emdash 0.21.0 → 0.23.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (655) hide show
  1. package/dist/{adapters-BxSmgtbF.d.mts → adapters-DAAjOID4.d.mts} +1 -1
  2. package/dist/{adapters-BxSmgtbF.d.mts.map → adapters-DAAjOID4.d.mts.map} +1 -1
  3. package/dist/after-B1IIdH3Y.mjs +29 -0
  4. package/dist/after-B1IIdH3Y.mjs.map +1 -0
  5. package/dist/{allowed-origins-BqC8cul8.mjs → allowed-origins-D5FxMUo8.mjs} +2 -2
  6. package/dist/{allowed-origins-BqC8cul8.mjs.map → allowed-origins-D5FxMUo8.mjs.map} +1 -1
  7. package/dist/api/route-utils.d.mts +3 -3
  8. package/dist/api/route-utils.mjs +20 -19
  9. package/dist/api/route-utils.mjs.map +1 -1
  10. package/dist/api/schemas/index.d.mts +2 -2
  11. package/dist/api/schemas/index.mjs +4 -4
  12. package/dist/{api-DxjIV2o8.mjs → api-BQ_yKRdG.mjs} +31 -25
  13. package/dist/api-BQ_yKRdG.mjs.map +1 -0
  14. package/dist/{api-tokens-BFFkB0jB.mjs → api-tokens-D6ppjIVi.mjs} +13 -3
  15. package/dist/api-tokens-D6ppjIVi.mjs.map +1 -0
  16. package/dist/{apply-CLjxheyb.mjs → apply-CWRyxIoO.mjs} +18 -18
  17. package/dist/{apply-CLjxheyb.mjs.map → apply-CWRyxIoO.mjs.map} +1 -1
  18. package/dist/astro/image-endpoint.d.mts +8 -0
  19. package/dist/astro/image-endpoint.d.mts.map +1 -0
  20. package/dist/astro/image-endpoint.mjs +55 -0
  21. package/dist/astro/image-endpoint.mjs.map +1 -0
  22. package/dist/astro/index.d.mts +36 -11
  23. package/dist/astro/index.d.mts.map +1 -1
  24. package/dist/astro/index.mjs +122 -26
  25. package/dist/astro/index.mjs.map +1 -1
  26. package/dist/astro/middleware/auth.d.mts +9 -9
  27. package/dist/astro/middleware/auth.d.mts.map +1 -1
  28. package/dist/astro/middleware/auth.mjs +12 -10
  29. package/dist/astro/middleware/auth.mjs.map +1 -1
  30. package/dist/astro/middleware/redirect.mjs +6 -6
  31. package/dist/astro/middleware/request-context.d.mts.map +1 -1
  32. package/dist/astro/middleware/request-context.mjs +8 -6
  33. package/dist/astro/middleware/request-context.mjs.map +1 -1
  34. package/dist/astro/middleware/setup.mjs +1 -1
  35. package/dist/astro/middleware.d.mts +1 -1
  36. package/dist/astro/middleware.d.mts.map +1 -1
  37. package/dist/astro/middleware.mjs +444 -149
  38. package/dist/astro/middleware.mjs.map +1 -1
  39. package/dist/astro/routes/api/admin/allowed-domains/_domain_.mjs +7 -7
  40. package/dist/astro/routes/api/admin/allowed-domains/index.mjs +7 -7
  41. package/dist/astro/routes/api/admin/api-tokens/_id_.mjs +5 -5
  42. package/dist/astro/routes/api/admin/api-tokens/index.mjs +6 -6
  43. package/dist/astro/routes/api/admin/byline-fields/_slug_/usage.mjs +6 -6
  44. package/dist/astro/routes/api/admin/byline-fields/_slug_.mjs +10 -10
  45. package/dist/astro/routes/api/admin/byline-fields/index.mjs +10 -10
  46. package/dist/astro/routes/api/admin/byline-fields/reorder.mjs +10 -10
  47. package/dist/astro/routes/api/admin/bylines/_id_/index.mjs +18 -16
  48. package/dist/astro/routes/api/admin/bylines/_id_/index.mjs.map +1 -1
  49. package/dist/astro/routes/api/admin/bylines/_id_/translations.mjs +18 -16
  50. package/dist/astro/routes/api/admin/bylines/_id_/translations.mjs.map +1 -1
  51. package/dist/astro/routes/api/admin/bylines/index.mjs +18 -16
  52. package/dist/astro/routes/api/admin/bylines/index.mjs.map +1 -1
  53. package/dist/astro/routes/api/admin/comments/_id_/status.mjs +15 -13
  54. package/dist/astro/routes/api/admin/comments/_id_/status.mjs.map +1 -1
  55. package/dist/astro/routes/api/admin/comments/_id_.mjs +8 -6
  56. package/dist/astro/routes/api/admin/comments/_id_.mjs.map +1 -1
  57. package/dist/astro/routes/api/admin/comments/bulk.mjs +12 -10
  58. package/dist/astro/routes/api/admin/comments/bulk.mjs.map +1 -1
  59. package/dist/astro/routes/api/admin/comments/counts.mjs +8 -6
  60. package/dist/astro/routes/api/admin/comments/counts.mjs.map +1 -1
  61. package/dist/astro/routes/api/admin/comments/index.mjs +12 -10
  62. package/dist/astro/routes/api/admin/comments/index.mjs.map +1 -1
  63. package/dist/astro/routes/api/admin/hooks/exclusive/_hookName_.mjs +6 -6
  64. package/dist/astro/routes/api/admin/hooks/exclusive/index.mjs +5 -5
  65. package/dist/astro/routes/api/admin/oauth-clients/_id_.mjs +5 -5
  66. package/dist/astro/routes/api/admin/oauth-clients/index.mjs +5 -5
  67. package/dist/astro/routes/api/admin/plugins/_id_/disable.mjs +41 -39
  68. package/dist/astro/routes/api/admin/plugins/_id_/disable.mjs.map +1 -1
  69. package/dist/astro/routes/api/admin/plugins/_id_/enable.mjs +41 -39
  70. package/dist/astro/routes/api/admin/plugins/_id_/enable.mjs.map +1 -1
  71. package/dist/astro/routes/api/admin/plugins/_id_/index.mjs +40 -38
  72. package/dist/astro/routes/api/admin/plugins/_id_/index.mjs.map +1 -1
  73. package/dist/astro/routes/api/admin/plugins/_id_/uninstall.mjs +40 -38
  74. package/dist/astro/routes/api/admin/plugins/_id_/uninstall.mjs.map +1 -1
  75. package/dist/astro/routes/api/admin/plugins/_id_/update.mjs +40 -38
  76. package/dist/astro/routes/api/admin/plugins/_id_/update.mjs.map +1 -1
  77. package/dist/astro/routes/api/admin/plugins/index.mjs +40 -38
  78. package/dist/astro/routes/api/admin/plugins/index.mjs.map +1 -1
  79. package/dist/astro/routes/api/admin/plugins/marketplace/_id_/icon.mjs +4 -4
  80. package/dist/astro/routes/api/admin/plugins/marketplace/_id_/index.mjs +40 -38
  81. package/dist/astro/routes/api/admin/plugins/marketplace/_id_/index.mjs.map +1 -1
  82. package/dist/astro/routes/api/admin/plugins/marketplace/_id_/install.mjs +40 -38
  83. package/dist/astro/routes/api/admin/plugins/marketplace/_id_/install.mjs.map +1 -1
  84. package/dist/astro/routes/api/admin/plugins/marketplace/index.mjs +40 -38
  85. package/dist/astro/routes/api/admin/plugins/marketplace/index.mjs.map +1 -1
  86. package/dist/astro/routes/api/admin/plugins/registry/_id_/uninstall.mjs +40 -38
  87. package/dist/astro/routes/api/admin/plugins/registry/_id_/uninstall.mjs.map +1 -1
  88. package/dist/astro/routes/api/admin/plugins/registry/_id_/update.mjs +41 -39
  89. package/dist/astro/routes/api/admin/plugins/registry/_id_/update.mjs.map +1 -1
  90. package/dist/astro/routes/api/admin/plugins/registry/artifact.mjs +40 -38
  91. package/dist/astro/routes/api/admin/plugins/registry/artifact.mjs.map +1 -1
  92. package/dist/astro/routes/api/admin/plugins/registry/install.mjs +41 -39
  93. package/dist/astro/routes/api/admin/plugins/registry/install.mjs.map +1 -1
  94. package/dist/astro/routes/api/admin/plugins/updates.mjs +40 -38
  95. package/dist/astro/routes/api/admin/plugins/updates.mjs.map +1 -1
  96. package/dist/astro/routes/api/admin/themes/marketplace/_id_/index.mjs +40 -38
  97. package/dist/astro/routes/api/admin/themes/marketplace/_id_/index.mjs.map +1 -1
  98. package/dist/astro/routes/api/admin/themes/marketplace/_id_/thumbnail.mjs +4 -4
  99. package/dist/astro/routes/api/admin/themes/marketplace/index.mjs +40 -38
  100. package/dist/astro/routes/api/admin/themes/marketplace/index.mjs.map +1 -1
  101. package/dist/astro/routes/api/admin/users/_id_/disable.mjs +4 -4
  102. package/dist/astro/routes/api/admin/users/_id_/enable.mjs +3 -3
  103. package/dist/astro/routes/api/admin/users/_id_/index.mjs +8 -8
  104. package/dist/astro/routes/api/admin/users/_id_/send-recovery.mjs +5 -5
  105. package/dist/astro/routes/api/admin/users/index.mjs +7 -7
  106. package/dist/astro/routes/api/auth/dev-bypass.mjs +6 -6
  107. package/dist/astro/routes/api/auth/invite/accept.mjs +3 -3
  108. package/dist/astro/routes/api/auth/invite/complete.mjs +12 -12
  109. package/dist/astro/routes/api/auth/invite/index.mjs +9 -9
  110. package/dist/astro/routes/api/auth/invite/register-options.mjs +11 -11
  111. package/dist/astro/routes/api/auth/logout.mjs +4 -4
  112. package/dist/astro/routes/api/auth/magic-link/send.mjs +11 -11
  113. package/dist/astro/routes/api/auth/magic-link/verify.mjs +4 -4
  114. package/dist/astro/routes/api/auth/me.mjs +8 -8
  115. package/dist/astro/routes/api/auth/mode.mjs +1 -1
  116. package/dist/astro/routes/api/auth/oauth/_provider_/callback.mjs +4 -4
  117. package/dist/astro/routes/api/auth/oauth/_provider_.mjs +2 -2
  118. package/dist/astro/routes/api/auth/passkey/_id_.mjs +7 -7
  119. package/dist/astro/routes/api/auth/passkey/index.mjs +3 -3
  120. package/dist/astro/routes/api/auth/passkey/options.mjs +13 -13
  121. package/dist/astro/routes/api/auth/passkey/register/options.mjs +11 -11
  122. package/dist/astro/routes/api/auth/passkey/register/verify.mjs +12 -12
  123. package/dist/astro/routes/api/auth/passkey/verify.mjs +12 -12
  124. package/dist/astro/routes/api/auth/signup/complete.mjs +12 -12
  125. package/dist/astro/routes/api/auth/signup/request.mjs +11 -11
  126. package/dist/astro/routes/api/auth/signup/verify.mjs +3 -3
  127. package/dist/astro/routes/api/comments/_collection_/_contentId_/index.mjs +16 -15
  128. package/dist/astro/routes/api/comments/_collection_/_contentId_/index.mjs.map +1 -1
  129. package/dist/astro/routes/api/comments/_collection_/_contentId_/reactions.d.mts +9 -0
  130. package/dist/astro/routes/api/comments/_collection_/_contentId_/reactions.d.mts.map +1 -0
  131. package/dist/astro/routes/api/comments/_collection_/_contentId_/reactions.mjs +179 -0
  132. package/dist/astro/routes/api/comments/_collection_/_contentId_/reactions.mjs.map +1 -0
  133. package/dist/astro/routes/api/content/_collection_/_id_/compare.mjs +4 -4
  134. package/dist/astro/routes/api/content/_collection_/_id_/discard-draft.mjs +4 -4
  135. package/dist/astro/routes/api/content/_collection_/_id_/duplicate.mjs +4 -4
  136. package/dist/astro/routes/api/content/_collection_/_id_/permanent.mjs +4 -4
  137. package/dist/astro/routes/api/content/_collection_/_id_/preview-url.mjs +13 -13
  138. package/dist/astro/routes/api/content/_collection_/_id_/publish.mjs +8 -8
  139. package/dist/astro/routes/api/content/_collection_/_id_/restore.mjs +4 -4
  140. package/dist/astro/routes/api/content/_collection_/_id_/revisions.mjs +4 -4
  141. package/dist/astro/routes/api/content/_collection_/_id_/schedule.mjs +8 -8
  142. package/dist/astro/routes/api/content/_collection_/_id_/terms/_taxonomy_.mjs +17 -15
  143. package/dist/astro/routes/api/content/_collection_/_id_/terms/_taxonomy_.mjs.map +1 -1
  144. package/dist/astro/routes/api/content/_collection_/_id_/translations.mjs +4 -4
  145. package/dist/astro/routes/api/content/_collection_/_id_/unpublish.mjs +4 -4
  146. package/dist/astro/routes/api/content/_collection_/_id_.mjs +8 -8
  147. package/dist/astro/routes/api/content/_collection_/authors.mjs +4 -4
  148. package/dist/astro/routes/api/content/_collection_/index.mjs +8 -8
  149. package/dist/astro/routes/api/content/_collection_/trash.mjs +8 -8
  150. package/dist/astro/routes/api/dashboard.mjs +10 -8
  151. package/dist/astro/routes/api/dashboard.mjs.map +1 -1
  152. package/dist/astro/routes/api/dev/emails.mjs +4 -4
  153. package/dist/astro/routes/api/import/probe.d.mts +3 -3
  154. package/dist/astro/routes/api/import/probe.mjs +12 -12
  155. package/dist/astro/routes/api/import/wordpress/analyze.mjs +5 -5
  156. package/dist/astro/routes/api/import/wordpress/execute.d.mts +9 -9
  157. package/dist/astro/routes/api/import/wordpress/execute.mjs +17 -15
  158. package/dist/astro/routes/api/import/wordpress/execute.mjs.map +1 -1
  159. package/dist/astro/routes/api/import/wordpress/media.mjs +10 -10
  160. package/dist/astro/routes/api/import/wordpress/prepare.mjs +11 -11
  161. package/dist/astro/routes/api/import/wordpress/rewrite-urls.mjs +10 -10
  162. package/dist/astro/routes/api/import/wordpress-plugin/analyze.d.mts +1 -1
  163. package/dist/astro/routes/api/import/wordpress-plugin/analyze.mjs +12 -12
  164. package/dist/astro/routes/api/import/wordpress-plugin/callback.mjs +1 -1
  165. package/dist/astro/routes/api/import/wordpress-plugin/execute.d.mts +1 -1
  166. package/dist/astro/routes/api/import/wordpress-plugin/execute.mjs +19 -17
  167. package/dist/astro/routes/api/import/wordpress-plugin/execute.mjs.map +1 -1
  168. package/dist/astro/routes/api/manifest.mjs +5 -5
  169. package/dist/astro/routes/api/mcp.mjs +213 -46
  170. package/dist/astro/routes/api/mcp.mjs.map +1 -1
  171. package/dist/astro/routes/api/media/_id_/confirm.mjs +8 -8
  172. package/dist/astro/routes/api/media/_id_.mjs +8 -8
  173. package/dist/astro/routes/api/media/file/_...key_.mjs +3 -3
  174. package/dist/astro/routes/api/media/providers/_providerId_/_itemId_.mjs +4 -4
  175. package/dist/astro/routes/api/media/providers/_providerId_/index.mjs +4 -4
  176. package/dist/astro/routes/api/media/providers/index.mjs +4 -4
  177. package/dist/astro/routes/api/media/upload-url.mjs +10 -10
  178. package/dist/astro/routes/api/media.mjs +13 -13
  179. package/dist/astro/routes/api/menus/_name_/items/_id_.mjs +11 -9
  180. package/dist/astro/routes/api/menus/_name_/items/_id_.mjs.map +1 -1
  181. package/dist/astro/routes/api/menus/_name_/items.mjs +11 -9
  182. package/dist/astro/routes/api/menus/_name_/items.mjs.map +1 -1
  183. package/dist/astro/routes/api/menus/_name_/reorder.mjs +11 -9
  184. package/dist/astro/routes/api/menus/_name_/reorder.mjs.map +1 -1
  185. package/dist/astro/routes/api/menus/_name_/translations.mjs +11 -9
  186. package/dist/astro/routes/api/menus/_name_/translations.mjs.map +1 -1
  187. package/dist/astro/routes/api/menus/_name_.mjs +11 -9
  188. package/dist/astro/routes/api/menus/_name_.mjs.map +1 -1
  189. package/dist/astro/routes/api/menus/index.mjs +11 -9
  190. package/dist/astro/routes/api/menus/index.mjs.map +1 -1
  191. package/dist/astro/routes/api/oauth/authorize.mjs +6 -6
  192. package/dist/astro/routes/api/oauth/device/authorize.mjs +7 -7
  193. package/dist/astro/routes/api/oauth/device/code.mjs +10 -10
  194. package/dist/astro/routes/api/oauth/device/token.mjs +9 -9
  195. package/dist/astro/routes/api/oauth/register.mjs +4 -4
  196. package/dist/astro/routes/api/oauth/token/refresh.mjs +7 -7
  197. package/dist/astro/routes/api/oauth/token/revoke.mjs +7 -7
  198. package/dist/astro/routes/api/oauth/token.mjs +7 -7
  199. package/dist/astro/routes/api/openapi.json.mjs +5 -5
  200. package/dist/astro/routes/api/plugins/_pluginId_/_...path_.mjs +5 -5
  201. package/dist/astro/routes/api/redirects/404s/index.mjs +11 -11
  202. package/dist/astro/routes/api/redirects/404s/summary.mjs +11 -11
  203. package/dist/astro/routes/api/redirects/_id_.mjs +12 -12
  204. package/dist/astro/routes/api/redirects/index.mjs +12 -12
  205. package/dist/astro/routes/api/revisions/_revisionId_/index.mjs +4 -4
  206. package/dist/astro/routes/api/revisions/_revisionId_/restore.mjs +4 -4
  207. package/dist/astro/routes/api/schema/collections/_slug_/fields/_fieldSlug_.mjs +40 -38
  208. package/dist/astro/routes/api/schema/collections/_slug_/fields/_fieldSlug_.mjs.map +1 -1
  209. package/dist/astro/routes/api/schema/collections/_slug_/fields/index.mjs +40 -38
  210. package/dist/astro/routes/api/schema/collections/_slug_/fields/index.mjs.map +1 -1
  211. package/dist/astro/routes/api/schema/collections/_slug_/fields/reorder.mjs +40 -38
  212. package/dist/astro/routes/api/schema/collections/_slug_/fields/reorder.mjs.map +1 -1
  213. package/dist/astro/routes/api/schema/collections/_slug_/index.mjs +40 -38
  214. package/dist/astro/routes/api/schema/collections/_slug_/index.mjs.map +1 -1
  215. package/dist/astro/routes/api/schema/collections/index.mjs +40 -38
  216. package/dist/astro/routes/api/schema/collections/index.mjs.map +1 -1
  217. package/dist/astro/routes/api/schema/index.mjs +9 -8
  218. package/dist/astro/routes/api/schema/index.mjs.map +1 -1
  219. package/dist/astro/routes/api/schema/orphans/_slug_.mjs +40 -38
  220. package/dist/astro/routes/api/schema/orphans/_slug_.mjs.map +1 -1
  221. package/dist/astro/routes/api/schema/orphans/index.mjs +40 -38
  222. package/dist/astro/routes/api/schema/orphans/index.mjs.map +1 -1
  223. package/dist/astro/routes/api/search/enable.mjs +11 -11
  224. package/dist/astro/routes/api/search/index.mjs +10 -10
  225. package/dist/astro/routes/api/search/rebuild.mjs +11 -11
  226. package/dist/astro/routes/api/search/stats.mjs +7 -7
  227. package/dist/astro/routes/api/search/suggest.mjs +10 -10
  228. package/dist/astro/routes/api/sections/_slug_.mjs +10 -10
  229. package/dist/astro/routes/api/sections/index.mjs +10 -10
  230. package/dist/astro/routes/api/settings/email.mjs +6 -6
  231. package/dist/astro/routes/api/settings.mjs +16 -15
  232. package/dist/astro/routes/api/settings.mjs.map +1 -1
  233. package/dist/astro/routes/api/setup/admin-verify.mjs +13 -13
  234. package/dist/astro/routes/api/setup/admin.mjs +12 -12
  235. package/dist/astro/routes/api/setup/dev-bypass.d.mts.map +1 -1
  236. package/dist/astro/routes/api/setup/dev-bypass.mjs +30 -27
  237. package/dist/astro/routes/api/setup/dev-bypass.mjs.map +1 -1
  238. package/dist/astro/routes/api/setup/dev-reset.mjs +4 -4
  239. package/dist/astro/routes/api/setup/index.mjs +30 -28
  240. package/dist/astro/routes/api/setup/index.mjs.map +1 -1
  241. package/dist/astro/routes/api/setup/status.mjs +5 -5
  242. package/dist/astro/routes/api/snapshot.d.mts.map +1 -1
  243. package/dist/astro/routes/api/snapshot.mjs +10 -9
  244. package/dist/astro/routes/api/snapshot.mjs.map +1 -1
  245. package/dist/astro/routes/api/taxonomies/_name_/terms/_slug_/translations.mjs +16 -14
  246. package/dist/astro/routes/api/taxonomies/_name_/terms/_slug_/translations.mjs.map +1 -1
  247. package/dist/astro/routes/api/taxonomies/_name_/terms/_slug_.mjs +16 -14
  248. package/dist/astro/routes/api/taxonomies/_name_/terms/_slug_.mjs.map +1 -1
  249. package/dist/astro/routes/api/taxonomies/_name_/terms/index.mjs +16 -14
  250. package/dist/astro/routes/api/taxonomies/_name_/terms/index.mjs.map +1 -1
  251. package/dist/astro/routes/api/taxonomies/index.mjs +16 -14
  252. package/dist/astro/routes/api/taxonomies/index.mjs.map +1 -1
  253. package/dist/astro/routes/api/themes/preview.mjs +8 -8
  254. package/dist/astro/routes/api/typegen.mjs +6 -6
  255. package/dist/astro/routes/api/well-known/auth.mjs +2 -2
  256. package/dist/astro/routes/api/well-known/oauth-authorization-server.mjs +2 -2
  257. package/dist/astro/routes/api/well-known/oauth-protected-resource.mjs +2 -2
  258. package/dist/astro/routes/api/widget-areas/_name_/reorder.mjs +8 -8
  259. package/dist/astro/routes/api/widget-areas/_name_/widgets/_id_.mjs +11 -11
  260. package/dist/astro/routes/api/widget-areas/_name_/widgets.mjs +11 -11
  261. package/dist/astro/routes/api/widget-areas/_name_.mjs +7 -7
  262. package/dist/astro/routes/api/widget-areas/index.mjs +11 -11
  263. package/dist/astro/routes/api/widget-components.mjs +4 -4
  264. package/dist/astro/routes/robots.txt.mjs +10 -9
  265. package/dist/astro/routes/robots.txt.mjs.map +1 -1
  266. package/dist/astro/routes/sitemap-_collection_.xml.mjs +13 -12
  267. package/dist/astro/routes/sitemap-_collection_.xml.mjs.map +1 -1
  268. package/dist/astro/routes/sitemap.xml.mjs +11 -10
  269. package/dist/astro/routes/sitemap.xml.mjs.map +1 -1
  270. package/dist/astro/types.d.mts +16 -12
  271. package/dist/astro/types.d.mts.map +1 -1
  272. package/dist/auth/providers/github.d.mts +1 -1
  273. package/dist/auth/providers/google.d.mts +1 -1
  274. package/dist/{authorize-D5gfBVU5.mjs → authorize-Cse0k7B0.mjs} +2 -2
  275. package/dist/{authorize-D5gfBVU5.mjs.map → authorize-Cse0k7B0.mjs.map} +1 -1
  276. package/dist/{base64-CqR-7kqF.mjs → base64-CmWvODNW.mjs} +1 -1
  277. package/dist/{base64-CqR-7kqF.mjs.map → base64-CmWvODNW.mjs.map} +1 -1
  278. package/dist/{byline-V_Qp1Ziw.mjs → byline-DVo-liaP.mjs} +27 -76
  279. package/dist/byline-DVo-liaP.mjs.map +1 -0
  280. package/dist/{byline-fields-B0NO1yUB.mjs → byline-fields-B-KXkg5R.mjs} +3 -3
  281. package/dist/{byline-fields-B0NO1yUB.mjs.map → byline-fields-B-KXkg5R.mjs.map} +1 -1
  282. package/dist/{byline-fields-nBVqK_Ff.mjs → byline-fields-DaMKzkhO.mjs} +2 -2
  283. package/dist/{byline-fields-nBVqK_Ff.mjs.map → byline-fields-DaMKzkhO.mjs.map} +1 -1
  284. package/dist/{byline-fields-CQJRIQkn.d.mts → byline-fields-RFPkDLRw.d.mts} +56 -31
  285. package/dist/byline-fields-RFPkDLRw.d.mts.map +1 -0
  286. package/dist/{byline-registry-DedidtqC.mjs → byline-registry-BOjqDOim.mjs} +3 -3
  287. package/dist/{byline-registry-DedidtqC.mjs.map → byline-registry-BOjqDOim.mjs.map} +1 -1
  288. package/dist/{bylines-DfGDnred.mjs → bylines-f5ppBpD5.mjs} +8 -8
  289. package/dist/{bylines-DfGDnred.mjs.map → bylines-f5ppBpD5.mjs.map} +1 -1
  290. package/dist/{bylines-B2NWnIwS.mjs → bylines-pIKgc_TL.mjs} +10 -4
  291. package/dist/{bylines-B2NWnIwS.mjs.map → bylines-pIKgc_TL.mjs.map} +1 -1
  292. package/dist/{cache-DTTHWD8n.mjs → cache-Q6V4U-Xz.mjs} +3 -3
  293. package/dist/{cache-DTTHWD8n.mjs.map → cache-Q6V4U-Xz.mjs.map} +1 -1
  294. package/dist/{challenge-store-woE0bbCf.mjs → challenge-store-LhiqMccz.mjs} +1 -1
  295. package/dist/{challenge-store-woE0bbCf.mjs.map → challenge-store-LhiqMccz.mjs.map} +1 -1
  296. package/dist/{chunks-BerYVuve.mjs → chunks-SyjZaYwV.mjs} +2 -2
  297. package/dist/{chunks-BerYVuve.mjs.map → chunks-SyjZaYwV.mjs.map} +1 -1
  298. package/dist/cli/index.mjs +29 -27
  299. package/dist/cli/index.mjs.map +1 -1
  300. package/dist/client/cf-access.d.mts +1 -1
  301. package/dist/client/index.d.mts +1 -1
  302. package/dist/client/index.mjs +2 -1
  303. package/dist/client/index.mjs.map +1 -1
  304. package/dist/{comment-sqQxNpN3.mjs → comment-80UyJJUR.mjs} +11 -3
  305. package/dist/comment-80UyJJUR.mjs.map +1 -0
  306. package/dist/comment-reaction-Dyb-AutY.mjs +85 -0
  307. package/dist/comment-reaction-Dyb-AutY.mjs.map +1 -0
  308. package/dist/{comments-D2hNuxNa.mjs → comments-Cczx7AvD.mjs} +3 -3
  309. package/dist/{comments-D2hNuxNa.mjs.map → comments-Cczx7AvD.mjs.map} +1 -1
  310. package/dist/{components-DYKp2gmo.mjs → components-CYt4uVK9.mjs} +1 -1
  311. package/dist/{components-DYKp2gmo.mjs.map → components-CYt4uVK9.mjs.map} +1 -1
  312. package/dist/{content-BIlVx-RX.mjs → content-2PTDNnoh.mjs} +22 -7
  313. package/dist/content-2PTDNnoh.mjs.map +1 -0
  314. package/dist/{context-Cm4pt1Ws.mjs → context-B1W8soLv.mjs} +64 -26
  315. package/dist/context-B1W8soLv.mjs.map +1 -0
  316. package/dist/{cron-DdEVrQ2Y.mjs → cron-C5LVoNmP.mjs} +14 -2
  317. package/dist/cron-C5LVoNmP.mjs.map +1 -0
  318. package/dist/{dashboard-C-UYpps0.mjs → dashboard-CYjpQZ6-.mjs} +4 -4
  319. package/dist/{dashboard-C-UYpps0.mjs.map → dashboard-CYjpQZ6-.mjs.map} +1 -1
  320. package/dist/database/instrumentation.d.mts +19 -0
  321. package/dist/database/instrumentation.d.mts.map +1 -1
  322. package/dist/database/instrumentation.mjs +8 -1
  323. package/dist/database/instrumentation.mjs.map +1 -1
  324. package/dist/db/index.d.mts +3 -3
  325. package/dist/db/index.mjs +1 -1
  326. package/dist/db/libsql.d.mts +1 -1
  327. package/dist/db/postgres.d.mts +1 -1
  328. package/dist/db/sqlite.d.mts +1 -1
  329. package/dist/{db-errors-BluWkwGI.mjs → db-errors-UXB1CK42.mjs} +1 -1
  330. package/dist/{db-errors-BluWkwGI.mjs.map → db-errors-UXB1CK42.mjs.map} +1 -1
  331. package/dist/{default-NHGuJzQ3.mjs → default-CeRG-Ot4.mjs} +1 -1
  332. package/dist/{default-NHGuJzQ3.mjs.map → default-CeRG-Ot4.mjs.map} +1 -1
  333. package/dist/{device-flow-BQApWgnW.mjs → device-flow-DENDCQ9F.mjs} +5 -5
  334. package/dist/{device-flow-BQApWgnW.mjs.map → device-flow-DENDCQ9F.mjs.map} +1 -1
  335. package/dist/{email-console-BbU3RbWv.mjs → email-console-DJP32ucW.mjs} +1 -1
  336. package/dist/{email-console-BbU3RbWv.mjs.map → email-console-DJP32ucW.mjs.map} +1 -1
  337. package/dist/{error-CNn_w7jf.mjs → error-Bl6kZgtt.mjs} +2 -2
  338. package/dist/{error-CNn_w7jf.mjs.map → error-Bl6kZgtt.mjs.map} +1 -1
  339. package/dist/{escape-DPgcxcpL.mjs → escape-Bjio4ZsM.mjs} +1 -1
  340. package/dist/{escape-DPgcxcpL.mjs.map → escape-Bjio4ZsM.mjs.map} +1 -1
  341. package/dist/field-defs-cache-ztrdzUGb.mjs +77 -0
  342. package/dist/field-defs-cache-ztrdzUGb.mjs.map +1 -0
  343. package/dist/{fts-manager-Cx5z8jdA.mjs → fts-manager-CQuHt-vS.mjs} +2 -2
  344. package/dist/{fts-manager-Cx5z8jdA.mjs.map → fts-manager-CQuHt-vS.mjs.map} +1 -1
  345. package/dist/{hash-DlvIFn0b.mjs → hash-DrvzIXcz.mjs} +1 -1
  346. package/dist/{hash-DlvIFn0b.mjs.map → hash-DrvzIXcz.mjs.map} +1 -1
  347. package/dist/{import-KyxT1Mbs.mjs → import-Bb1T9WJS.mjs} +4 -4
  348. package/dist/{import-KyxT1Mbs.mjs.map → import-Bb1T9WJS.mjs.map} +1 -1
  349. package/dist/{index-D2VAiumu.d.mts → index-BaIj5hIq.d.mts} +198 -21
  350. package/dist/index-BaIj5hIq.d.mts.map +1 -0
  351. package/dist/{index-uT2yR66F.d.mts → index-qbL02uhs.d.mts} +3 -3
  352. package/dist/{index-uT2yR66F.d.mts.map → index-qbL02uhs.d.mts.map} +1 -1
  353. package/dist/index.d.mts +18 -17
  354. package/dist/index.mjs +64 -61
  355. package/dist/{init-lock-DlBHjf9-.mjs → init-lock-6b309ZrF.mjs} +2 -29
  356. package/dist/init-lock-6b309ZrF.mjs.map +1 -0
  357. package/dist/{load-Dq91b_DK.mjs → load-BNo-ER8C.mjs} +2 -2
  358. package/dist/{load-Dq91b_DK.mjs.map → load-BNo-ER8C.mjs.map} +1 -1
  359. package/dist/{loader-BqWjcH3h.mjs → loader-Dn74CG1b.mjs} +70 -11
  360. package/dist/loader-Dn74CG1b.mjs.map +1 -0
  361. package/dist/{manifest-schema-DFPeqMAn.mjs → manifest-schema-BWKnQYQF.mjs} +1 -1
  362. package/dist/{manifest-schema-DFPeqMAn.mjs.map → manifest-schema-BWKnQYQF.mjs.map} +1 -1
  363. package/dist/media/image-endpoint.d.mts +74 -0
  364. package/dist/media/image-endpoint.d.mts.map +1 -0
  365. package/dist/media/image-endpoint.mjs +162 -0
  366. package/dist/media/image-endpoint.mjs.map +1 -0
  367. package/dist/media/index.d.mts +1 -1
  368. package/dist/media/index.mjs +2 -2
  369. package/dist/media/local-runtime.d.mts +19 -11
  370. package/dist/media/local-runtime.d.mts.map +1 -1
  371. package/dist/media/local-runtime.mjs +16 -13
  372. package/dist/media/local-runtime.mjs.map +1 -1
  373. package/dist/{media-JOf3pNkw.mjs → media-Bw0sA6rb.mjs} +2 -2
  374. package/dist/{media-JOf3pNkw.mjs.map → media-Bw0sA6rb.mjs.map} +1 -1
  375. package/dist/{media-allowlist-_A0SuDn4.mjs → media-allowlist-B77I5_bw.mjs} +2 -2
  376. package/dist/{media-allowlist-_A0SuDn4.mjs.map → media-allowlist-B77I5_bw.mjs.map} +1 -1
  377. package/dist/{media-url-CqLd69IO.mjs → media-url-O4rm9-SQ.mjs} +1 -1
  378. package/dist/{media-url-CqLd69IO.mjs.map → media-url-O4rm9-SQ.mjs.map} +1 -1
  379. package/dist/{menus-DX4_E01q.mjs → menus-CYs0WZoL.mjs} +20 -6
  380. package/dist/menus-CYs0WZoL.mjs.map +1 -0
  381. package/dist/{menus-Ryk9L7fT.mjs → menus-DS8VTZgo.mjs} +167 -24
  382. package/dist/menus-DS8VTZgo.mjs.map +1 -0
  383. package/dist/{mime-YbtlEtvS.mjs → mime-BTzvzJ8M.mjs} +1 -1
  384. package/dist/{mime-YbtlEtvS.mjs.map → mime-BTzvzJ8M.mjs.map} +1 -1
  385. package/dist/{mode-CGXzIbD8.mjs → mode-BB0F8xTC.mjs} +1 -1
  386. package/dist/{mode-CGXzIbD8.mjs.map → mode-BB0F8xTC.mjs.map} +1 -1
  387. package/dist/{normalize-DKsg36ty.mjs → normalize-ClbNIenm.mjs} +1 -1
  388. package/dist/{normalize-DKsg36ty.mjs.map → normalize-ClbNIenm.mjs.map} +1 -1
  389. package/dist/{oauth-authorization-C2kVyjXI.mjs → oauth-authorization-CsvzIp_F.mjs} +5 -5
  390. package/dist/{oauth-authorization-C2kVyjXI.mjs.map → oauth-authorization-CsvzIp_F.mjs.map} +1 -1
  391. package/dist/{oauth-clients-BC873NCV.mjs → oauth-clients-C9SYwEbZ.mjs} +1 -1
  392. package/dist/{oauth-clients-BC873NCV.mjs.map → oauth-clients-C9SYwEbZ.mjs.map} +1 -1
  393. package/dist/{oauth-state-store-Cd--TUaq.mjs → oauth-state-store---zrApfB.mjs} +1 -1
  394. package/dist/{oauth-state-store-Cd--TUaq.mjs.map → oauth-state-store---zrApfB.mjs.map} +1 -1
  395. package/dist/{oauth-user-lookup-e4wOvDud.mjs → oauth-user-lookup-SHsWRlG9.mjs} +1 -1
  396. package/dist/{oauth-user-lookup-e4wOvDud.mjs.map → oauth-user-lookup-SHsWRlG9.mjs.map} +1 -1
  397. package/dist/object-cache/memory.d.mts +15 -0
  398. package/dist/object-cache/memory.d.mts.map +1 -0
  399. package/dist/object-cache/memory.mjs +56 -0
  400. package/dist/object-cache/memory.mjs.map +1 -0
  401. package/dist/object-cache-SEb2IM4Z.mjs +373 -0
  402. package/dist/object-cache-SEb2IM4Z.mjs.map +1 -0
  403. package/dist/{options-9kLgkE8m.d.mts → options-CqECG0gM.d.mts} +3 -3
  404. package/dist/{options-9kLgkE8m.d.mts.map → options-CqECG0gM.d.mts.map} +1 -1
  405. package/dist/{options-BPCVnesz.mjs → options-DTTML-Tx.mjs} +1 -1
  406. package/dist/{options-BPCVnesz.mjs.map → options-DTTML-Tx.mjs.map} +1 -1
  407. package/dist/page/index.d.mts +2 -2
  408. package/dist/{parse-DzSrk1t8.mjs → parse-C9hpjUyY.mjs} +2 -2
  409. package/dist/{parse-DzSrk1t8.mjs.map → parse-C9hpjUyY.mjs.map} +1 -1
  410. package/dist/{passkey-config-BpjbE_Uv.mjs → passkey-config-C0YfSBko.mjs} +1 -1
  411. package/dist/{passkey-config-BpjbE_Uv.mjs.map → passkey-config-C0YfSBko.mjs.map} +1 -1
  412. package/dist/{patterns-p-RBdTbM.mjs → patterns-BKmjvM7K.mjs} +1 -1
  413. package/dist/{patterns-p-RBdTbM.mjs.map → patterns-BKmjvM7K.mjs.map} +1 -1
  414. package/dist/{placeholder-2xumZh4g.mjs → placeholder-B0s2mWu5.mjs} +1 -1
  415. package/dist/{placeholder-2xumZh4g.mjs.map → placeholder-B0s2mWu5.mjs.map} +1 -1
  416. package/dist/{placeholder-BevVKfay.d.mts → placeholder-QoI4gEzP.d.mts} +1 -1
  417. package/dist/{placeholder-BevVKfay.d.mts.map → placeholder-QoI4gEzP.d.mts.map} +1 -1
  418. package/dist/plugin-types.d.mts +1 -1
  419. package/dist/plugin-utils.d.mts +9 -9
  420. package/dist/plugins/adapt-sandbox-entry.d.mts +9 -9
  421. package/dist/plugins/adapt-sandbox-entry.mjs +4 -2
  422. package/dist/plugins/adapt-sandbox-entry.mjs.map +1 -1
  423. package/dist/{transport-1cIrOb1Y.mjs → portable-text-BICg8bTk.mjs} +2 -135
  424. package/dist/portable-text-BICg8bTk.mjs.map +1 -0
  425. package/dist/{preview-Dqv2hwXr.mjs → preview-DKGCt2_p.mjs} +2 -2
  426. package/dist/{preview-Dqv2hwXr.mjs.map → preview-DKGCt2_p.mjs.map} +1 -1
  427. package/dist/{public-url-D_zARuvZ.mjs → public-url-CTVqgMmg.mjs} +1 -1
  428. package/dist/{public-url-D_zARuvZ.mjs.map → public-url-CTVqgMmg.mjs.map} +1 -1
  429. package/dist/{query-Crm038Mc.mjs → query-DgUHZLWB.mjs} +230 -31
  430. package/dist/query-DgUHZLWB.mjs.map +1 -0
  431. package/dist/{rate-limit-hRTBqmw1.mjs → rate-limit-BuQ5d4X_.mjs} +2 -2
  432. package/dist/{rate-limit-hRTBqmw1.mjs.map → rate-limit-BuQ5d4X_.mjs.map} +1 -1
  433. package/dist/{redirect-CRWIt8Zj.mjs → redirect-Bifv_yHv.mjs} +3 -3
  434. package/dist/{redirect-CRWIt8Zj.mjs.map → redirect-Bifv_yHv.mjs.map} +1 -1
  435. package/dist/{redirect-C-OOkyku.mjs → redirect-CS-PHtNh.mjs} +1 -1
  436. package/dist/{redirect-C-OOkyku.mjs.map → redirect-CS-PHtNh.mjs.map} +1 -1
  437. package/dist/{redirects-CP3TnTLO.mjs → redirects-BZ8Mxn8H.mjs} +6 -6
  438. package/dist/{redirects-CP3TnTLO.mjs.map → redirects-BZ8Mxn8H.mjs.map} +1 -1
  439. package/dist/{redirects-6Zg2SoYo.mjs → redirects-x9eFPeyi.mjs} +10 -3
  440. package/dist/redirects-x9eFPeyi.mjs.map +1 -0
  441. package/dist/{registry-diMzD1Wf.mjs → registry-CK1SS6pi.mjs} +6 -6
  442. package/dist/{registry-diMzD1Wf.mjs.map → registry-CK1SS6pi.mjs.map} +1 -1
  443. package/dist/{request-cache-UwmBAiUK.mjs → request-cache-KCNHp_RJ.mjs} +1 -1
  444. package/dist/{request-cache-UwmBAiUK.mjs.map → request-cache-KCNHp_RJ.mjs.map} +1 -1
  445. package/dist/{request-meta-DPechd0W.mjs → request-meta-CmS1tDFf.mjs} +2 -2
  446. package/dist/{request-meta-DPechd0W.mjs.map → request-meta-CmS1tDFf.mjs.map} +1 -1
  447. package/dist/{resolve-B3NUUtVY.mjs → resolve-C7I0qiR0.mjs} +1 -1
  448. package/dist/{resolve-B3NUUtVY.mjs.map → resolve-C7I0qiR0.mjs.map} +1 -1
  449. package/dist/{runner-C8vcbvCe.d.mts → runner-CEtq-6Sm.d.mts} +2 -2
  450. package/dist/{runner-C8vcbvCe.d.mts.map → runner-CEtq-6Sm.d.mts.map} +1 -1
  451. package/dist/{runner--4wMWwKM.mjs → runner-DYYnW530.mjs} +201 -170
  452. package/dist/runner-DYYnW530.mjs.map +1 -0
  453. package/dist/runtime.d.mts +10 -10
  454. package/dist/runtime.mjs +3 -3
  455. package/dist/{schema-BDOkd3OU.mjs → schema-CbFRFoM7.mjs} +13 -8
  456. package/dist/schema-CbFRFoM7.mjs.map +1 -0
  457. package/dist/{search-Bs_J_EW-.mjs → search-C-waE_YW.mjs} +4 -4
  458. package/dist/{search-Bs_J_EW-.mjs.map → search-C-waE_YW.mjs.map} +1 -1
  459. package/dist/{secrets-C8xmE6mR.mjs → secrets-BSf9pRRY.mjs} +5 -5
  460. package/dist/{secrets-C8xmE6mR.mjs.map → secrets-BSf9pRRY.mjs.map} +1 -1
  461. package/dist/{sections-P0zuBlyz.mjs → sections-osX9U-YJ.mjs} +3 -3
  462. package/dist/{sections-P0zuBlyz.mjs.map → sections-osX9U-YJ.mjs.map} +1 -1
  463. package/dist/seed/index.d.mts +2 -2
  464. package/dist/seed/index.mjs +23 -21
  465. package/dist/seo/index.d.mts +1 -1
  466. package/dist/seo/index.mjs +1 -1
  467. package/dist/{seo-DpNgGQjF.mjs → seo-4FovMwNS.mjs} +5 -2
  468. package/dist/seo-4FovMwNS.mjs.map +1 -0
  469. package/dist/{seo-CLhm-Fmb.mjs → seo-DCEF-AVr.mjs} +1 -1
  470. package/dist/{seo-CLhm-Fmb.mjs.map → seo-DCEF-AVr.mjs.map} +1 -1
  471. package/dist/{service-CDQQnT8W.mjs → service-jby1RRmU.mjs} +3 -3
  472. package/dist/{service-CDQQnT8W.mjs.map → service-jby1RRmU.mjs.map} +1 -1
  473. package/dist/session-user-B8aLtKAH.mjs +51 -0
  474. package/dist/session-user-B8aLtKAH.mjs.map +1 -0
  475. package/dist/{settings-sO0Fif4p.mjs → settings-4bRT2NIf.mjs} +3 -3
  476. package/dist/{settings-sO0Fif4p.mjs.map → settings-4bRT2NIf.mjs.map} +1 -1
  477. package/dist/{settings-BjBsmVAo.mjs → settings-t-H2jPuJ.mjs} +18 -10
  478. package/dist/settings-t-H2jPuJ.mjs.map +1 -0
  479. package/dist/{setup-complete-CMMr-oZU.mjs → setup-complete-gEiySUc-.mjs} +2 -2
  480. package/dist/{setup-complete-CMMr-oZU.mjs.map → setup-complete-gEiySUc-.mjs.map} +1 -1
  481. package/dist/{setup-nonce-169xl4fV.mjs → setup-nonce-DzS50zme.mjs} +1 -1
  482. package/dist/{setup-nonce-169xl4fV.mjs.map → setup-nonce-DzS50zme.mjs.map} +1 -1
  483. package/dist/{single-flight-cache-C0UV1Npg.mjs → single-flight-cache-Cdfkic3t.mjs} +2 -2
  484. package/dist/{single-flight-cache-C0UV1Npg.mjs.map → single-flight-cache-Cdfkic3t.mjs.map} +1 -1
  485. package/dist/{site-url-vtsuOvSD.mjs → site-url-BLebyON8.mjs} +2 -2
  486. package/dist/{site-url-vtsuOvSD.mjs.map → site-url-BLebyON8.mjs.map} +1 -1
  487. package/dist/{slugify-Cjh1ssOZ.mjs → slugify-Cce3dTdg.mjs} +1 -1
  488. package/dist/{slugify-Cjh1ssOZ.mjs.map → slugify-Cce3dTdg.mjs.map} +1 -1
  489. package/dist/{ssrf-XO05Voq6.mjs → ssrf-BRKb343l.mjs} +1 -1
  490. package/dist/{ssrf-XO05Voq6.mjs.map → ssrf-BRKb343l.mjs.map} +1 -1
  491. package/dist/{status-2gZklYuj.mjs → status-vUK0SA17.mjs} +1 -1
  492. package/dist/{status-2gZklYuj.mjs.map → status-vUK0SA17.mjs.map} +1 -1
  493. package/dist/storage/local.d.mts +1 -1
  494. package/dist/storage/local.mjs +1 -1
  495. package/dist/storage/s3.d.mts +1 -1
  496. package/dist/storage/s3.mjs +1 -1
  497. package/dist/{taxonomies-DuESHWKI.mjs → taxonomies-BBB8O-CU.mjs} +7 -7
  498. package/dist/{taxonomies-DuESHWKI.mjs.map → taxonomies-BBB8O-CU.mjs.map} +1 -1
  499. package/dist/{taxonomies-BBxYA38v.mjs → taxonomies-Dxrc_szG.mjs} +177 -123
  500. package/dist/taxonomies-Dxrc_szG.mjs.map +1 -0
  501. package/dist/{taxonomy-CdllE4oq.mjs → taxonomy-B2HQuVf5.mjs} +19 -6
  502. package/dist/taxonomy-B2HQuVf5.mjs.map +1 -0
  503. package/dist/{tokens-DMkVjxrx.mjs → tokens-LeuXF9gG.mjs} +2 -2
  504. package/dist/{tokens-DMkVjxrx.mjs.map → tokens-LeuXF9gG.mjs.map} +1 -1
  505. package/dist/{transaction-x2tJQ-A1.mjs → transaction-qfqpPVpu.mjs} +1 -1
  506. package/dist/{transaction-x2tJQ-A1.mjs.map → transaction-qfqpPVpu.mjs.map} +1 -1
  507. package/dist/{transport-jdvsZEIt.d.mts → transport-BZ-03aFT.d.mts} +1 -1
  508. package/dist/{transport-jdvsZEIt.d.mts.map → transport-BZ-03aFT.d.mts.map} +1 -1
  509. package/dist/transport-_2nBz7e9.mjs +135 -0
  510. package/dist/transport-_2nBz7e9.mjs.map +1 -0
  511. package/dist/{trusted-proxy-CHp41Fjj.mjs → trusted-proxy-DZY5WCn2.mjs} +1 -1
  512. package/dist/{trusted-proxy-CHp41Fjj.mjs.map → trusted-proxy-DZY5WCn2.mjs.map} +1 -1
  513. package/dist/{types-Del0VMij.d.mts → types-B-gIxFCE.d.mts} +9 -1
  514. package/dist/{types-Del0VMij.d.mts.map → types-B-gIxFCE.d.mts.map} +1 -1
  515. package/dist/{types-DdkL6fyv.d.mts → types-BG8_XTLj.d.mts} +1 -1
  516. package/dist/{types-DdkL6fyv.d.mts.map → types-BG8_XTLj.d.mts.map} +1 -1
  517. package/dist/{types-BTnnBYVX.d.mts → types-BWh2MjmA.d.mts} +15 -2
  518. package/dist/types-BWh2MjmA.d.mts.map +1 -0
  519. package/dist/{types-CkEuk-Zr.d.mts → types-BWqGVhFn.d.mts} +1 -1
  520. package/dist/{types-CkEuk-Zr.d.mts.map → types-BWqGVhFn.d.mts.map} +1 -1
  521. package/dist/{types-DejCHqWT.mjs → types-CQAugunJ.mjs} +1 -1
  522. package/dist/{types-DejCHqWT.mjs.map → types-CQAugunJ.mjs.map} +1 -1
  523. package/dist/{types-Bzfk2yC8.d.mts → types-CTLJYMhN.d.mts} +1 -1
  524. package/dist/{types-Bzfk2yC8.d.mts.map → types-CTLJYMhN.d.mts.map} +1 -1
  525. package/dist/{types-BFgYtuKd.d.mts → types-CUsXGRVj.d.mts} +1 -1
  526. package/dist/{types-BFgYtuKd.d.mts.map → types-CUsXGRVj.d.mts.map} +1 -1
  527. package/dist/{types-BXSUSAjt.mjs → types-DXOIbece.mjs} +3 -3
  528. package/dist/types-DXOIbece.mjs.map +1 -0
  529. package/dist/{types-u_XxjbS8.d.mts → types-DrYMm9s5.d.mts} +1 -1
  530. package/dist/{types-u_XxjbS8.d.mts.map → types-DrYMm9s5.d.mts.map} +1 -1
  531. package/dist/{types-DO7whVYU.d.mts → types-TTx8uP7V.d.mts} +2 -2
  532. package/dist/{types-DO7whVYU.d.mts.map → types-TTx8uP7V.d.mts.map} +1 -1
  533. package/dist/types-fS7-VTdR.d.mts +124 -0
  534. package/dist/types-fS7-VTdR.d.mts.map +1 -0
  535. package/dist/{types-BIduXPJk.mjs → types-tM44hEcf.mjs} +1 -1
  536. package/dist/{types-BIduXPJk.mjs.map → types-tM44hEcf.mjs.map} +1 -1
  537. package/dist/{user-C0um7wrg.mjs → user-Db-Rti_z.mjs} +3 -3
  538. package/dist/{user-C0um7wrg.mjs.map → user-Db-Rti_z.mjs.map} +1 -1
  539. package/dist/{utils-C4M981Br.mjs → utils-B7A57fm9.mjs} +2 -2
  540. package/dist/{utils-C4M981Br.mjs.map → utils-B7A57fm9.mjs.map} +1 -1
  541. package/dist/{validate-DGhQPXzI.mjs → validate-0Utjspbs.mjs} +3 -3
  542. package/dist/{validate-DGhQPXzI.mjs.map → validate-0Utjspbs.mjs.map} +1 -1
  543. package/dist/{validate-cJOiOvT2.d.mts → validate-DOFrIb-c.d.mts} +5 -5
  544. package/dist/{validate-cJOiOvT2.d.mts.map → validate-DOFrIb-c.d.mts.map} +1 -1
  545. package/dist/{validation-DVHjPM1M.mjs → validation-D9EnzH1T.mjs} +6 -6
  546. package/dist/{validation-DVHjPM1M.mjs.map → validation-D9EnzH1T.mjs.map} +1 -1
  547. package/dist/version-BgVM_1MU.mjs +7 -0
  548. package/dist/{version-BOjj_cfz.mjs.map → version-BgVM_1MU.mjs.map} +1 -1
  549. package/dist/{widgets-Ci6hLwfO.mjs → widgets-BSTzPUYa.mjs} +4 -4
  550. package/dist/{widgets-Ci6hLwfO.mjs.map → widgets-BSTzPUYa.mjs.map} +1 -1
  551. package/dist/{zod-generator-CarzgPAu.mjs → zod-generator-ElVQOav7.mjs} +51 -15
  552. package/dist/zod-generator-ElVQOav7.mjs.map +1 -0
  553. package/package.json +19 -6
  554. package/src/api/handlers/api-tokens.ts +19 -0
  555. package/src/api/handlers/comment-reactions.ts +165 -0
  556. package/src/api/handlers/schema.ts +8 -0
  557. package/src/api/schemas/bylines.ts +8 -0
  558. package/src/api/schemas/comments.ts +10 -0
  559. package/src/astro/image-endpoint.ts +84 -0
  560. package/src/astro/index.ts +6 -0
  561. package/src/astro/integration/index.ts +83 -22
  562. package/src/astro/integration/routes.ts +5 -0
  563. package/src/astro/integration/runtime.ts +65 -1
  564. package/src/astro/integration/virtual-modules.ts +40 -0
  565. package/src/astro/integration/vite-config.ts +25 -1
  566. package/src/astro/middleware/auth.ts +4 -3
  567. package/src/astro/middleware/request-context.ts +6 -1
  568. package/src/astro/middleware/scoped-db.ts +131 -0
  569. package/src/astro/middleware/stream-end-metrics.ts +15 -9
  570. package/src/astro/middleware.ts +131 -31
  571. package/src/astro/object-cache/adapters.ts +50 -0
  572. package/src/astro/prefetch.ts +77 -0
  573. package/src/astro/routes/admin.astro +5 -1
  574. package/src/astro/routes/api/comments/[collection]/[contentId]/reactions.ts +97 -0
  575. package/src/astro/routes/api/schema/index.ts +9 -3
  576. package/src/astro/routes/api/setup/dev-bypass.ts +5 -1
  577. package/src/astro/routes/api/snapshot.ts +3 -1
  578. package/src/astro/session-user.ts +57 -0
  579. package/src/astro/types.ts +1 -0
  580. package/src/cli/commands/export-seed.ts +10 -7
  581. package/src/comments/query.ts +78 -7
  582. package/src/comments/ranking.ts +58 -0
  583. package/src/components/Block.astro +71 -0
  584. package/src/components/Comments.astro +136 -1
  585. package/src/components/EmDashMedia.astro +1 -2
  586. package/src/components/Image.astro +36 -2
  587. package/src/components/InlinePortableTextEditor.tsx +10 -2
  588. package/src/components/index.ts +5 -0
  589. package/src/components/portable-text-text-align.ts +38 -0
  590. package/src/content/converters/portable-text-to-prosemirror.ts +5 -1
  591. package/src/content/converters/prosemirror-to-portable-text.ts +8 -0
  592. package/src/content/converters/types.ts +1 -0
  593. package/src/database/instrumentation.ts +21 -1
  594. package/src/database/migrations/044_comment_reactions.ts +56 -0
  595. package/src/database/migrations/runner.ts +2 -0
  596. package/src/database/repositories/byline.ts +27 -0
  597. package/src/database/repositories/comment-reaction.ts +132 -0
  598. package/src/database/repositories/comment.ts +10 -0
  599. package/src/database/repositories/content.ts +25 -3
  600. package/src/database/repositories/menu.ts +13 -1
  601. package/src/database/repositories/seo.ts +3 -0
  602. package/src/database/repositories/taxonomy.ts +13 -1
  603. package/src/database/repositories/types.ts +13 -0
  604. package/src/database/types.ts +9 -0
  605. package/src/emdash-runtime.ts +244 -75
  606. package/src/index.ts +22 -0
  607. package/src/loader.ts +97 -5
  608. package/src/mcp/server.ts +307 -20
  609. package/src/media/image-endpoint.ts +167 -0
  610. package/src/media/local-runtime.ts +18 -5
  611. package/src/menus/index.ts +11 -4
  612. package/src/object-cache/codec.ts +73 -0
  613. package/src/object-cache/index.ts +495 -0
  614. package/src/object-cache/memory.ts +91 -0
  615. package/src/object-cache/types.ts +124 -0
  616. package/src/plugins/adapt-sandbox-entry.ts +11 -1
  617. package/src/plugins/context.ts +94 -22
  618. package/src/plugins/cron.ts +18 -2
  619. package/src/plugins/routes.ts +40 -1
  620. package/src/query.ts +304 -18
  621. package/src/schema/query.ts +11 -4
  622. package/src/schema/zod-generator.ts +53 -8
  623. package/src/settings/index.ts +18 -5
  624. package/src/taxonomies/index.ts +263 -165
  625. package/src/ui.ts +5 -0
  626. package/src/virtual-modules.d.ts +24 -0
  627. package/dist/api-DxjIV2o8.mjs.map +0 -1
  628. package/dist/api-tokens-BFFkB0jB.mjs.map +0 -1
  629. package/dist/byline-V_Qp1Ziw.mjs.map +0 -1
  630. package/dist/byline-fields-CQJRIQkn.d.mts.map +0 -1
  631. package/dist/comment-sqQxNpN3.mjs.map +0 -1
  632. package/dist/content-BIlVx-RX.mjs.map +0 -1
  633. package/dist/context-Cm4pt1Ws.mjs.map +0 -1
  634. package/dist/cron-DdEVrQ2Y.mjs.map +0 -1
  635. package/dist/index-D2VAiumu.d.mts.map +0 -1
  636. package/dist/init-lock-DlBHjf9-.mjs.map +0 -1
  637. package/dist/loader-BqWjcH3h.mjs.map +0 -1
  638. package/dist/menus-DX4_E01q.mjs.map +0 -1
  639. package/dist/menus-Ryk9L7fT.mjs.map +0 -1
  640. package/dist/query-Crm038Mc.mjs.map +0 -1
  641. package/dist/redirects-6Zg2SoYo.mjs.map +0 -1
  642. package/dist/runner--4wMWwKM.mjs.map +0 -1
  643. package/dist/schema-BDOkd3OU.mjs.map +0 -1
  644. package/dist/seo-DpNgGQjF.mjs.map +0 -1
  645. package/dist/settings-BjBsmVAo.mjs.map +0 -1
  646. package/dist/taxonomies-BBxYA38v.mjs.map +0 -1
  647. package/dist/taxonomy-CdllE4oq.mjs.map +0 -1
  648. package/dist/transport-1cIrOb1Y.mjs.map +0 -1
  649. package/dist/types-BTnnBYVX.d.mts.map +0 -1
  650. package/dist/types-BXSUSAjt.mjs.map +0 -1
  651. package/dist/version-BOjj_cfz.mjs +0 -7
  652. package/dist/zod-generator-CarzgPAu.mjs.map +0 -1
  653. /package/dist/{api-tokens-C7ywRx7l.mjs → api-tokens-B4BQybOp.mjs} +0 -0
  654. /package/dist/{ssrf-CRZGzjdL.mjs → ssrf-CcX9zvMK.mjs} +0 -0
  655. /package/dist/{types-BoRm8-pp.mjs → types-BvbeGEtr.mjs} +0 -0
@@ -1 +1 @@
1
- {"version":3,"file":"normalize-DKsg36ty.mjs","names":[],"sources":["../src/media/normalize.ts"],"sourcesContent":["/**\n * Media Value Normalization\n *\n * Normalizes media field values into a consistent shape regardless of\n * creation path (seed scripts, media picker, WP import, URL input).\n *\n * Called at content create/update time when a media provider is available,\n * filling in missing dimensions, storageKey, mimeType, and filename from\n * the provider's `get()` method.\n */\n\nimport type { MediaProvider, MediaProviderItem, MediaValue } from \"./types.js\";\n\nexport const INTERNAL_MEDIA_PREFIX = \"/_emdash/api/media/file/\";\nconst URL_PATTERN = /^https?:\\/\\//;\n\n/**\n * Normalize a media field value into a consistent MediaValue shape.\n *\n * - `null`/`undefined` → `null`\n * - Bare URL string → `{ provider: \"external\", id: \"\", src: url }`\n * - Bare internal media URL → resolved via local provider's `get()`\n * - Bare local media ID → resolved via local provider's `get()`\n * - Object with `provider` + `id` → enriched with missing fields from provider\n */\nexport async function normalizeMediaValue(\n\tvalue: unknown,\n\tgetProvider: (id: string) => MediaProvider | undefined,\n): Promise<MediaValue | null> {\n\tif (value == null) return null;\n\n\t// Bare string URL\n\tif (typeof value === \"string\") {\n\t\treturn normalizeStringUrl(value, getProvider);\n\t}\n\n\t// Not an object — can't normalize\n\tif (!isRecord(value)) return null;\n\n\t// Must have at least an id to be a valid media value\n\tif (!(\"id\" in value) && !(\"src\" in value)) return null;\n\n\tconst provider = (typeof value.provider === \"string\" ? value.provider : undefined) || \"local\";\n\tconst id = typeof value.id === \"string\" ? value.id : \"\";\n\n\t// External URLs — return as-is, no server-side dimension detection\n\tif (provider === \"external\") {\n\t\treturn recordToMediaValue(value);\n\t}\n\n\t// Build the base value from the input\n\tconst result: MediaValue = { ...recordToMediaValue(value), provider };\n\n\t// For local media, strip `src` — it's derived at display time from storageKey\n\tif (provider === \"local\") {\n\t\tdelete result.src;\n\t}\n\n\t// Determine if we need to call the provider\n\tconst needsDimensions = result.width == null || result.height == null;\n\tconst needsStorageKey = provider === \"local\" && !result.meta?.storageKey;\n\tconst needsFileInfo = !result.mimeType || !result.filename;\n\tconst needsLookup = needsDimensions || needsStorageKey || needsFileInfo;\n\n\tif (!needsLookup || !id) return result;\n\n\t// Try to enrich from provider\n\tconst mediaProvider = getProvider(provider);\n\tif (!mediaProvider?.get) return result;\n\n\tlet providerItem: MediaProviderItem | null;\n\ttry {\n\t\tproviderItem = await mediaProvider.get(id);\n\t} catch {\n\t\treturn result;\n\t}\n\n\tif (!providerItem) return result;\n\n\treturn mergeProviderData(result, providerItem);\n}\n\nasync function normalizeStringUrl(\n\turl: string,\n\tgetProvider: (id: string) => MediaProvider | undefined,\n): Promise<MediaValue | null> {\n\t// Internal media URL — try to resolve via local provider\n\tif (url.startsWith(INTERNAL_MEDIA_PREFIX)) {\n\t\treturn resolveInternalUrl(url, getProvider);\n\t}\n\n\t// External HTTP(S) URL\n\tif (URL_PATTERN.test(url)) {\n\t\treturn Promise.resolve({\n\t\t\tprovider: \"external\",\n\t\t\tid: \"\",\n\t\t\tsrc: url,\n\t\t});\n\t}\n\n\tconst localMedia = await resolveLocalId(url, getProvider);\n\tif (localMedia) return localMedia;\n\n\t// Unrecognized string — preserve legacy behavior and treat as external\n\treturn {\n\t\tprovider: \"external\",\n\t\tid: \"\",\n\t\tsrc: url,\n\t};\n}\n\nasync function resolveInternalUrl(\n\turl: string,\n\tgetProvider: (id: string) => MediaProvider | undefined,\n): Promise<MediaValue> {\n\tconst storageKey = url.slice(INTERNAL_MEDIA_PREFIX.length);\n\tconst localProvider = getProvider(\"local\");\n\n\tif (!localProvider?.get) {\n\t\treturn { provider: \"external\", id: \"\", src: url };\n\t}\n\n\tlet item: MediaProviderItem | null;\n\ttry {\n\t\titem = await localProvider.get(storageKey);\n\t} catch {\n\t\treturn { provider: \"external\", id: \"\", src: url };\n\t}\n\n\tif (!item) {\n\t\treturn { provider: \"external\", id: \"\", src: url };\n\t}\n\n\treturn {\n\t\tprovider: \"local\",\n\t\tid: item.id,\n\t\tfilename: item.filename,\n\t\tmimeType: item.mimeType,\n\t\twidth: item.width,\n\t\theight: item.height,\n\t\talt: item.alt,\n\t\tmeta: item.meta,\n\t};\n}\n\nasync function resolveLocalId(\n\tid: string,\n\tgetProvider: (id: string) => MediaProvider | undefined,\n): Promise<MediaValue | null> {\n\tconst localProvider = getProvider(\"local\");\n\n\tif (!localProvider?.get) return null;\n\n\tlet item: MediaProviderItem | null;\n\ttry {\n\t\titem = await localProvider.get(id);\n\t} catch {\n\t\treturn null;\n\t}\n\n\tif (!item) return null;\n\n\treturn {\n\t\tprovider: \"local\",\n\t\tid: item.id,\n\t\tfilename: item.filename,\n\t\tmimeType: item.mimeType,\n\t\twidth: item.width,\n\t\theight: item.height,\n\t\talt: item.alt,\n\t\tmeta: item.meta,\n\t};\n}\n\n/**\n * Merge provider data into an existing MediaValue, preserving caller-supplied fields.\n * Caller `alt` takes priority over provider `alt` (per-usage, not per-image).\n */\nfunction mergeProviderData(existing: MediaValue, item: MediaProviderItem): MediaValue {\n\tconst result = { ...existing };\n\n\t// Fill missing dimensions\n\tif (result.width == null && item.width != null) result.width = item.width;\n\tif (result.height == null && item.height != null) result.height = item.height;\n\n\t// Fill missing file info\n\tif (!result.filename && item.filename) result.filename = item.filename;\n\tif (!result.mimeType && item.mimeType) result.mimeType = item.mimeType;\n\n\t// Fill missing alt (provider alt is fallback, not override)\n\tif (!result.alt && item.alt) result.alt = item.alt;\n\n\t// Fill missing meta (merge, don't replace)\n\tif (item.meta) {\n\t\tresult.meta = { ...item.meta, ...result.meta };\n\t}\n\n\treturn result;\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n\treturn typeof value === \"object\" && value !== null && !Array.isArray(value);\n}\n\n/**\n * Extract known MediaValue fields from a runtime-checked record.\n * Avoids unsafe `as MediaValue` cast by reading each property explicitly.\n */\nfunction recordToMediaValue(obj: Record<string, unknown>): MediaValue {\n\tconst result: MediaValue = {\n\t\tid: typeof obj.id === \"string\" ? obj.id : \"\",\n\t};\n\tif (typeof obj.provider === \"string\") result.provider = obj.provider;\n\tif (typeof obj.src === \"string\") result.src = obj.src;\n\tif (typeof obj.previewUrl === \"string\") result.previewUrl = obj.previewUrl;\n\tif (typeof obj.filename === \"string\") result.filename = obj.filename;\n\tif (typeof obj.mimeType === \"string\") result.mimeType = obj.mimeType;\n\tif (typeof obj.width === \"number\") result.width = obj.width;\n\tif (typeof obj.height === \"number\") result.height = obj.height;\n\tif (typeof obj.alt === \"string\") result.alt = obj.alt;\n\tif (isRecord(obj.meta)) result.meta = obj.meta;\n\treturn result;\n}\n"],"mappings":";AAaA,MAAa,wBAAwB;AACrC,MAAM,cAAc;;;;;;;;;;AAWpB,eAAsB,oBACrB,OACA,aAC6B;AAC7B,KAAI,SAAS,KAAM,QAAO;AAG1B,KAAI,OAAO,UAAU,SACpB,QAAO,mBAAmB,OAAO,YAAY;AAI9C,KAAI,CAAC,SAAS,MAAM,CAAE,QAAO;AAG7B,KAAI,EAAE,QAAQ,UAAU,EAAE,SAAS,OAAQ,QAAO;CAElD,MAAM,YAAY,OAAO,MAAM,aAAa,WAAW,MAAM,WAAW,WAAc;CACtF,MAAM,KAAK,OAAO,MAAM,OAAO,WAAW,MAAM,KAAK;AAGrD,KAAI,aAAa,WAChB,QAAO,mBAAmB,MAAM;CAIjC,MAAM,SAAqB;EAAE,GAAG,mBAAmB,MAAM;EAAE;EAAU;AAGrE,KAAI,aAAa,QAChB,QAAO,OAAO;CAIf,MAAM,kBAAkB,OAAO,SAAS,QAAQ,OAAO,UAAU;CACjE,MAAM,kBAAkB,aAAa,WAAW,CAAC,OAAO,MAAM;CAC9D,MAAM,gBAAgB,CAAC,OAAO,YAAY,CAAC,OAAO;AAGlD,KAAI,EAFgB,mBAAmB,mBAAmB,kBAEtC,CAAC,GAAI,QAAO;CAGhC,MAAM,gBAAgB,YAAY,SAAS;AAC3C,KAAI,CAAC,eAAe,IAAK,QAAO;CAEhC,IAAI;AACJ,KAAI;AACH,iBAAe,MAAM,cAAc,IAAI,GAAG;SACnC;AACP,SAAO;;AAGR,KAAI,CAAC,aAAc,QAAO;AAE1B,QAAO,kBAAkB,QAAQ,aAAa;;AAG/C,eAAe,mBACd,KACA,aAC6B;AAE7B,KAAI,IAAI,WAAW,sBAAsB,CACxC,QAAO,mBAAmB,KAAK,YAAY;AAI5C,KAAI,YAAY,KAAK,IAAI,CACxB,QAAO,QAAQ,QAAQ;EACtB,UAAU;EACV,IAAI;EACJ,KAAK;EACL,CAAC;CAGH,MAAM,aAAa,MAAM,eAAe,KAAK,YAAY;AACzD,KAAI,WAAY,QAAO;AAGvB,QAAO;EACN,UAAU;EACV,IAAI;EACJ,KAAK;EACL;;AAGF,eAAe,mBACd,KACA,aACsB;CACtB,MAAM,aAAa,IAAI,MAAM,GAA6B;CAC1D,MAAM,gBAAgB,YAAY,QAAQ;AAE1C,KAAI,CAAC,eAAe,IACnB,QAAO;EAAE,UAAU;EAAY,IAAI;EAAI,KAAK;EAAK;CAGlD,IAAI;AACJ,KAAI;AACH,SAAO,MAAM,cAAc,IAAI,WAAW;SACnC;AACP,SAAO;GAAE,UAAU;GAAY,IAAI;GAAI,KAAK;GAAK;;AAGlD,KAAI,CAAC,KACJ,QAAO;EAAE,UAAU;EAAY,IAAI;EAAI,KAAK;EAAK;AAGlD,QAAO;EACN,UAAU;EACV,IAAI,KAAK;EACT,UAAU,KAAK;EACf,UAAU,KAAK;EACf,OAAO,KAAK;EACZ,QAAQ,KAAK;EACb,KAAK,KAAK;EACV,MAAM,KAAK;EACX;;AAGF,eAAe,eACd,IACA,aAC6B;CAC7B,MAAM,gBAAgB,YAAY,QAAQ;AAE1C,KAAI,CAAC,eAAe,IAAK,QAAO;CAEhC,IAAI;AACJ,KAAI;AACH,SAAO,MAAM,cAAc,IAAI,GAAG;SAC3B;AACP,SAAO;;AAGR,KAAI,CAAC,KAAM,QAAO;AAElB,QAAO;EACN,UAAU;EACV,IAAI,KAAK;EACT,UAAU,KAAK;EACf,UAAU,KAAK;EACf,OAAO,KAAK;EACZ,QAAQ,KAAK;EACb,KAAK,KAAK;EACV,MAAM,KAAK;EACX;;;;;;AAOF,SAAS,kBAAkB,UAAsB,MAAqC;CACrF,MAAM,SAAS,EAAE,GAAG,UAAU;AAG9B,KAAI,OAAO,SAAS,QAAQ,KAAK,SAAS,KAAM,QAAO,QAAQ,KAAK;AACpE,KAAI,OAAO,UAAU,QAAQ,KAAK,UAAU,KAAM,QAAO,SAAS,KAAK;AAGvE,KAAI,CAAC,OAAO,YAAY,KAAK,SAAU,QAAO,WAAW,KAAK;AAC9D,KAAI,CAAC,OAAO,YAAY,KAAK,SAAU,QAAO,WAAW,KAAK;AAG9D,KAAI,CAAC,OAAO,OAAO,KAAK,IAAK,QAAO,MAAM,KAAK;AAG/C,KAAI,KAAK,KACR,QAAO,OAAO;EAAE,GAAG,KAAK;EAAM,GAAG,OAAO;EAAM;AAG/C,QAAO;;AAGR,SAAS,SAAS,OAAkD;AACnE,QAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,MAAM;;;;;;AAO5E,SAAS,mBAAmB,KAA0C;CACrE,MAAM,SAAqB,EAC1B,IAAI,OAAO,IAAI,OAAO,WAAW,IAAI,KAAK,IAC1C;AACD,KAAI,OAAO,IAAI,aAAa,SAAU,QAAO,WAAW,IAAI;AAC5D,KAAI,OAAO,IAAI,QAAQ,SAAU,QAAO,MAAM,IAAI;AAClD,KAAI,OAAO,IAAI,eAAe,SAAU,QAAO,aAAa,IAAI;AAChE,KAAI,OAAO,IAAI,aAAa,SAAU,QAAO,WAAW,IAAI;AAC5D,KAAI,OAAO,IAAI,aAAa,SAAU,QAAO,WAAW,IAAI;AAC5D,KAAI,OAAO,IAAI,UAAU,SAAU,QAAO,QAAQ,IAAI;AACtD,KAAI,OAAO,IAAI,WAAW,SAAU,QAAO,SAAS,IAAI;AACxD,KAAI,OAAO,IAAI,QAAQ,SAAU,QAAO,MAAM,IAAI;AAClD,KAAI,SAAS,IAAI,KAAK,CAAE,QAAO,OAAO,IAAI;AAC1C,QAAO"}
1
+ {"version":3,"file":"normalize-ClbNIenm.mjs","names":[],"sources":["../src/media/normalize.ts"],"sourcesContent":["/**\n * Media Value Normalization\n *\n * Normalizes media field values into a consistent shape regardless of\n * creation path (seed scripts, media picker, WP import, URL input).\n *\n * Called at content create/update time when a media provider is available,\n * filling in missing dimensions, storageKey, mimeType, and filename from\n * the provider's `get()` method.\n */\n\nimport type { MediaProvider, MediaProviderItem, MediaValue } from \"./types.js\";\n\nexport const INTERNAL_MEDIA_PREFIX = \"/_emdash/api/media/file/\";\nconst URL_PATTERN = /^https?:\\/\\//;\n\n/**\n * Normalize a media field value into a consistent MediaValue shape.\n *\n * - `null`/`undefined` → `null`\n * - Bare URL string → `{ provider: \"external\", id: \"\", src: url }`\n * - Bare internal media URL → resolved via local provider's `get()`\n * - Bare local media ID → resolved via local provider's `get()`\n * - Object with `provider` + `id` → enriched with missing fields from provider\n */\nexport async function normalizeMediaValue(\n\tvalue: unknown,\n\tgetProvider: (id: string) => MediaProvider | undefined,\n): Promise<MediaValue | null> {\n\tif (value == null) return null;\n\n\t// Bare string URL\n\tif (typeof value === \"string\") {\n\t\treturn normalizeStringUrl(value, getProvider);\n\t}\n\n\t// Not an object — can't normalize\n\tif (!isRecord(value)) return null;\n\n\t// Must have at least an id to be a valid media value\n\tif (!(\"id\" in value) && !(\"src\" in value)) return null;\n\n\tconst provider = (typeof value.provider === \"string\" ? value.provider : undefined) || \"local\";\n\tconst id = typeof value.id === \"string\" ? value.id : \"\";\n\n\t// External URLs — return as-is, no server-side dimension detection\n\tif (provider === \"external\") {\n\t\treturn recordToMediaValue(value);\n\t}\n\n\t// Build the base value from the input\n\tconst result: MediaValue = { ...recordToMediaValue(value), provider };\n\n\t// For local media, strip `src` — it's derived at display time from storageKey\n\tif (provider === \"local\") {\n\t\tdelete result.src;\n\t}\n\n\t// Determine if we need to call the provider\n\tconst needsDimensions = result.width == null || result.height == null;\n\tconst needsStorageKey = provider === \"local\" && !result.meta?.storageKey;\n\tconst needsFileInfo = !result.mimeType || !result.filename;\n\tconst needsLookup = needsDimensions || needsStorageKey || needsFileInfo;\n\n\tif (!needsLookup || !id) return result;\n\n\t// Try to enrich from provider\n\tconst mediaProvider = getProvider(provider);\n\tif (!mediaProvider?.get) return result;\n\n\tlet providerItem: MediaProviderItem | null;\n\ttry {\n\t\tproviderItem = await mediaProvider.get(id);\n\t} catch {\n\t\treturn result;\n\t}\n\n\tif (!providerItem) return result;\n\n\treturn mergeProviderData(result, providerItem);\n}\n\nasync function normalizeStringUrl(\n\turl: string,\n\tgetProvider: (id: string) => MediaProvider | undefined,\n): Promise<MediaValue | null> {\n\t// Internal media URL — try to resolve via local provider\n\tif (url.startsWith(INTERNAL_MEDIA_PREFIX)) {\n\t\treturn resolveInternalUrl(url, getProvider);\n\t}\n\n\t// External HTTP(S) URL\n\tif (URL_PATTERN.test(url)) {\n\t\treturn Promise.resolve({\n\t\t\tprovider: \"external\",\n\t\t\tid: \"\",\n\t\t\tsrc: url,\n\t\t});\n\t}\n\n\tconst localMedia = await resolveLocalId(url, getProvider);\n\tif (localMedia) return localMedia;\n\n\t// Unrecognized string — preserve legacy behavior and treat as external\n\treturn {\n\t\tprovider: \"external\",\n\t\tid: \"\",\n\t\tsrc: url,\n\t};\n}\n\nasync function resolveInternalUrl(\n\turl: string,\n\tgetProvider: (id: string) => MediaProvider | undefined,\n): Promise<MediaValue> {\n\tconst storageKey = url.slice(INTERNAL_MEDIA_PREFIX.length);\n\tconst localProvider = getProvider(\"local\");\n\n\tif (!localProvider?.get) {\n\t\treturn { provider: \"external\", id: \"\", src: url };\n\t}\n\n\tlet item: MediaProviderItem | null;\n\ttry {\n\t\titem = await localProvider.get(storageKey);\n\t} catch {\n\t\treturn { provider: \"external\", id: \"\", src: url };\n\t}\n\n\tif (!item) {\n\t\treturn { provider: \"external\", id: \"\", src: url };\n\t}\n\n\treturn {\n\t\tprovider: \"local\",\n\t\tid: item.id,\n\t\tfilename: item.filename,\n\t\tmimeType: item.mimeType,\n\t\twidth: item.width,\n\t\theight: item.height,\n\t\talt: item.alt,\n\t\tmeta: item.meta,\n\t};\n}\n\nasync function resolveLocalId(\n\tid: string,\n\tgetProvider: (id: string) => MediaProvider | undefined,\n): Promise<MediaValue | null> {\n\tconst localProvider = getProvider(\"local\");\n\n\tif (!localProvider?.get) return null;\n\n\tlet item: MediaProviderItem | null;\n\ttry {\n\t\titem = await localProvider.get(id);\n\t} catch {\n\t\treturn null;\n\t}\n\n\tif (!item) return null;\n\n\treturn {\n\t\tprovider: \"local\",\n\t\tid: item.id,\n\t\tfilename: item.filename,\n\t\tmimeType: item.mimeType,\n\t\twidth: item.width,\n\t\theight: item.height,\n\t\talt: item.alt,\n\t\tmeta: item.meta,\n\t};\n}\n\n/**\n * Merge provider data into an existing MediaValue, preserving caller-supplied fields.\n * Caller `alt` takes priority over provider `alt` (per-usage, not per-image).\n */\nfunction mergeProviderData(existing: MediaValue, item: MediaProviderItem): MediaValue {\n\tconst result = { ...existing };\n\n\t// Fill missing dimensions\n\tif (result.width == null && item.width != null) result.width = item.width;\n\tif (result.height == null && item.height != null) result.height = item.height;\n\n\t// Fill missing file info\n\tif (!result.filename && item.filename) result.filename = item.filename;\n\tif (!result.mimeType && item.mimeType) result.mimeType = item.mimeType;\n\n\t// Fill missing alt (provider alt is fallback, not override)\n\tif (!result.alt && item.alt) result.alt = item.alt;\n\n\t// Fill missing meta (merge, don't replace)\n\tif (item.meta) {\n\t\tresult.meta = { ...item.meta, ...result.meta };\n\t}\n\n\treturn result;\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n\treturn typeof value === \"object\" && value !== null && !Array.isArray(value);\n}\n\n/**\n * Extract known MediaValue fields from a runtime-checked record.\n * Avoids unsafe `as MediaValue` cast by reading each property explicitly.\n */\nfunction recordToMediaValue(obj: Record<string, unknown>): MediaValue {\n\tconst result: MediaValue = {\n\t\tid: typeof obj.id === \"string\" ? obj.id : \"\",\n\t};\n\tif (typeof obj.provider === \"string\") result.provider = obj.provider;\n\tif (typeof obj.src === \"string\") result.src = obj.src;\n\tif (typeof obj.previewUrl === \"string\") result.previewUrl = obj.previewUrl;\n\tif (typeof obj.filename === \"string\") result.filename = obj.filename;\n\tif (typeof obj.mimeType === \"string\") result.mimeType = obj.mimeType;\n\tif (typeof obj.width === \"number\") result.width = obj.width;\n\tif (typeof obj.height === \"number\") result.height = obj.height;\n\tif (typeof obj.alt === \"string\") result.alt = obj.alt;\n\tif (isRecord(obj.meta)) result.meta = obj.meta;\n\treturn result;\n}\n"],"mappings":";AAaA,MAAa,wBAAwB;AACrC,MAAM,cAAc;;;;;;;;;;AAWpB,eAAsB,oBACrB,OACA,aAC6B;AAC7B,KAAI,SAAS,KAAM,QAAO;AAG1B,KAAI,OAAO,UAAU,SACpB,QAAO,mBAAmB,OAAO,YAAY;AAI9C,KAAI,CAAC,SAAS,MAAM,CAAE,QAAO;AAG7B,KAAI,EAAE,QAAQ,UAAU,EAAE,SAAS,OAAQ,QAAO;CAElD,MAAM,YAAY,OAAO,MAAM,aAAa,WAAW,MAAM,WAAW,WAAc;CACtF,MAAM,KAAK,OAAO,MAAM,OAAO,WAAW,MAAM,KAAK;AAGrD,KAAI,aAAa,WAChB,QAAO,mBAAmB,MAAM;CAIjC,MAAM,SAAqB;EAAE,GAAG,mBAAmB,MAAM;EAAE;EAAU;AAGrE,KAAI,aAAa,QAChB,QAAO,OAAO;CAIf,MAAM,kBAAkB,OAAO,SAAS,QAAQ,OAAO,UAAU;CACjE,MAAM,kBAAkB,aAAa,WAAW,CAAC,OAAO,MAAM;CAC9D,MAAM,gBAAgB,CAAC,OAAO,YAAY,CAAC,OAAO;AAGlD,KAAI,EAFgB,mBAAmB,mBAAmB,kBAEtC,CAAC,GAAI,QAAO;CAGhC,MAAM,gBAAgB,YAAY,SAAS;AAC3C,KAAI,CAAC,eAAe,IAAK,QAAO;CAEhC,IAAI;AACJ,KAAI;AACH,iBAAe,MAAM,cAAc,IAAI,GAAG;SACnC;AACP,SAAO;;AAGR,KAAI,CAAC,aAAc,QAAO;AAE1B,QAAO,kBAAkB,QAAQ,aAAa;;AAG/C,eAAe,mBACd,KACA,aAC6B;AAE7B,KAAI,IAAI,WAAW,sBAAsB,CACxC,QAAO,mBAAmB,KAAK,YAAY;AAI5C,KAAI,YAAY,KAAK,IAAI,CACxB,QAAO,QAAQ,QAAQ;EACtB,UAAU;EACV,IAAI;EACJ,KAAK;EACL,CAAC;CAGH,MAAM,aAAa,MAAM,eAAe,KAAK,YAAY;AACzD,KAAI,WAAY,QAAO;AAGvB,QAAO;EACN,UAAU;EACV,IAAI;EACJ,KAAK;EACL;;AAGF,eAAe,mBACd,KACA,aACsB;CACtB,MAAM,aAAa,IAAI,MAAM,GAA6B;CAC1D,MAAM,gBAAgB,YAAY,QAAQ;AAE1C,KAAI,CAAC,eAAe,IACnB,QAAO;EAAE,UAAU;EAAY,IAAI;EAAI,KAAK;EAAK;CAGlD,IAAI;AACJ,KAAI;AACH,SAAO,MAAM,cAAc,IAAI,WAAW;SACnC;AACP,SAAO;GAAE,UAAU;GAAY,IAAI;GAAI,KAAK;GAAK;;AAGlD,KAAI,CAAC,KACJ,QAAO;EAAE,UAAU;EAAY,IAAI;EAAI,KAAK;EAAK;AAGlD,QAAO;EACN,UAAU;EACV,IAAI,KAAK;EACT,UAAU,KAAK;EACf,UAAU,KAAK;EACf,OAAO,KAAK;EACZ,QAAQ,KAAK;EACb,KAAK,KAAK;EACV,MAAM,KAAK;EACX;;AAGF,eAAe,eACd,IACA,aAC6B;CAC7B,MAAM,gBAAgB,YAAY,QAAQ;AAE1C,KAAI,CAAC,eAAe,IAAK,QAAO;CAEhC,IAAI;AACJ,KAAI;AACH,SAAO,MAAM,cAAc,IAAI,GAAG;SAC3B;AACP,SAAO;;AAGR,KAAI,CAAC,KAAM,QAAO;AAElB,QAAO;EACN,UAAU;EACV,IAAI,KAAK;EACT,UAAU,KAAK;EACf,UAAU,KAAK;EACf,OAAO,KAAK;EACZ,QAAQ,KAAK;EACb,KAAK,KAAK;EACV,MAAM,KAAK;EACX;;;;;;AAOF,SAAS,kBAAkB,UAAsB,MAAqC;CACrF,MAAM,SAAS,EAAE,GAAG,UAAU;AAG9B,KAAI,OAAO,SAAS,QAAQ,KAAK,SAAS,KAAM,QAAO,QAAQ,KAAK;AACpE,KAAI,OAAO,UAAU,QAAQ,KAAK,UAAU,KAAM,QAAO,SAAS,KAAK;AAGvE,KAAI,CAAC,OAAO,YAAY,KAAK,SAAU,QAAO,WAAW,KAAK;AAC9D,KAAI,CAAC,OAAO,YAAY,KAAK,SAAU,QAAO,WAAW,KAAK;AAG9D,KAAI,CAAC,OAAO,OAAO,KAAK,IAAK,QAAO,MAAM,KAAK;AAG/C,KAAI,KAAK,KACR,QAAO,OAAO;EAAE,GAAG,KAAK;EAAM,GAAG,OAAO;EAAM;AAG/C,QAAO;;AAGR,SAAS,SAAS,OAAkD;AACnE,QAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,MAAM;;;;;;AAO5E,SAAS,mBAAmB,KAA0C;CACrE,MAAM,SAAqB,EAC1B,IAAI,OAAO,IAAI,OAAO,WAAW,IAAI,KAAK,IAC1C;AACD,KAAI,OAAO,IAAI,aAAa,SAAU,QAAO,WAAW,IAAI;AAC5D,KAAI,OAAO,IAAI,QAAQ,SAAU,QAAO,MAAM,IAAI;AAClD,KAAI,OAAO,IAAI,eAAe,SAAU,QAAO,aAAa,IAAI;AAChE,KAAI,OAAO,IAAI,aAAa,SAAU,QAAO,WAAW,IAAI;AAC5D,KAAI,OAAO,IAAI,aAAa,SAAU,QAAO,WAAW,IAAI;AAC5D,KAAI,OAAO,IAAI,UAAU,SAAU,QAAO,QAAQ,IAAI;AACtD,KAAI,OAAO,IAAI,WAAW,SAAU,QAAO,SAAS,IAAI;AACxD,KAAI,OAAO,IAAI,QAAQ,SAAU,QAAO,MAAM,IAAI;AAClD,KAAI,SAAS,IAAI,KAAK,CAAE,QAAO,OAAO,IAAI;AAC1C,QAAO"}
@@ -1,7 +1,7 @@
1
- import { t as withTransaction } from "./transaction-x2tJQ-A1.mjs";
2
- import { a as hashApiToken, n as VALID_SCOPES, r as generatePrefixedToken, t as TOKEN_PREFIXES } from "./api-tokens-C7ywRx7l.mjs";
3
- import { c as validateRedirectUri, o as lookupOAuthClient, s as validateClientRedirectUri } from "./oauth-clients-BC873NCV.mjs";
4
- import { t as lookupUserRoleAndStatus } from "./oauth-user-lookup-e4wOvDud.mjs";
1
+ import { t as withTransaction } from "./transaction-qfqpPVpu.mjs";
2
+ import { a as hashApiToken, n as VALID_SCOPES, r as generatePrefixedToken, t as TOKEN_PREFIXES } from "./api-tokens-B4BQybOp.mjs";
3
+ import { c as validateRedirectUri, o as lookupOAuthClient, s as validateClientRedirectUri } from "./oauth-clients-C9SYwEbZ.mjs";
4
+ import { t as lookupUserRoleAndStatus } from "./oauth-user-lookup-SHsWRlG9.mjs";
5
5
  import { clampScopes, computeS256Challenge, secureCompare } from "@emdash-cms/auth";
6
6
  import { generateCodeVerifier } from "arctic";
7
7
 
@@ -272,4 +272,4 @@ function buildDeniedRedirect(redirectUri, state) {
272
272
 
273
273
  //#endregion
274
274
  export { handleAuthorizationApproval as n, handleAuthorizationCodeExchange as r, buildDeniedRedirect as t };
275
- //# sourceMappingURL=oauth-authorization-C2kVyjXI.mjs.map
275
+ //# sourceMappingURL=oauth-authorization-CsvzIp_F.mjs.map
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-authorization-C2kVyjXI.mjs","names":[],"sources":["../src/api/handlers/oauth-authorization.ts"],"sourcesContent":["/**\n * OAuth 2.1 Authorization Code + PKCE handlers.\n *\n * Implements the server side of the authorization code grant for MCP clients\n * (Claude Desktop, VS Code, etc.) per the MCP authorization spec (draft).\n *\n * Uses arctic for PKCE challenge generation and @emdash-cms/auth for token\n * utilities. Token infrastructure is shared with the device flow.\n */\n\nimport { clampScopes, computeS256Challenge, secureCompare } from \"@emdash-cms/auth\";\nimport type { RoleLevel } from \"@emdash-cms/auth\";\nimport { generateCodeVerifier } from \"arctic\";\nimport type { Kysely } from \"kysely\";\n\nimport {\n\tgeneratePrefixedToken,\n\thashApiToken,\n\tTOKEN_PREFIXES,\n\tVALID_SCOPES,\n} from \"../../auth/api-tokens.js\";\nimport { withTransaction } from \"../../database/transaction.js\";\nimport type { Database } from \"../../database/types.js\";\nimport { validateRedirectUri } from \"../oauth/redirect-uri.js\";\nimport type { ApiResult } from \"../types.js\";\nimport { lookupOAuthClient, validateClientRedirectUri } from \"./oauth-clients.js\";\nimport { lookupUserRoleAndStatus } from \"./oauth-user-lookup.js\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/** Authorization codes expire after 10 minutes (RFC 6749 §4.1.2 recommends short-lived) */\nconst AUTH_CODE_TTL_SECONDS = 10 * 60;\n\n/** Access token TTL: 1 hour */\nconst ACCESS_TOKEN_TTL_SECONDS = 60 * 60;\n\n/** Refresh token TTL: 90 days */\nconst REFRESH_TOKEN_TTL_SECONDS = 90 * 24 * 60 * 60;\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface AuthorizationParams {\n\tresponse_type: string;\n\tclient_id: string;\n\tredirect_uri: string;\n\tscope?: string;\n\tstate?: string;\n\tcode_challenge: string;\n\tcode_challenge_method: string;\n\tresource?: string;\n}\n\nexport interface TokenExchangeParams {\n\tgrant_type: string;\n\tcode: string;\n\tredirect_uri: string;\n\tclient_id: string;\n\tcode_verifier: string;\n\tresource?: string;\n}\n\nexport interface TokenResponse {\n\taccess_token: string;\n\trefresh_token: string;\n\ttoken_type: \"Bearer\";\n\texpires_in: number;\n\tscope: string;\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\nfunction expiresAt(seconds: number): string {\n\treturn new Date(Date.now() + seconds * 1000).toISOString();\n}\n\nexport { validateRedirectUri };\n\n/**\n * Validate and normalize scopes. Returns validated scope list.\n */\nfunction normalizeScopes(requested?: string): string[] {\n\tif (!requested) return [];\n\n\tconst validSet = new Set<string>(VALID_SCOPES);\n\tconst scopes = requested\n\t\t.split(\" \")\n\t\t.filter(Boolean)\n\t\t.filter((s) => validSet.has(s));\n\n\treturn scopes;\n}\n\n// ---------------------------------------------------------------------------\n// Handlers\n// ---------------------------------------------------------------------------\n\n/**\n * Process an authorization request after the user approves consent.\n *\n * Generates an authorization code, stores it with the PKCE challenge,\n * and returns the redirect URL with the code appended.\n *\n * Scopes are clamped to the user's role to prevent scope escalation.\n */\nexport async function handleAuthorizationApproval(\n\tdb: Kysely<Database>,\n\tuserId: string,\n\tuserRole: RoleLevel,\n\tparams: AuthorizationParams,\n): Promise<ApiResult<{ redirect_url: string }>> {\n\ttry {\n\t\t// Validate response_type\n\t\tif (params.response_type !== \"code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"UNSUPPORTED_RESPONSE_TYPE\",\n\t\t\t\t\tmessage: \"Only response_type=code is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri scheme/host (basic security check)\n\t\tconst uriError = validateRedirectUri(params.redirect_uri);\n\t\tif (uriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: uriError },\n\t\t\t};\n\t\t}\n\n\t\t// Look up the registered OAuth client\n\t\tconst client = await lookupOAuthClient(db, params.client_id);\n\t\tif (!client) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_CLIENT\",\n\t\t\t\t\tmessage: \"Unknown client_id\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri against client's registered URIs\n\t\tconst clientUriError = validateClientRedirectUri(params.redirect_uri, client.redirectUris);\n\t\tif (clientUriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: clientUriError },\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge_method\n\t\tif (params.code_challenge_method !== \"S256\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_REQUEST\",\n\t\t\t\t\tmessage: \"Only S256 code_challenge_method is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge is present\n\t\tif (!params.code_challenge) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REQUEST\", message: \"code_challenge is required\" },\n\t\t\t};\n\t\t}\n\n\t\t// Validate scopes, then clamp to user's role\n\t\tconst userScopes = clampScopes(normalizeScopes(params.scope), userRole);\n\n\t\t// SEC-41: Intersect with client's registered scopes (if restricted).\n\t\t// A client registered with scopes: [\"content:read\"] should never receive\n\t\t// admin or schema:write, regardless of the approving user's role.\n\t\tconst clientScopes = client.scopes;\n\t\tconst scopes = clientScopes?.length\n\t\t\t? userScopes.filter((s: string) => clientScopes.includes(s))\n\t\t\t: userScopes;\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_SCOPE\", message: \"No valid scopes requested\" },\n\t\t\t};\n\t\t}\n\n\t\t// Generate authorization code (high entropy, base64url)\n\t\tconst code = generateCodeVerifier(); // 32 bytes random, base64url\n\t\tconst codeHash = hashApiToken(code);\n\n\t\t// Store the authorization code\n\t\tawait db\n\t\t\t.insertInto(\"_emdash_authorization_codes\")\n\t\t\t.values({\n\t\t\t\tcode_hash: codeHash,\n\t\t\t\tclient_id: params.client_id,\n\t\t\t\tredirect_uri: params.redirect_uri,\n\t\t\t\tuser_id: userId,\n\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\tcode_challenge: params.code_challenge,\n\t\t\t\tcode_challenge_method: params.code_challenge_method,\n\t\t\t\tresource: params.resource ?? null,\n\t\t\t\texpires_at: expiresAt(AUTH_CODE_TTL_SECONDS),\n\t\t\t})\n\t\t\t.execute();\n\n\t\t// Build the redirect URL\n\t\tconst redirectUrl = new URL(params.redirect_uri);\n\t\tredirectUrl.searchParams.set(\"code\", code);\n\t\tif (params.state) {\n\t\t\tredirectUrl.searchParams.set(\"state\", params.state);\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: { redirect_url: redirectUrl.toString() },\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Authorization error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"AUTHORIZATION_ERROR\",\n\t\t\t\tmessage: \"Failed to process authorization\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Exchange an authorization code for access + refresh tokens.\n *\n * Validates the code, verifies PKCE, and issues tokens using the same\n * infrastructure as the device flow (ec_oat_*, ec_ort_*).\n */\nexport async function handleAuthorizationCodeExchange(\n\tdb: Kysely<Database>,\n\tparams: TokenExchangeParams,\n): Promise<ApiResult<TokenResponse>> {\n\ttry {\n\t\t// Validate grant_type\n\t\tif (params.grant_type !== \"authorization_code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"unsupported_grant_type\", message: \"Invalid grant_type\" },\n\t\t\t};\n\t\t}\n\n\t\t// SEC-39: Atomically consume the authorization code using DELETE...RETURNING.\n\t\t// This prevents TOCTOU double-exchange: two concurrent requests with the\n\t\t// same code will race on the DELETE, and only one will get a row back.\n\t\tconst codeHash = hashApiToken(params.code);\n\n\t\tconst row = await db\n\t\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t\t.where(\"code_hash\", \"=\", codeHash)\n\t\t\t.returningAll()\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Invalid authorization code\" },\n\t\t\t};\n\t\t}\n\n\t\t// Check expiry\n\t\tif (new Date(row.expires_at) < new Date()) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Authorization code expired\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify redirect_uri matches exactly\n\t\tif (row.redirect_uri !== params.redirect_uri) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"redirect_uri mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify client_id matches\n\t\tif (row.client_id !== params.client_id) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"client_id mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// PKCE verification: SHA256(code_verifier) must match stored code_challenge\n\t\t// Use constant-time comparison to prevent timing side-channels\n\t\tconst derivedChallenge = computeS256Challenge(params.code_verifier);\n\t\tif (!secureCompare(derivedChallenge, row.code_challenge)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"PKCE verification failed\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify resource matches (if stored)\n\t\tif (row.resource && params.resource && row.resource !== params.resource) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"resource mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Revalidate user role before issuing tokens (same pattern as handleTokenRefresh).\n\t\t// The user's role may have changed since the authorization code was issued.\n\t\tconst userInfo = await lookupUserRoleAndStatus(db, row.user_id);\n\t\tif (!userInfo) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User not found\" },\n\t\t\t};\n\t\t}\n\n\t\tif (userInfo.disabled) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User account is disabled\" },\n\t\t\t};\n\t\t}\n\n\t\t// Re-clamp scopes against the user's current role\n\t\tconst storedScopes = JSON.parse(row.scopes) as string[];\n\t\tlet scopes = clampScopes(storedScopes, userInfo.role);\n\n\t\t// Intersect with client's registered scopes (if restricted)\n\t\tconst client = await lookupOAuthClient(db, row.client_id);\n\t\tif (client?.scopes?.length) {\n\t\t\tscopes = scopes.filter((s: string) => client.scopes!.includes(s));\n\t\t}\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"invalid_grant\",\n\t\t\t\t\tmessage: \"User role no longer supports any of the requested scopes\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Issue tokens (same as device flow)\n\t\tconst accessToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_ACCESS);\n\t\tconst accessExpires = expiresAt(ACCESS_TOKEN_TTL_SECONDS);\n\n\t\tconst refreshToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_REFRESH);\n\t\tconst refreshExpires = expiresAt(REFRESH_TOKEN_TTL_SECONDS);\n\n\t\t// Atomically store both tokens in a transaction\n\t\tawait withTransaction(db, async (trx) => {\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: accessToken.hash,\n\t\t\t\t\ttoken_type: \"access\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: accessExpires,\n\t\t\t\t\trefresh_token_hash: refreshToken.hash,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: refreshToken.hash,\n\t\t\t\t\ttoken_type: \"refresh\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: refreshExpires,\n\t\t\t\t\trefresh_token_hash: null,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\t\t});\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\taccess_token: accessToken.raw,\n\t\t\t\trefresh_token: refreshToken.raw,\n\t\t\t\ttoken_type: \"Bearer\",\n\t\t\t\texpires_in: ACCESS_TOKEN_TTL_SECONDS,\n\t\t\t\tscope: scopes.join(\" \"),\n\t\t\t},\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Token exchange error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"TOKEN_EXCHANGE_ERROR\",\n\t\t\t\tmessage: \"Failed to exchange authorization code\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Build the authorization denied redirect URL.\n */\nexport function buildDeniedRedirect(redirectUri: string, state?: string): string {\n\tconst url = new URL(redirectUri);\n\turl.searchParams.set(\"error\", \"access_denied\");\n\turl.searchParams.set(\"error_description\", \"The user denied the authorization request\");\n\tif (state) {\n\t\turl.searchParams.set(\"state\", state);\n\t}\n\treturn url.toString();\n}\n\n/**\n * Clean up expired authorization codes.\n */\nexport async function cleanupExpiredAuthorizationCodes(db: Kysely<Database>): Promise<number> {\n\tconst result = await db\n\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t.where(\"expires_at\", \"<\", new Date().toISOString())\n\t\t.executeTakeFirst();\n\n\treturn Number(result.numDeletedRows);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAiCA,MAAM,wBAAwB;;AAG9B,MAAM,2BAA2B;;AAGjC,MAAM,4BAA4B,OAAU,KAAK;AAsCjD,SAAS,UAAU,SAAyB;AAC3C,QAAO,IAAI,KAAK,KAAK,KAAK,GAAG,UAAU,IAAK,CAAC,aAAa;;;;;AAQ3D,SAAS,gBAAgB,WAA8B;AACtD,KAAI,CAAC,UAAW,QAAO,EAAE;CAEzB,MAAM,WAAW,IAAI,IAAY,aAAa;AAM9C,QALe,UACb,MAAM,IAAI,CACV,OAAO,QAAQ,CACf,QAAQ,MAAM,SAAS,IAAI,EAAE,CAAC;;;;;;;;;;AAiBjC,eAAsB,4BACrB,IACA,QACA,UACA,QAC+C;AAC/C,KAAI;AAEH,MAAI,OAAO,kBAAkB,OAC5B,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,WAAW,oBAAoB,OAAO,aAAa;AACzD,MAAI,SACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAU;GAC1D;EAIF,MAAM,SAAS,MAAM,kBAAkB,IAAI,OAAO,UAAU;AAC5D,MAAI,CAAC,OACJ,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,iBAAiB,0BAA0B,OAAO,cAAc,OAAO,aAAa;AAC1F,MAAI,eACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAgB;GAChE;AAIF,MAAI,OAAO,0BAA0B,OACpC,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAIF,MAAI,CAAC,OAAO,eACX,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAmB,SAAS;IAA8B;GACzE;EAIF,MAAM,aAAa,YAAY,gBAAgB,OAAO,MAAM,EAAE,SAAS;EAKvE,MAAM,eAAe,OAAO;EAC5B,MAAM,SAAS,cAAc,SAC1B,WAAW,QAAQ,MAAc,aAAa,SAAS,EAAE,CAAC,GAC1D;AAEH,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA6B;GACtE;EAIF,MAAM,OAAO,sBAAsB;EACnC,MAAM,WAAW,aAAa,KAAK;AAGnC,QAAM,GACJ,WAAW,8BAA8B,CACzC,OAAO;GACP,WAAW;GACX,WAAW,OAAO;GAClB,cAAc,OAAO;GACrB,SAAS;GACT,QAAQ,KAAK,UAAU,OAAO;GAC9B,gBAAgB,OAAO;GACvB,uBAAuB,OAAO;GAC9B,UAAU,OAAO,YAAY;GAC7B,YAAY,UAAU,sBAAsB;GAC5C,CAAC,CACD,SAAS;EAGX,MAAM,cAAc,IAAI,IAAI,OAAO,aAAa;AAChD,cAAY,aAAa,IAAI,QAAQ,KAAK;AAC1C,MAAI,OAAO,MACV,aAAY,aAAa,IAAI,SAAS,OAAO,MAAM;AAGpD,SAAO;GACN,SAAS;GACT,MAAM,EAAE,cAAc,YAAY,UAAU,EAAE;GAC9C;UACO,OAAO;AACf,UAAQ,MAAM,wBAAwB,MAAM;AAC5C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;;;;AAUH,eAAsB,gCACrB,IACA,QACoC;AACpC,KAAI;AAEH,MAAI,OAAO,eAAe,qBACzB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAA0B,SAAS;IAAsB;GACxE;EAMF,MAAM,WAAW,aAAa,OAAO,KAAK;EAE1C,MAAM,MAAM,MAAM,GAChB,WAAW,8BAA8B,CACzC,MAAM,aAAa,KAAK,SAAS,CACjC,cAAc,CACd,kBAAkB;AAEpB,MAAI,CAAC,IACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,KAAK,IAAI,WAAW,mBAAG,IAAI,MAAM,CACxC,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,iBAAiB,OAAO,aAC/B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAyB;GAClE;AAIF,MAAI,IAAI,cAAc,OAAO,UAC5B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAsB;GAC/D;AAMF,MAAI,CAAC,cADoB,qBAAqB,OAAO,cAAc,EAC9B,IAAI,eAAe,CACvD,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;AAIF,MAAI,IAAI,YAAY,OAAO,YAAY,IAAI,aAAa,OAAO,SAC9D,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAqB;GAC9D;EAKF,MAAM,WAAW,MAAM,wBAAwB,IAAI,IAAI,QAAQ;AAC/D,MAAI,CAAC,SACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAkB;GAC3D;AAGF,MAAI,SAAS,SACZ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;EAKF,IAAI,SAAS,YADQ,KAAK,MAAM,IAAI,OAAO,EACJ,SAAS,KAAK;EAGrD,MAAM,SAAS,MAAM,kBAAkB,IAAI,IAAI,UAAU;AACzD,MAAI,QAAQ,QAAQ,OACnB,UAAS,OAAO,QAAQ,MAAc,OAAO,OAAQ,SAAS,EAAE,CAAC;AAGlE,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,cAAc,sBAAsB,eAAe,aAAa;EACtE,MAAM,gBAAgB,UAAU,yBAAyB;EAEzD,MAAM,eAAe,sBAAsB,eAAe,cAAc;EACxE,MAAM,iBAAiB,UAAU,0BAA0B;AAG3D,QAAM,gBAAgB,IAAI,OAAO,QAAQ;AACxC,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,YAAY;IACxB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB,aAAa;IACjC,WAAW,IAAI;IACf,CAAC,CACD,SAAS;AAEX,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,aAAa;IACzB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB;IACpB,WAAW,IAAI;IACf,CAAC,CACD,SAAS;IACV;AAEF,SAAO;GACN,SAAS;GACT,MAAM;IACL,cAAc,YAAY;IAC1B,eAAe,aAAa;IAC5B,YAAY;IACZ,YAAY;IACZ,OAAO,OAAO,KAAK,IAAI;IACvB;GACD;UACO,OAAO;AACf,UAAQ,MAAM,yBAAyB,MAAM;AAC7C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,SAAgB,oBAAoB,aAAqB,OAAwB;CAChF,MAAM,MAAM,IAAI,IAAI,YAAY;AAChC,KAAI,aAAa,IAAI,SAAS,gBAAgB;AAC9C,KAAI,aAAa,IAAI,qBAAqB,4CAA4C;AACtF,KAAI,MACH,KAAI,aAAa,IAAI,SAAS,MAAM;AAErC,QAAO,IAAI,UAAU"}
1
+ {"version":3,"file":"oauth-authorization-CsvzIp_F.mjs","names":[],"sources":["../src/api/handlers/oauth-authorization.ts"],"sourcesContent":["/**\n * OAuth 2.1 Authorization Code + PKCE handlers.\n *\n * Implements the server side of the authorization code grant for MCP clients\n * (Claude Desktop, VS Code, etc.) per the MCP authorization spec (draft).\n *\n * Uses arctic for PKCE challenge generation and @emdash-cms/auth for token\n * utilities. Token infrastructure is shared with the device flow.\n */\n\nimport { clampScopes, computeS256Challenge, secureCompare } from \"@emdash-cms/auth\";\nimport type { RoleLevel } from \"@emdash-cms/auth\";\nimport { generateCodeVerifier } from \"arctic\";\nimport type { Kysely } from \"kysely\";\n\nimport {\n\tgeneratePrefixedToken,\n\thashApiToken,\n\tTOKEN_PREFIXES,\n\tVALID_SCOPES,\n} from \"../../auth/api-tokens.js\";\nimport { withTransaction } from \"../../database/transaction.js\";\nimport type { Database } from \"../../database/types.js\";\nimport { validateRedirectUri } from \"../oauth/redirect-uri.js\";\nimport type { ApiResult } from \"../types.js\";\nimport { lookupOAuthClient, validateClientRedirectUri } from \"./oauth-clients.js\";\nimport { lookupUserRoleAndStatus } from \"./oauth-user-lookup.js\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/** Authorization codes expire after 10 minutes (RFC 6749 §4.1.2 recommends short-lived) */\nconst AUTH_CODE_TTL_SECONDS = 10 * 60;\n\n/** Access token TTL: 1 hour */\nconst ACCESS_TOKEN_TTL_SECONDS = 60 * 60;\n\n/** Refresh token TTL: 90 days */\nconst REFRESH_TOKEN_TTL_SECONDS = 90 * 24 * 60 * 60;\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface AuthorizationParams {\n\tresponse_type: string;\n\tclient_id: string;\n\tredirect_uri: string;\n\tscope?: string;\n\tstate?: string;\n\tcode_challenge: string;\n\tcode_challenge_method: string;\n\tresource?: string;\n}\n\nexport interface TokenExchangeParams {\n\tgrant_type: string;\n\tcode: string;\n\tredirect_uri: string;\n\tclient_id: string;\n\tcode_verifier: string;\n\tresource?: string;\n}\n\nexport interface TokenResponse {\n\taccess_token: string;\n\trefresh_token: string;\n\ttoken_type: \"Bearer\";\n\texpires_in: number;\n\tscope: string;\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\nfunction expiresAt(seconds: number): string {\n\treturn new Date(Date.now() + seconds * 1000).toISOString();\n}\n\nexport { validateRedirectUri };\n\n/**\n * Validate and normalize scopes. Returns validated scope list.\n */\nfunction normalizeScopes(requested?: string): string[] {\n\tif (!requested) return [];\n\n\tconst validSet = new Set<string>(VALID_SCOPES);\n\tconst scopes = requested\n\t\t.split(\" \")\n\t\t.filter(Boolean)\n\t\t.filter((s) => validSet.has(s));\n\n\treturn scopes;\n}\n\n// ---------------------------------------------------------------------------\n// Handlers\n// ---------------------------------------------------------------------------\n\n/**\n * Process an authorization request after the user approves consent.\n *\n * Generates an authorization code, stores it with the PKCE challenge,\n * and returns the redirect URL with the code appended.\n *\n * Scopes are clamped to the user's role to prevent scope escalation.\n */\nexport async function handleAuthorizationApproval(\n\tdb: Kysely<Database>,\n\tuserId: string,\n\tuserRole: RoleLevel,\n\tparams: AuthorizationParams,\n): Promise<ApiResult<{ redirect_url: string }>> {\n\ttry {\n\t\t// Validate response_type\n\t\tif (params.response_type !== \"code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"UNSUPPORTED_RESPONSE_TYPE\",\n\t\t\t\t\tmessage: \"Only response_type=code is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri scheme/host (basic security check)\n\t\tconst uriError = validateRedirectUri(params.redirect_uri);\n\t\tif (uriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: uriError },\n\t\t\t};\n\t\t}\n\n\t\t// Look up the registered OAuth client\n\t\tconst client = await lookupOAuthClient(db, params.client_id);\n\t\tif (!client) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_CLIENT\",\n\t\t\t\t\tmessage: \"Unknown client_id\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate redirect_uri against client's registered URIs\n\t\tconst clientUriError = validateClientRedirectUri(params.redirect_uri, client.redirectUris);\n\t\tif (clientUriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REDIRECT_URI\", message: clientUriError },\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge_method\n\t\tif (params.code_challenge_method !== \"S256\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"INVALID_REQUEST\",\n\t\t\t\t\tmessage: \"Only S256 code_challenge_method is supported\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Validate code_challenge is present\n\t\tif (!params.code_challenge) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_REQUEST\", message: \"code_challenge is required\" },\n\t\t\t};\n\t\t}\n\n\t\t// Validate scopes, then clamp to user's role\n\t\tconst userScopes = clampScopes(normalizeScopes(params.scope), userRole);\n\n\t\t// SEC-41: Intersect with client's registered scopes (if restricted).\n\t\t// A client registered with scopes: [\"content:read\"] should never receive\n\t\t// admin or schema:write, regardless of the approving user's role.\n\t\tconst clientScopes = client.scopes;\n\t\tconst scopes = clientScopes?.length\n\t\t\t? userScopes.filter((s: string) => clientScopes.includes(s))\n\t\t\t: userScopes;\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"INVALID_SCOPE\", message: \"No valid scopes requested\" },\n\t\t\t};\n\t\t}\n\n\t\t// Generate authorization code (high entropy, base64url)\n\t\tconst code = generateCodeVerifier(); // 32 bytes random, base64url\n\t\tconst codeHash = hashApiToken(code);\n\n\t\t// Store the authorization code\n\t\tawait db\n\t\t\t.insertInto(\"_emdash_authorization_codes\")\n\t\t\t.values({\n\t\t\t\tcode_hash: codeHash,\n\t\t\t\tclient_id: params.client_id,\n\t\t\t\tredirect_uri: params.redirect_uri,\n\t\t\t\tuser_id: userId,\n\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\tcode_challenge: params.code_challenge,\n\t\t\t\tcode_challenge_method: params.code_challenge_method,\n\t\t\t\tresource: params.resource ?? null,\n\t\t\t\texpires_at: expiresAt(AUTH_CODE_TTL_SECONDS),\n\t\t\t})\n\t\t\t.execute();\n\n\t\t// Build the redirect URL\n\t\tconst redirectUrl = new URL(params.redirect_uri);\n\t\tredirectUrl.searchParams.set(\"code\", code);\n\t\tif (params.state) {\n\t\t\tredirectUrl.searchParams.set(\"state\", params.state);\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: { redirect_url: redirectUrl.toString() },\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Authorization error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"AUTHORIZATION_ERROR\",\n\t\t\t\tmessage: \"Failed to process authorization\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Exchange an authorization code for access + refresh tokens.\n *\n * Validates the code, verifies PKCE, and issues tokens using the same\n * infrastructure as the device flow (ec_oat_*, ec_ort_*).\n */\nexport async function handleAuthorizationCodeExchange(\n\tdb: Kysely<Database>,\n\tparams: TokenExchangeParams,\n): Promise<ApiResult<TokenResponse>> {\n\ttry {\n\t\t// Validate grant_type\n\t\tif (params.grant_type !== \"authorization_code\") {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"unsupported_grant_type\", message: \"Invalid grant_type\" },\n\t\t\t};\n\t\t}\n\n\t\t// SEC-39: Atomically consume the authorization code using DELETE...RETURNING.\n\t\t// This prevents TOCTOU double-exchange: two concurrent requests with the\n\t\t// same code will race on the DELETE, and only one will get a row back.\n\t\tconst codeHash = hashApiToken(params.code);\n\n\t\tconst row = await db\n\t\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t\t.where(\"code_hash\", \"=\", codeHash)\n\t\t\t.returningAll()\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Invalid authorization code\" },\n\t\t\t};\n\t\t}\n\n\t\t// Check expiry\n\t\tif (new Date(row.expires_at) < new Date()) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"Authorization code expired\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify redirect_uri matches exactly\n\t\tif (row.redirect_uri !== params.redirect_uri) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"redirect_uri mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify client_id matches\n\t\tif (row.client_id !== params.client_id) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"client_id mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// PKCE verification: SHA256(code_verifier) must match stored code_challenge\n\t\t// Use constant-time comparison to prevent timing side-channels\n\t\tconst derivedChallenge = computeS256Challenge(params.code_verifier);\n\t\tif (!secureCompare(derivedChallenge, row.code_challenge)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"PKCE verification failed\" },\n\t\t\t};\n\t\t}\n\n\t\t// Verify resource matches (if stored)\n\t\tif (row.resource && params.resource && row.resource !== params.resource) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"resource mismatch\" },\n\t\t\t};\n\t\t}\n\n\t\t// Revalidate user role before issuing tokens (same pattern as handleTokenRefresh).\n\t\t// The user's role may have changed since the authorization code was issued.\n\t\tconst userInfo = await lookupUserRoleAndStatus(db, row.user_id);\n\t\tif (!userInfo) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User not found\" },\n\t\t\t};\n\t\t}\n\n\t\tif (userInfo.disabled) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"invalid_grant\", message: \"User account is disabled\" },\n\t\t\t};\n\t\t}\n\n\t\t// Re-clamp scopes against the user's current role\n\t\tconst storedScopes = JSON.parse(row.scopes) as string[];\n\t\tlet scopes = clampScopes(storedScopes, userInfo.role);\n\n\t\t// Intersect with client's registered scopes (if restricted)\n\t\tconst client = await lookupOAuthClient(db, row.client_id);\n\t\tif (client?.scopes?.length) {\n\t\t\tscopes = scopes.filter((s: string) => client.scopes!.includes(s));\n\t\t}\n\n\t\tif (scopes.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"invalid_grant\",\n\t\t\t\t\tmessage: \"User role no longer supports any of the requested scopes\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Issue tokens (same as device flow)\n\t\tconst accessToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_ACCESS);\n\t\tconst accessExpires = expiresAt(ACCESS_TOKEN_TTL_SECONDS);\n\n\t\tconst refreshToken = generatePrefixedToken(TOKEN_PREFIXES.OAUTH_REFRESH);\n\t\tconst refreshExpires = expiresAt(REFRESH_TOKEN_TTL_SECONDS);\n\n\t\t// Atomically store both tokens in a transaction\n\t\tawait withTransaction(db, async (trx) => {\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: accessToken.hash,\n\t\t\t\t\ttoken_type: \"access\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: accessExpires,\n\t\t\t\t\trefresh_token_hash: refreshToken.hash,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\n\t\t\tawait trx\n\t\t\t\t.insertInto(\"_emdash_oauth_tokens\")\n\t\t\t\t.values({\n\t\t\t\t\ttoken_hash: refreshToken.hash,\n\t\t\t\t\ttoken_type: \"refresh\",\n\t\t\t\t\tuser_id: row.user_id,\n\t\t\t\t\tscopes: JSON.stringify(scopes),\n\t\t\t\t\tclient_type: \"mcp\",\n\t\t\t\t\texpires_at: refreshExpires,\n\t\t\t\t\trefresh_token_hash: null,\n\t\t\t\t\tclient_id: row.client_id,\n\t\t\t\t})\n\t\t\t\t.execute();\n\t\t});\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\taccess_token: accessToken.raw,\n\t\t\t\trefresh_token: refreshToken.raw,\n\t\t\t\ttoken_type: \"Bearer\",\n\t\t\t\texpires_in: ACCESS_TOKEN_TTL_SECONDS,\n\t\t\t\tscope: scopes.join(\" \"),\n\t\t\t},\n\t\t};\n\t} catch (error) {\n\t\tconsole.error(\"Token exchange error:\", error);\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"TOKEN_EXCHANGE_ERROR\",\n\t\t\t\tmessage: \"Failed to exchange authorization code\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Build the authorization denied redirect URL.\n */\nexport function buildDeniedRedirect(redirectUri: string, state?: string): string {\n\tconst url = new URL(redirectUri);\n\turl.searchParams.set(\"error\", \"access_denied\");\n\turl.searchParams.set(\"error_description\", \"The user denied the authorization request\");\n\tif (state) {\n\t\turl.searchParams.set(\"state\", state);\n\t}\n\treturn url.toString();\n}\n\n/**\n * Clean up expired authorization codes.\n */\nexport async function cleanupExpiredAuthorizationCodes(db: Kysely<Database>): Promise<number> {\n\tconst result = await db\n\t\t.deleteFrom(\"_emdash_authorization_codes\")\n\t\t.where(\"expires_at\", \"<\", new Date().toISOString())\n\t\t.executeTakeFirst();\n\n\treturn Number(result.numDeletedRows);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAiCA,MAAM,wBAAwB;;AAG9B,MAAM,2BAA2B;;AAGjC,MAAM,4BAA4B,OAAU,KAAK;AAsCjD,SAAS,UAAU,SAAyB;AAC3C,QAAO,IAAI,KAAK,KAAK,KAAK,GAAG,UAAU,IAAK,CAAC,aAAa;;;;;AAQ3D,SAAS,gBAAgB,WAA8B;AACtD,KAAI,CAAC,UAAW,QAAO,EAAE;CAEzB,MAAM,WAAW,IAAI,IAAY,aAAa;AAM9C,QALe,UACb,MAAM,IAAI,CACV,OAAO,QAAQ,CACf,QAAQ,MAAM,SAAS,IAAI,EAAE,CAAC;;;;;;;;;;AAiBjC,eAAsB,4BACrB,IACA,QACA,UACA,QAC+C;AAC/C,KAAI;AAEH,MAAI,OAAO,kBAAkB,OAC5B,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,WAAW,oBAAoB,OAAO,aAAa;AACzD,MAAI,SACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAU;GAC1D;EAIF,MAAM,SAAS,MAAM,kBAAkB,IAAI,OAAO,UAAU;AAC5D,MAAI,CAAC,OACJ,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,iBAAiB,0BAA0B,OAAO,cAAc,OAAO,aAAa;AAC1F,MAAI,eACH,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAwB,SAAS;IAAgB;GAChE;AAIF,MAAI,OAAO,0BAA0B,OACpC,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAIF,MAAI,CAAC,OAAO,eACX,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAmB,SAAS;IAA8B;GACzE;EAIF,MAAM,aAAa,YAAY,gBAAgB,OAAO,MAAM,EAAE,SAAS;EAKvE,MAAM,eAAe,OAAO;EAC5B,MAAM,SAAS,cAAc,SAC1B,WAAW,QAAQ,MAAc,aAAa,SAAS,EAAE,CAAC,GAC1D;AAEH,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA6B;GACtE;EAIF,MAAM,OAAO,sBAAsB;EACnC,MAAM,WAAW,aAAa,KAAK;AAGnC,QAAM,GACJ,WAAW,8BAA8B,CACzC,OAAO;GACP,WAAW;GACX,WAAW,OAAO;GAClB,cAAc,OAAO;GACrB,SAAS;GACT,QAAQ,KAAK,UAAU,OAAO;GAC9B,gBAAgB,OAAO;GACvB,uBAAuB,OAAO;GAC9B,UAAU,OAAO,YAAY;GAC7B,YAAY,UAAU,sBAAsB;GAC5C,CAAC,CACD,SAAS;EAGX,MAAM,cAAc,IAAI,IAAI,OAAO,aAAa;AAChD,cAAY,aAAa,IAAI,QAAQ,KAAK;AAC1C,MAAI,OAAO,MACV,aAAY,aAAa,IAAI,SAAS,OAAO,MAAM;AAGpD,SAAO;GACN,SAAS;GACT,MAAM,EAAE,cAAc,YAAY,UAAU,EAAE;GAC9C;UACO,OAAO;AACf,UAAQ,MAAM,wBAAwB,MAAM;AAC5C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;;;;AAUH,eAAsB,gCACrB,IACA,QACoC;AACpC,KAAI;AAEH,MAAI,OAAO,eAAe,qBACzB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAA0B,SAAS;IAAsB;GACxE;EAMF,MAAM,WAAW,aAAa,OAAO,KAAK;EAE1C,MAAM,MAAM,MAAM,GAChB,WAAW,8BAA8B,CACzC,MAAM,aAAa,KAAK,SAAS,CACjC,cAAc,CACd,kBAAkB;AAEpB,MAAI,CAAC,IACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,KAAK,IAAI,WAAW,mBAAG,IAAI,MAAM,CACxC,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA8B;GACvE;AAIF,MAAI,IAAI,iBAAiB,OAAO,aAC/B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAyB;GAClE;AAIF,MAAI,IAAI,cAAc,OAAO,UAC5B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAsB;GAC/D;AAMF,MAAI,CAAC,cADoB,qBAAqB,OAAO,cAAc,EAC9B,IAAI,eAAe,CACvD,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;AAIF,MAAI,IAAI,YAAY,OAAO,YAAY,IAAI,aAAa,OAAO,SAC9D,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAqB;GAC9D;EAKF,MAAM,WAAW,MAAM,wBAAwB,IAAI,IAAI,QAAQ;AAC/D,MAAI,CAAC,SACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAAkB;GAC3D;AAGF,MAAI,SAAS,SACZ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAiB,SAAS;IAA4B;GACrE;EAKF,IAAI,SAAS,YADQ,KAAK,MAAM,IAAI,OAAO,EACJ,SAAS,KAAK;EAGrD,MAAM,SAAS,MAAM,kBAAkB,IAAI,IAAI,UAAU;AACzD,MAAI,QAAQ,QAAQ,OACnB,UAAS,OAAO,QAAQ,MAAc,OAAO,OAAQ,SAAS,EAAE,CAAC;AAGlE,MAAI,OAAO,WAAW,EACrB,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAIF,MAAM,cAAc,sBAAsB,eAAe,aAAa;EACtE,MAAM,gBAAgB,UAAU,yBAAyB;EAEzD,MAAM,eAAe,sBAAsB,eAAe,cAAc;EACxE,MAAM,iBAAiB,UAAU,0BAA0B;AAG3D,QAAM,gBAAgB,IAAI,OAAO,QAAQ;AACxC,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,YAAY;IACxB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB,aAAa;IACjC,WAAW,IAAI;IACf,CAAC,CACD,SAAS;AAEX,SAAM,IACJ,WAAW,uBAAuB,CAClC,OAAO;IACP,YAAY,aAAa;IACzB,YAAY;IACZ,SAAS,IAAI;IACb,QAAQ,KAAK,UAAU,OAAO;IAC9B,aAAa;IACb,YAAY;IACZ,oBAAoB;IACpB,WAAW,IAAI;IACf,CAAC,CACD,SAAS;IACV;AAEF,SAAO;GACN,SAAS;GACT,MAAM;IACL,cAAc,YAAY;IAC1B,eAAe,aAAa;IAC5B,YAAY;IACZ,YAAY;IACZ,OAAO,OAAO,KAAK,IAAI;IACvB;GACD;UACO,OAAO;AACf,UAAQ,MAAM,yBAAyB,MAAM;AAC7C,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,SAAgB,oBAAoB,aAAqB,OAAwB;CAChF,MAAM,MAAM,IAAI,IAAI,YAAY;AAChC,KAAI,aAAa,IAAI,SAAS,gBAAgB;AAC9C,KAAI,aAAa,IAAI,qBAAqB,4CAA4C;AACtF,KAAI,MACH,KAAI,aAAa,IAAI,SAAS,MAAM;AAErC,QAAO,IAAI,UAAU"}
@@ -263,4 +263,4 @@ function validateClientRedirectUri(redirectUri, allowedUris) {
263
263
 
264
264
  //#endregion
265
265
  export { handleOAuthClientUpdate as a, validateRedirectUri as c, handleOAuthClientList as i, handleOAuthClientDelete as n, lookupOAuthClient as o, handleOAuthClientGet as r, validateClientRedirectUri as s, handleOAuthClientCreate as t };
266
- //# sourceMappingURL=oauth-clients-BC873NCV.mjs.map
266
+ //# sourceMappingURL=oauth-clients-C9SYwEbZ.mjs.map
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-clients-BC873NCV.mjs","names":[],"sources":["../src/api/oauth/redirect-uri.ts","../src/api/handlers/oauth-clients.ts"],"sourcesContent":["/**\n * Validate a redirect URI per OAuth 2.1 security requirements.\n *\n * Allows localhost / loopback redirect URIs over HTTP for native clients,\n * and any HTTPS URL for web-based flows.\n */\nexport function validateRedirectUri(uri: string): string | null {\n\ttry {\n\t\tconst url = new URL(uri);\n\n\t\t// Reject protocol-relative URLs\n\t\tif (uri.startsWith(\"//\")) {\n\t\t\treturn \"Protocol-relative redirect URIs are not allowed\";\n\t\t}\n\n\t\t// Allow localhost/loopback over HTTP (for desktop MCP clients)\n\t\tif (url.protocol === \"http:\") {\n\t\t\tconst host = url.hostname;\n\t\t\tif (host === \"127.0.0.1\" || host === \"localhost\" || host === \"[::1]\") {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\treturn \"HTTP redirect URIs are only allowed for localhost\";\n\t\t}\n\n\t\t// Allow HTTPS\n\t\tif (url.protocol === \"https:\") {\n\t\t\treturn null;\n\t\t}\n\n\t\treturn `Unsupported redirect URI scheme: ${url.protocol}`;\n\t} catch {\n\t\treturn \"Invalid redirect URI\";\n\t}\n}\n","/**\n * OAuth client management handlers.\n *\n * CRUD operations for registered OAuth clients. Each client has a set\n * of pre-registered redirect URIs. The authorization endpoint rejects\n * any redirect_uri not in the client's registered set.\n */\n\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../../database/types.js\";\nimport { validateRedirectUri } from \"../oauth/redirect-uri.js\";\nimport type { ApiResult } from \"../types.js\";\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\n/** Parse a JSON string column into a typed value. */\nfunction parseJsonColumn<T>(value: string): T {\n\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns unknown, callers provide the expected shape\n\treturn JSON.parse(value) as T;\n}\n\nfunction validateRegisteredRedirectUris(redirectUris: string[]): string | null {\n\tfor (const redirectUri of redirectUris) {\n\t\tconst error = validateRedirectUri(redirectUri);\n\t\tif (error) {\n\t\t\treturn `Invalid redirect URI: ${error}`;\n\t\t}\n\t}\n\treturn null;\n}\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface OAuthClientInfo {\n\tid: string;\n\tname: string;\n\tredirectUris: string[];\n\tscopes: string[] | null;\n\tcreatedAt: string;\n\tupdatedAt: string;\n}\n\n// ---------------------------------------------------------------------------\n// Handlers\n// ---------------------------------------------------------------------------\n\n/**\n * Create a new OAuth client.\n */\nexport async function handleOAuthClientCreate(\n\tdb: Kysely<Database>,\n\tinput: {\n\t\tid: string;\n\t\tname: string;\n\t\tredirectUris: string[];\n\t\tscopes?: string[] | null;\n\t},\n): Promise<ApiResult<OAuthClientInfo>> {\n\ttry {\n\t\tif (input.redirectUris.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\tmessage: \"At least one redirect URI is required\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tconst redirectUriError = validateRegisteredRedirectUris(input.redirectUris);\n\t\tif (redirectUriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\tmessage: redirectUriError,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Check for duplicate client ID\n\t\tconst existing = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.select(\"id\")\n\t\t\t.where(\"id\", \"=\", input.id)\n\t\t\t.executeTakeFirst();\n\n\t\tif (existing) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"CONFLICT\", message: \"OAuth client with this ID already exists\" },\n\t\t\t};\n\t\t}\n\n\t\tconst now = new Date().toISOString();\n\n\t\tawait db\n\t\t\t.insertInto(\"_emdash_oauth_clients\")\n\t\t\t.values({\n\t\t\t\tid: input.id,\n\t\t\t\tname: input.name,\n\t\t\t\tredirect_uris: JSON.stringify(input.redirectUris),\n\t\t\t\tscopes: input.scopes && input.scopes.length > 0 ? JSON.stringify(input.scopes) : null,\n\t\t\t})\n\t\t\t.execute();\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tid: input.id,\n\t\t\t\tname: input.name,\n\t\t\t\tredirectUris: input.redirectUris,\n\t\t\t\tscopes: input.scopes && input.scopes.length > 0 ? input.scopes : null,\n\t\t\t\tcreatedAt: now,\n\t\t\t\tupdatedAt: now,\n\t\t\t},\n\t\t};\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_CREATE_ERROR\",\n\t\t\t\tmessage: \"Failed to create OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * List all registered OAuth clients.\n */\nexport async function handleOAuthClientList(\n\tdb: Kysely<Database>,\n): Promise<ApiResult<{ items: OAuthClientInfo[] }>> {\n\ttry {\n\t\tconst rows = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.orderBy(\"created_at\", \"desc\")\n\t\t\t.execute();\n\n\t\tconst items: OAuthClientInfo[] = rows.map((row) => ({\n\t\t\tid: row.id,\n\t\t\tname: row.name,\n\t\t\tredirectUris: parseJsonColumn<string[]>(row.redirect_uris),\n\t\t\tscopes: row.scopes ? parseJsonColumn<string[]>(row.scopes) : null,\n\t\t\tcreatedAt: row.created_at,\n\t\t\tupdatedAt: row.updated_at,\n\t\t}));\n\n\t\treturn { success: true, data: { items } };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_LIST_ERROR\",\n\t\t\t\tmessage: \"Failed to list OAuth clients\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Get a single OAuth client by ID.\n */\nexport async function handleOAuthClientGet(\n\tdb: Kysely<Database>,\n\tclientId: string,\n): Promise<ApiResult<OAuthClientInfo>> {\n\ttry {\n\t\tconst row = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found\" },\n\t\t\t};\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tid: row.id,\n\t\t\t\tname: row.name,\n\t\t\t\tredirectUris: parseJsonColumn<string[]>(row.redirect_uris),\n\t\t\t\tscopes: row.scopes ? parseJsonColumn<string[]>(row.scopes) : null,\n\t\t\t\tcreatedAt: row.created_at,\n\t\t\t\tupdatedAt: row.updated_at,\n\t\t\t},\n\t\t};\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_GET_ERROR\",\n\t\t\t\tmessage: \"Failed to get OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Update an OAuth client.\n */\nexport async function handleOAuthClientUpdate(\n\tdb: Kysely<Database>,\n\tclientId: string,\n\tinput: {\n\t\tname?: string;\n\t\tredirectUris?: string[];\n\t\tscopes?: string[] | null;\n\t},\n): Promise<ApiResult<OAuthClientInfo>> {\n\ttry {\n\t\tconst existing = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!existing) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found\" },\n\t\t\t};\n\t\t}\n\n\t\tif (input.redirectUris !== undefined && input.redirectUris.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\tmessage: \"At least one redirect URI is required\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tif (input.redirectUris !== undefined) {\n\t\t\tconst redirectUriError = validateRegisteredRedirectUris(input.redirectUris);\n\t\t\tif (redirectUriError) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: {\n\t\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\t\tmessage: redirectUriError,\n\t\t\t\t\t},\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\n\t\tconst updates: Record<string, string | null> = {\n\t\t\tupdated_at: new Date().toISOString(),\n\t\t};\n\n\t\tif (input.name !== undefined) {\n\t\t\tupdates.name = input.name;\n\t\t}\n\t\tif (input.redirectUris !== undefined) {\n\t\t\tupdates.redirect_uris = JSON.stringify(input.redirectUris);\n\t\t}\n\t\tif (input.scopes !== undefined) {\n\t\t\tupdates.scopes =\n\t\t\t\tinput.scopes && input.scopes.length > 0 ? JSON.stringify(input.scopes) : null;\n\t\t}\n\n\t\tawait db.updateTable(\"_emdash_oauth_clients\").set(updates).where(\"id\", \"=\", clientId).execute();\n\n\t\t// Fetch the updated row\n\t\tconst updated = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!updated) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found after update\" },\n\t\t\t};\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tid: updated.id,\n\t\t\t\tname: updated.name,\n\t\t\t\tredirectUris: parseJsonColumn<string[]>(updated.redirect_uris),\n\t\t\t\tscopes: updated.scopes ? parseJsonColumn<string[]>(updated.scopes) : null,\n\t\t\t\tcreatedAt: updated.created_at,\n\t\t\t\tupdatedAt: updated.updated_at,\n\t\t\t},\n\t\t};\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_UPDATE_ERROR\",\n\t\t\t\tmessage: \"Failed to update OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Delete an OAuth client.\n */\nexport async function handleOAuthClientDelete(\n\tdb: Kysely<Database>,\n\tclientId: string,\n): Promise<ApiResult<{ deleted: true }>> {\n\ttry {\n\t\tconst result = await db\n\t\t\t.deleteFrom(\"_emdash_oauth_clients\")\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (result.numDeletedRows === 0n) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found\" },\n\t\t\t};\n\t\t}\n\n\t\treturn { success: true, data: { deleted: true } };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_DELETE_ERROR\",\n\t\t\t\tmessage: \"Failed to delete OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n// ---------------------------------------------------------------------------\n// Lookup helpers (used by authorization handler)\n// ---------------------------------------------------------------------------\n\n/**\n * Look up a registered OAuth client by ID.\n * Returns the client's redirect URIs or null if the client is not registered.\n */\nexport async function lookupOAuthClient(\n\tdb: Kysely<Database>,\n\tclientId: string,\n): Promise<{ redirectUris: string[]; scopes: string[] | null } | null> {\n\tconst row = await db\n\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t.select([\"redirect_uris\", \"scopes\"])\n\t\t.where(\"id\", \"=\", clientId)\n\t\t.executeTakeFirst();\n\n\tif (!row) return null;\n\n\treturn {\n\t\tredirectUris: parseJsonColumn<string[]>(row.redirect_uris),\n\t\tscopes: row.scopes ? parseJsonColumn<string[]>(row.scopes) : null,\n\t};\n}\n\n/**\n * Validate that a redirect URI is in the client's registered set.\n *\n * Comparison is exact string match (per RFC 6749 §3.1.2.3).\n * Returns null if valid, or an error message if not.\n */\nexport function validateClientRedirectUri(\n\tredirectUri: string,\n\tallowedUris: string[],\n): string | null {\n\tif (allowedUris.includes(redirectUri)) {\n\t\treturn null; // OK\n\t}\n\treturn \"redirect_uri is not registered for this client\";\n}\n"],"mappings":";;;;;;;AAMA,SAAgB,oBAAoB,KAA4B;AAC/D,KAAI;EACH,MAAM,MAAM,IAAI,IAAI,IAAI;AAGxB,MAAI,IAAI,WAAW,KAAK,CACvB,QAAO;AAIR,MAAI,IAAI,aAAa,SAAS;GAC7B,MAAM,OAAO,IAAI;AACjB,OAAI,SAAS,eAAe,SAAS,eAAe,SAAS,QAC5D,QAAO;AAER,UAAO;;AAIR,MAAI,IAAI,aAAa,SACpB,QAAO;AAGR,SAAO,oCAAoC,IAAI;SACxC;AACP,SAAO;;;;;;;ACZT,SAAS,gBAAmB,OAAkB;AAE7C,QAAO,KAAK,MAAM,MAAM;;AAGzB,SAAS,+BAA+B,cAAuC;AAC9E,MAAK,MAAM,eAAe,cAAc;EACvC,MAAM,QAAQ,oBAAoB,YAAY;AAC9C,MAAI,MACH,QAAO,yBAAyB;;AAGlC,QAAO;;;;;AAuBR,eAAsB,wBACrB,IACA,OAMsC;AACtC,KAAI;AACH,MAAI,MAAM,aAAa,WAAW,EACjC,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAGF,MAAM,mBAAmB,+BAA+B,MAAM,aAAa;AAC3E,MAAI,iBACH,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAUF,MANiB,MAAM,GACrB,WAAW,wBAAwB,CACnC,OAAO,KAAK,CACZ,MAAM,MAAM,KAAK,MAAM,GAAG,CAC1B,kBAAkB,CAGnB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAY,SAAS;IAA4C;GAChF;EAGF,MAAM,uBAAM,IAAI,MAAM,EAAC,aAAa;AAEpC,QAAM,GACJ,WAAW,wBAAwB,CACnC,OAAO;GACP,IAAI,MAAM;GACV,MAAM,MAAM;GACZ,eAAe,KAAK,UAAU,MAAM,aAAa;GACjD,QAAQ,MAAM,UAAU,MAAM,OAAO,SAAS,IAAI,KAAK,UAAU,MAAM,OAAO,GAAG;GACjF,CAAC,CACD,SAAS;AAEX,SAAO;GACN,SAAS;GACT,MAAM;IACL,IAAI,MAAM;IACV,MAAM,MAAM;IACZ,cAAc,MAAM;IACpB,QAAQ,MAAM,UAAU,MAAM,OAAO,SAAS,IAAI,MAAM,SAAS;IACjE,WAAW;IACX,WAAW;IACX;GACD;SACM;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,sBACrB,IACmD;AACnD,KAAI;AAgBH,SAAO;GAAE,SAAS;GAAM,MAAM,EAAE,QAfnB,MAAM,GACjB,WAAW,wBAAwB,CACnC,WAAW,CACX,QAAQ,cAAc,OAAO,CAC7B,SAAS,EAE2B,KAAK,SAAS;IACnD,IAAI,IAAI;IACR,MAAM,IAAI;IACV,cAAc,gBAA0B,IAAI,cAAc;IAC1D,QAAQ,IAAI,SAAS,gBAA0B,IAAI,OAAO,GAAG;IAC7D,WAAW,IAAI;IACf,WAAW,IAAI;IACf,EAAE,EAEoC;GAAE;SAClC;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,qBACrB,IACA,UACsC;AACtC,KAAI;EACH,MAAM,MAAM,MAAM,GAChB,WAAW,wBAAwB,CACnC,WAAW,CACX,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB;AAEpB,MAAI,CAAC,IACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAA0B;GAC/D;AAGF,SAAO;GACN,SAAS;GACT,MAAM;IACL,IAAI,IAAI;IACR,MAAM,IAAI;IACV,cAAc,gBAA0B,IAAI,cAAc;IAC1D,QAAQ,IAAI,SAAS,gBAA0B,IAAI,OAAO,GAAG;IAC7D,WAAW,IAAI;IACf,WAAW,IAAI;IACf;GACD;SACM;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,wBACrB,IACA,UACA,OAKsC;AACtC,KAAI;AAOH,MAAI,CANa,MAAM,GACrB,WAAW,wBAAwB,CACnC,WAAW,CACX,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB,CAGnB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAA0B;GAC/D;AAGF,MAAI,MAAM,iBAAiB,UAAa,MAAM,aAAa,WAAW,EACrE,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAGF,MAAI,MAAM,iBAAiB,QAAW;GACrC,MAAM,mBAAmB,+BAA+B,MAAM,aAAa;AAC3E,OAAI,iBACH,QAAO;IACN,SAAS;IACT,OAAO;KACN,MAAM;KACN,SAAS;KACT;IACD;;EAIH,MAAM,UAAyC,EAC9C,6BAAY,IAAI,MAAM,EAAC,aAAa,EACpC;AAED,MAAI,MAAM,SAAS,OAClB,SAAQ,OAAO,MAAM;AAEtB,MAAI,MAAM,iBAAiB,OAC1B,SAAQ,gBAAgB,KAAK,UAAU,MAAM,aAAa;AAE3D,MAAI,MAAM,WAAW,OACpB,SAAQ,SACP,MAAM,UAAU,MAAM,OAAO,SAAS,IAAI,KAAK,UAAU,MAAM,OAAO,GAAG;AAG3E,QAAM,GAAG,YAAY,wBAAwB,CAAC,IAAI,QAAQ,CAAC,MAAM,MAAM,KAAK,SAAS,CAAC,SAAS;EAG/F,MAAM,UAAU,MAAM,GACpB,WAAW,wBAAwB,CACnC,WAAW,CACX,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB;AAEpB,MAAI,CAAC,QACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAAuC;GAC5E;AAGF,SAAO;GACN,SAAS;GACT,MAAM;IACL,IAAI,QAAQ;IACZ,MAAM,QAAQ;IACd,cAAc,gBAA0B,QAAQ,cAAc;IAC9D,QAAQ,QAAQ,SAAS,gBAA0B,QAAQ,OAAO,GAAG;IACrE,WAAW,QAAQ;IACnB,WAAW,QAAQ;IACnB;GACD;SACM;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,wBACrB,IACA,UACwC;AACxC,KAAI;AAMH,OALe,MAAM,GACnB,WAAW,wBAAwB,CACnC,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB,EAET,mBAAmB,GAC7B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAA0B;GAC/D;AAGF,SAAO;GAAE,SAAS;GAAM,MAAM,EAAE,SAAS,MAAM;GAAE;SAC1C;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;;AAYH,eAAsB,kBACrB,IACA,UACsE;CACtE,MAAM,MAAM,MAAM,GAChB,WAAW,wBAAwB,CACnC,OAAO,CAAC,iBAAiB,SAAS,CAAC,CACnC,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB;AAEpB,KAAI,CAAC,IAAK,QAAO;AAEjB,QAAO;EACN,cAAc,gBAA0B,IAAI,cAAc;EAC1D,QAAQ,IAAI,SAAS,gBAA0B,IAAI,OAAO,GAAG;EAC7D;;;;;;;;AASF,SAAgB,0BACf,aACA,aACgB;AAChB,KAAI,YAAY,SAAS,YAAY,CACpC,QAAO;AAER,QAAO"}
1
+ {"version":3,"file":"oauth-clients-C9SYwEbZ.mjs","names":[],"sources":["../src/api/oauth/redirect-uri.ts","../src/api/handlers/oauth-clients.ts"],"sourcesContent":["/**\n * Validate a redirect URI per OAuth 2.1 security requirements.\n *\n * Allows localhost / loopback redirect URIs over HTTP for native clients,\n * and any HTTPS URL for web-based flows.\n */\nexport function validateRedirectUri(uri: string): string | null {\n\ttry {\n\t\tconst url = new URL(uri);\n\n\t\t// Reject protocol-relative URLs\n\t\tif (uri.startsWith(\"//\")) {\n\t\t\treturn \"Protocol-relative redirect URIs are not allowed\";\n\t\t}\n\n\t\t// Allow localhost/loopback over HTTP (for desktop MCP clients)\n\t\tif (url.protocol === \"http:\") {\n\t\t\tconst host = url.hostname;\n\t\t\tif (host === \"127.0.0.1\" || host === \"localhost\" || host === \"[::1]\") {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\treturn \"HTTP redirect URIs are only allowed for localhost\";\n\t\t}\n\n\t\t// Allow HTTPS\n\t\tif (url.protocol === \"https:\") {\n\t\t\treturn null;\n\t\t}\n\n\t\treturn `Unsupported redirect URI scheme: ${url.protocol}`;\n\t} catch {\n\t\treturn \"Invalid redirect URI\";\n\t}\n}\n","/**\n * OAuth client management handlers.\n *\n * CRUD operations for registered OAuth clients. Each client has a set\n * of pre-registered redirect URIs. The authorization endpoint rejects\n * any redirect_uri not in the client's registered set.\n */\n\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../../database/types.js\";\nimport { validateRedirectUri } from \"../oauth/redirect-uri.js\";\nimport type { ApiResult } from \"../types.js\";\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\n/** Parse a JSON string column into a typed value. */\nfunction parseJsonColumn<T>(value: string): T {\n\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- JSON.parse returns unknown, callers provide the expected shape\n\treturn JSON.parse(value) as T;\n}\n\nfunction validateRegisteredRedirectUris(redirectUris: string[]): string | null {\n\tfor (const redirectUri of redirectUris) {\n\t\tconst error = validateRedirectUri(redirectUri);\n\t\tif (error) {\n\t\t\treturn `Invalid redirect URI: ${error}`;\n\t\t}\n\t}\n\treturn null;\n}\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface OAuthClientInfo {\n\tid: string;\n\tname: string;\n\tredirectUris: string[];\n\tscopes: string[] | null;\n\tcreatedAt: string;\n\tupdatedAt: string;\n}\n\n// ---------------------------------------------------------------------------\n// Handlers\n// ---------------------------------------------------------------------------\n\n/**\n * Create a new OAuth client.\n */\nexport async function handleOAuthClientCreate(\n\tdb: Kysely<Database>,\n\tinput: {\n\t\tid: string;\n\t\tname: string;\n\t\tredirectUris: string[];\n\t\tscopes?: string[] | null;\n\t},\n): Promise<ApiResult<OAuthClientInfo>> {\n\ttry {\n\t\tif (input.redirectUris.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\tmessage: \"At least one redirect URI is required\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tconst redirectUriError = validateRegisteredRedirectUris(input.redirectUris);\n\t\tif (redirectUriError) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\tmessage: redirectUriError,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\t// Check for duplicate client ID\n\t\tconst existing = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.select(\"id\")\n\t\t\t.where(\"id\", \"=\", input.id)\n\t\t\t.executeTakeFirst();\n\n\t\tif (existing) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"CONFLICT\", message: \"OAuth client with this ID already exists\" },\n\t\t\t};\n\t\t}\n\n\t\tconst now = new Date().toISOString();\n\n\t\tawait db\n\t\t\t.insertInto(\"_emdash_oauth_clients\")\n\t\t\t.values({\n\t\t\t\tid: input.id,\n\t\t\t\tname: input.name,\n\t\t\t\tredirect_uris: JSON.stringify(input.redirectUris),\n\t\t\t\tscopes: input.scopes && input.scopes.length > 0 ? JSON.stringify(input.scopes) : null,\n\t\t\t})\n\t\t\t.execute();\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tid: input.id,\n\t\t\t\tname: input.name,\n\t\t\t\tredirectUris: input.redirectUris,\n\t\t\t\tscopes: input.scopes && input.scopes.length > 0 ? input.scopes : null,\n\t\t\t\tcreatedAt: now,\n\t\t\t\tupdatedAt: now,\n\t\t\t},\n\t\t};\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_CREATE_ERROR\",\n\t\t\t\tmessage: \"Failed to create OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * List all registered OAuth clients.\n */\nexport async function handleOAuthClientList(\n\tdb: Kysely<Database>,\n): Promise<ApiResult<{ items: OAuthClientInfo[] }>> {\n\ttry {\n\t\tconst rows = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.orderBy(\"created_at\", \"desc\")\n\t\t\t.execute();\n\n\t\tconst items: OAuthClientInfo[] = rows.map((row) => ({\n\t\t\tid: row.id,\n\t\t\tname: row.name,\n\t\t\tredirectUris: parseJsonColumn<string[]>(row.redirect_uris),\n\t\t\tscopes: row.scopes ? parseJsonColumn<string[]>(row.scopes) : null,\n\t\t\tcreatedAt: row.created_at,\n\t\t\tupdatedAt: row.updated_at,\n\t\t}));\n\n\t\treturn { success: true, data: { items } };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_LIST_ERROR\",\n\t\t\t\tmessage: \"Failed to list OAuth clients\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Get a single OAuth client by ID.\n */\nexport async function handleOAuthClientGet(\n\tdb: Kysely<Database>,\n\tclientId: string,\n): Promise<ApiResult<OAuthClientInfo>> {\n\ttry {\n\t\tconst row = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found\" },\n\t\t\t};\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tid: row.id,\n\t\t\t\tname: row.name,\n\t\t\t\tredirectUris: parseJsonColumn<string[]>(row.redirect_uris),\n\t\t\t\tscopes: row.scopes ? parseJsonColumn<string[]>(row.scopes) : null,\n\t\t\t\tcreatedAt: row.created_at,\n\t\t\t\tupdatedAt: row.updated_at,\n\t\t\t},\n\t\t};\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_GET_ERROR\",\n\t\t\t\tmessage: \"Failed to get OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Update an OAuth client.\n */\nexport async function handleOAuthClientUpdate(\n\tdb: Kysely<Database>,\n\tclientId: string,\n\tinput: {\n\t\tname?: string;\n\t\tredirectUris?: string[];\n\t\tscopes?: string[] | null;\n\t},\n): Promise<ApiResult<OAuthClientInfo>> {\n\ttry {\n\t\tconst existing = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!existing) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found\" },\n\t\t\t};\n\t\t}\n\n\t\tif (input.redirectUris !== undefined && input.redirectUris.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: {\n\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\tmessage: \"At least one redirect URI is required\",\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tif (input.redirectUris !== undefined) {\n\t\t\tconst redirectUriError = validateRegisteredRedirectUris(input.redirectUris);\n\t\t\tif (redirectUriError) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: {\n\t\t\t\t\t\tcode: \"VALIDATION_ERROR\",\n\t\t\t\t\t\tmessage: redirectUriError,\n\t\t\t\t\t},\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\n\t\tconst updates: Record<string, string | null> = {\n\t\t\tupdated_at: new Date().toISOString(),\n\t\t};\n\n\t\tif (input.name !== undefined) {\n\t\t\tupdates.name = input.name;\n\t\t}\n\t\tif (input.redirectUris !== undefined) {\n\t\t\tupdates.redirect_uris = JSON.stringify(input.redirectUris);\n\t\t}\n\t\tif (input.scopes !== undefined) {\n\t\t\tupdates.scopes =\n\t\t\t\tinput.scopes && input.scopes.length > 0 ? JSON.stringify(input.scopes) : null;\n\t\t}\n\n\t\tawait db.updateTable(\"_emdash_oauth_clients\").set(updates).where(\"id\", \"=\", clientId).execute();\n\n\t\t// Fetch the updated row\n\t\tconst updated = await db\n\t\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t\t.selectAll()\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (!updated) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found after update\" },\n\t\t\t};\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tid: updated.id,\n\t\t\t\tname: updated.name,\n\t\t\t\tredirectUris: parseJsonColumn<string[]>(updated.redirect_uris),\n\t\t\t\tscopes: updated.scopes ? parseJsonColumn<string[]>(updated.scopes) : null,\n\t\t\t\tcreatedAt: updated.created_at,\n\t\t\t\tupdatedAt: updated.updated_at,\n\t\t\t},\n\t\t};\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_UPDATE_ERROR\",\n\t\t\t\tmessage: \"Failed to update OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n/**\n * Delete an OAuth client.\n */\nexport async function handleOAuthClientDelete(\n\tdb: Kysely<Database>,\n\tclientId: string,\n): Promise<ApiResult<{ deleted: true }>> {\n\ttry {\n\t\tconst result = await db\n\t\t\t.deleteFrom(\"_emdash_oauth_clients\")\n\t\t\t.where(\"id\", \"=\", clientId)\n\t\t\t.executeTakeFirst();\n\n\t\tif (result.numDeletedRows === 0n) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: { code: \"NOT_FOUND\", message: \"OAuth client not found\" },\n\t\t\t};\n\t\t}\n\n\t\treturn { success: true, data: { deleted: true } };\n\t} catch {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: {\n\t\t\t\tcode: \"CLIENT_DELETE_ERROR\",\n\t\t\t\tmessage: \"Failed to delete OAuth client\",\n\t\t\t},\n\t\t};\n\t}\n}\n\n// ---------------------------------------------------------------------------\n// Lookup helpers (used by authorization handler)\n// ---------------------------------------------------------------------------\n\n/**\n * Look up a registered OAuth client by ID.\n * Returns the client's redirect URIs or null if the client is not registered.\n */\nexport async function lookupOAuthClient(\n\tdb: Kysely<Database>,\n\tclientId: string,\n): Promise<{ redirectUris: string[]; scopes: string[] | null } | null> {\n\tconst row = await db\n\t\t.selectFrom(\"_emdash_oauth_clients\")\n\t\t.select([\"redirect_uris\", \"scopes\"])\n\t\t.where(\"id\", \"=\", clientId)\n\t\t.executeTakeFirst();\n\n\tif (!row) return null;\n\n\treturn {\n\t\tredirectUris: parseJsonColumn<string[]>(row.redirect_uris),\n\t\tscopes: row.scopes ? parseJsonColumn<string[]>(row.scopes) : null,\n\t};\n}\n\n/**\n * Validate that a redirect URI is in the client's registered set.\n *\n * Comparison is exact string match (per RFC 6749 §3.1.2.3).\n * Returns null if valid, or an error message if not.\n */\nexport function validateClientRedirectUri(\n\tredirectUri: string,\n\tallowedUris: string[],\n): string | null {\n\tif (allowedUris.includes(redirectUri)) {\n\t\treturn null; // OK\n\t}\n\treturn \"redirect_uri is not registered for this client\";\n}\n"],"mappings":";;;;;;;AAMA,SAAgB,oBAAoB,KAA4B;AAC/D,KAAI;EACH,MAAM,MAAM,IAAI,IAAI,IAAI;AAGxB,MAAI,IAAI,WAAW,KAAK,CACvB,QAAO;AAIR,MAAI,IAAI,aAAa,SAAS;GAC7B,MAAM,OAAO,IAAI;AACjB,OAAI,SAAS,eAAe,SAAS,eAAe,SAAS,QAC5D,QAAO;AAER,UAAO;;AAIR,MAAI,IAAI,aAAa,SACpB,QAAO;AAGR,SAAO,oCAAoC,IAAI;SACxC;AACP,SAAO;;;;;;;ACZT,SAAS,gBAAmB,OAAkB;AAE7C,QAAO,KAAK,MAAM,MAAM;;AAGzB,SAAS,+BAA+B,cAAuC;AAC9E,MAAK,MAAM,eAAe,cAAc;EACvC,MAAM,QAAQ,oBAAoB,YAAY;AAC9C,MAAI,MACH,QAAO,yBAAyB;;AAGlC,QAAO;;;;;AAuBR,eAAsB,wBACrB,IACA,OAMsC;AACtC,KAAI;AACH,MAAI,MAAM,aAAa,WAAW,EACjC,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;EAGF,MAAM,mBAAmB,+BAA+B,MAAM,aAAa;AAC3E,MAAI,iBACH,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAUF,MANiB,MAAM,GACrB,WAAW,wBAAwB,CACnC,OAAO,KAAK,CACZ,MAAM,MAAM,KAAK,MAAM,GAAG,CAC1B,kBAAkB,CAGnB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAY,SAAS;IAA4C;GAChF;EAGF,MAAM,uBAAM,IAAI,MAAM,EAAC,aAAa;AAEpC,QAAM,GACJ,WAAW,wBAAwB,CACnC,OAAO;GACP,IAAI,MAAM;GACV,MAAM,MAAM;GACZ,eAAe,KAAK,UAAU,MAAM,aAAa;GACjD,QAAQ,MAAM,UAAU,MAAM,OAAO,SAAS,IAAI,KAAK,UAAU,MAAM,OAAO,GAAG;GACjF,CAAC,CACD,SAAS;AAEX,SAAO;GACN,SAAS;GACT,MAAM;IACL,IAAI,MAAM;IACV,MAAM,MAAM;IACZ,cAAc,MAAM;IACpB,QAAQ,MAAM,UAAU,MAAM,OAAO,SAAS,IAAI,MAAM,SAAS;IACjE,WAAW;IACX,WAAW;IACX;GACD;SACM;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,sBACrB,IACmD;AACnD,KAAI;AAgBH,SAAO;GAAE,SAAS;GAAM,MAAM,EAAE,QAfnB,MAAM,GACjB,WAAW,wBAAwB,CACnC,WAAW,CACX,QAAQ,cAAc,OAAO,CAC7B,SAAS,EAE2B,KAAK,SAAS;IACnD,IAAI,IAAI;IACR,MAAM,IAAI;IACV,cAAc,gBAA0B,IAAI,cAAc;IAC1D,QAAQ,IAAI,SAAS,gBAA0B,IAAI,OAAO,GAAG;IAC7D,WAAW,IAAI;IACf,WAAW,IAAI;IACf,EAAE,EAEoC;GAAE;SAClC;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,qBACrB,IACA,UACsC;AACtC,KAAI;EACH,MAAM,MAAM,MAAM,GAChB,WAAW,wBAAwB,CACnC,WAAW,CACX,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB;AAEpB,MAAI,CAAC,IACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAA0B;GAC/D;AAGF,SAAO;GACN,SAAS;GACT,MAAM;IACL,IAAI,IAAI;IACR,MAAM,IAAI;IACV,cAAc,gBAA0B,IAAI,cAAc;IAC1D,QAAQ,IAAI,SAAS,gBAA0B,IAAI,OAAO,GAAG;IAC7D,WAAW,IAAI;IACf,WAAW,IAAI;IACf;GACD;SACM;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,wBACrB,IACA,UACA,OAKsC;AACtC,KAAI;AAOH,MAAI,CANa,MAAM,GACrB,WAAW,wBAAwB,CACnC,WAAW,CACX,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB,CAGnB,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAA0B;GAC/D;AAGF,MAAI,MAAM,iBAAiB,UAAa,MAAM,aAAa,WAAW,EACrE,QAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;AAGF,MAAI,MAAM,iBAAiB,QAAW;GACrC,MAAM,mBAAmB,+BAA+B,MAAM,aAAa;AAC3E,OAAI,iBACH,QAAO;IACN,SAAS;IACT,OAAO;KACN,MAAM;KACN,SAAS;KACT;IACD;;EAIH,MAAM,UAAyC,EAC9C,6BAAY,IAAI,MAAM,EAAC,aAAa,EACpC;AAED,MAAI,MAAM,SAAS,OAClB,SAAQ,OAAO,MAAM;AAEtB,MAAI,MAAM,iBAAiB,OAC1B,SAAQ,gBAAgB,KAAK,UAAU,MAAM,aAAa;AAE3D,MAAI,MAAM,WAAW,OACpB,SAAQ,SACP,MAAM,UAAU,MAAM,OAAO,SAAS,IAAI,KAAK,UAAU,MAAM,OAAO,GAAG;AAG3E,QAAM,GAAG,YAAY,wBAAwB,CAAC,IAAI,QAAQ,CAAC,MAAM,MAAM,KAAK,SAAS,CAAC,SAAS;EAG/F,MAAM,UAAU,MAAM,GACpB,WAAW,wBAAwB,CACnC,WAAW,CACX,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB;AAEpB,MAAI,CAAC,QACJ,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAAuC;GAC5E;AAGF,SAAO;GACN,SAAS;GACT,MAAM;IACL,IAAI,QAAQ;IACZ,MAAM,QAAQ;IACd,cAAc,gBAA0B,QAAQ,cAAc;IAC9D,QAAQ,QAAQ,SAAS,gBAA0B,QAAQ,OAAO,GAAG;IACrE,WAAW,QAAQ;IACnB,WAAW,QAAQ;IACnB;GACD;SACM;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;AAOH,eAAsB,wBACrB,IACA,UACwC;AACxC,KAAI;AAMH,OALe,MAAM,GACnB,WAAW,wBAAwB,CACnC,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB,EAET,mBAAmB,GAC7B,QAAO;GACN,SAAS;GACT,OAAO;IAAE,MAAM;IAAa,SAAS;IAA0B;GAC/D;AAGF,SAAO;GAAE,SAAS;GAAM,MAAM,EAAE,SAAS,MAAM;GAAE;SAC1C;AACP,SAAO;GACN,SAAS;GACT,OAAO;IACN,MAAM;IACN,SAAS;IACT;GACD;;;;;;;AAYH,eAAsB,kBACrB,IACA,UACsE;CACtE,MAAM,MAAM,MAAM,GAChB,WAAW,wBAAwB,CACnC,OAAO,CAAC,iBAAiB,SAAS,CAAC,CACnC,MAAM,MAAM,KAAK,SAAS,CAC1B,kBAAkB;AAEpB,KAAI,CAAC,IAAK,QAAO;AAEjB,QAAO;EACN,cAAc,gBAA0B,IAAI,cAAc;EAC1D,QAAQ,IAAI,SAAS,gBAA0B,IAAI,OAAO,GAAG;EAC7D;;;;;;;;AASF,SAAgB,0BACf,aACA,aACgB;AAChB,KAAI,YAAY,SAAS,YAAY,CACpC,QAAO;AAER,QAAO"}
@@ -46,4 +46,4 @@ function createOAuthStateStore(db) {
46
46
 
47
47
  //#endregion
48
48
  export { createOAuthStateStore as t };
49
- //# sourceMappingURL=oauth-state-store-Cd--TUaq.mjs.map
49
+ //# sourceMappingURL=oauth-state-store---zrApfB.mjs.map
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-state-store-Cd--TUaq.mjs","names":[],"sources":["../src/auth/oauth-state-store.ts"],"sourcesContent":["/**\n * OAuth state store\n *\n * Stores OAuth state in the auth_challenges table with automatic expiration.\n * Uses the existing table but with type=\"oauth\" to distinguish from WebAuthn challenges.\n */\n\nimport type { StateStore, OAuthState } from \"@emdash-cms/auth\";\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../database/types.js\";\n\nconst OAUTH_STATE_TTL_MS = 10 * 60 * 1000; // 10 minutes\n\nexport function createOAuthStateStore(db: Kysely<Database>): StateStore {\n\treturn {\n\t\tasync set(state: string, data: OAuthState): Promise<void> {\n\t\t\tconst expiresAt = new Date(Date.now() + OAUTH_STATE_TTL_MS).toISOString();\n\n\t\t\tawait db\n\t\t\t\t.insertInto(\"auth_challenges\")\n\t\t\t\t.values({\n\t\t\t\t\tchallenge: state,\n\t\t\t\t\ttype: \"oauth\",\n\t\t\t\t\tuser_id: null,\n\t\t\t\t\tdata: JSON.stringify(data),\n\t\t\t\t\texpires_at: expiresAt,\n\t\t\t\t})\n\t\t\t\t.onConflict((oc) =>\n\t\t\t\t\toc.column(\"challenge\").doUpdateSet({\n\t\t\t\t\t\ttype: \"oauth\",\n\t\t\t\t\t\tdata: JSON.stringify(data),\n\t\t\t\t\t\texpires_at: expiresAt,\n\t\t\t\t\t}),\n\t\t\t\t)\n\t\t\t\t.execute();\n\t\t},\n\n\t\tasync get(state: string): Promise<OAuthState | null> {\n\t\t\tconst row = await db\n\t\t\t\t.selectFrom(\"auth_challenges\")\n\t\t\t\t.selectAll()\n\t\t\t\t.where(\"challenge\", \"=\", state)\n\t\t\t\t.where(\"type\", \"=\", \"oauth\")\n\t\t\t\t.executeTakeFirst();\n\n\t\t\tif (!row) return null;\n\n\t\t\tconst expiresAt = new Date(row.expires_at).getTime();\n\n\t\t\t// Check expiration\n\t\t\tif (expiresAt < Date.now()) {\n\t\t\t\t// Expired, delete and return null\n\t\t\t\tawait this.delete(state);\n\t\t\t\treturn null;\n\t\t\t}\n\n\t\t\tif (!row.data) return null;\n\n\t\t\ttry {\n\t\t\t\tconst parsed: unknown = JSON.parse(row.data);\n\t\t\t\tif (\n\t\t\t\t\ttypeof parsed !== \"object\" ||\n\t\t\t\t\tparsed === null ||\n\t\t\t\t\t!(\"provider\" in parsed) ||\n\t\t\t\t\ttypeof parsed.provider !== \"string\" ||\n\t\t\t\t\t!(\"redirectUri\" in parsed) ||\n\t\t\t\t\ttypeof parsed.redirectUri !== \"string\"\n\t\t\t\t) {\n\t\t\t\t\treturn null;\n\t\t\t\t}\n\t\t\t\tconst oauthState: OAuthState = {\n\t\t\t\t\tprovider: parsed.provider,\n\t\t\t\t\tredirectUri: parsed.redirectUri,\n\t\t\t\t};\n\t\t\t\tif (\"codeVerifier\" in parsed && typeof parsed.codeVerifier === \"string\") {\n\t\t\t\t\toauthState.codeVerifier = parsed.codeVerifier;\n\t\t\t\t}\n\t\t\t\tif (\"nonce\" in parsed && typeof parsed.nonce === \"string\") {\n\t\t\t\t\toauthState.nonce = parsed.nonce;\n\t\t\t\t}\n\t\t\t\treturn oauthState;\n\t\t\t} catch {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t},\n\n\t\tasync delete(state: string): Promise<void> {\n\t\t\tawait db\n\t\t\t\t.deleteFrom(\"auth_challenges\")\n\t\t\t\t.where(\"challenge\", \"=\", state)\n\t\t\t\t.where(\"type\", \"=\", \"oauth\")\n\t\t\t\t.execute();\n\t\t},\n\t};\n}\n"],"mappings":";AAYA,MAAM,qBAAqB,MAAU;AAErC,SAAgB,sBAAsB,IAAkC;AACvE,QAAO;EACN,MAAM,IAAI,OAAe,MAAiC;GACzD,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,mBAAmB,CAAC,aAAa;AAEzE,SAAM,GACJ,WAAW,kBAAkB,CAC7B,OAAO;IACP,WAAW;IACX,MAAM;IACN,SAAS;IACT,MAAM,KAAK,UAAU,KAAK;IAC1B,YAAY;IACZ,CAAC,CACD,YAAY,OACZ,GAAG,OAAO,YAAY,CAAC,YAAY;IAClC,MAAM;IACN,MAAM,KAAK,UAAU,KAAK;IAC1B,YAAY;IACZ,CAAC,CACF,CACA,SAAS;;EAGZ,MAAM,IAAI,OAA2C;GACpD,MAAM,MAAM,MAAM,GAChB,WAAW,kBAAkB,CAC7B,WAAW,CACX,MAAM,aAAa,KAAK,MAAM,CAC9B,MAAM,QAAQ,KAAK,QAAQ,CAC3B,kBAAkB;AAEpB,OAAI,CAAC,IAAK,QAAO;AAKjB,OAHkB,IAAI,KAAK,IAAI,WAAW,CAAC,SAAS,GAGpC,KAAK,KAAK,EAAE;AAE3B,UAAM,KAAK,OAAO,MAAM;AACxB,WAAO;;AAGR,OAAI,CAAC,IAAI,KAAM,QAAO;AAEtB,OAAI;IACH,MAAM,SAAkB,KAAK,MAAM,IAAI,KAAK;AAC5C,QACC,OAAO,WAAW,YAClB,WAAW,QACX,EAAE,cAAc,WAChB,OAAO,OAAO,aAAa,YAC3B,EAAE,iBAAiB,WACnB,OAAO,OAAO,gBAAgB,SAE9B,QAAO;IAER,MAAM,aAAyB;KAC9B,UAAU,OAAO;KACjB,aAAa,OAAO;KACpB;AACD,QAAI,kBAAkB,UAAU,OAAO,OAAO,iBAAiB,SAC9D,YAAW,eAAe,OAAO;AAElC,QAAI,WAAW,UAAU,OAAO,OAAO,UAAU,SAChD,YAAW,QAAQ,OAAO;AAE3B,WAAO;WACA;AACP,WAAO;;;EAIT,MAAM,OAAO,OAA8B;AAC1C,SAAM,GACJ,WAAW,kBAAkB,CAC7B,MAAM,aAAa,KAAK,MAAM,CAC9B,MAAM,QAAQ,KAAK,QAAQ,CAC3B,SAAS;;EAEZ"}
1
+ {"version":3,"file":"oauth-state-store---zrApfB.mjs","names":[],"sources":["../src/auth/oauth-state-store.ts"],"sourcesContent":["/**\n * OAuth state store\n *\n * Stores OAuth state in the auth_challenges table with automatic expiration.\n * Uses the existing table but with type=\"oauth\" to distinguish from WebAuthn challenges.\n */\n\nimport type { StateStore, OAuthState } from \"@emdash-cms/auth\";\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../database/types.js\";\n\nconst OAUTH_STATE_TTL_MS = 10 * 60 * 1000; // 10 minutes\n\nexport function createOAuthStateStore(db: Kysely<Database>): StateStore {\n\treturn {\n\t\tasync set(state: string, data: OAuthState): Promise<void> {\n\t\t\tconst expiresAt = new Date(Date.now() + OAUTH_STATE_TTL_MS).toISOString();\n\n\t\t\tawait db\n\t\t\t\t.insertInto(\"auth_challenges\")\n\t\t\t\t.values({\n\t\t\t\t\tchallenge: state,\n\t\t\t\t\ttype: \"oauth\",\n\t\t\t\t\tuser_id: null,\n\t\t\t\t\tdata: JSON.stringify(data),\n\t\t\t\t\texpires_at: expiresAt,\n\t\t\t\t})\n\t\t\t\t.onConflict((oc) =>\n\t\t\t\t\toc.column(\"challenge\").doUpdateSet({\n\t\t\t\t\t\ttype: \"oauth\",\n\t\t\t\t\t\tdata: JSON.stringify(data),\n\t\t\t\t\t\texpires_at: expiresAt,\n\t\t\t\t\t}),\n\t\t\t\t)\n\t\t\t\t.execute();\n\t\t},\n\n\t\tasync get(state: string): Promise<OAuthState | null> {\n\t\t\tconst row = await db\n\t\t\t\t.selectFrom(\"auth_challenges\")\n\t\t\t\t.selectAll()\n\t\t\t\t.where(\"challenge\", \"=\", state)\n\t\t\t\t.where(\"type\", \"=\", \"oauth\")\n\t\t\t\t.executeTakeFirst();\n\n\t\t\tif (!row) return null;\n\n\t\t\tconst expiresAt = new Date(row.expires_at).getTime();\n\n\t\t\t// Check expiration\n\t\t\tif (expiresAt < Date.now()) {\n\t\t\t\t// Expired, delete and return null\n\t\t\t\tawait this.delete(state);\n\t\t\t\treturn null;\n\t\t\t}\n\n\t\t\tif (!row.data) return null;\n\n\t\t\ttry {\n\t\t\t\tconst parsed: unknown = JSON.parse(row.data);\n\t\t\t\tif (\n\t\t\t\t\ttypeof parsed !== \"object\" ||\n\t\t\t\t\tparsed === null ||\n\t\t\t\t\t!(\"provider\" in parsed) ||\n\t\t\t\t\ttypeof parsed.provider !== \"string\" ||\n\t\t\t\t\t!(\"redirectUri\" in parsed) ||\n\t\t\t\t\ttypeof parsed.redirectUri !== \"string\"\n\t\t\t\t) {\n\t\t\t\t\treturn null;\n\t\t\t\t}\n\t\t\t\tconst oauthState: OAuthState = {\n\t\t\t\t\tprovider: parsed.provider,\n\t\t\t\t\tredirectUri: parsed.redirectUri,\n\t\t\t\t};\n\t\t\t\tif (\"codeVerifier\" in parsed && typeof parsed.codeVerifier === \"string\") {\n\t\t\t\t\toauthState.codeVerifier = parsed.codeVerifier;\n\t\t\t\t}\n\t\t\t\tif (\"nonce\" in parsed && typeof parsed.nonce === \"string\") {\n\t\t\t\t\toauthState.nonce = parsed.nonce;\n\t\t\t\t}\n\t\t\t\treturn oauthState;\n\t\t\t} catch {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t},\n\n\t\tasync delete(state: string): Promise<void> {\n\t\t\tawait db\n\t\t\t\t.deleteFrom(\"auth_challenges\")\n\t\t\t\t.where(\"challenge\", \"=\", state)\n\t\t\t\t.where(\"type\", \"=\", \"oauth\")\n\t\t\t\t.execute();\n\t\t},\n\t};\n}\n"],"mappings":";AAYA,MAAM,qBAAqB,MAAU;AAErC,SAAgB,sBAAsB,IAAkC;AACvE,QAAO;EACN,MAAM,IAAI,OAAe,MAAiC;GACzD,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,mBAAmB,CAAC,aAAa;AAEzE,SAAM,GACJ,WAAW,kBAAkB,CAC7B,OAAO;IACP,WAAW;IACX,MAAM;IACN,SAAS;IACT,MAAM,KAAK,UAAU,KAAK;IAC1B,YAAY;IACZ,CAAC,CACD,YAAY,OACZ,GAAG,OAAO,YAAY,CAAC,YAAY;IAClC,MAAM;IACN,MAAM,KAAK,UAAU,KAAK;IAC1B,YAAY;IACZ,CAAC,CACF,CACA,SAAS;;EAGZ,MAAM,IAAI,OAA2C;GACpD,MAAM,MAAM,MAAM,GAChB,WAAW,kBAAkB,CAC7B,WAAW,CACX,MAAM,aAAa,KAAK,MAAM,CAC9B,MAAM,QAAQ,KAAK,QAAQ,CAC3B,kBAAkB;AAEpB,OAAI,CAAC,IAAK,QAAO;AAKjB,OAHkB,IAAI,KAAK,IAAI,WAAW,CAAC,SAAS,GAGpC,KAAK,KAAK,EAAE;AAE3B,UAAM,KAAK,OAAO,MAAM;AACxB,WAAO;;AAGR,OAAI,CAAC,IAAI,KAAM,QAAO;AAEtB,OAAI;IACH,MAAM,SAAkB,KAAK,MAAM,IAAI,KAAK;AAC5C,QACC,OAAO,WAAW,YAClB,WAAW,QACX,EAAE,cAAc,WAChB,OAAO,OAAO,aAAa,YAC3B,EAAE,iBAAiB,WACnB,OAAO,OAAO,gBAAgB,SAE9B,QAAO;IAER,MAAM,aAAyB;KAC9B,UAAU,OAAO;KACjB,aAAa,OAAO;KACpB;AACD,QAAI,kBAAkB,UAAU,OAAO,OAAO,iBAAiB,SAC9D,YAAW,eAAe,OAAO;AAElC,QAAI,WAAW,UAAU,OAAO,OAAO,UAAU,SAChD,YAAW,QAAQ,OAAO;AAE3B,WAAO;WACA;AACP,WAAO;;;EAIT,MAAM,OAAO,OAA8B;AAC1C,SAAM,GACJ,WAAW,kBAAkB,CAC7B,MAAM,aAAa,KAAK,MAAM,CAC9B,MAAM,QAAQ,KAAK,QAAQ,CAC3B,SAAS;;EAEZ"}
@@ -23,4 +23,4 @@ async function lookupUserRoleAndStatus(db, userId) {
23
23
 
24
24
  //#endregion
25
25
  export { lookupUserRoleAndStatus as t };
26
- //# sourceMappingURL=oauth-user-lookup-e4wOvDud.mjs.map
26
+ //# sourceMappingURL=oauth-user-lookup-SHsWRlG9.mjs.map
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-user-lookup-e4wOvDud.mjs","names":[],"sources":["../src/api/handlers/oauth-user-lookup.ts"],"sourcesContent":["/**\n * Shared user lookup for OAuth token operations.\n *\n * Extracts user role and disabled status from the database. Used by\n * handleTokenRefresh() to revalidate scopes against the user's current\n * role and reject disabled users.\n */\n\nimport { toRoleLevel, type RoleLevel } from \"@emdash-cms/auth\";\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../../database/types.js\";\n\nexport interface UserRoleAndStatus {\n\trole: RoleLevel;\n\tdisabled: boolean;\n}\n\n/**\n * Look up a user's current role and disabled status.\n * Returns null if the user doesn't exist.\n */\nexport async function lookupUserRoleAndStatus(\n\tdb: Kysely<Database>,\n\tuserId: string,\n): Promise<UserRoleAndStatus | null> {\n\tconst row = await db\n\t\t.selectFrom(\"users\")\n\t\t.select([\"role\", \"disabled\"])\n\t\t.where(\"id\", \"=\", userId)\n\t\t.executeTakeFirst();\n\n\tif (!row) return null;\n\n\treturn {\n\t\trole: toRoleLevel(row.role),\n\t\tdisabled: row.disabled === 1,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;;;AAsBA,eAAsB,wBACrB,IACA,QACoC;CACpC,MAAM,MAAM,MAAM,GAChB,WAAW,QAAQ,CACnB,OAAO,CAAC,QAAQ,WAAW,CAAC,CAC5B,MAAM,MAAM,KAAK,OAAO,CACxB,kBAAkB;AAEpB,KAAI,CAAC,IAAK,QAAO;AAEjB,QAAO;EACN,MAAM,YAAY,IAAI,KAAK;EAC3B,UAAU,IAAI,aAAa;EAC3B"}
1
+ {"version":3,"file":"oauth-user-lookup-SHsWRlG9.mjs","names":[],"sources":["../src/api/handlers/oauth-user-lookup.ts"],"sourcesContent":["/**\n * Shared user lookup for OAuth token operations.\n *\n * Extracts user role and disabled status from the database. Used by\n * handleTokenRefresh() to revalidate scopes against the user's current\n * role and reject disabled users.\n */\n\nimport { toRoleLevel, type RoleLevel } from \"@emdash-cms/auth\";\nimport type { Kysely } from \"kysely\";\n\nimport type { Database } from \"../../database/types.js\";\n\nexport interface UserRoleAndStatus {\n\trole: RoleLevel;\n\tdisabled: boolean;\n}\n\n/**\n * Look up a user's current role and disabled status.\n * Returns null if the user doesn't exist.\n */\nexport async function lookupUserRoleAndStatus(\n\tdb: Kysely<Database>,\n\tuserId: string,\n): Promise<UserRoleAndStatus | null> {\n\tconst row = await db\n\t\t.selectFrom(\"users\")\n\t\t.select([\"role\", \"disabled\"])\n\t\t.where(\"id\", \"=\", userId)\n\t\t.executeTakeFirst();\n\n\tif (!row) return null;\n\n\treturn {\n\t\trole: toRoleLevel(row.role),\n\t\tdisabled: row.disabled === 1,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;;;AAsBA,eAAsB,wBACrB,IACA,QACoC;CACpC,MAAM,MAAM,MAAM,GAChB,WAAW,QAAQ,CACnB,OAAO,CAAC,QAAQ,WAAW,CAAC,CAC5B,MAAM,MAAM,KAAK,OAAO,CACxB,kBAAkB;AAEpB,KAAI,CAAC,IAAK,QAAO;AAEjB,QAAO;EACN,MAAM,YAAY,IAAI,KAAK;EAC3B,UAAU,IAAI,aAAa;EAC3B"}
@@ -0,0 +1,15 @@
1
+ import { t as CreateObjectCacheBackendFn } from "../types-fS7-VTdR.mjs";
2
+
3
+ //#region src/object-cache/memory.d.ts
4
+ /**
5
+ * Create the in-isolate memory backend.
6
+ *
7
+ * Config keys (all optional):
8
+ * - `maxEntries` — soft cap on stored keys; oldest insertions are evicted
9
+ * first when exceeded (FIFO, cheap and good enough for a backstop). Default
10
+ * 1000.
11
+ */
12
+ declare const createObjectCache: CreateObjectCacheBackendFn;
13
+ //#endregion
14
+ export { createObjectCache };
15
+ //# sourceMappingURL=memory.d.mts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"memory.d.mts","names":[],"sources":["../../src/object-cache/memory.ts"],"mappings":";;;;;;;;;;;cAyDa,iBAAA,EAAmB,0BAAA"}
@@ -0,0 +1,56 @@
1
+ //#region src/object-cache/memory.ts
2
+ const STORE_KEY = Symbol.for("emdash:object-cache:memory");
3
+ const g = globalThis;
4
+ function getStore(maxEntries) {
5
+ const existing = g[STORE_KEY];
6
+ if (existing) return existing;
7
+ const store = {
8
+ map: /* @__PURE__ */ new Map(),
9
+ maxEntries
10
+ };
11
+ g[STORE_KEY] = store;
12
+ return store;
13
+ }
14
+ /**
15
+ * Create the in-isolate memory backend.
16
+ *
17
+ * Config keys (all optional):
18
+ * - `maxEntries` — soft cap on stored keys; oldest insertions are evicted
19
+ * first when exceeded (FIFO, cheap and good enough for a backstop). Default
20
+ * 1000.
21
+ */
22
+ const createObjectCache = (config) => {
23
+ const store = getStore(typeof config.maxEntries === "number" ? config.maxEntries : 1e3);
24
+ return {
25
+ get(key) {
26
+ const entry = store.map.get(key);
27
+ if (!entry) return Promise.resolve(null);
28
+ if (entry.expiresAt !== null && entry.expiresAt <= Date.now()) {
29
+ store.map.delete(key);
30
+ return Promise.resolve(null);
31
+ }
32
+ return Promise.resolve(entry.value);
33
+ },
34
+ set(key, value, ttlSeconds) {
35
+ store.map.delete(key);
36
+ store.map.set(key, {
37
+ value,
38
+ expiresAt: ttlSeconds && ttlSeconds > 0 ? Date.now() + ttlSeconds * 1e3 : null
39
+ });
40
+ while (store.map.size > store.maxEntries) {
41
+ const oldest = store.map.keys().next().value;
42
+ if (oldest === void 0) break;
43
+ store.map.delete(oldest);
44
+ }
45
+ return Promise.resolve();
46
+ },
47
+ delete(key) {
48
+ store.map.delete(key);
49
+ return Promise.resolve();
50
+ }
51
+ };
52
+ };
53
+
54
+ //#endregion
55
+ export { createObjectCache };
56
+ //# sourceMappingURL=memory.mjs.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"memory.mjs","names":[],"sources":["../../src/object-cache/memory.ts"],"sourcesContent":["/**\n * In-isolate memory object-cache backend — RUNTIME ENTRY\n *\n * The default backend for the Node runtime and a sensible local-dev option.\n * Caches across requests within a single isolate/process; it is NOT shared\n * across isolates, so on a multi-isolate platform (Cloudflare) you want the KV\n * backend instead. Still useful on Node, where one long-lived process serves\n * every request.\n *\n * Wire it up with `memoryCache()` from `emdash`:\n *\n * ```ts\n * import { memoryCache } from \"emdash\";\n * emdash({ objectCache: memoryCache() });\n * ```\n *\n * The store lives on `globalThis` behind a `Symbol.for` key so Vite SSR chunk\n * duplication doesn't create two independent caches (same pattern as\n * `request-context.ts`).\n */\n\nimport type { CreateObjectCacheBackendFn, ObjectCacheBackend } from \"./types.js\";\n\ninterface Entry {\n\tvalue: string;\n\t/** Absolute expiry in ms (`Date.now()` epoch), or `null` for none. */\n\texpiresAt: number | null;\n}\n\ninterface MemoryStore {\n\tmap: Map<string, Entry>;\n\tmaxEntries: number;\n}\n\nconst STORE_KEY = Symbol.for(\"emdash:object-cache:memory\");\nconst g = globalThis as Record<symbol, unknown>;\n\nfunction getStore(maxEntries: number): MemoryStore {\n\t// eslint-disable-next-line typescript/no-unsafe-type-assertion -- globalThis singleton pattern (see request-context.ts)\n\tconst existing = g[STORE_KEY] as MemoryStore | undefined;\n\tif (existing) {\n\t\t// First descriptor wins for sizing; later calls reuse the same map.\n\t\treturn existing;\n\t}\n\tconst store: MemoryStore = { map: new Map(), maxEntries };\n\tg[STORE_KEY] = store;\n\treturn store;\n}\n\n/**\n * Create the in-isolate memory backend.\n *\n * Config keys (all optional):\n * - `maxEntries` — soft cap on stored keys; oldest insertions are evicted\n * first when exceeded (FIFO, cheap and good enough for a backstop). Default\n * 1000.\n */\nexport const createObjectCache: CreateObjectCacheBackendFn = (config): ObjectCacheBackend => {\n\tconst maxEntries = typeof config.maxEntries === \"number\" ? config.maxEntries : 1000;\n\tconst store = getStore(maxEntries);\n\n\treturn {\n\t\tget(key: string): Promise<string | null> {\n\t\t\tconst entry = store.map.get(key);\n\t\t\tif (!entry) return Promise.resolve(null);\n\t\t\tif (entry.expiresAt !== null && entry.expiresAt <= Date.now()) {\n\t\t\t\tstore.map.delete(key);\n\t\t\t\treturn Promise.resolve(null);\n\t\t\t}\n\t\t\treturn Promise.resolve(entry.value);\n\t\t},\n\t\tset(key: string, value: string, ttlSeconds?: number): Promise<void> {\n\t\t\t// Refresh insertion order so recently-written keys survive eviction.\n\t\t\tstore.map.delete(key);\n\t\t\tstore.map.set(key, {\n\t\t\t\tvalue,\n\t\t\t\texpiresAt: ttlSeconds && ttlSeconds > 0 ? Date.now() + ttlSeconds * 1000 : null,\n\t\t\t});\n\t\t\twhile (store.map.size > store.maxEntries) {\n\t\t\t\tconst oldest = store.map.keys().next().value;\n\t\t\t\tif (oldest === undefined) break;\n\t\t\t\tstore.map.delete(oldest);\n\t\t\t}\n\t\t\treturn Promise.resolve();\n\t\t},\n\t\tdelete(key: string): Promise<void> {\n\t\t\tstore.map.delete(key);\n\t\t\treturn Promise.resolve();\n\t\t},\n\t};\n};\n"],"mappings":";AAkCA,MAAM,YAAY,OAAO,IAAI,6BAA6B;AAC1D,MAAM,IAAI;AAEV,SAAS,SAAS,YAAiC;CAElD,MAAM,WAAW,EAAE;AACnB,KAAI,SAEH,QAAO;CAER,MAAM,QAAqB;EAAE,qBAAK,IAAI,KAAK;EAAE;EAAY;AACzD,GAAE,aAAa;AACf,QAAO;;;;;;;;;;AAWR,MAAa,qBAAiD,WAA+B;CAE5F,MAAM,QAAQ,SADK,OAAO,OAAO,eAAe,WAAW,OAAO,aAAa,IAC7C;AAElC,QAAO;EACN,IAAI,KAAqC;GACxC,MAAM,QAAQ,MAAM,IAAI,IAAI,IAAI;AAChC,OAAI,CAAC,MAAO,QAAO,QAAQ,QAAQ,KAAK;AACxC,OAAI,MAAM,cAAc,QAAQ,MAAM,aAAa,KAAK,KAAK,EAAE;AAC9D,UAAM,IAAI,OAAO,IAAI;AACrB,WAAO,QAAQ,QAAQ,KAAK;;AAE7B,UAAO,QAAQ,QAAQ,MAAM,MAAM;;EAEpC,IAAI,KAAa,OAAe,YAAoC;AAEnE,SAAM,IAAI,OAAO,IAAI;AACrB,SAAM,IAAI,IAAI,KAAK;IAClB;IACA,WAAW,cAAc,aAAa,IAAI,KAAK,KAAK,GAAG,aAAa,MAAO;IAC3E,CAAC;AACF,UAAO,MAAM,IAAI,OAAO,MAAM,YAAY;IACzC,MAAM,SAAS,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC;AACvC,QAAI,WAAW,OAAW;AAC1B,UAAM,IAAI,OAAO,OAAO;;AAEzB,UAAO,QAAQ,SAAS;;EAEzB,OAAO,KAA4B;AAClC,SAAM,IAAI,OAAO,IAAI;AACrB,UAAO,QAAQ,SAAS;;EAEzB"}