nitrostack 1.0.0

package/dist/auth/api-key.js

@@ -0,0 +1,168 @@
+import crypto from 'crypto';
+/**
+ * Create API Key authentication middleware
+ *
+ * @example
+ * ```typescript
+ * const server = createServer({...});
+ *
+ * // Simple API key auth
+ * server.app.use('/mcp', createAPIKeyAuth({
+ *   keys: [
+ *     process.env.API_KEY_1!,
+ *     process.env.API_KEY_2!,
+ *   ],
+ *   headerName: 'X-API-Key',
+ * }));
+ *
+ * server.start();
+ *
+ * // Client usage:
+ * // curl -H "X-API-Key: your-api-key" https://mcp.example.com/mcp/tools
+ * ```
+ */
+export function createAPIKeyAuth(config) {
+    const headerName = config.headerName || 'x-api-key';
+    const queryParamName = config.queryParamName || 'api_key';
+    // Validate config
+    if (!config.keys || config.keys.length === 0) {
+        throw new Error('API key auth requires at least one key');
+    }
+    return async (req, res, next) => {
+        try {
+            // 1. Extract API key from header or query
+            let apiKey;
+            // Try header first (recommended)
+            apiKey = req.headers[headerName.toLowerCase()];
+            // Try query parameter (if allowed)
+            if (!apiKey && config.allowQueryParam) {
+                apiKey = req.query[queryParamName];
+            }
+            if (!apiKey) {
+                return res.status(401).json({
+                    error: 'unauthorized',
+                    message: `Missing API key. Provide in ${headerName} header${config.allowQueryParam ? ` or ${queryParamName} query parameter` : ''}`,
+                });
+            }
+            // 2. Validate API key
+            let isValid = false;
+            if (config.hashed) {
+                // Compare hashed values
+                const hashedKey = hashAPIKey(apiKey);
+                isValid = config.keys.includes(hashedKey);
+            }
+            else {
+                // Direct comparison
+                isValid = config.keys.includes(apiKey);
+            }
+            // 3. Custom validation
+            if (config.customValidation) {
+                const customValid = await config.customValidation(apiKey);
+                isValid = isValid && customValid;
+            }
+            if (!isValid) {
+                return res.status(401).json({
+                    error: 'unauthorized',
+                    message: 'Invalid API key',
+                });
+            }
+            // 4. Attach to request
+            req.auth = {
+                authenticated: true,
+                tokenInfo: {
+                    active: true,
+                },
+                scopes: ['*'], // API keys typically have full access
+                clientId: `apikey_${hashAPIKey(apiKey).substring(0, 8)}`,
+                subject: undefined,
+            };
+            next();
+        }
+        catch (error) {
+            return res.status(500).json({
+                error: 'server_error',
+                message: 'API key validation failed',
+            });
+        }
+    };
+}
+/**
+ * Generate a secure API key
+ *
+ * @example
+ * ```typescript
+ * const apiKey = generateAPIKey();
+ * console.log('API Key:', apiKey);
+ * // Save to .env: API_KEY_1=sk_...
+ * ```
+ */
+export function generateAPIKey(prefix = 'sk') {
+    const randomBytes = crypto.randomBytes(32);
+    const key = randomBytes.toString('base64url');
+    return `${prefix}_${key}`;
+}
+/**
+ * Hash an API key (SHA-256)
+ * Use this to store hashed keys instead of plain text
+ *
+ * @example
+ * ```typescript
+ * const apiKey = 'sk_abc123...';
+ * const hashed = hashAPIKey(apiKey);
+ * // Store hashed in database
+ *
+ * // In config:
+ * createAPIKeyAuth({
+ *   keys: [hashed],
+ *   hashed: true,
+ * });
+ * ```
+ */
+export function hashAPIKey(key) {
+    return crypto.createHash('sha256').update(key).digest('hex');
+}
+/**
+ * Validate API key format
+ */
+export function isValidAPIKeyFormat(key, prefix) {
+    if (prefix) {
+        return key.startsWith(`${prefix}_`) && key.length > prefix.length + 10;
+    }
+    return key.length >= 32;
+}
+export function generateAPIKeyWithMetadata(options) {
+    const key = generateAPIKey(options.prefix);
+    const hashed = hashAPIKey(key);
+    const createdAt = new Date();
+    let expiresAt;
+    if (options.expiresIn) {
+        expiresAt = new Date();
+        expiresAt.setDate(expiresAt.getDate() + options.expiresIn);
+    }
+    return {
+        key,
+        hashed,
+        name: options.name,
+        createdAt,
+        expiresAt,
+        scopes: options.scopes,
+    };
+}
+/**
+ * Validate API key with metadata (expiration, scopes)
+ */
+export function validateAPIKeyWithMetadata(key, metadata, requiredScopes) {
+    // Check expiration
+    if (metadata.expiresAt && new Date() > metadata.expiresAt) {
+        return { valid: false, reason: 'API key has expired' };
+    }
+    // Check scopes
+    if (requiredScopes && metadata.scopes) {
+        const hasAllScopes = requiredScopes.every(scope => metadata.scopes.includes(scope) || metadata.scopes.includes('*'));
+        if (!hasAllScopes) {
+            return { valid: false, reason: 'API key does not have required scopes' };
+        }
+    }
+    return { valid: true };
+}
+//# sourceMappingURL=api-key.js.map

package/dist/auth/api-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-key.js","sourceRoot":"","sources":["../../src/auth/api-key.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AA8C5B;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAoB;IACnD,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,WAAW,CAAC;IACpD,MAAM,cAAc,GAAG,MAAM,CAAC,cAAc,IAAI,SAAS,CAAC;IAE1D,kBAAkB;IAClB,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,CAAC;IAED,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC/D,IAAI,CAAC;YACH,0CAA0C;YAC1C,IAAI,MAA0B,CAAC;YAE/B,iCAAiC;YACjC,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,WAAW,EAAE,CAAW,CAAC;YAEzD,mCAAmC;YACnC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;gBACtC,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,cAAc,CAAW,CAAC;YAC/C,CAAC;YAED,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,cAAc;oBACrB,OAAO,EAAE,+BAA+B,UAAU,UAChD,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,OAAO,cAAc,kBAAkB,CAAC,CAAC,CAAC,EACrE,EAAE;iBACH,CAAC,CAAC;YACL,CAAC;YAED,sBAAsB;YACtB,IAAI,OAAO,GAAG,KAAK,CAAC;YAEpB,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClB,wBAAwB;gBACxB,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;gBACrC,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAC5C,CAAC;iBAAM,CAAC;gBACN,oBAAoB;gBACpB,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACzC,CAAC;YAED,uBAAuB;YACvB,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;gBAC5B,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;gBAC1D,OAAO,GAAG,OAAO,IAAI,WAAW,CAAC;YACnC,CAAC;YAED,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,KAAK,EAAE,cAAc;oBACrB,OAAO,EAAE,iBAAiB;iBAC3B,CAAC,CAAC;YACL,CAAC;YAED,uBAAuB;YACvB,GAAG,CAAC,IAAI,GAAG;gBACT,aAAa,EAAE,IAAI;gBACnB,SAAS,EAAE;oBACT,MAAM,EAAE,IAAI;iBACb;gBACD,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,sCAAsC;gBACrD,QAAQ,EAAE,UAAU,UAAU,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;gBACxD,OAAO,EAAE,SAAS;aACnB,CAAC;YAEF,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,2BAA2B;aACrC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB,IAAI;IAClD,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC9C,OAAO,GAAG,MAAM,IAAI,GAAG,EAAE,CAAC;AAC5B,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC/D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAW,EAAE,MAAe;IAC9D,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,GAAG,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,GAAG,EAAE,CAAC;IACzE,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;AAC1B,CAAC;AAcD,MAAM,UAAU,0BAA0B,CAAC,OAK1C;IACC,MAAM,GAAG,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAC/B,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAE7B,IAAI,SAA2B,CAAC;IAChC,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IAC7D,CAAC;IAED,OAAO;QACL,GAAG;QACH,MAAM;QACN,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,SAAS;QACT,SAAS;QACT,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,0BAA0B,CACxC,GAAW,EACX,QAAyC,EACzC,cAAyB;IAEzB,mBAAmB;IACnB,IAAI,QAAQ,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,GAAG,QAAQ,CAAC,SAAS,EAAE,CAAC;QAC1D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;IACzD,CAAC;IAED,eAAe;IACf,IAAI,cAAc,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;QACtC,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAChD,QAAQ,CAAC,MAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,QAAQ,CAAC,MAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CACnE,CAAC;QACF,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,uCAAuC,EAAE,CAAC;QAC3E,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC"}

package/dist/auth/client.d.ts

@@ -0,0 +1,151 @@
+import { ProtectedResourceMetadata, AuthorizationServerMetadata, ClientRegistrationRequest, ClientRegistrationResponse, TokenResponse, McpAuthClientConfig } from './types.js';
+import { PKCEParams } from './pkce.js';
+/**
+ * OAuth 2.1 Client for MCP
+ *
+ * Handles:
+ * - Protected Resource Metadata discovery (RFC 9728)
+ * - Authorization Server Metadata discovery (RFC 8414)
+ * - Dynamic Client Registration (RFC 7591)
+ * - Authorization Code Flow with PKCE (OAuth 2.1)
+ * - Token refresh and revocation
+ */
+export declare class OAuth2Client {
+    private config;
+    constructor(config: McpAuthClientConfig);
+    /**
+     * Discover Protected Resource Metadata (RFC 9728)
+     *
+     * Tries:
+     * 1. WWW-Authenticate header from 401 response
+     * 2. Well-known URI at resource path
+     * 3. Well-known URI at root
+     *
+     * @param resourceUrl - URL of the MCP server
+     */
+    discoverProtectedResourceMetadata(resourceUrl: string): Promise<ProtectedResourceMetadata>;
+    /**
+     * Discover Authorization Server Metadata (RFC 8414)
+     *
+     * Supports both:
+     * - OAuth 2.0 Authorization Server Metadata (RFC 8414)
+     * - OpenID Connect Discovery 1.0
+     *
+     * @param issuer - Authorization server issuer URL
+     */
+    discoverAuthorizationServerMetadata(issuer: string): Promise<AuthorizationServerMetadata>;
+    /**
+     * Register client dynamically (RFC 7591)
+     *
+     * @param registrationEndpoint - Client registration endpoint
+     * @param metadata - Client metadata
+     */
+    registerClient(registrationEndpoint: string, metadata: ClientRegistrationRequest): Promise<ClientRegistrationResponse>;
+    /**
+     * Start authorization flow
+     *
+     * Generates authorization URL with PKCE parameters
+     *
+     * @param authzEndpoint - Authorization endpoint
+     * @param clientId - OAuth client ID
+     * @param redirectUri - Redirect URI
+     * @param scope - Requested scopes
+     * @param resource - Resource indicator (RFC 8707)
+     * @returns Authorization URL and PKCE parameters (store for token exchange)
+     */
+    startAuthorizationFlow(options: {
+        authorizationEndpoint: string;
+        clientId: string;
+        redirectUri: string;
+        scope?: string;
+        resource?: string;
+        state?: string;
+    }): Promise<{
+        authUrl: string;
+        state: string;
+        pkce: PKCEParams;
+    }>;
+    /**
+     * Exchange authorization code for access token
+     *
+     * @param code - Authorization code from callback
+     * @param pkce - PKCE parameters from startAuthorizationFlow
+     * @param tokenEndpoint - Token endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret (for confidential clients)
+     * @param redirectUri - Redirect URI (must match authorization request)
+     * @param resource - Resource indicator (RFC 8707)
+     */
+    exchangeCodeForToken(options: {
+        code: string;
+        pkce: PKCEParams;
+        tokenEndpoint: string;
+        clientId: string;
+        clientSecret?: string;
+        redirectUri: string;
+        resource?: string;
+    }): Promise<TokenResponse>;
+    /**
+     * Refresh access token
+     *
+     * @param refreshToken - Refresh token
+     * @param tokenEndpoint - Token endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @param scope - Optional: request different scopes
+     * @param resource - Resource indicator (RFC 8707)
+     */
+    refreshToken(options: {
+        refreshToken: string;
+        tokenEndpoint: string;
+        clientId: string;
+        clientSecret?: string;
+        scope?: string;
+        resource?: string;
+    }): Promise<TokenResponse>;
+    /**
+     * Get client credentials token (for server-to-server)
+     *
+     * @param tokenEndpoint - Token endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @param scope - Requested scopes
+     * @param resource - Resource indicator (RFC 8707)
+     */
+    getClientCredentialsToken(options: {
+        tokenEndpoint: string;
+        clientId: string;
+        clientSecret: string;
+        scope?: string;
+        resource?: string;
+    }): Promise<TokenResponse>;
+    /**
+     * Revoke token (access or refresh)
+     *
+     * @param token - Token to revoke
+     * @param revocationEndpoint - Revocation endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @param tokenTypeHint - 'access_token' or 'refresh_token'
+     */
+    revokeToken(options: {
+        token: string;
+        revocationEndpoint: string;
+        clientId: string;
+        clientSecret?: string;
+        tokenTypeHint?: 'access_token' | 'refresh_token';
+    }): Promise<void>;
+    /**
+     * Make token request
+     */
+    private tokenRequest;
+    /**
+     * Fetch metadata from URL
+     */
+    private fetchMetadata;
+    /**
+     * Generate random state for CSRF protection
+     */
+    private generateState;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/auth/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/auth/client.ts"],"names":[],"mappings":"AACA,OAAO,EACL,yBAAyB,EACzB,2BAA2B,EAC3B,yBAAyB,EACzB,0BAA0B,EAC1B,aAAa,EAIb,mBAAmB,EACpB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAsB,UAAU,EAAuB,MAAM,WAAW,CAAC;AAGhF;;;;;;;;;GASG;AAEH,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAsB;gBAExB,MAAM,EAAE,mBAAmB;IAIvC;;;;;;;;;OASG;IACG,iCAAiC,CACrC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,yBAAyB,CAAC;IAyCrC;;;;;;;;OAQG;IACG,mCAAmC,CACvC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,2BAA2B,CAAC;IAmDvC;;;;;OAKG;IACG,cAAc,CAClB,oBAAoB,EAAE,MAAM,EAC5B,QAAQ,EAAE,yBAAyB,GAClC,OAAO,CAAC,0BAA0B,CAAC;IAqBtC;;;;;;;;;;;OAWG;IACG,sBAAsB,CAAC,OAAO,EAAE;QACpC,qBAAqB,EAAE,MAAM,CAAC;QAC9B,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,GAAG,OAAO,CAAC;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,UAAU,CAAC;KAClB,CAAC;IA+BF;;;;;;;;;;OAUG;IACG,oBAAoB,CAAC,OAAO,EAAE;QAClC,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,UAAU,CAAC;QACjB,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,GAAG,OAAO,CAAC,aAAa,CAAC;IA6B1B;;;;;;;;;OASG;IACG,YAAY,CAAC,OAAO,EAAE;QAC1B,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,GAAG,OAAO,CAAC,aAAa,CAAC;IA8B1B;;;;;;;;OAQG;IACG,yBAAyB,CAAC,OAAO,EAAE;QACvC,aAAa,EAAE,MAAM,CAAC;QACtB,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,GAAG,OAAO,CAAC,aAAa,CAAC;IAyB1B;;;;;;;;OAQG;IACG,WAAW,CAAC,OAAO,EAAE;QACzB,KAAK,EAAE,MAAM,CAAC;QACd,kBAAkB,EAAE,MAAM,CAAC;QAC3B,QAAQ,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,aAAa,CAAC,EAAE,cAAc,GAAG,eAAe,CAAC;KAClD,GAAG,OAAO,CAAC,IAAI,CAAC;IAgCjB;;OAEG;YACW,YAAY;IAuB1B;;OAEG;YACW,aAAa;IAa3B;;OAEG;IACH,OAAO,CAAC,aAAa;CAGtB"}

package/dist/auth/client.js

@@ -0,0 +1,330 @@
+import crypto from 'crypto';
+import { generatePKCEParams, validatePKCESupport } from './pkce.js';
+import { parseWWWAuthenticateHeader, getWellKnownMetadataUris } from './server-metadata.js';
+/**
+ * OAuth 2.1 Client for MCP
+ *
+ * Handles:
+ * - Protected Resource Metadata discovery (RFC 9728)
+ * - Authorization Server Metadata discovery (RFC 8414)
+ * - Dynamic Client Registration (RFC 7591)
+ * - Authorization Code Flow with PKCE (OAuth 2.1)
+ * - Token refresh and revocation
+ */
+export class OAuth2Client {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * Discover Protected Resource Metadata (RFC 9728)
+     *
+     * Tries:
+     * 1. WWW-Authenticate header from 401 response
+     * 2. Well-known URI at resource path
+     * 3. Well-known URI at root
+     *
+     * @param resourceUrl - URL of the MCP server
+     */
+    async discoverProtectedResourceMetadata(resourceUrl) {
+        // Step 1: Try making a request to get 401 with WWW-Authenticate header
+        try {
+            const response = await fetch(resourceUrl, {
+                method: 'GET',
+                headers: { Accept: 'application/json' },
+            });
+            if (response.status === 401) {
+                const wwwAuth = response.headers.get('WWW-Authenticate');
+                if (wwwAuth) {
+                    const parsed = parseWWWAuthenticateHeader(wwwAuth);
+                    if (parsed?.resourceMetadata) {
+                        // Found metadata URL in header
+                        return await this.fetchMetadata(parsed.resourceMetadata);
+                    }
+                }
+            }
+        }
+        catch (error) {
+            // Ignore errors, try well-known URIs
+        }
+        // Step 2: Try well-known URIs
+        const url = new URL(resourceUrl);
+        const wellKnownUris = getWellKnownMetadataUris(url);
+        for (const uri of wellKnownUris) {
+            try {
+                return await this.fetchMetadata(uri);
+            }
+            catch (error) {
+                // Try next URI
+                continue;
+            }
+        }
+        throw new Error(`Failed to discover protected resource metadata for ${resourceUrl}. ` +
+            'Server must implement RFC 9728 (Protected Resource Metadata).');
+    }
+    /**
+     * Discover Authorization Server Metadata (RFC 8414)
+     *
+     * Supports both:
+     * - OAuth 2.0 Authorization Server Metadata (RFC 8414)
+     * - OpenID Connect Discovery 1.0
+     *
+     * @param issuer - Authorization server issuer URL
+     */
+    async discoverAuthorizationServerMetadata(issuer) {
+        const issuerUrl = new URL(issuer);
+        const wellKnownUrls = [];
+        // For issuer URLs with path components
+        if (issuerUrl.pathname && issuerUrl.pathname !== '/') {
+            const path = issuerUrl.pathname;
+            // OAuth 2.0 with path insertion
+            wellKnownUrls.push(`${issuerUrl.origin}/.well-known/oauth-authorization-server${path}`);
+            // OpenID Connect with path insertion
+            wellKnownUrls.push(`${issuerUrl.origin}/.well-known/openid-configuration${path}`);
+            // OpenID Connect with path appending
+            wellKnownUrls.push(`${issuer}/.well-known/openid-configuration`);
+        }
+        else {
+            // For issuer URLs without path components
+            wellKnownUrls.push(`${issuerUrl.origin}/.well-known/oauth-authorization-server`);
+            wellKnownUrls.push(`${issuerUrl.origin}/.well-known/openid-configuration`);
+        }
+        // Try each URL
+        for (const url of wellKnownUrls) {
+            try {
+                const metadata = await this.fetchMetadata(url);
+                // Validate PKCE support (REQUIRED by OAuth 2.1)
+                if (!validatePKCESupport(metadata.code_challenge_methods_supported)) {
+                    throw new Error('Authorization server does not support PKCE (S256). ' +
+                        'OAuth 2.1 requires PKCE support. Cannot proceed.');
+                }
+                return metadata;
+            }
+            catch (error) {
+                // Try next URL
+                continue;
+            }
+        }
+        throw new Error(`Failed to discover authorization server metadata for ${issuer}. ` +
+            'Server must implement RFC 8414 or OpenID Connect Discovery.');
+    }
+    /**
+     * Register client dynamically (RFC 7591)
+     *
+     * @param registrationEndpoint - Client registration endpoint
+     * @param metadata - Client metadata
+     */
+    async registerClient(registrationEndpoint, metadata) {
+        const response = await fetch(registrationEndpoint, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Accept': 'application/json',
+            },
+            body: JSON.stringify(metadata),
+        });
+        if (!response.ok) {
+            const error = await response.json().catch(() => ({}));
+            throw new Error(`Client registration failed: ${response.status} - ${error.error_description || error.error || 'Unknown error'}`);
+        }
+        const result = await response.json();
+        return result;
+    }
+    /**
+     * Start authorization flow
+     *
+     * Generates authorization URL with PKCE parameters
+     *
+     * @param authzEndpoint - Authorization endpoint
+     * @param clientId - OAuth client ID
+     * @param redirectUri - Redirect URI
+     * @param scope - Requested scopes
+     * @param resource - Resource indicator (RFC 8707)
+     * @returns Authorization URL and PKCE parameters (store for token exchange)
+     */
+    async startAuthorizationFlow(options) {
+        // Generate PKCE parameters (S256 required by OAuth 2.1)
+        const pkce = generatePKCEParams('S256');
+        // Generate state for CSRF protection
+        const state = options.state || this.generateState();
+        // Build authorization URL
+        const params = new URLSearchParams({
+            response_type: 'code',
+            client_id: options.clientId,
+            redirect_uri: options.redirectUri,
+            state,
+            code_challenge: pkce.code_challenge,
+            code_challenge_method: pkce.code_challenge_method,
+        });
+        if (options.scope) {
+            params.append('scope', options.scope);
+        }
+        if (options.resource) {
+            // RFC 8707 - Resource Indicators
+            params.append('resource', options.resource);
+        }
+        const authUrl = `${options.authorizationEndpoint}?${params.toString()}`;
+        return { authUrl, state, pkce };
+    }
+    /**
+     * Exchange authorization code for access token
+     *
+     * @param code - Authorization code from callback
+     * @param pkce - PKCE parameters from startAuthorizationFlow
+     * @param tokenEndpoint - Token endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret (for confidential clients)
+     * @param redirectUri - Redirect URI (must match authorization request)
+     * @param resource - Resource indicator (RFC 8707)
+     */
+    async exchangeCodeForToken(options) {
+        const params = new URLSearchParams({
+            grant_type: 'authorization_code',
+            code: options.code,
+            redirect_uri: options.redirectUri,
+            client_id: options.clientId,
+            code_verifier: options.pkce.code_verifier,
+        });
+        if (options.resource) {
+            params.append('resource', options.resource);
+        }
+        const headers = {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Accept': 'application/json',
+        };
+        // Client authentication
+        if (options.clientSecret) {
+            const credentials = Buffer.from(`${options.clientId}:${options.clientSecret}`).toString('base64');
+            headers['Authorization'] = `Basic ${credentials}`;
+        }
+        return await this.tokenRequest(options.tokenEndpoint, params, headers);
+    }
+    /**
+     * Refresh access token
+     *
+     * @param refreshToken - Refresh token
+     * @param tokenEndpoint - Token endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @param scope - Optional: request different scopes
+     * @param resource - Resource indicator (RFC 8707)
+     */
+    async refreshToken(options) {
+        const params = new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: options.refreshToken,
+            client_id: options.clientId,
+        });
+        if (options.scope) {
+            params.append('scope', options.scope);
+        }
+        if (options.resource) {
+            params.append('resource', options.resource);
+        }
+        const headers = {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Accept': 'application/json',
+        };
+        if (options.clientSecret) {
+            const credentials = Buffer.from(`${options.clientId}:${options.clientSecret}`).toString('base64');
+            headers['Authorization'] = `Basic ${credentials}`;
+        }
+        return await this.tokenRequest(options.tokenEndpoint, params, headers);
+    }
+    /**
+     * Get client credentials token (for server-to-server)
+     *
+     * @param tokenEndpoint - Token endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @param scope - Requested scopes
+     * @param resource - Resource indicator (RFC 8707)
+     */
+    async getClientCredentialsToken(options) {
+        const params = new URLSearchParams({
+            grant_type: 'client_credentials',
+            client_id: options.clientId,
+        });
+        if (options.scope) {
+            params.append('scope', options.scope);
+        }
+        if (options.resource) {
+            params.append('resource', options.resource);
+        }
+        const headers = {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Accept': 'application/json',
+            'Authorization': `Basic ${Buffer.from(`${options.clientId}:${options.clientSecret}`).toString('base64')}`,
+        };
+        return await this.tokenRequest(options.tokenEndpoint, params, headers);
+    }
+    /**
+     * Revoke token (access or refresh)
+     *
+     * @param token - Token to revoke
+     * @param revocationEndpoint - Revocation endpoint
+     * @param clientId - OAuth client ID
+     * @param clientSecret - OAuth client secret
+     * @param tokenTypeHint - 'access_token' or 'refresh_token'
+     */
+    async revokeToken(options) {
+        const params = new URLSearchParams({
+            token: options.token,
+            client_id: options.clientId,
+        });
+        if (options.tokenTypeHint) {
+            params.append('token_type_hint', options.tokenTypeHint);
+        }
+        const headers = {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        };
+        if (options.clientSecret) {
+            const credentials = Buffer.from(`${options.clientId}:${options.clientSecret}`).toString('base64');
+            headers['Authorization'] = `Basic ${credentials}`;
+        }
+        const response = await fetch(options.revocationEndpoint, {
+            method: 'POST',
+            headers,
+            body: params.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`Token revocation failed: ${response.status} ${response.statusText}`);
+        }
+    }
+    /**
+     * Make token request
+     */
+    async tokenRequest(endpoint, params, headers) {
+        const response = await fetch(endpoint, {
+            method: 'POST',
+            headers,
+            body: params.toString(),
+        });
+        const data = await response.json();
+        if (!response.ok) {
+            const error = data;
+            throw new Error(`Token request failed: ${error.error} - ${error.error_description || 'Unknown error'}`);
+        }
+        return data;
+    }
+    /**
+     * Fetch metadata from URL
+     */
+    async fetchMetadata(url) {
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: { Accept: 'application/json' },
+        });
+        if (!response.ok) {
+            throw new Error(`Failed to fetch metadata from ${url}: ${response.status}`);
+        }
+        return await response.json();
+    }
+    /**
+     * Generate random state for CSRF protection
+     */
+    generateState() {
+        return crypto.randomBytes(16).toString('hex');
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/auth/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/auth/client.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAY5B,OAAO,EAAE,kBAAkB,EAAc,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAChF,OAAO,EAAE,0BAA0B,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AAE5F;;;;;;;;;GASG;AAEH,MAAM,OAAO,YAAY;IACf,MAAM,CAAsB;IAEpC,YAAY,MAA2B;QACrC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,iCAAiC,CACrC,WAAmB;QAEnB,uEAAuE;QACvE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE;gBACxC,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;aACxC,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;gBACzD,IAAI,OAAO,EAAE,CAAC;oBACZ,MAAM,MAAM,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAC;oBACnD,IAAI,MAAM,EAAE,gBAAgB,EAAE,CAAC;wBAC7B,+BAA+B;wBAC/B,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;oBAC3D,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qCAAqC;QACvC,CAAC;QAED,8BAA8B;QAC9B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;QACjC,MAAM,aAAa,GAAG,wBAAwB,CAAC,GAAG,CAAC,CAAC;QAEpD,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC;gBACH,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;YACvC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,eAAe;gBACf,SAAS;YACX,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,sDAAsD,WAAW,IAAI;YACrE,+DAA+D,CAChE,CAAC;IACJ,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,mCAAmC,CACvC,MAAc;QAEd,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,aAAa,GAAa,EAAE,CAAC;QAEnC,uCAAuC;QACvC,IAAI,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;YACrD,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC;YAChC,gCAAgC;YAChC,aAAa,CAAC,IAAI,CAChB,GAAG,SAAS,CAAC,MAAM,0CAA0C,IAAI,EAAE,CACpE,CAAC;YACF,qCAAqC;YACrC,aAAa,CAAC,IAAI,CAChB,GAAG,SAAS,CAAC,MAAM,oCAAoC,IAAI,EAAE,CAC9D,CAAC;YACF,qCAAqC;YACrC,aAAa,CAAC,IAAI,CAAC,GAAG,MAAM,mCAAmC,CAAC,CAAC;QACnE,CAAC;aAAM,CAAC;YACN,0CAA0C;YAC1C,aAAa,CAAC,IAAI,CAChB,GAAG,SAAS,CAAC,MAAM,yCAAyC,CAC7D,CAAC;YACF,aAAa,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,MAAM,mCAAmC,CAAC,CAAC;QAC7E,CAAC;QAED,eAAe;QACf,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;gBAE/C,gDAAgD;gBAChD,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,gCAAgC,CAAC,EAAE,CAAC;oBACpE,MAAM,IAAI,KAAK,CACb,qDAAqD;wBACrD,kDAAkD,CACnD,CAAC;gBACJ,CAAC;gBAED,OAAO,QAAuC,CAAC;YACjD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,eAAe;gBACf,SAAS;YACX,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CACb,wDAAwD,MAAM,IAAI;YAClE,6DAA6D,CAC9D,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,cAAc,CAClB,oBAA4B,EAC5B,QAAmC;QAEnC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,oBAAoB,EAAE;YACjD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,QAAQ,EAAE,kBAAkB;aAC7B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;SAC/B,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,KAAK,GAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC3D,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,MAAM,KAAK,CAAC,iBAAiB,IAAI,KAAK,CAAC,KAAK,IAAI,eAAe,EAAE,CAChH,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAgC,CAAC;QACnE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,sBAAsB,CAAC,OAO5B;QAKC,wDAAwD;QACxD,MAAM,IAAI,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAExC,qCAAqC;QACrC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;QAEpD,0BAA0B;QAC1B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,aAAa,EAAE,MAAM;YACrB,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,YAAY,EAAE,OAAO,CAAC,WAAW;YACjC,KAAK;YACL,cAAc,EAAE,IAAI,CAAC,cAAc;YACnC,qBAAqB,EAAE,IAAI,CAAC,qBAAqB;SAClD,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxC,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,iCAAiC;YACjC,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,OAAO,GAAG,GAAG,OAAO,CAAC,qBAAqB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAExE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAClC,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,oBAAoB,CAAC,OAQ1B;QACC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,oBAAoB;YAChC,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,YAAY,EAAE,OAAO,CAAC,WAAW;YACjC,SAAS,EAAE,OAAO,CAAC,QAAQ;YAC3B,aAAa,EAAE,OAAO,CAAC,IAAI,CAAC,aAAa;SAC1C,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;YACnD,QAAQ,EAAE,kBAAkB;SAC7B,CAAC;QAEF,wBAAwB;QACxB,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAC7B,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAC9C,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACrB,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IACzE,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,YAAY,CAAC,OAOlB;QACC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,OAAO,CAAC,YAAY;YACnC,SAAS,EAAE,OAAO,CAAC,QAAQ;SAC5B,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxC,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;YACnD,QAAQ,EAAE,kBAAkB;SAC7B,CAAC;QAEF,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAC7B,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAC9C,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACrB,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IACzE,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,yBAAyB,CAAC,OAM/B;QACC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,OAAO,CAAC,QAAQ;SAC5B,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxC,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;YACnD,QAAQ,EAAE,kBAAkB;YAC5B,eAAe,EAAE,SAAS,MAAM,CAAC,IAAI,CACnC,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAC9C,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE;SACvB,CAAC;QAEF,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IACzE,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,WAAW,CAAC,OAMjB;QACC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,SAAS,EAAE,OAAO,CAAC,QAAQ;SAC5B,CAAC,CAAC;QAEH,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;YAC1B,MAAM,CAAC,MAAM,CAAC,iBAAiB,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAC7B,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAC9C,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACrB,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,kBAAkB,EAAE;YACvD,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,YAAY,CACxB,QAAgB,EAChB,MAAuB,EACvB,OAA+B;QAE/B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAEnC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,KAAK,GAAG,IAAmB,CAAC;YAClC,MAAM,IAAI,KAAK,CACb,yBAAyB,KAAK,CAAC,KAAK,MAAM,KAAK,CAAC,iBAAiB,IAAI,eAAe,EAAE,CACvF,CAAC;QACJ,CAAC;QAED,OAAO,IAAqB,CAAC;IAC/B,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,aAAa,CAAC,GAAW;QACrC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;SACxC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,KAAK,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC9E,CAAC;QAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAED;;OAEG;IACK,aAAa;QACnB,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;CACF"}