hazo_auth 6.0.0 → 6.1.1

package/dist/components/otp/OTPRequestForm.js

@@ -0,0 +1,42 @@
+"use client";
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import * as React from "react";
+import { Button } from "../ui/button.js";
+import { Input } from "../ui/input.js";
+import { Label } from "../ui/label.js";
+export function OTPRequestForm({ on_sent, api_base = "/api/hazo_auth", email_label = "Email address", submit_label = "Send code", pending_label = "Sending…", className, }) {
+    const [email, set_email] = React.useState("");
+    const [pending, set_pending] = React.useState(false);
+    const [error, set_error] = React.useState(null);
+    async function on_submit(ev) {
+        var _a;
+        ev.preventDefault();
+        set_error(null);
+        set_pending(true);
+        try {
+            const res = await fetch(`${api_base}/otp/request`, {
+                method: "POST",
+                headers: { "content-type": "application/json" },
+                body: JSON.stringify({ email }),
+            });
+            if (res.status === 429) {
+                const body = (await res.json().catch(() => ({})));
+                const wait = (_a = body.retry_after_seconds) !== null && _a !== void 0 ? _a : 0;
+                set_error(`Too many requests. Try again in ${wait}s.`);
+                return;
+            }
+            if (!res.ok) {
+                set_error("Could not send code. Please check the email address and try again.");
+                return;
+            }
+            on_sent === null || on_sent === void 0 ? void 0 : on_sent(email);
+        }
+        catch (_b) {
+            set_error("Network error. Please try again.");
+        }
+        finally {
+            set_pending(false);
+        }
+    }
+    return (_jsxs("form", { onSubmit: on_submit, className: className, "aria-label": "Request sign-in code", children: [_jsxs("div", { className: "space-y-2", children: [_jsx(Label, { htmlFor: "otp-email", children: email_label }), _jsx(Input, { id: "otp-email", name: "email", type: "email", autoComplete: "email", required: true, value: email, onChange: (e) => set_email(e.target.value), disabled: pending })] }), error && (_jsx("p", { role: "alert", className: "mt-3 text-sm text-destructive", children: error })), _jsx(Button, { type: "submit", disabled: pending || email.length === 0, className: "mt-4 w-full", children: pending ? pending_label : submit_label })] }));
+}

package/dist/components/otp/OTPVerifyForm.d.ts

@@ -0,0 +1,16 @@
+import * as React from "react";
+export interface OTPVerifyFormProps {
+    email: string;
+    on_success?: (auth: {
+        user_id: string;
+        email: string;
+    }) => void;
+    api_base?: string;
+    submit_label?: string;
+    pending_label?: string;
+    resend_label?: string;
+    className?: string;
+    redirect_url?: string;
+}
+export declare function OTPVerifyForm({ email, on_success, api_base, submit_label, pending_label, resend_label, className, redirect_url, }: OTPVerifyFormProps): React.ReactElement;
+//# sourceMappingURL=OTPVerifyForm.d.ts.map

package/dist/components/otp/OTPVerifyForm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OTPVerifyForm.d.ts","sourceRoot":"","sources":["../../../src/components/otp/OTPVerifyForm.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAI/B,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IAChE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,wBAAgB,aAAa,CAAC,EAC5B,KAAK,EACL,UAAU,EACV,QAA2B,EAC3B,YAAuB,EACvB,aAA4B,EAC5B,YAA4B,EAC5B,SAAS,EACT,YAAY,GACb,EAAE,kBAAkB,GAAG,KAAK,CAAC,YAAY,CAoIzC"}

package/dist/components/otp/OTPVerifyForm.js

@@ -0,0 +1,75 @@
+"use client";
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import * as React from "react";
+import { Button } from "../ui/button.js";
+import { InputOTP, InputOTPGroup, InputOTPSlot } from "../ui/input-otp.js";
+export function OTPVerifyForm({ email, on_success, api_base = "/api/hazo_auth", submit_label = "Verify", pending_label = "Verifying…", resend_label = "Resend code", className, redirect_url, }) {
+    const [code, set_code] = React.useState("");
+    const [pending, set_pending] = React.useState(false);
+    const [error, set_error] = React.useState(null);
+    const [resend_state, set_resend_state] = React.useState("idle");
+    const [resend_wait, set_resend_wait] = React.useState(0);
+    async function on_submit(ev) {
+        ev.preventDefault();
+        if (code.length !== 6)
+            return;
+        set_error(null);
+        set_pending(true);
+        try {
+            const res = await fetch(`${api_base}/otp/verify`, {
+                method: "POST",
+                headers: { "content-type": "application/json" },
+                body: JSON.stringify({ email, code }),
+            });
+            if (!res.ok) {
+                set_error("Invalid or expired code.");
+                return;
+            }
+            const body = (await res.json());
+            if (body.ok) {
+                on_success === null || on_success === void 0 ? void 0 : on_success({ user_id: body.user_id, email: body.email });
+                if (redirect_url) {
+                    window.location.href = redirect_url;
+                }
+            }
+            else {
+                set_error("Invalid or expired code.");
+            }
+        }
+        catch (_a) {
+            set_error("Network error. Please try again.");
+        }
+        finally {
+            set_pending(false);
+        }
+    }
+    async function on_resend() {
+        var _a;
+        set_resend_state("sending");
+        set_error(null);
+        try {
+            const res = await fetch(`${api_base}/otp/request`, {
+                method: "POST",
+                headers: { "content-type": "application/json" },
+                body: JSON.stringify({ email }),
+            });
+            if (res.status === 429) {
+                const body = (await res.json().catch(() => ({})));
+                set_resend_state("rate_limited");
+                set_resend_wait((_a = body.retry_after_seconds) !== null && _a !== void 0 ? _a : 0);
+                return;
+            }
+            if (!res.ok) {
+                set_error("Could not resend code.");
+                set_resend_state("idle");
+                return;
+            }
+            set_resend_state("sent");
+        }
+        catch (_b) {
+            set_error("Network error.");
+            set_resend_state("idle");
+        }
+    }
+    return (_jsxs("form", { onSubmit: on_submit, className: className, "aria-label": "Enter sign-in code", children: [_jsxs("p", { className: "text-sm text-muted-foreground mb-3", children: ["Enter the 6-digit code sent to ", _jsx("strong", { children: email }), "."] }), _jsx(InputOTP, { maxLength: 6, value: code, onChange: (v) => set_code(v), inputMode: "numeric", autoComplete: "one-time-code", disabled: pending, "aria-label": "One-time code", children: _jsxs(InputOTPGroup, { children: [_jsx(InputOTPSlot, { index: 0 }), _jsx(InputOTPSlot, { index: 1 }), _jsx(InputOTPSlot, { index: 2 }), _jsx(InputOTPSlot, { index: 3 }), _jsx(InputOTPSlot, { index: 4 }), _jsx(InputOTPSlot, { index: 5 })] }) }), error && (_jsx("p", { role: "alert", className: "mt-3 text-sm text-destructive", children: error })), _jsx(Button, { type: "submit", disabled: pending || code.length !== 6, className: "mt-4 w-full", children: pending ? pending_label : submit_label }), _jsx("div", { className: "mt-3 text-sm text-center", children: resend_state === "sent" ? (_jsx("span", { className: "text-muted-foreground", children: "Code sent." })) : resend_state === "rate_limited" ? (_jsxs("span", { className: "text-muted-foreground", children: ["Wait ", resend_wait, "s before resending."] })) : (_jsx("button", { type: "button", onClick: on_resend, disabled: resend_state === "sending", className: "underline text-muted-foreground hover:text-foreground", children: resend_label })) })] }));
+}

package/dist/components/otp/index.d.ts

@@ -0,0 +1,5 @@
+export { OTPRequestForm } from "./OTPRequestForm.js";
+export type { OTPRequestFormProps } from "./OTPRequestForm";
+export { OTPVerifyForm } from "./OTPVerifyForm.js";
+export type { OTPVerifyFormProps } from "./OTPVerifyForm";
+//# sourceMappingURL=index.d.ts.map

package/dist/components/otp/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/components/otp/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,YAAY,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/components/otp/index.js

@@ -0,0 +1,2 @@
+export { OTPRequestForm } from "./OTPRequestForm.js";
+export { OTPVerifyForm } from "./OTPVerifyForm.js";

package/dist/components/ui/input-otp.d.ts

@@ -0,0 +1,35 @@
+import * as React from "react";
+declare const InputOTP: React.ForwardRefExoticComponent<(Omit<Omit<React.InputHTMLAttributes<HTMLInputElement>, "value" | "onChange" | "maxLength" | "textAlign" | "onComplete" | "pushPasswordManagerStrategy" | "pasteTransformer" | "containerClassName" | "noScriptCSSFallback"> & {
+    value?: string;
+    onChange?: (newValue: string) => unknown;
+    maxLength: number;
+    textAlign?: "left" | "center" | "right";
+    onComplete?: (...args: any[]) => unknown;
+    pushPasswordManagerStrategy?: "increase-width" | "none";
+    pasteTransformer?: (pasted: string) => string;
+    containerClassName?: string;
+    noScriptCSSFallback?: string | null;
+} & {
+    render: (props: import("input-otp").RenderProps) => React.ReactNode;
+    children?: never;
+} & React.RefAttributes<HTMLInputElement>, "ref"> | Omit<Omit<React.InputHTMLAttributes<HTMLInputElement>, "value" | "onChange" | "maxLength" | "textAlign" | "onComplete" | "pushPasswordManagerStrategy" | "pasteTransformer" | "containerClassName" | "noScriptCSSFallback"> & {
+    value?: string;
+    onChange?: (newValue: string) => unknown;
+    maxLength: number;
+    textAlign?: "left" | "center" | "right";
+    onComplete?: (...args: any[]) => unknown;
+    pushPasswordManagerStrategy?: "increase-width" | "none";
+    pasteTransformer?: (pasted: string) => string;
+    containerClassName?: string;
+    noScriptCSSFallback?: string | null;
+} & {
+    render?: never;
+    children: React.ReactNode;
+} & React.RefAttributes<HTMLInputElement>, "ref">) & React.RefAttributes<HTMLInputElement>>;
+declare const InputOTPGroup: React.ForwardRefExoticComponent<Omit<React.DetailedHTMLProps<React.HTMLAttributes<HTMLDivElement>, HTMLDivElement>, "ref"> & React.RefAttributes<HTMLDivElement>>;
+declare const InputOTPSlot: React.ForwardRefExoticComponent<Omit<React.DetailedHTMLProps<React.HTMLAttributes<HTMLDivElement>, HTMLDivElement>, "ref"> & {
+    index: number;
+} & React.RefAttributes<HTMLDivElement>>;
+declare const InputOTPSeparator: React.ForwardRefExoticComponent<Omit<React.DetailedHTMLProps<React.HTMLAttributes<HTMLDivElement>, HTMLDivElement>, "ref"> & React.RefAttributes<HTMLDivElement>>;
+export { InputOTP, InputOTPGroup, InputOTPSlot, InputOTPSeparator };
+//# sourceMappingURL=input-otp.d.ts.map

package/dist/components/ui/input-otp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"input-otp.d.ts","sourceRoot":"","sources":["../../../src/components/ui/input-otp.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAK/B,QAAA,MAAM,QAAQ;;;;;kBAUoC,GAAG;;;;;;;;;;;;;kBAAH,GAAG;;;;;;;;2FAGnD,CAAC;AAGH,QAAA,MAAM,aAAa,mKAKjB,CAAC;AAGH,QAAA,MAAM,YAAY;WAEiC,MAAM;wCAyBvD,CAAC;AAGH,QAAA,MAAM,iBAAiB,mKAOrB,CAAC;AAGH,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,iBAAiB,EAAE,CAAC"}

package/dist/components/ui/input-otp.js

@@ -0,0 +1,44 @@
+"use client";
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import * as React from "react";
+import { OTPInput, OTPInputContext } from "input-otp";
+import { Minus } from "lucide-react";
+import { cn } from "../../lib/utils.js";
+const InputOTP = React.forwardRef((_a, ref) => {
+    var { className, containerClassName } = _a, props = __rest(_a, ["className", "containerClassName"]);
+    return (_jsx(OTPInput, Object.assign({ ref: ref, containerClassName: cn("flex items-center gap-2 has-[:disabled]:opacity-50", containerClassName), className: cn("disabled:cursor-not-allowed", className) }, props)));
+});
+InputOTP.displayName = "InputOTP";
+const InputOTPGroup = React.forwardRef((_a, ref) => {
+    var { className } = _a, props = __rest(_a, ["className"]);
+    return (_jsx("div", Object.assign({ ref: ref, className: cn("flex items-center", className) }, props)));
+});
+InputOTPGroup.displayName = "InputOTPGroup";
+const InputOTPSlot = React.forwardRef((_a, ref) => {
+    var _b;
+    var { index, className } = _a, props = __rest(_a, ["index", "className"]);
+    const inputOTPContext = React.useContext(OTPInputContext);
+    const slot = (_b = inputOTPContext === null || inputOTPContext === void 0 ? void 0 : inputOTPContext.slots) === null || _b === void 0 ? void 0 : _b[index];
+    const char = slot === null || slot === void 0 ? void 0 : slot.char;
+    const hasFakeCaret = slot === null || slot === void 0 ? void 0 : slot.hasFakeCaret;
+    const isActive = slot === null || slot === void 0 ? void 0 : slot.isActive;
+    return (_jsxs("div", Object.assign({ ref: ref, className: cn("relative flex h-10 w-10 items-center justify-center border-y border-r border-input text-sm transition-all first:rounded-l-md first:border-l last:rounded-r-md", isActive && "z-10 ring-2 ring-ring ring-offset-background", className) }, props, { children: [char, hasFakeCaret && (_jsx("div", { className: "pointer-events-none absolute inset-0 flex items-center justify-center", children: _jsx("div", { className: "h-4 w-px animate-caret-blink bg-foreground duration-1000" }) }))] })));
+});
+InputOTPSlot.displayName = "InputOTPSlot";
+const InputOTPSeparator = React.forwardRef((_a, ref) => {
+    var props = __rest(_a, []);
+    return (_jsx("div", Object.assign({ ref: ref, role: "separator" }, props, { children: _jsx(Minus, {}) })));
+});
+InputOTPSeparator.displayName = "InputOTPSeparator";
+export { InputOTP, InputOTPGroup, InputOTPSlot, InputOTPSeparator };

package/dist/lib/cookies_config.server.d.ts

@@ -9,6 +9,7 @@ export declare const BASE_COOKIE_NAMES: {
     readonly USER_ID: "hazo_auth_user_id";
     readonly USER_EMAIL: "hazo_auth_user_email";
     readonly SESSION: "hazo_auth_session";
+    readonly SESSION_KIND: "hazo_auth_session_kind";
     readonly DEV_LOCK: "hazo_auth_dev_lock";
     readonly SCOPE_ID: "hazo_auth_scope_id";
     readonly ANON_ID: "hazo_auth_anon_id";

package/dist/lib/cookies_config.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cookies_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/cookies_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAMrB,MAAM,MAAM,aAAa,GAAG;IAC1B,6FAA6F;IAC7F,aAAa,EAAE,MAAM,CAAC;IACtB,6EAA6E;IAC7E,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAYF,eAAO,MAAM,iBAAiB;;;;;;;CAOpB,CAAC;AAGX;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,aAAa,CAoBlD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAGzD;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,GAAG;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAQzG;AAKD;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,aAAa,CAKzD;AAED;;GAEG;AACH,wBAAgB,0BAA0B,IAAI,IAAI,CAEjD"}
+{"version":3,"file":"cookies_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/cookies_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAMrB,MAAM,MAAM,aAAa,GAAG;IAC1B,6FAA6F;IAC7F,aAAa,EAAE,MAAM,CAAC;IACtB,6EAA6E;IAC7E,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAYF,eAAO,MAAM,iBAAiB;;;;;;;;CAQpB,CAAC;AAGX;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,aAAa,CAoBlD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAGzD;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,GAAG;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAQzG;AAKD;;;GAGG;AACH,wBAAgB,yBAAyB,IAAI,aAAa,CAKzD;AAED;;GAEG;AACH,wBAAgB,0BAA0B,IAAI,IAAI,CAEjD"}

package/dist/lib/cookies_config.server.js

@@ -14,6 +14,7 @@ export const BASE_COOKIE_NAMES = {
     USER_ID: "hazo_auth_user_id",
     USER_EMAIL: "hazo_auth_user_email",
     SESSION: "hazo_auth_session",
+    SESSION_KIND: "hazo_auth_session_kind", // v6.1: marks OTP-issued sessions so /me can apply sliding expiry
     DEV_LOCK: "hazo_auth_dev_lock",
     SCOPE_ID: "hazo_auth_scope_id", // v5.2: Tenant context cookie for multi-tenancy
     ANON_ID: "hazo_auth_anon_id", // v5.2: Stable opaque per-visitor ID for anonymous flows (e.g. hazo_feedback)

package/dist/lib/login_config.server.d.ts

@@ -18,6 +18,12 @@ export type LoginConfig = {
     imageBackgroundColor: string;
     /** OAuth configuration */
     oauth: OAuthConfig;
+    /** Whether the OTP sign-in link is shown below the login form */
+    otpSigninEnabled: boolean;
+    /** Label for the OTP sign-in link */
+    otpSigninLabel: string;
+    /** href for the OTP sign-in link */
+    otpSigninHref: string;
 };
 /**
  * Reads login layout configuration from hazo_auth_config.ini file

package/dist/lib/login_config.server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"login_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/login_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAKrB,OAAO,EAAoB,KAAK,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAQ3E,MAAM,MAAM,WAAW,GAAG;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,qBAAqB,EAAE,OAAO,CAAC;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,0BAA0B;IAC1B,KAAK,EAAE,WAAW,CAAC;CACpB,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAyE9C"}
+{"version":3,"file":"login_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/login_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAKrB,OAAO,EAAoB,KAAK,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAQ3E,MAAM,MAAM,WAAW,GAAG;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,CAAC;IACvB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,qBAAqB,EAAE,OAAO,CAAC;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,0BAA0B;IAC1B,KAAK,EAAE,WAAW,CAAC;IACnB,iEAAiE;IACjE,gBAAgB,EAAE,OAAO,CAAC;IAC1B,qCAAqC;IACrC,cAAc,EAAE,MAAM,CAAC;IACvB,oCAAoC;IACpC,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAGF;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAiF9C"}

package/dist/lib/login_config.server.js

@@ -38,6 +38,10 @@ export function get_login_config() {
     const imageBackgroundColor = get_config_value(section, "image_background_color", "#f1f5f9");
     // Get OAuth configuration
     const oauth = get_oauth_config();
+    // OTP sign-in link
+    const otpSigninEnabled = get_config_value(section, "otp_signin_enabled", "false") === "true";
+    const otpSigninLabel = get_config_value(section, "otp_signin_label", "Sign in with email code");
+    const otpSigninHref = get_config_value(section, "otp_signin_href", "/hazo_auth/otp");
     return {
         redirectRoute,
         successMessage,
@@ -55,5 +59,8 @@ export function get_login_config() {
         imageAlt,
         imageBackgroundColor,
         oauth,
+        otpSigninEnabled,
+        otpSigninLabel,
+        otpSigninHref,
     };
 }

package/dist/lib/otp_config.server.d.ts

@@ -0,0 +1,49 @@
+import "server-only";
+export declare const OTP_CONFIG_DEFAULTS: {
+    readonly auto_register: false;
+    readonly code_ttl_seconds: 600;
+    readonly session_ttl_seconds: 604800;
+    readonly slide_when_within_seconds: 86400;
+    readonly email_rate_limit_max: 3;
+    readonly email_rate_limit_window_seconds: 900;
+    readonly ip_rate_limit_max: 20;
+    readonly ip_rate_limit_window_seconds: 3600;
+    readonly max_verify_attempts: 5;
+    readonly auto_assign_scope_id: "00000000-0000-0000-0000-000000000001";
+    readonly auto_assign_role_name: "member";
+};
+export type OtpConfig = {
+    /** Whether to automatically register a new user when an unrecognised email requests an OTP */
+    auto_register: boolean;
+    /** How long (seconds) a generated OTP code is valid */
+    code_ttl_seconds: number;
+    /** How long (seconds) the session created after successful OTP verification lasts */
+    session_ttl_seconds: number;
+    /** Slide the session expiry when the remaining TTL falls below this many seconds */
+    slide_when_within_seconds: number;
+    /** Maximum OTP requests allowed per email address within the rate-limit window */
+    email_rate_limit_max: number;
+    /** Rate-limit window (seconds) for per-email OTP requests */
+    email_rate_limit_window_seconds: number;
+    /** Maximum OTP requests allowed per IP address within the rate-limit window */
+    ip_rate_limit_max: number;
+    /** Rate-limit window (seconds) for per-IP OTP requests */
+    ip_rate_limit_window_seconds: number;
+    /** Maximum failed verify attempts before the OTP code is invalidated */
+    max_verify_attempts: number;
+    /** Scope ID to auto-assign a newly registered OTP user to */
+    auto_assign_scope_id: string;
+    /** Role name to assign within the auto-assign scope */
+    auto_assign_role_name: string;
+};
+/**
+ * Reads OTP configuration from hazo_auth_config.ini [hazo_auth__otp] section.
+ * Falls back to defaults if the config file or section is missing.
+ */
+export declare function get_otp_config(): OtpConfig;
+/**
+ * Convenience accessor — returns just the session TTL seconds from OTP config.
+ * Suitable for passing to token-creation utilities.
+ */
+export declare function hazo_auth_otp_session_ttl_seconds(): number;
+//# sourceMappingURL=otp_config.server.d.ts.map

package/dist/lib/otp_config.server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"otp_config.server.d.ts","sourceRoot":"","sources":["../../src/lib/otp_config.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAMrB,eAAO,MAAM,mBAAmB;;;;;;;;;;;;CAYtB,CAAC;AAGX,MAAM,MAAM,SAAS,GAAG;IACtB,8FAA8F;IAC9F,aAAa,EAAE,OAAO,CAAC;IACvB,uDAAuD;IACvD,gBAAgB,EAAE,MAAM,CAAC;IACzB,qFAAqF;IACrF,mBAAmB,EAAE,MAAM,CAAC;IAC5B,oFAAoF;IACpF,yBAAyB,EAAE,MAAM,CAAC;IAClC,kFAAkF;IAClF,oBAAoB,EAAE,MAAM,CAAC;IAC7B,6DAA6D;IAC7D,+BAA+B,EAAE,MAAM,CAAC;IACxC,+EAA+E;IAC/E,iBAAiB,EAAE,MAAM,CAAC;IAC1B,0DAA0D;IAC1D,4BAA4B,EAAE,MAAM,CAAC;IACrC,wEAAwE;IACxE,mBAAmB,EAAE,MAAM,CAAC;IAC5B,6DAA6D;IAC7D,oBAAoB,EAAE,MAAM,CAAC;IAC7B,uDAAuD;IACvD,qBAAqB,EAAE,MAAM,CAAC;CAC/B,CAAC;AAGF;;;GAGG;AACH,wBAAgB,cAAc,IAAI,SAAS,CA6B1C;AAED;;;GAGG;AACH,wBAAgB,iCAAiC,IAAI,MAAM,CAE1D"}

package/dist/lib/otp_config.server.js

@@ -0,0 +1,48 @@
+// file_description: server-only helper to read OTP sign-in configuration from hazo_auth_config.ini
+// section: server-only-guard
+import "server-only";
+// section: imports
+import { get_config_value, get_config_boolean, get_config_number } from "./config/config_loader.server.js";
+// section: defaults
+export const OTP_CONFIG_DEFAULTS = {
+    auto_register: false,
+    code_ttl_seconds: 600,
+    session_ttl_seconds: 604800,
+    slide_when_within_seconds: 86400,
+    email_rate_limit_max: 3,
+    email_rate_limit_window_seconds: 900,
+    ip_rate_limit_max: 20,
+    ip_rate_limit_window_seconds: 3600,
+    max_verify_attempts: 5,
+    auto_assign_scope_id: "00000000-0000-0000-0000-000000000001",
+    auto_assign_role_name: "member",
+};
+// section: helpers
+/**
+ * Reads OTP configuration from hazo_auth_config.ini [hazo_auth__otp] section.
+ * Falls back to defaults if the config file or section is missing.
+ */
+export function get_otp_config() {
+    const section = "hazo_auth__otp";
+    const d = OTP_CONFIG_DEFAULTS;
+    return {
+        auto_register: get_config_boolean(section, "otp_auto_register", d.auto_register),
+        code_ttl_seconds: get_config_number(section, "otp_code_ttl_seconds", d.code_ttl_seconds),
+        session_ttl_seconds: get_config_number(section, "otp_session_ttl_seconds", d.session_ttl_seconds),
+        slide_when_within_seconds: get_config_number(section, "otp_slide_when_within_seconds", d.slide_when_within_seconds),
+        email_rate_limit_max: get_config_number(section, "otp_email_rate_limit_max", d.email_rate_limit_max),
+        email_rate_limit_window_seconds: get_config_number(section, "otp_email_rate_limit_window_seconds", d.email_rate_limit_window_seconds),
+        ip_rate_limit_max: get_config_number(section, "otp_ip_rate_limit_max", d.ip_rate_limit_max),
+        ip_rate_limit_window_seconds: get_config_number(section, "otp_ip_rate_limit_window_seconds", d.ip_rate_limit_window_seconds),
+        max_verify_attempts: get_config_number(section, "otp_max_verify_attempts", d.max_verify_attempts),
+        auto_assign_scope_id: get_config_value(section, "otp_auto_assign_scope_id", d.auto_assign_scope_id),
+        auto_assign_role_name: get_config_value(section, "otp_auto_assign_role_name", d.auto_assign_role_name),
+    };
+}
+/**
+ * Convenience accessor — returns just the session TTL seconds from OTP config.
+ * Suitable for passing to token-creation utilities.
+ */
+export function hazo_auth_otp_session_ttl_seconds() {
+    return get_otp_config().session_ttl_seconds;
+}

package/dist/lib/services/email_service.d.ts

@@ -7,7 +7,7 @@ export type EmailOptions = {
     html_body?: string;
     text_body?: string;
 };
-export type EmailTemplateType = "forgot_password" | "email_verification" | "password_changed";
+export type EmailTemplateType = "forgot_password" | "email_verification" | "password_changed" | "otp_signin_code";
 export type EmailTemplateData = {
     token?: string;
     verification_url?: string;

package/dist/lib/services/email_service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"email_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/email_service.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,aAAa,EAAoB,MAAM,aAAa,CAAC;AACnE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAGxE,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,kBAAkB,CAAC;AAE9F,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CACnC,CAAC;AAiBF;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CAEpE;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,mBAAmB,GAAG,IAAI,CAE3E;AA8LD;;;;GAIG;AACH,wBAAsB,UAAU,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAwErG;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,mBAAmB,CACvC,aAAa,EAAE,iBAAiB,EAChC,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAyF/C"}
+{"version":3,"file":"email_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/email_service.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,aAAa,EAAoB,MAAM,aAAa,CAAC;AACnE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAGxE,MAAM,MAAM,YAAY,GAAG;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,iBAAiB,GAAG,iBAAiB,GAAG,oBAAoB,GAAG,kBAAkB,GAAG,iBAAiB,CAAC;AAElH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CACnC,CAAC;AAiBF;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CAEpE;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,mBAAmB,GAAG,IAAI,CAE3E;AAgMD;;;;GAIG;AACH,wBAAsB,UAAU,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAwErG;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,mBAAmB,CACvC,aAAa,EAAE,iBAAiB,EAChC,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAyF/C"}

package/dist/lib/services/email_service.js

@@ -200,6 +200,8 @@ function get_email_subject(template_type) {
             return "Reset Your Password";
         case "password_changed":
             return "Password Changed Successfully";
+        case "otp_signin_code":
+            return "Your sign-in code";
         default:
             return "Email from hazo_auth";
     }

package/dist/lib/services/email_template_manifest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"email_template_manifest.d.ts","sourceRoot":"","sources":["../../../src/lib/services/email_template_manifest.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAMrB,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AAiB3E;;;;;;GAMG;AACH,eAAO,MAAM,2BAA2B,EAAE,sBAAsB,EAuE/D,CAAC"}
+{"version":3,"file":"email_template_manifest.d.ts","sourceRoot":"","sources":["../../../src/lib/services/email_template_manifest.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAMrB,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AAiB3E;;;;;;GAMG;AACH,eAAO,MAAM,2BAA2B,EAAE,sBAAsB,EAwF/D,CAAC"}

package/dist/lib/services/email_template_manifest.js

@@ -92,4 +92,21 @@ export const hazo_auth_template_manifest = [
             },
         ],
     },
+    {
+        template_name: "otp_signin_code",
+        template_label: "OTP sign-in code",
+        category: SYSTEM_CATEGORY,
+        html: read_template("otp_signin_code", "html"),
+        text: read_template("otp_signin_code", "txt"),
+        variables: [
+            {
+                variable_name: "otp_code",
+                variable_description: "6-digit OTP code for email sign-in (v6.1.0+)",
+            },
+            {
+                variable_name: "expires_in_minutes",
+                variable_description: "Number of minutes until the OTP code expires",
+            },
+        ],
+    },
 ];

package/dist/lib/services/email_templates/otp_signin_code.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <title>Your sign-in code</title>
+</head>
+<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
+  <p>Your sign-in code is:</p>
+  <p style="font-size: 28px; font-weight: bold; letter-spacing: 0.2em; font-family: monospace; margin: 16px 0;">{{otp_code}}</p>
+  <p>This code expires in {{expires_in_minutes}} minutes.</p>
+  <p style="color: #666; font-size: 12px;">If you didn't request this code, you can safely ignore this email.</p>
+</body>
+</html>

package/dist/lib/services/email_templates/otp_signin_code.txt

@@ -0,0 +1,5 @@
+Your sign-in code is: {{otp_code}}
+
+This code expires in {{expires_in_minutes}} minutes.
+
+If you didn't request this code, you can safely ignore this email.

package/dist/lib/services/index.d.ts

@@ -18,4 +18,6 @@ export * from "./scope_service.js";
 export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
+export { request_email_otp, verify_email_otp, generate_otp_code, hash_otp_code, verify_otp_code, } from "./otp_service.js";
+export type { RequestEmailOTPResult, VerifyEmailOTPResult } from "./otp_service";
 //# sourceMappingURL=index.d.ts.map

package/dist/lib/services/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/services/index.ts"],"names":[],"mappings":"AAEA,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,iBAAiB,CAAC;AAChC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,0BAA0B,CAAC;AACzC,cAAc,kCAAkC,CAAC;AACjD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/services/index.ts"],"names":[],"mappings":"AAEA,cAAc,iBAAiB,CAAC;AAChC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,iBAAiB,CAAC;AAChC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,0BAA0B,CAAC;AACzC,cAAc,kCAAkC,CAAC;AACjD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,sBAAsB,CAAC;AACrC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,OAAO,EACL,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,EACjB,aAAa,EACb,eAAe,GAChB,MAAM,eAAe,CAAC;AACvB,YAAY,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC"}

package/dist/lib/services/index.js

@@ -20,3 +20,4 @@ export * from "./scope_service.js";
 export * from "./user_scope_service.js";
 export * from "./oauth_service.js";
 export * from "./branding_service.js";
+export { request_email_otp, verify_email_otp, generate_otp_code, hash_otp_code, verify_otp_code, } from "./otp_service.js";

package/dist/lib/services/otp_service.d.ts

@@ -0,0 +1,46 @@
+import "server-only";
+/**
+ * Generates a cryptographically random 6-digit numeric OTP code (000000–999999).
+ * Uses crypto.randomInt for uniform distribution.
+ */
+export declare function generate_otp_code(): string;
+export declare function hash_otp_code(code: string): Promise<string>;
+export declare function verify_otp_code(otp_hash: string, code: string): Promise<boolean>;
+export type RequestEmailOTPResult = {
+    ok: true;
+} | {
+    ok: false;
+    error: "rate_limited";
+    retry_after_seconds: number;
+};
+/**
+ * Initiates an OTP sign-in flow for the given email address.
+ *
+ * Behaviour:
+ * 1. Per-email rate limit — rejects if too many requests in the sliding window.
+ * 2. Per-IP rate limit — rejects if too many requests from this IP.
+ * 3. Unknown email + auto_register=false — silent no-op (constant-time padding).
+ * 4. Unknown email + auto_register=true — inserts OTP row with user_id=null, dispatches email.
+ * 5. Known email — marks prior unconsumed rows consumed, inserts fresh OTP row, dispatches email.
+ *
+ * Never reveals whether an email address is registered (always returns ok:true on success).
+ */
+export declare function request_email_otp(args: {
+    email: string;
+    ip: string;
+}): Promise<RequestEmailOTPResult>;
+export type VerifyEmailOTPResult = {
+    ok: true;
+    user_id: string;
+    email: string;
+    session_token: string;
+} | {
+    ok: false;
+    error: "invalid_or_expired";
+};
+export declare function verify_email_otp(args: {
+    email: string;
+    code: string;
+    ip: string;
+}): Promise<VerifyEmailOTPResult>;
+//# sourceMappingURL=otp_service.d.ts.map

package/dist/lib/services/otp_service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"otp_service.d.ts","sourceRoot":"","sources":["../../../src/lib/services/otp_service.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAUrB;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAG1C;AAED,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEjE;AAED,wBAAsB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAMtF;AAID,MAAM,MAAM,qBAAqB,GAC7B;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,cAAc,CAAC;IAAC,mBAAmB,EAAE,MAAM,CAAA;CAAE,CAAC;AAItE;;;;;;;;;;;GAWG;AACH,wBAAsB,iBAAiB,CAAC,IAAI,EAAE;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;CACZ,GAAG,OAAO,CAAC,qBAAqB,CAAC,CA8GjC;AAID,MAAM,MAAM,oBAAoB,GAC5B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,oBAAoB,CAAA;CAAE,CAAC;AAE/C,wBAAsB,gBAAgB,CAAC,IAAI,EAAE;IAC3C,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;CACZ,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAsHhC"}