@usearete/sdk 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +111 -0
- package/dist/index.d.ts +913 -0
- package/dist/index.esm.js +3031 -0
- package/dist/index.esm.js.map +1 -0
- package/dist/index.js +3074 -0
- package/dist/index.js.map +1 -0
- package/dist/ssr/handlers.d.ts +131 -0
- package/dist/ssr/handlers.esm.js +269 -0
- package/dist/ssr/handlers.esm.js.map +1 -0
- package/dist/ssr/handlers.js +294 -0
- package/dist/ssr/handlers.js.map +1 -0
- package/dist/ssr/index.d.ts +147 -0
- package/dist/ssr/index.esm.js +269 -0
- package/dist/ssr/index.esm.js.map +1 -0
- package/dist/ssr/index.js +295 -0
- package/dist/ssr/index.js.map +1 -0
- package/dist/ssr/nextjs-app.d.ts +143 -0
- package/dist/ssr/nextjs-app.esm.js +336 -0
- package/dist/ssr/nextjs-app.esm.js.map +1 -0
- package/dist/ssr/nextjs-app.js +359 -0
- package/dist/ssr/nextjs-app.js.map +1 -0
- package/dist/ssr/tanstack-start.d.ts +165 -0
- package/dist/ssr/tanstack-start.esm.js +357 -0
- package/dist/ssr/tanstack-start.esm.js.map +1 -0
- package/dist/ssr/tanstack-start.js +381 -0
- package/dist/ssr/tanstack-start.js.map +1 -0
- package/dist/ssr/vite.d.ts +164 -0
- package/dist/ssr/vite.esm.js +364 -0
- package/dist/ssr/vite.esm.js.map +1 -0
- package/dist/ssr/vite.js +387 -0
- package/dist/ssr/vite.js.map +1 -0
- package/package.json +98 -0
|
@@ -0,0 +1,269 @@
|
|
|
1
|
+
import * as ed25519 from '@noble/ed25519';
|
|
2
|
+
|
|
3
|
+
/**
|
|
4
|
+
* Base64URL encoding/decoding utilities
|
|
5
|
+
*/
|
|
6
|
+
/**
|
|
7
|
+
* Encode Uint8Array to base64url string (RFC 4648)
|
|
8
|
+
*/
|
|
9
|
+
function encode(bytes) {
|
|
10
|
+
// Convert to regular base64
|
|
11
|
+
const base64 = Buffer.from(bytes).toString('base64');
|
|
12
|
+
// Convert to base64url: replace + with -, / with _, remove padding
|
|
13
|
+
return base64
|
|
14
|
+
.replace(/\+/g, '-')
|
|
15
|
+
.replace(/\//g, '_')
|
|
16
|
+
.replace(/=/g, '');
|
|
17
|
+
}
|
|
18
|
+
/**
|
|
19
|
+
* Decode base64url string to Uint8Array
|
|
20
|
+
*/
|
|
21
|
+
function decode(base64url) {
|
|
22
|
+
// Convert from base64url to regular base64
|
|
23
|
+
let base64 = base64url
|
|
24
|
+
.replace(/-/g, '+')
|
|
25
|
+
.replace(/_/g, '/');
|
|
26
|
+
// Add padding if needed
|
|
27
|
+
const padding = 4 - (base64.length % 4);
|
|
28
|
+
if (padding !== 4) {
|
|
29
|
+
base64 += '='.repeat(padding);
|
|
30
|
+
}
|
|
31
|
+
return new Uint8Array(Buffer.from(base64, 'base64'));
|
|
32
|
+
}
|
|
33
|
+
const base64url = {
|
|
34
|
+
encode,
|
|
35
|
+
decode,
|
|
36
|
+
};
|
|
37
|
+
|
|
38
|
+
/**
|
|
39
|
+
* Arete Auth Server - Drop-in Endpoint Handlers
|
|
40
|
+
*
|
|
41
|
+
* These are framework-agnostic API route handlers that users can mount however they like.
|
|
42
|
+
* They handle token minting and JWKS serving directly using Ed25519 signing.
|
|
43
|
+
*
|
|
44
|
+
* @example
|
|
45
|
+
* ```typescript
|
|
46
|
+
* // app/api/arete/sessions/route.ts (Next.js App Router)
|
|
47
|
+
* import { handleSessionRequest, handleJwksRequest } from '@usearete/sdk/ssr/handlers';
|
|
48
|
+
*
|
|
49
|
+
* export async function POST(request: Request) {
|
|
50
|
+
* const user = await getAuthenticatedUser(request);
|
|
51
|
+
* if (!user) return new Response('Unauthorized', { status: 401 });
|
|
52
|
+
* return handleSessionRequest({}, user.id);
|
|
53
|
+
* }
|
|
54
|
+
*
|
|
55
|
+
* export async function GET() {
|
|
56
|
+
* return handleJwksRequest();
|
|
57
|
+
* }
|
|
58
|
+
* ```
|
|
59
|
+
*/
|
|
60
|
+
/**
|
|
61
|
+
* Decode base64 to Uint8Array
|
|
62
|
+
*/
|
|
63
|
+
function decodeBase64(base64) {
|
|
64
|
+
const binary = Buffer.from(base64, 'base64');
|
|
65
|
+
return new Uint8Array(binary);
|
|
66
|
+
}
|
|
67
|
+
/**
|
|
68
|
+
* Encode Uint8Array to base64url
|
|
69
|
+
*/
|
|
70
|
+
function encodeBase64url(bytes) {
|
|
71
|
+
return base64url.encode(bytes);
|
|
72
|
+
}
|
|
73
|
+
/**
|
|
74
|
+
* Generate a key ID from public key bytes
|
|
75
|
+
*/
|
|
76
|
+
function deriveKeyId(publicKey) {
|
|
77
|
+
// Use first 8 bytes of public key as hex for kid
|
|
78
|
+
return Array.from(publicKey.slice(0, 8))
|
|
79
|
+
.map(b => b.toString(16).padStart(2, '0'))
|
|
80
|
+
.join('');
|
|
81
|
+
}
|
|
82
|
+
/**
|
|
83
|
+
* Create JWT header for Ed25519
|
|
84
|
+
*/
|
|
85
|
+
function createJwtHeader(keyId) {
|
|
86
|
+
const header = {
|
|
87
|
+
alg: 'EdDSA',
|
|
88
|
+
typ: 'JWT',
|
|
89
|
+
kid: keyId,
|
|
90
|
+
};
|
|
91
|
+
return encodeBase64url(new TextEncoder().encode(JSON.stringify(header)));
|
|
92
|
+
}
|
|
93
|
+
/**
|
|
94
|
+
* Create JWT payload from claims
|
|
95
|
+
*/
|
|
96
|
+
function createJwtPayload(claims) {
|
|
97
|
+
return encodeBase64url(new TextEncoder().encode(JSON.stringify(claims)));
|
|
98
|
+
}
|
|
99
|
+
/**
|
|
100
|
+
* Sign data with Ed25519
|
|
101
|
+
*/
|
|
102
|
+
async function signEd25519(data, privateKey) {
|
|
103
|
+
const messageBytes = new TextEncoder().encode(data);
|
|
104
|
+
return await ed25519.signAsync(messageBytes, privateKey);
|
|
105
|
+
}
|
|
106
|
+
/**
|
|
107
|
+
* Mint a session token using Ed25519 signing
|
|
108
|
+
* `subject` must come from verified server-side auth or trusted service code.
|
|
109
|
+
*/
|
|
110
|
+
async function mintSessionToken(config, subject = 'anonymous', scope = 'read', origin) {
|
|
111
|
+
const signingKeyBase64 = config.signingKey || process.env.ARETE_SIGNING_KEY;
|
|
112
|
+
if (!signingKeyBase64) {
|
|
113
|
+
throw new Error('ARETE_SIGNING_KEY not set. Generate with: node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'base64\'))"');
|
|
114
|
+
}
|
|
115
|
+
const privateKeyBytes = decodeBase64(signingKeyBase64);
|
|
116
|
+
if (privateKeyBytes.length !== 32) {
|
|
117
|
+
throw new Error(`Invalid signing key length: expected 32 bytes, got ${privateKeyBytes.length}. ` +
|
|
118
|
+
'Ed25519 signing key must be 32 bytes (base64-encoded).');
|
|
119
|
+
}
|
|
120
|
+
// Derive public key from private key
|
|
121
|
+
const publicKeyBytes = await ed25519.getPublicKeyAsync(privateKeyBytes);
|
|
122
|
+
const keyId = config.keyId || deriveKeyId(publicKeyBytes);
|
|
123
|
+
const issuer = config.issuer || process.env.ARETE_ISSUER || 'arete';
|
|
124
|
+
const audience = config.audience || process.env.ARETE_AUDIENCE || 'arete';
|
|
125
|
+
const ttlSeconds = config.ttlSeconds || 300;
|
|
126
|
+
const now = Math.floor(Date.now() / 1000);
|
|
127
|
+
const expiresAt = now + ttlSeconds;
|
|
128
|
+
const claims = {
|
|
129
|
+
iss: issuer,
|
|
130
|
+
sub: subject,
|
|
131
|
+
aud: audience,
|
|
132
|
+
iat: now,
|
|
133
|
+
nbf: now,
|
|
134
|
+
exp: expiresAt,
|
|
135
|
+
jti: crypto.randomUUID(),
|
|
136
|
+
scope,
|
|
137
|
+
metering_key: `meter:${subject}`,
|
|
138
|
+
key_class: 'secret',
|
|
139
|
+
limits: config.limits || {
|
|
140
|
+
max_connections: 10,
|
|
141
|
+
max_subscriptions: 100,
|
|
142
|
+
max_snapshot_rows: 1000,
|
|
143
|
+
max_messages_per_minute: 10000,
|
|
144
|
+
max_bytes_per_minute: 100 * 1024 * 1024,
|
|
145
|
+
},
|
|
146
|
+
};
|
|
147
|
+
// Add origin binding if provided
|
|
148
|
+
if (origin) {
|
|
149
|
+
claims.origin = origin;
|
|
150
|
+
}
|
|
151
|
+
// Create JWT
|
|
152
|
+
const header = createJwtHeader(keyId);
|
|
153
|
+
const payload = createJwtPayload(claims);
|
|
154
|
+
const signingInput = `${header}.${payload}`;
|
|
155
|
+
const signature = await signEd25519(signingInput, privateKeyBytes);
|
|
156
|
+
const signatureBase64 = encodeBase64url(signature);
|
|
157
|
+
const token = `${signingInput}.${signatureBase64}`;
|
|
158
|
+
return {
|
|
159
|
+
token,
|
|
160
|
+
expires_at: expiresAt,
|
|
161
|
+
};
|
|
162
|
+
}
|
|
163
|
+
/**
|
|
164
|
+
* Generate JWKS response from signing key
|
|
165
|
+
*/
|
|
166
|
+
async function generateJwks(config) {
|
|
167
|
+
const signingKeyBase64 = config.signingKey || process.env.ARETE_SIGNING_KEY;
|
|
168
|
+
const publicKeyBase64 = config.publicKey || process.env.ARETE_PUBLIC_KEY;
|
|
169
|
+
if (!signingKeyBase64 && !publicKeyBase64) {
|
|
170
|
+
return { keys: [] };
|
|
171
|
+
}
|
|
172
|
+
let publicKeyBytes;
|
|
173
|
+
if (publicKeyBase64) {
|
|
174
|
+
// Use provided public key
|
|
175
|
+
publicKeyBytes = decodeBase64(publicKeyBase64);
|
|
176
|
+
if (publicKeyBytes.length !== 32) {
|
|
177
|
+
throw new Error(`Invalid public key length: expected 32 bytes, got ${publicKeyBytes.length}`);
|
|
178
|
+
}
|
|
179
|
+
}
|
|
180
|
+
else {
|
|
181
|
+
// Derive public key from private key
|
|
182
|
+
const privateKeyBytes = decodeBase64(signingKeyBase64);
|
|
183
|
+
if (privateKeyBytes.length !== 32) {
|
|
184
|
+
throw new Error(`Invalid signing key length: expected 32 bytes, got ${privateKeyBytes.length}`);
|
|
185
|
+
}
|
|
186
|
+
publicKeyBytes = await ed25519.getPublicKeyAsync(privateKeyBytes);
|
|
187
|
+
}
|
|
188
|
+
const keyId = config.keyId ||
|
|
189
|
+
(publicKeyBase64 ? 'key-1' : deriveKeyId(publicKeyBytes));
|
|
190
|
+
return {
|
|
191
|
+
keys: [
|
|
192
|
+
{
|
|
193
|
+
kty: 'OKP',
|
|
194
|
+
crv: 'Ed25519',
|
|
195
|
+
kid: keyId,
|
|
196
|
+
use: 'sig',
|
|
197
|
+
alg: 'EdDSA',
|
|
198
|
+
x: encodeBase64url(publicKeyBytes),
|
|
199
|
+
},
|
|
200
|
+
],
|
|
201
|
+
};
|
|
202
|
+
}
|
|
203
|
+
/**
|
|
204
|
+
* Framework-agnostic request handler for token minting
|
|
205
|
+
* Returns a Response object that can be used with any framework
|
|
206
|
+
* The `subject` must be derived from verified server-side auth.
|
|
207
|
+
*/
|
|
208
|
+
async function handleSessionRequest(config = {}, subject = 'anonymous', scope = 'read', origin) {
|
|
209
|
+
try {
|
|
210
|
+
const tokenData = await mintSessionToken(config, subject, scope, origin);
|
|
211
|
+
return new Response(JSON.stringify(tokenData), {
|
|
212
|
+
status: 200,
|
|
213
|
+
headers: {
|
|
214
|
+
'Content-Type': 'application/json',
|
|
215
|
+
},
|
|
216
|
+
});
|
|
217
|
+
}
|
|
218
|
+
catch (error) {
|
|
219
|
+
return new Response(JSON.stringify({
|
|
220
|
+
error: error instanceof Error ? error.message : 'Failed to mint token',
|
|
221
|
+
}), {
|
|
222
|
+
status: 500,
|
|
223
|
+
headers: {
|
|
224
|
+
'Content-Type': 'application/json',
|
|
225
|
+
},
|
|
226
|
+
});
|
|
227
|
+
}
|
|
228
|
+
}
|
|
229
|
+
/**
|
|
230
|
+
* Framework-agnostic request handler for JWKS endpoint
|
|
231
|
+
*/
|
|
232
|
+
async function handleJwksRequest(config = {}) {
|
|
233
|
+
try {
|
|
234
|
+
const jwks = await generateJwks(config);
|
|
235
|
+
return new Response(JSON.stringify(jwks), {
|
|
236
|
+
status: 200,
|
|
237
|
+
headers: {
|
|
238
|
+
'Content-Type': 'application/json',
|
|
239
|
+
},
|
|
240
|
+
});
|
|
241
|
+
}
|
|
242
|
+
catch (error) {
|
|
243
|
+
return new Response(JSON.stringify({
|
|
244
|
+
error: error instanceof Error ? error.message : 'Failed to generate JWKS',
|
|
245
|
+
}), {
|
|
246
|
+
status: 500,
|
|
247
|
+
headers: {
|
|
248
|
+
'Content-Type': 'application/json',
|
|
249
|
+
},
|
|
250
|
+
});
|
|
251
|
+
}
|
|
252
|
+
}
|
|
253
|
+
/**
|
|
254
|
+
* Framework-agnostic health check handler
|
|
255
|
+
*/
|
|
256
|
+
function handleHealthRequest() {
|
|
257
|
+
return new Response(JSON.stringify({
|
|
258
|
+
status: 'healthy',
|
|
259
|
+
version: '0.5.10',
|
|
260
|
+
}), {
|
|
261
|
+
status: 200,
|
|
262
|
+
headers: {
|
|
263
|
+
'Content-Type': 'application/json',
|
|
264
|
+
},
|
|
265
|
+
});
|
|
266
|
+
}
|
|
267
|
+
|
|
268
|
+
export { base64url, generateJwks, handleHealthRequest, handleJwksRequest, handleSessionRequest, mintSessionToken };
|
|
269
|
+
//# sourceMappingURL=index.esm.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.esm.js","sources":["../../src/ssr/utils.ts","../../src/ssr/handlers.ts"],"sourcesContent":[null,null],"names":[],"mappings":";;AAAA;;AAEG;AAEH;;AAEG;AACG,SAAU,MAAM,CAAC,KAAiB,EAAA;;AAEtC,IAAA,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;;AAErD,IAAA,OAAO,MAAM;AACV,SAAA,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;AACnB,SAAA,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;AACnB,SAAA,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AACvB,CAAC;AAED;;AAEG;AACG,SAAU,MAAM,CAAC,SAAiB,EAAA;;IAEtC,IAAI,MAAM,GAAG,SAAS;AACnB,SAAA,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;AAClB,SAAA,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;;IAGtB,MAAM,OAAO,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACxC,IAAA,IAAI,OAAO,KAAK,CAAC,EAAE;AACjB,QAAA,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;KAC/B;AAED,IAAA,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;AACvD,CAAC;AAEY,MAAA,SAAS,GAAG;IACvB,MAAM;IACN,MAAM;;;ACrCR;;;;;;;;;;;;;;;;;;;;;AAqBG;AAoGH;;AAEG;AACH,SAAS,YAAY,CAAC,MAAc,EAAA;IAClC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AAC7C,IAAA,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;AAEG;AACH,SAAS,eAAe,CAAC,KAAiB,EAAA;AACxC,IAAA,OAAO,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACjC,CAAC;AAED;;AAEG;AACH,SAAS,WAAW,CAAC,SAAqB,EAAA;;AAExC,IAAA,OAAO,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACrC,SAAA,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SACzC,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC;AAED;;AAEG;AACH,SAAS,eAAe,CAAC,KAAa,EAAA;AACpC,IAAA,MAAM,MAAM,GAAG;AACb,QAAA,GAAG,EAAE,OAAO;AACZ,QAAA,GAAG,EAAE,KAAK;AACV,QAAA,GAAG,EAAE,KAAK;KACX,CAAC;AACF,IAAA,OAAO,eAAe,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED;;AAEG;AACH,SAAS,gBAAgB,CAAC,MAAqB,EAAA;AAC7C,IAAA,OAAO,eAAe,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED;;AAEG;AACH,eAAe,WAAW,CACxB,IAAY,EACZ,UAAsB,EAAA;IAEtB,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACpD,OAAO,MAAM,OAAO,CAAC,SAAS,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;AAC3D,CAAC;AAED;;;AAGG;AACI,eAAe,gBAAgB,CACpC,MAAyB,EACzB,OAAA,GAAkB,WAAW,EAC7B,KAAgB,GAAA,MAAM,EACtB,MAAe,EAAA;IAEf,MAAM,gBAAgB,GAAG,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC5E,IAAI,CAAC,gBAAgB,EAAE;AACrB,QAAA,MAAM,IAAI,KAAK,CACb,2HAA2H,CAC5H,CAAC;KACH;AAED,IAAA,MAAM,eAAe,GAAG,YAAY,CAAC,gBAAgB,CAAC,CAAC;AACvD,IAAA,IAAI,eAAe,CAAC,MAAM,KAAK,EAAE,EAAE;AACjC,QAAA,MAAM,IAAI,KAAK,CACb,sDAAsD,eAAe,CAAC,MAAM,CAAI,EAAA,CAAA;AAChF,YAAA,wDAAwD,CACzD,CAAC;KACH;;IAGD,MAAM,cAAc,GAAG,MAAM,OAAO,CAAC,iBAAiB,CAAC,eAAe,CAAC,CAAC;IACxE,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,WAAW,CAAC,cAAc,CAAC,CAAC;AAE1D,IAAA,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,OAAO,CAAC;AACpE,IAAA,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC;AAC1E,IAAA,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC;AAE5C,IAAA,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AAC1C,IAAA,MAAM,SAAS,GAAG,GAAG,GAAG,UAAU,CAAC;AAEnC,IAAA,MAAM,MAAM,GAAkB;AAC5B,QAAA,GAAG,EAAE,MAAM;AACX,QAAA,GAAG,EAAE,OAAO;AACZ,QAAA,GAAG,EAAE,QAAQ;AACb,QAAA,GAAG,EAAE,GAAG;AACR,QAAA,GAAG,EAAE,GAAG;AACR,QAAA,GAAG,EAAE,SAAS;AACd,QAAA,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE;QACxB,KAAK;QACL,YAAY,EAAE,CAAS,MAAA,EAAA,OAAO,CAAE,CAAA;AAChC,QAAA,SAAS,EAAE,QAAQ;AACnB,QAAA,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI;AACvB,YAAA,eAAe,EAAE,EAAE;AACnB,YAAA,iBAAiB,EAAE,GAAG;AACtB,YAAA,iBAAiB,EAAE,IAAI;AACvB,YAAA,uBAAuB,EAAE,KAAK;AAC9B,YAAA,oBAAoB,EAAE,GAAG,GAAG,IAAI,GAAG,IAAI;AACxC,SAAA;KACF,CAAC;;IAGF,IAAI,MAAM,EAAE;AACV,QAAA,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC;KACxB;;AAGD,IAAA,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;AACtC,IAAA,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;AACzC,IAAA,MAAM,YAAY,GAAG,CAAA,EAAG,MAAM,CAAI,CAAA,EAAA,OAAO,EAAE,CAAC;IAC5C,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;AACnE,IAAA,MAAM,eAAe,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;AAEnD,IAAA,MAAM,KAAK,GAAG,CAAA,EAAG,YAAY,CAAI,CAAA,EAAA,eAAe,EAAE,CAAC;IAEnD,OAAO;QACL,KAAK;AACL,QAAA,UAAU,EAAE,SAAS;KACtB,CAAC;AACJ,CAAC;AAED;;AAEG;AACI,eAAe,YAAY,CAAC,MAAyB,EAAA;IAC1D,MAAM,gBAAgB,GAAG,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC5E,MAAM,eAAe,GAAG,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;AAEzE,IAAA,IAAI,CAAC,gBAAgB,IAAI,CAAC,eAAe,EAAE;AACzC,QAAA,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;KACrB;AAED,IAAA,IAAI,cAA0B,CAAC;IAE/B,IAAI,eAAe,EAAE;;AAEnB,QAAA,cAAc,GAAG,YAAY,CAAC,eAAe,CAAC,CAAC;AAC/C,QAAA,IAAI,cAAc,CAAC,MAAM,KAAK,EAAE,EAAE;YAChC,MAAM,IAAI,KAAK,CACb,CAAA,kDAAA,EAAqD,cAAc,CAAC,MAAM,CAAE,CAAA,CAC7E,CAAC;SACH;KACF;SAAM;;AAEL,QAAA,MAAM,eAAe,GAAG,YAAY,CAAC,gBAAiB,CAAC,CAAC;AACxD,QAAA,IAAI,eAAe,CAAC,MAAM,KAAK,EAAE,EAAE;YACjC,MAAM,IAAI,KAAK,CACb,CAAA,mDAAA,EAAsD,eAAe,CAAC,MAAM,CAAE,CAAA,CAC/E,CAAC;SACH;QACD,cAAc,GAAG,MAAM,OAAO,CAAC,iBAAiB,CAAC,eAAe,CAAC,CAAC;KACnE;AAED,IAAA,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK;AACxB,SAAC,eAAe,GAAG,OAAO,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC,CAAC;IAE5D,OAAO;AACL,QAAA,IAAI,EAAE;AACJ,YAAA;AACE,gBAAA,GAAG,EAAE,KAAK;AACV,gBAAA,GAAG,EAAE,SAAS;AACd,gBAAA,GAAG,EAAE,KAAK;AACV,gBAAA,GAAG,EAAE,KAAK;AACV,gBAAA,GAAG,EAAE,OAAO;AACZ,gBAAA,CAAC,EAAE,eAAe,CAAC,cAAc,CAAC;AACnC,aAAA;AACF,SAAA;KACF,CAAC;AACJ,CAAC;AAED;;;;AAIG;AACI,eAAe,oBAAoB,CACxC,MAA4B,GAAA,EAAE,EAC9B,OAAA,GAAkB,WAAW,EAC7B,KAAgB,GAAA,MAAM,EACtB,MAAe,EAAA;AAEf,IAAA,IAAI;AACF,QAAA,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAEzE,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;AAC7C,YAAA,MAAM,EAAE,GAAG;AACX,YAAA,OAAO,EAAE;AACP,gBAAA,cAAc,EAAE,kBAAkB;AACnC,aAAA;AACF,SAAA,CAAC,CAAC;KACJ;IAAC,OAAO,KAAK,EAAE;AACd,QAAA,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;AACb,YAAA,KAAK,EAAE,KAAK,YAAY,KAAK,GAAG,KAAK,CAAC,OAAO,GAAG,sBAAsB;AACvE,SAAA,CAAC,EACF;AACE,YAAA,MAAM,EAAE,GAAG;AACX,YAAA,OAAO,EAAE;AACP,gBAAA,cAAc,EAAE,kBAAkB;AACnC,aAAA;AACF,SAAA,CACF,CAAC;KACH;AACH,CAAC;AAED;;AAEG;AACI,eAAe,iBAAiB,CAAC,SAA4B,EAAE,EAAA;AACpE,IAAA,IAAI;AACF,QAAA,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAC;QAExC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;AACxC,YAAA,MAAM,EAAE,GAAG;AACX,YAAA,OAAO,EAAE;AACP,gBAAA,cAAc,EAAE,kBAAkB;AACnC,aAAA;AACF,SAAA,CAAC,CAAC;KACJ;IAAC,OAAO,KAAK,EAAE;AACd,QAAA,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;AACb,YAAA,KAAK,EAAE,KAAK,YAAY,KAAK,GAAG,KAAK,CAAC,OAAO,GAAG,yBAAyB;AAC1E,SAAA,CAAC,EACF;AACE,YAAA,MAAM,EAAE,GAAG;AACX,YAAA,OAAO,EAAE;AACP,gBAAA,cAAc,EAAE,kBAAkB;AACnC,aAAA;AACF,SAAA,CACF,CAAC;KACH;AACH,CAAC;AAED;;AAEG;SACa,mBAAmB,GAAA;AACjC,IAAA,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;AACb,QAAA,MAAM,EAAE,SAAS;AACjB,QAAA,OAAO,EAAE,QAAQ;AAClB,KAAA,CAAC,EACF;AACE,QAAA,MAAM,EAAE,GAAG;AACX,QAAA,OAAO,EAAE;AACP,YAAA,cAAc,EAAE,kBAAkB;AACnC,SAAA;AACF,KAAA,CACF,CAAC;AACJ;;;;"}
|
|
@@ -0,0 +1,295 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
var ed25519 = require('@noble/ed25519');
|
|
4
|
+
|
|
5
|
+
function _interopNamespaceDefault(e) {
|
|
6
|
+
var n = Object.create(null);
|
|
7
|
+
if (e) {
|
|
8
|
+
Object.keys(e).forEach(function (k) {
|
|
9
|
+
if (k !== 'default') {
|
|
10
|
+
var d = Object.getOwnPropertyDescriptor(e, k);
|
|
11
|
+
Object.defineProperty(n, k, d.get ? d : {
|
|
12
|
+
enumerable: true,
|
|
13
|
+
get: function () { return e[k]; }
|
|
14
|
+
});
|
|
15
|
+
}
|
|
16
|
+
});
|
|
17
|
+
}
|
|
18
|
+
n.default = e;
|
|
19
|
+
return Object.freeze(n);
|
|
20
|
+
}
|
|
21
|
+
|
|
22
|
+
var ed25519__namespace = /*#__PURE__*/_interopNamespaceDefault(ed25519);
|
|
23
|
+
|
|
24
|
+
/**
|
|
25
|
+
* Base64URL encoding/decoding utilities
|
|
26
|
+
*/
|
|
27
|
+
/**
|
|
28
|
+
* Encode Uint8Array to base64url string (RFC 4648)
|
|
29
|
+
*/
|
|
30
|
+
function encode(bytes) {
|
|
31
|
+
// Convert to regular base64
|
|
32
|
+
const base64 = Buffer.from(bytes).toString('base64');
|
|
33
|
+
// Convert to base64url: replace + with -, / with _, remove padding
|
|
34
|
+
return base64
|
|
35
|
+
.replace(/\+/g, '-')
|
|
36
|
+
.replace(/\//g, '_')
|
|
37
|
+
.replace(/=/g, '');
|
|
38
|
+
}
|
|
39
|
+
/**
|
|
40
|
+
* Decode base64url string to Uint8Array
|
|
41
|
+
*/
|
|
42
|
+
function decode(base64url) {
|
|
43
|
+
// Convert from base64url to regular base64
|
|
44
|
+
let base64 = base64url
|
|
45
|
+
.replace(/-/g, '+')
|
|
46
|
+
.replace(/_/g, '/');
|
|
47
|
+
// Add padding if needed
|
|
48
|
+
const padding = 4 - (base64.length % 4);
|
|
49
|
+
if (padding !== 4) {
|
|
50
|
+
base64 += '='.repeat(padding);
|
|
51
|
+
}
|
|
52
|
+
return new Uint8Array(Buffer.from(base64, 'base64'));
|
|
53
|
+
}
|
|
54
|
+
const base64url = {
|
|
55
|
+
encode,
|
|
56
|
+
decode,
|
|
57
|
+
};
|
|
58
|
+
|
|
59
|
+
/**
|
|
60
|
+
* Arete Auth Server - Drop-in Endpoint Handlers
|
|
61
|
+
*
|
|
62
|
+
* These are framework-agnostic API route handlers that users can mount however they like.
|
|
63
|
+
* They handle token minting and JWKS serving directly using Ed25519 signing.
|
|
64
|
+
*
|
|
65
|
+
* @example
|
|
66
|
+
* ```typescript
|
|
67
|
+
* // app/api/arete/sessions/route.ts (Next.js App Router)
|
|
68
|
+
* import { handleSessionRequest, handleJwksRequest } from '@usearete/sdk/ssr/handlers';
|
|
69
|
+
*
|
|
70
|
+
* export async function POST(request: Request) {
|
|
71
|
+
* const user = await getAuthenticatedUser(request);
|
|
72
|
+
* if (!user) return new Response('Unauthorized', { status: 401 });
|
|
73
|
+
* return handleSessionRequest({}, user.id);
|
|
74
|
+
* }
|
|
75
|
+
*
|
|
76
|
+
* export async function GET() {
|
|
77
|
+
* return handleJwksRequest();
|
|
78
|
+
* }
|
|
79
|
+
* ```
|
|
80
|
+
*/
|
|
81
|
+
/**
|
|
82
|
+
* Decode base64 to Uint8Array
|
|
83
|
+
*/
|
|
84
|
+
function decodeBase64(base64) {
|
|
85
|
+
const binary = Buffer.from(base64, 'base64');
|
|
86
|
+
return new Uint8Array(binary);
|
|
87
|
+
}
|
|
88
|
+
/**
|
|
89
|
+
* Encode Uint8Array to base64url
|
|
90
|
+
*/
|
|
91
|
+
function encodeBase64url(bytes) {
|
|
92
|
+
return base64url.encode(bytes);
|
|
93
|
+
}
|
|
94
|
+
/**
|
|
95
|
+
* Generate a key ID from public key bytes
|
|
96
|
+
*/
|
|
97
|
+
function deriveKeyId(publicKey) {
|
|
98
|
+
// Use first 8 bytes of public key as hex for kid
|
|
99
|
+
return Array.from(publicKey.slice(0, 8))
|
|
100
|
+
.map(b => b.toString(16).padStart(2, '0'))
|
|
101
|
+
.join('');
|
|
102
|
+
}
|
|
103
|
+
/**
|
|
104
|
+
* Create JWT header for Ed25519
|
|
105
|
+
*/
|
|
106
|
+
function createJwtHeader(keyId) {
|
|
107
|
+
const header = {
|
|
108
|
+
alg: 'EdDSA',
|
|
109
|
+
typ: 'JWT',
|
|
110
|
+
kid: keyId,
|
|
111
|
+
};
|
|
112
|
+
return encodeBase64url(new TextEncoder().encode(JSON.stringify(header)));
|
|
113
|
+
}
|
|
114
|
+
/**
|
|
115
|
+
* Create JWT payload from claims
|
|
116
|
+
*/
|
|
117
|
+
function createJwtPayload(claims) {
|
|
118
|
+
return encodeBase64url(new TextEncoder().encode(JSON.stringify(claims)));
|
|
119
|
+
}
|
|
120
|
+
/**
|
|
121
|
+
* Sign data with Ed25519
|
|
122
|
+
*/
|
|
123
|
+
async function signEd25519(data, privateKey) {
|
|
124
|
+
const messageBytes = new TextEncoder().encode(data);
|
|
125
|
+
return await ed25519__namespace.signAsync(messageBytes, privateKey);
|
|
126
|
+
}
|
|
127
|
+
/**
|
|
128
|
+
* Mint a session token using Ed25519 signing
|
|
129
|
+
* `subject` must come from verified server-side auth or trusted service code.
|
|
130
|
+
*/
|
|
131
|
+
async function mintSessionToken(config, subject = 'anonymous', scope = 'read', origin) {
|
|
132
|
+
const signingKeyBase64 = config.signingKey || process.env.ARETE_SIGNING_KEY;
|
|
133
|
+
if (!signingKeyBase64) {
|
|
134
|
+
throw new Error('ARETE_SIGNING_KEY not set. Generate with: node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'base64\'))"');
|
|
135
|
+
}
|
|
136
|
+
const privateKeyBytes = decodeBase64(signingKeyBase64);
|
|
137
|
+
if (privateKeyBytes.length !== 32) {
|
|
138
|
+
throw new Error(`Invalid signing key length: expected 32 bytes, got ${privateKeyBytes.length}. ` +
|
|
139
|
+
'Ed25519 signing key must be 32 bytes (base64-encoded).');
|
|
140
|
+
}
|
|
141
|
+
// Derive public key from private key
|
|
142
|
+
const publicKeyBytes = await ed25519__namespace.getPublicKeyAsync(privateKeyBytes);
|
|
143
|
+
const keyId = config.keyId || deriveKeyId(publicKeyBytes);
|
|
144
|
+
const issuer = config.issuer || process.env.ARETE_ISSUER || 'arete';
|
|
145
|
+
const audience = config.audience || process.env.ARETE_AUDIENCE || 'arete';
|
|
146
|
+
const ttlSeconds = config.ttlSeconds || 300;
|
|
147
|
+
const now = Math.floor(Date.now() / 1000);
|
|
148
|
+
const expiresAt = now + ttlSeconds;
|
|
149
|
+
const claims = {
|
|
150
|
+
iss: issuer,
|
|
151
|
+
sub: subject,
|
|
152
|
+
aud: audience,
|
|
153
|
+
iat: now,
|
|
154
|
+
nbf: now,
|
|
155
|
+
exp: expiresAt,
|
|
156
|
+
jti: crypto.randomUUID(),
|
|
157
|
+
scope,
|
|
158
|
+
metering_key: `meter:${subject}`,
|
|
159
|
+
key_class: 'secret',
|
|
160
|
+
limits: config.limits || {
|
|
161
|
+
max_connections: 10,
|
|
162
|
+
max_subscriptions: 100,
|
|
163
|
+
max_snapshot_rows: 1000,
|
|
164
|
+
max_messages_per_minute: 10000,
|
|
165
|
+
max_bytes_per_minute: 100 * 1024 * 1024,
|
|
166
|
+
},
|
|
167
|
+
};
|
|
168
|
+
// Add origin binding if provided
|
|
169
|
+
if (origin) {
|
|
170
|
+
claims.origin = origin;
|
|
171
|
+
}
|
|
172
|
+
// Create JWT
|
|
173
|
+
const header = createJwtHeader(keyId);
|
|
174
|
+
const payload = createJwtPayload(claims);
|
|
175
|
+
const signingInput = `${header}.${payload}`;
|
|
176
|
+
const signature = await signEd25519(signingInput, privateKeyBytes);
|
|
177
|
+
const signatureBase64 = encodeBase64url(signature);
|
|
178
|
+
const token = `${signingInput}.${signatureBase64}`;
|
|
179
|
+
return {
|
|
180
|
+
token,
|
|
181
|
+
expires_at: expiresAt,
|
|
182
|
+
};
|
|
183
|
+
}
|
|
184
|
+
/**
|
|
185
|
+
* Generate JWKS response from signing key
|
|
186
|
+
*/
|
|
187
|
+
async function generateJwks(config) {
|
|
188
|
+
const signingKeyBase64 = config.signingKey || process.env.ARETE_SIGNING_KEY;
|
|
189
|
+
const publicKeyBase64 = config.publicKey || process.env.ARETE_PUBLIC_KEY;
|
|
190
|
+
if (!signingKeyBase64 && !publicKeyBase64) {
|
|
191
|
+
return { keys: [] };
|
|
192
|
+
}
|
|
193
|
+
let publicKeyBytes;
|
|
194
|
+
if (publicKeyBase64) {
|
|
195
|
+
// Use provided public key
|
|
196
|
+
publicKeyBytes = decodeBase64(publicKeyBase64);
|
|
197
|
+
if (publicKeyBytes.length !== 32) {
|
|
198
|
+
throw new Error(`Invalid public key length: expected 32 bytes, got ${publicKeyBytes.length}`);
|
|
199
|
+
}
|
|
200
|
+
}
|
|
201
|
+
else {
|
|
202
|
+
// Derive public key from private key
|
|
203
|
+
const privateKeyBytes = decodeBase64(signingKeyBase64);
|
|
204
|
+
if (privateKeyBytes.length !== 32) {
|
|
205
|
+
throw new Error(`Invalid signing key length: expected 32 bytes, got ${privateKeyBytes.length}`);
|
|
206
|
+
}
|
|
207
|
+
publicKeyBytes = await ed25519__namespace.getPublicKeyAsync(privateKeyBytes);
|
|
208
|
+
}
|
|
209
|
+
const keyId = config.keyId ||
|
|
210
|
+
(publicKeyBase64 ? 'key-1' : deriveKeyId(publicKeyBytes));
|
|
211
|
+
return {
|
|
212
|
+
keys: [
|
|
213
|
+
{
|
|
214
|
+
kty: 'OKP',
|
|
215
|
+
crv: 'Ed25519',
|
|
216
|
+
kid: keyId,
|
|
217
|
+
use: 'sig',
|
|
218
|
+
alg: 'EdDSA',
|
|
219
|
+
x: encodeBase64url(publicKeyBytes),
|
|
220
|
+
},
|
|
221
|
+
],
|
|
222
|
+
};
|
|
223
|
+
}
|
|
224
|
+
/**
|
|
225
|
+
* Framework-agnostic request handler for token minting
|
|
226
|
+
* Returns a Response object that can be used with any framework
|
|
227
|
+
* The `subject` must be derived from verified server-side auth.
|
|
228
|
+
*/
|
|
229
|
+
async function handleSessionRequest(config = {}, subject = 'anonymous', scope = 'read', origin) {
|
|
230
|
+
try {
|
|
231
|
+
const tokenData = await mintSessionToken(config, subject, scope, origin);
|
|
232
|
+
return new Response(JSON.stringify(tokenData), {
|
|
233
|
+
status: 200,
|
|
234
|
+
headers: {
|
|
235
|
+
'Content-Type': 'application/json',
|
|
236
|
+
},
|
|
237
|
+
});
|
|
238
|
+
}
|
|
239
|
+
catch (error) {
|
|
240
|
+
return new Response(JSON.stringify({
|
|
241
|
+
error: error instanceof Error ? error.message : 'Failed to mint token',
|
|
242
|
+
}), {
|
|
243
|
+
status: 500,
|
|
244
|
+
headers: {
|
|
245
|
+
'Content-Type': 'application/json',
|
|
246
|
+
},
|
|
247
|
+
});
|
|
248
|
+
}
|
|
249
|
+
}
|
|
250
|
+
/**
|
|
251
|
+
* Framework-agnostic request handler for JWKS endpoint
|
|
252
|
+
*/
|
|
253
|
+
async function handleJwksRequest(config = {}) {
|
|
254
|
+
try {
|
|
255
|
+
const jwks = await generateJwks(config);
|
|
256
|
+
return new Response(JSON.stringify(jwks), {
|
|
257
|
+
status: 200,
|
|
258
|
+
headers: {
|
|
259
|
+
'Content-Type': 'application/json',
|
|
260
|
+
},
|
|
261
|
+
});
|
|
262
|
+
}
|
|
263
|
+
catch (error) {
|
|
264
|
+
return new Response(JSON.stringify({
|
|
265
|
+
error: error instanceof Error ? error.message : 'Failed to generate JWKS',
|
|
266
|
+
}), {
|
|
267
|
+
status: 500,
|
|
268
|
+
headers: {
|
|
269
|
+
'Content-Type': 'application/json',
|
|
270
|
+
},
|
|
271
|
+
});
|
|
272
|
+
}
|
|
273
|
+
}
|
|
274
|
+
/**
|
|
275
|
+
* Framework-agnostic health check handler
|
|
276
|
+
*/
|
|
277
|
+
function handleHealthRequest() {
|
|
278
|
+
return new Response(JSON.stringify({
|
|
279
|
+
status: 'healthy',
|
|
280
|
+
version: '0.5.10',
|
|
281
|
+
}), {
|
|
282
|
+
status: 200,
|
|
283
|
+
headers: {
|
|
284
|
+
'Content-Type': 'application/json',
|
|
285
|
+
},
|
|
286
|
+
});
|
|
287
|
+
}
|
|
288
|
+
|
|
289
|
+
exports.base64url = base64url;
|
|
290
|
+
exports.generateJwks = generateJwks;
|
|
291
|
+
exports.handleHealthRequest = handleHealthRequest;
|
|
292
|
+
exports.handleJwksRequest = handleJwksRequest;
|
|
293
|
+
exports.handleSessionRequest = handleSessionRequest;
|
|
294
|
+
exports.mintSessionToken = mintSessionToken;
|
|
295
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sources":["../../src/ssr/utils.ts","../../src/ssr/handlers.ts"],"sourcesContent":[null,null],"names":["ed25519"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAAA;;AAEG;AAEH;;AAEG;AACG,SAAU,MAAM,CAAC,KAAiB,EAAA;;AAEtC,IAAA,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;;AAErD,IAAA,OAAO,MAAM;AACV,SAAA,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;AACnB,SAAA,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;AACnB,SAAA,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AACvB,CAAC;AAED;;AAEG;AACG,SAAU,MAAM,CAAC,SAAiB,EAAA;;IAEtC,IAAI,MAAM,GAAG,SAAS;AACnB,SAAA,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;AAClB,SAAA,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;;IAGtB,MAAM,OAAO,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACxC,IAAA,IAAI,OAAO,KAAK,CAAC,EAAE;AACjB,QAAA,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;KAC/B;AAED,IAAA,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;AACvD,CAAC;AAEY,MAAA,SAAS,GAAG;IACvB,MAAM;IACN,MAAM;;;ACrCR;;;;;;;;;;;;;;;;;;;;;AAqBG;AAoGH;;AAEG;AACH,SAAS,YAAY,CAAC,MAAc,EAAA;IAClC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AAC7C,IAAA,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;AAEG;AACH,SAAS,eAAe,CAAC,KAAiB,EAAA;AACxC,IAAA,OAAO,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACjC,CAAC;AAED;;AAEG;AACH,SAAS,WAAW,CAAC,SAAqB,EAAA;;AAExC,IAAA,OAAO,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACrC,SAAA,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SACzC,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC;AAED;;AAEG;AACH,SAAS,eAAe,CAAC,KAAa,EAAA;AACpC,IAAA,MAAM,MAAM,GAAG;AACb,QAAA,GAAG,EAAE,OAAO;AACZ,QAAA,GAAG,EAAE,KAAK;AACV,QAAA,GAAG,EAAE,KAAK;KACX,CAAC;AACF,IAAA,OAAO,eAAe,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED;;AAEG;AACH,SAAS,gBAAgB,CAAC,MAAqB,EAAA;AAC7C,IAAA,OAAO,eAAe,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED;;AAEG;AACH,eAAe,WAAW,CACxB,IAAY,EACZ,UAAsB,EAAA;IAEtB,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACpD,OAAO,MAAMA,kBAAO,CAAC,SAAS,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;AAC3D,CAAC;AAED;;;AAGG;AACI,eAAe,gBAAgB,CACpC,MAAyB,EACzB,OAAA,GAAkB,WAAW,EAC7B,KAAgB,GAAA,MAAM,EACtB,MAAe,EAAA;IAEf,MAAM,gBAAgB,GAAG,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC5E,IAAI,CAAC,gBAAgB,EAAE;AACrB,QAAA,MAAM,IAAI,KAAK,CACb,2HAA2H,CAC5H,CAAC;KACH;AAED,IAAA,MAAM,eAAe,GAAG,YAAY,CAAC,gBAAgB,CAAC,CAAC;AACvD,IAAA,IAAI,eAAe,CAAC,MAAM,KAAK,EAAE,EAAE;AACjC,QAAA,MAAM,IAAI,KAAK,CACb,sDAAsD,eAAe,CAAC,MAAM,CAAI,EAAA,CAAA;AAChF,YAAA,wDAAwD,CACzD,CAAC;KACH;;IAGD,MAAM,cAAc,GAAG,MAAMA,kBAAO,CAAC,iBAAiB,CAAC,eAAe,CAAC,CAAC;IACxE,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,WAAW,CAAC,cAAc,CAAC,CAAC;AAE1D,IAAA,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,OAAO,CAAC;AACpE,IAAA,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC;AAC1E,IAAA,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC;AAE5C,IAAA,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AAC1C,IAAA,MAAM,SAAS,GAAG,GAAG,GAAG,UAAU,CAAC;AAEnC,IAAA,MAAM,MAAM,GAAkB;AAC5B,QAAA,GAAG,EAAE,MAAM;AACX,QAAA,GAAG,EAAE,OAAO;AACZ,QAAA,GAAG,EAAE,QAAQ;AACb,QAAA,GAAG,EAAE,GAAG;AACR,QAAA,GAAG,EAAE,GAAG;AACR,QAAA,GAAG,EAAE,SAAS;AACd,QAAA,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE;QACxB,KAAK;QACL,YAAY,EAAE,CAAS,MAAA,EAAA,OAAO,CAAE,CAAA;AAChC,QAAA,SAAS,EAAE,QAAQ;AACnB,QAAA,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI;AACvB,YAAA,eAAe,EAAE,EAAE;AACnB,YAAA,iBAAiB,EAAE,GAAG;AACtB,YAAA,iBAAiB,EAAE,IAAI;AACvB,YAAA,uBAAuB,EAAE,KAAK;AAC9B,YAAA,oBAAoB,EAAE,GAAG,GAAG,IAAI,GAAG,IAAI;AACxC,SAAA;KACF,CAAC;;IAGF,IAAI,MAAM,EAAE;AACV,QAAA,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC;KACxB;;AAGD,IAAA,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;AACtC,IAAA,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;AACzC,IAAA,MAAM,YAAY,GAAG,CAAA,EAAG,MAAM,CAAI,CAAA,EAAA,OAAO,EAAE,CAAC;IAC5C,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC;AACnE,IAAA,MAAM,eAAe,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;AAEnD,IAAA,MAAM,KAAK,GAAG,CAAA,EAAG,YAAY,CAAI,CAAA,EAAA,eAAe,EAAE,CAAC;IAEnD,OAAO;QACL,KAAK;AACL,QAAA,UAAU,EAAE,SAAS;KACtB,CAAC;AACJ,CAAC;AAED;;AAEG;AACI,eAAe,YAAY,CAAC,MAAyB,EAAA;IAC1D,MAAM,gBAAgB,GAAG,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC5E,MAAM,eAAe,GAAG,MAAM,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;AAEzE,IAAA,IAAI,CAAC,gBAAgB,IAAI,CAAC,eAAe,EAAE;AACzC,QAAA,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;KACrB;AAED,IAAA,IAAI,cAA0B,CAAC;IAE/B,IAAI,eAAe,EAAE;;AAEnB,QAAA,cAAc,GAAG,YAAY,CAAC,eAAe,CAAC,CAAC;AAC/C,QAAA,IAAI,cAAc,CAAC,MAAM,KAAK,EAAE,EAAE;YAChC,MAAM,IAAI,KAAK,CACb,CAAA,kDAAA,EAAqD,cAAc,CAAC,MAAM,CAAE,CAAA,CAC7E,CAAC;SACH;KACF;SAAM;;AAEL,QAAA,MAAM,eAAe,GAAG,YAAY,CAAC,gBAAiB,CAAC,CAAC;AACxD,QAAA,IAAI,eAAe,CAAC,MAAM,KAAK,EAAE,EAAE;YACjC,MAAM,IAAI,KAAK,CACb,CAAA,mDAAA,EAAsD,eAAe,CAAC,MAAM,CAAE,CAAA,CAC/E,CAAC;SACH;QACD,cAAc,GAAG,MAAMA,kBAAO,CAAC,iBAAiB,CAAC,eAAe,CAAC,CAAC;KACnE;AAED,IAAA,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK;AACxB,SAAC,eAAe,GAAG,OAAO,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC,CAAC;IAE5D,OAAO;AACL,QAAA,IAAI,EAAE;AACJ,YAAA;AACE,gBAAA,GAAG,EAAE,KAAK;AACV,gBAAA,GAAG,EAAE,SAAS;AACd,gBAAA,GAAG,EAAE,KAAK;AACV,gBAAA,GAAG,EAAE,KAAK;AACV,gBAAA,GAAG,EAAE,OAAO;AACZ,gBAAA,CAAC,EAAE,eAAe,CAAC,cAAc,CAAC;AACnC,aAAA;AACF,SAAA;KACF,CAAC;AACJ,CAAC;AAED;;;;AAIG;AACI,eAAe,oBAAoB,CACxC,MAA4B,GAAA,EAAE,EAC9B,OAAA,GAAkB,WAAW,EAC7B,KAAgB,GAAA,MAAM,EACtB,MAAe,EAAA;AAEf,IAAA,IAAI;AACF,QAAA,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAEzE,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;AAC7C,YAAA,MAAM,EAAE,GAAG;AACX,YAAA,OAAO,EAAE;AACP,gBAAA,cAAc,EAAE,kBAAkB;AACnC,aAAA;AACF,SAAA,CAAC,CAAC;KACJ;IAAC,OAAO,KAAK,EAAE;AACd,QAAA,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;AACb,YAAA,KAAK,EAAE,KAAK,YAAY,KAAK,GAAG,KAAK,CAAC,OAAO,GAAG,sBAAsB;AACvE,SAAA,CAAC,EACF;AACE,YAAA,MAAM,EAAE,GAAG;AACX,YAAA,OAAO,EAAE;AACP,gBAAA,cAAc,EAAE,kBAAkB;AACnC,aAAA;AACF,SAAA,CACF,CAAC;KACH;AACH,CAAC;AAED;;AAEG;AACI,eAAe,iBAAiB,CAAC,SAA4B,EAAE,EAAA;AACpE,IAAA,IAAI;AACF,QAAA,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAC;QAExC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;AACxC,YAAA,MAAM,EAAE,GAAG;AACX,YAAA,OAAO,EAAE;AACP,gBAAA,cAAc,EAAE,kBAAkB;AACnC,aAAA;AACF,SAAA,CAAC,CAAC;KACJ;IAAC,OAAO,KAAK,EAAE;AACd,QAAA,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;AACb,YAAA,KAAK,EAAE,KAAK,YAAY,KAAK,GAAG,KAAK,CAAC,OAAO,GAAG,yBAAyB;AAC1E,SAAA,CAAC,EACF;AACE,YAAA,MAAM,EAAE,GAAG;AACX,YAAA,OAAO,EAAE;AACP,gBAAA,cAAc,EAAE,kBAAkB;AACnC,aAAA;AACF,SAAA,CACF,CAAC;KACH;AACH,CAAC;AAED;;AAEG;SACa,mBAAmB,GAAA;AACjC,IAAA,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC;AACb,QAAA,MAAM,EAAE,SAAS;AACjB,QAAA,OAAO,EAAE,QAAQ;AAClB,KAAA,CAAC,EACF;AACE,QAAA,MAAM,EAAE,GAAG;AACX,QAAA,OAAO,EAAE;AACP,YAAA,cAAc,EAAE,kBAAkB;AACnC,SAAA;AACF,KAAA,CACF,CAAC;AACJ;;;;;;;;;"}
|