mcp-server-db2i 1.2.1 → 1.3.1

package/dist/auth/authMiddleware.js

@@ -0,0 +1,217 @@
+/**
+ * Authentication Middleware for HTTP Transport
+ *
+ * Express middleware to validate Bearer tokens on protected routes.
+ * Supports multiple authentication modes:
+ * - 'required': Full /auth flow with per-user DB credentials (default)
+ * - 'token': Pre-shared static token, uses env DB credentials
+ * - 'none': No authentication required, uses env DB credentials
+ */
+import { timingSafeEqual } from 'node:crypto';
+import { getTokenManager } from './tokenManager.js';
+import { createChildLogger } from '../utils/logger.js';
+import { getHttpConfig } from '../config.js';
+const log = createChildLogger({ component: 'auth-middleware' });
+/**
+ * Extract Bearer token from Authorization header
+ */
+function extractBearerToken(authHeader) {
+    if (!authHeader) {
+        return null;
+    }
+    const parts = authHeader.split(' ');
+    if (parts.length !== 2 || parts[0].toLowerCase() !== 'bearer') {
+        return null;
+    }
+    return parts[1];
+}
+/**
+ * Authentication middleware for protected routes
+ *
+ * Behavior depends on MCP_AUTH_MODE:
+ * - 'required': Validates Bearer token from /auth flow, attaches token session
+ * - 'token': Validates Bearer token against static MCP_AUTH_TOKEN
+ * - 'none': Skips authentication entirely
+ *
+ * @example
+ * app.post('/mcp', authMiddleware, (req, res) => {
+ *   const session = (req as AuthenticatedRequest).tokenSession;
+ *   // Use session.config for DB connection (only in 'required' mode)
+ * });
+ */
+export function authMiddleware(req, res, next) {
+    const httpConfig = getHttpConfig();
+    // No auth mode - skip authentication entirely
+    if (httpConfig.authMode === 'none') {
+        log.debug({ path: req.path, method: req.method, authMode: 'none' }, 'Auth disabled, allowing request');
+        return next();
+    }
+    // Token mode - validate against static token
+    if (httpConfig.authMode === 'token') {
+        const authHeader = req.headers.authorization;
+        const token = extractBearerToken(authHeader);
+        if (!token) {
+            log.debug({ path: req.path, method: req.method }, 'Missing or invalid Authorization header (token mode)');
+            res.status(401).json({
+                error: 'unauthorized',
+                error_description: 'Missing or invalid Authorization header. Use: Authorization: Bearer <token>',
+            });
+            return;
+        }
+        // Use constant-time comparison to prevent timing attacks
+        const staticToken = httpConfig.staticToken ?? '';
+        const tokenBuffer = Buffer.from(token);
+        const staticTokenBuffer = Buffer.from(staticToken);
+        const tokensMatch = tokenBuffer.length === staticTokenBuffer.length &&
+            timingSafeEqual(tokenBuffer, staticTokenBuffer);
+        if (tokensMatch) {
+            log.debug({ path: req.path, method: req.method, authMode: 'token' }, 'Static token validated');
+            // Store token for session keying (will use global config for DB)
+            req.authToken = token;
+            return next();
+        }
+        log.debug({ path: req.path, method: req.method }, 'Invalid static token');
+        res.status(401).json({
+            error: 'invalid_token',
+            error_description: 'Invalid authentication token',
+        });
+        return;
+    }
+    // Required mode - full token validation with per-user credentials
+    const authHeader = req.headers.authorization;
+    const token = extractBearerToken(authHeader);
+    if (!token) {
+        log.debug({ path: req.path, method: req.method }, 'Missing or invalid Authorization header');
+        res.status(401).json({
+            error: 'unauthorized',
+            error_description: 'Missing or invalid Authorization header. Use: Authorization: Bearer <token>',
+        });
+        return;
+    }
+    const tokenManager = getTokenManager();
+    const result = tokenManager.validateToken(token);
+    if (!result.valid || !result.session) {
+        log.debug({ path: req.path, method: req.method, error: result.error }, 'Token validation failed');
+        res.status(401).json({
+            error: 'invalid_token',
+            error_description: result.error ?? 'Token validation failed',
+        });
+        return;
+    }
+    // Attach session to request
+    req.tokenSession = result.session;
+    req.authToken = token;
+    log.debug({
+        path: req.path,
+        method: req.method,
+        user: result.session.config.username,
+        host: result.session.config.hostname,
+    }, 'Request authenticated');
+    next();
+}
+/**
+ * Get the current auth mode for use in route handlers
+ */
+export function getAuthModeFromConfig() {
+    return getHttpConfig().authMode;
+}
+/**
+ * Optional authentication middleware
+ *
+ * Similar to authMiddleware but doesn't require authentication.
+ * If a valid token is provided, attaches the session to the request.
+ * If no token or invalid token, continues without error.
+ *
+ * Useful for endpoints that work with or without authentication.
+ */
+export function optionalAuthMiddleware(req, res, next) {
+    const authHeader = req.headers.authorization;
+    const token = extractBearerToken(authHeader);
+    if (token) {
+        const tokenManager = getTokenManager();
+        const result = tokenManager.validateToken(token);
+        if (result.valid && result.session) {
+            req.tokenSession = result.session;
+            req.authToken = token;
+        }
+    }
+    next();
+}
+/**
+ * Rate limiting middleware for auth endpoints
+ *
+ * Simple in-memory rate limiter to prevent brute force attacks.
+ * Tracks failed attempts by IP address.
+ */
+const authAttempts = new Map();
+const AUTH_RATE_LIMIT = {
+    maxAttempts: 5,
+    windowMs: 60000, // 1 minute
+};
+/**
+ * Get client IP from request
+ *
+ * Uses Express's req.ip which respects the 'trust proxy' setting.
+ * If proxy is trusted, req.ip will contain the client IP from X-Forwarded-For.
+ * If proxy is not trusted, req.ip will be the direct connection IP.
+ *
+ * To trust proxy headers, set app.set('trust proxy', true) or configure
+ * specific trusted proxies. Without this, X-Forwarded-For headers are ignored.
+ */
+function getClientIp(req) {
+    // Use Express's req.ip which respects 'trust proxy' setting
+    // This prevents IP spoofing when proxy is not trusted
+    return req.ip ?? req.socket.remoteAddress ?? 'unknown';
+}
+/**
+ * Auth rate limiting middleware
+ *
+ * Limits authentication attempts per IP to prevent brute force.
+ * Should be applied to the /auth endpoint.
+ */
+export function authRateLimitMiddleware(req, res, next) {
+    const ip = getClientIp(req);
+    const now = Date.now();
+    // Clean up expired entries
+    const entry = authAttempts.get(ip);
+    if (entry && entry.resetAt < now) {
+        authAttempts.delete(ip);
+    }
+    const current = authAttempts.get(ip);
+    if (current && current.count >= AUTH_RATE_LIMIT.maxAttempts) {
+        const retryAfter = Math.ceil((current.resetAt - now) / 1000);
+        log.warn({ ip, attempts: current.count }, 'Auth rate limit exceeded');
+        res.status(429).json({
+            error: 'too_many_requests',
+            error_description: `Too many authentication attempts. Try again in ${retryAfter} seconds.`,
+            retry_after: retryAfter,
+        });
+        return;
+    }
+    next();
+}
+/**
+ * Record a failed auth attempt for rate limiting
+ */
+export function recordFailedAuthAttempt(req) {
+    const ip = getClientIp(req);
+    const now = Date.now();
+    const current = authAttempts.get(ip);
+    if (current && current.resetAt > now) {
+        current.count++;
+    }
+    else {
+        authAttempts.set(ip, {
+            count: 1,
+            resetAt: now + AUTH_RATE_LIMIT.windowMs,
+        });
+    }
+}
+/**
+ * Clear rate limit for an IP (on successful auth)
+ */
+export function clearAuthRateLimit(req) {
+    const ip = getClientIp(req);
+    authAttempts.delete(ip);
+}
+//# sourceMappingURL=authMiddleware.js.map

package/dist/auth/authMiddleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authMiddleware.js","sourceRoot":"","sources":["../../src/auth/authMiddleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAiB,MAAM,cAAc,CAAC;AAG5D,MAAM,GAAG,GAAG,iBAAiB,CAAC,EAAE,SAAS,EAAE,iBAAiB,EAAE,CAAC,CAAC;AAYhE;;GAEG;AACH,SAAS,kBAAkB,CAAC,UAA8B;IACxD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC9D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,cAAc,CAC5B,GAAY,EACZ,GAAa,EACb,IAAkB;IAElB,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;IAEnC,8CAA8C;IAC9C,IAAI,UAAU,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QACnC,GAAG,CAAC,KAAK,CACP,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,EACxD,iCAAiC,CAClC,CAAC;QACF,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC;IAED,6CAA6C;IAC7C,IAAI,UAAU,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACpC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAC7C,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QAE7C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,GAAG,CAAC,KAAK,CACP,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,EACtC,sDAAsD,CACvD,CAAC;YACF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAAE,6EAA6E;aACjG,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,yDAAyD;QACzD,MAAM,WAAW,GAAG,UAAU,CAAC,WAAW,IAAI,EAAE,CAAC;QACjD,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvC,MAAM,iBAAiB,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACnD,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,KAAK,iBAAiB,CAAC,MAAM;YACjE,eAAe,CAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC;QAElD,IAAI,WAAW,EAAE,CAAC;YAChB,GAAG,CAAC,KAAK,CACP,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,EACzD,wBAAwB,CACzB,CAAC;YACF,iEAAiE;YAChE,GAA4B,CAAC,SAAS,GAAG,KAAK,CAAC;YAChD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,GAAG,CAAC,KAAK,CACP,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,EACtC,sBAAsB,CACvB,CAAC;QACF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,8BAA8B;SAClD,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,kEAAkE;IAClE,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;IAC7C,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAE7C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,GAAG,CAAC,KAAK,CACP,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,EACtC,yCAAyC,CAC1C,CAAC;QACF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,cAAc;YACrB,iBAAiB,EAAE,6EAA6E;SACjG,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,MAAM,MAAM,GAAG,YAAY,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IAEjD,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACrC,GAAG,CAAC,KAAK,CACP,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,EAC3D,yBAAyB,CAC1B,CAAC;QACF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,MAAM,CAAC,KAAK,IAAI,yBAAyB;SAC7D,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,4BAA4B;IAC3B,GAA4B,CAAC,YAAY,GAAG,MAAM,CAAC,OAAO,CAAC;IAC3D,GAA4B,CAAC,SAAS,GAAG,KAAK,CAAC;IAEhD,GAAG,CAAC,KAAK,CACP;QACE,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ;QACpC,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ;KACrC,EACD,uBAAuB,CACxB,CAAC;IAEF,IAAI,EAAE,CAAC;AACT,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB;IACnC,OAAO,aAAa,EAAE,CAAC,QAAQ,CAAC;AAClC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,sBAAsB,CACpC,GAAY,EACZ,GAAa,EACb,IAAkB;IAElB,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;IAC7C,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAE7C,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;QACvC,MAAM,MAAM,GAAG,YAAY,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAEjD,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YAClC,GAA4B,CAAC,YAAY,GAAG,MAAM,CAAC,OAAO,CAAC;YAC3D,GAA4B,CAAC,SAAS,GAAG,KAAK,CAAC;QAClD,CAAC;IACH,CAAC;IAED,IAAI,EAAE,CAAC;AACT,CAAC;AAED;;;;;GAKG;AACH,MAAM,YAAY,GAAG,IAAI,GAAG,EAA8C,CAAC;AAC3E,MAAM,eAAe,GAAG;IACtB,WAAW,EAAE,CAAC;IACd,QAAQ,EAAE,KAAK,EAAE,WAAW;CAC7B,CAAC;AAEF;;;;;;;;;GASG;AACH,SAAS,WAAW,CAAC,GAAY;IAC/B,4DAA4D;IAC5D,sDAAsD;IACtD,OAAO,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,SAAS,CAAC;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB,CACrC,GAAY,EACZ,GAAa,EACb,IAAkB;IAElB,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,2BAA2B;IAC3B,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACnC,IAAI,KAAK,IAAI,KAAK,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC;QACjC,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAErC,IAAI,OAAO,IAAI,OAAO,CAAC,KAAK,IAAI,eAAe,CAAC,WAAW,EAAE,CAAC;QAC5D,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;QAC7D,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE,0BAA0B,CAAC,CAAC;QACtE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,mBAAmB;YAC1B,iBAAiB,EAAE,kDAAkD,UAAU,WAAW;YAC1F,WAAW,EAAE,UAAU;SACxB,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,EAAE,CAAC;AACT,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAY;IAClD,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACrC,IAAI,OAAO,IAAI,OAAO,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC;QACrC,OAAO,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;SAAM,CAAC;QACN,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE;YACnB,KAAK,EAAE,CAAC;YACR,OAAO,EAAE,GAAG,GAAG,eAAe,CAAC,QAAQ;SACxC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAY;IAC7C,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAC5B,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;AAC1B,CAAC"}

package/dist/auth/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Authentication module for HTTP transport
+ *
+ * Exports all auth-related types, middleware, and utilities.
+ */
+export type { AuthRequest, AuthResponse, AuthErrorResponse, TokenSession, TokenValidationResult, AuthValidationResult, } from './types.js';
+export { getTokenManager, TokenManager, type SessionCleanupCallback } from './tokenManager.js';
+export { authMiddleware, optionalAuthMiddleware, authRateLimitMiddleware, recordFailedAuthAttempt, clearAuthRateLimit, type AuthenticatedRequest, } from './authMiddleware.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,YAAY,EACV,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,YAAY,EACZ,qBAAqB,EACrB,oBAAoB,GACrB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,KAAK,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAG/F,OAAO,EACL,cAAc,EACd,sBAAsB,EACtB,uBAAuB,EACvB,uBAAuB,EACvB,kBAAkB,EAClB,KAAK,oBAAoB,GAC1B,MAAM,qBAAqB,CAAC"}

package/dist/auth/index.js

@@ -0,0 +1,10 @@
+/**
+ * Authentication module for HTTP transport
+ *
+ * Exports all auth-related types, middleware, and utilities.
+ */
+// Token Manager
+export { getTokenManager, TokenManager } from './tokenManager.js';
+// Middleware
+export { authMiddleware, optionalAuthMiddleware, authRateLimitMiddleware, recordFailedAuthAttempt, clearAuthRateLimit, } from './authMiddleware.js';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAYH,gBAAgB;AAChB,OAAO,EAAE,eAAe,EAAE,YAAY,EAA+B,MAAM,mBAAmB,CAAC;AAE/F,aAAa;AACb,OAAO,EACL,cAAc,EACd,sBAAsB,EACtB,uBAAuB,EACvB,uBAAuB,EACvB,kBAAkB,GAEnB,MAAM,qBAAqB,CAAC"}

package/dist/auth/tokenManager.d.ts

@@ -0,0 +1,114 @@
+/**
+ * Token Manager for HTTP Authentication
+ *
+ * Handles secure token generation, validation, session storage, and cleanup.
+ * Tokens are stored in memory with automatic cleanup of expired sessions.
+ */
+import type { DB2iConfig } from '../config.js';
+import type { TokenSession, TokenValidationResult } from './types.js';
+/**
+ * Callback type for session cleanup notification
+ * Used to close associated resources (e.g., connection pools) when tokens expire
+ */
+export type SessionCleanupCallback = (token: string) => Promise<void> | void;
+/**
+ * Token Manager singleton for managing authentication tokens
+ */
+declare class TokenManager {
+    private static instance;
+    private sessions;
+    private cleanupTimer;
+    private readonly cleanupIntervalMs;
+    private cleanupCallback;
+    private constructor();
+    /**
+     * Get the singleton instance
+     */
+    static getInstance(): TokenManager;
+    /**
+     * Generate a cryptographically secure token
+     * Uses 32 bytes (256 bits) of randomness encoded as base64url
+     */
+    private generateTokenString;
+    /**
+     * Create a new token session
+     *
+     * @param config - DB2i configuration for this session
+     * @param durationSeconds - Optional custom token duration
+     * @returns The generated token and session info
+     */
+    createSession(config: DB2iConfig, durationSeconds?: number): {
+        token: string;
+        expiresAt: Date;
+        expiresIn: number;
+    };
+    /**
+     * Validate a token and return the session
+     *
+     * @param token - The token to validate
+     * @returns Validation result with session if valid
+     */
+    validateToken(token: string): TokenValidationResult;
+    /**
+     * Get a session by token without validation
+     * Used internally when token is already validated
+     */
+    getSession(token: string): TokenSession | undefined;
+    /**
+     * Update the MCP session ID for a token
+     * Used when a stateful MCP session is established
+     */
+    setMcpSessionId(token: string, mcpSessionId: string): void;
+    /**
+     * Revoke a token
+     *
+     * @param token - The token to revoke
+     * @returns true if token was found and revoked
+     */
+    revokeToken(token: string): Promise<boolean>;
+    /**
+     * Get session statistics
+     */
+    getStats(): {
+        totalSessions: number;
+        activeSessions: number;
+        expiredSessions: number;
+    };
+    /**
+     * Clean up expired sessions
+     */
+    private cleanupExpiredSessions;
+    /**
+     * Start the cleanup timer
+     */
+    private startCleanupTimer;
+    /**
+     * Stop the cleanup timer and clear all sessions
+     * Used for graceful shutdown
+     */
+    shutdown(): Promise<void>;
+    /**
+     * Check if a new session can be created (advisory)
+     *
+     * Note: This is an advisory check. In Node.js single-threaded environment,
+     * there's no race condition between synchronous operations. However, if async
+     * operations occur between calling this method and createSession(), the count
+     * could change. The hard limit is enforced in createSession() which throws
+     * an error if the limit is exceeded.
+     */
+    canCreateSession(): boolean;
+    /**
+     * Set a callback to be called when sessions are cleaned up
+     * Used to close associated resources (e.g., connection pools)
+     *
+     * @param callback - Function called with the token when a session is removed
+     */
+    setCleanupCallback(callback: SessionCleanupCallback): void;
+    /**
+     * Internal method to notify about session cleanup
+     */
+    private notifyCleanup;
+}
+export declare function getTokenManager(): TokenManager;
+export { TokenManager };
+//# sourceMappingURL=tokenManager.d.ts.map

package/dist/auth/tokenManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenManager.d.ts","sourceRoot":"","sources":["../../src/auth/tokenManager.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG/C,OAAO,KAAK,EACV,YAAY,EACZ,qBAAqB,EACtB,MAAM,YAAY,CAAC;AAIpB;;;GAGG;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AAE7E;;GAEG;AACH,cAAM,YAAY;IAChB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAe;IACtC,OAAO,CAAC,QAAQ,CAAwC;IACxD,OAAO,CAAC,YAAY,CAA+B;IACnD,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAS;IAC3C,OAAO,CAAC,eAAe,CAAuC;IAE9D,OAAO;IAKP;;OAEG;IACH,MAAM,CAAC,WAAW,IAAI,YAAY;IAOlC;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAI3B;;;;;;OAMG;IACH,aAAa,CACX,MAAM,EAAE,UAAU,EAClB,eAAe,CAAC,EAAE,MAAM,GACvB;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,IAAI,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE;IAsCxD;;;;;OAKG;IACH,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,qBAAqB;IA4BnD;;;OAGG;IACH,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS;IAInD;;;OAGG;IACH,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI;IAW1D;;;;;OAKG;IACG,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAqBlD;;OAEG;IACH,QAAQ,IAAI;QACV,aAAa,EAAE,MAAM,CAAC;QACtB,cAAc,EAAE,MAAM,CAAC;QACvB,eAAe,EAAE,MAAM,CAAC;KACzB;IAoBD;;OAEG;YACW,sBAAsB;IA0BpC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAkBzB;;;OAGG;IACG,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAkB/B;;;;;;;;OAQG;IACH,gBAAgB,IAAI,OAAO;IAK3B;;;;;OAKG;IACH,kBAAkB,CAAC,QAAQ,EAAE,sBAAsB,GAAG,IAAI;IAK1D;;OAEG;YACW,aAAa;CAS5B;AAGD,wBAAgB,eAAe,IAAI,YAAY,CAE9C;AAGD,OAAO,EAAE,YAAY,EAAE,CAAC"}

package/dist/auth/tokenManager.js

@@ -0,0 +1,255 @@
+/**
+ * Token Manager for HTTP Authentication
+ *
+ * Handles secure token generation, validation, session storage, and cleanup.
+ * Tokens are stored in memory with automatic cleanup of expired sessions.
+ */
+import crypto from 'node:crypto';
+import { getHttpConfig } from '../config.js';
+import { createChildLogger } from '../utils/logger.js';
+const log = createChildLogger({ component: 'token-manager' });
+/**
+ * Token Manager singleton for managing authentication tokens
+ */
+class TokenManager {
+    static instance;
+    sessions = new Map();
+    cleanupTimer = null;
+    cleanupIntervalMs = 60000; // 1 minute
+    cleanupCallback = null;
+    constructor() {
+        this.startCleanupTimer();
+        log.debug('Token manager initialized');
+    }
+    /**
+     * Get the singleton instance
+     */
+    static getInstance() {
+        if (!TokenManager.instance) {
+            TokenManager.instance = new TokenManager();
+        }
+        return TokenManager.instance;
+    }
+    /**
+     * Generate a cryptographically secure token
+     * Uses 32 bytes (256 bits) of randomness encoded as base64url
+     */
+    generateTokenString() {
+        return crypto.randomBytes(32).toString('base64url');
+    }
+    /**
+     * Create a new token session
+     *
+     * @param config - DB2i configuration for this session
+     * @param durationSeconds - Optional custom token duration
+     * @returns The generated token and session info
+     */
+    createSession(config, durationSeconds) {
+        const httpConfig = getHttpConfig();
+        // Check max sessions limit
+        if (this.sessions.size >= httpConfig.maxSessions) {
+            throw new Error(`Maximum concurrent sessions (${httpConfig.maxSessions}) reached. Please try again later.`);
+        }
+        const token = this.generateTokenString();
+        const now = new Date();
+        const expiresIn = durationSeconds ?? httpConfig.tokenExpiry;
+        const expiresAt = new Date(now.getTime() + expiresIn * 1000);
+        const session = {
+            token,
+            config,
+            createdAt: now,
+            expiresAt,
+            lastUsedAt: now,
+        };
+        this.sessions.set(token, session);
+        log.info({
+            sessionCount: this.sessions.size,
+            expiresIn,
+            host: config.hostname,
+            // Note: username intentionally omitted for PII compliance
+        }, 'Token session created');
+        return { token, expiresAt, expiresIn };
+    }
+    /**
+     * Validate a token and return the session
+     *
+     * @param token - The token to validate
+     * @returns Validation result with session if valid
+     */
+    validateToken(token) {
+        if (!token || typeof token !== 'string') {
+            return { valid: false, error: 'Invalid token format' };
+        }
+        const session = this.sessions.get(token);
+        if (!session) {
+            log.debug({ tokenPrefix: token.substring(0, 8) }, 'Token not found');
+            return { valid: false, error: 'Token not found or expired' };
+        }
+        // Check expiration
+        if (new Date() > session.expiresAt) {
+            log.debug({ tokenPrefix: token.substring(0, 8), expiredAt: session.expiresAt }, 'Token expired');
+            this.sessions.delete(token);
+            return { valid: false, error: 'Token expired' };
+        }
+        // Update last used timestamp
+        session.lastUsedAt = new Date();
+        return { valid: true, session };
+    }
+    /**
+     * Get a session by token without validation
+     * Used internally when token is already validated
+     */
+    getSession(token) {
+        return this.sessions.get(token);
+    }
+    /**
+     * Update the MCP session ID for a token
+     * Used when a stateful MCP session is established
+     */
+    setMcpSessionId(token, mcpSessionId) {
+        const session = this.sessions.get(token);
+        if (session) {
+            session.mcpSessionId = mcpSessionId;
+            log.debug({ tokenPrefix: token.substring(0, 8), mcpSessionId }, 'MCP session ID associated with token');
+        }
+    }
+    /**
+     * Revoke a token
+     *
+     * @param token - The token to revoke
+     * @returns true if token was found and revoked
+     */
+    async revokeToken(token) {
+        const session = this.sessions.get(token);
+        if (!session) {
+            return false;
+        }
+        this.sessions.delete(token);
+        // Notify cleanup callback to close associated resources
+        await this.notifyCleanup(token);
+        log.info({
+            tokenPrefix: token.substring(0, 8),
+            sessionCount: this.sessions.size,
+        }, 'Token revoked');
+        return true;
+    }
+    /**
+     * Get session statistics
+     */
+    getStats() {
+        const now = new Date();
+        let activeSessions = 0;
+        let expiredSessions = 0;
+        for (const session of this.sessions.values()) {
+            if (now <= session.expiresAt) {
+                activeSessions++;
+            }
+            else {
+                expiredSessions++;
+            }
+        }
+        return {
+            totalSessions: this.sessions.size,
+            activeSessions,
+            expiredSessions,
+        };
+    }
+    /**
+     * Clean up expired sessions
+     */
+    async cleanupExpiredSessions() {
+        const now = new Date();
+        const expiredTokens = [];
+        for (const [token, session] of this.sessions.entries()) {
+            if (now > session.expiresAt) {
+                expiredTokens.push(token);
+            }
+        }
+        if (expiredTokens.length > 0) {
+            for (const token of expiredTokens) {
+                this.sessions.delete(token);
+                // Notify cleanup callback to close associated resources
+                await this.notifyCleanup(token);
+            }
+            log.info({
+                expiredCount: expiredTokens.length,
+                remainingCount: this.sessions.size,
+            }, 'Cleaned up expired sessions');
+        }
+    }
+    /**
+     * Start the cleanup timer
+     */
+    startCleanupTimer() {
+        if (this.cleanupTimer) {
+            return;
+        }
+        this.cleanupTimer = setInterval(() => {
+            this.cleanupExpiredSessions();
+        }, this.cleanupIntervalMs);
+        // Don't block process exit
+        this.cleanupTimer.unref();
+        log.debug({ intervalMs: this.cleanupIntervalMs }, 'Session cleanup timer started');
+    }
+    /**
+     * Stop the cleanup timer and clear all sessions
+     * Used for graceful shutdown
+     */
+    async shutdown() {
+        if (this.cleanupTimer) {
+            clearInterval(this.cleanupTimer);
+            this.cleanupTimer = null;
+        }
+        // Notify cleanup callback for all remaining sessions
+        const tokens = Array.from(this.sessions.keys());
+        for (const token of tokens) {
+            await this.notifyCleanup(token);
+        }
+        const sessionCount = this.sessions.size;
+        this.sessions.clear();
+        log.info({ clearedSessions: sessionCount }, 'Token manager shutdown');
+    }
+    /**
+     * Check if a new session can be created (advisory)
+     *
+     * Note: This is an advisory check. In Node.js single-threaded environment,
+     * there's no race condition between synchronous operations. However, if async
+     * operations occur between calling this method and createSession(), the count
+     * could change. The hard limit is enforced in createSession() which throws
+     * an error if the limit is exceeded.
+     */
+    canCreateSession() {
+        const httpConfig = getHttpConfig();
+        return this.sessions.size < httpConfig.maxSessions;
+    }
+    /**
+     * Set a callback to be called when sessions are cleaned up
+     * Used to close associated resources (e.g., connection pools)
+     *
+     * @param callback - Function called with the token when a session is removed
+     */
+    setCleanupCallback(callback) {
+        this.cleanupCallback = callback;
+        log.debug('Session cleanup callback registered');
+    }
+    /**
+     * Internal method to notify about session cleanup
+     */
+    async notifyCleanup(token) {
+        if (this.cleanupCallback) {
+            try {
+                await this.cleanupCallback(token);
+            }
+            catch (err) {
+                log.error({ err, tokenPrefix: token.substring(0, 8) }, 'Error in cleanup callback');
+            }
+        }
+    }
+}
+// Export singleton getter
+export function getTokenManager() {
+    return TokenManager.getInstance();
+}
+// Export the class type for testing
+export { TokenManager };
+//# sourceMappingURL=tokenManager.js.map

package/dist/auth/tokenManager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenManager.js","sourceRoot":"","sources":["../../src/auth/tokenManager.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAMvD,MAAM,GAAG,GAAG,iBAAiB,CAAC,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC,CAAC;AAQ9D;;GAEG;AACH,MAAM,YAAY;IACR,MAAM,CAAC,QAAQ,CAAe;IAC9B,QAAQ,GAA8B,IAAI,GAAG,EAAE,CAAC;IAChD,YAAY,GAA0B,IAAI,CAAC;IAClC,iBAAiB,GAAG,KAAK,CAAC,CAAC,WAAW;IAC/C,eAAe,GAAkC,IAAI,CAAC;IAE9D;QACE,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACzB,GAAG,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;IACzC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC3B,YAAY,CAAC,QAAQ,GAAG,IAAI,YAAY,EAAE,CAAC;QAC7C,CAAC;QACD,OAAO,YAAY,CAAC,QAAQ,CAAC;IAC/B,CAAC;IAED;;;OAGG;IACK,mBAAmB;QACzB,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACtD,CAAC;IAED;;;;;;OAMG;IACH,aAAa,CACX,MAAkB,EAClB,eAAwB;QAExB,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;QAEnC,2BAA2B;QAC3B,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CACb,gCAAgC,UAAU,CAAC,WAAW,oCAAoC,CAC3F,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,eAAe,IAAI,UAAU,CAAC,WAAW,CAAC;QAC5D,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC,CAAC;QAE7D,MAAM,OAAO,GAAiB;YAC5B,KAAK;YACL,MAAM;YACN,SAAS,EAAE,GAAG;YACd,SAAS;YACT,UAAU,EAAE,GAAG;SAChB,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QAElC,GAAG,CAAC,IAAI,CACN;YACE,YAAY,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YAChC,SAAS;YACT,IAAI,EAAE,MAAM,CAAC,QAAQ;YACrB,0DAA0D;SAC3D,EACD,uBAAuB,CACxB,CAAC;QAEF,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;IACzC,CAAC;IAED;;;;;OAKG;IACH,aAAa,CAAC,KAAa;QACzB,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACxC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;QACzD,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAEzC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,KAAK,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,iBAAiB,CAAC,CAAC;YACrE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC;QAC/D,CAAC;QAED,mBAAmB;QACnB,IAAI,IAAI,IAAI,EAAE,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;YACnC,GAAG,CAAC,KAAK,CACP,EAAE,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,EACpE,eAAe,CAChB,CAAC;YACF,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC5B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QAClD,CAAC;QAED,6BAA6B;QAC7B,OAAO,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC;QAEhC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAClC,CAAC;IAED;;;OAGG;IACH,UAAU,CAAC,KAAa;QACtB,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;IAED;;;OAGG;IACH,eAAe,CAAC,KAAa,EAAE,YAAoB;QACjD,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACzC,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,YAAY,GAAG,YAAY,CAAC;YACpC,GAAG,CAAC,KAAK,CACP,EAAE,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,YAAY,EAAE,EACpD,sCAAsC,CACvC,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACzC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAE5B,wDAAwD;QACxD,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAEhC,GAAG,CAAC,IAAI,CACN;YACE,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC;YAClC,YAAY,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;SACjC,EACD,eAAe,CAChB,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,QAAQ;QAKN,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,cAAc,GAAG,CAAC,CAAC;QACvB,IAAI,eAAe,GAAG,CAAC,CAAC;QAExB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;YAC7C,IAAI,GAAG,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;gBAC7B,cAAc,EAAE,CAAC;YACnB,CAAC;iBAAM,CAAC;gBACN,eAAe,EAAE,CAAC;YACpB,CAAC;QACH,CAAC;QAED,OAAO;YACL,aAAa,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;YACjC,cAAc;YACd,eAAe;SAChB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,sBAAsB;QAClC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,aAAa,GAAa,EAAE,CAAC;QAEnC,KAAK,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC;YACvD,IAAI,GAAG,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;gBAC5B,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;gBAClC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC5B,wDAAwD;gBACxD,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YAClC,CAAC;YACD,GAAG,CAAC,IAAI,CACN;gBACE,YAAY,EAAE,aAAa,CAAC,MAAM;gBAClC,cAAc,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI;aACnC,EACD,6BAA6B,CAC9B,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,iBAAiB;QACvB,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,OAAO;QACT,CAAC;QAED,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC,GAAG,EAAE;YACnC,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAChC,CAAC,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAE3B,2BAA2B;QAC3B,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QAE1B,GAAG,CAAC,KAAK,CACP,EAAE,UAAU,EAAE,IAAI,CAAC,iBAAiB,EAAE,EACtC,+BAA+B,CAChC,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,QAAQ;QACZ,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACjC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QAC3B,CAAC;QAED,qDAAqD;QACrD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QAChD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAClC,CAAC;QAED,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;QACxC,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QAEtB,GAAG,CAAC,IAAI,CAAC,EAAE,eAAe,EAAE,YAAY,EAAE,EAAE,wBAAwB,CAAC,CAAC;IACxE,CAAC;IAED;;;;;;;;OAQG;IACH,gBAAgB;QACd,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;QACnC,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,GAAG,UAAU,CAAC,WAAW,CAAC;IACrD,CAAC;IAED;;;;;OAKG;IACH,kBAAkB,CAAC,QAAgC;QACjD,IAAI,CAAC,eAAe,GAAG,QAAQ,CAAC;QAChC,GAAG,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACnD,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,aAAa,CAAC,KAAa;QACvC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YACpC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,2BAA2B,CAAC,CAAC;YACtF,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAED,0BAA0B;AAC1B,MAAM,UAAU,eAAe;IAC7B,OAAO,YAAY,CAAC,WAAW,EAAE,CAAC;AACpC,CAAC;AAED,oCAAoC;AACpC,OAAO,EAAE,YAAY,EAAE,CAAC"}