kavachos 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (32) hide show
  1. package/LICENSE +21 -0
  2. package/dist/agent/index.d.ts +32 -0
  3. package/dist/agent/index.js +5 -0
  4. package/dist/agent/index.js.map +1 -0
  5. package/dist/audit/index.d.ts +19 -0
  6. package/dist/audit/index.js +5 -0
  7. package/dist/audit/index.js.map +1 -0
  8. package/dist/auth/index.d.ts +2 -0
  9. package/dist/auth/index.js +3 -0
  10. package/dist/auth/index.js.map +1 -0
  11. package/dist/chunk-D2LJLY7F.js +207 -0
  12. package/dist/chunk-D2LJLY7F.js.map +1 -0
  13. package/dist/chunk-DTCKF26N.js +208 -0
  14. package/dist/chunk-DTCKF26N.js.map +1 -0
  15. package/dist/chunk-PZ5AY32C.js +9 -0
  16. package/dist/chunk-PZ5AY32C.js.map +1 -0
  17. package/dist/chunk-XSYYQH75.js +153 -0
  18. package/dist/chunk-XSYYQH75.js.map +1 -0
  19. package/dist/chunk-XW2X3O53.js +92 -0
  20. package/dist/chunk-XW2X3O53.js.map +1 -0
  21. package/dist/index.d.ts +181 -0
  22. package/dist/index.js +862 -0
  23. package/dist/index.js.map +1 -0
  24. package/dist/mcp/index.d.ts +222 -0
  25. package/dist/mcp/index.js +1005 -0
  26. package/dist/mcp/index.js.map +1 -0
  27. package/dist/permission/index.d.ts +84 -0
  28. package/dist/permission/index.js +5 -0
  29. package/dist/permission/index.js.map +1 -0
  30. package/dist/types-C5htunW6.d.ts +351 -0
  31. package/dist/types-fHHAt3tt.d.ts +2127 -0
  32. package/package.json +100 -0
package/dist/index.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/db/database.ts","../src/db/migrations.ts","../src/delegation/delegation.ts","../src/kavach.ts","../src/openapi.ts"],"names":["drizzleSqlite","anyDb"],"mappings":";;;;;;;;;;;;;;AAyDA,eAAsB,eAAe,MAAA,EAA2C;AAC/E,EAAA,IAAI,MAAA,CAAO,aAAa,QAAA,EAAU;AACjC,IAAA,MAAM,MAAA,GAAS,IAAI,aAAA,CAAc,MAAA,CAAO,GAAG,CAAA;AAC3C,IAAA,MAAA,CAAO,OAAO,oBAAoB,CAAA;AAClC,IAAA,MAAA,CAAO,OAAO,mBAAmB,CAAA;AACjC,IAAA,OAAOA,OAAA,CAAc,MAAA,EAAQ,EAAE,MAAA,EAAA,cAAA,EAAQ,CAAA;AAAA,EACxC;AAEA,EAAA,IAAI,MAAA,CAAO,aAAa,UAAA,EAAY;AAEnC,IAAA,MAAM,EAAE,MAAK,GAAI,MAAM,OAAO,IAAI,CAAA,CAAE,MAAM,MAAM;AAC/C,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OAED;AAAA,IACD,CAAC,CAAA;AACD,IAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,OAAO,2BAA2B,CAAA;AAE5D,IAAA,MAAM,OAAO,IAAI,IAAA,CAAK,EAAE,gBAAA,EAAkB,MAAA,CAAO,KAAK,CAAA;AAGtD,IAAA,OAAO,QAAQ,IAAI,CAAA;AAAA,EACpB;AAEA,EAAA,IAAI,MAAA,CAAO,aAAa,OAAA,EAAS;AAEhC,IAAA,MAAM,SAAS,MAAM,OAAO,gBAAgB,CAAA,CAAE,MAAM,MAAM;AACzD,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OAED;AAAA,IACD,CAAC,CAAA;AACD,IAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,OAAO,oBAAoB,CAAA;AAErD,IAAA,MAAM,IAAA,GAAO,MAAA,CAAO,UAAA,CAAW,MAAA,CAAO,GAAG,CAAA;AAGzC,IAAA,OAAO,QAAQ,IAAI,CAAA;AAAA,EACpB;AAEA,EAAA,MAAM,IAAI,KAAA;AAAA,IACT,CAAA,yCAAA,EAA6C,OAA0B,QAAQ,CAAA,kDAAA;AAAA,GAEhF;AACD;AASO,SAAS,mBAAmB,MAAA,EAAkC;AACpE,EAAA,IAAI,MAAA,CAAO,aAAa,QAAA,EAAU;AACjC,IAAA,MAAM,IAAI,KAAA;AAAA,MACT,CAAA,wFAAA,EACiD,OAAO,QAAQ,CAAA,EAAA;AAAA,KACjE;AAAA,EACD;AACA,EAAA,MAAM,MAAA,GAAS,IAAI,aAAA,CAAc,MAAA,CAAO,GAAG,CAAA;AAC3C,EAAA,MAAA,CAAO,OAAO,oBAAoB,CAAA;AAClC,EAAA,MAAA,CAAO,OAAO,mBAAmB,CAAA;AACjC,EAAA,OAAOA,OAAA,CAAc,MAAA,EAAQ,EAAE,MAAA,EAAA,cAAA,EAAQ,CAAA;AACxC;;;ACrGA,SAAS,gBAAgB,QAAA,EAAgD;AACxE,EAAA,MAAM,aAAa,QAAA,KAAa,UAAA;AAChC,EAAA,MAAM,UAAU,QAAA,KAAa,OAAA;AAG7B,EAAA,MAAM,EAAA,GAAK,UAAA,GAAa,aAAA,GAAgB,OAAA,GAAU,aAAA,GAAgB,SAAA;AAElE,EAAA,MAAM,MAAA,GAAS,EAAA;AAEf,EAAA,MAAM,IAAA,GAAO,UAAA,GAAa,OAAA,GAAU,OAAA,GAAU,MAAA,GAAS,MAAA;AAEvD,EAAA,MAAM,IAAA,GAAO,UAAA,GAAa,SAAA,GAAY,OAAA,GAAU,YAAA,GAAe,SAAA;AAE/D,EAAA,MAAM,IAAA,GAAO,eAAA;AAEb,EAAA,OAAO;AAAA;AAAA;AAAA;AAAA,IAIN,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,cAAA,EAMN,IAAI,CAAA;AAAA,cAAA,EACJ,EAAE,CAAA;AAAA,cAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kBAAA,EAQF,MAAM,CAAA;AAAA,kBAAA,EACN,MAAM,CAAA;AAAA,kBAAA,EACN,IAAI,CAAA;AAAA,kBAAA,EACJ,EAAE,CAAA;AAAA,kBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMpB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,cAAA,EAIN,IAAI,CAAA;AAAA,cAAA,EACJ,IAAI,CAAA;AAAA,cAAA,EACJ,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,EAIJ,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,EAIJ,EAAE,CAAA;AAAA,gBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMlB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,eAAA,EAML,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,eAAA,EAOJ,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMjB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,eAAA,EAIL,EAAE,CAAA;AAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAOjB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,mBAAA,EAID,IAAI,CAAA;AAAA,mBAAA,EACJ,IAAI,CAAA,kBAAA,EAAqB,UAAA,GAAa,MAAA,GAAS,GAAG,CAAA;AAAA;AAAA;AAAA,mBAAA,EAGlD,EAAE,CAAA;AAAA,mBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMrB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,8BAAA,EAMU,IAAI,CAAA;AAAA,8BAAA,EACJ,IAAI,CAAA;AAAA,8BAAA,EACJ,IAAI,CAAA;AAAA;AAAA;AAAA,8BAAA,EAGJ,IAAI,CAAA,kBAAA,EAAqB,UAAA,GAAa,OAAA,GAAU,GAAG,CAAA;AAAA,8BAAA,EACnD,IAAI,CAAA;AAAA,8BAAA,EACJ,EAAE,CAAA;AAAA,8BAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhC,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,4BAAA,EAQQ,EAAE,CAAA;AAAA,4BAAA,EACF,MAAM,CAAA;AAAA,4BAAA,EACN,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAM9B,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,yBAAA,EAUK,EAAE,CAAA;AAAA,yBAAA,EACF,EAAE,CAAA;AAAA,CAAA;AAAA,GAE5B;AACD;AAqBA,eAAsB,YAAA,CACrB,IACA,QAAA,EACgB;AAChB,EAAA,MAAM,UAAA,GAAa,gBAAgB,QAAQ,CAAA;AAE3C,EAAA,IAAI,aAAa,QAAA,EAAU;AAK1B,IAAA,MAAM,UAAW,EAAA,CAAW,OAAA;AAC5B,IAAA,IAAI,OAAA,EAAS,QAAQ,IAAA,EAAM;AAG1B,MAAA,OAAA,CAAQ,OAAO,IAAA,CAAK,UAAA,CAAW,IAAA,CAAK,KAAK,IAAI,GAAG,CAAA;AAChD,MAAA;AAAA,IACD;AAGA,IAAA,MAAMC,MAAAA,GAAQ,EAAA;AACd,IAAA,KAAA,MAAW,OAAO,UAAA,EAAY;AAC7B,MAAA,MAAMA,MAAAA,CAAM,IAAI,GAAG,CAAA;AAAA,IACpB;AACA,IAAA;AAAA,EACD;AAMA,EAAA,MAAM,KAAA,GAAQ,EAAA;AAEd,EAAA,IAAI,aAAa,UAAA,EAAY;AAG5B,IAAA,MAAM,MAAA,GACL,KAAA,CAAM,OAAA,IAAW,KAAA,CAAM,OAAA,EAAS,MAAA;AACjC,IAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OACD;AAAA,IACD;AACA,IAAA,KAAA,MAAW,OAAO,UAAA,EAAY;AAC7B,MAAA,MAAM,MAAA,CAAO,MAAM,GAAG,CAAA;AAAA,IACvB;AACA,IAAA;AAAA,EACD;AAEA,EAAA,IAAI,aAAa,OAAA,EAAS;AAEzB,IAAA,MAAM,MAAA,GACL,KAAA,CAAM,OAAA,IAAW,KAAA,CAAM,OAAA,EAAS,MAAA;AACjC,IAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OACD;AAAA,IACD;AACA,IAAA,KAAA,MAAW,OAAO,UAAA,EAAY;AAC7B,MAAA,MAAM,MAAA,CAAO,QAAQ,GAAG,CAAA;AAAA,IACzB;AACA,IAAA;AAAA,EACD;AAEA,EAAA,MAAM,IAAI,KAAA,CAAM,CAAA,oCAAA,EAAuC,QAAQ,CAAA,CAAA,CAAG,CAAA;AACnE;ACzQA,SAAS,kBAAA,CAAmB,aAA2B,UAAA,EAAmC;AACzF,EAAA,KAAA,MAAW,aAAa,UAAA,EAAY;AACnC,IAAA,MAAM,WAAA,GAAc,WAAA,CAAY,IAAA,CAAK,CAAC,CAAA,KAAM;AAE3C,MAAA,IAAI,CAAC,gBAAA,CAAiB,CAAA,CAAE,UAAU,SAAA,CAAU,QAAQ,GAAG,OAAO,KAAA;AAG9D,MAAA,KAAA,MAAW,MAAA,IAAU,UAAU,OAAA,EAAS;AACvC,QAAA,IAAI,CAAC,CAAA,CAAE,OAAA,CAAQ,QAAA,CAAS,MAAM,CAAA,IAAK,CAAC,CAAA,CAAE,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAAG,OAAO,KAAA;AAAA,MACrE;AAEA,MAAA,OAAO,IAAA;AAAA,IACR,CAAC,CAAA;AAED,IAAA,IAAI,CAAC,aAAa,OAAO,KAAA;AAAA,EAC1B;AAEA,EAAA,OAAO,IAAA;AACR;AAQA,SAAS,gBAAA,CAAiB,gBAAwB,aAAA,EAAgC;AACjF,EAAA,IAAI,cAAA,KAAmB,KAAK,OAAO,IAAA;AACnC,EAAA,IAAI,cAAA,KAAmB,eAAe,OAAO,IAAA;AAE7C,EAAA,MAAM,WAAA,GAAc,cAAA,CAAe,KAAA,CAAM,GAAG,CAAA;AAC5C,EAAA,MAAM,UAAA,GAAa,aAAA,CAAc,KAAA,CAAM,GAAG,CAAA;AAE1C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,WAAA,CAAY,QAAQ,CAAA,EAAA,EAAK;AAC5C,IAAA,IAAI,WAAA,CAAY,CAAC,CAAA,KAAM,GAAA,EAAK,OAAO,IAAA;AACnC,IAAA,IAAI,YAAY,CAAC,CAAA,KAAM,UAAA,CAAW,CAAC,GAAG,OAAO,KAAA;AAAA,EAC9C;AAEA,EAAA,OAAO,WAAA,CAAY,UAAU,UAAA,CAAW,MAAA;AACzC;AAMO,SAAS,uBAAuB,MAAA,EAAgC;AACtE,EAAA,MAAM,EAAE,IAAG,GAAI,MAAA;AAEf,EAAA,eAAe,QAAA,CACd,OACA,iBAAA,EAC2B;AAE3B,IAAA,IAAI,CAAC,kBAAA,CAAmB,iBAAA,EAAmB,KAAA,CAAM,WAAW,CAAA,EAAG;AAC9D,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OAED;AAAA,IACD;AAGA,IAAA,MAAM,iBAAiB,MAAM,EAAA,CAC3B,QAAO,CACP,IAAA,CAAK,gBAAgB,CAAA,CACrB,KAAA;AAAA,MACA,GAAA,CAAI,EAAA,CAAG,gBAAA,CAAiB,SAAA,EAAW,KAAA,CAAM,SAAS,CAAA,EAAG,EAAA,CAAG,gBAAA,CAAiB,MAAA,EAAQ,QAAQ,CAAC;AAAA,KAC3F;AAED,IAAA,MAAM,YAAA,GACL,cAAA,CAAe,MAAA,GAAS,CAAA,GAAI,KAAK,GAAA,CAAI,GAAG,cAAA,CAAe,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,KAAK,CAAC,IAAI,CAAA,GAAI,CAAA;AAEnF,IAAA,MAAM,QAAA,GAAW,MAAM,QAAA,IAAY,CAAA;AAEnC,IAAA,IAAI,eAAe,QAAA,EAAU;AAC5B,MAAA,MAAM,IAAI,KAAA;AAAA,QACT,CAAA,iBAAA,EAAoB,YAAY,CAAA,kCAAA,EAAqC,QAAQ,CAAA,2CAAA;AAAA,OAE9E;AAAA,IACD;AAEA,IAAA,MAAM,KAAK,UAAA,EAAW;AACtB,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,gBAAgB,CAAA,CAAE,MAAA,CAAO;AAAA,MACxC,EAAA;AAAA,MACA,aAAa,KAAA,CAAM,SAAA;AAAA,MACnB,WAAW,KAAA,CAAM,OAAA;AAAA,MACjB,WAAA,EAAa,KAAA,CAAM,WAAA,CAAY,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,QAC1C,UAAU,CAAA,CAAE,QAAA;AAAA,QACZ,SAAS,CAAA,CAAE;AAAA,OACZ,CAAE,CAAA;AAAA,MACF,KAAA,EAAO,YAAA;AAAA,MACP,QAAA;AAAA,MACA,MAAA,EAAQ,QAAA;AAAA,MACR,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,SAAA,EAAW;AAAA,KACX,CAAA;AAED,IAAA,OAAO;AAAA,MACN,EAAA;AAAA,MACA,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,aAAa,KAAA,CAAM,WAAA;AAAA,MACnB,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,KAAA,EAAO,YAAA;AAAA,MACP,SAAA,EAAW;AAAA,KACZ;AAAA,EACD;AAKA,EAAA,eAAe,iBAAiB,OAAA,EAAgC;AAC/D,IAAA,MAAM,QAAQ,MAAM,EAAA,CAClB,MAAA,EAAO,CACP,KAAK,gBAAgB,CAAA,CACrB,KAAA,CAAM,EAAA,CAAG,iBAAiB,EAAA,EAAI,OAAO,CAAC,CAAA,CACtC,MAAM,CAAC,CAAA;AAET,IAAA,IAAI,CAAC,MAAM,CAAC,CAAA,QAAS,IAAI,KAAA,CAAM,CAAA,iBAAA,EAAoB,OAAO,CAAA,WAAA,CAAa,CAAA;AAGvE,IAAA,MAAM,EAAA,CACJ,MAAA,CAAO,gBAAgB,CAAA,CACvB,IAAI,EAAE,MAAA,EAAQ,SAAA,EAAW,EACzB,KAAA,CAAM,EAAA,CAAG,gBAAA,CAAiB,EAAA,EAAI,OAAO,CAAC,CAAA;AAGxC,IAAA,MAAM,cAAc,MAAM,EAAA,CACxB,QAAO,CACP,IAAA,CAAK,gBAAgB,CAAA,CACrB,KAAA;AAAA,MACA,GAAA;AAAA,QACC,GAAG,gBAAA,CAAiB,WAAA,EAAa,KAAA,CAAM,CAAC,EAAE,SAAS,CAAA;AAAA,QACnD,EAAA,CAAG,gBAAA,CAAiB,MAAA,EAAQ,QAAQ;AAAA;AACrC,KACD;AAED,IAAA,KAAA,MAAW,SAAS,WAAA,EAAa;AAChC,MAAA,MAAM,gBAAA,CAAiB,MAAM,EAAE,CAAA;AAAA,IAChC;AAAA,EACD;AAKA,EAAA,eAAe,wBAAwB,OAAA,EAAwC;AAC9E,IAAA,MAAM,MAAA,GAAS,MAAM,EAAA,CACnB,MAAA,GACA,IAAA,CAAK,gBAAgB,EACrB,KAAA,CAAM,GAAA,CAAI,GAAG,gBAAA,CAAiB,SAAA,EAAW,OAAO,CAAA,EAAG,EAAA,CAAG,iBAAiB,MAAA,EAAQ,QAAQ,CAAC,CAAC,CAAA;AAG3F,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,eAAe,MAAA,CAAO,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,YAAY,GAAG,CAAA;AAG3D,IAAA,MAAM,iBAA+B,EAAC;AACtC,IAAA,KAAA,MAAW,SAAS,YAAA,EAAc;AACjC,MAAA,KAAA,MAAW,IAAA,IAAQ,MAAM,WAAA,EAAa;AACrC,QAAA,cAAA,CAAe,IAAA,CAAK;AAAA,UACnB,UAAU,IAAA,CAAK,QAAA;AAAA,UACf,SAAS,IAAA,CAAK;AAAA,SACd,CAAA;AAAA,MACF;AAAA,IACD;AAEA,IAAA,OAAO,cAAA;AAAA,EACR;AAKA,EAAA,eAAe,WAAW,OAAA,EAA6C;AACtE,IAAA,MAAM,MAAA,GAAS,MAAM,EAAA,CACnB,MAAA,EAAO,CACP,IAAA,CAAK,gBAAgB,CAAA,CACrB,KAAA,CAAM,EAAA,CAAG,gBAAA,CAAiB,WAAA,EAAa,OAAO,CAAC,CAAA;AAEjD,IAAA,OAAO,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,MACzB,IAAI,CAAA,CAAE,EAAA;AAAA,MACN,WAAW,CAAA,CAAE,WAAA;AAAA,MACb,SAAS,CAAA,CAAE,SAAA;AAAA,MACX,WAAA,EAAa,CAAA,CAAE,WAAA,CAAY,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,QACtC,UAAU,CAAA,CAAE,QAAA;AAAA,QACZ,SAAS,CAAA,CAAE;AAAA,OACZ,CAAE,CAAA;AAAA,MACF,WAAW,CAAA,CAAE,SAAA;AAAA,MACb,OAAO,CAAA,CAAE,KAAA;AAAA,MACT,WAAW,CAAA,CAAE;AAAA,KACd,CAAE,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,EAAE,QAAA,EAAU,gBAAA,EAAkB,uBAAA,EAAyB,UAAA,EAAW;AAC1E;;;AC9JA,eAAsB,aAAa,MAAA,EAAsB;AACxD,EAAA,MAAM,EAAA,GAAK,MAAM,cAAA,CAAe,MAAA,CAAO,QAAQ,CAAA;AAI/C,EAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,cAAA,EAAgB;AACpC,IAAA,MAAM,YAAA,CAAa,EAAA,EAAI,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA;AAAA,EAChD;AAEA,EAAA,MAAM,WAAA,GAAc;AAAA,IACnB,EAAA;AAAA,IACA,UAAA,EAAY,MAAA,CAAO,MAAA,EAAQ,UAAA,IAAc,EAAA;AAAA,IACzC,kBAAA,EAAoB,MAAA,CAAO,MAAA,EAAQ,kBAAA,IAAsB,EAAC;AAAA,IAC1D,WAAA,EAAa,MAAA,CAAO,MAAA,EAAQ,WAAA,IAAe;AAAA,GAC5C;AAEA,EAAA,MAAM,WAAA,GAAc,kBAAkB,WAAW,CAAA;AAEjD,EAAA,MAAM,mBAAmB,sBAAA,CAAuB;AAAA,IAC/C,EAAA;AAAA,IACA,QAAA,EAAU,MAAA,CAAO,MAAA,EAAQ,QAAA,IAAY;AAAA,GACrC,CAAA;AAED,EAAA,MAAM,WAAA,GAAc,iBAAA,CAAkB,EAAE,EAAA,EAAI,CAAA;AAE5C,EAAA,MAAM,gBAAA,GAAmB,sBAAA,CAAuB,EAAE,EAAA,EAAI,CAAA;AAGtD,EAAA,eAAe,SAAA,CAAU,SAAiB,OAAA,EAAqD;AAC9F,IAAA,MAAM,KAAA,GAAQ,MAAM,WAAA,CAAY,GAAA,CAAI,OAAO,CAAA;AAC3C,IAAA,IAAI,CAAC,KAAA,EAAO;AACX,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,UAAU,OAAO,CAAA,WAAA,CAAA;AAAA,QACzB,OAAA,EAAS;AAAA,OACV;AAAA,IACD;AACA,IAAA,IAAI,KAAA,CAAM,WAAW,QAAA,EAAU;AAC9B,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,QAAQ,CAAA,OAAA,EAAU,KAAA,CAAM,IAAI,CAAA,KAAA,EAAQ,MAAM,MAAM,CAAA,CAAA;AAAA,QAChD,OAAA,EAAS;AAAA,OACV;AAAA,IACD;AACA,IAAA,OAAO,gBAAA,CAAiB,SAAA,CAAU,KAAA,EAAO,OAAO,CAAA;AAAA,EACjD;AAGA,EAAA,eAAe,gBAAA,CACd,OACA,OAAA,EAC2B;AAC3B,IAAA,MAAM,KAAA,GAAQ,MAAM,WAAA,CAAY,aAAA,CAAc,KAAK,CAAA;AACnD,IAAA,IAAI,CAAC,KAAA,EAAO;AACX,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,gCAAA;AAAA,QACR,OAAA,EAAS;AAAA,OACV;AAAA,IACD;AACA,IAAA,OAAO,gBAAA,CAAiB,SAAA,CAAU,KAAA,EAAO,OAAO,CAAA;AAAA,EACjD;AAGA,EAAA,eAAe,SAAS,KAAA,EAAgD;AACvE,IAAA,MAAM,WAAA,GAAc,MAAM,WAAA,CAAY,GAAA,CAAI,MAAM,SAAS,CAAA;AACzD,IAAA,IAAI,CAAC,aAAa,MAAM,IAAI,MAAM,CAAA,cAAA,EAAiB,KAAA,CAAM,SAAS,CAAA,WAAA,CAAa,CAAA;AAC/E,IAAA,IAAI,WAAA,CAAY,WAAW,QAAA,EAAU;AACpC,MAAA,MAAM,IAAI,MAAM,CAAA,cAAA,EAAiB,WAAA,CAAY,IAAI,CAAA,KAAA,EAAQ,WAAA,CAAY,MAAM,CAAA,CAAE,CAAA;AAAA,IAC9E;AACA,IAAA,OAAO,gBAAA,CAAiB,QAAA,CAAS,KAAA,EAAO,WAAA,CAAY,WAAW,CAAA;AAAA,EAChE;AAEA,EAAA,OAAO;AAAA,IACN,KAAA,EAAO;AAAA,MACN,QAAQ,WAAA,CAAY,MAAA;AAAA,MACpB,KAAK,WAAA,CAAY,GAAA;AAAA,MACjB,MAAM,WAAA,CAAY,IAAA;AAAA,MAClB,QAAQ,WAAA,CAAY,MAAA;AAAA,MACpB,QAAQ,WAAA,CAAY,MAAA;AAAA,MACpB,QAAQ,WAAA,CAAY,MAAA;AAAA,MACpB,eAAe,WAAA,CAAY;AAAA,KAC5B;AAAA,IACA,SAAA;AAAA,IACA,gBAAA;AAAA,IACA,QAAA;AAAA,IACA,UAAA,EAAY;AAAA,MACX,QAAQ,gBAAA,CAAiB,gBAAA;AAAA,MACzB,yBAAyB,gBAAA,CAAiB,uBAAA;AAAA,MAC1C,YAAY,gBAAA,CAAiB;AAAA,KAC9B;AAAA,IACA,KAAA,EAAO;AAAA,MACN,KAAA,EAAO,CAAC,MAAA,KAAwB,WAAA,CAAY,MAAM,MAAM,CAAA;AAAA,MACxD,MAAA,EAAQ,CAAC,OAAA,KAAgC,WAAA,CAAY,OAAO,OAAO;AAAA,KACpE;AAAA;AAAA,IAEA;AAAA,GACD;AACD;;;ACxFO,SAAS,oBAAoB,OAAA,EAA+D;AAClG,EAAA,MAAM,OAAA,GAAU,SAAS,OAAA,IAAW,uBAAA;AACpC,EAAA,MAAM,OAAA,GAAU,SAAS,OAAA,IAAW,OAAA;AAEpC,EAAA,OAAO;AAAA,IACN,OAAA,EAAS,OAAA;AAAA,IACT,IAAA,EAAM;AAAA,MACL,KAAA,EAAO,cAAA;AAAA,MACP,OAAA;AAAA,MACA,WAAA,EACC;AAAA,KACF;AAAA,IACA,SAAS,CAAC,EAAE,KAAK,OAAA,EAAS,WAAA,EAAa,uBAAuB,CAAA;AAAA,IAC9D,KAAA,EAAO;AAAA,MACN,SAAA,EAAW;AAAA,QACV,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,oBAAA;AAAA,UACT,WAAA,EAAa,aAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,yCAAwC;AAAE;AACjF,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,eAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,kBAAA,EAAoB;AAAA,kBACnB,MAAA,EAAQ,EAAE,IAAA,EAAM,qCAAA;AAAsC;AACvD;AACD,aACD;AAAA,YACA,KAAA,EAAO,EAAE,WAAA,EAAa,eAAA,EAAgB;AAAA,YACtC,KAAA,EAAO,EAAE,WAAA,EAAa,8BAAA;AAA+B;AACtD,SACD;AAAA,QACA,GAAA,EAAK;AAAA,UACJ,OAAA,EAAS,aAAA;AAAA,UACT,WAAA,EAAa,YAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY;AAAA,YACX,EAAE,IAAA,EAAM,QAAA,EAAU,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS,EAAE;AAAA,YAC3E;AAAA,cACC,IAAA,EAAM,QAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,CAAA;AAAE,aAClE;AAAA,YACA;AAAA,cACC,IAAA,EAAM,MAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA;AAAE;AACxE,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,gBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,kBAAA,EAAoB;AAAA,kBACnB,MAAA,EAAQ,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,8BAA6B;AAAE;AACxE;AACD;AACD;AACD;AACD,OACD;AAAA,MACA,cAAA,EAAgB;AAAA,QACf,GAAA,EAAK;AAAA,UACJ,OAAA,EAAS,iBAAA;AAAA,UACT,WAAA,EAAa,UAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY,CAAC,EAAE,IAAA,EAAM,MAAM,EAAA,EAAI,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,IAAY,CAAA;AAAA,UACnF,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,eAAA;AAAA,cACb,OAAA,EAAS,EAAE,kBAAA,EAAoB,EAAE,QAAQ,EAAE,IAAA,EAAM,4BAAA,EAA6B,EAAE;AAAE,aACnF;AAAA,YACA,KAAA,EAAO,EAAE,WAAA,EAAa,iBAAA;AAAkB;AACzC,SACD;AAAA,QACA,KAAA,EAAO;AAAA,UACN,OAAA,EAAS,cAAA;AAAA,UACT,WAAA,EAAa,aAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY,CAAC,EAAE,IAAA,EAAM,MAAM,EAAA,EAAI,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,IAAY,CAAA;AAAA,UACnF,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,yCAAwC;AAAE;AACjF,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,eAAA;AAAA,cACb,OAAA,EAAS,EAAE,kBAAA,EAAoB,EAAE,QAAQ,EAAE,IAAA,EAAM,4BAAA,EAA6B,EAAE;AAAE;AACnF;AACD,SACD;AAAA,QACA,MAAA,EAAQ;AAAA,UACP,OAAA,EAAS,cAAA;AAAA,UACT,WAAA,EAAa,aAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY,CAAC,EAAE,IAAA,EAAM,MAAM,EAAA,EAAI,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,IAAY,CAAA;AAAA,UACnF,WAAW,EAAE,KAAA,EAAO,EAAE,WAAA,EAAa,iBAAgB;AAAE;AACtD,OACD;AAAA,MACA,qBAAA,EAAuB;AAAA,QACtB,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,oBAAA;AAAA,UACT,WAAA,EAAa,kBAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY,CAAC,EAAE,IAAA,EAAM,MAAM,EAAA,EAAI,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,IAAY,CAAA;AAAA,UACnF,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,kBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,uCAAsC;AAAE;AAC/E;AACD;AACD;AACD,OACD;AAAA,MACA,YAAA,EAAc;AAAA,QACb,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,2BAAA;AAAA,UACT,WAAA,EAAa,WAAA;AAAA,UACb,IAAA,EAAM,CAAC,eAAe,CAAA;AAAA,UACtB,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,yCAAwC;AAAE;AACjF,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,sBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,wCAAuC;AAAE;AAChF;AACD;AACD;AACD,OACD;AAAA,MACA,kBAAA,EAAoB;AAAA,QACnB,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,0BAAA;AAAA,UACT,WAAA,EAAa,kBAAA;AAAA,UACb,IAAA,EAAM,CAAC,eAAe,CAAA;AAAA,UACtB,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,kBAAA,EAAoB;AAAA,gBACnB,MAAA,EAAQ;AAAA,kBACP,IAAA,EAAM,QAAA;AAAA,kBACN,UAAA,EAAY;AAAA,oBACX,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,oBACzB,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,oBAC3B,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA;AAAS,mBAC7B;AAAA,kBACA,QAAA,EAAU,CAAC,QAAA,EAAU,UAAU;AAAA;AAChC;AACD;AACD,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,sBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,wCAAuC;AAAE;AAChF;AACD;AACD;AACD,OACD;AAAA,MACA,QAAA,EAAU;AAAA,QACT,GAAA,EAAK;AAAA,UACJ,OAAA,EAAS,kBAAA;AAAA,UACT,WAAA,EAAa,YAAA;AAAA,UACb,IAAA,EAAM,CAAC,OAAO,CAAA;AAAA,UACd,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY;AAAA,YACX,EAAE,IAAA,EAAM,SAAA,EAAW,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS,EAAE;AAAA,YAC5E,EAAE,IAAA,EAAM,QAAA,EAAU,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS,EAAE;AAAA,YAC3E;AAAA,cACC,IAAA,EAAM,OAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY,aAC/C;AAAA,YACA;AAAA,cACC,IAAA,EAAM,OAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY,aAC/C;AAAA,YACA;AAAA,cACC,IAAA,EAAM,QAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,SAAA,EAAW,QAAA,EAAU,cAAc,CAAA;AAAE,aACvE;AAAA,YACA,EAAE,IAAA,EAAM,OAAA,EAAS,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAU,EAAE;AAAA,YAC3E,EAAE,IAAA,EAAM,QAAA,EAAU,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAU;AAAE,WAC7E;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,mBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,kBAAA,EAAoB;AAAA,kBACnB,MAAA,EAAQ,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC;AAAE;AAC7E;AACD;AACD;AACD;AACD,OACD;AAAA,MACA,cAAA,EAAgB;AAAA,QACf,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,yBAAA;AAAA,UACT,WAAA,EAAa,kBAAA;AAAA,UACb,IAAA,EAAM,CAAC,YAAY,CAAA;AAAA,UACnB,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,sCAAqC;AAAE;AAC9E,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,oBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,wCAAuC;AAAE;AAChF;AACD;AACD;AACD;AACD,KACD;AAAA,IACA,UAAA,EAAY;AAAA,MACX,OAAA,EAAS;AAAA,QACR,gBAAA,EAAkB;AAAA,UACjB,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,CAAC,SAAA,EAAW,MAAA,EAAQ,QAAQ,aAAa,CAAA;AAAA,UACnD,UAAA,EAAY;AAAA,YACX,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA,EAAE;AAAA,YACrE,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,WAAW,EAAE,IAAA,EAAM,UAAU,MAAA,EAAQ,WAAA,EAAa,UAAU,IAAA,EAAK;AAAA,YACjE,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA;AAAS;AAC5B,SACD;AAAA,QACA,gBAAA,EAAkB;AAAA,UACjB,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,WAAW,EAAE,IAAA,EAAM,UAAU,MAAA,EAAQ,WAAA,EAAa,UAAU,IAAA,EAAK;AAAA,YACjE,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA;AAAS;AAC5B,SACD;AAAA,QACA,KAAA,EAAO;AAAA,UACN,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,EAAA,EAAI,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACrB,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA,EAAE;AAAA,YACrE,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,CAAA,EAAE;AAAA,YACjE,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,WAAW,EAAE,IAAA,EAAM,UAAU,MAAA,EAAQ,WAAA,EAAa,UAAU,IAAA,EAAK;AAAA,YACjE,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA,EAAY;AAAA,YACjD,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY;AAClD,SACD;AAAA,QACA,cAAA,EAAgB;AAAA,UACf,IAAA,EAAM,QAAA;AAAA,UACN,WAAA,EAAa,gEAAA;AAAA,UACb,UAAA,EAAY;AAAA,YACX,EAAA,EAAI,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACrB,KAAA,EAAO;AAAA,cACN,IAAA,EAAM,QAAA;AAAA,cACN,WAAA,EACC;AAAA,aACF;AAAA,YACA,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACzB,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC;AAAE;AAClF,SACD;AAAA,QACA,UAAA,EAAY;AAAA,UACX,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,CAAC,UAAA,EAAY,SAAS,CAAA;AAAA,UAChC,UAAA,EAAY;AAAA,YACX,QAAA,EAAU;AAAA,cACT,IAAA,EAAM,QAAA;AAAA,cACN,WAAA,EAAa;AAAA,aACd;AAAA,YACA,OAAA,EAAS;AAAA,cACR,IAAA,EAAM,OAAA;AAAA,cACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,cACxB,WAAA,EAAa;AAAA,aACd;AAAA,YACA,WAAA,EAAa,EAAE,IAAA,EAAM,4CAAA;AAA6C;AACnE,SACD;AAAA,QACA,qBAAA,EAAuB;AAAA,UACtB,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YACnC,kBAAA,EAAoB,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,UAAS,EAAE;AAAA,YAC/D,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YACnC,UAAA,EAAY;AAAA,cACX,IAAA,EAAM,QAAA;AAAA,cACN,UAAA,EAAY;AAAA,gBACX,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,cAAA,EAAe;AAAA,gBACrD,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,cAAA;AAAe;AACpD,aACD;AAAA,YACA,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,UAAS;AAAE;AACzD,SACD;AAAA,QACA,gBAAA,EAAkB;AAAA,UACjB,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,CAAC,SAAA,EAAW,QAAA,EAAU,UAAU,CAAA;AAAA,UAC1C,UAAA,EAAY;AAAA,YACX,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACzB,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC3B,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA;AAAS;AAC7B,SACD;AAAA,QACA,eAAA,EAAiB;AAAA,UAChB,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,OAAA,EAAS,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YAC3B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,UAAU,IAAA,EAAK;AAAA,YACzC,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA;AAAS;AAC3B,SACD;AAAA,QACA,UAAA,EAAY;AAAA,UACX,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,EAAA,EAAI,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACrB,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACzB,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACzB,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC3B,UAAA,EAAY,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC7B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,SAAA,EAAW,QAAA,EAAU,cAAc,CAAA,EAAE;AAAA,YACtE,UAAA,EAAY,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YAC9B,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY;AAClD,SACD;AAAA,QACA,aAAA,EAAe;AAAA,UACd,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,CAAC,WAAA,EAAa,SAAA,EAAW,eAAe,WAAW,CAAA;AAAA,UAC7D,UAAA,EAAY;AAAA,YACX,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC5B,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA,EAAY;AAAA,YACjD,QAAA,EAAU,EAAE,IAAA,EAAM,SAAA;AAAU;AAC7B,SACD;AAAA,QACA,eAAA,EAAiB;AAAA,UAChB,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,EAAA,EAAI,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACrB,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC5B,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,KAAA,EAAO,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YACzB,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA,EAAY;AAAA,YACjD,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY;AAClD;AACD,OACD;AAAA,MACA,eAAA,EAAiB;AAAA,QAChB,UAAA,EAAY;AAAA,UACX,IAAA,EAAM,MAAA;AAAA,UACN,MAAA,EAAQ,QAAA;AAAA,UACR,YAAA,EAAc;AAAA,SACf;AAAA,QACA,UAAA,EAAY;AAAA,UACX,IAAA,EAAM,MAAA;AAAA,UACN,MAAA,EAAQ,QAAA;AAAA,UACR,YAAA,EAAc;AAAA;AACf;AACD;AACD,GACD;AACD","file":"index.js","sourcesContent":["import BetterSqlite3 from \"better-sqlite3\";\nimport type { BetterSQLite3Database } from \"drizzle-orm/better-sqlite3\";\nimport { drizzle as drizzleSqlite } from \"drizzle-orm/better-sqlite3\";\nimport * as schema from \"./schema.js\";\n\n// ──────────────────────────────────────────────────────────────────────────────\n// Type definitions\n// ──────────────────────────────────────────────────────────────────────────────\n\n/**\n * The fully-typed SQLite Drizzle database.\n * Postgres and MySQL connections are represented as `AnyDatabase` at the\n * adapter boundary because drizzle-orm exposes separate schema builders\n * (pg-core / mysql-core) that are incompatible with the SQLite schema\n * defined in schema.ts. Full multi-dialect Drizzle schema support is\n * planned for v0.2.0.\n */\nexport type Database = BetterSQLite3Database<typeof schema>;\n\n/**\n * A wider union used internally when the provider is postgres or mysql.\n * Using `unknown` with a discriminated tag keeps `any` contained to a\n * single adapter-boundary cast below.\n */\nexport type AnyDatabase =\n\t| { provider: \"sqlite\"; db: Database }\n\t| { provider: \"postgres\"; db: PostgresDatabase }\n\t| { provider: \"mysql\"; db: MySQLDatabase };\n\n// Import types lazily so the drivers stay optional peer deps.\n// biome-ignore lint/suspicious/noExplicitAny: adapter boundary - drizzle pg/mysql types are not compatible with sqlite schema\ntype PostgresDatabase = any;\n// biome-ignore lint/suspicious/noExplicitAny: adapter boundary - drizzle pg/mysql types are not compatible with sqlite schema\ntype MySQLDatabase = any;\n\nexport interface DatabaseConfig {\n\tprovider: \"sqlite\" | \"postgres\" | \"mysql\";\n\turl: string;\n\t/** Skip automatic table creation on init (default: false) */\n\tskipMigrations?: boolean;\n}\n\n// ──────────────────────────────────────────────────────────────────────────────\n// Factory\n// ──────────────────────────────────────────────────────────────────────────────\n\n/**\n * Create a database connection.\n *\n * - **SQLite** – fully typed Drizzle ORM via `better-sqlite3` (current default).\n * - **Postgres** – Drizzle connection via `drizzle-orm/node-postgres` + `pg` (peer dep).\n * - **MySQL** – Drizzle connection via `drizzle-orm/mysql2` + `mysql2` (peer dep).\n *\n * For Postgres and MySQL the return value is typed as `Database` for source\n * compatibility; the underlying Drizzle instance is created against the\n * correct driver. Full pg-core / mysql-core schema typings are planned for v0.2.0.\n */\nexport async function createDatabase(config: DatabaseConfig): Promise<Database> {\n\tif (config.provider === \"sqlite\") {\n\t\tconst sqlite = new BetterSqlite3(config.url);\n\t\tsqlite.pragma(\"journal_mode = WAL\");\n\t\tsqlite.pragma(\"foreign_keys = ON\");\n\t\treturn drizzleSqlite(sqlite, { schema });\n\t}\n\n\tif (config.provider === \"postgres\") {\n\t\t// Dynamic import keeps `pg` an optional peer dep.\n\t\tconst { Pool } = await import(\"pg\").catch(() => {\n\t\t\tthrow new Error(\n\t\t\t\t'KavachOS: provider \"postgres\" requires the \"pg\" package. ' +\n\t\t\t\t\t\"Install it with: npm install pg\",\n\t\t\t);\n\t\t});\n\t\tconst { drizzle } = await import(\"drizzle-orm/node-postgres\");\n\n\t\tconst pool = new Pool({ connectionString: config.url });\n\t\t// Cast to Database for API compatibility; full pg schema arrives in v0.2.0.\n\t\t// biome-ignore lint/suspicious/noExplicitAny: adapter boundary - cast pg drizzle to sqlite-typed Database\n\t\treturn drizzle(pool) as any as Database;\n\t}\n\n\tif (config.provider === \"mysql\") {\n\t\t// Dynamic import keeps `mysql2` an optional peer dep.\n\t\tconst mysql2 = await import(\"mysql2/promise\").catch(() => {\n\t\t\tthrow new Error(\n\t\t\t\t'KavachOS: provider \"mysql\" requires the \"mysql2\" package. ' +\n\t\t\t\t\t\"Install it with: npm install mysql2\",\n\t\t\t);\n\t\t});\n\t\tconst { drizzle } = await import(\"drizzle-orm/mysql2\");\n\n\t\tconst pool = mysql2.createPool(config.url);\n\t\t// Cast to Database for API compatibility; full mysql-core schema arrives in v0.2.0.\n\t\t// biome-ignore lint/suspicious/noExplicitAny: adapter boundary - cast pg drizzle to sqlite-typed Database\n\t\treturn drizzle(pool) as any as Database;\n\t}\n\n\tthrow new Error(\n\t\t`KavachOS: unsupported database provider \"${(config as DatabaseConfig).provider}\". ` +\n\t\t\t'Valid values are \"sqlite\", \"postgres\", \"mysql\".',\n\t);\n}\n\n/**\n * Synchronous SQLite-only factory kept for backwards compatibility with code\n * that cannot use async initialisation. Throws if a non-SQLite provider is\n * supplied.\n *\n * @deprecated Prefer the async `createDatabase()` which supports all providers.\n */\nexport function createDatabaseSync(config: DatabaseConfig): Database {\n\tif (config.provider !== \"sqlite\") {\n\t\tthrow new Error(\n\t\t\t`createDatabaseSync() only supports SQLite. ` +\n\t\t\t\t`Use the async createDatabase() for provider \"${config.provider}\".`,\n\t\t);\n\t}\n\tconst sqlite = new BetterSqlite3(config.url);\n\tsqlite.pragma(\"journal_mode = WAL\");\n\tsqlite.pragma(\"foreign_keys = ON\");\n\treturn drizzleSqlite(sqlite, { schema });\n}\n","import type { Database, DatabaseConfig } from \"./database.js\";\n\n// ──────────────────────────────────────────────────────────────────────────────\n// Per-provider DDL helpers\n// ──────────────────────────────────────────────────────────────────────────────\n\n/**\n * Returns CREATE TABLE statements for all 10 KavachOS tables, adapted to the\n * target SQL dialect.\n *\n * Dialect differences handled here:\n * - **Timestamps** – SQLite stores as INTEGER (Unix ms); Postgres uses\n * TIMESTAMPTZ; MySQL uses DATETIME(3).\n * - **JSON columns** – SQLite stores as TEXT; Postgres uses JSONB;\n * MySQL uses JSON.\n * - **Booleans** – SQLite stores as INTEGER (0/1); Postgres uses BOOLEAN;\n * MySQL uses TINYINT(1).\n * - **Auto-increment** – Not used here (IDs are application-generated UUIDs /\n * nanoids), so no SERIAL vs AUTO_INCREMENT difference applies.\n */\nfunction buildStatements(provider: DatabaseConfig[\"provider\"]): string[] {\n\tconst isPostgres = provider === \"postgres\";\n\tconst isMysql = provider === \"mysql\";\n\n\t// Timestamp column type\n\tconst ts = isPostgres ? \"TIMESTAMPTZ\" : isMysql ? \"DATETIME(3)\" : \"INTEGER\";\n\t// Nullable timestamp (same type, just no NOT NULL)\n\tconst tsNull = ts;\n\t// JSON column type\n\tconst json = isPostgres ? \"JSONB\" : isMysql ? \"JSON\" : \"TEXT\";\n\t// Boolean column type\n\tconst bool = isPostgres ? \"BOOLEAN\" : isMysql ? \"TINYINT(1)\" : \"INTEGER\";\n\t// IF NOT EXISTS is universally supported\n\tconst ifne = \"IF NOT EXISTS\";\n\n\treturn [\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_users\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_users (\n id TEXT NOT NULL PRIMARY KEY,\n email TEXT NOT NULL UNIQUE,\n name TEXT,\n external_id TEXT,\n external_provider TEXT,\n metadata ${json},\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_agents\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_agents (\n id TEXT NOT NULL PRIMARY KEY,\n owner_id TEXT NOT NULL REFERENCES kavach_users(id),\n name TEXT NOT NULL,\n type TEXT NOT NULL,\n status TEXT NOT NULL DEFAULT 'active',\n token_hash TEXT NOT NULL,\n token_prefix TEXT NOT NULL,\n expires_at ${tsNull},\n last_active_at ${tsNull},\n metadata ${json},\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_permissions\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_permissions (\n id TEXT NOT NULL PRIMARY KEY,\n agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,\n resource TEXT NOT NULL,\n actions ${json} NOT NULL,\n constraints ${json},\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_delegation_chains\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_delegation_chains (\n id TEXT NOT NULL PRIMARY KEY,\n from_agent_id TEXT NOT NULL REFERENCES kavach_agents(id),\n to_agent_id TEXT NOT NULL REFERENCES kavach_agents(id),\n permissions ${json} NOT NULL,\n depth INTEGER NOT NULL DEFAULT 1,\n max_depth INTEGER NOT NULL DEFAULT 3,\n status TEXT NOT NULL DEFAULT 'active',\n expires_at ${ts} NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_audit_logs\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_audit_logs (\n id TEXT NOT NULL PRIMARY KEY,\n agent_id TEXT NOT NULL REFERENCES kavach_agents(id),\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n action TEXT NOT NULL,\n resource TEXT NOT NULL,\n parameters ${json},\n result TEXT NOT NULL,\n reason TEXT,\n duration_ms INTEGER NOT NULL,\n tokens_cost INTEGER,\n ip TEXT,\n user_agent TEXT,\n timestamp ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_rate_limits\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_rate_limits (\n id TEXT NOT NULL PRIMARY KEY,\n agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,\n resource TEXT NOT NULL,\n window_start ${ts} NOT NULL,\n count INTEGER NOT NULL DEFAULT 0\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_mcp_servers\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_mcp_servers (\n id TEXT NOT NULL PRIMARY KEY,\n name TEXT NOT NULL,\n endpoint TEXT NOT NULL UNIQUE,\n tools ${json} NOT NULL,\n auth_required ${bool} NOT NULL DEFAULT ${isPostgres ? \"TRUE\" : \"1\"},\n rate_limit_rpm INTEGER,\n status TEXT NOT NULL DEFAULT 'active',\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_oauth_clients\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_oauth_clients (\n id TEXT NOT NULL PRIMARY KEY,\n client_id TEXT NOT NULL UNIQUE,\n client_secret TEXT,\n client_name TEXT,\n client_uri TEXT,\n redirect_uris ${json} NOT NULL,\n grant_types ${json} NOT NULL,\n response_types ${json} NOT NULL,\n token_endpoint_auth_method TEXT NOT NULL DEFAULT 'client_secret_basic',\n type TEXT NOT NULL DEFAULT 'confidential',\n disabled ${bool} NOT NULL DEFAULT ${isPostgres ? \"FALSE\" : \"0\"},\n metadata ${json},\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_oauth_access_tokens\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_oauth_access_tokens (\n id TEXT NOT NULL PRIMARY KEY,\n access_token TEXT NOT NULL UNIQUE,\n refresh_token TEXT UNIQUE,\n client_id TEXT NOT NULL REFERENCES kavach_oauth_clients(client_id),\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n scopes TEXT NOT NULL,\n resource TEXT,\n access_token_expires_at ${ts} NOT NULL,\n refresh_token_expires_at ${tsNull},\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_oauth_authorization_codes\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_oauth_authorization_codes (\n id TEXT NOT NULL PRIMARY KEY,\n code TEXT NOT NULL UNIQUE,\n client_id TEXT NOT NULL REFERENCES kavach_oauth_clients(client_id),\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n redirect_uri TEXT NOT NULL,\n scopes TEXT NOT NULL,\n code_challenge TEXT,\n code_challenge_method TEXT,\n resource TEXT,\n expires_at ${ts} NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\t];\n}\n\n// ──────────────────────────────────────────────────────────────────────────────\n// Public API\n// ──────────────────────────────────────────────────────────────────────────────\n\n/**\n * Create all KavachOS tables if they do not already exist.\n *\n * Uses `CREATE TABLE IF NOT EXISTS` so it is safe to call on every startup.\n * Tables are created in dependency order (no forward-reference FK issues).\n *\n * @param db Drizzle database instance returned by `createDatabase()`.\n * @param provider The database provider used to build the correct DDL syntax.\n *\n * @example\n * ```typescript\n * const db = await createDatabase({ provider: 'postgres', url: process.env.DATABASE_URL });\n * await createTables(db, 'postgres');\n * ```\n */\nexport async function createTables(\n\tdb: Database,\n\tprovider: DatabaseConfig[\"provider\"],\n): Promise<void> {\n\tconst statements = buildStatements(provider);\n\n\tif (provider === \"sqlite\") {\n\t\t// SQLite Drizzle exposes the underlying better-sqlite3 instance via\n\t\t// the `session` property. We use it for synchronous multi-statement\n\t\t// execution which is the most reliable path for DDL on SQLite.\n\t\t// biome-ignore lint/suspicious/noExplicitAny: accessing internal drizzle session for raw DDL\n\t\tconst session = (db as any).session;\n\t\tif (session?.client?.exec) {\n\t\t\t// better-sqlite3 Database.exec() runs multiple statements separated\n\t\t\t// by semicolons in a single call.\n\t\t\tsession.client.exec(statements.join(\";\\n\") + \";\");\n\t\t\treturn;\n\t\t}\n\t\t// Fallback: run each statement individually via drizzle `run`.\n\t\t// biome-ignore lint/suspicious/noExplicitAny: raw SQL fallback for DDL execution\n\t\tconst anyDb = db as any;\n\t\tfor (const sql of statements) {\n\t\t\tawait anyDb.run(sql);\n\t\t}\n\t\treturn;\n\t}\n\n\t// Postgres and MySQL: execute each statement via the underlying pool/client.\n\t// We access the internal session to issue raw DDL since drizzle-orm/node-postgres\n\t// and drizzle-orm/mysql2 both expose `.session.client` (or `.client`).\n\t// biome-ignore lint/suspicious/noExplicitAny: raw DDL on pg/mysql adapter boundary\n\tconst anyDb = db as any;\n\n\tif (provider === \"postgres\") {\n\t\t// drizzle-orm/node-postgres wraps a `pg` Pool; the pool is at db.session.client\n\t\t// or accessible via db.$client depending on drizzle version.\n\t\tconst client: { query: (sql: string) => Promise<unknown> } =\n\t\t\tanyDb.$client ?? anyDb.session?.client;\n\t\tif (!client) {\n\t\t\tthrow new Error(\n\t\t\t\t\"KavachOS createTables: cannot access underlying pg client from Drizzle instance.\",\n\t\t\t);\n\t\t}\n\t\tfor (const sql of statements) {\n\t\t\tawait client.query(sql);\n\t\t}\n\t\treturn;\n\t}\n\n\tif (provider === \"mysql\") {\n\t\t// drizzle-orm/mysql2 wraps a mysql2 Pool; exposed at db.$client.\n\t\tconst client: { execute: (sql: string) => Promise<unknown> } =\n\t\t\tanyDb.$client ?? anyDb.session?.client;\n\t\tif (!client) {\n\t\t\tthrow new Error(\n\t\t\t\t\"KavachOS createTables: cannot access underlying mysql2 client from Drizzle instance.\",\n\t\t\t);\n\t\t}\n\t\tfor (const sql of statements) {\n\t\t\tawait client.execute(sql);\n\t\t}\n\t\treturn;\n\t}\n\n\tthrow new Error(`createTables: unsupported provider \"${provider}\"`);\n}\n","import { randomUUID } from \"node:crypto\";\nimport { and, eq } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { delegationChains } from \"../db/schema.js\";\nimport type { DelegateInput, DelegationChain, Permission } from \"../types.js\";\n\ninterface DelegationModuleConfig {\n\tdb: Database;\n}\n\n/**\n * Verify that delegated permissions are a subset of the parent's permissions.\n * A child agent cannot have more permissions than its parent.\n */\nfunction isPermissionSubset(parentPerms: Permission[], childPerms: Permission[]): boolean {\n\tfor (const childPerm of childPerms) {\n\t\tconst parentMatch = parentPerms.find((p) => {\n\t\t\t// Check resource match (child must be same or more specific)\n\t\t\tif (!isResourceSubset(p.resource, childPerm.resource)) return false;\n\n\t\t\t// Check actions match (child must have same or fewer actions)\n\t\t\tfor (const action of childPerm.actions) {\n\t\t\t\tif (!p.actions.includes(action) && !p.actions.includes(\"*\")) return false;\n\t\t\t}\n\n\t\t\treturn true;\n\t\t});\n\n\t\tif (!parentMatch) return false;\n\t}\n\n\treturn true;\n}\n\n/**\n * Check if childResource is the same as or more specific than parentResource.\n * \"mcp:github:*\" contains \"mcp:github:read\"\n * \"mcp:*\" contains \"mcp:github:*\"\n * \"*\" contains everything\n */\nfunction isResourceSubset(parentResource: string, childResource: string): boolean {\n\tif (parentResource === \"*\") return true;\n\tif (parentResource === childResource) return true;\n\n\tconst parentParts = parentResource.split(\":\");\n\tconst childParts = childResource.split(\":\");\n\n\tfor (let i = 0; i < parentParts.length; i++) {\n\t\tif (parentParts[i] === \"*\") return true;\n\t\tif (parentParts[i] !== childParts[i]) return false;\n\t}\n\n\treturn parentParts.length <= childParts.length;\n}\n\n/**\n * Create the delegation module.\n * Handles agent-to-agent permission delegation with chain tracking.\n */\nexport function createDelegationModule(config: DelegationModuleConfig) {\n\tconst { db } = config;\n\n\tasync function delegate(\n\t\tinput: DelegateInput,\n\t\tparentPermissions: Permission[],\n\t): Promise<DelegationChain> {\n\t\t// Validate permissions are a subset\n\t\tif (!isPermissionSubset(parentPermissions, input.permissions)) {\n\t\t\tthrow new Error(\n\t\t\t\t\"Delegated permissions must be a subset of the parent agent's permissions. \" +\n\t\t\t\t\t\"A child agent cannot have more access than its parent.\",\n\t\t\t);\n\t\t}\n\n\t\t// Check delegation depth\n\t\tconst existingChains = await db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(\n\t\t\t\tand(eq(delegationChains.toAgentId, input.fromAgent), eq(delegationChains.status, \"active\")),\n\t\t\t);\n\n\t\tconst currentDepth =\n\t\t\texistingChains.length > 0 ? Math.max(...existingChains.map((c) => c.depth)) + 1 : 1;\n\n\t\tconst maxDepth = input.maxDepth ?? 3;\n\n\t\tif (currentDepth > maxDepth) {\n\t\t\tthrow new Error(\n\t\t\t\t`Delegation depth ${currentDepth} exceeds maximum allowed depth of ${maxDepth}. ` +\n\t\t\t\t\t\"This prevents infinite delegation chains.\",\n\t\t\t);\n\t\t}\n\n\t\tconst id = randomUUID();\n\t\tconst now = new Date();\n\n\t\tawait db.insert(delegationChains).values({\n\t\t\tid,\n\t\t\tfromAgentId: input.fromAgent,\n\t\t\ttoAgentId: input.toAgent,\n\t\t\tpermissions: input.permissions.map((p) => ({\n\t\t\t\tresource: p.resource,\n\t\t\t\tactions: p.actions,\n\t\t\t})),\n\t\t\tdepth: currentDepth,\n\t\t\tmaxDepth,\n\t\t\tstatus: \"active\",\n\t\t\texpiresAt: input.expiresAt,\n\t\t\tcreatedAt: now,\n\t\t});\n\n\t\treturn {\n\t\t\tid,\n\t\t\tfromAgent: input.fromAgent,\n\t\t\ttoAgent: input.toAgent,\n\t\t\tpermissions: input.permissions,\n\t\t\texpiresAt: input.expiresAt,\n\t\t\tdepth: currentDepth,\n\t\t\tcreatedAt: now,\n\t\t};\n\t}\n\n\t/**\n\t * Revoke a delegation chain. Revoking a parent chain also revokes all children.\n\t */\n\tasync function revokeDelegation(chainId: string): Promise<void> {\n\t\tconst chain = await db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(eq(delegationChains.id, chainId))\n\t\t\t.limit(1);\n\n\t\tif (!chain[0]) throw new Error(`Delegation chain ${chainId} not found.`);\n\n\t\t// Revoke this chain\n\t\tawait db\n\t\t\t.update(delegationChains)\n\t\t\t.set({ status: \"revoked\" })\n\t\t\t.where(eq(delegationChains.id, chainId));\n\n\t\t// Cascade: revoke all chains where the to-agent of this chain is the from-agent\n\t\tconst childChains = await db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(\n\t\t\t\tand(\n\t\t\t\t\teq(delegationChains.fromAgentId, chain[0].toAgentId),\n\t\t\t\t\teq(delegationChains.status, \"active\"),\n\t\t\t\t),\n\t\t\t);\n\n\t\tfor (const child of childChains) {\n\t\t\tawait revokeDelegation(child.id);\n\t\t}\n\t}\n\n\t/**\n\t * Get the effective permissions for an agent, including delegated permissions.\n\t */\n\tasync function getEffectivePermissions(agentId: string): Promise<Permission[]> {\n\t\tconst chains = await db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(and(eq(delegationChains.toAgentId, agentId), eq(delegationChains.status, \"active\")));\n\n\t\t// Filter expired chains\n\t\tconst now = new Date();\n\t\tconst activeChains = chains.filter((c) => c.expiresAt > now);\n\n\t\t// Collect all delegated permissions\n\t\tconst delegatedPerms: Permission[] = [];\n\t\tfor (const chain of activeChains) {\n\t\t\tfor (const perm of chain.permissions) {\n\t\t\t\tdelegatedPerms.push({\n\t\t\t\t\tresource: perm.resource,\n\t\t\t\t\tactions: perm.actions,\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\n\t\treturn delegatedPerms;\n\t}\n\n\t/**\n\t * List all delegation chains for an agent (as source or target).\n\t */\n\tasync function listChains(agentId: string): Promise<DelegationChain[]> {\n\t\tconst chains = await db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(eq(delegationChains.fromAgentId, agentId));\n\n\t\treturn chains.map((c) => ({\n\t\t\tid: c.id,\n\t\t\tfromAgent: c.fromAgentId,\n\t\t\ttoAgent: c.toAgentId,\n\t\t\tpermissions: c.permissions.map((p) => ({\n\t\t\t\tresource: p.resource,\n\t\t\t\tactions: p.actions,\n\t\t\t})),\n\t\t\texpiresAt: c.expiresAt,\n\t\t\tdepth: c.depth,\n\t\t\tcreatedAt: c.createdAt,\n\t\t}));\n\t}\n\n\treturn { delegate, revokeDelegation, getEffectivePermissions, listChains };\n}\n","import { createAgentModule } from \"./agent/agent.js\";\nimport { createAuditModule } from \"./audit/audit.js\";\nimport { createDatabase } from \"./db/database.js\";\nimport { createTables } from \"./db/migrations.js\";\nimport { createDelegationModule } from \"./delegation/delegation.js\";\nimport { createPermissionEngine } from \"./permission/engine.js\";\nimport type {\n\tAuditExportOptions,\n\tAuditFilter,\n\tAuthorizeRequest,\n\tAuthorizeResult,\n\tDelegateInput,\n\tDelegationChain,\n\tKavachConfig,\n} from \"./types.js\";\n\n/**\n * Create a KavachOS instance.\n *\n * The factory is **async** so it can open database connections for Postgres\n * and MySQL (which require async driver initialisation) and optionally run\n * `CREATE TABLE IF NOT EXISTS` for all schema tables.\n *\n * @example SQLite (simplest)\n * ```typescript\n * import { createKavach } from 'kavachos';\n *\n * const kavach = await createKavach({\n * database: { provider: 'sqlite', url: 'kavach.db' },\n * });\n * ```\n *\n * @example Postgres\n * ```typescript\n * const kavach = await createKavach({\n * database: { provider: 'postgres', url: process.env.DATABASE_URL },\n * });\n * ```\n *\n * @example MySQL – skip auto-migration (tables managed externally)\n * ```typescript\n * const kavach = await createKavach({\n * database: {\n * provider: 'mysql',\n * url: process.env.DATABASE_URL,\n * skipMigrations: true,\n * },\n * });\n * ```\n */\nexport async function createKavach(config: KavachConfig) {\n\tconst db = await createDatabase(config.database);\n\n\t// Automatically create tables unless the caller has opted out.\n\t// Uses CREATE TABLE IF NOT EXISTS so it is safe to run every startup.\n\tif (!config.database.skipMigrations) {\n\t\tawait createTables(db, config.database.provider);\n\t}\n\n\tconst agentConfig = {\n\t\tdb,\n\t\tmaxPerUser: config.agents?.maxPerUser ?? 10,\n\t\tdefaultPermissions: config.agents?.defaultPermissions ?? [],\n\t\ttokenExpiry: config.agents?.tokenExpiry ?? \"24h\",\n\t};\n\n\tconst agentModule = createAgentModule(agentConfig);\n\n\tconst permissionEngine = createPermissionEngine({\n\t\tdb,\n\t\tauditAll: config.agents?.auditAll ?? true,\n\t});\n\n\tconst auditModule = createAuditModule({ db });\n\n\tconst delegationModule = createDelegationModule({ db });\n\n\t// Authorize: look up agent, check permissions\n\tasync function authorize(agentId: string, request: AuthorizeRequest): Promise<AuthorizeResult> {\n\t\tconst agent = await agentModule.get(agentId);\n\t\tif (!agent) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `Agent \"${agentId}\" not found`,\n\t\t\t\tauditId: \"\",\n\t\t\t};\n\t\t}\n\t\tif (agent.status !== \"active\") {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `Agent \"${agent.name}\" is ${agent.status}`,\n\t\t\t\tauditId: \"\",\n\t\t\t};\n\t\t}\n\t\treturn permissionEngine.authorize(agent, request);\n\t}\n\n\t// Authorize by token: validate token then check permissions\n\tasync function authorizeByToken(\n\t\ttoken: string,\n\t\trequest: AuthorizeRequest,\n\t): Promise<AuthorizeResult> {\n\t\tconst agent = await agentModule.validateToken(token);\n\t\tif (!agent) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: \"Invalid or expired agent token\",\n\t\t\t\tauditId: \"\",\n\t\t\t};\n\t\t}\n\t\treturn permissionEngine.authorize(agent, request);\n\t}\n\n\t// Delegate: verify parent permissions then create chain\n\tasync function delegate(input: DelegateInput): Promise<DelegationChain> {\n\t\tconst parentAgent = await agentModule.get(input.fromAgent);\n\t\tif (!parentAgent) throw new Error(`Parent agent \"${input.fromAgent}\" not found`);\n\t\tif (parentAgent.status !== \"active\") {\n\t\t\tthrow new Error(`Parent agent \"${parentAgent.name}\" is ${parentAgent.status}`);\n\t\t}\n\t\treturn delegationModule.delegate(input, parentAgent.permissions);\n\t}\n\n\treturn {\n\t\tagent: {\n\t\t\tcreate: agentModule.create,\n\t\t\tget: agentModule.get,\n\t\t\tlist: agentModule.list,\n\t\t\tupdate: agentModule.update,\n\t\t\trevoke: agentModule.revoke,\n\t\t\trotate: agentModule.rotate,\n\t\t\tvalidateToken: agentModule.validateToken,\n\t\t},\n\t\tauthorize,\n\t\tauthorizeByToken,\n\t\tdelegate,\n\t\tdelegation: {\n\t\t\trevoke: delegationModule.revokeDelegation,\n\t\t\tgetEffectivePermissions: delegationModule.getEffectivePermissions,\n\t\t\tlistChains: delegationModule.listChains,\n\t\t},\n\t\taudit: {\n\t\t\tquery: (filter: AuditFilter) => auditModule.query(filter),\n\t\t\texport: (options: AuditExportOptions) => auditModule.export(options),\n\t\t},\n\t\t/** Direct database access for advanced usage */\n\t\tdb,\n\t};\n}\n\nexport type Kavach = Awaited<ReturnType<typeof createKavach>>;\n","/**\n * OpenAPI 3.1 specification generator for KavachOS REST API.\n *\n * This generates the spec that enables auto-generated SDKs\n * for Python, Go, Java, Rust, etc. via OpenAPI codegen tools.\n */\n\nexport interface OpenAPISpec {\n\topenapi: string;\n\tinfo: { title: string; version: string; description: string };\n\tservers: Array<{ url: string; description: string }>;\n\tpaths: Record<string, Record<string, PathOperation>>;\n\tcomponents: {\n\t\tschemas: Record<string, SchemaObject>;\n\t\tsecuritySchemes: Record<string, SecurityScheme>;\n\t};\n}\n\ninterface PathOperation {\n\tsummary: string;\n\toperationId: string;\n\ttags: string[];\n\tsecurity?: Array<Record<string, string[]>>;\n\tparameters?: ParameterObject[];\n\trequestBody?: { required: boolean; content: Record<string, { schema: SchemaRef }> };\n\tresponses: Record<\n\t\tstring,\n\t\t{ description: string; content?: Record<string, { schema: SchemaRef }> }\n\t>;\n}\n\ninterface ParameterObject {\n\tname: string;\n\tin: \"query\" | \"path\" | \"header\";\n\trequired: boolean;\n\tschema: SchemaRef;\n}\n\ninterface SecurityScheme {\n\ttype: string;\n\tscheme?: string;\n\tbearerFormat?: string;\n}\n\ntype SchemaRef = { $ref: string } | SchemaObject;\n\ninterface SchemaObject {\n\ttype?: string;\n\tproperties?: Record<string, SchemaRef>;\n\trequired?: string[];\n\titems?: SchemaRef;\n\tenum?: string[];\n\tdescription?: string;\n\tformat?: string;\n\tnullable?: boolean;\n}\n\n/**\n * Generate the full OpenAPI 3.1 specification for the KavachOS REST API.\n */\nexport function generateOpenAPISpec(options?: { baseUrl?: string; version?: string }): OpenAPISpec {\n\tconst baseUrl = options?.baseUrl ?? \"http://localhost:3000\";\n\tconst version = options?.version ?? \"0.0.1\";\n\n\treturn {\n\t\topenapi: \"3.1.0\",\n\t\tinfo: {\n\t\t\ttitle: \"KavachOS API\",\n\t\t\tversion,\n\t\t\tdescription:\n\t\t\t\t\"The Auth OS for AI Agents. Identity, permissions, delegation, and audit for the agentic era.\",\n\t\t},\n\t\tservers: [{ url: baseUrl, description: \"KavachOS API Server\" }],\n\t\tpaths: {\n\t\t\t\"/agents\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Create a new agent\",\n\t\t\t\t\toperationId: \"createAgent\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/CreateAgentInput\" } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"201\": {\n\t\t\t\t\t\t\tdescription: \"Agent created\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: { $ref: \"#/components/schemas/AgentWithToken\" },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\"400\": { description: \"Invalid input\" },\n\t\t\t\t\t\t\"429\": { description: \"Max agents per user exceeded\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tget: {\n\t\t\t\t\tsummary: \"List agents\",\n\t\t\t\t\toperationId: \"listAgents\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [\n\t\t\t\t\t\t{ name: \"userId\", in: \"query\", required: false, schema: { type: \"string\" } },\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"status\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", enum: [\"active\", \"revoked\", \"expired\"] },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"type\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", enum: [\"autonomous\", \"delegated\", \"service\"] },\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"List of agents\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: { type: \"array\", items: { $ref: \"#/components/schemas/Agent\" } },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/agents/{id}\": {\n\t\t\t\tget: {\n\t\t\t\t\tsummary: \"Get agent by ID\",\n\t\t\t\t\toperationId: \"getAgent\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [{ name: \"id\", in: \"path\", required: true, schema: { type: \"string\" } }],\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Agent details\",\n\t\t\t\t\t\t\tcontent: { \"application/json\": { schema: { $ref: \"#/components/schemas/Agent\" } } },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\"404\": { description: \"Agent not found\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tpatch: {\n\t\t\t\t\tsummary: \"Update agent\",\n\t\t\t\t\toperationId: \"updateAgent\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [{ name: \"id\", in: \"path\", required: true, schema: { type: \"string\" } }],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/UpdateAgentInput\" } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Agent updated\",\n\t\t\t\t\t\t\tcontent: { \"application/json\": { schema: { $ref: \"#/components/schemas/Agent\" } } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tdelete: {\n\t\t\t\t\tsummary: \"Revoke agent\",\n\t\t\t\t\toperationId: \"revokeAgent\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [{ name: \"id\", in: \"path\", required: true, schema: { type: \"string\" } }],\n\t\t\t\t\tresponses: { \"204\": { description: \"Agent revoked\" } },\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/agents/{id}/rotate\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Rotate agent token\",\n\t\t\t\t\toperationId: \"rotateAgentToken\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [{ name: \"id\", in: \"path\", required: true, schema: { type: \"string\" } }],\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"New token issued\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/AgentWithToken\" } },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/authorize\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Authorize an agent action\",\n\t\t\t\t\toperationId: \"authorize\",\n\t\t\t\t\ttags: [\"Authorization\"],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/AuthorizeRequest\" } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Authorization result\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/AuthorizeResult\" } },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/authorize/token\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Authorize by agent token\",\n\t\t\t\t\toperationId: \"authorizeByToken\",\n\t\t\t\t\ttags: [\"Authorization\"],\n\t\t\t\t\tsecurity: [{ AgentToken: [] }],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\taction: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\tresource: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\targuments: { type: \"object\" },\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\trequired: [\"action\", \"resource\"],\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Authorization result\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/AuthorizeResult\" } },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/audit\": {\n\t\t\t\tget: {\n\t\t\t\t\tsummary: \"Query audit logs\",\n\t\t\t\t\toperationId: \"queryAudit\",\n\t\t\t\t\ttags: [\"Audit\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [\n\t\t\t\t\t\t{ name: \"agentId\", in: \"query\", required: false, schema: { type: \"string\" } },\n\t\t\t\t\t\t{ name: \"userId\", in: \"query\", required: false, schema: { type: \"string\" } },\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"since\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"until\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"result\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", enum: [\"allowed\", \"denied\", \"rate_limited\"] },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{ name: \"limit\", in: \"query\", required: false, schema: { type: \"integer\" } },\n\t\t\t\t\t\t{ name: \"offset\", in: \"query\", required: false, schema: { type: \"integer\" } },\n\t\t\t\t\t],\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Audit log entries\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: { type: \"array\", items: { $ref: \"#/components/schemas/AuditEntry\" } },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/delegations\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Create delegation chain\",\n\t\t\t\t\toperationId: \"createDelegation\",\n\t\t\t\t\ttags: [\"Delegation\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/DelegateInput\" } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"201\": {\n\t\t\t\t\t\t\tdescription: \"Delegation created\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/DelegationChain\" } },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tcomponents: {\n\t\t\tschemas: {\n\t\t\t\tCreateAgentInput: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\trequired: [\"ownerId\", \"name\", \"type\", \"permissions\"],\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\townerId: { type: \"string\" },\n\t\t\t\t\t\tname: { type: \"string\" },\n\t\t\t\t\t\ttype: { type: \"string\", enum: [\"autonomous\", \"delegated\", \"service\"] },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\", nullable: true },\n\t\t\t\t\t\tmetadata: { type: \"object\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tUpdateAgentInput: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tname: { type: \"string\" },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\", nullable: true },\n\t\t\t\t\t\tmetadata: { type: \"object\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAgent: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tid: { type: \"string\" },\n\t\t\t\t\t\townerId: { type: \"string\" },\n\t\t\t\t\t\tname: { type: \"string\" },\n\t\t\t\t\t\ttype: { type: \"string\", enum: [\"autonomous\", \"delegated\", \"service\"] },\n\t\t\t\t\t\tstatus: { type: \"string\", enum: [\"active\", \"revoked\", \"expired\"] },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\", nullable: true },\n\t\t\t\t\t\tcreatedAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\tupdatedAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAgentWithToken: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tdescription: \"Agent identity with the token (only returned on create/rotate)\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tid: { type: \"string\" },\n\t\t\t\t\t\ttoken: {\n\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Agent token (kv_ prefix). Store securely - not retrievable after creation.\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tname: { type: \"string\" },\n\t\t\t\t\t\ttype: { type: \"string\" },\n\t\t\t\t\t\tstatus: { type: \"string\" },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPermission: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\trequired: [\"resource\", \"actions\"],\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tresource: {\n\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\tdescription: \"Resource pattern (e.g. mcp:github:*, tool:file_read)\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tactions: {\n\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\titems: { type: \"string\" },\n\t\t\t\t\t\t\tdescription: \"Allowed actions (read, write, execute, delete, *)\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tconstraints: { $ref: \"#/components/schemas/PermissionConstraints\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPermissionConstraints: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tmaxCallsPerHour: { type: \"integer\" },\n\t\t\t\t\t\tallowedArgPatterns: { type: \"array\", items: { type: \"string\" } },\n\t\t\t\t\t\trequireApproval: { type: \"boolean\" },\n\t\t\t\t\t\ttimeWindow: {\n\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\tstart: { type: \"string\", description: \"HH:MM format\" },\n\t\t\t\t\t\t\t\tend: { type: \"string\", description: \"HH:MM format\" },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tipAllowlist: { type: \"array\", items: { type: \"string\" } },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorizeRequest: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\trequired: [\"agentId\", \"action\", \"resource\"],\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tagentId: { type: \"string\" },\n\t\t\t\t\t\taction: { type: \"string\" },\n\t\t\t\t\t\tresource: { type: \"string\" },\n\t\t\t\t\t\targuments: { type: \"object\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorizeResult: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tallowed: { type: \"boolean\" },\n\t\t\t\t\t\treason: { type: \"string\", nullable: true },\n\t\t\t\t\t\tauditId: { type: \"string\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuditEntry: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tid: { type: \"string\" },\n\t\t\t\t\t\tagentId: { type: \"string\" },\n\t\t\t\t\t\tuserId: { type: \"string\" },\n\t\t\t\t\t\taction: { type: \"string\" },\n\t\t\t\t\t\tresource: { type: \"string\" },\n\t\t\t\t\t\tparameters: { type: \"object\" },\n\t\t\t\t\t\tresult: { type: \"string\", enum: [\"allowed\", \"denied\", \"rate_limited\"] },\n\t\t\t\t\t\tdurationMs: { type: \"integer\" },\n\t\t\t\t\t\ttimestamp: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tDelegateInput: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\trequired: [\"fromAgent\", \"toAgent\", \"permissions\", \"expiresAt\"],\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tfromAgent: { type: \"string\" },\n\t\t\t\t\t\ttoAgent: { type: \"string\" },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\tmaxDepth: { type: \"integer\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tDelegationChain: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tid: { type: \"string\" },\n\t\t\t\t\t\tfromAgent: { type: \"string\" },\n\t\t\t\t\t\ttoAgent: { type: \"string\" },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t\tdepth: { type: \"integer\" },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\tcreatedAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsecuritySchemes: {\n\t\t\t\tBearerAuth: {\n\t\t\t\t\ttype: \"http\",\n\t\t\t\t\tscheme: \"bearer\",\n\t\t\t\t\tbearerFormat: \"JWT\",\n\t\t\t\t},\n\t\t\t\tAgentToken: {\n\t\t\t\t\ttype: \"http\",\n\t\t\t\t\tscheme: \"bearer\",\n\t\t\t\t\tbearerFormat: \"KavachOS Agent Token (kv_...)\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t};\n}\n"]}
package/dist/mcp/index.d.ts ADDED
@@ -0,0 +1,222 @@
1
+ import { a as McpAuthContext, R as Result, b as McpAuthorizeResult, c as McpServerMetadata, d as McpProtectedResourceMetadata, e as McpClientRegistrationResponse, M as McpConfig, f as McpAuthModule, g as McpTokenResponse, h as McpSession } from '../types-C5htunW6.js';
2
+ export { K as KavachError, i as McpAccessToken, j as McpAuthorizationCode, k as McpAuthorizeRequest, l as McpAuthorizeRequestSchema, m as McpClient, n as McpClientRegistrationRequest, o as McpClientRegistrationSchema, p as McpTokenPayload, q as McpTokenRequest, r as McpTokenRequestParsed, s as McpTokenRequestSchema } from '../types-C5htunW6.js';
3
+ import 'zod';
4
+
5
+ /**
6
+ * Handle the OAuth 2.1 authorization endpoint.
7
+ *
8
+ * GET /mcp/authorize
9
+ *
10
+ * Validates the request parameters, checks the client, enforces PKCE S256,
11
+ * validates Resource Indicators (RFC 8707), and issues an authorization code.
12
+ *
13
+ * The caller is responsible for authenticating the user before calling this
14
+ * function. The `ctx.resolveUserId(request)` hook must return a non-null
15
+ * user ID for the currently authenticated user.
16
+ */
17
+ declare function handleAuthorize(ctx: McpAuthContext, request: Request): Promise<Result<McpAuthorizeResult>>;
18
+
19
+ /**
20
+ * Build OAuth 2.0 Authorization Server Metadata (RFC 8414).
21
+ *
22
+ * Returned at: GET /.well-known/oauth-authorization-server
23
+ */
24
+ declare function getAuthorizationServerMetadata(ctx: McpAuthContext): McpServerMetadata;
25
+ /**
26
+ * Build Protected Resource Metadata (RFC 9728).
27
+ *
28
+ * Returned at: GET /.well-known/oauth-protected-resource
29
+ *
30
+ * An MCP resource server (tool server) publishes this so clients can
31
+ * discover which authorization server to use.
32
+ */
33
+ declare function getProtectedResourceMetadata(ctx: McpAuthContext): McpProtectedResourceMetadata;
34
+
35
+ /**
36
+ * Dynamic Client Registration (RFC 7591).
37
+ *
38
+ * Endpoint logic for: POST /mcp/register
39
+ *
40
+ * Validates the registration request, generates client credentials,
41
+ * persists the client via the context store, and returns the
42
+ * RFC 7591-compliant registration response.
43
+ */
44
+ declare function registerClient(ctx: McpAuthContext, body: unknown): Promise<Result<McpClientRegistrationResponse>>;
45
+
46
+ /**
47
+ * Create the MCP authorization server module.
48
+ *
49
+ * This is the main factory that wires up all MCP OAuth 2.1 endpoints
50
+ * into a single module. The caller provides storage callbacks (how to
51
+ * persist clients, codes, and tokens) and user resolution (how to identify
52
+ * the currently authenticated user).
53
+ *
54
+ * @example
55
+ * ```typescript
56
+ * const mcp = createMcpModule({
57
+ * config: {
58
+ * enabled: true,
59
+ * issuer: 'https://auth.example.com',
60
+ * baseUrl: 'https://auth.example.com/api/auth',
61
+ * signingSecret: process.env.MCP_SIGNING_SECRET,
62
+ * },
63
+ * storeClient: async (client) => { await db.insert(mcpClients).values(client); },
64
+ * findClient: async (id) => { return db.query.mcpClients.findFirst({ where: eq(mcpClients.clientId, id) }); },
65
+ * storeAuthorizationCode: async (code) => { await db.insert(mcpCodes).values(code); },
66
+ * consumeAuthorizationCode: async (code) => {
67
+ * const found = await db.query.mcpCodes.findFirst({ where: eq(mcpCodes.code, code) });
68
+ * if (found) await db.delete(mcpCodes).where(eq(mcpCodes.code, code));
69
+ * return found ?? null;
70
+ * },
71
+ * storeToken: async (token) => { await db.insert(mcpTokens).values(token); },
72
+ * findTokenByRefreshToken: async (rt) => { ... },
73
+ * revokeToken: async (at) => { ... },
74
+ * resolveUserId: async (request) => {
75
+ * const session = await getSession(request);
76
+ * return session?.userId ?? null;
77
+ * },
78
+ * });
79
+ *
80
+ * // Use in a framework adapter:
81
+ * app.get('/.well-known/oauth-authorization-server', () => mcp.getMetadata());
82
+ * app.get('/.well-known/oauth-protected-resource', () => mcp.getProtectedResourceMetadata());
83
+ * app.post('/mcp/register', (req) => mcp.registerClient(req.body));
84
+ * app.get('/mcp/authorize', (req) => mcp.authorize(req));
85
+ * app.post('/mcp/token', (req) => mcp.token(req));
86
+ * ```
87
+ */
88
+ declare function createMcpModule(params: {
89
+ config: McpConfig;
90
+ storeClient: McpAuthContext["storeClient"];
91
+ findClient: McpAuthContext["findClient"];
92
+ storeAuthorizationCode: McpAuthContext["storeAuthorizationCode"];
93
+ consumeAuthorizationCode: McpAuthContext["consumeAuthorizationCode"];
94
+ storeToken: McpAuthContext["storeToken"];
95
+ findTokenByRefreshToken: McpAuthContext["findTokenByRefreshToken"];
96
+ revokeToken: McpAuthContext["revokeToken"];
97
+ resolveUserId: McpAuthContext["resolveUserId"];
98
+ }): McpAuthModule;
99
+ /**
100
+ * Create HTTP Response helpers for framework adapters.
101
+ *
102
+ * These take Result types and produce standard Response objects
103
+ * with proper status codes, cache-control headers, and CORS.
104
+ */
105
+ declare function createMcpResponseHelpers(ctx: McpAuthContext): {
106
+ /** Metadata endpoints: 200 with JSON */
107
+ metadataResponse: (data: unknown) => Response;
108
+ /** Registration: 201 with Cache-Control: no-store */
109
+ registrationResponse: (result: Result<unknown>) => Response;
110
+ /** Authorization: 302 redirect or error */
111
+ authorizeResponse: (result: Result<{
112
+ redirectUri: string;
113
+ }>) => Response;
114
+ /** Token: 200 with Cache-Control: no-store or error */
115
+ tokenResponse: (result: Result<unknown>) => Response;
116
+ /** Auth failure in JSON-RPC format for MCP resource servers */
117
+ unauthorizedResponse: (error: {
118
+ code: string;
119
+ message: string;
120
+ }) => Response;
121
+ };
122
+
123
+ /**
124
+ * Handle the OAuth 2.1 token endpoint.
125
+ *
126
+ * POST /mcp/token
127
+ *
128
+ * Supports two grant types:
129
+ * 1. authorization_code - Exchange auth code + PKCE verifier for tokens
130
+ * 2. refresh_token - Refresh an expired access token
131
+ */
132
+ declare function handleTokenExchange(ctx: McpAuthContext, request: Request): Promise<Result<McpTokenResponse>>;
133
+
134
+ /**
135
+ * Generate a cryptographically secure random token string.
136
+ *
137
+ * Uses `crypto.getRandomValues()` (Web Crypto API compatible) to produce
138
+ * a URL-safe base64 string of the requested byte length.
139
+ */
140
+ declare function generateSecureToken(byteLength: number): string;
141
+ /**
142
+ * Compute the S256 code challenge from a code verifier.
143
+ *
144
+ * S256: BASE64URL(SHA256(ASCII(code_verifier)))
145
+ *
146
+ * Uses Web Crypto (SubtleCrypto) for cross-runtime compatibility.
147
+ */
148
+ declare function computeS256Challenge(codeVerifier: string): Promise<string>;
149
+ /**
150
+ * Verify a PKCE S256 code_verifier against a stored code_challenge.
151
+ */
152
+ declare function verifyS256(codeVerifier: string, codeChallenge: string): Promise<boolean>;
153
+ /**
154
+ * Parse a URL search params or form body into a plain object.
155
+ *
156
+ * Handles both `application/x-www-form-urlencoded` and `application/json`
157
+ * content types, as required by OAuth 2.1 token endpoint.
158
+ */
159
+ declare function parseRequestBody(request: Request): Promise<Record<string, string>>;
160
+ /**
161
+ * Extract client credentials from the Authorization header (Basic auth).
162
+ *
163
+ * Returns [client_id, client_secret] or null if not present.
164
+ */
165
+ declare function extractBasicAuth(request: Request): [string, string] | null;
166
+ /**
167
+ * Extract a Bearer token from the Authorization header.
168
+ */
169
+ declare function extractBearerToken(request: Request): string | null;
170
+
171
+ /**
172
+ * Validate an MCP access token (JWT).
173
+ *
174
+ * Performs:
175
+ * 1. JWT signature verification (HS256)
176
+ * 2. Expiry check
177
+ * 3. Issuer validation
178
+ * 4. Audience validation (token must be bound to the expected resource)
179
+ * 5. Scope validation (optional - checks all required scopes are present)
180
+ *
181
+ * Target: < 5ms with cached keys (per CLAUDE.md performance rule).
182
+ */
183
+ declare function validateAccessToken(ctx: McpAuthContext, token: string, options?: {
184
+ requiredScopes?: string[];
185
+ expectedAudience?: string;
186
+ }): Promise<Result<McpSession>>;
187
+ /**
188
+ * MCP auth middleware.
189
+ *
190
+ * Extracts the Bearer token from the Authorization header, validates it,
191
+ * and returns the session. This is the primary entry point for protecting
192
+ * MCP resource server endpoints.
193
+ *
194
+ * Pattern inspired by better-auth's `withMcpAuth()`, adapted to KavachOS's
195
+ * functional Result-based API.
196
+ *
197
+ * Usage:
198
+ * ```typescript
199
+ * const result = await withMcpAuth(ctx, request, { requiredScopes: ['read'] });
200
+ * if (!result.success) {
201
+ * return new Response(JSON.stringify(result.error), { status: 401 });
202
+ * }
203
+ * const session = result.data;
204
+ * ```
205
+ */
206
+ declare function withMcpAuth(ctx: McpAuthContext, request: Request, options?: {
207
+ requiredScopes?: string[];
208
+ expectedAudience?: string;
209
+ }): Promise<Result<McpSession>>;
210
+ /**
211
+ * Build a 401 Unauthorized response in the JSON-RPC format expected
212
+ * by MCP clients.
213
+ *
214
+ * Includes the WWW-Authenticate header pointing to the protected
215
+ * resource metadata document, as required by the MCP spec.
216
+ */
217
+ declare function buildUnauthorizedResponse(ctx: McpAuthContext, error: {
218
+ code: string;
219
+ message: string;
220
+ }): Response;
221
+
222
+ export { McpAuthContext, McpAuthModule, McpAuthorizeResult, McpClientRegistrationResponse, McpConfig, McpProtectedResourceMetadata, McpServerMetadata, McpSession, McpTokenResponse, Result, buildUnauthorizedResponse, computeS256Challenge, createMcpModule, createMcpResponseHelpers, extractBasicAuth, extractBearerToken, generateSecureToken, getAuthorizationServerMetadata, getProtectedResourceMetadata, handleAuthorize, handleTokenExchange, parseRequestBody, registerClient, validateAccessToken, verifyS256, withMcpAuth };