@stratal/framework 0.0.1

package/dist/rbac/adapters/custom-zenstack-adapter.js

@@ -0,0 +1,159 @@
+import { Helper } from 'casbin';
+/**
+ * Custom ZenStack adapter for Casbin that works with Cloudflare Workers.
+ *
+ * Based on the original casbin-prisma-adapter but modified to:
+ * - Work with ZenStack v3 ORM clients
+ * - Avoid bundling errors in Cloudflare Workers
+ * - Accept pre-connected ZenStack clients (request-scoped)
+ */
+export class CustomZenStackAdapter {
+    #db;
+    filtered = false;
+    isFiltered() {
+        return this.filtered;
+    }
+    enableFiltered(enabled) {
+        this.filtered = enabled;
+    }
+    constructor(db) {
+        this.#db = db;
+    }
+    async loadPolicy(model) {
+        const lines = await this.#db.casbinRule.findMany();
+        for (const line of lines) {
+            this.#loadPolicyLine(line, model);
+        }
+    }
+    async loadFilteredPolicy(model, filter) {
+        const whereFilter = Object.keys(filter)
+            .map((ptype) => {
+            const policyPatterns = filter[ptype];
+            return policyPatterns.map((policyPattern) => {
+                return {
+                    ptype,
+                    ...(policyPattern[0] && { v0: policyPattern[0] }),
+                    ...(policyPattern[1] && { v1: policyPattern[1] }),
+                    ...(policyPattern[2] && { v2: policyPattern[2] }),
+                    ...(policyPattern[3] && { v3: policyPattern[3] }),
+                    ...(policyPattern[4] && { v4: policyPattern[4] }),
+                    ...(policyPattern[5] && { v5: policyPattern[5] }),
+                };
+            });
+        })
+            .flat();
+        const lines = await this.#db.casbinRule.findMany({
+            where: {
+                OR: whereFilter,
+            },
+        });
+        lines.forEach((line) => this.#loadPolicyLine(line, model));
+        this.enableFiltered(true);
+    }
+    async savePolicy(model) {
+        await this.#db.$executeRawUnsafe('DELETE FROM casbin_rule');
+        const lines = [];
+        const savePolicyType = (ptype) => {
+            const astMap = model.model.get(ptype);
+            if (astMap) {
+                for (const [ptype, ast] of astMap) {
+                    for (const rule of ast.policy) {
+                        const line = this.#savePolicyLine(ptype, rule);
+                        lines.push(line);
+                    }
+                }
+            }
+        };
+        savePolicyType('p');
+        savePolicyType('g');
+        await this.#db.casbinRule.createMany({ data: lines });
+        return true;
+    }
+    async addPolicy(_sec, ptype, rule) {
+        const line = this.#savePolicyLine(ptype, rule);
+        await this.#db.casbinRule.create({ data: line });
+    }
+    async addPolicies(_sec, ptype, rules) {
+        const processes = [];
+        for (const rule of rules) {
+            const line = this.#savePolicyLine(ptype, rule);
+            const p = this.#db.casbinRule.create({ data: line });
+            processes.push(p);
+        }
+        await Promise.all(processes);
+    }
+    async removePolicy(_sec, ptype, rule) {
+        const line = this.#savePolicyLine(ptype, rule);
+        await this.#db.casbinRule.deleteMany({ where: line });
+    }
+    async removePolicies(_sec, ptype, rules) {
+        const processes = [];
+        for (const rule of rules) {
+            const line = this.#savePolicyLine(ptype, rule);
+            const p = this.#db.casbinRule.deleteMany({ where: line });
+            processes.push(p);
+        }
+        await Promise.all(processes);
+    }
+    async removeFilteredPolicy(_sec, ptype, fieldIndex, ...fieldValues) {
+        const line = { ptype };
+        const idx = fieldIndex + fieldValues.length;
+        if (fieldIndex <= 0 && 0 < idx) {
+            line.v0 = fieldValues[0 - fieldIndex];
+        }
+        if (fieldIndex <= 1 && 1 < idx) {
+            line.v1 = fieldValues[1 - fieldIndex];
+        }
+        if (fieldIndex <= 2 && 2 < idx) {
+            line.v2 = fieldValues[2 - fieldIndex];
+        }
+        if (fieldIndex <= 3 && 3 < idx) {
+            line.v3 = fieldValues[3 - fieldIndex];
+        }
+        if (fieldIndex <= 4 && 4 < idx) {
+            line.v4 = fieldValues[4 - fieldIndex];
+        }
+        if (fieldIndex <= 5 && 5 < idx) {
+            line.v5 = fieldValues[5 - fieldIndex];
+        }
+        await this.#db.casbinRule.deleteMany({ where: line });
+    }
+    async close() {
+        // No-op: ZenStack uses pg.Pool for connection management
+    }
+    static newAdapter(db) {
+        const adapter = new CustomZenStackAdapter(db);
+        return adapter;
+    }
+    #loadPolicyLine = (line, model) => {
+        const result = line.ptype +
+            ', ' +
+            [line.v0, line.v1, line.v2, line.v3, line.v4, line.v5]
+                .filter((n) => n)
+                .join(', ');
+        Helper.loadPolicyLine(result, model);
+    };
+    #savePolicyLine = (ptype, rule) => {
+        const line = { ptype };
+        if (rule.length > 0) {
+            line.v0 = rule[0];
+        }
+        if (rule.length > 1) {
+            line.v1 = rule[1];
+        }
+        if (rule.length > 2) {
+            line.v2 = rule[2];
+        }
+        if (rule.length > 3) {
+            line.v3 = rule[3];
+        }
+        if (rule.length > 4) {
+            line.v4 = rule[4];
+        }
+        if (rule.length > 5) {
+            line.v5 = rule[5];
+        }
+        return line;
+    };
+}
+//# sourceMappingURL=custom-zenstack-adapter.js.map

package/dist/rbac/adapters/custom-zenstack-adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"custom-zenstack-adapter.js","sourceRoot":"","sources":["../../../src/rbac/adapters/custom-zenstack-adapter.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAsC/B;;;;;;;GAOG;AACH,MAAM,OAAO,qBAAqB;IAChC,GAAG,CAAgB;IAEnB,QAAQ,GAAG,KAAK,CAAA;IAET,UAAU;QACf,OAAO,IAAI,CAAC,QAAQ,CAAA;IACtB,CAAC;IAEM,cAAc,CAAC,OAAgB;QACpC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAA;IACzB,CAAC;IAED,YAAY,EAAkB;QAC5B,IAAI,CAAC,GAAG,GAAG,EAAE,CAAA;IACf,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,KAAY;QAC3B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAA;QAElD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,eAAe,CAAC,IAAwB,EAAE,KAAK,CAAC,CAAA;QACvD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,kBAAkB,CACtB,KAAY,EACZ,MAAkC;QAElC,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;aACpC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YACb,MAAM,cAAc,GAAG,MAAM,CAAC,KAAK,CAAC,CAAA;YACpC,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,EAAE;gBAC1C,OAAO;oBACL,KAAK;oBACL,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;oBACjD,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;oBACjD,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;oBACjD,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;oBACjD,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;oBACjD,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC;iBAClD,CAAA;YACH,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC;aACD,IAAI,EAAE,CAAA;QACT,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC;YAC/C,KAAK,EAAE;gBACL,EAAE,EAAE,WAAW;aAChB;SACF,CAAC,CAAA;QACF,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,IAAwB,EAAE,KAAK,CAAC,CAAC,CAAA;QAC9E,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAA;IAC3B,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,KAAY;QAC3B,MAAM,IAAI,CAAC,GAAG,CAAC,iBAAiB,CAAC,yBAAyB,CAAC,CAAA;QAE3D,MAAM,KAAK,GAA4B,EAAE,CAAA;QAEzC,MAAM,cAAc,GAAG,CAAC,KAAa,EAAQ,EAAE;YAC7C,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;YACrC,IAAI,MAAM,EAAE,CAAC;gBACX,KAAK,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,MAAM,EAAE,CAAC;oBAClC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;wBAC9B,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;wBAC9C,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;oBAClB,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC,CAAA;QAED,cAAc,CAAC,GAAG,CAAC,CAAA;QACnB,cAAc,CAAC,GAAG,CAAC,CAAA;QAEnB,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;QAErD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,IAAY,EAAE,KAAa,EAAE,IAAc;QACzD,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAC9C,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;IAClD,CAAC;IAED,KAAK,CAAC,WAAW,CACf,IAAY,EACZ,KAAa,EACb,KAAiB;QAEjB,MAAM,SAAS,GAAgC,EAAE,CAAA;QACjD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;YAC9C,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAA8B,CAAA;YACjF,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACnB,CAAC;QAED,MAAM,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;IAC9B,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,IAAY,EACZ,KAAa,EACb,IAAc;QAEd,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAC9C,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;IACvD,CAAC;IAED,KAAK,CAAC,cAAc,CAClB,IAAY,EACZ,KAAa,EACb,KAAiB;QAEjB,MAAM,SAAS,GAAiC,EAAE,CAAA;QAClD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;YAC9C,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;YACzD,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACnB,CAAC;QAED,MAAM,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;IAC9B,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,IAAY,EACZ,KAAa,EACb,UAAkB,EAClB,GAAG,WAAqB;QAExB,MAAM,IAAI,GAA0B,EAAE,KAAK,EAAE,CAAA;QAE7C,MAAM,GAAG,GAAG,UAAU,GAAG,WAAW,CAAC,MAAM,CAAA;QAC3C,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;YAC/B,IAAI,CAAC,EAAE,GAAG,WAAW,CAAC,CAAC,GAAG,UAAU,CAAC,CAAA;QACvC,CAAC;QACD,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;YAC/B,IAAI,CAAC,EAAE,GAAG,WAAW,CAAC,CAAC,GAAG,UAAU,CAAC,CAAA;QACvC,CAAC;QACD,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;YAC/B,IAAI,CAAC,EAAE,GAAG,WAAW,CAAC,CAAC,GAAG,UAAU,CAAC,CAAA;QACvC,CAAC;QACD,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;YAC/B,IAAI,CAAC,EAAE,GAAG,WAAW,CAAC,CAAC,GAAG,UAAU,CAAC,CAAA;QACvC,CAAC;QACD,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;YAC/B,IAAI,CAAC,EAAE,GAAG,WAAW,CAAC,CAAC,GAAG,UAAU,CAAC,CAAA;QACvC,CAAC;QACD,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;YAC/B,IAAI,CAAC,EAAE,GAAG,WAAW,CAAC,CAAC,GAAG,UAAU,CAAC,CAAA;QACvC,CAAC;QAED,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;IACvD,CAAC;IAED,KAAK,CAAC,KAAK;QACT,yDAAyD;IAC3D,CAAC;IAED,MAAM,CAAC,UAAU,CAAC,EAAkB;QAClC,MAAM,OAAO,GAAG,IAAI,qBAAqB,CAAC,EAAE,CAAC,CAAA;QAC7C,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,eAAe,GAAG,CAAC,IAAsB,EAAE,KAAY,EAAQ,EAAE;QAC/D,MAAM,MAAM,GACV,IAAI,CAAC,KAAK;YACV,IAAI;YACJ,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,CAAC;iBACnD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;iBAChB,IAAI,CAAC,IAAI,CAAC,CAAA;QACf,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;IACtC,CAAC,CAAA;IAED,eAAe,GAAG,CAChB,KAAa,EACb,IAAc,EACS,EAAE;QACzB,MAAM,IAAI,GAA0B,EAAE,KAAK,EAAE,CAAA;QAE7C,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;QACnB,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;QACnB,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;QACnB,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;QACnB,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;QACnB,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;QACnB,CAAC;QAED,OAAO,IAAI,CAAA;IACb,CAAC,CAAA;CACF"}

package/dist/rbac/adapters/index.d.ts

@@ -0,0 +1,2 @@
+export * from './custom-zenstack-adapter';
+//# sourceMappingURL=index.d.ts.map

package/dist/rbac/adapters/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/rbac/adapters/index.ts"],"names":[],"mappings":"AAAA,cAAc,2BAA2B,CAAA"}

package/dist/rbac/adapters/index.js

@@ -0,0 +1,2 @@
+export * from './custom-zenstack-adapter';
+//# sourceMappingURL=index.js.map

package/dist/rbac/adapters/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/rbac/adapters/index.ts"],"names":[],"mappings":"AAAA,cAAc,2BAA2B,CAAA"}

package/dist/rbac/constants.d.ts

@@ -0,0 +1,8 @@
+/**
+ * RBAC Constants
+ */
+export declare const RBAC_CONTEXT_KEYS: {
+    /** Key for storing required authorization scopes (permissions) in context */
+    readonly AUTH_SCOPES: symbol;
+};
+//# sourceMappingURL=constants.d.ts.map

package/dist/rbac/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/rbac/constants.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,eAAO,MAAM,iBAAiB;IAC5B,6EAA6E;;CAErE,CAAA"}

package/dist/rbac/constants.js

@@ -0,0 +1,8 @@
+/**
+ * RBAC Constants
+ */
+export const RBAC_CONTEXT_KEYS = {
+    /** Key for storing required authorization scopes (permissions) in context */
+    AUTH_SCOPES: Symbol('rbac:authScopes'),
+};
+//# sourceMappingURL=constants.js.map

package/dist/rbac/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/rbac/constants.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,6EAA6E;IAC7E,WAAW,EAAE,MAAM,CAAC,iBAAiB,CAAC;CAC9B,CAAA"}

package/dist/rbac/errors/index.d.ts

@@ -0,0 +1,2 @@
+export * from './insufficient-permissions.error';
+//# sourceMappingURL=index.d.ts.map

package/dist/rbac/errors/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/rbac/errors/index.ts"],"names":[],"mappings":"AAAA,cAAc,kCAAkC,CAAA"}

package/dist/rbac/errors/index.js

@@ -0,0 +1,2 @@
+export * from './insufficient-permissions.error';
+//# sourceMappingURL=index.js.map

package/dist/rbac/errors/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/rbac/errors/index.ts"],"names":[],"mappings":"AAAA,cAAc,kCAAkC,CAAA"}

package/dist/rbac/errors/insufficient-permissions.error.d.ts

@@ -0,0 +1,14 @@
+import { ApplicationError } from 'stratal/errors';
+/**
+ * InsufficientPermissionsError
+ *
+ * Thrown when a user attempts to perform an action without the required permissions.
+ * This error is used by the auth guard after authorization check fails.
+ *
+ * HTTP Status: 403 Forbidden
+ * Error Code: 3102 (AUTHZ.INSUFFICIENT_PERMISSIONS)
+ */
+export declare class InsufficientPermissionsError extends ApplicationError {
+    constructor(requiredScopes: string[], userId?: string);
+}
+//# sourceMappingURL=insufficient-permissions.error.d.ts.map

package/dist/rbac/errors/insufficient-permissions.error.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"insufficient-permissions.error.d.ts","sourceRoot":"","sources":["../../../src/rbac/errors/insufficient-permissions.error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAe,MAAM,gBAAgB,CAAA;AAE9D;;;;;;;;GAQG;AACH,qBAAa,4BAA6B,SAAQ,gBAAgB;gBACpD,cAAc,EAAE,MAAM,EAAE,EAAE,MAAM,CAAC,EAAE,MAAM;CAMtD"}

package/dist/rbac/errors/insufficient-permissions.error.js

@@ -0,0 +1,19 @@
+import { ApplicationError, ERROR_CODES } from 'stratal/errors';
+/**
+ * InsufficientPermissionsError
+ *
+ * Thrown when a user attempts to perform an action without the required permissions.
+ * This error is used by the auth guard after authorization check fails.
+ *
+ * HTTP Status: 403 Forbidden
+ * Error Code: 3102 (AUTHZ.INSUFFICIENT_PERMISSIONS)
+ */
+export class InsufficientPermissionsError extends ApplicationError {
+    constructor(requiredScopes, userId) {
+        super('errors.insufficientPermissions', ERROR_CODES.AUTHZ.INSUFFICIENT_PERMISSIONS, {
+            requiredScopes: requiredScopes.join(', '),
+            userId: userId ?? 'unknown',
+        });
+    }
+}
+//# sourceMappingURL=insufficient-permissions.error.js.map

package/dist/rbac/errors/insufficient-permissions.error.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"insufficient-permissions.error.js","sourceRoot":"","sources":["../../../src/rbac/errors/insufficient-permissions.error.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAE9D;;;;;;;;GAQG;AACH,MAAM,OAAO,4BAA6B,SAAQ,gBAAgB;IAChE,YAAY,cAAwB,EAAE,MAAe;QACnD,KAAK,CAAC,gCAAgC,EAAE,WAAW,CAAC,KAAK,CAAC,wBAAwB,EAAE;YAClF,cAAc,EAAE,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;YACzC,MAAM,EAAE,MAAM,IAAI,SAAS;SAC5B,CAAC,CAAA;IACJ,CAAC;CACF"}

package/dist/rbac/index.d.ts

@@ -0,0 +1,9 @@
+export { RBAC_CONTEXT_KEYS } from './constants';
+export { InsufficientPermissionsError } from './errors/insufficient-permissions.error';
+export { CasbinEnforcerService } from './services/casbin-enforcer.service';
+export { CasbinService } from './services/casbin.service';
+export { CustomZenStackAdapter } from './adapters/custom-zenstack-adapter';
+export { RbacModule } from './rbac.module';
+export { RBAC_TOKENS } from './tokens';
+export type { RbacModuleOptions } from './types';
+//# sourceMappingURL=index.d.ts.map

package/dist/rbac/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rbac/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAA;AAC/C,OAAO,EAAE,4BAA4B,EAAE,MAAM,yCAAyC,CAAA;AACtF,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAA;AAC1E,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAA;AACzD,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAA;AAC1E,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAA;AACtC,YAAY,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAA"}

package/dist/rbac/index.js

@@ -0,0 +1,8 @@
+export { RBAC_CONTEXT_KEYS } from './constants';
+export { InsufficientPermissionsError } from './errors/insufficient-permissions.error';
+export { CasbinEnforcerService } from './services/casbin-enforcer.service';
+export { CasbinService } from './services/casbin.service';
+export { CustomZenStackAdapter } from './adapters/custom-zenstack-adapter';
+export { RbacModule } from './rbac.module';
+export { RBAC_TOKENS } from './tokens';
+//# sourceMappingURL=index.js.map

package/dist/rbac/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/rbac/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAA;AAC/C,OAAO,EAAE,4BAA4B,EAAE,MAAM,yCAAyC,CAAA;AACtF,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAA;AAC1E,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAA;AACzD,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAA;AAC1E,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAA;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAA"}

package/dist/rbac/rbac.module.d.ts

@@ -0,0 +1,26 @@
+import type { AsyncModuleOptions, DynamicModule } from 'stratal/module';
+import type { RbacModuleOptions } from './types';
+/**
+ * RBAC Module
+ *
+ * Provides role-based access control using Casbin.
+ * Fully configurable — no hardcoded roles, policies, or model.
+ *
+ * @example
+ * ```typescript
+ * @Module({
+ *   imports: [
+ *     RbacModule.forRoot({
+ *       model: MY_RBAC_MODEL,
+ *       defaultPolicies: [['admin', 'users:*', '.*']],
+ *       roleHierarchy: [['super_admin', 'admin']],
+ *     })
+ *   ]
+ * })
+ * ```
+ */
+export declare class RbacModule {
+    static forRoot(options: RbacModuleOptions): DynamicModule;
+    static forRootAsync(options: AsyncModuleOptions<RbacModuleOptions>): DynamicModule;
+}
+//# sourceMappingURL=rbac.module.d.ts.map

package/dist/rbac/rbac.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.module.d.ts","sourceRoot":"","sources":["../../src/rbac/rbac.module.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAIvE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAA;AAEhD;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAMa,UAAU;IACrB,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,iBAAiB,GAAG,aAAa;IASzD,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,kBAAkB,CAAC,iBAAiB,CAAC,GAAG,aAAa;CAYnF"}

package/dist/rbac/rbac.module.js

@@ -0,0 +1,62 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var RbacModule_1;
+import { Module } from 'stratal/module';
+import { CasbinEnforcerService } from './services/casbin-enforcer.service';
+import { CasbinService } from './services/casbin.service';
+import { RBAC_TOKENS } from './tokens';
+/**
+ * RBAC Module
+ *
+ * Provides role-based access control using Casbin.
+ * Fully configurable — no hardcoded roles, policies, or model.
+ *
+ * @example
+ * ```typescript
+ * @Module({
+ *   imports: [
+ *     RbacModule.forRoot({
+ *       model: MY_RBAC_MODEL,
+ *       defaultPolicies: [['admin', 'users:*', '.*']],
+ *       roleHierarchy: [['super_admin', 'admin']],
+ *     })
+ *   ]
+ * })
+ * ```
+ */
+let RbacModule = RbacModule_1 = class RbacModule {
+    static forRoot(options) {
+        return {
+            module: RbacModule_1,
+            providers: [
+                { provide: RBAC_TOKENS.Options, useValue: options },
+            ],
+        };
+    }
+    static forRootAsync(options) {
+        return {
+            module: RbacModule_1,
+            providers: [
+                {
+                    provide: RBAC_TOKENS.Options,
+                    useFactory: options.useFactory,
+                    inject: options.inject,
+                },
+            ],
+        };
+    }
+};
+RbacModule = RbacModule_1 = __decorate([
+    Module({
+        providers: [
+            CasbinEnforcerService,
+            { provide: RBAC_TOKENS.CasbinService, useClass: CasbinService },
+        ],
+    })
+], RbacModule);
+export { RbacModule };
+//# sourceMappingURL=rbac.module.js.map

package/dist/rbac/rbac.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.module.js","sourceRoot":"","sources":["../../src/rbac/rbac.module.ts"],"names":[],"mappings":";;;;;;;AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AAEvC,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAA;AAC1E,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAA;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAA;AAGtC;;;;;;;;;;;;;;;;;;GAkBG;AAOI,IAAM,UAAU,kBAAhB,MAAM,UAAU;IACrB,MAAM,CAAC,OAAO,CAAC,OAA0B;QACvC,OAAO;YACL,MAAM,EAAE,YAAU;YAClB,SAAS,EAAE;gBACT,EAAE,OAAO,EAAE,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,OAA4B,EAAE;aACzE;SACF,CAAA;IACH,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,OAA8C;QAChE,OAAO;YACL,MAAM,EAAE,YAAU;YAClB,SAAS,EAAE;gBACT;oBACE,OAAO,EAAE,WAAW,CAAC,OAAO;oBAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,MAAM,EAAE,OAAO,CAAC,MAAM;iBACvB;aACF;SACF,CAAA;IACH,CAAC;CACF,CAAA;AAtBY,UAAU;IANtB,MAAM,CAAC;QACN,SAAS,EAAE;YACT,qBAAqB;YACrB,EAAE,OAAO,EAAE,WAAW,CAAC,aAAa,EAAE,QAAQ,EAAE,aAAa,EAAE;SAChE;KACF,CAAC;GACW,UAAU,CAsBtB"}

package/dist/rbac/services/casbin-enforcer.service.d.ts

@@ -0,0 +1,37 @@
+import { type Enforcer } from 'casbin';
+import { type CasbinDbClient } from '../adapters/custom-zenstack-adapter';
+import type { RbacModuleOptions } from '../types';
+/**
+ * CasbinEnforcerService
+ *
+ * Manages the Casbin enforcer instance for authorization.
+ * Model, default policies, and role hierarchy are provided via DI options.
+ */
+export declare class CasbinEnforcerService {
+    protected readonly db: CasbinDbClient;
+    protected readonly options: RbacModuleOptions;
+    protected enforcer: Enforcer | null;
+    constructor(db: CasbinDbClient, options: RbacModuleOptions);
+    /**
+     * Get or create the enforcer instance
+     */
+    getEnforcer(): Promise<Enforcer>;
+    /**
+     * Create a new enforcer instance.
+     * Can be overridden by subclasses to customize enforcer creation.
+     */
+    protected createEnforcer(): Promise<Enforcer>;
+    /**
+     * Seed default policies into database
+     */
+    seedPolicies(): Promise<void>;
+    /**
+     * Clear cached enforcer instance
+     */
+    clearCache(): void;
+    /**
+     * Seed role hierarchy into database
+     */
+    seedRoleHierarchy(): Promise<void>;
+}
+//# sourceMappingURL=casbin-enforcer.service.d.ts.map

package/dist/rbac/services/casbin-enforcer.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"casbin-enforcer.service.d.ts","sourceRoot":"","sources":["../../../src/rbac/services/casbin-enforcer.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAyC,KAAK,QAAQ,EAAE,MAAM,QAAQ,CAAA;AAG7E,OAAO,EAAyB,KAAK,cAAc,EAAE,MAAM,qCAAqC,CAAA;AAEhG,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAA;AAEjD;;;;;GAKG;AACH,qBACa,qBAAqB;IAK9B,SAAS,CAAC,QAAQ,CAAC,EAAE,EAAE,cAAc;IAErC,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,iBAAiB;IAN/C,SAAS,CAAC,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAO;gBAIrB,EAAE,EAAE,cAAc,EAElB,OAAO,EAAE,iBAAiB;IAG/C;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,QAAQ,CAAC;IAKtC;;;OAGG;cACa,cAAc,IAAI,OAAO,CAAC,QAAQ,CAAC;IASnD;;OAEG;IACG,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAWnC;;OAEG;IACH,UAAU,IAAI,IAAI;IAIlB;;OAEG;IACG,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC;CAUzC"}

package/dist/rbac/services/casbin-enforcer.service.js

@@ -0,0 +1,86 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+import { newCachedEnforcer, newModelFromString } from 'casbin';
+import { DI_TOKENS, Transient } from 'stratal/di';
+import { inject } from 'tsyringe';
+import { CustomZenStackAdapter } from '../adapters/custom-zenstack-adapter';
+import { RBAC_TOKENS } from '../tokens';
+/**
+ * CasbinEnforcerService
+ *
+ * Manages the Casbin enforcer instance for authorization.
+ * Model, default policies, and role hierarchy are provided via DI options.
+ */
+let CasbinEnforcerService = class CasbinEnforcerService {
+    db;
+    options;
+    enforcer = null;
+    constructor(db, options) {
+        this.db = db;
+        this.options = options;
+    }
+    /**
+     * Get or create the enforcer instance
+     */
+    async getEnforcer() {
+        this.enforcer ??= await this.createEnforcer();
+        return this.enforcer;
+    }
+    /**
+     * Create a new enforcer instance.
+     * Can be overridden by subclasses to customize enforcer creation.
+     */
+    async createEnforcer() {
+        const model = newModelFromString(this.options.model);
+        const adapter = CustomZenStackAdapter.newAdapter(this.db);
+        const enforcer = await newCachedEnforcer(model, adapter);
+        await enforcer.loadPolicy();
+        return enforcer;
+    }
+    /**
+     * Seed default policies into database
+     */
+    async seedPolicies() {
+        const enforcer = await this.getEnforcer();
+        const policies = this.options.defaultPolicies ?? [];
+        for (const [role, resource, action] of policies) {
+            await enforcer.addPolicy(role, resource, action);
+        }
+        await enforcer.savePolicy();
+    }
+    /**
+     * Clear cached enforcer instance
+     */
+    clearCache() {
+        this.enforcer = null;
+    }
+    /**
+     * Seed role hierarchy into database
+     */
+    async seedRoleHierarchy() {
+        const enforcer = await this.getEnforcer();
+        const hierarchy = this.options.roleHierarchy ?? [];
+        for (const [childRole, parentRole] of hierarchy) {
+            await enforcer.addGroupingPolicy(childRole, parentRole);
+        }
+        await enforcer.savePolicy();
+    }
+};
+CasbinEnforcerService = __decorate([
+    Transient(),
+    __param(0, inject(DI_TOKENS.Database)),
+    __param(1, inject(RBAC_TOKENS.Options)),
+    __metadata("design:paramtypes", [Object, Object])
+], CasbinEnforcerService);
+export { CasbinEnforcerService };
+//# sourceMappingURL=casbin-enforcer.service.js.map

package/dist/rbac/services/casbin-enforcer.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"casbin-enforcer.service.js","sourceRoot":"","sources":["../../../src/rbac/services/casbin-enforcer.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAiB,MAAM,QAAQ,CAAA;AAC7E,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AACjD,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,qBAAqB,EAAuB,MAAM,qCAAqC,CAAA;AAChG,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AAGvC;;;;;GAKG;AAEI,IAAM,qBAAqB,GAA3B,MAAM,qBAAqB;IAKX;IAEA;IANX,QAAQ,GAAoB,IAAI,CAAA;IAE1C,YAEqB,EAAkB,EAElB,OAA0B;QAF1B,OAAE,GAAF,EAAE,CAAgB;QAElB,YAAO,GAAP,OAAO,CAAmB;IAC3C,CAAC;IAEL;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC9C,OAAO,IAAI,CAAC,QAAQ,CAAA;IACtB,CAAC;IAED;;;OAGG;IACO,KAAK,CAAC,cAAc;QAC5B,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QAEpD,MAAM,OAAO,GAAG,qBAAqB,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QACzD,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QACxD,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;QAC3B,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY;QAChB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAA;QACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,CAAA;QAEnD,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YAChD,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAA;QAClD,CAAC;QAED,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;IAC7B,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAA;IACtB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,iBAAiB;QACrB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAA;QACzC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,IAAI,EAAE,CAAA;QAElD,KAAK,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,IAAI,SAAS,EAAE,CAAC;YAChD,MAAM,QAAQ,CAAC,iBAAiB,CAAC,SAAS,EAAE,UAAU,CAAC,CAAA;QACzD,CAAC;QAED,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;IAC7B,CAAC;CACF,CAAA;AAjEY,qBAAqB;IADjC,SAAS,EAAE;IAKP,WAAA,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;IAE1B,WAAA,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;;GANnB,qBAAqB,CAiEjC"}

package/dist/rbac/services/casbin.service.d.ts

@@ -0,0 +1,37 @@
+import type { Enforcer } from 'casbin';
+import type { AuthContext } from '../../context/auth-context';
+import { CasbinEnforcerService } from './casbin-enforcer.service';
+/**
+ * CasbinService
+ *
+ * Request-scoped service that provides the full Casbin RBAC API.
+ * Uses AuthContext to get the current user.
+ */
+export declare class CasbinService {
+    protected readonly context: AuthContext;
+    protected readonly enforcerService: CasbinEnforcerService;
+    constructor(context: AuthContext, enforcerService: CasbinEnforcerService);
+    protected getEnforcer(): Promise<Enforcer>;
+    addRoleForUser(userId: string, role: string): Promise<boolean>;
+    deleteRoleForUser(userId: string, role: string): Promise<boolean>;
+    deleteRolesForUser(userId: string): Promise<boolean>;
+    getRolesForUser(userId: string): Promise<string[]>;
+    getImplicitRolesForUser(userId: string): Promise<string[]>;
+    getUsersForRole(role: string): Promise<string[]>;
+    getImplicitUsersForRole(role: string): Promise<string[]>;
+    hasRoleForUser(userId: string, role: string): Promise<boolean>;
+    addRoleInheritance(childRole: string, parentRole: string): Promise<boolean>;
+    deleteRoleInheritance(childRole: string, parentRole: string): Promise<boolean>;
+    deleteUser(userId: string): Promise<boolean>;
+    deleteRole(role: string): Promise<boolean>;
+    getCurrentUserRoles(): Promise<string[]>;
+    currentUserHasRole(role: string): Promise<boolean>;
+    setRolesForUser(userId: string, roles: string[]): Promise<void>;
+    hasPermission(userId: string, scope: string, action: string): Promise<boolean>;
+    currentUserHasPermission(scope: string, action: string): Promise<boolean>;
+    hasAnyPermission(userId: string, scopes: string[], action: string): Promise<boolean>;
+    currentUserHasAnyPermission(scopes: string[], action: string): Promise<boolean>;
+    getPermissionsForUserAsCasbinJs(userId: string): Promise<Record<string, string[]>>;
+    getCurrentUserPermissionsAsCasbinJs(): Promise<Record<string, string[]>>;
+}
+//# sourceMappingURL=casbin.service.d.ts.map

package/dist/rbac/services/casbin.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"casbin.service.d.ts","sourceRoot":"","sources":["../../../src/rbac/services/casbin.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAA;AAGtC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAE7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAA;AAEjE;;;;;GAKG;AACH,qBACa,aAAa;IAGtB,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,WAAW;IAEvC,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,qBAAqB;gBAFtC,OAAO,EAAE,WAAW,EAEpB,eAAe,EAAE,qBAAqB;cAG3C,WAAW,IAAI,OAAO,CAAC,QAAQ,CAAC;IAM1C,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAO9D,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAOjE,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAOpD,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAKlD,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAK1D,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAKhD,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAKxD,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAO9D,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAO3E,qBAAqB,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAS9E,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAO5C,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAS1C,mBAAmB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAMxC,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKlD,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAW/D,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK9E,wBAAwB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAMzE,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAOpF,2BAA2B,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQ/E,+BAA+B,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAelF,mCAAmC,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAK/E"}