alepha 0.13.0 → 0.13.1

package/dist/server-rate-limit/index.d.cts

@@ -1,183 +0,0 @@
-import * as alepha1 from "alepha";
-import { Descriptor, KIND, Static } from "alepha";
-import { ServerRequest, ServerRouterProvider } from "alepha/server";
-import * as alepha_logger0 from "alepha/logger";
-import * as alepha_cache0 from "alepha/cache";
-
-//#region src/server-rate-limit/providers/ServerRateLimitProvider.d.ts
-interface RateLimitResult {
-  allowed: boolean;
-  limit: number;
-  remaining: number;
-  resetTime: number;
-  retryAfter?: number;
-}
-/**
- * Rate limit configuration atom (global defaults)
- */
-declare const rateLimitOptions: alepha1.Atom<alepha1.TObject<{
-  windowMs: alepha1.TOptional<alepha1.TNumber>;
-  max: alepha1.TOptional<alepha1.TNumber>;
-  skipFailedRequests: alepha1.TOptional<alepha1.TBoolean>;
-  skipSuccessfulRequests: alepha1.TOptional<alepha1.TBoolean>;
-}>, "alepha.server.rate-limit.options">;
-type RateLimitAtomOptions = Static<typeof rateLimitOptions.schema>;
-declare module "alepha" {
-  interface State {
-    [rateLimitOptions.key]: RateLimitAtomOptions;
-  }
-}
-declare class ServerRateLimitProvider {
-  protected readonly log: alepha_logger0.Logger;
-  protected readonly serverRouterProvider: ServerRouterProvider;
-  protected readonly env: {
-    RATE_LIMIT_WINDOW_MS: number;
-    RATE_LIMIT_MAX_REQUESTS: number;
-  };
-  protected readonly cache: alepha_cache0.CacheDescriptorFn<RateLimitData, any[]>;
-  protected readonly globalOptions: Readonly<{
-    windowMs?: number | undefined;
-    max?: number | undefined;
-    skipFailedRequests?: boolean | undefined;
-    skipSuccessfulRequests?: boolean | undefined;
-  }>;
-  /**
-   * Registered rate limit configurations with their path patterns
-   */
-  readonly registeredConfigs: RateLimitDescriptorOptions[];
-  /**
-   * Register a rate limit configuration (called by descriptors)
-   */
-  registerRateLimit(config: RateLimitDescriptorOptions): void;
-  protected readonly onStart: alepha1.HookDescriptor<"start">;
-  readonly onRequest: alepha1.HookDescriptor<"server:onRequest">;
-  readonly onActionRequest: alepha1.HookDescriptor<"action:onRequest">;
-  /**
-   * Build complete rate limit options by merging with global defaults
-   */
-  protected buildRateLimitOptions(config: RateLimitDescriptorOptions): RateLimitOptions;
-  /**
-   * Set rate limit headers on the response
-   */
-  protected setRateLimitHeaders(request: ServerRequest, result: RateLimitResult): void;
-  checkLimit(req: ServerRequest, options?: RateLimitOptions): Promise<RateLimitResult>;
-  protected generateKey(req: ServerRequest): string;
-  protected getClientIP(req: ServerRequest): string;
-}
-interface RateLimitData {
-  count: number;
-  windowStart: number;
-  hits: number[];
-}
-//#endregion
-//#region src/server-rate-limit/descriptors/$rateLimit.d.ts
-/**
- * Declares rate limiting for server routes or custom usage.
- * This descriptor provides methods to check rate limits and configure behavior
- * within the server request/response cycle.
- *
- * @example
- * ```ts
- * class ApiService {
- *   // Apply rate limiting to specific paths
- *   apiRateLimit = $rateLimit({
- *     paths: ["/api/*"],
- *     max: 100,
- *     windowMs: 15 * 60 * 1000, // 15 minutes
- *   });
- *
- *   // Or use check() method for manual rate limiting
- *   customAction = $action({
- *     handler: async (req) => {
- *       const result = await this.apiRateLimit.check(req);
- *       if (!result.allowed) throw new Error("Rate limited");
- *       return "ok";
- *     },
- *   });
- * }
- * ```
- */
-declare const $rateLimit: {
-  (options?: RateLimitDescriptorOptions): AbstractRateLimitDescriptor;
-  [KIND]: typeof RateLimitDescriptor;
-};
-interface RateLimitDescriptorOptions extends RateLimitOptions {
-  /** Name identifier for this rate limit (default: property key) */
-  name?: string;
-  /** Path patterns to match (supports wildcards like /api/*) */
-  paths?: string[];
-}
-interface AbstractRateLimitDescriptor {
-  readonly name: string;
-  readonly options: RateLimitDescriptorOptions;
-  check(request: ServerRequest, options?: RateLimitOptions): Promise<RateLimitResult>;
-}
-declare class RateLimitDescriptor extends Descriptor<RateLimitDescriptorOptions> implements AbstractRateLimitDescriptor {
-  protected readonly serverRateLimitProvider: ServerRateLimitProvider;
-  get name(): string;
-  protected onInit(): void;
-  /**
-   * Checks rate limit for the given request using this descriptor's configuration.
-   */
-  check(request: ServerRequest, options?: RateLimitOptions): Promise<RateLimitResult>;
-}
-//#endregion
-//#region src/server-rate-limit/index.d.ts
-declare module "alepha/server" {
-  interface ActionDescriptorOptions<TConfig> {
-    /**
-     * Rate limiting configuration for this action.
-     * When specified, the action will be rate limited according to these settings.
-     */
-    rateLimit?: RateLimitOptions;
-  }
-  interface ServerRoute {
-    /**
-     * Route-specific rate limit configuration.
-     * If set, overrides the global rate limit options for this route.
-     */
-    rateLimit?: RateLimitOptions;
-  }
-}
-interface RateLimitOptions {
-  /** Maximum number of requests per window (default: 100) */
-  max?: number;
-  /** Window duration in milliseconds (default: 15 minutes) */
-  windowMs?: number;
-  /** Custom key generator function */
-  keyGenerator?: (req: any) => string;
-  /** Skip rate limiting for failed requests */
-  skipFailedRequests?: boolean;
-  /** Skip rate limiting for successful requests */
-  skipSuccessfulRequests?: boolean;
-}
-/**
- * Provides rate limiting capabilities for server routes and actions with configurable limits and windows.
- *
- * The server-rate-limit module enables per-route and per-action rate limiting using either:
- * - The `$rateLimit` descriptor with `paths` option for path-based rate limiting
- * - The `rateLimit` option in action descriptors for action-specific limiting
- *
- * It offers sliding window rate limiting, custom key generation, and seamless integration with server routes.
- *
- * @example
- * ```ts
- * import { $rateLimit, AlephaServerRateLimit } from "alepha/server-rate-limit";
- *
- * class ApiService {
- *   // Path-specific rate limiting
- *   apiRateLimit = $rateLimit({
- *     paths: ["/api/*"],
- *     max: 100,
- *     windowMs: 15 * 60 * 1000, // 15 minutes
- *   });
- * }
- * ```
- *
- * @see {@link $rateLimit}
- * @module alepha.server.rate-limit
- */
-declare const AlephaServerRateLimit: alepha1.Service<alepha1.Module>;
-//#endregion
-export { $rateLimit, AbstractRateLimitDescriptor, AlephaServerRateLimit, RateLimitAtomOptions, RateLimitDescriptor, RateLimitDescriptorOptions, RateLimitOptions, RateLimitResult, ServerRateLimitProvider, rateLimitOptions };
-//# sourceMappingURL=index.d.cts.map

package/dist/server-security/index.cjs

@@ -1,316 +0,0 @@
-let alepha = require("alepha");
-let alepha_security = require("alepha/security");
-let alepha_server = require("alepha/server");
-let node_crypto = require("node:crypto");
-let alepha_logger = require("alepha/logger");
-
-//#region src/server-security/providers/ServerBasicAuthProvider.ts
-var ServerBasicAuthProvider = class {
-	alepha = (0, alepha.$inject)(alepha.Alepha);
-	log = (0, alepha_logger.$logger)();
-	routerProvider = (0, alepha.$inject)(alepha_server.ServerRouterProvider);
-	realm = "Secure Area";
-	/**
-	* Registered basic auth descriptors with their configurations
-	*/
-	registeredAuths = [];
-	/**
-	* Register a basic auth configuration (called by descriptors)
-	*/
-	registerAuth(config) {
-		this.registeredAuths.push(config);
-	}
-	onStart = (0, alepha.$hook)({
-		on: "start",
-		handler: async () => {
-			for (const auth of this.registeredAuths) if (auth.paths) for (const pattern of auth.paths) {
-				const matchedRoutes = this.routerProvider.getRoutes(pattern);
-				for (const route of matchedRoutes) route.secure = { basic: {
-					username: auth.username,
-					password: auth.password
-				} };
-			}
-			if (this.registeredAuths.length > 0) this.log.info(`Initialized with ${this.registeredAuths.length} registered basic-auth configurations.`);
-		}
-	});
-	/**
-	* Hook into server:onRequest to check basic auth
-	*/
-	onRequest = (0, alepha.$hook)({
-		on: "server:onRequest",
-		handler: async ({ route, request }) => {
-			const routeAuth = route.secure;
-			if (typeof routeAuth === "object" && "basic" in routeAuth && routeAuth.basic) this.checkAuth(request, routeAuth.basic);
-		}
-	});
-	/**
-	* Hook into action:onRequest to check basic auth for actions
-	*/
-	onActionRequest = (0, alepha.$hook)({
-		on: "action:onRequest",
-		handler: async ({ action, request }) => {
-			const routeAuth = action.route.secure;
-			if (isBasicAuth(routeAuth)) this.checkAuth(request, routeAuth.basic);
-		}
-	});
-	/**
-	* Check basic authentication
-	*/
-	checkAuth(request, options) {
-		const authHeader = request.headers?.authorization;
-		if (!authHeader || !authHeader.startsWith("Basic ")) {
-			this.sendAuthRequired(request);
-			throw new alepha_server.HttpError({
-				status: 401,
-				message: "Authentication required"
-			});
-		}
-		const base64Credentials = authHeader.slice(6);
-		const credentials = Buffer.from(base64Credentials, "base64").toString("utf-8");
-		const colonIndex = credentials.indexOf(":");
-		const username = colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;
-		const password = colonIndex !== -1 ? credentials.slice(colonIndex + 1) : "";
-		if (!this.timingSafeCredentialCheck(username, password, options.username, options.password)) {
-			this.sendAuthRequired(request);
-			this.log.warn(`Failed basic auth attempt for user`, { username });
-			throw new alepha_server.HttpError({
-				status: 401,
-				message: "Invalid credentials"
-			});
-		}
-	}
-	/**
-	* Performs a timing-safe comparison of credentials to prevent timing attacks.
-	* Always compares both username and password to avoid leaking which one is wrong.
-	*/
-	timingSafeCredentialCheck(inputUsername, inputPassword, expectedUsername, expectedPassword) {
-		const inputUserBuf = Buffer.from(inputUsername, "utf-8");
-		const expectedUserBuf = Buffer.from(expectedUsername, "utf-8");
-		const inputPassBuf = Buffer.from(inputPassword, "utf-8");
-		const expectedPassBuf = Buffer.from(expectedPassword, "utf-8");
-		return (this.safeCompare(inputUserBuf, expectedUserBuf) & this.safeCompare(inputPassBuf, expectedPassBuf)) === 1;
-	}
-	/**
-	* Compares two buffers in constant time, handling different lengths safely.
-	* Returns 1 if equal, 0 if not equal.
-	*/
-	safeCompare(input, expected) {
-		if (input.length !== expected.length) {
-			(0, node_crypto.timingSafeEqual)(input, input);
-			return 0;
-		}
-		return (0, node_crypto.timingSafeEqual)(input, expected) ? 1 : 0;
-	}
-	/**
-	* Send WWW-Authenticate header
-	*/
-	sendAuthRequired(request) {
-		request.reply.setHeader("WWW-Authenticate", `Basic realm="${this.realm}"`);
-	}
-};
-const isBasicAuth = (value) => {
-	return typeof value === "object" && !!value && "basic" in value && !!value.basic;
-};
-
-//#endregion
-//#region src/server-security/descriptors/$basicAuth.ts
-/**
-* Declares HTTP Basic Authentication for server routes.
-* This descriptor provides methods to protect routes with username/password authentication.
-*/
-const $basicAuth = (options) => {
-	return (0, alepha.createDescriptor)(BasicAuthDescriptor, options);
-};
-var BasicAuthDescriptor = class extends alepha.Descriptor {
-	serverBasicAuthProvider = (0, alepha.$inject)(ServerBasicAuthProvider);
-	get name() {
-		return this.options.name ?? `${this.config.propertyKey}`;
-	}
-	onInit() {
-		this.serverBasicAuthProvider.registerAuth(this.options);
-	}
-	/**
-	* Checks basic auth for the given request using this descriptor's configuration.
-	*/
-	check(request, options) {
-		const mergedOptions = {
-			...this.options,
-			...options
-		};
-		this.serverBasicAuthProvider.checkAuth(request, mergedOptions);
-	}
-};
-$basicAuth[alepha.KIND] = BasicAuthDescriptor;
-
-//#endregion
-//#region src/server-security/providers/ServerSecurityProvider.ts
-var ServerSecurityProvider = class {
-	log = (0, alepha_logger.$logger)();
-	securityProvider = (0, alepha.$inject)(alepha_security.SecurityProvider);
-	jwtProvider = (0, alepha.$inject)(alepha_security.JwtProvider);
-	alepha = (0, alepha.$inject)(alepha.Alepha);
-	onConfigure = (0, alepha.$hook)({
-		on: "configure",
-		handler: async () => {
-			for (const action of this.alepha.descriptors(alepha_server.$action)) {
-				if (action.options.disabled || action.options.secure === false || this.securityProvider.getRealms().length === 0) continue;
-				if (typeof action.options.secure !== "object") this.securityProvider.createPermission({
-					name: action.name,
-					group: action.group,
-					method: action.route.method,
-					path: action.route.path
-				});
-			}
-		}
-	});
-	onActionRequest = (0, alepha.$hook)({
-		on: "action:onRequest",
-		handler: async ({ action, request, options }) => {
-			if (action.options.secure === false && !options.user) {
-				this.log.trace("Skipping security check for route");
-				return;
-			}
-			if (isBasicAuth(action.route.secure)) return;
-			const permission = this.securityProvider.getPermissions().find((it) => it.path === action.route.path && it.method === action.route.method);
-			try {
-				request.user = this.createUserFromLocalFunctionContext(options, permission);
-				const route = action.route;
-				if (typeof route.secure === "object") this.check(request.user, route.secure);
-				this.alepha.state.set("alepha.server.request.user", this.alepha.codec.decode(alepha_security.userAccountInfoSchema, request.user));
-			} catch (error) {
-				if (action.options.secure || permission) throw error;
-				this.log.trace("Skipping security check for action");
-			}
-		}
-	});
-	onRequest = (0, alepha.$hook)({
-		on: "server:onRequest",
-		priority: "last",
-		handler: async ({ request, route }) => {
-			if (route.secure === false) {
-				this.log.trace("Skipping security check for route - explicitly disabled");
-				return;
-			}
-			if (isBasicAuth(route.secure)) return;
-			const permission = this.securityProvider.getPermissions().find((it) => it.path === route.path && it.method === route.method);
-			if (!request.headers.authorization && !route.secure && !permission) {
-				this.log.trace("Skipping security check for route - no authorization header and not secure");
-				return;
-			}
-			try {
-				request.user = await this.securityProvider.createUserFromToken(request.headers.authorization, { permission });
-				if (typeof route.secure === "object") this.check(request.user, route.secure);
-				this.alepha.state.set("alepha.server.request.user", this.alepha.codec.decode(alepha_security.userAccountInfoSchema, request.user));
-				this.log.trace("User set from request token", {
-					user: request.user,
-					permission
-				});
-			} catch (error) {
-				if (route.secure || permission) throw error;
-				this.log.trace("Skipping security check for route - error occurred", error);
-			}
-		}
-	});
-	check(user, secure) {
-		if (secure.realm) {
-			if (user.realm !== secure.realm) throw new alepha_server.ForbiddenError(`User must belong to realm '${secure.realm}' to access this route`);
-		}
-	}
-	/**
-	* Get the user account token for a local action call.
-	* There are three possible sources for the user:
-	* - `options.user`: the user passed in the options
-	* - `"system"`: the system user from the state (you MUST set state `server.security.system.user`)
-	* - `"context"`: the user from the request context (you MUST be in an HTTP request context)
-	*
-	* Priority order: `options.user` > `"system"` > `"context"`.
-	*
-	* In testing environment, if no user is provided, a test user is created based on the SecurityProvider's roles.
-	*/
-	createUserFromLocalFunctionContext(options, permission) {
-		const fromOptions = typeof options.user === "object" ? options.user : void 0;
-		const type = typeof options.user === "string" ? options.user : void 0;
-		let user;
-		const fromContext = this.alepha.context.get("request")?.user;
-		const fromSystem = this.alepha.state.get("alepha.server.security.system.user");
-		if (type === "system") user = fromSystem;
-		else if (type === "context") user = fromContext;
-		else user = fromOptions ?? fromContext ?? fromSystem;
-		if (!user) {
-			if (this.alepha.isTest() && !("user" in options)) return this.createTestUser();
-			throw new alepha_server.UnauthorizedError("User is required for calling this action");
-		}
-		const roles = user.roles ?? (this.alepha.isTest() ? this.securityProvider.getRoles().map((role) => role.name) : []);
-		let ownership;
-		if (permission) {
-			const result = this.securityProvider.checkPermission(permission, ...roles);
-			if (!result.isAuthorized) throw new alepha_server.ForbiddenError(`Permission '${this.securityProvider.permissionToString(permission)}' is required for this route`);
-			ownership = result.ownership;
-		}
-		return {
-			...user,
-			ownership
-		};
-	}
-	createTestUser() {
-		return {
-			id: (0, node_crypto.randomUUID)(),
-			name: "Test",
-			roles: this.securityProvider.getRoles().map((role) => role.name)
-		};
-	}
-	onClientRequest = (0, alepha.$hook)({
-		on: "client:onRequest",
-		handler: async ({ request, options }) => {
-			if (!this.alepha.isTest()) return;
-			if ("user" in options && options.user === void 0) return;
-			request.headers = new Headers(request.headers);
-			if (!request.headers.has("authorization")) {
-				const test = this.createTestUser();
-				const user = typeof options?.user === "object" ? options.user : void 0;
-				const sub = user?.id ?? test.id;
-				const roles = user?.roles ?? test.roles;
-				const token = await this.jwtProvider.create({
-					sub,
-					roles
-				}, user?.realm ?? this.securityProvider.getRealms()[0]?.name);
-				request.headers.set("authorization", `Bearer ${token}`);
-			}
-		}
-	});
-};
-
-//#endregion
-//#region src/server-security/index.ts
-/**
-* Plugin for Alepha Server that provides security features. Based on the Alepha Security module.
-*
-* By default, all $action will be guarded by a permission check.
-*
-* @see {@link ServerSecurityProvider}
-* @module alepha.server.security
-*/
-const AlephaServerSecurity = (0, alepha.$module)({
-	name: "alepha.server.security",
-	descriptors: [
-		alepha_security.$realm,
-		alepha_security.$role,
-		alepha_security.$permission,
-		$basicAuth
-	],
-	services: [
-		alepha_server.AlephaServer,
-		alepha_security.AlephaSecurity,
-		ServerSecurityProvider,
-		ServerBasicAuthProvider
-	]
-});
-
-//#endregion
-exports.$basicAuth = $basicAuth;
-exports.AlephaServerSecurity = AlephaServerSecurity;
-exports.BasicAuthDescriptor = BasicAuthDescriptor;
-exports.ServerBasicAuthProvider = ServerBasicAuthProvider;
-exports.ServerSecurityProvider = ServerSecurityProvider;
-exports.isBasicAuth = isBasicAuth;
-//# sourceMappingURL=index.cjs.map

package/dist/server-security/index.cjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.cjs","names":["Alepha","ServerRouterProvider","HttpError","Descriptor","KIND","SecurityProvider","JwtProvider","Alepha","$action","userAccountInfoSchema","ForbiddenError","user: UserAccountToken | undefined","UnauthorizedError","ownership: boolean | string | undefined","$realm","$role","$permission","AlephaServer","AlephaSecurity"],"sources":["../../src/server-security/providers/ServerBasicAuthProvider.ts","../../src/server-security/descriptors/$basicAuth.ts","../../src/server-security/providers/ServerSecurityProvider.ts","../../src/server-security/index.ts"],"sourcesContent":["import { timingSafeEqual } from \"node:crypto\";\nimport { $hook, $inject, Alepha } from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport {\n  HttpError,\n  type ServerRequest,\n  ServerRouterProvider,\n} from \"alepha/server\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface BasicAuthOptions {\n  username: string;\n  password: string;\n}\n\nexport interface BasicAuthDescriptorConfig extends BasicAuthOptions {\n  /** Name identifier for this basic auth (default: property key) */\n  name?: string;\n  /** Path patterns to match (supports wildcards like /devtools/*) */\n  paths?: string[];\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class ServerBasicAuthProvider {\n  protected readonly alepha = $inject(Alepha);\n  protected readonly log = $logger();\n  protected readonly routerProvider = $inject(ServerRouterProvider);\n  protected readonly realm = \"Secure Area\";\n\n  /**\n   * Registered basic auth descriptors with their configurations\n   */\n  public readonly registeredAuths: BasicAuthDescriptorConfig[] = [];\n\n  /**\n   * Register a basic auth configuration (called by descriptors)\n   */\n  public registerAuth(config: BasicAuthDescriptorConfig): void {\n    this.registeredAuths.push(config);\n  }\n\n  public readonly onStart = $hook({\n    on: \"start\",\n    handler: async () => {\n      for (const auth of this.registeredAuths) {\n        if (auth.paths) {\n          for (const pattern of auth.paths) {\n            const matchedRoutes = this.routerProvider.getRoutes(pattern);\n            for (const route of matchedRoutes) {\n              route.secure = {\n                basic: {\n                  username: auth.username,\n                  password: auth.password,\n                },\n              };\n            }\n          }\n        }\n      }\n\n      if (this.registeredAuths.length > 0) {\n        this.log.info(\n          `Initialized with ${this.registeredAuths.length} registered basic-auth configurations.`,\n        );\n      }\n    },\n  });\n\n  /**\n   * Hook into server:onRequest to check basic auth\n   */\n  public readonly onRequest = $hook({\n    on: \"server:onRequest\",\n    handler: async ({ route, request }) => {\n      const routeAuth = route.secure;\n      if (\n        typeof routeAuth === \"object\" &&\n        \"basic\" in routeAuth &&\n        routeAuth.basic\n      ) {\n        this.checkAuth(request, routeAuth.basic);\n      }\n    },\n  });\n\n  /**\n   * Hook into action:onRequest to check basic auth for actions\n   */\n  public readonly onActionRequest = $hook({\n    on: \"action:onRequest\",\n    handler: async ({ action, request }) => {\n      const routeAuth = action.route.secure;\n      if (isBasicAuth(routeAuth)) {\n        this.checkAuth(request, routeAuth.basic);\n      }\n    },\n  });\n\n  /**\n   * Check basic authentication\n   */\n  public checkAuth(request: ServerRequest, options: BasicAuthOptions): void {\n    const authHeader = request.headers?.authorization;\n\n    if (!authHeader || !authHeader.startsWith(\"Basic \")) {\n      this.sendAuthRequired(request);\n      throw new HttpError({\n        status: 401,\n        message: \"Authentication required\",\n      });\n    }\n\n    // decode base64 credentials\n    const base64Credentials = authHeader.slice(6); // Remove \"Basic \"\n    const credentials = Buffer.from(base64Credentials, \"base64\").toString(\n      \"utf-8\",\n    );\n\n    // split only on the first colon to handle passwords with colons\n    const colonIndex = credentials.indexOf(\":\");\n    const username =\n      colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;\n    const password = colonIndex !== -1 ? credentials.slice(colonIndex + 1) : \"\";\n\n    // verify credentials using timing-safe comparison to prevent timing attacks\n    const isValid = this.timingSafeCredentialCheck(\n      username,\n      password,\n      options.username,\n      options.password,\n    );\n\n    if (!isValid) {\n      this.sendAuthRequired(request);\n      this.log.warn(`Failed basic auth attempt for user`, {\n        username,\n      });\n      throw new HttpError({\n        status: 401,\n        message: \"Invalid credentials\",\n      });\n    }\n  }\n\n  /**\n   * Performs a timing-safe comparison of credentials to prevent timing attacks.\n   * Always compares both username and password to avoid leaking which one is wrong.\n   */\n  protected timingSafeCredentialCheck(\n    inputUsername: string,\n    inputPassword: string,\n    expectedUsername: string,\n    expectedPassword: string,\n  ): boolean {\n    // Convert to buffers for timing-safe comparison\n    const inputUserBuf = Buffer.from(inputUsername, \"utf-8\");\n    const expectedUserBuf = Buffer.from(expectedUsername, \"utf-8\");\n    const inputPassBuf = Buffer.from(inputPassword, \"utf-8\");\n    const expectedPassBuf = Buffer.from(expectedPassword, \"utf-8\");\n\n    // timingSafeEqual requires same-length buffers\n    // When lengths differ, we compare against a dummy buffer to maintain constant time\n    const userMatch = this.safeCompare(inputUserBuf, expectedUserBuf);\n    const passMatch = this.safeCompare(inputPassBuf, expectedPassBuf);\n\n    // Both must match - bitwise AND avoids short-circuit evaluation\n    // eslint-disable-next-line no-bitwise\n    return (userMatch & passMatch) === 1;\n  }\n\n  /**\n   * Compares two buffers in constant time, handling different lengths safely.\n   * Returns 1 if equal, 0 if not equal.\n   */\n  protected safeCompare(input: Buffer, expected: Buffer): number {\n    // If lengths differ, compare input against itself to maintain timing\n    // but return 0 (not equal)\n    if (input.length !== expected.length) {\n      // Still perform a comparison to keep timing consistent\n      timingSafeEqual(input, input);\n      return 0;\n    }\n\n    return timingSafeEqual(input, expected) ? 1 : 0;\n  }\n\n  /**\n   * Send WWW-Authenticate header\n   */\n  protected sendAuthRequired(request: ServerRequest): void {\n    request.reply.setHeader(\"WWW-Authenticate\", `Basic realm=\"${this.realm}\"`);\n  }\n}\n\nexport const isBasicAuth = (\n  value: unknown,\n): value is { basic: BasicAuthOptions } => {\n  return (\n    typeof value === \"object\" && !!value && \"basic\" in value && !!value.basic\n  );\n};\n","import { $inject, createDescriptor, Descriptor, KIND } from \"alepha\";\nimport type { ServerRequest } from \"alepha/server\";\nimport type {\n  BasicAuthDescriptorConfig,\n  BasicAuthOptions,\n} from \"../providers/ServerBasicAuthProvider.ts\";\nimport { ServerBasicAuthProvider } from \"../providers/ServerBasicAuthProvider.ts\";\n\n/**\n * Declares HTTP Basic Authentication for server routes.\n * This descriptor provides methods to protect routes with username/password authentication.\n */\nexport const $basicAuth = (\n  options: BasicAuthDescriptorConfig,\n): AbstractBasicAuthDescriptor => {\n  return createDescriptor(BasicAuthDescriptor, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface AbstractBasicAuthDescriptor {\n  readonly name: string;\n  readonly options: BasicAuthDescriptorConfig;\n  check(request: ServerRequest, options?: BasicAuthOptions): void;\n}\n\nexport class BasicAuthDescriptor\n  extends Descriptor<BasicAuthDescriptorConfig>\n  implements AbstractBasicAuthDescriptor\n{\n  protected readonly serverBasicAuthProvider = $inject(ServerBasicAuthProvider);\n\n  public get name(): string {\n    return this.options.name ?? `${this.config.propertyKey}`;\n  }\n\n  protected onInit() {\n    // Register this auth configuration with the provider\n    this.serverBasicAuthProvider.registerAuth(this.options);\n  }\n\n  /**\n   * Checks basic auth for the given request using this descriptor's configuration.\n   */\n  public check(request: ServerRequest, options?: BasicAuthOptions): void {\n    const mergedOptions = { ...this.options, ...options };\n    this.serverBasicAuthProvider.checkAuth(request, mergedOptions);\n  }\n}\n\n$basicAuth[KIND] = BasicAuthDescriptor;\n","import { randomUUID } from \"node:crypto\";\nimport { $hook, $inject, Alepha } from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport {\n  JwtProvider,\n  type Permission,\n  SecurityProvider,\n  type UserAccountToken,\n  userAccountInfoSchema,\n} from \"alepha/security\";\nimport {\n  $action,\n  ForbiddenError,\n  type ServerRequest,\n  UnauthorizedError,\n} from \"alepha/server\";\nimport {\n  type BasicAuthOptions,\n  isBasicAuth,\n} from \"./ServerBasicAuthProvider.ts\";\n\nexport class ServerSecurityProvider {\n  protected readonly log = $logger();\n  protected readonly securityProvider = $inject(SecurityProvider);\n  protected readonly jwtProvider = $inject(JwtProvider);\n  protected readonly alepha = $inject(Alepha);\n\n  protected readonly onConfigure = $hook({\n    on: \"configure\",\n    handler: async () => {\n      for (const action of this.alepha.descriptors($action)) {\n        // -------------------------------------------------------------------------------------------------------------\n        // if the action is disabled or not secure, we do NOT create a permission for it\n        // -------------------------------------------------------------------------------------------------------------\n        if (\n          action.options.disabled ||\n          action.options.secure === false ||\n          this.securityProvider.getRealms().length === 0\n        ) {\n          continue;\n        }\n\n        const secure = action.options.secure;\n        if (typeof secure !== \"object\") {\n          this.securityProvider.createPermission({\n            name: action.name,\n            group: action.group,\n            method: action.route.method,\n            path: action.route.path,\n          });\n        }\n      }\n    },\n  });\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  protected readonly onActionRequest = $hook({\n    on: \"action:onRequest\",\n    handler: async ({ action, request, options }) => {\n      // if you set explicitly secure: false, we assume you don't want any security check\n      // but only if no user is provided in options\n      if (action.options.secure === false && !options.user) {\n        this.log.trace(\"Skipping security check for route\");\n        return;\n      }\n\n      if (isBasicAuth(action.route.secure)) {\n        return;\n      }\n\n      const permission = this.securityProvider\n        .getPermissions()\n        .find(\n          (it) =>\n            it.path === action.route.path && it.method === action.route.method,\n        );\n\n      try {\n        request.user = this.createUserFromLocalFunctionContext(\n          options,\n          permission,\n        );\n\n        const route = action.route;\n        if (typeof route.secure === \"object\") {\n          this.check(request.user, route.secure);\n        }\n\n        this.alepha.state.set(\n          \"alepha.server.request.user\",\n          this.alepha.codec.decode(userAccountInfoSchema, request.user),\n        );\n      } catch (error) {\n        if (action.options.secure || permission) {\n          throw error;\n        }\n        // else, we skip the security check\n        this.log.trace(\"Skipping security check for action\");\n      }\n    },\n  });\n\n  protected readonly onRequest = $hook({\n    on: \"server:onRequest\",\n    priority: \"last\",\n    handler: async ({ request, route }) => {\n      // if you set explicitly secure: false, we assume you don't want any security check\n      if (route.secure === false) {\n        this.log.trace(\n          \"Skipping security check for route - explicitly disabled\",\n        );\n        return;\n      }\n\n      if (isBasicAuth(route.secure)) {\n        return;\n      }\n\n      const permission = this.securityProvider\n        .getPermissions()\n        .find((it) => it.path === route.path && it.method === route.method);\n\n      if (!request.headers.authorization && !route.secure && !permission) {\n        this.log.trace(\n          \"Skipping security check for route - no authorization header and not secure\",\n        );\n        return;\n      }\n\n      try {\n        // set user to request\n        request.user = await this.securityProvider.createUserFromToken(\n          request.headers.authorization,\n          { permission },\n        );\n\n        if (typeof route.secure === \"object\") {\n          this.check(request.user, route.secure);\n        }\n\n        this.alepha.state.set(\n          \"alepha.server.request.user\",\n          // remove sensitive info\n          this.alepha.codec.decode(userAccountInfoSchema, request.user),\n        );\n\n        this.log.trace(\"User set from request token\", {\n          user: request.user,\n          permission,\n        });\n      } catch (error) {\n        if (route.secure || permission) {\n          throw error;\n        }\n\n        // else, we skip the security check\n        this.log.trace(\n          \"Skipping security check for route - error occurred\",\n          error,\n        );\n      }\n    },\n  });\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  protected check(user: UserAccountToken, secure: ServerRouteSecure) {\n    if (secure.realm) {\n      if (user.realm !== secure.realm) {\n        throw new ForbiddenError(\n          `User must belong to realm '${secure.realm}' to access this route`,\n        );\n      }\n    }\n  }\n\n  /**\n   * Get the user account token for a local action call.\n   * There are three possible sources for the user:\n   * - `options.user`: the user passed in the options\n   * - `\"system\"`: the system user from the state (you MUST set state `server.security.system.user`)\n   * - `\"context\"`: the user from the request context (you MUST be in an HTTP request context)\n   *\n   * Priority order: `options.user` > `\"system\"` > `\"context\"`.\n   *\n   * In testing environment, if no user is provided, a test user is created based on the SecurityProvider's roles.\n   */\n  protected createUserFromLocalFunctionContext(\n    options: { user?: UserAccountToken | \"system\" | \"context\" },\n    permission?: Permission,\n  ): UserAccountToken {\n    const fromOptions =\n      typeof options.user === \"object\" ? options.user : undefined;\n\n    const type = typeof options.user === \"string\" ? options.user : undefined;\n\n    let user: UserAccountToken | undefined;\n\n    const fromContext = this.alepha.context.get<ServerRequest>(\"request\")?.user;\n    const fromSystem = this.alepha.state.get(\n      \"alepha.server.security.system.user\",\n    );\n\n    if (type === \"system\") {\n      user = fromSystem;\n    } else if (type === \"context\") {\n      user = fromContext;\n    } else {\n      user = fromOptions ?? fromContext ?? fromSystem;\n    }\n\n    if (!user) {\n      // in testing mode, we create a test user\n      if (this.alepha.isTest() && !(\"user\" in options)) {\n        return this.createTestUser();\n      }\n\n      throw new UnauthorizedError(\"User is required for calling this action\");\n    }\n\n    const roles =\n      user.roles ??\n      (this.alepha.isTest()\n        ? this.securityProvider.getRoles().map((role) => role.name)\n        : []);\n    let ownership: boolean | string | undefined;\n\n    if (permission) {\n      const result = this.securityProvider.checkPermission(\n        permission,\n        ...roles,\n      );\n      if (!result.isAuthorized) {\n        throw new ForbiddenError(\n          `Permission '${this.securityProvider.permissionToString(permission)}' is required for this route`,\n        );\n      }\n      ownership = result.ownership;\n    }\n\n    // create a new user object with ownership if needed\n    return {\n      ...user,\n      ownership,\n    };\n  }\n\n  // ---------------------------------------------------------------------------------------------------------------\n  // TESTING ONLY\n  // ---------------------------------------------------------------------------------------------------------------\n\n  protected createTestUser(): UserAccountToken {\n    return {\n      id: randomUUID(),\n      name: \"Test\",\n      roles: this.securityProvider.getRoles().map((role) => role.name),\n    };\n  }\n\n  protected readonly onClientRequest = $hook({\n    on: \"client:onRequest\",\n    handler: async ({ request, options }) => {\n      if (!this.alepha.isTest()) {\n        return;\n      }\n\n      // skip helper if user is explicitly set to undefined\n      if (\"user\" in options && options.user === undefined) {\n        return;\n      }\n\n      request.headers = new Headers(request.headers);\n\n      if (!request.headers.has(\"authorization\")) {\n        const test = this.createTestUser();\n        const user =\n          typeof options?.user === \"object\" ? options.user : undefined;\n        const sub = user?.id ?? test.id;\n        const roles = user?.roles ?? test.roles;\n\n        const token = await this.jwtProvider.create(\n          {\n            sub,\n            roles,\n          },\n          user?.realm ?? this.securityProvider.getRealms()[0]?.name,\n        );\n\n        request.headers.set(\"authorization\", `Bearer ${token}`);\n      }\n    },\n  });\n}\n\nexport type ServerRouteSecure = {\n  realm?: string;\n  basic?: BasicAuthOptions;\n};\n","import { $module } from \"alepha\";\nimport {\n  $permission,\n  $realm,\n  $role,\n  AlephaSecurity,\n  type UserAccount,\n  type UserAccountToken,\n} from \"alepha/security\";\nimport { AlephaServer, type FetchOptions } from \"alepha/server\";\nimport { $basicAuth } from \"./descriptors/$basicAuth.ts\";\nimport { ServerBasicAuthProvider } from \"./providers/ServerBasicAuthProvider.ts\";\nimport {\n  type ServerRouteSecure,\n  ServerSecurityProvider,\n} from \"./providers/ServerSecurityProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport * from \"./descriptors/$basicAuth.ts\";\nexport * from \"./providers/ServerBasicAuthProvider.ts\";\nexport * from \"./providers/ServerSecurityProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\ndeclare module \"alepha\" {\n  interface State {\n    /**\n     * Real (or fake) user account, used for internal actions.\n     *\n     * If you define this, you assume that all actions are executed by this user by default.\n     * > To force a different user, you need to pass it explicitly in the options.\n     */\n\n    \"alepha.server.security.system.user\"?: UserAccountToken;\n\n    /**\n     * The authenticated user account attached to the server request state.\n     *\n     * @internal\n     */\n    \"alepha.server.request.user\"?: UserAccount;\n  }\n}\n\ndeclare module \"alepha/server\" {\n  interface ServerRequest<TConfig> {\n    user?: UserAccountToken; // for all routes, user is maybe present\n  }\n\n  interface ServerActionRequest<TConfig> {\n    user: UserAccountToken; // for actions, user is always present\n  }\n\n  interface ServerRoute {\n    /**\n     * If true, the route will be protected by the security provider.\n     * All actions are secure by default, but you can disable it for specific actions.\n     */\n    secure?: boolean | ServerRouteSecure;\n  }\n\n  interface ClientRequestOptions extends FetchOptions {\n    /**\n     * Forward user from the previous request.\n     * If \"system\", use system user. @see {ServerSecurityProvider.localSystemUser}\n     * If \"context\", use the user from the current context (e.g. request).\n     *\n     * @default \"system\" if provided, else \"context\" if available.\n     */\n    user?: UserAccountToken | \"system\" | \"context\";\n  }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/**\n * Plugin for Alepha Server that provides security features. Based on the Alepha Security module.\n *\n * By default, all $action will be guarded by a permission check.\n *\n * @see {@link ServerSecurityProvider}\n * @module alepha.server.security\n */\nexport const AlephaServerSecurity = $module({\n  name: \"alepha.server.security\",\n  descriptors: [$realm, $role, $permission, $basicAuth],\n  services: [\n    AlephaServer,\n    AlephaSecurity,\n    ServerSecurityProvider,\n    ServerBasicAuthProvider,\n  ],\n});\n"],"mappings":";;;;;;;AAyBA,IAAa,0BAAb,MAAqC;CACnC,AAAmB,6BAAiBA,cAAO;CAC3C,AAAmB,kCAAe;CAClC,AAAmB,qCAAyBC,mCAAqB;CACjE,AAAmB,QAAQ;;;;CAK3B,AAAgB,kBAA+C,EAAE;;;;CAKjE,AAAO,aAAa,QAAyC;AAC3D,OAAK,gBAAgB,KAAK,OAAO;;CAGnC,AAAgB,4BAAgB;EAC9B,IAAI;EACJ,SAAS,YAAY;AACnB,QAAK,MAAM,QAAQ,KAAK,gBACtB,KAAI,KAAK,MACP,MAAK,MAAM,WAAW,KAAK,OAAO;IAChC,MAAM,gBAAgB,KAAK,eAAe,UAAU,QAAQ;AAC5D,SAAK,MAAM,SAAS,cAClB,OAAM,SAAS,EACb,OAAO;KACL,UAAU,KAAK;KACf,UAAU,KAAK;KAChB,EACF;;AAMT,OAAI,KAAK,gBAAgB,SAAS,EAChC,MAAK,IAAI,KACP,oBAAoB,KAAK,gBAAgB,OAAO,wCACjD;;EAGN,CAAC;;;;CAKF,AAAgB,8BAAkB;EAChC,IAAI;EACJ,SAAS,OAAO,EAAE,OAAO,cAAc;GACrC,MAAM,YAAY,MAAM;AACxB,OACE,OAAO,cAAc,YACrB,WAAW,aACX,UAAU,MAEV,MAAK,UAAU,SAAS,UAAU,MAAM;;EAG7C,CAAC;;;;CAKF,AAAgB,oCAAwB;EACtC,IAAI;EACJ,SAAS,OAAO,EAAE,QAAQ,cAAc;GACtC,MAAM,YAAY,OAAO,MAAM;AAC/B,OAAI,YAAY,UAAU,CACxB,MAAK,UAAU,SAAS,UAAU,MAAM;;EAG7C,CAAC;;;;CAKF,AAAO,UAAU,SAAwB,SAAiC;EACxE,MAAM,aAAa,QAAQ,SAAS;AAEpC,MAAI,CAAC,cAAc,CAAC,WAAW,WAAW,SAAS,EAAE;AACnD,QAAK,iBAAiB,QAAQ;AAC9B,SAAM,IAAIC,wBAAU;IAClB,QAAQ;IACR,SAAS;IACV,CAAC;;EAIJ,MAAM,oBAAoB,WAAW,MAAM,EAAE;EAC7C,MAAM,cAAc,OAAO,KAAK,mBAAmB,SAAS,CAAC,SAC3D,QACD;EAGD,MAAM,aAAa,YAAY,QAAQ,IAAI;EAC3C,MAAM,WACJ,eAAe,KAAK,YAAY,MAAM,GAAG,WAAW,GAAG;EACzD,MAAM,WAAW,eAAe,KAAK,YAAY,MAAM,aAAa,EAAE,GAAG;AAUzE,MAAI,CAPY,KAAK,0BACnB,UACA,UACA,QAAQ,UACR,QAAQ,SACT,EAEa;AACZ,QAAK,iBAAiB,QAAQ;AAC9B,QAAK,IAAI,KAAK,sCAAsC,EAClD,UACD,CAAC;AACF,SAAM,IAAIA,wBAAU;IAClB,QAAQ;IACR,SAAS;IACV,CAAC;;;;;;;CAQN,AAAU,0BACR,eACA,eACA,kBACA,kBACS;EAET,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;EACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;EAC9D,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;EACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;AAS9D,UALkB,KAAK,YAAY,cAAc,gBAAgB,GAC/C,KAAK,YAAY,cAAc,gBAAgB,MAI9B;;;;;;CAOrC,AAAU,YAAY,OAAe,UAA0B;AAG7D,MAAI,MAAM,WAAW,SAAS,QAAQ;AAEpC,oCAAgB,OAAO,MAAM;AAC7B,UAAO;;AAGT,0CAAuB,OAAO,SAAS,GAAG,IAAI;;;;;CAMhD,AAAU,iBAAiB,SAA8B;AACvD,UAAQ,MAAM,UAAU,oBAAoB,gBAAgB,KAAK,MAAM,GAAG;;;AAI9E,MAAa,eACX,UACyC;AACzC,QACE,OAAO,UAAU,YAAY,CAAC,CAAC,SAAS,WAAW,SAAS,CAAC,CAAC,MAAM;;;;;;;;;AC5LxE,MAAa,cACX,YACgC;AAChC,qCAAwB,qBAAqB,QAAQ;;AAWvD,IAAa,sBAAb,cACUC,kBAEV;CACE,AAAmB,8CAAkC,wBAAwB;CAE7E,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,GAAG,KAAK,OAAO;;CAG7C,AAAU,SAAS;AAEjB,OAAK,wBAAwB,aAAa,KAAK,QAAQ;;;;;CAMzD,AAAO,MAAM,SAAwB,SAAkC;EACrE,MAAM,gBAAgB;GAAE,GAAG,KAAK;GAAS,GAAG;GAAS;AACrD,OAAK,wBAAwB,UAAU,SAAS,cAAc;;;AAIlE,WAAWC,eAAQ;;;;AC7BnB,IAAa,yBAAb,MAAoC;CAClC,AAAmB,kCAAe;CAClC,AAAmB,uCAA2BC,iCAAiB;CAC/D,AAAmB,kCAAsBC,4BAAY;CACrD,AAAmB,6BAAiBC,cAAO;CAE3C,AAAmB,gCAAoB;EACrC,IAAI;EACJ,SAAS,YAAY;AACnB,QAAK,MAAM,UAAU,KAAK,OAAO,YAAYC,sBAAQ,EAAE;AAIrD,QACE,OAAO,QAAQ,YACf,OAAO,QAAQ,WAAW,SAC1B,KAAK,iBAAiB,WAAW,CAAC,WAAW,EAE7C;AAIF,QAAI,OADW,OAAO,QAAQ,WACR,SACpB,MAAK,iBAAiB,iBAAiB;KACrC,MAAM,OAAO;KACb,OAAO,OAAO;KACd,QAAQ,OAAO,MAAM;KACrB,MAAM,OAAO,MAAM;KACpB,CAAC;;;EAIT,CAAC;CAIF,AAAmB,oCAAwB;EACzC,IAAI;EACJ,SAAS,OAAO,EAAE,QAAQ,SAAS,cAAc;AAG/C,OAAI,OAAO,QAAQ,WAAW,SAAS,CAAC,QAAQ,MAAM;AACpD,SAAK,IAAI,MAAM,oCAAoC;AACnD;;AAGF,OAAI,YAAY,OAAO,MAAM,OAAO,CAClC;GAGF,MAAM,aAAa,KAAK,iBACrB,gBAAgB,CAChB,MACE,OACC,GAAG,SAAS,OAAO,MAAM,QAAQ,GAAG,WAAW,OAAO,MAAM,OAC/D;AAEH,OAAI;AACF,YAAQ,OAAO,KAAK,mCAClB,SACA,WACD;IAED,MAAM,QAAQ,OAAO;AACrB,QAAI,OAAO,MAAM,WAAW,SAC1B,MAAK,MAAM,QAAQ,MAAM,MAAM,OAAO;AAGxC,SAAK,OAAO,MAAM,IAChB,8BACA,KAAK,OAAO,MAAM,OAAOC,uCAAuB,QAAQ,KAAK,CAC9D;YACM,OAAO;AACd,QAAI,OAAO,QAAQ,UAAU,WAC3B,OAAM;AAGR,SAAK,IAAI,MAAM,qCAAqC;;;EAGzD,CAAC;CAEF,AAAmB,8BAAkB;EACnC,IAAI;EACJ,UAAU;EACV,SAAS,OAAO,EAAE,SAAS,YAAY;AAErC,OAAI,MAAM,WAAW,OAAO;AAC1B,SAAK,IAAI,MACP,0DACD;AACD;;AAGF,OAAI,YAAY,MAAM,OAAO,CAC3B;GAGF,MAAM,aAAa,KAAK,iBACrB,gBAAgB,CAChB,MAAM,OAAO,GAAG,SAAS,MAAM,QAAQ,GAAG,WAAW,MAAM,OAAO;AAErE,OAAI,CAAC,QAAQ,QAAQ,iBAAiB,CAAC,MAAM,UAAU,CAAC,YAAY;AAClE,SAAK,IAAI,MACP,6EACD;AACD;;AAGF,OAAI;AAEF,YAAQ,OAAO,MAAM,KAAK,iBAAiB,oBACzC,QAAQ,QAAQ,eAChB,EAAE,YAAY,CACf;AAED,QAAI,OAAO,MAAM,WAAW,SAC1B,MAAK,MAAM,QAAQ,MAAM,MAAM,OAAO;AAGxC,SAAK,OAAO,MAAM,IAChB,8BAEA,KAAK,OAAO,MAAM,OAAOA,uCAAuB,QAAQ,KAAK,CAC9D;AAED,SAAK,IAAI,MAAM,+BAA+B;KAC5C,MAAM,QAAQ;KACd;KACD,CAAC;YACK,OAAO;AACd,QAAI,MAAM,UAAU,WAClB,OAAM;AAIR,SAAK,IAAI,MACP,sDACA,MACD;;;EAGN,CAAC;CAIF,AAAU,MAAM,MAAwB,QAA2B;AACjE,MAAI,OAAO,OACT;OAAI,KAAK,UAAU,OAAO,MACxB,OAAM,IAAIC,6BACR,8BAA8B,OAAO,MAAM,wBAC5C;;;;;;;;;;;;;;CAgBP,AAAU,mCACR,SACA,YACkB;EAClB,MAAM,cACJ,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO;EAEpD,MAAM,OAAO,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO;EAE/D,IAAIC;EAEJ,MAAM,cAAc,KAAK,OAAO,QAAQ,IAAmB,UAAU,EAAE;EACvE,MAAM,aAAa,KAAK,OAAO,MAAM,IACnC,qCACD;AAED,MAAI,SAAS,SACX,QAAO;WACE,SAAS,UAClB,QAAO;MAEP,QAAO,eAAe,eAAe;AAGvC,MAAI,CAAC,MAAM;AAET,OAAI,KAAK,OAAO,QAAQ,IAAI,EAAE,UAAU,SACtC,QAAO,KAAK,gBAAgB;AAG9B,SAAM,IAAIC,gCAAkB,2CAA2C;;EAGzE,MAAM,QACJ,KAAK,UACJ,KAAK,OAAO,QAAQ,GACjB,KAAK,iBAAiB,UAAU,CAAC,KAAK,SAAS,KAAK,KAAK,GACzD,EAAE;EACR,IAAIC;AAEJ,MAAI,YAAY;GACd,MAAM,SAAS,KAAK,iBAAiB,gBACnC,YACA,GAAG,MACJ;AACD,OAAI,CAAC,OAAO,aACV,OAAM,IAAIH,6BACR,eAAe,KAAK,iBAAiB,mBAAmB,WAAW,CAAC,8BACrE;AAEH,eAAY,OAAO;;AAIrB,SAAO;GACL,GAAG;GACH;GACD;;CAOH,AAAU,iBAAmC;AAC3C,SAAO;GACL,iCAAgB;GAChB,MAAM;GACN,OAAO,KAAK,iBAAiB,UAAU,CAAC,KAAK,SAAS,KAAK,KAAK;GACjE;;CAGH,AAAmB,oCAAwB;EACzC,IAAI;EACJ,SAAS,OAAO,EAAE,SAAS,cAAc;AACvC,OAAI,CAAC,KAAK,OAAO,QAAQ,CACvB;AAIF,OAAI,UAAU,WAAW,QAAQ,SAAS,OACxC;AAGF,WAAQ,UAAU,IAAI,QAAQ,QAAQ,QAAQ;AAE9C,OAAI,CAAC,QAAQ,QAAQ,IAAI,gBAAgB,EAAE;IACzC,MAAM,OAAO,KAAK,gBAAgB;IAClC,MAAM,OACJ,OAAO,SAAS,SAAS,WAAW,QAAQ,OAAO;IACrD,MAAM,MAAM,MAAM,MAAM,KAAK;IAC7B,MAAM,QAAQ,MAAM,SAAS,KAAK;IAElC,MAAM,QAAQ,MAAM,KAAK,YAAY,OACnC;KACE;KACA;KACD,EACD,MAAM,SAAS,KAAK,iBAAiB,WAAW,CAAC,IAAI,KACtD;AAED,YAAQ,QAAQ,IAAI,iBAAiB,UAAU,QAAQ;;;EAG5D,CAAC;;;;;;;;;;;;;AChNJ,MAAa,2CAA+B;CAC1C,MAAM;CACN,aAAa;EAACI;EAAQC;EAAOC;EAAa;EAAW;CACrD,UAAU;EACRC;EACAC;EACA;EACA;EACD;CACF,CAAC"}