arc-1 0.4.4 → 0.6.0

package/dist/handlers/zod-errors.js

@@ -0,0 +1,43 @@
+/**
+ * Format Zod validation errors into LLM-friendly messages.
+ *
+ * Produces structured error text with field paths and expected values,
+ * consistent with the existing errorResult() pattern in intent.ts.
+ */
+/**
+ * Format a ZodError into an LLM-friendly multi-line string.
+ *
+ * Example output:
+ *   Invalid arguments for SAPRead:
+ *     - "type": expected one of: PROG, CLAS, INTF, ..., got "PROGG"
+ *     - "maxRows": expected number, got string
+ *
+ *   Hint: Check the tool schema for valid parameter types and values.
+ */
+// biome-ignore lint/suspicious/noExplicitAny: accepts any Zod error shape
+export function formatZodError(error, toolName) {
+    const issues = error.issues.map((issue) => {
+        const path = issue.path.length > 0 ? `"${issue.path.join('.')}"` : 'input';
+        // Zod v4 uses 'code' to distinguish issue types
+        if (issue.code === 'invalid_value' && issue.values) {
+            return `${path}: expected one of: ${issue.values.join(', ')}`;
+        }
+        if (issue.code === 'invalid_type') {
+            if (issue.input === undefined) {
+                return `${path}: required (expected ${issue.expected ?? 'value'})`;
+            }
+            return `${path}: expected ${issue.expected ?? 'value'}, got ${typeof issue.input}`;
+        }
+        if (issue.code === 'unrecognized_keys' && issue.keys) {
+            return `Unknown parameter(s): ${issue.keys.join(', ')}`;
+        }
+        return `${path}: ${issue.message}`;
+    });
+    return [
+        `Invalid arguments for ${toolName}:`,
+        ...issues.map((i) => `  - ${i}`),
+        '',
+        'Hint: Check the tool schema for valid parameter types and values.',
+    ].join('\n');
+}
+//# sourceMappingURL=zod-errors.js.map

package/dist/handlers/zod-errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"zod-errors.js","sourceRoot":"","sources":["../../src/handlers/zod-errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;;GASG;AACH,0EAA0E;AAC1E,MAAM,UAAU,cAAc,CAAC,KAAqC,EAAE,QAAgB;IACpF,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACxC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC;QAE3E,gDAAgD;QAChD,IAAI,KAAK,CAAC,IAAI,KAAK,eAAe,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACnD,OAAO,GAAG,IAAI,sBAAsB,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAChE,CAAC;QAED,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;YAClC,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;gBAC9B,OAAO,GAAG,IAAI,wBAAwB,KAAK,CAAC,QAAQ,IAAI,OAAO,GAAG,CAAC;YACrE,CAAC;YACD,OAAO,GAAG,IAAI,cAAc,KAAK,CAAC,QAAQ,IAAI,OAAO,SAAS,OAAO,KAAK,CAAC,KAAK,EAAE,CAAC;QACrF,CAAC;QAED,IAAI,KAAK,CAAC,IAAI,KAAK,mBAAmB,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;YACrD,OAAO,yBAAyB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1D,CAAC;QAED,OAAO,GAAG,IAAI,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,yBAAyB,QAAQ,GAAG;QACpC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;QAChC,EAAE;QACF,mEAAmE;KACpE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC"}

package/dist/server/config.d.ts

@@ -8,6 +8,27 @@
  * for drop-in compatibility with existing deployments and documentation.
  */
 import type { ServerConfig } from './types.js';
+/**
+ * Parse API keys string into structured array.
+ * Format: "key1:profile1,key2:profile2"
+ * Each entry maps an API key to a named profile.
+ */
+export declare function parseApiKeys(raw: string): Array<{
+    key: string;
+    profile: string;
+}>;
+/**
+ * Maps profile names to the scopes they grant.
+ * Used when API keys are assigned to profiles — the key inherits these scopes.
+ * Kept in sync with PROFILES: each profile's safety flags determine its scopes.
+ */
+export declare const PROFILE_SCOPES: Record<string, string[]>;
+/**
+ * Named profiles — convenience presets for common safety configurations.
+ * Each profile sets a combination of safety flags. Individual CLI flags
+ * applied after the profile can override any profile default.
+ */
+export declare const PROFILES: Record<string, Partial<ServerConfig>>;
 /**
  * Parse CLI arguments and environment variables into a ServerConfig.
  *
@@ -16,4 +37,9 @@ import type { ServerConfig } from './types.js';
  * Commander is used for the full CLI (cli.ts), not the server startup.
  */
 export declare function parseArgs(args: string[]): ServerConfig;
+/**
+ * Validate configuration for internally consistent auth settings.
+ * Fails fast at startup for invalid or dangerous config combinations.
+ */
+export declare function validateConfig(config: ServerConfig): void;
 //# sourceMappingURL=config.d.ts.map

package/dist/server/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAiB,YAAY,EAAiB,MAAM,YAAY,CAAC;AAG7E;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,YAAY,CA2HtD"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAiB,YAAY,EAAiB,MAAM,YAAY,CAAC;AAG7E;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,KAAK,CAAC;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CA8BjF;AAED;;;;GAIG;AACH,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAOnD,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,YAAY,CAAC,CAwC1D,CAAC;AAEF;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,YAAY,CAiKtD;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,CAkBzD"}

package/dist/server/config.js

@@ -8,6 +8,98 @@
  * for drop-in compatibility with existing deployments and documentation.
  */
 import { DEFAULT_CONFIG } from './types.js';
+/**
+ * Parse API keys string into structured array.
+ * Format: "key1:profile1,key2:profile2"
+ * Each entry maps an API key to a named profile.
+ */
+export function parseApiKeys(raw) {
+    const entries = [];
+    for (const pair of raw.split(',')) {
+        const trimmed = pair.trim();
+        if (!trimmed)
+            continue;
+        // Use LAST colon as separator — keys may contain colons (e.g. base64)
+        // but profile names never do
+        const colonIdx = trimmed.lastIndexOf(':');
+        if (colonIdx === -1) {
+            throw new Error(`Invalid API key entry '${trimmed}': expected 'key:profile' format. ` +
+                `Valid profiles: ${Object.keys(PROFILES).join(', ')}`);
+        }
+        const key = trimmed.slice(0, colonIdx);
+        const profile = trimmed.slice(colonIdx + 1);
+        if (!key) {
+            throw new Error('Invalid API key entry: key cannot be empty');
+        }
+        if (!PROFILES[profile]) {
+            throw new Error(`Invalid profile '${profile}' in API key entry. Valid profiles: ${Object.keys(PROFILES).join(', ')}`);
+        }
+        entries.push({ key, profile });
+    }
+    if (entries.length === 0) {
+        throw new Error('ARC1_API_KEYS is set but contains no valid entries. Format: "key1:profile1,key2:profile2"');
+    }
+    return entries;
+}
+/**
+ * Maps profile names to the scopes they grant.
+ * Used when API keys are assigned to profiles — the key inherits these scopes.
+ * Kept in sync with PROFILES: each profile's safety flags determine its scopes.
+ */
+export const PROFILE_SCOPES = {
+    viewer: ['read'],
+    'viewer-data': ['read', 'data'],
+    'viewer-sql': ['read', 'data', 'sql'],
+    developer: ['read', 'write'],
+    'developer-data': ['read', 'write', 'data'],
+    'developer-sql': ['read', 'write', 'data', 'sql'],
+};
+/**
+ * Named profiles — convenience presets for common safety configurations.
+ * Each profile sets a combination of safety flags. Individual CLI flags
+ * applied after the profile can override any profile default.
+ */
+export const PROFILES = {
+    viewer: {
+        readOnly: true,
+        blockData: true,
+        blockFreeSQL: true,
+        enableTransports: false,
+    },
+    'viewer-data': {
+        readOnly: true,
+        blockData: false,
+        blockFreeSQL: true,
+        enableTransports: false,
+    },
+    'viewer-sql': {
+        readOnly: true,
+        blockData: false,
+        blockFreeSQL: false,
+        enableTransports: false,
+    },
+    developer: {
+        readOnly: false,
+        blockData: true,
+        blockFreeSQL: true,
+        enableTransports: true,
+        allowedPackages: ['$TMP'],
+    },
+    'developer-data': {
+        readOnly: false,
+        blockData: false,
+        blockFreeSQL: true,
+        enableTransports: true,
+        allowedPackages: ['$TMP'],
+    },
+    'developer-sql': {
+        readOnly: false,
+        blockData: false,
+        blockFreeSQL: false,
+        enableTransports: true,
+        allowedPackages: ['$TMP'],
+    },
+};
 /**
  * Parse CLI arguments and environment variables into a ServerConfig.
  *
@@ -60,15 +152,42 @@ export function parseArgs(args) {
     const transport = resolve('transport', 'SAP_TRANSPORT', 'stdio');
     config.transport = (transport === 'http-streamable' ? 'http-streamable' : 'stdio');
     config.httpAddr = resolve('http-addr', 'SAP_HTTP_ADDR', '0.0.0.0:8080');
-    // --- Safety ---
-    config.readOnly = resolveBool('read-only', 'SAP_READ_ONLY', false);
-    config.blockFreeSQL = resolveBool('block-free-sql', 'SAP_BLOCK_FREE_SQL', false);
+    // --- Profile (apply before individual safety flags so flags can override) ---
+    const profileName = getFlag('profile') ?? process.env.ARC1_PROFILE;
+    if (profileName) {
+        const profile = PROFILES[profileName];
+        if (!profile) {
+            throw new Error(`Unknown profile '${profileName}'. Valid profiles: ${Object.keys(PROFILES).join(', ')}`);
+        }
+        Object.assign(config, profile);
+    }
+    // --- Safety (individual flags override profile defaults) ---
+    // Only override profile defaults when the flag/env is explicitly set
+    const readOnlyExplicit = getFlag('read-only') ?? process.env.SAP_READ_ONLY;
+    if (readOnlyExplicit !== undefined)
+        config.readOnly = readOnlyExplicit === 'true' || readOnlyExplicit === '1';
+    else if (!profileName)
+        config.readOnly = false;
+    const blockFreeSQLExplicit = getFlag('block-free-sql') ?? process.env.SAP_BLOCK_FREE_SQL;
+    if (blockFreeSQLExplicit !== undefined)
+        config.blockFreeSQL = blockFreeSQLExplicit === 'true' || blockFreeSQLExplicit === '1';
+    else if (!profileName)
+        config.blockFreeSQL = false;
+    const blockDataExplicit = getFlag('block-data') ?? process.env.SAP_BLOCK_DATA;
+    if (blockDataExplicit !== undefined)
+        config.blockData = blockDataExplicit === 'true' || blockDataExplicit === '1';
+    else if (!profileName)
+        config.blockData = false;
     config.allowedOps = resolve('allowed-ops', 'SAP_ALLOWED_OPS', '');
     config.disallowedOps = resolve('disallowed-ops', 'SAP_DISALLOWED_OPS', '');
-    const pkgs = resolve('allowed-packages', 'SAP_ALLOWED_PACKAGES', '');
-    config.allowedPackages = pkgs ? pkgs.split(',').map((p) => p.trim()) : [];
-    config.allowTransportableEdits = resolveBool('allow-transportable-edits', 'SAP_ALLOW_TRANSPORTABLE_EDITS', false);
-    config.enableTransports = resolveBool('enable-transports', 'SAP_ENABLE_TRANSPORTS', false);
+    const pkgs = getFlag('allowed-packages') ?? process.env.SAP_ALLOWED_PACKAGES;
+    if (pkgs)
+        config.allowedPackages = pkgs.split(',').map((p) => p.trim());
+    const enableTransportsExplicit = getFlag('enable-transports') ?? process.env.SAP_ENABLE_TRANSPORTS;
+    if (enableTransportsExplicit !== undefined)
+        config.enableTransports = enableTransportsExplicit === 'true' || enableTransportsExplicit === '1';
+    else if (!profileName)
+        config.enableTransports = false;
     // --- Features ---
     config.featureAbapGit = resolveFeature('feature-abapgit', 'SAP_FEATURE_ABAPGIT');
     config.featureRap = resolveFeature('feature-rap', 'SAP_FEATURE_RAP');
@@ -81,8 +200,18 @@ export function parseArgs(args) {
     config.systemType = (['btp', 'onprem'].includes(systemType) ? systemType : 'auto');
     // --- Authentication (MCP client → ARC-1) ---
     config.apiKey = getFlag('api-key') ?? process.env.ARC1_API_KEY;
+    // Multiple API keys with per-key profiles: "key1:viewer,key2:developer"
+    const apiKeysRaw = getFlag('api-keys') ?? process.env.ARC1_API_KEYS;
+    if (apiKeysRaw) {
+        config.apiKeys = parseApiKeys(apiKeysRaw);
+    }
     config.oidcIssuer = getFlag('oidc-issuer') ?? process.env.SAP_OIDC_ISSUER;
     config.oidcAudience = getFlag('oidc-audience') ?? process.env.SAP_OIDC_AUDIENCE;
+    const clockTolerance = getFlag('oidc-clock-tolerance') ?? process.env.SAP_OIDC_CLOCK_TOLERANCE;
+    if (clockTolerance) {
+        const parsed = Number.parseInt(clockTolerance, 10);
+        config.oidcClockTolerance = Number.isNaN(parsed) ? undefined : parsed;
+    }
     config.xsuaaAuth = resolveBool('xsuaa-auth', 'SAP_XSUAA_AUTH', false);
     // --- BTP ABAP Environment (direct connection via service key) ---
     config.btpServiceKey = getFlag('btp-service-key') ?? process.env.SAP_BTP_SERVICE_KEY;
@@ -116,6 +245,26 @@ export function parseArgs(args) {
     if (config.verbose) {
         config.logLevel = 'debug';
     }
+    // --- Startup Validation ---
+    validateConfig(config);
     return config;
 }
+/**
+ * Validate configuration for internally consistent auth settings.
+ * Fails fast at startup for invalid or dangerous config combinations.
+ */
+export function validateConfig(config) {
+    // OIDC: audience is required when issuer is set (RFC 9700 §2.3 audience restriction)
+    if (config.oidcIssuer && !config.oidcAudience) {
+        throw new Error('SAP_OIDC_AUDIENCE is required when SAP_OIDC_ISSUER is set — ' +
+            'audience validation prevents token confusion across services (RFC 9700 §2.3)');
+    }
+    if (config.oidcAudience && !config.oidcIssuer) {
+        throw new Error('SAP_OIDC_ISSUER is required when SAP_OIDC_AUDIENCE is set');
+    }
+    // PP: ppStrict requires ppEnabled
+    if (config.ppStrict && !config.ppEnabled) {
+        throw new Error('SAP_PP_STRICT=true requires SAP_PP_ENABLED=true — strict mode has no effect without principal propagation enabled');
+    }
+}
 //# sourceMappingURL=config.js.map

package/dist/server/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE5C;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CAAC,IAAc;IACtC,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,CAAC;IAErC,8DAA8D;IAC9D,MAAM,OAAO,GAAG,CAAC,IAAY,EAAsB,EAAE;QACnD,MAAM,MAAM,GAAG,KAAK,IAAI,GAAG,CAAC;QAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;gBACnD,OAAO,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACrB,CAAC;YACD,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;IAEF,iDAAiD;IACjD,MAAM,OAAO,GAAG,CAAC,IAAY,EAAE,MAAc,EAAE,UAAkB,EAAU,EAAE;QAC3E,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC;IAC5D,CAAC,CAAC;IAEF,MAAM,WAAW,GAAG,CAAC,IAAY,EAAE,MAAc,EAAE,UAAmB,EAAW,EAAE;QACjF,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACjD,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,UAAU,CAAC;QACzC,OAAO,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,GAAG,CAAC;IACvC,CAAC,CAAC;IAEF,MAAM,cAAc,GAAG,CAAC,IAAY,EAAE,MAAc,EAAiB,EAAE;QACrE,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC;QAC3D,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,KAAK;YAAE,OAAO,GAAG,CAAC;QAC9C,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;IAEF,yBAAyB;IACzB,MAAM,CAAC,GAAG,GAAG,OAAO,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IAC3C,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,MAAM,EAAE,UAAU,EAAE,EAAE,CAAC,CAAC;IAClD,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,UAAU,EAAE,cAAc,EAAE,EAAE,CAAC,CAAC;IAC1D,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC;IACvD,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,UAAU,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IAC5D,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC,UAAU,EAAE,cAAc,EAAE,KAAK,CAAC,CAAC;IAEjE,sBAAsB;IACtB,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC1E,MAAM,CAAC,YAAY,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAEhF,oBAAoB;IACpB,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;IACjE,MAAM,CAAC,SAAS,GAAG,CAAC,SAAS,KAAK,iBAAiB,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,OAAO,CAAkB,CAAC;IACpG,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,eAAe,EAAE,cAAc,CAAC,CAAC;IAExE,iBAAiB;IACjB,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC,WAAW,EAAE,eAAe,EAAE,KAAK,CAAC,CAAC;IACnE,MAAM,CAAC,YAAY,GAAG,WAAW,CAAC,gBAAgB,EAAE,oBAAoB,EAAE,KAAK,CAAC,CAAC;IACjF,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC,aAAa,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;IAClE,MAAM,CAAC,aAAa,GAAG,OAAO,CAAC,gBAAgB,EAAE,oBAAoB,EAAE,EAAE,CAAC,CAAC;IAC3E,MAAM,IAAI,GAAG,OAAO,CAAC,kBAAkB,EAAE,sBAAsB,EAAE,EAAE,CAAC,CAAC;IACrE,MAAM,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC1E,MAAM,CAAC,uBAAuB,GAAG,WAAW,CAAC,2BAA2B,EAAE,+BAA+B,EAAE,KAAK,CAAC,CAAC;IAClH,MAAM,CAAC,gBAAgB,GAAG,WAAW,CAAC,mBAAmB,EAAE,uBAAuB,EAAE,KAAK,CAAC,CAAC;IAE3F,mBAAmB;IACnB,MAAM,CAAC,cAAc,GAAG,cAAc,CAAC,iBAAiB,EAAE,qBAAqB,CAAC,CAAC;IACjF,MAAM,CAAC,UAAU,GAAG,cAAc,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;IACrE,MAAM,CAAC,WAAW,GAAG,cAAc,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;IACxE,MAAM,CAAC,UAAU,GAAG,cAAc,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;IACrE,MAAM,CAAC,gBAAgB,GAAG,cAAc,CAAC,mBAAmB,EAAE,uBAAuB,CAAC,CAAC;IACvF,MAAM,CAAC,WAAW,GAAG,cAAc,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;IAExE,gCAAgC;IAChC,MAAM,UAAU,GAAG,OAAO,CAAC,aAAa,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACrE,MAAM,CAAC,UAAU,GAAG,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAA+B,CAAC;IAEjH,8CAA8C;IAC9C,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IAC/D,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC1E,MAAM,CAAC,YAAY,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAChF,MAAM,CAAC,SAAS,GAAG,WAAW,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,CAAC,CAAC;IAEtE,mEAAmE;IACnE,MAAM,CAAC,aAAa,GAAG,OAAO,CAAC,iBAAiB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACrF,MAAM,CAAC,iBAAiB,GAAG,OAAO,CAAC,sBAAsB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IACnG,MAAM,MAAM,GAAG,OAAO,CAAC,yBAAyB,EAAE,6BAA6B,EAAE,GAAG,CAAC,CAAC;IACtF,MAAM,CAAC,oBAAoB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;IAE/D,gCAAgC;IAChC,MAAM,CAAC,SAAS,GAAG,WAAW,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,CAAC,CAAC;IACtE,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC,WAAW,EAAE,eAAe,EAAE,KAAK,CAAC,CAAC;IAEnE,oBAAoB;IACpB,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,gBAAgB,EAAE,UAAU,CAAC,CAAC;IACpE,MAAM,CAAC,QAAQ,GAAG,CAAC,QAAQ,KAAK,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,UAAU,CAA6B,CAAC;IAE1G,eAAe;IACf,MAAM,CAAC,cAAc,GAAG,OAAO,CAAC,iBAAiB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACtF,MAAM,CAAC,eAAe,GAAG,WAAW,CAAC,mBAAmB,EAAE,uBAAuB,EAAE,IAAI,CAAC,CAAC;IAEzF,gBAAgB;IAChB,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;IACzD,MAAM,CAAC,SAAS,GAAG,CACjB,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CACzC,CAAC;IAC/B,MAAM,CAAC,SAAS,GAAG,OAAO,CAAC,YAAY,EAAE,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;IAC9E,MAAM,CAAC,WAAW,GAAG,WAAW,CAAC,cAAc,EAAE,mBAAmB,EAAE,KAAK,CAAC,CAAC;IAC7E,MAAM,CAAC,mBAAmB,GAAG,OAAO,CAAC,uBAAuB,EAAE,4BAA4B,EAAE,EAAE,CAAC,CAAC;IAEhG,kBAAkB;IAClB,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IAClE,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAChE,MAAM,CAAC,QAAQ,GAAG,CAChB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAC9C,CAAC;IAC9B,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACnE,MAAM,CAAC,SAAS,GAAG,CAAC,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAA8B,CAAC;IAEzF,eAAe;IACf,MAAM,CAAC,OAAO,GAAG,WAAW,CAAC,SAAS,EAAE,aAAa,EAAE,KAAK,CAAC,CAAC;IAC9D,2CAA2C;IAC3C,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC;IAC5B,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE5C;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,GAAW;IACtC,MAAM,OAAO,GAA4C,EAAE,CAAC;IAC5D,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,sEAAsE;QACtE,6BAA6B;QAC7B,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAC1C,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CACb,0BAA0B,OAAO,oCAAoC;gBACnE,mBAAmB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACxD,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QACvC,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;QAC5C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CACb,oBAAoB,OAAO,uCAAuC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACrG,CAAC;QACJ,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IACjC,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,2FAA2F,CAAC,CAAC;IAC/G,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,cAAc,GAA6B;IACtD,MAAM,EAAE,CAAC,MAAM,CAAC;IAChB,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC;IAC/B,YAAY,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC;IACrC,SAAS,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;IAC5B,gBAAgB,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC;IAC3C,eAAe,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC;CAClD,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,QAAQ,GAA0C;IAC7D,MAAM,EAAE;QACN,QAAQ,EAAE,IAAI;QACd,SAAS,EAAE,IAAI;QACf,YAAY,EAAE,IAAI;QAClB,gBAAgB,EAAE,KAAK;KACxB;IACD,aAAa,EAAE;QACb,QAAQ,EAAE,IAAI;QACd,SAAS,EAAE,KAAK;QAChB,YAAY,EAAE,IAAI;QAClB,gBAAgB,EAAE,KAAK;KACxB;IACD,YAAY,EAAE;QACZ,QAAQ,EAAE,IAAI;QACd,SAAS,EAAE,KAAK;QAChB,YAAY,EAAE,KAAK;QACnB,gBAAgB,EAAE,KAAK;KACxB;IACD,SAAS,EAAE;QACT,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,IAAI;QACf,YAAY,EAAE,IAAI;QAClB,gBAAgB,EAAE,IAAI;QACtB,eAAe,EAAE,CAAC,MAAM,CAAC;KAC1B;IACD,gBAAgB,EAAE;QAChB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,KAAK;QAChB,YAAY,EAAE,IAAI;QAClB,gBAAgB,EAAE,IAAI;QACtB,eAAe,EAAE,CAAC,MAAM,CAAC;KAC1B;IACD,eAAe,EAAE;QACf,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,KAAK;QAChB,YAAY,EAAE,KAAK;QACnB,gBAAgB,EAAE,IAAI;QACtB,eAAe,EAAE,CAAC,MAAM,CAAC;KAC1B;CACF,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CAAC,IAAc;IACtC,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,CAAC;IAErC,8DAA8D;IAC9D,MAAM,OAAO,GAAG,CAAC,IAAY,EAAsB,EAAE;QACnD,MAAM,MAAM,GAAG,KAAK,IAAI,GAAG,CAAC;QAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;gBACnD,OAAO,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACrB,CAAC;YACD,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;IAEF,iDAAiD;IACjD,MAAM,OAAO,GAAG,CAAC,IAAY,EAAE,MAAc,EAAE,UAAkB,EAAU,EAAE;QAC3E,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC;IAC5D,CAAC,CAAC;IAEF,MAAM,WAAW,GAAG,CAAC,IAAY,EAAE,MAAc,EAAE,UAAmB,EAAW,EAAE;QACjF,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACjD,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,UAAU,CAAC;QACzC,OAAO,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,GAAG,CAAC;IACvC,CAAC,CAAC;IAEF,MAAM,cAAc,GAAG,CAAC,IAAY,EAAE,MAAc,EAAiB,EAAE;QACrE,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC;QAC3D,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,KAAK;YAAE,OAAO,GAAG,CAAC;QAC9C,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;IAEF,yBAAyB;IACzB,MAAM,CAAC,GAAG,GAAG,OAAO,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IAC3C,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,MAAM,EAAE,UAAU,EAAE,EAAE,CAAC,CAAC;IAClD,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,UAAU,EAAE,cAAc,EAAE,EAAE,CAAC,CAAC;IAC1D,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC;IACvD,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,UAAU,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IAC5D,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC,UAAU,EAAE,cAAc,EAAE,KAAK,CAAC,CAAC;IAEjE,sBAAsB;IACtB,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC1E,MAAM,CAAC,YAAY,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAEhF,oBAAoB;IACpB,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;IACjE,MAAM,CAAC,SAAS,GAAG,CAAC,SAAS,KAAK,iBAAiB,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,OAAO,CAAkB,CAAC;IACpG,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,eAAe,EAAE,cAAc,CAAC,CAAC;IAExE,+EAA+E;IAC/E,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACnE,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,OAAO,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;QACtC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,oBAAoB,WAAW,sBAAsB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC3G,CAAC;QACD,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,CAAC;IAED,8DAA8D;IAC9D,qEAAqE;IACrE,MAAM,gBAAgB,GAAG,OAAO,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IAC3E,IAAI,gBAAgB,KAAK,SAAS;QAAE,MAAM,CAAC,QAAQ,GAAG,gBAAgB,KAAK,MAAM,IAAI,gBAAgB,KAAK,GAAG,CAAC;SACzG,IAAI,CAAC,WAAW;QAAE,MAAM,CAAC,QAAQ,GAAG,KAAK,CAAC;IAE/C,MAAM,oBAAoB,GAAG,OAAO,CAAC,gBAAgB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IACzF,IAAI,oBAAoB,KAAK,SAAS;QACpC,MAAM,CAAC,YAAY,GAAG,oBAAoB,KAAK,MAAM,IAAI,oBAAoB,KAAK,GAAG,CAAC;SACnF,IAAI,CAAC,WAAW;QAAE,MAAM,CAAC,YAAY,GAAG,KAAK,CAAC;IAEnD,MAAM,iBAAiB,GAAG,OAAO,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAC9E,IAAI,iBAAiB,KAAK,SAAS;QAAE,MAAM,CAAC,SAAS,GAAG,iBAAiB,KAAK,MAAM,IAAI,iBAAiB,KAAK,GAAG,CAAC;SAC7G,IAAI,CAAC,WAAW;QAAE,MAAM,CAAC,SAAS,GAAG,KAAK,CAAC;IAChD,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC,aAAa,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;IAClE,MAAM,CAAC,aAAa,GAAG,OAAO,CAAC,gBAAgB,EAAE,oBAAoB,EAAE,EAAE,CAAC,CAAC;IAC3E,MAAM,IAAI,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IAC7E,IAAI,IAAI;QAAE,MAAM,CAAC,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IACxE,MAAM,wBAAwB,GAAG,OAAO,CAAC,mBAAmB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;IACnG,IAAI,wBAAwB,KAAK,SAAS;QACxC,MAAM,CAAC,gBAAgB,GAAG,wBAAwB,KAAK,MAAM,IAAI,wBAAwB,KAAK,GAAG,CAAC;SAC/F,IAAI,CAAC,WAAW;QAAE,MAAM,CAAC,gBAAgB,GAAG,KAAK,CAAC;IAEvD,mBAAmB;IACnB,MAAM,CAAC,cAAc,GAAG,cAAc,CAAC,iBAAiB,EAAE,qBAAqB,CAAC,CAAC;IACjF,MAAM,CAAC,UAAU,GAAG,cAAc,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;IACrE,MAAM,CAAC,WAAW,GAAG,cAAc,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;IACxE,MAAM,CAAC,UAAU,GAAG,cAAc,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;IACrE,MAAM,CAAC,gBAAgB,GAAG,cAAc,CAAC,mBAAmB,EAAE,uBAAuB,CAAC,CAAC;IACvF,MAAM,CAAC,WAAW,GAAG,cAAc,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;IAExE,gCAAgC;IAChC,MAAM,UAAU,GAAG,OAAO,CAAC,aAAa,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACrE,MAAM,CAAC,UAAU,GAAG,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAA+B,CAAC;IAEjH,8CAA8C;IAC9C,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IAE/D,wEAAwE;IACxE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACpE,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,CAAC,OAAO,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC1E,MAAM,CAAC,YAAY,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAChF,MAAM,cAAc,GAAG,OAAO,CAAC,sBAAsB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IAC/F,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QACnD,MAAM,CAAC,kBAAkB,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC;IACxE,CAAC;IACD,MAAM,CAAC,SAAS,GAAG,WAAW,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,CAAC,CAAC;IAEtE,mEAAmE;IACnE,MAAM,CAAC,aAAa,GAAG,OAAO,CAAC,iBAAiB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACrF,MAAM,CAAC,iBAAiB,GAAG,OAAO,CAAC,sBAAsB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IACnG,MAAM,MAAM,GAAG,OAAO,CAAC,yBAAyB,EAAE,6BAA6B,EAAE,GAAG,CAAC,CAAC;IACtF,MAAM,CAAC,oBAAoB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;IAE/D,gCAAgC;IAChC,MAAM,CAAC,SAAS,GAAG,WAAW,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,CAAC,CAAC;IACtE,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC,WAAW,EAAE,eAAe,EAAE,KAAK,CAAC,CAAC;IAEnE,oBAAoB;IACpB,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,gBAAgB,EAAE,UAAU,CAAC,CAAC;IACpE,MAAM,CAAC,QAAQ,GAAG,CAAC,QAAQ,KAAK,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,UAAU,CAA6B,CAAC;IAE1G,eAAe;IACf,MAAM,CAAC,cAAc,GAAG,OAAO,CAAC,iBAAiB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACtF,MAAM,CAAC,eAAe,GAAG,WAAW,CAAC,mBAAmB,EAAE,uBAAuB,EAAE,IAAI,CAAC,CAAC;IAEzF,gBAAgB;IAChB,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;IACzD,MAAM,CAAC,SAAS,GAAG,CACjB,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CACzC,CAAC;IAC/B,MAAM,CAAC,SAAS,GAAG,OAAO,CAAC,YAAY,EAAE,iBAAiB,EAAE,gBAAgB,CAAC,CAAC;IAC9E,MAAM,CAAC,WAAW,GAAG,WAAW,CAAC,cAAc,EAAE,mBAAmB,EAAE,KAAK,CAAC,CAAC;IAC7E,MAAM,CAAC,mBAAmB,GAAG,OAAO,CAAC,uBAAuB,EAAE,4BAA4B,EAAE,EAAE,CAAC,CAAC;IAEhG,kBAAkB;IAClB,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IAClE,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAChE,MAAM,CAAC,QAAQ,GAAG,CAChB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAC9C,CAAC;IAC9B,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACnE,MAAM,CAAC,SAAS,GAAG,CAAC,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAA8B,CAAC;IAEzF,eAAe;IACf,MAAM,CAAC,OAAO,GAAG,WAAW,CAAC,SAAS,EAAE,aAAa,EAAE,KAAK,CAAC,CAAC;IAC9D,2CAA2C;IAC3C,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC;IAC5B,CAAC;IAED,6BAA6B;IAC7B,cAAc,CAAC,MAAM,CAAC,CAAC;IAEvB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,MAAoB;IACjD,qFAAqF;IACrF,IAAI,MAAM,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,8DAA8D;YAC5D,8EAA8E,CACjF,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,YAAY,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;IAC/E,CAAC;IAED,kCAAkC;IAClC,IAAI,MAAM,CAAC,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CACb,mHAAmH,CACpH,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/server/http.d.ts

@@ -31,4 +31,12 @@ import type { XsuaaCredentials } from './xsuaa.js';
  * Start the HTTP Streamable server.
  */
 export declare function startHttpServer(serverFactory: () => McpServer, config: ServerConfig, xsuaaCredentials?: XsuaaCredentials): Promise<void>;
+/**
+ * Extract scopes from an OIDC JWT payload.
+ *
+ * Tries `scope` (space-separated string, standard OIDC) then `scp` (array, Azure AD style).
+ * Filters to known scopes, applies implied scope expansion, and falls back to read-only
+ * when no scope claims are present (safe default for providers that don't emit scopes).
+ */
+export declare function extractOidcScopes(payload: Record<string, unknown>): string[];
 //# sourceMappingURL=http.d.ts.map

package/dist/server/http.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/server/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,2CAA2C,CAAC;AAMrF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AA4CnD;;GAEG;AACH,wBAAsB,eAAe,CACnC,aAAa,EAAE,MAAM,SAAS,EAC9B,MAAM,EAAE,YAAY,EACpB,gBAAgB,CAAC,EAAE,gBAAgB,GAClC,OAAO,CAAC,IAAI,CAAC,CAiKf"}
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/server/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,2CAA2C,CAAC;AAQrF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAsEnD;;GAEG;AACH,wBAAsB,eAAe,CACnC,aAAa,EAAE,MAAM,SAAS,EAC9B,MAAM,EAAE,YAAY,EACpB,gBAAgB,CAAC,EAAE,gBAAgB,GAClC,OAAO,CAAC,IAAI,CAAC,CAkKf;AA2GD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,EAAE,CAiC5E"}

package/dist/server/http.js

@@ -26,8 +26,31 @@
  */
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import express from 'express';
+import { expandImpliedScopes } from '../adt/safety.js';
+import { PROFILE_SCOPES } from './config.js';
 import { logger } from './logger.js';
 import { VERSION } from './server.js';
+// ─── API Key Matching Helper ─────────────────────────────────────────
+/**
+ * Match a token against configured API keys (multi-key with profiles).
+ * Returns the matched entry's profile and scopes, or undefined if no match.
+ */
+function matchApiKey(token, config) {
+    // Multi-key: check apiKeys array first
+    if (config.apiKeys) {
+        for (const entry of config.apiKeys) {
+            if (token === entry.key) {
+                const scopes = PROFILE_SCOPES[entry.profile] ?? ['read'];
+                return { profile: entry.profile, scopes, clientId: `api-key:${entry.profile}` };
+            }
+        }
+    }
+    // Single key: legacy behavior (full scopes)
+    if (config.apiKey && token === config.apiKey) {
+        return { profile: 'full', scopes: ['read', 'write', 'data', 'sql', 'admin'], clientId: 'api-key' };
+    }
+    return undefined;
+}
 // ─── JWKS / JWT types (lazy-loaded from jose) ────────────────────────
 let joseModule = null;
 let jwksClient = null;
@@ -166,7 +189,7 @@ export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
             issuerUrl: new URL(appUrl),
             baseUrl: new URL(appUrl),
             resourceServerUrl: new URL(`${appUrl}/mcp`),
-            scopesSupported: ['read', 'write', 'admin'],
+            scopesSupported: ['read', 'write', 'data', 'sql', 'admin'],
             resourceName: 'ARC-1 SAP MCP Server',
         }));
         // Protected MCP endpoint with chained token verification
@@ -181,16 +204,18 @@ export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
         if (config.oidcIssuer) {
             await initJwks(config.oidcIssuer);
         }
-        // Auth middleware for standard mode
-        const authMiddleware = async (req, res, next) => {
-            const authResult = await checkAuth(req, config);
-            if (!authResult.ok) {
-                res.status(authResult.status).json({ error: authResult.message });
-                return;
-            }
-            next();
-        };
-        app.all('/mcp', authMiddleware, mcpHandler);
+        if (config.apiKey || config.apiKeys || config.oidcIssuer) {
+            // Use requireBearerAuth so that authInfo is populated on the MCP request context.
+            // This enables scope enforcement, per-request safety, and principal propagation.
+            const { requireBearerAuth } = await import('@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js');
+            const verifier = createStandardVerifier(config);
+            const bearerAuth = requireBearerAuth({ verifier: { verifyAccessToken: verifier } });
+            app.all('/mcp', bearerAuth, mcpHandler);
+        }
+        else {
+            // No auth configured — open access
+            app.all('/mcp', mcpHandler);
+        }
     }
     // ─── 404 for anything else ─────────────────────────────────
     app.use((req, res) => {
@@ -202,8 +227,10 @@ export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
         let authMode = 'NONE (open)';
         if (config.xsuaaAuth && xsuaaCredentials)
             authMode = 'XSUAA OAuth proxy';
-        else if (config.apiKey && config.oidcIssuer)
+        else if ((config.apiKey || config.apiKeys) && config.oidcIssuer)
             authMode = 'API key + OIDC';
+        else if (config.apiKeys)
+            authMode = `API keys (${config.apiKeys.length} keys)`;
         else if (config.apiKey)
             authMode = 'API key';
         else if (config.oidcIssuer)
@@ -216,6 +243,63 @@ export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
         });
     });
 }
+// ─── Standard Mode Verifier ─────────────────────────────────────────
+/**
+ * Create a token verifier for standard auth mode (API key + OIDC).
+ * Returns AuthInfo so the MCP SDK populates extra.authInfo on the request,
+ * enabling scope enforcement, per-request safety, and principal propagation.
+ */
+function createStandardVerifier(config) {
+    return async (token) => {
+        // Lazy-import SDK error classes so bearerAuth maps them to 401/403
+        const { InvalidTokenError } = await import('@modelcontextprotocol/sdk/server/auth/errors.js');
+        // API key: match against multi-key map or single key
+        const apiKeyMatch = matchApiKey(token, config);
+        if (apiKeyMatch) {
+            // expiresAt is required by requireBearerAuth — use far-future expiry for static keys
+            const ONE_YEAR_SECS = 365 * 24 * 60 * 60;
+            return {
+                token,
+                clientId: apiKeyMatch.clientId,
+                scopes: apiKeyMatch.scopes,
+                expiresAt: Math.floor(Date.now() / 1000) + ONE_YEAR_SECS,
+            };
+        }
+        // OIDC: validate JWT and extract scopes
+        if (config.oidcIssuer) {
+            try {
+                if (!joseModule || !jwksClient) {
+                    await initJwks(config.oidcIssuer);
+                }
+                if (!joseModule || !jwksClient) {
+                    throw new Error('OIDC not initialized — check SAP_OIDC_ISSUER configuration');
+                }
+                const { payload } = await joseModule.jwtVerify(token, jwksClient, {
+                    issuer: config.oidcIssuer,
+                    audience: config.oidcAudience,
+                    requiredClaims: ['exp'],
+                    ...(config.oidcClockTolerance != null ? { clockTolerance: config.oidcClockTolerance } : {}),
+                });
+                logger.debug('Standard OIDC JWT validated', { sub: payload.sub, iss: payload.iss });
+                const scopes = extractOidcScopes(payload);
+                return {
+                    token,
+                    clientId: payload.azp ?? payload.sub ?? 'oidc-user',
+                    scopes,
+                    expiresAt: payload.exp,
+                    extra: { sub: payload.sub, iss: payload.iss },
+                };
+            }
+            catch (err) {
+                // Wrap JWT validation errors as InvalidTokenError so bearerAuth returns 401
+                if (err instanceof InvalidTokenError)
+                    throw err;
+                throw new InvalidTokenError(err.message ?? 'Invalid token');
+            }
+        }
+        throw new InvalidTokenError('Authentication failed: invalid token');
+    };
+}
 // ─── OIDC Verifier Factory ───────────────────────────────────────────
 /**
  * Create an Entra ID / OIDC token verifier using jose.
@@ -230,66 +314,67 @@ async function createOidcVerifier(config) {
         const { payload } = await joseModule.jwtVerify(token, jwksClient, {
             issuer: config.oidcIssuer,
             audience: config.oidcAudience,
+            requiredClaims: ['exp'],
+            ...(config.oidcClockTolerance != null ? { clockTolerance: config.oidcClockTolerance } : {}),
         });
         logger.debug('OIDC JWT validated', { sub: payload.sub, iss: payload.iss });
+        const scopes = extractOidcScopes(payload);
         return {
             token,
             clientId: payload.azp ?? payload.sub ?? 'oidc-user',
-            scopes: ['read', 'write', 'admin'], // OIDC tokens get full access (scopes managed by OIDC provider)
+            scopes,
             expiresAt: payload.exp,
             extra: { sub: payload.sub, iss: payload.iss },
         };
     };
 }
+// ─── OIDC Scope Extraction ──────────────────────────────────────────
+const KNOWN_SCOPES = ['read', 'write', 'data', 'sql', 'admin'];
 /**
- * Check authentication for standard mode (API key + OIDC).
- * Used when XSUAA auth is NOT enabled.
+ * Extract scopes from an OIDC JWT payload.
+ *
+ * Tries `scope` (space-separated string, standard OIDC) then `scp` (array, Azure AD style).
+ * Filters to known scopes, applies implied scope expansion, and falls back to read-only
+ * when no scope claims are present (safe default for providers that don't emit scopes).
  */
-async function checkAuth(req, config) {
-    // No auth configured — allow all
-    if (!config.apiKey && !config.oidcIssuer) {
-        return { ok: true, status: 200, message: '' };
+export function extractOidcScopes(payload) {
+    let rawScopes;
+    // Standard OIDC: space-separated string
+    if (typeof payload.scope === 'string') {
+        rawScopes = payload.scope.split(' ').filter((s) => s.length > 0);
     }
-    const authHeader = req.headers.authorization;
-    if (!authHeader?.startsWith('Bearer ')) {
-        return {
-            ok: false,
-            status: 401,
-            message: 'Missing or invalid Authorization header. Expected: Bearer <token>',
-        };
+    // Azure AD / Entra: `scp` as space-delimited string (delegated tokens) or array (app tokens)
+    else if (typeof payload.scp === 'string') {
+        rawScopes = payload.scp.split(' ').filter((s) => s.length > 0);
     }
-    const token = authHeader.slice(7);
-    // API Key check
-    if (config.apiKey) {
-        if (token === config.apiKey) {
-            return { ok: true, status: 200, message: '' };
-        }
-        if (!config.oidcIssuer) {
-            return { ok: false, status: 403, message: 'Invalid API key' };
-        }
+    else if (Array.isArray(payload.scp)) {
+        rawScopes = payload.scp.filter((s) => typeof s === 'string' && s.length > 0);
     }
-    // OIDC / JWT validation
-    if (config.oidcIssuer) {
-        try {
-            await validateJwt(token, config);
-            return { ok: true, status: 200, message: '' };
-        }
-        catch (err) {
-            const msg = err instanceof Error ? err.message : 'JWT validation failed';
-            logger.debug('JWT validation failed', { error: msg });
-            return { ok: false, status: 403, message: `Authentication failed: ${msg}` };
-        }
+    // No scope claims at all → read-only (safe default)
+    if (rawScopes === undefined) {
+        logger.warn('OIDC JWT has no scope/scp claims — granting read-only access. ' +
+            'Configure scope claims in your OIDC provider to grant write/data/sql access.');
+        return ['read'];
+    }
+    // Filter to known scopes
+    const filtered = rawScopes.filter((s) => KNOWN_SCOPES.includes(s));
+    // If scopes were present but none are known, grant minimum read access
+    if (filtered.length === 0) {
+        logger.warn('OIDC JWT has scope claims but none match known scopes — granting read-only', { rawScopes });
+        return ['read'];
     }
-    return { ok: false, status: 403, message: 'Authentication failed' };
+    return expandImpliedScopes(filtered);
 }
 /**
  * Initialize JWKS client from OIDC discovery.
  */
 async function initJwks(issuer) {
-    if (joseModule)
+    if (joseModule && jwksClient)
         return;
     try {
-        joseModule = await import('jose');
+        if (!joseModule) {
+            joseModule = await import('jose');
+        }
         const jwksUri = new URL('.well-known/openid-configuration', issuer.endsWith('/') ? issuer : `${issuer}/`);
         const discoveryResp = await fetch(jwksUri.toString());
         const discovery = (await discoveryResp.json());
@@ -306,26 +391,4 @@ async function initJwks(issuer) {
         });
     }
 }
-/**
- * Validate a JWT token against the configured OIDC issuer.
- */
-async function validateJwt(token, config) {
-    if (!joseModule || !jwksClient) {
-        if (config.oidcIssuer) {
-            await initJwks(config.oidcIssuer);
-        }
-        if (!joseModule || !jwksClient) {
-            throw new Error('OIDC not initialized — check SAP_OIDC_ISSUER configuration');
-        }
-    }
-    const { payload } = await joseModule.jwtVerify(token, jwksClient, {
-        issuer: config.oidcIssuer,
-        audience: config.oidcAudience,
-    });
-    logger.debug('JWT validated', {
-        sub: payload.sub,
-        iss: payload.iss,
-        exp: payload.exp,
-    });
-}
 //# sourceMappingURL=http.js.map