npm - emdash - Versions diffs - 0.14.0 → 0.16.0 - Mend

emdash 0.14.0 → 0.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (650) hide show

package/dist/menus-arUNspyU.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"menus-arUNspyU.mjs","names":[],"sources":["../src/database/repositories/menu.ts","../src/api/handlers/menus.ts"],"sourcesContent":["/**\n * Menu repository\n *\n * Owns every SQL touch for `_emdash_menus` and `_emdash_menu_items`, plus the\n * row→entity mapping. Matches the architecture used by every other resource\n * (content, taxonomies, redirects, comments, media): handlers stay thin and\n * orchestrate; the repository is the single place where snake_case DB columns\n * become camelCase entities (and vice versa).\n *\n * i18n: menus are per-locale. `(name, locale)` is unique. Translations of the\n * same menu share a `translation_group` ULID. Menu item `reference_id` stores\n * the referenced content's translation_group (not a specific row id) so a\n * single menu item survives content translations.\n */\n\nimport type { Kysely, Selectable } from \"kysely\";\nimport { ulid } from \"ulidx\";\n\nimport { withTransaction } from \"../transaction.js\";\nimport type { Database, MenuItemTable, MenuTable } from \"../types.js\";\n\n/**\n * Thrown from inside a repository transaction when the menu the caller\n * resolved earlier has since been deleted. Handlers translate this to a\n * `NOT_FOUND` API response. Necessary because D1 disables FK enforcement\n * (so `ON DELETE CASCADE` won't fire), and an unchecked `setItems` would\n * happily insert items whose `menu_id` no longer exists, leaving orphans.\n */\nexport class MenuGoneError extends Error {\n\tconstructor(public readonly menuId: string) {\n\t\tsuper(`Menu ${menuId} was deleted while being modified`);\n\t\tthis.name = \"MenuGoneError\";\n\t}\n}\n\n// ---------------------------------------------------------------------------\n// Entity shapes (camelCase — what the API returns)\n// ---------------------------------------------------------------------------\n\nexport interface Menu {\n\tid: string;\n\tname: string;\n\tlabel: string;\n\tcreatedAt: string;\n\tupdatedAt: string;\n\tlocale: string;\n\ttranslationGroup: string | null;\n}\n\nexport interface MenuItem {\n\tid: string;\n\tmenuId: string;\n\tparentId: string | null;\n\tsortOrder: number;\n\ttype: string;\n\treferenceCollection: string | null;\n\treferenceId: string | null;\n\tcustomUrl: string | null;\n\tlabel: string;\n\ttitleAttr: string | null;\n\ttarget: string | null;\n\tcssClasses: string | null;\n\tcreatedAt: string;\n\tlocale: string;\n\ttranslationGroup: string | null;\n}\n\nexport interface MenuListItem extends Menu {\n\titemCount: number;\n}\n\nexport interface MenuWithItems extends Menu {\n\titems: MenuItem[];\n}\n\nexport interface MenuTranslation {\n\tid: string;\n\tname: string;\n\tlabel: string;\n\tlocale: string;\n\tupdatedAt: string;\n}\n\n// ---------------------------------------------------------------------------\n// Input shapes\n// ---------------------------------------------------------------------------\n\nexport interface CreateMenuInput {\n\tname: string;\n\tlabel: string;\n\tlocale?: string;\n\t/**\n\t * When set, the new menu joins the source menu's translation_group and\n\t * inherits its items (cloned, with new ULIDs but the same translation_group\n\t * per item so nav entries stay logically identified across translations).\n\t */\n\ttranslationOf?: string;\n}\n\nexport interface UpdateMenuInput {\n\tlabel?: string;\n}\n\nexport interface CreateMenuItemInput {\n\ttype: string;\n\tlabel: string;\n\treferenceCollection?: string;\n\treferenceId?: string;\n\tcustomUrl?: string;\n\ttarget?: string;\n\ttitleAttr?: string;\n\tcssClasses?: string;\n\tparentId?: string;\n\tsortOrder?: number;\n}\n\nexport interface UpdateMenuItemInput {\n\tlabel?: string;\n\tcustomUrl?: string;\n\ttarget?: string;\n\ttitleAttr?: string;\n\tcssClasses?: string;\n\tparentId?: string | null;\n\tsortOrder?: number;\n}\n\n/**\n * Item shape used by `setItems()`. Items are placed by array order. Children\n * point at parents via `parentIndex` (must reference an earlier index, so the\n * insert can resolve parents before children). The validation of that ordering\n * lives at the API boundary (`handleMenuSetItems`) so REST/MCP callers receive\n * the same error shape.\n */\nexport interface SetMenuItem {\n\tlabel: string;\n\ttype: \"custom\" | \"page\" | \"post\" | \"taxonomy\" | \"collection\";\n\tcustomUrl?: string;\n\treferenceCollection?: string;\n\treferenceId?: string;\n\ttitleAttr?: string;\n\ttarget?: string;\n\tcssClasses?: string;\n\tparentIndex?: number;\n}\n\nexport interface ReorderItem {\n\tid: string;\n\tparentId: string | null;\n\tsortOrder: number;\n}\n\n// ---------------------------------------------------------------------------\n// Row → entity mappers\n// ---------------------------------------------------------------------------\n\nfunction rowToMenu(row: Selectable<MenuTable>): Menu {\n\treturn {\n\t\tid: row.id,\n\t\tname: row.name,\n\t\tlabel: row.label,\n\t\tcreatedAt: row.created_at,\n\t\tupdatedAt: row.updated_at,\n\t\tlocale: row.locale,\n\t\ttranslationGroup: row.translation_group,\n\t};\n}\n\nfunction rowToMenuItem(row: Selectable<MenuItemTable>): MenuItem {\n\treturn {\n\t\tid: row.id,\n\t\tmenuId: row.menu_id,\n\t\tparentId: row.parent_id,\n\t\tsortOrder: row.sort_order,\n\t\ttype: row.type,\n\t\treferenceCollection: row.reference_collection,\n\t\treferenceId: row.reference_id,\n\t\tcustomUrl: row.custom_url,\n\t\tlabel: row.label,\n\t\ttitleAttr: row.title_attr,\n\t\ttarget: row.target,\n\t\tcssClasses: row.css_classes,\n\t\tcreatedAt: row.created_at,\n\t\tlocale: row.locale,\n\t\ttranslationGroup: row.translation_group,\n\t};\n}\n\n// ---------------------------------------------------------------------------\n// Repository\n// ---------------------------------------------------------------------------\n\nexport class MenuRepository {\n\tconstructor(private db: Kysely<Database>) {}\n\n\t// --- Menus -------------------------------------------------------------\n\n\t/**\n\t * List menus with their item counts. When `locale` is omitted, returns\n\t * every locale variant as its own row (consistent with the admin listing\n\t * model: each translation is its own menu for editing purposes).\n\t */\n\tasync findMany(options: { locale?: string } = {}): Promise<MenuListItem[]> {\n\t\t// Single LEFT JOIN + GROUP BY for the per-menu count. Avoids N+1.\n\t\tlet query = this.db\n\t\t\t.selectFrom(\"_emdash_menus as m\")\n\t\t\t.leftJoin(\"_emdash_menu_items as i\", \"i.menu_id\", \"m.id\")\n\t\t\t.select(({ fn }) => [\n\t\t\t\t\"m.id\",\n\t\t\t\t\"m.name\",\n\t\t\t\t\"m.label\",\n\t\t\t\t\"m.created_at\",\n\t\t\t\t\"m.updated_at\",\n\t\t\t\t\"m.locale\",\n\t\t\t\t\"m.translation_group\",\n\t\t\t\tfn.count<number>(\"i.id\").as(\"itemCount\"),\n\t\t\t])\n\t\t\t.groupBy([\n\t\t\t\t\"m.id\",\n\t\t\t\t\"m.name\",\n\t\t\t\t\"m.label\",\n\t\t\t\t\"m.created_at\",\n\t\t\t\t\"m.updated_at\",\n\t\t\t\t\"m.locale\",\n\t\t\t\t\"m.translation_group\",\n\t\t\t])\n\t\t\t.orderBy(\"m.name\", \"asc\");\n\t\tif (options.locale !== undefined) query = query.where(\"m.locale\", \"=\", options.locale);\n\t\tconst rows = await query.execute();\n\n\t\treturn rows.map((row) => ({\n\t\t\t// Postgres returns count() as `string`; SQLite as `number`. Normalize.\n\t\t\titemCount: typeof row.itemCount === \"string\" ? Number(row.itemCount) : row.itemCount,\n\t\t\t...rowToMenu({\n\t\t\t\tid: row.id,\n\t\t\t\tname: row.name,\n\t\t\t\tlabel: row.label,\n\t\t\t\tcreated_at: row.created_at,\n\t\t\t\tupdated_at: row.updated_at,\n\t\t\t\tlocale: row.locale,\n\t\t\t\ttranslation_group: row.translation_group,\n\t\t\t}),\n\t\t}));\n\t}\n\n\t/**\n\t * Find every menu row matching `name` (one per locale on multi-locale\n\t * installs). Callers use this both to look up a single menu (when locale\n\t * is supplied) and to detect AMBIGUOUS_LOCALE situations (`length > 1`).\n\t */\n\tasync findByName(name: string, options: { locale?: string } = {}): Promise<Menu[]> {\n\t\tlet query = this.db\n\t\t\t.selectFrom(\"_emdash_menus\")\n\t\t\t.selectAll()\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.orderBy(\"locale\", \"asc\");\n\t\tif (options.locale !== undefined) query = query.where(\"locale\", \"=\", options.locale);\n\t\tconst rows = await query.execute();\n\t\treturn rows.map(rowToMenu);\n\t}\n\n\tasync findById(id: string): Promise<Menu | null> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"_emdash_menus\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", id)\n\t\t\t.executeTakeFirst();\n\t\treturn row ? rowToMenu(row) : null;\n\t}\n\n\t/** Fetch a menu plus its items, ordered by `sort_order`. */\n\tasync findWithItems(menuId: string): Promise<MenuWithItems | null> {\n\t\tconst menu = await this.findById(menuId);\n\t\tif (!menu) return null;\n\t\tconst items = await this.findItems(menuId);\n\t\treturn { ...menu, items };\n\t}\n\n\tasync findItems(menuId: string): Promise<MenuItem[]> {\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"_emdash_menu_items\")\n\t\t\t.selectAll()\n\t\t\t.where(\"menu_id\", \"=\", menuId)\n\t\t\t.orderBy(\"sort_order\", \"asc\")\n\t\t\t.execute();\n\t\treturn rows.map(rowToMenuItem);\n\t}\n\n\t/**\n\t * Returns true when a menu already exists for the given `(name, locale)`.\n\t * Used by the handler to surface a CONFLICT before attempting the insert.\n\t */\n\tasync existsByNameAndLocale(name: string, locale: string): Promise<boolean> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"_emdash_menus\")\n\t\t\t.select(\"id\")\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.where(\"locale\", \"=\", locale)\n\t\t\t.executeTakeFirst();\n\t\treturn row !== undefined;\n\t}\n\n\t/**\n\t * Create a menu. When `translationOf` is supplied the new menu joins the\n\t * source menu's translation_group and clones its items (each clone gets a\n\t * fresh ULID, but inherits the source item's `translation_group` so a\n\t * given nav entry resolves to \"the same item\" across menu translations).\n\t *\n\t * If the source menu is missing this throws — callers should validate\n\t * existence via `findById` first to return a clean NOT_FOUND.\n\t */\n\tasync create(input: CreateMenuInput): Promise<Menu> {\n\t\tconst id = ulid();\n\n\t\tlet translationGroup: string = id;\n\t\tlet sourceMenuId: string | null = null;\n\t\tif (input.translationOf) {\n\t\t\tconst source = await this.findById(input.translationOf);\n\t\t\tif (!source) throw new Error(\"Source menu for translation not found\");\n\t\t\ttranslationGroup = source.translationGroup ?? source.id;\n\t\t\tsourceMenuId = source.id;\n\t\t}\n\n\t\tawait withTransaction(this.db, async (trx) => {\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_menus\")\n\t\t\t\t.values({\n\t\t\t\t\tid,\n\t\t\t\t\tname: input.name,\n\t\t\t\t\tlabel: input.label,\n\t\t\t\t\t...(input.locale !== undefined ? { locale: input.locale } : {}),\n\t\t\t\t\ttranslation_group: translationGroup,\n\t\t\t\t})\n\t\t\t\t.execute();\n\n\t\t\tif (sourceMenuId) {\n\t\t\t\tconst sourceItems = await trx\n\t\t\t\t\t.selectFrom(\"_emdash_menu_items\")\n\t\t\t\t\t.selectAll()\n\t\t\t\t\t.where(\"menu_id\", \"=\", sourceMenuId)\n\t\t\t\t\t.orderBy(\"sort_order\", \"asc\")\n\t\t\t\t\t.execute();\n\t\t\t\tif (sourceItems.length > 0) {\n\t\t\t\t\t// old-id → new-id map so parent pointers land on the clones.\n\t\t\t\t\tconst idMap = new Map<string, string>();\n\t\t\t\t\tfor (const item of sourceItems) idMap.set(item.id, ulid());\n\n\t\t\t\t\tawait trx\n\t\t\t\t\t\t.insertInto(\"_emdash_menu_items\")\n\t\t\t\t\t\t.values(\n\t\t\t\t\t\t\tsourceItems.map((item) => ({\n\t\t\t\t\t\t\t\tid: idMap.get(item.id)!,\n\t\t\t\t\t\t\t\tmenu_id: id,\n\t\t\t\t\t\t\t\tparent_id: item.parent_id ? (idMap.get(item.parent_id) ?? null) : null,\n\t\t\t\t\t\t\t\tsort_order: item.sort_order,\n\t\t\t\t\t\t\t\ttype: item.type,\n\t\t\t\t\t\t\t\treference_collection: item.reference_collection,\n\t\t\t\t\t\t\t\treference_id: item.reference_id,\n\t\t\t\t\t\t\t\tcustom_url: item.custom_url,\n\t\t\t\t\t\t\t\tlabel: item.label,\n\t\t\t\t\t\t\t\ttitle_attr: item.title_attr,\n\t\t\t\t\t\t\t\ttarget: item.target,\n\t\t\t\t\t\t\t\tcss_classes: item.css_classes,\n\t\t\t\t\t\t\t\t...(input.locale !== undefined ? { locale: input.locale } : {}),\n\t\t\t\t\t\t\t\ttranslation_group: item.translation_group ?? item.id,\n\t\t\t\t\t\t\t})),\n\t\t\t\t\t\t)\n\t\t\t\t\t\t.execute();\n\t\t\t\t}\n\t\t\t}\n\t\t});\n\n\t\tconst created = await this.findById(id);\n\t\tif (!created) throw new Error(\"Failed to create menu\");\n\t\treturn created;\n\t}\n\n\tasync update(id: string, input: UpdateMenuInput): Promise<Menu | null> {\n\t\tconst existing = await this.findById(id);\n\t\tif (!existing) return null;\n\n\t\tconst values: Record<string, unknown> = {};\n\t\tif (input.label !== undefined) values.label = input.label;\n\n\t\tif (Object.keys(values).length > 0) {\n\t\t\tawait this.db.updateTable(\"_emdash_menus\").set(values).where(\"id\", \"=\", id).execute();\n\t\t}\n\n\t\treturn (await this.findById(id))!;\n\t}\n\n\t/**\n\t * Delete a menu. Items are deleted explicitly to avoid relying on the\n\t * `ON DELETE CASCADE` FK declared in migration 005, which migration 036\n\t * removed: that FK is what made #1021 destructive on D1 (the cascade\n\t * fired when the i18n migration dropped `_emdash_menus`), so dropping\n\t * the FK was the fix. The explicit delete keeps the runtime working\n\t * the same way before and after the migration.\n\t */\n\tasync delete(id: string): Promise<boolean> {\n\t\tconst existing = await this.findById(id);\n\t\tif (!existing) return false;\n\n\t\tawait withTransaction(this.db, async (trx) => {\n\t\t\tawait trx.deleteFrom(\"_emdash_menu_items\").where(\"menu_id\", \"=\", id).execute();\n\t\t\tawait trx.deleteFrom(\"_emdash_menus\").where(\"id\", \"=\", id).execute();\n\t\t});\n\t\treturn true;\n\t}\n\n\t/**\n\t * List every translation of a menu (by id or translation_group).\n\t *\n\t * Returns `null` when neither the id nor the group resolves to a menu,\n\t * mapped to NOT_FOUND by the handler.\n\t */\n\tasync listTranslations(\n\t\tidOrGroup: string,\n\t): Promise<{ translationGroup: string | null; translations: MenuTranslation[] } | null> {\n\t\tconst anchor = await this.db\n\t\t\t.selectFrom(\"_emdash_menus\")\n\t\t\t.selectAll()\n\t\t\t.where((eb) => eb.or([eb(\"id\", \"=\", idOrGroup), eb(\"translation_group\", \"=\", idOrGroup)]))\n\t\t\t.executeTakeFirst();\n\t\tif (!anchor) return null;\n\n\t\tconst group = anchor.translation_group ?? anchor.id;\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"_emdash_menus\")\n\t\t\t.selectAll()\n\t\t\t.where(\"translation_group\", \"=\", group)\n\t\t\t.orderBy(\"locale\", \"asc\")\n\t\t\t.execute();\n\n\t\treturn {\n\t\t\ttranslationGroup: group,\n\t\t\ttranslations: rows.map((row) => ({\n\t\t\t\tid: row.id,\n\t\t\t\tname: row.name,\n\t\t\t\tlocale: row.locale,\n\t\t\t\tlabel: row.label,\n\t\t\t\tupdatedAt: row.updated_at,\n\t\t\t})),\n\t\t};\n\t}\n\n\t// --- Items -------------------------------------------------------------\n\n\t/**\n\t * Insert a menu item. `locale` is propagated from the parent menu so\n\t * `_emdash_menu_items.locale` mirrors the menu's locale (queries can scope\n\t * by locale without a join).\n\t *\n\t * When `sortOrder` is omitted, the next position within the same parent\n\t * scope is used (max + 1). The fresh `translation_group` defaults to the\n\t * item's own id, matching the migration 036 backfill.\n\t */\n\tasync createItem(menuId: string, locale: string, input: CreateMenuItemInput): Promise<MenuItem> {\n\t\tlet sortOrder = input.sortOrder ?? 0;\n\t\tif (input.sortOrder === undefined) {\n\t\t\tconst maxOrder = await this.db\n\t\t\t\t.selectFrom(\"_emdash_menu_items\")\n\t\t\t\t.select(({ fn }) => fn.max(\"sort_order\").as(\"max\"))\n\t\t\t\t.where(\"menu_id\", \"=\", menuId)\n\t\t\t\t.where(\"parent_id\", \"is\", input.parentId ?? null)\n\t\t\t\t.executeTakeFirst();\n\t\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- Kysely fn.max returns unknown; always a number for sort_order column\n\t\t\tsortOrder = ((maxOrder?.max as number) ?? -1) + 1;\n\t\t}\n\n\t\tconst id = ulid();\n\t\tawait this.db\n\t\t\t.insertInto(\"_emdash_menu_items\")\n\t\t\t.values({\n\t\t\t\tid,\n\t\t\t\tmenu_id: menuId,\n\t\t\t\tparent_id: input.parentId ?? null,\n\t\t\t\tsort_order: sortOrder,\n\t\t\t\ttype: input.type,\n\t\t\t\treference_collection: input.referenceCollection ?? null,\n\t\t\t\treference_id: input.referenceId ?? null,\n\t\t\t\tcustom_url: input.customUrl ?? null,\n\t\t\t\tlabel: input.label,\n\t\t\t\ttitle_attr: input.titleAttr ?? null,\n\t\t\t\ttarget: input.target ?? null,\n\t\t\t\tcss_classes: input.cssClasses ?? null,\n\t\t\t\tlocale,\n\t\t\t\ttranslation_group: id,\n\t\t\t})\n\t\t\t.execute();\n\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"_emdash_menu_items\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", id)\n\t\t\t.executeTakeFirstOrThrow();\n\t\treturn rowToMenuItem(row);\n\t}\n\n\t/**\n\t * Update a menu item. Caller must ensure the item belongs to the menu —\n\t * the `where(\"menu_id\", \"=\", menuId)` guard prevents cross-menu writes.\n\t * Returns `null` if the item is not found within the menu.\n\t */\n\tasync updateItem(\n\t\tmenuId: string,\n\t\titemId: string,\n\t\tinput: UpdateMenuItemInput,\n\t): Promise<MenuItem | null> {\n\t\tconst existing = await this.db\n\t\t\t.selectFrom(\"_emdash_menu_items\")\n\t\t\t.select(\"id\")\n\t\t\t.where(\"id\", \"=\", itemId)\n\t\t\t.where(\"menu_id\", \"=\", menuId)\n\t\t\t.executeTakeFirst();\n\t\tif (!existing) return null;\n\n\t\tconst values: Record<string, unknown> = {};\n\t\tif (input.label !== undefined) values.label = input.label;\n\t\tif (input.customUrl !== undefined) values.custom_url = input.customUrl;\n\t\tif (input.target !== undefined) values.target = input.target;\n\t\tif (input.titleAttr !== undefined) values.title_attr = input.titleAttr;\n\t\tif (input.cssClasses !== undefined) values.css_classes = input.cssClasses;\n\t\tif (input.parentId !== undefined) values.parent_id = input.parentId;\n\t\tif (input.sortOrder !== undefined) values.sort_order = input.sortOrder;\n\n\t\tif (Object.keys(values).length > 0) {\n\t\t\tawait this.db\n\t\t\t\t.updateTable(\"_emdash_menu_items\")\n\t\t\t\t.set(values)\n\t\t\t\t.where(\"id\", \"=\", itemId)\n\t\t\t\t.execute();\n\t\t}\n\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"_emdash_menu_items\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", itemId)\n\t\t\t.executeTakeFirstOrThrow();\n\t\treturn rowToMenuItem(row);\n\t}\n\n\t/** Delete an item scoped to its menu. Returns false if nothing was deleted. */\n\tasync deleteItem(menuId: string, itemId: string): Promise<boolean> {\n\t\tconst result = await this.db\n\t\t\t.deleteFrom(\"_emdash_menu_items\")\n\t\t\t.where(\"id\", \"=\", itemId)\n\t\t\t.where(\"menu_id\", \"=\", menuId)\n\t\t\t.execute();\n\t\treturn result[0]?.numDeletedRows !== 0n;\n\t}\n\n\t/**\n\t * Atomic replace: delete every existing item and re-insert in order.\n\t * `parentIndex` (validated by the caller) is resolved against the live\n\t * insert order so children always reference real parent ids.\n\t *\n\t * Returns the count of inserted items (matches the existing handler API).\n\t */\n\tasync setItems(\n\t\tmenuId: string,\n\t\tlocale: string,\n\t\titems: SetMenuItem[],\n\t): Promise<{ itemCount: number }> {\n\t\tawait withTransaction(this.db, async (trx) => {\n\t\t\t// Re-check menu existence INSIDE the transaction. The handler\n\t\t\t// resolved by (name, locale) before this call; if a concurrent\n\t\t\t// menu_delete landed in between, inserting new items would\n\t\t\t// silently orphan them. The FK from migration 005 was removed\n\t\t\t// by migration 036 (#1021) and not restored, so nothing at the\n\t\t\t// schema level stops the orphans. Throw a MenuGoneError so the\n\t\t\t// rollback fires and the handler returns NOT_FOUND with the\n\t\t\t// original menu name in the message.\n\t\t\tconst stillThere = await trx\n\t\t\t\t.selectFrom(\"_emdash_menus\")\n\t\t\t\t.select(\"id\")\n\t\t\t\t.where(\"id\", \"=\", menuId)\n\t\t\t\t.executeTakeFirst();\n\t\t\tif (!stillThere) throw new MenuGoneError(menuId);\n\n\t\t\tawait trx.deleteFrom(\"_emdash_menu_items\").where(\"menu_id\", \"=\", menuId).execute();\n\n\t\t\tconst insertedIds: string[] = [];\n\t\t\tfor (let i = 0; i < items.length; i++) {\n\t\t\t\tconst item = items[i];\n\t\t\t\tif (!item) continue;\n\t\t\t\tconst id = ulid();\n\t\t\t\tconst parentId =\n\t\t\t\t\titem.parentIndex !== undefined ? (insertedIds[item.parentIndex] ?? null) : null;\n\t\t\t\tawait trx\n\t\t\t\t\t.insertInto(\"_emdash_menu_items\")\n\t\t\t\t\t.values({\n\t\t\t\t\t\tid,\n\t\t\t\t\t\tmenu_id: menuId,\n\t\t\t\t\t\tparent_id: parentId,\n\t\t\t\t\t\tsort_order: i,\n\t\t\t\t\t\ttype: item.type,\n\t\t\t\t\t\treference_collection: item.referenceCollection ?? null,\n\t\t\t\t\t\treference_id: item.referenceId ?? null,\n\t\t\t\t\t\tcustom_url: item.customUrl ?? null,\n\t\t\t\t\t\tlabel: item.label,\n\t\t\t\t\t\ttitle_attr: item.titleAttr ?? null,\n\t\t\t\t\t\ttarget: item.target ?? null,\n\t\t\t\t\t\tcss_classes: item.cssClasses ?? null,\n\t\t\t\t\t\tlocale,\n\t\t\t\t\t})\n\t\t\t\t\t.execute();\n\t\t\t\tinsertedIds.push(id);\n\t\t\t}\n\n\t\t\tawait trx\n\t\t\t\t.updateTable(\"_emdash_menus\")\n\t\t\t\t.set({ updated_at: new Date().toISOString() })\n\t\t\t\t.where(\"id\", \"=\", menuId)\n\t\t\t\t.execute();\n\t\t});\n\n\t\treturn { itemCount: items.length };\n\t}\n\n\t/**\n\t * Batch reorder items. Each entry is applied scoped to the menu so a\n\t * malicious payload cannot move foreign items into this menu's siblings.\n\t */\n\tasync reorderItems(menuId: string, items: ReorderItem[]): Promise<MenuItem[]> {\n\t\treturn withTransaction(this.db, async (trx) => {\n\t\t\tfor (const item of items) {\n\t\t\t\tawait trx\n\t\t\t\t\t.updateTable(\"_emdash_menu_items\")\n\t\t\t\t\t.set({ parent_id: item.parentId, sort_order: item.sortOrder })\n\t\t\t\t\t.where(\"id\", \"=\", item.id)\n\t\t\t\t\t.where(\"menu_id\", \"=\", menuId)\n\t\t\t\t\t.execute();\n\t\t\t}\n\n\t\t\tconst rows = await trx\n\t\t\t\t.selectFrom(\"_emdash_menu_items\")\n\t\t\t\t.selectAll()\n\t\t\t\t.where(\"menu_id\", \"=\", menuId)\n\t\t\t\t.orderBy(\"sort_order\", \"asc\")\n\t\t\t\t.execute();\n\t\t\treturn rows.map(rowToMenuItem);\n\t\t});\n\t}\n}\n","/**\n * Menu CRUD handlers.\n *\n * Business logic for menu and menu-item endpoints. Routes are thin wrappers\n * that parse input, check auth, and call these.\n *\n * i18n: Menus are per-locale. `(name, locale)` is unique, so the same `name`\n * (e.g. \"primary\") can exist in several locales within one translation_group.\n * Menu items carry a `locale` + `translation_group` as well, and their\n * `reference_id` points at the referenced content's translation_group (not a\n * specific row id), so a single menu item target survives content translations.\n */\n\nimport type { Kysely } from \"kysely\";\n\nimport {\n\tMenuGoneError,\n\tMenuRepository,\n\ttype CreateMenuItemInput as CreateMenuItemRepoInput,\n\ttype Menu,\n\ttype MenuItem,\n\ttype MenuListItem,\n\ttype MenuWithItems,\n\ttype SetMenuItem,\n\ttype UpdateMenuItemInput as UpdateMenuItemRepoInput,\n} from \"../../database/repositories/menu.js\";\nimport type { Database } from \"../../database/types.js\";\nimport { getI18nConfig } from \"../../i18n/config.js\";\nimport type { ApiResult } from \"../types.js\";\n\n// Re-export entity types so route files and tests can import them from the\n// handler module without having to know about the repository layout.\nexport type {\n\tMenu,\n\tMenuItem,\n\tMenuListItem,\n\tMenuTranslation,\n\tMenuWithItems,\n} from \"../../database/repositories/menu.js\";\n\nexport interface MenuTranslationsResponse {\n\ttranslationGroup: string | null;\n\ttranslations: Array<{\n\t\tid: string;\n\t\tname: string;\n\t\tlocale: string;\n\t\tlabel: string;\n\t\tupdatedAt: string;\n\t}>;\n}\n\n// ---------------------------------------------------------------------------\n// Internal helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Error returned when a menu lookup by `name` matches multiple locale\n * variants and the caller did not pass `locale` to disambiguate. Maps to\n * HTTP 400 via `mapErrorStatus`. The available locales are surfaced in the\n * message so MCP/REST callers can recover by re-issuing with `locale`.\n */\nfunction ambiguousMenuLocaleError(\n\tname: string,\n\tlocales: readonly string[],\n): { success: false; error: { code: \"AMBIGUOUS_LOCALE\"; message: string } } {\n\tconst sortedLocales = locales.toSorted();\n\treturn {\n\t\tsuccess: false,\n\t\terror: {\n\t\t\tcode: \"AMBIGUOUS_LOCALE\",\n\t\t\tmessage: `Menu '${name}' exists in multiple locales (${sortedLocales.join(\n\t\t\t\t\", \",\n\t\t\t)}); pass 'locale' to disambiguate.`,\n\t\t},\n\t};\n}\n\ntype ResolveMenuResult =\n\t| { success: true; menu: Menu }\n\t| { success: false; error: { code: \"NOT_FOUND\" | \"AMBIGUOUS_LOCALE\"; message: string } };\n\n/**\n * Resolve a menu by name + optional locale to a single Menu, surfacing the\n * canonical NOT_FOUND / AMBIGUOUS_LOCALE errors. Every item handler relies on\n * this to translate (name, locale) into an unambiguous menu row.\n */\nasync function resolveMenu(\n\trepo: MenuRepository,\n\tname: string,\n\toptions: { locale?: string },\n): Promise<ResolveMenuResult> {\n\tconst matches = await repo.findByName(name, options);\n\tif (matches.length === 0) {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"NOT_FOUND\",\n\t\t\t\tmessage: `Menu '${name}' not found${options.locale ? ` in locale '${options.locale}'` : \"\"}`,\n\t\t\t},\n\t\t};\n\t}\n\tif (matches.length > 1) {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: ambiguousMenuLocaleError(\n\t\t\t\tname,\n\t\t\t\tmatches.map((m) => m.locale),\n\t\t\t).error,\n\t\t};\n\t}\n\treturn { success: true, menu: matches[0] };\n}\n\n// ---------------------------------------------------------------------------\n// Menu handlers\n// ---------------------------------------------------------------------------\n\n/**\n * List menus with item counts. Filter by `locale` when provided.\n */\nexport async function handleMenuList(\n\tdb: Kysely<Database>,\n\toptions: { locale?: string } = {},\n): Promise<ApiResult<MenuListItem[]>> {\n\ttry {\n\t\tconst repo = new MenuRepository(db);\n\t\tconst items = await repo.findMany(options);\n\t\treturn { success: true, data: items };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: { code: \"MENU_LIST_ERROR\", message: \"Failed to fetch menus\" },\n\t\t};\n\t}\n}\n\n/**\n * Create a new menu. When `translationOf` is supplied the new menu joins the\n * source menu's translation_group (and gets the source's items cloned by the\n * repository).\n */\nexport async function handleMenuCreate(\n\tdb: Kysely<Database>,\n\tinput: { name: string; label: string; locale?: string; translationOf?: string },\n): Promise<ApiResult<Menu>> {\n\ttry {\n\t\t// Translating from a source menu only makes sense when the caller\n\t\t// names the target locale: otherwise we'd silently clone into the\n\t\t// configured default, which is almost never what's intended (and\n\t\t// will collide if the source is already the default-locale menu).\n\t\t// Enforced here so REST/SDK callers get the same guard as MCP.\n\t\tif (input.translationOf && !input.locale) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\tmessage: \"`locale` is required when `translationOf` is provided\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tconst repo = new MenuRepository(db);\n\n\t\t// Existence check up front so the repo's \"Source not found\" throw\n\t\t// becomes a clean NOT_FOUND on the API.\n\t\tif (input.translationOf) {\n\t\t\tconst source = await repo.findById(input.translationOf);\n\t\t\tif (!source) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: { code: \"NOT_FOUND\", message: \"Source menu for translation not found\" },\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\n\t\t// Duplicate guard: same (name, locale). Falls back to the configured\n\t\t// defaultLocale to match the column DEFAULT set by migration 036.\n\t\tconst effectiveLocale = input.locale ?? getI18nConfig()?.defaultLocale ?? \"en\";\n\t\tif (await repo.existsByNameAndLocale(input.name, effectiveLocale)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"CONFLICT\",\n\t\t\t\t\tmessage: `Menu \"${input.name}\" already exists${\n\t\t\t\t\t\tinput.locale ? ` in locale \"${input.locale}\"` : \"\"\n\t\t\t\t\t}`,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tconst menu = await repo.create(input);\n\t\treturn { success: true, data: menu };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: { code: \"MENU_CREATE_ERROR\", message: \"Failed to create menu\" },\n\t\t};\n\t}\n}\n\n/**\n * Get a single menu by name. Honours an optional `locale` filter; when two\n * menus share a name across locales, the locale distinguishes them.\n *\n * Historical behaviour: when `locale` is omitted, returns the lowest-locale\n * match (deterministic). Mirrors the pre-repo handler.\n */\nexport async function handleMenuGet(\n\tdb: Kysely<Database>,\n\tname: string,\n\toptions: { locale?: string } = {},\n): Promise<ApiResult<MenuWithItems>> {\n\ttry {\n\t\tconst repo = new MenuRepository(db);\n\t\tconst matches = await repo.findByName(name, options);\n\t\tif (matches.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: `Menu '${name}' not found` },\n\t\t\t};\n\t\t}\n\t\tconst menu = matches[0];\n\t\tconst items = await repo.findItems(menu.id);\n\t\treturn { success: true, data: { ...menu, items } };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: { code: \"MENU_GET_ERROR\", message: \"Failed to fetch menu\" },\n\t\t};\n\t}\n}\n\n/**\n * Get a menu by id. Useful when the caller already has the id (e.g. after\n * creating a translation and navigating to it).\n */\nexport async function handleMenuGetById(\n\tdb: Kysely<Database>,\n\tid: string,\n): Promise<ApiResult<MenuWithItems>> {\n\ttry {\n\t\tconst repo = new MenuRepository(db);\n\t\tconst menu = await repo.findWithItems(id);\n\t\tif (!menu) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: `Menu '${id}' not found` },\n\t\t\t};\n\t\t}\n\t\treturn { success: true, data: menu };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: { code: \"MENU_GET_ERROR\", message: \"Failed to fetch menu\" },\n\t\t};\n\t}\n}\n\n/**\n * Update a menu's label. The name + locale are immutable.\n */\nexport async function handleMenuUpdate(\n\tdb: Kysely<Database>,\n\tname: string,\n\tinput: { label?: string; locale?: string },\n): Promise<ApiResult<Menu>> {\n\ttry {\n\t\tconst repo = new MenuRepository(db);\n\t\tconst resolved = await resolveMenu(repo, name, { locale: input.locale });\n\t\tif (!resolved.success) return resolved;\n\t\tconst updated = await repo.update(resolved.menu.id, { label: input.label });\n\t\tif (!updated) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: `Menu '${name}' not found` },\n\t\t\t};\n\t\t}\n\t\treturn { success: true, data: updated };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: { code: \"MENU_UPDATE_ERROR\", message: \"Failed to update menu\" },\n\t\t};\n\t}\n}\n\n/**\n * Delete a menu (and its items, via the repository's explicit cleanup).\n */\nexport async function handleMenuDelete(\n\tdb: Kysely<Database>,\n\tname: string,\n\toptions: { locale?: string } = {},\n): Promise<ApiResult<{ deleted: true }>> {\n\ttry {\n\t\tconst repo = new MenuRepository(db);\n\t\tconst resolved = await resolveMenu(repo, name, options);\n\t\tif (!resolved.success) return resolved;\n\t\tawait repo.delete(resolved.menu.id);\n\t\treturn { success: true, data: { deleted: true } };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: { code: \"MENU_DELETE_ERROR\", message: \"Failed to delete menu\" },\n\t\t};\n\t}\n}\n\n/**\n * List every translation of a menu (by id or translation_group).\n */\nexport async function handleMenuTranslations(\n\tdb: Kysely<Database>,\n\tidOrGroup: string,\n): Promise<ApiResult<MenuTranslationsResponse>> {\n\ttry {\n\t\tconst repo = new MenuRepository(db);\n\t\tconst result = await repo.listTranslations(idOrGroup);\n\t\tif (!result) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"Menu not found\" },\n\t\t\t};\n\t\t}\n\t\treturn { success: true, data: result };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: { code: \"MENU_TRANSLATIONS_ERROR\", message: \"Failed to list menu translations\" },\n\t\t};\n\t}\n}\n\n// ---------------------------------------------------------------------------\n// Menu item handlers\n// ---------------------------------------------------------------------------\n\nexport type CreateMenuItemInput = CreateMenuItemRepoInput;\nexport type UpdateMenuItemInput = UpdateMenuItemRepoInput;\nexport type MenuSetItemsInput = SetMenuItem;\n\n/**\n * Add an item to a menu. The item inherits the menu's locale.\n */\nexport async function handleMenuItemCreate(\n\tdb: Kysely<Database>,\n\tmenuName: string,\n\tinput: CreateMenuItemInput,\n\toptions: { locale?: string } = {},\n): Promise<ApiResult<MenuItem>> {\n\ttry {\n\t\tconst repo = new MenuRepository(db);\n\t\tconst resolved = await resolveMenu(repo, menuName, options);\n\t\tif (!resolved.success) return resolved;\n\n\t\tconst item = await repo.createItem(resolved.menu.id, resolved.menu.locale, input);\n\t\treturn { success: true, data: item };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: { code: \"MENU_ITEM_CREATE_ERROR\", message: \"Failed to create menu item\" },\n\t\t};\n\t}\n}\n\n/**\n * Update a menu item.\n */\nexport async function handleMenuItemUpdate(\n\tdb: Kysely<Database>,\n\tmenuName: string,\n\titemId: string,\n\tinput: UpdateMenuItemInput,\n\toptions: { locale?: string } = {},\n): Promise<ApiResult<MenuItem>> {\n\ttry {\n\t\tconst repo = new MenuRepository(db);\n\t\tconst resolved = await resolveMenu(repo, menuName, options);\n\t\tif (!resolved.success) return resolved;\n\n\t\tconst updated = await repo.updateItem(resolved.menu.id, itemId, input);\n\t\tif (!updated) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"Menu item not found\" },\n\t\t\t};\n\t\t}\n\t\treturn { success: true, data: updated };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: { code: \"MENU_ITEM_UPDATE_ERROR\", message: \"Failed to update menu item\" },\n\t\t};\n\t}\n}\n\n/**\n * Delete a menu item.\n */\nexport async function handleMenuItemDelete(\n\tdb: Kysely<Database>,\n\tmenuName: string,\n\titemId: string,\n\toptions: { locale?: string } = {},\n): Promise<ApiResult<{ deleted: true }>> {\n\ttry {\n\t\tconst repo = new MenuRepository(db);\n\t\tconst resolved = await resolveMenu(repo, menuName, options);\n\t\tif (!resolved.success) return resolved;\n\n\t\tconst deleted = await repo.deleteItem(resolved.menu.id, itemId);\n\t\tif (!deleted) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"Menu item not found\" },\n\t\t\t};\n\t\t}\n\t\treturn { success: true, data: { deleted: true } };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: { code: \"MENU_ITEM_DELETE_ERROR\", message: \"Failed to delete menu item\" },\n\t\t};\n\t}\n}\n\nexport interface ReorderItem {\n\tid: string;\n\tparentId: string | null;\n\tsortOrder: number;\n}\n\n// ---------------------------------------------------------------------------\n// Atomic-replace menu items (used by the MCP `menu_set_items` tool and admin)\n// ---------------------------------------------------------------------------\n\n/**\n * Replace the entire set of items for a menu in one atomic transaction.\n *\n * Existing items are deleted and the new list is inserted in the order\n * provided. `parentIndex` references resolve to actual parent IDs as the\n * insert proceeds.\n */\nexport async function handleMenuSetItems(\n\tdb: Kysely<Database>,\n\tmenuName: string,\n\titems: MenuSetItemsInput[],\n\toptions: { locale?: string } = {},\n): Promise<ApiResult<{ name: string; itemCount: number }>> {\n\t// Validate parentIndex references — must be strictly earlier so the array\n\t// can be inserted in order with parents resolved first. Negative indices\n\t// are caught by Zod's `.nonnegative()` at the MCP boundary, but we guard\n\t// explicitly so REST routes / direct handler use get the same error.\n\tfor (let i = 0; i < items.length; i++) {\n\t\tconst item = items[i];\n\t\tif (item?.parentIndex !== undefined) {\n\t\t\tif (item.parentIndex < 0 || item.parentIndex >= i) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: {\n\t\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\t\tmessage: `item[${i}].parentIndex (${item.parentIndex}) must reference an earlier item`,\n\t\t\t\t\t},\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\t}\n\n\ttry {\n\t\tconst repo = new MenuRepository(db);\n\t\tconst resolved = await resolveMenu(repo, menuName, options);\n\t\tif (!resolved.success) return resolved;\n\n\t\tconst { itemCount } = await repo.setItems(resolved.menu.id, resolved.menu.locale, items);\n\t\treturn { success: true, data: { name: menuName, itemCount } };\n\t} catch (error) {\n\t\t// `MenuGoneError` is thrown from inside the repository transaction\n\t\t// when the menu was deleted concurrently between `resolveMenu` and the\n\t\t// setItems write. Returning NOT_FOUND mirrors the original handler's\n\t\t// in-transaction `notFoundSentinel` branch and keeps the response\n\t\t// shape stable for REST/MCP callers.\n\t\tif (error instanceof MenuGoneError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"NOT_FOUND\",\n\t\t\t\t\tmessage: `Menu '${menuName}' not found${\n\t\t\t\t\t\toptions.locale ? ` in locale '${options.locale}'` : \"\"\n\t\t\t\t\t}`,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\t\tconsole.error(\"[emdash] handleMenuSetItems failed:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: { code: \"MENU_SET_ITEMS_ERROR\", message: \"Failed to set menu items\" },\n\t\t};\n\t}\n}\n\n/**\n * Batch reorder menu items.\n */\nexport async function handleMenuItemReorder(\n\tdb: Kysely<Database>,\n\tmenuName: string,\n\titems: ReorderItem[],\n\toptions: { locale?: string } = {},\n): Promise<ApiResult<MenuItem[]>> {\n\ttry {\n\t\tconst repo = new MenuRepository(db);\n\t\tconst resolved = await resolveMenu(repo, menuName, options);\n\t\tif (!resolved.success) return resolved;\n\n\t\tconst updated = await repo.reorderItems(resolved.menu.id, items);\n\t\treturn { success: true, data: updated };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: { code: \"MENU_REORDER_ERROR\", message: \"Failed to reorder menu items\" },\n\t\t};\n\t}\n}\n"],"mappings":";;;;;;;;;;;;;AA4BA,IAAa,gBAAb,cAAmC,MAAM;CACxC,YAAY,AAAgB,QAAgB;AAC3C,QAAM,QAAQ,OAAO,mCAAmC;EAD7B;AAE3B,OAAK,OAAO;;;AA4Hd,SAAS,UAAU,KAAkC;AACpD,QAAO;EACN,IAAI,IAAI;EACR,MAAM,IAAI;EACV,OAAO,IAAI;EACX,WAAW,IAAI;EACf,WAAW,IAAI;EACf,QAAQ,IAAI;EACZ,kBAAkB,IAAI;EACtB;;AAGF,SAAS,cAAc,KAA0C;AAChE,QAAO;EACN,IAAI,IAAI;EACR,QAAQ,IAAI;EACZ,UAAU,IAAI;EACd,WAAW,IAAI;EACf,MAAM,IAAI;EACV,qBAAqB,IAAI;EACzB,aAAa,IAAI;EACjB,WAAW,IAAI;EACf,OAAO,IAAI;EACX,WAAW,IAAI;EACf,QAAQ,IAAI;EACZ,YAAY,IAAI;EAChB,WAAW,IAAI;EACf,QAAQ,IAAI;EACZ,kBAAkB,IAAI;EACtB;;AAOF,IAAa,iBAAb,MAA4B;CAC3B,YAAY,AAAQ,IAAsB;EAAtB;;;;;;;CASpB,MAAM,SAAS,UAA+B,EAAE,EAA2B;EAE1E,IAAI,QAAQ,KAAK,GACf,WAAW,qBAAqB,CAChC,SAAS,2BAA2B,aAAa,OAAO,CACxD,QAAQ,EAAE,SAAS;GACnB;GACA;GACA;GACA;GACA;GACA;GACA;GACA,GAAG,MAAc,OAAO,CAAC,GAAG,YAAY;GACxC,CAAC,CACD,QAAQ;GACR;GACA;GACA;GACA;GACA;GACA;GACA;GACA,CAAC,CACD,QAAQ,UAAU,MAAM;AAC1B,MAAI,QAAQ,WAAW,OAAW,SAAQ,MAAM,MAAM,YAAY,KAAK,QAAQ,OAAO;AAGtF,UAFa,MAAM,MAAM,SAAS,EAEtB,KAAK,SAAS;GAEzB,WAAW,OAAO,IAAI,cAAc,WAAW,OAAO,IAAI,UAAU,GAAG,IAAI;GAC3E,GAAG,UAAU;IACZ,IAAI,IAAI;IACR,MAAM,IAAI;IACV,OAAO,IAAI;IACX,YAAY,IAAI;IAChB,YAAY,IAAI;IAChB,QAAQ,IAAI;IACZ,mBAAmB,IAAI;IACvB,CAAC;GACF,EAAE;;;;;;;CAQJ,MAAM,WAAW,MAAc,UAA+B,EAAE,EAAmB;EAClF,IAAI,QAAQ,KAAK,GACf,WAAW,gBAAgB,CAC3B,WAAW,CACX,MAAM,QAAQ,KAAK,KAAK,CACxB,QAAQ,UAAU,MAAM;AAC1B,MAAI,QAAQ,WAAW,OAAW,SAAQ,MAAM,MAAM,UAAU,KAAK,QAAQ,OAAO;AAEpF,UADa,MAAM,MAAM,SAAS,EACtB,IAAI,UAAU;;CAG3B,MAAM,SAAS,IAAkC;EAChD,MAAM,MAAM,MAAM,KAAK,GACrB,WAAW,gBAAgB,CAC3B,WAAW,CACX,MAAM,MAAM,KAAK,GAAG,CACpB,kBAAkB;AACpB,SAAO,MAAM,UAAU,IAAI,GAAG;;;CAI/B,MAAM,cAAc,QAA+C;EAClE,MAAM,OAAO,MAAM,KAAK,SAAS,OAAO;AACxC,MAAI,CAAC,KAAM,QAAO;EAClB,MAAM,QAAQ,MAAM,KAAK,UAAU,OAAO;AAC1C,SAAO;GAAE,GAAG;GAAM;GAAO;;CAG1B,MAAM,UAAU,QAAqC;AAOpD,UANa,MAAM,KAAK,GACtB,WAAW,qBAAqB,CAChC,WAAW,CACX,MAAM,WAAW,KAAK,OAAO,CAC7B,QAAQ,cAAc,MAAM,CAC5B,SAAS,EACC,IAAI,cAAc;;;;;;CAO/B,MAAM,sBAAsB,MAAc,QAAkC;AAO3E,SANY,MAAM,KAAK,GACrB,WAAW,gBAAgB,CAC3B,OAAO,KAAK,CACZ,MAAM,QAAQ,KAAK,KAAK,CACxB,MAAM,UAAU,KAAK,OAAO,CAC5B,kBAAkB,KACL;;;;;;;;;;;CAYhB,MAAM,OAAO,OAAuC;EACnD,MAAM,KAAK,MAAM;EAEjB,IAAI,mBAA2B;EAC/B,IAAI,eAA8B;AAClC,MAAI,MAAM,eAAe;GACxB,MAAM,SAAS,MAAM,KAAK,SAAS,MAAM,cAAc;AACvD,OAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,wCAAwC;AACrE,sBAAmB,OAAO,oBAAoB,OAAO;AACrD,kBAAe,OAAO;;AAGvB,QAAM,gBAAgB,KAAK,IAAI,OAAO,QAAQ;AAC7C,SAAM,IACJ,WAAW,gBAAgB,CAC3B,OAAO;IACP;IACA,MAAM,MAAM;IACZ,OAAO,MAAM;IACb,GAAI,MAAM,WAAW,SAAY,EAAE,QAAQ,MAAM,QAAQ,GAAG,EAAE;IAC9D,mBAAmB;IACnB,CAAC,CACD,SAAS;AAEX,OAAI,cAAc;IACjB,MAAM,cAAc,MAAM,IACxB,WAAW,qBAAqB,CAChC,WAAW,CACX,MAAM,WAAW,KAAK,aAAa,CACnC,QAAQ,cAAc,MAAM,CAC5B,SAAS;AACX,QAAI,YAAY,SAAS,GAAG;KAE3B,MAAM,wBAAQ,IAAI,KAAqB;AACvC,UAAK,MAAM,QAAQ,YAAa,OAAM,IAAI,KAAK,IAAI,MAAM,CAAC;AAE1D,WAAM,IACJ,WAAW,qBAAqB,CAChC,OACA,YAAY,KAAK,UAAU;MAC1B,IAAI,MAAM,IAAI,KAAK,GAAG;MACtB,SAAS;MACT,WAAW,KAAK,YAAa,MAAM,IAAI,KAAK,UAAU,IAAI,OAAQ;MAClE,YAAY,KAAK;MACjB,MAAM,KAAK;MACX,sBAAsB,KAAK;MAC3B,cAAc,KAAK;MACnB,YAAY,KAAK;MACjB,OAAO,KAAK;MACZ,YAAY,KAAK;MACjB,QAAQ,KAAK;MACb,aAAa,KAAK;MAClB,GAAI,MAAM,WAAW,SAAY,EAAE,QAAQ,MAAM,QAAQ,GAAG,EAAE;MAC9D,mBAAmB,KAAK,qBAAqB,KAAK;MAClD,EAAE,CACH,CACA,SAAS;;;IAGZ;EAEF,MAAM,UAAU,MAAM,KAAK,SAAS,GAAG;AACvC,MAAI,CAAC,QAAS,OAAM,IAAI,MAAM,wBAAwB;AACtD,SAAO;;CAGR,MAAM,OAAO,IAAY,OAA8C;AAEtE,MAAI,CADa,MAAM,KAAK,SAAS,GAAG,CACzB,QAAO;EAEtB,MAAM,SAAkC,EAAE;AAC1C,MAAI,MAAM,UAAU,OAAW,QAAO,QAAQ,MAAM;AAEpD,MAAI,OAAO,KAAK,OAAO,CAAC,SAAS,EAChC,OAAM,KAAK,GAAG,YAAY,gBAAgB,CAAC,IAAI,OAAO,CAAC,MAAM,MAAM,KAAK,GAAG,CAAC,SAAS;AAGtF,SAAQ,MAAM,KAAK,SAAS,GAAG;;;;;;;;;;CAWhC,MAAM,OAAO,IAA8B;AAE1C,MAAI,CADa,MAAM,KAAK,SAAS,GAAG,CACzB,QAAO;AAEtB,QAAM,gBAAgB,KAAK,IAAI,OAAO,QAAQ;AAC7C,SAAM,IAAI,WAAW,qBAAqB,CAAC,MAAM,WAAW,KAAK,GAAG,CAAC,SAAS;AAC9E,SAAM,IAAI,WAAW,gBAAgB,CAAC,MAAM,MAAM,KAAK,GAAG,CAAC,SAAS;IACnE;AACF,SAAO;;;;;;;;CASR,MAAM,iBACL,WACuF;EACvF,MAAM,SAAS,MAAM,KAAK,GACxB,WAAW,gBAAgB,CAC3B,WAAW,CACX,OAAO,OAAO,GAAG,GAAG,CAAC,GAAG,MAAM,KAAK,UAAU,EAAE,GAAG,qBAAqB,KAAK,UAAU,CAAC,CAAC,CAAC,CACzF,kBAAkB;AACpB,MAAI,CAAC,OAAQ,QAAO;EAEpB,MAAM,QAAQ,OAAO,qBAAqB,OAAO;AAQjD,SAAO;GACN,kBAAkB;GAClB,eATY,MAAM,KAAK,GACtB,WAAW,gBAAgB,CAC3B,WAAW,CACX,MAAM,qBAAqB,KAAK,MAAM,CACtC,QAAQ,UAAU,MAAM,CACxB,SAAS,EAIS,KAAK,SAAS;IAChC,IAAI,IAAI;IACR,MAAM,IAAI;IACV,QAAQ,IAAI;IACZ,OAAO,IAAI;IACX,WAAW,IAAI;IACf,EAAE;GACH;;;;;;;;;;;CAcF,MAAM,WAAW,QAAgB,QAAgB,OAA+C;EAC/F,IAAI,YAAY,MAAM,aAAa;AACnC,MAAI,MAAM,cAAc,OAQvB,eAPiB,MAAM,KAAK,GAC1B,WAAW,qBAAqB,CAChC,QAAQ,EAAE,SAAS,GAAG,IAAI,aAAa,CAAC,GAAG,MAAM,CAAC,CAClD,MAAM,WAAW,KAAK,OAAO,CAC7B,MAAM,aAAa,MAAM,MAAM,YAAY,KAAK,CAChD,kBAAkB,GAEI,OAAkB,MAAM;EAGjD,MAAM,KAAK,MAAM;AACjB,QAAM,KAAK,GACT,WAAW,qBAAqB,CAChC,OAAO;GACP;GACA,SAAS;GACT,WAAW,MAAM,YAAY;GAC7B,YAAY;GACZ,MAAM,MAAM;GACZ,sBAAsB,MAAM,uBAAuB;GACnD,cAAc,MAAM,eAAe;GACnC,YAAY,MAAM,aAAa;GAC/B,OAAO,MAAM;GACb,YAAY,MAAM,aAAa;GAC/B,QAAQ,MAAM,UAAU;GACxB,aAAa,MAAM,cAAc;GACjC;GACA,mBAAmB;GACnB,CAAC,CACD,SAAS;AAOX,SAAO,cALK,MAAM,KAAK,GACrB,WAAW,qBAAqB,CAChC,WAAW,CACX,MAAM,MAAM,KAAK,GAAG,CACpB,yBAAyB,CACF;;;;;;;CAQ1B,MAAM,WACL,QACA,QACA,OAC2B;AAO3B,MAAI,CANa,MAAM,KAAK,GAC1B,WAAW,qBAAqB,CAChC,OAAO,KAAK,CACZ,MAAM,MAAM,KAAK,OAAO,CACxB,MAAM,WAAW,KAAK,OAAO,CAC7B,kBAAkB,CACL,QAAO;EAEtB,MAAM,SAAkC,EAAE;AAC1C,MAAI,MAAM,UAAU,OAAW,QAAO,QAAQ,MAAM;AACpD,MAAI,MAAM,cAAc,OAAW,QAAO,aAAa,MAAM;AAC7D,MAAI,MAAM,WAAW,OAAW,QAAO,SAAS,MAAM;AACtD,MAAI,MAAM,cAAc,OAAW,QAAO,aAAa,MAAM;AAC7D,MAAI,MAAM,eAAe,OAAW,QAAO,cAAc,MAAM;AAC/D,MAAI,MAAM,aAAa,OAAW,QAAO,YAAY,MAAM;AAC3D,MAAI,MAAM,cAAc,OAAW,QAAO,aAAa,MAAM;AAE7D,MAAI,OAAO,KAAK,OAAO,CAAC,SAAS,EAChC,OAAM,KAAK,GACT,YAAY,qBAAqB,CACjC,IAAI,OAAO,CACX,MAAM,MAAM,KAAK,OAAO,CACxB,SAAS;AAQZ,SAAO,cALK,MAAM,KAAK,GACrB,WAAW,qBAAqB,CAChC,WAAW,CACX,MAAM,MAAM,KAAK,OAAO,CACxB,yBAAyB,CACF;;;CAI1B,MAAM,WAAW,QAAgB,QAAkC;AAMlE,UALe,MAAM,KAAK,GACxB,WAAW,qBAAqB,CAChC,MAAM,MAAM,KAAK,OAAO,CACxB,MAAM,WAAW,KAAK,OAAO,CAC7B,SAAS,EACG,IAAI,mBAAmB;;;;;;;;;CAUtC,MAAM,SACL,QACA,QACA,OACiC;AACjC,QAAM,gBAAgB,KAAK,IAAI,OAAO,QAAQ;AAc7C,OAAI,CALe,MAAM,IACvB,WAAW,gBAAgB,CAC3B,OAAO,KAAK,CACZ,MAAM,MAAM,KAAK,OAAO,CACxB,kBAAkB,CACH,OAAM,IAAI,cAAc,OAAO;AAEhD,SAAM,IAAI,WAAW,qBAAqB,CAAC,MAAM,WAAW,KAAK,OAAO,CAAC,SAAS;GAElF,MAAM,cAAwB,EAAE;AAChC,QAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;IACtC,MAAM,OAAO,MAAM;AACnB,QAAI,CAAC,KAAM;IACX,MAAM,KAAK,MAAM;IACjB,MAAM,WACL,KAAK,gBAAgB,SAAa,YAAY,KAAK,gBAAgB,OAAQ;AAC5E,UAAM,IACJ,WAAW,qBAAqB,CAChC,OAAO;KACP;KACA,SAAS;KACT,WAAW;KACX,YAAY;KACZ,MAAM,KAAK;KACX,sBAAsB,KAAK,uBAAuB;KAClD,cAAc,KAAK,eAAe;KAClC,YAAY,KAAK,aAAa;KAC9B,OAAO,KAAK;KACZ,YAAY,KAAK,aAAa;KAC9B,QAAQ,KAAK,UAAU;KACvB,aAAa,KAAK,cAAc;KAChC;KACA,CAAC,CACD,SAAS;AACX,gBAAY,KAAK,GAAG;;AAGrB,SAAM,IACJ,YAAY,gBAAgB,CAC5B,IAAI,EAAE,6BAAY,IAAI,MAAM,EAAC,aAAa,EAAE,CAAC,CAC7C,MAAM,MAAM,KAAK,OAAO,CACxB,SAAS;IACV;AAEF,SAAO,EAAE,WAAW,MAAM,QAAQ;;;;;;CAOnC,MAAM,aAAa,QAAgB,OAA2C;AAC7E,SAAO,gBAAgB,KAAK,IAAI,OAAO,QAAQ;AAC9C,QAAK,MAAM,QAAQ,MAClB,OAAM,IACJ,YAAY,qBAAqB,CACjC,IAAI;IAAE,WAAW,KAAK;IAAU,YAAY,KAAK;IAAW,CAAC,CAC7D,MAAM,MAAM,KAAK,KAAK,GAAG,CACzB,MAAM,WAAW,KAAK,OAAO,CAC7B,SAAS;AASZ,WANa,MAAM,IACjB,WAAW,qBAAqB,CAChC,WAAW,CACX,MAAM,WAAW,KAAK,OAAO,CAC7B,QAAQ,cAAc,MAAM,CAC5B,SAAS,EACC,IAAI,cAAc;IAC7B;;;;;;;;;;;;;;;;;;;;;;;;;ACpkBJ,SAAS,yBACR,MACA,SAC2E;AAE3E,QAAO;EACN,SAAS;EACT,OAAO;GACN,MAAM;GACN,SAAS,SAAS,KAAK,gCALH,QAAQ,UAAU,CAK+B,KACpE,KACA,CAAC;GACF;EACD;;;;;;;AAYF,eAAe,YACd,MACA,MACA,SAC6B;CAC7B,MAAM,UAAU,MAAM,KAAK,WAAW,MAAM,QAAQ;AACpD,KAAI,QAAQ,WAAW,EACtB,QAAO;EACN,SAAS;EACT,OAAO;GACN,MAAM;GACN,SAAS,SAAS,KAAK,aAAa,QAAQ,SAAS,eAAe,QAAQ,OAAO,KAAK;GACxF;EACD;AAEF,KAAI,QAAQ,SAAS,EACpB,QAAO;EACN,SAAS;EACT,OAAO,yBACN,MACA,QAAQ,KAAK,MAAM,EAAE,OAAO,CAC5B,CAAC;EACF;AAEF,QAAO;EAAE,SAAS;EAAM,MAAM,QAAQ;EAAI;;;;;AAU3C,eAAsB,eACrB,IACA,UAA+B,EAAE,EACI;AACrC,KAAI;AAGH,SAAO;GAAE,SAAS;GAAM,MADV,MADD,IAAI,eAAe,GAAG,CACV,SAAS,QAAQ;GACL;SAC9B;AACP,SAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAmB,SAAS;IAAyB;GACpE;;;;;;;;AASH,eAAsB,iBACrB,IACA,OAC2B;AAC3B,KAAI;AAMH,MAAI,MAAM,iBAAiB,CAAC,MAAM,OACjC,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAGF,MAAM,OAAO,IAAI,eAAe,GAAG;AAInC,MAAI,MAAM,eAET;OAAI,CADW,MAAM,KAAK,SAAS,MAAM,cAAc,CAEtD,QAAO;IACN,SAAS;IACT,OAAO;KAAE,MAAM;KAAa,SAAS;KAAyC;IAC9E;;EAMH,MAAM,kBAAkB,MAAM,UAAU,eAAe,EAAE,iBAAiB;AAC1E,MAAI,MAAM,KAAK,sBAAsB,MAAM,MAAM,gBAAgB,CAChE,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS,SAAS,MAAM,KAAK,kBAC5B,MAAM,SAAS,eAAe,MAAM,OAAO,KAAK;IAEjD;GACD;AAIF,SAAO;GAAE,SAAS;GAAM,MADX,MAAM,KAAK,OAAO,MAAM;GACD;SAC7B;AACP,SAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAqB,SAAS;IAAyB;GACtE;;;;;;;;;;AAWH,eAAsB,cACrB,IACA,MACA,UAA+B,EAAE,EACG;AACpC,KAAI;EACH,MAAM,OAAO,IAAI,eAAe,GAAG;EACnC,MAAM,UAAU,MAAM,KAAK,WAAW,MAAM,QAAQ;AACpD,MAAI,QAAQ,WAAW,EACtB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS,SAAS,KAAK;IAAc;GACjE;EAEF,MAAM,OAAO,QAAQ;EACrB,MAAM,QAAQ,MAAM,KAAK,UAAU,KAAK,GAAG;AAC3C,SAAO;GAAE,SAAS;GAAM,MAAM;IAAE,GAAG;IAAM;IAAO;GAAE;SAC3C;AACP,SAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAkB,SAAS;IAAwB;GAClE;;;;;;AAiCH,eAAsB,iBACrB,IACA,MACA,OAC2B;AAC3B,KAAI;EACH,MAAM,OAAO,IAAI,eAAe,GAAG;EACnC,MAAM,WAAW,MAAM,YAAY,MAAM,MAAM,EAAE,QAAQ,MAAM,QAAQ,CAAC;AACxE,MAAI,CAAC,SAAS,QAAS,QAAO;EAC9B,MAAM,UAAU,MAAM,KAAK,OAAO,SAAS,KAAK,IAAI,EAAE,OAAO,MAAM,OAAO,CAAC;AAC3E,MAAI,CAAC,QACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS,SAAS,KAAK;IAAc;GACjE;AAEF,SAAO;GAAE,SAAS;GAAM,MAAM;GAAS;SAChC;AACP,SAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAqB,SAAS;IAAyB;GACtE;;;;;;AAOH,eAAsB,iBACrB,IACA,MACA,UAA+B,EAAE,EACO;AACxC,KAAI;EACH,MAAM,OAAO,IAAI,eAAe,GAAG;EACnC,MAAM,WAAW,MAAM,YAAY,MAAM,MAAM,QAAQ;AACvD,MAAI,CAAC,SAAS,QAAS,QAAO;AAC9B,QAAM,KAAK,OAAO,SAAS,KAAK,GAAG;AACnC,SAAO;GAAE,SAAS;GAAM,MAAM,EAAE,SAAS,MAAM;GAAE;SAC1C;AACP,SAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAqB,SAAS;IAAyB;GACtE;;;;;;AAOH,eAAsB,uBACrB,IACA,WAC+C;AAC/C,KAAI;EAEH,MAAM,SAAS,MADF,IAAI,eAAe,GAAG,CACT,iBAAiB,UAAU;AACrD,MAAI,CAAC,OACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAAkB;GACvD;AAEF,SAAO;GAAE,SAAS;GAAM,MAAM;GAAQ;SAC/B;AACP,SAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAA2B,SAAS;IAAoC;GACvF;;;;;;AAeH,eAAsB,qBACrB,IACA,UACA,OACA,UAA+B,EAAE,EACF;AAC/B,KAAI;EACH,MAAM,OAAO,IAAI,eAAe,GAAG;EACnC,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,QAAQ;AAC3D,MAAI,CAAC,SAAS,QAAS,QAAO;AAG9B,SAAO;GAAE,SAAS;GAAM,MADX,MAAM,KAAK,WAAW,SAAS,KAAK,IAAI,SAAS,KAAK,QAAQ,MAAM;GAC7C;SAC7B;AACP,SAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAA0B,SAAS;IAA8B;GAChF;;;;;;AAOH,eAAsB,qBACrB,IACA,UACA,QACA,OACA,UAA+B,EAAE,EACF;AAC/B,KAAI;EACH,MAAM,OAAO,IAAI,eAAe,GAAG;EACnC,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,QAAQ;AAC3D,MAAI,CAAC,SAAS,QAAS,QAAO;EAE9B,MAAM,UAAU,MAAM,KAAK,WAAW,SAAS,KAAK,IAAI,QAAQ,MAAM;AACtE,MAAI,CAAC,QACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAAuB;GAC5D;AAEF,SAAO;GAAE,SAAS;GAAM,MAAM;GAAS;SAChC;AACP,SAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAA0B,SAAS;IAA8B;GAChF;;;;;;AAOH,eAAsB,qBACrB,IACA,UACA,QACA,UAA+B,EAAE,EACO;AACxC,KAAI;EACH,MAAM,OAAO,IAAI,eAAe,GAAG;EACnC,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,QAAQ;AAC3D,MAAI,CAAC,SAAS,QAAS,QAAO;AAG9B,MAAI,CADY,MAAM,KAAK,WAAW,SAAS,KAAK,IAAI,OAAO,CAE9D,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAAuB;GAC5D;AAEF,SAAO;GAAE,SAAS;GAAM,MAAM,EAAE,SAAS,MAAM;GAAE;SAC1C;AACP,SAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAA0B,SAAS;IAA8B;GAChF;;;;;;;;;;AAqBH,eAAsB,mBACrB,IACA,UACA,OACA,UAA+B,EAAE,EACyB;AAK1D,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;EACtC,MAAM,OAAO,MAAM;AACnB,MAAI,MAAM,gBAAgB,QACzB;OAAI,KAAK,cAAc,KAAK,KAAK,eAAe,EAC/C,QAAO;IACN,SAAS;IACT,OAAO;KACN,MAAM;KACN,SAAS,QAAQ,EAAE,iBAAiB,KAAK,YAAY;KACrD;IACD;;;AAKJ,KAAI;EACH,MAAM,OAAO,IAAI,eAAe,GAAG;EACnC,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,QAAQ;AAC3D,MAAI,CAAC,SAAS,QAAS,QAAO;EAE9B,MAAM,EAAE,cAAc,MAAM,KAAK,SAAS,SAAS,KAAK,IAAI,SAAS,KAAK,QAAQ,MAAM;AACxF,SAAO;GAAE,SAAS;GAAM,MAAM;IAAE,MAAM;IAAU;IAAW;GAAE;UACrD,OAAO;AAMf,MAAI,iBAAiB,cACpB,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS,SAAS,SAAS,aAC1B,QAAQ,SAAS,eAAe,QAAQ,OAAO,KAAK;IAErD;GACD;AAEF,UAAQ,MAAM,uCAAuC,MAAM;AAC3D,SAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAA4B;GAC5E;;;;;;AAOH,eAAsB,sBACrB,IACA,UACA,OACA,UAA+B,EAAE,EACA;AACjC,KAAI;EACH,MAAM,OAAO,IAAI,eAAe,GAAG;EACnC,MAAM,WAAW,MAAM,YAAY,MAAM,UAAU,QAAQ;AAC3D,MAAI,CAAC,SAAS,QAAS,QAAO;AAG9B,SAAO;GAAE,SAAS;GAAM,MADR,MAAM,KAAK,aAAa,SAAS,KAAK,IAAI,MAAM;GACzB;SAChC;AACP,SAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAsB,SAAS;IAAgC;GAC9E"}

package/dist/mime-KV5TqkMN.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"mime-KV5TqkMN.mjs","names":[],"sources":["../src/media/mime.ts"],"sourcesContent":["export function normalizeMime(mime: string): string {\n\treturn mime.split(\";\")[0]!.trim().toLowerCase();\n}\n\nexport function matchesMimeAllowlist(mime: string, allowList: readonly string[]): boolean {\n\tconst normalized = normalizeMime(mime);\n\tfor (const entry of allowList) {\n\t\tif (!entry \|\| !entry.includes(\"/\")) continue;\n\t\tconst normalizedEntry = normalizeMime(entry);\n\t\tif (normalizedEntry.endsWith(\"/\")) {\n\t\t\tif (normalized.startsWith(normalizedEntry)) return true;\n\t\t} else if (normalized === normalizedEntry) {\n\t\t\treturn true;\n\t\t}\n\t}\n\treturn false;\n}\n\nexport const EXTENSION_TO_MIME: Readonly<Record<string, string>> = {\n\t\".pdf\": \"application/pdf\",\n\t\".png\": \"image/png\",\n\t\".jpg\": \"image/jpeg\",\n\t\".jpeg\": \"image/jpeg\",\n\t\".gif\": \"image/gif\",\n\t\".webp\": \"image/webp\",\n\t\".svg\": \"image/svg+xml\",\n\t\".mp3\": \"audio/mpeg\",\n\t\".wav\": \"audio/wav\",\n\t\".mp4\": \"video/mp4\",\n\t\".webm\": \"video/webm\",\n\t\".zip\": \"application/zip\",\n\t\".tar\": \"application/x-tar\",\n\t\".gz\": \"application/gzip\",\n\t\".csv\": \"text/csv\",\n\t\".doc\": \"application/msword\",\n\t\".docx\": \"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\n\t\".xls\": \"application/vnd.ms-excel\",\n\t\".xlsx\": \"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\",\n\t\".txt\": \"text/plain\",\n\t\".rtf\": \"application/rtf\",\n\t\".vtt\": \"text/vtt\",\n\t\".srt\": \"application/x-subrip\",\n\t\".woff\": \"font/woff\",\n\t\".woff2\": \"font/woff2\",\n};\n\nconst VALID_MIME_RE = /^[a-z0-9][a-z0-9!#$&^_+\\-.]\\/[a-z0-9!#$&^_+\\-.]$/i;\n\nexport function expandExtensionShorthand(entry: string): string \| null {\n\tconst trimmed = entry.trim();\n\tif (!trimmed) return null;\n\tif (trimmed.includes(\"/\")) return VALID_MIME_RE.test(trimmed) ? trimmed : null;\n\tif (trimmed.startsWith(\".\")) {\n\t\treturn EXTENSION_TO_MIME[trimmed.toLowerCase()] ?? null;\n\t}\n\treturn null;\n}\n\n/*\n Extract the `allowedMimeTypes` list from a `_emdash_fields.validation` row\n * (raw JSON string). Returns null when the value is missing, malformed, or the\n * list is empty — callers treat that as \"no field-specific constraint\".\n */\nexport function parseAllowedMimeTypes(rawValidation: string \| null \| undefined): string[] \| null {\n\tif (!rawValidation) return null;\n\ttry {\n\t\tconst parsed: unknown = JSON.parse(rawValidation);\n\t\tif (typeof parsed !== \"object\" \|\| parsed === null) return null;\n\t\tconst list = (parsed as { allowedMimeTypes?: unknown }).allowedMimeTypes;\n\t\tif (!Array.isArray(list) \|\| list.length === 0) return null;\n\t\treturn list.filter((entry): entry is string => typeof entry === \"string\");\n\t} catch {\n\t\treturn null;\n\t}\n}\n"],"mappings":";AAAA,SAAgB,cAAc,MAAsB;AACnD,QAAO,KAAK,MAAM,IAAI,CAAC,~~GAAI~~,MAAM,CAAC,aAAa;;~~AAGhD~~,SAAgB,qBAAqB,MAAc,WAAuC;CACzF,MAAM,aAAa,cAAc,KAAK;AACtC,MAAK,MAAM,SAAS,WAAW;AAC9B,MAAI,CAAC,SAAS,CAAC,MAAM,SAAS,IAAI,CAAE;EACpC,MAAM,kBAAkB,cAAc,MAAM;AAC5C,MAAI,gBAAgB,SAAS,IAAI,EAChC;OAAI,WAAW,WAAW,gBAAgB,CAAE,QAAO;aACzC,eAAe,gBACzB,QAAO;;AAGT,QAAO;;;;;;;AAgDR,SAAgB,sBAAsB,eAA2D;AAChG,KAAI,CAAC,cAAe,QAAO;AAC3B,KAAI;EACH,MAAM,SAAkB,KAAK,MAAM,cAAc;AACjD,MAAI,OAAO,WAAW,YAAY,WAAW,KAAM,QAAO;EAC1D,MAAM,OAAQ,OAA0C;AACxD,MAAI,CAAC,MAAM,QAAQ,KAAK,IAAI,KAAK,WAAW,EAAG,QAAO;AACtD,SAAO,KAAK,QAAQ,UAA2B,OAAO,UAAU,SAAS;SAClE;AACP,SAAO"}
1	+ {"version":3,"file":"mime-KV5TqkMN.mjs","names":[],"sources":["../src/media/mime.ts"],"sourcesContent":["export function normalizeMime(mime: string): string {\n\treturn mime.split(\";\")[0].trim().toLowerCase();\n}\n\nexport function matchesMimeAllowlist(mime: string, allowList: readonly string[]): boolean {\n\tconst normalized = normalizeMime(mime);\n\tfor (const entry of allowList) {\n\t\tif (!entry \|\| !entry.includes(\"/\")) continue;\n\t\tconst normalizedEntry = normalizeMime(entry);\n\t\tif (normalizedEntry.endsWith(\"/\")) {\n\t\t\tif (normalized.startsWith(normalizedEntry)) return true;\n\t\t} else if (normalized === normalizedEntry) {\n\t\t\treturn true;\n\t\t}\n\t}\n\treturn false;\n}\n\nexport const EXTENSION_TO_MIME: Readonly<Record<string, string>> = {\n\t\".pdf\": \"application/pdf\",\n\t\".png\": \"image/png\",\n\t\".jpg\": \"image/jpeg\",\n\t\".jpeg\": \"image/jpeg\",\n\t\".gif\": \"image/gif\",\n\t\".webp\": \"image/webp\",\n\t\".svg\": \"image/svg+xml\",\n\t\".mp3\": \"audio/mpeg\",\n\t\".wav\": \"audio/wav\",\n\t\".mp4\": \"video/mp4\",\n\t\".webm\": \"video/webm\",\n\t\".zip\": \"application/zip\",\n\t\".tar\": \"application/x-tar\",\n\t\".gz\": \"application/gzip\",\n\t\".csv\": \"text/csv\",\n\t\".doc\": \"application/msword\",\n\t\".docx\": \"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\n\t\".xls\": \"application/vnd.ms-excel\",\n\t\".xlsx\": \"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\",\n\t\".txt\": \"text/plain\",\n\t\".rtf\": \"application/rtf\",\n\t\".vtt\": \"text/vtt\",\n\t\".srt\": \"application/x-subrip\",\n\t\".woff\": \"font/woff\",\n\t\".woff2\": \"font/woff2\",\n};\n\nconst VALID_MIME_RE = /^[a-z0-9][a-z0-9!#$&^_+\\-.]\\/[a-z0-9!#$&^_+\\-.]$/i;\n\nexport function expandExtensionShorthand(entry: string): string \| null {\n\tconst trimmed = entry.trim();\n\tif (!trimmed) return null;\n\tif (trimmed.includes(\"/\")) return VALID_MIME_RE.test(trimmed) ? trimmed : null;\n\tif (trimmed.startsWith(\".\")) {\n\t\treturn EXTENSION_TO_MIME[trimmed.toLowerCase()] ?? null;\n\t}\n\treturn null;\n}\n\n/*\n Extract the `allowedMimeTypes` list from a `_emdash_fields.validation` row\n * (raw JSON string). Returns null when the value is missing, malformed, or the\n * list is empty — callers treat that as \"no field-specific constraint\".\n */\nexport function parseAllowedMimeTypes(rawValidation: string \| null \| undefined): string[] \| null {\n\tif (!rawValidation) return null;\n\ttry {\n\t\tconst parsed: unknown = JSON.parse(rawValidation);\n\t\tif (typeof parsed !== \"object\" \|\| parsed === null) return null;\n\t\tconst list = (parsed as { allowedMimeTypes?: unknown }).allowedMimeTypes;\n\t\tif (!Array.isArray(list) \|\| list.length === 0) return null;\n\t\treturn list.filter((entry): entry is string => typeof entry === \"string\");\n\t} catch {\n\t\treturn null;\n\t}\n}\n"],"mappings":";AAAA,SAAgB,cAAc,MAAsB;AACnD,QAAO,KAAK,MAAM,IAAI,CAAC,GAAG,MAAM,CAAC,aAAa;;AAG/C,SAAgB,qBAAqB,MAAc,WAAuC;CACzF,MAAM,aAAa,cAAc,KAAK;AACtC,MAAK,MAAM,SAAS,WAAW;AAC9B,MAAI,CAAC,SAAS,CAAC,MAAM,SAAS,IAAI,CAAE;EACpC,MAAM,kBAAkB,cAAc,MAAM;AAC5C,MAAI,gBAAgB,SAAS,IAAI,EAChC;OAAI,WAAW,WAAW,gBAAgB,CAAE,QAAO;aACzC,eAAe,gBACzB,QAAO;;AAGT,QAAO;;;;;;;AAgDR,SAAgB,sBAAsB,eAA2D;AAChG,KAAI,CAAC,cAAe,QAAO;AAC3B,KAAI;EACH,MAAM,SAAkB,KAAK,MAAM,cAAc;AACjD,MAAI,OAAO,WAAW,YAAY,WAAW,KAAM,QAAO;EAC1D,MAAM,OAAQ,OAA0C;AACxD,MAAI,CAAC,MAAM,QAAQ,KAAK,IAAI,KAAK,WAAW,EAAG,QAAO;AACtD,SAAO,KAAK,QAAQ,UAA2B,OAAO,UAAU,SAAS;SAClE;AACP,SAAO"}

package/dist/{mode-DPRPvJYm.mjs → mode-CaaiebZI.mjs} RENAMED Viewed

@@ -20,4 +20,4 @@ function getAuthMode(config) {
 //#endregion
 export { getAuthMode as t };
-//# sourceMappingURL=mode-DPRPvJYm.mjs.map
+//# sourceMappingURL=mode-CaaiebZI.mjs.map

package/dist/{mode-DPRPvJYm.mjs.map → mode-CaaiebZI.mjs.map} RENAMED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"mode-~~DPRPvJYm~~.mjs","names":[],"sources":["../src/auth/mode.ts"],"sourcesContent":["/*\n Auth Mode Detection\n \n Determines which authentication provider is active based on config.\n * Supports both passkey (default) and external auth providers via AuthDescriptor.\n /\n\nimport type { EmDashConfig } from \"../astro/integration/runtime.js\";\nimport type {\n\tAuthDescriptor,\n\tAuthProviderDescriptor,\n\tAuthRouteDescriptor,\n\tAuthResult,\n\tExternalAuthConfig,\n} from \"./types.js\";\n\nexport type {\n\tAuthDescriptor,\n\tAuthProviderDescriptor,\n\tAuthRouteDescriptor,\n\tAuthResult,\n\tExternalAuthConfig,\n};\n\n/\n Passkey auth mode (default)\n /\nexport interface PasskeyAuthMode {\n\ttype: \"passkey\";\n}\n\n/\n External auth provider mode (Cloudflare Access, etc.)\n /\nexport interface ExternalAuthMode {\n\ttype: \"external\";\n\t/* Provider type identifier (e.g., \"cloudflare-access\") /\n\tproviderType: string;\n\t/* Module to import for authentication /\n\tentrypoint: string;\n\t/* Provider-specific configuration /\n\tconfig: unknown;\n}\n\n/\n Union of all auth modes\n /\nexport type AuthMode = PasskeyAuthMode \| ExternalAuthMode;\n\n/\n Extended config type with auth.\n \n This is the same as `EmDashConfig` with an optional `auth` field.\n * Kept for backwards compatibility — prefer `EmDashConfig` in new code\n * since `getAuthMode` now accepts `EmDashConfig` directly.\n /\nexport interface EmDashConfigWithAuth extends EmDashConfig {\n\tauth?: AuthDescriptor;\n}\n\n/\n Determine the active auth mode from config.\n \n Accepts `EmDashConfig` (or subtype) — checks for `auth` field via duck typing.\n \n @param config EmDash configuration\n * @returns The active auth mode\n /\nexport function getAuthMode(\n\tconfig: (EmDashConfig & { auth?: AuthDescriptor }) \| null \| undefined,\n): AuthMode {\n\tconst auth = config?.auth;\n\n\t// Check for AuthDescriptor (transparent external auth like Cloudflare Access)\n\tif (auth && \"entrypoint\" in auth && auth.entrypoint) {\n\t\treturn {\n\t\t\ttype: \"external\",\n\t\t\tproviderType: auth.type,\n\t\t\tentrypoint: auth.entrypoint,\n\t\t\tconfig: auth.config,\n\t\t};\n\t}\n\n\t// Default to passkey\n\treturn { type: \"passkey\" };\n}\n\n/\n Check if an external auth provider is active\n /\nexport function isExternalAuthEnabled(\n\tconfig: (EmDashConfig & { auth?: AuthDescriptor }) \| null \| undefined,\n): boolean {\n\treturn getAuthMode(config).type === \"external\";\n}\n\n/\n Get external auth config if enabled\n */\nexport function getExternalAuthConfig(\n\tconfig: (EmDashConfig & { auth?: AuthDescriptor }) \| null \| undefined,\n): ExternalAuthMode \| null {\n\tconst mode = getAuthMode(config);\n\tif (mode.type === \"external\") {\n\t\treturn mode;\n\t}\n\treturn null;\n}\n"],"mappings":";;;;;;;;;AAoEA,SAAgB,YACf,QACW;CACX,MAAM,OAAO,QAAQ;AAGrB,KAAI,QAAQ,gBAAgB,QAAQ,KAAK,WACxC,QAAO;EACN,MAAM;EACN,cAAc,KAAK;EACnB,YAAY,KAAK;EACjB,QAAQ,KAAK;EACb;AAIF,QAAO,EAAE,MAAM,WAAW"}
1	+ {"version":3,"file":"mode-CaaiebZI.mjs","names":[],"sources":["../src/auth/mode.ts"],"sourcesContent":["/*\n Auth Mode Detection\n \n Determines which authentication provider is active based on config.\n * Supports both passkey (default) and external auth providers via AuthDescriptor.\n /\n\nimport type { EmDashConfig } from \"../astro/integration/runtime.js\";\nimport type {\n\tAuthDescriptor,\n\tAuthProviderDescriptor,\n\tAuthRouteDescriptor,\n\tAuthResult,\n\tExternalAuthConfig,\n} from \"./types.js\";\n\nexport type {\n\tAuthDescriptor,\n\tAuthProviderDescriptor,\n\tAuthRouteDescriptor,\n\tAuthResult,\n\tExternalAuthConfig,\n};\n\n/\n Passkey auth mode (default)\n /\nexport interface PasskeyAuthMode {\n\ttype: \"passkey\";\n}\n\n/\n External auth provider mode (Cloudflare Access, etc.)\n /\nexport interface ExternalAuthMode {\n\ttype: \"external\";\n\t/* Provider type identifier (e.g., \"cloudflare-access\") /\n\tproviderType: string;\n\t/* Module to import for authentication /\n\tentrypoint: string;\n\t/* Provider-specific configuration /\n\tconfig: unknown;\n}\n\n/\n Union of all auth modes\n /\nexport type AuthMode = PasskeyAuthMode \| ExternalAuthMode;\n\n/\n Extended config type with auth.\n \n This is the same as `EmDashConfig` with an optional `auth` field.\n * Kept for backwards compatibility — prefer `EmDashConfig` in new code\n * since `getAuthMode` now accepts `EmDashConfig` directly.\n /\nexport interface EmDashConfigWithAuth extends EmDashConfig {\n\tauth?: AuthDescriptor;\n}\n\n/\n Determine the active auth mode from config.\n \n Accepts `EmDashConfig` (or subtype) — checks for `auth` field via duck typing.\n \n @param config EmDash configuration\n * @returns The active auth mode\n /\nexport function getAuthMode(\n\tconfig: (EmDashConfig & { auth?: AuthDescriptor }) \| null \| undefined,\n): AuthMode {\n\tconst auth = config?.auth;\n\n\t// Check for AuthDescriptor (transparent external auth like Cloudflare Access)\n\tif (auth && \"entrypoint\" in auth && auth.entrypoint) {\n\t\treturn {\n\t\t\ttype: \"external\",\n\t\t\tproviderType: auth.type,\n\t\t\tentrypoint: auth.entrypoint,\n\t\t\tconfig: auth.config,\n\t\t};\n\t}\n\n\t// Default to passkey\n\treturn { type: \"passkey\" };\n}\n\n/\n Check if an external auth provider is active\n /\nexport function isExternalAuthEnabled(\n\tconfig: (EmDashConfig & { auth?: AuthDescriptor }) \| null \| undefined,\n): boolean {\n\treturn getAuthMode(config).type === \"external\";\n}\n\n/\n Get external auth config if enabled\n */\nexport function getExternalAuthConfig(\n\tconfig: (EmDashConfig & { auth?: AuthDescriptor }) \| null \| undefined,\n): ExternalAuthMode \| null {\n\tconst mode = getAuthMode(config);\n\tif (mode.type === \"external\") {\n\t\treturn mode;\n\t}\n\treturn null;\n}\n"],"mappings":";;;;;;;;;AAoEA,SAAgB,YACf,QACW;CACX,MAAM,OAAO,QAAQ;AAGrB,KAAI,QAAQ,gBAAgB,QAAQ,KAAK,WACxC,QAAO;EACN,MAAM;EACN,cAAc,KAAK;EACnB,YAAY,KAAK;EACjB,QAAQ,KAAK;EACb;AAIF,QAAO,EAAE,MAAM,WAAW"}

package/dist/{oauth-authorization-62GmpGIH.mjs → oauth-authorization-CTMeVfvj.mjs} RENAMED Viewed

@@ -1,7 +1,7 @@
 import { t as withTransaction } from "./transaction-NQj4VJ7Z.mjs";
-import { a as hashApiToken, n as VALID_SCOPES, r as generatePrefixedToken, t as TOKEN_PREFIXES } from "./api-tokens-D3C9v02m.mjs";
-import { c as validateRedirectUri, o as lookupOAuthClient, s as validateClientRedirectUri } from "./oauth-clients-D_B0_-Bz.mjs";
-import { t as lookupUserRoleAndStatus } from "./oauth-user-lookup-meyS2oB1.mjs";
+import { a as hashApiToken, n as VALID_SCOPES, r as generatePrefixedToken, t as TOKEN_PREFIXES } from "./api-tokens-iPIHAY8N.mjs";
+import { c as validateRedirectUri, o as lookupOAuthClient, s as validateClientRedirectUri } from "./oauth-clients-eJCbkVSG.mjs";
+import { t as lookupUserRoleAndStatus } from "./oauth-user-lookup-3JwsVw6N.mjs";
 import { clampScopes, computeS256Challenge, secureCompare } from "@emdash-cms/auth";
 import { generateCodeVerifier } from "arctic";
@@ -272,4 +272,4 @@ function buildDeniedRedirect(redirectUri, state) {
 //#endregion
 export { handleAuthorizationApproval as n, handleAuthorizationCodeExchange as r, buildDeniedRedirect as t };
-//# sourceMappingURL=oauth-authorization-62GmpGIH.mjs.map
+//# sourceMappingURL=oauth-authorization-CTMeVfvj.mjs.map

package/dist/{oauth-authorization-62GmpGIH.mjs.map → oauth-authorization-CTMeVfvj.mjs.map} RENAMED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"oauth-authorization-62GmpGIH.mjs","names":[],"sources":["../src/api/handlers/oauth-authorization.ts"],"sourcesContent":["/*\n OAuth 2.1 Authorization Code + PKCE handlers.\n \n Implements the server side of the authorization code grant for MCP clients\n * (Claude Desktop, VS Code, etc.) per the MCP authorization spec (draft).\n \n Uses arctic for PKCE challenge generation and @emdash-cms/auth for token\n * utilities. Token infrastructure is shared with the device flow.\n /\n\nimport { clampScopes, computeS256Challenge, secureCompare } from \"@emdash-cms/auth\";\nimport type { RoleLevel } from \"@emdash-cms/auth\";\nimport { generateCodeVerifier } from \"arctic\";\nimport type { Kysely } from \"kysely\";\n\nimport {\n\tgeneratePrefixedToken,\n\thashApiToken,\n\tTOKEN_PREFIXES,\n\tVALID_SCOPES,\n} from \"../../auth/api-tokens.js\";\nimport { withTransaction } from \"../../database/transaction.js\";\nimport type { Database } from \"../../database/types.js\";\nimport { validateRedirectUri } from \"../oauth/redirect-uri.js\";\nimport type { ApiResult } from \"../types.js\";\nimport { lookupOAuthClient, validateClientRedirectUri } from \"./oauth-clients.js\";\nimport { lookupUserRoleAndStatus } from \"./oauth-user-lookup.js\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/* Authorization codes expire after 10 minutes (RFC 6749 §4.1.2 recommends short-lived) /\nconst AUTH_CODE_TTL_SECONDS = 10 60;\n\n/** Access token TTL: 1 hour /\nconst ACCESS_TOKEN_TTL_SECONDS = 60 60;\n\n/** Refresh token TTL: 90 days /\nconst REFRESH_TOKEN_TTL_SECONDS = 90 24 * 60 * 60;\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface AuthorizationParams {\n\tresponse_type: string;\n\tclient_id: string;\n\tredirect_uri: string;\n\tscope?: string;\n\tstate?: string;\n\tcode_challenge: string;\n\tcode_challenge_method: string;\n\tresource?: string;\n}\n\nexport interface TokenExchangeParams {\n\tgrant_type: string;\n\tcode: string;\n\tredirect_uri: string;\n\tclient_id: string;\n\tcode_verifier: string;\n\tresource?: string;\n}\n\nexport interface TokenResponse {\n\taccess_token: string;\n\trefresh_token: string;\n\ttoken_type: \"Bearer\";\n\texpires_in: number;\n\tscope: string;\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\nfunction expiresAt(seconds: number): string {\n\treturn new Date(Date.now() + seconds * 1000).toISOString();\n}\n\nexport { validateRedirectUri };\n\n/*\n Validate and normalize scopes. Returns validated scope list.\n /\nfunction normalizeScopes(requested?: string): string[] {\n\tif (!requested) return [];\n\n\tconst validSet = new Set<string>(VALID_SCOPES);\n\tconst scopes = requested\n\t\t.split(\" \")\n\t\t.filter(Boolean)\n\t\t.filter((s) => validSet.has(s));\n\n\treturn scopes;\n}\n\n// ---------------------------------------------------------------------------\n// Handlers\n// ---------------------------------------------------------------------------\n\n/\n Process an authorization request after the user approves consent.\n \n Generates an authorization code, stores it with the PKCE challenge,\n * and returns the redirect URL with the code appended.\n \n Scopes are clamped to the user's role to prevent scope escalation.\n /\nexport async function handleAuthorizationApproval(\n\tdb: Kysely<Database>,\n\tuserId: string,\n\tuserRole: RoleLevel,\n\tparams: AuthorizationParams,\n): Promise<ApiResult<{ redirect_url: string }>> {\n\ttry {\n\t\t// Validate response_type\n\t\tif (params.response_type !== \"code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"UNSUPPORTED_RESPONSE_TYPE\",\n\t\t\t\t\tmessage: \"Only response_type=code is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri scheme/host (basic security check)\n\t\tconst uriError = validateRedirectUri(params.redirect_uri);\n\t\tif (uriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: uriError },\n\t\t\t};\n\t\t}\n\n\t\t// Look up the registered OAuth client\n\t\tconst client = await lookupOAuthClient(db, params.client_id);\n\t\tif (!client) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_CLIENT\",\n\t\t\t\t\tmessage: \"Unknown client_id\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri against client's registered URIs\n\t\tconst clientUriError = validateClientRedirectUri(params.redirect_uri, client.redirectUris);\n\t\tif (clientUriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: clientUriError },\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge_method\n\t\tif (params.code_challenge_method !== \"S256\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_REQUEST\",\n\t\t\t\t\tmessage: \"Only S256 code_challenge_method is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge is present\n\t\tif (!params.code_challenge) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REQUEST\", message: \"code_challenge is required\" },\n\t\t\t};\n\t\t}\n\n\t\t// Validate scopes, then clamp to user's role\n\t\tconst userScopes = clampScopes(normalizeScopes(params.scope), userRole);\n\n\t\t// SEC-41: Intersect with client's registered scopes (if restricted).\n\t\t// A client registered with scopes: [\"content:read\"] should never receive\n\t\t// admin or schema:write, regardless of the approving user's role.\n\t\tconst clientScopes = client.scopes;\n\t\tconst scopes = clientScopes?.length\n\t\t\t? userScopes.filter((s: string) => clientScopes.includes(s))\n\t\t\t: userScopes;\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_SCOPE\", message: \"No valid scopes requested\" },\n\t\t\t};\n\t\t}\n\n\t\t// Generate authorization code (high entropy, base64url)\n\t\tconst code = generateCodeVerifier(); // 32 bytes random, base64url\n\t\tconst codeHash = hashApiToken(code);\n\n\t\t// Store the authorization code\n\t\tawait db\n\t\t\t.insertInto(\"_emdash_authorization_codes\")\n\t\t\t.values({\n\t\t\t\tcode_hash: codeHash,\n\t\t\t\tclient_id: params.client_id,\n\t\t\t\tredirect_uri: params.redirect_uri,\n\t\t\t\tuser_id: userId,\n\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\tcode_challenge: params.code_challenge,\n\t\t\t\tcode_challenge_method: params.code_challenge_method,\n\t\t\t\tresource: params.resource ?? null,\n\t\t\t\texpires_at: expiresAt(AUTH_CODE_TTL_SECONDS),\n\t\t\t})\n\t\t\t.execute();\n\n\t\t// Build the redirect URL\n\t\tconst redirectUrl = new URL(params.redirect_uri);\n\t\tredirectUrl.searchParams.set(\"code\", code);\n\t\tif (params.state) {\n\t\t\tredirectUrl.searchParams.set(\"state\", params.state);\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: { redirect_url: redirectUrl.toString() },\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Authorization error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"AUTHORIZATION_ERROR\",\n\t\t\t\tmessage: \"Failed to process authorization\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/\n Exchange an authorization code for access + refresh tokens.\n \n Validates the code, verifies PKCE, and issues tokens using the same\n * infrastructure as the device flow (ec_oat_, ec_ort_).\n /\nexport async function handleAuthorizationCodeExchange(\n\tdb: Kysely<Database>,\n\tparams: TokenExchangeParams,\n): Promise<ApiResult<TokenResponse>> {\n\ttry {\n\t\t// Validate grant_type\n\t\tif (params.grant_type !== \"authorization_code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"unsupported_grant_type\", message: \"Invalid grant_type\" },\n\t\t\t};\n\t\t}\n\n\t\t// SEC-39: Atomically consume the authorization code using DELETE...RETURNING.\n\t\t// This prevents TOCTOU double-exchange: two concurrent requests with the\n\t\t// same code will race on the DELETE, and only one will get a row back.\n\t\tconst codeHash = hashApiToken(params.code);\n\n\t\tconst row = await db\n\t\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t\t.where(\"code_hash\", \"=\", codeHash)\n\t\t\t.returningAll()\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Invalid authorization code\" },\n\t\t\t};\n\t\t}\n\n\t\t// Check expiry\n\t\tif (new Date(row.expires_at) < new Date()) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Authorization code expired\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify redirect_uri matches exactly\n\t\tif (row.redirect_uri !== params.redirect_uri) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"redirect_uri mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify client_id matches\n\t\tif (row.client_id !== params.client_id) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"client_id mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// PKCE verification: SHA256(code_verifier) must match stored code_challenge\n\t\t// Use constant-time comparison to prevent timing side-channels\n\t\tconst derivedChallenge = computeS256Challenge(params.code_verifier);\n\t\tif (!secureCompare(derivedChallenge, row.code_challenge)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"PKCE verification failed\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify resource matches (if stored)\n\t\tif (row.resource && params.resource && row.resource !== params.resource) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"resource mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Revalidate user role before issuing tokens (same pattern as handleTokenRefresh).\n\t\t// The user's role may have changed since the authorization code was issued.\n\t\tconst userInfo = await lookupUserRoleAndStatus(db, row.user_id);\n\t\tif (!userInfo) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User not found\" },\n\t\t\t};\n\t\t}\n\n\t\tif (userInfo.disabled) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User account is disabled\" },\n\t\t\t};\n\t\t}\n\n\t\t// Re-clamp scopes against the user's current role\n\t\tconst storedScopes = JSON.parse(row.scopes) as string[];\n\t\tlet scopes = clampScopes(storedScopes, userInfo.role);\n\n\t\t// Intersect with client's registered scopes (if restricted)\n\t\tconst client = await lookupOAuthClient(db, row.client_id);\n\t\tif (client?.scopes?.length) {\n\t\t\tscopes = scopes.filter((s: string) => client.scopes!.includes(s));\n\t\t}\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"invalid_grant\",\n\t\t\t\t\tmessage: \"User role no longer supports any of the requested scopes\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Issue tokens (same as device flow)\n\t\tconst accessToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_ACCESS);\n\t\tconst accessExpires = expiresAt(ACCESS_TOKEN_TTL_SECONDS);\n\n\t\tconst refreshToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_REFRESH);\n\t\tconst refreshExpires = expiresAt(REFRESH_TOKEN_TTL_SECONDS);\n\n\t\t// Atomically store both tokens in a transaction\n\t\tawait withTransaction(db, async (trx) => {\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: accessToken.hash,\n\t\t\t\t\ttoken_type: \"access\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: accessExpires,\n\t\t\t\t\trefresh_token_hash: refreshToken.hash,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: refreshToken.hash,\n\t\t\t\t\ttoken_type: \"refresh\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: refreshExpires,\n\t\t\t\t\trefresh_token_hash: null,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\t\t});\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\taccess_token: accessToken.raw,\n\t\t\t\trefresh_token: refreshToken.raw,\n\t\t\t\ttoken_type: \"Bearer\",\n\t\t\t\texpires_in: ACCESS_TOKEN_TTL_SECONDS,\n\t\t\t\tscope: scopes.join(\" \"),\n\t\t\t},\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Token exchange error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"TOKEN_EXCHANGE_ERROR\",\n\t\t\t\tmessage: \"Failed to exchange authorization code\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/\n Build the authorization denied redirect URL.\n /\nexport function buildDeniedRedirect(redirectUri: string, state?: string): string {\n\tconst url = new URL(redirectUri);\n\turl.searchParams.set(\"error\", \"access_denied\");\n\turl.searchParams.set(\"error_description\", \"The user denied the authorization request\");\n\tif (state) {\n\t\turl.searchParams.set(\"state\", state);\n\t}\n\treturn url.toString();\n}\n\n/\n Clean up expired authorization codes.\n */\nexport async function cleanupExpiredAuthorizationCodes(db: Kysely<Database>): Promise<number> {\n\tconst result = await db\n\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t.where(\"expires_at\", \"<\", new Date().toISOString())\n\t\t.executeTakeFirst();\n\n\treturn Number(result.numDeletedRows);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAiCA,MAAM,wBAAwB;;AAG9B,MAAM,2BAA2B;;AAGjC,MAAM,4BAA4B,OAAU,KAAK;AAsCjD,SAAS,UAAU,SAAyB;AAC3C,QAAO,IAAI,KAAK,KAAK,KAAK,GAAG,UAAU,IAAK,CAAC,aAAa;;;;;AAQ3D,SAAS,gBAAgB,WAA8B;AACtD,KAAI,CAAC,UAAW,QAAO,EAAE;CAEzB,MAAM,WAAW,IAAI,IAAY,aAAa;AAM9C,QALe,UACb,MAAM,IAAI,CACV,OAAO,QAAQ,CACf,QAAQ,MAAM,SAAS,IAAI,EAAE,CAAC;;;;;;;;;;AAiBjC,eAAsB,4BACrB,IACA,QACA,UACA,QAC+C;AAC/C,KAAI;AAEH,MAAI,OAAO,kBAAkB,OAC5B,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,WAAW,oBAAoB,OAAO,aAAa;AACzD,MAAI,SACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAU;GAC1D;EAIF,MAAM,SAAS,MAAM,kBAAkB,IAAI,OAAO,UAAU;AAC5D,MAAI,CAAC,OACJ,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,iBAAiB,0BAA0B,OAAO,cAAc,OAAO,aAAa;AAC1F,MAAI,eACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAgB;GAChE;AAIF,MAAI,OAAO,0BAA0B,OACpC,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAIF,MAAI,CAAC,OAAO,eACX,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAmB,SAAS;IAA8B;GACzE;EAIF,MAAM,aAAa,YAAY,gBAAgB,OAAO,MAAM,EAAE,SAAS;EAKvE,MAAM,eAAe,OAAO;EAC5B,MAAM,SAAS,cAAc,SAC1B,WAAW,QAAQ,MAAc,aAAa,SAAS,EAAE,CAAC,GAC1D;AAEH,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA6B;GACtE;EAIF,MAAM,OAAO,sBAAsB;EACnC,MAAM,WAAW,aAAa,KAAK;AAGnC,QAAM,GACJ,WAAW,8BAA8B,CACzC,OAAO;GACP,WAAW;GACX,WAAW,OAAO;GAClB,cAAc,OAAO;GACrB,SAAS;GACT,QAAQ,KAAK,UAAU,OAAO;GAC9B,gBAAgB,OAAO;GACvB,uBAAuB,OAAO;GAC9B,UAAU,OAAO,YAAY;GAC7B,YAAY,UAAU,sBAAsB;GAC5C,CAAC,CACD,SAAS;EAGX,MAAM,cAAc,IAAI,IAAI,OAAO,aAAa;AAChD,cAAY,aAAa,IAAI,QAAQ,KAAK;AAC1C,MAAI,OAAO,MACV,aAAY,aAAa,IAAI,SAAS,OAAO,MAAM;AAGpD,SAAO;GACN,SAAS;GACT,MAAM,EAAE,cAAc,YAAY,UAAU,EAAE;GAC9C;UACO,OAAO;AACf,UAAQ,MAAM,wBAAwB,MAAM;AAC5C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;;;;AAUH,eAAsB,gCACrB,IACA,QACoC;AACpC,KAAI;AAEH,MAAI,OAAO,eAAe,qBACzB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAA0B,SAAS;IAAsB;GACxE;EAMF,MAAM,WAAW,aAAa,OAAO,KAAK;EAE1C,MAAM,MAAM,MAAM,GAChB,WAAW,8BAA8B,CACzC,MAAM,aAAa,KAAK,SAAS,CACjC,cAAc,CACd,kBAAkB;AAEpB,MAAI,CAAC,IACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,KAAK,IAAI,WAAW,mBAAG,IAAI,MAAM,CACxC,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,iBAAiB,OAAO,aAC/B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAyB;GAClE;AAIF,MAAI,IAAI,cAAc,OAAO,UAC5B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAsB;GAC/D;AAMF,MAAI,CAAC,cADoB,qBAAqB,OAAO,cAAc,EAC9B,IAAI,eAAe,CACvD,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;AAIF,MAAI,IAAI,YAAY,OAAO,YAAY,IAAI,aAAa,OAAO,SAC9D,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAqB;GAC9D;EAKF,MAAM,WAAW,MAAM,wBAAwB,IAAI,IAAI,QAAQ;AAC/D,MAAI,CAAC,SACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAkB;GAC3D;AAGF,MAAI,SAAS,SACZ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;EAKF,IAAI,SAAS,YADQ,KAAK,MAAM,IAAI,OAAO,EACJ,SAAS,KAAK;EAGrD,MAAM,SAAS,MAAM,kBAAkB,IAAI,IAAI,UAAU;AACzD,MAAI,QAAQ,QAAQ,OACnB,UAAS,OAAO,QAAQ,MAAc,OAAO,OAAQ,SAAS,EAAE,CAAC;AAGlE,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,cAAc,sBAAsB,eAAe,aAAa;EACtE,MAAM,gBAAgB,UAAU,yBAAyB;EAEzD,MAAM,eAAe,sBAAsB,eAAe,cAAc;EACxE,MAAM,iBAAiB,UAAU,0BAA0B;AAG3D,QAAM,gBAAgB,IAAI,OAAO,QAAQ;AACxC,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,YAAY;IACxB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB,aAAa;IACjC,WAAW,IAAI;IACf,CAAC,CACD,SAAS;AAEX,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,aAAa;IACzB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB;IACpB,WAAW,IAAI;IACf,CAAC,CACD,SAAS;IACV;AAEF,SAAO;GACN,SAAS;GACT,MAAM;IACL,cAAc,YAAY;IAC1B,eAAe,aAAa;IAC5B,YAAY;IACZ,YAAY;IACZ,OAAO,OAAO,KAAK,IAAI;IACvB;GACD;UACO,OAAO;AACf,UAAQ,MAAM,yBAAyB,MAAM;AAC7C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,SAAgB,oBAAoB,aAAqB,OAAwB;CAChF,MAAM,MAAM,IAAI,IAAI,YAAY;AAChC,KAAI,aAAa,IAAI,SAAS,gBAAgB;AAC9C,KAAI,aAAa,IAAI,qBAAqB,4CAA4C;AACtF,KAAI,MACH,KAAI,aAAa,IAAI,SAAS,MAAM;AAErC,QAAO,IAAI,UAAU"}
1	+ {"version":3,"file":"oauth-authorization-CTMeVfvj.mjs","names":[],"sources":["../src/api/handlers/oauth-authorization.ts"],"sourcesContent":["/*\n OAuth 2.1 Authorization Code + PKCE handlers.\n \n Implements the server side of the authorization code grant for MCP clients\n * (Claude Desktop, VS Code, etc.) per the MCP authorization spec (draft).\n \n Uses arctic for PKCE challenge generation and @emdash-cms/auth for token\n * utilities. Token infrastructure is shared with the device flow.\n /\n\nimport { clampScopes, computeS256Challenge, secureCompare } from \"@emdash-cms/auth\";\nimport type { RoleLevel } from \"@emdash-cms/auth\";\nimport { generateCodeVerifier } from \"arctic\";\nimport type { Kysely } from \"kysely\";\n\nimport {\n\tgeneratePrefixedToken,\n\thashApiToken,\n\tTOKEN_PREFIXES,\n\tVALID_SCOPES,\n} from \"../../auth/api-tokens.js\";\nimport { withTransaction } from \"../../database/transaction.js\";\nimport type { Database } from \"../../database/types.js\";\nimport { validateRedirectUri } from \"../oauth/redirect-uri.js\";\nimport type { ApiResult } from \"../types.js\";\nimport { lookupOAuthClient, validateClientRedirectUri } from \"./oauth-clients.js\";\nimport { lookupUserRoleAndStatus } from \"./oauth-user-lookup.js\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/* Authorization codes expire after 10 minutes (RFC 6749 §4.1.2 recommends short-lived) /\nconst AUTH_CODE_TTL_SECONDS = 10 60;\n\n/** Access token TTL: 1 hour /\nconst ACCESS_TOKEN_TTL_SECONDS = 60 60;\n\n/** Refresh token TTL: 90 days /\nconst REFRESH_TOKEN_TTL_SECONDS = 90 24 * 60 * 60;\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface AuthorizationParams {\n\tresponse_type: string;\n\tclient_id: string;\n\tredirect_uri: string;\n\tscope?: string;\n\tstate?: string;\n\tcode_challenge: string;\n\tcode_challenge_method: string;\n\tresource?: string;\n}\n\nexport interface TokenExchangeParams {\n\tgrant_type: string;\n\tcode: string;\n\tredirect_uri: string;\n\tclient_id: string;\n\tcode_verifier: string;\n\tresource?: string;\n}\n\nexport interface TokenResponse {\n\taccess_token: string;\n\trefresh_token: string;\n\ttoken_type: \"Bearer\";\n\texpires_in: number;\n\tscope: string;\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\nfunction expiresAt(seconds: number): string {\n\treturn new Date(Date.now() + seconds * 1000).toISOString();\n}\n\nexport { validateRedirectUri };\n\n/*\n Validate and normalize scopes. Returns validated scope list.\n /\nfunction normalizeScopes(requested?: string): string[] {\n\tif (!requested) return [];\n\n\tconst validSet = new Set<string>(VALID_SCOPES);\n\tconst scopes = requested\n\t\t.split(\" \")\n\t\t.filter(Boolean)\n\t\t.filter((s) => validSet.has(s));\n\n\treturn scopes;\n}\n\n// ---------------------------------------------------------------------------\n// Handlers\n// ---------------------------------------------------------------------------\n\n/\n Process an authorization request after the user approves consent.\n \n Generates an authorization code, stores it with the PKCE challenge,\n * and returns the redirect URL with the code appended.\n \n Scopes are clamped to the user's role to prevent scope escalation.\n /\nexport async function handleAuthorizationApproval(\n\tdb: Kysely<Database>,\n\tuserId: string,\n\tuserRole: RoleLevel,\n\tparams: AuthorizationParams,\n): Promise<ApiResult<{ redirect_url: string }>> {\n\ttry {\n\t\t// Validate response_type\n\t\tif (params.response_type !== \"code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"UNSUPPORTED_RESPONSE_TYPE\",\n\t\t\t\t\tmessage: \"Only response_type=code is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri scheme/host (basic security check)\n\t\tconst uriError = validateRedirectUri(params.redirect_uri);\n\t\tif (uriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: uriError },\n\t\t\t};\n\t\t}\n\n\t\t// Look up the registered OAuth client\n\t\tconst client = await lookupOAuthClient(db, params.client_id);\n\t\tif (!client) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_CLIENT\",\n\t\t\t\t\tmessage: \"Unknown client_id\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri against client's registered URIs\n\t\tconst clientUriError = validateClientRedirectUri(params.redirect_uri, client.redirectUris);\n\t\tif (clientUriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: clientUriError },\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge_method\n\t\tif (params.code_challenge_method !== \"S256\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_REQUEST\",\n\t\t\t\t\tmessage: \"Only S256 code_challenge_method is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge is present\n\t\tif (!params.code_challenge) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REQUEST\", message: \"code_challenge is required\" },\n\t\t\t};\n\t\t}\n\n\t\t// Validate scopes, then clamp to user's role\n\t\tconst userScopes = clampScopes(normalizeScopes(params.scope), userRole);\n\n\t\t// SEC-41: Intersect with client's registered scopes (if restricted).\n\t\t// A client registered with scopes: [\"content:read\"] should never receive\n\t\t// admin or schema:write, regardless of the approving user's role.\n\t\tconst clientScopes = client.scopes;\n\t\tconst scopes = clientScopes?.length\n\t\t\t? userScopes.filter((s: string) => clientScopes.includes(s))\n\t\t\t: userScopes;\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_SCOPE\", message: \"No valid scopes requested\" },\n\t\t\t};\n\t\t}\n\n\t\t// Generate authorization code (high entropy, base64url)\n\t\tconst code = generateCodeVerifier(); // 32 bytes random, base64url\n\t\tconst codeHash = hashApiToken(code);\n\n\t\t// Store the authorization code\n\t\tawait db\n\t\t\t.insertInto(\"_emdash_authorization_codes\")\n\t\t\t.values({\n\t\t\t\tcode_hash: codeHash,\n\t\t\t\tclient_id: params.client_id,\n\t\t\t\tredirect_uri: params.redirect_uri,\n\t\t\t\tuser_id: userId,\n\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\tcode_challenge: params.code_challenge,\n\t\t\t\tcode_challenge_method: params.code_challenge_method,\n\t\t\t\tresource: params.resource ?? null,\n\t\t\t\texpires_at: expiresAt(AUTH_CODE_TTL_SECONDS),\n\t\t\t})\n\t\t\t.execute();\n\n\t\t// Build the redirect URL\n\t\tconst redirectUrl = new URL(params.redirect_uri);\n\t\tredirectUrl.searchParams.set(\"code\", code);\n\t\tif (params.state) {\n\t\t\tredirectUrl.searchParams.set(\"state\", params.state);\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: { redirect_url: redirectUrl.toString() },\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Authorization error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"AUTHORIZATION_ERROR\",\n\t\t\t\tmessage: \"Failed to process authorization\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/\n Exchange an authorization code for access + refresh tokens.\n \n Validates the code, verifies PKCE, and issues tokens using the same\n * infrastructure as the device flow (ec_oat_, ec_ort_).\n /\nexport async function handleAuthorizationCodeExchange(\n\tdb: Kysely<Database>,\n\tparams: TokenExchangeParams,\n): Promise<ApiResult<TokenResponse>> {\n\ttry {\n\t\t// Validate grant_type\n\t\tif (params.grant_type !== \"authorization_code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"unsupported_grant_type\", message: \"Invalid grant_type\" },\n\t\t\t};\n\t\t}\n\n\t\t// SEC-39: Atomically consume the authorization code using DELETE...RETURNING.\n\t\t// This prevents TOCTOU double-exchange: two concurrent requests with the\n\t\t// same code will race on the DELETE, and only one will get a row back.\n\t\tconst codeHash = hashApiToken(params.code);\n\n\t\tconst row = await db\n\t\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t\t.where(\"code_hash\", \"=\", codeHash)\n\t\t\t.returningAll()\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Invalid authorization code\" },\n\t\t\t};\n\t\t}\n\n\t\t// Check expiry\n\t\tif (new Date(row.expires_at) < new Date()) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Authorization code expired\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify redirect_uri matches exactly\n\t\tif (row.redirect_uri !== params.redirect_uri) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"redirect_uri mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify client_id matches\n\t\tif (row.client_id !== params.client_id) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"client_id mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// PKCE verification: SHA256(code_verifier) must match stored code_challenge\n\t\t// Use constant-time comparison to prevent timing side-channels\n\t\tconst derivedChallenge = computeS256Challenge(params.code_verifier);\n\t\tif (!secureCompare(derivedChallenge, row.code_challenge)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"PKCE verification failed\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify resource matches (if stored)\n\t\tif (row.resource && params.resource && row.resource !== params.resource) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"resource mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Revalidate user role before issuing tokens (same pattern as handleTokenRefresh).\n\t\t// The user's role may have changed since the authorization code was issued.\n\t\tconst userInfo = await lookupUserRoleAndStatus(db, row.user_id);\n\t\tif (!userInfo) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User not found\" },\n\t\t\t};\n\t\t}\n\n\t\tif (userInfo.disabled) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User account is disabled\" },\n\t\t\t};\n\t\t}\n\n\t\t// Re-clamp scopes against the user's current role\n\t\tconst storedScopes = JSON.parse(row.scopes) as string[];\n\t\tlet scopes = clampScopes(storedScopes, userInfo.role);\n\n\t\t// Intersect with client's registered scopes (if restricted)\n\t\tconst client = await lookupOAuthClient(db, row.client_id);\n\t\tif (client?.scopes?.length) {\n\t\t\tscopes = scopes.filter((s: string) => client.scopes!.includes(s));\n\t\t}\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"invalid_grant\",\n\t\t\t\t\tmessage: \"User role no longer supports any of the requested scopes\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Issue tokens (same as device flow)\n\t\tconst accessToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_ACCESS);\n\t\tconst accessExpires = expiresAt(ACCESS_TOKEN_TTL_SECONDS);\n\n\t\tconst refreshToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_REFRESH);\n\t\tconst refreshExpires = expiresAt(REFRESH_TOKEN_TTL_SECONDS);\n\n\t\t// Atomically store both tokens in a transaction\n\t\tawait withTransaction(db, async (trx) => {\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: accessToken.hash,\n\t\t\t\t\ttoken_type: \"access\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: accessExpires,\n\t\t\t\t\trefresh_token_hash: refreshToken.hash,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: refreshToken.hash,\n\t\t\t\t\ttoken_type: \"refresh\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: refreshExpires,\n\t\t\t\t\trefresh_token_hash: null,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\t\t});\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\taccess_token: accessToken.raw,\n\t\t\t\trefresh_token: refreshToken.raw,\n\t\t\t\ttoken_type: \"Bearer\",\n\t\t\t\texpires_in: ACCESS_TOKEN_TTL_SECONDS,\n\t\t\t\tscope: scopes.join(\" \"),\n\t\t\t},\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Token exchange error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"TOKEN_EXCHANGE_ERROR\",\n\t\t\t\tmessage: \"Failed to exchange authorization code\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/\n Build the authorization denied redirect URL.\n /\nexport function buildDeniedRedirect(redirectUri: string, state?: string): string {\n\tconst url = new URL(redirectUri);\n\turl.searchParams.set(\"error\", \"access_denied\");\n\turl.searchParams.set(\"error_description\", \"The user denied the authorization request\");\n\tif (state) {\n\t\turl.searchParams.set(\"state\", state);\n\t}\n\treturn url.toString();\n}\n\n/\n Clean up expired authorization codes.\n */\nexport async function cleanupExpiredAuthorizationCodes(db: Kysely<Database>): Promise<number> {\n\tconst result = await db\n\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t.where(\"expires_at\", \"<\", new Date().toISOString())\n\t\t.executeTakeFirst();\n\n\treturn Number(result.numDeletedRows);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAiCA,MAAM,wBAAwB;;AAG9B,MAAM,2BAA2B;;AAGjC,MAAM,4BAA4B,OAAU,KAAK;AAsCjD,SAAS,UAAU,SAAyB;AAC3C,QAAO,IAAI,KAAK,KAAK,KAAK,GAAG,UAAU,IAAK,CAAC,aAAa;;;;;AAQ3D,SAAS,gBAAgB,WAA8B;AACtD,KAAI,CAAC,UAAW,QAAO,EAAE;CAEzB,MAAM,WAAW,IAAI,IAAY,aAAa;AAM9C,QALe,UACb,MAAM,IAAI,CACV,OAAO,QAAQ,CACf,QAAQ,MAAM,SAAS,IAAI,EAAE,CAAC;;;;;;;;;;AAiBjC,eAAsB,4BACrB,IACA,QACA,UACA,QAC+C;AAC/C,KAAI;AAEH,MAAI,OAAO,kBAAkB,OAC5B,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,WAAW,oBAAoB,OAAO,aAAa;AACzD,MAAI,SACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAU;GAC1D;EAIF,MAAM,SAAS,MAAM,kBAAkB,IAAI,OAAO,UAAU;AAC5D,MAAI,CAAC,OACJ,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,iBAAiB,0BAA0B,OAAO,cAAc,OAAO,aAAa;AAC1F,MAAI,eACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAgB;GAChE;AAIF,MAAI,OAAO,0BAA0B,OACpC,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAIF,MAAI,CAAC,OAAO,eACX,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAmB,SAAS;IAA8B;GACzE;EAIF,MAAM,aAAa,YAAY,gBAAgB,OAAO,MAAM,EAAE,SAAS;EAKvE,MAAM,eAAe,OAAO;EAC5B,MAAM,SAAS,cAAc,SAC1B,WAAW,QAAQ,MAAc,aAAa,SAAS,EAAE,CAAC,GAC1D;AAEH,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA6B;GACtE;EAIF,MAAM,OAAO,sBAAsB;EACnC,MAAM,WAAW,aAAa,KAAK;AAGnC,QAAM,GACJ,WAAW,8BAA8B,CACzC,OAAO;GACP,WAAW;GACX,WAAW,OAAO;GAClB,cAAc,OAAO;GACrB,SAAS;GACT,QAAQ,KAAK,UAAU,OAAO;GAC9B,gBAAgB,OAAO;GACvB,uBAAuB,OAAO;GAC9B,UAAU,OAAO,YAAY;GAC7B,YAAY,UAAU,sBAAsB;GAC5C,CAAC,CACD,SAAS;EAGX,MAAM,cAAc,IAAI,IAAI,OAAO,aAAa;AAChD,cAAY,aAAa,IAAI,QAAQ,KAAK;AAC1C,MAAI,OAAO,MACV,aAAY,aAAa,IAAI,SAAS,OAAO,MAAM;AAGpD,SAAO;GACN,SAAS;GACT,MAAM,EAAE,cAAc,YAAY,UAAU,EAAE;GAC9C;UACO,OAAO;AACf,UAAQ,MAAM,wBAAwB,MAAM;AAC5C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;;;;AAUH,eAAsB,gCACrB,IACA,QACoC;AACpC,KAAI;AAEH,MAAI,OAAO,eAAe,qBACzB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAA0B,SAAS;IAAsB;GACxE;EAMF,MAAM,WAAW,aAAa,OAAO,KAAK;EAE1C,MAAM,MAAM,MAAM,GAChB,WAAW,8BAA8B,CACzC,MAAM,aAAa,KAAK,SAAS,CACjC,cAAc,CACd,kBAAkB;AAEpB,MAAI,CAAC,IACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,KAAK,IAAI,WAAW,mBAAG,IAAI,MAAM,CACxC,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,iBAAiB,OAAO,aAC/B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAyB;GAClE;AAIF,MAAI,IAAI,cAAc,OAAO,UAC5B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAsB;GAC/D;AAMF,MAAI,CAAC,cADoB,qBAAqB,OAAO,cAAc,EAC9B,IAAI,eAAe,CACvD,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;AAIF,MAAI,IAAI,YAAY,OAAO,YAAY,IAAI,aAAa,OAAO,SAC9D,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAqB;GAC9D;EAKF,MAAM,WAAW,MAAM,wBAAwB,IAAI,IAAI,QAAQ;AAC/D,MAAI,CAAC,SACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAkB;GAC3D;AAGF,MAAI,SAAS,SACZ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;EAKF,IAAI,SAAS,YADQ,KAAK,MAAM,IAAI,OAAO,EACJ,SAAS,KAAK;EAGrD,MAAM,SAAS,MAAM,kBAAkB,IAAI,IAAI,UAAU;AACzD,MAAI,QAAQ,QAAQ,OACnB,UAAS,OAAO,QAAQ,MAAc,OAAO,OAAQ,SAAS,EAAE,CAAC;AAGlE,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,cAAc,sBAAsB,eAAe,aAAa;EACtE,MAAM,gBAAgB,UAAU,yBAAyB;EAEzD,MAAM,eAAe,sBAAsB,eAAe,cAAc;EACxE,MAAM,iBAAiB,UAAU,0BAA0B;AAG3D,QAAM,gBAAgB,IAAI,OAAO,QAAQ;AACxC,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,YAAY;IACxB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB,aAAa;IACjC,WAAW,IAAI;IACf,CAAC,CACD,SAAS;AAEX,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,aAAa;IACzB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB;IACpB,WAAW,IAAI;IACf,CAAC,CACD,SAAS;IACV;AAEF,SAAO;GACN,SAAS;GACT,MAAM;IACL,cAAc,YAAY;IAC1B,eAAe,aAAa;IAC5B,YAAY;IACZ,YAAY;IACZ,OAAO,OAAO,KAAK,IAAI;IACvB;GACD;UACO,OAAO;AACf,UAAQ,MAAM,yBAAyB,MAAM;AAC7C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,SAAgB,oBAAoB,aAAqB,OAAwB;CAChF,MAAM,MAAM,IAAI,IAAI,YAAY;AAChC,KAAI,aAAa,IAAI,SAAS,gBAAgB;AAC9C,KAAI,aAAa,IAAI,qBAAqB,4CAA4C;AACtF,KAAI,MACH,KAAI,aAAa,IAAI,SAAS,MAAM;AAErC,QAAO,IAAI,UAAU"}

package/dist/{oauth-clients-D_B0_-Bz.mjs → oauth-clients-eJCbkVSG.mjs} RENAMED Viewed

@@ -263,4 +263,4 @@ function validateClientRedirectUri(redirectUri, allowedUris) {
 //#endregion
 export { handleOAuthClientUpdate as a, validateRedirectUri as c, handleOAuthClientList as i, handleOAuthClientDelete as n, lookupOAuthClient as o, handleOAuthClientGet as r, validateClientRedirectUri as s, handleOAuthClientCreate as t };
-//# sourceMappingURL=oauth-clients-D_B0_-Bz.mjs.map
+//# sourceMappingURL=oauth-clients-eJCbkVSG.mjs.map

package/dist/oauth-clients-eJCbkVSG.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"oauth-clients-eJCbkVSG.mjs","names":[],"sources":["../src/api/oauth/redirect-uri.ts","../src/api/handlers/oauth-clients.ts"],"sourcesContent":["/**\n * Validate a redirect URI per OAuth 2.1 security requirements.\n *\n * Allows localhost / loopback redirect URIs over HTTP for native clients,\n * and any HTTPS URL for web-based flows.\n */\nexport function validateRedirectUri(uri: string): string | null {\n\ttry {\n\t\tconst url = new URL(uri);\n\n\t\t// Reject protocol-relative URLs\n\t\tif (uri.startsWith(\"//\")) {\n\t\t\treturn \"Protocol-relative redirect URIs are not allowed\";\n\t\t}\n\n\t\t// Allow localhost/loopback over HTTP (for desktop MCP clients)\n\t\tif (url.protocol === \"http:\") {\n\t\t\tconst host = url.hostname;\n\t\t\tif (host === \"127.0.0.1\" || host === \"localhost\" || host === \"[::1]\") {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\treturn \"HTTP redirect URIs are only allowed for localhost\";\n\t\t}\n\n\t\t// Allow HTTPS\n\t\tif (url.protocol === \"https:\") {\n\t\t\treturn null;\n\t\t}\n\n\t\treturn `Unsupported redirect URI scheme: ${url.protocol}`;\n\t} catch {\n\t\treturn \"Invalid redirect URI\";\n\t}\n}\n","/**\n * OAuth client management handlers.\n *\n * CRUD operations for registered OAuth clients. Each client has a set\n * of pre-registered redirect URIs. The authorization endpoint rejects\n * any redirect_uri not in the client's registered set.\n */\n\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../../database/types.js\";\nimport { validateRedirectUri } from \"../oauth/redirect-uri.js\";\nimport type { ApiResult } from \"../types.js\";\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\n/** Parse a JSON string column into a typed value. */\nfunction parseJsonColumn<T>(value: string): T {\n\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns unknown, callers provide the expected shape\n\treturn JSON.parse(value) as T;\n}\n\nfunction validateRegisteredRedirectUris(redirectUris: string[]): string | null {\n\tfor (const redirectUri of redirectUris) {\n\t\tconst error = validateRedirectUri(redirectUri);\n\t\tif (error) {\n\t\t\treturn `Invalid redirect URI: ${error}`;\n\t\t}\n\t}\n\treturn null;\n}\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface OAuthClientInfo {\n\tid: string;\n\tname: string;\n\tredirectUris: string[];\n\tscopes: string[] | null;\n\tcreatedAt: string;\n\tupdatedAt: string;\n}\n\n// ---------------------------------------------------------------------------\n// Handlers\n// ---------------------------------------------------------------------------\n\n/**\n * Create a new OAuth client.\n */\nexport async function handleOAuthClientCreate(\n\tdb: Kysely<Database>,\n\tinput: {\n\t\tid: string;\n\t\tname: string;\n\t\tredirectUris: string[];\n\t\tscopes?: string[] | null;\n\t},\n): Promise<ApiResult<OAuthClientInfo>> {\n\ttry {\n\t\tif (input.redirectUris.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\tmessage: \"At least one redirect URI is required\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tconst redirectUriError = validateRegisteredRedirectUris(input.redirectUris);\n\t\tif (redirectUriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\tmessage: redirectUriError,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Check for duplicate client ID\n\t\tconst existing = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.select(\"id\")\n\t\t\t.where(\"id\", \"=\", input.id)\n\t\t\t.executeTakeFirst();\n\n\t\tif (existing) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"CONFLICT\", message: \"OAuth client with this ID already exists\" },\n\t\t\t};\n\t\t}\n\n\t\tconst now = new Date().toISOString();\n\n\t\tawait db\n\t\t\t.insertInto(\"_emdash_oauth_clients\")\n\t\t\t.values({\n\t\t\t\tid: input.id,\n\t\t\t\tname: input.name,\n\t\t\t\tredirect_uris: JSON.stringify(input.redirectUris),\n\t\t\t\tscopes: input.scopes && input.scopes.length > 0 ? JSON.stringify(input.scopes) : null,\n\t\t\t})\n\t\t\t.execute();\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tid: input.id,\n\t\t\t\tname: input.name,\n\t\t\t\tredirectUris: input.redirectUris,\n\t\t\t\tscopes: input.scopes && input.scopes.length > 0 ? input.scopes : null,\n\t\t\t\tcreatedAt: now,\n\t\t\t\tupdatedAt: now,\n\t\t\t},\n\t\t};\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_CREATE_ERROR\",\n\t\t\t\tmessage: \"Failed to create OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * List all registered OAuth clients.\n */\nexport async function handleOAuthClientList(\n\tdb: Kysely<Database>,\n): Promise<ApiResult<{ items: OAuthClientInfo[] }>> {\n\ttry {\n\t\tconst rows = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.orderBy(\"created_at\", \"desc\")\n\t\t\t.execute();\n\n\t\tconst items: OAuthClientInfo[] = rows.map((row) => ({\n\t\t\tid: row.id,\n\t\t\tname: row.name,\n\t\t\tredirectUris: parseJsonColumn<string[]>(row.redirect_uris),\n\t\t\tscopes: row.scopes ? parseJsonColumn<string[]>(row.scopes) : null,\n\t\t\tcreatedAt: row.created_at,\n\t\t\tupdatedAt: row.updated_at,\n\t\t}));\n\n\t\treturn { success: true, data: { items } };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_LIST_ERROR\",\n\t\t\t\tmessage: \"Failed to list OAuth clients\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Get a single OAuth client by ID.\n */\nexport async function handleOAuthClientGet(\n\tdb: Kysely<Database>,\n\tclientId: string,\n): Promise<ApiResult<OAuthClientInfo>> {\n\ttry {\n\t\tconst row = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found\" },\n\t\t\t};\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tid: row.id,\n\t\t\t\tname: row.name,\n\t\t\t\tredirectUris: parseJsonColumn<string[]>(row.redirect_uris),\n\t\t\t\tscopes: row.scopes ? parseJsonColumn<string[]>(row.scopes) : null,\n\t\t\t\tcreatedAt: row.created_at,\n\t\t\t\tupdatedAt: row.updated_at,\n\t\t\t},\n\t\t};\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_GET_ERROR\",\n\t\t\t\tmessage: \"Failed to get OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Update an OAuth client.\n */\nexport async function handleOAuthClientUpdate(\n\tdb: Kysely<Database>,\n\tclientId: string,\n\tinput: {\n\t\tname?: string;\n\t\tredirectUris?: string[];\n\t\tscopes?: string[] | null;\n\t},\n): Promise<ApiResult<OAuthClientInfo>> {\n\ttry {\n\t\tconst existing = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!existing) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found\" },\n\t\t\t};\n\t\t}\n\n\t\tif (input.redirectUris !== undefined && input.redirectUris.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\tmessage: \"At least one redirect URI is required\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tif (input.redirectUris !== undefined) {\n\t\t\tconst redirectUriError = validateRegisteredRedirectUris(input.redirectUris);\n\t\t\tif (redirectUriError) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: {\n\t\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\t\tmessage: redirectUriError,\n\t\t\t\t\t},\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\n\t\tconst updates: Record<string, string | null> = {\n\t\t\tupdated_at: new Date().toISOString(),\n\t\t};\n\n\t\tif (input.name !== undefined) {\n\t\t\tupdates.name = input.name;\n\t\t}\n\t\tif (input.redirectUris !== undefined) {\n\t\t\tupdates.redirect_uris = JSON.stringify(input.redirectUris);\n\t\t}\n\t\tif (input.scopes !== undefined) {\n\t\t\tupdates.scopes =\n\t\t\t\tinput.scopes && input.scopes.length > 0 ? JSON.stringify(input.scopes) : null;\n\t\t}\n\n\t\tawait db.updateTable(\"_emdash_oauth_clients\").set(updates).where(\"id\", \"=\", clientId).execute();\n\n\t\t// Fetch the updated row\n\t\tconst updated = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!updated) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found after update\" },\n\t\t\t};\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tid: updated.id,\n\t\t\t\tname: updated.name,\n\t\t\t\tredirectUris: parseJsonColumn<string[]>(updated.redirect_uris),\n\t\t\t\tscopes: updated.scopes ? parseJsonColumn<string[]>(updated.scopes) : null,\n\t\t\t\tcreatedAt: updated.created_at,\n\t\t\t\tupdatedAt: updated.updated_at,\n\t\t\t},\n\t\t};\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_UPDATE_ERROR\",\n\t\t\t\tmessage: \"Failed to update OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Delete an OAuth client.\n */\nexport async function handleOAuthClientDelete(\n\tdb: Kysely<Database>,\n\tclientId: string,\n): Promise<ApiResult<{ deleted: true }>> {\n\ttry {\n\t\tconst result = await db\n\t\t\t.deleteFrom(\"_emdash_oauth_clients\")\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (result.numDeletedRows === 0n) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found\" },\n\t\t\t};\n\t\t}\n\n\t\treturn { success: true, data: { deleted: true } };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_DELETE_ERROR\",\n\t\t\t\tmessage: \"Failed to delete OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n// ---------------------------------------------------------------------------\n// Lookup helpers (used by authorization handler)\n// ---------------------------------------------------------------------------\n\n/**\n * Look up a registered OAuth client by ID.\n * Returns the client's redirect URIs or null if the client is not registered.\n */\nexport async function lookupOAuthClient(\n\tdb: Kysely<Database>,\n\tclientId: string,\n): Promise<{ redirectUris: string[]; scopes: string[] | null } | null> {\n\tconst row = await db\n\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t.select([\"redirect_uris\", \"scopes\"])\n\t\t.where(\"id\", \"=\", clientId)\n\t\t.executeTakeFirst();\n\n\tif (!row) return null;\n\n\treturn {\n\t\tredirectUris: parseJsonColumn<string[]>(row.redirect_uris),\n\t\tscopes: row.scopes ? parseJsonColumn<string[]>(row.scopes) : null,\n\t};\n}\n\n/**\n * Validate that a redirect URI is in the client's registered set.\n *\n * Comparison is exact string match (per RFC 6749 §3.1.2.3).\n * Returns null if valid, or an error message if not.\n */\nexport function validateClientRedirectUri(\n\tredirectUri: string,\n\tallowedUris: string[],\n): string | null {\n\tif (allowedUris.includes(redirectUri)) {\n\t\treturn null; // OK\n\t}\n\treturn \"redirect_uri is not registered for this client\";\n}\n"],"mappings":";;;;;;;AAMA,SAAgB,oBAAoB,KAA4B;AAC/D,KAAI;EACH,MAAM,MAAM,IAAI,IAAI,IAAI;AAGxB,MAAI,IAAI,WAAW,KAAK,CACvB,QAAO;AAIR,MAAI,IAAI,aAAa,SAAS;GAC7B,MAAM,OAAO,IAAI;AACjB,OAAI,SAAS,eAAe,SAAS,eAAe,SAAS,QAC5D,QAAO;AAER,UAAO;;AAIR,MAAI,IAAI,aAAa,SACpB,QAAO;AAGR,SAAO,oCAAoC,IAAI;SACxC;AACP,SAAO;;;;;;;ACZT,SAAS,gBAAmB,OAAkB;AAE7C,QAAO,KAAK,MAAM,MAAM;;AAGzB,SAAS,+BAA+B,cAAuC;AAC9E,MAAK,MAAM,eAAe,cAAc;EACvC,MAAM,QAAQ,oBAAoB,YAAY;AAC9C,MAAI,MACH,QAAO,yBAAyB;;AAGlC,QAAO;;;;;AAuBR,eAAsB,wBACrB,IACA,OAMsC;AACtC,KAAI;AACH,MAAI,MAAM,aAAa,WAAW,EACjC,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAGF,MAAM,mBAAmB,+BAA+B,MAAM,aAAa;AAC3E,MAAI,iBACH,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAUF,MANiB,MAAM,GACrB,WAAW,wBAAwB,CACnC,OAAO,KAAK,CACZ,MAAM,MAAM,KAAK,MAAM,GAAG,CAC1B,kBAAkB,CAGnB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAY,SAAS;IAA4C;GAChF;EAGF,MAAM,uBAAM,IAAI,MAAM,EAAC,aAAa;AAEpC,QAAM,GACJ,WAAW,wBAAwB,CACnC,OAAO;GACP,IAAI,MAAM;GACV,MAAM,MAAM;GACZ,eAAe,KAAK,UAAU,MAAM,aAAa;GACjD,QAAQ,MAAM,UAAU,MAAM,OAAO,SAAS,IAAI,KAAK,UAAU,MAAM,OAAO,GAAG;GACjF,CAAC,CACD,SAAS;AAEX,SAAO;GACN,SAAS;GACT,MAAM;IACL,IAAI,MAAM;IACV,MAAM,MAAM;IACZ,cAAc,MAAM;IACpB,QAAQ,MAAM,UAAU,MAAM,OAAO,SAAS,IAAI,MAAM,SAAS;IACjE,WAAW;IACX,WAAW;IACX;GACD;SACM;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,sBACrB,IACmD;AACnD,KAAI;AAgBH,SAAO;GAAE,SAAS;GAAM,MAAM,EAAE,QAfnB,MAAM,GACjB,WAAW,wBAAwB,CACnC,WAAW,CACX,QAAQ,cAAc,OAAO,CAC7B,SAAS,EAE2B,KAAK,SAAS;IACnD,IAAI,IAAI;IACR,MAAM,IAAI;IACV,cAAc,gBAA0B,IAAI,cAAc;IAC1D,QAAQ,IAAI,SAAS,gBAA0B,IAAI,OAAO,GAAG;IAC7D,WAAW,IAAI;IACf,WAAW,IAAI;IACf,EAAE,EAEoC;GAAE;SAClC;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,qBACrB,IACA,UACsC;AACtC,KAAI;EACH,MAAM,MAAM,MAAM,GAChB,WAAW,wBAAwB,CACnC,WAAW,CACX,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB;AAEpB,MAAI,CAAC,IACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAA0B;GAC/D;AAGF,SAAO;GACN,SAAS;GACT,MAAM;IACL,IAAI,IAAI;IACR,MAAM,IAAI;IACV,cAAc,gBAA0B,IAAI,cAAc;IAC1D,QAAQ,IAAI,SAAS,gBAA0B,IAAI,OAAO,GAAG;IAC7D,WAAW,IAAI;IACf,WAAW,IAAI;IACf;GACD;SACM;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,wBACrB,IACA,UACA,OAKsC;AACtC,KAAI;AAOH,MAAI,CANa,MAAM,GACrB,WAAW,wBAAwB,CACnC,WAAW,CACX,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB,CAGnB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAA0B;GAC/D;AAGF,MAAI,MAAM,iBAAiB,UAAa,MAAM,aAAa,WAAW,EACrE,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAGF,MAAI,MAAM,iBAAiB,QAAW;GACrC,MAAM,mBAAmB,+BAA+B,MAAM,aAAa;AAC3E,OAAI,iBACH,QAAO;IACN,SAAS;IACT,OAAO;KACN,MAAM;KACN,SAAS;KACT;IACD;;EAIH,MAAM,UAAyC,EAC9C,6BAAY,IAAI,MAAM,EAAC,aAAa,EACpC;AAED,MAAI,MAAM,SAAS,OAClB,SAAQ,OAAO,MAAM;AAEtB,MAAI,MAAM,iBAAiB,OAC1B,SAAQ,gBAAgB,KAAK,UAAU,MAAM,aAAa;AAE3D,MAAI,MAAM,WAAW,OACpB,SAAQ,SACP,MAAM,UAAU,MAAM,OAAO,SAAS,IAAI,KAAK,UAAU,MAAM,OAAO,GAAG;AAG3E,QAAM,GAAG,YAAY,wBAAwB,CAAC,IAAI,QAAQ,CAAC,MAAM,MAAM,KAAK,SAAS,CAAC,SAAS;EAG/F,MAAM,UAAU,MAAM,GACpB,WAAW,wBAAwB,CACnC,WAAW,CACX,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB;AAEpB,MAAI,CAAC,QACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAAuC;GAC5E;AAGF,SAAO;GACN,SAAS;GACT,MAAM;IACL,IAAI,QAAQ;IACZ,MAAM,QAAQ;IACd,cAAc,gBAA0B,QAAQ,cAAc;IAC9D,QAAQ,QAAQ,SAAS,gBAA0B,QAAQ,OAAO,GAAG;IACrE,WAAW,QAAQ;IACnB,WAAW,QAAQ;IACnB;GACD;SACM;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,wBACrB,IACA,UACwC;AACxC,KAAI;AAMH,OALe,MAAM,GACnB,WAAW,wBAAwB,CACnC,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB,EAET,mBAAmB,GAC7B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAA0B;GAC/D;AAGF,SAAO;GAAE,SAAS;GAAM,MAAM,EAAE,SAAS,MAAM;GAAE;SAC1C;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;;AAYH,eAAsB,kBACrB,IACA,UACsE;CACtE,MAAM,MAAM,MAAM,GAChB,WAAW,wBAAwB,CACnC,OAAO,CAAC,iBAAiB,SAAS,CAAC,CACnC,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB;AAEpB,KAAI,CAAC,IAAK,QAAO;AAEjB,QAAO;EACN,cAAc,gBAA0B,IAAI,cAAc;EAC1D,QAAQ,IAAI,SAAS,gBAA0B,IAAI,OAAO,GAAG;EAC7D;;;;;;;;AASF,SAAgB,0BACf,aACA,aACgB;AAChB,KAAI,YAAY,SAAS,YAAY,CACpC,QAAO;AAER,QAAO"}

package/dist/{oauth-state-store-DpsZViTu.mjs → oauth-state-store-vOSdOeGe.mjs} RENAMED Viewed

@@ -46,4 +46,4 @@ function createOAuthStateStore(db) {
 //#endregion
 export { createOAuthStateStore as t };
-//# sourceMappingURL=oauth-state-store-DpsZViTu.mjs.map
+//# sourceMappingURL=oauth-state-store-vOSdOeGe.mjs.map

package/dist/{oauth-state-store-DpsZViTu.mjs.map → oauth-state-store-vOSdOeGe.mjs.map} RENAMED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"oauth-state-store-~~DpsZViTu~~.mjs","names":[],"sources":["../src/auth/oauth-state-store.ts"],"sourcesContent":["/*\n OAuth state store\n \n Stores OAuth state in the auth_challenges table with automatic expiration.\n * Uses the existing table but with type=\"oauth\" to distinguish from WebAuthn challenges.\n /\n\nimport type { StateStore, OAuthState } from \"@emdash-cms/auth\";\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../database/types.js\";\n\nconst OAUTH_STATE_TTL_MS = 10 60 * 1000; // 10 minutes\n\nexport function createOAuthStateStore(db: Kysely<Database>): StateStore {\n\treturn {\n\t\tasync set(state: string, data: OAuthState): Promise<void> {\n\t\t\tconst expiresAt = new Date(Date.now() + OAUTH_STATE_TTL_MS).toISOString();\n\n\t\t\tawait db\n\t\t\t\t.insertInto(\"auth_challenges\")\n\t\t\t\t.values({\n\t\t\t\t\tchallenge: state,\n\t\t\t\t\ttype: \"oauth\",\n\t\t\t\t\tuser_id: null,\n\t\t\t\t\tdata: JSON.stringify(data),\n\t\t\t\t\texpires_at: expiresAt,\n\t\t\t\t})\n\t\t\t\t.onConflict((oc) =>\n\t\t\t\t\toc.column(\"challenge\").doUpdateSet({\n\t\t\t\t\t\ttype: \"oauth\",\n\t\t\t\t\t\tdata: JSON.stringify(data),\n\t\t\t\t\t\texpires_at: expiresAt,\n\t\t\t\t\t}),\n\t\t\t\t)\n\t\t\t\t.execute();\n\t\t},\n\n\t\tasync get(state: string): Promise<OAuthState \| null> {\n\t\t\tconst row = await db\n\t\t\t\t.selectFrom(\"auth_challenges\")\n\t\t\t\t.selectAll()\n\t\t\t\t.where(\"challenge\", \"=\", state)\n\t\t\t\t.where(\"type\", \"=\", \"oauth\")\n\t\t\t\t.executeTakeFirst();\n\n\t\t\tif (!row) return null;\n\n\t\t\tconst expiresAt = new Date(row.expires_at).getTime();\n\n\t\t\t// Check expiration\n\t\t\tif (expiresAt < Date.now()) {\n\t\t\t\t// Expired, delete and return null\n\t\t\t\tawait this.delete(state);\n\t\t\t\treturn null;\n\t\t\t}\n\n\t\t\tif (!row.data) return null;\n\n\t\t\ttry {\n\t\t\t\tconst parsed: unknown = JSON.parse(row.data);\n\t\t\t\tif (\n\t\t\t\t\ttypeof parsed !== \"object\" \|\|\n\t\t\t\t\tparsed === null \|\|\n\t\t\t\t\t!(\"provider\" in parsed) \|\|\n\t\t\t\t\ttypeof parsed.provider !== \"string\" \|\|\n\t\t\t\t\t!(\"redirectUri\" in parsed) \|\|\n\t\t\t\t\ttypeof parsed.redirectUri !== \"string\"\n\t\t\t\t) {\n\t\t\t\t\treturn null;\n\t\t\t\t}\n\t\t\t\tconst oauthState: OAuthState = {\n\t\t\t\t\tprovider: parsed.provider,\n\t\t\t\t\tredirectUri: parsed.redirectUri,\n\t\t\t\t};\n\t\t\t\tif (\"codeVerifier\" in parsed && typeof parsed.codeVerifier === \"string\") {\n\t\t\t\t\toauthState.codeVerifier = parsed.codeVerifier;\n\t\t\t\t}\n\t\t\t\tif (\"nonce\" in parsed && typeof parsed.nonce === \"string\") {\n\t\t\t\t\toauthState.nonce = parsed.nonce;\n\t\t\t\t}\n\t\t\t\treturn oauthState;\n\t\t\t} catch {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t},\n\n\t\tasync delete(state: string): Promise<void> {\n\t\t\tawait db\n\t\t\t\t.deleteFrom(\"auth_challenges\")\n\t\t\t\t.where(\"challenge\", \"=\", state)\n\t\t\t\t.where(\"type\", \"=\", \"oauth\")\n\t\t\t\t.execute();\n\t\t},\n\t};\n}\n"],"mappings":";AAYA,MAAM,qBAAqB,MAAU;AAErC,SAAgB,sBAAsB,IAAkC;AACvE,QAAO;EACN,MAAM,IAAI,OAAe,MAAiC;GACzD,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,mBAAmB,CAAC,aAAa;AAEzE,SAAM,GACJ,WAAW,kBAAkB,CAC7B,OAAO;IACP,WAAW;IACX,MAAM;IACN,SAAS;IACT,MAAM,KAAK,UAAU,KAAK;IAC1B,YAAY;IACZ,CAAC,CACD,YAAY,OACZ,GAAG,OAAO,YAAY,CAAC,YAAY;IAClC,MAAM;IACN,MAAM,KAAK,UAAU,KAAK;IAC1B,YAAY;IACZ,CAAC,CACF,CACA,SAAS;;EAGZ,MAAM,IAAI,OAA2C;GACpD,MAAM,MAAM,MAAM,GAChB,WAAW,kBAAkB,CAC7B,WAAW,CACX,MAAM,aAAa,KAAK,MAAM,CAC9B,MAAM,QAAQ,KAAK,QAAQ,CAC3B,kBAAkB;AAEpB,OAAI,CAAC,IAAK,QAAO;AAKjB,OAHkB,IAAI,KAAK,IAAI,WAAW,CAAC,SAAS,GAGpC,KAAK,KAAK,EAAE;AAE3B,UAAM,KAAK,OAAO,MAAM;AACxB,WAAO;;AAGR,OAAI,CAAC,IAAI,KAAM,QAAO;AAEtB,OAAI;IACH,MAAM,SAAkB,KAAK,MAAM,IAAI,KAAK;AAC5C,QACC,OAAO,WAAW,YAClB,WAAW,QACX,EAAE,cAAc,WAChB,OAAO,OAAO,aAAa,YAC3B,EAAE,iBAAiB,WACnB,OAAO,OAAO,gBAAgB,SAE9B,QAAO;IAER,MAAM,aAAyB;KAC9B,UAAU,OAAO;KACjB,aAAa,OAAO;KACpB;AACD,QAAI,kBAAkB,UAAU,OAAO,OAAO,iBAAiB,SAC9D,YAAW,eAAe,OAAO;AAElC,QAAI,WAAW,UAAU,OAAO,OAAO,UAAU,SAChD,YAAW,QAAQ,OAAO;AAE3B,WAAO;WACA;AACP,WAAO;;;EAIT,MAAM,OAAO,OAA8B;AAC1C,SAAM,GACJ,WAAW,kBAAkB,CAC7B,MAAM,aAAa,KAAK,MAAM,CAC9B,MAAM,QAAQ,KAAK,QAAQ,CAC3B,SAAS;;EAEZ"}
1	+ {"version":3,"file":"oauth-state-store-vOSdOeGe.mjs","names":[],"sources":["../src/auth/oauth-state-store.ts"],"sourcesContent":["/*\n OAuth state store\n \n Stores OAuth state in the auth_challenges table with automatic expiration.\n * Uses the existing table but with type=\"oauth\" to distinguish from WebAuthn challenges.\n /\n\nimport type { StateStore, OAuthState } from \"@emdash-cms/auth\";\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../database/types.js\";\n\nconst OAUTH_STATE_TTL_MS = 10 60 * 1000; // 10 minutes\n\nexport function createOAuthStateStore(db: Kysely<Database>): StateStore {\n\treturn {\n\t\tasync set(state: string, data: OAuthState): Promise<void> {\n\t\t\tconst expiresAt = new Date(Date.now() + OAUTH_STATE_TTL_MS).toISOString();\n\n\t\t\tawait db\n\t\t\t\t.insertInto(\"auth_challenges\")\n\t\t\t\t.values({\n\t\t\t\t\tchallenge: state,\n\t\t\t\t\ttype: \"oauth\",\n\t\t\t\t\tuser_id: null,\n\t\t\t\t\tdata: JSON.stringify(data),\n\t\t\t\t\texpires_at: expiresAt,\n\t\t\t\t})\n\t\t\t\t.onConflict((oc) =>\n\t\t\t\t\toc.column(\"challenge\").doUpdateSet({\n\t\t\t\t\t\ttype: \"oauth\",\n\t\t\t\t\t\tdata: JSON.stringify(data),\n\t\t\t\t\t\texpires_at: expiresAt,\n\t\t\t\t\t}),\n\t\t\t\t)\n\t\t\t\t.execute();\n\t\t},\n\n\t\tasync get(state: string): Promise<OAuthState \| null> {\n\t\t\tconst row = await db\n\t\t\t\t.selectFrom(\"auth_challenges\")\n\t\t\t\t.selectAll()\n\t\t\t\t.where(\"challenge\", \"=\", state)\n\t\t\t\t.where(\"type\", \"=\", \"oauth\")\n\t\t\t\t.executeTakeFirst();\n\n\t\t\tif (!row) return null;\n\n\t\t\tconst expiresAt = new Date(row.expires_at).getTime();\n\n\t\t\t// Check expiration\n\t\t\tif (expiresAt < Date.now()) {\n\t\t\t\t// Expired, delete and return null\n\t\t\t\tawait this.delete(state);\n\t\t\t\treturn null;\n\t\t\t}\n\n\t\t\tif (!row.data) return null;\n\n\t\t\ttry {\n\t\t\t\tconst parsed: unknown = JSON.parse(row.data);\n\t\t\t\tif (\n\t\t\t\t\ttypeof parsed !== \"object\" \|\|\n\t\t\t\t\tparsed === null \|\|\n\t\t\t\t\t!(\"provider\" in parsed) \|\|\n\t\t\t\t\ttypeof parsed.provider !== \"string\" \|\|\n\t\t\t\t\t!(\"redirectUri\" in parsed) \|\|\n\t\t\t\t\ttypeof parsed.redirectUri !== \"string\"\n\t\t\t\t) {\n\t\t\t\t\treturn null;\n\t\t\t\t}\n\t\t\t\tconst oauthState: OAuthState = {\n\t\t\t\t\tprovider: parsed.provider,\n\t\t\t\t\tredirectUri: parsed.redirectUri,\n\t\t\t\t};\n\t\t\t\tif (\"codeVerifier\" in parsed && typeof parsed.codeVerifier === \"string\") {\n\t\t\t\t\toauthState.codeVerifier = parsed.codeVerifier;\n\t\t\t\t}\n\t\t\t\tif (\"nonce\" in parsed && typeof parsed.nonce === \"string\") {\n\t\t\t\t\toauthState.nonce = parsed.nonce;\n\t\t\t\t}\n\t\t\t\treturn oauthState;\n\t\t\t} catch {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t},\n\n\t\tasync delete(state: string): Promise<void> {\n\t\t\tawait db\n\t\t\t\t.deleteFrom(\"auth_challenges\")\n\t\t\t\t.where(\"challenge\", \"=\", state)\n\t\t\t\t.where(\"type\", \"=\", \"oauth\")\n\t\t\t\t.execute();\n\t\t},\n\t};\n}\n"],"mappings":";AAYA,MAAM,qBAAqB,MAAU;AAErC,SAAgB,sBAAsB,IAAkC;AACvE,QAAO;EACN,MAAM,IAAI,OAAe,MAAiC;GACzD,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,mBAAmB,CAAC,aAAa;AAEzE,SAAM,GACJ,WAAW,kBAAkB,CAC7B,OAAO;IACP,WAAW;IACX,MAAM;IACN,SAAS;IACT,MAAM,KAAK,UAAU,KAAK;IAC1B,YAAY;IACZ,CAAC,CACD,YAAY,OACZ,GAAG,OAAO,YAAY,CAAC,YAAY;IAClC,MAAM;IACN,MAAM,KAAK,UAAU,KAAK;IAC1B,YAAY;IACZ,CAAC,CACF,CACA,SAAS;;EAGZ,MAAM,IAAI,OAA2C;GACpD,MAAM,MAAM,MAAM,GAChB,WAAW,kBAAkB,CAC7B,WAAW,CACX,MAAM,aAAa,KAAK,MAAM,CAC9B,MAAM,QAAQ,KAAK,QAAQ,CAC3B,kBAAkB;AAEpB,OAAI,CAAC,IAAK,QAAO;AAKjB,OAHkB,IAAI,KAAK,IAAI,WAAW,CAAC,SAAS,GAGpC,KAAK,KAAK,EAAE;AAE3B,UAAM,KAAK,OAAO,MAAM;AACxB,WAAO;;AAGR,OAAI,CAAC,IAAI,KAAM,QAAO;AAEtB,OAAI;IACH,MAAM,SAAkB,KAAK,MAAM,IAAI,KAAK;AAC5C,QACC,OAAO,WAAW,YAClB,WAAW,QACX,EAAE,cAAc,WAChB,OAAO,OAAO,aAAa,YAC3B,EAAE,iBAAiB,WACnB,OAAO,OAAO,gBAAgB,SAE9B,QAAO;IAER,MAAM,aAAyB;KAC9B,UAAU,OAAO;KACjB,aAAa,OAAO;KACpB;AACD,QAAI,kBAAkB,UAAU,OAAO,OAAO,iBAAiB,SAC9D,YAAW,eAAe,OAAO;AAElC,QAAI,WAAW,UAAU,OAAO,OAAO,UAAU,SAChD,YAAW,QAAQ,OAAO;AAE3B,WAAO;WACA;AACP,WAAO;;;EAIT,MAAM,OAAO,OAA8B;AAC1C,SAAM,GACJ,WAAW,kBAAkB,CAC7B,MAAM,aAAa,KAAK,MAAM,CAC9B,MAAM,QAAQ,KAAK,QAAQ,CAC3B,SAAS;;EAEZ"}

package/dist/{oauth-user-lookup-meyS2oB1.mjs → oauth-user-lookup-3JwsVw6N.mjs} RENAMED Viewed

@@ -23,4 +23,4 @@ async function lookupUserRoleAndStatus(db, userId) {
 //#endregion
 export { lookupUserRoleAndStatus as t };
-//# sourceMappingURL=oauth-user-lookup-meyS2oB1.mjs.map
+//# sourceMappingURL=oauth-user-lookup-3JwsVw6N.mjs.map

package/dist/{oauth-user-lookup-meyS2oB1.mjs.map → oauth-user-lookup-3JwsVw6N.mjs.map} RENAMED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"oauth-user-lookup-~~meyS2oB1~~.mjs","names":[],"sources":["../src/api/handlers/oauth-user-lookup.ts"],"sourcesContent":["/*\n Shared user lookup for OAuth token operations.\n \n Extracts user role and disabled status from the database. Used by\n * handleTokenRefresh() to revalidate scopes against the user's current\n * role and reject disabled users.\n /\n\nimport { toRoleLevel, type RoleLevel } from \"@emdash-cms/auth\";\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../../database/types.js\";\n\nexport interface UserRoleAndStatus {\n\trole: RoleLevel;\n\tdisabled: boolean;\n}\n\n/\n Look up a user's current role and disabled status.\n * Returns null if the user doesn't exist.\n */\nexport async function lookupUserRoleAndStatus(\n\tdb: Kysely<Database>,\n\tuserId: string,\n): Promise<UserRoleAndStatus \| null> {\n\tconst row = await db\n\t\t.selectFrom(\"users\")\n\t\t.select([\"role\", \"disabled\"])\n\t\t.where(\"id\", \"=\", userId)\n\t\t.executeTakeFirst();\n\n\tif (!row) return null;\n\n\treturn {\n\t\trole: toRoleLevel(row.role),\n\t\tdisabled: row.disabled === 1,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;;;AAsBA,eAAsB,wBACrB,IACA,QACoC;CACpC,MAAM,MAAM,MAAM,GAChB,WAAW,QAAQ,CACnB,OAAO,CAAC,QAAQ,WAAW,CAAC,CAC5B,MAAM,MAAM,KAAK,OAAO,CACxB,kBAAkB;AAEpB,KAAI,CAAC,IAAK,QAAO;AAEjB,QAAO;EACN,MAAM,YAAY,IAAI,KAAK;EAC3B,UAAU,IAAI,aAAa;EAC3B"}
1	+ {"version":3,"file":"oauth-user-lookup-3JwsVw6N.mjs","names":[],"sources":["../src/api/handlers/oauth-user-lookup.ts"],"sourcesContent":["/*\n Shared user lookup for OAuth token operations.\n \n Extracts user role and disabled status from the database. Used by\n * handleTokenRefresh() to revalidate scopes against the user's current\n * role and reject disabled users.\n /\n\nimport { toRoleLevel, type RoleLevel } from \"@emdash-cms/auth\";\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../../database/types.js\";\n\nexport interface UserRoleAndStatus {\n\trole: RoleLevel;\n\tdisabled: boolean;\n}\n\n/\n Look up a user's current role and disabled status.\n * Returns null if the user doesn't exist.\n */\nexport async function lookupUserRoleAndStatus(\n\tdb: Kysely<Database>,\n\tuserId: string,\n): Promise<UserRoleAndStatus \| null> {\n\tconst row = await db\n\t\t.selectFrom(\"users\")\n\t\t.select([\"role\", \"disabled\"])\n\t\t.where(\"id\", \"=\", userId)\n\t\t.executeTakeFirst();\n\n\tif (!row) return null;\n\n\treturn {\n\t\trole: toRoleLevel(row.role),\n\t\tdisabled: row.disabled === 1,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;;;AAsBA,eAAsB,wBACrB,IACA,QACoC;CACpC,MAAM,MAAM,MAAM,GAChB,WAAW,QAAQ,CACnB,OAAO,CAAC,QAAQ,WAAW,CAAC,CAC5B,MAAM,MAAM,KAAK,OAAO,CACxB,kBAAkB;AAEpB,KAAI,CAAC,IAAK,QAAO;AAEjB,QAAO;EACN,MAAM,YAAY,IAAI,KAAK;EAC3B,UAAU,IAAI,aAAa;EAC3B"}

package/dist/options-BL4X94qY.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"options-BL4X94qY.mjs","names":[],"sources":["../src/database/repositories/options.ts"],"sourcesContent":["import { sql, type Kysely, type SqlBool } from \"kysely\";\n\nimport type { Database, OptionTable } from \"../types.js\";\n\nfunction escapeLike(value: string): string {\n\treturn value.replaceAll(\"\\\\\", \"\\\\\\\\\").replaceAll(\"%\", \"\\\\%\").replaceAll(\"_\", \"\\\\_\");\n}\n\n/*\n Options repository for key-value settings storage\n \n Used for site settings, plugin configuration, and other arbitrary key-value data.\n * Values are stored as JSON for flexibility.\n /\nexport class OptionsRepository {\n\tconstructor(private db: Kysely<Database>) {}\n\n\t/\n\t Get an option value\n\t /\n\tasync get<T = unknown>(name: string): Promise<T \| null> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select(\"value\")\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) return null;\n\t\t// eslint-disable-next-line typescript~~-eslint(~~no-unsafe-type-assertion) -- JSON.parse returns any; generic callers provide T\n\t\treturn JSON.parse(row.value) as T;\n\t}\n\n\t/\n\t Get an option value with a default\n\t /\n\tasync getOrDefault<T>(name: string, defaultValue: T): Promise<T> {\n\t\tconst value = await this.get<T>(name);\n\t\treturn value ?? defaultValue;\n\t}\n\n\t/\n\t Set an option value (creates or updates)\n\t /\n\tasync set<T = unknown>(name: string, value: T): Promise<void> {\n\t\tconst row: OptionTable = {\n\t\t\tname,\n\t\t\tvalue: JSON.stringify(value),\n\t\t};\n\n\t\t// Upsert: insert or replace\n\t\tawait this.db\n\t\t\t.insertInto(\"options\")\n\t\t\t.values(row)\n\t\t\t.onConflict((oc) => oc.column(\"name\").doUpdateSet({ value: row.value }))\n\t\t\t.execute();\n\t}\n\n\t/\n\t Set an option value only if no row with that name exists. Atomic at the\n\t * database level via INSERT ... ON CONFLICT DO NOTHING, so concurrent\n\t * callers can't race past the check.\n\t \n\t Returns true when the row was inserted, false when a row already\n\t * existed (regardless of its value — even an empty string or null).\n\t /\n\tasync setIfAbsent<T = unknown>(name: string, value: T): Promise<boolean> {\n\t\tconst row: OptionTable = {\n\t\t\tname,\n\t\t\tvalue: JSON.stringify(value),\n\t\t};\n\n\t\tconst result = await this.db\n\t\t\t.insertInto(\"options\")\n\t\t\t.values(row)\n\t\t\t.onConflict((oc) => oc.column(\"name\").doNothing())\n\t\t\t.executeTakeFirst();\n\n\t\t// SQLite reports numInsertedOrUpdatedRows; Postgres reports the same.\n\t\t// When the ON CONFLICT branch fires and does nothing, the count is 0.\n\t\treturn (result.numInsertedOrUpdatedRows ?? 0n) > 0n;\n\t}\n\n\t/\n\t Delete an option\n\t /\n\tasync delete(name: string): Promise<boolean> {\n\t\tconst result = await this.db.deleteFrom(\"options\").where(\"name\", \"=\", name).executeTakeFirst();\n\n\t\treturn (result.numDeletedRows ?? 0) > 0;\n\t}\n\n\t/\n\t Check if an option exists\n\t /\n\tasync exists(name: string): Promise<boolean> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select(\"name\")\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.executeTakeFirst();\n\n\t\treturn !!row;\n\t}\n\n\t/\n\t Get multiple options at once\n\t /\n\tasync getMany<T = unknown>(names: string[]): Promise<Map<string, T>> {\n\t\tif (names.length === 0) return new Map();\n\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select([\"name\", \"value\"])\n\t\t\t.where(\"name\", \"in\", names)\n\t\t\t.execute();\n\n\t\tconst result = new Map<string, T>();\n\t\tfor (const row of rows) {\n\t\t\t// eslint-disable-next-line typescript~~-eslint(~~no-unsafe-type-assertion) -- JSON.parse returns any; generic callers provide T\n\t\t\tresult.set(row.name, JSON.parse(row.value) as T);\n\t\t}\n\t\treturn result;\n\t}\n\n\t/\n\t Set multiple options at once\n\t /\n\tasync setMany<T = unknown>(options: Record<string, T>): Promise<void> {\n\t\tconst entries = Object.entries(options);\n\t\tif (entries.length === 0) return;\n\n\t\tfor (const [name, value] of entries) {\n\t\t\tawait this.set(name, value);\n\t\t}\n\t}\n\n\t/\n\t Get all options (use sparingly)\n\t /\n\tasync getAll(): Promise<Map<string, unknown>> {\n\t\tconst rows = await this.db.selectFrom(\"options\").select([\"name\", \"value\"]).execute();\n\n\t\tconst result = new Map<string, unknown>();\n\t\tfor (const row of rows) {\n\t\t\tresult.set(row.name, JSON.parse(row.value));\n\t\t}\n\t\treturn result;\n\t}\n\n\t/\n\t Get all options matching a prefix\n\t /\n\tasync getByPrefix<T = unknown>(prefix: string): Promise<Map<string, T>> {\n\t\tconst pattern = `${escapeLike(prefix)}%`;\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select([\"name\", \"value\"])\n\t\t\t.where(sql<SqlBool>`name LIKE ${pattern} ESCAPE '\\\\'`)\n\t\t\t.execute();\n\n\t\tconst result = new Map<string, T>();\n\t\tfor (const row of rows) {\n\t\t\t// eslint-disable-next-line typescript~~-eslint(~~no-unsafe-type-assertion) -- JSON.parse returns any; generic callers provide T\n\t\t\tresult.set(row.name, JSON.parse(row.value) as T);\n\t\t}\n\t\treturn result;\n\t}\n\n\t/\n\t Delete all options matching a prefix\n\t */\n\tasync deleteByPrefix(prefix: string): Promise<number> {\n\t\tconst pattern = `${escapeLike(prefix)}%`;\n\t\tconst result = await this.db\n\t\t\t.deleteFrom(\"options\")\n\t\t\t.where(sql<SqlBool>`name LIKE ${pattern} ESCAPE '\\\\'`)\n\t\t\t.executeTakeFirst();\n\n\t\treturn Number(result.numDeletedRows ?? 0);\n\t}\n}\n"],"mappings":";;;AAIA,SAAS,WAAW,OAAuB;AAC1C,QAAO,MAAM,WAAW,MAAM,OAAO,CAAC,WAAW,KAAK,MAAM,CAAC,WAAW,KAAK,MAAM;;;;;;;;AASpF,IAAa,oBAAb,MAA+B;CAC9B,YAAY,AAAQ,IAAsB;EAAtB;;;;;CAKpB,MAAM,IAAiB,MAAiC;EACvD,MAAM,MAAM,MAAM,KAAK,GACrB,WAAW,UAAU,CACrB,OAAO,QAAQ,CACf,MAAM,QAAQ,KAAK,KAAK,CACxB,kBAAkB;AAEpB,MAAI,CAAC,IAAK,QAAO;AAEjB,SAAO,KAAK,MAAM,IAAI,MAAM;;;;;CAM7B,MAAM,aAAgB,MAAc,cAA6B;AAEhE,SADc,MAAM,KAAK,IAAO,KAAK,IACrB;;;;;CAMjB,MAAM,IAAiB,MAAc,OAAyB;EAC7D,MAAM,MAAmB;GACxB;GACA,OAAO,KAAK,UAAU,MAAM;GAC5B;AAGD,QAAM,KAAK,GACT,WAAW,UAAU,CACrB,OAAO,IAAI,CACX,YAAY,OAAO,GAAG,OAAO,OAAO,CAAC,YAAY,EAAE,OAAO,IAAI,OAAO,CAAC,CAAC,CACvE,SAAS;;;;;;;;;;CAWZ,MAAM,YAAyB,MAAc,OAA4B;EACxE,MAAM,MAAmB;GACxB;GACA,OAAO,KAAK,UAAU,MAAM;GAC5B;AAUD,WARe,MAAM,KAAK,GACxB,WAAW,UAAU,CACrB,OAAO,IAAI,CACX,YAAY,OAAO,GAAG,OAAO,OAAO,CAAC,WAAW,CAAC,CACjD,kBAAkB,EAIL,4BAA4B,MAAM;;;;;CAMlD,MAAM,OAAO,MAAgC;AAG5C,WAFe,MAAM,KAAK,GAAG,WAAW,UAAU,CAAC,MAAM,QAAQ,KAAK,KAAK,CAAC,kBAAkB,EAE/E,kBAAkB,KAAK;;;;;CAMvC,MAAM,OAAO,MAAgC;AAO5C,SAAO,CAAC,CANI,MAAM,KAAK,GACrB,WAAW,UAAU,CACrB,OAAO,OAAO,CACd,MAAM,QAAQ,KAAK,KAAK,CACxB,kBAAkB;;;;;CAQrB,MAAM,QAAqB,OAA0C;AACpE,MAAI,MAAM,WAAW,EAAG,wBAAO,IAAI,KAAK;EAExC,MAAM,OAAO,MAAM,KAAK,GACtB,WAAW,UAAU,CACrB,OAAO,CAAC,QAAQ,QAAQ,CAAC,CACzB,MAAM,QAAQ,MAAM,MAAM,CAC1B,SAAS;EAEX,MAAM,yBAAS,IAAI,KAAgB;AACnC,OAAK,MAAM,OAAO,KAEjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAM;AAEjD,SAAO;;;;;CAMR,MAAM,QAAqB,SAA2C;EACrE,MAAM,UAAU,OAAO,QAAQ,QAAQ;AACvC,MAAI,QAAQ,WAAW,EAAG;AAE1B,OAAK,MAAM,CAAC,MAAM,UAAU,QAC3B,OAAM,KAAK,IAAI,MAAM,MAAM;;;;;CAO7B,MAAM,SAAwC;EAC7C,MAAM,OAAO,MAAM,KAAK,GAAG,WAAW,UAAU,CAAC,OAAO,CAAC,QAAQ,QAAQ,CAAC,CAAC,SAAS;EAEpF,MAAM,yBAAS,IAAI,KAAsB;AACzC,OAAK,MAAM,OAAO,KACjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC;AAE5C,SAAO;;;;;CAMR,MAAM,YAAyB,QAAyC;EACvE,MAAM,UAAU,GAAG,WAAW,OAAO,CAAC;EACtC,MAAM,OAAO,MAAM,KAAK,GACtB,WAAW,UAAU,CACrB,OAAO,CAAC,QAAQ,QAAQ,CAAC,CACzB,MAAM,GAAY,aAAa,QAAQ,cAAc,CACrD,SAAS;EAEX,MAAM,yBAAS,IAAI,KAAgB;AACnC,OAAK,MAAM,OAAO,KAEjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAM;AAEjD,SAAO;;;;;CAMR,MAAM,eAAe,QAAiC;EACrD,MAAM,UAAU,GAAG,WAAW,OAAO,CAAC;EACtC,MAAM,SAAS,MAAM,KAAK,GACxB,WAAW,UAAU,CACrB,MAAM,GAAY,aAAa,QAAQ,cAAc,CACrD,kBAAkB;AAEpB,SAAO,OAAO,OAAO,kBAAkB,EAAE"}
1	+ {"version":3,"file":"options-BL4X94qY.mjs","names":[],"sources":["../src/database/repositories/options.ts"],"sourcesContent":["import { sql, type Kysely, type SqlBool } from \"kysely\";\n\nimport type { Database, OptionTable } from \"../types.js\";\n\nfunction escapeLike(value: string): string {\n\treturn value.replaceAll(\"\\\\\", \"\\\\\\\\\").replaceAll(\"%\", \"\\\\%\").replaceAll(\"_\", \"\\\\_\");\n}\n\n/*\n Options repository for key-value settings storage\n \n Used for site settings, plugin configuration, and other arbitrary key-value data.\n * Values are stored as JSON for flexibility.\n /\nexport class OptionsRepository {\n\tconstructor(private db: Kysely<Database>) {}\n\n\t/\n\t Get an option value\n\t /\n\tasync get<T = unknown>(name: string): Promise<T \| null> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select(\"value\")\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) return null;\n\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns any; generic callers provide T\n\t\treturn JSON.parse(row.value) as T;\n\t}\n\n\t/\n\t Get an option value with a default\n\t /\n\tasync getOrDefault<T>(name: string, defaultValue: T): Promise<T> {\n\t\tconst value = await this.get<T>(name);\n\t\treturn value ?? defaultValue;\n\t}\n\n\t/\n\t Set an option value (creates or updates)\n\t /\n\tasync set<T = unknown>(name: string, value: T): Promise<void> {\n\t\tconst row: OptionTable = {\n\t\t\tname,\n\t\t\tvalue: JSON.stringify(value),\n\t\t};\n\n\t\t// Upsert: insert or replace\n\t\tawait this.db\n\t\t\t.insertInto(\"options\")\n\t\t\t.values(row)\n\t\t\t.onConflict((oc) => oc.column(\"name\").doUpdateSet({ value: row.value }))\n\t\t\t.execute();\n\t}\n\n\t/\n\t Set an option value only if no row with that name exists. Atomic at the\n\t * database level via INSERT ... ON CONFLICT DO NOTHING, so concurrent\n\t * callers can't race past the check.\n\t \n\t Returns true when the row was inserted, false when a row already\n\t * existed (regardless of its value — even an empty string or null).\n\t /\n\tasync setIfAbsent<T = unknown>(name: string, value: T): Promise<boolean> {\n\t\tconst row: OptionTable = {\n\t\t\tname,\n\t\t\tvalue: JSON.stringify(value),\n\t\t};\n\n\t\tconst result = await this.db\n\t\t\t.insertInto(\"options\")\n\t\t\t.values(row)\n\t\t\t.onConflict((oc) => oc.column(\"name\").doNothing())\n\t\t\t.executeTakeFirst();\n\n\t\t// SQLite reports numInsertedOrUpdatedRows; Postgres reports the same.\n\t\t// When the ON CONFLICT branch fires and does nothing, the count is 0.\n\t\treturn (result.numInsertedOrUpdatedRows ?? 0n) > 0n;\n\t}\n\n\t/\n\t Delete an option\n\t /\n\tasync delete(name: string): Promise<boolean> {\n\t\tconst result = await this.db.deleteFrom(\"options\").where(\"name\", \"=\", name).executeTakeFirst();\n\n\t\treturn (result.numDeletedRows ?? 0) > 0;\n\t}\n\n\t/\n\t Check if an option exists\n\t /\n\tasync exists(name: string): Promise<boolean> {\n\t\tconst row = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select(\"name\")\n\t\t\t.where(\"name\", \"=\", name)\n\t\t\t.executeTakeFirst();\n\n\t\treturn !!row;\n\t}\n\n\t/\n\t Get multiple options at once\n\t /\n\tasync getMany<T = unknown>(names: string[]): Promise<Map<string, T>> {\n\t\tif (names.length === 0) return new Map();\n\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select([\"name\", \"value\"])\n\t\t\t.where(\"name\", \"in\", names)\n\t\t\t.execute();\n\n\t\tconst result = new Map<string, T>();\n\t\tfor (const row of rows) {\n\t\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns any; generic callers provide T\n\t\t\tresult.set(row.name, JSON.parse(row.value) as T);\n\t\t}\n\t\treturn result;\n\t}\n\n\t/\n\t Set multiple options at once\n\t /\n\tasync setMany<T = unknown>(options: Record<string, T>): Promise<void> {\n\t\tconst entries = Object.entries(options);\n\t\tif (entries.length === 0) return;\n\n\t\tfor (const [name, value] of entries) {\n\t\t\tawait this.set(name, value);\n\t\t}\n\t}\n\n\t/\n\t Get all options (use sparingly)\n\t /\n\tasync getAll(): Promise<Map<string, unknown>> {\n\t\tconst rows = await this.db.selectFrom(\"options\").select([\"name\", \"value\"]).execute();\n\n\t\tconst result = new Map<string, unknown>();\n\t\tfor (const row of rows) {\n\t\t\tresult.set(row.name, JSON.parse(row.value));\n\t\t}\n\t\treturn result;\n\t}\n\n\t/\n\t Get all options matching a prefix\n\t /\n\tasync getByPrefix<T = unknown>(prefix: string): Promise<Map<string, T>> {\n\t\tconst pattern = `${escapeLike(prefix)}%`;\n\t\tconst rows = await this.db\n\t\t\t.selectFrom(\"options\")\n\t\t\t.select([\"name\", \"value\"])\n\t\t\t.where(sql<SqlBool>`name LIKE ${pattern} ESCAPE '\\\\'`)\n\t\t\t.execute();\n\n\t\tconst result = new Map<string, T>();\n\t\tfor (const row of rows) {\n\t\t\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns any; generic callers provide T\n\t\t\tresult.set(row.name, JSON.parse(row.value) as T);\n\t\t}\n\t\treturn result;\n\t}\n\n\t/\n\t Delete all options matching a prefix\n\t */\n\tasync deleteByPrefix(prefix: string): Promise<number> {\n\t\tconst pattern = `${escapeLike(prefix)}%`;\n\t\tconst result = await this.db\n\t\t\t.deleteFrom(\"options\")\n\t\t\t.where(sql<SqlBool>`name LIKE ${pattern} ESCAPE '\\\\'`)\n\t\t\t.executeTakeFirst();\n\n\t\treturn Number(result.numDeletedRows ?? 0);\n\t}\n}\n"],"mappings":";;;AAIA,SAAS,WAAW,OAAuB;AAC1C,QAAO,MAAM,WAAW,MAAM,OAAO,CAAC,WAAW,KAAK,MAAM,CAAC,WAAW,KAAK,MAAM;;;;;;;;AASpF,IAAa,oBAAb,MAA+B;CAC9B,YAAY,AAAQ,IAAsB;EAAtB;;;;;CAKpB,MAAM,IAAiB,MAAiC;EACvD,MAAM,MAAM,MAAM,KAAK,GACrB,WAAW,UAAU,CACrB,OAAO,QAAQ,CACf,MAAM,QAAQ,KAAK,KAAK,CACxB,kBAAkB;AAEpB,MAAI,CAAC,IAAK,QAAO;AAEjB,SAAO,KAAK,MAAM,IAAI,MAAM;;;;;CAM7B,MAAM,aAAgB,MAAc,cAA6B;AAEhE,SADc,MAAM,KAAK,IAAO,KAAK,IACrB;;;;;CAMjB,MAAM,IAAiB,MAAc,OAAyB;EAC7D,MAAM,MAAmB;GACxB;GACA,OAAO,KAAK,UAAU,MAAM;GAC5B;AAGD,QAAM,KAAK,GACT,WAAW,UAAU,CACrB,OAAO,IAAI,CACX,YAAY,OAAO,GAAG,OAAO,OAAO,CAAC,YAAY,EAAE,OAAO,IAAI,OAAO,CAAC,CAAC,CACvE,SAAS;;;;;;;;;;CAWZ,MAAM,YAAyB,MAAc,OAA4B;EACxE,MAAM,MAAmB;GACxB;GACA,OAAO,KAAK,UAAU,MAAM;GAC5B;AAUD,WARe,MAAM,KAAK,GACxB,WAAW,UAAU,CACrB,OAAO,IAAI,CACX,YAAY,OAAO,GAAG,OAAO,OAAO,CAAC,WAAW,CAAC,CACjD,kBAAkB,EAIL,4BAA4B,MAAM;;;;;CAMlD,MAAM,OAAO,MAAgC;AAG5C,WAFe,MAAM,KAAK,GAAG,WAAW,UAAU,CAAC,MAAM,QAAQ,KAAK,KAAK,CAAC,kBAAkB,EAE/E,kBAAkB,KAAK;;;;;CAMvC,MAAM,OAAO,MAAgC;AAO5C,SAAO,CAAC,CANI,MAAM,KAAK,GACrB,WAAW,UAAU,CACrB,OAAO,OAAO,CACd,MAAM,QAAQ,KAAK,KAAK,CACxB,kBAAkB;;;;;CAQrB,MAAM,QAAqB,OAA0C;AACpE,MAAI,MAAM,WAAW,EAAG,wBAAO,IAAI,KAAK;EAExC,MAAM,OAAO,MAAM,KAAK,GACtB,WAAW,UAAU,CACrB,OAAO,CAAC,QAAQ,QAAQ,CAAC,CACzB,MAAM,QAAQ,MAAM,MAAM,CAC1B,SAAS;EAEX,MAAM,yBAAS,IAAI,KAAgB;AACnC,OAAK,MAAM,OAAO,KAEjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAM;AAEjD,SAAO;;;;;CAMR,MAAM,QAAqB,SAA2C;EACrE,MAAM,UAAU,OAAO,QAAQ,QAAQ;AACvC,MAAI,QAAQ,WAAW,EAAG;AAE1B,OAAK,MAAM,CAAC,MAAM,UAAU,QAC3B,OAAM,KAAK,IAAI,MAAM,MAAM;;;;;CAO7B,MAAM,SAAwC;EAC7C,MAAM,OAAO,MAAM,KAAK,GAAG,WAAW,UAAU,CAAC,OAAO,CAAC,QAAQ,QAAQ,CAAC,CAAC,SAAS;EAEpF,MAAM,yBAAS,IAAI,KAAsB;AACzC,OAAK,MAAM,OAAO,KACjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC;AAE5C,SAAO;;;;;CAMR,MAAM,YAAyB,QAAyC;EACvE,MAAM,UAAU,GAAG,WAAW,OAAO,CAAC;EACtC,MAAM,OAAO,MAAM,KAAK,GACtB,WAAW,UAAU,CACrB,OAAO,CAAC,QAAQ,QAAQ,CAAC,CACzB,MAAM,GAAY,aAAa,QAAQ,cAAc,CACrD,SAAS;EAEX,MAAM,yBAAS,IAAI,KAAgB;AACnC,OAAK,MAAM,OAAO,KAEjB,QAAO,IAAI,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,CAAM;AAEjD,SAAO;;;;;CAMR,MAAM,eAAe,QAAiC;EACrD,MAAM,UAAU,GAAG,WAAW,OAAO,CAAC;EACtC,MAAM,SAAS,MAAM,KAAK,GACxB,WAAW,UAAU,CACrB,MAAM,GAAY,aAAa,QAAQ,cAAc,CACrD,kBAAkB;AAEpB,SAAO,OAAO,OAAO,kBAAkB,EAAE"}

package/dist/{options-Cq64Wx0O.d.mts → options-DhV-gwJb.d.mts} RENAMED Viewed

@@ -1,5 +1,5 @@
-import { r as ContentItem } from "./types-CzvJd1ND.mjs";
-import { t as Database } from "./types-C1KKK4VP.mjs";
+import { r as ContentItem } from "./types-DaYDYW6g.mjs";
+import { t as Database } from "./types-DaqNzqVt.mjs";
 import { Kysely } from "kysely";
 import { z } from "zod";
@@ -97,7 +97,7 @@ interface ApiContext {
  * Always returns `{ error: { code, message } }` with correct Content-Type.
  * Use this for all error responses in API routes.
  */
-declare function apiError(code: string, message: string, status: number): Response;
+declare function apiError(code: string, message: string, status: number, details?: Record<string, unknown>): Response;
 /**
  * Create a standardized success response.
  *
@@ -204,4 +204,4 @@ declare class OptionsRepository {
 }
 //#endregion
 export { parseQuery as a, handleError as c, ContentListResponse as d, ContentResponse as f, ManifestResponse as h, parseBody as i, ApiContext as l, ListResponse as m, ParseResult as n, apiError as o, FieldDescriptor as p, isParseError as r, apiSuccess as s, OptionsRepository as t, ApiResult as u };
-//# sourceMappingURL=options-Cq64Wx0O.d.mts.map
+//# sourceMappingURL=options-DhV-gwJb.d.mts.map

package/dist/options-DhV-gwJb.d.mts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"options-DhV-gwJb.d.mts","names":[],"sources":["../src/api/types.ts","../src/api/error.ts","../src/api/parse.ts","../src/database/repositories/options.ts"],"mappings":";;;;;;;;AASA;UAAiB,YAAA;EAChB,KAAA,EAAO,CAAA;EACP,UAAA;EAF6B;;;;;EAQ7B,KAAA;AAAA;AAMD;;;AAAA,UAAiB,mBAAA,SAA4B,YAAA,CAAa,WAAA;AAAA,UAEzC,eAAA;EAChB,IAAA,EAAM,WAAA;;EAEN,IAAA;AAAA;;;;UAMgB,gBAAA;EAChB,OAAA;EACA,IAAA;EACA,WAAA,EAAa,MAAA;IAGX,KAAA;IACA,aAAA;IACA,QAAA;IACA,MAAA,EAAQ,MAAA,SAAe,eAAA;EAAA;EAGzB,OAAA,EAAS,MAAA;IAGP,UAAA,GAAa,KAAA;MAAQ,IAAA;MAAc,SAAA;IAAA;IACnC,OAAA;EAAA;AAAA;AAAA,UAKc,eAAA;EAChB,IAAA;EACA,KAAA;EACA,QAAA;EAZA;;;;EAiBA,OAAA,GAAU,KAAA;IAAQ,KAAA;IAAe,KAAA;EAAA,KAAmB,MAAA;AAAA;AARrD;;;;;;;;;;;;AAAA,KAuBY,SAAA;EACP,OAAA;EAAe,IAAA,EAAM,CAAA;AAAA;EAEvB,OAAA;EACA,KAAA;IAAS,IAAA,EAAM,CAAA;IAAG,OAAA;IAAiB,OAAA,GAAU,MAAA;EAAA;AAAA;;;;UAM/B,UAAA;EAChB,MAAA;EACA,QAAA;AAAA;;;;;;;;;iBC5De,QAAA,CACf,IAAA,UACA,OAAA,UACA,MAAA,UACA,OAAA,GAAU,MAAA,oBACR,QAAA;;;ADZH;;;;iBC2BgB,UAAA,GAAA,CAAc,IAAA,EAAM,CAAA,EAAG,MAAA,YAAe,QAAA;ADzBtD;;;;;;;;AAAA,iBCqCgB,WAAA,CACf,KAAA,WACA,eAAA,UACA,YAAA,WACE,QAAA;;;;;;;KChDS,WAAA,MAAiB,CAAA,GAAI,QAAA;;;;;;AFKjC;iBEGsB,SAAA,WAAoB,CAAA,CAAE,OAAA,CAAA,CAC3C,OAAA,EAAS,OAAA,EACT,MAAA,EAAQ,CAAA,GACN,OAAA,CAAQ,WAAA,CAAY,CAAA,CAAE,KAAA,CAAM,CAAA;;;;;;AFK/B;;iBEyDgB,UAAA,WAAqB,CAAA,CAAE,OAAA,CAAA,CAAS,GAAA,EAAK,GAAA,EAAK,MAAA,EAAQ,CAAA,GAAI,WAAA,CAAY,CAAA,CAAE,KAAA,CAAM,CAAA;;;;;iBA6C1E,YAAA,GAAA,CAAgB,MAAA,EAAQ,WAAA,CAAY,CAAA,IAAK,MAAA,IAAU,QAAA;;;;;;;AF/HnE;;cGKa,iBAAA;EAAA,QACQ,EAAA;cAAA,EAAA,EAAI,MAAA,CAAO,QAAA;EHL/B;;;EGUM,GAAA,aAAA,CAAiB,IAAA,WAAe,OAAA,CAAQ,CAAA;EHHzC;;AAMN;EGYO,YAAA,GAAA,CAAgB,IAAA,UAAc,YAAA,EAAc,CAAA,GAAI,OAAA,CAAQ,CAAA;;;;EAQxD,GAAA,aAAA,CAAiB,IAAA,UAAc,KAAA,EAAO,CAAA,GAAI,OAAA;EHlBjB;;;;;;;;EGwCzB,WAAA,aAAA,CAAyB,IAAA,UAAc,KAAA,EAAO,CAAA,GAAI,OAAA;EH/BxB;;;EGmD1B,MAAA,CAAO,IAAA,WAAe,OAAA;EHhDf;;;EGyDP,MAAA,CAAO,IAAA,WAAe,OAAA;EHhDb;;;EG6DT,OAAA,aAAA,CAAqB,KAAA,aAAkB,OAAA,CAAQ,GAAA,SAAY,CAAA;EHtEpD;;;EG0FP,OAAA,aAAA,CAAqB,OAAA,EAAS,MAAA,SAAe,CAAA,IAAK,OAAA;EHpFtD;;;EGgGI,MAAA,CAAA,GAAU,OAAA,CAAQ,GAAA;EH7Ff;;;EG0GH,WAAA,aAAA,CAAyB,MAAA,WAAiB,OAAA,CAAQ,GAAA,SAAY,CAAA;EHvG/B;;;EG0H/B,cAAA,CAAe,MAAA,WAAiB,OAAA;AAAA"}

package/dist/page/index.d.mts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { J as PageFragmentContribution, Z as PageMetadataContribution, et as PageMetadataLinkRel, mt as PublicPageContext, t as BreadcrumbItem, tt as PagePlacement } from "../types-B05e2naf.mjs";
-import { n as SeoSettings } from "../types-DW1l0gCv.mjs";
+import { J as PageFragmentContribution, Z as PageMetadataContribution, et as PageMetadataLinkRel, ht as PublicPageContext, t as BreadcrumbItem, tt as PagePlacement } from "../types-DGHWRQgr.mjs";
+import { n as SeoSettings } from "../types-Dgo6y-Ut.mjs";
 //#region src/page/context.d.ts
 /** Fields shared by both input forms */

package/dist/{parse-BFTPon-J.mjs → parse-DHbXfvxO.mjs} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { t as apiError } from "./error-tSQWIl5U.mjs";
+import { t as apiError } from "./error-ChfADBuu.mjs";
 import { z } from "zod";
 //#region src/api/parse.ts
@@ -86,4 +86,4 @@ function isParseError(result) {
 //#endregion
 export { parseQuery as i, parseBody as n, parseOptionalBody as r, isParseError as t };
-//# sourceMappingURL=parse-BFTPon-J.mjs.map
+//# sourceMappingURL=parse-DHbXfvxO.mjs.map

package/dist/{parse-BFTPon-J.mjs.map → parse-DHbXfvxO.mjs.map} RENAMED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"parse-~~BFTPon-J~~.mjs","names":[],"sources":["../src/api/parse.ts"],"sourcesContent":["/*\n Request body and query parameter parsing with Zod validation.\n \n All API routes should use these utilities instead of `request.json() as T`\n * or raw `url.searchParams.get()` with manual coercion.\n /\n\nimport { z } from \"zod\";\n\nimport { apiError } from \"./error.js\";\n\n/* Maximum allowed JSON request body size (10 MB). /\nconst MAX_BODY_SIZE = 10 1024 * 1024;\n\n/*\n Result of parsing: either the validated data or an error Response.\n * Routes should check `if (result instanceof Response) return result;`\n /\nexport type ParseResult<T> = T \| Response;\n\n/\n Parse and validate a JSON request body against a Zod schema.\n \n Returns the validated data on success, or a 400 Response on failure.\n * Replaces all `(await request.json()) as T` casts.\n /\nexport async function parseBody<T extends z.ZodType>(\n\trequest: Request,\n\tschema: T,\n): Promise<ParseResult<z.infer<T>>> {\n\t// Best-effort size check via Content-Length (can be absent with chunked encoding)\n\tconst contentLength = request.headers.get(\"Content-Length\");\n\tif (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {\n\t\treturn apiError(\"PAYLOAD_TOO_LARGE\", \"Request body too large\", 413);\n\t}\n\n\tlet raw: unknown;\n\ttry {\n\t\traw = await request.json();\n\t} catch {\n\t\treturn apiError(\"INVALID_JSON\", \"Request body must be valid JSON\", 400);\n\t}\n\n\treturn validate(schema, raw);\n}\n\n/\n Parse and validate an optional JSON request body.\n \n Returns `defaultValue` if the body is empty, or the validated data if present.\n * For endpoints where the body is optional (e.g., preview-url, confirm).\n /\nexport async function parseOptionalBody<T extends z.ZodType>(\n\trequest: Request,\n\tschema: T,\n\tdefaultValue: z.infer<T>,\n): Promise<ParseResult<z.infer<T>>> {\n\t// Best-effort size check via Content-Length (can be absent with chunked encoding)\n\tconst contentLength = request.headers.get(\"Content-Length\");\n\tif (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {\n\t\treturn apiError(\"PAYLOAD_TOO_LARGE\", \"Request body too large\", 413);\n\t}\n\n\tlet text: string;\n\ttry {\n\t\ttext = await request.text();\n\t} catch {\n\t\treturn defaultValue;\n\t}\n\n\tif (!text.trim()) {\n\t\treturn defaultValue;\n\t}\n\n\tlet raw: unknown;\n\ttry {\n\t\traw = JSON.parse(text);\n\t} catch {\n\t\treturn apiError(\"INVALID_JSON\", \"Request body must be valid JSON\", 400);\n\t}\n\n\treturn validate(schema, raw);\n}\n\n/\n Parse and validate URL search params against a Zod schema.\n \n Converts searchParams to a plain object before validation.\n * Zod coercion handles string -> number/boolean conversion.\n * Replaces manual `url.searchParams.get()` + `parseInt()` patterns.\n /\nexport function parseQuery<T extends z.ZodType>(url: URL, schema: T): ParseResult<z.infer<T>> {\n\tconst raw: Record<string, string> = {};\n\tfor (const [key, value] of url.searchParams) {\n\t\traw[key] = value;\n\t}\n\treturn validate(schema, raw);\n}\n\n/\n Validate raw data against a schema. Returns data or error Response.\n /\nfunction validate<T extends z.ZodType>(schema: T, data: unknown): ParseResult<z.infer<T>> {\n\tconst result = schema.safeParse(data);\n\n\tif (result.success) {\n\t\treturn result.data as z.infer<T>;\n\t}\n\n\t// Format Zod errors into a readable structure\n\tconst issues = result.error.issues.map((issue: z.ZodIssue) => ({\n\t\tpath: issue.path.join(\".\"),\n\t\tmessage: issue.message,\n\t}));\n\n\treturn Response.json(\n\t\t{\n\t\t\terror: {\n\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\tmessage: \"Invalid request data\",\n\t\t\t\tdetails: { issues },\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tstatus: 400,\n\t\t\theaders: {\n\t\t\t\t\"Cache-Control\": \"private, no-store\",\n\t\t\t},\n\t\t},\n\t);\n}\n\n/\n Type guard to check if a ParseResult is an error Response.\n * Usage: `if (isParseError(result)) return result;`\n */\nexport function isParseError<T>(result: ParseResult<T>): result is Response {\n\treturn result instanceof Response;\n}\n"],"mappings":";;;;;AAYA,MAAM,gBAAgB,KAAK,OAAO;;;;;;;AAclC,eAAsB,UACrB,SACA,QACmC;CAEnC,MAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB;AAC3D,KAAI,iBAAiB,SAAS,eAAe,GAAG,GAAG,cAClD,QAAO,SAAS,qBAAqB,0BAA0B,IAAI;CAGpE,IAAI;AACJ,KAAI;AACH,QAAM,MAAM,QAAQ,MAAM;SACnB;AACP,SAAO,SAAS,gBAAgB,mCAAmC,IAAI;;AAGxE,QAAO,SAAS,QAAQ,IAAI;;;;;;;;AAS7B,eAAsB,kBACrB,SACA,QACA,cACmC;CAEnC,MAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB;AAC3D,KAAI,iBAAiB,SAAS,eAAe,GAAG,GAAG,cAClD,QAAO,SAAS,qBAAqB,0BAA0B,IAAI;CAGpE,IAAI;AACJ,KAAI;AACH,SAAO,MAAM,QAAQ,MAAM;SACpB;AACP,SAAO;;AAGR,KAAI,CAAC,KAAK,MAAM,CACf,QAAO;CAGR,IAAI;AACJ,KAAI;AACH,QAAM,KAAK,MAAM,KAAK;SACf;AACP,SAAO,SAAS,gBAAgB,mCAAmC,IAAI;;AAGxE,QAAO,SAAS,QAAQ,IAAI;;;;;;;;;AAU7B,SAAgB,WAAgC,KAAU,QAAoC;CAC7F,MAAM,MAA8B,EAAE;AACtC,MAAK,MAAM,CAAC,KAAK,UAAU,IAAI,aAC9B,KAAI,OAAO;AAEZ,QAAO,SAAS,QAAQ,IAAI;;;;;AAM7B,SAAS,SAA8B,QAAW,MAAwC;CACzF,MAAM,SAAS,OAAO,UAAU,KAAK;AAErC,KAAI,OAAO,QACV,QAAO,OAAO;CAIf,MAAM,SAAS,OAAO,MAAM,OAAO,KAAK,WAAuB;EAC9D,MAAM,MAAM,KAAK,KAAK,IAAI;EAC1B,SAAS,MAAM;EACf,EAAE;AAEH,QAAO,SAAS,KACf,EACC,OAAO;EACN,MAAM;EACN,SAAS;EACT,SAAS,EAAE,QAAQ;EACnB,EACD,EACD;EACC,QAAQ;EACR,SAAS,EACR,iBAAiB,qBACjB;EACD,CACD;;;;;;AAOF,SAAgB,aAAgB,QAA4C;AAC3E,QAAO,kBAAkB"}
1	+ {"version":3,"file":"parse-DHbXfvxO.mjs","names":[],"sources":["../src/api/parse.ts"],"sourcesContent":["/*\n Request body and query parameter parsing with Zod validation.\n \n All API routes should use these utilities instead of `request.json() as T`\n * or raw `url.searchParams.get()` with manual coercion.\n /\n\nimport { z } from \"zod\";\n\nimport { apiError } from \"./error.js\";\n\n/* Maximum allowed JSON request body size (10 MB). /\nconst MAX_BODY_SIZE = 10 1024 * 1024;\n\n/*\n Result of parsing: either the validated data or an error Response.\n * Routes should check `if (result instanceof Response) return result;`\n /\nexport type ParseResult<T> = T \| Response;\n\n/\n Parse and validate a JSON request body against a Zod schema.\n \n Returns the validated data on success, or a 400 Response on failure.\n * Replaces all `(await request.json()) as T` casts.\n /\nexport async function parseBody<T extends z.ZodType>(\n\trequest: Request,\n\tschema: T,\n): Promise<ParseResult<z.infer<T>>> {\n\t// Best-effort size check via Content-Length (can be absent with chunked encoding)\n\tconst contentLength = request.headers.get(\"Content-Length\");\n\tif (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {\n\t\treturn apiError(\"PAYLOAD_TOO_LARGE\", \"Request body too large\", 413);\n\t}\n\n\tlet raw: unknown;\n\ttry {\n\t\traw = await request.json();\n\t} catch {\n\t\treturn apiError(\"INVALID_JSON\", \"Request body must be valid JSON\", 400);\n\t}\n\n\treturn validate(schema, raw);\n}\n\n/\n Parse and validate an optional JSON request body.\n \n Returns `defaultValue` if the body is empty, or the validated data if present.\n * For endpoints where the body is optional (e.g., preview-url, confirm).\n /\nexport async function parseOptionalBody<T extends z.ZodType>(\n\trequest: Request,\n\tschema: T,\n\tdefaultValue: z.infer<T>,\n): Promise<ParseResult<z.infer<T>>> {\n\t// Best-effort size check via Content-Length (can be absent with chunked encoding)\n\tconst contentLength = request.headers.get(\"Content-Length\");\n\tif (contentLength && parseInt(contentLength, 10) > MAX_BODY_SIZE) {\n\t\treturn apiError(\"PAYLOAD_TOO_LARGE\", \"Request body too large\", 413);\n\t}\n\n\tlet text: string;\n\ttry {\n\t\ttext = await request.text();\n\t} catch {\n\t\treturn defaultValue;\n\t}\n\n\tif (!text.trim()) {\n\t\treturn defaultValue;\n\t}\n\n\tlet raw: unknown;\n\ttry {\n\t\traw = JSON.parse(text);\n\t} catch {\n\t\treturn apiError(\"INVALID_JSON\", \"Request body must be valid JSON\", 400);\n\t}\n\n\treturn validate(schema, raw);\n}\n\n/\n Parse and validate URL search params against a Zod schema.\n \n Converts searchParams to a plain object before validation.\n * Zod coercion handles string -> number/boolean conversion.\n * Replaces manual `url.searchParams.get()` + `parseInt()` patterns.\n /\nexport function parseQuery<T extends z.ZodType>(url: URL, schema: T): ParseResult<z.infer<T>> {\n\tconst raw: Record<string, string> = {};\n\tfor (const [key, value] of url.searchParams) {\n\t\traw[key] = value;\n\t}\n\treturn validate(schema, raw);\n}\n\n/\n Validate raw data against a schema. Returns data or error Response.\n /\nfunction validate<T extends z.ZodType>(schema: T, data: unknown): ParseResult<z.infer<T>> {\n\tconst result = schema.safeParse(data);\n\n\tif (result.success) {\n\t\treturn result.data as z.infer<T>;\n\t}\n\n\t// Format Zod errors into a readable structure\n\tconst issues = result.error.issues.map((issue: z.ZodIssue) => ({\n\t\tpath: issue.path.join(\".\"),\n\t\tmessage: issue.message,\n\t}));\n\n\treturn Response.json(\n\t\t{\n\t\t\terror: {\n\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\tmessage: \"Invalid request data\",\n\t\t\t\tdetails: { issues },\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tstatus: 400,\n\t\t\theaders: {\n\t\t\t\t\"Cache-Control\": \"private, no-store\",\n\t\t\t},\n\t\t},\n\t);\n}\n\n/\n Type guard to check if a ParseResult is an error Response.\n * Usage: `if (isParseError(result)) return result;`\n */\nexport function isParseError<T>(result: ParseResult<T>): result is Response {\n\treturn result instanceof Response;\n}\n"],"mappings":";;;;;AAYA,MAAM,gBAAgB,KAAK,OAAO;;;;;;;AAclC,eAAsB,UACrB,SACA,QACmC;CAEnC,MAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB;AAC3D,KAAI,iBAAiB,SAAS,eAAe,GAAG,GAAG,cAClD,QAAO,SAAS,qBAAqB,0BAA0B,IAAI;CAGpE,IAAI;AACJ,KAAI;AACH,QAAM,MAAM,QAAQ,MAAM;SACnB;AACP,SAAO,SAAS,gBAAgB,mCAAmC,IAAI;;AAGxE,QAAO,SAAS,QAAQ,IAAI;;;;;;;;AAS7B,eAAsB,kBACrB,SACA,QACA,cACmC;CAEnC,MAAM,gBAAgB,QAAQ,QAAQ,IAAI,iBAAiB;AAC3D,KAAI,iBAAiB,SAAS,eAAe,GAAG,GAAG,cAClD,QAAO,SAAS,qBAAqB,0BAA0B,IAAI;CAGpE,IAAI;AACJ,KAAI;AACH,SAAO,MAAM,QAAQ,MAAM;SACpB;AACP,SAAO;;AAGR,KAAI,CAAC,KAAK,MAAM,CACf,QAAO;CAGR,IAAI;AACJ,KAAI;AACH,QAAM,KAAK,MAAM,KAAK;SACf;AACP,SAAO,SAAS,gBAAgB,mCAAmC,IAAI;;AAGxE,QAAO,SAAS,QAAQ,IAAI;;;;;;;;;AAU7B,SAAgB,WAAgC,KAAU,QAAoC;CAC7F,MAAM,MAA8B,EAAE;AACtC,MAAK,MAAM,CAAC,KAAK,UAAU,IAAI,aAC9B,KAAI,OAAO;AAEZ,QAAO,SAAS,QAAQ,IAAI;;;;;AAM7B,SAAS,SAA8B,QAAW,MAAwC;CACzF,MAAM,SAAS,OAAO,UAAU,KAAK;AAErC,KAAI,OAAO,QACV,QAAO,OAAO;CAIf,MAAM,SAAS,OAAO,MAAM,OAAO,KAAK,WAAuB;EAC9D,MAAM,MAAM,KAAK,KAAK,IAAI;EAC1B,SAAS,MAAM;EACf,EAAE;AAEH,QAAO,SAAS,KACf,EACC,OAAO;EACN,MAAM;EACN,SAAS;EACT,SAAS,EAAE,QAAQ;EACnB,EACD,EACD;EACC,QAAQ;EACR,SAAS,EACR,iBAAiB,qBACjB;EACD,CACD;;;;;;AAOF,SAAgB,aAAgB,QAA4C;AAC3E,QAAO,kBAAkB"}

package/dist/{passkey-config-Cg86_ISa.mjs → passkey-config-BloQOT3y.mjs} RENAMED Viewed

@@ -43,4 +43,4 @@ function getPasskeyConfig(url, siteName, siteUrl, allowedOrigins) {
 //#endregion
 export { getPasskeyConfig as t };
-//# sourceMappingURL=passkey-config-Cg86_ISa.mjs.map
+//# sourceMappingURL=passkey-config-BloQOT3y.mjs.map

package/dist/{passkey-config-Cg86_ISa.mjs.map → passkey-config-BloQOT3y.mjs.map} RENAMED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"passkey-config-~~Cg86_ISa~~.mjs","names":[],"sources":["../src/auth/passkey-config.ts"],"sourcesContent":["/*\n Passkey configuration helper\n \n Extracts passkey configuration from the request URL.\n * This ensures the rpId and origin are correctly set for both\n * localhost development and production deployments.\n /\n\nexport interface PasskeyConfig {\n\trpName: string;\n\trpId: string;\n\t/\n\t Accepted client-data origins. First entry is the canonical/preferred origin;\n\t * additional entries support multi-origin deployments (e.g. apex + preview\n\t * subdomain sharing the same `rpId`). See `allowedOrigins` parameter.\n\t /\n\torigins: string[];\n}\n\n/\n Get passkey configuration from request URL\n \n @param url The request URL (typically `new URL(Astro.request.url)` or `new URL(request.url)`)\n * @param siteName Optional site name for rpName (defaults to hostname from `url` or public origin)\n * @param siteUrl Optional browser-facing origin (see `EmDashConfig.siteUrl`).\n * When set, the canonical origin and rpId are taken from this URL.\n * @param allowedOrigins Optional list of additional accepted origins for verification.\n * Each must share `rpId` with the canonical origin (WebAuthn requirement).\n * Typical use: apex + preview subdomain on the same registrable domain.\n * @throws If `siteUrl` is non-empty but not parseable by `new URL()`.\n */\nexport function getPasskeyConfig(\n\turl: URL,\n\tsiteName?: string,\n\tsiteUrl?: string,\n\tallowedOrigins?: string[],\n): PasskeyConfig {\n\tlet rpName: string;\n\tlet rpId: string;\n\tlet canonicalOrigin: string;\n\n\tif (siteUrl) {\n\t\tlet publicUrl: URL;\n\t\ttry {\n\t\t\tpublicUrl = new URL(siteUrl);\n\t\t} catch (e) {\n\t\t\tthrow new Error(`Invalid siteUrl: \"${siteUrl}\"`, { cause: e });\n\t\t}\n\t\trpName = siteName \|\| publicUrl.hostname;\n\t\trpId = publicUrl.hostname;\n\t\tcanonicalOrigin = publicUrl.origin;\n\t} else {\n\t\trpName = siteName \|\| url.hostname;\n\t\trpId = url.hostname;\n\t\tcanonicalOrigin = url.origin;\n\t}\n\n\tconst origins = [canonicalOrigin];\n\tif (allowedOrigins) {\n\t\tfor (const extra of allowedOrigins) {\n\t\t\tif (extra && !origins.includes(extra)) origins.push(extra);\n\t\t}\n\t}\n\n\treturn { rpName, rpId, origins };\n}\n"],"mappings":";;;;;;;;;;;;;AA+BA,SAAgB,iBACf,KACA,UACA,SACA,gBACgB;CAChB,IAAI;CACJ,IAAI;CACJ,IAAI;AAEJ,KAAI,SAAS;EACZ,IAAI;AACJ,MAAI;AACH,eAAY,IAAI,IAAI,QAAQ;WACpB,GAAG;AACX,SAAM,IAAI,MAAM,qBAAqB,QAAQ,IAAI,EAAE,OAAO,GAAG,CAAC;;AAE/D,WAAS,YAAY,UAAU;AAC/B,SAAO,UAAU;AACjB,oBAAkB,UAAU;QACtB;AACN,WAAS,YAAY,IAAI;AACzB,SAAO,IAAI;AACX,oBAAkB,IAAI;;CAGvB,MAAM,UAAU,CAAC,gBAAgB;AACjC,KAAI,gBACH;OAAK,MAAM,SAAS,eACnB,KAAI,SAAS,CAAC,QAAQ,SAAS,MAAM,CAAE,SAAQ,KAAK,MAAM;;AAI5D,QAAO;EAAE;EAAQ;EAAM;EAAS"}
1	+ {"version":3,"file":"passkey-config-BloQOT3y.mjs","names":[],"sources":["../src/auth/passkey-config.ts"],"sourcesContent":["/*\n Passkey configuration helper\n \n Extracts passkey configuration from the request URL.\n * This ensures the rpId and origin are correctly set for both\n * localhost development and production deployments.\n /\n\nexport interface PasskeyConfig {\n\trpName: string;\n\trpId: string;\n\t/\n\t Accepted client-data origins. First entry is the canonical/preferred origin;\n\t * additional entries support multi-origin deployments (e.g. apex + preview\n\t * subdomain sharing the same `rpId`). See `allowedOrigins` parameter.\n\t /\n\torigins: string[];\n}\n\n/\n Get passkey configuration from request URL\n \n @param url The request URL (typically `new URL(Astro.request.url)` or `new URL(request.url)`)\n * @param siteName Optional site name for rpName (defaults to hostname from `url` or public origin)\n * @param siteUrl Optional browser-facing origin (see `EmDashConfig.siteUrl`).\n * When set, the canonical origin and rpId are taken from this URL.\n * @param allowedOrigins Optional list of additional accepted origins for verification.\n * Each must share `rpId` with the canonical origin (WebAuthn requirement).\n * Typical use: apex + preview subdomain on the same registrable domain.\n * @throws If `siteUrl` is non-empty but not parseable by `new URL()`.\n */\nexport function getPasskeyConfig(\n\turl: URL,\n\tsiteName?: string,\n\tsiteUrl?: string,\n\tallowedOrigins?: string[],\n): PasskeyConfig {\n\tlet rpName: string;\n\tlet rpId: string;\n\tlet canonicalOrigin: string;\n\n\tif (siteUrl) {\n\t\tlet publicUrl: URL;\n\t\ttry {\n\t\t\tpublicUrl = new URL(siteUrl);\n\t\t} catch (e) {\n\t\t\tthrow new Error(`Invalid siteUrl: \"${siteUrl}\"`, { cause: e });\n\t\t}\n\t\trpName = siteName \|\| publicUrl.hostname;\n\t\trpId = publicUrl.hostname;\n\t\tcanonicalOrigin = publicUrl.origin;\n\t} else {\n\t\trpName = siteName \|\| url.hostname;\n\t\trpId = url.hostname;\n\t\tcanonicalOrigin = url.origin;\n\t}\n\n\tconst origins = [canonicalOrigin];\n\tif (allowedOrigins) {\n\t\tfor (const extra of allowedOrigins) {\n\t\t\tif (extra && !origins.includes(extra)) origins.push(extra);\n\t\t}\n\t}\n\n\treturn { rpName, rpId, origins };\n}\n"],"mappings":";;;;;;;;;;;;;AA+BA,SAAgB,iBACf,KACA,UACA,SACA,gBACgB;CAChB,IAAI;CACJ,IAAI;CACJ,IAAI;AAEJ,KAAI,SAAS;EACZ,IAAI;AACJ,MAAI;AACH,eAAY,IAAI,IAAI,QAAQ;WACpB,GAAG;AACX,SAAM,IAAI,MAAM,qBAAqB,QAAQ,IAAI,EAAE,OAAO,GAAG,CAAC;;AAE/D,WAAS,YAAY,UAAU;AAC/B,SAAO,UAAU;AACjB,oBAAkB,UAAU;QACtB;AACN,WAAS,YAAY,IAAI;AACzB,SAAO,IAAI;AACX,oBAAkB,IAAI;;CAGvB,MAAM,UAAU,CAAC,gBAAgB;AACjC,KAAI,gBACH;OAAK,MAAM,SAAS,eACnB,KAAI,SAAS,CAAC,QAAQ,SAAS,MAAM,CAAE,SAAQ,KAAK,MAAM;;AAI5D,QAAO;EAAE;EAAQ;EAAM;EAAS"}

package/dist/{placeholder-D3cFCU9y.d.mts → placeholder-KCkkCtgQ.d.mts} RENAMED Viewed

@@ -282,4 +282,4 @@ declare function generatePlaceholder(buffer: Uint8Array, mimeType: string, dimen
 }): Promise<PlaceholderData | null>;
 //#endregion
 export { MediaValue as _, ComponentEmbed as a, mediaItemToValue as b, EmbedResult as c, MediaListResult as d, MediaProvider as f, MediaUploadInput as g, MediaProviderItem as h, AudioEmbed as i, ImageEmbed as l, MediaProviderDescriptor as m, generatePlaceholder as n, CreateMediaProviderFn as o, MediaProviderCapabilities as p, normalizeMediaValue as r, EmbedOptions as s, PlaceholderData as t, MediaListOptions as u, ThumbnailOptions as v, VideoEmbed as y };
-//# sourceMappingURL=placeholder-D3cFCU9y.d.mts.map
+//# sourceMappingURL=placeholder-KCkkCtgQ.d.mts.map

package/dist/{placeholder-D3cFCU9y.d.mts.map → placeholder-KCkkCtgQ.d.mts.map} RENAMED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"placeholder-~~D3cFCU9y~~.d.mts","names":[],"sources":["../src/media/types.ts","../src/media/normalize.ts","../src/media/placeholder.ts"],"mappings":";;AAYA;;;;;;;;;;UAAiB,uBAAA,WAAkC,MAAA;EAKlD;EAHA,EAAA;EASA;EANA,IAAA;EAYA;EATA,IAAA;EAYA;EATA,UAAA;EASe;EANf,WAAA;EAYgB;EAThB,YAAA,EAAc,yBAAA;;EAGd,MAAA,EAAQ,OAAA;AAAA;;;;UAMQ,yBAAA;EAQV;EANN,MAAA;EAYgC;EAVhC,MAAA;EAUgC;EARhC,MAAA;EAYA;EAVA,MAAA;AAAA;;;AAoBD;UAdiB,gBAAA;;EAEhB,MAAA;EAaA;EAXA,KAAA;EAYA;EAVA,KAAA;EAUU;EARV,QAAA;AAAA;;;;UAMgB,eAAA;EAChB,KAAA,EAAO,iBAAA;EACP,UAAA;AAAA;;;;;UAOgB,iBAAA;EAiBH;EAfb,EAAA;EAqBgB;EAnBhB,QAAA;;EAEA,QAAA;EAkBA;EAhBA,IAAA;EAiBA;EAfA,KAAA;EACA,MAAA;EAeG;EAbH,GAAA;EAmB4B;EAjB5B,UAAA;EAiB4B;EAf5B,IAAA,GAAO,MAAA;AAAA;;;;UAMS,gBAAA;EAChB,IAAA,EAAM,IAAA;EACN,QAAA;EACA,GAAA;AAAA;;;;UAMgB,YAAA;EAYS;EAVzB,KAAA;EAUmD;EARnD,MAAA;EAQ8E;EAN9E,MAAA;AAAA;;;;KAMW,WAAA,GAAc,UAAA,GAAa,UAAA,GAAa,UAAA,GAAa,cAAA;AAAA,UAEhD,UAAA;EAChB,IAAA;EACA,GAAA;EACA,MAAA;EACA,KAAA;EACA,KAAA;EACA,MAAA;EACA,GAAA;EAIkB;EAFlB,UAAA;EAEmD;EAAnD,MAAA,IAAU,IAAA;IAAQ,KAAA;IAAgB,MAAA;IAAiB,MAAA;EAAA;AAAA;AAAA,UAGnC,UAAA;EAChB,IAAA;EAEA;EAAA,GAAA;EAEU;EAAV,OAAA,GAAU,KAAA;IAAQ,GAAA;IAAa,IAAA;EAAA;EAI/B;EAFA,MAAA;EACA,KAAA;EACA,MAAA;EAKA;EAHA,QAAA;EACA,QAAA;EACA,KAAA;EACA,IAAA;EACA,WAAA;EACA,OAAA;EACA,WAAA;AAAA;AAAA,UAGgB,UAAA;EAChB,IAAA;EACA,GAAA;EACA,OAAA,GAAU,KAAA;IAAQ,GAAA;IAAa,IAAA;EAAA;EAC/B,QAAA;EACA,QAAA;EACA,KAAA;EACA,IAAA;EACA,OAAA;AAAA;AAAA,UAGgB,cAAA;EAChB,IAAA;EAD8B;EAG9B,OAAA;EAIa;EAFb,MAAA;EAFA;EAIA,KAAA,EAAO,MAAA;AAAA;;;;UAMS,gBAAA;EAAgB;EAEhC,KAAA;EAAA;EAEA,MAAA;AAAA;;;;;UAOgB,aAAA;EASU;;;EAL1B,IAAA,CAAK,OAAA,EAAS,gBAAA,GAAmB,OAAA,CAAQ,eAAA;EAUP;;;EALlC,GAAA,EAAK,EAAA,WAAa,OAAA,CAAQ,iBAAA;EAgBmC;;;EAX7D,MAAA,EAAQ,KAAA,EAAO,gBAAA,GAAmB,OAAA,CAAQ,iBAAA;EAkBgC;;;EAb1E,MAAA,EAAQ,EAAA,WAAa,OAAA;EAfhB;;;;EAqBL,QAAA,CAAS,KAAA,EAAO,UAAA,EAAY,OAAA,GAAU,YAAA,GAAe,OAAA,CAAQ,WAAA,IAAe,WAAA;EAhB1D;;;;;EAuBlB,eAAA,EAAiB,EAAA,UAAY,QAAA,WAAmB,OAAA,GAAU,gBAAA;AAAA;;;;KAM/C,qBAAA,WAAgC,MAAA,sBAC3C,MAAA,EAAQ,OAAA,KACJ,aAAA;;;;;;;;;UAUY,UAAA;EAlBa;EAoB7B,QAAA;EApBgD;EAuBhD,EAAA;EAvB0E;EA0B1E,GAAA;EApBgC;EAuBhC,UAAA;EAvB2C;EA0B3C,QAAA;EACA,QAAA;EACA,KAAA;EACA,MAAA;EACA,GAAA;EA9B2C;EAiC3C,IAAA,GAAO,MAAA;AAAA;;;;iBAMQ,gBAAA,CAAiB,UAAA,UAAoB,IAAA,EAAM,iBAAA,GAAoB,UAAA;;;;;;;;;;;;iBClPzD,mBAAA,CACrB,KAAA,WACA,WAAA,GAAc,EAAA,aAAe,aAAA,eAC3B,OAAA,CAAQ,UAAA;;;;ADhBX;;;;;;UEDiB,eAAA;EAChB,QAAA;EACA,aAAA;AAAA;;;;;;;;;;iBAgGqB,mBAAA,CACrB,MAAA,EAAQ,UAAA,EACR,QAAA,UACA,UAAA;EAAe,KAAA;EAAe,MAAA;AAAA,IAC5B,OAAA,CAAQ,eAAA"}
1	+ {"version":3,"file":"placeholder-KCkkCtgQ.d.mts","names":[],"sources":["../src/media/types.ts","../src/media/normalize.ts","../src/media/placeholder.ts"],"mappings":";;AAYA;;;;;;;;;;UAAiB,uBAAA,WAAkC,MAAA;EAKlD;EAHA,EAAA;EASA;EANA,IAAA;EAYA;EATA,IAAA;EAYA;EATA,UAAA;EASe;EANf,WAAA;EAYgB;EAThB,YAAA,EAAc,yBAAA;;EAGd,MAAA,EAAQ,OAAA;AAAA;;;;UAMQ,yBAAA;EAQV;EANN,MAAA;EAYgC;EAVhC,MAAA;EAUgC;EARhC,MAAA;EAYA;EAVA,MAAA;AAAA;;;AAoBD;UAdiB,gBAAA;;EAEhB,MAAA;EAaA;EAXA,KAAA;EAYA;EAVA,KAAA;EAUU;EARV,QAAA;AAAA;;;;UAMgB,eAAA;EAChB,KAAA,EAAO,iBAAA;EACP,UAAA;AAAA;;;;;UAOgB,iBAAA;EAiBH;EAfb,EAAA;EAqBgB;EAnBhB,QAAA;;EAEA,QAAA;EAkBA;EAhBA,IAAA;EAiBA;EAfA,KAAA;EACA,MAAA;EAeG;EAbH,GAAA;EAmB4B;EAjB5B,UAAA;EAiB4B;EAf5B,IAAA,GAAO,MAAA;AAAA;;;;UAMS,gBAAA;EAChB,IAAA,EAAM,IAAA;EACN,QAAA;EACA,GAAA;AAAA;;;;UAMgB,YAAA;EAYS;EAVzB,KAAA;EAUmD;EARnD,MAAA;EAQ8E;EAN9E,MAAA;AAAA;;;;KAMW,WAAA,GAAc,UAAA,GAAa,UAAA,GAAa,UAAA,GAAa,cAAA;AAAA,UAEhD,UAAA;EAChB,IAAA;EACA,GAAA;EACA,MAAA;EACA,KAAA;EACA,KAAA;EACA,MAAA;EACA,GAAA;EAIkB;EAFlB,UAAA;EAEmD;EAAnD,MAAA,IAAU,IAAA;IAAQ,KAAA;IAAgB,MAAA;IAAiB,MAAA;EAAA;AAAA;AAAA,UAGnC,UAAA;EAChB,IAAA;EAEA;EAAA,GAAA;EAEU;EAAV,OAAA,GAAU,KAAA;IAAQ,GAAA;IAAa,IAAA;EAAA;EAI/B;EAFA,MAAA;EACA,KAAA;EACA,MAAA;EAKA;EAHA,QAAA;EACA,QAAA;EACA,KAAA;EACA,IAAA;EACA,WAAA;EACA,OAAA;EACA,WAAA;AAAA;AAAA,UAGgB,UAAA;EAChB,IAAA;EACA,GAAA;EACA,OAAA,GAAU,KAAA;IAAQ,GAAA;IAAa,IAAA;EAAA;EAC/B,QAAA;EACA,QAAA;EACA,KAAA;EACA,IAAA;EACA,OAAA;AAAA;AAAA,UAGgB,cAAA;EAChB,IAAA;EAD8B;EAG9B,OAAA;EAIa;EAFb,MAAA;EAFA;EAIA,KAAA,EAAO,MAAA;AAAA;;;;UAMS,gBAAA;EAAgB;EAEhC,KAAA;EAAA;EAEA,MAAA;AAAA;;;;;UAOgB,aAAA;EASU;;;EAL1B,IAAA,CAAK,OAAA,EAAS,gBAAA,GAAmB,OAAA,CAAQ,eAAA;EAUP;;;EALlC,GAAA,EAAK,EAAA,WAAa,OAAA,CAAQ,iBAAA;EAgBmC;;;EAX7D,MAAA,EAAQ,KAAA,EAAO,gBAAA,GAAmB,OAAA,CAAQ,iBAAA;EAkBgC;;;EAb1E,MAAA,EAAQ,EAAA,WAAa,OAAA;EAfhB;;;;EAqBL,QAAA,CAAS,KAAA,EAAO,UAAA,EAAY,OAAA,GAAU,YAAA,GAAe,OAAA,CAAQ,WAAA,IAAe,WAAA;EAhB1D;;;;;EAuBlB,eAAA,EAAiB,EAAA,UAAY,QAAA,WAAmB,OAAA,GAAU,gBAAA;AAAA;;;;KAM/C,qBAAA,WAAgC,MAAA,sBAC3C,MAAA,EAAQ,OAAA,KACJ,aAAA;;;;;;;;;UAUY,UAAA;EAlBa;EAoB7B,QAAA;EApBgD;EAuBhD,EAAA;EAvB0E;EA0B1E,GAAA;EApBgC;EAuBhC,UAAA;EAvB2C;EA0B3C,QAAA;EACA,QAAA;EACA,KAAA;EACA,MAAA;EACA,GAAA;EA9B2C;EAiC3C,IAAA,GAAO,MAAA;AAAA;;;;iBAMQ,gBAAA,CAAiB,UAAA,UAAoB,IAAA,EAAM,iBAAA,GAAoB,UAAA;;;;;;;;;;;;iBClPzD,mBAAA,CACrB,KAAA,WACA,WAAA,GAAc,EAAA,aAAe,aAAA,eAC3B,OAAA,CAAQ,UAAA;;;;ADhBX;;;;;;UEDiB,eAAA;EAChB,QAAA;EACA,aAAA;AAAA;;;;;;;;;;iBAgGqB,mBAAA,CACrB,MAAA,EAAQ,UAAA,EACR,QAAA,UACA,UAAA;EAAe,KAAA;EAAe,MAAA;AAAA,IAC5B,OAAA,CAAQ,eAAA"}

package/dist/plugin-types.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { $ as PageMetadataHandler, A as EmailDeliverEvent, C as CronHandler, Ct as UninstallEvent, D as EmailAfterSendHandler, E as EmailAfterSendEvent, H as MediaAfterUploadEvent, K as MediaUploadEvent, O as EmailBeforeSendEvent, Q as PageMetadataEvent, R as LifecycleEvent, S as CronEvent, U as MediaAfterUploadHandler, W as MediaBeforeUploadHandler, X as PageFragmentHandler, Y as PageFragmentEvent, _ as ContentBeforeDeleteHandler, a as CommentAfterCreateHandler, b as ContentHookEvent, c as CommentBeforeCreateEvent, d as CommentModerateHandler, g as ContentAfterUnpublishHandler, h as ContentAfterSaveHandler, i as CommentAfterCreateEvent, j as EmailDeliverHandler, k as EmailBeforeSendHandler, l as CommentBeforeCreateHandler, m as ContentAfterPublishHandler, o as CommentAfterModerateEvent, ot as PluginContext, p as ContentAfterDeleteHandler, s as CommentAfterModerateHandler, u as CommentModerateEvent, v as ContentBeforeSaveHandler, wt as UninstallHandler, x as ContentPublishStateChangeEvent, y as ContentDeleteEvent, z as LifecycleHandler } from "./types-B05e2naf.mjs";
+import { $ as PageMetadataHandler, A as EmailDeliverEvent, C as CronHandler, D as EmailAfterSendHandler, E as EmailAfterSendEvent, Et as UninstallHandler, H as MediaAfterUploadEvent, K as MediaUploadEvent, O as EmailBeforeSendEvent, Q as PageMetadataEvent, R as LifecycleEvent, S as CronEvent, Tt as UninstallEvent, U as MediaAfterUploadHandler, W as MediaBeforeUploadHandler, X as PageFragmentHandler, Y as PageFragmentEvent, _ as ContentBeforeDeleteHandler, a as CommentAfterCreateHandler, b as ContentHookEvent, c as CommentBeforeCreateEvent, d as CommentModerateHandler, g as ContentAfterUnpublishHandler, h as ContentAfterSaveHandler, i as CommentAfterCreateEvent, j as EmailDeliverHandler, k as EmailBeforeSendHandler, l as CommentBeforeCreateHandler, m as ContentAfterPublishHandler, o as CommentAfterModerateEvent, p as ContentAfterDeleteHandler, s as CommentAfterModerateHandler, st as PluginContext, u as CommentModerateEvent, v as ContentBeforeSaveHandler, x as ContentPublishStateChangeEvent, y as ContentDeleteEvent, z as LifecycleHandler } from "./types-DGHWRQgr.mjs";
 //#region src/plugin-types.d.ts
 /**