msoutlook-mcp 0.1.0

package/dist/auth/token-refresh.js

@@ -0,0 +1,133 @@
+/**
+ * HTTP-based token refresh.
+ *
+ * Uses the OWA first-party client ID (public SPA — no client secret needed) to
+ * exchange a cached refresh token for new access tokens via the standard
+ * OAuth2 token endpoint.
+ *
+ * Key detail (from msteams-mcp): the Origin header is REQUIRED for SPA
+ * client IDs. Azure AD validates that refresh token grants from SPA clients
+ * include a cross-origin Origin header matching a registered redirect URI.
+ * Without it Azure AD returns AADSTS9002327.
+ */
+import { logger } from '../utils/logger.js';
+import { OWA_CLIENT_ID, OWA_SCOPE, GRAPH_SCOPE, OWA_BASE } from '../constants.js';
+import { readTokenCache, writeTokenCache } from './session-store.js';
+// ─────────────────────────────────────────────────────────────────────────────
+// Concurrent refresh guards — separate per resource so an OWA refresh doesn't
+// block a Graph refresh (mirrors msteams-mcp's guard, split by scope).
+// ─────────────────────────────────────────────────────────────────────────────
+let owaRefreshInProgress = false;
+let graphRefreshInProgress = false;
+const REFRESH_TIMEOUT_MS = 10_000;
+async function callTokenEndpoint(tenantId, refreshToken, scope) {
+    const url = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
+    const body = new URLSearchParams({
+        client_id: OWA_CLIENT_ID,
+        grant_type: 'refresh_token',
+        refresh_token: refreshToken,
+        scope,
+    });
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), REFRESH_TIMEOUT_MS);
+    try {
+        const res = await fetch(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                // Required for SPA public clients — Azure AD returns AADSTS9002327 without this
+                'Origin': OWA_BASE,
+            },
+            body: body.toString(),
+            signal: controller.signal,
+        });
+        if (!res.ok) {
+            const text = await res.text().catch(() => '');
+            logger.warn(`Token refresh HTTP ${res.status}`, text.slice(0, 200));
+            return null;
+        }
+        return await res.json();
+    }
+    catch (err) {
+        if (err instanceof Error && err.name === 'AbortError') {
+            logger.warn('Token refresh request timed out');
+        }
+        else {
+            logger.warn('Token refresh network error', err instanceof Error ? err.message : String(err));
+        }
+        return null;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Public refresh functions
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Refresh the OWA access token via HTTP.
+ * Returns the new access token on success, null on failure.
+ * Prevents concurrent refresh races with module-level guard.
+ */
+export async function refreshOwaToken() {
+    if (owaRefreshInProgress) {
+        logger.debug('OWA token refresh already in progress');
+        return null;
+    }
+    const cache = readTokenCache();
+    if (!cache?.refreshToken || !cache.tenantId) {
+        logger.debug('No refresh token or tenant ID cached');
+        return null;
+    }
+    owaRefreshInProgress = true;
+    try {
+        logger.debug('Refreshing OWA access token via HTTP');
+        const response = await callTokenEndpoint(cache.tenantId, cache.refreshToken, OWA_SCOPE);
+        if (!response)
+            return null;
+        const updated = {
+            ...cache,
+            owaToken: response.access_token,
+            owaTokenExpiry: Date.now() + response.expires_in * 1000,
+            refreshToken: response.refresh_token ?? cache.refreshToken,
+            extractedAt: Date.now(),
+        };
+        writeTokenCache(updated);
+        logger.info('OWA token refreshed successfully');
+        return response.access_token;
+    }
+    finally {
+        owaRefreshInProgress = false;
+    }
+}
+/**
+ * Refresh the Graph access token via HTTP.
+ */
+export async function refreshGraphToken() {
+    if (graphRefreshInProgress)
+        return null;
+    const cache = readTokenCache();
+    if (!cache?.refreshToken || !cache.tenantId)
+        return null;
+    graphRefreshInProgress = true;
+    try {
+        logger.debug('Refreshing Graph access token via HTTP');
+        const response = await callTokenEndpoint(cache.tenantId, cache.refreshToken, GRAPH_SCOPE);
+        if (!response)
+            return null;
+        const updated = {
+            ...cache,
+            graphToken: response.access_token,
+            graphTokenExpiry: Date.now() + response.expires_in * 1000,
+            refreshToken: response.refresh_token ?? cache.refreshToken,
+            extractedAt: Date.now(),
+        };
+        writeTokenCache(updated);
+        logger.info('Graph token refreshed successfully');
+        return response.access_token;
+    }
+    finally {
+        graphRefreshInProgress = false;
+    }
+}
+//# sourceMappingURL=token-refresh.js.map

package/dist/auth/token-refresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-refresh.js","sourceRoot":"","sources":["../../src/auth/token-refresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAClF,OAAO,EAAE,cAAc,EAAE,eAAe,EAAmB,MAAM,oBAAoB,CAAC;AAEtF,gFAAgF;AAChF,8EAA8E;AAC9E,uEAAuE;AACvE,gFAAgF;AAEhF,IAAI,oBAAoB,GAAG,KAAK,CAAC;AACjC,IAAI,sBAAsB,GAAG,KAAK,CAAC;AAanC,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC,KAAK,UAAU,iBAAiB,CAC9B,QAAgB,EAChB,YAAoB,EACpB,KAAa;IAEb,MAAM,GAAG,GAAG,qCAAqC,QAAQ,oBAAoB,CAAC;IAE9E,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,SAAS,EAAE,aAAa;QACxB,UAAU,EAAE,eAAe;QAC3B,aAAa,EAAE,YAAY;QAC3B,KAAK;KACN,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,kBAAkB,CAAC,CAAC;IAEvE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,gFAAgF;gBAChF,QAAQ,EAAE,QAAQ;aACnB;YACD,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;YACrB,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YAC9C,MAAM,CAAC,IAAI,CAAC,sBAAsB,GAAG,CAAC,MAAM,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;YACpE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAM,GAAG,CAAC,IAAI,EAAmB,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YACtD,MAAM,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,6BAA6B,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/F,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,IAAI,oBAAoB,EAAE,CAAC;QACzB,MAAM,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACtD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,YAAY,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC5C,MAAM,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;QACrD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,oBAAoB,GAAG,IAAI,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;QACrD,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QACxF,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAE3B,MAAM,OAAO,GAAe;YAC1B,GAAG,KAAK;YACR,QAAQ,EAAE,QAAQ,CAAC,YAAY;YAC/B,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,UAAU,GAAG,IAAI;YACvD,YAAY,EAAE,QAAQ,CAAC,aAAa,IAAI,KAAK,CAAC,YAAY;YAC1D,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE;SACxB,CAAC;QACF,eAAe,CAAC,OAAO,CAAC,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QAChD,OAAO,QAAQ,CAAC,YAAY,CAAC;IAC/B,CAAC;YAAS,CAAC;QACT,oBAAoB,GAAG,KAAK,CAAC;IAC/B,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,IAAI,sBAAsB;QAAE,OAAO,IAAI,CAAC;IAExC,MAAM,KAAK,GAAG,cAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK,EAAE,YAAY,IAAI,CAAC,KAAK,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAEzD,sBAAsB,GAAG,IAAI,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QAC1F,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAE3B,MAAM,OAAO,GAAe;YAC1B,GAAG,KAAK;YACR,UAAU,EAAE,QAAQ,CAAC,YAAY;YACjC,gBAAgB,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,UAAU,GAAG,IAAI;YACzD,YAAY,EAAE,QAAQ,CAAC,aAAa,IAAI,KAAK,CAAC,YAAY;YAC1D,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE;SACxB,CAAC;QACF,eAAe,CAAC,OAAO,CAAC,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;QAClD,OAAO,QAAQ,CAAC,YAAY,CAAC;IAC/B,CAAC;YAAS,CAAC;QACT,sBAAsB,GAAG,KAAK,CAAC;IACjC,CAAC;AACH,CAAC"}

package/dist/browser/cookie-import.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Import Microsoft SSO cookies from the user's real browser profile into a
+ * Playwright context, enabling silent SSO on first login without re-entering
+ * credentials.
+ *
+ * Supports all major platforms:
+ *   macOS  — Chrome/Edge via macOS Keychain, AES-128-CBC
+ *   Linux  — Chrome/Edge via libsecret / "peanuts" fallback, AES-128-CBC
+ *   Windows — Chrome/Edge via DPAPI (PowerShell), AES-256-GCM
+ *
+ * SQLite access uses sql.js (pure JS/WASM) — no native build tools needed.
+ *
+ * Fails gracefully on every error: cookie import is a best-effort optimisation.
+ * If it fails the user falls back to a normal headed browser login.
+ *
+ * NOTE — Chrome 127+ on Windows uses App-Bound Encryption (prefix "APPB")
+ * which cannot be decrypted outside the Chrome process. Those cookies are
+ * silently skipped. Edge on Windows is unaffected and remains fully supported.
+ */
+import type { BrowserContext } from 'playwright';
+/**
+ * Import Microsoft SSO cookies from the user's real browser into the Playwright
+ * context. Enables instant silent authentication — OWA recognises the session
+ * and skips the login page entirely.
+ *
+ * @param context - Playwright browser context to inject cookies into
+ * @param channel - Browser channel in use: 'chrome', 'msedge', or undefined
+ */
+export declare function importMicrosoftCookies(context: BrowserContext, channel: string | undefined): Promise<void>;
+//# sourceMappingURL=cookie-import.d.ts.map

package/dist/browser/cookie-import.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie-import.d.ts","sourceRoot":"","sources":["../../src/browser/cookie-import.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAOH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAiXjD;;;;;;;GAOG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,cAAc,EACvB,OAAO,EAAE,MAAM,GAAG,SAAS,GAC1B,OAAO,CAAC,IAAI,CAAC,CAgHf"}

package/dist/browser/cookie-import.js

@@ -0,0 +1,446 @@
+/**
+ * Import Microsoft SSO cookies from the user's real browser profile into a
+ * Playwright context, enabling silent SSO on first login without re-entering
+ * credentials.
+ *
+ * Supports all major platforms:
+ *   macOS  — Chrome/Edge via macOS Keychain, AES-128-CBC
+ *   Linux  — Chrome/Edge via libsecret / "peanuts" fallback, AES-128-CBC
+ *   Windows — Chrome/Edge via DPAPI (PowerShell), AES-256-GCM
+ *
+ * SQLite access uses sql.js (pure JS/WASM) — no native build tools needed.
+ *
+ * Fails gracefully on every error: cookie import is a best-effort optimisation.
+ * If it fails the user falls back to a normal headed browser login.
+ *
+ * NOTE — Chrome 127+ on Windows uses App-Bound Encryption (prefix "APPB")
+ * which cannot be decrypted outside the Chrome process. Those cookies are
+ * silently skipped. Edge on Windows is unaffected and remains fully supported.
+ */
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { execSync } from 'node:child_process';
+import { logger } from '../utils/logger.js';
+// ─────────────────────────────────────────────────────────────────────────────
+// Per-platform browser configs
+// ─────────────────────────────────────────────────────────────────────────────
+function getBrowserConfigs() {
+    const home = os.homedir();
+    if (process.platform === 'darwin') {
+        return {
+            chrome: {
+                label: 'Chrome',
+                dataDir: path.join(home, 'Library', 'Application Support', 'Google', 'Chrome'),
+                keychainService: 'Chrome Safe Storage',
+                profileEnvVar: 'MSOUTLOOK_CHROME_PROFILE',
+            },
+            msedge: {
+                label: 'Edge',
+                dataDir: path.join(home, 'Library', 'Application Support', 'Microsoft Edge'),
+                keychainService: 'Microsoft Edge Safe Storage',
+                profileEnvVar: 'MSOUTLOOK_EDGE_PROFILE',
+            },
+        };
+    }
+    if (process.platform === 'win32') {
+        const localAppData = process.env.LOCALAPPDATA ?? path.join(home, 'AppData', 'Local');
+        return {
+            chrome: {
+                label: 'Chrome',
+                dataDir: path.join(localAppData, 'Google', 'Chrome', 'User Data'),
+                profileEnvVar: 'MSOUTLOOK_CHROME_PROFILE',
+            },
+            msedge: {
+                label: 'Edge',
+                dataDir: path.join(localAppData, 'Microsoft', 'Edge', 'User Data'),
+                profileEnvVar: 'MSOUTLOOK_EDGE_PROFILE',
+            },
+        };
+    }
+    // Linux
+    return {
+        chrome: {
+            label: 'Chrome',
+            dataDir: path.join(home, '.config', 'google-chrome'),
+            keychainService: 'Chrome Safe Storage',
+            profileEnvVar: 'MSOUTLOOK_CHROME_PROFILE',
+        },
+        msedge: {
+            label: 'Edge',
+            dataDir: path.join(home, '.config', 'microsoft-edge'),
+            keychainService: 'Microsoft Edge Safe Storage',
+            profileEnvVar: 'MSOUTLOOK_EDGE_PROFILE',
+        },
+    };
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Profile detection
+// ─────────────────────────────────────────────────────────────────────────────
+function selectProfile(dataDir, envVar) {
+    const override = process.env[envVar];
+    if (override)
+        return override;
+    // Chrome/Edge newer versions store cookies at Default/Network/Cookies
+    // Try Default profile first (most common), fall back to scanning
+    const defaultPath = path.join(dataDir, 'Default');
+    if (fs.existsSync(path.join(defaultPath, 'Network', 'Cookies')) ||
+        fs.existsSync(path.join(defaultPath, 'Cookies'))) {
+        return 'Default';
+    }
+    // Scan Local State for other profiles
+    const localStatePath = path.join(dataDir, 'Local State');
+    if (!fs.existsSync(localStatePath))
+        return null;
+    try {
+        const state = JSON.parse(fs.readFileSync(localStatePath, 'utf8'));
+        const cache = state.profile?.info_cache ?? {};
+        return Object.keys(cache)[0] ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+/** Returns the Cookies database path, checking both old and new locations. */
+function getCookiesDbPath(dataDir, profile) {
+    const base = path.join(dataDir, profile);
+    // Newer Chrome/Edge moved cookies into a Network sub-directory
+    const newPath = path.join(base, 'Network', 'Cookies');
+    if (fs.existsSync(newPath))
+        return newPath;
+    const oldPath = path.join(base, 'Cookies');
+    if (fs.existsSync(oldPath))
+        return oldPath;
+    return null;
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// SQLite reading (sql.js — pure JS/WASM, no native deps)
+// ─────────────────────────────────────────────────────────────────────────────
+const MICROSOFT_DOMAINS_SQL = [
+    '%microsoftonline%',
+    '%login.live.com%',
+    '%login.microsoft.com%',
+    '%microsoft.com%',
+    '%office.com%',
+    '%office365.com%',
+    '%outlook.com%',
+].map(d => `host_key LIKE '${d}'`).join(' OR ');
+async function readCookiesFromDb(dbPath) {
+    // Copy to temp to avoid locking conflicts with a running browser
+    const tmpDb = path.join(os.tmpdir(), `msoutlook-mcp-cookies-${Date.now()}.db`);
+    try {
+        fs.copyFileSync(dbPath, tmpDb);
+        for (const ext of ['-wal', '-shm']) {
+            const src = dbPath + ext;
+            if (fs.existsSync(src))
+                fs.copyFileSync(src, tmpDb + ext);
+        }
+        // Dynamic import so sql.js WASM loads lazily (only when cookie import runs)
+        const initSqlJs = (await import('sql.js')).default;
+        const SQL = await initSqlJs();
+        const fileBuffer = fs.readFileSync(tmpDb);
+        const db = new SQL.Database(fileBuffer);
+        const result = db.exec(`SELECT host_key, name, encrypted_value, path, expires_utc,
+              is_secure, is_httponly, samesite
+       FROM cookies
+       WHERE (${MICROSOFT_DOMAINS_SQL}) AND expires_utc > 0`);
+        db.close();
+        if (!result[0])
+            return [];
+        const { columns, values } = result[0];
+        const idx = (col) => columns.indexOf(col);
+        return values.map(row => ({
+            host_key: row[idx('host_key')],
+            name: row[idx('name')],
+            encrypted_value: Buffer.from(row[idx('encrypted_value')]),
+            path: row[idx('path')],
+            expires_utc: row[idx('expires_utc')],
+            is_secure: row[idx('is_secure')],
+            is_httponly: row[idx('is_httponly')],
+            samesite: row[idx('samesite')],
+        }));
+    }
+    catch (err) {
+        logger.debug('Failed to read cookies DB', err instanceof Error ? err.message : String(err));
+        return [];
+    }
+    finally {
+        for (const f of [tmpDb, `${tmpDb}-wal`, `${tmpDb}-shm`]) {
+            try {
+                fs.unlinkSync(f);
+            }
+            catch { /* ignore */ }
+        }
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// macOS key retrieval (Keychain AES-128-CBC)
+// ─────────────────────────────────────────────────────────────────────────────
+const macKeyCache = new Map();
+function getMacOSDecryptionKey(keychainService) {
+    if (macKeyCache.has(keychainService))
+        return macKeyCache.get(keychainService) ?? null;
+    try {
+        const password = execSync(`security find-generic-password -s "${keychainService}" -w`, { encoding: 'utf8', timeout: 5000 }).trim();
+        const key = crypto.pbkdf2Sync(password, 'saltysalt', 1003, 16, 'sha1');
+        macKeyCache.set(keychainService, key);
+        return key;
+    }
+    catch {
+        macKeyCache.set(keychainService, null);
+        return null;
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Linux key retrieval (libsecret → "peanuts" fallback, AES-128-CBC)
+// ─────────────────────────────────────────────────────────────────────────────
+const linuxKeyCache = new Map();
+function getLinuxDecryptionKey(keychainService) {
+    if (linuxKeyCache.has(keychainService))
+        return linuxKeyCache.get(keychainService);
+    let password = 'peanuts'; // fallback used when no keyring is available
+    // Try libsecret first (GNOME / systemd)
+    const appName = keychainService.toLowerCase().includes('edge') ? 'microsoft-edge' : 'chrome';
+    const secretToolAttempts = [
+        `secret-tool lookup xdg:schema chrome_libsecret_os_crypt_password_v2 application ${appName}`,
+        `secret-tool lookup xdg:schema chrome_libsecret_os_crypt_password_v1 application ${appName}`,
+        `secret-tool lookup service "${keychainService}" account "${appName}"`,
+    ];
+    for (const cmd of secretToolAttempts) {
+        try {
+            const result = execSync(cmd, { encoding: 'utf8', timeout: 3000 }).trim();
+            if (result) {
+                password = result;
+                break;
+            }
+        }
+        catch { /* continue */ }
+    }
+    // Linux uses 1 PBKDF2 iteration (vs 1003 on macOS)
+    const key = crypto.pbkdf2Sync(password, 'saltysalt', 1, 16, 'sha1');
+    linuxKeyCache.set(keychainService, key);
+    return key;
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Windows key retrieval (DPAPI via PowerShell + AES-256-GCM)
+// ─────────────────────────────────────────────────────────────────────────────
+let windowsAesKeyCache = null;
+function getWindowsDecryptionKey(dataDir) {
+    if (!windowsAesKeyCache)
+        windowsAesKeyCache = new Map();
+    if (windowsAesKeyCache.has(dataDir))
+        return windowsAesKeyCache.get(dataDir) ?? null;
+    try {
+        const localStatePath = path.join(dataDir, 'Local State');
+        if (!fs.existsSync(localStatePath))
+            return null;
+        const localState = JSON.parse(fs.readFileSync(localStatePath, 'utf8'));
+        const encryptedKeyB64 = localState.os_crypt?.encrypted_key;
+        if (!encryptedKeyB64)
+            return null;
+        // The key is base64-encoded; first 5 bytes are the literal ASCII "DPAPI" prefix
+        const encryptedKeyBytes = Buffer.from(encryptedKeyB64, 'base64');
+        const dpapiBlob = encryptedKeyBytes.subarray(5); // strip "DPAPI"
+        const dpapiB64 = dpapiBlob.toString('base64');
+        // Use PowerShell (always available on Windows 10+) to call CryptUnprotectData
+        const psScript = `Add-Type -AssemblyName System.Security; [System.Convert]::ToBase64String([System.Security.Cryptography.ProtectedData]::Unprotect([System.Convert]::FromBase64String('${dpapiB64}'), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser))`;
+        const decryptedB64 = execSync(`powershell -NoProfile -NonInteractive -Command "${psScript}"`, { encoding: 'utf8', timeout: 10_000 }).trim();
+        const key = Buffer.from(decryptedB64, 'base64');
+        windowsAesKeyCache.set(dataDir, key);
+        return key;
+    }
+    catch (err) {
+        logger.debug('Windows DPAPI key retrieval failed', err instanceof Error ? err.message : String(err));
+        windowsAesKeyCache.set(dataDir, null);
+        return null;
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Cookie decryption (platform-aware)
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Strip the 32-byte SHA256(host_key) domain-hash prefix that Chrome/Edge v24+
+ * (2024) prepend to the plaintext before encryption. Older cookies have no
+ * prefix, so we only strip when the first 32 bytes actually match the hash.
+ */
+function stripDomainHashPrefix(plaintext, hostKey) {
+    if (plaintext.length < 32)
+        return plaintext;
+    const domainHash = crypto.createHash('sha256').update(hostKey).digest();
+    return plaintext.subarray(0, 32).equals(domainHash) ? plaintext.subarray(32) : plaintext;
+}
+function decryptCookieValue(encryptedValue, platform, key, hostKey) {
+    if (encryptedValue.length < 4)
+        return null;
+    const prefix = encryptedValue.subarray(0, 3).toString('ascii');
+    // App-Bound Encryption (Chrome 127+ on Windows) — cannot decrypt externally
+    if (encryptedValue.subarray(0, 4).toString('ascii') === 'APPB') {
+        return null;
+    }
+    if (prefix !== 'v10' && prefix !== 'v11') {
+        // Unencrypted plain-text value (legacy)
+        return encryptedValue.toString('utf8').replace(/\0/g, '');
+    }
+    try {
+        let plaintext;
+        if (platform === 'win32') {
+            // Windows: AES-256-GCM
+            // Layout: v10 (3 bytes) | nonce (12 bytes) | ciphertext | tag (16 bytes)
+            // Minimum valid length = 3 + 12 + 16 = 31 bytes
+            if (encryptedValue.length < 31)
+                return null;
+            const nonce = encryptedValue.subarray(3, 15);
+            const ciphertextWithTag = encryptedValue.subarray(15);
+            const tag = ciphertextWithTag.subarray(-16);
+            const ciphertext = ciphertextWithTag.subarray(0, -16);
+            const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);
+            decipher.setAuthTag(tag);
+            plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+        }
+        else {
+            // macOS / Linux: AES-128-CBC
+            // Layout: v10/v11 (3 bytes) | ciphertext (rest)
+            const ciphertext = encryptedValue.subarray(3);
+            const iv = Buffer.alloc(16, 0x20); // 16 space characters
+            const decipher = crypto.createDecipheriv('aes-128-cbc', key, iv);
+            decipher.setAutoPadding(true);
+            plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+        }
+        // Strip the v24+ domain-hash prefix if present, then decode.
+        return stripDomainHashPrefix(plaintext, hostKey).toString('utf8');
+    }
+    catch {
+        return null;
+    }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Cookie conversion helpers
+// ─────────────────────────────────────────────────────────────────────────────
+function chromeEpochToUnix(ts) {
+    return Math.floor(ts / 1_000_000) - 11644473600;
+}
+function sameSiteLabel(v) {
+    if (v === 2)
+        return 'Strict';
+    if (v === 1)
+        return 'Lax';
+    return 'None';
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Main export
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Import Microsoft SSO cookies from the user's real browser into the Playwright
+ * context. Enables instant silent authentication — OWA recognises the session
+ * and skips the login page entirely.
+ *
+ * @param context - Playwright browser context to inject cookies into
+ * @param channel - Browser channel in use: 'chrome', 'msedge', or undefined
+ */
+export async function importMicrosoftCookies(context, channel) {
+    // Opt-out: users who'd rather sign in once manually (and avoid the one-time
+    // Keychain/keyring prompt) can set this. The persistent profile then
+    // remembers the session for all future logins.
+    if (process.env.MSOUTLOOK_SKIP_COOKIE_IMPORT === 'true') {
+        logger.debug('Cookie import skipped (MSOUTLOOK_SKIP_COOKIE_IMPORT=true)');
+        return;
+    }
+    const platform = process.platform;
+    const configs = getBrowserConfigs();
+    const browserKey = channel === 'msedge' ? 'msedge' : 'chrome';
+    const config = configs[browserKey];
+    if (!config)
+        return;
+    if (!fs.existsSync(config.dataDir)) {
+        logger.debug(`${config.label} data dir not found — skipping cookie import`);
+        return;
+    }
+    const profile = selectProfile(config.dataDir, config.profileEnvVar);
+    if (!profile) {
+        logger.debug(`No ${config.label} profile found — skipping cookie import`);
+        return;
+    }
+    const dbPath = getCookiesDbPath(config.dataDir, profile);
+    if (!dbPath) {
+        logger.debug(`No ${config.label} cookies database found — skipping cookie import`);
+        return;
+    }
+    // Retrieve platform-specific decryption key
+    let decryptionKey = null;
+    if (platform === 'darwin') {
+        decryptionKey = getMacOSDecryptionKey(config.keychainService);
+    }
+    else if (platform === 'linux') {
+        decryptionKey = getLinuxDecryptionKey(config.keychainService ?? config.label);
+    }
+    else if (platform === 'win32') {
+        decryptionKey = getWindowsDecryptionKey(config.dataDir);
+    }
+    if (!decryptionKey) {
+        logger.debug(`Could not retrieve ${config.label} decryption key — skipping cookie import`);
+        return;
+    }
+    const rawCookies = await readCookiesFromDb(dbPath);
+    if (rawCookies.length === 0) {
+        logger.debug(`No Microsoft cookies in ${config.label} profile`);
+        return;
+    }
+    const nowSec = Math.floor(Date.now() / 1000);
+    const playwrightCookies = rawCookies
+        .map(c => {
+        const value = decryptCookieValue(c.encrypted_value, platform, decryptionKey, c.host_key);
+        if (!value)
+            return null;
+        const expires = chromeEpochToUnix(c.expires_utc);
+        if (expires <= nowSec)
+            return null; // skip already-expired cookies
+        const secure = c.is_secure === 1;
+        let sameSite = sameSiteLabel(c.samesite);
+        // Chromium rejects SameSite=None cookies that are not Secure ("Invalid cookie fields").
+        // Downgrade those to Lax so the batch is always accepted.
+        if (sameSite === 'None' && !secure)
+            sameSite = 'Lax';
+        return {
+            name: c.name,
+            value,
+            domain: c.host_key, // raw host_key, as Chrome stores it (matches msteams-mcp)
+            path: c.path || '/',
+            expires,
+            secure,
+            httpOnly: c.is_httponly === 1,
+            sameSite,
+        };
+    })
+        .filter((c) => c !== null);
+    if (playwrightCookies.length === 0) {
+        logger.debug(`No valid ${config.label} cookies to import (decryption failed or all expired)`);
+        return;
+    }
+    // Try the whole batch first (fast path). If Playwright rejects it because a
+    // single cookie has invalid fields, fall back to adding them one at a time so
+    // one bad cookie can't block the rest.
+    try {
+        await context.addCookies(playwrightCookies);
+        logger.info(`Imported ${playwrightCookies.length} Microsoft SSO cookies from ${config.label} (${platform}) — browser will sign in automatically`);
+        return;
+    }
+    catch {
+        logger.debug('Batch cookie inject failed — retrying individually');
+    }
+    let imported = 0;
+    for (const cookie of playwrightCookies) {
+        try {
+            await context.addCookies([cookie]);
+            imported++;
+        }
+        catch { /* skip the offending cookie */ }
+    }
+    if (imported > 0) {
+        logger.info(`Imported ${imported}/${playwrightCookies.length} Microsoft SSO cookies from ${config.label} (${platform})`);
+    }
+    else {
+        logger.debug('Cookie injection failed for all cookies');
+    }
+}
+//# sourceMappingURL=cookie-import.js.map

package/dist/browser/cookie-import.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie-import.js","sourceRoot":"","sources":["../../src/browser/cookie-import.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE9C,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AA2B5C,gFAAgF;AAChF,+BAA+B;AAC/B,gFAAgF;AAEhF,SAAS,iBAAiB;IACxB,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;IAE1B,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,OAAO;YACL,MAAM,EAAE;gBACN,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,qBAAqB,EAAE,QAAQ,EAAE,QAAQ,CAAC;gBAC9E,eAAe,EAAE,qBAAqB;gBACtC,aAAa,EAAE,0BAA0B;aAC1C;YACD,MAAM,EAAE;gBACN,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,qBAAqB,EAAE,gBAAgB,CAAC;gBAC5E,eAAe,EAAE,6BAA6B;gBAC9C,aAAa,EAAE,wBAAwB;aACxC;SACF,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;QACrF,OAAO;YACL,MAAM,EAAE;gBACN,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,CAAC;gBACjE,aAAa,EAAE,0BAA0B;aAC1C;YACD,MAAM,EAAE;gBACN,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,CAAC;gBAClE,aAAa,EAAE,wBAAwB;aACxC;SACF,CAAC;IACJ,CAAC;IAED,QAAQ;IACR,OAAO;QACL,MAAM,EAAE;YACN,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC;YACpD,eAAe,EAAE,qBAAqB;YACtC,aAAa,EAAE,0BAA0B;SAC1C;QACD,MAAM,EAAE;YACN,KAAK,EAAE,MAAM;YACb,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,gBAAgB,CAAC;YACrD,eAAe,EAAE,6BAA6B;YAC9C,aAAa,EAAE,wBAAwB;SACxC;KACF,CAAC;AACJ,CAAC;AAED,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF,SAAS,aAAa,CAAC,OAAe,EAAE,MAAc;IACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrC,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,sEAAsE;IACtE,iEAAiE;IACjE,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAClD,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAC3D,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC,EAAE,CAAC;QACrD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,sCAAsC;IACtC,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IACzD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,cAAc,EAAE,MAAM,CAAC,CAE/D,CAAC;QACF,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,EAAE,UAAU,IAAI,EAAE,CAAC;QAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,SAAS,gBAAgB,CAAC,OAAe,EAAE,OAAe;IACxD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACzC,+DAA+D;IAC/D,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IACtD,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,OAAO,CAAC;IAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IAC3C,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,OAAO,CAAC;IAC3C,OAAO,IAAI,CAAC;AACd,CAAC;AAED,gFAAgF;AAChF,yDAAyD;AACzD,gFAAgF;AAEhF,MAAM,qBAAqB,GAAG;IAC5B,mBAAmB;IACnB,kBAAkB;IAClB,uBAAuB;IACvB,iBAAiB;IACjB,cAAc;IACd,iBAAiB;IACjB,eAAe;CAChB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAEhD,KAAK,UAAU,iBAAiB,CAAC,MAAc;IAC7C,iEAAiE;IACjE,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,yBAAyB,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC/E,IAAI,CAAC;QACH,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC/B,KAAK,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC;YACnC,MAAM,GAAG,GAAG,MAAM,GAAG,GAAG,CAAC;YACzB,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,EAAE,CAAC,YAAY,CAAC,GAAG,EAAE,KAAK,GAAG,GAAG,CAAC,CAAC;QAC5D,CAAC;QAED,4EAA4E;QAC5E,MAAM,SAAS,GAAG,CAAC,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;QACnD,MAAM,GAAG,GAAG,MAAM,SAAS,EAAE,CAAC;QAC9B,MAAM,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAExC,MAAM,MAAM,GAAG,EAAE,CAAC,IAAI,CACpB;;;gBAGU,qBAAqB,uBAAuB,CACvD,CAAC;QACF,EAAE,CAAC,KAAK,EAAE,CAAC;QAEX,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;YAAE,OAAO,EAAE,CAAC;QAE1B,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,GAAG,GAAG,CAAC,GAAW,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAElD,OAAQ,MAAsB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACzC,QAAQ,EAAE,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,CAAW;YACxC,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAW;YAChC,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAe,CAAC;YACvE,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAW;YAChC,WAAW,EAAE,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAW;YAC9C,SAAS,EAAE,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAW;YAC1C,WAAW,EAAE,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAW;YAC9C,QAAQ,EAAE,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,CAAW;SACzC,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5F,OAAO,EAAE,CAAC;IACZ,CAAC;YAAS,CAAC;QACT,KAAK,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,KAAK,MAAM,EAAE,GAAG,KAAK,MAAM,CAAC,EAAE,CAAC;YACxD,IAAI,CAAC;gBAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,6CAA6C;AAC7C,gFAAgF;AAEhF,MAAM,WAAW,GAAG,IAAI,GAAG,EAAyB,CAAC;AAErD,SAAS,qBAAqB,CAAC,eAAuB;IACpD,IAAI,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC;QAAE,OAAO,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,IAAI,CAAC;IACtF,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,QAAQ,CACvB,sCAAsC,eAAe,MAAM,EAC3D,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CACpC,CAAC,IAAI,EAAE,CAAC;QACT,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;QACvE,WAAW,CAAC,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;QACtC,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,WAAW,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;QACvC,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,oEAAoE;AACpE,gFAAgF;AAEhF,MAAM,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC;AAEhD,SAAS,qBAAqB,CAAC,eAAuB;IACpD,IAAI,aAAa,CAAC,GAAG,CAAC,eAAe,CAAC;QAAE,OAAO,aAAa,CAAC,GAAG,CAAC,eAAe,CAAE,CAAC;IAEnF,IAAI,QAAQ,GAAG,SAAS,CAAC,CAAC,6CAA6C;IAEvE,wCAAwC;IACxC,MAAM,OAAO,GAAG,eAAe,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC;IAC7F,MAAM,kBAAkB,GAAG;QACzB,mFAAmF,OAAO,EAAE;QAC5F,mFAAmF,OAAO,EAAE;QAC5F,+BAA+B,eAAe,cAAc,OAAO,GAAG;KACvE,CAAC;IACF,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACzE,IAAI,MAAM,EAAE,CAAC;gBAAC,QAAQ,GAAG,MAAM,CAAC;gBAAC,MAAM;YAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC,CAAC,cAAc,CAAC,CAAC;IAC5B,CAAC;IAED,mDAAmD;IACnD,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;IACpE,aAAa,CAAC,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;IACxC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,gFAAgF;AAChF,6DAA6D;AAC7D,gFAAgF;AAEhF,IAAI,kBAAkB,GAAsC,IAAI,CAAC;AAEjE,SAAS,uBAAuB,CAAC,OAAe;IAC9C,IAAI,CAAC,kBAAkB;QAAE,kBAAkB,GAAG,IAAI,GAAG,EAAE,CAAC;IACxD,IAAI,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC;QAAE,OAAO,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC;IAEpF,IAAI,CAAC;QACH,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QACzD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC;YAAE,OAAO,IAAI,CAAC;QAEhD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,cAAc,EAAE,MAAM,CAAC,CAEpE,CAAC;QACF,MAAM,eAAe,GAAG,UAAU,CAAC,QAAQ,EAAE,aAAa,CAAC;QAC3D,IAAI,CAAC,eAAe;YAAE,OAAO,IAAI,CAAC;QAElC,gFAAgF;QAChF,MAAM,iBAAiB,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QACjE,MAAM,SAAS,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB;QACjE,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAE9C,8EAA8E;QAC9E,MAAM,QAAQ,GAAG,wKAAwK,QAAQ,8EAA8E,CAAC;QAChR,MAAM,YAAY,GAAG,QAAQ,CAC3B,mDAAmD,QAAQ,GAAG,EAC9D,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CACtC,CAAC,IAAI,EAAE,CAAC;QAET,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;QAChD,kBAAkB,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACrC,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,oCAAoC,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACrG,kBAAkB,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,qCAAqC;AACrC,gFAAgF;AAEhF;;;;GAIG;AACH,SAAS,qBAAqB,CAAC,SAAiB,EAAE,OAAe;IAC/D,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,SAAS,CAAC;IAC5C,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;IACxE,OAAO,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3F,CAAC;AAED,SAAS,kBAAkB,CACzB,cAAsB,EACtB,QAAyB,EACzB,GAAW,EACX,OAAe;IAEf,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3C,MAAM,MAAM,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAE/D,4EAA4E;IAC5E,IAAI,cAAc,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,MAAM,EAAE,CAAC;QAC/D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACzC,wCAAwC;QACxC,OAAO,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,CAAC;QACH,IAAI,SAAiB,CAAC;QACtB,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YACzB,uBAAuB;YACvB,yEAAyE;YACzE,gDAAgD;YAChD,IAAI,cAAc,CAAC,MAAM,GAAG,EAAE;gBAAE,OAAO,IAAI,CAAC;YAC5C,MAAM,KAAK,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC7C,MAAM,iBAAiB,GAAG,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YACtD,MAAM,GAAG,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC;YAC5C,MAAM,UAAU,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;YAEtD,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YACpE,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;YACzB,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC7E,CAAC;aAAM,CAAC;YACN,6BAA6B;YAC7B,gDAAgD;YAChD,MAAM,UAAU,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;YAC9C,MAAM,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC,CAAC,sBAAsB;YACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;YACjE,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;YAC9B,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC7E,CAAC;QAED,6DAA6D;QAC7D,OAAO,qBAAqB,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACpE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,4BAA4B;AAC5B,gFAAgF;AAEhF,SAAS,iBAAiB,CAAC,EAAU;IACnC,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,SAAS,CAAC,GAAG,WAAW,CAAC;AAClD,CAAC;AAED,SAAS,aAAa,CAAC,CAAS;IAC9B,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC7B,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gFAAgF;AAChF,cAAc;AACd,gFAAgF;AAEhF;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,OAAuB,EACvB,OAA2B;IAE3B,4EAA4E;IAC5E,qEAAqE;IACrE,+CAA+C;IAC/C,IAAI,OAAO,CAAC,GAAG,CAAC,4BAA4B,KAAK,MAAM,EAAE,CAAC;QACxD,MAAM,CAAC,KAAK,CAAC,2DAA2D,CAAC,CAAC;QAC1E,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAElC,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;IACpC,MAAM,UAAU,GAAG,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;IAC9D,MAAM,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO;IAEpB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QACnC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC,KAAK,8CAA8C,CAAC,CAAC;QAC5E,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IACpE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,MAAM,MAAM,CAAC,KAAK,yCAAyC,CAAC,CAAC;QAC1E,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACzD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,KAAK,CAAC,MAAM,MAAM,CAAC,KAAK,kDAAkD,CAAC,CAAC;QACnF,OAAO;IACT,CAAC;IAED,4CAA4C;IAC5C,IAAI,aAAa,GAAkB,IAAI,CAAC;IACxC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,aAAa,GAAG,qBAAqB,CAAC,MAAM,CAAC,eAAgB,CAAC,CAAC;IACjE,CAAC;SAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,aAAa,GAAG,qBAAqB,CAAC,MAAM,CAAC,eAAe,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC;IAChF,CAAC;SAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QAChC,aAAa,GAAG,uBAAuB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,CAAC,KAAK,CAAC,sBAAsB,MAAM,CAAC,KAAK,0CAA0C,CAAC,CAAC;QAC3F,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACnD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,CAAC,KAAK,CAAC,2BAA2B,MAAM,CAAC,KAAK,UAAU,CAAC,CAAC;QAChE,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAE7C,MAAM,iBAAiB,GAAG,UAAU;SACjC,GAAG,CAAC,CAAC,CAAC,EAAE;QACP,MAAM,KAAK,GAAG,kBAAkB,CAAC,CAAC,CAAC,eAAe,EAAE,QAAQ,EAAE,aAAc,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC1F,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,OAAO,GAAG,iBAAiB,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QACjD,IAAI,OAAO,IAAI,MAAM;YAAE,OAAO,IAAI,CAAC,CAAC,+BAA+B;QAEnE,MAAM,MAAM,GAAG,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC;QACjC,IAAI,QAAQ,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACzC,wFAAwF;QACxF,0DAA0D;QAC1D,IAAI,QAAQ,KAAK,MAAM,IAAI,CAAC,MAAM;YAAE,QAAQ,GAAG,KAAK,CAAC;QAErD,OAAO;YACL,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,KAAK;YACL,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,0DAA0D;YAC9E,IAAI,EAAE,CAAC,CAAC,IAAI,IAAI,GAAG;YACnB,OAAO;YACP,MAAM;YACN,QAAQ,EAAE,CAAC,CAAC,WAAW,KAAK,CAAC;YAC7B,QAAQ;SACT,CAAC;IACJ,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAA8B,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;IAEzD,IAAI,iBAAiB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,MAAM,CAAC,KAAK,CAAC,YAAY,MAAM,CAAC,KAAK,uDAAuD,CAAC,CAAC;QAC9F,OAAO;IACT,CAAC;IAED,4EAA4E;IAC5E,8EAA8E;IAC9E,uCAAuC;IACvC,IAAI,CAAC;QACH,MAAM,OAAO,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,YAAY,iBAAiB,CAAC,MAAM,+BAA+B,MAAM,CAAC,KAAK,KAAK,QAAQ,wCAAwC,CAAC,CAAC;QAClJ,OAAO;IACT,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACrE,CAAC;IAED,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,KAAK,MAAM,MAAM,IAAI,iBAAiB,EAAE,CAAC;QACvC,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;YACnC,QAAQ,EAAE,CAAC;QACb,CAAC;QAAC,MAAM,CAAC,CAAC,+BAA+B,CAAC,CAAC;IAC7C,CAAC;IAED,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;QACjB,MAAM,CAAC,IAAI,CAAC,YAAY,QAAQ,IAAI,iBAAiB,CAAC,MAAM,+BAA+B,MAAM,CAAC,KAAK,KAAK,QAAQ,GAAG,CAAC,CAAC;IAC3H,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC1D,CAAC;AACH,CAAC"}