kozou 1.1.1 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +48 -6
- package/dist/commands/dev-runtime.d.ts +1 -0
- package/dist/commands/dev-runtime.d.ts.map +1 -1
- package/dist/commands/dev-runtime.js +119 -10
- package/dist/commands/dev-runtime.js.map +1 -1
- package/dist/config.d.ts +15 -0
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +83 -4
- package/dist/config.js.map +1 -1
- package/dist/templates/docker-compose.yml +2 -1
- package/dist/templates/env.example +1 -0
- package/package.json +7 -7
package/README.md
CHANGED
|
@@ -163,6 +163,8 @@ auth:
|
|
|
163
163
|
anonRole: web_anon # role for requests with no token (else 401)
|
|
164
164
|
ui:
|
|
165
165
|
role: app_admin # role the bundled Admin UI runs as (HS256)
|
|
166
|
+
claims: # extra claims minted into the UI token (HS256)
|
|
167
|
+
tenant_id: acme # for RLS policies reading request.jwt.claims
|
|
166
168
|
# token: ${KOZOU_ADAPTER_TOKEN} # RS256 / external IdP: supply a token instead
|
|
167
169
|
```
|
|
168
170
|
|
|
@@ -174,8 +176,10 @@ With no `auth:` block, the section is built instead from
|
|
|
174
176
|
`KOZOU_JWT_SECRET` / `KOZOU_JWT_PUBLIC_KEY` / `KOZOU_JWT_JWKS_URI` /
|
|
175
177
|
`KOZOU_JWT_ALGORITHMS` / `KOZOU_JWT_ISSUER` / `KOZOU_JWT_AUDIENCE` /
|
|
176
178
|
`KOZOU_JWT_ROLE_CLAIM` / `KOZOU_JWT_ALLOWED_ROLES` / `KOZOU_JWT_DEFAULT_ROLE` /
|
|
177
|
-
`KOZOU_JWT_ANON_ROLE` / `KOZOU_UI_ROLE` / `
|
|
178
|
-
and roles are comma-separated
|
|
179
|
+
`KOZOU_JWT_ANON_ROLE` / `KOZOU_UI_ROLE` / `KOZOU_UI_CLAIMS` /
|
|
180
|
+
`KOZOU_ADAPTER_TOKEN` (algorithms and roles are comma-separated;
|
|
181
|
+
`KOZOU_UI_CLAIMS` takes a JSON object and fails loudly at startup when
|
|
182
|
+
malformed). A role outside `allowedRoles` gets `403`. A request with
|
|
179
183
|
no token gets `401` unless `anonRole` is set, in which case it runs under
|
|
180
184
|
that role and your RLS policies decide what it sees (a present but invalid
|
|
181
185
|
token is always `401`). The login role of `database.url` must be `GRANT`ed
|
|
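Review bot: "fails loudly at startup when malformed" in the added `KOZOU_UI_CLAIMS` sentence does not say what happens to well-formed JSON that is not an object (an array, a string, a number). The schema in this release types `claims` as a string-keyed record, so state here that only a JSON object is accepted and that any other value is also a startup error.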
@@ -186,12 +190,50 @@ membership in every allowed role, and in `anonRole` when set.
|
|
|
186
190
|
The Admin UI calls `@kozou/api` server-side, so when `auth` is on it must
|
|
187
191
|
send a token too. Under **HS256** the CLI mints one for the UI claiming
|
|
188
192
|
`auth.ui.role` (or, if unset, no role — the API then applies `defaultRole`);
|
|
189
|
-
set `auth.ui.role` to the role the console should run as.
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
|
|
193
|
+
set `auth.ui.role` to the role the console should run as. RLS policies
|
|
194
|
+
usually need more than the role: `auth.ui.claims` (or `KOZOU_UI_CLAIMS`,
|
|
195
|
+
a JSON object) merges extra claims — a tenant id, an operator flag — into
|
|
196
|
+
the minted token, where `request.jwt.claims` makes them visible to your
|
|
197
|
+
policies. The merge is flat: the role claim is always controlled by
|
|
198
|
+
`auth.ui.role` (a colliding key is dropped with a startup warning), and
|
|
199
|
+
`iat` / configured `iss` / `aud` win likewise. These are *service-token*
|
|
200
|
+
claims — everyone who can reach the UI port acts with them. Under
|
|
201
|
+
**RS256** or an external identity provider the CLI cannot mint, so supply
|
|
202
|
+
a ready-made token via `auth.ui.token` (or the `KOZOU_ADAPTER_TOKEN` env);
|
|
203
|
+
without it the UI is rejected with `401` and the CLI logs how to fix it
|
|
204
|
+
(`auth.ui.claims` only applies to tokens the CLI mints itself).
|
|
193
205
|
The minted role must satisfy `allowedRoles` or the UI gets `403`.
|
|
194
206
|
|
|
207
|
+
#### Privilege-aware introspection (opt-in)
|
|
208
|
+
|
|
209
|
+
By default the Admin UI reflects what the schema *declares*, not what the
|
|
210
|
+
serving role may *do* with it — so a column protected by a column-level
|
|
211
|
+
`GRANT` still renders editable (the write then fails at save), and a table
|
|
212
|
+
the role cannot read still appears in the nav (opening it errors). Set:
|
|
213
|
+
|
|
214
|
+
```yaml
|
|
215
|
+
introspection:
|
|
216
|
+
respectPrivileges: true # default false
|
|
217
|
+
# role: app_user # optional; defaults to auth.ui.role / auth.defaultRole
|
|
218
|
+
```
|
|
219
|
+
|
|
220
|
+
and the UI's introspection evaluates the serving role's privileges
|
|
221
|
+
(`has_table_privilege` / `has_column_privilege`, gated by schema `USAGE`) and
|
|
222
|
+
folds them in **per form mode**: on the edit form a column the role cannot
|
|
223
|
+
`UPDATE` renders **read-only**; on the create form a column it cannot `INSERT`
|
|
224
|
+
renders read-only (so a write-once column with `INSERT` but no `UPDATE` is
|
|
225
|
+
editable on create and locked on edit, and vice versa). A table **or view** the
|
|
226
|
+
role cannot `SELECT` is **hidden** from the nav and resource list (a startup
|
|
227
|
+
line names what was hidden). The role evaluated is the Admin UI's
|
|
228
|
+
(`auth.ui.role`, else `auth.defaultRole`); set `introspection.role` to override.
|
|
229
|
+
When the UI uses a **ready-made token** (`auth.ui.token` / `KOZOU_ADAPTER_TOKEN`,
|
|
230
|
+
the RS256 / external-IdP path) you must set `introspection.role` explicitly —
|
|
231
|
+
the CLI cannot read the token's role, so it will not guess. This shapes the
|
|
232
|
+
**Admin UI** only — `@kozou/api` and the MCP server stay schema-wide (the API
|
|
233
|
+
enforces per request through the database; the MCP server intentionally
|
|
234
|
+
describes the whole schema). Per-request, per-role surfaces for direct API
|
|
235
|
+
consumers are a future refinement.
|
|
236
|
+
|
|
195
237
|
## License
|
|
196
238
|
|
|
197
239
|
Apache 2.0. See [LICENSE](../../LICENSE) at the repository root.
|
|
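Review bot: the statement that "everyone who can reach the UI port acts with them" is the main security consequence of `auth.ui.claims`, and it sits mid-paragraph between merge rules and the RS256 fallback. Move it into its own short paragraph or callout directly under the `auth.ui.claims` description, and say that exposure of the UI port decides who gets the tenant id or operator flag. The same paragraph lists the role claim, `iat`, `iss` and `aud` as controlled by config but is silent on `exp` / `nbf`, which the code in this release passes through and only warns about; document that behaviour here as well.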
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dev-runtime.d.ts","sourceRoot":"","sources":["../../src/commands/dev-runtime.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"dev-runtime.d.ts","sourceRoot":"","sources":["../../src/commands/dev-runtime.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAQhD,wBAAgB,mBAAmB,IAAI,MAAM,CAI5C;AAMD,wBAAgB,aAAa,CAAC,MAAM,EAAE,WAAW,EAAE,GAAG,EAAE,MAAM,CAAC,UAAU,GAAG,MAAM,CAEjF;AAYD,wBAAgB,eAAe,CAC7B,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,CAAC,UAAU,EAC1B,aAAa,CAAC,EAAE,MAAM,EACtB,QAAQ,CAAC,EAAE,MAAM,GAChB,MAAM,CAAC,UAAU,CA4DnB;AAqBD,wBAAgB,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,MAAM,CAyBjE;AAgBD,MAAM,MAAM,eAAe,GAAG,iBAAiB,GAAG,eAAe,GAAG,WAAW,GAAG,UAAU,CAAC;AAE7F,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,WAAW,CAAC,MAAM,CAAC,EACzB,WAAW,EAAE,kBAAkB,GAAG,SAAS,EAC3C,UAAU,EAAE,OAAO,GAClB,eAAe,CAQjB;AAID,MAAM,MAAM,kBAAkB,GAAG;IAC/B,gBAAgB,CAAC,IAAI,EAAE;QACrB,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAC7B,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAClC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACrB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,yEAAyE;IACzE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,4EAA4E;IAC5E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;6EAEyE;IACzE,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,CAAC;AAWF,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,kBAAkB,EAC1B,GAAG,EAAE,MAAM,CAAC,UAAU,GACrB,OAAO,CAAC,kBAAkB,CAAC,CAiE7B"}
|
|
@@ -5,6 +5,7 @@
|
|
|
5
5
|
// tested without launching any servers.
|
|
6
6
|
import { createRequire } from 'node:module';
|
|
7
7
|
import { dirname, join } from 'node:path';
|
|
8
|
+
import { resolvePrivilegeRole } from '../config.js';
|
|
8
9
|
// Resolve the Admin UI's adapter-node standalone server entry. The
|
|
9
10
|
// `build/` directory ships in @kozou/svelte-ui's published `files`, and
|
|
10
11
|
// resolving the package's own package.json works whether kozou runs from
|
|
@@ -41,14 +42,36 @@ export function buildAdminUiEnv(config, origin, baseEnv, apiAdapterUrl, apiToken
|
|
|
41
42
|
ORIGIN: origin,
|
|
42
43
|
NODE_ENV: 'production',
|
|
43
44
|
};
|
|
44
|
-
// JWT verifier / signing inputs are a CLI-process
|
|
45
|
-
// network-facing UI child only ever consumes KOZOU_ADAPTER_*,
|
|
46
|
-
// HS256 secret (or key / JWKS settings)
|
|
47
|
-
//
|
|
48
|
-
//
|
|
45
|
+
// JWT verifier / signing inputs and minting inputs are a CLI-process
|
|
46
|
+
// concern. The network-facing UI child only ever consumes KOZOU_ADAPTER_*,
|
|
47
|
+
// so the HS256 secret (or key / JWKS settings) and the UI token inputs
|
|
48
|
+
// (role name, claim values — which can carry tenant identifiers) must not
|
|
49
|
+
// extend into it — with the scaffold compose forwarding these variables
|
|
50
|
+
// they are present in the parent environment on the default path.
|
|
49
51
|
for (const key of Object.keys(env)) {
|
|
50
|
-
if (key.startsWith('KOZOU_JWT_'))
|
|
52
|
+
if (key.startsWith('KOZOU_JWT_') || key === 'KOZOU_UI_ROLE' || key === 'KOZOU_UI_CLAIMS') {
|
|
51
53
|
delete env[key];
|
|
54
|
+
}
|
|
55
|
+
}
|
|
56
|
+
// Privilege-aware introspection (issue #99): pass the resolved role through to
|
|
57
|
+
// the UI child so its introspection reflects what that role may do (hide
|
|
58
|
+
// unreadable tables, lock non-updatable columns). Set it authoritatively from
|
|
59
|
+
// config — delete any inherited value when the feature is off, so a stray
|
|
60
|
+
// parent KOZOU_INTROSPECTION_ROLE cannot silently turn it on.
|
|
61
|
+
// A ready-made token only actually gates role resolution on the in-house API
|
|
62
|
+
// path: the external REST opt-out below clears KOZOU_ADAPTER_TOKEN and the UI
|
|
63
|
+
// never forwards it, so an inherited token there must not force
|
|
64
|
+
// introspection.role. Detect a real ready-made token (config or inherited
|
|
65
|
+
// env) only when the API path is active.
|
|
66
|
+
const suppliedToken = apiAdapterUrl !== undefined &&
|
|
67
|
+
((config.auth?.ui?.token !== undefined && config.auth.ui.token.length > 0) ||
|
|
68
|
+
(baseEnv.KOZOU_ADAPTER_TOKEN !== undefined && baseEnv.KOZOU_ADAPTER_TOKEN.length > 0));
|
|
69
|
+
const privilegeRole = resolvePrivilegeRole(config, { suppliedToken });
|
|
70
|
+
if (privilegeRole !== undefined) {
|
|
71
|
+
env.KOZOU_INTROSPECTION_ROLE = privilegeRole;
|
|
72
|
+
}
|
|
73
|
+
else {
|
|
74
|
+
delete env.KOZOU_INTROSPECTION_ROLE;
|
|
52
75
|
}
|
|
53
76
|
if (apiAdapterUrl !== undefined) {
|
|
54
77
|
// In-house @kozou/api backend: point the UI at it and attach the token
|
|
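Review bot: the scrub loop is a denylist (`key.startsWith('KOZOU_JWT_') || key === 'KOZOU_UI_ROLE' || key === 'KOZOU_UI_CLAIMS'`) applied to an environment that, per the comment above it, inherits the parent's variables on the default path. Any secret-bearing variable added in a later release reaches the network-facing UI child unless someone remembers to extend this condition. Keep the sensitive names in one exported list next to where config.js reads them, or build the child environment from an allowlist of what the UI actually consumes. The authoritative set-or-delete handling of `KOZOU_INTROSPECTION_ROLE` further down is the pattern to follow.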
@@ -115,6 +138,10 @@ export function describeApiAuth(auth) {
|
|
|
115
138
|
parts.push(`ui role=${auth.ui.role}`);
|
|
116
139
|
else if (auth.ui?.token !== undefined)
|
|
117
140
|
parts.push('ui token=supplied');
|
|
141
|
+
if (auth.ui?.claims !== undefined) {
|
|
142
|
+
// Key names only — values can carry tenant identifiers.
|
|
143
|
+
parts.push(`ui claims=[${Object.keys(auth.ui.claims).join(', ')}]`);
|
|
144
|
+
}
|
|
118
145
|
return parts.join(', ');
|
|
119
146
|
}
|
|
120
147
|
export function classifyAdminUiExposure(auth, tokenResult, inhouseApi) {
|
|
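Review bot: the new `if (auth.ui?.claims !== undefined)` is not part of the preceding `else if` chain, so with a ready-made token the summary reads `ui token=supplied, ui claims=[...]` even though `resolveAdminUiToken` ignores claims on that path. Skip the claims part when a token is supplied, or mark it as ignored, so the startup line matches what is actually sent. Logging key names only is the right call and should stay.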
@@ -141,9 +168,15 @@ export async function resolveAdminUiToken(config, minter, env) {
|
|
|
141
168
|
const auth = config.auth;
|
|
142
169
|
if (auth === undefined)
|
|
143
170
|
return {}; // no auth -> the UI sends no token (unchanged)
|
|
171
|
+
const claims = auth.ui?.claims;
|
|
144
172
|
const supplied = auth.ui?.token ?? env.KOZOU_ADAPTER_TOKEN;
|
|
145
173
|
if (supplied !== undefined && supplied.length > 0) {
|
|
146
|
-
|
|
174
|
+
// claims only apply to a token the CLI mints itself.
|
|
175
|
+
const warning = claims !== undefined
|
|
176
|
+
? 'auth.ui.claims is ignored because a ready-made token is supplied ' +
|
|
177
|
+
'(auth.ui.token / KOZOU_ADAPTER_TOKEN); put the claims in that token instead.'
|
|
178
|
+
: undefined;
|
|
179
|
+
return warning !== undefined ? { token: supplied, warning } : { token: supplied };
|
|
147
180
|
}
|
|
148
181
|
const secret = auth.jwt.secret;
|
|
149
182
|
if (secret !== undefined && secret.length > 0) {
|
|
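Review bot: `supplied` is computed here as `auth.ui?.token ?? env.KOZOU_ADAPTER_TOKEN`, while `buildAdminUiEnv` in the same file decides `suppliedToken` with its own expression (config token non-empty, or env token non-empty, and only when `apiAdapterUrl` is set). Two definitions of "a ready-made token is in play" can drift, and they already differ when `config.auth` is undefined: this function returns `{}` before looking at the env token, the other still counts an inherited `KOZOU_ADAPTER_TOKEN`. Put the test in one helper and call it from both places.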
@@ -154,17 +187,93 @@ export async function resolveAdminUiToken(config, minter, env) {
|
|
|
154
187
|
role,
|
|
155
188
|
issuer: auth.jwt.issuer,
|
|
156
189
|
audience: auth.jwt.audience,
|
|
190
|
+
claims,
|
|
157
191
|
});
|
|
158
|
-
const
|
|
159
|
-
|
|
192
|
+
const warnings = [];
|
|
193
|
+
const reserved = reservedClaimCollisions(auth, claims);
|
|
194
|
+
if (reserved.length > 0) {
|
|
195
|
+
warnings.push(`auth.ui.claims key(s) ${reserved.map((k) => `"${k}"`).join(', ')} are ` +
|
|
196
|
+
'reserved and overridden by the auth config (the role claim, iat, ' +
|
|
197
|
+
'and iss/aud when configured).');
|
|
198
|
+
}
|
|
199
|
+
// exp/nbf pass through (an intentionally expiring UI token is allowed),
|
|
200
|
+
// but a value that provably fails verification — expired, not yet
|
|
201
|
+
// valid, or not a number — would 401 every UI request from the start.
|
|
202
|
+
const temporalWarning = temporalClaimsWarning(claims);
|
|
203
|
+
if (temporalWarning !== undefined)
|
|
204
|
+
warnings.push(temporalWarning);
|
|
205
|
+
const roleWarning = mintedRoleWarning(auth, role);
|
|
206
|
+
if (roleWarning !== undefined)
|
|
207
|
+
warnings.push(roleWarning);
|
|
208
|
+
if (warnings.length === 0)
|
|
209
|
+
return { token };
|
|
210
|
+
return {
|
|
211
|
+
token,
|
|
212
|
+
warning: warnings.join(' '),
|
|
213
|
+
...(roleWarning !== undefined || temporalWarning !== undefined
|
|
214
|
+
? { knownRejected: true }
|
|
215
|
+
: {}),
|
|
216
|
+
};
|
|
160
217
|
}
|
|
218
|
+
const claimsNote = claims !== undefined
|
|
219
|
+
? ' (auth.ui.claims is also unusable on this path — the CLI cannot mint)'
|
|
220
|
+
: '';
|
|
161
221
|
return {
|
|
162
222
|
warning: 'auth uses an RS256 public key, so the CLI cannot mint a token for the ' +
|
|
163
223
|
'bundled Admin UI; it will be rejected with 401. Set auth.ui.token (or ' +
|
|
164
224
|
'KOZOU_ADAPTER_TOKEN) to a token from your identity provider, or use an ' +
|
|
165
|
-
|
|
225
|
+
`HS256 secret so the CLI can mint one${claimsNote}.`,
|
|
166
226
|
};
|
|
167
227
|
}
|
|
228
|
+
// Keys in auth.ui.claims that the mint will override (or drop): the role
|
|
229
|
+
// claim is always reserved, `iat` is always set, and `iss`/`aud` are set
|
|
230
|
+
// when the auth config declares an issuer/audience. Surfaced as a startup
|
|
231
|
+
// warning so a colliding key is never a silent override.
|
|
232
|
+
function reservedClaimCollisions(auth, claims) {
|
|
233
|
+
if (claims === undefined)
|
|
234
|
+
return [];
|
|
235
|
+
const reserved = new Set([auth.roleClaim ?? 'role', 'iat']);
|
|
236
|
+
if (auth.jwt.issuer !== undefined)
|
|
237
|
+
reserved.add('iss');
|
|
238
|
+
if (auth.jwt.audience !== undefined)
|
|
239
|
+
reserved.add('aud');
|
|
240
|
+
return Object.keys(claims).filter((k) => reserved.has(k));
|
|
241
|
+
}
|
|
242
|
+
// `exp` / `nbf` in auth.ui.claims that provably make the minted token fail
|
|
243
|
+
// verification: already expired, not valid yet, or not a number (the
|
|
244
|
+
// verifier rejects malformed temporal claims). A well-formed future `exp`
|
|
245
|
+
// is intentional (an expiring UI token) and passes silently.
|
|
246
|
+
function temporalClaimsWarning(claims) {
|
|
247
|
+
if (claims === undefined)
|
|
248
|
+
return undefined;
|
|
249
|
+
const now = Math.floor(Date.now() / 1000);
|
|
250
|
+
// Finite numbers only: YAML parses `.nan` / `.inf` to NaN / Infinity,
|
|
251
|
+
// which survive a typeof check, serialize to null in the JWT payload,
|
|
252
|
+
// and fail verification.
|
|
253
|
+
if ('exp' in claims) {
|
|
254
|
+
const exp = claims.exp;
|
|
255
|
+
if (typeof exp !== 'number' || !Number.isFinite(exp)) {
|
|
256
|
+
return 'auth.ui.claims.exp is not a finite number (UNIX seconds), so ' +
|
|
257
|
+
'the API rejects the minted Admin UI token (401).';
|
|
258
|
+
}
|
|
259
|
+
if (exp <= now) {
|
|
260
|
+
return 'auth.ui.claims.exp is already in the past, so the API rejects ' +
|
|
261
|
+
'the minted Admin UI token (401).';
|
|
262
|
+
}
|
|
263
|
+
}
|
|
264
|
+
if ('nbf' in claims) {
|
|
265
|
+
const nbf = claims.nbf;
|
|
266
|
+
if (typeof nbf !== 'number' || !Number.isFinite(nbf)) {
|
|
267
|
+
return 'auth.ui.claims.nbf is not a finite number (UNIX seconds), so ' +
|
|
268
|
+
'the API rejects the minted Admin UI token (401).';
|
|
269
|
+
}
|
|
270
|
+
if (nbf > now) {
|
|
271
|
+
return 'auth.ui.claims.nbf is in the future, so the API rejects the ' +
|
|
272
|
+
'minted Admin UI token (401) until that time.';
|
|
273
|
+
}
|
|
274
|
+
}
|
|
275
|
+
return undefined;
|
|
276
|
+
}
|
|
168
277
|
// A minted Admin UI token will be rejected with 403 unless the API can
|
|
169
278
|
// resolve an allowed role for it. Surface that as a warning at startup
|
|
170
279
|
// rather than letting the UI fail opaquely.
|
|
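Review bot: `claims` is handed to the mint call unfiltered (the added `claims,` in the options object) and `reservedClaimCollisions` only runs afterwards to build a warning. The guarantee that the role claim, `iat`, `iss` and `aud` cannot be overridden from `auth.ui.claims` therefore rests entirely on the minter's merge order, which is not part of this diff. Strip the reserved keys before calling the minter, or add a test that mints with a colliding role key and asserts the resulting payload. Separately, `temporalClaimsWarning` accepts any `exp` greater than `now`, so an `exp` a few seconds ahead passes silently and the UI starts getting 401 shortly after startup; consider logging the expiry time whenever `exp` is present.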
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dev-runtime.js","sourceRoot":"","sources":["../../src/commands/dev-runtime.ts"],"names":[],"mappings":"AAAA,6DAA6D;AAC7D,EAAE;AACF,kEAAkE;AAClE,wEAAwE;AACxE,wCAAwC;AAExC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"dev-runtime.js","sourceRoot":"","sources":["../../src/commands/dev-runtime.ts"],"names":[],"mappings":"AAAA,6DAA6D;AAC7D,EAAE;AACF,kEAAkE;AAClE,wEAAwE;AACxE,wCAAwC;AAExC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAG1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAEpD,mEAAmE;AACnE,wEAAwE;AACxE,yEAAyE;AACzE,yEAAyE;AACzE,eAAe;AACf,MAAM,UAAU,mBAAmB;IACjC,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/C,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,+BAA+B,CAAC,CAAC;IACrE,OAAO,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;AACzD,CAAC;AAED,sEAAsE;AACtE,yEAAyE;AACzE,wEAAwE;AACxE,gDAAgD;AAChD,MAAM,UAAU,aAAa,CAAC,MAAmB,EAAE,GAAsB;IACvE,OAAO,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,YAAY,IAAI,oBAAoB,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;AACvF,CAAC;AAED,uEAAuE;AACvE,oEAAoE;AACpE,EAAE;AACF,2EAA2E;AAC3E,8EAA8E;AAC9E,wEAAwE;AACxE,6EAA6E;AAC7E,8EAA8E;AAC9E,8EAA8E;AAC9E,0BAA0B;AAC1B,MAAM,UAAU,eAAe,CAC7B,MAAmB,EACnB,MAAc,EACd,OAA0B,EAC1B,aAAsB,EACtB,QAAiB;IAEjB,MAAM,GAAG,GAAsB;QAC7B,GAAG,OAAO;QACV,YAAY,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG;QACjC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC;QACnC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI;QAC3B,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,YAAY;KACvB,CAAC;IACF,qEAAqE;IACrE,2EAA2E;IAC3E,uEAAuE;IACvE,0EAA0E;IAC1E,wEAAwE;IACxE,kEAAkE;IAClE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,GAAG,KAAK,eAAe,IAAI,GAAG,KAAK,iBAAiB,EAAE,CAAC;YACzF,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IACD,+EAA+E;IAC/E,yEAAyE;IACzE,8EAA8E;IAC9E,0EAA0E;IAC1E,8DAA8D;IAC9D,6EAA6E;IAC7E,8EAA8E;IAC9E,gEAAgE;IAChE,0EAA0E;IAC1E,yCAAyC;IACzC,MAAM,aAAa,GACjB,aAAa,KAAK,SAAS;QAC3B,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,KAAK,KAAK,SAAS,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;YACxE,CAAC,OAAO,CAAC,mBAAmB,KAAK,SAAS,IAAI,OAAO,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;IAC3F,MAAM,aAAa,GAAG,oBAAoB,CAAC,MAAM,EAAE,EAAE,a
AAa,EAAE,CAAC,CAAC;IACtE,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,GAAG,CAAC,wBAAwB,GAAG,aAAa,CAAC;IAC/C,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,CAAC,wBAAwB,CAAC;IACtC,CAAC;IACD,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;QAChC,uEAAuE;QACvE,uEAAuE;QACvE,GAAG,CAAC,kBAAkB,GAAG,KAAK,CAAC;QAC/B,GAAG,CAAC,iBAAiB,GAAG,aAAa,CAAC;QACtC,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClD,GAAG,CAAC,mBAAmB,GAAG,QAAQ,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,CAAC,mBAAmB,CAAC;QACjC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,yEAAyE;QACzE,yEAAyE;QACzE,wEAAwE;QACxE,wDAAwD;QACxD,OAAO,GAAG,CAAC,kBAAkB,CAAC;QAC9B,OAAO,GAAG,CAAC,mBAAmB,CAAC;QAC/B,GAAG,CAAC,iBAAiB,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;IAC7C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,yEAAyE;AACzE,8EAA8E;AAC9E,yEAAyE;AACzE,gBAAgB;AAChB,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QACzB,OAAO,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,eAAe,CAAC;IACzB,CAAC;AACH,CAAC;AAED,yEAAyE;AACzE,sEAAsE;AACtE,kEAAkE;AAClE,kEAAkE;AAClE,yEAAyE;AACzE,2DAA2D;AAC3D,MAAM,UAAU,eAAe,CAAC,IAAyB;IACvD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO,gFAAgF,CAAC;IAC1F,CAAC;IACD,MAAM,IAAI,GACR,IAAI,CAAC,GAAG,CAAC,MAAM,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;QACzD,CAAC,CAAC,uBAAuB;QACzB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;YAC7D,CAAC,CAAC,SAAS,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG;YAC/C,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;gBACjE,CAAC,CAAC,mBAAmB;gBACrB,CAAC,CAAC,8DAA8D,CAAC;IACzE,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,CAAC;IACrB,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpE,KAAK,CAAC,IAAI,CAAC,iBAAiB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IAClF,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,QAAQ,E
AAE,CAAC,CAAC;IACzE,IAAI,IAAI,CAAC,EAAE,EAAE,IAAI,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;SAClE,IAAI,IAAI,CAAC,EAAE,EAAE,KAAK,KAAK,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACvE,IAAI,IAAI,CAAC,EAAE,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QAClC,wDAAwD;QACxD,KAAK,CAAC,IAAI,CAAC,cAAc,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACtE,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAkBD,MAAM,UAAU,uBAAuB,CACrC,IAAyB,EACzB,WAA2C,EAC3C,UAAmB;IAEnB,IAAI,CAAC,UAAU,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,iBAAiB,CAAC;IAChE,MAAM,KAAK,GAAG,WAAW,EAAE,KAAK,CAAC;IACjC,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5C,OAAO,WAAW,EAAE,aAAa,KAAK,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,eAAe,CAAC;IAC5E,CAAC;IACD,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,WAAW,CAAC;IAChF,OAAO,UAAU,CAAC;AACpB,CAAC;AA0BD,6EAA6E;AAC7E,kEAAkE;AAClE,0EAA0E;AAC1E,6EAA6E;AAC7E,cAAc;AACd,4EAA4E;AAC5E,yEAAyE;AACzE,6EAA6E;AAC7E,kDAAkD;AAClD,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAmB,EACnB,MAA0B,EAC1B,GAAsB;IAEtB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;IACzB,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC,CAAC,+CAA+C;IAElF,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,EAAE,MAAM,CAAC;IAE/B,MAAM,QAAQ,GAAG,IAAI,CAAC,EAAE,EAAE,KAAK,IAAI,GAAG,CAAC,mBAAmB,CAAC;IAC3D,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClD,qDAAqD;QACrD,MAAM,OAAO,GACX,MAAM,KAAK,SAAS;YAClB,CAAC,CAAC,mEAAmE;gBACnE,8EAA8E;YAChF,CAAC,CAAC,SAAS,CAAC;QAChB,OAAO,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;IACpF,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC;IAC/B,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC;QAC3B,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC;YAC1C,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,IAAI;YACJ,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM;YACvB,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ;YAC3B,MAAM;SA
CP,CAAC,CAAC;QACH,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,uBAAuB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACvD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,QAAQ,CAAC,IAAI,CACX,yBAAyB,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO;gBACtE,mEAAmE;gBACnE,+BAA+B,CAClC,CAAC;QACJ,CAAC;QACD,wEAAwE;QACxE,kEAAkE;QAClE,sEAAsE;QACtE,MAAM,eAAe,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QACtD,IAAI,eAAe,KAAK,SAAS;YAAE,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAClE,MAAM,WAAW,GAAG,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAClD,IAAI,WAAW,KAAK,SAAS;YAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC1D,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QAC5C,OAAO;YACL,KAAK;YACL,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;YAC3B,GAAG,CAAC,WAAW,KAAK,SAAS,IAAI,eAAe,KAAK,SAAS;gBAC5D,CAAC,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE;gBACzB,CAAC,CAAC,EAAE,CAAC;SACR,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GACd,MAAM,KAAK,SAAS;QAClB,CAAC,CAAC,uEAAuE;QACzE,CAAC,CAAC,EAAE,CAAC;IACT,OAAO;QACL,OAAO,EACL,wEAAwE;YACxE,wEAAwE;YACxE,yEAAyE;YACzE,uCAAuC,UAAU,GAAG;KACvD,CAAC;AACJ,CAAC;AAED,yEAAyE;AACzE,yEAAyE;AACzE,0EAA0E;AAC1E,yDAAyD;AACzD,SAAS,uBAAuB,CAC9B,IAAsC,EACtC,MAA2C;IAE3C,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACpC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAS,CAAC,IAAI,CAAC,SAAS,IAAI,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;IACpE,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,KAAK,SAAS;QAAE,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACvD,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,KAAK,SAAS;QAAE,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACzD,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,2EAA2E;AAC3E,qEAAqE;AACrE,0EAA0E;AAC1E,6DAA6D;AAC7D,SAAS,qBAAqB,CAC5B,MAA2C;IAE3C,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,sEAAsE;IACtE,sEAAsE;IACtE,yBAAyB;IACzB,IAAI,KAAK,IAAI,MAAM,EAAE,CAAC;QACpB,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;QACvB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC
rD,OAAO,+DAA+D;gBACpE,kDAAkD,CAAC;QACvD,CAAC;QACD,IAAI,GAAG,IAAI,GAAG,EAAE,CAAC;YACf,OAAO,gEAAgE;gBACrE,kCAAkC,CAAC;QACvC,CAAC;IACH,CAAC;IACD,IAAI,KAAK,IAAI,MAAM,EAAE,CAAC;QACpB,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;QACvB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACrD,OAAO,+DAA+D;gBACpE,kDAAkD,CAAC;QACvD,CAAC;QACD,IAAI,GAAG,GAAG,GAAG,EAAE,CAAC;YACd,OAAO,8DAA8D;gBACnE,8CAA8C,CAAC;QACnD,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,uEAAuE;AACvE,uEAAuE;AACvE,4CAA4C;AAC5C,SAAS,iBAAiB,CACxB,IAAsC,EACtC,IAAwB;IAExB,MAAM,SAAS,GAAG,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC;IAClF,IAAI,SAAS,KAAK,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtD,OAAO,iEAAiE;YACtE,wEAAwE;YACxE,+DAA+D,CAAC;IACpE,CAAC;IACD,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9E,OAAO,8BAA8B,SAAS,+BAA+B;YAC3E,oEAAoE;YACpE,eAAe,CAAC;IACpB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}
|
package/dist/config.d.ts
CHANGED
|
@@ -32,6 +32,10 @@ declare const configSchema: z.ZodObject<{
|
|
|
32
32
|
cache: z.ZodPrefault<z.ZodObject<{
|
|
33
33
|
ttlMs: z.ZodDefault<z.ZodNumber>;
|
|
34
34
|
}, z.core.$strip>>;
|
|
35
|
+
introspection: z.ZodPrefault<z.ZodObject<{
|
|
36
|
+
respectPrivileges: z.ZodDefault<z.ZodBoolean>;
|
|
37
|
+
role: z.ZodOptional<z.ZodString>;
|
|
38
|
+
}, z.core.$strip>>;
|
|
35
39
|
auth: z.ZodOptional<z.ZodObject<{
|
|
36
40
|
jwt: z.ZodObject<{
|
|
37
41
|
secret: z.ZodOptional<z.ZodString>;
|
|
@@ -52,6 +56,7 @@ declare const configSchema: z.ZodObject<{
|
|
|
52
56
|
ui: z.ZodOptional<z.ZodObject<{
|
|
53
57
|
role: z.ZodOptional<z.ZodString>;
|
|
54
58
|
token: z.ZodOptional<z.ZodString>;
|
|
59
|
+
claims: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
55
60
|
}, z.core.$strip>>;
|
|
56
61
|
}, z.core.$strip>>;
|
|
57
62
|
}, z.core.$strip>;
|
|
@@ -65,6 +70,16 @@ export declare class KozouConfigError extends Error {
|
|
|
65
70
|
readonly filePath: string | null;
|
|
66
71
|
constructor(message: string, filePath: string | null, issues: KozouConfigIssue[]);
|
|
67
72
|
}
|
|
73
|
+
/**
|
|
74
|
+
* Resolve the role whose privileges privilege-aware introspection (issue #99)
|
|
75
|
+
* should evaluate, or `undefined` when the feature is off. The role defaults to
|
|
76
|
+
* the Admin UI's role (`auth.ui.role`, else `auth.defaultRole`); an explicit
|
|
77
|
+
* `introspection.role` overrides. Throws when the feature is on but no role can
|
|
78
|
+
* be resolved — privileges are role-relative, so there is nothing to evaluate.
|
|
79
|
+
*/
|
|
80
|
+
export declare function resolvePrivilegeRole(config: KozouConfig, opts?: {
|
|
81
|
+
suppliedToken?: boolean;
|
|
82
|
+
}): string | undefined;
|
|
68
83
|
export type LoadConfigOptions = {
|
|
69
84
|
/** Path to kozou.config.yaml. Default: ./kozou.config.yaml relative to cwd. */
|
|
70
85
|
path?: string;
|
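Review bot: the JSDoc on `resolvePrivilegeRole` documents one throw condition (no role can be resolved) but not the `opts.suppliedToken` parameter or the second throw it triggers in config.js, where `introspection.role` is unset and a ready-made token is in play. Add an `@param` line for `opts.suppliedToken` and an `@throws` line naming `KozouConfigError` for both cases, since callers of this exported function see only the declaration.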
package/dist/config.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AA2CxB,eAAO,MAAM,aAAa,+BAAgC,CAAC;AAC3D,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AA2CxB,eAAO,MAAM,aAAa,+BAAgC,CAAC;AAC3D,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,CAAC,CAAC;AA6EzD,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAQhB,CAAC;AAEH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAIvD,MAAM,MAAM,gBAAgB,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjE,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,MAAM,EAAE,gBAAgB,EAAE,CAAC;IACpC,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;gBACrB,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,gBAAgB,EAAE;CAMjF;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,WAAW,EACnB,IAAI,GAAE;IAAE,aAAa,CAAC,EAAE,OAAO,CAAA;CAAO,GACrC,MAAM,GAAG,SAAS,CA+BpB;AAMD,MAAM,MAAM,iBAAiB,GAAG;IAC9B,+EAA+E;IAC/E,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wEAAwE;IACxE,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,CAAC;AAyIF,wBAAsB,UAAU,CAAC,IAAI,GAAE,iBAAsB,GAAG,OAAO,CAAC,WAAW,CAAC,CA6CnF"}
|
package/dist/config.js
CHANGED
|
@@ -69,6 +69,19 @@ const cacheSchema = z
|
|
|
69
69
|
ttlMs: z.number().int().min(0).default(60_000),
|
|
70
70
|
})
|
|
71
71
|
.prefault({});
|
|
72
|
+
// Opt-in privilege-aware introspection (issue #99). When on, the Admin UI's
|
|
73
|
+
// generated surfaces reflect what the serving role may actually do: columns it
|
|
74
|
+
// cannot UPDATE render read-only, columns it cannot INSERT drop from create
|
|
75
|
+
// forms, and tables it cannot SELECT are hidden. Default off = current
|
|
76
|
+
// (schema-faithful) behaviour. The role evaluated defaults to the Admin UI's
|
|
77
|
+
// role (auth.ui.role, else auth.defaultRole); `role` overrides it explicitly.
|
|
78
|
+
// The MCP server stays schema-wide regardless (it never sets this).
|
|
79
|
+
const introspectionSchema = z
|
|
80
|
+
.object({
|
|
81
|
+
respectPrivileges: z.boolean().default(false),
|
|
82
|
+
role: z.string().min(1).optional(),
|
|
83
|
+
})
|
|
84
|
+
.prefault({});
|
|
72
85
|
const databaseSchema = z.object({
|
|
73
86
|
url: z.string().min(1, 'database.url is required (set DATABASE_URL or kozou.config.yaml)'),
|
|
74
87
|
schemas: z.array(z.string().min(1)).default(['public']),
|
|
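Review bot: the comment above `introspectionSchema` says columns the role cannot INSERT "drop from create forms", while the README added in this release says such a column "renders read-only" on the create form. Make the two agree with what the UI actually does; the difference matters to anyone relying on the field being absent rather than merely locked.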
@@ -87,11 +100,14 @@ const jwtAuthSchema = z.object({
|
|
|
87
100
|
});
|
|
88
101
|
// How the bundled Admin UI authenticates to @kozou/api when auth is on. This
|
|
89
102
|
// is a CLI-only concern (not part of @kozou/api's AuthConfig): under HS256 the
|
|
90
|
-
// CLI mints a token claiming `role
|
|
91
|
-
//
|
|
103
|
+
// CLI mints a token claiming `role` plus the optional `claims` (for RLS
|
|
104
|
+
// policies that read request.jwt.claims beyond the role, e.g. a tenant id);
|
|
105
|
+
// for RS256 / an external IdP it cannot mint, so `token` carries a
|
|
106
|
+
// ready-made one through to the UI instead.
|
|
92
107
|
const authUiSchema = z.object({
|
|
93
108
|
role: z.string().min(1).optional(),
|
|
94
109
|
token: z.string().min(1).optional(),
|
|
110
|
+
claims: z.record(z.string(), z.unknown()).optional(),
|
|
95
111
|
});
|
|
96
112
|
const authSchema = z.object({
|
|
97
113
|
jwt: jwtAuthSchema,
|
|
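Review bot: `claims: z.record(z.string(), z.unknown())` accepts any value, including nested objects and the non-finite numbers that the comment in `temporalClaimsWarning` says YAML `.nan` / `.inf` produce and that serialize to `null` in the JWT payload. Only `exp` and `nbf` are checked later, and only as a warning. Validate the values at config load (JSON-serializable scalars, or at minimum reject non-finite numbers) so a bad claim surfaces as a `KozouConfigError` rather than a minted token whose claim silently became `null` for the RLS policy reading it.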
@@ -108,6 +124,7 @@ const configSchema = z.object({
|
|
|
108
124
|
adapter: adapterSchema,
|
|
109
125
|
uiHints: uiHintsSchema,
|
|
110
126
|
cache: cacheSchema,
|
|
127
|
+
introspection: introspectionSchema,
|
|
111
128
|
auth: authSchema.optional(),
|
|
112
129
|
});
|
|
113
130
|
export class KozouConfigError extends Error {
|
|
@@ -120,6 +137,38 @@ export class KozouConfigError extends Error {
|
|
|
120
137
|
this.issues = issues;
|
|
121
138
|
}
|
|
122
139
|
}
|
|
140
|
+
/**
|
|
141
|
+
* Resolve the role whose privileges privilege-aware introspection (issue #99)
|
|
142
|
+
* should evaluate, or `undefined` when the feature is off. The role defaults to
|
|
143
|
+
* the Admin UI's role (`auth.ui.role`, else `auth.defaultRole`); an explicit
|
|
144
|
+
* `introspection.role` overrides. Throws when the feature is on but no role can
|
|
145
|
+
* be resolved — privileges are role-relative, so there is nothing to evaluate.
|
|
146
|
+
*/
|
|
147
|
+
export function resolvePrivilegeRole(config, opts = {}) {
|
|
148
|
+
if (!config.introspection.respectPrivileges)
|
|
149
|
+
return undefined;
|
|
150
|
+
// A ready-made token (auth.ui.token or the KOZOU_ADAPTER_TOKEN env — the
|
|
151
|
+
// RS256 / external-IdP path) carries its own role claim that the CLI does not
|
|
152
|
+
// mint and cannot reliably read, and it takes precedence over minting. The
|
|
153
|
+
// auth-derived fallback (auth.ui.role / defaultRole) could therefore evaluate
|
|
154
|
+
// a *different* role than the UI actually uses — hiding/locking the wrong
|
|
155
|
+
// things. Require an explicit introspection.role whenever such a token is
|
|
156
|
+
// actually in play (the caller decides: only the in-house API path forwards a
|
|
157
|
+
// token; the PostgREST opt-out clears it, so it does not gate there).
|
|
158
|
+
if (config.introspection.role === undefined && opts.suppliedToken === true) {
|
|
159
|
+
throw new KozouConfigError('introspection.respectPrivileges is on with a ready-made token (auth.ui.token / ' +
|
|
160
|
+
'KOZOU_ADAPTER_TOKEN), whose role the CLI cannot infer. Set introspection.role to the ' +
|
|
161
|
+
'role that token assumes so privilege-aware introspection evaluates the same role the ' +
|
|
162
|
+
'Admin UI runs as.', null, [{ path: 'introspection.role', message: 'required when a ready-made token is supplied' }]);
|
|
163
|
+
}
|
|
164
|
+
const role = config.introspection.role ?? config.auth?.ui?.role ?? config.auth?.defaultRole;
|
|
165
|
+
if (role === undefined || role.length === 0) {
|
|
166
|
+
throw new KozouConfigError('introspection.respectPrivileges is on but no role to evaluate could be resolved. ' +
|
|
167
|
+
'Set introspection.role explicitly, or configure auth.ui.role / auth.defaultRole ' +
|
|
168
|
+
'(the role the Admin UI assumes).', null, [{ path: 'introspection.role', message: 'no privilege role could be resolved' }]);
|
|
169
|
+
}
|
|
170
|
+
return role;
|
|
171
|
+
}
|
|
123
172
|
// ---- Loader --------------------------------------------------------------
|
|
124
173
|
const DEFAULT_CONFIG_PATH = 'kozou.config.yaml';
|
|
125
174
|
// Matches either an escaped `$$` (which becomes a literal `$`) or a
|
|
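Review bot: in `resolvePrivilegeRole`, the ready-made-token guard fires only when the caller passes `opts.suppliedToken === true`, and `opts` defaults to `{}`, so a call site that omits the option falls through to `auth.ui.role` / `auth.defaultRole` even when `auth.ui.token` is set. That is the mismatch the comment itself warns about (evaluating a different role than the UI actually uses). Consider deriving the guard from `config.auth?.ui?.token` by default and letting the PostgREST path opt out explicitly, or making `suppliedToken` a required argument so a forgotten flag cannot fail open.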
@@ -227,17 +276,47 @@ function injectAuthFromEnv(raw, env) {
|
|
|
227
276
|
if (env.KOZOU_JWT_CLAIMS_GUC)
|
|
228
277
|
auth.claimsGuc = env.KOZOU_JWT_CLAIMS_GUC;
|
|
229
278
|
// How the bundled Admin UI authenticates: KOZOU_UI_ROLE names the role the
|
|
230
|
-
// CLI mints an HS256 token for;
|
|
231
|
-
//
|
|
279
|
+
// CLI mints an HS256 token for; KOZOU_UI_CLAIMS is a JSON object of extra
|
|
280
|
+
// claims to mint into it; KOZOU_ADAPTER_TOKEN supplies a ready-made token
|
|
281
|
+
// (RS256 / external IdP, where the CLI cannot mint).
|
|
232
282
|
const ui = {};
|
|
233
283
|
if (env.KOZOU_UI_ROLE)
|
|
234
284
|
ui.role = env.KOZOU_UI_ROLE;
|
|
285
|
+
if (env.KOZOU_UI_CLAIMS)
|
|
286
|
+
ui.claims = parseUiClaimsEnv(env.KOZOU_UI_CLAIMS);
|
|
235
287
|
if (env.KOZOU_ADAPTER_TOKEN)
|
|
236
288
|
ui.token = env.KOZOU_ADAPTER_TOKEN;
|
|
237
289
|
if (Object.keys(ui).length > 0)
|
|
238
290
|
auth.ui = ui;
|
|
239
291
|
return { ...obj, auth };
|
|
240
292
|
}
|
|
293
|
+
// KOZOU_UI_CLAIMS must be a JSON object. A malformed value fails loudly at
|
|
294
|
+
// startup — silently minting a token without the expected claims would be
|
|
295
|
+
// the same silent-misconfiguration class as unforwarded auth env vars
|
|
296
|
+
// (every RLS policy keyed on a claim would just see nothing).
|
|
297
|
+
function parseUiClaimsEnv(raw) {
|
|
298
|
+
// The CLI surfaces only the top-level error message, so the actionable
|
|
299
|
+
// detail (which env var, what is wrong with it) must live there — not
|
|
300
|
+
// just in the structured issues.
|
|
301
|
+
let parsed;
|
|
302
|
+
try {
|
|
303
|
+
parsed = JSON.parse(raw);
|
|
304
|
+
}
|
|
305
|
+
catch (err) {
|
|
306
|
+
const message = err instanceof Error ? err.message : String(err);
|
|
307
|
+
const detail = `KOZOU_UI_CLAIMS is not valid JSON: ${message}`;
|
|
308
|
+
throw new KozouConfigError(`Invalid kozou config: ${detail}`, null, [
|
|
309
|
+
{ path: 'auth.ui.claims', message: detail },
|
|
310
|
+
]);
|
|
311
|
+
}
|
|
312
|
+
if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
|
|
313
|
+
const detail = 'KOZOU_UI_CLAIMS must be a JSON object, e.g. {"tenant_id":"acme"}.';
|
|
314
|
+
throw new KozouConfigError(`Invalid kozou config: ${detail}`, null, [
|
|
315
|
+
{ path: 'auth.ui.claims', message: detail },
|
|
316
|
+
]);
|
|
317
|
+
}
|
|
318
|
+
return parsed;
|
|
319
|
+
}
|
|
241
320
|
export async function loadConfig(opts = {}) {
|
|
242
321
|
const env = opts.env ?? process.env;
|
|
243
322
|
const requestedPath = opts.path ?? DEFAULT_CONFIG_PATH;
|
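Review bot: in `injectAuthFromEnv`, `KOZOU_UI_CLAIMS` and `KOZOU_ADAPTER_TOKEN` can both be set, and both land on `ui` without complaint. The updated comment says the token is for the case where the CLI cannot mint, so the claims would presumably never be minted into anything; that is the same silent-misconfiguration class `parseUiClaimsEnv` is written to prevent. Suggest throwing a `KozouConfigError` (or at least warning) when `ui.claims` and `ui.token` are both present. Separately, `parseUiClaimsEnv` copies the raw `JSON.parse` message into the top-level error; confirm that message cannot echo part of the value into startup logs if claims ever carry something sensitive.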
package/dist/config.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
|
|
1
|
+
|
|
@@ -34,7 +34,7 @@ services:
|
|
|
34
34
|
# `kozou dev` spawns the bundled @kozou/svelte-ui Admin UI, the MCP HTTP
|
|
35
35
|
# server, and Kozou's in-house REST backend (all in-process). Each binds
|
|
36
36
|
# 0.0.0.0 inside the container so the port mappings below reach your host.
|
|
37
|
-
image: ghcr.io/kozou-dev/kozou:v1.
|
|
37
|
+
image: ghcr.io/kozou-dev/kozou:v1.3.0
|
|
38
38
|
command: ["dev"]
|
|
39
39
|
environment:
|
|
40
40
|
DATABASE_URL: postgres://${POSTGRES_USER:-kozou}:${POSTGRES_PASSWORD:-kozou}@postgres:5432/${POSTGRES_DB:-kozou}
|
|
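Review bot: the changed `image:` line pins `ghcr.io/kozou-dev/kozou` by tag only, and a tag can be re-pointed after release. For a template that users copy and run with database credentials in the environment, consider pinning by digest alongside the tag (`image: ghcr.io/kozou-dev/kozou:v1.3.0@sha256:<digest>`, with the digest placeholder filled in at release time).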
@@ -61,6 +61,7 @@ services:
|
|
|
61
61
|
KOZOU_JWT_ANON_ROLE: ${KOZOU_JWT_ANON_ROLE:-}
|
|
62
62
|
KOZOU_JWT_CLAIMS_GUC: ${KOZOU_JWT_CLAIMS_GUC:-}
|
|
63
63
|
KOZOU_UI_ROLE: ${KOZOU_UI_ROLE:-}
|
|
64
|
+
KOZOU_UI_CLAIMS: ${KOZOU_UI_CLAIMS:-}
|
|
64
65
|
KOZOU_ADAPTER_TOKEN: ${KOZOU_ADAPTER_TOKEN:-}
|
|
65
66
|
depends_on:
|
|
66
67
|
postgres:
|
|
@@ -25,4 +25,5 @@ KOZOU_ORIGIN=http://localhost:3333
|
|
|
25
25
|
# KOZOU_JWT_JWKS_URI=https://your-idp/.well-known/jwks.json # Auth0 / Clerk / Supabase
|
|
26
26
|
# KOZOU_JWT_ANON_ROLE=web_anon # role for requests with no token (else 401)
|
|
27
27
|
# KOZOU_UI_ROLE=app_admin # role the bundled Admin UI runs as (HS256)
|
|
28
|
+
# KOZOU_UI_CLAIMS={"tenant_id":"acme"} # extra claims minted into the UI token (HS256, JSON object)
|
|
28
29
|
# KOZOU_ADAPTER_TOKEN= # RS256 / external IdP: a ready-made UI token
|
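Review bot: the added `KOZOU_UI_CLAIMS` example puts an unquoted JSON value containing double quotes ahead of an inline `#` comment. How the inner quotes and the trailing comment are read once the line is uncommented depends on the env-file parser, and a mangled value stops startup with the `KOZOU_UI_CLAIMS is not valid JSON` error. Suggest single-quoting the example value, `KOZOU_UI_CLAIMS='{"tenant_id":"acme"}'`, and moving the explanation to its own comment line.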
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "kozou",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.3.0",
|
|
4
4
|
"description": "Kozou CLI: scaffolding, schema introspection, and MCP server entry points.",
|
|
5
5
|
"license": "Apache-2.0",
|
|
6
6
|
"repository": {
|
|
@@ -38,11 +38,11 @@
|
|
|
38
38
|
"pg": "^8.13.0",
|
|
39
39
|
"yaml": "^2.9.0",
|
|
40
40
|
"zod": "^4.4.3",
|
|
41
|
-
"@kozou/
|
|
42
|
-
"@kozou/
|
|
43
|
-
"@kozou/
|
|
44
|
-
"@kozou/
|
|
45
|
-
"@kozou/
|
|
41
|
+
"@kozou/api": "1.3.0",
|
|
42
|
+
"@kozou/core": "1.3.0",
|
|
43
|
+
"@kozou/mcp": "1.3.0",
|
|
44
|
+
"@kozou/introspect": "1.3.0",
|
|
45
|
+
"@kozou/svelte-ui": "1.3.0"
|
|
46
46
|
},
|
|
47
47
|
"devDependencies": {
|
|
48
48
|
"@modelcontextprotocol/sdk": "^1.0.0",
|
|
@@ -51,7 +51,7 @@
|
|
|
51
51
|
"@types/pg": "^8.11.10",
|
|
52
52
|
"testcontainers": "^12.0.0",
|
|
53
53
|
"tsx": "^4.19.0",
|
|
54
|
-
"@kozou/codegen": "1.
|
|
54
|
+
"@kozou/codegen": "1.3.0"
|
|
55
55
|
},
|
|
56
56
|
"scripts": {
|
|
57
57
|
"typecheck": "tsc --noEmit",
|