npm - unotoken - Versions diffs - 0.1.0 - Mend

unotoken 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (122) hide show

package/README.md +360 -0
package/dist/cli.d.ts +17 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +1207 -0
package/dist/cli.js.map +1 -0
package/dist/client.d.ts +15 -0
package/dist/client.d.ts.map +1 -0
package/dist/client.js +15 -0
package/dist/client.js.map +1 -0
package/dist/db.d.ts +52 -0
package/dist/db.d.ts.map +1 -0
package/dist/db.js +97 -0
package/dist/db.js.map +1 -0
package/dist/dotenv.d.ts +69 -0
package/dist/dotenv.d.ts.map +1 -0
package/dist/dotenv.js +115 -0
package/dist/dotenv.js.map +1 -0
package/dist/env-mapper.d.ts +55 -0
package/dist/env-mapper.d.ts.map +1 -0
package/dist/env-mapper.js +97 -0
package/dist/env-mapper.js.map +1 -0
package/dist/exec.d.ts +80 -0
package/dist/exec.d.ts.map +1 -0
package/dist/exec.js +214 -0
package/dist/exec.js.map +1 -0
package/dist/index.d.ts +12 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +43 -0
package/dist/index.js.map +1 -0
package/dist/oauth/commands.d.ts +151 -0
package/dist/oauth/commands.d.ts.map +1 -0
package/dist/oauth/commands.js +322 -0
package/dist/oauth/commands.js.map +1 -0
package/dist/oauth/config.d.ts +84 -0
package/dist/oauth/config.d.ts.map +1 -0
package/dist/oauth/config.js +156 -0
package/dist/oauth/config.js.map +1 -0
package/dist/oauth/crypto-helpers.d.ts +44 -0
package/dist/oauth/crypto-helpers.d.ts.map +1 -0
package/dist/oauth/crypto-helpers.js +94 -0
package/dist/oauth/crypto-helpers.js.map +1 -0
package/dist/oauth/device-secret.d.ts +57 -0
package/dist/oauth/device-secret.d.ts.map +1 -0
package/dist/oauth/device-secret.js +106 -0
package/dist/oauth/device-secret.js.map +1 -0
package/dist/oauth/flow.d.ts +112 -0
package/dist/oauth/flow.d.ts.map +1 -0
package/dist/oauth/flow.js +255 -0
package/dist/oauth/flow.js.map +1 -0
package/dist/oauth/index.d.ts +18 -0
package/dist/oauth/index.d.ts.map +1 -0
package/dist/oauth/index.js +24 -0
package/dist/oauth/index.js.map +1 -0
package/dist/oauth/key-wrap.d.ts +146 -0
package/dist/oauth/key-wrap.d.ts.map +1 -0
package/dist/oauth/key-wrap.js +275 -0
package/dist/oauth/key-wrap.js.map +1 -0
package/dist/oauth/pkce.d.ts +29 -0
package/dist/oauth/pkce.d.ts.map +1 -0
package/dist/oauth/pkce.js +34 -0
package/dist/oauth/pkce.js.map +1 -0
package/dist/oauth/provider.d.ts +79 -0
package/dist/oauth/provider.d.ts.map +1 -0
package/dist/oauth/provider.js +10 -0
package/dist/oauth/provider.js.map +1 -0
package/dist/oauth/providers/github.d.ts +75 -0
package/dist/oauth/providers/github.d.ts.map +1 -0
package/dist/oauth/providers/github.js +119 -0
package/dist/oauth/providers/github.js.map +1 -0
package/dist/oauth/providers/google.d.ts +115 -0
package/dist/oauth/providers/google.d.ts.map +1 -0
package/dist/oauth/providers/google.js +285 -0
package/dist/oauth/providers/google.js.map +1 -0
package/dist/sdk.d.ts +8 -0
package/dist/sdk.d.ts.map +1 -0
package/dist/sdk.js +8 -0
package/dist/sdk.js.map +1 -0
package/dist/server.d.ts +33 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +287 -0
package/dist/server.js.map +1 -0
package/dist/signatures/approval-codes.d.ts +192 -0
package/dist/signatures/approval-codes.d.ts.map +1 -0
package/dist/signatures/approval-codes.js +407 -0
package/dist/signatures/approval-codes.js.map +1 -0
package/dist/signatures/commands.d.ts +108 -0
package/dist/signatures/commands.d.ts.map +1 -0
package/dist/signatures/commands.js +270 -0
package/dist/signatures/commands.js.map +1 -0
package/dist/signatures/devices.d.ts +165 -0
package/dist/signatures/devices.d.ts.map +1 -0
package/dist/signatures/devices.js +344 -0
package/dist/signatures/devices.js.map +1 -0
package/dist/signatures/email-config.d.ts +102 -0
package/dist/signatures/email-config.d.ts.map +1 -0
package/dist/signatures/email-config.js +188 -0
package/dist/signatures/email-config.js.map +1 -0
package/dist/signatures/email.d.ts +106 -0
package/dist/signatures/email.d.ts.map +1 -0
package/dist/signatures/email.js +180 -0
package/dist/signatures/email.js.map +1 -0
package/dist/signatures/fingerprint.d.ts +70 -0
package/dist/signatures/fingerprint.d.ts.map +1 -0
package/dist/signatures/fingerprint.js +123 -0
package/dist/signatures/fingerprint.js.map +1 -0
package/dist/signatures/guard.d.ts +118 -0
package/dist/signatures/guard.d.ts.map +1 -0
package/dist/signatures/guard.js +310 -0
package/dist/signatures/guard.js.map +1 -0
package/dist/signatures/resend.d.ts +84 -0
package/dist/signatures/resend.d.ts.map +1 -0
package/dist/signatures/resend.js +248 -0
package/dist/signatures/resend.js.map +1 -0
package/dist/token-requests.d.ts +80 -0
package/dist/token-requests.d.ts.map +1 -0
package/dist/token-requests.js +201 -0
package/dist/token-requests.js.map +1 -0
package/dist/tokens.d.ts +80 -0
package/dist/tokens.d.ts.map +1 -0
package/dist/tokens.js +150 -0
package/dist/tokens.js.map +1 -0
package/package.json +62 -0

package/dist/signatures/guard.js ADDED Viewed

@@ -0,0 +1,310 @@
+/**
+ * Device approval guard for unotoken.
+ *
+ * This module provides a guard that checks whether the current device is
+ * approved before allowing vault operations. It integrates:
+ * - Device fingerprinting (fingerprint.ts)
+ * - Known devices registry (devices.ts)
+ * - Email configuration (email-config.ts)
+ * - Approval codes (approval-codes.ts)
+ * - Email sending (resend.ts)
+ *
+ * The guard runs BEFORE vault unlock -- a new device cannot even attempt
+ * to unlock without approval.
+ *
+ * Usage patterns:
+ * 1. CLI (TTY): Prompts interactively for the 6-digit code
+ * 2. SDK (programmatic): Throws DeviceApprovalRequired with instructions
+ *
+ * Graceful degradation: If no email is configured, the guard allows the
+ * operation to proceed (signatures are opt-in via email config).
+ *
+ * @module
+ */
+import { generateDeviceFingerprint, getDefaultDeviceName } from './fingerprint.js';
+import { checkDevice, DevicesDatabase } from './devices.js';
+import { loadEmailConfig, maskEmail } from './email-config.js';
+import { createApprovalCode, verifyApprovalCode } from './approval-codes.js';
+import { sendApprovalEmail } from './resend.js';
+// ─── Error ──────────────────────────────────────────────────────────
+/**
+ * Error thrown when a device requires approval but is used programmatically
+ * (no TTY to prompt the user).
+ *
+ * The caller (app/cloud service) is responsible for:
+ * 1. Sending the code via approveDevice()
+ * 2. Collecting the code from the user
+ * 3. Calling completeApproval() with the code
+ */
+export class DeviceApprovalRequired extends Error {
+    /** The device fingerprint that needs approval */
+    fingerprint;
+    /** The masked email where the code was sent (or null if not sent) */
+    maskedEmail;
+    /** Whether a code was actually sent */
+    codeSent;
+    constructor(fingerprint, maskedEmail, codeSent) {
+        const emailPart = maskedEmail
+            ? ` A code has been sent to ${maskedEmail}.`
+            : '';
+        super(`Device not approved. This device (${fingerprint.slice(0, 12)}...) must be approved before accessing the vault.${emailPart}` +
+            ` Use approveDevice() to complete the approval flow.`);
+        this.name = 'DeviceApprovalRequired';
+        this.fingerprint = fingerprint;
+        this.maskedEmail = maskedEmail;
+        this.codeSent = codeSent;
+    }
+}
+// ─── Guard Implementation ───────────────────────────────────────────
+/**
+ * Check if the current device is approved and handle the approval flow.
+ *
+ * This is the main entry point for device checks. It should be called
+ * before any vault operation (unlock, get, set, list).
+ *
+ * Flow:
+ * 1. Generate device fingerprint
+ * 2. Check if device is known (auto-approves first device)
+ * 3. If known: allow operation, update last_seen
+ * 4. If unknown:
+ *    a. If no email configured: allow (graceful degradation)
+ *    b. If TTY: send code, prompt user, verify, register device
+ *    c. If no TTY: throw DeviceApprovalRequired
+ *
+ * @param options - Guard configuration
+ * @returns Result indicating whether the operation should proceed
+ * @throws DeviceApprovalRequired when used programmatically and device is unknown
+ */
+export async function deviceGuard(options = {}) {
+    const { baseDir, readLine, writeOutput = (msg) => process.stderr.write(msg), writeError = (msg) => process.stderr.write(msg), } = options;
+    const isTTY = options.isTTY ?? (process.stdin.isTTY === true);
+    // 1. Generate fingerprint and device name
+    const fingerprint = generateDeviceFingerprint(baseDir);
+    const deviceName = getDefaultDeviceName();
+    // 2. Check device status
+    const deviceCheck = await checkDevice(fingerprint, deviceName, baseDir);
+    // 3. Device is known -- allow operation
+    if (deviceCheck.known) {
+        return {
+            allowed: true,
+            newlyApproved: false,
+            autoApproved: deviceCheck.autoApproved,
+            deviceName,
+            fingerprint,
+        };
+    }
+    // 4. Device is unknown -- check email config
+    const emailConfig = loadEmailConfig(baseDir);
+    const emailConfigured = emailConfig !== null && emailConfig.verified === true;
+    // 4a. No email configured -- graceful degradation
+    if (!emailConfigured) {
+        writeOutput('No email configured. Run `unotoken config email <address>` to enable device signatures.\n');
+        return {
+            allowed: true,
+            newlyApproved: false,
+            autoApproved: false,
+            deviceName,
+            fingerprint,
+            reason: 'no_email_configured',
+        };
+    }
+    const maskedAddr = maskEmail(emailConfig.email);
+    // 4b. TTY mode -- interactive approval
+    if (isTTY && readLine) {
+        return interactiveApproval({
+            fingerprint,
+            deviceName,
+            email: emailConfig.email,
+            maskedEmail: maskedAddr,
+            baseDir,
+            readLine,
+            writeOutput,
+            writeError,
+        });
+    }
+    // 4c. Non-TTY / SDK mode -- throw error
+    // Try to send the code proactively so the caller can collect it
+    let codeSent = false;
+    try {
+        const codeResult = await createApprovalCode(fingerprint, baseDir);
+        if (codeResult) {
+            // Send the email
+            const context = {
+                deviceName,
+                timestamp: new Date().toISOString(),
+            };
+            const sendResult = await sendApprovalEmail(emailConfig.email, codeResult.code, context, fingerprint, baseDir);
+            codeSent = sendResult.success;
+        }
+    }
+    catch {
+        // Best-effort -- if sending fails, the caller will need to retry
+    }
+    throw new DeviceApprovalRequired(fingerprint, maskedAddr, codeSent);
+}
+/**
+ * Run the interactive device approval flow (TTY mode).
+ *
+ * Sends an approval code to the user's email and prompts for entry.
+ */
+async function interactiveApproval(opts) {
+    const { fingerprint, deviceName, email, maskedEmail, baseDir, readLine, writeOutput, writeError, } = opts;
+    // Create an approval code
+    const codeResult = await createApprovalCode(fingerprint, baseDir);
+    if (!codeResult) {
+        writeError('Rate limit exceeded. Too many approval codes requested. Please wait before trying again.\n');
+        return {
+            allowed: false,
+            newlyApproved: false,
+            autoApproved: false,
+            deviceName,
+            fingerprint,
+            reason: 'rate_limited',
+        };
+    }
+    // Send the email
+    const context = {
+        deviceName,
+        timestamp: new Date().toISOString(),
+    };
+    const sendResult = await sendApprovalEmail(email, codeResult.code, context, fingerprint, baseDir);
+    if (!sendResult.success) {
+        writeError(`Failed to send approval code: ${sendResult.error ?? 'Unknown error'}\n`);
+        return {
+            allowed: false,
+            newlyApproved: false,
+            autoApproved: false,
+            deviceName,
+            fingerprint,
+            reason: 'email_send_failed',
+        };
+    }
+    writeOutput(`New device detected. Sending approval code to ${maskedEmail}...\n`);
+    // Prompt for code (up to 3 attempts handled by approval-codes engine)
+    const MAX_PROMPT_ATTEMPTS = 3;
+    for (let i = 0; i < MAX_PROMPT_ATTEMPTS; i++) {
+        const userInput = await readLine('Enter approval code: ');
+        const trimmed = userInput.trim();
+        const verifyResult = await verifyApprovalCode(fingerprint, trimmed, baseDir);
+        if (verifyResult.valid) {
+            // Register the device
+            const db = await DevicesDatabase.open(baseDir);
+            try {
+                db.registerDevice(fingerprint, deviceName, 'email_code');
+            }
+            finally {
+                db.close();
+            }
+            writeOutput(`Device approved: ${deviceName}\n`);
+            return {
+                allowed: true,
+                newlyApproved: true,
+                autoApproved: false,
+                deviceName,
+                fingerprint,
+            };
+        }
+        // Check if we should give more attempts
+        if (verifyResult.reason?.includes('Maximum attempts') || verifyResult.reason?.includes('No active')) {
+            writeError('Code expired. Run the command again to get a new code.\n');
+            return {
+                allowed: false,
+                newlyApproved: false,
+                autoApproved: false,
+                deviceName,
+                fingerprint,
+                reason: 'max_attempts_or_expired',
+            };
+        }
+        // Extract remaining attempts from reason
+        const remainingMatch = verifyResult.reason?.match(/(\d+) attempt/);
+        const remaining = remainingMatch ? parseInt(remainingMatch[1], 10) : MAX_PROMPT_ATTEMPTS - i - 1;
+        writeError(`Invalid code. ${remaining} attempt${remaining === 1 ? '' : 's'} remaining.\n`);
+    }
+    // Should not reach here normally (approval-codes engine handles attempt limits)
+    writeError('Code expired. Run the command again to get a new code.\n');
+    return {
+        allowed: false,
+        newlyApproved: false,
+        autoApproved: false,
+        deviceName,
+        fingerprint,
+        reason: 'max_attempts_or_expired',
+    };
+}
+// ─── Programmatic Approval ──────────────────────────────────────────
+/**
+ * Programmatically approve a device with an approval code.
+ *
+ * For use by SDK consumers who caught DeviceApprovalRequired and collected
+ * the code from the user via their own UI.
+ *
+ * @param fingerprint - The device fingerprint from the error
+ * @param code - The 6-digit code entered by the user
+ * @param baseDir - Optional base directory for config/database files
+ * @returns Object with `approved` boolean and optional `reason`
+ */
+export async function approveDevice(fingerprint, code, baseDir) {
+    const deviceName = getDefaultDeviceName();
+    const verifyResult = await verifyApprovalCode(fingerprint, code, baseDir);
+    if (!verifyResult.valid) {
+        return {
+            approved: false,
+            deviceName,
+            reason: verifyResult.reason,
+        };
+    }
+    // Register the device
+    const db = await DevicesDatabase.open(baseDir);
+    try {
+        db.registerDevice(fingerprint, deviceName, 'email_code');
+    }
+    finally {
+        db.close();
+    }
+    return { approved: true, deviceName };
+}
+/**
+ * Send an approval code to the user's configured email for a specific device.
+ *
+ * For use by SDK consumers who need to initiate the approval flow programmatically.
+ *
+ * @param fingerprint - The device fingerprint
+ * @param baseDir - Optional base directory for config/database files
+ * @returns Object with `sent` boolean, `maskedEmail`, and optional `error`
+ */
+export async function sendDeviceApprovalCode(fingerprint, baseDir) {
+    const emailConfig = loadEmailConfig(baseDir);
+    if (!emailConfig || !emailConfig.verified) {
+        return {
+            sent: false,
+            error: 'No verified email configured. Run `unotoken config email <address>` first.',
+        };
+    }
+    const codeResult = await createApprovalCode(fingerprint, baseDir);
+    if (!codeResult) {
+        return {
+            sent: false,
+            maskedEmail: maskEmail(emailConfig.email),
+            error: 'Rate limit exceeded. Too many approval codes requested.',
+        };
+    }
+    const deviceName = getDefaultDeviceName();
+    const context = {
+        deviceName,
+        timestamp: new Date().toISOString(),
+    };
+    const sendResult = await sendApprovalEmail(emailConfig.email, codeResult.code, context, fingerprint, baseDir);
+    if (!sendResult.success) {
+        return {
+            sent: false,
+            maskedEmail: maskEmail(emailConfig.email),
+            error: sendResult.error,
+        };
+    }
+    return {
+        sent: true,
+        maskedEmail: maskEmail(emailConfig.email),
+    };
+}
+//# sourceMappingURL=guard.js.map

package/dist/signatures/guard.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"guard.js","sourceRoot":"","sources":["../../src/signatures/guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACnF,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAC7E,OAAO,EAAE,iBAAiB,EAA6B,MAAM,aAAa,CAAC;AAgC3E,uEAAuE;AAEvE;;;;;;;;GAQG;AACH,MAAM,OAAO,sBAAuB,SAAQ,KAAK;IAC/C,iDAAiD;IACjD,WAAW,CAAS;IACpB,qEAAqE;IACrE,WAAW,CAAgB;IAC3B,uCAAuC;IACvC,QAAQ,CAAU;IAElB,YACE,WAAmB,EACnB,WAA0B,EAC1B,QAAiB;QAEjB,MAAM,SAAS,GAAG,WAAW;YAC3B,CAAC,CAAC,4BAA4B,WAAW,GAAG;YAC5C,CAAC,CAAC,EAAE,CAAC;QACP,KAAK,CACH,qCAAqC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,oDAAoD,SAAS,EAAE;YAC5H,qDAAqD,CACtD,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;QACrC,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;CACF;AAED,uEAAuE;AAEvE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,UAA8B,EAAE;IAEhC,MAAM,EACJ,OAAO,EACP,QAAQ,EACR,WAAW,GAAG,CAAC,GAAW,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EACxD,UAAU,GAAG,CAAC,GAAW,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,GACxD,GAAG,OAAO,CAAC;IAEZ,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC;IAE9D,0CAA0C;IAC1C,MAAM,WAAW,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;IACvD,MAAM,UAAU,GAAG,oBAAoB,EAAE,CAAC;IAE1C,yBAAyB;IACzB,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,WAAW,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;IAExE,wCAAwC;IACxC,IAAI,WAAW,CAAC,KAAK,EAAE,CAAC;QACtB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,aAAa,EAAE,KAAK;YACpB,YAAY,EAAE,WAAW,CAAC,YAAY;YACtC,UAAU;YACV,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,MAAM,WAAW,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,eAAe,GAAG,WAAW,KAAK,IAAI,IAAI,WAAW,CAAC,QAAQ,KAAK,IAAI,CAAC;IAE9E,kDAAkD;IAClD,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,WAAW,CACT,2FAA2F,CAC5F,CAAC;QACF,OAAO;YACL,OAAO,EAAE,IAAI;YACb,aAAa,EAAE,KAAK;YACpB,YAAY,EAAE,KAAK;YACnB,UAAU;YACV,WAAW;YACX,MAAM,EAAE,qBAAqB;SAC9B,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;IAEhD,uCAAuC;IACvC,IAAI,KAAK,IAAI,QAAQ,EAAE,CAAC;QACtB,OAAO,mBAAmB,CAAC;YACzB,WAAW;YACX,UAAU;YACV,KAAK,EAAE,WAAW,CAAC,KAAK;YACxB,WAAW,EAAE,UAAU;YACvB,OAAO;YACP,QAAQ;YACR,WAAW;YACX,UAAU;SACX,CAAC,CAAC;IACL,CAAC;IAED,wCAAwC;IACxC,gEAAgE;IAChE,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAClE,IAAI,UAAU,EAAE,CAAC;YACf,iBAAiB;YACjB,MAAM,OAAO,GAAyB;gBACpC,UAAU;gBACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC,CAAC;YACF,MAAM,UAAU,GAAG,MAAM,iBAAiB,CACxC,WAAW,CAAC,KAAK,EACjB,UAAU,CAAC,IAAI,EACf,OAAO,EACP,WAAW,EACX,OAAO,CACR,CAAC;YACF,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC;QAChC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,iEAAiE;IACnE,CAAC;IAED,MAAM,IAAI,sBAAsB,CAAC,WAAW,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;AACtE,CAAC;AAeD;;;;GAIG;AACH,KAAK,UAAU,mBAAmB,CAChC,IAAgC;IAEhC,MAAM,EACJ,WAAW,EACX,UAAU,EACV,KAAK,EACL,WAAW,EACX,OAAO,EACP,QAAQ,EACR,WAAW,EACX,UAAU,GACX,GAAG,IAAI,CAAC;IAET,0BAA0B;IAC1B,MAAM,UAAU,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAClE,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,UAAU,CACR,4FAA4F,CAC7F,CAAC;QACF,OAAO;YACL,OAAO,EAAE,KAAK;YACd,aAAa,EAAE,KAAK;YACpB,YAAY,EAAE,KAAK;YACnB,UAAU;YACV,WAAW;YACX,MAAM,EAAE,cAAc;SACvB,CAAC;IACJ,CAAC;IAED,iBAAiB;IACjB,MAAM,OAAO,GAAyB;QACpC,UAAU;QACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IACF,MAAM,UAAU,GAAG,MAAM,iBAAiB,CACxC,KAAK,EACL,UAAU,CAAC,IAAI,EACf,OAAO,EACP,WAAW,EACX,OAAO,CACR,CAAC;IAEF,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,UAAU,CACR,iCAAiC,UAAU,CAAC,KAAK,IAAI,eAAe,IAAI,CACzE,CAAC;QACF,OAAO;YACL,OAAO,EAAE,KAAK;YACd,aAAa,EAAE,KAAK;YACpB,YAAY,EAAE,KAAK;YACnB,UAAU;YACV,WAAW;YACX,MAAM,EAAE,mBAAmB;SAC5B,CAAC;IACJ,CAAC;IAED,WAAW,CACT,iDAAiD,WAAW,OAAO,CACpE,CAAC;IAEF,sEAAsE;IACtE,MAAM,mBAAmB,GAAG,CAAC,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,mBAAmB,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,uBAAuB,CAAC,CAAC;QAC1D,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;QAEjC,MAAM,YAAY,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAE7E,IAAI,YAAY,CAAC,KAAK,EAAE,CAAC;YACvB,sBAAsB;YACtB,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC/C,IAAI,CAAC;gBACH,EAAE,CAAC,cAAc,CAAC,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;YAC3D,CAAC;oBAAS,CAAC;gBACT,EAAE,CAAC,KAAK,EAAE,CAAC;YACb,CAAC;YAED,WAAW,CAAC,oBAAoB,UAAU,IAAI,CAAC,CAAC;YAChD,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,aAAa,EAAE,IAAI;gBACnB,YAAY,EAAE,KAAK;gBACnB,UAAU;gBACV,WAAW;aACZ,CAAC;QACJ,CAAC;QAED,wCAAwC;QACxC,IAAI,YAAY,CAAC,MAAM,EAAE,QAAQ,CAAC,kBAAkB,CAAC,IAAI,YAAY,CAAC,MAAM,EAAE,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YACpG,UAAU,CAAC,0DAA0D,CAAC,CAAC;YACvE,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,aAAa,EAAE,KAAK;gBACpB,YAAY,EAAE,KAAK;gBACnB,UAAU;gBACV,WAAW;gBACX,MAAM,EAAE,yBAAyB;aAClC,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,MAAM,cAAc,GAAG,YAAY,CAAC,MAAM,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;QACnE,MAAM,SAAS,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,mBAAmB,GAAG,CAAC,GAAG,CAAC,CAAC;QAEjG,UAAU,CACR,iBAAiB,SAAS,WAAW,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,eAAe,CAC/E,CAAC;IACJ,CAAC;IAED,gFAAgF;IAChF,UAAU,CAAC,0DAA0D,CAAC,CAAC;IACvE,OAAO;QACL,OAAO,EAAE,KAAK;QACd,aAAa,EAAE,KAAK;QACpB,YAAY,EAAE,KAAK;QACnB,UAAU;QACV,WAAW;QACX,MAAM,EAAE,yBAAyB;KAClC,CAAC;AACJ,CAAC;AAED,uEAAuE;AAEvE;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,WAAmB,EACnB,IAAY,EACZ,OAAgB;IAEhB,MAAM,UAAU,GAAG,oBAAoB,EAAE,CAAC;IAE1C,MAAM,YAAY,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAE1E,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;QACxB,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,UAAU;YACV,MAAM,EAAE,YAAY,CAAC,MAAM;SAC5B,CAAC;IACJ,CAAC;IAED,sBAAsB;IACtB,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/C,IAAI,CAAC;QACH,EAAE,CAAC,cAAc,CAAC,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;IAC3D,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AACxC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,WAAmB,EACnB,OAAgB;IAEhB,MAAM,WAAW,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAE7C,IAAI,CAAC,WAAW,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;QAC1C,OAAO;YACL,IAAI,EAAE,KAAK;YACX,KAAK,EAAE,4EAA4E;SACpF,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAClE,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO;YACL,IAAI,EAAE,KAAK;YACX,WAAW,EAAE,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC;YACzC,KAAK,EAAE,yDAAyD;SACjE,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,oBAAoB,EAAE,CAAC;IAC1C,MAAM,OAAO,GAAyB;QACpC,UAAU;QACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IAEF,MAAM,UAAU,GAAG,MAAM,iBAAiB,CACxC,WAAW,CAAC,KAAK,EACjB,UAAU,CAAC,IAAI,EACf,OAAO,EACP,WAAW,EACX,OAAO,CACR,CAAC;IAEF,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO;YACL,IAAI,EAAE,KAAK;YACX,WAAW,EAAE,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC;YACzC,KAAK,EAAE,UAAU,CAAC,KAAK;SACxB,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI,EAAE,IAAI;QACV,WAAW,EAAE,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC;KAC1C,CAAC;AACJ,CAAC"}

package/dist/signatures/resend.d.ts ADDED Viewed

@@ -0,0 +1,84 @@
+/**
+ * Resend API integration for unotoken device approval emails.
+ *
+ * Uses the Resend REST API directly (no SDK dependency) to send
+ * branded 6-digit approval codes for device verification.
+ *
+ * Features:
+ * - Built-in Resend API key (Indigo-hosted, rate-limited) for zero-config setup
+ * - Configurable override for users who want their own Resend account
+ * - Rate limiting: max 3 emails per device per hour to prevent abuse
+ *
+ * @module
+ */
+export interface ApprovalEmailContext {
+    /** Human-friendly device name (e.g., "stefan@macbook") */
+    deviceName: string;
+    /** ISO 8601 timestamp of when the code was generated */
+    timestamp: string;
+    /** IP address hint (best-effort, may be "unknown") */
+    ipHint?: string;
+}
+export interface SendEmailResult {
+    /** Whether the email was sent successfully */
+    success: boolean;
+    /** Resend message ID (if successful) */
+    messageId?: string;
+    /** Error message (if failed) */
+    error?: string;
+}
+/**
+ * Check if sending another email for this device fingerprint is allowed.
+ *
+ * @param deviceFingerprint - The device fingerprint to check
+ * @returns true if under the rate limit
+ */
+export declare function isRateLimited(deviceFingerprint: string): boolean;
+/**
+ * Get remaining sends in the current rate limit window.
+ *
+ * @param deviceFingerprint - The device fingerprint
+ * @returns Number of remaining sends allowed
+ */
+export declare function remainingSends(deviceFingerprint: string): number;
+/**
+ * Reset rate limit state (for testing).
+ */
+export declare function resetRateLimits(): void;
+/**
+ * Get the effective Resend API key.
+ *
+ * Checks for a user-configured custom key first, falls back to built-in.
+ *
+ * @param baseDir - Optional base directory for email config
+ * @returns The Resend API key to use
+ */
+export declare function getResendApiKey(baseDir?: string): string;
+/**
+ * Build the HTML email body for a device approval code.
+ *
+ * @param code - The 6-digit approval code
+ * @param context - Additional context about the request
+ * @returns HTML string for the email body
+ */
+export declare function buildApprovalEmailHtml(code: string, context: ApprovalEmailContext): string;
+/**
+ * Build the plain text email body for a device approval code.
+ *
+ * @param code - The 6-digit approval code
+ * @param context - Additional context about the request
+ * @returns Plain text string for the email body
+ */
+export declare function buildApprovalEmailText(code: string, context: ApprovalEmailContext): string;
+/**
+ * Send a device approval email via the Resend API.
+ *
+ * @param to - Recipient email address
+ * @param code - The 6-digit approval code
+ * @param context - Additional context (device name, timestamp, IP)
+ * @param deviceFingerprint - Device fingerprint for rate limiting
+ * @param baseDir - Optional base directory for email config (API key lookup)
+ * @returns Result object with success status and optional message ID
+ */
+export declare function sendApprovalEmail(to: string, code: string, context: ApprovalEmailContext, deviceFingerprint: string, baseDir?: string): Promise<SendEmailResult>;
+//# sourceMappingURL=resend.d.ts.map

package/dist/signatures/resend.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"resend.d.ts","sourceRoot":"","sources":["../../src/signatures/resend.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAqBH,MAAM,WAAW,oBAAoB;IACnC,0DAA0D;IAC1D,UAAU,EAAE,MAAM,CAAC;IACnB,wDAAwD;IACxD,SAAS,EAAE,MAAM,CAAC;IAClB,sDAAsD;IACtD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,8CAA8C;IAC9C,OAAO,EAAE,OAAO,CAAC;IACjB,wCAAwC;IACxC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAeD;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAQhE;AAeD;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM,CAKhE;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI,IAAI,CAEtC;AAID;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAGxD;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,oBAAoB,GAAG,MAAM,CAmC1F;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,oBAAoB,GAAG,MAAM,CA4B1F;AAED;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CACrC,EAAE,EAAE,MAAM,EACV,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,oBAAoB,EAC7B,iBAAiB,EAAE,MAAM,EACzB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,CAAC,CA4D1B"}

package/dist/signatures/resend.js ADDED Viewed

@@ -0,0 +1,248 @@
+/**
+ * Resend API integration for unotoken device approval emails.
+ *
+ * Uses the Resend REST API directly (no SDK dependency) to send
+ * branded 6-digit approval codes for device verification.
+ *
+ * Features:
+ * - Built-in Resend API key (Indigo-hosted, rate-limited) for zero-config setup
+ * - Configurable override for users who want their own Resend account
+ * - Rate limiting: max 3 emails per device per hour to prevent abuse
+ *
+ * @module
+ */
+import { loadEmailConfig } from './email-config.js';
+// ─── Constants ──────────────────────────────────────────────────────
+/**
+ * Built-in Resend API key for zero-config device approval emails.
+ *
+ * This is an Indigo-hosted key with rate limits applied. Users who need
+ * higher throughput should configure their own key with:
+ *   unotoken config email --resend-key <key>
+ */
+const BUILT_IN_RESEND_API_KEY = 're_placeholder_builtin_key';
+const RESEND_API_URL = 'https://api.resend.com/emails';
+const FROM_ADDRESS = 'unotoken <noreply@getindigo.ai>';
+// ─── Rate Limiting ──────────────────────────────────────────────────
+/**
+ * In-memory rate limit tracker.
+ *
+ * Tracks email send timestamps per device fingerprint. Resets on process
+ * restart (acceptable since this is a CLI tool, not a long-running server).
+ */
+const rateLimitMap = new Map();
+const MAX_EMAILS_PER_HOUR = 3;
+const RATE_LIMIT_WINDOW_MS = 60 * 60 * 1000; // 1 hour
+/**
+ * Check if sending another email for this device fingerprint is allowed.
+ *
+ * @param deviceFingerprint - The device fingerprint to check
+ * @returns true if under the rate limit
+ */
+export function isRateLimited(deviceFingerprint) {
+    const now = Date.now();
+    const timestamps = rateLimitMap.get(deviceFingerprint) ?? [];
+    // Filter to only timestamps within the window
+    const recent = timestamps.filter((t) => now - t < RATE_LIMIT_WINDOW_MS);
+    return recent.length >= MAX_EMAILS_PER_HOUR;
+}
+/**
+ * Record a sent email for rate limiting.
+ *
+ * @param deviceFingerprint - The device fingerprint
+ */
+function recordSend(deviceFingerprint) {
+    const now = Date.now();
+    const timestamps = rateLimitMap.get(deviceFingerprint) ?? [];
+    const recent = timestamps.filter((t) => now - t < RATE_LIMIT_WINDOW_MS);
+    recent.push(now);
+    rateLimitMap.set(deviceFingerprint, recent);
+}
+/**
+ * Get remaining sends in the current rate limit window.
+ *
+ * @param deviceFingerprint - The device fingerprint
+ * @returns Number of remaining sends allowed
+ */
+export function remainingSends(deviceFingerprint) {
+    const now = Date.now();
+    const timestamps = rateLimitMap.get(deviceFingerprint) ?? [];
+    const recent = timestamps.filter((t) => now - t < RATE_LIMIT_WINDOW_MS);
+    return Math.max(0, MAX_EMAILS_PER_HOUR - recent.length);
+}
+/**
+ * Reset rate limit state (for testing).
+ */
+export function resetRateLimits() {
+    rateLimitMap.clear();
+}
+// ─── Email Sending ──────────────────────────────────────────────────
+/**
+ * Get the effective Resend API key.
+ *
+ * Checks for a user-configured custom key first, falls back to built-in.
+ *
+ * @param baseDir - Optional base directory for email config
+ * @returns The Resend API key to use
+ */
+export function getResendApiKey(baseDir) {
+    const config = loadEmailConfig(baseDir);
+    return config?.resendApiKey ?? BUILT_IN_RESEND_API_KEY;
+}
+/**
+ * Build the HTML email body for a device approval code.
+ *
+ * @param code - The 6-digit approval code
+ * @param context - Additional context about the request
+ * @returns HTML string for the email body
+ */
+export function buildApprovalEmailHtml(code, context) {
+    const timestamp = new Date(context.timestamp).toLocaleString();
+    const ipLine = context.ipHint && context.ipHint !== 'unknown'
+        ? `<p style="color:#666;font-size:13px;margin:4px 0;">IP: ${escapeHtml(context.ipHint)}</p>`
+        : '';
+    return `
+<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;max-width:480px;margin:0 auto;padding:20px;">
+  <h2 style="color:#1a1a1a;margin-bottom:4px;">Device Approval Code</h2>
+  <p style="color:#666;margin-top:0;">A new device is requesting access to your unotoken vault.</p>
+  <div style="background:#f4f4f5;border-radius:8px;padding:24px;text-align:center;margin:24px 0;">
+    <p style="color:#666;font-size:13px;margin:0 0 8px 0;">Your approval code:</p>
+    <div style="font-size:36px;font-weight:700;letter-spacing:8px;color:#1a1a1a;font-family:monospace;">${escapeHtml(code)}</div>
+    <p style="color:#999;font-size:12px;margin:8px 0 0 0;">Expires in 5 minutes</p>
+  </div>
+  <div style="background:#fafafa;border-radius:6px;padding:12px 16px;margin:16px 0;">
+    <p style="color:#666;font-size:13px;margin:4px 0;"><strong>Device:</strong> ${escapeHtml(context.deviceName)}</p>
+    <p style="color:#666;font-size:13px;margin:4px 0;"><strong>Time:</strong> ${escapeHtml(timestamp)}</p>
+    ${ipLine}
+  </div>
+  <p style="color:#999;font-size:12px;margin-top:24px;">
+    If you did not request this, someone may be trying to access your vault from a new device.
+    You can safely ignore this email -- the code will expire automatically.
+  </p>
+  <hr style="border:none;border-top:1px solid #eee;margin:24px 0;">
+  <p style="color:#bbb;font-size:11px;">Sent by unotoken -- secure secret vault</p>
+</body>
+</html>`.trim();
+}
+/**
+ * Build the plain text email body for a device approval code.
+ *
+ * @param code - The 6-digit approval code
+ * @param context - Additional context about the request
+ * @returns Plain text string for the email body
+ */
+export function buildApprovalEmailText(code, context) {
+    const timestamp = new Date(context.timestamp).toLocaleString();
+    const ipLine = context.ipHint && context.ipHint !== 'unknown'
+        ? `IP: ${context.ipHint}\n`
+        : '';
+    return [
+        'Device Approval Code',
+        '====================',
+        '',
+        'A new device is requesting access to your unotoken vault.',
+        '',
+        `Your approval code: ${code}`,
+        '',
+        'This code expires in 5 minutes.',
+        '',
+        `Device: ${context.deviceName}`,
+        `Time: ${timestamp}`,
+        ipLine ? ipLine.trim() : null,
+        '',
+        'If you did not request this, someone may be trying to access your',
+        'vault from a new device. You can safely ignore this email.',
+        '',
+        '---',
+        'Sent by unotoken',
+    ]
+        .filter((line) => line !== null)
+        .join('\n');
+}
+/**
+ * Send a device approval email via the Resend API.
+ *
+ * @param to - Recipient email address
+ * @param code - The 6-digit approval code
+ * @param context - Additional context (device name, timestamp, IP)
+ * @param deviceFingerprint - Device fingerprint for rate limiting
+ * @param baseDir - Optional base directory for email config (API key lookup)
+ * @returns Result object with success status and optional message ID
+ */
+export async function sendApprovalEmail(to, code, context, deviceFingerprint, baseDir) {
+    // Rate limit check
+    if (isRateLimited(deviceFingerprint)) {
+        return {
+            success: false,
+            error: `Rate limit exceeded: maximum ${MAX_EMAILS_PER_HOUR} approval emails per device per hour. Please wait before requesting a new code.`,
+        };
+    }
+    const apiKey = getResendApiKey(baseDir);
+    const htmlBody = buildApprovalEmailHtml(code, context);
+    const textBody = buildApprovalEmailText(code, context);
+    try {
+        const response = await fetch(RESEND_API_URL, {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${apiKey}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+                from: FROM_ADDRESS,
+                to: [to],
+                subject: `${code} is your unotoken device approval code`,
+                html: htmlBody,
+                text: textBody,
+            }),
+        });
+        if (!response.ok) {
+            const errorBody = await response.text();
+            let errorMsg;
+            try {
+                const parsed = JSON.parse(errorBody);
+                errorMsg = parsed.message ?? parsed.error ?? errorBody;
+            }
+            catch {
+                errorMsg = errorBody;
+            }
+            return {
+                success: false,
+                error: `Resend API error (${response.status}): ${errorMsg}`,
+            };
+        }
+        const data = (await response.json());
+        // Record successful send for rate limiting
+        recordSend(deviceFingerprint);
+        return {
+            success: true,
+            messageId: data.id,
+        };
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return {
+            success: false,
+            error: `Failed to send email: ${msg}`,
+        };
+    }
+}
+// ─── Helpers ────────────────────────────────────────────────────────
+/**
+ * Escape HTML entities to prevent XSS in email body.
+ */
+function escapeHtml(str) {
+    return str
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+//# sourceMappingURL=resend.js.map

package/dist/signatures/resend.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"resend.js","sourceRoot":"","sources":["../../src/signatures/resend.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEpD,uEAAuE;AAEvE;;;;;;GAMG;AACH,MAAM,uBAAuB,GAAG,4BAA4B,CAAC;AAE7D,MAAM,cAAc,GAAG,+BAA+B,CAAC;AAEvD,MAAM,YAAY,GAAG,iCAAiC,CAAC;AAsBvD,uEAAuE;AAEvE;;;;;GAKG;AACH,MAAM,YAAY,GAAG,IAAI,GAAG,EAAoB,CAAC;AAEjD,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,MAAM,oBAAoB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,SAAS;AAEtD;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,iBAAyB;IACrD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,YAAY,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,EAAE,CAAC;IAE7D,8CAA8C;IAC9C,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,GAAG,oBAAoB,CAAC,CAAC;IAExE,OAAO,MAAM,CAAC,MAAM,IAAI,mBAAmB,CAAC;AAC9C,CAAC;AAED;;;;GAIG;AACH,SAAS,UAAU,CAAC,iBAAyB;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,YAAY,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,EAAE,CAAC;IAC7D,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,GAAG,oBAAoB,CAAC,CAAC;IACxE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACjB,YAAY,CAAC,GAAG,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,iBAAyB;IACtD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,YAAY,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,EAAE,CAAC;IAC7D,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,GAAG,oBAAoB,CAAC,CAAC;IACxE,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,mBAAmB,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,YAAY,CAAC,KAAK,EAAE,CAAC;AACvB,CAAC;AAED,uEAAuE;AAEvE;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAAC,OAAgB;IAC9C,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACxC,OAAO,MAAM,EAAE,YAAY,IAAI,uBAAuB,CAAC;AACzD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAAY,EAAE,OAA6B;IAChF,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,cAAc,EAAE,CAAC;IAC/D,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;QAC3D,CAAC,CAAC,0DAA0D,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM;QAC5F,CAAC,CAAC,EAAE,CAAC;IAEP,OAAO;;;;;;;;;;0GAUiG,UAAU,CAAC,IAAI,CAAC;;;;;kFAKxC,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC;gFAChC,UAAU,CAAC,SAAS,CAAC;MAC/F,MAAM;;;;;;;;;;;QAWJ,CAAC,IAAI,EAAE,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAAY,EAAE,OAA6B;IAChF,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,cAAc,EAAE,CAAC;IAC/D,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;QAC3D,CAAC,CAAC,OAAO,OAAO,CAAC,MAAM,IAAI;QAC3B,CAAC,CAAC,EAAE,CAAC;IAEP,OAAO;QACL,sBAAsB;QACtB,sBAAsB;QACtB,EAAE;QACF,2DAA2D;QAC3D,EAAE;QACF,uBAAuB,IAAI,EAAE;QAC7B,EAAE;QACF,iCAAiC;QACjC,EAAE;QACF,WAAW,OAAO,CAAC,UAAU,EAAE;QAC/B,SAAS,SAAS,EAAE;QACpB,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI;QAC7B,EAAE;QACF,mEAAmE;QACnE,4DAA4D;QAC5D,EAAE;QACF,KAAK;QACL,kBAAkB;KACnB;SACE,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC;SAC/B,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,EAAU,EACV,IAAY,EACZ,OAA6B,EAC7B,iBAAyB,EACzB,OAAgB;IAEhB,mBAAmB;IACnB,IAAI,aAAa,CAAC,iBAAiB,CAAC,EAAE,CAAC;QACrC,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,gCAAgC,mBAAmB,iFAAiF;SAC5I,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACxC,MAAM,QAAQ,GAAG,sBAAsB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,sBAAsB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAEvD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,cAAc,EAAE;YAC3C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,MAAM,EAAE;gBACnC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,IAAI,EAAE,YAAY;gBAClB,EAAE,EAAE,CAAC,EAAE,CAAC;gBACR,OAAO,EAAE,GAAG,IAAI,wCAAwC;gBACxD,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,QAAQ;aACf,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,IAAI,QAAgB,CAAC;YACrB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;gBACrC,QAAQ,GAAG,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,KAAK,IAAI,SAAS,CAAC;YACzD,CAAC;YAAC,MAAM,CAAC;gBACP,QAAQ,GAAG,SAAS,CAAC;YACvB,CAAC;YACD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,qBAAqB,QAAQ,CAAC,MAAM,MAAM,QAAQ,EAAE;aAC5D,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAoB,CAAC;QAExD,2CAA2C;QAC3C,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAE9B,OAAO;YACL,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,IAAI,CAAC,EAAE;SACnB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,yBAAyB,GAAG,EAAE;SACtC,CAAC;IACJ,CAAC;AACH,CAAC;AAED,uEAAuE;AAEvE;;GAEG;AACH,SAAS,UAAU,CAAC,GAAW;IAC7B,OAAO,GAAG;SACP,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC5B,CAAC"}