oauth.do 0.1.15 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (27) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +245 -9
  3. package/bin/duckdb-auth +71 -0
  4. package/dist/cli.js +129 -329
  5. package/dist/cli.js.map +1 -1
  6. package/dist/hono.d.ts +124 -0
  7. package/dist/hono.js +599 -0
  8. package/dist/hono.js.map +1 -0
  9. package/dist/index.d.ts +5 -89
  10. package/dist/index.js +24 -24
  11. package/dist/index.js.map +1 -1
  12. package/dist/node.d.ts +2 -1
  13. package/dist/node.js +108 -73
  14. package/dist/node.js.map +1 -1
  15. package/dist/react.d.ts +200 -0
  16. package/dist/react.js +67 -0
  17. package/dist/react.js.map +1 -0
  18. package/dist/session-hono.d.ts +143 -0
  19. package/dist/session-hono.js +406 -0
  20. package/dist/session-hono.js.map +1 -0
  21. package/dist/session.d.ts +83 -0
  22. package/dist/session.js +114 -0
  23. package/dist/session.js.map +1 -0
  24. package/dist/types-export.d.ts +90 -0
  25. package/dist/types-export.js +3 -0
  26. package/dist/types-export.js.map +1 -0
  27. package/package.json +83 -9
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/storage.ts","../src/config.ts","../src/auth.ts","../src/device.ts","../src/github-device.ts","../src/index.ts"],"names":["getEnv","data","createSecureStorage"],"mappings":";;;;;;;;;;;AAAA,IAAA,eAAA,GAAA,EAAA;AAAA,QAAA,CAAA,eAAA,EAAA;AAAA,EAAA,qBAAA,EAAA,MAAA,qBAAA;AAAA,EAAA,gBAAA,EAAA,MAAA,gBAAA;AAAA,EAAA,oBAAA,EAAA,MAAA,oBAAA;AAAA,EAAA,wBAAA,EAAA,MAAA,wBAAA;AAAA,EAAA,kBAAA,EAAA,MAAA,kBAAA;AAAA,EAAA,sBAAA,EAAA,MAAA,sBAAA;AAAA,EAAA,mBAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AASA,SAAS,MAAA,GAAkB;AAC1B,EAAA,OAAO,OAAO,YAAY,WAAA,IACzB,OAAA,CAAQ,YAAY,IAAA,IACpB,OAAA,CAAQ,SAAS,IAAA,IAAQ,IAAA;AAC3B;AAKA,SAASA,QAAO,GAAA,EAAiC;AAChD,EAAA,IAAI,OAAO,OAAA,KAAY,WAAA,IAAe,OAAA,CAAQ,GAAA,GAAM,GAAG,CAAA,EAAG,OAAO,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AAChF,EAAA,OAAO,MAAA;AACR;AA4dO,SAAS,oBAAoB,WAAA,EAAoC;AAEvE,EAAA,IAAI,QAAO,EAAG;AACb,IAAA,OAAO,IAAI,uBAAuB,WAAW,CAAA;AAAA,EAC9C;AAGA,EAAA,IAAI,OAAO,iBAAiB,WAAA,EAAa;AACxC,IAAA,OAAO,IAAI,wBAAA,EAAyB;AAAA,EACrC;AAGA,EAAA,OAAO,IAAI,kBAAA,EAAmB;AAC/B;AA9fA,IAGM,kBACA,gBAAA,CAAA,CA2BO,oBAAA,CAAA,CAwHA,sBAAA,CAAA,CAiJA,gBAAA,CAAA,CAgEA,oBAmBA,wBAAA,CAAA,CA6BA;AAxZb,IAAA,YAAA,GAAA,KAAA,CAAA;AAAA,EAAA,gBAAA,GAAA;AAGA,IAAM,gBAAA,GAAmB,UAAA;AACzB,IAAM,gBAAA,GAAmB,cAAA;AA2BlB,IAAM,uBAAN,MAAmD;AAAA,MACjD,MAAA,GAAyC,IAAA;AAAA,MACzC,WAAA,GAAc,KAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAMtB,MAAc,SAAA,GAAqD;AAClE,QAAA,IAAI,KAAK,WAAA,EAAa;AACrB,UAAA,OAAO,IAAA,CAAK,MAAA;AAAA,QACb;AAEA,QAAA,IAAA,CAAK,WAAA,GAAc,IAAA;AAEnB,QAAA,IAAI;AAEH,UAAA,MAAM,QAAA,GAAW,MAAM,OAAO,QAAQ,CAAA;AAEtC,UAAA,MAAM,YAAA,GAAgB,SAAiB,OAAA,IAAW,QAAA;AAClD,UAAA,IAAA,CAAK,MAAA,GAAS,YAAA;AAGd,UAAA,IAAI,OAAO,IAAA,CAAK,MAAA,CAAO,WAAA,KAAgB,UAAA,EAAY;AAClD,YAAA,IAAIA,OAAAA,CAAO,OAAO,CAAA,EAAG;AACpB,cAAA,OAAA,CAAQ,KAAK,yDAAA,EAA2D,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,MAAM,CAAC,CAAA;AAAA,YACjG;AACA,YAAA,IAAA,CAAK,MAAA,GAAS,IAAA;AACd,YAAA,OAAO,IAAA;AAAA,UACR;AAEA,UAAA,OAAO,IAAA,CAAK,MAAA;AAAA,QACb,SAAS,KAAA,EAAO;AAGf,UAAA,IAAIA,OAAAA,CAAO,OAAO,CAAA,EAAG;AACpB,YAAA,OAAA,CAAQ,IAAA,CAAK,mCAAmC,KAAK,CAAA;AAAA,UACtD;AACA,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,QAAA,GAAmC;AACxC,QAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,EAAU;AACpC,QAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,UAAA,OAAO,IAAA;AAAA,QACR;AAEA,QAAA,IAAI;AACH,UAAA,MAAM,KAAA,GAAQ,MAAM,MAAA,CAAO,WAAA,CAAY,kBAAkB,gBAAgB,CAAA;AACzE,UAAA,OAAO,KAAA;AAAA,QACR,SAAS,KAAA,EAAO;AACf,UAAA,IAAIA,OAAAA,CAAO,OAAO,CAAA,EAAG;AACpB,YAAA,OAAA,CAAQ,IAAA,CAAK,sCAAsC,KAAK,CAAA;AAAA,UACzD;AACA,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,SAAS,KAAA,EAA8B;AAC5C,QAAA,IAAI;AACH,UAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,EAAU;AACpC,UAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,YAAA,MAAM,IAAI,MAAM,gCAAgC,CAAA;AAAA,UACjD;AAEA,UAAA,MAAM,MAAA,CAAO,WAAA,CAAY,gBAAA,EAAkB,gBAAA,EAAkB,KAAK,CAAA;AAAA,QACnE,SAAS,KAAA,EAAY;AAEpB,UAAA,IAAI,OAAO,IAAA,KAAS,kBAAA,IAAsB,OAAO,OAAA,EAAS,QAAA,CAAS,oBAAoB,CAAA,EAAG;AACzF,YAAA,MAAM,IAAI,MAAM,yDAAyD,CAAA;AAAA,UAC1E;AACA,UAAA,MAAM,IAAI,KAAA,CAAM,CAAA,kCAAA,EAAqC,KAAK,CAAA,CAAE,CAAA;AAAA,QAC7D;AAAA,MACD;AAAA,MAEA,MAAM,WAAA,GAA6B;AAClC,QAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,EAAU;AACpC,QAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,UAAA;AAAA,QACD;AAEA,QAAA,IAAI;AACH,UAAA,MAAM,MAAA,CAAO,cAAA,CAAe,gBAAA,EAAkB,gBAAgB,CAAA;AAAA,QAC/D,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACD;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,WAAA,GAAgC;AACrC,QAAA,IAAI;AACH,UAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,EAAU;AACpC,UAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,YAAA,OAAO,KAAA;AAAA,UACR;AAIA,UAAA,MAAM,MAAA,CAAO,WAAA,CAAY,gBAAA,EAAkB,UAAU,CAAA;AACrD,UAAA,OAAO,IAAA;AAAA,QACR,SAAS,KAAA,EAAO;AACf,UAAA,IAAIA,OAAAA,CAAO,OAAO,CAAA,EAAG;AACpB,YAAA,OAAA,CAAQ,IAAA,CAAK,2BAA2B,KAAK,CAAA;AAAA,UAC9C;AACA,UAAA,OAAO,KAAA;AAAA,QACR;AAAA,MACD;AAAA,KACD;AAUO,IAAM,yBAAN,MAAqD;AAAA,MACnD,SAAA,GAA2B,IAAA;AAAA,MAC3B,SAAA,GAA2B,IAAA;AAAA,MAC3B,WAAA,GAAc,KAAA;AAAA,MACd,UAAA;AAAA,MAER,YAAY,UAAA,EAAqB;AAChC,QAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,MACnB;AAAA,MAEA,MAAc,IAAA,GAAyB;AACtC,QAAA,IAAI,IAAA,CAAK,WAAA,EAAa,OAAO,IAAA,CAAK,SAAA,KAAc,IAAA;AAChD,QAAA,IAAA,CAAK,WAAA,GAAc,IAAA;AAEnB,QAAA,IAAI,CAAC,MAAA,EAAO,EAAG,OAAO,KAAA;AAEtB,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,IAAI,CAAA;AAC5B,UAAA,MAAM,IAAA,GAAO,MAAM,OAAO,MAAM,CAAA;AAGhC,UAAA,IAAI,KAAK,UAAA,EAAY;AAEpB,YAAA,MAAM,eAAe,IAAA,CAAK,UAAA,CAAW,UAAA,CAAW,IAAI,IACjD,IAAA,CAAK,IAAA,CAAK,EAAA,CAAG,OAAA,IAAW,IAAA,CAAK,UAAA,CAAW,MAAM,CAAC,CAAC,IAChD,IAAA,CAAK,UAAA;AAER,YAAA,IAAA,CAAK,SAAA,GAAY,YAAA;AACjB,YAAA,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,OAAA,CAAQ,YAAY,CAAA;AAAA,UAC3C,CAAA,MAAO;AAEN,YAAA,IAAA,CAAK,YAAY,IAAA,CAAK,IAAA,CAAK,EAAA,CAAG,OAAA,IAAW,WAAW,CAAA;AACpD,YAAA,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,IAAA,CAAK,IAAA,CAAK,WAAW,OAAO,CAAA;AAAA,UACnD;AACA,UAAA,OAAO,IAAA;AAAA,QACR,CAAA,CAAA,MAAQ;AACP,UAAA,OAAO,KAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,QAAA,GAAmC;AAExC,QAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,YAAA,EAAa;AACrC,QAAA,IAAI,IAAA,EAAM;AACT,UAAA,OAAO,IAAA,CAAK,WAAA;AAAA,QACb;AAGA,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,IAAA,MAAW,CAAC,IAAA,CAAK,WAAW,OAAO,IAAA;AAEpD,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,KAAA,GAAQ,MAAM,EAAA,CAAG,IAAA,CAAK,KAAK,SAAS,CAAA;AAC1C,UAAA,MAAM,IAAA,GAAO,MAAM,IAAA,GAAO,GAAA;AAE1B,UAAA,IAAI,IAAA,KAAS,GAAA,IAASA,OAAAA,CAAO,OAAO,CAAA,EAAG;AACtC,YAAA,OAAA,CAAQ,IAAA;AAAA,cACP,iDAAiD,IAAA,CAAK,QAAA,CAAS,CAAC,CAAC,CAAA,gCAAA,EAChC,KAAK,SAAS,CAAA;AAAA,aAChD;AAAA,UACD;AAEA,UAAA,MAAM,UAAU,MAAM,EAAA,CAAG,QAAA,CAAS,IAAA,CAAK,WAAW,OAAO,CAAA;AACzD,UAAA,MAAM,OAAA,GAAU,QAAQ,IAAA,EAAK;AAG7B,UAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAG;AAC5B,YAAA,MAAMC,KAAAA,GAAO,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AAC/B,YAAA,OAAOA,KAAAA,CAAK,WAAA;AAAA,UACb;AAEA,UAAA,OAAO,OAAA;AAAA,QACR,CAAA,CAAA,MAAQ;AACP,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,SAAS,KAAA,EAA8B;AAE5C,QAAA,MAAM,KAAK,YAAA,CAAa,EAAE,aAAa,KAAA,CAAM,IAAA,IAAQ,CAAA;AAAA,MACtD;AAAA,MAEA,MAAM,YAAA,GAAgD;AACrD,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,IAAA,MAAW,CAAC,IAAA,CAAK,WAAW,OAAO,IAAA;AAEpD,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,UAAU,MAAM,EAAA,CAAG,QAAA,CAAS,IAAA,CAAK,WAAW,OAAO,CAAA;AACzD,UAAA,MAAM,OAAA,GAAU,QAAQ,IAAA,EAAK;AAG7B,UAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAG;AAC5B,YAAA,OAAO,IAAA,CAAK,MAAM,OAAO,CAAA;AAAA,UAC1B;AAGA,UAAA,OAAO,EAAE,aAAa,OAAA,EAAQ;AAAA,QAC/B,CAAA,CAAA,MAAQ;AACP,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,aAAa,IAAA,EAAsC;AACxD,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,IAAA,EAAK,IAAM,CAAC,IAAA,CAAK,SAAA,IAAa,CAAC,IAAA,CAAK,SAAA,EAAW;AAC/D,UAAA,MAAM,IAAI,MAAM,4BAA4B,CAAA;AAAA,QAC7C;AAEA,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,EAAA,CAAG,MAAM,IAAA,CAAK,SAAA,EAAW,EAAE,SAAA,EAAW,IAAA,EAAM,IAAA,EAAM,GAAA,EAAO,CAAA;AAC/D,UAAA,MAAM,EAAA,CAAG,SAAA,CAAU,IAAA,CAAK,SAAA,EAAW,IAAA,CAAK,SAAA,CAAU,IAAI,CAAA,EAAG,EAAE,QAAA,EAAU,OAAA,EAAS,IAAA,EAAM,KAAO,CAAA;AAC3F,UAAA,MAAM,EAAA,CAAG,KAAA,CAAM,IAAA,CAAK,SAAA,EAAW,GAAK,CAAA;AAAA,QACrC,SAAS,KAAA,EAAO;AACf,UAAA,OAAA,CAAQ,KAAA,CAAM,8BAA8B,KAAK,CAAA;AACjD,UAAA,MAAM,KAAA;AAAA,QACP;AAAA,MACD;AAAA,MAEA,MAAM,WAAA,GAA6B;AAClC,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,MAAK,IAAM,CAAC,KAAK,SAAA,EAAW;AAE7C,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,EAAA,CAAG,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA;AAAA,QAC/B,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACD;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,cAAA,GAAkF;AACvF,QAAA,MAAM,KAAK,IAAA,EAAK;AAChB,QAAA,OAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,QAAQ,IAAA,EAAM,IAAA,EAAM,KAAK,SAAA,EAAU;AAAA,MAC3D;AAAA,KACD;AASO,IAAM,mBAAN,MAA+C;AAAA,MAC7C,SAAA,GAA2B,IAAA;AAAA,MAC3B,SAAA,GAA2B,IAAA;AAAA,MAC3B,WAAA,GAAc,KAAA;AAAA,MAEtB,MAAc,IAAA,GAAyB;AACtC,QAAA,IAAI,IAAA,CAAK,WAAA,EAAa,OAAO,IAAA,CAAK,SAAA,KAAc,IAAA;AAChD,QAAA,IAAA,CAAK,WAAA,GAAc,IAAA;AAEnB,QAAA,IAAI,CAAC,MAAA,EAAO,EAAG,OAAO,KAAA;AAEtB,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,IAAI,CAAA;AAC5B,UAAA,MAAM,IAAA,GAAO,MAAM,OAAO,MAAM,CAAA;AAChC,UAAA,IAAA,CAAK,YAAY,IAAA,CAAK,IAAA,CAAK,EAAA,CAAG,OAAA,IAAW,WAAW,CAAA;AACpD,UAAA,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,IAAA,CAAK,IAAA,CAAK,WAAW,OAAO,CAAA;AAClD,UAAA,OAAO,IAAA;AAAA,QACR,CAAA,CAAA,MAAQ;AACP,UAAA,OAAO,KAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,QAAA,GAAmC;AACxC,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,IAAA,MAAW,CAAC,IAAA,CAAK,WAAW,OAAO,IAAA;AAEpD,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,QAAQ,MAAM,EAAA,CAAG,QAAA,CAAS,IAAA,CAAK,WAAW,OAAO,CAAA;AACvD,UAAA,OAAO,MAAM,IAAA,EAAK;AAAA,QACnB,CAAA,CAAA,MAAQ;AACP,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,SAAS,KAAA,EAA8B;AAC5C,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,IAAA,EAAK,IAAM,CAAC,IAAA,CAAK,SAAA,IAAa,CAAC,IAAA,CAAK,SAAA,EAAW;AAC/D,UAAA,MAAM,IAAI,MAAM,4BAA4B,CAAA;AAAA,QAC7C;AAEA,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,GAAG,KAAA,CAAM,IAAA,CAAK,WAAW,EAAE,SAAA,EAAW,MAAM,CAAA;AAClD,UAAA,MAAM,EAAA,CAAG,SAAA,CAAU,IAAA,CAAK,SAAA,EAAW,OAAO,OAAO,CAAA;AAAA,QAClD,SAAS,KAAA,EAAO;AACf,UAAA,OAAA,CAAQ,KAAA,CAAM,yBAAyB,KAAK,CAAA;AAC5C,UAAA,MAAM,KAAA;AAAA,QACP;AAAA,MACD;AAAA,MAEA,MAAM,WAAA,GAA6B;AAClC,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,MAAK,IAAM,CAAC,KAAK,SAAA,EAAW;AAE7C,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,EAAA,CAAG,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA;AAAA,QAC/B,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACD;AAAA,KACD;AAKO,IAAM,qBAAN,MAAiD;AAAA,MAC/C,KAAA,GAAuB,IAAA;AAAA,MAE/B,MAAM,QAAA,GAAmC;AACxC,QAAA,OAAO,IAAA,CAAK,KAAA;AAAA,MACb;AAAA,MAEA,MAAM,SAAS,KAAA,EAA8B;AAC5C,QAAA,IAAA,CAAK,KAAA,GAAQ,KAAA;AAAA,MACd;AAAA,MAEA,MAAM,WAAA,GAA6B;AAClC,QAAA,IAAA,CAAK,KAAA,GAAQ,IAAA;AAAA,MACd;AAAA,KACD;AAKO,IAAM,2BAAN,MAAuD;AAAA,MACrD,GAAA,GAAM,gBAAA;AAAA,MAEd,MAAM,QAAA,GAAmC;AACxC,QAAA,IAAI,OAAO,iBAAiB,WAAA,EAAa;AACxC,UAAA,OAAO,IAAA;AAAA,QACR;AACA,QAAA,OAAO,YAAA,CAAa,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAA;AAAA,MACrC;AAAA,MAEA,MAAM,SAAS,KAAA,EAA8B;AAC5C,QAAA,IAAI,OAAO,iBAAiB,WAAA,EAAa;AACxC,UAAA,MAAM,IAAI,MAAM,+BAA+B,CAAA;AAAA,QAChD;AACA,QAAA,YAAA,CAAa,OAAA,CAAQ,IAAA,CAAK,GAAA,EAAK,KAAK,CAAA;AAAA,MACrC;AAAA,MAEA,MAAM,WAAA,GAA6B;AAClC,QAAA,IAAI,OAAO,iBAAiB,WAAA,EAAa;AACxC,UAAA;AAAA,QACD;AACA,QAAA,YAAA,CAAa,UAAA,CAAW,KAAK,GAAG,CAAA;AAAA,MACjC;AAAA,KACD;AAMO,IAAM,wBAAN,MAAoD;AAAA,MAClD,eAAA;AAAA,MACA,WAAA;AAAA,MACA,gBAAA,GAAwC,IAAA;AAAA,MAEhD,WAAA,GAAc;AACb,QAAA,IAAA,CAAK,eAAA,GAAkB,IAAI,oBAAA,EAAqB;AAChD,QAAA,IAAA,CAAK,WAAA,GAAc,IAAI,sBAAA,EAAuB;AAAA,MAC/C;AAAA;AAAA;AAAA;AAAA,MAKA,MAAc,mBAAA,GAA6C;AAC1D,QAAA,IAAI,KAAK,gBAAA,EAAkB;AAC1B,UAAA,OAAO,IAAA,CAAK,gBAAA;AAAA,QACb;AAGA,QAAA,IAAI,MAAM,IAAA,CAAK,eAAA,CAAgB,WAAA,EAAY,EAAG;AAC7C,UAAA,IAAA,CAAK,mBAAmB,IAAA,CAAK,eAAA;AAC7B,UAAA,OAAO,IAAA,CAAK,gBAAA;AAAA,QACb;AAGA,QAAA,IAAA,CAAK,mBAAmB,IAAA,CAAK,WAAA;AAC7B,QAAA,OAAO,IAAA,CAAK,gBAAA;AAAA,MACb;AAAA,MAEA,MAAM,QAAA,GAAmC;AAExC,QAAA,MAAM,aAAA,GAAgB,MAAM,IAAA,CAAK,eAAA,CAAgB,QAAA,EAAS;AAC1D,QAAA,IAAI,aAAA,EAAe;AAClB,UAAA,OAAO,aAAA;AAAA,QACR;AAGA,QAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,WAAA,CAAY,QAAA,EAAS;AAClD,QAAA,IAAI,SAAA,EAAW;AAEd,UAAA,IAAI,MAAM,IAAA,CAAK,eAAA,CAAgB,WAAA,EAAY,EAAG;AAC7C,YAAA,IAAI;AACH,cAAA,MAAM,IAAA,CAAK,eAAA,CAAgB,QAAA,CAAS,SAAS,CAAA;AAC7C,cAAA,MAAM,IAAA,CAAK,YAAY,WAAA,EAAY;AACnC,cAAA,IAAID,OAAAA,CAAO,OAAO,CAAA,EAAG;AACpB,gBAAA,OAAA,CAAQ,IAAI,sCAAsC,CAAA;AAAA,cACnD;AAAA,YACD,CAAA,CAAA,MAAQ;AAAA,YAER;AAAA,UACD;AACA,UAAA,OAAO,SAAA;AAAA,QACR;AAEA,QAAA,OAAO,IAAA;AAAA,MACR;AAAA,MAEA,MAAM,SAAS,KAAA,EAA8B;AAC5C,QAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,mBAAA,EAAoB;AAC/C,QAAA,MAAM,OAAA,CAAQ,SAAS,KAAK,CAAA;AAAA,MAC7B;AAAA,MAEA,MAAM,WAAA,GAA6B;AAElC,QAAA,MAAM,OAAA,CAAQ,GAAA,CAAI,CAAC,IAAA,CAAK,eAAA,CAAgB,WAAA,EAAY,EAAG,IAAA,CAAK,WAAA,CAAY,WAAA,EAAa,CAAC,CAAA;AAAA,MACvF;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,cAAA,GAA0E;AAC/E,QAAA,IAAI,MAAM,IAAA,CAAK,eAAA,CAAgB,WAAA,EAAY,EAAG;AAC7C,UAAA,OAAO,EAAE,IAAA,EAAM,UAAA,EAAY,MAAA,EAAQ,IAAA,EAAK;AAAA,QACzC;AACA,QAAA,OAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAA,EAAQ,IAAA,EAAK;AAAA,MACrC;AAAA,KACD;AAAA,EAAA;AAAA,CAAA,CAAA;;;AC/dA,SAAS,OAAO,GAAA,EAAiC;AAEhD,EAAA,IAAK,UAAA,CAAmB,GAAG,CAAA,EAAG,OAAQ,WAAmB,GAAG,CAAA;AAE5D,EAAA,IAAI,OAAO,OAAA,KAAY,WAAA,IAAe,OAAA,CAAQ,GAAA,GAAM,GAAG,CAAA,EAAG,OAAO,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AAChF,EAAA,OAAO,MAAA;AACR;AAMA,IAAI,YAAA,GAA8F;AAAA,EACjG,QAAQ,MAAA,CAAO,eAAe,CAAA,IAAK,MAAA,CAAO,SAAS,CAAA,IAAK,iBAAA;AAAA,EACxD,QAAA,EAAU,MAAA,CAAO,iBAAiB,CAAA,IAAK,mCAAA;AAAA,EACvC,aAAA,EAAe,MAAA,CAAO,sBAAsB,CAAA,IAAK,gBAAA;AAAA,EACjD,OAAO,UAAA,CAAW,KAAA;AAAA,EAClB,WAAA,EAAa,OAAO,oBAAoB;AACzC,CAAA;AAKO,SAAS,UAAU,MAAA,EAA2B;AACpD,EAAA,YAAA,GAAe;AAAA,IACd,GAAG,YAAA;AAAA,IACH,GAAG;AAAA,GACJ;AACD;AAKO,SAAS,SAAA,GAA2F;AAC1G,EAAA,OAAO,YAAA;AACR;;;AChCA,eAAe,cAAc,KAAA,EAAwC;AACpE,EAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AACnB,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AACtC,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,OAAQ,KAAA,CAAc,QAAQ,UAAA,EAAY;AAC1E,IAAA,OAAO,MAAO,MAAc,GAAA,EAAI;AAAA,EACjC;AACA,EAAA,OAAO,IAAA;AACR;AAKA,SAASA,QAAO,GAAA,EAAiC;AAEhD,EAAA,IAAK,UAAA,CAAmB,GAAG,CAAA,EAAG,OAAQ,WAAmB,GAAG,CAAA;AAE5D,EAAA,IAAI,OAAO,OAAA,KAAY,WAAA,IAAe,OAAA,CAAQ,GAAA,GAAM,GAAG,CAAA,EAAG,OAAO,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AAChF,EAAA,OAAO,MAAA;AACR;AASA,eAAsB,QAAQ,KAAA,EAAqC;AAClE,EAAA,MAAM,SAAS,SAAA,EAAU;AACzB,EAAA,MAAM,SAAA,GAAY,KAAA,IAASA,OAAAA,CAAO,UAAU,CAAA,IAAK,EAAA;AAEjD,EAAA,IAAI,CAAC,SAAA,EAAW;AACf,IAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AAAA,EACrB;AAEA,EAAA,IAAI;AACH,IAAA,MAAM,WAAW,MAAM,MAAA,CAAO,MAAM,CAAA,EAAG,MAAA,CAAO,MAAM,CAAA,GAAA,CAAA,EAAO;AAAA,MAC1D,MAAA,EAAQ,KAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACR,eAAA,EAAiB,UAAU,SAAS,CAAA,CAAA;AAAA,QACpC,cAAA,EAAgB;AAAA;AACjB,KACA,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,MAAA,IAAI,QAAA,CAAS,WAAW,GAAA,EAAK;AAC5B,QAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AAAA,MACrB;AACA,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,QAAA,CAAS,UAAU,CAAA,CAAE,CAAA;AAAA,IAChE;AAEA,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,SAAA,EAAU;AAAA,EACjC,SAAS,KAAA,EAAO;AACf,IAAA,OAAA,CAAQ,KAAA,CAAM,eAAe,KAAK,CAAA;AAClC,IAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AAAA,EACrB;AACD;AASA,eAAsB,MAAM,WAAA,EAIJ;AACvB,EAAA,MAAM,SAAS,SAAA,EAAU;AAEzB,EAAA,IAAI;AACH,IAAA,MAAM,WAAW,MAAM,MAAA,CAAO,MAAM,CAAA,EAAG,MAAA,CAAO,MAAM,CAAA,MAAA,CAAA,EAAU;AAAA,MAC7D,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACR,cAAA,EAAgB;AAAA,OACjB;AAAA,MACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,WAAW;AAAA,KAChC,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,cAAA,EAAiB,QAAA,CAAS,UAAU,CAAA,CAAE,CAAA;AAAA,IACvD;AAEA,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,IAAA,OAAO,EAAE,IAAA,EAAM,IAAA,CAAK,IAAA,EAAM,KAAA,EAAO,KAAK,KAAA,EAAM;AAAA,EAC7C,SAAS,KAAA,EAAO;AACf,IAAA,OAAA,CAAQ,KAAA,CAAM,gBAAgB,KAAK,CAAA;AACnC,IAAA,MAAM,KAAA;AAAA,EACP;AACD;AAQA,eAAsB,OAAO,KAAA,EAA+B;AAC3D,EAAA,MAAM,SAAS,SAAA,EAAU;AACzB,EAAA,MAAM,SAAA,GAAY,KAAA,IAASA,OAAAA,CAAO,UAAU,CAAA,IAAK,EAAA;AAEjD,EAAA,IAAI,CAAC,SAAA,EAAW;AACf,IAAA;AAAA,EACD;AAEA,EAAA,IAAI;AACH,IAAA,MAAM,WAAW,MAAM,MAAA,CAAO,MAAM,CAAA,EAAG,MAAA,CAAO,MAAM,CAAA,OAAA,CAAA,EAAW;AAAA,MAC9D,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACR,eAAA,EAAiB,UAAU,SAAS,CAAA,CAAA;AAAA,QACpC,cAAA,EAAgB;AAAA;AACjB,KACA,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,MAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,gBAAA,EAAmB,QAAA,CAAS,UAAU,CAAA,CAAE,CAAA;AAAA,IACtD;AAAA,EACD,SAAS,KAAA,EAAO;AACf,IAAA,OAAA,CAAQ,KAAA,CAAM,iBAAiB,KAAK,CAAA;AAAA,EACrC;AACD;AAGA,IAAM,iBAAA,GAAoB,IAAI,EAAA,GAAK,GAAA;AAKnC,SAAS,eAAe,SAAA,EAA6B;AACpD,EAAA,IAAI,CAAC,WAAW,OAAO,KAAA;AACvB,EAAA,OAAO,IAAA,CAAK,GAAA,EAAI,IAAK,SAAA,GAAY,iBAAA;AAClC;AAaA,eAAsB,QAAA,GAAmC;AAExD,EAAA,MAAM,UAAA,GAAaA,QAAO,gBAAgB,CAAA;AAC1C,EAAA,IAAI,YAAY,OAAO,UAAA;AACvB,EAAA,MAAM,OAAA,GAAUA,QAAO,UAAU,CAAA;AACjC,EAAA,IAAI,SAAS,OAAO,OAAA;AAIpB,EAAA,IAAI;AAEH,IAAA,MAAM,EAAE,GAAA,EAAI,GAAI,MAAM,OAAO,oBAAoB,CAAA;AAEjD,IAAA,MAAM,YAAA,GAAe,MAAM,aAAA,CAAe,GAAA,CAAY,cAAc,CAAA;AACpE,IAAA,IAAI,cAAc,OAAO,YAAA;AAEzB,IAAA,MAAM,OAAA,GAAU,MAAM,aAAA,CAAe,GAAA,CAAY,QAAQ,CAAA;AACzD,IAAA,IAAI,SAAS,OAAO,OAAA;AAAA,EACrB,CAAA,CAAA,MAAQ;AAAA,EAER;AAGA,EAAA,IAAI;AACH,IAAA,MAAM,EAAE,mBAAA,EAAAE,oBAAAA,EAAoB,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,YAAA,EAAA,EAAA,eAAA,CAAA,CAAA;AACtC,IAAA,MAAM,SAAS,SAAA,EAAU;AACzB,IAAA,MAAM,OAAA,GAAUA,oBAAAA,CAAoB,MAAA,CAAO,WAAW,CAAA;AAGtD,IAAA,MAAM,YAAY,OAAA,CAAQ,YAAA,GAAe,MAAM,OAAA,CAAQ,cAAa,GAAI,IAAA;AAExE,IAAA,IAAI,SAAA,EAAW;AAEd,MAAA,IAAI,CAAC,cAAA,CAAe,SAAA,CAAU,SAAS,CAAA,EAAG;AACzC,QAAA,OAAO,SAAA,CAAU,WAAA;AAAA,MAClB;AAGA,MAAA,IAAI,UAAU,YAAA,EAAc;AAC3B,QAAA,IAAI;AACH,UAAA,MAAM,SAAA,GAAY,MAAM,kBAAA,CAAmB,SAAA,CAAU,YAAY,CAAA;AAGjE,UAAA,MAAM,SAAA,GAAY,UAAU,UAAA,GACzB,IAAA,CAAK,KAAI,GAAI,SAAA,CAAU,aAAa,GAAA,GACpC,KAAA,CAAA;AAGH,UAAA,MAAM,OAAA,GAA2B;AAAA,YAChC,aAAa,SAAA,CAAU,YAAA;AAAA,YACvB,YAAA,EAAc,SAAA,CAAU,aAAA,IAAiB,SAAA,CAAU,YAAA;AAAA,YACnD;AAAA,WACD;AAEA,UAAA,IAAI,QAAQ,YAAA,EAAc;AACzB,YAAA,MAAM,OAAA,CAAQ,aAAa,OAAO,CAAA;AAAA,UACnC,CAAA,MAAO;AACN,YAAA,MAAM,OAAA,CAAQ,QAAA,CAAS,SAAA,CAAU,YAAY,CAAA;AAAA,UAC9C;AAEA,UAAA,OAAO,SAAA,CAAU,YAAA;AAAA,QAClB,CAAA,CAAA,MAAQ;AAEP,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAGA,MAAA,OAAO,IAAA;AAAA,IACR;AAGA,IAAA,OAAO,MAAM,QAAQ,QAAA,EAAS;AAAA,EAC/B,CAAA,CAAA,MAAQ;AAEP,IAAA,OAAO,IAAA;AAAA,EACR;AACD;AAKA,eAAsB,gBAAgB,KAAA,EAAkC;AACvE,EAAA,MAAM,MAAA,GAAS,MAAM,OAAA,CAAQ,KAAK,CAAA;AAClC,EAAA,OAAO,OAAO,IAAA,KAAS,IAAA;AACxB;AAgBO,SAAS,IAAA,GAAqB;AACpC,EAAA,OAAO,QAAA;AACR;AAQA,eAAsB,mBAAmB,YAAA,EAA8C;AACtF,EAAA,MAAM,SAAS,SAAA,EAAU;AAEzB,EAAA,IAAI,CAAC,OAAO,QAAA,EAAU;AACrB,IAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,EAC1D;AAEA,EAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,KAAA,CAAM,mDAAA,EAAqD;AAAA,IACxF,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS;AAAA,MACR,cAAA,EAAgB;AAAA,KACjB;AAAA,IACA,IAAA,EAAM,IAAI,eAAA,CAAgB;AAAA,MACzB,UAAA,EAAY,eAAA;AAAA,MACZ,aAAA,EAAe,YAAA;AAAA,MACf,WAAW,MAAA,CAAO;AAAA,KAClB,EAAE,QAAA;AAAS,GACZ,CAAA;AAED,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,IAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,sBAAA,EAAyB,SAAS,MAAM,CAAA,GAAA,EAAM,SAAS,CAAA,CAAE,CAAA;AAAA,EAC1E;AAEA,EAAA,OAAQ,MAAM,SAAS,IAAA,EAAK;AAC7B;AAiDO,SAAS,aAAa,OAAA,EAOlB;AACV,EAAA,MAAM,SAAS,SAAA,EAAU;AACzB,EAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,QAAA,IAAY,MAAA,CAAO,QAAA;AAC5C,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,UAAA,IAAc,MAAA,CAAO,aAAA;AAEhD,EAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,IAClC,SAAA,EAAW,QAAA;AAAA,IACX,cAAc,OAAA,CAAQ,WAAA;AAAA,IACtB,aAAA,EAAe,QAAQ,YAAA,IAAgB,MAAA;AAAA,IACvC,KAAA,EAAO,QAAQ,KAAA,IAAS;AAAA,GACxB,CAAA;AAED,EAAA,IAAI,QAAQ,KAAA,EAAO;AAClB,IAAA,MAAA,CAAO,GAAA,CAAI,OAAA,EAAS,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClC;AAEA,EAAA,OAAO,CAAA,QAAA,EAAW,UAAU,CAAA,WAAA,EAAc,MAAA,CAAO,UAAU,CAAA,CAAA;AAC5D;;;ACvVA,eAAsB,eAAA,CAAgB,OAAA,GAA6B,EAAC,EAAyC;AAC5G,EAAA,MAAM,SAAS,SAAA,EAAU;AAEzB,EAAA,IAAI,CAAC,OAAO,QAAA,EAAU;AACrB,IAAA,MAAM,IAAI,MAAM,uGAAuG,CAAA;AAAA,EACxH;AAEA,EAAA,IAAI;AACH,IAAA,MAAM,GAAA,GAAM,uDAAA;AACZ,IAAA,MAAM,IAAA,GAAO,IAAI,eAAA,CAAgB;AAAA,MAChC,WAAW,MAAA,CAAO,QAAA;AAAA,MAClB,KAAA,EAAO;AAAA,KACP,CAAA;AAGD,IAAA,IAAI,QAAQ,QAAA,EAAU;AACrB,MAAA,IAAA,CAAK,GAAA,CAAI,UAAA,EAAY,OAAA,CAAQ,QAAQ,CAAA;AAAA,IACtC;AAEA,IAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,KAAA,CAAM,GAAA,EAAK;AAAA,MACxC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACR,cAAA,EAAgB;AAAA,OACjB;AAAA,MACA,IAAA,EAAM,KAAK,QAAA;AAAS,KACpB,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,MAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,SAAS,UAAU,CAAA,GAAA,EAAM,SAAS,CAAA,CAAE,CAAA;AAAA,IACrF;AAEA,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,IAAA,OAAO,IAAA;AAAA,EACR,SAAS,KAAA,EAAO;AACf,IAAA,OAAA,CAAQ,KAAA,CAAM,+BAA+B,KAAK,CAAA;AAClD,IAAA,MAAM,KAAA;AAAA,EACP;AACD;AAUA,eAAsB,aAAA,CACrB,UAAA,EACA,QAAA,GAAmB,CAAA,EACnB,YAAoB,GAAA,EACK;AACzB,EAAA,MAAM,SAAS,SAAA,EAAU;AAEzB,EAAA,IAAI,CAAC,OAAO,QAAA,EAAU;AACrB,IAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,EAC1D;AAEA,EAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAC3B,EAAA,MAAM,UAAU,SAAA,GAAY,GAAA;AAC5B,EAAA,IAAI,kBAAkB,QAAA,GAAW,GAAA;AAEjC,EAAA,OAAO,IAAA,EAAM;AAEZ,IAAA,IAAI,IAAA,CAAK,GAAA,EAAI,GAAI,SAAA,GAAY,OAAA,EAAS;AACrC,MAAA,MAAM,IAAI,MAAM,iDAAiD,CAAA;AAAA,IAClE;AAGA,IAAA,MAAM,IAAI,OAAA,CAAQ,CAAC,YAAY,UAAA,CAAW,OAAA,EAAS,eAAe,CAAC,CAAA;AAEnE,IAAA,IAAI;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,KAAA,CAAM,mDAAA,EAAqD;AAAA,QACxF,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACR,cAAA,EAAgB;AAAA,SACjB;AAAA,QACA,IAAA,EAAM,IAAI,eAAA,CAAgB;AAAA,UACzB,UAAA,EAAY,8CAAA;AAAA,UACZ,WAAA,EAAa,UAAA;AAAA,UACb,WAAW,MAAA,CAAO;AAAA,SAClB,EAAE,QAAA;AAAS,OACZ,CAAA;AAED,MAAA,IAAI,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,QAAA,OAAO,IAAA;AAAA,MACR;AAGA,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,EAAK,CAAE,MAAM,OAAO,EAAE,KAAA,EAAO,SAAA,EAAU,CAAE,CAAA;AAC3E,MAAA,MAAM,KAAA,GAAS,UAAU,KAAA,IAAS,SAAA;AAElC,MAAA,QAAQ,KAAA;AAAO,QACd,KAAK,uBAAA;AAEJ,UAAA;AAAA,QAED,KAAK,WAAA;AAEJ,UAAA,eAAA,IAAmB,GAAA;AACnB,UAAA;AAAA,QAED,KAAK,eAAA;AACJ,UAAA,MAAM,IAAI,MAAM,uBAAuB,CAAA;AAAA,QAExC,KAAK,eAAA;AACJ,UAAA,MAAM,IAAI,MAAM,qBAAqB,CAAA;AAAA,QAEtC;AACC,UAAA,MAAM,IAAI,KAAA,CAAM,CAAA,sBAAA,EAAyB,KAAK,CAAA,CAAE,CAAA;AAAA;AAClD,IACD,SAAS,KAAA,EAAO;AAEf,MAAA,IAAI,iBAAiB,KAAA,EAAO;AAC3B,QAAA,MAAM,KAAA;AAAA,MACP;AAEA,MAAA;AAAA,IACD;AAAA,EACD;AACD;;;ACpEA,eAAsB,sBACrB,OAAA,EACoC;AACpC,EAAA,MAAM,EAAE,QAAA,EAAU,KAAA,GAAQ,sBAAA,EAAuB,GAAI,OAAA;AACrD,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,KAAA,IAAS,UAAA,CAAW,KAAA;AAE9C,EAAA,IAAI,CAAC,QAAA,EAAU;AACd,IAAA,MAAM,IAAI,MAAM,uDAAuD,CAAA;AAAA,EACxE;AAEA,EAAA,IAAI;AACH,IAAA,MAAM,GAAA,GAAM,sCAAA;AACZ,IAAA,MAAM,IAAA,GAAO,IAAI,eAAA,CAAgB;AAAA,MAChC,SAAA,EAAW,QAAA;AAAA,MACX;AAAA,KACA,CAAA;AAED,IAAA,MAAM,QAAA,GAAW,MAAM,SAAA,CAAU,GAAA,EAAK;AAAA,MACrC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACR,cAAA,EAAgB,mCAAA;AAAA,QAChB,QAAA,EAAU;AAAA,OACX;AAAA,MACA;AAAA,KACA,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,MAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,oCAAA,EAAuC,SAAS,UAAU,CAAA,GAAA,EAAM,SAAS,CAAA,CAAE,CAAA;AAAA,IAC5F;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAQjC,IAAA,OAAO;AAAA,MACN,YAAY,IAAA,CAAK,WAAA;AAAA,MACjB,UAAU,IAAA,CAAK,SAAA;AAAA,MACf,iBAAiB,IAAA,CAAK,gBAAA;AAAA,MACtB,WAAW,IAAA,CAAK,UAAA;AAAA,MAChB,UAAU,IAAA,CAAK;AAAA,KAChB;AAAA,EACD,SAAS,KAAA,EAAO;AACf,IAAA,OAAA,CAAQ,KAAA,CAAM,sCAAsC,KAAK,CAAA;AACzD,IAAA,MAAM,KAAA;AAAA,EACP;AACD;AAwBA,eAAsB,oBAAA,CACrB,YACA,OAAA,EAC+B;AAC/B,EAAA,MAAM,EAAE,QAAA,EAAU,QAAA,GAAW,CAAA,EAAG,SAAA,GAAY,KAAI,GAAI,OAAA;AACpD,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,KAAA,IAAS,UAAA,CAAW,KAAA;AAE9C,EAAA,IAAI,CAAC,QAAA,EAAU;AACd,IAAA,MAAM,IAAI,MAAM,gDAAgD,CAAA;AAAA,EACjE;AAEA,EAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAC3B,EAAA,MAAM,UAAU,SAAA,GAAY,GAAA;AAC5B,EAAA,IAAI,kBAAkB,QAAA,GAAW,GAAA;AAEjC,EAAA,OAAO,IAAA,EAAM;AAEZ,IAAA,IAAI,IAAA,CAAK,GAAA,EAAI,GAAI,SAAA,GAAY,OAAA,EAAS;AACrC,MAAA,MAAM,IAAI,MAAM,wDAAwD,CAAA;AAAA,IACzE;AAGA,IAAA,MAAM,IAAI,OAAA,CAAQ,CAAC,YAAY,UAAA,CAAW,OAAA,EAAS,eAAe,CAAC,CAAA;AAEnE,IAAA,IAAI;AACH,MAAA,MAAM,GAAA,GAAM,6CAAA;AACZ,MAAA,MAAM,IAAA,GAAO,IAAI,eAAA,CAAgB;AAAA,QAChC,SAAA,EAAW,QAAA;AAAA,QACX,WAAA,EAAa,UAAA;AAAA,QACb,UAAA,EAAY;AAAA,OACZ,CAAA;AAED,MAAA,MAAM,QAAA,GAAW,MAAM,SAAA,CAAU,GAAA,EAAK;AAAA,QACrC,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACR,cAAA,EAAgB,mCAAA;AAAA,UAChB,QAAA,EAAU;AAAA,SACX;AAAA,QACA;AAAA,OACA,CAAA;AAED,MAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAKjC,MAAA,IAAI,kBAAkB,IAAA,EAAM;AAC3B,QAAA,OAAO;AAAA,UACN,aAAa,IAAA,CAAK,YAAA;AAAA,UAClB,WAAW,IAAA,CAAK,UAAA;AAAA,UAChB,OAAO,IAAA,CAAK;AAAA,SACb;AAAA,MACD;AAGA,MAAA,MAAM,KAAA,GAAS,KAAK,KAAA,IAAS,SAAA;AAE7B,MAAA,QAAQ,KAAA;AAAO,QACd,KAAK,uBAAA;AAEJ,UAAA;AAAA,QAED,KAAK,WAAA;AAEJ,UAAA,eAAA,IAAmB,GAAA;AACnB,UAAA;AAAA,QAED,KAAK,eAAA;AACJ,UAAA,MAAM,IAAI,MAAM,uBAAuB,CAAA;AAAA,QAExC,KAAK,eAAA;AACJ,UAAA,MAAM,IAAI,MAAM,qBAAqB,CAAA;AAAA,QAEtC;AACC,UAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,KAAK,CAAA,CAAE,CAAA;AAAA;AACzD,IACD,SAAS,KAAA,EAAO;AAEf,MAAA,IAAI,iBAAiB,KAAA,EAAO;AAC3B,QAAA,MAAM,KAAA;AAAA,MACP;AAEA,MAAA;AAAA,IACD;AAAA,EACD;AACD;AAiBA,eAAsB,aAAA,CACrB,WAAA,EACA,OAAA,GAAoC,EAAC,EACf;AACtB,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,KAAA,IAAS,UAAA,CAAW,KAAA;AAE9C,EAAA,IAAI,CAAC,WAAA,EAAa;AACjB,IAAA,MAAM,IAAI,MAAM,iCAAiC,CAAA;AAAA,EAClD;AAEA,EAAA,IAAI;AACH,IAAA,MAAM,QAAA,GAAW,MAAM,SAAA,CAAU,6BAAA,EAA+B;AAAA,MAC/D,MAAA,EAAQ,KAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACR,eAAA,EAAiB,UAAU,WAAW,CAAA,CAAA;AAAA,QACtC,QAAA,EAAU,6BAAA;AAAA,QACV,sBAAA,EAAwB;AAAA;AACzB,KACA,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,MAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,0BAAA,EAA6B,SAAS,UAAU,CAAA,GAAA,EAAM,SAAS,CAAA,CAAE,CAAA;AAAA,IAClF;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAQjC,IAAA,OAAO;AAAA,MACN,IAAI,IAAA,CAAK,EAAA;AAAA,MACT,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,WAAW,IAAA,CAAK;AAAA,KACjB;AAAA,EACD,SAAS,KAAA,EAAO;AACf,IAAA,OAAA,CAAQ,KAAA,CAAM,4BAA4B,KAAK,CAAA;AAC/C,IAAA,MAAM,KAAA;AAAA,EACP;AACD;;;AC1QA,YAAA,EAAA","file":"index.js","sourcesContent":["import type { TokenStorage, StoredTokenData } from './types.js'\n\n// Keychain service and account identifiers\nconst KEYCHAIN_SERVICE = 'oauth.do'\nconst KEYCHAIN_ACCOUNT = 'access_token'\n\n/**\n * Check if we're running in a Node.js environment\n */\nfunction isNode(): boolean {\n\treturn typeof process !== 'undefined' &&\n\t\tprocess.versions != null &&\n\t\tprocess.versions.node != null\n}\n\n/**\n * Safe environment variable access\n */\nfunction getEnv(key: string): string | undefined {\n\tif (typeof process !== 'undefined' && process.env?.[key]) return process.env[key]\n\treturn undefined\n}\n\n/**\n * Keychain-based token storage using OS credential manager\n * - macOS: Keychain\n * - Windows: Credential Manager\n * - Linux: Secret Service (libsecret)\n *\n * This is the most secure option for CLI token storage.\n */\nexport class KeychainTokenStorage implements TokenStorage {\n\tprivate keytar: typeof import('keytar') | null = null\n\tprivate initialized = false\n\n\t/**\n\t * Lazily load keytar module\n\t * Returns null if keytar is not available (e.g., missing native dependencies)\n\t */\n\tprivate async getKeytar(): Promise<typeof import('keytar') | null> {\n\t\tif (this.initialized) {\n\t\t\treturn this.keytar\n\t\t}\n\n\t\tthis.initialized = true\n\n\t\ttry {\n\t\t\t// Dynamic import to handle cases where keytar native module isn't available\n\t\t\tconst imported = await import('keytar')\n\t\t\t// Handle ESM/CJS interop - keytar is CommonJS, so functions may be on .default\n\t\t\tconst keytarModule = (imported as any).default || imported\n\t\t\tthis.keytar = keytarModule as typeof import('keytar')\n\n\t\t\t// Verify the module loaded correctly by checking for expected function\n\t\t\tif (typeof this.keytar.getPassword !== 'function') {\n\t\t\t\tif (getEnv('DEBUG')) {\n\t\t\t\t\tconsole.warn('Keytar module loaded but getPassword is not a function:', Object.keys(this.keytar))\n\t\t\t\t}\n\t\t\t\tthis.keytar = null\n\t\t\t\treturn null\n\t\t\t}\n\n\t\t\treturn this.keytar\n\t\t} catch (error) {\n\t\t\t// keytar requires native dependencies that may not be available\n\t\t\t// Fall back gracefully\n\t\t\tif (getEnv('DEBUG')) {\n\t\t\t\tconsole.warn('Keychain storage not available:', error)\n\t\t\t}\n\t\t\treturn null\n\t\t}\n\t}\n\n\tasync getToken(): Promise<string | null> {\n\t\tconst keytar = await this.getKeytar()\n\t\tif (!keytar) {\n\t\t\treturn null\n\t\t}\n\n\t\ttry {\n\t\t\tconst token = await keytar.getPassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT)\n\t\t\treturn token\n\t\t} catch (error) {\n\t\t\tif (getEnv('DEBUG')) {\n\t\t\t\tconsole.warn('Failed to get token from keychain:', error)\n\t\t\t}\n\t\t\treturn null\n\t\t}\n\t}\n\n\tasync setToken(token: string): Promise<void> {\n\t\ttry {\n\t\t\tconst keytar = await this.getKeytar()\n\t\t\tif (!keytar) {\n\t\t\t\tthrow new Error('Keychain storage not available')\n\t\t\t}\n\n\t\t\tawait keytar.setPassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT, token)\n\t\t} catch (error: any) {\n\t\t\t// Check if this is a native module error vs an actual keychain error\n\t\t\tif (error?.code === 'MODULE_NOT_FOUND' || error?.message?.includes('Cannot find module')) {\n\t\t\t\tthrow new Error('Keychain storage not available: native module not built')\n\t\t\t}\n\t\t\tthrow new Error(`Failed to save token to keychain: ${error}`)\n\t\t}\n\t}\n\n\tasync removeToken(): Promise<void> {\n\t\tconst keytar = await this.getKeytar()\n\t\tif (!keytar) {\n\t\t\treturn\n\t\t}\n\n\t\ttry {\n\t\t\tawait keytar.deletePassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT)\n\t\t} catch {\n\t\t\t// Ignore errors if credential doesn't exist\n\t\t}\n\t}\n\n\t/**\n\t * Check if keychain storage is available on this system\n\t */\n\tasync isAvailable(): Promise<boolean> {\n\t\ttry {\n\t\t\tconst keytar = await this.getKeytar()\n\t\t\tif (!keytar) {\n\t\t\t\treturn false\n\t\t\t}\n\n\t\t\t// Try a read operation to verify keychain access\n\t\t\t// This will throw if native module is not built\n\t\t\tawait keytar.getPassword(KEYCHAIN_SERVICE, '__test__')\n\t\t\treturn true\n\t\t} catch (error) {\n\t\t\tif (getEnv('DEBUG')) {\n\t\t\t\tconsole.warn('Keychain not available:', error)\n\t\t\t}\n\t\t\treturn false\n\t\t}\n\t}\n}\n\n/**\n * Secure file-based token storage for CLI\n * Stores token in ~/.oauth.do/token with restricted permissions (0600)\n *\n * This is the default storage for Node.js CLI because it doesn't require\n * GUI authorization popups like the keychain does on macOS.\n * Only works in Node.js environment.\n */\nexport class SecureFileTokenStorage implements TokenStorage {\n\tprivate tokenPath: string | null = null\n\tprivate configDir: string | null = null\n\tprivate initialized = false\n\tprivate customPath?: string\n\n\tconstructor(customPath?: string) {\n\t\tthis.customPath = customPath\n\t}\n\n\tprivate async init(): Promise<boolean> {\n\t\tif (this.initialized) return this.tokenPath !== null\n\t\tthis.initialized = true\n\n\t\tif (!isNode()) return false\n\n\t\ttry {\n\t\t\tconst os = await import('os')\n\t\t\tconst path = await import('path')\n\n\t\t\t// Use custom path if provided\n\t\t\tif (this.customPath) {\n\t\t\t\t// Expand ~ to home directory\n\t\t\t\tconst expandedPath = this.customPath.startsWith('~/')\n\t\t\t\t\t? path.join(os.homedir(), this.customPath.slice(2))\n\t\t\t\t\t: this.customPath\n\n\t\t\t\tthis.tokenPath = expandedPath\n\t\t\t\tthis.configDir = path.dirname(expandedPath)\n\t\t\t} else {\n\t\t\t\t// Default path\n\t\t\t\tthis.configDir = path.join(os.homedir(), '.oauth.do')\n\t\t\t\tthis.tokenPath = path.join(this.configDir, 'token')\n\t\t\t}\n\t\t\treturn true\n\t\t} catch {\n\t\t\treturn false\n\t\t}\n\t}\n\n\tasync getToken(): Promise<string | null> {\n\t\t// Try to get from token data first (new format)\n\t\tconst data = await this.getTokenData()\n\t\tif (data) {\n\t\t\treturn data.accessToken\n\t\t}\n\n\t\t// Fall back to legacy plain text format\n\t\tif (!(await this.init()) || !this.tokenPath) return null\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tconst stats = await fs.stat(this.tokenPath)\n\t\t\tconst mode = stats.mode & 0o777\n\n\t\t\tif (mode !== 0o600 && getEnv('DEBUG')) {\n\t\t\t\tconsole.warn(\n\t\t\t\t\t`Warning: Token file has insecure permissions (${mode.toString(8)}). ` +\n\t\t\t\t\t\t`Expected 600. Run: chmod 600 ${this.tokenPath}`\n\t\t\t\t)\n\t\t\t}\n\n\t\t\tconst content = await fs.readFile(this.tokenPath, 'utf-8')\n\t\t\tconst trimmed = content.trim()\n\n\t\t\t// Check if it's JSON (new format) or plain token (legacy)\n\t\t\tif (trimmed.startsWith('{')) {\n\t\t\t\tconst data = JSON.parse(trimmed) as StoredTokenData\n\t\t\t\treturn data.accessToken\n\t\t\t}\n\n\t\t\treturn trimmed\n\t\t} catch {\n\t\t\treturn null\n\t\t}\n\t}\n\n\tasync setToken(token: string): Promise<void> {\n\t\t// Store as token data for consistency, trimming whitespace\n\t\tawait this.setTokenData({ accessToken: token.trim() })\n\t}\n\n\tasync getTokenData(): Promise<StoredTokenData | null> {\n\t\tif (!(await this.init()) || !this.tokenPath) return null\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tconst content = await fs.readFile(this.tokenPath, 'utf-8')\n\t\t\tconst trimmed = content.trim()\n\n\t\t\t// Check if it's JSON format\n\t\t\tif (trimmed.startsWith('{')) {\n\t\t\t\treturn JSON.parse(trimmed) as StoredTokenData\n\t\t\t}\n\n\t\t\t// Legacy plain text format - convert to token data\n\t\t\treturn { accessToken: trimmed }\n\t\t} catch {\n\t\t\treturn null\n\t\t}\n\t}\n\n\tasync setTokenData(data: StoredTokenData): Promise<void> {\n\t\tif (!(await this.init()) || !this.tokenPath || !this.configDir) {\n\t\t\tthrow new Error('File storage not available')\n\t\t}\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tawait fs.mkdir(this.configDir, { recursive: true, mode: 0o700 })\n\t\t\tawait fs.writeFile(this.tokenPath, JSON.stringify(data), { encoding: 'utf-8', mode: 0o600 })\n\t\t\tawait fs.chmod(this.tokenPath, 0o600)\n\t\t} catch (error) {\n\t\t\tconsole.error('Failed to save token data:', error)\n\t\t\tthrow error\n\t\t}\n\t}\n\n\tasync removeToken(): Promise<void> {\n\t\tif (!(await this.init()) || !this.tokenPath) return\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tawait fs.unlink(this.tokenPath)\n\t\t} catch {\n\t\t\t// Ignore errors if file doesn't exist\n\t\t}\n\t}\n\n\t/**\n\t * Get information about the storage backend\n\t */\n\tasync getStorageInfo(): Promise<{ type: 'file'; secure: boolean; path: string | null }> {\n\t\tawait this.init()\n\t\treturn { type: 'file', secure: true, path: this.tokenPath }\n\t}\n}\n\n/**\n * File-based token storage for CLI (legacy, less secure)\n * Stores token in ~/.oauth.do/token\n * Only works in Node.js environment.\n *\n * @deprecated Use SecureFileTokenStorage or KeychainTokenStorage instead\n */\nexport class FileTokenStorage implements TokenStorage {\n\tprivate tokenPath: string | null = null\n\tprivate configDir: string | null = null\n\tprivate initialized = false\n\n\tprivate async init(): Promise<boolean> {\n\t\tif (this.initialized) return this.tokenPath !== null\n\t\tthis.initialized = true\n\n\t\tif (!isNode()) return false\n\n\t\ttry {\n\t\t\tconst os = await import('os')\n\t\t\tconst path = await import('path')\n\t\t\tthis.configDir = path.join(os.homedir(), '.oauth.do')\n\t\t\tthis.tokenPath = path.join(this.configDir, 'token')\n\t\t\treturn true\n\t\t} catch {\n\t\t\treturn false\n\t\t}\n\t}\n\n\tasync getToken(): Promise<string | null> {\n\t\tif (!(await this.init()) || !this.tokenPath) return null\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tconst token = await fs.readFile(this.tokenPath, 'utf-8')\n\t\t\treturn token.trim()\n\t\t} catch {\n\t\t\treturn null\n\t\t}\n\t}\n\n\tasync setToken(token: string): Promise<void> {\n\t\tif (!(await this.init()) || !this.tokenPath || !this.configDir) {\n\t\t\tthrow new Error('File storage not available')\n\t\t}\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tawait fs.mkdir(this.configDir, { recursive: true })\n\t\t\tawait fs.writeFile(this.tokenPath, token, 'utf-8')\n\t\t} catch (error) {\n\t\t\tconsole.error('Failed to save token:', error)\n\t\t\tthrow error\n\t\t}\n\t}\n\n\tasync removeToken(): Promise<void> {\n\t\tif (!(await this.init()) || !this.tokenPath) return\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tawait fs.unlink(this.tokenPath)\n\t\t} catch {\n\t\t\t// Ignore errors if file doesn't exist\n\t\t}\n\t}\n}\n\n/**\n * In-memory token storage (for browser or testing)\n */\nexport class MemoryTokenStorage implements TokenStorage {\n\tprivate token: string | null = null\n\n\tasync getToken(): Promise<string | null> {\n\t\treturn this.token\n\t}\n\n\tasync setToken(token: string): Promise<void> {\n\t\tthis.token = token\n\t}\n\n\tasync removeToken(): Promise<void> {\n\t\tthis.token = null\n\t}\n}\n\n/**\n * LocalStorage-based token storage (for browser)\n */\nexport class LocalStorageTokenStorage implements TokenStorage {\n\tprivate key = 'oauth.do:token'\n\n\tasync getToken(): Promise<string | null> {\n\t\tif (typeof localStorage === 'undefined') {\n\t\t\treturn null\n\t\t}\n\t\treturn localStorage.getItem(this.key)\n\t}\n\n\tasync setToken(token: string): Promise<void> {\n\t\tif (typeof localStorage === 'undefined') {\n\t\t\tthrow new Error('localStorage is not available')\n\t\t}\n\t\tlocalStorage.setItem(this.key, token)\n\t}\n\n\tasync removeToken(): Promise<void> {\n\t\tif (typeof localStorage === 'undefined') {\n\t\t\treturn\n\t\t}\n\t\tlocalStorage.removeItem(this.key)\n\t}\n}\n\n/**\n * Composite token storage that tries multiple storage backends\n * Attempts keychain first, then falls back to secure file storage\n */\nexport class CompositeTokenStorage implements TokenStorage {\n\tprivate keychainStorage: KeychainTokenStorage\n\tprivate fileStorage: SecureFileTokenStorage\n\tprivate preferredStorage: TokenStorage | null = null\n\n\tconstructor() {\n\t\tthis.keychainStorage = new KeychainTokenStorage()\n\t\tthis.fileStorage = new SecureFileTokenStorage()\n\t}\n\n\t/**\n\t * Determine the best available storage backend\n\t */\n\tprivate async getPreferredStorage(): Promise<TokenStorage> {\n\t\tif (this.preferredStorage) {\n\t\t\treturn this.preferredStorage\n\t\t}\n\n\t\t// Try keychain first\n\t\tif (await this.keychainStorage.isAvailable()) {\n\t\t\tthis.preferredStorage = this.keychainStorage\n\t\t\treturn this.preferredStorage\n\t\t}\n\n\t\t// Fall back to secure file storage\n\t\tthis.preferredStorage = this.fileStorage\n\t\treturn this.preferredStorage\n\t}\n\n\tasync getToken(): Promise<string | null> {\n\t\t// First, check keychain\n\t\tconst keychainToken = await this.keychainStorage.getToken()\n\t\tif (keychainToken) {\n\t\t\treturn keychainToken\n\t\t}\n\n\t\t// Fall back to file storage (for migration from old installations)\n\t\tconst fileToken = await this.fileStorage.getToken()\n\t\tif (fileToken) {\n\t\t\t// Migrate token to keychain if available\n\t\t\tif (await this.keychainStorage.isAvailable()) {\n\t\t\t\ttry {\n\t\t\t\t\tawait this.keychainStorage.setToken(fileToken)\n\t\t\t\t\tawait this.fileStorage.removeToken()\n\t\t\t\t\tif (getEnv('DEBUG')) {\n\t\t\t\t\t\tconsole.log('Migrated token from file to keychain')\n\t\t\t\t\t}\n\t\t\t\t} catch {\n\t\t\t\t\t// Continue with file token if migration fails\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn fileToken\n\t\t}\n\n\t\treturn null\n\t}\n\n\tasync setToken(token: string): Promise<void> {\n\t\tconst storage = await this.getPreferredStorage()\n\t\tawait storage.setToken(token)\n\t}\n\n\tasync removeToken(): Promise<void> {\n\t\t// Remove from both storages to ensure complete logout\n\t\tawait Promise.all([this.keychainStorage.removeToken(), this.fileStorage.removeToken()])\n\t}\n\n\t/**\n\t * Get information about the current storage backend\n\t */\n\tasync getStorageInfo(): Promise<{ type: 'keychain' | 'file'; secure: boolean }> {\n\t\tif (await this.keychainStorage.isAvailable()) {\n\t\t\treturn { type: 'keychain', secure: true }\n\t\t}\n\t\treturn { type: 'file', secure: true }\n\t}\n}\n\n/**\n * Create the default token storage\n * - Node.js: Uses secure file storage (~/.oauth.do/token with 0600 permissions)\n * - Browser: Uses localStorage\n * - Worker: Uses in-memory storage (tokens should be passed via env bindings)\n *\n * Note: We use file storage by default because keychain storage on macOS\n * requires GUI authorization popups, which breaks automation and agent workflows.\n *\n * @param storagePath - Optional custom path for token storage (e.g., '~/.studio/tokens.json')\n */\nexport function createSecureStorage(storagePath?: string): TokenStorage {\n\t// Node.js - use secure file storage (no keychain popups)\n\tif (isNode()) {\n\t\treturn new SecureFileTokenStorage(storagePath)\n\t}\n\n\t// Browser - use localStorage\n\tif (typeof localStorage !== 'undefined') {\n\t\treturn new LocalStorageTokenStorage()\n\t}\n\n\t// Workers/other - use memory storage\n\treturn new MemoryTokenStorage()\n}\n","import type { OAuthConfig } from './types.js'\n\n/**\n * Safe environment variable access (works in Node, browser, and Workers)\n */\nfunction getEnv(key: string): string | undefined {\n\t// Check globalThis first (Workers)\n\tif ((globalThis as any)[key]) return (globalThis as any)[key]\n\t// Check process.env (Node.js)\n\tif (typeof process !== 'undefined' && process.env?.[key]) return process.env[key]\n\treturn undefined\n}\n\n/**\n * Global OAuth configuration\n * Note: storagePath is optional and may be undefined\n */\nlet globalConfig: Omit<Required<OAuthConfig>, 'storagePath'> & Pick<OAuthConfig, 'storagePath'> = {\n\tapiUrl: getEnv('OAUTH_API_URL') || getEnv('API_URL') || 'https://apis.do',\n\tclientId: getEnv('OAUTH_CLIENT_ID') || 'client_01JQYTRXK9ZPD8JPJTKDCRB656',\n\tauthKitDomain: getEnv('OAUTH_AUTHKIT_DOMAIN') || 'login.oauth.do',\n\tfetch: globalThis.fetch,\n\tstoragePath: getEnv('OAUTH_STORAGE_PATH'),\n}\n\n/**\n * Configure OAuth settings\n */\nexport function configure(config: OAuthConfig): void {\n\tglobalConfig = {\n\t\t...globalConfig,\n\t\t...config,\n\t}\n}\n\n/**\n * Get current configuration\n */\nexport function getConfig(): Omit<Required<OAuthConfig>, 'storagePath'> & Pick<OAuthConfig, 'storagePath'> {\n\treturn globalConfig\n}\n","import { getConfig } from './config.js'\nimport type { User, AuthResult, TokenResponse, StoredTokenData } from './types.js'\n\n/**\n * Resolve a secret that could be a plain string or a secrets store binding\n * Secrets store bindings have a .get() method that returns a Promise<string>\n * @see https://developers.cloudflare.com/workers/configuration/secrets/#secrets-store\n */\nasync function resolveSecret(value: unknown): Promise<string | null> {\n\tif (!value) return null\n\tif (typeof value === 'string') return value\n\tif (typeof value === 'object' && typeof (value as any).get === 'function') {\n\t\treturn await (value as any).get()\n\t}\n\treturn null\n}\n\n/**\n * Safe environment variable access (works in Node, browser, and Workers)\n */\nfunction getEnv(key: string): string | undefined {\n\t// Check globalThis first (Workers)\n\tif ((globalThis as any)[key]) return (globalThis as any)[key]\n\t// Check process.env (Node.js)\n\tif (typeof process !== 'undefined' && process.env?.[key]) return process.env[key]\n\treturn undefined\n}\n\n/**\n * Get current authenticated user\n * Calls GET /me endpoint\n *\n * @param token - Optional authentication token (will use DO_TOKEN env var if not provided)\n * @returns Authentication result with user info or null if not authenticated\n */\nexport async function getUser(token?: string): Promise<AuthResult> {\n\tconst config = getConfig()\n\tconst authToken = token || getEnv('DO_TOKEN') || ''\n\n\tif (!authToken) {\n\t\treturn { user: null }\n\t}\n\n\ttry {\n\t\tconst response = await config.fetch(`${config.apiUrl}/me`, {\n\t\t\tmethod: 'GET',\n\t\t\theaders: {\n\t\t\t\t'Authorization': `Bearer ${authToken}`,\n\t\t\t\t'Content-Type': 'application/json',\n\t\t\t},\n\t\t})\n\n\t\tif (!response.ok) {\n\t\t\tif (response.status === 401) {\n\t\t\t\treturn { user: null }\n\t\t\t}\n\t\t\tthrow new Error(`Authentication failed: ${response.statusText}`)\n\t\t}\n\n\t\tconst user = (await response.json()) as User\n\t\treturn { user, token: authToken }\n\t} catch (error) {\n\t\tconsole.error('Auth error:', error)\n\t\treturn { user: null }\n\t}\n}\n\n/**\n * Initiate login flow\n * Calls POST /login endpoint\n *\n * @param credentials - Login credentials (email, password, etc.)\n * @returns Authentication result with user info and token\n */\nexport async function login(credentials: {\n\temail?: string\n\tpassword?: string\n\t[key: string]: any\n}): Promise<AuthResult> {\n\tconst config = getConfig()\n\n\ttry {\n\t\tconst response = await config.fetch(`${config.apiUrl}/login`, {\n\t\t\tmethod: 'POST',\n\t\t\theaders: {\n\t\t\t\t'Content-Type': 'application/json',\n\t\t\t},\n\t\t\tbody: JSON.stringify(credentials),\n\t\t})\n\n\t\tif (!response.ok) {\n\t\t\tthrow new Error(`Login failed: ${response.statusText}`)\n\t\t}\n\n\t\tconst data = (await response.json()) as { user: User; token: string }\n\t\treturn { user: data.user, token: data.token }\n\t} catch (error) {\n\t\tconsole.error('Login error:', error)\n\t\tthrow error\n\t}\n}\n\n/**\n * Logout current user\n * Calls POST /logout endpoint\n *\n * @param token - Optional authentication token (will use DO_TOKEN env var if not provided)\n */\nexport async function logout(token?: string): Promise<void> {\n\tconst config = getConfig()\n\tconst authToken = token || getEnv('DO_TOKEN') || ''\n\n\tif (!authToken) {\n\t\treturn\n\t}\n\n\ttry {\n\t\tconst response = await config.fetch(`${config.apiUrl}/logout`, {\n\t\t\tmethod: 'POST',\n\t\t\theaders: {\n\t\t\t\t'Authorization': `Bearer ${authToken}`,\n\t\t\t\t'Content-Type': 'application/json',\n\t\t\t},\n\t\t})\n\n\t\tif (!response.ok) {\n\t\t\tconsole.warn(`Logout warning: ${response.statusText}`)\n\t\t}\n\t} catch (error) {\n\t\tconsole.error('Logout error:', error)\n\t}\n}\n\n// Buffer time before expiration to trigger refresh (5 minutes)\nconst REFRESH_BUFFER_MS = 5 * 60 * 1000\n\n/**\n * Check if token is expired or about to expire\n */\nfunction isTokenExpired(expiresAt?: number): boolean {\n\tif (!expiresAt) return false // Can't determine, assume valid\n\treturn Date.now() >= expiresAt - REFRESH_BUFFER_MS\n}\n\n/**\n * Get token from environment or stored credentials\n *\n * Checks in order:\n * 1. globalThis.DO_ADMIN_TOKEN / DO_TOKEN (Workers legacy)\n * 2. process.env.DO_ADMIN_TOKEN / DO_TOKEN (Node.js)\n * 3. cloudflare:workers env import (Workers 2025+) - supports secrets store bindings\n * 4. Stored token (keychain/secure file) - with automatic refresh if expired\n *\n * @see https://developers.cloudflare.com/changelog/2025-03-17-importable-env/\n */\nexport async function getToken(): Promise<string | null> {\n\t// Check env vars first (globalThis for Workers legacy, process.env for Node)\n\tconst adminToken = getEnv('DO_ADMIN_TOKEN')\n\tif (adminToken) return adminToken\n\tconst doToken = getEnv('DO_TOKEN')\n\tif (doToken) return doToken\n\n\t// Try cloudflare:workers env import (Workers 2025+)\n\t// Supports both plain strings and secrets store bindings\n\ttry {\n\t\t// @ts-ignore - cloudflare:workers only available in Workers runtime\n\t\tconst { env } = await import('cloudflare:workers')\n\n\t\tconst cfAdminToken = await resolveSecret((env as any).DO_ADMIN_TOKEN)\n\t\tif (cfAdminToken) return cfAdminToken\n\n\t\tconst cfToken = await resolveSecret((env as any).DO_TOKEN)\n\t\tif (cfToken) return cfToken\n\t} catch {\n\t\t// Not in Workers environment or env not available\n\t}\n\n\t// Try stored token (Node.js only - uses keychain/file storage)\n\ttry {\n\t\tconst { createSecureStorage } = await import('./storage.js')\n\t\tconst config = getConfig()\n\t\tconst storage = createSecureStorage(config.storagePath)\n\n\t\t// Get full token data if available\n\t\tconst tokenData = storage.getTokenData ? await storage.getTokenData() : null\n\n\t\tif (tokenData) {\n\t\t\t// If token is not expired, return it\n\t\t\tif (!isTokenExpired(tokenData.expiresAt)) {\n\t\t\t\treturn tokenData.accessToken\n\t\t\t}\n\n\t\t\t// Token is expired - try to refresh if we have a refresh token\n\t\t\tif (tokenData.refreshToken) {\n\t\t\t\ttry {\n\t\t\t\t\tconst newTokens = await refreshAccessToken(tokenData.refreshToken)\n\n\t\t\t\t\t// Calculate new expiration time\n\t\t\t\t\tconst expiresAt = newTokens.expires_in\n\t\t\t\t\t\t? Date.now() + newTokens.expires_in * 1000\n\t\t\t\t\t\t: undefined\n\n\t\t\t\t\t// Store new token data\n\t\t\t\t\tconst newData: StoredTokenData = {\n\t\t\t\t\t\taccessToken: newTokens.access_token,\n\t\t\t\t\t\trefreshToken: newTokens.refresh_token || tokenData.refreshToken,\n\t\t\t\t\t\texpiresAt,\n\t\t\t\t\t}\n\n\t\t\t\t\tif (storage.setTokenData) {\n\t\t\t\t\t\tawait storage.setTokenData(newData)\n\t\t\t\t\t} else {\n\t\t\t\t\t\tawait storage.setToken(newTokens.access_token)\n\t\t\t\t\t}\n\n\t\t\t\t\treturn newTokens.access_token\n\t\t\t\t} catch {\n\t\t\t\t\t// Refresh failed - return null (caller should re-authenticate)\n\t\t\t\t\treturn null\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Expired but no refresh token - return null\n\t\t\treturn null\n\t\t}\n\n\t\t// Fall back to simple token storage (no expiration tracking)\n\t\treturn await storage.getToken()\n\t} catch {\n\t\t// Storage not available (browser/worker) - return null\n\t\treturn null\n\t}\n}\n\n/**\n * Check if user is authenticated (has valid token)\n */\nexport async function isAuthenticated(token?: string): Promise<boolean> {\n\tconst result = await getUser(token)\n\treturn result.user !== null\n}\n\n/**\n * Auth provider function type for HTTP clients\n */\nexport type AuthProvider = () => string | null | undefined | Promise<string | null | undefined>\n\n/**\n * Create an auth provider function for HTTP clients (apis.do, rpc.do)\n * Returns a function that resolves to a token string\n *\n * @example\n * import { auth } from 'oauth.do'\n * const getAuth = auth()\n * const token = await getAuth()\n */\nexport function auth(): AuthProvider {\n\treturn getToken\n}\n\n/**\n * Refresh an access token using a refresh token\n *\n * @param refreshToken - The refresh token from the original auth response\n * @returns New token response with fresh access_token (and possibly new refresh_token)\n */\nexport async function refreshAccessToken(refreshToken: string): Promise<TokenResponse> {\n\tconst config = getConfig()\n\n\tif (!config.clientId) {\n\t\tthrow new Error('Client ID is required for token refresh')\n\t}\n\n\tconst response = await config.fetch('https://auth.apis.do/user_management/authenticate', {\n\t\tmethod: 'POST',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/x-www-form-urlencoded',\n\t\t},\n\t\tbody: new URLSearchParams({\n\t\t\tgrant_type: 'refresh_token',\n\t\t\trefresh_token: refreshToken,\n\t\t\tclient_id: config.clientId,\n\t\t}).toString(),\n\t})\n\n\tif (!response.ok) {\n\t\tconst errorText = await response.text()\n\t\tthrow new Error(`Token refresh failed: ${response.status} - ${errorText}`)\n\t}\n\n\treturn (await response.json()) as TokenResponse\n}\n\n/**\n * Get stored token data from storage\n */\nexport async function getStoredTokenData(): Promise<StoredTokenData | null> {\n\ttry {\n\t\tconst { createSecureStorage } = await import('./storage.js')\n\t\tconst config = getConfig()\n\t\tconst storage = createSecureStorage(config.storagePath)\n\t\tif (storage.getTokenData) {\n\t\t\treturn await storage.getTokenData()\n\t\t}\n\t\t// Fall back to just access token\n\t\tconst token = await storage.getToken()\n\t\treturn token ? { accessToken: token } : null\n\t} catch {\n\t\treturn null\n\t}\n}\n\n/**\n * Store token data including refresh token\n */\nexport async function storeTokenData(data: StoredTokenData): Promise<void> {\n\ttry {\n\t\tconst { createSecureStorage } = await import('./storage.js')\n\t\tconst config = getConfig()\n\t\tconst storage = createSecureStorage(config.storagePath)\n\t\tif (storage.setTokenData) {\n\t\t\tawait storage.setTokenData(data)\n\t\t} else {\n\t\t\tawait storage.setToken(data.accessToken)\n\t\t}\n\t} catch (error) {\n\t\tconsole.error('Failed to store token data:', error)\n\t\tthrow error\n\t}\n}\n\n/**\n * Build OAuth authorization URL\n *\n * @example\n * const url = buildAuthUrl({\n * redirectUri: 'https://myapp.com/callback',\n * scope: 'openid profile email',\n * })\n */\nexport function buildAuthUrl(options: {\n\tredirectUri: string\n\tscope?: string\n\tstate?: string\n\tresponseType?: string\n\tclientId?: string\n\tauthDomain?: string\n}): string {\n\tconst config = getConfig()\n\tconst clientId = options.clientId || config.clientId\n\tconst authDomain = options.authDomain || config.authKitDomain\n\n\tconst params = new URLSearchParams({\n\t\tclient_id: clientId,\n\t\tredirect_uri: options.redirectUri,\n\t\tresponse_type: options.responseType || 'code',\n\t\tscope: options.scope || 'openid profile email',\n\t})\n\n\tif (options.state) {\n\t\tparams.set('state', options.state)\n\t}\n\n\treturn `https://${authDomain}/authorize?${params.toString()}`\n}\n","import { getConfig } from './config.js'\nimport type { DeviceAuthorizationResponse, TokenResponse, TokenError } from './types.js'\n\n/**\n * OAuth provider options for direct provider login\n * Bypasses AuthKit login screen and goes directly to the provider\n */\nexport type OAuthProvider = 'GitHubOAuth' | 'GoogleOAuth' | 'MicrosoftOAuth' | 'AppleOAuth'\n\nexport interface DeviceAuthOptions {\n\t/** OAuth provider to use directly (bypasses AuthKit login screen) */\n\tprovider?: OAuthProvider\n}\n\n/**\n * Initiate device authorization flow\n * Following OAuth 2.0 Device Authorization Grant (RFC 8628)\n *\n * @param options - Optional settings including provider for direct OAuth\n * @returns Device authorization response with codes and URIs\n */\nexport async function authorizeDevice(options: DeviceAuthOptions = {}): Promise<DeviceAuthorizationResponse> {\n\tconst config = getConfig()\n\n\tif (!config.clientId) {\n\t\tthrow new Error('Client ID is required for device authorization. Set OAUTH_CLIENT_ID or configure({ clientId: \"...\" })')\n\t}\n\n\ttry {\n\t\tconst url = 'https://auth.apis.do/user_management/authorize/device'\n\t\tconst body = new URLSearchParams({\n\t\t\tclient_id: config.clientId,\n\t\t\tscope: 'openid profile email',\n\t\t})\n\n\t\t// Add provider if specified (bypasses AuthKit login screen)\n\t\tif (options.provider) {\n\t\t\tbody.set('provider', options.provider)\n\t\t}\n\n\t\tconst response = await config.fetch(url, {\n\t\t\tmethod: 'POST',\n\t\t\theaders: {\n\t\t\t\t'Content-Type': 'application/x-www-form-urlencoded',\n\t\t\t},\n\t\t\tbody: body.toString(),\n\t\t})\n\n\t\tif (!response.ok) {\n\t\t\tconst errorText = await response.text()\n\t\t\tthrow new Error(`Device authorization failed: ${response.statusText} - ${errorText}`)\n\t\t}\n\n\t\tconst data = (await response.json()) as DeviceAuthorizationResponse\n\t\treturn data\n\t} catch (error) {\n\t\tconsole.error('Device authorization error:', error)\n\t\tthrow error\n\t}\n}\n\n/**\n * Poll for tokens after device authorization\n *\n * @param deviceCode - Device code from authorization response\n * @param interval - Polling interval in seconds (default: 5)\n * @param expiresIn - Expiration time in seconds (default: 600)\n * @returns Token response with access token and user info\n */\nexport async function pollForTokens(\n\tdeviceCode: string,\n\tinterval: number = 5,\n\texpiresIn: number = 600\n): Promise<TokenResponse> {\n\tconst config = getConfig()\n\n\tif (!config.clientId) {\n\t\tthrow new Error('Client ID is required for token polling')\n\t}\n\n\tconst startTime = Date.now()\n\tconst timeout = expiresIn * 1000\n\tlet currentInterval = interval * 1000\n\n\twhile (true) {\n\t\t// Check if expired\n\t\tif (Date.now() - startTime > timeout) {\n\t\t\tthrow new Error('Device authorization expired. Please try again.')\n\t\t}\n\n\t\t// Wait for interval\n\t\tawait new Promise((resolve) => setTimeout(resolve, currentInterval))\n\n\t\ttry {\n\t\t\tconst response = await config.fetch('https://auth.apis.do/user_management/authenticate', {\n\t\t\t\tmethod: 'POST',\n\t\t\t\theaders: {\n\t\t\t\t\t'Content-Type': 'application/x-www-form-urlencoded',\n\t\t\t\t},\n\t\t\t\tbody: new URLSearchParams({\n\t\t\t\t\tgrant_type: 'urn:ietf:params:oauth:grant-type:device_code',\n\t\t\t\t\tdevice_code: deviceCode,\n\t\t\t\t\tclient_id: config.clientId,\n\t\t\t\t}).toString(),\n\t\t\t})\n\n\t\t\tif (response.ok) {\n\t\t\t\tconst data = (await response.json()) as TokenResponse\n\t\t\t\treturn data\n\t\t\t}\n\n\t\t\t// Handle error responses\n\t\t\tconst errorData = (await response.json().catch(() => ({ error: 'unknown' }))) as { error?: string }\n\t\t\tconst error = (errorData.error || 'unknown') as TokenError\n\n\t\t\tswitch (error) {\n\t\t\t\tcase 'authorization_pending':\n\t\t\t\t\t// Continue polling\n\t\t\t\t\tcontinue\n\n\t\t\t\tcase 'slow_down':\n\t\t\t\t\t// Increase interval by 5 seconds\n\t\t\t\t\tcurrentInterval += 5000\n\t\t\t\t\tcontinue\n\n\t\t\t\tcase 'access_denied':\n\t\t\t\t\tthrow new Error('Access denied by user')\n\n\t\t\t\tcase 'expired_token':\n\t\t\t\t\tthrow new Error('Device code expired')\n\n\t\t\t\tdefault:\n\t\t\t\t\tthrow new Error(`Token polling failed: ${error}`)\n\t\t\t}\n\t\t} catch (error) {\n\t\t\t// If it's our thrown error, re-throw it\n\t\t\tif (error instanceof Error) {\n\t\t\t\tthrow error\n\t\t\t}\n\t\t\t// Otherwise continue polling\n\t\t\tcontinue\n\t\t}\n\t}\n}\n","/**\n * GitHub Device Flow implementation\n * Following OAuth 2.0 Device Authorization Grant (RFC 8628)\n * https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow\n */\n\nexport interface GitHubDeviceFlowOptions {\n\t/** GitHub OAuth App client ID */\n\tclientId: string\n\t/** OAuth scopes (default: 'user:email read:user') */\n\tscope?: string\n\t/** Custom fetch implementation */\n\tfetch?: typeof fetch\n}\n\nexport interface GitHubDeviceAuthResponse {\n\t/** Device verification code */\n\tdeviceCode: string\n\t/** User verification code to display */\n\tuserCode: string\n\t/** Verification URI for user to visit */\n\tverificationUri: string\n\t/** Expiration time in seconds */\n\texpiresIn: number\n\t/** Polling interval in seconds */\n\tinterval: number\n}\n\nexport interface GitHubTokenResponse {\n\t/** Access token for GitHub API */\n\taccessToken: string\n\t/** Token type (typically 'bearer') */\n\ttokenType: string\n\t/** Granted scopes */\n\tscope: string\n}\n\nexport interface GitHubUser {\n\t/** Numeric GitHub user ID (critical for sqid generation) */\n\tid: number\n\t/** GitHub username */\n\tlogin: string\n\t/** User's email (may be null if not public) */\n\temail: string | null\n\t/** User's display name */\n\tname: string | null\n\t/** Avatar image URL */\n\tavatarUrl: string\n}\n\ntype GitHubTokenError =\n\t| 'authorization_pending'\n\t| 'slow_down'\n\t| 'expired_token'\n\t| 'access_denied'\n\t| 'unknown'\n\n/**\n * Start GitHub Device Flow\n *\n * Initiates device authorization flow by requesting device and user codes.\n *\n * @param options - Client ID, scope, and optional custom fetch\n * @returns Device authorization response with codes and URIs\n *\n * @example\n * ```ts\n * const auth = await startGitHubDeviceFlow({\n * clientId: 'Ov23liABCDEFGHIJKLMN',\n * scope: 'user:email read:user'\n * })\n *\n * console.log(`Visit ${auth.verificationUri} and enter code: ${auth.userCode}`)\n * ```\n */\nexport async function startGitHubDeviceFlow(\n\toptions: GitHubDeviceFlowOptions\n): Promise<GitHubDeviceAuthResponse> {\n\tconst { clientId, scope = 'user:email read:user' } = options\n\tconst fetchImpl = options.fetch || globalThis.fetch\n\n\tif (!clientId) {\n\t\tthrow new Error('GitHub client ID is required for device authorization')\n\t}\n\n\ttry {\n\t\tconst url = 'https://github.com/login/device/code'\n\t\tconst body = new URLSearchParams({\n\t\t\tclient_id: clientId,\n\t\t\tscope,\n\t\t})\n\n\t\tconst response = await fetchImpl(url, {\n\t\t\tmethod: 'POST',\n\t\t\theaders: {\n\t\t\t\t'Content-Type': 'application/x-www-form-urlencoded',\n\t\t\t\t'Accept': 'application/json',\n\t\t\t},\n\t\t\tbody,\n\t\t})\n\n\t\tif (!response.ok) {\n\t\t\tconst errorText = await response.text()\n\t\t\tthrow new Error(`GitHub device authorization failed: ${response.statusText} - ${errorText}`)\n\t\t}\n\n\t\tconst data = await response.json() as {\n\t\t\tdevice_code: string\n\t\t\tuser_code: string\n\t\t\tverification_uri: string\n\t\t\texpires_in: number\n\t\t\tinterval: number\n\t\t}\n\n\t\treturn {\n\t\t\tdeviceCode: data.device_code,\n\t\t\tuserCode: data.user_code,\n\t\t\tverificationUri: data.verification_uri,\n\t\t\texpiresIn: data.expires_in,\n\t\t\tinterval: data.interval,\n\t\t}\n\t} catch (error) {\n\t\tconsole.error('GitHub device authorization error:', error)\n\t\tthrow error\n\t}\n}\n\n/**\n * Poll GitHub Device Flow for access token\n *\n * Polls GitHub's token endpoint until user completes authorization.\n * Handles all error states including authorization_pending, slow_down, etc.\n *\n * @param deviceCode - Device code from startGitHubDeviceFlow\n * @param options - Client ID and optional custom fetch\n * @returns Token response with access token\n *\n * @example\n * ```ts\n * const auth = await startGitHubDeviceFlow({ clientId: '...' })\n * // User completes authorization...\n * const token = await pollGitHubDeviceFlow(auth.deviceCode, {\n * clientId: '...',\n * interval: auth.interval,\n * expiresIn: auth.expiresIn\n * })\n * console.log('Access token:', token.accessToken)\n * ```\n */\nexport async function pollGitHubDeviceFlow(\n\tdeviceCode: string,\n\toptions: GitHubDeviceFlowOptions & { interval?: number; expiresIn?: number }\n): Promise<GitHubTokenResponse> {\n\tconst { clientId, interval = 5, expiresIn = 900 } = options\n\tconst fetchImpl = options.fetch || globalThis.fetch\n\n\tif (!clientId) {\n\t\tthrow new Error('GitHub client ID is required for token polling')\n\t}\n\n\tconst startTime = Date.now()\n\tconst timeout = expiresIn * 1000\n\tlet currentInterval = interval * 1000\n\n\twhile (true) {\n\t\t// Check if expired\n\t\tif (Date.now() - startTime > timeout) {\n\t\t\tthrow new Error('GitHub device authorization expired. Please try again.')\n\t\t}\n\n\t\t// Wait for interval\n\t\tawait new Promise((resolve) => setTimeout(resolve, currentInterval))\n\n\t\ttry {\n\t\t\tconst url = 'https://github.com/login/oauth/access_token'\n\t\t\tconst body = new URLSearchParams({\n\t\t\t\tclient_id: clientId,\n\t\t\t\tdevice_code: deviceCode,\n\t\t\t\tgrant_type: 'urn:ietf:params:oauth:grant-type:device_code',\n\t\t\t})\n\n\t\t\tconst response = await fetchImpl(url, {\n\t\t\t\tmethod: 'POST',\n\t\t\t\theaders: {\n\t\t\t\t\t'Content-Type': 'application/x-www-form-urlencoded',\n\t\t\t\t\t'Accept': 'application/json',\n\t\t\t\t},\n\t\t\t\tbody,\n\t\t\t})\n\n\t\t\tconst data = await response.json() as\n\t\t\t\t| { access_token: string; token_type: string; scope: string }\n\t\t\t\t| { error: string; error_description?: string; error_uri?: string }\n\n\t\t\t// Check for success\n\t\t\tif ('access_token' in data) {\n\t\t\t\treturn {\n\t\t\t\t\taccessToken: data.access_token,\n\t\t\t\t\ttokenType: data.token_type,\n\t\t\t\t\tscope: data.scope,\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Handle error responses\n\t\t\tconst error = (data.error || 'unknown') as GitHubTokenError\n\n\t\t\tswitch (error) {\n\t\t\t\tcase 'authorization_pending':\n\t\t\t\t\t// Continue polling\n\t\t\t\t\tcontinue\n\n\t\t\t\tcase 'slow_down':\n\t\t\t\t\t// Increase interval by 5 seconds\n\t\t\t\t\tcurrentInterval += 5000\n\t\t\t\t\tcontinue\n\n\t\t\t\tcase 'access_denied':\n\t\t\t\t\tthrow new Error('Access denied by user')\n\n\t\t\t\tcase 'expired_token':\n\t\t\t\t\tthrow new Error('Device code expired')\n\n\t\t\t\tdefault:\n\t\t\t\t\tthrow new Error(`GitHub token polling failed: ${error}`)\n\t\t\t}\n\t\t} catch (error) {\n\t\t\t// If it's our thrown error, re-throw it\n\t\t\tif (error instanceof Error) {\n\t\t\t\tthrow error\n\t\t\t}\n\t\t\t// Otherwise continue polling\n\t\t\tcontinue\n\t\t}\n\t}\n}\n\n/**\n * Get GitHub user information\n *\n * Fetches authenticated user's profile from GitHub API.\n *\n * @param accessToken - GitHub access token\n * @param options - Optional custom fetch implementation\n * @returns GitHub user profile\n *\n * @example\n * ```ts\n * const user = await getGitHubUser(token.accessToken)\n * console.log(`Logged in as ${user.login} (ID: ${user.id})`)\n * ```\n */\nexport async function getGitHubUser(\n\taccessToken: string,\n\toptions: { fetch?: typeof fetch } = {}\n): Promise<GitHubUser> {\n\tconst fetchImpl = options.fetch || globalThis.fetch\n\n\tif (!accessToken) {\n\t\tthrow new Error('GitHub access token is required')\n\t}\n\n\ttry {\n\t\tconst response = await fetchImpl('https://api.github.com/user', {\n\t\t\tmethod: 'GET',\n\t\t\theaders: {\n\t\t\t\t'Authorization': `Bearer ${accessToken}`,\n\t\t\t\t'Accept': 'application/vnd.github+json',\n\t\t\t\t'X-GitHub-Api-Version': '2022-11-28',\n\t\t\t},\n\t\t})\n\n\t\tif (!response.ok) {\n\t\t\tconst errorText = await response.text()\n\t\t\tthrow new Error(`GitHub user fetch failed: ${response.statusText} - ${errorText}`)\n\t\t}\n\n\t\tconst data = await response.json() as {\n\t\t\tid: number\n\t\t\tlogin: string\n\t\t\temail: string | null\n\t\t\tname: string | null\n\t\t\tavatar_url: string\n\t\t}\n\n\t\treturn {\n\t\t\tid: data.id,\n\t\t\tlogin: data.login,\n\t\t\temail: data.email,\n\t\t\tname: data.name,\n\t\t\tavatarUrl: data.avatar_url,\n\t\t}\n\t} catch (error) {\n\t\tconsole.error('GitHub user fetch error:', error)\n\t\tthrow error\n\t}\n}\n","/**\n * oauth.do - OAuth authentication SDK and CLI for .do Platform\n *\n * This is the browser-safe entry point.\n * For CLI utilities that open the browser, import from 'oauth.do/cli'\n *\n * @packageDocumentation\n */\n\n// Browser-safe auth utilities\nexport { auth, getUser, login, logout, getToken, isAuthenticated, buildAuthUrl } from './auth.js'\nexport type { AuthProvider } from './auth.js'\nexport { configure, getConfig } from './config.js'\nexport { authorizeDevice, pollForTokens } from './device.js'\n\n// GitHub Device Flow\nexport {\n\tstartGitHubDeviceFlow,\n\tpollGitHubDeviceFlow,\n\tgetGitHubUser,\n} from './github-device.js'\nexport type {\n\tGitHubDeviceFlowOptions,\n\tGitHubDeviceAuthResponse,\n\tGitHubTokenResponse,\n\tGitHubUser,\n} from './github-device.js'\n\n// Storage utilities (browser-safe - uses dynamic imports for Node.js features)\nexport {\n\tFileTokenStorage,\n\tMemoryTokenStorage,\n\tLocalStorageTokenStorage,\n\tSecureFileTokenStorage,\n\tKeychainTokenStorage,\n\tCompositeTokenStorage,\n\tcreateSecureStorage,\n} from './storage.js'\n\n// Types\nexport type {\n\tOAuthConfig,\n\tUser,\n\tAuthResult,\n\tDeviceAuthorizationResponse,\n\tTokenResponse,\n\tTokenError,\n\tTokenStorage,\n} from './types.js'\n\n// Re-export login types only (not functions - they use 'open' package)\nexport type { LoginOptions, LoginResult, OAuthProvider } from './login.js'\n"]}
1
+ {"version":3,"sources":["../src/utils.ts","../src/storage.ts","../src/config.ts","../src/auth.ts","../src/device.ts","../src/github-device.ts","../src/index.ts"],"names":["data","createSecureStorage"],"mappings":";;;;;;;;;;;AAUO,SAAS,OAAO,GAAA,EAAiC;AAEvD,EAAA,IAAK,UAAA,CAAmB,GAAG,CAAA,EAAG,OAAQ,WAAmB,GAAG,CAAA;AAE5D,EAAA,IAAI,OAAO,OAAA,KAAY,WAAA,IAAe,OAAA,CAAQ,GAAA,GAAM,GAAG,CAAA,EAAG,OAAO,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AAChF,EAAA,OAAO,MAAA;AACR;AAhBA,IAAA,UAAA,GAAA,KAAA,CAAA;AAAA,EAAA,cAAA,GAAA;AAAA,EAAA;AAAA,CAAA,CAAA;;;ACAA,IAAA,eAAA,GAAA,EAAA;AAAA,QAAA,CAAA,eAAA,EAAA;AAAA,EAAA,qBAAA,EAAA,MAAA,qBAAA;AAAA,EAAA,gBAAA,EAAA,MAAA,gBAAA;AAAA,EAAA,oBAAA,EAAA,MAAA,oBAAA;AAAA,EAAA,wBAAA,EAAA,MAAA,wBAAA;AAAA,EAAA,kBAAA,EAAA,MAAA,kBAAA;AAAA,EAAA,sBAAA,EAAA,MAAA,sBAAA;AAAA,EAAA,mBAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAUA,SAAS,MAAA,GAAkB;AAC1B,EAAA,OAAO,OAAO,YAAY,WAAA,IACzB,OAAA,CAAQ,YAAY,IAAA,IACpB,OAAA,CAAQ,SAAS,IAAA,IAAQ,IAAA;AAC3B;AA4dO,SAAS,oBAAoB,WAAA,EAAoC;AAEvE,EAAA,IAAI,QAAO,EAAG;AACb,IAAA,OAAO,IAAI,uBAAuB,WAAW,CAAA;AAAA,EAC9C;AAGA,EAAA,IAAI,OAAO,iBAAiB,WAAA,EAAa;AACxC,IAAA,OAAO,IAAI,wBAAA,EAAyB;AAAA,EACrC;AAGA,EAAA,OAAO,IAAI,kBAAA,EAAmB;AAC/B;AAvfA,IAIM,kBACA,gBAAA,CAAA,CAmBO,oBAAA,CAAA,CAwHA,sBAAA,CAAA,CAiJA,gBAAA,CAAA,CAgEA,oBAmBA,wBAAA,CAAA,CA6BA;AAjZb,IAAA,YAAA,GAAA,KAAA,CAAA;AAAA,EAAA,gBAAA,GAAA;AACA,IAAA,UAAA,EAAA;AAGA,IAAM,gBAAA,GAAmB,UAAA;AACzB,IAAM,gBAAA,GAAmB,cAAA;AAmBlB,IAAM,uBAAN,MAAmD;AAAA,MACjD,MAAA,GAAyC,IAAA;AAAA,MACzC,WAAA,GAAc,KAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAMtB,MAAc,SAAA,GAAqD;AAClE,QAAA,IAAI,KAAK,WAAA,EAAa;AACrB,UAAA,OAAO,IAAA,CAAK,MAAA;AAAA,QACb;AAEA,QAAA,IAAA,CAAK,WAAA,GAAc,IAAA;AAEnB,QAAA,IAAI;AAEH,UAAA,MAAM,QAAA,GAAW,MAAM,OAAO,QAAQ,CAAA;AAEtC,UAAA,MAAM,YAAA,GAAgB,SAAiB,OAAA,IAAW,QAAA;AAClD,UAAA,IAAA,CAAK,MAAA,GAAS,YAAA;AAGd,UAAA,IAAI,OAAO,IAAA,CAAK,MAAA,CAAO,WAAA,KAAgB,UAAA,EAAY;AAClD,YAAA,IAAI,MAAA,CAAO,OAAO,CAAA,EAAG;AACpB,cAAA,OAAA,CAAQ,KAAK,yDAAA,EAA2D,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,MAAM,CAAC,CAAA;AAAA,YACjG;AACA,YAAA,IAAA,CAAK,MAAA,GAAS,IAAA;AACd,YAAA,OAAO,IAAA;AAAA,UACR;AAEA,UAAA,OAAO,IAAA,CAAK,MAAA;AAAA,QACb,SAAS,KAAA,EAAO;AAGf,UAAA,IAAI,MAAA,CAAO,OAAO,CAAA,EAAG;AACpB,YAAA,OAAA,CAAQ,IAAA,CAAK,mCAAmC,KAAK,CAAA;AAAA,UACtD;AACA,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,QAAA,GAAmC;AACxC,QAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,EAAU;AACpC,QAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,UAAA,OAAO,IAAA;AAAA,QACR;AAEA,QAAA,IAAI;AACH,UAAA,MAAM,KAAA,GAAQ,MAAM,MAAA,CAAO,WAAA,CAAY,kBAAkB,gBAAgB,CAAA;AACzE,UAAA,OAAO,KAAA;AAAA,QACR,SAAS,KAAA,EAAO;AACf,UAAA,IAAI,MAAA,CAAO,OAAO,CAAA,EAAG;AACpB,YAAA,OAAA,CAAQ,IAAA,CAAK,sCAAsC,KAAK,CAAA;AAAA,UACzD;AACA,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,SAAS,KAAA,EAA8B;AAC5C,QAAA,IAAI;AACH,UAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,EAAU;AACpC,UAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,YAAA,MAAM,IAAI,MAAM,gCAAgC,CAAA;AAAA,UACjD;AAEA,UAAA,MAAM,MAAA,CAAO,WAAA,CAAY,gBAAA,EAAkB,gBAAA,EAAkB,KAAK,CAAA;AAAA,QACnE,SAAS,KAAA,EAAY;AAEpB,UAAA,IAAI,OAAO,IAAA,KAAS,kBAAA,IAAsB,OAAO,OAAA,EAAS,QAAA,CAAS,oBAAoB,CAAA,EAAG;AACzF,YAAA,MAAM,IAAI,MAAM,yDAAyD,CAAA;AAAA,UAC1E;AACA,UAAA,MAAM,IAAI,KAAA,CAAM,CAAA,kCAAA,EAAqC,KAAK,CAAA,CAAE,CAAA;AAAA,QAC7D;AAAA,MACD;AAAA,MAEA,MAAM,WAAA,GAA6B;AAClC,QAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,EAAU;AACpC,QAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,UAAA;AAAA,QACD;AAEA,QAAA,IAAI;AACH,UAAA,MAAM,MAAA,CAAO,cAAA,CAAe,gBAAA,EAAkB,gBAAgB,CAAA;AAAA,QAC/D,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACD;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,WAAA,GAAgC;AACrC,QAAA,IAAI;AACH,UAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,EAAU;AACpC,UAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,YAAA,OAAO,KAAA;AAAA,UACR;AAIA,UAAA,MAAM,MAAA,CAAO,WAAA,CAAY,gBAAA,EAAkB,UAAU,CAAA;AACrD,UAAA,OAAO,IAAA;AAAA,QACR,SAAS,KAAA,EAAO;AACf,UAAA,IAAI,MAAA,CAAO,OAAO,CAAA,EAAG;AACpB,YAAA,OAAA,CAAQ,IAAA,CAAK,2BAA2B,KAAK,CAAA;AAAA,UAC9C;AACA,UAAA,OAAO,KAAA;AAAA,QACR;AAAA,MACD;AAAA,KACD;AAUO,IAAM,yBAAN,MAAqD;AAAA,MACnD,SAAA,GAA2B,IAAA;AAAA,MAC3B,SAAA,GAA2B,IAAA;AAAA,MAC3B,WAAA,GAAc,KAAA;AAAA,MACd,UAAA;AAAA,MAER,YAAY,UAAA,EAAqB;AAChC,QAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,MACnB;AAAA,MAEA,MAAc,IAAA,GAAyB;AACtC,QAAA,IAAI,IAAA,CAAK,WAAA,EAAa,OAAO,IAAA,CAAK,SAAA,KAAc,IAAA;AAChD,QAAA,IAAA,CAAK,WAAA,GAAc,IAAA;AAEnB,QAAA,IAAI,CAAC,MAAA,EAAO,EAAG,OAAO,KAAA;AAEtB,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,IAAI,CAAA;AAC5B,UAAA,MAAM,IAAA,GAAO,MAAM,OAAO,MAAM,CAAA;AAGhC,UAAA,IAAI,KAAK,UAAA,EAAY;AAEpB,YAAA,MAAM,eAAe,IAAA,CAAK,UAAA,CAAW,UAAA,CAAW,IAAI,IACjD,IAAA,CAAK,IAAA,CAAK,EAAA,CAAG,OAAA,IAAW,IAAA,CAAK,UAAA,CAAW,MAAM,CAAC,CAAC,IAChD,IAAA,CAAK,UAAA;AAER,YAAA,IAAA,CAAK,SAAA,GAAY,YAAA;AACjB,YAAA,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,OAAA,CAAQ,YAAY,CAAA;AAAA,UAC3C,CAAA,MAAO;AAEN,YAAA,IAAA,CAAK,YAAY,IAAA,CAAK,IAAA,CAAK,EAAA,CAAG,OAAA,IAAW,WAAW,CAAA;AACpD,YAAA,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,IAAA,CAAK,IAAA,CAAK,WAAW,OAAO,CAAA;AAAA,UACnD;AACA,UAAA,OAAO,IAAA;AAAA,QACR,CAAA,CAAA,MAAQ;AACP,UAAA,OAAO,KAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,QAAA,GAAmC;AAExC,QAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,YAAA,EAAa;AACrC,QAAA,IAAI,IAAA,EAAM;AACT,UAAA,OAAO,IAAA,CAAK,WAAA;AAAA,QACb;AAGA,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,IAAA,MAAW,CAAC,IAAA,CAAK,WAAW,OAAO,IAAA;AAEpD,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,KAAA,GAAQ,MAAM,EAAA,CAAG,IAAA,CAAK,KAAK,SAAS,CAAA;AAC1C,UAAA,MAAM,IAAA,GAAO,MAAM,IAAA,GAAO,GAAA;AAE1B,UAAA,IAAI,IAAA,KAAS,GAAA,IAAS,MAAA,CAAO,OAAO,CAAA,EAAG;AACtC,YAAA,OAAA,CAAQ,IAAA;AAAA,cACP,iDAAiD,IAAA,CAAK,QAAA,CAAS,CAAC,CAAC,CAAA,gCAAA,EAChC,KAAK,SAAS,CAAA;AAAA,aAChD;AAAA,UACD;AAEA,UAAA,MAAM,UAAU,MAAM,EAAA,CAAG,QAAA,CAAS,IAAA,CAAK,WAAW,OAAO,CAAA;AACzD,UAAA,MAAM,OAAA,GAAU,QAAQ,IAAA,EAAK;AAG7B,UAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAG;AAC5B,YAAA,MAAMA,KAAAA,GAAO,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AAC/B,YAAA,OAAOA,KAAAA,CAAK,WAAA;AAAA,UACb;AAEA,UAAA,OAAO,OAAA;AAAA,QACR,CAAA,CAAA,MAAQ;AACP,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,SAAS,KAAA,EAA8B;AAE5C,QAAA,MAAM,KAAK,YAAA,CAAa,EAAE,aAAa,KAAA,CAAM,IAAA,IAAQ,CAAA;AAAA,MACtD;AAAA,MAEA,MAAM,YAAA,GAAgD;AACrD,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,IAAA,MAAW,CAAC,IAAA,CAAK,WAAW,OAAO,IAAA;AAEpD,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,UAAU,MAAM,EAAA,CAAG,QAAA,CAAS,IAAA,CAAK,WAAW,OAAO,CAAA;AACzD,UAAA,MAAM,OAAA,GAAU,QAAQ,IAAA,EAAK;AAG7B,UAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAG;AAC5B,YAAA,OAAO,IAAA,CAAK,MAAM,OAAO,CAAA;AAAA,UAC1B;AAGA,UAAA,OAAO,EAAE,aAAa,OAAA,EAAQ;AAAA,QAC/B,CAAA,CAAA,MAAQ;AACP,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,aAAa,IAAA,EAAsC;AACxD,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,IAAA,EAAK,IAAM,CAAC,IAAA,CAAK,SAAA,IAAa,CAAC,IAAA,CAAK,SAAA,EAAW;AAC/D,UAAA,MAAM,IAAI,MAAM,4BAA4B,CAAA;AAAA,QAC7C;AAEA,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,EAAA,CAAG,MAAM,IAAA,CAAK,SAAA,EAAW,EAAE,SAAA,EAAW,IAAA,EAAM,IAAA,EAAM,GAAA,EAAO,CAAA;AAC/D,UAAA,MAAM,EAAA,CAAG,SAAA,CAAU,IAAA,CAAK,SAAA,EAAW,IAAA,CAAK,SAAA,CAAU,IAAI,CAAA,EAAG,EAAE,QAAA,EAAU,OAAA,EAAS,IAAA,EAAM,KAAO,CAAA;AAC3F,UAAA,MAAM,EAAA,CAAG,KAAA,CAAM,IAAA,CAAK,SAAA,EAAW,GAAK,CAAA;AAAA,QACrC,SAAS,KAAA,EAAO;AACf,UAAA,OAAA,CAAQ,KAAA,CAAM,8BAA8B,KAAK,CAAA;AACjD,UAAA,MAAM,KAAA;AAAA,QACP;AAAA,MACD;AAAA,MAEA,MAAM,WAAA,GAA6B;AAClC,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,MAAK,IAAM,CAAC,KAAK,SAAA,EAAW;AAE7C,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,EAAA,CAAG,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA;AAAA,QAC/B,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACD;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,cAAA,GAAkF;AACvF,QAAA,MAAM,KAAK,IAAA,EAAK;AAChB,QAAA,OAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,QAAQ,IAAA,EAAM,IAAA,EAAM,KAAK,SAAA,EAAU;AAAA,MAC3D;AAAA,KACD;AASO,IAAM,mBAAN,MAA+C;AAAA,MAC7C,SAAA,GAA2B,IAAA;AAAA,MAC3B,SAAA,GAA2B,IAAA;AAAA,MAC3B,WAAA,GAAc,KAAA;AAAA,MAEtB,MAAc,IAAA,GAAyB;AACtC,QAAA,IAAI,IAAA,CAAK,WAAA,EAAa,OAAO,IAAA,CAAK,SAAA,KAAc,IAAA;AAChD,QAAA,IAAA,CAAK,WAAA,GAAc,IAAA;AAEnB,QAAA,IAAI,CAAC,MAAA,EAAO,EAAG,OAAO,KAAA;AAEtB,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,IAAI,CAAA;AAC5B,UAAA,MAAM,IAAA,GAAO,MAAM,OAAO,MAAM,CAAA;AAChC,UAAA,IAAA,CAAK,YAAY,IAAA,CAAK,IAAA,CAAK,EAAA,CAAG,OAAA,IAAW,WAAW,CAAA;AACpD,UAAA,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,IAAA,CAAK,IAAA,CAAK,WAAW,OAAO,CAAA;AAClD,UAAA,OAAO,IAAA;AAAA,QACR,CAAA,CAAA,MAAQ;AACP,UAAA,OAAO,KAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,QAAA,GAAmC;AACxC,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,IAAA,MAAW,CAAC,IAAA,CAAK,WAAW,OAAO,IAAA;AAEpD,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,QAAQ,MAAM,EAAA,CAAG,QAAA,CAAS,IAAA,CAAK,WAAW,OAAO,CAAA;AACvD,UAAA,OAAO,MAAM,IAAA,EAAK;AAAA,QACnB,CAAA,CAAA,MAAQ;AACP,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAAA,MAEA,MAAM,SAAS,KAAA,EAA8B;AAC5C,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,IAAA,EAAK,IAAM,CAAC,IAAA,CAAK,SAAA,IAAa,CAAC,IAAA,CAAK,SAAA,EAAW;AAC/D,UAAA,MAAM,IAAI,MAAM,4BAA4B,CAAA;AAAA,QAC7C;AAEA,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,GAAG,KAAA,CAAM,IAAA,CAAK,WAAW,EAAE,SAAA,EAAW,MAAM,CAAA;AAClD,UAAA,MAAM,EAAA,CAAG,SAAA,CAAU,IAAA,CAAK,SAAA,EAAW,OAAO,OAAO,CAAA;AAAA,QAClD,SAAS,KAAA,EAAO;AACf,UAAA,OAAA,CAAQ,KAAA,CAAM,yBAAyB,KAAK,CAAA;AAC5C,UAAA,MAAM,KAAA;AAAA,QACP;AAAA,MACD;AAAA,MAEA,MAAM,WAAA,GAA6B;AAClC,QAAA,IAAI,CAAE,MAAM,IAAA,CAAK,MAAK,IAAM,CAAC,KAAK,SAAA,EAAW;AAE7C,QAAA,IAAI;AACH,UAAA,MAAM,EAAA,GAAK,MAAM,OAAO,aAAa,CAAA;AACrC,UAAA,MAAM,EAAA,CAAG,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA;AAAA,QAC/B,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACD;AAAA,KACD;AAKO,IAAM,qBAAN,MAAiD;AAAA,MAC/C,KAAA,GAAuB,IAAA;AAAA,MAE/B,MAAM,QAAA,GAAmC;AACxC,QAAA,OAAO,IAAA,CAAK,KAAA;AAAA,MACb;AAAA,MAEA,MAAM,SAAS,KAAA,EAA8B;AAC5C,QAAA,IAAA,CAAK,KAAA,GAAQ,KAAA;AAAA,MACd;AAAA,MAEA,MAAM,WAAA,GAA6B;AAClC,QAAA,IAAA,CAAK,KAAA,GAAQ,IAAA;AAAA,MACd;AAAA,KACD;AAKO,IAAM,2BAAN,MAAuD;AAAA,MACrD,GAAA,GAAM,gBAAA;AAAA,MAEd,MAAM,QAAA,GAAmC;AACxC,QAAA,IAAI,OAAO,iBAAiB,WAAA,EAAa;AACxC,UAAA,OAAO,IAAA;AAAA,QACR;AACA,QAAA,OAAO,YAAA,CAAa,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAA;AAAA,MACrC;AAAA,MAEA,MAAM,SAAS,KAAA,EAA8B;AAC5C,QAAA,IAAI,OAAO,iBAAiB,WAAA,EAAa;AACxC,UAAA,MAAM,IAAI,MAAM,+BAA+B,CAAA;AAAA,QAChD;AACA,QAAA,YAAA,CAAa,OAAA,CAAQ,IAAA,CAAK,GAAA,EAAK,KAAK,CAAA;AAAA,MACrC;AAAA,MAEA,MAAM,WAAA,GAA6B;AAClC,QAAA,IAAI,OAAO,iBAAiB,WAAA,EAAa;AACxC,UAAA;AAAA,QACD;AACA,QAAA,YAAA,CAAa,UAAA,CAAW,KAAK,GAAG,CAAA;AAAA,MACjC;AAAA,KACD;AAMO,IAAM,wBAAN,MAAoD;AAAA,MAClD,eAAA;AAAA,MACA,WAAA;AAAA,MACA,gBAAA,GAAwC,IAAA;AAAA,MAEhD,WAAA,GAAc;AACb,QAAA,IAAA,CAAK,eAAA,GAAkB,IAAI,oBAAA,EAAqB;AAChD,QAAA,IAAA,CAAK,WAAA,GAAc,IAAI,sBAAA,EAAuB;AAAA,MAC/C;AAAA;AAAA;AAAA;AAAA,MAKA,MAAc,mBAAA,GAA6C;AAC1D,QAAA,IAAI,KAAK,gBAAA,EAAkB;AAC1B,UAAA,OAAO,IAAA,CAAK,gBAAA;AAAA,QACb;AAGA,QAAA,IAAI,MAAM,IAAA,CAAK,eAAA,CAAgB,WAAA,EAAY,EAAG;AAC7C,UAAA,IAAA,CAAK,mBAAmB,IAAA,CAAK,eAAA;AAC7B,UAAA,OAAO,IAAA,CAAK,gBAAA;AAAA,QACb;AAGA,QAAA,IAAA,CAAK,mBAAmB,IAAA,CAAK,WAAA;AAC7B,QAAA,OAAO,IAAA,CAAK,gBAAA;AAAA,MACb;AAAA,MAEA,MAAM,QAAA,GAAmC;AAExC,QAAA,MAAM,aAAA,GAAgB,MAAM,IAAA,CAAK,eAAA,CAAgB,QAAA,EAAS;AAC1D,QAAA,IAAI,aAAA,EAAe;AAClB,UAAA,OAAO,aAAA;AAAA,QACR;AAGA,QAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,WAAA,CAAY,QAAA,EAAS;AAClD,QAAA,IAAI,SAAA,EAAW;AAEd,UAAA,IAAI,MAAM,IAAA,CAAK,eAAA,CAAgB,WAAA,EAAY,EAAG;AAC7C,YAAA,IAAI;AACH,cAAA,MAAM,IAAA,CAAK,eAAA,CAAgB,QAAA,CAAS,SAAS,CAAA;AAC7C,cAAA,MAAM,IAAA,CAAK,YAAY,WAAA,EAAY;AACnC,cAAA,IAAI,MAAA,CAAO,OAAO,CAAA,EAAG;AACpB,gBAAA,OAAA,CAAQ,IAAI,sCAAsC,CAAA;AAAA,cACnD;AAAA,YACD,CAAA,CAAA,MAAQ;AAAA,YAER;AAAA,UACD;AACA,UAAA,OAAO,SAAA;AAAA,QACR;AAEA,QAAA,OAAO,IAAA;AAAA,MACR;AAAA,MAEA,MAAM,SAAS,KAAA,EAA8B;AAC5C,QAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,mBAAA,EAAoB;AAC/C,QAAA,MAAM,OAAA,CAAQ,SAAS,KAAK,CAAA;AAAA,MAC7B;AAAA,MAEA,MAAM,WAAA,GAA6B;AAElC,QAAA,MAAM,OAAA,CAAQ,GAAA,CAAI,CAAC,IAAA,CAAK,eAAA,CAAgB,WAAA,EAAY,EAAG,IAAA,CAAK,WAAA,CAAY,WAAA,EAAa,CAAC,CAAA;AAAA,MACvF;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,cAAA,GAA0E;AAC/E,QAAA,IAAI,MAAM,IAAA,CAAK,eAAA,CAAgB,WAAA,EAAY,EAAG;AAC7C,UAAA,OAAO,EAAE,IAAA,EAAM,UAAA,EAAY,MAAA,EAAQ,IAAA,EAAK;AAAA,QACzC;AACA,QAAA,OAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAA,EAAQ,IAAA,EAAK;AAAA,MACrC;AAAA,KACD;AAAA,EAAA;AAAA,CAAA,CAAA;;;AC5dA,UAAA,EAAA;AAMA,IAAI,YAAA,GAA8F;AAAA,EACjG,QAAQ,MAAA,CAAO,eAAe,CAAA,IAAK,MAAA,CAAO,SAAS,CAAA,IAAK,iBAAA;AAAA,EACxD,QAAA,EAAU,MAAA,CAAO,iBAAiB,CAAA,IAAK,mCAAA;AAAA,EACvC,aAAA,EAAe,MAAA,CAAO,sBAAsB,CAAA,IAAK,gBAAA;AAAA,EACjD,OAAO,UAAA,CAAW,KAAA;AAAA,EAClB,WAAA,EAAa,OAAO,oBAAoB;AACzC,CAAA;AAKO,SAAS,UAAU,MAAA,EAA2B;AACpD,EAAA,YAAA,GAAe;AAAA,IACd,GAAG,YAAA;AAAA,IACH,GAAG;AAAA,GACJ;AACD;AAKO,SAAS,SAAA,GAA2F;AAC1G,EAAA,OAAO,YAAA;AACR;;;AC7BA,UAAA,EAAA;AAQA,eAAe,cAAc,KAAA,EAAwC;AACpE,EAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AACnB,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AACtC,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,OAAQ,KAAA,CAAc,QAAQ,UAAA,EAAY;AAC1E,IAAA,OAAO,MAAO,MAAc,GAAA,EAAI;AAAA,EACjC;AACA,EAAA,OAAO,IAAA;AACR;AASA,eAAsB,QAAQ,KAAA,EAAqC;AAClE,EAAA,MAAM,SAAS,SAAA,EAAU;AACzB,EAAA,MAAM,SAAA,GAAY,KAAA,IAAS,MAAA,CAAO,UAAU,CAAA,IAAK,EAAA;AAEjD,EAAA,IAAI,CAAC,SAAA,EAAW;AACf,IAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AAAA,EACrB;AAEA,EAAA,IAAI;AACH,IAAA,MAAM,WAAW,MAAM,MAAA,CAAO,MAAM,CAAA,EAAG,MAAA,CAAO,MAAM,CAAA,GAAA,CAAA,EAAO;AAAA,MAC1D,MAAA,EAAQ,KAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACR,eAAA,EAAiB,UAAU,SAAS,CAAA,CAAA;AAAA,QACpC,cAAA,EAAgB;AAAA;AACjB,KACA,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,MAAA,IAAI,QAAA,CAAS,WAAW,GAAA,EAAK;AAC5B,QAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AAAA,MACrB;AACA,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,QAAA,CAAS,UAAU,CAAA,CAAE,CAAA;AAAA,IAChE;AAEA,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,SAAA,EAAU;AAAA,EACjC,SAAS,KAAA,EAAO;AACf,IAAA,OAAA,CAAQ,KAAA,CAAM,eAAe,KAAK,CAAA;AAClC,IAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AAAA,EACrB;AACD;AASA,eAAsB,MAAM,WAAA,EAIJ;AACvB,EAAA,MAAM,SAAS,SAAA,EAAU;AAEzB,EAAA,IAAI;AACH,IAAA,MAAM,WAAW,MAAM,MAAA,CAAO,MAAM,CAAA,EAAG,MAAA,CAAO,MAAM,CAAA,MAAA,CAAA,EAAU;AAAA,MAC7D,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACR,cAAA,EAAgB;AAAA,OACjB;AAAA,MACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,WAAW;AAAA,KAChC,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,cAAA,EAAiB,QAAA,CAAS,UAAU,CAAA,CAAE,CAAA;AAAA,IACvD;AAEA,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,IAAA,OAAO,EAAE,IAAA,EAAM,IAAA,CAAK,IAAA,EAAM,KAAA,EAAO,KAAK,KAAA,EAAM;AAAA,EAC7C,SAAS,KAAA,EAAO;AACf,IAAA,OAAA,CAAQ,KAAA,CAAM,gBAAgB,KAAK,CAAA;AACnC,IAAA,MAAM,KAAA;AAAA,EACP;AACD;AAQA,eAAsB,OAAO,KAAA,EAA+B;AAC3D,EAAA,MAAM,SAAS,SAAA,EAAU;AACzB,EAAA,MAAM,SAAA,GAAY,KAAA,IAAS,MAAA,CAAO,UAAU,CAAA,IAAK,EAAA;AAEjD,EAAA,IAAI,CAAC,SAAA,EAAW;AACf,IAAA;AAAA,EACD;AAEA,EAAA,IAAI;AACH,IAAA,MAAM,WAAW,MAAM,MAAA,CAAO,MAAM,CAAA,EAAG,MAAA,CAAO,MAAM,CAAA,OAAA,CAAA,EAAW;AAAA,MAC9D,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACR,eAAA,EAAiB,UAAU,SAAS,CAAA,CAAA;AAAA,QACpC,cAAA,EAAgB;AAAA;AACjB,KACA,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,MAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,gBAAA,EAAmB,QAAA,CAAS,UAAU,CAAA,CAAE,CAAA;AAAA,IACtD;AAAA,EACD,SAAS,KAAA,EAAO;AACf,IAAA,OAAA,CAAQ,KAAA,CAAM,iBAAiB,KAAK,CAAA;AAAA,EACrC;AACD;AAGA,IAAM,iBAAA,GAAoB,IAAI,EAAA,GAAK,GAAA;AAKnC,SAAS,eAAe,SAAA,EAA6B;AACpD,EAAA,IAAI,CAAC,WAAW,OAAO,KAAA;AACvB,EAAA,OAAO,IAAA,CAAK,GAAA,EAAI,IAAK,SAAA,GAAY,iBAAA;AAClC;AAaA,eAAsB,QAAA,GAAmC;AAExD,EAAA,MAAM,UAAA,GAAa,OAAO,gBAAgB,CAAA;AAC1C,EAAA,IAAI,YAAY,OAAO,UAAA;AACvB,EAAA,MAAM,OAAA,GAAU,OAAO,UAAU,CAAA;AACjC,EAAA,IAAI,SAAS,OAAO,OAAA;AAIpB,EAAA,IAAI;AAEH,IAAA,MAAM,EAAE,GAAA,EAAI,GAAI,MAAM,OAAO,oBAAoB,CAAA;AAEjD,IAAA,MAAM,YAAA,GAAe,MAAM,aAAA,CAAe,GAAA,CAAY,cAAc,CAAA;AACpE,IAAA,IAAI,cAAc,OAAO,YAAA;AAEzB,IAAA,MAAM,OAAA,GAAU,MAAM,aAAA,CAAe,GAAA,CAAY,QAAQ,CAAA;AACzD,IAAA,IAAI,SAAS,OAAO,OAAA;AAAA,EACrB,CAAA,CAAA,MAAQ;AAAA,EAER;AAGA,EAAA,IAAI;AACH,IAAA,MAAM,EAAE,mBAAA,EAAAC,oBAAAA,EAAoB,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,YAAA,EAAA,EAAA,eAAA,CAAA,CAAA;AACtC,IAAA,MAAM,SAAS,SAAA,EAAU;AACzB,IAAA,MAAM,OAAA,GAAUA,oBAAAA,CAAoB,MAAA,CAAO,WAAW,CAAA;AAGtD,IAAA,MAAM,YAAY,OAAA,CAAQ,YAAA,GAAe,MAAM,OAAA,CAAQ,cAAa,GAAI,IAAA;AAExE,IAAA,IAAI,SAAA,EAAW;AAEd,MAAA,IAAI,CAAC,cAAA,CAAe,SAAA,CAAU,SAAS,CAAA,EAAG;AACzC,QAAA,OAAO,SAAA,CAAU,WAAA;AAAA,MAClB;AAGA,MAAA,IAAI,UAAU,YAAA,EAAc;AAC3B,QAAA,IAAI;AACH,UAAA,MAAM,SAAA,GAAY,MAAM,kBAAA,CAAmB,SAAA,CAAU,YAAY,CAAA;AAGjE,UAAA,MAAM,SAAA,GAAY,UAAU,UAAA,GACzB,IAAA,CAAK,KAAI,GAAI,SAAA,CAAU,aAAa,GAAA,GACpC,KAAA,CAAA;AAGH,UAAA,MAAM,OAAA,GAA2B;AAAA,YAChC,aAAa,SAAA,CAAU,YAAA;AAAA,YACvB,YAAA,EAAc,SAAA,CAAU,aAAA,IAAiB,SAAA,CAAU,YAAA;AAAA,YACnD;AAAA,WACD;AAEA,UAAA,IAAI,QAAQ,YAAA,EAAc;AACzB,YAAA,MAAM,OAAA,CAAQ,aAAa,OAAO,CAAA;AAAA,UACnC,CAAA,MAAO;AACN,YAAA,MAAM,OAAA,CAAQ,QAAA,CAAS,SAAA,CAAU,YAAY,CAAA;AAAA,UAC9C;AAEA,UAAA,OAAO,SAAA,CAAU,YAAA;AAAA,QAClB,CAAA,CAAA,MAAQ;AAEP,UAAA,OAAO,IAAA;AAAA,QACR;AAAA,MACD;AAGA,MAAA,OAAO,IAAA;AAAA,IACR;AAGA,IAAA,OAAO,MAAM,QAAQ,QAAA,EAAS;AAAA,EAC/B,CAAA,CAAA,MAAQ;AAEP,IAAA,OAAO,IAAA;AAAA,EACR;AACD;AAKA,eAAsB,gBAAgB,KAAA,EAAkC;AACvE,EAAA,MAAM,MAAA,GAAS,MAAM,OAAA,CAAQ,KAAK,CAAA;AAClC,EAAA,OAAO,OAAO,IAAA,KAAS,IAAA;AACxB;AAgBO,SAAS,IAAA,GAAqB;AACpC,EAAA,OAAO,QAAA;AACR;AAQA,eAAsB,mBAAmB,YAAA,EAA8C;AACtF,EAAA,MAAM,SAAS,SAAA,EAAU;AAEzB,EAAA,IAAI,CAAC,OAAO,QAAA,EAAU;AACrB,IAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,EAC1D;AAEA,EAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,KAAA,CAAM,mDAAA,EAAqD;AAAA,IACxF,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS;AAAA,MACR,cAAA,EAAgB;AAAA,KACjB;AAAA,IACA,IAAA,EAAM,IAAI,eAAA,CAAgB;AAAA,MACzB,UAAA,EAAY,eAAA;AAAA,MACZ,aAAA,EAAe,YAAA;AAAA,MACf,WAAW,MAAA,CAAO;AAAA,KAClB,EAAE,QAAA;AAAS,GACZ,CAAA;AAED,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,IAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,sBAAA,EAAyB,SAAS,MAAM,CAAA,GAAA,EAAM,SAAS,CAAA,CAAE,CAAA;AAAA,EAC1E;AAEA,EAAA,OAAQ,MAAM,SAAS,IAAA,EAAK;AAC7B;AAiDO,SAAS,aAAa,OAAA,EAOlB;AACV,EAAA,MAAM,SAAS,SAAA,EAAU;AACzB,EAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,QAAA,IAAY,MAAA,CAAO,QAAA;AAC5C,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,UAAA,IAAc,MAAA,CAAO,aAAA;AAEhD,EAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB;AAAA,IAClC,SAAA,EAAW,QAAA;AAAA,IACX,cAAc,OAAA,CAAQ,WAAA;AAAA,IACtB,aAAA,EAAe,QAAQ,YAAA,IAAgB,MAAA;AAAA,IACvC,KAAA,EAAO,QAAQ,KAAA,IAAS;AAAA,GACxB,CAAA;AAED,EAAA,IAAI,QAAQ,KAAA,EAAO;AAClB,IAAA,MAAA,CAAO,GAAA,CAAI,OAAA,EAAS,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClC;AAEA,EAAA,OAAO,CAAA,QAAA,EAAW,UAAU,CAAA,WAAA,EAAc,MAAA,CAAO,UAAU,CAAA,CAAA;AAC5D;;;AC7UA,eAAsB,eAAA,CAAgB,OAAA,GAA6B,EAAC,EAAyC;AAC5G,EAAA,MAAM,SAAS,SAAA,EAAU;AAEzB,EAAA,IAAI,CAAC,OAAO,QAAA,EAAU;AACrB,IAAA,MAAM,IAAI,MAAM,uGAAuG,CAAA;AAAA,EACxH;AAEA,EAAA,IAAI;AACH,IAAA,MAAM,GAAA,GAAM,uDAAA;AACZ,IAAA,MAAM,IAAA,GAAO,IAAI,eAAA,CAAgB;AAAA,MAChC,WAAW,MAAA,CAAO,QAAA;AAAA,MAClB,KAAA,EAAO;AAAA,KACP,CAAA;AAGD,IAAA,IAAI,QAAQ,QAAA,EAAU;AACrB,MAAA,IAAA,CAAK,GAAA,CAAI,UAAA,EAAY,OAAA,CAAQ,QAAQ,CAAA;AAAA,IACtC;AAEA,IAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,KAAA,CAAM,GAAA,EAAK;AAAA,MACxC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACR,cAAA,EAAgB;AAAA,OACjB;AAAA,MACA,IAAA,EAAM,KAAK,QAAA;AAAS,KACpB,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,MAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,SAAS,UAAU,CAAA,GAAA,EAAM,SAAS,CAAA,CAAE,CAAA;AAAA,IACrF;AAEA,IAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,IAAA,OAAO,IAAA;AAAA,EACR,SAAS,KAAA,EAAO;AACf,IAAA,OAAA,CAAQ,KAAA,CAAM,+BAA+B,KAAK,CAAA;AAClD,IAAA,MAAM,KAAA;AAAA,EACP;AACD;AAUA,eAAsB,aAAA,CACrB,UAAA,EACA,QAAA,GAAmB,CAAA,EACnB,YAAoB,GAAA,EACK;AACzB,EAAA,MAAM,SAAS,SAAA,EAAU;AAEzB,EAAA,IAAI,CAAC,OAAO,QAAA,EAAU;AACrB,IAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,EAC1D;AAEA,EAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAC3B,EAAA,MAAM,UAAU,SAAA,GAAY,GAAA;AAC5B,EAAA,IAAI,kBAAkB,QAAA,GAAW,GAAA;AAEjC,EAAA,OAAO,IAAA,EAAM;AAEZ,IAAA,IAAI,IAAA,CAAK,GAAA,EAAI,GAAI,SAAA,GAAY,OAAA,EAAS;AACrC,MAAA,MAAM,IAAI,MAAM,iDAAiD,CAAA;AAAA,IAClE;AAGA,IAAA,MAAM,IAAI,OAAA,CAAQ,CAAC,YAAY,UAAA,CAAW,OAAA,EAAS,eAAe,CAAC,CAAA;AAEnE,IAAA,IAAI;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,KAAA,CAAM,mDAAA,EAAqD;AAAA,QACxF,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACR,cAAA,EAAgB;AAAA,SACjB;AAAA,QACA,IAAA,EAAM,IAAI,eAAA,CAAgB;AAAA,UACzB,UAAA,EAAY,8CAAA;AAAA,UACZ,WAAA,EAAa,UAAA;AAAA,UACb,WAAW,MAAA,CAAO;AAAA,SAClB,EAAE,QAAA;AAAS,OACZ,CAAA;AAED,MAAA,IAAI,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,QAAA,OAAO,IAAA;AAAA,MACR;AAGA,MAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,EAAK,CAAE,MAAM,OAAO,EAAE,KAAA,EAAO,SAAA,EAAU,CAAE,CAAA;AAC3E,MAAA,MAAM,KAAA,GAAS,UAAU,KAAA,IAAS,SAAA;AAElC,MAAA,QAAQ,KAAA;AAAO,QACd,KAAK,uBAAA;AAEJ,UAAA;AAAA,QAED,KAAK,WAAA;AAEJ,UAAA,eAAA,IAAmB,GAAA;AACnB,UAAA;AAAA,QAED,KAAK,eAAA;AACJ,UAAA,MAAM,IAAI,MAAM,uBAAuB,CAAA;AAAA,QAExC,KAAK,eAAA;AACJ,UAAA,MAAM,IAAI,MAAM,qBAAqB,CAAA;AAAA,QAEtC;AACC,UAAA,MAAM,IAAI,KAAA,CAAM,CAAA,sBAAA,EAAyB,KAAK,CAAA,CAAE,CAAA;AAAA;AAClD,IACD,SAAS,KAAA,EAAO;AAEf,MAAA,IAAI,iBAAiB,KAAA,EAAO;AAC3B,QAAA,MAAM,KAAA;AAAA,MACP;AAEA,MAAA;AAAA,IACD;AAAA,EACD;AACD;;;ACpEA,eAAsB,sBACrB,OAAA,EACoC;AACpC,EAAA,MAAM,EAAE,QAAA,EAAU,KAAA,GAAQ,sBAAA,EAAuB,GAAI,OAAA;AACrD,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,KAAA,IAAS,UAAA,CAAW,KAAA;AAE9C,EAAA,IAAI,CAAC,QAAA,EAAU;AACd,IAAA,MAAM,IAAI,MAAM,uDAAuD,CAAA;AAAA,EACxE;AAEA,EAAA,IAAI;AACH,IAAA,MAAM,GAAA,GAAM,sCAAA;AACZ,IAAA,MAAM,IAAA,GAAO,IAAI,eAAA,CAAgB;AAAA,MAChC,SAAA,EAAW,QAAA;AAAA,MACX;AAAA,KACA,CAAA;AAED,IAAA,MAAM,QAAA,GAAW,MAAM,SAAA,CAAU,GAAA,EAAK;AAAA,MACrC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACR,cAAA,EAAgB,mCAAA;AAAA,QAChB,QAAA,EAAU;AAAA,OACX;AAAA,MACA;AAAA,KACA,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,MAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,oCAAA,EAAuC,SAAS,UAAU,CAAA,GAAA,EAAM,SAAS,CAAA,CAAE,CAAA;AAAA,IAC5F;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAQjC,IAAA,OAAO;AAAA,MACN,YAAY,IAAA,CAAK,WAAA;AAAA,MACjB,UAAU,IAAA,CAAK,SAAA;AAAA,MACf,iBAAiB,IAAA,CAAK,gBAAA;AAAA,MACtB,WAAW,IAAA,CAAK,UAAA;AAAA,MAChB,UAAU,IAAA,CAAK;AAAA,KAChB;AAAA,EACD,SAAS,KAAA,EAAO;AACf,IAAA,OAAA,CAAQ,KAAA,CAAM,sCAAsC,KAAK,CAAA;AACzD,IAAA,MAAM,KAAA;AAAA,EACP;AACD;AAwBA,eAAsB,oBAAA,CACrB,YACA,OAAA,EAC+B;AAC/B,EAAA,MAAM,EAAE,QAAA,EAAU,QAAA,GAAW,CAAA,EAAG,SAAA,GAAY,KAAI,GAAI,OAAA;AACpD,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,KAAA,IAAS,UAAA,CAAW,KAAA;AAE9C,EAAA,IAAI,CAAC,QAAA,EAAU;AACd,IAAA,MAAM,IAAI,MAAM,gDAAgD,CAAA;AAAA,EACjE;AAEA,EAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAC3B,EAAA,MAAM,UAAU,SAAA,GAAY,GAAA;AAC5B,EAAA,IAAI,kBAAkB,QAAA,GAAW,GAAA;AAEjC,EAAA,OAAO,IAAA,EAAM;AAEZ,IAAA,IAAI,IAAA,CAAK,GAAA,EAAI,GAAI,SAAA,GAAY,OAAA,EAAS;AACrC,MAAA,MAAM,IAAI,MAAM,wDAAwD,CAAA;AAAA,IACzE;AAGA,IAAA,MAAM,IAAI,OAAA,CAAQ,CAAC,YAAY,UAAA,CAAW,OAAA,EAAS,eAAe,CAAC,CAAA;AAEnE,IAAA,IAAI;AACH,MAAA,MAAM,GAAA,GAAM,6CAAA;AACZ,MAAA,MAAM,IAAA,GAAO,IAAI,eAAA,CAAgB;AAAA,QAChC,SAAA,EAAW,QAAA;AAAA,QACX,WAAA,EAAa,UAAA;AAAA,QACb,UAAA,EAAY;AAAA,OACZ,CAAA;AAED,MAAA,MAAM,QAAA,GAAW,MAAM,SAAA,CAAU,GAAA,EAAK;AAAA,QACrC,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACR,cAAA,EAAgB,mCAAA;AAAA,UAChB,QAAA,EAAU;AAAA,SACX;AAAA,QACA;AAAA,OACA,CAAA;AAED,MAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAKjC,MAAA,IAAI,kBAAkB,IAAA,EAAM;AAC3B,QAAA,OAAO;AAAA,UACN,aAAa,IAAA,CAAK,YAAA;AAAA,UAClB,WAAW,IAAA,CAAK,UAAA;AAAA,UAChB,OAAO,IAAA,CAAK;AAAA,SACb;AAAA,MACD;AAGA,MAAA,MAAM,KAAA,GAAS,KAAK,KAAA,IAAS,SAAA;AAE7B,MAAA,QAAQ,KAAA;AAAO,QACd,KAAK,uBAAA;AAEJ,UAAA;AAAA,QAED,KAAK,WAAA;AAEJ,UAAA,eAAA,IAAmB,GAAA;AACnB,UAAA;AAAA,QAED,KAAK,eAAA;AACJ,UAAA,MAAM,IAAI,MAAM,uBAAuB,CAAA;AAAA,QAExC,KAAK,eAAA;AACJ,UAAA,MAAM,IAAI,MAAM,qBAAqB,CAAA;AAAA,QAEtC;AACC,UAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,KAAK,CAAA,CAAE,CAAA;AAAA;AACzD,IACD,SAAS,KAAA,EAAO;AAEf,MAAA,IAAI,iBAAiB,KAAA,EAAO;AAC3B,QAAA,MAAM,KAAA;AAAA,MACP;AAEA,MAAA;AAAA,IACD;AAAA,EACD;AACD;AAiBA,eAAsB,aAAA,CACrB,WAAA,EACA,OAAA,GAAoC,EAAC,EACf;AACtB,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,KAAA,IAAS,UAAA,CAAW,KAAA;AAE9C,EAAA,IAAI,CAAC,WAAA,EAAa;AACjB,IAAA,MAAM,IAAI,MAAM,iCAAiC,CAAA;AAAA,EAClD;AAEA,EAAA,IAAI;AACH,IAAA,MAAM,QAAA,GAAW,MAAM,SAAA,CAAU,6BAAA,EAA+B;AAAA,MAC/D,MAAA,EAAQ,KAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACR,eAAA,EAAiB,UAAU,WAAW,CAAA,CAAA;AAAA,QACtC,QAAA,EAAU,6BAAA;AAAA,QACV,sBAAA,EAAwB;AAAA;AACzB,KACA,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,MAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,0BAAA,EAA6B,SAAS,UAAU,CAAA,GAAA,EAAM,SAAS,CAAA,CAAE,CAAA;AAAA,IAClF;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAQjC,IAAA,OAAO;AAAA,MACN,IAAI,IAAA,CAAK,EAAA;AAAA,MACT,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,WAAW,IAAA,CAAK;AAAA,KACjB;AAAA,EACD,SAAS,KAAA,EAAO;AACf,IAAA,OAAA,CAAQ,KAAA,CAAM,4BAA4B,KAAK,CAAA;AAC/C,IAAA,MAAM,KAAA;AAAA,EACP;AACD;;;AC1QA,YAAA,EAAA","file":"index.js","sourcesContent":["/**\n * Safe environment variable access (works in Node, browser, and Workers)\n *\n * Checks in order:\n * 1. globalThis (Cloudflare Workers legacy)\n * 2. process.env (Node.js)\n *\n * @param key - The environment variable key to look up\n * @returns The environment variable value or undefined if not found\n */\nexport function getEnv(key: string): string | undefined {\n\t// Check globalThis first (Workers)\n\tif ((globalThis as any)[key]) return (globalThis as any)[key]\n\t// Check process.env (Node.js)\n\tif (typeof process !== 'undefined' && process.env?.[key]) return process.env[key]\n\treturn undefined\n}\n","import type { TokenStorage, StoredTokenData } from './types.js'\nimport { getEnv } from './utils.js'\n\n// Keychain service and account identifiers\nconst KEYCHAIN_SERVICE = 'oauth.do'\nconst KEYCHAIN_ACCOUNT = 'access_token'\n\n/**\n * Check if we're running in a Node.js environment\n */\nfunction isNode(): boolean {\n\treturn typeof process !== 'undefined' &&\n\t\tprocess.versions != null &&\n\t\tprocess.versions.node != null\n}\n\n/**\n * Keychain-based token storage using OS credential manager\n * - macOS: Keychain\n * - Windows: Credential Manager\n * - Linux: Secret Service (libsecret)\n *\n * This is the most secure option for CLI token storage.\n */\nexport class KeychainTokenStorage implements TokenStorage {\n\tprivate keytar: typeof import('keytar') | null = null\n\tprivate initialized = false\n\n\t/**\n\t * Lazily load keytar module\n\t * Returns null if keytar is not available (e.g., missing native dependencies)\n\t */\n\tprivate async getKeytar(): Promise<typeof import('keytar') | null> {\n\t\tif (this.initialized) {\n\t\t\treturn this.keytar\n\t\t}\n\n\t\tthis.initialized = true\n\n\t\ttry {\n\t\t\t// Dynamic import to handle cases where keytar native module isn't available\n\t\t\tconst imported = await import('keytar')\n\t\t\t// Handle ESM/CJS interop - keytar is CommonJS, so functions may be on .default\n\t\t\tconst keytarModule = (imported as any).default || imported\n\t\t\tthis.keytar = keytarModule as typeof import('keytar')\n\n\t\t\t// Verify the module loaded correctly by checking for expected function\n\t\t\tif (typeof this.keytar.getPassword !== 'function') {\n\t\t\t\tif (getEnv('DEBUG')) {\n\t\t\t\t\tconsole.warn('Keytar module loaded but getPassword is not a function:', Object.keys(this.keytar))\n\t\t\t\t}\n\t\t\t\tthis.keytar = null\n\t\t\t\treturn null\n\t\t\t}\n\n\t\t\treturn this.keytar\n\t\t} catch (error) {\n\t\t\t// keytar requires native dependencies that may not be available\n\t\t\t// Fall back gracefully\n\t\t\tif (getEnv('DEBUG')) {\n\t\t\t\tconsole.warn('Keychain storage not available:', error)\n\t\t\t}\n\t\t\treturn null\n\t\t}\n\t}\n\n\tasync getToken(): Promise<string | null> {\n\t\tconst keytar = await this.getKeytar()\n\t\tif (!keytar) {\n\t\t\treturn null\n\t\t}\n\n\t\ttry {\n\t\t\tconst token = await keytar.getPassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT)\n\t\t\treturn token\n\t\t} catch (error) {\n\t\t\tif (getEnv('DEBUG')) {\n\t\t\t\tconsole.warn('Failed to get token from keychain:', error)\n\t\t\t}\n\t\t\treturn null\n\t\t}\n\t}\n\n\tasync setToken(token: string): Promise<void> {\n\t\ttry {\n\t\t\tconst keytar = await this.getKeytar()\n\t\t\tif (!keytar) {\n\t\t\t\tthrow new Error('Keychain storage not available')\n\t\t\t}\n\n\t\t\tawait keytar.setPassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT, token)\n\t\t} catch (error: any) {\n\t\t\t// Check if this is a native module error vs an actual keychain error\n\t\t\tif (error?.code === 'MODULE_NOT_FOUND' || error?.message?.includes('Cannot find module')) {\n\t\t\t\tthrow new Error('Keychain storage not available: native module not built')\n\t\t\t}\n\t\t\tthrow new Error(`Failed to save token to keychain: ${error}`)\n\t\t}\n\t}\n\n\tasync removeToken(): Promise<void> {\n\t\tconst keytar = await this.getKeytar()\n\t\tif (!keytar) {\n\t\t\treturn\n\t\t}\n\n\t\ttry {\n\t\t\tawait keytar.deletePassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT)\n\t\t} catch {\n\t\t\t// Ignore errors if credential doesn't exist\n\t\t}\n\t}\n\n\t/**\n\t * Check if keychain storage is available on this system\n\t */\n\tasync isAvailable(): Promise<boolean> {\n\t\ttry {\n\t\t\tconst keytar = await this.getKeytar()\n\t\t\tif (!keytar) {\n\t\t\t\treturn false\n\t\t\t}\n\n\t\t\t// Try a read operation to verify keychain access\n\t\t\t// This will throw if native module is not built\n\t\t\tawait keytar.getPassword(KEYCHAIN_SERVICE, '__test__')\n\t\t\treturn true\n\t\t} catch (error) {\n\t\t\tif (getEnv('DEBUG')) {\n\t\t\t\tconsole.warn('Keychain not available:', error)\n\t\t\t}\n\t\t\treturn false\n\t\t}\n\t}\n}\n\n/**\n * Secure file-based token storage for CLI\n * Stores token in ~/.oauth.do/token with restricted permissions (0600)\n *\n * This is the default storage for Node.js CLI because it doesn't require\n * GUI authorization popups like the keychain does on macOS.\n * Only works in Node.js environment.\n */\nexport class SecureFileTokenStorage implements TokenStorage {\n\tprivate tokenPath: string | null = null\n\tprivate configDir: string | null = null\n\tprivate initialized = false\n\tprivate customPath?: string\n\n\tconstructor(customPath?: string) {\n\t\tthis.customPath = customPath\n\t}\n\n\tprivate async init(): Promise<boolean> {\n\t\tif (this.initialized) return this.tokenPath !== null\n\t\tthis.initialized = true\n\n\t\tif (!isNode()) return false\n\n\t\ttry {\n\t\t\tconst os = await import('os')\n\t\t\tconst path = await import('path')\n\n\t\t\t// Use custom path if provided\n\t\t\tif (this.customPath) {\n\t\t\t\t// Expand ~ to home directory\n\t\t\t\tconst expandedPath = this.customPath.startsWith('~/')\n\t\t\t\t\t? path.join(os.homedir(), this.customPath.slice(2))\n\t\t\t\t\t: this.customPath\n\n\t\t\t\tthis.tokenPath = expandedPath\n\t\t\t\tthis.configDir = path.dirname(expandedPath)\n\t\t\t} else {\n\t\t\t\t// Default path\n\t\t\t\tthis.configDir = path.join(os.homedir(), '.oauth.do')\n\t\t\t\tthis.tokenPath = path.join(this.configDir, 'token')\n\t\t\t}\n\t\t\treturn true\n\t\t} catch {\n\t\t\treturn false\n\t\t}\n\t}\n\n\tasync getToken(): Promise<string | null> {\n\t\t// Try to get from token data first (new format)\n\t\tconst data = await this.getTokenData()\n\t\tif (data) {\n\t\t\treturn data.accessToken\n\t\t}\n\n\t\t// Fall back to legacy plain text format\n\t\tif (!(await this.init()) || !this.tokenPath) return null\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tconst stats = await fs.stat(this.tokenPath)\n\t\t\tconst mode = stats.mode & 0o777\n\n\t\t\tif (mode !== 0o600 && getEnv('DEBUG')) {\n\t\t\t\tconsole.warn(\n\t\t\t\t\t`Warning: Token file has insecure permissions (${mode.toString(8)}). ` +\n\t\t\t\t\t\t`Expected 600. Run: chmod 600 ${this.tokenPath}`\n\t\t\t\t)\n\t\t\t}\n\n\t\t\tconst content = await fs.readFile(this.tokenPath, 'utf-8')\n\t\t\tconst trimmed = content.trim()\n\n\t\t\t// Check if it's JSON (new format) or plain token (legacy)\n\t\t\tif (trimmed.startsWith('{')) {\n\t\t\t\tconst data = JSON.parse(trimmed) as StoredTokenData\n\t\t\t\treturn data.accessToken\n\t\t\t}\n\n\t\t\treturn trimmed\n\t\t} catch {\n\t\t\treturn null\n\t\t}\n\t}\n\n\tasync setToken(token: string): Promise<void> {\n\t\t// Store as token data for consistency, trimming whitespace\n\t\tawait this.setTokenData({ accessToken: token.trim() })\n\t}\n\n\tasync getTokenData(): Promise<StoredTokenData | null> {\n\t\tif (!(await this.init()) || !this.tokenPath) return null\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tconst content = await fs.readFile(this.tokenPath, 'utf-8')\n\t\t\tconst trimmed = content.trim()\n\n\t\t\t// Check if it's JSON format\n\t\t\tif (trimmed.startsWith('{')) {\n\t\t\t\treturn JSON.parse(trimmed) as StoredTokenData\n\t\t\t}\n\n\t\t\t// Legacy plain text format - convert to token data\n\t\t\treturn { accessToken: trimmed }\n\t\t} catch {\n\t\t\treturn null\n\t\t}\n\t}\n\n\tasync setTokenData(data: StoredTokenData): Promise<void> {\n\t\tif (!(await this.init()) || !this.tokenPath || !this.configDir) {\n\t\t\tthrow new Error('File storage not available')\n\t\t}\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tawait fs.mkdir(this.configDir, { recursive: true, mode: 0o700 })\n\t\t\tawait fs.writeFile(this.tokenPath, JSON.stringify(data), { encoding: 'utf-8', mode: 0o600 })\n\t\t\tawait fs.chmod(this.tokenPath, 0o600)\n\t\t} catch (error) {\n\t\t\tconsole.error('Failed to save token data:', error)\n\t\t\tthrow error\n\t\t}\n\t}\n\n\tasync removeToken(): Promise<void> {\n\t\tif (!(await this.init()) || !this.tokenPath) return\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tawait fs.unlink(this.tokenPath)\n\t\t} catch {\n\t\t\t// Ignore errors if file doesn't exist\n\t\t}\n\t}\n\n\t/**\n\t * Get information about the storage backend\n\t */\n\tasync getStorageInfo(): Promise<{ type: 'file'; secure: boolean; path: string | null }> {\n\t\tawait this.init()\n\t\treturn { type: 'file', secure: true, path: this.tokenPath }\n\t}\n}\n\n/**\n * File-based token storage for CLI (legacy, less secure)\n * Stores token in ~/.oauth.do/token\n * Only works in Node.js environment.\n *\n * @deprecated Use SecureFileTokenStorage or KeychainTokenStorage instead\n */\nexport class FileTokenStorage implements TokenStorage {\n\tprivate tokenPath: string | null = null\n\tprivate configDir: string | null = null\n\tprivate initialized = false\n\n\tprivate async init(): Promise<boolean> {\n\t\tif (this.initialized) return this.tokenPath !== null\n\t\tthis.initialized = true\n\n\t\tif (!isNode()) return false\n\n\t\ttry {\n\t\t\tconst os = await import('os')\n\t\t\tconst path = await import('path')\n\t\t\tthis.configDir = path.join(os.homedir(), '.oauth.do')\n\t\t\tthis.tokenPath = path.join(this.configDir, 'token')\n\t\t\treturn true\n\t\t} catch {\n\t\t\treturn false\n\t\t}\n\t}\n\n\tasync getToken(): Promise<string | null> {\n\t\tif (!(await this.init()) || !this.tokenPath) return null\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tconst token = await fs.readFile(this.tokenPath, 'utf-8')\n\t\t\treturn token.trim()\n\t\t} catch {\n\t\t\treturn null\n\t\t}\n\t}\n\n\tasync setToken(token: string): Promise<void> {\n\t\tif (!(await this.init()) || !this.tokenPath || !this.configDir) {\n\t\t\tthrow new Error('File storage not available')\n\t\t}\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tawait fs.mkdir(this.configDir, { recursive: true })\n\t\t\tawait fs.writeFile(this.tokenPath, token, 'utf-8')\n\t\t} catch (error) {\n\t\t\tconsole.error('Failed to save token:', error)\n\t\t\tthrow error\n\t\t}\n\t}\n\n\tasync removeToken(): Promise<void> {\n\t\tif (!(await this.init()) || !this.tokenPath) return\n\n\t\ttry {\n\t\t\tconst fs = await import('fs/promises')\n\t\t\tawait fs.unlink(this.tokenPath)\n\t\t} catch {\n\t\t\t// Ignore errors if file doesn't exist\n\t\t}\n\t}\n}\n\n/**\n * In-memory token storage (for browser or testing)\n */\nexport class MemoryTokenStorage implements TokenStorage {\n\tprivate token: string | null = null\n\n\tasync getToken(): Promise<string | null> {\n\t\treturn this.token\n\t}\n\n\tasync setToken(token: string): Promise<void> {\n\t\tthis.token = token\n\t}\n\n\tasync removeToken(): Promise<void> {\n\t\tthis.token = null\n\t}\n}\n\n/**\n * LocalStorage-based token storage (for browser)\n */\nexport class LocalStorageTokenStorage implements TokenStorage {\n\tprivate key = 'oauth.do:token'\n\n\tasync getToken(): Promise<string | null> {\n\t\tif (typeof localStorage === 'undefined') {\n\t\t\treturn null\n\t\t}\n\t\treturn localStorage.getItem(this.key)\n\t}\n\n\tasync setToken(token: string): Promise<void> {\n\t\tif (typeof localStorage === 'undefined') {\n\t\t\tthrow new Error('localStorage is not available')\n\t\t}\n\t\tlocalStorage.setItem(this.key, token)\n\t}\n\n\tasync removeToken(): Promise<void> {\n\t\tif (typeof localStorage === 'undefined') {\n\t\t\treturn\n\t\t}\n\t\tlocalStorage.removeItem(this.key)\n\t}\n}\n\n/**\n * Composite token storage that tries multiple storage backends\n * Attempts keychain first, then falls back to secure file storage\n */\nexport class CompositeTokenStorage implements TokenStorage {\n\tprivate keychainStorage: KeychainTokenStorage\n\tprivate fileStorage: SecureFileTokenStorage\n\tprivate preferredStorage: TokenStorage | null = null\n\n\tconstructor() {\n\t\tthis.keychainStorage = new KeychainTokenStorage()\n\t\tthis.fileStorage = new SecureFileTokenStorage()\n\t}\n\n\t/**\n\t * Determine the best available storage backend\n\t */\n\tprivate async getPreferredStorage(): Promise<TokenStorage> {\n\t\tif (this.preferredStorage) {\n\t\t\treturn this.preferredStorage\n\t\t}\n\n\t\t// Try keychain first\n\t\tif (await this.keychainStorage.isAvailable()) {\n\t\t\tthis.preferredStorage = this.keychainStorage\n\t\t\treturn this.preferredStorage\n\t\t}\n\n\t\t// Fall back to secure file storage\n\t\tthis.preferredStorage = this.fileStorage\n\t\treturn this.preferredStorage\n\t}\n\n\tasync getToken(): Promise<string | null> {\n\t\t// First, check keychain\n\t\tconst keychainToken = await this.keychainStorage.getToken()\n\t\tif (keychainToken) {\n\t\t\treturn keychainToken\n\t\t}\n\n\t\t// Fall back to file storage (for migration from old installations)\n\t\tconst fileToken = await this.fileStorage.getToken()\n\t\tif (fileToken) {\n\t\t\t// Migrate token to keychain if available\n\t\t\tif (await this.keychainStorage.isAvailable()) {\n\t\t\t\ttry {\n\t\t\t\t\tawait this.keychainStorage.setToken(fileToken)\n\t\t\t\t\tawait this.fileStorage.removeToken()\n\t\t\t\t\tif (getEnv('DEBUG')) {\n\t\t\t\t\t\tconsole.log('Migrated token from file to keychain')\n\t\t\t\t\t}\n\t\t\t\t} catch {\n\t\t\t\t\t// Continue with file token if migration fails\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn fileToken\n\t\t}\n\n\t\treturn null\n\t}\n\n\tasync setToken(token: string): Promise<void> {\n\t\tconst storage = await this.getPreferredStorage()\n\t\tawait storage.setToken(token)\n\t}\n\n\tasync removeToken(): Promise<void> {\n\t\t// Remove from both storages to ensure complete logout\n\t\tawait Promise.all([this.keychainStorage.removeToken(), this.fileStorage.removeToken()])\n\t}\n\n\t/**\n\t * Get information about the current storage backend\n\t */\n\tasync getStorageInfo(): Promise<{ type: 'keychain' | 'file'; secure: boolean }> {\n\t\tif (await this.keychainStorage.isAvailable()) {\n\t\t\treturn { type: 'keychain', secure: true }\n\t\t}\n\t\treturn { type: 'file', secure: true }\n\t}\n}\n\n/**\n * Create the default token storage\n * - Node.js: Uses secure file storage (~/.oauth.do/token with 0600 permissions)\n * - Browser: Uses localStorage\n * - Worker: Uses in-memory storage (tokens should be passed via env bindings)\n *\n * Note: We use file storage by default because keychain storage on macOS\n * requires GUI authorization popups, which breaks automation and agent workflows.\n *\n * @param storagePath - Optional custom path for token storage (e.g., '~/.studio/tokens.json')\n */\nexport function createSecureStorage(storagePath?: string): TokenStorage {\n\t// Node.js - use secure file storage (no keychain popups)\n\tif (isNode()) {\n\t\treturn new SecureFileTokenStorage(storagePath)\n\t}\n\n\t// Browser - use localStorage\n\tif (typeof localStorage !== 'undefined') {\n\t\treturn new LocalStorageTokenStorage()\n\t}\n\n\t// Workers/other - use memory storage\n\treturn new MemoryTokenStorage()\n}\n","import type { OAuthConfig } from './types.js'\nimport { getEnv } from './utils.js'\n\n/**\n * Global OAuth configuration\n * Note: storagePath is optional and may be undefined\n */\nlet globalConfig: Omit<Required<OAuthConfig>, 'storagePath'> & Pick<OAuthConfig, 'storagePath'> = {\n\tapiUrl: getEnv('OAUTH_API_URL') || getEnv('API_URL') || 'https://apis.do',\n\tclientId: getEnv('OAUTH_CLIENT_ID') || 'client_01JQYTRXK9ZPD8JPJTKDCRB656',\n\tauthKitDomain: getEnv('OAUTH_AUTHKIT_DOMAIN') || 'login.oauth.do',\n\tfetch: globalThis.fetch,\n\tstoragePath: getEnv('OAUTH_STORAGE_PATH'),\n}\n\n/**\n * Configure OAuth settings\n */\nexport function configure(config: OAuthConfig): void {\n\tglobalConfig = {\n\t\t...globalConfig,\n\t\t...config,\n\t}\n}\n\n/**\n * Get current configuration\n */\nexport function getConfig(): Omit<Required<OAuthConfig>, 'storagePath'> & Pick<OAuthConfig, 'storagePath'> {\n\treturn globalConfig\n}\n","import { getConfig } from './config.js'\nimport { getEnv } from './utils.js'\nimport type { User, AuthResult, TokenResponse, StoredTokenData } from './types.js'\n\n/**\n * Resolve a secret that could be a plain string or a secrets store binding\n * Secrets store bindings have a .get() method that returns a Promise<string>\n * @see https://developers.cloudflare.com/workers/configuration/secrets/#secrets-store\n */\nasync function resolveSecret(value: unknown): Promise<string | null> {\n\tif (!value) return null\n\tif (typeof value === 'string') return value\n\tif (typeof value === 'object' && typeof (value as any).get === 'function') {\n\t\treturn await (value as any).get()\n\t}\n\treturn null\n}\n\n/**\n * Get current authenticated user\n * Calls GET /me endpoint\n *\n * @param token - Optional authentication token (will use DO_TOKEN env var if not provided)\n * @returns Authentication result with user info or null if not authenticated\n */\nexport async function getUser(token?: string): Promise<AuthResult> {\n\tconst config = getConfig()\n\tconst authToken = token || getEnv('DO_TOKEN') || ''\n\n\tif (!authToken) {\n\t\treturn { user: null }\n\t}\n\n\ttry {\n\t\tconst response = await config.fetch(`${config.apiUrl}/me`, {\n\t\t\tmethod: 'GET',\n\t\t\theaders: {\n\t\t\t\t'Authorization': `Bearer ${authToken}`,\n\t\t\t\t'Content-Type': 'application/json',\n\t\t\t},\n\t\t})\n\n\t\tif (!response.ok) {\n\t\t\tif (response.status === 401) {\n\t\t\t\treturn { user: null }\n\t\t\t}\n\t\t\tthrow new Error(`Authentication failed: ${response.statusText}`)\n\t\t}\n\n\t\tconst user = (await response.json()) as User\n\t\treturn { user, token: authToken }\n\t} catch (error) {\n\t\tconsole.error('Auth error:', error)\n\t\treturn { user: null }\n\t}\n}\n\n/**\n * Initiate login flow\n * Calls POST /login endpoint\n *\n * @param credentials - Login credentials (email, password, etc.)\n * @returns Authentication result with user info and token\n */\nexport async function login(credentials: {\n\temail?: string\n\tpassword?: string\n\t[key: string]: any\n}): Promise<AuthResult> {\n\tconst config = getConfig()\n\n\ttry {\n\t\tconst response = await config.fetch(`${config.apiUrl}/login`, {\n\t\t\tmethod: 'POST',\n\t\t\theaders: {\n\t\t\t\t'Content-Type': 'application/json',\n\t\t\t},\n\t\t\tbody: JSON.stringify(credentials),\n\t\t})\n\n\t\tif (!response.ok) {\n\t\t\tthrow new Error(`Login failed: ${response.statusText}`)\n\t\t}\n\n\t\tconst data = (await response.json()) as { user: User; token: string }\n\t\treturn { user: data.user, token: data.token }\n\t} catch (error) {\n\t\tconsole.error('Login error:', error)\n\t\tthrow error\n\t}\n}\n\n/**\n * Logout current user\n * Calls POST /logout endpoint\n *\n * @param token - Optional authentication token (will use DO_TOKEN env var if not provided)\n */\nexport async function logout(token?: string): Promise<void> {\n\tconst config = getConfig()\n\tconst authToken = token || getEnv('DO_TOKEN') || ''\n\n\tif (!authToken) {\n\t\treturn\n\t}\n\n\ttry {\n\t\tconst response = await config.fetch(`${config.apiUrl}/logout`, {\n\t\t\tmethod: 'POST',\n\t\t\theaders: {\n\t\t\t\t'Authorization': `Bearer ${authToken}`,\n\t\t\t\t'Content-Type': 'application/json',\n\t\t\t},\n\t\t})\n\n\t\tif (!response.ok) {\n\t\t\tconsole.warn(`Logout warning: ${response.statusText}`)\n\t\t}\n\t} catch (error) {\n\t\tconsole.error('Logout error:', error)\n\t}\n}\n\n// Buffer time before expiration to trigger refresh (5 minutes)\nconst REFRESH_BUFFER_MS = 5 * 60 * 1000\n\n/**\n * Check if token is expired or about to expire\n */\nfunction isTokenExpired(expiresAt?: number): boolean {\n\tif (!expiresAt) return false // Can't determine, assume valid\n\treturn Date.now() >= expiresAt - REFRESH_BUFFER_MS\n}\n\n/**\n * Get token from environment or stored credentials\n *\n * Checks in order:\n * 1. globalThis.DO_ADMIN_TOKEN / DO_TOKEN (Workers legacy)\n * 2. process.env.DO_ADMIN_TOKEN / DO_TOKEN (Node.js)\n * 3. cloudflare:workers env import (Workers 2025+) - supports secrets store bindings\n * 4. Stored token (keychain/secure file) - with automatic refresh if expired\n *\n * @see https://developers.cloudflare.com/changelog/2025-03-17-importable-env/\n */\nexport async function getToken(): Promise<string | null> {\n\t// Check env vars first (globalThis for Workers legacy, process.env for Node)\n\tconst adminToken = getEnv('DO_ADMIN_TOKEN')\n\tif (adminToken) return adminToken\n\tconst doToken = getEnv('DO_TOKEN')\n\tif (doToken) return doToken\n\n\t// Try cloudflare:workers env import (Workers 2025+)\n\t// Supports both plain strings and secrets store bindings\n\ttry {\n\t\t// @ts-ignore - cloudflare:workers only available in Workers runtime\n\t\tconst { env } = await import('cloudflare:workers')\n\n\t\tconst cfAdminToken = await resolveSecret((env as any).DO_ADMIN_TOKEN)\n\t\tif (cfAdminToken) return cfAdminToken\n\n\t\tconst cfToken = await resolveSecret((env as any).DO_TOKEN)\n\t\tif (cfToken) return cfToken\n\t} catch {\n\t\t// Not in Workers environment or env not available\n\t}\n\n\t// Try stored token (Node.js only - uses keychain/file storage)\n\ttry {\n\t\tconst { createSecureStorage } = await import('./storage.js')\n\t\tconst config = getConfig()\n\t\tconst storage = createSecureStorage(config.storagePath)\n\n\t\t// Get full token data if available\n\t\tconst tokenData = storage.getTokenData ? await storage.getTokenData() : null\n\n\t\tif (tokenData) {\n\t\t\t// If token is not expired, return it\n\t\t\tif (!isTokenExpired(tokenData.expiresAt)) {\n\t\t\t\treturn tokenData.accessToken\n\t\t\t}\n\n\t\t\t// Token is expired - try to refresh if we have a refresh token\n\t\t\tif (tokenData.refreshToken) {\n\t\t\t\ttry {\n\t\t\t\t\tconst newTokens = await refreshAccessToken(tokenData.refreshToken)\n\n\t\t\t\t\t// Calculate new expiration time\n\t\t\t\t\tconst expiresAt = newTokens.expires_in\n\t\t\t\t\t\t? Date.now() + newTokens.expires_in * 1000\n\t\t\t\t\t\t: undefined\n\n\t\t\t\t\t// Store new token data\n\t\t\t\t\tconst newData: StoredTokenData = {\n\t\t\t\t\t\taccessToken: newTokens.access_token,\n\t\t\t\t\t\trefreshToken: newTokens.refresh_token || tokenData.refreshToken,\n\t\t\t\t\t\texpiresAt,\n\t\t\t\t\t}\n\n\t\t\t\t\tif (storage.setTokenData) {\n\t\t\t\t\t\tawait storage.setTokenData(newData)\n\t\t\t\t\t} else {\n\t\t\t\t\t\tawait storage.setToken(newTokens.access_token)\n\t\t\t\t\t}\n\n\t\t\t\t\treturn newTokens.access_token\n\t\t\t\t} catch {\n\t\t\t\t\t// Refresh failed - return null (caller should re-authenticate)\n\t\t\t\t\treturn null\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Expired but no refresh token - return null\n\t\t\treturn null\n\t\t}\n\n\t\t// Fall back to simple token storage (no expiration tracking)\n\t\treturn await storage.getToken()\n\t} catch {\n\t\t// Storage not available (browser/worker) - return null\n\t\treturn null\n\t}\n}\n\n/**\n * Check if user is authenticated (has valid token)\n */\nexport async function isAuthenticated(token?: string): Promise<boolean> {\n\tconst result = await getUser(token)\n\treturn result.user !== null\n}\n\n/**\n * Auth provider function type for HTTP clients\n */\nexport type AuthProvider = () => string | null | undefined | Promise<string | null | undefined>\n\n/**\n * Create an auth provider function for HTTP clients (apis.do, rpc.do)\n * Returns a function that resolves to a token string\n *\n * @example\n * import { auth } from 'oauth.do'\n * const getAuth = auth()\n * const token = await getAuth()\n */\nexport function auth(): AuthProvider {\n\treturn getToken\n}\n\n/**\n * Refresh an access token using a refresh token\n *\n * @param refreshToken - The refresh token from the original auth response\n * @returns New token response with fresh access_token (and possibly new refresh_token)\n */\nexport async function refreshAccessToken(refreshToken: string): Promise<TokenResponse> {\n\tconst config = getConfig()\n\n\tif (!config.clientId) {\n\t\tthrow new Error('Client ID is required for token refresh')\n\t}\n\n\tconst response = await config.fetch('https://auth.apis.do/user_management/authenticate', {\n\t\tmethod: 'POST',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/x-www-form-urlencoded',\n\t\t},\n\t\tbody: new URLSearchParams({\n\t\t\tgrant_type: 'refresh_token',\n\t\t\trefresh_token: refreshToken,\n\t\t\tclient_id: config.clientId,\n\t\t}).toString(),\n\t})\n\n\tif (!response.ok) {\n\t\tconst errorText = await response.text()\n\t\tthrow new Error(`Token refresh failed: ${response.status} - ${errorText}`)\n\t}\n\n\treturn (await response.json()) as TokenResponse\n}\n\n/**\n * Get stored token data from storage\n */\nexport async function getStoredTokenData(): Promise<StoredTokenData | null> {\n\ttry {\n\t\tconst { createSecureStorage } = await import('./storage.js')\n\t\tconst config = getConfig()\n\t\tconst storage = createSecureStorage(config.storagePath)\n\t\tif (storage.getTokenData) {\n\t\t\treturn await storage.getTokenData()\n\t\t}\n\t\t// Fall back to just access token\n\t\tconst token = await storage.getToken()\n\t\treturn token ? { accessToken: token } : null\n\t} catch {\n\t\treturn null\n\t}\n}\n\n/**\n * Store token data including refresh token\n */\nexport async function storeTokenData(data: StoredTokenData): Promise<void> {\n\ttry {\n\t\tconst { createSecureStorage } = await import('./storage.js')\n\t\tconst config = getConfig()\n\t\tconst storage = createSecureStorage(config.storagePath)\n\t\tif (storage.setTokenData) {\n\t\t\tawait storage.setTokenData(data)\n\t\t} else {\n\t\t\tawait storage.setToken(data.accessToken)\n\t\t}\n\t} catch (error) {\n\t\tconsole.error('Failed to store token data:', error)\n\t\tthrow error\n\t}\n}\n\n/**\n * Build OAuth authorization URL\n *\n * @example\n * const url = buildAuthUrl({\n * redirectUri: 'https://myapp.com/callback',\n * scope: 'openid profile email',\n * })\n */\nexport function buildAuthUrl(options: {\n\tredirectUri: string\n\tscope?: string\n\tstate?: string\n\tresponseType?: string\n\tclientId?: string\n\tauthDomain?: string\n}): string {\n\tconst config = getConfig()\n\tconst clientId = options.clientId || config.clientId\n\tconst authDomain = options.authDomain || config.authKitDomain\n\n\tconst params = new URLSearchParams({\n\t\tclient_id: clientId,\n\t\tredirect_uri: options.redirectUri,\n\t\tresponse_type: options.responseType || 'code',\n\t\tscope: options.scope || 'openid profile email',\n\t})\n\n\tif (options.state) {\n\t\tparams.set('state', options.state)\n\t}\n\n\treturn `https://${authDomain}/authorize?${params.toString()}`\n}\n","import { getConfig } from './config.js'\nimport type { DeviceAuthorizationResponse, TokenResponse, TokenError } from './types.js'\n\n/**\n * OAuth provider options for direct provider login\n * Bypasses AuthKit login screen and goes directly to the provider\n */\nexport type OAuthProvider = 'GitHubOAuth' | 'GoogleOAuth' | 'MicrosoftOAuth' | 'AppleOAuth'\n\nexport interface DeviceAuthOptions {\n\t/** OAuth provider to use directly (bypasses AuthKit login screen) */\n\tprovider?: OAuthProvider\n}\n\n/**\n * Initiate device authorization flow\n * Following OAuth 2.0 Device Authorization Grant (RFC 8628)\n *\n * @param options - Optional settings including provider for direct OAuth\n * @returns Device authorization response with codes and URIs\n */\nexport async function authorizeDevice(options: DeviceAuthOptions = {}): Promise<DeviceAuthorizationResponse> {\n\tconst config = getConfig()\n\n\tif (!config.clientId) {\n\t\tthrow new Error('Client ID is required for device authorization. Set OAUTH_CLIENT_ID or configure({ clientId: \"...\" })')\n\t}\n\n\ttry {\n\t\tconst url = 'https://auth.apis.do/user_management/authorize/device'\n\t\tconst body = new URLSearchParams({\n\t\t\tclient_id: config.clientId,\n\t\t\tscope: 'openid profile email',\n\t\t})\n\n\t\t// Add provider if specified (bypasses AuthKit login screen)\n\t\tif (options.provider) {\n\t\t\tbody.set('provider', options.provider)\n\t\t}\n\n\t\tconst response = await config.fetch(url, {\n\t\t\tmethod: 'POST',\n\t\t\theaders: {\n\t\t\t\t'Content-Type': 'application/x-www-form-urlencoded',\n\t\t\t},\n\t\t\tbody: body.toString(),\n\t\t})\n\n\t\tif (!response.ok) {\n\t\t\tconst errorText = await response.text()\n\t\t\tthrow new Error(`Device authorization failed: ${response.statusText} - ${errorText}`)\n\t\t}\n\n\t\tconst data = (await response.json()) as DeviceAuthorizationResponse\n\t\treturn data\n\t} catch (error) {\n\t\tconsole.error('Device authorization error:', error)\n\t\tthrow error\n\t}\n}\n\n/**\n * Poll for tokens after device authorization\n *\n * @param deviceCode - Device code from authorization response\n * @param interval - Polling interval in seconds (default: 5)\n * @param expiresIn - Expiration time in seconds (default: 600)\n * @returns Token response with access token and user info\n */\nexport async function pollForTokens(\n\tdeviceCode: string,\n\tinterval: number = 5,\n\texpiresIn: number = 600\n): Promise<TokenResponse> {\n\tconst config = getConfig()\n\n\tif (!config.clientId) {\n\t\tthrow new Error('Client ID is required for token polling')\n\t}\n\n\tconst startTime = Date.now()\n\tconst timeout = expiresIn * 1000\n\tlet currentInterval = interval * 1000\n\n\twhile (true) {\n\t\t// Check if expired\n\t\tif (Date.now() - startTime > timeout) {\n\t\t\tthrow new Error('Device authorization expired. Please try again.')\n\t\t}\n\n\t\t// Wait for interval\n\t\tawait new Promise((resolve) => setTimeout(resolve, currentInterval))\n\n\t\ttry {\n\t\t\tconst response = await config.fetch('https://auth.apis.do/user_management/authenticate', {\n\t\t\t\tmethod: 'POST',\n\t\t\t\theaders: {\n\t\t\t\t\t'Content-Type': 'application/x-www-form-urlencoded',\n\t\t\t\t},\n\t\t\t\tbody: new URLSearchParams({\n\t\t\t\t\tgrant_type: 'urn:ietf:params:oauth:grant-type:device_code',\n\t\t\t\t\tdevice_code: deviceCode,\n\t\t\t\t\tclient_id: config.clientId,\n\t\t\t\t}).toString(),\n\t\t\t})\n\n\t\t\tif (response.ok) {\n\t\t\t\tconst data = (await response.json()) as TokenResponse\n\t\t\t\treturn data\n\t\t\t}\n\n\t\t\t// Handle error responses\n\t\t\tconst errorData = (await response.json().catch(() => ({ error: 'unknown' }))) as { error?: string }\n\t\t\tconst error = (errorData.error || 'unknown') as TokenError\n\n\t\t\tswitch (error) {\n\t\t\t\tcase 'authorization_pending':\n\t\t\t\t\t// Continue polling\n\t\t\t\t\tcontinue\n\n\t\t\t\tcase 'slow_down':\n\t\t\t\t\t// Increase interval by 5 seconds\n\t\t\t\t\tcurrentInterval += 5000\n\t\t\t\t\tcontinue\n\n\t\t\t\tcase 'access_denied':\n\t\t\t\t\tthrow new Error('Access denied by user')\n\n\t\t\t\tcase 'expired_token':\n\t\t\t\t\tthrow new Error('Device code expired')\n\n\t\t\t\tdefault:\n\t\t\t\t\tthrow new Error(`Token polling failed: ${error}`)\n\t\t\t}\n\t\t} catch (error) {\n\t\t\t// If it's our thrown error, re-throw it\n\t\t\tif (error instanceof Error) {\n\t\t\t\tthrow error\n\t\t\t}\n\t\t\t// Otherwise continue polling\n\t\t\tcontinue\n\t\t}\n\t}\n}\n","/**\n * GitHub Device Flow implementation\n * Following OAuth 2.0 Device Authorization Grant (RFC 8628)\n * https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow\n */\n\nexport interface GitHubDeviceFlowOptions {\n\t/** GitHub OAuth App client ID */\n\tclientId: string\n\t/** OAuth scopes (default: 'user:email read:user') */\n\tscope?: string\n\t/** Custom fetch implementation */\n\tfetch?: typeof fetch\n}\n\nexport interface GitHubDeviceAuthResponse {\n\t/** Device verification code */\n\tdeviceCode: string\n\t/** User verification code to display */\n\tuserCode: string\n\t/** Verification URI for user to visit */\n\tverificationUri: string\n\t/** Expiration time in seconds */\n\texpiresIn: number\n\t/** Polling interval in seconds */\n\tinterval: number\n}\n\nexport interface GitHubTokenResponse {\n\t/** Access token for GitHub API */\n\taccessToken: string\n\t/** Token type (typically 'bearer') */\n\ttokenType: string\n\t/** Granted scopes */\n\tscope: string\n}\n\nexport interface GitHubUser {\n\t/** Numeric GitHub user ID (critical for sqid generation) */\n\tid: number\n\t/** GitHub username */\n\tlogin: string\n\t/** User's email (may be null if not public) */\n\temail: string | null\n\t/** User's display name */\n\tname: string | null\n\t/** Avatar image URL */\n\tavatarUrl: string\n}\n\ntype GitHubTokenError =\n\t| 'authorization_pending'\n\t| 'slow_down'\n\t| 'expired_token'\n\t| 'access_denied'\n\t| 'unknown'\n\n/**\n * Start GitHub Device Flow\n *\n * Initiates device authorization flow by requesting device and user codes.\n *\n * @param options - Client ID, scope, and optional custom fetch\n * @returns Device authorization response with codes and URIs\n *\n * @example\n * ```ts\n * const auth = await startGitHubDeviceFlow({\n * clientId: 'Ov23liABCDEFGHIJKLMN',\n * scope: 'user:email read:user'\n * })\n *\n * console.log(`Visit ${auth.verificationUri} and enter code: ${auth.userCode}`)\n * ```\n */\nexport async function startGitHubDeviceFlow(\n\toptions: GitHubDeviceFlowOptions\n): Promise<GitHubDeviceAuthResponse> {\n\tconst { clientId, scope = 'user:email read:user' } = options\n\tconst fetchImpl = options.fetch || globalThis.fetch\n\n\tif (!clientId) {\n\t\tthrow new Error('GitHub client ID is required for device authorization')\n\t}\n\n\ttry {\n\t\tconst url = 'https://github.com/login/device/code'\n\t\tconst body = new URLSearchParams({\n\t\t\tclient_id: clientId,\n\t\t\tscope,\n\t\t})\n\n\t\tconst response = await fetchImpl(url, {\n\t\t\tmethod: 'POST',\n\t\t\theaders: {\n\t\t\t\t'Content-Type': 'application/x-www-form-urlencoded',\n\t\t\t\t'Accept': 'application/json',\n\t\t\t},\n\t\t\tbody,\n\t\t})\n\n\t\tif (!response.ok) {\n\t\t\tconst errorText = await response.text()\n\t\t\tthrow new Error(`GitHub device authorization failed: ${response.statusText} - ${errorText}`)\n\t\t}\n\n\t\tconst data = await response.json() as {\n\t\t\tdevice_code: string\n\t\t\tuser_code: string\n\t\t\tverification_uri: string\n\t\t\texpires_in: number\n\t\t\tinterval: number\n\t\t}\n\n\t\treturn {\n\t\t\tdeviceCode: data.device_code,\n\t\t\tuserCode: data.user_code,\n\t\t\tverificationUri: data.verification_uri,\n\t\t\texpiresIn: data.expires_in,\n\t\t\tinterval: data.interval,\n\t\t}\n\t} catch (error) {\n\t\tconsole.error('GitHub device authorization error:', error)\n\t\tthrow error\n\t}\n}\n\n/**\n * Poll GitHub Device Flow for access token\n *\n * Polls GitHub's token endpoint until user completes authorization.\n * Handles all error states including authorization_pending, slow_down, etc.\n *\n * @param deviceCode - Device code from startGitHubDeviceFlow\n * @param options - Client ID and optional custom fetch\n * @returns Token response with access token\n *\n * @example\n * ```ts\n * const auth = await startGitHubDeviceFlow({ clientId: '...' })\n * // User completes authorization...\n * const token = await pollGitHubDeviceFlow(auth.deviceCode, {\n * clientId: '...',\n * interval: auth.interval,\n * expiresIn: auth.expiresIn\n * })\n * console.log('Access token:', token.accessToken)\n * ```\n */\nexport async function pollGitHubDeviceFlow(\n\tdeviceCode: string,\n\toptions: GitHubDeviceFlowOptions & { interval?: number; expiresIn?: number }\n): Promise<GitHubTokenResponse> {\n\tconst { clientId, interval = 5, expiresIn = 900 } = options\n\tconst fetchImpl = options.fetch || globalThis.fetch\n\n\tif (!clientId) {\n\t\tthrow new Error('GitHub client ID is required for token polling')\n\t}\n\n\tconst startTime = Date.now()\n\tconst timeout = expiresIn * 1000\n\tlet currentInterval = interval * 1000\n\n\twhile (true) {\n\t\t// Check if expired\n\t\tif (Date.now() - startTime > timeout) {\n\t\t\tthrow new Error('GitHub device authorization expired. Please try again.')\n\t\t}\n\n\t\t// Wait for interval\n\t\tawait new Promise((resolve) => setTimeout(resolve, currentInterval))\n\n\t\ttry {\n\t\t\tconst url = 'https://github.com/login/oauth/access_token'\n\t\t\tconst body = new URLSearchParams({\n\t\t\t\tclient_id: clientId,\n\t\t\t\tdevice_code: deviceCode,\n\t\t\t\tgrant_type: 'urn:ietf:params:oauth:grant-type:device_code',\n\t\t\t})\n\n\t\t\tconst response = await fetchImpl(url, {\n\t\t\t\tmethod: 'POST',\n\t\t\t\theaders: {\n\t\t\t\t\t'Content-Type': 'application/x-www-form-urlencoded',\n\t\t\t\t\t'Accept': 'application/json',\n\t\t\t\t},\n\t\t\t\tbody,\n\t\t\t})\n\n\t\t\tconst data = await response.json() as\n\t\t\t\t| { access_token: string; token_type: string; scope: string }\n\t\t\t\t| { error: string; error_description?: string; error_uri?: string }\n\n\t\t\t// Check for success\n\t\t\tif ('access_token' in data) {\n\t\t\t\treturn {\n\t\t\t\t\taccessToken: data.access_token,\n\t\t\t\t\ttokenType: data.token_type,\n\t\t\t\t\tscope: data.scope,\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Handle error responses\n\t\t\tconst error = (data.error || 'unknown') as GitHubTokenError\n\n\t\t\tswitch (error) {\n\t\t\t\tcase 'authorization_pending':\n\t\t\t\t\t// Continue polling\n\t\t\t\t\tcontinue\n\n\t\t\t\tcase 'slow_down':\n\t\t\t\t\t// Increase interval by 5 seconds\n\t\t\t\t\tcurrentInterval += 5000\n\t\t\t\t\tcontinue\n\n\t\t\t\tcase 'access_denied':\n\t\t\t\t\tthrow new Error('Access denied by user')\n\n\t\t\t\tcase 'expired_token':\n\t\t\t\t\tthrow new Error('Device code expired')\n\n\t\t\t\tdefault:\n\t\t\t\t\tthrow new Error(`GitHub token polling failed: ${error}`)\n\t\t\t}\n\t\t} catch (error) {\n\t\t\t// If it's our thrown error, re-throw it\n\t\t\tif (error instanceof Error) {\n\t\t\t\tthrow error\n\t\t\t}\n\t\t\t// Otherwise continue polling\n\t\t\tcontinue\n\t\t}\n\t}\n}\n\n/**\n * Get GitHub user information\n *\n * Fetches authenticated user's profile from GitHub API.\n *\n * @param accessToken - GitHub access token\n * @param options - Optional custom fetch implementation\n * @returns GitHub user profile\n *\n * @example\n * ```ts\n * const user = await getGitHubUser(token.accessToken)\n * console.log(`Logged in as ${user.login} (ID: ${user.id})`)\n * ```\n */\nexport async function getGitHubUser(\n\taccessToken: string,\n\toptions: { fetch?: typeof fetch } = {}\n): Promise<GitHubUser> {\n\tconst fetchImpl = options.fetch || globalThis.fetch\n\n\tif (!accessToken) {\n\t\tthrow new Error('GitHub access token is required')\n\t}\n\n\ttry {\n\t\tconst response = await fetchImpl('https://api.github.com/user', {\n\t\t\tmethod: 'GET',\n\t\t\theaders: {\n\t\t\t\t'Authorization': `Bearer ${accessToken}`,\n\t\t\t\t'Accept': 'application/vnd.github+json',\n\t\t\t\t'X-GitHub-Api-Version': '2022-11-28',\n\t\t\t},\n\t\t})\n\n\t\tif (!response.ok) {\n\t\t\tconst errorText = await response.text()\n\t\t\tthrow new Error(`GitHub user fetch failed: ${response.statusText} - ${errorText}`)\n\t\t}\n\n\t\tconst data = await response.json() as {\n\t\t\tid: number\n\t\t\tlogin: string\n\t\t\temail: string | null\n\t\t\tname: string | null\n\t\t\tavatar_url: string\n\t\t}\n\n\t\treturn {\n\t\t\tid: data.id,\n\t\t\tlogin: data.login,\n\t\t\temail: data.email,\n\t\t\tname: data.name,\n\t\t\tavatarUrl: data.avatar_url,\n\t\t}\n\t} catch (error) {\n\t\tconsole.error('GitHub user fetch error:', error)\n\t\tthrow error\n\t}\n}\n","/**\n * oauth.do - Simple, secure authentication for humans and AI agents\n *\n * This is the browser-safe entry point with universal functions.\n * For Node.js CLI utilities that open the browser, import from 'oauth.do/node'\n *\n * @packageDocumentation\n */\n\n// Browser-safe auth utilities\nexport { auth, getUser, login, logout, getToken, isAuthenticated, buildAuthUrl } from './auth.js'\nexport type { AuthProvider } from './auth.js'\nexport { configure, getConfig } from './config.js'\nexport { authorizeDevice, pollForTokens } from './device.js'\n\n// GitHub Device Flow\nexport {\n\tstartGitHubDeviceFlow,\n\tpollGitHubDeviceFlow,\n\tgetGitHubUser,\n} from './github-device.js'\nexport type {\n\tGitHubDeviceFlowOptions,\n\tGitHubDeviceAuthResponse,\n\tGitHubTokenResponse,\n\tGitHubUser,\n} from './github-device.js'\n\n// Storage utilities (browser-safe - uses dynamic imports for Node.js features)\nexport {\n\tFileTokenStorage,\n\tMemoryTokenStorage,\n\tLocalStorageTokenStorage,\n\tSecureFileTokenStorage,\n\tKeychainTokenStorage,\n\tCompositeTokenStorage,\n\tcreateSecureStorage,\n} from './storage.js'\n\n// Types\nexport type {\n\tOAuthConfig,\n\tUser,\n\tAuthResult,\n\tDeviceAuthorizationResponse,\n\tTokenResponse,\n\tTokenError,\n\tTokenStorage,\n} from './types.js'\n\n// Re-export login types only (not functions - they use 'open' package)\nexport type { LoginOptions, LoginResult, OAuthProvider } from './login.js'\n"]}
package/dist/node.d.ts CHANGED
@@ -1 +1,2 @@
1
- export { AuthProvider, AuthResult, CompositeTokenStorage, DeviceAuthorizationResponse, FileTokenStorage, GitHubDeviceAuthResponse, GitHubDeviceFlowOptions, GitHubTokenResponse, GitHubUser, KeychainTokenStorage, LocalStorageTokenStorage, LoginOptions, LoginResult, MemoryTokenStorage, OAuthConfig, OAuthProvider, SecureFileTokenStorage, TokenError, TokenResponse, TokenStorage, User, auth, authorizeDevice, buildAuthUrl, configure, createSecureStorage, e as ensureLoggedIn, a as ensureLoggedOut, f as forceLogin, getConfig, getGitHubUser, getToken, getUser, isAuthenticated, login, logout, pollForTokens, pollGitHubDeviceFlow, startGitHubDeviceFlow } from './index.js';
1
+ export { AuthProvider, CompositeTokenStorage, FileTokenStorage, GitHubDeviceAuthResponse, GitHubDeviceFlowOptions, GitHubTokenResponse, GitHubUser, KeychainTokenStorage, LocalStorageTokenStorage, LoginOptions, LoginResult, MemoryTokenStorage, OAuthProvider, SecureFileTokenStorage, auth, authorizeDevice, buildAuthUrl, configure, createSecureStorage, e as ensureLoggedIn, a as ensureLoggedOut, f as forceLogin, getConfig, getGitHubUser, getToken, getUser, isAuthenticated, login, logout, pollForTokens, pollGitHubDeviceFlow, startGitHubDeviceFlow } from './index.js';
2
+ export { AuthResult, DeviceAuthorizationResponse, OAuthConfig, TokenError, TokenResponse, TokenStorage, User } from './types-export.js';
package/dist/node.js CHANGED
@@ -8,6 +8,17 @@ var __export = (target, all) => {
8
8
  __defProp(target, name, { get: all[name], enumerable: true });
9
9
  };
10
10
 
11
+ // src/utils.ts
12
+ function getEnv(key) {
13
+ if (globalThis[key]) return globalThis[key];
14
+ if (typeof process !== "undefined" && process.env?.[key]) return process.env[key];
15
+ return void 0;
16
+ }
17
+ var init_utils = __esm({
18
+ "src/utils.ts"() {
19
+ }
20
+ });
21
+
11
22
  // src/storage.ts
12
23
  var storage_exports = {};
13
24
  __export(storage_exports, {
@@ -22,10 +33,6 @@ __export(storage_exports, {
22
33
  function isNode() {
23
34
  return typeof process !== "undefined" && process.versions != null && process.versions.node != null;
24
35
  }
25
- function getEnv2(key) {
26
- if (typeof process !== "undefined" && process.env?.[key]) return process.env[key];
27
- return void 0;
28
- }
29
36
  function createSecureStorage(storagePath) {
30
37
  if (isNode()) {
31
38
  return new SecureFileTokenStorage(storagePath);
@@ -38,6 +45,7 @@ function createSecureStorage(storagePath) {
38
45
  var KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT, KeychainTokenStorage, SecureFileTokenStorage, FileTokenStorage, MemoryTokenStorage, LocalStorageTokenStorage, CompositeTokenStorage;
39
46
  var init_storage = __esm({
40
47
  "src/storage.ts"() {
48
+ init_utils();
41
49
  KEYCHAIN_SERVICE = "oauth.do";
42
50
  KEYCHAIN_ACCOUNT = "access_token";
43
51
  KeychainTokenStorage = class {
@@ -57,7 +65,7 @@ var init_storage = __esm({
57
65
  const keytarModule = imported.default || imported;
58
66
  this.keytar = keytarModule;
59
67
  if (typeof this.keytar.getPassword !== "function") {
60
- if (getEnv2("DEBUG")) {
68
+ if (getEnv("DEBUG")) {
61
69
  console.warn("Keytar module loaded but getPassword is not a function:", Object.keys(this.keytar));
62
70
  }
63
71
  this.keytar = null;
@@ -65,7 +73,7 @@ var init_storage = __esm({
65
73
  }
66
74
  return this.keytar;
67
75
  } catch (error) {
68
- if (getEnv2("DEBUG")) {
76
+ if (getEnv("DEBUG")) {
69
77
  console.warn("Keychain storage not available:", error);
70
78
  }
71
79
  return null;
@@ -80,7 +88,7 @@ var init_storage = __esm({
80
88
  const token = await keytar.getPassword(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT);
81
89
  return token;
82
90
  } catch (error) {
83
- if (getEnv2("DEBUG")) {
91
+ if (getEnv("DEBUG")) {
84
92
  console.warn("Failed to get token from keychain:", error);
85
93
  }
86
94
  return null;
@@ -122,7 +130,7 @@ var init_storage = __esm({
122
130
  await keytar.getPassword(KEYCHAIN_SERVICE, "__test__");
123
131
  return true;
124
132
  } catch (error) {
125
- if (getEnv2("DEBUG")) {
133
+ if (getEnv("DEBUG")) {
126
134
  console.warn("Keychain not available:", error);
127
135
  }
128
136
  return false;
@@ -167,7 +175,7 @@ var init_storage = __esm({
167
175
  const fs = await import('fs/promises');
168
176
  const stats = await fs.stat(this.tokenPath);
169
177
  const mode = stats.mode & 511;
170
- if (mode !== 384 && getEnv2("DEBUG")) {
178
+ if (mode !== 384 && getEnv("DEBUG")) {
171
179
  console.warn(
172
180
  `Warning: Token file has insecure permissions (${mode.toString(8)}). Expected 600. Run: chmod 600 ${this.tokenPath}`
173
181
  );
@@ -346,7 +354,7 @@ var init_storage = __esm({
346
354
  try {
347
355
  await this.keychainStorage.setToken(fileToken);
348
356
  await this.fileStorage.removeToken();
349
- if (getEnv2("DEBUG")) {
357
+ if (getEnv("DEBUG")) {
350
358
  console.log("Migrated token from file to keychain");
351
359
  }
352
360
  } catch {
@@ -377,11 +385,7 @@ var init_storage = __esm({
377
385
  });
378
386
 
379
387
  // src/config.ts
380
- function getEnv(key) {
381
- if (globalThis[key]) return globalThis[key];
382
- if (typeof process !== "undefined" && process.env?.[key]) return process.env[key];
383
- return void 0;
384
- }
388
+ init_utils();
385
389
  var globalConfig = {
386
390
  apiUrl: getEnv("OAUTH_API_URL") || getEnv("API_URL") || "https://apis.do",
387
391
  clientId: getEnv("OAUTH_CLIENT_ID") || "client_01JQYTRXK9ZPD8JPJTKDCRB656",
@@ -400,6 +404,7 @@ function getConfig() {
400
404
  }
401
405
 
402
406
  // src/auth.ts
407
+ init_utils();
403
408
  async function resolveSecret(value) {
404
409
  if (!value) return null;
405
410
  if (typeof value === "string") return value;
@@ -408,14 +413,9 @@ async function resolveSecret(value) {
408
413
  }
409
414
  return null;
410
415
  }
411
- function getEnv3(key) {
412
- if (globalThis[key]) return globalThis[key];
413
- if (typeof process !== "undefined" && process.env?.[key]) return process.env[key];
414
- return void 0;
415
- }
416
416
  async function getUser(token) {
417
417
  const config = getConfig();
418
- const authToken = token || getEnv3("DO_TOKEN") || "";
418
+ const authToken = token || getEnv("DO_TOKEN") || "";
419
419
  if (!authToken) {
420
420
  return { user: null };
421
421
  }
@@ -462,7 +462,7 @@ async function login(credentials) {
462
462
  }
463
463
  async function logout(token) {
464
464
  const config = getConfig();
465
- const authToken = token || getEnv3("DO_TOKEN") || "";
465
+ const authToken = token || getEnv("DO_TOKEN") || "";
466
466
  if (!authToken) {
467
467
  return;
468
468
  }
@@ -487,9 +487,9 @@ function isTokenExpired(expiresAt) {
487
487
  return Date.now() >= expiresAt - REFRESH_BUFFER_MS;
488
488
  }
489
489
  async function getToken() {
490
- const adminToken = getEnv3("DO_ADMIN_TOKEN");
490
+ const adminToken = getEnv("DO_ADMIN_TOKEN");
491
491
  if (adminToken) return adminToken;
492
- const doToken = getEnv3("DO_TOKEN");
492
+ const doToken = getEnv("DO_TOKEN");
493
493
  if (doToken) return doToken;
494
494
  try {
495
495
  const { env } = await import('cloudflare:workers');
@@ -800,13 +800,94 @@ init_storage();
800
800
  // src/login.ts
801
801
  init_storage();
802
802
  var REFRESH_BUFFER_MS2 = 5 * 60 * 1e3;
803
+ var loginInProgress = null;
804
+ var refreshInProgress = null;
803
805
  function isTokenExpired2(expiresAt) {
804
806
  if (!expiresAt) return false;
805
807
  return Date.now() >= expiresAt - REFRESH_BUFFER_MS2;
806
808
  }
809
+ async function doRefresh(tokenData, storage) {
810
+ if (refreshInProgress) {
811
+ return refreshInProgress;
812
+ }
813
+ refreshInProgress = (async () => {
814
+ try {
815
+ const newTokens = await refreshAccessToken(tokenData.refreshToken);
816
+ const expiresAt = newTokens.expires_in ? Date.now() + newTokens.expires_in * 1e3 : void 0;
817
+ const newData = {
818
+ accessToken: newTokens.access_token,
819
+ refreshToken: newTokens.refresh_token || tokenData.refreshToken,
820
+ expiresAt
821
+ };
822
+ if (storage?.setTokenData) {
823
+ await storage.setTokenData(newData);
824
+ } else if (storage?.setToken) {
825
+ await storage.setToken(newTokens.access_token);
826
+ }
827
+ return { token: newTokens.access_token, isNewLogin: false };
828
+ } finally {
829
+ refreshInProgress = null;
830
+ }
831
+ })();
832
+ return refreshInProgress;
833
+ }
834
+ async function doDeviceLogin(options) {
835
+ if (loginInProgress) {
836
+ return loginInProgress;
837
+ }
838
+ const config = getConfig();
839
+ const {
840
+ openBrowser = true,
841
+ print = console.log,
842
+ provider,
843
+ storage = createSecureStorage(config.storagePath)
844
+ } = options;
845
+ loginInProgress = (async () => {
846
+ try {
847
+ print("\nLogging in...\n");
848
+ const authResponse = await authorizeDevice({ provider });
849
+ print(`To complete login:`);
850
+ print(` 1. Visit: ${authResponse.verification_uri}`);
851
+ print(` 2. Enter code: ${authResponse.user_code}`);
852
+ print(`
853
+ Or open: ${authResponse.verification_uri_complete}
854
+ `);
855
+ if (openBrowser) {
856
+ try {
857
+ const open = await import('open');
858
+ await open.default(authResponse.verification_uri_complete);
859
+ print("Browser opened automatically\n");
860
+ } catch {
861
+ }
862
+ }
863
+ print("Waiting for authorization...\n");
864
+ const tokenResponse = await pollForTokens(
865
+ authResponse.device_code,
866
+ authResponse.interval,
867
+ authResponse.expires_in
868
+ );
869
+ const expiresAt = tokenResponse.expires_in ? Date.now() + tokenResponse.expires_in * 1e3 : void 0;
870
+ const newData = {
871
+ accessToken: tokenResponse.access_token,
872
+ refreshToken: tokenResponse.refresh_token,
873
+ expiresAt
874
+ };
875
+ if (storage.setTokenData) {
876
+ await storage.setTokenData(newData);
877
+ } else {
878
+ await storage.setToken(tokenResponse.access_token);
879
+ }
880
+ print("Login successful!\n");
881
+ return { token: tokenResponse.access_token, isNewLogin: true };
882
+ } finally {
883
+ loginInProgress = null;
884
+ }
885
+ })();
886
+ return loginInProgress;
887
+ }
807
888
  async function ensureLoggedIn(options = {}) {
808
889
  const config = getConfig();
809
- const { openBrowser = true, print = console.log, provider, storage = createSecureStorage(config.storagePath) } = options;
890
+ const { storage = createSecureStorage(config.storagePath) } = options;
810
891
  const tokenData = storage.getTokenData ? await storage.getTokenData() : null;
811
892
  const existingToken = tokenData?.accessToken || await storage.getToken();
812
893
  if (existingToken) {
@@ -815,19 +896,7 @@ async function ensureLoggedIn(options = {}) {
815
896
  }
816
897
  if (tokenData?.refreshToken) {
817
898
  try {
818
- const newTokens = await refreshAccessToken(tokenData.refreshToken);
819
- const expiresAt2 = newTokens.expires_in ? Date.now() + newTokens.expires_in * 1e3 : void 0;
820
- const newData2 = {
821
- accessToken: newTokens.access_token,
822
- refreshToken: newTokens.refresh_token || tokenData.refreshToken,
823
- expiresAt: expiresAt2
824
- };
825
- if (storage.setTokenData) {
826
- await storage.setTokenData(newData2);
827
- } else {
828
- await storage.setToken(newTokens.access_token);
829
- }
830
- return { token: newTokens.access_token, isNewLogin: false };
899
+ return await doRefresh(tokenData, storage);
831
900
  } catch (error) {
832
901
  console.warn("Token refresh failed:", error);
833
902
  }
@@ -839,41 +908,7 @@ async function ensureLoggedIn(options = {}) {
839
908
  }
840
909
  }
841
910
  }
842
- print("\nLogging in...\n");
843
- const authResponse = await authorizeDevice({ provider });
844
- print(`To complete login:`);
845
- print(` 1. Visit: ${authResponse.verification_uri}`);
846
- print(` 2. Enter code: ${authResponse.user_code}`);
847
- print(`
848
- Or open: ${authResponse.verification_uri_complete}
849
- `);
850
- if (openBrowser) {
851
- try {
852
- const open = await import('open');
853
- await open.default(authResponse.verification_uri_complete);
854
- print("Browser opened automatically\n");
855
- } catch {
856
- }
857
- }
858
- print("Waiting for authorization...\n");
859
- const tokenResponse = await pollForTokens(
860
- authResponse.device_code,
861
- authResponse.interval,
862
- authResponse.expires_in
863
- );
864
- const expiresAt = tokenResponse.expires_in ? Date.now() + tokenResponse.expires_in * 1e3 : void 0;
865
- const newData = {
866
- accessToken: tokenResponse.access_token,
867
- refreshToken: tokenResponse.refresh_token,
868
- expiresAt
869
- };
870
- if (storage.setTokenData) {
871
- await storage.setTokenData(newData);
872
- } else {
873
- await storage.setToken(tokenResponse.access_token);
874
- }
875
- print("Login successful!\n");
876
- return { token: tokenResponse.access_token, isNewLogin: true };
911
+ return doDeviceLogin(options);
877
912
  }
878
913
  async function forceLogin(options = {}) {
879
914
  const config = getConfig();