mates-fullstack 1.0.0-beta.1

package/dist/main-runner.d.ts

@@ -0,0 +1,59 @@
+/**
+ * mates-fullstack — main-runner.ts
+ *
+ * Imports server/main.ts at startup to trigger module-level
+ * onRequest() / onRequest() / onResponse() registrations.
+ *
+ * server/main.ts is a pure side-effect module:
+ *
+ *   import { onRequest, onRequest, onResponse } from "mates-fullstack";
+ *
+ *   onRequest(async (c) => {
+ *     if (new URL(req.url).pathname === "/stripe-webhook") {
+ *       return new Response("ok");
+ *     }
+ *   });
+ *
+ *   onRequest(async (payload, ctx) => {
+ *     await rateLimit(payload, ctx, { max: 100 });
+ *     await auth(payload, ctx, { cookie: "session" });
+ *   });
+ *
+ *   onResponse(async (data, ctx) => {
+ *     ctx.resHeaders["x-response-time"] = "...";
+ *   });
+ *
+ * There is no default export, no main function, no lifecycle —
+ * just module-level calls that register hooks into the global arrays
+ * in middleware.ts.
+ *
+ * In dev hot-reload:
+ *   1. clearMiddleware() is called to reset the hook arrays
+ *   2. main.ts is re-imported (cache-busted) to re-register
+ */
+/**
+ * Import server/main.ts to register its onRequest/onResponse hooks.
+ * If the file doesn't exist, does nothing (optional file).
+ *
+ * @throws if the file exists but fails to import (syntax/runtime error).
+ *   A broken main.ts breaks every RPC request so we crash loudly.
+ */
+export declare function importMainFile(mainFile: string): Promise<void>;
+/**
+ * Re-import server/main.ts in dev hot-reload.
+ * Clears all existing hooks first so re-registration starts fresh.
+ * Uses a cache-bust timestamp to force a fresh module evaluation.
+ * On import error, logs and keeps the previously registered hooks.
+ */
+export declare function reloadMainFile(mainFile: string): Promise<void>;
+/**
+ * Watch server/main.ts for changes and reload on save.
+ * Returns a cleanup function that stops the watcher.
+ *
+ * @example
+ * const stop = watchMainFile(paths.mainFile, () => {
+ *   console.log("main.ts reloaded");
+ * });
+ */
+export declare function watchMainFile(mainFile: string, onReload?: () => void): () => void;
+//# sourceMappingURL=main-runner.d.ts.map

package/dist/main-runner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"main-runner.d.ts","sourceRoot":"","sources":["../src/main-runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AASH;;;;;;GAMG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAWpE;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAoBpE;AAID;;;;;;;;GAQG;AACH,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,MAAM,IAAI,GACpB,MAAM,IAAI,CA6DZ"}

package/dist/main-runner.js

@@ -0,0 +1,157 @@
+/**
+ * mates-fullstack — main-runner.ts
+ *
+ * Imports server/main.ts at startup to trigger module-level
+ * onRequest() / onRequest() / onResponse() registrations.
+ *
+ * server/main.ts is a pure side-effect module:
+ *
+ *   import { onRequest, onRequest, onResponse } from "mates-fullstack";
+ *
+ *   onRequest(async (c) => {
+ *     if (new URL(req.url).pathname === "/stripe-webhook") {
+ *       return new Response("ok");
+ *     }
+ *   });
+ *
+ *   onRequest(async (payload, ctx) => {
+ *     await rateLimit(payload, ctx, { max: 100 });
+ *     await auth(payload, ctx, { cookie: "session" });
+ *   });
+ *
+ *   onResponse(async (data, ctx) => {
+ *     ctx.resHeaders["x-response-time"] = "...";
+ *   });
+ *
+ * There is no default export, no main function, no lifecycle —
+ * just module-level calls that register hooks into the global arrays
+ * in middleware.ts.
+ *
+ * In dev hot-reload:
+ *   1. clearMiddleware() is called to reset the hook arrays
+ *   2. main.ts is re-imported (cache-busted) to re-register
+ */
+import fs from "node:fs";
+import path from "node:path";
+import { clearMiddleware, middlewareStats } from "./middleware.js";
+import { devLog, devError } from "./log.js";
+// ─── Loader ───────────────────────────────────────────────────────────────────
+/**
+ * Import server/main.ts to register its onRequest/onResponse hooks.
+ * If the file doesn't exist, does nothing (optional file).
+ *
+ * @throws if the file exists but fails to import (syntax/runtime error).
+ *   A broken main.ts breaks every RPC request so we crash loudly.
+ */
+export async function importMainFile(mainFile) {
+    if (!fs.existsSync(mainFile))
+        return;
+    try {
+        await import(mainFile);
+    }
+    catch (err) {
+        throw new Error(`[mates-fullstack] Failed to import server/main.ts: ${err?.message ?? err}\n` +
+            `Fix the error in server/main.ts before starting the server.`);
+    }
+}
+/**
+ * Re-import server/main.ts in dev hot-reload.
+ * Clears all existing hooks first so re-registration starts fresh.
+ * Uses a cache-bust timestamp to force a fresh module evaluation.
+ * On import error, logs and keeps the previously registered hooks.
+ */
+export async function reloadMainFile(mainFile) {
+    if (!fs.existsSync(mainFile))
+        return;
+    // Clear hooks BEFORE re-importing so the new registrations start clean
+    clearMiddleware();
+    try {
+        await import(`${mainFile}?t=${Date.now()}`);
+        const stats = middlewareStats();
+        devLog(`server/main.ts reloaded ` +
+            `(${stats.request} onRequest, ${stats.response} onResponse hooks)`);
+    }
+    catch (err) {
+        devError(`Failed to reload server/main.ts: ${err?.message ?? err}\n` +
+            `Previous hooks have been cleared. Fix the error and save again.`);
+        // Leave hooks empty — better than running stale hooks
+    }
+}
+// ─── Watcher ──────────────────────────────────────────────────────────────────
+/**
+ * Watch server/main.ts for changes and reload on save.
+ * Returns a cleanup function that stops the watcher.
+ *
+ * @example
+ * const stop = watchMainFile(paths.mainFile, () => {
+ *   console.log("main.ts reloaded");
+ * });
+ */
+export function watchMainFile(mainFile, onReload) {
+    if (!fs.existsSync(mainFile)) {
+        // Watch directory for the file to be created
+        const dir = path.dirname(mainFile);
+        const basename = path.basename(mainFile);
+        if (!fs.existsSync(dir))
+            return () => { };
+        let debounce = null;
+        const watcher = fs.watch(dir, (_event, filename) => {
+            if (filename !== basename)
+                return;
+            if (debounce)
+                clearTimeout(debounce);
+            debounce = setTimeout(async () => {
+                await reloadMainFile(mainFile);
+                onReload?.();
+            }, 50);
+        });
+        return () => {
+            if (debounce)
+                clearTimeout(debounce);
+            watcher.close();
+        };
+    }
+    let debounce = null;
+    // Watch the file directly
+    const fileWatcher = fs.watch(mainFile, () => {
+        if (debounce)
+            clearTimeout(debounce);
+        debounce = setTimeout(async () => {
+            await reloadMainFile(mainFile);
+            onReload?.();
+        }, 50);
+    });
+    // Also watch directory for atomic saves (vim, emacs rename on write)
+    const dir = path.dirname(mainFile);
+    const basename = path.basename(mainFile);
+    let dirDebounce = null;
+    const dirWatcher = fs.watch(dir, (event, filename) => {
+        if (filename !== basename || event !== "rename")
+            return;
+        if (dirDebounce)
+            clearTimeout(dirDebounce);
+        dirDebounce = setTimeout(async () => {
+            await reloadMainFile(mainFile);
+            onReload?.();
+        }, 50);
+    });
+    return () => {
+        if (debounce)
+            clearTimeout(debounce);
+        if (dirDebounce)
+            clearTimeout(dirDebounce);
+        try {
+            fileWatcher.close();
+        }
+        catch {
+            /* already closed */
+        }
+        try {
+            dirWatcher.close();
+        }
+        catch {
+            /* already closed */
+        }
+    };
+}
+//# sourceMappingURL=main-runner.js.map

package/dist/main-runner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"main-runner.js","sourceRoot":"","sources":["../src/main-runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACnE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAE5C,iFAAiF;AAEjF;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB;IACnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO;IAErC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CACb,sDAAsD,GAAG,EAAE,OAAO,IAAI,GAAG,IAAI;YAC3E,6DAA6D,CAChE,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAgB;IACnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO;IAErC,uEAAuE;IACvE,eAAe,EAAE,CAAC;IAElB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,GAAG,QAAQ,MAAM,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC5C,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;QAChC,MAAM,CACJ,0BAA0B;YACxB,IAAI,KAAK,CAAC,OAAO,eAAe,KAAK,CAAC,QAAQ,oBAAoB,CACrE,CAAC;IACJ,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,QAAQ,CACN,oCAAoC,GAAG,EAAE,OAAO,IAAI,GAAG,IAAI;YACzD,iEAAiE,CACpE,CAAC;QACF,sDAAsD;IACxD,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;GAQG;AACH,MAAM,UAAU,aAAa,CAC3B,QAAgB,EAChB,QAAqB;IAErB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,6CAA6C;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACzC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,GAAG,EAAE,GAAE,CAAC,CAAC;QAEzC,IAAI,QAAQ,GAAyC,IAAI,CAAC;QAC1D,MAAM,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,MAAc,EAAE,QAAuB,EAAE,EAAE;YACxE,IAAI,QAAQ,KAAK,QAAQ;gBAAE,OAAO;YAClC,IAAI,QAAQ;gBAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;YACrC,QAAQ,GAAG,UAAU,CAAC,KAAK,IAAI,EAAE;gBAC/B,MAAM,cAAc,CAAC,QAAQ,CAAC,CAAC;gBAC/B,QAAQ,EAAE,EAAE,CAAC;YACf,CAAC,EAAE,EAAE,CAAC,CAAC;QACT,CAAC,CAAC,CAAC;QACH,OAAO,GAAG,EAAE;YACV,IAAI,QAAQ;gBAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;YACrC,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,CAAC,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,GAAyC,IAAI,CAAC;IAE1D,0BAA0B;IAC1B,MAAM,WAAW,GAAG,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,EAAE;QAC1C,IAAI,QAAQ;YAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;QACrC,QAAQ,GAAG,UAAU,CAAC,KAAK,IAAI,EAAE;YAC/B,MAAM,cAAc,CAAC,QAAQ,CAAC,CAAC;YAC/B,QAAQ,EAAE,EAAE,CAAC;QACf,CAAC,EAAE,EAAE,CAAC,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,qEAAqE;IACrE,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,WAAW,GAAyC,IAAI,CAAC;IAE7D,MAAM,UAAU,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAa,EAAE,QAAuB,EAAE,EAAE;QAC1E,IAAI,QAAQ,KAAK,QAAQ,IAAI,KAAK,KAAK,QAAQ;YAAE,OAAO;QACxD,IAAI,WAAW;YAAE,YAAY,CAAC,WAAW,CAAC,CAAC;QAC3C,WAAW,GAAG,UAAU,CAAC,KAAK,IAAI,EAAE;YAClC,MAAM,cAAc,CAAC,QAAQ,CAAC,CAAC;YAC/B,QAAQ,EAAE,EAAE,CAAC;QACf,CAAC,EAAE,EAAE,CAAC,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,OAAO,GAAG,EAAE;QACV,IAAI,QAAQ;YAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,WAAW;YAAE,YAAY,CAAC,WAAW,CAAC,CAAC;QAC3C,IAAI,CAAC;YACH,WAAW,CAAC,KAAK,EAAE,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QACD,IAAI,CAAC;YACH,UAAU,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/mates-auth.d.ts

@@ -0,0 +1,82 @@
+import type { CookieOptions, Context } from "./ctx.js";
+import { type JwtPayload } from "./jwt.js";
+export type AuthDuration = number | string;
+export interface MatesAuthClaims extends JwtPayload {
+    /** Canonical user id used by matesAuth. Mirrored to `sub` in JWTs. */
+    userId?: string;
+    /** Common display-name aliases. */
+    userName?: string;
+    username?: string;
+    name?: string;
+    email?: string;
+    roles?: string[];
+    [key: string]: unknown;
+}
+export interface MatesAuthContext extends MatesAuthClaims {
+    /** True only when `matesAuth()` verified an access token or refreshed it. */
+    isAuthenticated?: boolean;
+}
+export interface MatesAuthOptions {
+    /** JWT/HMAC secret. Falls back to AUTH_JWT_SECRET or JWT_SECRET. */
+    secret?: string;
+    /** Throw `AuthError(401)` when expired/invalid tokens require logout. Default: true. */
+    throwErrorIfTokensExpired?: boolean;
+    /** Access token cookie name. Default: "mates_access". */
+    accessCookieName?: string;
+    /** Refresh token cookie name. Default: "mates_refresh". */
+    refreshCookieName?: string;
+    /** Access token lifetime. Default: "15m". */
+    accessExpiresIn?: AuthDuration;
+    /** Refresh token lifetime. Default: "30d". */
+    refreshExpiresIn?: AuthDuration;
+    /** Cookie path. Default: "/". */
+    path?: string;
+    /** Cookie domain. */
+    domain?: string;
+    /** SameSite policy. Default: "lax". */
+    sameSite?: CookieOptions["sameSite"];
+    /** Secure flag. Default: true in production, false otherwise. */
+    secure?: boolean;
+    /** Refresh hook. Return fresh access claims, or null to force logout. */
+    onRefresh?: (userId: string, refreshPayload: JwtPayload, ctx: Context) => Promise<MatesAuthClaims | null> | MatesAuthClaims | null;
+    /** Optional post-verify hook for tokenVersion, disabled users, etc. */
+    onVerify?: (auth: MatesAuthClaims, ctx: Context) => Promise<boolean> | boolean;
+    /** Extract the canonical user id from claims. */
+    getUserId?: (claims: Record<string, unknown>) => string | undefined;
+    /**
+     * Expected issuer (`iss` claim) for tokens.
+     * If set, tokens with a different `iss` are rejected.
+     */
+    issuer?: string;
+    /**
+     * Expected audience (`aud` claim) for tokens.
+     * If set, tokens without this `aud` are rejected.
+     */
+    audience?: string;
+}
+export interface AuthLoginOptions extends Partial<MatesAuthOptions> {
+}
+/**
+ * Register the built-in auth middleware. Call once at module level in
+ * server/main.ts. It verifies httpOnly access/refresh tokens, updates
+ * `ctx.auth`, and clears cookies on logout.
+ */
+export declare function matesAuth(options?: MatesAuthOptions): void;
+export declare const auth: {
+    /**
+     * Create access/refresh token pair, set httpOnly cookies, and update
+     * `ctx.auth` for this request.
+     */
+    login(ctx: Context, payload: MatesAuthClaims, options?: AuthLoginOptions): Promise<{
+        accessToken: string;
+        refreshToken: string;
+        auth: MatesAuthContext;
+    }>;
+    /** Clear access and refresh cookies. */
+    logout(ctx: Context, options?: Partial<MatesAuthOptions>): void;
+    hashPassword: typeof hashPassword;
+    verifyPassword: typeof verifyPassword;
+};
+export declare function hashPassword(password: string): Promise<string>;
+export declare function verifyPassword(password: string, hash: string): Promise<boolean>;
+//# sourceMappingURL=mates-auth.d.ts.map

package/dist/mates-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mates-auth.d.ts","sourceRoot":"","sources":["../src/mates-auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAEvD,OAAO,EAAO,KAAK,UAAU,EAAuB,MAAM,UAAU,CAAC;AAIrE,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,CAAC;AAE3C,MAAM,WAAW,eAAgB,SAAQ,UAAU;IACjD,sEAAsE;IACtE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,mCAAmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,gBAAiB,SAAQ,eAAe;IACvD,6EAA6E;IAC7E,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,WAAW,gBAAgB;IAC/B,oEAAoE;IACpE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,wFAAwF;IACxF,yBAAyB,CAAC,EAAE,OAAO,CAAC;IACpC,yDAAyD;IACzD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,2DAA2D;IAC3D,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,6CAA6C;IAC7C,eAAe,CAAC,EAAE,YAAY,CAAC;IAC/B,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,YAAY,CAAC;IAChC,iCAAiC;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qBAAqB;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,QAAQ,CAAC,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC;IACrC,iEAAiE;IACjE,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,yEAAyE;IACzE,SAAS,CAAC,EAAE,CACV,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,UAAU,EAC1B,GAAG,EAAE,OAAO,KACT,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,GAAG,eAAe,GAAG,IAAI,CAAC;IAC9D,uEAAuE;IACvE,QAAQ,CAAC,EAAE,CACT,IAAI,EAAE,eAAe,EACrB,GAAG,EAAE,OAAO,KACT,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IAChC,iDAAiD;IACjD,SAAS,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,MAAM,GAAG,SAAS,CAAC;IACpE;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,gBAAiB,SAAQ,OAAO,CAAC,gBAAgB,CAAC;CAAG;AAyBtE;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,OAAO,GAAE,gBAAqB,GAAG,IAAI,CAc9D;AAED,eAAO,MAAM,IAAI;IACf;;;OAGG;eAEI,OAAO,WACH,eAAe,YACf,gBAAgB,GACxB,QAAQ;QACT,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,MAAM,CAAC;QACrB,MAAM,gBAAgB,CAAC;KACxB,CAAC;IAUF,wCAAwC;gBAC5B,OAAO,YAAW,QAAQ,gBAAgB,CAAC,GAAQ,IAAI;;;CAQpE,CAAC;AA6UF,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAepE;AAED,wBAAsB,cAAc,CAClC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,OAAO,CAAC,CAuBlB"}

package/dist/mates-auth.js

@@ -0,0 +1,323 @@
+import crypto from "node:crypto";
+import { AuthError } from "./errors.js";
+import { jwt } from "./jwt.js";
+import { onRequest } from "./middleware.js";
+import { onSocketConnect } from "./socket-router.js";
+const ACCESS_TOKEN_TYPE = "access";
+const REFRESH_TOKEN_TYPE = "refresh";
+let activeConfig = null;
+/**
+ * Register the built-in auth middleware. Call once at module level in
+ * server/main.ts. It verifies httpOnly access/refresh tokens, updates
+ * `ctx.auth`, and clears cookies on logout.
+ */
+export function matesAuth(options = {}) {
+    const config = resolveConfig(options, false);
+    activeConfig = config;
+    // HTTP path
+    onRequest(async (c) => {
+        await processAuthRequest(c, config);
+    });
+    // WebSocket path — runs during the socket upgrade handshake
+    // Reads httpOnly cookies, verifies JWT, populates ctx.auth
+    onSocketConnect(async (ctx) => {
+        await processAuthRequest(ctx, config);
+    });
+}
+export const auth = {
+    /**
+     * Create access/refresh token pair, set httpOnly cookies, and update
+     * `ctx.auth` for this request.
+     */
+    async login(ctx, payload, options = {}) {
+        const config = resolveConfig(options);
+        const authPayload = normalizeAuthPayload(payload, config);
+        const userId = requireUserId(authPayload, config);
+        const tokenPair = await signTokenPair(authPayload, userId, config);
+        setTokenCookies(ctx, tokenPair, config);
+        ctx.auth = { ...authPayload, userId, sub: userId, isAuthenticated: true };
+        return { ...tokenPair, auth: ctx.auth };
+    },
+    /** Clear access and refresh cookies. */
+    logout(ctx, options = {}) {
+        const config = resolveConfig(options);
+        clearAuthCookies(ctx, config);
+        ctx.auth = null;
+    },
+    hashPassword,
+    verifyPassword,
+};
+// ─── Refresh token JTI store ──────────────────────────────────────────────────
+// Tracks consumed refresh token JTIs to prevent replay attacks.
+// Single-process only — for multi-instance deployments, use onRefresh to
+// check a shared store (Redis, DB) and return null to force re-login.
+const _consumedJtis = new Map(); // jti → exp (unix seconds)
+function _isJtiConsumed(jti) {
+    const now = Math.floor(Date.now() / 1000);
+    // Opportunistic cleanup of expired entries
+    for (const [k, exp] of _consumedJtis) {
+        if (exp < now)
+            _consumedJtis.delete(k);
+    }
+    return _consumedJtis.has(jti);
+}
+function _consumeJti(jti, exp) {
+    _consumedJtis.set(jti, exp);
+}
+async function processAuthRequest(ctx, config) {
+    ctx.auth = null;
+    ctx.httpCookie = ctx.cookie;
+    const accessRaw = ctx.cookie.get(config.accessCookieName);
+    const refreshRaw = ctx.cookie.get(config.refreshCookieName);
+    const tokensWerePresent = Boolean(accessRaw || refreshRaw);
+    if (!tokensWerePresent)
+        return;
+    const accessPayload = accessRaw
+        ? await verifyTypedToken(accessRaw, ACCESS_TOKEN_TYPE, config)
+        : null;
+    if (accessPayload) {
+        const verified = await validateVerifiedAuth(accessPayload, ctx, config);
+        if (!verified)
+            return logoutOrThrow(ctx, config, "Unauthorized");
+        return;
+    }
+    const refreshPayload = refreshRaw
+        ? await verifyTypedToken(refreshRaw, REFRESH_TOKEN_TYPE, config)
+        : null;
+    if (!refreshPayload) {
+        return logoutOrThrow(ctx, config, "Authentication expired");
+    }
+    // Reject replayed refresh tokens
+    const refreshJti = typeof refreshPayload.jti === "string" ? refreshPayload.jti : null;
+    if (!refreshJti || _isJtiConsumed(refreshJti)) {
+        return logoutOrThrow(ctx, config, "Authentication expired");
+    }
+    const userId = config.getUserId(refreshPayload);
+    if (!userId) {
+        return logoutOrThrow(ctx, config, "Authentication expired");
+    }
+    const freshClaims = config.onRefresh
+        ? await config.onRefresh(userId, refreshPayload, ctx)
+        : refreshClaimsToAuth(refreshPayload, userId);
+    if (!freshClaims) {
+        return logoutOrThrow(ctx, config, "Authentication expired");
+    }
+    const authPayload = normalizeAuthPayload(freshClaims, config);
+    const freshUserId = requireUserId(authPayload, config);
+    if (freshUserId !== userId) {
+        return logoutOrThrow(ctx, config, "Authentication expired");
+    }
+    const verified = await validateVerifiedAuth(authPayload, ctx, config);
+    if (!verified)
+        return logoutOrThrow(ctx, config, "Unauthorized");
+    const tokens = await signTokenPair(authPayload, freshUserId, config);
+    setTokenCookies(ctx, tokens, config);
+    // Consume the used refresh JTI — prevents replay of the same token
+    _consumeJti(refreshJti, typeof refreshPayload.exp === "number" ? refreshPayload.exp : 0);
+}
+async function validateVerifiedAuth(payload, ctx, config) {
+    const authPayload = normalizeAuthPayload(payload, config);
+    const userId = config.getUserId(authPayload);
+    if (!userId)
+        return false;
+    if (config.onVerify) {
+        const valid = await config.onVerify(authPayload, ctx);
+        if (!valid)
+            return false;
+    }
+    ctx.auth = { ...authPayload, userId, sub: userId, isAuthenticated: true };
+    return true;
+}
+async function signTokenPair(payload, userId, config) {
+    const tokens = jwt(config.secret);
+    const signOptions = {
+        expiresIn: config.accessExpiresIn,
+        issuer: config.issuer,
+        audience: config.audience,
+    };
+    const accessToken = await tokens.sign({
+        ...stripJwtTiming(payload),
+        sub: userId,
+        userId,
+        tokenType: ACCESS_TOKEN_TYPE,
+    }, signOptions);
+    const refreshToken = await tokens.sign({ sub: userId, userId, tokenType: REFRESH_TOKEN_TYPE }, { ...signOptions, expiresIn: config.refreshExpiresIn, includeJti: true });
+    return { accessToken, refreshToken };
+}
+function setTokenCookies(ctx, tokens, config) {
+    ctx.cookie.set(config.accessCookieName, tokens.accessToken, {
+        ...baseCookieOptions(config),
+        httpOnly: true,
+        maxAge: parseDuration(config.accessExpiresIn),
+    });
+    ctx.cookie.set(config.refreshCookieName, tokens.refreshToken, {
+        ...baseCookieOptions(config),
+        httpOnly: true,
+        maxAge: parseDuration(config.refreshExpiresIn),
+    });
+}
+async function verifyTypedToken(token, tokenType, config) {
+    const payload = await jwt(config.secret).verify(token, {
+        issuer: config.issuer,
+        audience: config.audience,
+    });
+    if (!payload || payload.tokenType !== tokenType)
+        return null;
+    return payload;
+}
+function logoutOrThrow(ctx, config, message) {
+    clearAuthCookies(ctx, config);
+    ctx.auth = null;
+    if (config.throwErrorIfTokensExpired) {
+        throw new AuthError(message);
+    }
+}
+function clearAuthCookies(ctx, config) {
+    const options = cookieDeleteOptions(config);
+    ctx.cookie.delete(config.accessCookieName, options);
+    ctx.cookie.delete(config.refreshCookieName, options);
+}
+function normalizeAuthPayload(payload, config) {
+    const userId = config.getUserId(payload);
+    const clean = stripJwtTiming(payload);
+    delete clean.tokenType;
+    if (userId) {
+        clean.userId = userId;
+        clean.sub = userId;
+    }
+    return clean;
+}
+function requireUserId(payload, config) {
+    const userId = config.getUserId(payload);
+    if (!userId) {
+        throw new AuthError("Auth payload must include userId, id, or sub");
+    }
+    return userId;
+}
+function refreshClaimsToAuth(refreshPayload, userId) {
+    const clean = stripJwtTiming(refreshPayload);
+    delete clean.tokenType;
+    delete clean.jti;
+    return { ...clean, userId, sub: userId };
+}
+function stripJwtTiming(payload) {
+    const { iat: _iat, exp: _exp, nbf: _nbf, iss: _iss, aud: _aud, ...rest } = payload;
+    return { ...rest };
+}
+function defaultGetUserId(claims) {
+    const value = claims.userId ?? claims.id ?? claims.sub;
+    return typeof value === "string" && value.length > 0 ? value : undefined;
+}
+function resolveConfig(options = {}, inheritPrevious = true) {
+    const previous = inheritPrevious ? activeConfig : null;
+    const secret = options.secret ??
+        previous?.secret ??
+        process.env.AUTH_JWT_SECRET ??
+        process.env.JWT_SECRET;
+    if (!secret || secret.length < 8) {
+        throw new Error("[mates-fullstack] matesAuth: secret must be configured via " +
+            "matesAuth({ secret }), AUTH_JWT_SECRET, or JWT_SECRET.");
+    }
+    const refreshExpiresIn = options.refreshExpiresIn ?? previous?.refreshExpiresIn ?? "30d";
+    return {
+        secret,
+        throwErrorIfTokensExpired: options.throwErrorIfTokensExpired ??
+            previous?.throwErrorIfTokensExpired ??
+            true,
+        accessCookieName: options.accessCookieName ?? previous?.accessCookieName ?? "mates_access",
+        refreshCookieName: options.refreshCookieName ??
+            previous?.refreshCookieName ??
+            "mates_refresh",
+        accessExpiresIn: options.accessExpiresIn ?? previous?.accessExpiresIn ?? "15m",
+        refreshExpiresIn,
+        path: options.path ?? previous?.path ?? "/",
+        domain: options.domain ?? previous?.domain,
+        sameSite: options.sameSite ?? previous?.sameSite ?? "lax",
+        secure: options.secure ??
+            previous?.secure ??
+            process.env.NODE_ENV === "production",
+        onRefresh: options.onRefresh ?? previous?.onRefresh,
+        onVerify: options.onVerify ?? previous?.onVerify,
+        getUserId: options.getUserId ?? previous?.getUserId ?? defaultGetUserId,
+        issuer: options.issuer ?? previous?.issuer,
+        audience: options.audience ?? previous?.audience,
+    };
+}
+function baseCookieOptions(config) {
+    return {
+        path: config.path,
+        domain: config.domain,
+        sameSite: config.sameSite,
+        secure: config.secure,
+    };
+}
+function cookieDeleteOptions(config) {
+    return { path: config.path, domain: config.domain };
+}
+function parseDuration(value) {
+    if (typeof value === "number")
+        return Math.floor(value);
+    const str = value.trim();
+    if (/^\d+$/.test(str))
+        return Number(str);
+    const match = str.match(/^(\d+(?:\.\d+)?)\s*(s|m|h|d|w)$/i);
+    if (!match) {
+        throw new Error(`[mates-fullstack] matesAuth: invalid duration "${value}". ` +
+            "Use seconds or strings like 15m, 1h, 30d.");
+    }
+    const amount = Number(match[1]);
+    const unit = match[2].toLowerCase();
+    const multipliers = {
+        s: 1,
+        m: 60,
+        h: 3600,
+        d: 86400,
+        w: 604800,
+    };
+    return Math.floor(amount * multipliers[unit]);
+}
+const HASH_ALGORITHM = "scrypt";
+const KEY_LENGTH = 64;
+const SALT_LENGTH = 32;
+const SCRYPT_N = 16384;
+const SCRYPT_R = 8;
+const SCRYPT_P = 1;
+export async function hashPassword(password) {
+    const salt = new Uint8Array(crypto.randomBytes(SALT_LENGTH));
+    const derivedKey = crypto.scryptSync(password, salt, KEY_LENGTH, {
+        N: SCRYPT_N,
+        r: SCRYPT_R,
+        p: SCRYPT_P,
+    });
+    return [
+        HASH_ALGORITHM,
+        String(SCRYPT_N),
+        String(SCRYPT_R),
+        String(SCRYPT_P),
+        Buffer.from(salt).toString("base64url"),
+        derivedKey.toString("base64url"),
+    ].join(":");
+}
+export async function verifyPassword(password, hash) {
+    try {
+        const parts = hash.split(":");
+        if (parts.length !== 6 || parts[0] !== HASH_ALGORITHM)
+            return false;
+        const N = Number(parts[1]);
+        const r = Number(parts[2]);
+        const p = Number(parts[3]);
+        const salt = new Uint8Array(Buffer.from(parts[4], "base64url"));
+        const expectedKey = new Uint8Array(Buffer.from(parts[5], "base64url"));
+        const actualKey = crypto.scryptSync(password, salt, KEY_LENGTH, {
+            N,
+            r,
+            p,
+        });
+        return (expectedKey.length === actualKey.length &&
+            crypto.timingSafeEqual(expectedKey, actualKey));
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=mates-auth.js.map

package/dist/mates-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mates-auth.js","sourceRoot":"","sources":["../src/mates-auth.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,GAAG,EAAwC,MAAM,UAAU,CAAC;AACrE,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAuFrD,MAAM,iBAAiB,GAAG,QAAQ,CAAC;AACnC,MAAM,kBAAkB,GAAG,SAAS,CAAC;AAErC,IAAI,YAAY,GAA8B,IAAI,CAAC;AAEnD;;;;GAIG;AACH,MAAM,UAAU,SAAS,CAAC,UAA4B,EAAE;IACtD,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC7C,YAAY,GAAG,MAAM,CAAC;IAEtB,YAAY;IACZ,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QACpB,MAAM,kBAAkB,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,4DAA4D;IAC5D,2DAA2D;IAC3D,eAAe,CAAC,KAAK,EAAE,GAAQ,EAAE,EAAE;QACjC,MAAM,kBAAkB,CAAC,GAAc,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,MAAM,IAAI,GAAG;IAClB;;;OAGG;IACH,KAAK,CAAC,KAAK,CACT,GAAY,EACZ,OAAwB,EACxB,UAA4B,EAAE;QAM9B,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QACtC,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1D,MAAM,MAAM,GAAG,aAAa,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAClD,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QACnE,eAAe,CAAC,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QACxC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC;QAC1E,OAAO,EAAE,GAAG,SAAS,EAAE,IAAI,EAAE,GAAG,CAAC,IAAwB,EAAE,CAAC;IAC9D,CAAC;IAED,wCAAwC;IACxC,MAAM,CAAC,GAAY,EAAE,UAAqC,EAAE;QAC1D,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QACtC,gBAAgB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAC9B,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;IAClB,CAAC;IAED,YAAY;IACZ,cAAc;CACf,CAAC;AAEF,iFAAiF;AACjF,gEAAgE;AAChE,yEAAyE;AACzE,sEAAsE;AAEtE,MAAM,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,2BAA2B;AAE5E,SAAS,cAAc,CAAC,GAAW;IACjC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,2CAA2C;IAC3C,KAAK,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,aAAa,EAAE,CAAC;QACrC,IAAI,GAAG,GAAG,GAAG;YAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,WAAW,CAAC,GAAW,EAAE,GAAW;IAC3C,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,GAAY,EACZ,MAA0B;IAE1B,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;IAChB,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC;IAE5B,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAC5D,MAAM,iBAAiB,GAAG,OAAO,CAAC,SAAS,IAAI,UAAU,CAAC,CAAC;IAE3D,IAAI,CAAC,iBAAiB;QAAE,OAAO;IAE/B,MAAM,aAAa,GAAG,SAAS;QAC7B,CAAC,CAAC,MAAM,gBAAgB,CAAC,SAAS,EAAE,iBAAiB,EAAE,MAAM,CAAC;QAC9D,CAAC,CAAC,IAAI,CAAC;IAET,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,aAAa,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;QACxE,IAAI,CAAC,QAAQ;YAAE,OAAO,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC;QACjE,OAAO;IACT,CAAC;IAED,MAAM,cAAc,GAAG,UAAU;QAC/B,CAAC,CAAC,MAAM,gBAAgB,CAAC,UAAU,EAAE,kBAAkB,EAAE,MAAM,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC;IAET,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,wBAAwB,CAAC,CAAC;IAC9D,CAAC;IAED,iCAAiC;IACjC,MAAM,UAAU,GACd,OAAO,cAAc,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;IACrE,IAAI,CAAC,UAAU,IAAI,cAAc,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9C,OAAO,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,wBAAwB,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,wBAAwB,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,SAAS;QAClC,CAAC,CAAC,MAAM,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,cAAc,EAAE,GAAG,CAAC;QACrD,CAAC,CAAC,mBAAmB,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;IAEhD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,wBAAwB,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,WAAW,GAAG,oBAAoB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAC9D,MAAM,WAAW,GAAG,aAAa,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACvD,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;QAC3B,OAAO,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,wBAAwB,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,WAAW,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;IACtE,IAAI,CAAC,QAAQ;QAAE,OAAO,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC;IAEjE,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,WAAW,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;IACrE,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAErC,mEAAmE;IACnE,WAAW,CACT,UAAU,EACV,OAAO,cAAc,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAChE,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,OAAmB,EACnB,GAAY,EACZ,MAA0B;IAE1B,MAAM,WAAW,GAAG,oBAAoB,CAAC,OAA0B,EAAE,MAAM,CAAC,CAAC;IAC7E,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE1B,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;IAC3B,CAAC;IAED,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC;IAC1E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,OAAwB,EACxB,MAAc,EACd,MAA0B;IAE1B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAClC,MAAM,WAAW,GAAmB;QAClC,SAAS,EAAE,MAAM,CAAC,eAAe;QACjC,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;KAC1B,CAAC;IACF,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,IAAI,CACnC;QACE,GAAG,cAAc,CAAC,OAAO,CAAC;QAC1B,GAAG,EAAE,MAAM;QACX,MAAM;QACN,SAAS,EAAE,iBAAiB;KAC7B,EACD,WAAW,CACZ,CAAC;IACF,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,IAAI,CACpC,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,kBAAkB,EAAE,EACtD,EAAE,GAAG,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,gBAAgB,EAAE,UAAU,EAAE,IAAI,EAAE,CACzE,CAAC;IACF,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,CAAC;AACvC,CAAC;AAED,SAAS,eAAe,CACtB,GAAY,EACZ,MAAqD,EACrD,MAA0B;IAE1B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,gBAAgB,EAAE,MAAM,CAAC,WAAW,EAAE;QAC1D,GAAG,iBAAiB,CAAC,MAAM,CAAC;QAC5B,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,eAAe,CAAC;KAC9C,CAAC,CAAC;IACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,EAAE,MAAM,CAAC,YAAY,EAAE;QAC5D,GAAG,iBAAiB,CAAC,MAAM,CAAC;QAC5B,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,gBAAgB,CAAC;KAC/C,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,KAAa,EACb,SAAiB,EACjB,MAA0B;IAE1B,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE;QACrD,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;KAC1B,CAAC,CAAC;IACH,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAC7D,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,aAAa,CACpB,GAAY,EACZ,MAA0B,EAC1B,OAAe;IAEf,gBAAgB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC9B,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;IAChB,IAAI,MAAM,CAAC,yBAAyB,EAAE,CAAC;QACrC,MAAM,IAAI,SAAS,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAY,EAAE,MAA0B;IAChE,MAAM,OAAO,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC5C,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;IACpD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,oBAAoB,CAC3B,OAAwB,EACxB,MAA0B;IAE1B,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,CAAoB,CAAC;IACzD,OAAO,KAAK,CAAC,SAAS,CAAC;IACvB,IAAI,MAAM,EAAE,CAAC;QACX,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;QACtB,KAAK,CAAC,GAAG,GAAG,MAAM,CAAC;IACrB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CACpB,OAAwB,EACxB,MAA0B;IAE1B,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CAAC,8CAA8C,CAAC,CAAC;IACtE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAC1B,cAA0B,EAC1B,MAAc;IAEd,MAAM,KAAK,GAAG,cAAc,CAAC,cAAc,CAAoB,CAAC;IAChE,OAAO,KAAK,CAAC,SAAS,CAAC;IACvB,OAAO,KAAK,CAAC,GAAG,CAAC;IACjB,OAAO,EAAE,GAAG,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;AAC3C,CAAC;AAED,SAAS,cAAc,CAAoC,OAAU;IACnE,MAAM,EACJ,GAAG,EAAE,IAAI,EACT,GAAG,EAAE,IAAI,EACT,GAAG,EAAE,IAAI,EACT,GAAG,EAAE,IAAI,EACT,GAAG,EAAE,IAAI,EACT,GAAG,IAAI,EACR,GAAG,OAAO,CAAC;IACZ,OAAO,EAAE,GAAG,IAAI,EAAO,CAAC;AAC1B,CAAC;AAED,SAAS,gBAAgB,CAAC,MAA+B;IACvD,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,EAAE,IAAI,MAAM,CAAC,GAAG,CAAC;IACvD,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3E,CAAC;AAED,SAAS,aAAa,CACpB,UAAqC,EAAE,EACvC,eAAe,GAAG,IAAI;IAEtB,MAAM,QAAQ,GAAG,eAAe,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC;IACvD,MAAM,MAAM,GACV,OAAO,CAAC,MAAM;QACd,QAAQ,EAAE,MAAM;QAChB,OAAO,CAAC,GAAG,CAAC,eAAe;QAC3B,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IAEzB,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CACb,6DAA6D;YAC3D,wDAAwD,CAC3D,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GACpB,OAAO,CAAC,gBAAgB,IAAI,QAAQ,EAAE,gBAAgB,IAAI,KAAK,CAAC;IAElE,OAAO;QACL,MAAM;QACN,yBAAyB,EACvB,OAAO,CAAC,yBAAyB;YACjC,QAAQ,EAAE,yBAAyB;YACnC,IAAI;QACN,gBAAgB,EACd,OAAO,CAAC,gBAAgB,IAAI,QAAQ,EAAE,gBAAgB,IAAI,cAAc;QAC1E,iBAAiB,EACf,OAAO,CAAC,iBAAiB;YACzB,QAAQ,EAAE,iBAAiB;YAC3B,eAAe;QACjB,eAAe,EACb,OAAO,CAAC,eAAe,IAAI,QAAQ,EAAE,eAAe,IAAI,KAAK;QAC/D,gBAAgB;QAChB,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,QAAQ,EAAE,IAAI,IAAI,GAAG;QAC3C,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,QAAQ,EAAE,MAAM;QAC1C,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,QAAQ,EAAE,QAAQ,IAAI,KAAK;QACzD,MAAM,EACJ,OAAO,CAAC,MAAM;YACd,QAAQ,EAAE,MAAM;YAChB,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QACvC,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,QAAQ,EAAE,SAAS;QACnD,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,QAAQ,EAAE,QAAQ;QAChD,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,QAAQ,EAAE,SAAS,IAAI,gBAAgB;QACvE,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,QAAQ,EAAE,MAAM;QAC1C,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,QAAQ,EAAE,QAAQ;KACjD,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,MAA0B;IACnD,OAAO;QACL,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAC1B,MAA0B;IAE1B,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;AACtD,CAAC;AAED,SAAS,aAAa,CAAC,KAAmB;IACxC,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IACzB,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;IAC5D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,kDAAkD,KAAK,KAAK;YAC1D,2CAA2C,CAC9C,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAChC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACpC,MAAM,WAAW,GAA2B;QAC1C,CAAC,EAAE,CAAC;QACJ,CAAC,EAAE,EAAE;QACL,CAAC,EAAE,IAAI;QACP,CAAC,EAAE,KAAK;QACR,CAAC,EAAE,MAAM;KACV,CAAC;IACF,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,cAAc,GAAG,QAAQ,CAAC;AAChC,MAAM,UAAU,GAAG,EAAE,CAAC;AACtB,MAAM,WAAW,GAAG,EAAE,CAAC;AACvB,MAAM,QAAQ,GAAG,KAAK,CAAC;AACvB,MAAM,QAAQ,GAAG,CAAC,CAAC;AACnB,MAAM,QAAQ,GAAG,CAAC,CAAC;AAEnB,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,QAAgB;IACjD,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,CAAC;IAC7D,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE;QAC/D,CAAC,EAAE,QAAQ;QACX,CAAC,EAAE,QAAQ;QACX,CAAC,EAAE,QAAQ;KACZ,CAAC,CAAC;IACH,OAAO;QACL,cAAc;QACd,MAAM,CAAC,QAAQ,CAAC;QAChB,MAAM,CAAC,QAAQ,CAAC;QAChB,MAAM,CAAC,QAAQ,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;QACvC,UAAU,CAAC,QAAQ,CAAC,WAAW,CAAC;KACjC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,QAAgB,EAChB,IAAY;IAEZ,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,cAAc;YAAE,OAAO,KAAK,CAAC;QAEpE,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,CAAC;QAChE,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,CAAC;QACvE,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE;YAC9D,CAAC;YACD,CAAC;YACD,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,CACL,WAAW,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM;YACvC,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,SAAkC,CAAC,CACxE,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}