes
+        })
+      ],
+      [
+        "pro",
+        new RateLimiterRedis({
+          storeClient: this.redis,
+          keyPrefix: "rl:pro",
+          points: 1e3,
+          duration: 900,
+          blockDuration: 300
+        })
+      ],
+      [
+        "enterprise",
+        new RateLimiterRedis({
+          storeClient: this.redis,
+          keyPrefix: "rl:enterprise",
+          points: 1e4,
+          duration: 900,
+          blockDuration: 60
+        })
+      ]
+    ]);
+    this.rateLimiters.set(
+      "auth",
+      new RateLimiterRedis({
+        storeClient: this.redis,
+        keyPrefix: "rl:auth",
+        points: 10,
+        // Only 10 auth attempts
+        duration: 900,
+        blockDuration: 3600
+        // Block for 1 hour on excessive auth attempts
+      })
+    );
+  }
+  setupTokenBlacklistSync() {
+    const subscriber = new Redis(this.config.redisUrl);
+    subscriber.subscribe("token:revoked");
+    subscriber.on("message", (channel, token) => {
+      if (channel === "token:revoked") {
+        this.blacklistedTokens.add(token);
+        if (this.blacklistedTokens.size > 1e4) {
+          this.blacklistedTokens.clear();
+        }
+      }
+    });
+  }
+  async getSigningKey(kid) {
+    return new Promise((resolve, reject) => {
+      this.jwksClient.getSigningKey(kid, (err, key) => {
+        if (err) {
+          reject(err);
+        } else {
+          const signingKey = key?.getPublicKey();
+          if (!signingKey) {
+            reject(new Error("No signing key found"));
+          } else {
+            resolve(signingKey);
+          }
+        }
+      });
+    });
+  }
+  /**
+   * Main authentication middleware
+   */
+  authenticate = async (req, res, next) => {
+    const startTime = Date.now();
+    try {
+      if (req.path === "/health" || req.path === "/metrics") {
+        return next();
+      }
+      if (this.config.bypassAuth && process.env["NODE_ENV"] === "development") {
+        req.user = this.getMockUser();
+        return next();
+      }
+      const token = this.extractToken(req);
+      const apiKey = this.extractApiKey(req);
+      if (!token && !apiKey) {
+        metrics.increment("auth.missing_credentials");
+        return res.status(401).json({
+          error: "Authentication required",
+          code: "MISSING_CREDENTIALS"
+        });
+      }
+      if (apiKey) {
+        const user2 = await this.userModel.validateApiKey(apiKey);
+        if (!user2) {
+          metrics.increment("auth.invalid_api_key");
+          return res.status(401).json({
+            error: "Invalid API key",
+            code: "INVALID_API_KEY"
+          });
+        }
+        req.user = {
+          id: user2.id,
+          sub: user2.sub,
+          email: user2.email,
+          name: user2.name,
+          picture: user2.avatar,
+          tier: user2.tier,
+          permissions: user2.permissions,
+          organizations: user2.organizations.map((org) => org.id),
+          metadata: { ...user2.metadata, authMethod: "api_key" }
+        };
+        metrics.increment("auth.api_key_success");
+        await metrics.timing("auth.api_key_duration", Date.now() - startTime);
+        return next();
+      }
+      if (token && this.blacklistedTokens.has(token)) {
+        metrics.increment("auth.blacklisted_token");
+        return res.status(401).json({
+          error: "Token has been revoked",
+          code: "TOKEN_REVOKED"
+        });
+      }
+      if (!token) {
+        return res.status(401).json({
+          error: "No token provided",
+          code: "NO_TOKEN"
+        });
+      }
+      const decoded = jwt.decode(token, { complete: true });
+      if (!decoded) {
+        metrics.increment("auth.invalid_token");
+        return res.status(401).json({
+          error: "Invalid token format",
+          code: "INVALID_TOKEN"
+        });
+      }
+      const signingKey = await this.getSigningKey(decoded.header.kid);
+      const verified = jwt.verify(token, signingKey, {
+        algorithms: ["RS256"],
+        audience: this.config.auth0Audience,
+        issuer: `https://${this.config.auth0Domain}/`
+      });
+      const user = await this.loadUser(verified.sub, verified);
+      if (!user) {
+        metrics.increment("auth.user_not_found");
+        return res.status(403).json({
+          error: "User not found",
+          code: "USER_NOT_FOUND"
+        });
+      }
+      if (user.metadata?.suspended) {
+        metrics.increment("auth.user_suspended");
+        return res.status(403).json({
+          error: "Account suspended",
+          code: "ACCOUNT_SUSPENDED"
+        });
+      }
+      const rateLimiter = this.rateLimiters.get(user.tier) || this.rateLimiters.get("free");
+      try {
+        const rateLimitRes = await rateLimiter.consume(user.id);
+        req.rateLimitInfo = rateLimitRes;
+        res.setHeader("X-RateLimit-Limit", rateLimiter.points.toString());
+        res.setHeader(
+          "X-RateLimit-Remaining",
+          rateLimitRes.remainingPoints.toString()
+        );
+        res.setHeader(
+          "X-RateLimit-Reset",
+          new Date(Date.now() + rateLimitRes.msBeforeNext).toISOString()
+        );
+      } catch (rateLimitError) {
+        metrics.increment("auth.rate_limited");
+        res.setHeader(
+          "Retry-After",
+          Math.round(rateLimitError.msBeforeNext / 1e3).toString()
+        );
+        return res.status(429).json({
+          error: "Too many requests",
+          code: "RATE_LIMITED",
+          retryAfter: rateLimitError.msBeforeNext
+        });
+      }
+      req.user = user;
+      metrics.increment("auth.success", { tier: user.tier });
+      metrics.timing("auth.duration", Date.now() - startTime);
+      logger.info("Authentication successful", {
+        userId: user.id,
+        tier: user.tier,
+        path: req.path
+      });
+      next();
+    } catch (error) {
+      metrics.increment("auth.error");
+      logger.error("Authentication error", error);
+      if (error.name === "TokenExpiredError") {
+        return res.status(401).json({
+          error: "Token expired",
+          code: "TOKEN_EXPIRED"
+        });
+      }
+      if (error.name === "JsonWebTokenError") {
+        return res.status(401).json({
+          error: "Invalid token",
+          code: "INVALID_TOKEN"
+        });
+      }
+      res.status(500).json({
+        error: "Authentication failed",
+        code: "AUTH_ERROR"
+      });
+    }
+  };
+  /**
+   * WebSocket authentication handler
+   */
+  authenticateWebSocket = async (token) => {
+    try {
+      const decoded = jwt.decode(token, { complete: true });
+      if (!decoded || this.blacklistedTokens.has(token)) {
+        return null;
+      }
+      const signingKey = await this.getSigningKey(decoded.header.kid);
+      const verified = jwt.verify(token, signingKey, {
+        algorithms: ["RS256"],
+        audience: this.config.auth0Audience,
+        issuer: `https://${this.config.auth0Domain}/`
+      });
+      return await this.loadUser(verified.sub, verified);
+    } catch (error) {
+      logger.error(
+        "WebSocket authentication failed",
+        error instanceof Error ? error : void 0
+      );
+      return null;
+    }
+  };
+  /**
+   * Permission checking middleware
+   */
+  requirePermission = (permission) => {
+    return (req, res, next) => {
+      if (!req.user) {
+        return res.status(401).json({
+          error: "Authentication required",
+          code: "NOT_AUTHENTICATED"
+        });
+      }
+      if (!req.user.permissions.includes(permission)) {
+        metrics.increment("auth.permission_denied", { permission });
+        return res.status(403).json({
+          error: "Insufficient permissions",
+          code: "PERMISSION_DENIED",
+          required: permission
+        });
+      }
+      return next();
+    };
+  };
+  /**
+   * Organization access middleware
+   */
+  requireOrganization = (req, res, next) => {
+    const orgId = req.params.orgId || req.query.orgId;
+    if (!req.user || !orgId) {
+      return res.status(401).json({
+        error: "Authentication required",
+        code: "NOT_AUTHENTICATED"
+      });
+    }
+    if (!req.user.organizations?.includes(orgId)) {
+      return res.status(403).json({
+        error: "Organization access denied",
+        code: "ORG_ACCESS_DENIED"
+      });
+    }
+    return next();
+  };
+  extractApiKey(req) {
+    const authHeader = req.headers.authorization;
+    if (authHeader?.startsWith("Bearer sk-")) {
+      return authHeader.substring(7);
+    }
+    const apiKeyHeader = req.headers["x-api-key"];
+    if (apiKeyHeader?.startsWith("sk-")) {
+      return apiKeyHeader;
+    }
+    return null;
+  }
+  extractToken(req) {
+    const authHeader = req.headers.authorization;
+    if (authHeader?.startsWith("Bearer ") && !authHeader.startsWith("Bearer sk-")) {
+      return authHeader.substring(7);
+    }
+    return req.cookies?.access_token || null;
+  }
+  async loadUser(sub, tokenPayload) {
+    const cached = await this.redis.get(`user:${sub}`);
+    if (cached) {
+      const cachedUser = JSON.parse(cached);
+      this.userModel.updateLastLogin(cachedUser.id).catch((err) => logger.error("Failed to update last login", err));
+      return cachedUser;
+    }
+    let dbUser = await this.userModel.findUserBySub(sub);
+    if (!dbUser && tokenPayload) {
+      dbUser = await this.userModel.createUser({
+        sub,
+        email: tokenPayload.email || `${sub}@auth.local`,
+        name: tokenPayload.name,
+        avatar: tokenPayload.picture,
+        tier: this.determineTier(tokenPayload),
+        permissions: this.determinePermissions(tokenPayload),
+        organizations: this.extractOrganizations(tokenPayload),
+        metadata: {
+          auth0: tokenPayload,
+          signupSource: "auth0",
+          createdVia: "auth-middleware"
+        }
+      });
+      logger.info("Auto-created user from auth token", {
+        sub,
+        email: dbUser.email
+      });
+    }
+    if (!dbUser) {
+      return null;
+    }
+    await this.userModel.updateLastLogin(dbUser.id);
+    const user = {
+      id: dbUser.id,
+      sub: dbUser.sub,
+      email: dbUser.email,
+      name: dbUser.name,
+      picture: dbUser.avatar,
+      tier: dbUser.tier,
+      permissions: dbUser.permissions,
+      organizations: dbUser.organizations.map((org) => org.id),
+      metadata: dbUser.metadata
+    };
+    await this.redis.setex(`user:${sub}`, 300, JSON.stringify(user));
+    return user;
+  }
+  determineTier(tokenPayload) {
+    if (tokenPayload["https://stackmemory.ai/tier"]) {
+      return tokenPayload["https://stackmemory.ai/tier"];
+    }
+    if (tokenPayload.subscription?.plan) {
+      const plan = tokenPayload.subscription.plan.toLowerCase();
+      if (plan.includes("enterprise")) return "enterprise";
+      if (plan.includes("pro") || plan.includes("premium")) return "pro";
+    }
+    return "free";
+  }
+  determinePermissions(tokenPayload) {
+    const permissions = ["read", "write"];
+    if (tokenPayload["https://stackmemory.ai/permissions"]) {
+      return tokenPayload["https://stackmemory.ai/permissions"];
+    }
+    if (tokenPayload.permissions && Array.isArray(tokenPayload.permissions)) {
+      return tokenPayload.permissions;
+    }
+    if (tokenPayload.roles && Array.isArray(tokenPayload.roles)) {
+      if (tokenPayload.roles.includes("admin")) {
+        permissions.push("admin", "delete");
+      }
+      if (tokenPayload.roles.includes("moderator")) {
+        permissions.push("moderate");
+      }
+    }
+    return permissions;
+  }
+  extractOrganizations(tokenPayload) {
+    const orgs = [];
+    if (tokenPayload["https://stackmemory.ai/organizations"]) {
+      return tokenPayload["https://stackmemory.ai/organizations"];
+    }
+    if (tokenPayload.org_id) {
+      orgs.push({
+        id: tokenPayload.org_id,
+        name: tokenPayload.org_name || tokenPayload.org_id,
+        role: tokenPayload.org_role || "member"
+      });
+    }
+    return orgs;
+  }
+  async initializeMockUser() {
+    const mockSub = "dev-sub";
+    let dbUser = await this.userModel.findUserBySub(mockSub);
+    if (!dbUser) {
+      dbUser = await this.userModel.createUser({
+        sub: mockSub,
+        email: "dev@stackmemory.local",
+        name: "Development User",
+        tier: "enterprise",
+        permissions: ["read", "write", "admin", "delete"],
+        organizations: [
+          {
+            id: "dev-org",
+            name: "Development Organization",
+            role: "admin"
+          }
+        ],
+        metadata: {
+          isDevelopmentUser: true,
+          createdAt: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      });
+      logger.info("Created development mock user");
+    }
+    return {
+      id: dbUser.id,
+      sub: dbUser.sub,
+      email: dbUser.email,
+      name: dbUser.name,
+      picture: dbUser.avatar,
+      tier: dbUser.tier,
+      permissions: dbUser.permissions,
+      organizations: dbUser.organizations.map((org) => org.id),
+      metadata: dbUser.metadata
+    };
+  }
+  getMockUser() {
+    if (this.mockUser) {
+      return this.mockUser;
+    }
+    if (!this.mockUserInitializing) {
+      this.mockUserInitializing = true;
+      this.initializeMockUser().then((user) => {
+        this.mockUser = user;
+        this.mockUserInitializing = false;
+        logger.info("Mock user initialized and cached");
+      }).catch((err) => {
+        logger.error("Failed to initialize mock user", err);
+        this.mockUserInitializing = false;
+      });
+    }
+    return {
+      id: "temp-dev-user-id",
+      sub: "dev-sub",
+      email: "dev@stackmemory.local",
+      name: "Development User",
+      tier: "enterprise",
+      permissions: ["read", "write", "admin", "delete"],
+      organizations: ["dev-org"],
+      metadata: { temporary: true }
+    };
+  }
+  /**
+   * Revoke a token (add to blacklist)
+   */
+  async revokeToken(token) {
+    this.blacklistedTokens.add(token);
+    await this.redis.publish("token:revoked", token);
+    const decoded = jwt.decode(token);
+    if (decoded?.exp) {
+      const ttl = decoded.exp - Math.floor(Date.now() / 1e3);
+      if (ttl > 0) {
+        await this.redis.setex(`blacklist:${token}`, ttl, "1");
+      }
+    }
+  }
+  /**
+   * Cleanup resources
+   */
+  async close() {
+    await this.redis.quit();
+  }
+}
+export {
+  AuthMiddleware
+};
+//# sourceMappingURL=auth-middleware.js.map

package/dist/src/servers/production/auth-middleware.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../src/servers/production/auth-middleware.ts"],
+  "sourcesContent": ["/**\n * Production Authentication Middleware for Runway MCP Server\n * Implements JWT validation with Auth0, refresh tokens, and rate limiting\n */\n\nimport jwt from 'jsonwebtoken';\nimport jwksRsa from 'jwks-rsa';\nimport { Request, Response, NextFunction } from 'express';\nimport { RateLimiterRedis, RateLimiterRes } from 'rate-limiter-flexible';\nimport Redis from 'ioredis';\nimport BetterSqlite3 from 'better-sqlite3';\nimport { logger } from '../../core/monitoring/logger.js';\nimport { metrics } from '../../core/monitoring/metrics.js';\nimport { getUserModel, UserModel, User } from '../../models/user.model.js';\n// Type-safe environment variable access\nfunction getEnv(key: string, defaultValue?: string): string {\n  const value = process.env[key];\n  if (value === undefined) {\n    if (defaultValue !== undefined) return defaultValue;\n    throw new Error(`Environment variable ${key} is required`);\n  }\n  return value;\n}\n\nfunction getOptionalEnv(key: string): string | undefined {\n  return process.env[key];\n}\n\nexport interface AuthUser {\n  id: string;\n  email: string;\n  sub: string;\n  name?: string;\n  picture?: string;\n  tier: 'free' | 'pro' | 'enterprise';\n  organizations?: string[];\n  permissions: string[];\n  metadata?: Record<string, any>;\n}\n\nexport interface AuthRequest extends Request {\n  user?: AuthUser;\n  rateLimitInfo?: RateLimiterRes;\n}\n\nexport class AuthMiddleware {\n  private jwksClient: jwksRsa.JwksClient;\n  private redis: Redis;\n  private rateLimiters!: Map<string, RateLimiterRedis>;\n  private blacklistedTokens: Set<string> = new Set();\n  private userModel: UserModel;\n  private db: BetterSqlite3.Database;\n  private mockUser?: AuthUser;\n  private mockUserInitializing = false;\n\n  constructor(\n    private config: {\n      auth0Domain: string;\n      auth0Audience: string;\n      redisUrl: string;\n      jwtSecret?: string;\n      bypassAuth?: boolean; // For testing\n      dbPath?: string; // Path to SQLite database\n    }\n  ) {\n    this.redis = new Redis(config.redisUrl);\n\n    // Initialize database\n    const dbPath =\n      config.dbPath || process.env['STACKMEMORY_DB'] || '.stackmemory/auth.db';\n    this.db = new BetterSqlite3(dbPath);\n    this.userModel = getUserModel(this.db);\n\n    this.jwksClient = jwksRsa({\n      jwksUri: `https://${config.auth0Domain}/.well-known/jwks.json`,\n      cache: true,\n      cacheMaxAge: 600000, // 10 minutes\n      rateLimit: true,\n      jwksRequestsPerMinute: 5,\n    });\n\n    this.initializeRateLimiters();\n    this.setupTokenBlacklistSync();\n  }\n\n  private initializeRateLimiters(): void {\n    // Different rate limits for different tiers\n    this.rateLimiters = new Map([\n      [\n        'free',\n        new RateLimiterRedis({\n          storeClient: this.redis,\n          keyPrefix: 'rl:free',\n          points: 100, // requests\n          duration: 900, // per 15 minutes\n          blockDuration: 900, // block for 15 minutes\n        }),\n      ],\n      [\n        'pro',\n        new RateLimiterRedis({\n          storeClient: this.redis,\n          keyPrefix: 'rl:pro',\n          points: 1000,\n          duration: 900,\n          blockDuration: 300,\n        }),\n      ],\n      [\n        'enterprise',\n        new RateLimiterRedis({\n          storeClient: this.redis,\n          keyPrefix: 'rl:enterprise',\n          points: 10000,\n          duration: 900,\n          blockDuration: 60,\n        }),\n      ],\n    ]);\n\n    // Special rate limiter for auth endpoints\n    this.rateLimiters.set(\n      'auth',\n      new RateLimiterRedis({\n        storeClient: this.redis,\n        keyPrefix: 'rl:auth',\n        points: 10, // Only 10 auth attempts\n        duration: 900,\n        blockDuration: 3600, // Block for 1 hour on excessive auth attempts\n      })\n    );\n  }\n\n  private setupTokenBlacklistSync(): void {\n    // Subscribe to token revocation events\n    const subscriber = new Redis(this.config.redisUrl);\n    subscriber.subscribe('token:revoked');\n\n    subscriber.on('message', (channel, token) => {\n      if (channel === 'token:revoked') {\n        this.blacklistedTokens.add(token);\n        // Clean up old tokens periodically\n        if (this.blacklistedTokens.size > 10000) {\n          this.blacklistedTokens.clear();\n        }\n      }\n    });\n  }\n\n  private async getSigningKey(kid: string): Promise<string> {\n    return new Promise((resolve, reject) => {\n      this.jwksClient.getSigningKey(kid, (err, key) => {\n        if (err) {\n          reject(err);\n        } else {\n          const signingKey = key?.getPublicKey();\n          if (!signingKey) {\n            reject(new Error('No signing key found'));\n          } else {\n            resolve(signingKey);\n          }\n        }\n      });\n    });\n  }\n\n  /**\n   * Main authentication middleware\n   */\n  public authenticate = async (\n    req: AuthRequest,\n    res: Response,\n    next: NextFunction\n  ): Promise<any> => {\n    const startTime = Date.now();\n\n    try {\n      // Bypass auth for health checks\n      if (req.path === '/health' || req.path === '/metrics') {\n        return next();\n      }\n\n      // Development bypass\n      if (this.config.bypassAuth && process.env['NODE_ENV'] === 'development') {\n        req.user = this.getMockUser();\n        return next();\n      }\n\n      // Extract token or API key\n      const token = this.extractToken(req);\n      const apiKey = this.extractApiKey(req);\n\n      if (!token && !apiKey) {\n        metrics.increment('auth.missing_credentials');\n        return res.status(401).json({\n          error: 'Authentication required',\n          code: 'MISSING_CREDENTIALS',\n        });\n      }\n\n      // API Key authentication\n      if (apiKey) {\n        const user = await this.userModel.validateApiKey(apiKey);\n        if (!user) {\n          metrics.increment('auth.invalid_api_key');\n          return res.status(401).json({\n            error: 'Invalid API key',\n            code: 'INVALID_API_KEY',\n          });\n        }\n\n        // Convert to AuthUser format\n        req.user = {\n          id: user.id,\n          sub: user.sub,\n          email: user.email,\n          name: user.name,\n          picture: user.avatar,\n          tier: user.tier,\n          permissions: user.permissions,\n          organizations: user.organizations.map((org) => org.id),\n          metadata: { ...user.metadata, authMethod: 'api_key' },\n        };\n\n        metrics.increment('auth.api_key_success');\n        await metrics.timing('auth.api_key_duration', Date.now() - startTime);\n        return next();\n      }\n\n      // Check blacklist for JWT tokens\n      if (token && this.blacklistedTokens.has(token)) {\n        metrics.increment('auth.blacklisted_token');\n        return res.status(401).json({\n          error: 'Token has been revoked',\n          code: 'TOKEN_REVOKED',\n        });\n      }\n\n      // Ensure token exists for JWT processing\n      if (!token) {\n        // This should not happen as we checked earlier, but TypeScript needs this\n        return res.status(401).json({\n          error: 'No token provided',\n          code: 'NO_TOKEN',\n        });\n      }\n\n      // Decode and verify token\n      const decoded = jwt.decode(token, { complete: true }) as any;\n      if (!decoded) {\n        metrics.increment('auth.invalid_token');\n        return res.status(401).json({\n          error: 'Invalid token format',\n          code: 'INVALID_TOKEN',\n        });\n      }\n\n      // Get signing key and verify\n      const signingKey = await this.getSigningKey(decoded.header.kid);\n      const verified = jwt.verify(token, signingKey, {\n        algorithms: ['RS256'],\n        audience: this.config.auth0Audience,\n        issuer: `https://${this.config.auth0Domain}/`,\n      }) as any;\n\n      // Load user from database or cache\n      const user = await this.loadUser(verified.sub, verified);\n      if (!user) {\n        metrics.increment('auth.user_not_found');\n        return res.status(403).json({\n          error: 'User not found',\n          code: 'USER_NOT_FOUND',\n        });\n      }\n\n      // Check user suspension\n      if (user.metadata?.suspended) {\n        metrics.increment('auth.user_suspended');\n        return res.status(403).json({\n          error: 'Account suspended',\n          code: 'ACCOUNT_SUSPENDED',\n        });\n      }\n\n      // Apply rate limiting\n      const rateLimiter =\n        this.rateLimiters.get(user.tier) || this.rateLimiters.get('free')!;\n      try {\n        const rateLimitRes = await rateLimiter.consume(user.id);\n        req.rateLimitInfo = rateLimitRes;\n\n        // Add rate limit headers\n        res.setHeader('X-RateLimit-Limit', rateLimiter.points.toString());\n        res.setHeader(\n          'X-RateLimit-Remaining',\n          rateLimitRes.remainingPoints.toString()\n        );\n        res.setHeader(\n          'X-RateLimit-Reset',\n          new Date(Date.now() + rateLimitRes.msBeforeNext).toISOString()\n        );\n      } catch (rateLimitError: any) {\n        metrics.increment('auth.rate_limited');\n        res.setHeader(\n          'Retry-After',\n          Math.round(rateLimitError.msBeforeNext / 1000).toString()\n        );\n        return res.status(429).json({\n          error: 'Too many requests',\n          code: 'RATE_LIMITED',\n          retryAfter: rateLimitError.msBeforeNext,\n        });\n      }\n\n      // Attach user to request\n      req.user = user;\n\n      // Track metrics\n      metrics.increment('auth.success', { tier: user.tier });\n      metrics.timing('auth.duration', Date.now() - startTime);\n\n      logger.info('Authentication successful', {\n        userId: user.id,\n        tier: user.tier,\n        path: req.path,\n      });\n\n      next();\n    } catch (error: any) {\n      metrics.increment('auth.error');\n      logger.error('Authentication error', error);\n\n      if (error.name === 'TokenExpiredError') {\n        return res.status(401).json({\n          error: 'Token expired',\n          code: 'TOKEN_EXPIRED',\n        });\n      }\n\n      if (error.name === 'JsonWebTokenError') {\n        return res.status(401).json({\n          error: 'Invalid token',\n          code: 'INVALID_TOKEN',\n        });\n      }\n\n      res.status(500).json({\n        error: 'Authentication failed',\n        code: 'AUTH_ERROR',\n      });\n    }\n  };\n\n  /**\n   * WebSocket authentication handler\n   */\n  public authenticateWebSocket = async (\n    token: string\n  ): Promise<AuthUser | null> => {\n    try {\n      const decoded = jwt.decode(token, { complete: true }) as any;\n      if (!decoded || this.blacklistedTokens.has(token)) {\n        return null;\n      }\n\n      const signingKey = await this.getSigningKey(decoded.header.kid);\n      const verified = jwt.verify(token, signingKey, {\n        algorithms: ['RS256'],\n        audience: this.config.auth0Audience,\n        issuer: `https://${this.config.auth0Domain}/`,\n      }) as any;\n\n      return await this.loadUser(verified.sub, verified);\n    } catch (error: unknown) {\n      logger.error(\n        'WebSocket authentication failed',\n        error instanceof Error ? error : undefined\n      );\n      return null;\n    }\n  };\n\n  /**\n   * Permission checking middleware\n   */\n  public requirePermission = (permission: string) => {\n    return (req: AuthRequest, res: Response, next: NextFunction) => {\n      if (!req.user) {\n        return res.status(401).json({\n          error: 'Authentication required',\n          code: 'NOT_AUTHENTICATED',\n        });\n      }\n\n      if (!req.user.permissions.includes(permission)) {\n        metrics.increment('auth.permission_denied', { permission });\n        return res.status(403).json({\n          error: 'Insufficient permissions',\n          code: 'PERMISSION_DENIED',\n          required: permission,\n        });\n      }\n\n      return next();\n    };\n  };\n\n  /**\n   * Organization access middleware\n   */\n  public requireOrganization = (\n    req: AuthRequest,\n    res: Response,\n    next: NextFunction\n  ) => {\n    const orgId = req.params.orgId || req.query.orgId;\n\n    if (!req.user || !orgId) {\n      return res.status(401).json({\n        error: 'Authentication required',\n        code: 'NOT_AUTHENTICATED',\n      });\n    }\n\n    if (!req.user.organizations?.includes(orgId as string)) {\n      return res.status(403).json({\n        error: 'Organization access denied',\n        code: 'ORG_ACCESS_DENIED',\n      });\n    }\n\n    return next();\n  };\n\n  private extractApiKey(req: Request): string | null {\n    // Check Authorization header for API key\n    const authHeader = req.headers.authorization;\n    if (authHeader?.startsWith('Bearer sk-')) {\n      return authHeader.substring(7);\n    }\n\n    // Check X-API-Key header\n    const apiKeyHeader = req.headers['x-api-key'] as string;\n    if (apiKeyHeader?.startsWith('sk-')) {\n      return apiKeyHeader;\n    }\n\n    // Query parameter support removed for security reasons\n    // API keys should only be sent via headers to prevent:\n    // - URL logging exposure\n    // - Browser history leakage\n    // - Referer header transmission\n\n    return null;\n  }\n\n  private extractToken(req: Request): string | null {\n    const authHeader = req.headers.authorization;\n    if (\n      authHeader?.startsWith('Bearer ') &&\n      !authHeader.startsWith('Bearer sk-')\n    ) {\n      return authHeader.substring(7);\n    }\n\n    // Also check cookie for web clients\n    return req.cookies?.access_token || null;\n  }\n\n  private async loadUser(\n    sub: string,\n    tokenPayload?: any\n  ): Promise<AuthUser | null> {\n    // Try cache first\n    const cached = await this.redis.get(`user:${sub}`);\n    if (cached) {\n      const cachedUser = JSON.parse(cached);\n      // Update last login time in background\n      this.userModel\n        .updateLastLogin(cachedUser.id)\n        .catch((err) => logger.error('Failed to update last login', err));\n      return cachedUser;\n    }\n\n    // Load from database\n    let dbUser = await this.userModel.findUserBySub(sub);\n\n    // If user doesn't exist, create from token payload\n    if (!dbUser && tokenPayload) {\n      dbUser = await this.userModel.createUser({\n        sub,\n        email: tokenPayload.email || `${sub}@auth.local`,\n        name: tokenPayload.name,\n        avatar: tokenPayload.picture,\n        tier: this.determineTier(tokenPayload),\n        permissions: this.determinePermissions(tokenPayload),\n        organizations: this.extractOrganizations(tokenPayload),\n        metadata: {\n          auth0: tokenPayload,\n          signupSource: 'auth0',\n          createdVia: 'auth-middleware',\n        },\n      });\n      logger.info('Auto-created user from auth token', {\n        sub,\n        email: dbUser.email,\n      });\n    }\n\n    if (!dbUser) {\n      return null;\n    }\n\n    // Update last login\n    await this.userModel.updateLastLogin(dbUser.id);\n\n    // Convert to AuthUser format\n    const user: AuthUser = {\n      id: dbUser.id,\n      sub: dbUser.sub,\n      email: dbUser.email,\n      name: dbUser.name,\n      picture: dbUser.avatar,\n      tier: dbUser.tier,\n      permissions: dbUser.permissions,\n      organizations: dbUser.organizations.map((org) => org.id),\n      metadata: dbUser.metadata,\n    };\n\n    // Cache for 5 minutes\n    await this.redis.setex(`user:${sub}`, 300, JSON.stringify(user));\n\n    return user;\n  }\n\n  private determineTier(tokenPayload: any): 'free' | 'pro' | 'enterprise' {\n    // Check custom claims or metadata\n    if (tokenPayload['https://stackmemory.ai/tier']) {\n      return tokenPayload['https://stackmemory.ai/tier'];\n    }\n\n    // Check for subscription info\n    if (tokenPayload.subscription?.plan) {\n      const plan = tokenPayload.subscription.plan.toLowerCase();\n      if (plan.includes('enterprise')) return 'enterprise';\n      if (plan.includes('pro') || plan.includes('premium')) return 'pro';\n    }\n\n    // Default to free\n    return 'free';\n  }\n\n  private determinePermissions(tokenPayload: any): string[] {\n    const permissions: string[] = ['read', 'write'];\n\n    // Check custom permissions claim\n    if (tokenPayload['https://stackmemory.ai/permissions']) {\n      return tokenPayload['https://stackmemory.ai/permissions'];\n    }\n\n    // Check standard permissions\n    if (tokenPayload.permissions && Array.isArray(tokenPayload.permissions)) {\n      return tokenPayload.permissions;\n    }\n\n    // Check roles\n    if (tokenPayload.roles && Array.isArray(tokenPayload.roles)) {\n      if (tokenPayload.roles.includes('admin')) {\n        permissions.push('admin', 'delete');\n      }\n      if (tokenPayload.roles.includes('moderator')) {\n        permissions.push('moderate');\n      }\n    }\n\n    return permissions;\n  }\n\n  private extractOrganizations(\n    tokenPayload: any\n  ): Array<{ id: string; name: string; role: string }> {\n    const orgs: Array<{ id: string; name: string; role: string }> = [];\n\n    // Check custom organization claim\n    if (tokenPayload['https://stackmemory.ai/organizations']) {\n      return tokenPayload['https://stackmemory.ai/organizations'];\n    }\n\n    // Check Auth0 organizations\n    if (tokenPayload.org_id) {\n      orgs.push({\n        id: tokenPayload.org_id,\n        name: tokenPayload.org_name || tokenPayload.org_id,\n        role: tokenPayload.org_role || 'member',\n      });\n    }\n\n    return orgs;\n  }\n\n  private async initializeMockUser(): Promise<AuthUser> {\n    const mockSub = 'dev-sub';\n\n    // Check if user exists in database\n    let dbUser = await this.userModel.findUserBySub(mockSub);\n\n    if (!dbUser) {\n      // Create mock user in database\n      dbUser = await this.userModel.createUser({\n        sub: mockSub,\n        email: 'dev@stackmemory.local',\n        name: 'Development User',\n        tier: 'enterprise',\n        permissions: ['read', 'write', 'admin', 'delete'],\n        organizations: [\n          {\n            id: 'dev-org',\n            name: 'Development Organization',\n            role: 'admin',\n          },\n        ],\n        metadata: {\n          isDevelopmentUser: true,\n          createdAt: new Date().toISOString(),\n        },\n      });\n      logger.info('Created development mock user');\n    }\n\n    return {\n      id: dbUser.id,\n      sub: dbUser.sub,\n      email: dbUser.email,\n      name: dbUser.name,\n      picture: dbUser.avatar,\n      tier: dbUser.tier,\n      permissions: dbUser.permissions,\n      organizations: dbUser.organizations.map((org) => org.id),\n      metadata: dbUser.metadata,\n    };\n  }\n\n  private getMockUser(): AuthUser {\n    // Return cached mock user if available\n    if (this.mockUser) {\n      return this.mockUser;\n    }\n\n    // Initialize mock user synchronously to prevent race conditions\n    // This runs during constructor or first use\n    if (!this.mockUserInitializing) {\n      this.mockUserInitializing = true;\n\n      // Initialize asynchronously but return a temporary user immediately\n      this.initializeMockUser()\n        .then((user) => {\n          this.mockUser = user;\n          this.mockUserInitializing = false;\n          logger.info('Mock user initialized and cached');\n        })\n        .catch((err) => {\n          logger.error('Failed to initialize mock user', err);\n          this.mockUserInitializing = false;\n        });\n    }\n\n    // Return temporary mock user while initialization is in progress\n    return {\n      id: 'temp-dev-user-id',\n      sub: 'dev-sub',\n      email: 'dev@stackmemory.local',\n      name: 'Development User',\n      tier: 'enterprise',\n      permissions: ['read', 'write', 'admin', 'delete'],\n      organizations: ['dev-org'],\n      metadata: { temporary: true },\n    };\n  }\n\n  /**\n   * Revoke a token (add to blacklist)\n   */\n  public async revokeToken(token: string): Promise<void> {\n    this.blacklistedTokens.add(token);\n    await this.redis.publish('token:revoked', token);\n\n    // Also store in Redis with TTL matching token expiry\n    const decoded = jwt.decode(token) as any;\n    if (decoded?.exp) {\n      const ttl = decoded.exp - Math.floor(Date.now() / 1000);\n      if (ttl > 0) {\n        await this.redis.setex(`blacklist:${token}`, ttl, '1');\n      }\n    }\n  }\n\n  /**\n   * Cleanup resources\n   */\n  public async close(): Promise<void> {\n    await this.redis.quit();\n  }\n}\n"],
+  "mappings": ";;;;AAKA,OAAO,SAAS;AAChB,OAAO,aAAa;AAEpB,SAAS,wBAAwC;AACjD,OAAO,WAAW;AAClB,OAAO,mBAAmB;AAC1B,SAAS,cAAc;AACvB,SAAS,eAAe;AACxB,SAAS,oBAAqC;AAE9C,SAAS,OAAO,KAAa,cAA+B;AAC1D,QAAM,QAAQ,QAAQ,IAAI,GAAG;AAC7B,MAAI,UAAU,QAAW;AACvB,QAAI,iBAAiB,OAAW,QAAO;AACvC,UAAM,IAAI,MAAM,wBAAwB,GAAG,cAAc;AAAA,EAC3D;AACA,SAAO;AACT;AAEA,SAAS,eAAe,KAAiC;AACvD,SAAO,QAAQ,IAAI,GAAG;AACxB;AAmBO,MAAM,eAAe;AAAA,EAU1B,YACU,QAQR;AARQ;AASR,SAAK,QAAQ,IAAI,MAAM,OAAO,QAAQ;AAGtC,UAAM,SACJ,OAAO,UAAU,QAAQ,IAAI,gBAAgB,KAAK;AACpD,SAAK,KAAK,IAAI,cAAc,MAAM;AAClC,SAAK,YAAY,aAAa,KAAK,EAAE;AAErC,SAAK,aAAa,QAAQ;AAAA,MACxB,SAAS,WAAW,OAAO,WAAW;AAAA,MACtC,OAAO;AAAA,MACP,aAAa;AAAA;AAAA,MACb,WAAW;AAAA,MACX,uBAAuB;AAAA,IACzB,CAAC;AAED,SAAK,uBAAuB;AAC5B,SAAK,wBAAwB;AAAA,EAC/B;AAAA,EArCQ;AAAA,EACA;AAAA,EACA;AAAA,EACA,oBAAiC,oBAAI,IAAI;AAAA,EACzC;AAAA,EACA;AAAA,EACA;AAAA,EACA,uBAAuB;AAAA,EAgCvB,yBAA+B;AAErC,SAAK,eAAe,oBAAI,IAAI;AAAA,MAC1B;AAAA,QACE;AAAA,QACA,IAAI,iBAAiB;AAAA,UACnB,aAAa,KAAK;AAAA,UAClB,WAAW;AAAA,UACX,QAAQ;AAAA;AAAA,UACR,UAAU;AAAA;AAAA,UACV,eAAe;AAAA;AAAA,QACjB,CAAC;AAAA,MACH;AAAA,MACA;AAAA,QACE;AAAA,QACA,IAAI,iBAAiB;AAAA,UACnB,aAAa,KAAK;AAAA,UAClB,WAAW;AAAA,UACX,QAAQ;AAAA,UACR,UAAU;AAAA,UACV,eAAe;AAAA,QACjB,CAAC;AAAA,MACH;AAAA,MACA;AAAA,QACE;AAAA,QACA,IAAI,iBAAiB;AAAA,UACnB,aAAa,KAAK;AAAA,UAClB,WAAW;AAAA,UACX,QAAQ;AAAA,UACR,UAAU;AAAA,UACV,eAAe;AAAA,QACjB,CAAC;AAAA,MACH;AAAA,IACF,CAAC;AAGD,SAAK,aAAa;AAAA,MAChB;AAAA,MACA,IAAI,iBAAiB;AAAA,QACnB,aAAa,KAAK;AAAA,QAClB,WAAW;AAAA,QACX,QAAQ;AAAA;AAAA,QACR,UAAU;AAAA,QACV,eAAe;AAAA;AAAA,MACjB,CAAC;AAAA,IACH;AAAA,EACF;AAAA,EAEQ,0BAAgC;AAEtC,UAAM,aAAa,IAAI,MAAM,KAAK,OAAO,QAAQ;AACjD,eAAW,UAAU,eAAe;AAEpC,eAAW,GAAG,WAAW,CAAC,SAAS,UAAU;AAC3C,UAAI,YAAY,iBAAiB;AAC/B,aAAK,kBAAkB,IAAI,KAAK;AAEhC,YAAI,KAAK,kBAAkB,OAAO,KAAO;AACvC,eAAK,kBAAkB,MAAM;AAAA,QAC/B;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,cAAc,KAA8B;AACxD,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,WAAK,WAAW,cAAc,KAAK,CAAC,KAAK,QAAQ;AAC/C,YAAI,KAAK;AACP,iBAAO,GAAG;AAAA,QACZ,OAAO;AACL,gBAAM,aAAa,KAAK,aAAa;AACrC,cAAI,CAAC,YAAY;AACf,mBAAO,IAAI,MAAM,sBAAsB,CAAC;AAAA,UAC1C,OAAO;AACL,oBAAQ,UAAU;AAAA,UACpB;AAAA,QACF;AAAA,MACF,CAAC;AAAA,IACH,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKO,eAAe,OACpB,KACA,KACA,SACiB;AACjB,UAAM,YAAY,KAAK,IAAI;AAE3B,QAAI;AAEF,UAAI,IAAI,SAAS,aAAa,IAAI,SAAS,YAAY;AACrD,eAAO,KAAK;AAAA,MACd;AAGA,UAAI,KAAK,OAAO,cAAc,QAAQ,IAAI,UAAU,MAAM,eAAe;AACvE,YAAI,OAAO,KAAK,YAAY;AAC5B,eAAO,KAAK;AAAA,MACd;AAGA,YAAM,QAAQ,KAAK,aAAa,GAAG;AACnC,YAAM,SAAS,KAAK,cAAc,GAAG;AAErC,UAAI,CAAC,SAAS,CAAC,QAAQ;AACrB,gBAAQ,UAAU,0BAA0B;AAC5C,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAGA,UAAI,QAAQ;AACV,cAAMA,QAAO,MAAM,KAAK,UAAU,eAAe,MAAM;AACvD,YAAI,CAACA,OAAM;AACT,kBAAQ,UAAU,sBAAsB;AACxC,iBAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YAC1B,OAAO;AAAA,YACP,MAAM;AAAA,UACR,CAAC;AAAA,QACH;AAGA,YAAI,OAAO;AAAA,UACT,IAAIA,MAAK;AAAA,UACT,KAAKA,MAAK;AAAA,UACV,OAAOA,MAAK;AAAA,UACZ,MAAMA,MAAK;AAAA,UACX,SAASA,MAAK;AAAA,UACd,MAAMA,MAAK;AAAA,UACX,aAAaA,MAAK;AAAA,UAClB,eAAeA,MAAK,cAAc,IAAI,CAAC,QAAQ,IAAI,EAAE;AAAA,UACrD,UAAU,EAAE,GAAGA,MAAK,UAAU,YAAY,UAAU;AAAA,QACtD;AAEA,gBAAQ,UAAU,sBAAsB;AACxC,cAAM,QAAQ,OAAO,yBAAyB,KAAK,IAAI,IAAI,SAAS;AACpE,eAAO,KAAK;AAAA,MACd;AAGA,UAAI,SAAS,KAAK,kBAAkB,IAAI,KAAK,GAAG;AAC9C,gBAAQ,UAAU,wBAAwB;AAC1C,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAGA,UAAI,CAAC,OAAO;AAEV,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAGA,YAAM,UAAU,IAAI,OAAO,OAAO,EAAE,UAAU,KAAK,CAAC;AACpD,UAAI,CAAC,SAAS;AACZ,gBAAQ,UAAU,oBAAoB;AACtC,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAGA,YAAM,aAAa,MAAM,KAAK,cAAc,QAAQ,OAAO,GAAG;AAC9D,YAAM,WAAW,IAAI,OAAO,OAAO,YAAY;AAAA,QAC7C,YAAY,CAAC,OAAO;AAAA,QACpB,UAAU,KAAK,OAAO;AAAA,QACtB,QAAQ,WAAW,KAAK,OAAO,WAAW;AAAA,MAC5C,CAAC;AAGD,YAAM,OAAO,MAAM,KAAK,SAAS,SAAS,KAAK,QAAQ;AACvD,UAAI,CAAC,MAAM;AACT,gBAAQ,UAAU,qBAAqB;AACvC,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAGA,UAAI,KAAK,UAAU,WAAW;AAC5B,gBAAQ,UAAU,qBAAqB;AACvC,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAGA,YAAM,cACJ,KAAK,aAAa,IAAI,KAAK,IAAI,KAAK,KAAK,aAAa,IAAI,MAAM;AAClE,UAAI;AACF,cAAM,eAAe,MAAM,YAAY,QAAQ,KAAK,EAAE;AACtD,YAAI,gBAAgB;AAGpB,YAAI,UAAU,qBAAqB,YAAY,OAAO,SAAS,CAAC;AAChE,YAAI;AAAA,UACF;AAAA,UACA,aAAa,gBAAgB,SAAS;AAAA,QACxC;AACA,YAAI;AAAA,UACF;AAAA,UACA,IAAI,KAAK,KAAK,IAAI,IAAI,aAAa,YAAY,EAAE,YAAY;AAAA,QAC/D;AAAA,MACF,SAAS,gBAAqB;AAC5B,gBAAQ,UAAU,mBAAmB;AACrC,YAAI;AAAA,UACF;AAAA,UACA,KAAK,MAAM,eAAe,eAAe,GAAI,EAAE,SAAS;AAAA,QAC1D;AACA,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,UACN,YAAY,eAAe;AAAA,QAC7B,CAAC;AAAA,MACH;AAGA,UAAI,OAAO;AAGX,cAAQ,UAAU,gBAAgB,EAAE,MAAM,KAAK,KAAK,CAAC;AACrD,cAAQ,OAAO,iBAAiB,KAAK,IAAI,IAAI,SAAS;AAEtD,aAAO,KAAK,6BAA6B;AAAA,QACvC,QAAQ,KAAK;AAAA,QACb,MAAM,KAAK;AAAA,QACX,MAAM,IAAI;AAAA,MACZ,CAAC;AAED,WAAK;AAAA,IACP,SAAS,OAAY;AACnB,cAAQ,UAAU,YAAY;AAC9B,aAAO,MAAM,wBAAwB,KAAK;AAE1C,UAAI,MAAM,SAAS,qBAAqB;AACtC,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAEA,UAAI,MAAM,SAAS,qBAAqB;AACtC,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAEA,UAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QACnB,OAAO;AAAA,QACP,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKO,wBAAwB,OAC7B,UAC6B;AAC7B,QAAI;AACF,YAAM,UAAU,IAAI,OAAO,OAAO,EAAE,UAAU,KAAK,CAAC;AACpD,UAAI,CAAC,WAAW,KAAK,kBAAkB,IAAI,KAAK,GAAG;AACjD,eAAO;AAAA,MACT;AAEA,YAAM,aAAa,MAAM,KAAK,cAAc,QAAQ,OAAO,GAAG;AAC9D,YAAM,WAAW,IAAI,OAAO,OAAO,YAAY;AAAA,QAC7C,YAAY,CAAC,OAAO;AAAA,QACpB,UAAU,KAAK,OAAO;AAAA,QACtB,QAAQ,WAAW,KAAK,OAAO,WAAW;AAAA,MAC5C,CAAC;AAED,aAAO,MAAM,KAAK,SAAS,SAAS,KAAK,QAAQ;AAAA,IACnD,SAAS,OAAgB;AACvB,aAAO;AAAA,QACL;AAAA,QACA,iBAAiB,QAAQ,QAAQ;AAAA,MACnC;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKO,oBAAoB,CAAC,eAAuB;AACjD,WAAO,CAAC,KAAkB,KAAe,SAAuB;AAC9D,UAAI,CAAC,IAAI,MAAM;AACb,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAEA,UAAI,CAAC,IAAI,KAAK,YAAY,SAAS,UAAU,GAAG;AAC9C,gBAAQ,UAAU,0BAA0B,EAAE,WAAW,CAAC;AAC1D,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,UAC1B,OAAO;AAAA,UACP,MAAM;AAAA,UACN,UAAU;AAAA,QACZ,CAAC;AAAA,MACH;AAEA,aAAO,KAAK;AAAA,IACd;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKO,sBAAsB,CAC3B,KACA,KACA,SACG;AACH,UAAM,QAAQ,IAAI,OAAO,SAAS,IAAI,MAAM;AAE5C,QAAI,CAAC,IAAI,QAAQ,CAAC,OAAO;AACvB,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QAC1B,OAAO;AAAA,QACP,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,IAAI,KAAK,eAAe,SAAS,KAAe,GAAG;AACtD,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK;AAAA,QAC1B,OAAO;AAAA,QACP,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,cAAc,KAA6B;AAEjD,UAAM,aAAa,IAAI,QAAQ;AAC/B,QAAI,YAAY,WAAW,YAAY,GAAG;AACxC,aAAO,WAAW,UAAU,CAAC;AAAA,IAC/B;AAGA,UAAM,eAAe,IAAI,QAAQ,WAAW;AAC5C,QAAI,cAAc,WAAW,KAAK,GAAG;AACnC,aAAO;AAAA,IACT;AAQA,WAAO;AAAA,EACT;AAAA,EAEQ,aAAa,KAA6B;AAChD,UAAM,aAAa,IAAI,QAAQ;AAC/B,QACE,YAAY,WAAW,SAAS,KAChC,CAAC,WAAW,WAAW,YAAY,GACnC;AACA,aAAO,WAAW,UAAU,CAAC;AAAA,IAC/B;AAGA,WAAO,IAAI,SAAS,gBAAgB;AAAA,EACtC;AAAA,EAEA,MAAc,SACZ,KACA,cAC0B;AAE1B,UAAM,SAAS,MAAM,KAAK,MAAM,IAAI,QAAQ,GAAG,EAAE;AACjD,QAAI,QAAQ;AACV,YAAM,aAAa,KAAK,MAAM,MAAM;AAEpC,WAAK,UACF,gBAAgB,WAAW,EAAE,EAC7B,MAAM,CAAC,QAAQ,OAAO,MAAM,+BAA+B,GAAG,CAAC;AAClE,aAAO;AAAA,IACT;AAGA,QAAI,SAAS,MAAM,KAAK,UAAU,cAAc,GAAG;AAGnD,QAAI,CAAC,UAAU,cAAc;AAC3B,eAAS,MAAM,KAAK,UAAU,WAAW;AAAA,QACvC;AAAA,QACA,OAAO,aAAa,SAAS,GAAG,GAAG;AAAA,QACnC,MAAM,aAAa;AAAA,QACnB,QAAQ,aAAa;AAAA,QACrB,MAAM,KAAK,cAAc,YAAY;AAAA,QACrC,aAAa,KAAK,qBAAqB,YAAY;AAAA,QACnD,eAAe,KAAK,qBAAqB,YAAY;AAAA,QACrD,UAAU;AAAA,UACR,OAAO;AAAA,UACP,cAAc;AAAA,UACd,YAAY;AAAA,QACd;AAAA,MACF,CAAC;AACD,aAAO,KAAK,qCAAqC;AAAA,QAC/C;AAAA,QACA,OAAO,OAAO;AAAA,MAChB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,QAAQ;AACX,aAAO;AAAA,IACT;AAGA,UAAM,KAAK,UAAU,gBAAgB,OAAO,EAAE;AAG9C,UAAM,OAAiB;AAAA,MACrB,IAAI,OAAO;AAAA,MACX,KAAK,OAAO;AAAA,MACZ,OAAO,OAAO;AAAA,MACd,MAAM,OAAO;AAAA,MACb,SAAS,OAAO;AAAA,MAChB,MAAM,OAAO;AAAA,MACb,aAAa,OAAO;AAAA,MACpB,eAAe,OAAO,cAAc,IAAI,CAAC,QAAQ,IAAI,EAAE;AAAA,MACvD,UAAU,OAAO;AAAA,IACnB;AAGA,UAAM,KAAK,MAAM,MAAM,QAAQ,GAAG,IAAI,KAAK,KAAK,UAAU,IAAI,CAAC;AAE/D,WAAO;AAAA,EACT;AAAA,EAEQ,cAAc,cAAkD;AAEtE,QAAI,aAAa,6BAA6B,GAAG;AAC/C,aAAO,aAAa,6BAA6B;AAAA,IACnD;AAGA,QAAI,aAAa,cAAc,MAAM;AACnC,YAAM,OAAO,aAAa,aAAa,KAAK,YAAY;AACxD,UAAI,KAAK,SAAS,YAAY,EAAG,QAAO;AACxC,UAAI,KAAK,SAAS,KAAK,KAAK,KAAK,SAAS,SAAS,EAAG,QAAO;AAAA,IAC/D;AAGA,WAAO;AAAA,EACT;AAAA,EAEQ,qBAAqB,cAA6B;AACxD,UAAM,cAAwB,CAAC,QAAQ,OAAO;AAG9C,QAAI,aAAa,oCAAoC,GAAG;AACtD,aAAO,aAAa,oCAAoC;AAAA,IAC1D;AAGA,QAAI,aAAa,eAAe,MAAM,QAAQ,aAAa,WAAW,GAAG;AACvE,aAAO,aAAa;AAAA,IACtB;AAGA,QAAI,aAAa,SAAS,MAAM,QAAQ,aAAa,KAAK,GAAG;AAC3D,UAAI,aAAa,MAAM,SAAS,OAAO,GAAG;AACxC,oBAAY,KAAK,SAAS,QAAQ;AAAA,MACpC;AACA,UAAI,aAAa,MAAM,SAAS,WAAW,GAAG;AAC5C,oBAAY,KAAK,UAAU;AAAA,MAC7B;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,qBACN,cACmD;AACnD,UAAM,OAA0D,CAAC;AAGjE,QAAI,aAAa,sCAAsC,GAAG;AACxD,aAAO,aAAa,sCAAsC;AAAA,IAC5D;AAGA,QAAI,aAAa,QAAQ;AACvB,WAAK,KAAK;AAAA,QACR,IAAI,aAAa;AAAA,QACjB,MAAM,aAAa,YAAY,aAAa;AAAA,QAC5C,MAAM,aAAa,YAAY;AAAA,MACjC,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAc,qBAAwC;AACpD,UAAM,UAAU;AAGhB,QAAI,SAAS,MAAM,KAAK,UAAU,cAAc,OAAO;AAEvD,QAAI,CAAC,QAAQ;AAEX,eAAS,MAAM,KAAK,UAAU,WAAW;AAAA,QACvC,KAAK;AAAA,QACL,OAAO;AAAA,QACP,MAAM;AAAA,QACN,MAAM;AAAA,QACN,aAAa,CAAC,QAAQ,SAAS,SAAS,QAAQ;AAAA,QAChD,eAAe;AAAA,UACb;AAAA,YACE,IAAI;AAAA,YACJ,MAAM;AAAA,YACN,MAAM;AAAA,UACR;AAAA,QACF;AAAA,QACA,UAAU;AAAA,UACR,mBAAmB;AAAA,UACnB,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,QACpC;AAAA,MACF,CAAC;AACD,aAAO,KAAK,+BAA+B;AAAA,IAC7C;AAEA,WAAO;AAAA,MACL,IAAI,OAAO;AAAA,MACX,KAAK,OAAO;AAAA,MACZ,OAAO,OAAO;AAAA,MACd,MAAM,OAAO;AAAA,MACb,SAAS,OAAO;AAAA,MAChB,MAAM,OAAO;AAAA,MACb,aAAa,OAAO;AAAA,MACpB,eAAe,OAAO,cAAc,IAAI,CAAC,QAAQ,IAAI,EAAE;AAAA,MACvD,UAAU,OAAO;AAAA,IACnB;AAAA,EACF;AAAA,EAEQ,cAAwB;AAE9B,QAAI,KAAK,UAAU;AACjB,aAAO,KAAK;AAAA,IACd;AAIA,QAAI,CAAC,KAAK,sBAAsB;AAC9B,WAAK,uBAAuB;AAG5B,WAAK,mBAAmB,EACrB,KAAK,CAAC,SAAS;AACd,aAAK,WAAW;AAChB,aAAK,uBAAuB;AAC5B,eAAO,KAAK,kCAAkC;AAAA,MAChD,CAAC,EACA,MAAM,CAAC,QAAQ;AACd,eAAO,MAAM,kCAAkC,GAAG;AAClD,aAAK,uBAAuB;AAAA,MAC9B,CAAC;AAAA,IACL;AAGA,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,KAAK;AAAA,MACL,OAAO;AAAA,MACP,MAAM;AAAA,MACN,MAAM;AAAA,MACN,aAAa,CAAC,QAAQ,SAAS,SAAS,QAAQ;AAAA,MAChD,eAAe,CAAC,SAAS;AAAA,MACzB,UAAU,EAAE,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAa,YAAY,OAA8B;AACrD,SAAK,kBAAkB,IAAI,KAAK;AAChC,UAAM,KAAK,MAAM,QAAQ,iBAAiB,KAAK;AAG/C,UAAM,UAAU,IAAI,OAAO,KAAK;AAChC,QAAI,SAAS,KAAK;AAChB,YAAM,MAAM,QAAQ,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACtD,UAAI,MAAM,GAAG;AACX,cAAM,KAAK,MAAM,MAAM,aAAa,KAAK,IAAI,KAAK,GAAG;AAAA,MACvD;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAa,QAAuB;AAClC,UAAM,KAAK,MAAM,KAAK;AAAA,EACxB;AACF;",
+  "names": ["user"]
+}