noodleseed-cli 0.1.4

package/node_modules/@noodle-borg/auth/dist/jwt-issuer.d.ts

@@ -0,0 +1,21 @@
+import type { SigningKeyProvider } from './signer.js';
+export interface AccessTokenClaims {
+    /** Token issuer — the Noodle self-hosted authorization server (`NOODLE_OAUTH_ISSUER`). */
+    readonly issuer: string;
+    /** Subject — the Google subject of the authenticated owner. */
+    readonly subject: string;
+    /** Audience — the canonical tenant MCP URL the token is bound to (RFC 8707). */
+    readonly audience: string;
+    /** End-user email, when available. */
+    readonly email?: string;
+    /** Space-delimited scopes, when any. */
+    readonly scope?: string;
+}
+/**
+ * Mint a short-lived RS256 access token for the owner-only data plane (OA-2, [ADR 0042]). This is exactly the
+ * token the OA-1 resource-server verifier (`createJwtVerifier`) validates: `iss` = the Noodle AS, `aud` = the
+ * canonical tenant MCP URL (RFC 8707 resource binding), `sub` = the Google subject. The raw token is opaque to
+ * the MCP client; only the resource server reads it, and the raw value dies at the verifier ([ADR 0005]).
+ */
+export declare function mintAccessToken(provider: SigningKeyProvider, claims: AccessTokenClaims, ttlSeconds: number): Promise<string>;
+//# sourceMappingURL=jwt-issuer.d.ts.map

package/node_modules/@noodle-borg/auth/dist/jwt-issuer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-issuer.d.ts","sourceRoot":"","sources":["../src/jwt-issuer.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEtD,MAAM,WAAW,iBAAiB;IAChC,0FAA0F;IAC1F,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,+DAA+D;IAC/D,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,gFAAgF;IAChF,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,sCAAsC;IACtC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,wCAAwC;IACxC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,kBAAkB,EAC5B,MAAM,EAAE,iBAAiB,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,CAcjB"}

package/node_modules/@noodle-borg/auth/dist/jwt-issuer.js

@@ -0,0 +1,24 @@
+import { randomUUID } from 'node:crypto';
+import { SignJWT } from 'jose';
+/**
+ * Mint a short-lived RS256 access token for the owner-only data plane (OA-2, [ADR 0042]). This is exactly the
+ * token the OA-1 resource-server verifier (`createJwtVerifier`) validates: `iss` = the Noodle AS, `aud` = the
+ * canonical tenant MCP URL (RFC 8707 resource binding), `sub` = the Google subject. The raw token is opaque to
+ * the MCP client; only the resource server reads it, and the raw value dies at the verifier ([ADR 0005]).
+ */
+export async function mintAccessToken(provider, claims, ttlSeconds) {
+    const key = await provider.signingKey();
+    const jwt = new SignJWT({
+        ...(claims.email !== undefined ? { email: claims.email } : {}),
+        ...(claims.scope !== undefined ? { scope: claims.scope } : {}),
+    })
+        .setProtectedHeader({ alg: key.alg, kid: key.kid, typ: 'at+jwt' })
+        .setIssuer(claims.issuer)
+        .setSubject(claims.subject)
+        .setAudience(claims.audience)
+        .setIssuedAt()
+        .setJti(randomUUID())
+        .setExpirationTime(`${ttlSeconds}s`);
+    return jwt.sign(key.privateKey);
+}
+//# sourceMappingURL=jwt-issuer.js.map

package/node_modules/@noodle-borg/auth/dist/jwt-issuer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-issuer.js","sourceRoot":"","sources":["../src/jwt-issuer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAgB/B;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAA4B,EAC5B,MAAyB,EACzB,UAAkB;IAElB,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;IACxC,MAAM,GAAG,GAAG,IAAI,OAAO,CAAC;QACtB,GAAG,CAAC,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9D,GAAG,CAAC,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/D,CAAC;SACC,kBAAkB,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC;SACjE,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC;SACxB,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC;SAC1B,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC;SAC5B,WAAW,EAAE;SACb,MAAM,CAAC,UAAU,EAAE,CAAC;SACpB,iBAAiB,CAAC,GAAG,UAAU,GAAG,CAAC,CAAC;IACvC,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;AAClC,CAAC"}

package/node_modules/@noodle-borg/auth/dist/metadata.d.ts

@@ -0,0 +1,27 @@
+/**
+ * OAuth 2.0 Protected Resource Metadata (RFC 9728), the document an MCP client fetches after a `401` to
+ * discover which authorization server(s) protect a resource. The shape mirrors the MCP authorization spec
+ * (`2025-11-25`) and the official SDK's `OAuthProtectedResourceMetadata`; re-verify against the live spec
+ * before relying on optional fields (see `docs/references/mcp-source-notes.md`).
+ */
+export interface ProtectedResourceMetadata {
+    /** Canonical resource identifier — the tenant MCP endpoint URL the token must be audience-bound to. */
+    readonly resource: string;
+    /** Authorization servers that can issue tokens for this resource (the Noodle self-hosted AS, OA-2). */
+    readonly authorization_servers?: readonly string[];
+    /** How the bearer token may be presented. Noodle accepts the `Authorization` header only. */
+    readonly bearer_methods_supported?: readonly string[];
+}
+/** Build the protected-resource-metadata document for one resource. */
+export declare function protectedResourceMetadata(input: {
+    readonly resource: string;
+    readonly authorizationServers?: readonly string[];
+}): ProtectedResourceMetadata;
+/**
+ * Construct the RFC 9728 protected-resource-metadata URL for a resource URL: the well-known prefix is
+ * inserted **before** the resource path (e.g. `https://h/o/a/b/mcp` →
+ * `https://h/.well-known/oauth-protected-resource/o/a/b/mcp`). Mirrors the MCP SDK's
+ * `getOAuthProtectedResourceMetadataUrl`.
+ */
+export declare function protectedResourceMetadataUrl(resource: string | URL): string;
+//# sourceMappingURL=metadata.d.ts.map

package/node_modules/@noodle-borg/auth/dist/metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.d.ts","sourceRoot":"","sources":["../src/metadata.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,WAAW,yBAAyB;IACxC,uGAAuG;IACvG,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,uGAAuG;IACvG,QAAQ,CAAC,qBAAqB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACnD,6FAA6F;IAC7F,QAAQ,CAAC,wBAAwB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACvD;AAED,uEAAuE;AACvE,wBAAgB,yBAAyB,CAAC,KAAK,EAAE;IAC/C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACnD,GAAG,yBAAyB,CAQ5B;AAED;;;;;GAKG;AACH,wBAAgB,4BAA4B,CAAC,QAAQ,EAAE,MAAM,GAAG,GAAG,GAAG,MAAM,CAG3E"}

package/node_modules/@noodle-borg/auth/dist/metadata.js

@@ -0,0 +1,21 @@
+/** Build the protected-resource-metadata document for one resource. */
+export function protectedResourceMetadata(input) {
+    return {
+        resource: input.resource,
+        ...(input.authorizationServers && input.authorizationServers.length > 0
+            ? { authorization_servers: input.authorizationServers }
+            : {}),
+        bearer_methods_supported: ['header'],
+    };
+}
+/**
+ * Construct the RFC 9728 protected-resource-metadata URL for a resource URL: the well-known prefix is
+ * inserted **before** the resource path (e.g. `https://h/o/a/b/mcp` →
+ * `https://h/.well-known/oauth-protected-resource/o/a/b/mcp`). Mirrors the MCP SDK's
+ * `getOAuthProtectedResourceMetadataUrl`.
+ */
+export function protectedResourceMetadataUrl(resource) {
+    const url = new URL(resource);
+    return `${url.origin}/.well-known/oauth-protected-resource${url.pathname}`;
+}
+//# sourceMappingURL=metadata.js.map

package/node_modules/@noodle-borg/auth/dist/metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.js","sourceRoot":"","sources":["../src/metadata.ts"],"names":[],"mappings":"AAeA,uEAAuE;AACvE,MAAM,UAAU,yBAAyB,CAAC,KAGzC;IACC,OAAO;QACL,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,GAAG,CAAC,KAAK,CAAC,oBAAoB,IAAI,KAAK,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC;YACrE,CAAC,CAAC,EAAE,qBAAqB,EAAE,KAAK,CAAC,oBAAoB,EAAE;YACvD,CAAC,CAAC,EAAE,CAAC;QACP,wBAAwB,EAAE,CAAC,QAAQ,CAAC;KACrC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,4BAA4B,CAAC,QAAsB;IACjE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC9B,OAAO,GAAG,GAAG,CAAC,MAAM,wCAAwC,GAAG,CAAC,QAAQ,EAAE,CAAC;AAC7E,CAAC"}

package/node_modules/@noodle-borg/auth/dist/signer.d.ts

@@ -0,0 +1,45 @@
+import type { JSONWebKeySet, JWTVerifyGetKey } from 'jose';
+import { importPKCS8 } from 'jose';
+/** The key type jose accepts for signing (CryptoKey/KeyObject), referenced without the DOM `CryptoKey` global. */
+type SigningCryptoKey = Awaited<ReturnType<typeof importPKCS8>>;
+/**
+ * Signing-key custody for the self-hosted authorization server (OA-2, [ADR 0042]). The provider owns the
+ * private key used to sign access tokens and publishes the matching public key as a JWKS (read by the OA-1
+ * resource-server verifier via its `jwksUri`, or in-process via {@link verifierKey}).
+ *
+ * Two implementations are anticipated: a **static** RS256 key for alpha (this file) and a **KMS-wrapped**
+ * key as a fast-follow (mirroring [ADR 0037]) — the private key would then never leave KMS. The interface is
+ * async on purpose so the KMS variant slots in behind it unchanged.
+ */
+export interface SigningKey {
+    /** JWS algorithm (RS256 for alpha). */
+    readonly alg: string;
+    /** Stable key id (JWK thumbprint) — set in the token header and the published JWK. */
+    readonly kid: string;
+    /** The private signing key. */
+    readonly privateKey: SigningCryptoKey;
+}
+export interface SigningKeyProvider {
+    /** The active signing key (custody owns the private material). */
+    signingKey(): Promise<SigningKey>;
+    /** The public JWK Set served at the JWKS endpoint and consumed by the resource-server verifier. */
+    publicJwks(): Promise<JSONWebKeySet>;
+    /** A local verify resolver over the public key(s) — no HTTP fetch (tests + same-process verification). */
+    verifierKey(): Promise<JWTVerifyGetKey>;
+}
+export interface StaticSigningKeyOptions {
+    /**
+     * A PKCS#8 PEM-encoded RSA private key (e.g. from `NOODLE_OAUTH_SIGNING_KEY`). When omitted, a fresh
+     * keypair is generated at construction — convenient for dev/tests, but the key is lost on restart, so
+     * production must supply one.
+     */
+    readonly privateKeyPem?: string;
+}
+/**
+ * A {@link SigningKeyProvider} backed by a single static RS256 key. With `privateKeyPem` the key is imported
+ * (extractable, so the public JWK can be derived); otherwise one is generated. The public JWK is stripped to
+ * its public members only — private fields never reach {@link publicJwks}.
+ */
+export declare function createStaticSigningKeyProvider(options?: StaticSigningKeyOptions): Promise<SigningKeyProvider>;
+export {};
+//# sourceMappingURL=signer.d.ts.map

package/node_modules/@noodle-borg/auth/dist/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../src/signer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAO,eAAe,EAAE,MAAM,MAAM,CAAC;AAChE,OAAO,EAKL,WAAW,EACZ,MAAM,MAAM,CAAC;AAEd,kHAAkH;AAClH,KAAK,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC,CAAC;AAEhE;;;;;;;;GAQG;AACH,MAAM,WAAW,UAAU;IACzB,uCAAuC;IACvC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,sFAAsF;IACtF,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,+BAA+B;IAC/B,QAAQ,CAAC,UAAU,EAAE,gBAAgB,CAAC;CACvC;AAED,MAAM,WAAW,kBAAkB;IACjC,kEAAkE;IAClE,UAAU,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IAClC,mGAAmG;IACnG,UAAU,IAAI,OAAO,CAAC,aAAa,CAAC,CAAC;IACrC,0GAA0G;IAC1G,WAAW,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC;CACzC;AAID,MAAM,WAAW,uBAAuB;IACtC;;;;OAIG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;;;GAIG;AACH,wBAAsB,8BAA8B,CAClD,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,kBAAkB,CAAC,CAkB7B"}

package/node_modules/@noodle-borg/auth/dist/signer.js

@@ -0,0 +1,47 @@
+import { calculateJwkThumbprint, createLocalJWKSet, exportJWK, generateKeyPair, importPKCS8, } from 'jose';
+const RS256 = 'RS256';
+/**
+ * A {@link SigningKeyProvider} backed by a single static RS256 key. With `privateKeyPem` the key is imported
+ * (extractable, so the public JWK can be derived); otherwise one is generated. The public JWK is stripped to
+ * its public members only — private fields never reach {@link publicJwks}.
+ */
+export async function createStaticSigningKeyProvider(options = {}) {
+    const privateKey = options.privateKeyPem
+        ? await importPKCS8(options.privateKeyPem, RS256, { extractable: true })
+        : (await generateKeyPair(RS256, { extractable: true })).privateKey;
+    // Derive the public JWK from the private key, keeping only public members (never publish d/p/q/...).
+    const publicJwk = toPublicJwk(await exportJWK(privateKey));
+    const kid = await calculateJwkThumbprint(publicJwk);
+    const publishedJwk = { ...publicJwk, kid, alg: RS256, use: 'sig' };
+    const jwks = { keys: [publishedJwk] };
+    const resolver = createLocalJWKSet(jwks);
+    const key = { alg: RS256, kid, privateKey };
+    return {
+        signingKey: () => Promise.resolve(key),
+        publicJwks: () => Promise.resolve(jwks),
+        verifierKey: () => Promise.resolve(resolver),
+    };
+}
+/** Keep only the public members of a JWK by key type — strips RSA `d/p/q/...` and EC/OKP private `d`. */
+function toPublicJwk(jwk) {
+    switch (jwk.kty) {
+        case 'RSA':
+            return pick(jwk, ['kty', 'n', 'e']);
+        case 'EC':
+            return pick(jwk, ['kty', 'crv', 'x', 'y']);
+        case 'OKP':
+            return pick(jwk, ['kty', 'crv', 'x']);
+        default:
+            throw new Error(`unsupported signing key type: ${String(jwk.kty)}`);
+    }
+}
+function pick(jwk, keys) {
+    const out = {};
+    for (const key of keys) {
+        const value = jwk[key];
+        if (value !== undefined)
+            out[key] = value;
+    }
+    return out;
+}
+//# sourceMappingURL=signer.js.map

package/node_modules/@noodle-borg/auth/dist/signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.js","sourceRoot":"","sources":["../src/signer.ts"],"names":[],"mappings":"AACA,OAAO,EACL,sBAAsB,EACtB,iBAAiB,EACjB,SAAS,EACT,eAAe,EACf,WAAW,GACZ,MAAM,MAAM,CAAC;AAgCd,MAAM,KAAK,GAAG,OAAO,CAAC;AAWtB;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,UAAmC,EAAE;IAErC,MAAM,UAAU,GAAG,OAAO,CAAC,aAAa;QACtC,CAAC,CAAC,MAAM,WAAW,CAAC,OAAO,CAAC,aAAa,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;QACxE,CAAC,CAAC,CAAC,MAAM,eAAe,CAAC,KAAK,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC;IAErE,qGAAqG;IACrG,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,MAAM,sBAAsB,CAAC,SAAS,CAAC,CAAC;IACpD,MAAM,YAAY,GAAQ,EAAE,GAAG,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IACxE,MAAM,IAAI,GAAkB,EAAE,IAAI,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC;IACrD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACzC,MAAM,GAAG,GAAe,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC;IAExD,OAAO;QACL,UAAU,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC;QACtC,UAAU,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC;QACvC,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;KAC7C,CAAC;AACJ,CAAC;AAED,yGAAyG;AACzG,SAAS,WAAW,CAAC,GAAQ;IAC3B,QAAQ,GAAG,CAAC,GAAG,EAAE,CAAC;QAChB,KAAK,KAAK;YACR,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;QACtC,KAAK,IAAI;YACP,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;QAC7C,KAAK,KAAK;YACR,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;QACxC;YACE,MAAM,IAAI,KAAK,CAAC,iCAAiC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACxE,CAAC;AACH,CAAC;AAED,SAAS,IAAI,CAAC,GAAQ,EAAE,IAA4B;IAClD,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,KAAK,KAAK,SAAS;YAAE,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IAC5C,CAAC;IACD,OAAO,GAAU,CAAC;AACpB,CAAC"}

package/node_modules/@noodle-borg/auth/dist/verify.d.ts

@@ -0,0 +1,42 @@
+import type { JWTVerifyGetKey } from 'jose';
+/**
+ * A verified end-user identity, derived from a validated access token. This is **claims only** — the raw
+ * bearer token dies at the verifier and never crosses into execution (ADR 0005 / 0018). It is the minimum
+ * the data plane needs to make an owner-only authorization decision.
+ */
+export interface VerifiedIdentity {
+    /** Stable subject identifier (the upstream Google subject, threaded through the Noodle AS). */
+    readonly subject: string;
+    /** OAuth scopes carried by the token (empty when none). */
+    readonly scopes: readonly string[];
+    /** The token's audience (RFC 8707 resource binding), when present. */
+    readonly audience?: string;
+    /** The end-user email, when the token carries one. */
+    readonly email?: string;
+    /** Expiry in seconds since the epoch, when present. */
+    readonly expiresAt?: number;
+}
+export interface JwtVerifierConfig {
+    /** Expected token issuer — the Noodle self-hosted authorization server (OA-2). */
+    readonly issuer: string;
+    /** JWKS endpoint of the issuer (signature keys). Required unless {@link keyResolver} is supplied. */
+    readonly jwksUri?: string;
+    /**
+     * A pre-resolved JWK key resolver, used instead of fetching {@link jwksUri}. This is the seam tests and
+     * a future static/KMS signer use to validate without a live JWKS endpoint.
+     */
+    readonly keyResolver?: JWTVerifyGetKey;
+}
+/**
+ * Verify an access token and return its identity, or `null` if the token is missing/invalid/expired. When a
+ * `resource` is supplied, the token's `aud` MUST equal it (RFC 8707 resource binding) — this is how the data
+ * plane binds a token to the specific tenant MCP endpoint it was issued for.
+ */
+export type TokenVerifier = (token: string, resource?: string) => Promise<VerifiedIdentity | null>;
+/**
+ * Build a {@link TokenVerifier} backed by `jose` (ADR 0023). Validates the signature (via JWKS or an injected
+ * resolver), the issuer, expiry, and — when a `resource` is given at call time — the audience. Any failure
+ * resolves to `null`; the verifier never throws, so a bad token is a clean `401`, not a `500`.
+ */
+export declare function createJwtVerifier(config: JwtVerifierConfig): TokenVerifier;
+//# sourceMappingURL=verify.d.ts.map

package/node_modules/@noodle-borg/auth/dist/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAc,eAAe,EAAE,MAAM,MAAM,CAAC;AAGxD;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,+FAA+F;IAC/F,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,2DAA2D;IAC3D,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;IACnC,sEAAsE;IACtE,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,sDAAsD;IACtD,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,uDAAuD;IACvD,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,iBAAiB;IAChC,kFAAkF;IAClF,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,qGAAqG;IACrG,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,eAAe,CAAC;CACxC;AAED;;;;GAIG;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;AAEnG;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,iBAAiB,GAAG,aAAa,CAc1E"}

package/node_modules/@noodle-borg/auth/dist/verify.js

@@ -0,0 +1,48 @@
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+/**
+ * Build a {@link TokenVerifier} backed by `jose` (ADR 0023). Validates the signature (via JWKS or an injected
+ * resolver), the issuer, expiry, and — when a `resource` is given at call time — the audience. Any failure
+ * resolves to `null`; the verifier never throws, so a bad token is a clean `401`, not a `500`.
+ */
+export function createJwtVerifier(config) {
+    const getKey = config.keyResolver ?? createRemoteJWKSet(new URL(requireJwksUri(config)));
+    return async (token, resource) => {
+        try {
+            const { payload } = await jwtVerify(token, getKey, {
+                issuer: config.issuer,
+                ...(resource !== undefined ? { audience: resource } : {}),
+            });
+            return toIdentity(payload);
+        }
+        catch {
+            return null;
+        }
+    };
+}
+function requireJwksUri(config) {
+    if (config.jwksUri === undefined || config.jwksUri === '') {
+        throw new Error('createJwtVerifier requires either a jwksUri or a keyResolver');
+    }
+    return config.jwksUri;
+}
+function toIdentity(payload) {
+    if (typeof payload.sub !== 'string' || payload.sub.length === 0)
+        return null;
+    const aud = Array.isArray(payload.aud) ? payload.aud[0] : payload.aud;
+    return {
+        subject: payload.sub,
+        scopes: parseScopes(payload),
+        ...(typeof aud === 'string' ? { audience: aud } : {}),
+        ...(typeof payload.email === 'string' ? { email: payload.email } : {}),
+        ...(typeof payload.exp === 'number' ? { expiresAt: payload.exp } : {}),
+    };
+}
+function parseScopes(payload) {
+    const raw = payload.scope ?? payload.scopes;
+    if (typeof raw === 'string')
+        return raw.split(' ').filter((s) => s.length > 0);
+    if (Array.isArray(raw))
+        return raw.filter((s) => typeof s === 'string');
+    return [];
+}
+//# sourceMappingURL=verify.js.map

package/node_modules/@noodle-borg/auth/dist/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAuCrD;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAyB;IACzD,MAAM,MAAM,GACV,MAAM,CAAC,WAAW,IAAI,kBAAkB,CAAC,IAAI,GAAG,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC5E,OAAO,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;QAC/B,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE;gBACjD,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,GAAG,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC1D,CAAC,CAAC;YACH,OAAO,UAAU,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,MAAyB;IAC/C,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,IAAI,MAAM,CAAC,OAAO,KAAK,EAAE,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;IAClF,CAAC;IACD,OAAO,MAAM,CAAC,OAAO,CAAC;AACxB,CAAC;AAED,SAAS,UAAU,CAAC,OAAmB;IACrC,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7E,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IACtE,OAAO;QACL,OAAO,EAAE,OAAO,CAAC,GAAG;QACpB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC;QAC5B,GAAG,CAAC,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACrD,GAAG,CAAC,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACtE,GAAG,CAAC,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACvE,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,OAAmB;IACtC,MAAM,GAAG,GACN,OAAmC,CAAC,KAAK,IAAK,OAAmC,CAAC,MAAM,CAAC;IAC5F,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC/E,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;IACrF,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/node_modules/@noodle-borg/auth/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "@noodle-borg/auth",
+  "version": "0.0.0",
+  "private": true,
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  },
+  "dependencies": {
+    "jose": "^6.2.3"
+  },
+  "devDependencies": {
+    "@types/node": "^24.0.0"
+  }
+}

package/node_modules/@noodle-borg/authoring/dist/index.d.ts

@@ -0,0 +1,200 @@
+import type { Manifest, OperationField, OperationSignature } from '@noodle-borg/compiler';
+import { type ConnectorFile, type HttpConnectorDef } from '@noodle-borg/connector-defs';
+import { z } from 'zod';
+export type { ConnectorFile, HttpConnectorDef };
+export { z };
+/**
+ * Options for `ConnectorBuilder.http(...)` — an HTTP connector's transport, auth, and operations. `id`
+ * and `version` come from `connector(id).version(v)`; `kind` defaults to `custom`. The shape is derived
+ * from the canonical `HttpConnectorDef`, so it stays in lockstep with `@noodle-borg/connector-defs`.
+ */
+export type HttpConnectorOptions = HttpConnectorDef['http'] & Pick<HttpConnectorDef, 'operations'>;
+type JsonSchema = Record<string, unknown>;
+export interface ServerOptions {
+    readonly title: string;
+    readonly version: string;
+}
+export interface ToolOptions {
+    readonly description: string;
+    readonly input: JsonSchema | z.ZodType;
+    readonly output?: JsonSchema | z.ZodType;
+    /**
+     * Tool-surface visibility (SEP-1865 `_meta.ui.visibility`). Default `['model', 'app']`. Set `['app']`
+     * for a **UI-only helper** — hidden from `tools/list` (the model never sees it) but still callable from
+     * a widget via `callServerTool`. A model-surface concern, not authorization.
+     */
+    readonly visibility?: ('model' | 'app')[];
+    readonly fulfil: (ctx: ToolContext) => unknown | Promise<unknown>;
+}
+export interface ToolContext {
+    readonly input: SymbolicScope;
+    readonly connectors: Record<string, ConnectorClient>;
+}
+/**
+ * The `fulfil` context for a resource or prompt. `args` is the input scope — a templated resource's
+ * extracted URI variables, or a prompt's supplied arguments — and `connectors` are the `.use()`
+ * connectors. The return value (a string, a symbolic ref, or a structure) becomes the content/messages.
+ */
+export interface ResourceContext {
+    readonly args: SymbolicScope;
+    readonly connectors: Record<string, ConnectorClient>;
+}
+export interface ResourceOptions {
+    /** A fixed URI (`docs://changelog`) or a simple `{var}` URI template (`tickets://{id}`). */
+    readonly uri: string;
+    readonly title?: string;
+    readonly description?: string;
+    readonly mimeType?: string;
+    readonly fulfil: (ctx: ResourceContext) => unknown | Promise<unknown>;
+}
+/** A prompt argument descriptor when not derived from a Zod object. */
+export interface PromptArgument {
+    readonly name: string;
+    readonly description?: string;
+    readonly required?: boolean;
+}
+export interface PromptOptions {
+    readonly title?: string;
+    readonly description?: string;
+    /** Either a Zod object (descriptors derived from its shape) or an explicit descriptor list. */
+    readonly arguments?: z.ZodType | readonly PromptArgument[];
+    readonly fulfil: (ctx: ResourceContext) => unknown | Promise<unknown>;
+}
+/** Host-enforced CSP capability metadata for a widget (mirrors the manifest `widgets[].csp` block). */
+export interface WidgetCsp {
+    readonly connectDomains?: string[];
+    readonly resourceDomains?: string[];
+    readonly frameDomains?: string[];
+    readonly baseUriDomains?: string[];
+}
+/**
+ * An MCP Apps widget: a `ui://` UI resource (the self-contained `html` body) linked to `tool` via
+ * `_meta.ui.resourceUri`. The compiler emits the resource + the tool link ([ADR 0022]). `html` is the
+ * raw-`text/html` escape hatch (a declarative `screen` surface is a later slice); `csp`/`permissions`
+ * are host-enforced capability metadata. Secrets/tokens never reach widget HTML.
+ */
+export interface WidgetOptions {
+    readonly tool: string;
+    readonly html: string;
+    readonly title?: string;
+    readonly description?: string;
+    readonly csp?: WidgetCsp;
+    readonly permissions?: Record<string, boolean>;
+}
+export type SymbolicScope = Ref & Record<string, Ref>;
+export type ConnectorClient = Record<string, (args?: Readonly<Record<string, unknown>>) => Ref>;
+export interface ConnectorOperationOptions {
+    readonly type: OperationSignature['type'];
+    readonly input?: Readonly<Record<string, OperationField>>;
+    readonly output?: Readonly<Record<string, OperationField>>;
+}
+/** Optional resource bounds for a sandboxed compute operation. */
+export interface ComputeLimits {
+    readonly timeoutMs?: number;
+    readonly memoryBytes?: number;
+    readonly maxOutputBytes?: number;
+    readonly maxHostCalls?: number;
+}
+export interface ComputeHost {
+    callOperation(name: string, args: Readonly<Record<string, unknown>>): unknown;
+}
+/**
+ * A sandboxed-compute operation authored in TypeScript. `run` is your actual function — it is serialized
+ * to source (via `Function.prototype.toString`) and shipped as the connector's `code`, then executed in a
+ * WASM/QuickJS sandbox with no ambient authority. It must be **self-contained** (no references to
+ * surrounding scope, imports, `fetch`, `process`, etc.). When it needs backing systems, declare `calls`
+ * and use the sandbox `callOperation` capability rather than ambient network access.
+ */
+export interface ComputeOperationOptions {
+    readonly type?: OperationSignature['type'];
+    readonly input?: Readonly<Record<string, OperationField>>;
+    readonly output?: Readonly<Record<string, OperationField>>;
+    readonly run: (input: any, host: ComputeHost) => unknown;
+    readonly limits?: ComputeLimits;
+    readonly calls?: Readonly<Record<string, string>>;
+}
+/** A connector operation's fulfilment, carried by the builder so it can be emitted to a catalog. */
+export interface ConnectorOpDefinition {
+    readonly kind: 'compute';
+    readonly type: OperationSignature['type'];
+    readonly input: Readonly<Record<string, OperationField>>;
+    readonly output: Readonly<Record<string, OperationField>>;
+    readonly code: string;
+    readonly limits?: ComputeLimits;
+    readonly calls?: Readonly<Record<string, string>>;
+}
+export interface ConnectorRef {
+    readonly id: string;
+    readonly version: string;
+    readonly operations: Readonly<Record<string, OperationSignature>>;
+    /** Per-operation fulfilment (present for operations declared with `.compute()`), used to emit a catalog. */
+    readonly definitions?: Readonly<Record<string, ConnectorOpDefinition>>;
+    /** HTTP fulfilment (present for connectors declared with `.http()`), emitted to the catalog verbatim. */
+    readonly httpDef?: HttpConnectorDef;
+}
+/**
+ * The connector-catalog document the SDK emits — the exact shape `compileConnectors` consumes (YAML or
+ * JSON). It is the canonical `ConnectorFile` from `@noodle-borg/connector-defs`, so an emitted catalog is
+ * validated against the same schema a hand-written `connectors.yaml` is.
+ */
+export type ConnectorCatalogDoc = ConnectorFile;
+export interface ServerDefinition {
+    /** Tool-facing connectors: aliased in the manifest `connectors` block and callable inside `fulfil`. */
+    use(connectors: Readonly<Record<string, ConnectorRef>>): ServerDefinition;
+    /**
+     * Catalog-only connectors reached *only* via a compute connector's `callOperation` (never by a tool).
+     * They are emitted to the catalog but **not** aliased in the manifest, so they don't trip the
+     * compiler's `unused_connector_alias` check. A connector must be in `use` **or** `provides` to be
+     * emitted.
+     */
+    provides(connectors: Readonly<Record<string, ConnectorRef>>): ServerDefinition;
+    tool(name: string, options: ToolOptions): ServerDefinition;
+    /** Attach an MCP resource (fulfilment-backed, like a tool). Its URI may be fixed or a `{var}` template. */
+    resource(name: string, options: ResourceOptions): ServerDefinition;
+    /** Attach an MCP prompt (fulfilment-backed). Its `arguments` feed the fulfilment's input scope. */
+    prompt(name: string, options: PromptOptions): ServerDefinition;
+    /** Attach an MCP Apps widget: a `ui://` UI resource linked to `options.tool` by `_meta.ui.resourceUri`. */
+    widget(name: string, options: WidgetOptions): ServerDefinition;
+    toManifest(): Promise<Manifest>;
+    /**
+     * Emit the connector catalog: every `use`/`provides` connector that has fulfilment — `.http()` and
+     * `.compute()` connectors — validated against `connectorFileSchema`. Returns `undefined` when no
+     * connector has fulfilment (e.g. a pure signature-only server).
+     */
+    toConnectorCatalog(): ConnectorCatalogDoc | undefined;
+}
+export declare function server(name: string, options: ServerOptions): ServerDefinition;
+export declare function connector(id: string): {
+    version(version: string): ConnectorBuilder;
+};
+export declare function when<T>(condition: Cond, record: () => T): T;
+export declare function isServerDefinition(value: unknown): value is ServerDefinition;
+export declare class ConnectorBuilder implements ConnectorRef {
+    readonly id: string;
+    readonly version: string;
+    readonly operations: Readonly<Record<string, OperationSignature>>;
+    readonly definitions: Readonly<Record<string, ConnectorOpDefinition>>;
+    readonly httpDef?: HttpConnectorDef;
+    constructor(id: string, version: string, operations?: Readonly<Record<string, OperationSignature>>, definitions?: Readonly<Record<string, ConnectorOpDefinition>>, httpDef?: HttpConnectorDef);
+    /** Declare an operation by signature only (fulfilment supplied elsewhere, e.g. a catalog by `id@version`). */
+    operation(name: string, options: ConnectorOperationOptions): ConnectorBuilder;
+    /**
+     * Declare this as an **HTTP connector**: transport (`baseUrl`/`allowedOrigins`), `bearer`/`apiKey` auth
+     * naming a secret reference, and `${...}`-mapped operations. The connector carries its own fulfilment
+     * (mirroring how `.compute()` carries its `code`) and is emitted to the catalog when `.use()`/
+     * `.provides()`-d. The typed options are validated against the canonical schema at author time.
+     */
+    http(options: HttpConnectorOptions): ConnectorBuilder;
+    /** Declare a sandboxed-compute operation: `run` is your function, shipped as the connector's `code`. */
+    compute(name: string, options: ComputeOperationOptions): ConnectorBuilder;
+}
+export interface Ref {
+    readonly path: string;
+    equals(value: unknown): Cond;
+    optional(): Ref;
+    toExpression(): string;
+}
+export interface Cond {
+    toExpression(): string;
+}
+//# sourceMappingURL=index.d.ts.map

package/node_modules/@noodle-borg/authoring/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC1F,OAAO,EAEL,KAAK,aAAa,EAElB,KAAK,gBAAgB,EACtB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,CAAC;AAChD,OAAO,EAAE,CAAC,EAAE,CAAC;AAEb;;;;GAIG;AACH,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,gBAAgB,EAAE,YAAY,CAAC,CAAC;AAEnG,KAAK,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAE1C,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,CAAC,CAAC,OAAO,CAAC;IACvC,QAAQ,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,CAAC,CAAC,OAAO,CAAC;IACzC;;;;OAIG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC,OAAO,GAAG,KAAK,CAAC,EAAE,CAAC;IAC1C,QAAQ,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,WAAW,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACnE;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;IAC9B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;CACtD;AAED;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;CACtD;AAED,MAAM,WAAW,eAAe;IAC9B,4FAA4F;IAC5F,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,eAAe,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACvE;AAED,uEAAuE;AACvE,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,+FAA+F;IAC/F,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,OAAO,GAAG,SAAS,cAAc,EAAE,CAAC;IAC3D,QAAQ,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,eAAe,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACvE;AAED,uGAAuG;AACvG,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC;AAED;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,GAAG,CAAC,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChD;AAED,MAAM,MAAM,aAAa,GAAG,GAAG,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;AACtD,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC;AAEhG,MAAM,WAAW,yBAAyB;IACxC,QAAQ,CAAC,IAAI,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC1C,QAAQ,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;IAC1D,QAAQ,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;CAC5D;AAED,kEAAkE;AAClE,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,WAAW;IAC1B,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,OAAO,CAAC;CAC/E;AAED;;;;;;GAMG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,CAAC,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC3C,QAAQ,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;IAC1D,QAAQ,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;IAE3D,QAAQ,CAAC,GAAG,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,WAAW,KAAK,OAAO,CAAC;IACzD,QAAQ,CAAC,MAAM,CAAC,EAAE,aAAa,CAAC;IAChC,QAAQ,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACnD;AAED,oGAAoG;AACpG,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC1C,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;IACzD,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;IAC1D,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,CAAC,EAAE,aAAa,CAAC;IAChC,QAAQ,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACnD;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;IAClE,4GAA4G;IAC5G,QAAQ,CAAC,WAAW,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC,CAAC;IACvE,yGAAyG;IACzG,QAAQ,CAAC,OAAO,CAAC,EAAE,gBAAgB,CAAC;CACrC;AAED;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAAG,aAAa,CAAC;AAEhD,MAAM,WAAW,gBAAgB;IAC/B,uGAAuG;IACvG,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,GAAG,gBAAgB,CAAC;IAC1E;;;;;OAKG;IACH,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,GAAG,gBAAgB,CAAC;IAC/E,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,GAAG,gBAAgB,CAAC;IAC3D,2GAA2G;IAC3G,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,GAAG,gBAAgB,CAAC;IACnE,mGAAmG;IACnG,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,GAAG,gBAAgB,CAAC;IAC/D,2GAA2G;IAC3G,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,GAAG,gBAAgB,CAAC;IAC/D,UAAU,IAAI,OAAO,CAAC,QAAQ,CAAC,CAAC;IAChC;;;;OAIG;IACH,kBAAkB,IAAI,mBAAmB,GAAG,SAAS,CAAC;CACvD;AAqCD,wBAAgB,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,GAAG,gBAAgB,CAE7E;AAED,wBAAgB,SAAS,CAAC,EAAE,EAAE,MAAM,GAAG;IACrC,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,CAAC;CAC5C,CAMA;AA8BD,wBAAgB,IAAI,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAW3D;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,gBAAgB,CAM5E;AAED,qBAAa,gBAAiB,YAAW,YAAY;IAMjD,QAAQ,CAAC,EAAE,EAAE,MAAM;IACnB,QAAQ,CAAC,OAAO,EAAE,MAAM;IAN1B,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;IAClE,QAAQ,CAAC,WAAW,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC,CAAC;IACtE,QAAQ,CAAC,OAAO,CAAC,EAAE,gBAAgB,CAAC;gBAGzB,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,EACxB,UAAU,GAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAM,EAC7D,WAAW,GAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAM,EACjE,OAAO,CAAC,EAAE,gBAAgB;IAQ5B,8GAA8G;IAC9G,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,yBAAyB,GAAG,gBAAgB;IAiB7E;;;;;OAKG;IACH,IAAI,CAAC,OAAO,EAAE,oBAAoB,GAAG,gBAAgB;IA2BrD,wGAAwG;IACxG,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,uBAAuB,GAAG,gBAAgB;CA2B1E;AA4TD,MAAM,WAAW,GAAG;IAClB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,CAAC;IAC7B,QAAQ,IAAI,GAAG,CAAC;IAChB,YAAY,IAAI,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,IAAI;IACnB,YAAY,IAAI,MAAM,CAAC;CACxB"}