noodleseed-cli 0.1.4

package/node_modules/@noodle-borg/service/dist/oauth/store-postgres.js

@@ -0,0 +1,176 @@
+/**
+ * Relational {@link OAuthStore} for the self-hosted authorization server (OA-2,
+ * [ADR 0042](../../../../docs/decisions/0042-self-hosted-oauth-authorization-server.md)). Shares the injected
+ * `pg.Pool` with {@link PostgresArtifactStore} so the AS state lives in the same strongly-consistent store
+ * that backs deployments — any Cloud Run instance can complete a flow another started.
+ *
+ * Single-use semantics are enforced in SQL: `DELETE … RETURNING` (codes, pending auth, refresh tokens) is
+ * row-atomic, so two concurrent redemptions of the same value yield exactly one winner; the loser gets zero
+ * rows. Expired rows are still deleted on consume (and returned as `undefined`), which doubles as cleanup.
+ */
+export class PostgresOAuthStore {
+    #pool;
+    constructor(pool) {
+        this.#pool = pool;
+    }
+    /** Create the OAuth tables if absent (idempotent). Run once at startup before serving AS endpoints. */
+    async ensureSchema() {
+        await this.#pool.query(`
+      CREATE TABLE IF NOT EXISTS oauth_clients (
+        client_id  text PRIMARY KEY,
+        client     jsonb NOT NULL,
+        created_at timestamptz NOT NULL DEFAULT now()
+      )
+    `);
+        await this.#pool.query(`
+      CREATE TABLE IF NOT EXISTS oauth_pending_authorizations (
+        state          text PRIMARY KEY,
+        client_id      text NOT NULL,
+        redirect_uri   text NOT NULL,
+        code_challenge text NOT NULL,
+        client_state   text,
+        resource       text NOT NULL,
+        scope          text,
+        expires_at     timestamptz NOT NULL
+      )
+    `);
+        await this.#pool.query(`
+      CREATE TABLE IF NOT EXISTS oauth_authorization_codes (
+        code           text PRIMARY KEY,
+        client_id      text NOT NULL,
+        code_challenge text NOT NULL,
+        redirect_uri   text NOT NULL,
+        resource       text NOT NULL,
+        owner_subject  text NOT NULL,
+        owner_email    text,
+        scope          text,
+        expires_at     timestamptz NOT NULL
+      )
+    `);
+        await this.#pool.query(`
+      CREATE TABLE IF NOT EXISTS oauth_refresh_tokens (
+        token         text PRIMARY KEY,
+        client_id     text NOT NULL,
+        owner_subject text NOT NULL,
+        owner_email   text,
+        resource      text NOT NULL,
+        scope         text,
+        expires_at    timestamptz NOT NULL
+      )
+    `);
+    }
+    async getClient(clientId) {
+        const { rows } = await this.#pool.query('SELECT client FROM oauth_clients WHERE client_id = $1', [clientId]);
+        return rows[0]?.client;
+    }
+    async putClient(client) {
+        await this.#pool.query(`INSERT INTO oauth_clients (client_id, client) VALUES ($1, $2::jsonb)
+       ON CONFLICT (client_id) DO UPDATE SET client = EXCLUDED.client`, [client.client_id, JSON.stringify(client)]);
+        return client;
+    }
+    async createPendingAuthorization(record) {
+        await this.#pool.query(`INSERT INTO oauth_pending_authorizations
+         (state, client_id, redirect_uri, code_challenge, client_state, resource, scope, expires_at)
+       VALUES ($1, $2, $3, $4, $5, $6, $7, to_timestamp($8))`, [
+            record.state,
+            record.clientId,
+            record.redirectUri,
+            record.codeChallenge,
+            record.clientState ?? null,
+            record.resource,
+            record.scope ?? null,
+            record.expiresAt,
+        ]);
+    }
+    async consumePendingAuthorization(state) {
+        const { rows } = await this.#pool.query('DELETE FROM oauth_pending_authorizations WHERE state = $1 RETURNING *', [state]);
+        const row = rows[0];
+        if (!row || !live(row.expires_at))
+            return undefined;
+        return {
+            state: row.state,
+            clientId: row.client_id,
+            redirectUri: row.redirect_uri,
+            codeChallenge: row.code_challenge,
+            ...(row.client_state !== null ? { clientState: row.client_state } : {}),
+            resource: row.resource,
+            ...(row.scope !== null ? { scope: row.scope } : {}),
+            expiresAt: epochSeconds(row.expires_at),
+        };
+    }
+    async createAuthorizationCode(record) {
+        await this.#pool.query(`INSERT INTO oauth_authorization_codes
+         (code, client_id, code_challenge, redirect_uri, resource, owner_subject, owner_email, scope, expires_at)
+       VALUES ($1, $2, $3, $4, $5, $6, $7, $8, to_timestamp($9))`, [
+            record.code,
+            record.clientId,
+            record.codeChallenge,
+            record.redirectUri,
+            record.resource,
+            record.ownerSubject,
+            record.ownerEmail ?? null,
+            record.scope ?? null,
+            record.expiresAt,
+        ]);
+    }
+    async getAuthorizationCode(code) {
+        const { rows } = await this.#pool.query('SELECT * FROM oauth_authorization_codes WHERE code = $1 AND expires_at > now()', [code]);
+        const row = rows[0];
+        return row ? authCodeRowToRecord(row) : undefined;
+    }
+    async redeemAuthorizationCode(code) {
+        const { rows } = await this.#pool.query('DELETE FROM oauth_authorization_codes WHERE code = $1 RETURNING *', [code]);
+        const row = rows[0];
+        if (!row || !live(row.expires_at))
+            return undefined;
+        return authCodeRowToRecord(row);
+    }
+    async createRefreshToken(record) {
+        await this.#pool.query(`INSERT INTO oauth_refresh_tokens
+         (token, client_id, owner_subject, owner_email, resource, scope, expires_at)
+       VALUES ($1, $2, $3, $4, $5, $6, to_timestamp($7))`, [
+            record.token,
+            record.clientId,
+            record.ownerSubject,
+            record.ownerEmail ?? null,
+            record.resource,
+            record.scope ?? null,
+            record.expiresAt,
+        ]);
+    }
+    async consumeRefreshToken(token) {
+        const { rows } = await this.#pool.query('DELETE FROM oauth_refresh_tokens WHERE token = $1 RETURNING *', [token]);
+        const row = rows[0];
+        if (!row || !live(row.expires_at))
+            return undefined;
+        return {
+            token: row.token,
+            clientId: row.client_id,
+            ownerSubject: row.owner_subject,
+            ...(row.owner_email !== null ? { ownerEmail: row.owner_email } : {}),
+            resource: row.resource,
+            ...(row.scope !== null ? { scope: row.scope } : {}),
+            expiresAt: epochSeconds(row.expires_at),
+        };
+    }
+}
+function authCodeRowToRecord(row) {
+    return {
+        code: row.code,
+        clientId: row.client_id,
+        codeChallenge: row.code_challenge,
+        redirectUri: row.redirect_uri,
+        resource: row.resource,
+        ownerSubject: row.owner_subject,
+        ...(row.owner_email !== null ? { ownerEmail: row.owner_email } : {}),
+        ...(row.scope !== null ? { scope: row.scope } : {}),
+        expiresAt: epochSeconds(row.expires_at),
+    };
+}
+function epochSeconds(date) {
+    return Math.floor(new Date(date).getTime() / 1000);
+}
+function live(expiresAt) {
+    return new Date(expiresAt).getTime() > Date.now();
+}
+//# sourceMappingURL=store-postgres.js.map

package/node_modules/@noodle-borg/service/dist/oauth/store-postgres.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store-postgres.js","sourceRoot":"","sources":["../../src/oauth/store-postgres.ts"],"names":[],"mappings":"AASA;;;;;;;;;GASG;AACH,MAAM,OAAO,kBAAkB;IACpB,KAAK,CAAO;IAErB,YAAY,IAAU;QACpB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;IACpB,CAAC;IAED,uGAAuG;IACvG,KAAK,CAAC,YAAY;QAChB,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC;;;;;;KAMtB,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC;;;;;;;;;;;KAWtB,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC;;;;;;;;;;;;KAYtB,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC;;;;;;;;;;KAUtB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CACrC,uDAAuD,EACvD,CAAC,QAAQ,CAAC,CACX,CAAC;QACF,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,MAAkC;QAChD,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CACpB;sEACgE,EAChE,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAC3C,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,0BAA0B,CAAC,MAAkC;QACjE,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CACpB;;6DAEuD,EACvD;YACE,MAAM,CAAC,KAAK;YACZ,MAAM,CAAC,QAAQ;YACf,MAAM,CAAC,WAAW;YAClB,MAAM,CAAC,aAAa;YACpB,MAAM,CAAC,WAAW,IAAI,IAAI;YAC1B,MAAM,CAAC,QAAQ;YACf,MAAM,CAAC,KAAK,IAAI,IAAI;YACpB,MAAM,CAAC,SAAS;SACjB,CACF,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,KAAa;QAEb,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CACrC,uEAAuE,EACvE,CAAC,KAAK,CAAC,CACR,CAAC;QACF,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;YAAE,OAAO,SAAS,CAAC;QACpD,OAAO;YACL,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,QAAQ,EAAE,GAAG,CAAC,SAAS;YACvB,WAAW,EAAE,GAAG,CAAC,YAAY;YAC7B,aAAa,EAAE,GAAG,CAAC,cAAc;YACjC,GAAG,CAAC,GAAG,CAAC,YAAY,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACvE,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,GAAG,CAAC,GAAG,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,SAAS,EAAE,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC;SACxC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,MAA+B;QAC3D,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CACpB;;iEAE2D,EAC3D;YACE,MAAM,CAAC,IAAI;YACX,MAAM,CAAC,QAAQ;YACf,MAAM,CAAC,aAAa;YACpB,MAAM,CAAC,WAAW;YAClB,MAAM,CAAC,QAAQ;YACf,MAAM,CAAC,YAAY;YACnB,MAAM,CAAC,UAAU,IAAI,IAAI;YACzB,MAAM,CAAC,KAAK,IAAI,IAAI;YACpB,MAAM,CAAC,SAAS;SACjB,CACF,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,IAAY;QACrC,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CACrC,gFAAgF,EAChF,CAAC,IAAI,CAAC,CACP,CAAC;QACF,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,OAAO,GAAG,CAAC,CAAC,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACpD,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,IAAY;QACxC,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CACrC,mEAAmE,EACnE,CAAC,IAAI,CAAC,CACP,CAAC;QACF,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;YAAE,OAAO,SAAS,CAAC;QACpD,OAAO,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,MAA0B;QACjD,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CACpB;;yDAEmD,EACnD;YACE,MAAM,CAAC,KAAK;YACZ,MAAM,CAAC,QAAQ;YACf,MAAM,CAAC,YAAY;YACnB,MAAM,CAAC,UAAU,IAAI,IAAI;YACzB,MAAM,CAAC,QAAQ;YACf,MAAM,CAAC,KAAK,IAAI,IAAI;YACpB,MAAM,CAAC,SAAS;SACjB,CACF,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,KAAa;QACrC,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CACrC,+DAA+D,EAC/D,CAAC,KAAK,CAAC,CACR,CAAC;QACF,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;YAAE,OAAO,SAAS,CAAC;QACpD,OAAO;YACL,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,QAAQ,EAAE,GAAG,CAAC,SAAS;YACvB,YAAY,EAAE,GAAG,CAAC,aAAa;YAC/B,GAAG,CAAC,GAAG,CAAC,WAAW,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACpE,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,GAAG,CAAC,GAAG,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,SAAS,EAAE,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC;SACxC,CAAC;IACJ,CAAC;CACF;AAmCD,SAAS,mBAAmB,CAAC,GAAgB;IAC3C,OAAO;QACL,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,QAAQ,EAAE,GAAG,CAAC,SAAS;QACvB,aAAa,EAAE,GAAG,CAAC,cAAc;QACjC,WAAW,EAAE,GAAG,CAAC,YAAY;QAC7B,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,YAAY,EAAE,GAAG,CAAC,aAAa;QAC/B,GAAG,CAAC,GAAG,CAAC,WAAW,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACpE,GAAG,CAAC,GAAG,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACnD,SAAS,EAAE,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC;KACxC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,IAAU;IAC9B,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,IAAI,CAAC,SAAe;IAC3B,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;AACpD,CAAC"}

package/node_modules/@noodle-borg/service/dist/oauth/store.d.ts

@@ -0,0 +1,85 @@
+import type { OAuthClientInformationFull } from '@modelcontextprotocol/sdk/shared/auth.js';
+/**
+ * Durable state for the self-hosted OAuth authorization server (OA-2,
+ * [ADR 0042](../../../../docs/decisions/0042-self-hosted-oauth-authorization-server.md)). All four record
+ * kinds are short-lived OAuth state that must be **multi-instance-safe** (any Cloud Run instance can complete
+ * a flow another instance started — [ADR 0036](../../../../docs/decisions/0036-stateless-registry-lazy-recompile.md)),
+ * so they live in the shared store, not process memory.
+ *
+ * Opaque secrets (authorization codes, refresh tokens, the Google-leg `state` nonce) are keyed by their
+ * **hash** — the caller hashes the raw value and passes only the hash here, so a store dump never yields a
+ * usable credential. This module is the dumb keyed store; entropy, hashing, and TTL policy live in the
+ * provider layer.
+ */
+/** A PKCE-bound, single-use authorization code (the `code` field is the hash of the raw code). */
+export interface AuthorizationCodeRecord {
+    readonly code: string;
+    readonly clientId: string;
+    /** PKCE `code_challenge` (S256). Validated by the SDK token handler before redemption. */
+    readonly codeChallenge: string;
+    readonly redirectUri: string;
+    /** Canonical tenant MCP URL the resulting token is bound to (RFC 8707 audience). */
+    readonly resource: string;
+    /** The authenticated owner's Google subject. */
+    readonly ownerSubject: string;
+    readonly ownerEmail?: string;
+    readonly scope?: string;
+    /** Expiry, epoch seconds. */
+    readonly expiresAt: number;
+}
+/** State carried across the "Sign in with Google" round-trip (`state` is the hash of the Google `state` nonce). */
+export interface PendingAuthorizationRecord {
+    readonly state: string;
+    readonly clientId: string;
+    readonly redirectUri: string;
+    readonly codeChallenge: string;
+    /** The MCP client's own `state`, echoed back on the final redirect. */
+    readonly clientState?: string;
+    readonly resource: string;
+    readonly scope?: string;
+    readonly expiresAt: number;
+}
+/** A rotating, revocable refresh token (`token` is the hash of the raw refresh token). */
+export interface RefreshTokenRecord {
+    readonly token: string;
+    readonly clientId: string;
+    readonly ownerSubject: string;
+    readonly ownerEmail?: string;
+    readonly resource: string;
+    readonly scope?: string;
+    readonly expiresAt: number;
+}
+export interface OAuthStore {
+    /** Dynamic client registration (RFC 7591): persist + read the SDK-generated client info. */
+    getClient(clientId: string): Promise<OAuthClientInformationFull | undefined>;
+    putClient(client: OAuthClientInformationFull): Promise<OAuthClientInformationFull>;
+    /** Pending authorization (single-use): created in `authorize`, consumed in the Google callback. */
+    createPendingAuthorization(record: PendingAuthorizationRecord): Promise<void>;
+    consumePendingAuthorization(state: string): Promise<PendingAuthorizationRecord | undefined>;
+    /** Authorization code: created after consent, read non-destructively for the PKCE challenge, then redeemed once. */
+    createAuthorizationCode(record: AuthorizationCodeRecord): Promise<void>;
+    getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | undefined>;
+    /** Atomic single-use redeem — returns the record only on the first call for a live, unredeemed code. */
+    redeemAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | undefined>;
+    /** Refresh token: created on token issuance, consumed once on rotation (reuse → `undefined`). */
+    createRefreshToken(record: RefreshTokenRecord): Promise<void>;
+    consumeRefreshToken(token: string): Promise<RefreshTokenRecord | undefined>;
+}
+/**
+ * In-memory {@link OAuthStore} for tests and non-persistent dev. Single-use operations are atomic by
+ * construction: the check-and-delete runs synchronously (no `await` between read and mutation), so two
+ * concurrent redemptions of the same code/token resolve with exactly one winner.
+ */
+export declare class InMemoryOAuthStore implements OAuthStore {
+    #private;
+    getClient(clientId: string): Promise<OAuthClientInformationFull | undefined>;
+    putClient(client: OAuthClientInformationFull): Promise<OAuthClientInformationFull>;
+    createPendingAuthorization(record: PendingAuthorizationRecord): Promise<void>;
+    consumePendingAuthorization(state: string): Promise<PendingAuthorizationRecord | undefined>;
+    createAuthorizationCode(record: AuthorizationCodeRecord): Promise<void>;
+    getAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | undefined>;
+    redeemAuthorizationCode(code: string): Promise<AuthorizationCodeRecord | undefined>;
+    createRefreshToken(record: RefreshTokenRecord): Promise<void>;
+    consumeRefreshToken(token: string): Promise<RefreshTokenRecord | undefined>;
+}
+//# sourceMappingURL=store.d.ts.map

package/node_modules/@noodle-borg/service/dist/oauth/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/oauth/store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AAE3F;;;;;;;;;;;GAWG;AAEH,kGAAkG;AAClG,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,0FAA0F;IAC1F,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,oFAAoF;IACpF,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,gDAAgD;IAChD,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,6BAA6B;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,mHAAmH;AACnH,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,uEAAuE;IACvE,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,0FAA0F;AAC1F,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,UAAU;IACzB,4FAA4F;IAC5F,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,SAAS,CAAC,CAAC;IAC7E,SAAS,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,0BAA0B,CAAC,CAAC;IAEnF,mGAAmG;IACnG,0BAA0B,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,2BAA2B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,SAAS,CAAC,CAAC;IAE5F,oHAAoH;IACpH,uBAAuB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACxE,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,SAAS,CAAC,CAAC;IACjF,wGAAwG;IACxG,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,SAAS,CAAC,CAAC;IAEpF,iGAAiG;IACjG,kBAAkB,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9D,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,SAAS,CAAC,CAAC;CAC7E;AAMD;;;;GAIG;AACH,qBAAa,kBAAmB,YAAW,UAAU;;IAMnD,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,SAAS,CAAC;IAI5E,SAAS,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,0BAA0B,CAAC;IAKlF,0BAA0B,CAAC,MAAM,EAAE,0BAA0B,GAAG,OAAO,CAAC,IAAI,CAAC;IAK7E,2BAA2B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,SAAS,CAAC;IAM3F,uBAAuB,CAAC,MAAM,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;IAKvE,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,SAAS,CAAC;IAKhF,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,GAAG,SAAS,CAAC;IAOnF,kBAAkB,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IAK7D,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,GAAG,SAAS,CAAC;CAM5E"}

package/node_modules/@noodle-borg/service/dist/oauth/store.js

@@ -0,0 +1,57 @@
+function live(expiresAt) {
+    return expiresAt * 1000 > Date.now();
+}
+/**
+ * In-memory {@link OAuthStore} for tests and non-persistent dev. Single-use operations are atomic by
+ * construction: the check-and-delete runs synchronously (no `await` between read and mutation), so two
+ * concurrent redemptions of the same code/token resolve with exactly one winner.
+ */
+export class InMemoryOAuthStore {
+    #clients = new Map();
+    #pending = new Map();
+    #codes = new Map();
+    #refresh = new Map();
+    getClient(clientId) {
+        return Promise.resolve(this.#clients.get(clientId));
+    }
+    putClient(client) {
+        this.#clients.set(client.client_id, client);
+        return Promise.resolve(client);
+    }
+    createPendingAuthorization(record) {
+        this.#pending.set(record.state, record);
+        return Promise.resolve();
+    }
+    consumePendingAuthorization(state) {
+        const record = this.#pending.get(state);
+        this.#pending.delete(state); // single-use: gone whether or not it was still live
+        return Promise.resolve(record && live(record.expiresAt) ? record : undefined);
+    }
+    createAuthorizationCode(record) {
+        this.#codes.set(record.code, record);
+        return Promise.resolve();
+    }
+    getAuthorizationCode(code) {
+        const record = this.#codes.get(code);
+        return Promise.resolve(record && live(record.expiresAt) ? record : undefined);
+    }
+    redeemAuthorizationCode(code) {
+        const record = this.#codes.get(code);
+        if (record === undefined)
+            return Promise.resolve(undefined);
+        this.#codes.delete(code); // atomic single-use: the second concurrent redeem sees nothing
+        return Promise.resolve(live(record.expiresAt) ? record : undefined);
+    }
+    createRefreshToken(record) {
+        this.#refresh.set(record.token, record);
+        return Promise.resolve();
+    }
+    consumeRefreshToken(token) {
+        const record = this.#refresh.get(token);
+        if (record === undefined)
+            return Promise.resolve(undefined);
+        this.#refresh.delete(token); // rotation: a refresh token is single-use; reuse → undefined
+        return Promise.resolve(live(record.expiresAt) ? record : undefined);
+    }
+}
+//# sourceMappingURL=store.js.map

package/node_modules/@noodle-borg/service/dist/oauth/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/oauth/store.ts"],"names":[],"mappings":"AA4EA,SAAS,IAAI,CAAC,SAAiB;IAC7B,OAAO,SAAS,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,MAAM,OAAO,kBAAkB;IACpB,QAAQ,GAAG,IAAI,GAAG,EAAsC,CAAC;IACzD,QAAQ,GAAG,IAAI,GAAG,EAAsC,CAAC;IACzD,MAAM,GAAG,IAAI,GAAG,EAAmC,CAAC;IACpD,QAAQ,GAAG,IAAI,GAAG,EAA8B,CAAC;IAE1D,SAAS,CAAC,QAAgB;QACxB,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,SAAS,CAAC,MAAkC;QAC1C,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC5C,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAED,0BAA0B,CAAC,MAAkC;QAC3D,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACxC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAED,2BAA2B,CAAC,KAAa;QACvC,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,oDAAoD;QACjF,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAChF,CAAC;IAED,uBAAuB,CAAC,MAA+B;QACrD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACrC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAED,oBAAoB,CAAC,IAAY;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACrC,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAChF,CAAC;IAED,uBAAuB,CAAC,IAAY;QAClC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,MAAM,KAAK,SAAS;YAAE,OAAO,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC5D,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,+DAA+D;QACzF,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IACtE,CAAC;IAED,kBAAkB,CAAC,MAA0B;QAC3C,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACxC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAED,mBAAmB,CAAC,KAAa;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,MAAM,KAAK,SAAS;YAAE,OAAO,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC5D,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,6DAA6D;QAC1F,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IACtE,CAAC;CACF"}

package/node_modules/@noodle-borg/service/dist/oauth/tokens.d.ts

@@ -0,0 +1,8 @@
+/** A high-entropy (256-bit) opaque token — used for authorization codes, refresh tokens, and the Google `state` nonce. */
+export declare function randomToken(): string;
+/**
+ * SHA-256 hash (hex) of an opaque token. The authorization server stores only the hash, so a store dump
+ * never yields a usable credential; the raw value is returned to the client and re-hashed on lookup.
+ */
+export declare function hashToken(raw: string): string;
+//# sourceMappingURL=tokens.d.ts.map

package/node_modules/@noodle-borg/service/dist/oauth/tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["../../src/oauth/tokens.ts"],"names":[],"mappings":"AAEA,0HAA0H;AAC1H,wBAAgB,WAAW,IAAI,MAAM,CAEpC;AAED;;;GAGG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE7C"}

package/node_modules/@noodle-borg/service/dist/oauth/tokens.js

@@ -0,0 +1,13 @@
+import { createHash, randomBytes } from 'node:crypto';
+/** A high-entropy (256-bit) opaque token — used for authorization codes, refresh tokens, and the Google `state` nonce. */
+export function randomToken() {
+    return randomBytes(32).toString('base64url');
+}
+/**
+ * SHA-256 hash (hex) of an opaque token. The authorization server stores only the hash, so a store dump
+ * never yields a usable credential; the raw value is returned to the client and re-hashed on lookup.
+ */
+export function hashToken(raw) {
+    return createHash('sha256').update(raw).digest('hex');
+}
+//# sourceMappingURL=tokens.js.map

package/node_modules/@noodle-borg/service/dist/oauth/tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.js","sourceRoot":"","sources":["../../src/oauth/tokens.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtD,0HAA0H;AAC1H,MAAM,UAAU,WAAW;IACzB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,GAAW;IACnC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACxD,CAAC"}

package/node_modules/@noodle-borg/service/dist/secret/kms-master-key.d.ts

@@ -0,0 +1,36 @@
+import type { WrappingMasterKey } from '@noodle-borg/runtime';
+/**
+ * Cloud KMS master-key (KEK) custodian (ADR 0037). The KEK never leaves KMS: this adapter only asks KMS to
+ * **wrap/unwrap** a per-record 32-byte data key (DEK), which `SecretBox` uses for v2 envelope encryption.
+ *
+ * Lives in `service` (not `runtime`) so the heavy `@google-cloud/kms` SDK stays out of the runtime/CLI
+ * dependency graph; `serveService` dynamic-imports this module only when a KMS key is configured, and the
+ * SDK itself is loaded lazily on the first wrap/unwrap (or never, when a `client` is injected in tests).
+ */
+export interface GcpKmsConfig {
+    /**
+     * Cloud KMS **cryptoKey** resource name: `projects/P/locations/L/keyRings/R/cryptoKeys/K`. Symmetric
+     * encrypt/decrypt operate on the cryptoKey (not a version) — KMS uses the primary version to encrypt and
+     * auto-selects the version to decrypt, so this is rotation-safe (old ciphertexts keep decrypting).
+     */
+    readonly keyName: string;
+    /** Injected client (tests). Defaults to a real `KeyManagementServiceClient`, lazily imported. */
+    readonly client?: KmsClient;
+}
+/** The slice of the Cloud KMS client this adapter uses. Lets tests inject a fake (no SDK, no network). */
+export interface KmsClient {
+    encrypt(request: {
+        name: string;
+        plaintext: Buffer;
+    }): Promise<[{
+        ciphertext?: Uint8Array | string | null;
+    }, ...unknown[]]>;
+    decrypt(request: {
+        name: string;
+        ciphertext: Buffer;
+    }): Promise<[{
+        plaintext?: Uint8Array | string | null;
+    }, ...unknown[]]>;
+}
+export declare function gcpKmsMasterKeyProvider(config: GcpKmsConfig): WrappingMasterKey;
+//# sourceMappingURL=kms-master-key.d.ts.map

package/node_modules/@noodle-borg/service/dist/secret/kms-master-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-master-key.d.ts","sourceRoot":"","sources":["../../src/secret/kms-master-key.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAE9D;;;;;;;GAOG;AACH,MAAM,WAAW,YAAY;IAC3B;;;;OAIG;IACH,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,iGAAiG;IACjG,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,CAAC;CAC7B;AAED,0GAA0G;AAC1G,MAAM,WAAW,SAAS;IACxB,OAAO,CAAC,OAAO,EAAE;QACf,IAAI,EAAE,MAAM,CAAC;QACb,SAAS,EAAE,MAAM,CAAC;KACnB,GAAG,OAAO,CAAC,CAAC;QAAE,UAAU,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,IAAI,CAAA;KAAE,EAAE,GAAG,OAAO,EAAE,CAAC,CAAC,CAAC;IACzE,OAAO,CAAC,OAAO,EAAE;QACf,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;KACpB,GAAG,OAAO,CAAC,CAAC;QAAE,SAAS,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,IAAI,CAAA;KAAE,EAAE,GAAG,OAAO,EAAE,CAAC,CAAC,CAAC;CACzE;AAWD,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,YAAY,GAAG,iBAAiB,CAsC/E"}

package/node_modules/@noodle-borg/service/dist/secret/kms-master-key.js

@@ -0,0 +1,51 @@
+/**
+ * Build a {@link WrappingMasterKey} backed by Cloud KMS. `wrapDek`/`unwrapDek` call KMS
+ * `encrypt`/`decrypt` on the configured cryptoKey; `keyId` records that cryptoKey name in each sealed
+ * record. A decrypt that returns anything other than 32 bytes is rejected (defends against a misconfigured
+ * key wrapping the wrong material).
+ */
+/** A Cloud KMS cryptoKey resource name: `projects/P/locations/L/keyRings/R/cryptoKeys/K` (version optional). */
+const CRYPTO_KEY_NAME = /^projects\/[^/]+\/locations\/[^/]+\/keyRings\/[^/]+\/cryptoKeys\/[^/]+/;
+export function gcpKmsMasterKeyProvider(config) {
+    const name = config.keyName;
+    // Fail closed at construction (symmetry with `staticMasterKeyProvider`): a misconfigured KMS key must
+    // crash boot, not defer to an opaque per-deploy decrypt failure after the service is already serving.
+    if (!CRYPTO_KEY_NAME.test(name.trim())) {
+        throw new Error('Cloud KMS key name must be a cryptoKey resource ' +
+            '(projects/<p>/locations/<l>/keyRings/<r>/cryptoKeys/<k>)');
+    }
+    let clientPromise;
+    const getClient = () => {
+        if (config.client)
+            return Promise.resolve(config.client);
+        // Lazy: the SDK loads only on first real use, never in injected-client (test) paths.
+        clientPromise ??= import('@google-cloud/kms').then((m) => new m.KeyManagementServiceClient());
+        return clientPromise;
+    };
+    return {
+        kind: 'wrapping',
+        keyId: name,
+        async wrapDek(dek) {
+            const client = await getClient();
+            const [res] = await client.encrypt({ name, plaintext: dek });
+            return toBuffer(res.ciphertext, 'encrypt ciphertext');
+        },
+        async unwrapDek(wrapped) {
+            const client = await getClient();
+            const [res] = await client.decrypt({ name, ciphertext: wrapped });
+            const dek = toBuffer(res.plaintext, 'decrypt plaintext');
+            if (dek.length !== 32) {
+                throw new Error('Cloud KMS decrypt returned a non-32-byte data key');
+            }
+            return dek;
+        },
+    };
+}
+/** Coerce a KMS payload (Buffer/Uint8Array in gRPC; base64 string in REST) to a non-empty Buffer. */
+function toBuffer(value, what) {
+    // `.length === 0` catches the empty-string (REST `""`) and zero-length-buffer shapes too, not just null.
+    if (value == null || value.length === 0)
+        throw new Error(`Cloud KMS ${what} was empty`);
+    return typeof value === 'string' ? Buffer.from(value, 'base64') : Buffer.from(value);
+}
+//# sourceMappingURL=kms-master-key.js.map

package/node_modules/@noodle-borg/service/dist/secret/kms-master-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-master-key.js","sourceRoot":"","sources":["../../src/secret/kms-master-key.ts"],"names":[],"mappings":"AAiCA;;;;;GAKG;AACH,gHAAgH;AAChH,MAAM,eAAe,GAAG,wEAAwE,CAAC;AAEjG,MAAM,UAAU,uBAAuB,CAAC,MAAoB;IAC1D,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC;IAC5B,sGAAsG;IACtG,sGAAsG;IACtG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CACb,kDAAkD;YAChD,0DAA0D,CAC7D,CAAC;IACJ,CAAC;IACD,IAAI,aAA6C,CAAC;IAClD,MAAM,SAAS,GAAG,GAAuB,EAAE;QACzC,IAAI,MAAM,CAAC,MAAM;YAAE,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzD,qFAAqF;QACrF,aAAa,KAAK,MAAM,CAAC,mBAAmB,CAAC,CAAC,IAAI,CAChD,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,0BAA0B,EAA0B,CAClE,CAAC;QACF,OAAO,aAAa,CAAC;IACvB,CAAC,CAAC;IAEF,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,IAAI;QACX,KAAK,CAAC,OAAO,CAAC,GAAG;YACf,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;YACjC,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7D,OAAO,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAC;QACxD,CAAC;QACD,KAAK,CAAC,SAAS,CAAC,OAAO;YACrB,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;YACjC,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;YAClE,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,mBAAmB,CAAC,CAAC;YACzD,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACvE,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;KACF,CAAC;AACJ,CAAC;AAED,qGAAqG;AACrG,SAAS,QAAQ,CAAC,KAA6C,EAAE,IAAY;IAC3E,yGAAyG;IACzG,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,aAAa,IAAI,YAAY,CAAC,CAAC;IACxF,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACvF,CAAC"}