@webwaka/core 1.3.0

package/CHANGELOG.md

@@ -0,0 +1,70 @@
+# @webwaka/core Changelog
+
+All notable changes to this package will be documented in this file.
+Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+---
+
+## [1.0.0] — 2026-03-23
+
+### Added — Auth Module (`src/core/auth/index.ts`)
+
+This release introduces the **canonical authentication package** for all WebWaka OS v4 Cloudflare Workers, resolving the critical security vulnerabilities identified in the March 2026 cross-repo security audit.
+
+#### New Exports
+
+| Export | Type | Description |
+|---|---|---|
+| `signJWT()` | `async function` | Issue a signed HS256 JWT using the Web Crypto API |
+| `verifyJWT()` | `async function` | Verify & decode an HS256 JWT; returns `null` on failure |
+| `jwtAuthMiddleware()` | Hono middleware factory | Verify Bearer JWT, inject `AuthUser` and `tenantId` into context |
+| `requireRole()` | Hono middleware factory | Enforce RBAC after `jwtAuthMiddleware` |
+| `requirePermissions()` | Hono middleware factory | Enforce permission-based access; SUPER_ADMIN bypasses |
+| `secureCORS()` | Hono middleware factory | Environment-aware CORS — never `origin: '*'` in production |
+| `rateLimit()` | Hono middleware factory | KV-backed sliding-window rate limiter |
+| `getTenantId()` | utility | Safely extract `tenantId` from Hono context |
+| `getAuthUser()` | utility | Safely extract `AuthUser` from Hono context |
+| `JWTPayload` | TypeScript interface | Canonical JWT payload shape |
+| `AuthUser` | TypeScript interface | Canonical user context shape |
+| `AuthEnv` | TypeScript interface | Required Cloudflare Worker bindings for auth |
+| `RateLimitEnv` | TypeScript interface | Required bindings for rate limiting (extends `AuthEnv`) |
+
+#### Security Invariants Enforced
+
+- **`tenantId` ALWAYS sourced from validated JWT payload** — `getTenantId()` throws if `jwtAuthMiddleware` was not applied, making cross-tenant data breaches impossible by construction.
+- **CORS NEVER uses `origin: '*'` in production** — `secureCORS()` enforces an explicit origin allowlist in production environments.
+- **Rate limiting on all auth endpoints** — `rateLimit()` provides KV-backed sliding-window rate limiting with configurable limits per endpoint class.
+- **Cryptographic token verification** — `verifyJWT()` uses `crypto.subtle.verify()` (HMAC-SHA256) available natively in the Cloudflare Workers runtime.
+
+#### Package Configuration
+
+- Added `package.json` with `@webwaka/core` package name and sub-path exports
+- Added `tsconfig.json` targeting ES2022 with `WebWorker` lib
+- Added `vitest.config.ts` for unit testing
+
+#### Tests Added
+
+- 22 new unit tests in `src/core/auth/index.test.ts`
+- Covers: sign/verify round-trip, expiry rejection, tamper detection, middleware public routes, RBAC enforcement, permission bypass, context helpers
+
+### Changed
+
+- `src/index.ts` — updated to re-export all auth primitives from the new auth module
+- `src/core/rbac/index.ts` — `requireRole` and `requirePermissions` are now superseded by the auth module exports; the RBAC module's mock `verifyJwt` is deprecated
+
+---
+
+## [0.1.0] — 2026-02-01 (Initial)
+
+### Added
+
+- CORE-1: Offline Sync Engine (Dexie/IndexedDB)
+- CORE-2: AI Engine abstraction (OpenRouter)
+- CORE-3: Universal Billing Ledger (integer kobo)
+- CORE-4: Notifications (Termii SMS/email)
+- CORE-5: KYC module
+- CORE-6: RBAC primitives (mock implementation — superseded by v1.0.0)
+- CORE-7: Geolocation utilities
+- CORE-8: Document management
+- CORE-9: Chat module
+- CORE-10: Booking engine

package/dist/ai.d.ts

@@ -0,0 +1,25 @@
+export interface AiMessage {
+    role: 'system' | 'user' | 'assistant';
+    content: string;
+}
+export interface AiCompletionOptions {
+    model?: string;
+    messages: AiMessage[];
+    maxTokens?: number;
+    temperature?: number;
+}
+export interface AiCompletionResult {
+    content: string;
+    model: string;
+    tokensUsed: number;
+    error?: string;
+}
+export declare class OpenRouterClient {
+    private apiKey;
+    private defaultModel;
+    private baseUrl;
+    constructor(apiKey: string, defaultModel?: string);
+    complete(opts: AiCompletionOptions): Promise<AiCompletionResult>;
+}
+export declare function createAiClient(apiKey: string, defaultModel?: string): OpenRouterClient;
+//# sourceMappingURL=ai.d.ts.map

package/dist/ai.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ai.d.ts","sourceRoot":"","sources":["../src/ai.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,WAAW,CAAC;IACtC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,SAAS,EAAE,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,OAAO,CAAkC;gBAErC,MAAM,EAAE,MAAM,EAAE,YAAY,SAAuB;IAKzD,QAAQ,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,kBAAkB,CAAC;CAyCvE;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,gBAAgB,CAEtF"}

package/dist/ai.js

@@ -0,0 +1,53 @@
+export class OpenRouterClient {
+    apiKey;
+    defaultModel;
+    baseUrl = 'https://openrouter.ai/api/v1';
+    constructor(apiKey, defaultModel = 'openai/gpt-4o-mini') {
+        this.apiKey = apiKey;
+        this.defaultModel = defaultModel;
+    }
+    async complete(opts) {
+        const model = opts.model ?? this.defaultModel;
+        try {
+            const body = {
+                model,
+                messages: opts.messages,
+            };
+            if (opts.maxTokens !== undefined)
+                body.max_tokens = opts.maxTokens;
+            if (opts.temperature !== undefined)
+                body.temperature = opts.temperature;
+            const res = await fetch(`${this.baseUrl}/chat/completions`, {
+                method: 'POST',
+                headers: {
+                    Authorization: `Bearer ${this.apiKey}`,
+                    'Content-Type': 'application/json',
+                    'HTTP-Referer': 'https://webwaka.com',
+                    'X-Title': 'WebWaka Commerce',
+                },
+                body: JSON.stringify(body),
+            });
+            const data = (await res.json());
+            if (!res.ok) {
+                return {
+                    content: '',
+                    model,
+                    tokensUsed: 0,
+                    error: data?.error?.message ?? 'OpenRouter request failed',
+                };
+            }
+            return {
+                content: data.choices?.[0]?.message?.content ?? '',
+                model: data.model ?? model,
+                tokensUsed: data.usage?.total_tokens ?? 0,
+            };
+        }
+        catch (err) {
+            return { content: '', model, tokensUsed: 0, error: err?.message };
+        }
+    }
+}
+export function createAiClient(apiKey, defaultModel) {
+    return new OpenRouterClient(apiKey, defaultModel);
+}
+//# sourceMappingURL=ai.js.map

package/dist/ai.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ai.js","sourceRoot":"","sources":["../src/ai.ts"],"names":[],"mappings":"AAmBA,MAAM,OAAO,gBAAgB;IACnB,MAAM,CAAS;IACf,YAAY,CAAS;IACrB,OAAO,GAAG,8BAA8B,CAAC;IAEjD,YAAY,MAAc,EAAE,YAAY,GAAG,oBAAoB;QAC7D,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,IAAyB;QACtC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,YAAY,CAAC;QAE9C,IAAI,CAAC;YACH,MAAM,IAAI,GAA4B;gBACpC,KAAK;gBACL,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACxB,CAAC;YACF,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS;gBAAE,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;YACnE,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS;gBAAE,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;YAExE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,mBAAmB,EAAE;gBAC1D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,EAAE;oBACtC,cAAc,EAAE,kBAAkB;oBAClC,cAAc,EAAE,qBAAqB;oBACrC,SAAS,EAAE,kBAAkB;iBAC9B;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;aAC3B,CAAC,CAAC;YAEH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAQ,CAAC;YACvC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,OAAO;oBACL,OAAO,EAAE,EAAE;oBACX,KAAK;oBACL,UAAU,EAAE,CAAC;oBACb,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,IAAI,2BAA2B;iBAC3D,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE;gBAClD,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,KAAK;gBAC1B,UAAU,EAAE,IAAI,CAAC,KAAK,EAAE,YAAY,IAAI,CAAC;aAC1C,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;QACpE,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,cAAc,CAAC,MAAc,EAAE,YAAqB;IAClE,OAAO,IAAI,gBAAgB,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;AACpD,CAAC"}

package/dist/core/ai/AIEngine.d.ts

@@ -0,0 +1,69 @@
+/**
+ * CORE-5: AI/BYOK Abstraction Engine
+ * Blueprint Reference: Part 9.1 #7 (Vendor Neutral AI)
+ *
+ * Implements a three-tier fallback mechanism with per-tier retry and exponential backoff:
+ *   1. Tenant BYOK (Bring Your Own Key) via OpenRouter
+ *   2. Platform Key via OpenRouter
+ *   3. Cloudflare Workers AI (Ultimate Fallback)
+ *
+ * Each tier is retried up to `maxRetries` times (default 2) before escalating.
+ * Between attempts the engine sleeps for backoffMs * 2^attempt milliseconds.
+ */
+export interface AIRequest {
+    prompt: string;
+    model?: string;
+    tenantId: string;
+}
+export interface AIResponse {
+    text: string;
+    provider: 'tenant-openrouter' | 'platform-openrouter' | 'cloudflare-ai';
+    modelUsed: string;
+}
+export interface TenantConfig {
+    openRouterKey?: string;
+    preferredModel?: string;
+}
+export interface AIEngineOptions {
+    /** Maximum number of retry attempts per tier before escalating. Default: 2 */
+    maxRetries?: number;
+    /** Base delay in milliseconds for exponential backoff. Default: 200 */
+    backoffMs?: number;
+}
+export declare class AIEngine {
+    private platformOpenRouterKey;
+    private cloudflareAiBinding;
+    private maxRetries;
+    private backoffMs;
+    constructor(platformOpenRouterKey: string, cloudflareAiBinding: any, options?: AIEngineOptions);
+    /**
+     * Executes an AI request using the three-tier fallback strategy.
+     * Each tier is retried up to `maxRetries` times with exponential backoff
+     * before escalating to the next tier.
+     */
+    execute(request: AIRequest, tenantConfig: TenantConfig): Promise<AIResponse>;
+    /**
+     * Executes an AI request and returns a ReadableStream<Uint8Array> for
+     * server-sent events streaming.
+     *
+     * - Tier 1 & 2: calls OpenRouter with `stream: true` and pipes `Response.body`.
+     * - Tier 3 (CF AI fallback): calls `execute()` and wraps the text in a
+     *   single-chunk ReadableStream (CF AI does not support streaming natively).
+     */
+    executeStream(request: AIRequest, tenantConfig: TenantConfig): Promise<ReadableStream<Uint8Array>>;
+    /**
+     * Runs `fn` up to `maxRetries + 1` times (1 initial attempt + maxRetries retries).
+     * Emits logger.warn on each retry. Returns the result on success, or null after
+     * exhausting all attempts (so the caller can escalate to the next tier).
+     */
+    private withRetry;
+    /**
+     * Delays execution for `ms` milliseconds.
+     * Defined as a protected method so tests can spy on it via vi.spyOn(engine, 'sleep').
+     */
+    protected sleep(ms: number): Promise<void>;
+    private callOpenRouter;
+    private callOpenRouterStream;
+    private callCloudflareAI;
+}
+//# sourceMappingURL=AIEngine.d.ts.map

package/dist/core/ai/AIEngine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AIEngine.d.ts","sourceRoot":"","sources":["../../../src/core/ai/AIEngine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,mBAAmB,GAAG,qBAAqB,GAAG,eAAe,CAAC;IACxE,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,YAAY;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,eAAe;IAC9B,8EAA8E;IAC9E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uEAAuE;IACvE,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,QAAQ;IACnB,OAAO,CAAC,qBAAqB,CAAS;IACtC,OAAO,CAAC,mBAAmB,CAAM;IACjC,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAS;gBAGxB,qBAAqB,EAAE,MAAM,EAC7B,mBAAmB,EAAE,GAAG,EACxB,OAAO,GAAE,eAAoB;IAQ/B;;;;OAIG;IACG,OAAO,CAAC,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC;IAmClF;;;;;;;OAOG;IACG,aAAa,CACjB,OAAO,EAAE,SAAS,EAClB,YAAY,EAAE,YAAY,GACzB,OAAO,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IA0CtC;;;;OAIG;YACW,SAAS;IAuCvB;;;OAGG;IACH,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;YAI5B,cAAc;YAgCd,oBAAoB;YA+BpB,gBAAgB;CAgB/B"}

package/dist/core/ai/AIEngine.js

@@ -0,0 +1,185 @@
+/**
+ * CORE-5: AI/BYOK Abstraction Engine
+ * Blueprint Reference: Part 9.1 #7 (Vendor Neutral AI)
+ *
+ * Implements a three-tier fallback mechanism with per-tier retry and exponential backoff:
+ *   1. Tenant BYOK (Bring Your Own Key) via OpenRouter
+ *   2. Platform Key via OpenRouter
+ *   3. Cloudflare Workers AI (Ultimate Fallback)
+ *
+ * Each tier is retried up to `maxRetries` times (default 2) before escalating.
+ * Between attempts the engine sleeps for backoffMs * 2^attempt milliseconds.
+ */
+import { logger } from '../logger';
+export class AIEngine {
+    platformOpenRouterKey;
+    cloudflareAiBinding; // Type would be Ai from @cloudflare/workers-types
+    maxRetries;
+    backoffMs;
+    constructor(platformOpenRouterKey, cloudflareAiBinding, options = {}) {
+        this.platformOpenRouterKey = platformOpenRouterKey;
+        this.cloudflareAiBinding = cloudflareAiBinding;
+        this.maxRetries = options.maxRetries ?? 2;
+        this.backoffMs = options.backoffMs ?? 200;
+    }
+    /**
+     * Executes an AI request using the three-tier fallback strategy.
+     * Each tier is retried up to `maxRetries` times with exponential backoff
+     * before escalating to the next tier.
+     */
+    async execute(request, tenantConfig) {
+        // Tier 1: Tenant BYOK via OpenRouter
+        if (tenantConfig.openRouterKey) {
+            const tier1Result = await this.withRetry('Tier 1 (tenant BYOK)', request.tenantId, () => this.callOpenRouter(request.prompt, tenantConfig.openRouterKey, request.model ?? tenantConfig.preferredModel ?? 'openai/gpt-4o-mini', 'tenant-openrouter'));
+            if (tier1Result !== null)
+                return tier1Result;
+        }
+        // Tier 2: Platform Key via OpenRouter
+        if (this.platformOpenRouterKey) {
+            const tier2Result = await this.withRetry('Tier 2 (platform key)', request.tenantId, () => this.callOpenRouter(request.prompt, this.platformOpenRouterKey, request.model ?? 'openai/gpt-4o-mini', 'platform-openrouter'));
+            if (tier2Result !== null)
+                return tier2Result;
+        }
+        // Tier 3: Cloudflare Workers AI (Ultimate Fallback — no retry needed, CF AI is durable)
+        return await this.callCloudflareAI(request.prompt);
+    }
+    /**
+     * Executes an AI request and returns a ReadableStream<Uint8Array> for
+     * server-sent events streaming.
+     *
+     * - Tier 1 & 2: calls OpenRouter with `stream: true` and pipes `Response.body`.
+     * - Tier 3 (CF AI fallback): calls `execute()` and wraps the text in a
+     *   single-chunk ReadableStream (CF AI does not support streaming natively).
+     */
+    async executeStream(request, tenantConfig) {
+        // Tier 1: Tenant BYOK streaming
+        if (tenantConfig.openRouterKey) {
+            const tier1Result = await this.withRetry('Tier 1 stream (tenant BYOK)', request.tenantId, () => this.callOpenRouterStream(request.prompt, tenantConfig.openRouterKey, request.model ?? tenantConfig.preferredModel ?? 'openai/gpt-4o-mini'));
+            if (tier1Result !== null)
+                return tier1Result;
+        }
+        // Tier 2: Platform Key streaming
+        if (this.platformOpenRouterKey) {
+            const tier2Result = await this.withRetry('Tier 2 stream (platform key)', request.tenantId, () => this.callOpenRouterStream(request.prompt, this.platformOpenRouterKey, request.model ?? 'openai/gpt-4o-mini'));
+            if (tier2Result !== null)
+                return tier2Result;
+        }
+        // Tier 3: Cloudflare AI — wrap non-streaming execute() result in a single-chunk stream
+        // (CF AI does not support native streaming; this keeps fallback logic in one place)
+        const fallback = await this.execute(request, tenantConfig);
+        const encoder = new TextEncoder();
+        const chunk = encoder.encode(fallback.text);
+        return new ReadableStream({
+            start(controller) {
+                controller.enqueue(chunk);
+                controller.close();
+            },
+        });
+    }
+    /**
+     * Runs `fn` up to `maxRetries + 1` times (1 initial attempt + maxRetries retries).
+     * Emits logger.warn on each retry. Returns the result on success, or null after
+     * exhausting all attempts (so the caller can escalate to the next tier).
+     */
+    async withRetry(tierLabel, tenantId, fn) {
+        let lastError;
+        for (let attempt = 0; attempt <= this.maxRetries; attempt++) {
+            if (attempt > 0) {
+                const delayMs = this.backoffMs * Math.pow(2, attempt - 1);
+                logger.warn(`${tierLabel} retry attempt ${attempt} after ${delayMs}ms`, {
+                    tenantId,
+                    attempt,
+                    delayMs,
+                });
+                await this.sleep(delayMs);
+            }
+            try {
+                return await fn();
+            }
+            catch (error) {
+                lastError = error;
+                if (attempt < this.maxRetries) {
+                    logger.warn(`${tierLabel} attempt ${attempt + 1} failed, will retry`, {
+                        tenantId,
+                        attempt: attempt + 1,
+                        error,
+                    });
+                }
+            }
+        }
+        logger.warn(`${tierLabel} exhausted all ${this.maxRetries + 1} attempts, escalating`, {
+            tenantId,
+            error: lastError,
+        });
+        return null;
+    }
+    /**
+     * Delays execution for `ms` milliseconds.
+     * Defined as a protected method so tests can spy on it via vi.spyOn(engine, 'sleep').
+     */
+    sleep(ms) {
+        return new Promise(resolve => setTimeout(resolve, ms));
+    }
+    async callOpenRouter(prompt, apiKey, model, provider) {
+        const response = await fetch('https://openrouter.ai/api/v1/chat/completions', {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${apiKey}`,
+                'Content-Type': 'application/json',
+                'HTTP-Referer': 'https://webwaka.com',
+                'X-Title': 'WebWaka OS v4',
+            },
+            body: JSON.stringify({
+                model,
+                messages: [{ role: 'user', content: prompt }],
+            }),
+        });
+        if (!response.ok) {
+            throw new Error(`OpenRouter API error: ${response.statusText}`);
+        }
+        const data = await response.json();
+        const content = data.choices?.[0]?.message?.content;
+        if (typeof content !== 'string') {
+            throw new Error('OpenRouter returned an unexpected response structure (missing choices[0].message.content)');
+        }
+        return { text: content, provider, modelUsed: model };
+    }
+    async callOpenRouterStream(prompt, apiKey, model) {
+        const response = await fetch('https://openrouter.ai/api/v1/chat/completions', {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${apiKey}`,
+                'Content-Type': 'application/json',
+                'HTTP-Referer': 'https://webwaka.com',
+                'X-Title': 'WebWaka OS v4',
+            },
+            body: JSON.stringify({
+                model,
+                messages: [{ role: 'user', content: prompt }],
+                stream: true,
+            }),
+        });
+        if (!response.ok) {
+            throw new Error(`OpenRouter streaming API error: ${response.statusText}`);
+        }
+        if (!response.body) {
+            throw new Error('OpenRouter returned no response body for streaming request');
+        }
+        return response.body;
+    }
+    async callCloudflareAI(prompt) {
+        if (!this.cloudflareAiBinding) {
+            throw new Error('Cloudflare AI binding not configured');
+        }
+        const model = '@cf/meta/llama-3-8b-instruct';
+        const response = await this.cloudflareAiBinding.run(model, {
+            messages: [{ role: 'user', content: prompt }],
+        });
+        return {
+            text: response.response,
+            provider: 'cloudflare-ai',
+            modelUsed: model,
+        };
+    }
+}
+//# sourceMappingURL=AIEngine.js.map

package/dist/core/ai/AIEngine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AIEngine.js","sourceRoot":"","sources":["../../../src/core/ai/AIEngine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AA0BnC,MAAM,OAAO,QAAQ;IACX,qBAAqB,CAAS;IAC9B,mBAAmB,CAAM,CAAC,kDAAkD;IAC5E,UAAU,CAAS;IACnB,SAAS,CAAS;IAE1B,YACE,qBAA6B,EAC7B,mBAAwB,EACxB,UAA2B,EAAE;QAE7B,IAAI,CAAC,qBAAqB,GAAG,qBAAqB,CAAC;QACnD,IAAI,CAAC,mBAAmB,GAAG,mBAAmB,CAAC;QAC/C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,GAAG,CAAC;IAC5C,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,OAAO,CAAC,OAAkB,EAAE,YAA0B;QAC1D,qCAAqC;QACrC,IAAI,YAAY,CAAC,aAAa,EAAE,CAAC;YAC/B,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,sBAAsB,EACtB,OAAO,CAAC,QAAQ,EAChB,GAAG,EAAE,CAAC,IAAI,CAAC,cAAc,CACvB,OAAO,CAAC,MAAM,EACd,YAAY,CAAC,aAAc,EAC3B,OAAO,CAAC,KAAK,IAAI,YAAY,CAAC,cAAc,IAAI,oBAAoB,EACpE,mBAAmB,CACpB,CACF,CAAC;YACF,IAAI,WAAW,KAAK,IAAI;gBAAE,OAAO,WAAW,CAAC;QAC/C,CAAC;QAED,sCAAsC;QACtC,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAC/B,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,uBAAuB,EACvB,OAAO,CAAC,QAAQ,EAChB,GAAG,EAAE,CAAC,IAAI,CAAC,cAAc,CACvB,OAAO,CAAC,MAAM,EACd,IAAI,CAAC,qBAAqB,EAC1B,OAAO,CAAC,KAAK,IAAI,oBAAoB,EACrC,qBAAqB,CACtB,CACF,CAAC;YACF,IAAI,WAAW,KAAK,IAAI;gBAAE,OAAO,WAAW,CAAC;QAC/C,CAAC;QAED,wFAAwF;QACxF,OAAO,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,OAAkB,EAClB,YAA0B;QAE1B,gCAAgC;QAChC,IAAI,YAAY,CAAC,aAAa,EAAE,CAAC;YAC/B,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,6BAA6B,EAC7B,OAAO,CAAC,QAAQ,EAChB,GAAG,EAAE,CAAC,IAAI,CAAC,oBAAoB,CAC7B,OAAO,CAAC,MAAM,EACd,YAAY,CAAC,aAAc,EAC3B,OAAO,CAAC,KAAK,IAAI,YAAY,CAAC,cAAc,IAAI,oBAAoB,CACrE,CACF,CAAC;YACF,IAAI,WAAW,KAAK,IAAI;gBAAE,OAAO,WAAW,CAAC;QAC/C,CAAC;QAED,iCAAiC;QACjC,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAC/B,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,8BAA8B,EAC9B,OAAO,CAAC,QAAQ,EAChB,GAAG,EAAE,CAAC,IAAI,CAAC,oBAAoB,CAC7B,OAAO,CAAC,MAAM,EACd,IAAI,CAAC,qBAAqB,EAC1B,OAAO,CAAC,KAAK,IAAI,oBAAoB,CACtC,CACF,CAAC;YACF,IAAI,WAAW,KAAK,IAAI;gBAAE,OAAO,WAAW,CAAC;QAC/C,CAAC;QAED,uFAAuF;QACvF,oFAAoF;QACpF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC5C,OAAO,IAAI,cAAc,CAAa;YACpC,KAAK,CAAC,UAAU;gBACd,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;gBAC1B,UAAU,CAAC,KAAK,EAAE,CAAC;YACrB,CAAC;SACF,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,SAAS,CACrB,SAAiB,EACjB,QAAgB,EAChB,EAAoB;QAEpB,IAAI,SAAkB,CAAC;QAEvB,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,EAAE,CAAC;YAC5D,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;gBAChB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;gBAC1D,MAAM,CAAC,IAAI,CAAC,GAAG,SAAS,kBAAkB,OAAO,UAAU,OAAO,IAAI,EAAE;oBACtE,QAAQ;oBACR,OAAO;oBACP,OAAO;iBACR,CAAC,CAAC;gBACH,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC5B,CAAC;YAED,IAAI,CAAC;gBACH,OAAO,MAAM,EAAE,EAAE,CAAC;YACpB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,SAAS,GAAG,KAAK,CAAC;gBAClB,IAAI,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;oBAC9B,MAAM,CAAC,IAAI,CAAC,GAAG,SAAS,YAAY,OAAO,GAAG,CAAC,qBAAqB,EAAE;wBACpE,QAAQ;wBACR,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,KAAK;qBACN,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,GAAG,SAAS,kBAAkB,IAAI,CAAC,UAAU,GAAG,CAAC,uBAAuB,EAAE;YACpF,QAAQ;YACR,KAAK,EAAE,SAAS;SACjB,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACO,KAAK,CAAC,EAAU;QACxB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IACzD,CAAC;IAEO,KAAK,CAAC,cAAc,CAC1B,MAAc,EACd,MAAc,EACd,KAAa,EACb,QAAqD;QAErD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,+CAA+C,EAAE;YAC5E,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,MAAM,EAAE;gBACnC,cAAc,EAAE,kBAAkB;gBAClC,cAAc,EAAE,qBAAqB;gBACrC,SAAS,EAAE,eAAe;aAC3B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK;gBACL,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;aAC9C,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QAClE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAS,CAAC;QAC1C,MAAM,OAAO,GAAuB,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC;QACxE,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,2FAA2F,CAAC,CAAC;QAC/G,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACvD,CAAC;IAEO,KAAK,CAAC,oBAAoB,CAChC,MAAc,EACd,MAAc,EACd,KAAa;QAEb,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,+CAA+C,EAAE;YAC5E,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,MAAM,EAAE;gBACnC,cAAc,EAAE,kBAAkB;gBAClC,cAAc,EAAE,qBAAqB;gBACrC,SAAS,EAAE,eAAe;aAC3B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,KAAK;gBACL,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;gBAC7C,MAAM,EAAE,IAAI;aACb,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,mCAAmC,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QAC5E,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QAED,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,MAAc;QAC3C,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,KAAK,GAAG,8BAA8B,CAAC;QAC7C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,KAAK,EAAE;YACzD,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;SAC9C,CAAC,CAAC;QAEH,OAAO;YACL,IAAI,EAAE,QAAQ,CAAC,QAAQ;YACvB,QAAQ,EAAE,eAAe;YACzB,SAAS,EAAE,KAAK;SACjB,CAAC;IACJ,CAAC;CACF"}

package/dist/core/auth/index.d.ts

@@ -0,0 +1,183 @@
+/**
+ * @webwaka/core — Auth Module
+ * Blueprint Reference: Part 9.2 (Universal Architecture Standards — Auth & Authorization)
+ *
+ * Canonical authentication primitives for all WebWaka OS v4 Cloudflare Workers.
+ *
+ * Invariants enforced:
+ *  - Build Once Use Infinitely: single implementation, all suites import from here.
+ *  - tenantId ALWAYS sourced from validated JWT payload, NEVER from request headers.
+ *  - CORS NEVER uses wildcard `origin: '*'` in production.
+ *  - All auth/mutation endpoints MUST apply rateLimit middleware.
+ *
+ * Exports:
+ *  - signJWT()           — Issue a signed HS256 JWT (used by super-admin-v2 login)
+ *  - verifyJWT()         — Verify & decode an HS256 JWT (used by all suites)
+ *  - jwtAuthMiddleware() — Hono middleware: verify token, inject user into context
+ *  - requireRole()       — Hono middleware factory: enforce RBAC after jwtAuthMiddleware
+ *  - secureCORS()        — Hono CORS middleware with environment-aware origin allowlist
+ *  - rateLimit()         — Hono middleware: KV-backed sliding-window rate limiter
+ *  - AuthUser            — Canonical user session type
+ *  - JWTPayload          — Canonical JWT payload type
+ */
+import type { Context, MiddlewareHandler } from 'hono';
+export interface JWTPayload {
+    /** Subject — user ID */
+    sub: string;
+    /** Tenant ID — ALWAYS sourced from here, never from headers */
+    tenantId: string;
+    /** User role */
+    role: string;
+    /** Granted permissions */
+    permissions: string[];
+    /** Issued-at (Unix seconds) */
+    iat: number;
+    /** Expiry (Unix seconds) */
+    exp: number;
+    /** User email */
+    email: string;
+}
+/** Canonical user context injected into every authenticated Hono request */
+export interface AuthUser {
+    userId: string;
+    email: string;
+    role: string;
+    tenantId: string;
+    permissions: string[];
+}
+/**
+ * User context for API key authenticated requests (B2B / third-party systems).
+ * Compatible with the 'user' context key set by jwtAuthMiddleware.
+ */
+export interface WakaUser {
+    id: string;
+    tenant_id: string;
+    role: string;
+    name: string;
+    phone: string;
+    operator_id: string;
+}
+export interface AuthEnv {
+    JWT_SECRET: string;
+    ENVIRONMENT?: string;
+    /** Optional: KV namespace for rate-limiting counters */
+    RATE_LIMIT_KV?: KVNamespace;
+    /** Optional: D1 database binding used by verifyApiKey */
+    DB?: D1Database;
+}
+/**
+ * Sign a new HS256 JWT using the Web Crypto API (Cloudflare Workers compatible).
+ * Returns a compact `header.payload.signature` string.
+ */
+export declare function signJWT(payload: Omit<JWTPayload, 'iat' | 'exp'>, secret: string, expiresInSeconds?: number): Promise<string>;
+/**
+ * Verify an HS256 JWT and return its decoded payload.
+ * Returns null if the token is invalid, expired, or tampered with.
+ * Uses the Web Crypto API — safe for Cloudflare Workers edge runtime.
+ */
+export declare function verifyJWT(token: string, secret: string): Promise<JWTPayload | null>;
+/**
+ * Verifies an API key by hashing it with SHA-256 and looking it up in the
+ * api_keys table. Returns a WakaUser on success or null if the key is invalid.
+ * Compatible with Cloudflare Workers (Web Crypto API only).
+ */
+export declare function verifyApiKey(rawKey: string, db: D1Database): Promise<WakaUser | null>;
+export interface JwtAuthOptions {
+    /**
+     * Routes that bypass authentication entirely.
+     * Each entry is matched as a prefix against the request path.
+     * Method defaults to '*' (any method).
+     */
+    publicRoutes?: Array<{
+        method?: string;
+        path: string;
+    }>;
+}
+/**
+ * Hono middleware that verifies the Bearer JWT, rejects invalid/expired tokens,
+ * and injects the canonical `AuthUser` into the Hono context as `c.get('user')`.
+ *
+ * Also sets `c.get('tenantId')` from the JWT payload — NEVER from headers.
+ *
+ * Usage:
+ *   app.use('/api/*', jwtAuthMiddleware({ publicRoutes: [{ path: '/health' }] }));
+ */
+export declare function jwtAuthMiddleware(options?: JwtAuthOptions): MiddlewareHandler<{
+    Bindings: AuthEnv;
+}>;
+/**
+ * Hono middleware factory that enforces role-based access control.
+ * MUST be used AFTER jwtAuthMiddleware on the same route.
+ *
+ * Usage:
+ *   app.post('/api/admin/tenants', requireRole(['SUPER_ADMIN', 'TENANT_ADMIN']), handler);
+ */
+export declare function requireRole(allowedRoles: string[]): MiddlewareHandler;
+/**
+ * Hono middleware factory that enforces permission-based access control.
+ * SUPER_ADMIN role bypasses all permission checks.
+ * MUST be used AFTER jwtAuthMiddleware.
+ *
+ * Usage:
+ *   app.delete('/api/tenants/:id', requirePermissions(['delete:tenants']), handler);
+ */
+export declare function requirePermissions(requiredPermissions: string[]): MiddlewareHandler;
+export interface SecureCORSOptions {
+    /**
+     * Allowed origins for production. Defaults to WebWaka production domains.
+     * In non-production environments, all origins are allowed.
+     */
+    allowedOrigins?: string[];
+}
+/**
+ * Environment-aware CORS middleware.
+ * - Production: restricts to an explicit allowlist of WebWaka domains.
+ * - Non-production (staging/dev/local): allows all origins for developer convenience.
+ *
+ * NEVER uses `origin: '*'` in production.
+ *
+ * Usage:
+ *   app.use('*', secureCORS());
+ *   app.use('*', secureCORS({ allowedOrigins: ['https://app.mywebwaka.com'] }));
+ */
+export declare function secureCORS(options?: SecureCORSOptions): MiddlewareHandler<{
+    Bindings: AuthEnv;
+}>;
+export interface RateLimitOptions {
+    /** Maximum requests allowed per window. Default: 60 */
+    limit?: number;
+    /** Window duration in seconds. Default: 60 */
+    windowSeconds?: number;
+    /** Key prefix to namespace different rate limit buckets. Default: 'rl' */
+    keyPrefix?: string;
+    /** Custom key extractor. Default: uses CF-Connecting-IP header or 'unknown' */
+    keyExtractor?: (c: Context) => string;
+}
+export interface RateLimitEnv extends AuthEnv {
+    RATE_LIMIT_KV: KVNamespace;
+}
+/**
+ * KV-backed sliding-window rate limiter for Cloudflare Workers.
+ * Requires a `RATE_LIMIT_KV` KV namespace binding.
+ *
+ * Usage (auth endpoints — strict):
+ *   app.post('/auth/login', rateLimit({ limit: 10, windowSeconds: 60, keyPrefix: 'login' }), handler);
+ *
+ * Usage (general API):
+ *   app.use('/api/*', rateLimit({ limit: 300, windowSeconds: 60 }));
+ */
+export declare function rateLimit(options?: RateLimitOptions): MiddlewareHandler<{
+    Bindings: RateLimitEnv;
+}>;
+/**
+ * Safely extract tenantId from the Hono context.
+ * Throws if tenantId is not present (i.e., jwtAuthMiddleware was not applied).
+ * Use this in route handlers to enforce that tenant context is always present.
+ */
+export declare function getTenantId(c: Context): string;
+/**
+ * Safely extract the authenticated user from the Hono context.
+ * Throws if user is not present.
+ */
+export declare function getAuthUser(c: Context): AuthUser;
+//# sourceMappingURL=index.d.ts.map

package/dist/core/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/core/auth/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAQ,MAAM,MAAM,CAAC;AAM7D,MAAM,WAAW,UAAU;IACzB,wBAAwB;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,0BAA0B;IAC1B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,+BAA+B;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,4BAA4B;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,iBAAiB;IACjB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,4EAA4E;AAC5E,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED;;;GAGG;AACH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,OAAO;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,wDAAwD;IACxD,aAAa,CAAC,EAAE,WAAW,CAAC;IAC5B,yDAAyD;IACzD,EAAE,CAAC,EAAE,UAAU,CAAC;CACjB;AAgCD;;;GAGG;AACH,wBAAsB,OAAO,CAC3B,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,KAAK,GAAG,KAAK,CAAC,EACxC,MAAM,EAAE,MAAM,EACd,gBAAgB,SAAQ,GACvB,OAAO,CAAC,MAAM,CAAC,CAkCjB;AAED;;;;GAIG;AACH,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAmC5B;AAID;;;;GAIG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,MAAM,EACd,EAAE,EAAE,UAAU,GACb,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAqC1B;AAID,MAAM,WAAW,cAAc;IAC7B;;;;OAIG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACzD;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,GAAE,cAAmB,GAC3B,iBAAiB,CAAC;IAAE,QAAQ,EAAE,OAAO,CAAA;CAAE,CAAC,CAsE1C;AAID;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAiBrE;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,mBAAmB,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAoBnF;AAID,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,UAAU,CAAC,OAAO,GAAE,iBAAsB,GAAG,iBAAiB,CAAC;IAAE,QAAQ,EAAE,OAAO,CAAA;CAAE,CAAC,CAgCpG;AAID,MAAM,WAAW,gBAAgB;IAC/B,uDAAuD;IACvD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,0EAA0E;IAC1E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+EAA+E;IAC/E,YAAY,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,CAAC;CACvC;AAED,MAAM,WAAW,YAAa,SAAQ,OAAO;IAC3C,aAAa,EAAE,WAAW,CAAC;CAC5B;AAED;;;;;;;;;GASG;AACH,wBAAgB,SAAS,CAAC,OAAO,GAAE,gBAAqB,GAAG,iBAAiB,CAAC;IAAE,QAAQ,EAAE,YAAY,CAAA;CAAE,CAAC,CA2DvG;AAID;;;;GAIG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,GAAG,MAAM,CAQ9C;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,GAAG,QAAQ,CAQhD"}