harper-kb 0.2.0

package/dist/oauth/keys.js

@@ -0,0 +1,101 @@
+/**
+ * OAuth RSA Key Management
+ *
+ * Generates, stores, loads, and caches an RS256 key pair for signing JWT
+ * access tokens. The key is stored in the OAuthSigningKey table so all
+ * Harper worker threads share the same key.
+ */
+import { generateKeyPair, exportJWK, importJWK } from 'jose';
+const KEY_ID = 'primary';
+let cachedPrivateKey = null;
+let cachedPublicKeyJwk = null;
+/**
+ * Ensure a signing key exists. Loads from DB or generates a new one.
+ * Called once during handleApplication() on each worker thread.
+ */
+export async function ensureSigningKey() {
+    const existing = await databases.kb.OAuthSigningKey.get(KEY_ID);
+    if (existing && existing.publicKeyJwk && existing.privateKeyJwk) {
+        cachedPublicKeyJwk = toJwk(existing.publicKeyJwk);
+        cachedPrivateKey = (await importJWK(toJwk(existing.privateKeyJwk), 'RS256'));
+        logger?.info?.('OAuth signing key loaded from database');
+        return;
+    }
+    // Generate a new RSA key pair
+    const { publicKey, privateKey } = await generateKeyPair('RS256', {
+        extractable: true,
+    });
+    const pubJwk = await exportJWK(publicKey);
+    const privJwk = await exportJWK(privateKey);
+    pubJwk.kid = KEY_ID;
+    pubJwk.use = 'sig';
+    pubJwk.alg = 'RS256';
+    try {
+        await databases.kb.OAuthSigningKey.put({
+            id: KEY_ID,
+            publicKeyJwk: JSON.stringify(pubJwk),
+            privateKeyJwk: JSON.stringify(privJwk),
+            algorithm: 'RS256',
+        });
+    }
+    catch {
+        // Another worker may have created the key concurrently — reload
+        const reloaded = await databases.kb.OAuthSigningKey.get(KEY_ID);
+        if (reloaded && reloaded.publicKeyJwk && reloaded.privateKeyJwk) {
+            cachedPublicKeyJwk = toJwk(reloaded.publicKeyJwk);
+            cachedPrivateKey = (await importJWK(toJwk(reloaded.privateKeyJwk), 'RS256'));
+            logger?.info?.('OAuth signing key loaded after concurrent creation');
+            return;
+        }
+        throw new Error('Failed to create or load OAuth signing key');
+    }
+    cachedPrivateKey = privateKey;
+    cachedPublicKeyJwk = pubJwk;
+    logger?.info?.('OAuth signing key generated and stored');
+}
+/**
+ * Get the private key for signing JWTs.
+ * Lazily initializes if not yet loaded.
+ */
+export async function getPrivateKey() {
+    if (!cachedPrivateKey) {
+        await ensureSigningKey();
+    }
+    return cachedPrivateKey;
+}
+/**
+ * Get the public key JWK for token verification and JWKS endpoint.
+ * Lazily initializes if not yet loaded.
+ */
+export async function getPublicKeyJwk() {
+    if (!cachedPublicKeyJwk) {
+        await ensureSigningKey();
+    }
+    return cachedPublicKeyJwk;
+}
+/**
+ * Get the key ID for the JWT header.
+ */
+export function getKeyId() {
+    return KEY_ID;
+}
+/**
+ * Get the JWKS response body for the /oauth/jwks endpoint.
+ */
+export async function getJwks() {
+    return { keys: [await getPublicKeyJwk()] };
+}
+/**
+ * Normalize a value from Harper's table into a JWK object.
+ * Harper's `Any` column type may return the JWK as a string or wrapped object.
+ */
+function toJwk(value) {
+    if (typeof value === 'string') {
+        return JSON.parse(value);
+    }
+    if (value && typeof value === 'object') {
+        return value;
+    }
+    throw new Error(`Cannot convert ${typeof value} to JWK`);
+}
+//# sourceMappingURL=keys.js.map

package/dist/oauth/keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.js","sourceRoot":"","sources":["../../src/oauth/keys.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,SAAS,EAAY,MAAM,MAAM,CAAC;AAEvE,MAAM,MAAM,GAAG,SAAS,CAAC;AAEzB,IAAI,gBAAgB,GAAqB,IAAI,CAAC;AAC9C,IAAI,kBAAkB,GAAe,IAAI,CAAC;AAE1C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACrC,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAEhE,IAAI,QAAQ,IAAI,QAAQ,CAAC,YAAY,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;QACjE,kBAAkB,GAAG,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QAClD,gBAAgB,GAAG,CAAC,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC,CAAc,CAAC;QAC1F,MAAM,EAAE,IAAI,EAAE,CAAC,wCAAwC,CAAC,CAAC;QACzD,OAAO;IACR,CAAC;IAED,8BAA8B;IAC9B,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE;QAChE,WAAW,EAAE,IAAI;KACjB,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,UAAU,CAAC,CAAC;IAE5C,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC;IACpB,MAAM,CAAC,GAAG,GAAG,KAAK,CAAC;IACnB,MAAM,CAAC,GAAG,GAAG,OAAO,CAAC;IAErB,IAAI,CAAC;QACJ,MAAM,SAAS,CAAC,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC;YACtC,EAAE,EAAE,MAAM;YACV,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;YACpC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;YACtC,SAAS,EAAE,OAAO;SAClB,CAAC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACR,gEAAgE;QAChE,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,EAAE,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAChE,IAAI,QAAQ,IAAI,QAAQ,CAAC,YAAY,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;YACjE,kBAAkB,GAAG,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YAClD,gBAAgB,GAAG,CAAC,MAAM,SAAS,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC,CAAc,CAAC;YAC1F,MAAM,EAAE,IAAI,EAAE,CAAC,oDAAoD,CAAC,CAAC;YACrE,OAAO;QACR,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAC/D,CAAC;IAED,gBAAgB,GAAG,UAAU,CAAC;IAC9B,kBAAkB,GAAG,MAAM,CAAC;IAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,wCAAwC,CAAC,CAAC;AAC1D,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IAClC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACvB,MAAM,gBAAgB,EAAE,CAAC;IAC1B,CAAC;IACD,OAAO,gBAAiB,CAAC;AAC1B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACpC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACzB,MAAM,gBAAgB,EAAE,CAAC;IAC1B,CAAC;IACD,OAAO,kBAAmB,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,QAAQ;IACvB,OAAO,MAAM,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO;IAC5B,OAAO,EAAE,IAAI,EAAE,CAAC,MAAM,eAAe,EAAE,CAAC,EAAE,CAAC;AAC5C,CAAC;AAED;;;GAGG;AACH,SAAS,KAAK,CAAC,KAAc;IAC5B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAQ,CAAC;IACjC,CAAC;IACD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,KAAY,CAAC;IACrB,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,kBAAkB,OAAO,KAAK,SAAS,CAAC,CAAC;AAC1D,CAAC"}

package/dist/oauth/metadata.d.ts

@@ -0,0 +1,23 @@
+/**
+ * OAuth Metadata Endpoints
+ *
+ * Serves RFC 9728 Protected Resource Metadata and RFC 8414 Authorization
+ * Server Metadata at their well-known URLs.
+ */
+import type { HarperRequest } from '../types.ts';
+/**
+ * Handle GET /.well-known/oauth-protected-resource/<kbId>
+ *
+ * RFC 9728 — tells MCP clients where to find the authorization server
+ * and what scopes are supported. Each KB has its own protected resource
+ * metadata so the resource URL is scoped to that KB.
+ */
+export declare function handleProtectedResourceMetadata(request: HarperRequest, kbId: string): Response;
+/**
+ * Handle GET /.well-known/oauth-authorization-server
+ *
+ * RFC 8414 — describes the authorization server's capabilities,
+ * endpoints, and supported grant types.
+ */
+export declare function handleAuthServerMetadata(request: HarperRequest): Response;
+//# sourceMappingURL=metadata.d.ts.map

package/dist/oauth/metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.d.ts","sourceRoot":"","sources":["../../src/oauth/metadata.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAKjD;;;;;;GAMG;AACH,wBAAgB,+BAA+B,CAAC,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,GAAG,QAAQ,CAU9F;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,aAAa,GAAG,QAAQ,CAgBzE"}

package/dist/oauth/metadata.js

@@ -0,0 +1,57 @@
+/**
+ * OAuth Metadata Endpoints
+ *
+ * Serves RFC 9728 Protected Resource Metadata and RFC 8414 Authorization
+ * Server Metadata at their well-known URLs.
+ */
+import { getBaseUrl } from "../http-utils.js";
+const SCOPES = ['mcp:read', 'mcp:write'];
+/**
+ * Handle GET /.well-known/oauth-protected-resource/<kbId>
+ *
+ * RFC 9728 — tells MCP clients where to find the authorization server
+ * and what scopes are supported. Each KB has its own protected resource
+ * metadata so the resource URL is scoped to that KB.
+ */
+export function handleProtectedResourceMetadata(request, kbId) {
+    const baseUrl = getBaseUrl(request);
+    return jsonResponse(200, {
+        resource: `${baseUrl}/mcp/${kbId}`,
+        authorization_servers: [baseUrl],
+        scopes_supported: SCOPES,
+        bearer_methods_supported: ['header'],
+        resource_name: 'Knowledge Base MCP Server',
+    });
+}
+/**
+ * Handle GET /.well-known/oauth-authorization-server
+ *
+ * RFC 8414 — describes the authorization server's capabilities,
+ * endpoints, and supported grant types.
+ */
+export function handleAuthServerMetadata(request) {
+    const baseUrl = getBaseUrl(request);
+    return jsonResponse(200, {
+        issuer: baseUrl,
+        authorization_endpoint: `${baseUrl}/mcp-auth/authorize`,
+        token_endpoint: `${baseUrl}/mcp-auth/token`,
+        registration_endpoint: `${baseUrl}/mcp-auth/register`,
+        jwks_uri: `${baseUrl}/mcp-auth/jwks`,
+        scopes_supported: SCOPES,
+        response_types_supported: ['code'],
+        grant_types_supported: ['authorization_code', 'refresh_token'],
+        token_endpoint_auth_methods_supported: ['none'],
+        code_challenge_methods_supported: ['S256'],
+        service_documentation: `${baseUrl}/`,
+    });
+}
+function jsonResponse(status, body) {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: {
+            'Content-Type': 'application/json',
+            'Cache-Control': 'public, max-age=3600',
+        },
+    });
+}
+//# sourceMappingURL=metadata.js.map

package/dist/oauth/metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.js","sourceRoot":"","sources":["../../src/oauth/metadata.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAE9C,MAAM,MAAM,GAAG,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;AAEzC;;;;;;GAMG;AACH,MAAM,UAAU,+BAA+B,CAAC,OAAsB,EAAE,IAAY;IACnF,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAEpC,OAAO,YAAY,CAAC,GAAG,EAAE;QACxB,QAAQ,EAAE,GAAG,OAAO,QAAQ,IAAI,EAAE;QAClC,qBAAqB,EAAE,CAAC,OAAO,CAAC;QAChC,gBAAgB,EAAE,MAAM;QACxB,wBAAwB,EAAE,CAAC,QAAQ,CAAC;QACpC,aAAa,EAAE,2BAA2B;KAC1C,CAAC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB,CAAC,OAAsB;IAC9D,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAEpC,OAAO,YAAY,CAAC,GAAG,EAAE;QACxB,MAAM,EAAE,OAAO;QACf,sBAAsB,EAAE,GAAG,OAAO,qBAAqB;QACvD,cAAc,EAAE,GAAG,OAAO,iBAAiB;QAC3C,qBAAqB,EAAE,GAAG,OAAO,oBAAoB;QACrD,QAAQ,EAAE,GAAG,OAAO,gBAAgB;QACpC,gBAAgB,EAAE,MAAM;QACxB,wBAAwB,EAAE,CAAC,MAAM,CAAC;QAClC,qBAAqB,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;QAC9D,qCAAqC,EAAE,CAAC,MAAM,CAAC;QAC/C,gCAAgC,EAAE,CAAC,MAAM,CAAC;QAC1C,qBAAqB,EAAE,GAAG,OAAO,GAAG;KACpC,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,MAAc,EAAE,IAA6B;IAClE,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;QACzC,MAAM;QACN,OAAO,EAAE;YACR,cAAc,EAAE,kBAAkB;YAClC,eAAe,EAAE,sBAAsB;SACvC;KACD,CAAC,CAAC;AACJ,CAAC"}

package/dist/oauth/middleware.d.ts

@@ -0,0 +1,23 @@
+/**
+ * OAuth Middleware
+ *
+ * Route dispatcher for all OAuth endpoints. Registered via
+ * scope.server.http() before the MCP and webhook middlewares.
+ *
+ * Routes (MCP OAuth 2.1 — separate from @harperfast/oauth's /oauth/* Resource):
+ *   GET  /.well-known/oauth-protected-resource/<kbId>  → per-KB resource metadata
+ *   GET  /.well-known/oauth-authorization-server       → auth server metadata
+ *   POST /mcp-auth/register                            → DCR
+ *   GET  /mcp-auth/authorize                           → login page
+ *   POST /mcp-auth/authorize                           → credential validation + redirect
+ *   POST /mcp-auth/token                               → code exchange / refresh
+ *   GET  /mcp-auth/jwks                                → public key set
+ */
+import type { HarperRequest } from '../types.ts';
+type MiddlewareFn = (request: HarperRequest, next: (req: HarperRequest) => Promise<unknown>) => Promise<unknown>;
+/**
+ * Create the OAuth middleware for Harper's scope.server.http().
+ */
+export declare function createOAuthMiddleware(): MiddlewareFn;
+export {};
+//# sourceMappingURL=middleware.d.ts.map

package/dist/oauth/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/oauth/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAOH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEjD,KAAK,YAAY,GAAG,CAAC,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,GAAG,EAAE,aAAa,KAAK,OAAO,CAAC,OAAO,CAAC,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;AAEjH;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,YAAY,CA2CpD"}

package/dist/oauth/middleware.js

@@ -0,0 +1,65 @@
+/**
+ * OAuth Middleware
+ *
+ * Route dispatcher for all OAuth endpoints. Registered via
+ * scope.server.http() before the MCP and webhook middlewares.
+ *
+ * Routes (MCP OAuth 2.1 — separate from @harperfast/oauth's /oauth/* Resource):
+ *   GET  /.well-known/oauth-protected-resource/<kbId>  → per-KB resource metadata
+ *   GET  /.well-known/oauth-authorization-server       → auth server metadata
+ *   POST /mcp-auth/register                            → DCR
+ *   GET  /mcp-auth/authorize                           → login page
+ *   POST /mcp-auth/authorize                           → credential validation + redirect
+ *   POST /mcp-auth/token                               → code exchange / refresh
+ *   GET  /mcp-auth/jwks                                → public key set
+ */
+import { handleProtectedResourceMetadata, handleAuthServerMetadata } from "./metadata.js";
+import { handleRegister } from "./register.js";
+import { handleAuthorizeGet, handleAuthorizePost } from "./authorize.js";
+import { handleToken } from "./token.js";
+import { getJwks } from "./keys.js";
+/**
+ * Create the OAuth middleware for Harper's scope.server.http().
+ */
+export function createOAuthMiddleware() {
+    return async (request, next) => {
+        const pathname = request.pathname || '';
+        const method = (request.method || 'GET').toUpperCase();
+        // Well-known metadata endpoints — protected resource metadata is per-KB
+        const prMatch = pathname.match(/^\/\.well-known\/oauth-protected-resource\/([^/]+)$/);
+        if (prMatch && method === 'GET') {
+            return handleProtectedResourceMetadata(request, prMatch[1]);
+        }
+        if (pathname === '/.well-known/oauth-authorization-server' && method === 'GET') {
+            return handleAuthServerMetadata(request);
+        }
+        // MCP OAuth endpoints (under /mcp-auth/ to avoid conflict with
+        // @harperfast/oauth's OAuthResource which owns the /oauth/* path)
+        if (pathname === '/mcp-auth/register' && method === 'POST') {
+            return handleRegister(request);
+        }
+        if (pathname === '/mcp-auth/authorize') {
+            if (method === 'GET') {
+                return handleAuthorizeGet(request);
+            }
+            if (method === 'POST') {
+                return handleAuthorizePost(request);
+            }
+        }
+        if (pathname === '/mcp-auth/token' && method === 'POST') {
+            return handleToken(request);
+        }
+        if (pathname === '/mcp-auth/jwks' && method === 'GET') {
+            return new Response(JSON.stringify(await getJwks()), {
+                status: 200,
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Cache-Control': 'public, max-age=3600',
+                },
+            });
+        }
+        // Not a handled route — pass through
+        return next(request);
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/oauth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/oauth/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,+BAA+B,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AAC1F,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACzE,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAKpC;;GAEG;AACH,MAAM,UAAU,qBAAqB;IACpC,OAAO,KAAK,EAAE,OAAsB,EAAE,IAA8C,EAAoB,EAAE;QACzG,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;QACxC,MAAM,MAAM,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QAEvD,wEAAwE;QACxE,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACtF,IAAI,OAAO,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YACjC,OAAO,+BAA+B,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,QAAQ,KAAK,yCAAyC,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAChF,OAAO,wBAAwB,CAAC,OAAO,CAAC,CAAC;QAC1C,CAAC;QAED,+DAA+D;QAC/D,kEAAkE;QAClE,IAAI,QAAQ,KAAK,oBAAoB,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC5D,OAAO,cAAc,CAAC,OAAO,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,QAAQ,KAAK,qBAAqB,EAAE,CAAC;YACxC,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBACtB,OAAO,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACpC,CAAC;YACD,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACvB,OAAO,mBAAmB,CAAC,OAAO,CAAC,CAAC;YACrC,CAAC;QACF,CAAC;QACD,IAAI,QAAQ,KAAK,iBAAiB,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACzD,OAAO,WAAW,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QACD,IAAI,QAAQ,KAAK,gBAAgB,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YACvD,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,OAAO,EAAE,CAAC,EAAE;gBACpD,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE;oBACR,cAAc,EAAE,kBAAkB;oBAClC,eAAe,EAAE,sBAAsB;iBACvC;aACD,CAAC,CAAC;QACJ,CAAC;QAED,qCAAqC;QACrC,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC;IACtB,CAAC,CAAC;AACH,CAAC"}

package/dist/oauth/register.d.ts

@@ -0,0 +1,15 @@
+/**
+ * OAuth Dynamic Client Registration (RFC 7591)
+ *
+ * POST /oauth/register — allows MCP clients to register themselves
+ * and receive a client_id for the authorization flow.
+ */
+import type { HarperRequest } from '../types.ts';
+/**
+ * Handle POST /oauth/register
+ *
+ * Accepts a registration request and stores the client in OAuthClient table.
+ * Public clients (no client_secret) are the default — PKCE provides security.
+ */
+export declare function handleRegister(request: HarperRequest): Promise<Response>;
+//# sourceMappingURL=register.d.ts.map

package/dist/oauth/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../src/oauth/register.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAGjD;;;;;GAKG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,QAAQ,CAAC,CAiE9E"}

package/dist/oauth/register.js

@@ -0,0 +1,78 @@
+/**
+ * OAuth Dynamic Client Registration (RFC 7591)
+ *
+ * POST /oauth/register — allows MCP clients to register themselves
+ * and receive a client_id for the authorization flow.
+ */
+import crypto from 'node:crypto';
+import { readBody } from "../http-utils.js";
+/**
+ * Handle POST /oauth/register
+ *
+ * Accepts a registration request and stores the client in OAuthClient table.
+ * Public clients (no client_secret) are the default — PKCE provides security.
+ */
+export async function handleRegister(request) {
+    let body;
+    try {
+        const raw = await readBody(request);
+        body = JSON.parse(raw);
+    }
+    catch {
+        return errorResponse(400, 'invalid_client_metadata', 'Invalid JSON body');
+    }
+    // Validate redirect_uris (required)
+    const redirectUris = body.redirect_uris;
+    if (!Array.isArray(redirectUris) || redirectUris.length === 0) {
+        return errorResponse(400, 'invalid_redirect_uri', 'redirect_uris is required and must be a non-empty array');
+    }
+    // Validate each redirect URI: only localhost or https allowed
+    for (const uri of redirectUris) {
+        if (typeof uri !== 'string') {
+            return errorResponse(400, 'invalid_redirect_uri', 'Each redirect_uri must be a string');
+        }
+        try {
+            const parsed = new URL(uri);
+            const isLocalhost = parsed.hostname === 'localhost' || parsed.hostname === '127.0.0.1' || parsed.hostname === '::1';
+            const isHttps = parsed.protocol === 'https:';
+            if (!isLocalhost && !isHttps) {
+                return errorResponse(400, 'invalid_redirect_uri', `redirect_uri must use https:// or be localhost: ${uri}`);
+            }
+        }
+        catch {
+            return errorResponse(400, 'invalid_redirect_uri', `Invalid redirect_uri: ${uri}`);
+        }
+    }
+    const clientId = crypto.randomUUID();
+    const clientName = typeof body.client_name === 'string' ? body.client_name : 'Unknown Client';
+    const grantTypes = Array.isArray(body.grant_types) ? body.grant_types : ['authorization_code'];
+    const responseTypes = Array.isArray(body.response_types) ? body.response_types : ['code'];
+    const record = {
+        id: clientId,
+        clientName,
+        redirectUris,
+        grantTypes,
+        responseTypes,
+        scope: typeof body.scope === 'string' ? body.scope : 'mcp:read mcp:write',
+    };
+    await databases.kb.OAuthClient.put(record);
+    logger?.info?.(`OAuth client registered: ${clientId} (${clientName})`);
+    return new Response(JSON.stringify({
+        client_id: clientId,
+        client_name: clientName,
+        redirect_uris: redirectUris,
+        grant_types: grantTypes,
+        response_types: responseTypes,
+        client_id_issued_at: Math.floor(Date.now() / 1000),
+    }), {
+        status: 201,
+        headers: { 'Content-Type': 'application/json' },
+    });
+}
+function errorResponse(status, error, description) {
+    return new Response(JSON.stringify({ error, error_description: description }), {
+        status,
+        headers: { 'Content-Type': 'application/json' },
+    });
+}
+//# sourceMappingURL=register.js.map

package/dist/oauth/register.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.js","sourceRoot":"","sources":["../../src/oauth/register.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAAsB;IAC1D,IAAI,IAA6B,CAAC;IAClC,IAAI,CAAC;QACJ,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,CAAC;QACpC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,aAAa,CAAC,GAAG,EAAE,yBAAyB,EAAE,mBAAmB,CAAC,CAAC;IAC3E,CAAC;IAED,oCAAoC;IACpC,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACxC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/D,OAAO,aAAa,CAAC,GAAG,EAAE,sBAAsB,EAAE,yDAAyD,CAAC,CAAC;IAC9G,CAAC;IAED,8DAA8D;IAC9D,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAChC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC7B,OAAO,aAAa,CAAC,GAAG,EAAE,sBAAsB,EAAE,oCAAoC,CAAC,CAAC;QACzF,CAAC;QACD,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC5B,MAAM,WAAW,GAChB,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,KAAK,KAAK,CAAC;YACjG,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC;YAC7C,IAAI,CAAC,WAAW,IAAI,CAAC,OAAO,EAAE,CAAC;gBAC9B,OAAO,aAAa,CAAC,GAAG,EAAE,sBAAsB,EAAE,mDAAmD,GAAG,EAAE,CAAC,CAAC;YAC7G,CAAC;QACF,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,aAAa,CAAC,GAAG,EAAE,sBAAsB,EAAE,yBAAyB,GAAG,EAAE,CAAC,CAAC;QACnF,CAAC;IACF,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACrC,MAAM,UAAU,GAAG,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,gBAAgB,CAAC;IAC9F,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAC/F,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAE1F,MAAM,MAAM,GAAG;QACd,EAAE,EAAE,QAAQ;QACZ,UAAU;QACV,YAAY;QACZ,UAAU;QACV,aAAa;QACb,KAAK,EAAE,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,oBAAoB;KACzE,CAAC;IAEF,MAAM,SAAS,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,MAA4C,CAAC,CAAC;IAEjF,MAAM,EAAE,IAAI,EAAE,CAAC,4BAA4B,QAAQ,KAAK,UAAU,GAAG,CAAC,CAAC;IAEvE,OAAO,IAAI,QAAQ,CAClB,IAAI,CAAC,SAAS,CAAC;QACd,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,UAAU;QACvB,aAAa,EAAE,YAAY;QAC3B,WAAW,EAAE,UAAU;QACvB,cAAc,EAAE,aAAa;QAC7B,mBAAmB,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;KAClD,CAAC,EACF;QACC,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAC/C,CACD,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,MAAc,EAAE,KAAa,EAAE,WAAmB;IACxE,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,WAAW,EAAE,CAAC,EAAE;QAC9E,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAC/C,CAAC,CAAC;AACJ,CAAC"}

package/dist/oauth/token.d.ts

@@ -0,0 +1,16 @@
+/**
+ * OAuth Token Endpoint
+ *
+ * POST /oauth/token — exchanges authorization codes for JWT access tokens
+ * and handles refresh token grants.
+ *
+ * Supports:
+ * - grant_type=authorization_code (with PKCE verification)
+ * - grant_type=refresh_token (with token rotation)
+ */
+import type { HarperRequest } from '../types.ts';
+/**
+ * Handle POST /oauth/token
+ */
+export declare function handleToken(request: HarperRequest): Promise<Response>;
+//# sourceMappingURL=token.d.ts.map

package/dist/oauth/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/oauth/token.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAOjD;;GAEG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,QAAQ,CAAC,CA8B3E"}

package/dist/oauth/token.js

@@ -0,0 +1,184 @@
+/**
+ * OAuth Token Endpoint
+ *
+ * POST /oauth/token — exchanges authorization codes for JWT access tokens
+ * and handles refresh token grants.
+ *
+ * Supports:
+ * - grant_type=authorization_code (with PKCE verification)
+ * - grant_type=refresh_token (with token rotation)
+ */
+import crypto from 'node:crypto';
+import { SignJWT } from 'jose';
+import { readBody, parseFormBody, getBaseUrl } from "../http-utils.js";
+import { getPrivateKey, getKeyId } from "./keys.js";
+/** Access token lifetime: 1 hour */
+const ACCESS_TOKEN_EXPIRY = '1h';
+/**
+ * Handle POST /oauth/token
+ */
+export async function handleToken(request) {
+    let form;
+    try {
+        const rawBody = await readBody(request);
+        // Accept both form-urlencoded and JSON
+        const contentType = getContentType(request);
+        if (contentType.includes('json')) {
+            const json = JSON.parse(rawBody);
+            form = {};
+            for (const [k, v] of Object.entries(json)) {
+                form[k] = String(v);
+            }
+        }
+        else {
+            form = parseFormBody(rawBody);
+        }
+    }
+    catch {
+        return errorResponse(400, 'invalid_request', 'Invalid request body');
+    }
+    const grantType = form.grant_type;
+    if (grantType === 'authorization_code') {
+        return handleAuthorizationCodeGrant(form, request);
+    }
+    if (grantType === 'refresh_token') {
+        return handleRefreshTokenGrant(form, request);
+    }
+    return errorResponse(400, 'unsupported_grant_type', 'Unsupported grant_type');
+}
+/**
+ * Exchange an authorization code for tokens.
+ */
+async function handleAuthorizationCodeGrant(form, request) {
+    const code = form.code;
+    const redirectUri = form.redirect_uri;
+    const clientId = form.client_id;
+    const codeVerifier = form.code_verifier;
+    if (!code || !redirectUri || !clientId || !codeVerifier) {
+        return errorResponse(400, 'invalid_request', 'Missing required parameters: code, redirect_uri, client_id, code_verifier');
+    }
+    // Look up the authorization code
+    const codeRecord = await databases.kb.OAuthCode.get(code);
+    if (!codeRecord) {
+        return errorResponse(400, 'invalid_grant', 'Invalid or expired authorization code');
+    }
+    // Delete immediately — one-time use enforced before validation to prevent
+    // race conditions where two concurrent requests both read the same code
+    await databases.kb.OAuthCode.delete(code);
+    // Reject pending records (used during GitHub OAuth flow, not real auth codes)
+    if (codeRecord.type === 'pending') {
+        return errorResponse(400, 'invalid_grant', 'Invalid or expired authorization code');
+    }
+    // Validate client_id and redirect_uri match
+    if (codeRecord.clientId !== clientId) {
+        return errorResponse(400, 'invalid_grant', 'client_id does not match the authorization code');
+    }
+    if (codeRecord.redirectUri !== redirectUri) {
+        return errorResponse(400, 'invalid_grant', 'redirect_uri does not match the authorization code');
+    }
+    // PKCE verification: SHA256(code_verifier) must equal stored code_challenge
+    // Uses timing-safe comparison to prevent side-channel attacks
+    const expectedChallenge = base64urlEncode(crypto.createHash('sha256').update(codeVerifier).digest());
+    const storedChallenge = String(codeRecord.codeChallenge);
+    const expectedBuf = Buffer.from(expectedChallenge);
+    const storedBuf = Buffer.from(storedChallenge);
+    if (expectedBuf.length !== storedBuf.length || !crypto.timingSafeEqual(expectedBuf, storedBuf)) {
+        return errorResponse(400, 'invalid_grant', 'PKCE code_verifier validation failed');
+    }
+    // Issue tokens
+    const userId = codeRecord.userId;
+    const scope = codeRecord.scope;
+    const resource = codeRecord.resource || '';
+    return issueTokens(userId, clientId, scope, resource, request);
+}
+/**
+ * Exchange a refresh token for new tokens (with rotation).
+ */
+async function handleRefreshTokenGrant(form, request) {
+    const refreshToken = form.refresh_token;
+    const clientId = form.client_id;
+    if (!refreshToken || !clientId) {
+        return errorResponse(400, 'invalid_request', 'Missing required parameters: refresh_token, client_id');
+    }
+    // Look up the refresh token
+    const tokenRecord = await databases.kb.OAuthRefreshToken.get(refreshToken);
+    if (!tokenRecord) {
+        return errorResponse(400, 'invalid_grant', 'Invalid or expired refresh token');
+    }
+    if (tokenRecord.clientId !== clientId) {
+        return errorResponse(400, 'invalid_grant', 'client_id does not match the refresh token');
+    }
+    // Delete old refresh token (rotation)
+    await databases.kb.OAuthRefreshToken.delete(refreshToken);
+    const userId = tokenRecord.userId;
+    const scope = tokenRecord.scope;
+    const resource = tokenRecord.resource || '';
+    return issueTokens(userId, clientId, scope, resource, request);
+}
+/**
+ * Issue a JWT access token and an opaque refresh token.
+ */
+async function issueTokens(userId, clientId, scope, resource, request) {
+    const baseUrl = getBaseUrl(request);
+    // Use the resource URL as the audience when available (KB-scoped token),
+    // otherwise fall back to the base MCP path
+    const audience = resource || `${baseUrl}/mcp`;
+    // Sign JWT access token
+    const accessToken = await new SignJWT({
+        scope,
+        client_id: clientId,
+    })
+        .setProtectedHeader({ alg: 'RS256', kid: getKeyId() })
+        .setSubject(userId)
+        .setIssuer(baseUrl)
+        .setAudience(audience)
+        .setExpirationTime(ACCESS_TOKEN_EXPIRY)
+        .setIssuedAt()
+        .setJti(crypto.randomUUID())
+        .sign(await getPrivateKey());
+    // Generate opaque refresh token (carries resource for refresh grant)
+    const refreshToken = crypto.randomBytes(32).toString('hex');
+    await databases.kb.OAuthRefreshToken.put({
+        id: refreshToken,
+        clientId,
+        userId,
+        scope,
+        resource,
+    });
+    logger?.info?.(`OAuth tokens issued for user ${userId}, client ${clientId}`);
+    return new Response(JSON.stringify({
+        access_token: accessToken,
+        token_type: 'Bearer',
+        expires_in: 3600,
+        refresh_token: refreshToken,
+        scope,
+    }), {
+        status: 200,
+        headers: {
+            'Content-Type': 'application/json',
+            'Cache-Control': 'no-store',
+        },
+    });
+}
+function base64urlEncode(buffer) {
+    return buffer.toString('base64url');
+}
+function getContentType(request) {
+    const headers = request.headers;
+    if (!headers)
+        return '';
+    if (typeof headers.get === 'function') {
+        return headers.get('content-type') || '';
+    }
+    return (headers['content-type'] || '');
+}
+function errorResponse(status, error, description) {
+    return new Response(JSON.stringify({ error, error_description: description }), {
+        status,
+        headers: {
+            'Content-Type': 'application/json',
+            'Cache-Control': 'no-store',
+        },
+    });
+}
+//# sourceMappingURL=token.js.map

package/dist/oauth/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/oauth/token.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAE/B,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAEpD,oCAAoC;AACpC,MAAM,mBAAmB,GAAG,IAAI,CAAC;AAEjC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAsB;IACvD,IAAI,IAA4B,CAAC;IACjC,IAAI,CAAC;QACJ,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,CAAC;QACxC,uCAAuC;QACvC,MAAM,WAAW,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACjC,IAAI,GAAG,EAAE,CAAC;YACV,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC3C,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YACrB,CAAC;QACF,CAAC;aAAM,CAAC;YACP,IAAI,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QAC/B,CAAC;IACF,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,aAAa,CAAC,GAAG,EAAE,iBAAiB,EAAE,sBAAsB,CAAC,CAAC;IACtE,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAElC,IAAI,SAAS,KAAK,oBAAoB,EAAE,CAAC;QACxC,OAAO,4BAA4B,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,SAAS,KAAK,eAAe,EAAE,CAAC;QACnC,OAAO,uBAAuB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAED,OAAO,aAAa,CAAC,GAAG,EAAE,wBAAwB,EAAE,wBAAwB,CAAC,CAAC;AAC/E,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,4BAA4B,CAAC,IAA4B,EAAE,OAAsB;IAC/F,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IACvB,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;IAChC,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IAExC,IAAI,CAAC,IAAI,IAAI,CAAC,WAAW,IAAI,CAAC,QAAQ,IAAI,CAAC,YAAY,EAAE,CAAC;QACzD,OAAO,aAAa,CACnB,GAAG,EACH,iBAAiB,EACjB,2EAA2E,CAC3E,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,CAAC,UAAU,EAAE,CAAC;QACjB,OAAO,aAAa,CAAC,GAAG,EAAE,eAAe,EAAE,uCAAuC,CAAC,CAAC;IACrF,CAAC;IAED,0EAA0E;IAC1E,wEAAwE;IACxE,MAAM,SAAS,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAE1C,8EAA8E;IAC9E,IAAK,UAAsC,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChE,OAAO,aAAa,CAAC,GAAG,EAAE,eAAe,EAAE,uCAAuC,CAAC,CAAC;IACrF,CAAC;IAED,4CAA4C;IAC5C,IAAI,UAAU,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACtC,OAAO,aAAa,CAAC,GAAG,EAAE,eAAe,EAAE,iDAAiD,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,UAAU,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;QAC5C,OAAO,aAAa,CAAC,GAAG,EAAE,eAAe,EAAE,oDAAoD,CAAC,CAAC;IAClG,CAAC;IAED,4EAA4E;IAC5E,8DAA8D;IAC9D,MAAM,iBAAiB,GAAG,eAAe,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IACrG,MAAM,eAAe,GAAG,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;IACzD,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACnD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAE/C,IAAI,WAAW,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,SAAS,CAAC,EAAE,CAAC;QAChG,OAAO,aAAa,CAAC,GAAG,EAAE,eAAe,EAAE,sCAAsC,CAAC,CAAC;IACpF,CAAC;IAED,eAAe;IACf,MAAM,MAAM,GAAG,UAAU,CAAC,MAAgB,CAAC;IAC3C,MAAM,KAAK,GAAG,UAAU,CAAC,KAAe,CAAC;IACzC,MAAM,QAAQ,GAAI,UAAU,CAAC,QAAmB,IAAI,EAAE,CAAC;IAEvD,OAAO,WAAW,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,uBAAuB,CAAC,IAA4B,EAAE,OAAsB;IAC1F,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC;IAEhC,IAAI,CAAC,YAAY,IAAI,CAAC,QAAQ,EAAE,CAAC;QAChC,OAAO,aAAa,CAAC,GAAG,EAAE,iBAAiB,EAAE,uDAAuD,CAAC,CAAC;IACvG,CAAC;IAED,4BAA4B;IAC5B,MAAM,WAAW,GAAG,MAAM,SAAS,CAAC,EAAE,CAAC,iBAAiB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAC3E,IAAI,CAAC,WAAW,EAAE,CAAC;QAClB,OAAO,aAAa,CAAC,GAAG,EAAE,eAAe,EAAE,kCAAkC,CAAC,CAAC;IAChF,CAAC;IAED,IAAI,WAAW,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACvC,OAAO,aAAa,CAAC,GAAG,EAAE,eAAe,EAAE,4CAA4C,CAAC,CAAC;IAC1F,CAAC;IAED,sCAAsC;IACtC,MAAM,SAAS,CAAC,EAAE,CAAC,iBAAiB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAE1D,MAAM,MAAM,GAAG,WAAW,CAAC,MAAgB,CAAC;IAC5C,MAAM,KAAK,GAAG,WAAW,CAAC,KAAe,CAAC;IAC1C,MAAM,QAAQ,GAAI,WAAW,CAAC,QAAmB,IAAI,EAAE,CAAC;IAExD,OAAO,WAAW,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,WAAW,CACzB,MAAc,EACd,QAAgB,EAChB,KAAa,EACb,QAAgB,EAChB,OAAsB;IAEtB,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAEpC,yEAAyE;IACzE,2CAA2C;IAC3C,MAAM,QAAQ,GAAG,QAAQ,IAAI,GAAG,OAAO,MAAM,CAAC;IAE9C,wBAAwB;IACxB,MAAM,WAAW,GAAG,MAAM,IAAI,OAAO,CAAC;QACrC,KAAK;QACL,SAAS,EAAE,QAAQ;KACnB,CAAC;SACA,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,EAAE,CAAC;SACrD,UAAU,CAAC,MAAM,CAAC;SAClB,SAAS,CAAC,OAAO,CAAC;SAClB,WAAW,CAAC,QAAQ,CAAC;SACrB,iBAAiB,CAAC,mBAAmB,CAAC;SACtC,WAAW,EAAE;SACb,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;SAC3B,IAAI,CAAC,MAAM,aAAa,EAAE,CAAC,CAAC;IAE9B,qEAAqE;IACrE,MAAM,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC5D,MAAM,SAAS,CAAC,EAAE,CAAC,iBAAiB,CAAC,GAAG,CAAC;QACxC,EAAE,EAAE,YAAY;QAChB,QAAQ;QACR,MAAM;QACN,KAAK;QACL,QAAQ;KACR,CAAC,CAAC;IAEH,MAAM,EAAE,IAAI,EAAE,CAAC,gCAAgC,MAAM,YAAY,QAAQ,EAAE,CAAC,CAAC;IAE7E,OAAO,IAAI,QAAQ,CAClB,IAAI,CAAC,SAAS,CAAC;QACd,YAAY,EAAE,WAAW;QACzB,UAAU,EAAE,QAAQ;QACpB,UAAU,EAAE,IAAI;QAChB,aAAa,EAAE,YAAY;QAC3B,KAAK;KACL,CAAC,EACF;QACC,MAAM,EAAE,GAAG;QACX,OAAO,EAAE;YACR,cAAc,EAAE,kBAAkB;YAClC,eAAe,EAAE,UAAU;SAC3B;KACD,CACD,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,MAAc;IACtC,OAAO,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,cAAc,CAAC,OAAsB;IAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAChC,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IACxB,IAAI,OAAQ,OAAe,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;QAChD,OAAQ,OAAe,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IACnD,CAAC;IACD,OAAO,CAAE,OAAe,CAAC,cAAc,CAAC,IAAI,EAAE,CAAW,CAAC;AAC3D,CAAC;AAED,SAAS,aAAa,CAAC,MAAc,EAAE,KAAa,EAAE,WAAmB;IACxE,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,WAAW,EAAE,CAAC,EAAE;QAC9E,MAAM;QACN,OAAO,EAAE;YACR,cAAc,EAAE,kBAAkB;YAClC,eAAe,EAAE,UAAU;SAC3B;KACD,CAAC,CAAC;AACJ,CAAC"}