@agent-native/core 0.15.5 → 0.15.7
- package/dist/client/AgentPanel.d.ts.map +1 -1
- package/dist/client/AgentPanel.js +3 -2
- package/dist/client/AgentPanel.js.map +1 -1
- package/dist/client/AssistantChat.d.ts.map +1 -1
- package/dist/client/AssistantChat.js +14 -2
- package/dist/client/AssistantChat.js.map +1 -1
- package/dist/client/components/CodeRequiredDialog.js +1 -1
- package/dist/client/components/CodeRequiredDialog.js.map +1 -1
- package/dist/client/settings/BackgroundAgentSection.d.ts.map +1 -1
- package/dist/client/settings/BackgroundAgentSection.js +2 -1
- package/dist/client/settings/BackgroundAgentSection.js.map +1 -1
- package/dist/client/settings/BrowserSection.d.ts.map +1 -1
- package/dist/client/settings/BrowserSection.js +3 -2
- package/dist/client/settings/BrowserSection.js.map +1 -1
- package/dist/client/settings/SettingsPanel.js +1 -1
- package/dist/client/settings/SettingsPanel.js.map +1 -1
- package/dist/client/settings/VoiceTranscriptionSection.d.ts.map +1 -1
- package/dist/client/settings/VoiceTranscriptionSection.js +1 -0
- package/dist/client/settings/VoiceTranscriptionSection.js.map +1 -1
- package/dist/client/settings/useBuilderStatus.d.ts +1 -0
- package/dist/client/settings/useBuilderStatus.d.ts.map +1 -1
- package/dist/client/settings/useBuilderStatus.js +120 -23
- package/dist/client/settings/useBuilderStatus.js.map +1 -1
- package/dist/client/settings/useBuilderStatus.spec.js +85 -7
- package/dist/client/settings/useBuilderStatus.spec.js.map +1 -1
- package/dist/client/transcription/BuilderTranscriptionCta.d.ts.map +1 -1
- package/dist/client/transcription/BuilderTranscriptionCta.js +7 -2
- package/dist/client/transcription/BuilderTranscriptionCta.js.map +1 -1
- package/dist/server/agent-chat-plugin.d.ts.map +1 -1
- package/dist/server/agent-chat-plugin.js +3 -1
- package/dist/server/agent-chat-plugin.js.map +1 -1
- package/dist/server/auth.d.ts.map +1 -1
- package/dist/server/auth.js +19 -2
- package/dist/server/auth.js.map +1 -1
- package/dist/server/builder-browser.d.ts +8 -0
- package/dist/server/builder-browser.d.ts.map +1 -1
- package/dist/server/builder-browser.js +78 -4
- package/dist/server/builder-browser.js.map +1 -1
- package/dist/server/core-routes-plugin.d.ts.map +1 -1
- package/dist/server/core-routes-plugin.js +55 -23
- package/dist/server/core-routes-plugin.js.map +1 -1
- package/package.json +1 -1
- package/dist/client/dev-mode.d.ts +0 -14
- package/dist/client/dev-mode.d.ts.map +0 -1
- package/dist/client/dev-mode.js +0 -14
- package/dist/client/dev-mode.js.map +0 -1
- package/dist/client/extensions/EmbeddedTool.d.ts +0 -20
- package/dist/client/extensions/EmbeddedTool.d.ts.map +0 -1
- package/dist/client/extensions/EmbeddedTool.js +0 -199
- package/dist/client/extensions/EmbeddedTool.js.map +0 -1
- package/dist/client/extensions/ToolEditor.d.ts +0 -5
- package/dist/client/extensions/ToolEditor.d.ts.map +0 -1
- package/dist/client/extensions/ToolEditor.js +0 -129
- package/dist/client/extensions/ToolEditor.js.map +0 -1
- package/dist/client/extensions/ToolViewer.d.ts +0 -5
- package/dist/client/extensions/ToolViewer.d.ts.map +0 -1
- package/dist/client/extensions/ToolViewer.js +0 -400
- package/dist/client/extensions/ToolViewer.js.map +0 -1
- package/dist/client/extensions/ToolViewerPage.d.ts +0 -2
- package/dist/client/extensions/ToolViewerPage.d.ts.map +0 -1
- package/dist/client/extensions/ToolViewerPage.js +0 -24
- package/dist/client/extensions/ToolViewerPage.js.map +0 -1
- package/dist/client/extensions/ToolsListPage.d.ts +0 -2
- package/dist/client/extensions/ToolsListPage.d.ts.map +0 -1
- package/dist/client/extensions/ToolsListPage.js +0 -67
- package/dist/client/extensions/ToolsListPage.js.map +0 -1
- package/dist/client/extensions/ToolsSidebarSection.d.ts +0 -2
- package/dist/client/extensions/ToolsSidebarSection.d.ts.map +0 -1
- package/dist/client/extensions/ToolsSidebarSection.js +0 -236
- package/dist/client/extensions/ToolsSidebarSection.js.map +0 -1
- package/dist/client/extensions/tool-order.d.ts +0 -7
- package/dist/client/extensions/tool-order.d.ts.map +0 -1
- package/dist/client/extensions/tool-order.js +0 -47
- package/dist/client/extensions/tool-order.js.map +0 -1
- package/dist/client/tools/EmbeddedTool.d.ts +0 -20
- package/dist/client/tools/EmbeddedTool.d.ts.map +0 -1
- package/dist/client/tools/EmbeddedTool.js +0 -199
- package/dist/client/tools/EmbeddedTool.js.map +0 -1
- package/dist/client/tools/ExtensionSlot.d.ts +0 -27
- package/dist/client/tools/ExtensionSlot.d.ts.map +0 -1
- package/dist/client/tools/ExtensionSlot.js +0 -96
- package/dist/client/tools/ExtensionSlot.js.map +0 -1
- package/dist/client/tools/ToolEditor.d.ts +0 -5
- package/dist/client/tools/ToolEditor.d.ts.map +0 -1
- package/dist/client/tools/ToolEditor.js +0 -129
- package/dist/client/tools/ToolEditor.js.map +0 -1
- package/dist/client/tools/ToolViewer.d.ts +0 -5
- package/dist/client/tools/ToolViewer.d.ts.map +0 -1
- package/dist/client/tools/ToolViewer.js +0 -400
- package/dist/client/tools/ToolViewer.js.map +0 -1
- package/dist/client/tools/ToolViewerPage.d.ts +0 -2
- package/dist/client/tools/ToolViewerPage.d.ts.map +0 -1
- package/dist/client/tools/ToolViewerPage.js +0 -24
- package/dist/client/tools/ToolViewerPage.js.map +0 -1
- package/dist/client/tools/ToolsListPage.d.ts +0 -2
- package/dist/client/tools/ToolsListPage.d.ts.map +0 -1
- package/dist/client/tools/ToolsListPage.js +0 -67
- package/dist/client/tools/ToolsListPage.js.map +0 -1
- package/dist/client/tools/ToolsSidebarSection.d.ts +0 -2
- package/dist/client/tools/ToolsSidebarSection.d.ts.map +0 -1
- package/dist/client/tools/ToolsSidebarSection.js +0 -236
- package/dist/client/tools/ToolsSidebarSection.js.map +0 -1
- package/dist/client/tools/iframe-bridge.d.ts +0 -38
- package/dist/client/tools/iframe-bridge.d.ts.map +0 -1
- package/dist/client/tools/iframe-bridge.js +0 -207
- package/dist/client/tools/iframe-bridge.js.map +0 -1
- package/dist/client/tools/index.d.ts +0 -8
- package/dist/client/tools/index.d.ts.map +0 -1
- package/dist/client/tools/index.js +0 -8
- package/dist/client/tools/index.js.map +0 -1
- package/dist/client/tools/tool-order.d.ts +0 -7
- package/dist/client/tools/tool-order.d.ts.map +0 -1
- package/dist/client/tools/tool-order.js +0 -47
- package/dist/client/tools/tool-order.js.map +0 -1
- package/dist/server/local-migration.d.ts +0 -41
- package/dist/server/local-migration.d.ts.map +0 -1
- package/dist/server/local-migration.js +0 -235
- package/dist/server/local-migration.js.map +0 -1
- package/dist/tools/actions.d.ts +0 -3
- package/dist/tools/actions.d.ts.map +0 -1
- package/dist/tools/actions.js +0 -272
- package/dist/tools/actions.js.map +0 -1
- package/dist/tools/fetch-tool.d.ts +0 -23
- package/dist/tools/fetch-tool.d.ts.map +0 -1
- package/dist/tools/fetch-tool.js +0 -178
- package/dist/tools/fetch-tool.js.map +0 -1
- package/dist/tools/html-shell.d.ts +0 -45
- package/dist/tools/html-shell.d.ts.map +0 -1
- package/dist/tools/html-shell.js +0 -514
- package/dist/tools/html-shell.js.map +0 -1
- package/dist/tools/proxy-security.d.ts +0 -12
- package/dist/tools/proxy-security.d.ts.map +0 -1
- package/dist/tools/proxy-security.js +0 -158
- package/dist/tools/proxy-security.js.map +0 -1
- package/dist/tools/routes.d.ts +0 -2
- package/dist/tools/routes.d.ts.map +0 -1
- package/dist/tools/routes.js +0 -627
- package/dist/tools/routes.js.map +0 -1
- package/dist/tools/schema.d.ts +0 -664
- package/dist/tools/schema.d.ts.map +0 -1
- package/dist/tools/schema.js +0 -146
- package/dist/tools/schema.js.map +0 -1
- package/dist/tools/slots/routes.d.ts +0 -15
- package/dist/tools/slots/routes.d.ts.map +0 -1
- package/dist/tools/slots/routes.js +0 -94
- package/dist/tools/slots/routes.js.map +0 -1
- package/dist/tools/slots/schema.d.ts +0 -303
- package/dist/tools/slots/schema.d.ts.map +0 -1
- package/dist/tools/slots/schema.js +0 -76
- package/dist/tools/slots/schema.js.map +0 -1
- package/dist/tools/slots/store.d.ts +0 -66
- package/dist/tools/slots/store.d.ts.map +0 -1
- package/dist/tools/slots/store.js +0 -227
- package/dist/tools/slots/store.js.map +0 -1
- package/dist/tools/store.d.ts +0 -40
- package/dist/tools/store.d.ts.map +0 -1
- package/dist/tools/store.js +0 -193
- package/dist/tools/store.js.map +0 -1
- package/dist/tools/theme.d.ts +0 -2
- package/dist/tools/theme.d.ts.map +0 -1
- package/dist/tools/theme.js +0 -67
- package/dist/tools/theme.js.map +0 -1
- package/dist/tools/url-safety.d.ts +0 -24
- package/dist/tools/url-safety.d.ts.map +0 -1
- package/dist/tools/url-safety.js +0 -224
- package/dist/tools/url-safety.js.map +0 -1
package/dist/server/auth.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,QAAQ,EACR,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,SAAS,EACT,SAAS,EACT,YAAY,EACZ,SAAS,GACV,MAAM,IAAI,CAAC;AAIZ,6EAA6E;AAC7E,0EAA0E;AAC1E,8EAA8E;AAC9E,0EAA0E;AAC1E,yEAAyE;AACzE,8EAA8E;AAC9E,4EAA4E;AAC5E,yDAAyD;AACzD,SAAS,YAAY,CAAC,KAAc;IAClC,MAAM,GAAG,GAAI,KAAa,CAAC,GAAc,CAAC;IAC1C,MAAM,GAAG,GAAI,KAAa,CAAC,OAEd,CAAC;IACd,IAAI,GAAG,EAAE,gBAAgB,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;QAC9C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC7B,MAAM,eAAe,GAAG,gBAAgB,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YAC/D,IAAI,GAAG,CAAC,QAAQ,KAAK,eAAe,EAAE,CAAC;gBACrC,GAAG,CAAC,QAAQ,GAAG,eAAe,CAAC;gBAC/B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;gBACxC,MAAM,OAAO,GAAG,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,CAAC;gBACtD,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE;oBAC3B,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,8DAA8D;oBAC9D,2DAA2D;oBAC3D,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAChD,CAAC,CAAC;YACZ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;QACnE,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAGD,OAAO,EACL,SAAS,EACT,UAAU,EACV,OAAO,EACP,cAAc,GACf,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAE7E,OAAO,EACL,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAE/E,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,cAAc,EACd,eAAe,EACf,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,UAAU,IAAI,iBAAiB,EAE/B,cAAc,EACd,SAAS,EACT,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAC5E,OAAO,EACL,6BAA6B,EAC7B,2BAA2B,EAC3B,8
BAA8B,GAE/B,MAAM,qCAAqC,CAAC;AAC7C,OAAO,EACL,4BAA4B,EAC5B,qBAAqB,EACrB,oCAAoC,GACrC,MAAM,sBAAsB,CAAC;AAE9B;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,aAAa,CAAC;AACvB,CAAC;AAuID,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,aAAa,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;KAC/C,WAAW,EAAE;KACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;KAC3B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;AAC3B,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG,CAAC;AAErE;;;;GAIG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACtC,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,OAAO,OAAO,IAAI,SAAS,CAAC;AAC9B,CAAC;AAED,MAAM,iBAAiB,GAAG,CAAC,CAAC,eAAe,EAAE,CAAC;AAE9C,MAAM,CAAC,MAAM,WAAW,GAAG,iBAAiB;IAC1C,CAAC,CAAC,YAAY;IACd,CAAC,CAAC,iBAAiB;QACjB,CAAC,CAAC,sBAAsB;QACxB,CAAC,CAAC,aAAa;YACb,CAAC,CAAC,cAAc,aAAa,EAAE;YAC/B,CAAC,CAAC,YAAY,CAAC;AAErB;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IACjC,OAAO,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,eAAe,CAAC,KAAc,EAAE,IAAY;IACnD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAEvC,IAAI,GAAG,EAAE,CAAC;QACR,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO;gBAAE,SAAS;YACvB,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAChC,IAAI,EAAE,IAAI,CAAC;gBAAE,SAAS;YACtB,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,IAAI;gBAAE,SAAS;YAEnD,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACzC,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACjD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7B,CAAC;YACD,IAAI,CAAC;gBACH,KAAK,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,2DAA2D;YAC7D,CAAC;YACD,IAAI,KAAK,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3D
,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,6EAA6E;IAC7E,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACtC,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAE5D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,+BAA+B,CAAC,KAAc;IACrD,OAAO,eAAe,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,kCAAkC;IACzC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;IACrC,IAAI,aAAa;QAAE,KAAK,CAAC,GAAG,CAAC,cAAc,aAAa,EAAE,CAAC,CAAC;IAC5D,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;AACpB,CAAC;AAED,SAAS,0BAA0B,CAAC,KAAc,EAAE,IAAY;IAC9D,0EAA0E;IAC1E,4EAA4E;IAC5E,kDAAkD;IAClD,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IACzC,MAAM,WAAW,GAAG,iBAAiB,EAAE,CAAC;IACxC,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;QACvB,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,WAAW,EAAE,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED,SAAS,4BAA4B,CAAC,KAAc;IAClD,KAAK,MAAM,IAAI,IAAI,kCAAkC,EAAE,EAAE,CAAC;QACxD,0BAA0B,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC1C,CAAC;AACH,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc;IAEd,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5D,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,KAAK;YAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IAC7C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AACD,SAAS,kBAAkB;IACzB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IACjE,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,MAAM,IAAI,GAAG,GAAG;SACb,WAAW,EAAE;SACb,OAAO,CAAC,cAAc,EAAE,GAAG,CAAC;SAC5B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC3B,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAe;IACvC,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9E,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC1D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3B,OAAO,GAAG,CAAC,QAAQ,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,EAAE,YAAY,C
AAC,IAAI,EAAE,CAAC;IACvD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IAClD,OAAO,CACL,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC;QAC3B,uDAAuD,CAAC,IAAI,CAAC,OAAO,CAAC,CACtE,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,KAAc;IAChD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IAClD,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC5C,IACE,GAAG,CAAC,QAAQ,KAAK,QAAQ;YACzB,CAAC,QAAQ,KAAK,eAAe;gBAC3B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACnC,QAAQ,KAAK,eAAe;gBAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACnC,QAAQ,KAAK,eAAe;gBAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACnC,QAAQ,KAAK,YAAY;gBACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,EACnC,CAAC;YACD,OAAO,GAAG,CAAC,MAAM,CAAC;QACpB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,mBAAmB,CAC1B,KAAc,EACd,KAAa,EACb,UAAmC,EAAE;IAErC,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IACpC,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;IAC/C,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,EAAE,CAAC;IACvD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IAClD,OAAO,CAAC,IAAI,CAAC,8BAA8B,EAAE;QAC3C,KAAK;QACL,GAAG,EAAE,kBAAkB,EAAE;QACzB,IAAI;QACJ,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC;QAC9B,QAAQ,EAAE,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC;QACrC,kBAAkB,EAAE,qBAAqB,CAAC,IAAI,CAAC,SAAS,CAAC;QACzD,eAAe,EACb,uDAAuD,CAAC,IAAI,CAAC,OAAO,CAAC;QACvE,GAAG,IAAI;KACR,CAAC,CAAC;AACL,CAAC;AACD,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;AAErD,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IACjC,OAAO,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,MAAM,CAAC;AACjD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAAC,GAA8B;IAC3D,IAAI,CAAC,GAAG;QAAE,OAAO,GAAG,CAAC;IACrB,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IACxC,IAAI,CAAC;
QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,0BAA0B,CAAC,CAAC;QACxD,IAAI,MAAM,CAAC,MAAM,KAAK,0BAA0B;YAAE,OAAO,GAAG,CAAC;QAC7D,OAAO,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,CAAC;IACb,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,KAAK,UAAU,oBAAoB,CACjC,KAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IACvD,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,2DAA2D;IAC3D,IAAI,EAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,EAAE,GAAG,SAAS,CAAC;IACjB,CAAC;IACD,mEAAmE;IACnE,MAAM,UAAU,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,MAAM,UAAU,GACd,UAAU,KAAK,WAAW;QAC1B,UAAU,KAAK,KAAK;QACpB,UAAU,KAAK,kBAAkB;QACjC,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,OAAO,MAAM,cAAc,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iCAAiC,CACxC,QAAkB;IAElB,IAAI,CAAC;QACH,yEAAyE;QACzE,qEAAqE;QACrE,MAAM,OAAO,GAAG,QAAQ,CAAC,OAExB,CAAC;QACF,MAAM,UAAU,GACd,OAAO,OAAO,CAAC,YAAY,KAAK,UAAU;YACxC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE;YACxB,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;iBAC9B,KAAK,CAAC,aAAa,CAAC;iBACpB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBACpB,MAAM,CAAC,OAAO,CAAC,CAAC;QACzB,KAAK,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;YAC5B,oEAAoE;YACpE,oEAAoE;YACpE,mDAAmD;YACnD,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CACpB,sDAAsD,CACvD,CAAC;YACF,IAAI,KAAK;gBAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kCAAkC;IACpC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,SAAS,eAAe;IACtB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACxC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,MAAM;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACzB,IAAI,OAAO,IAAI,CAAC,MAA
M,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,KAAa,EAAE,MAAgB;IACrD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,IACE,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;YACnC,MAAM,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAC1C,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IAC/C,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IACnD,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACzC,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc;IAEd,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,WAAW,CAAC,CAAC;IACjD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtD,CAAC;AAED,SAAS,8BAA8B,CAAC,KAAc;IACpD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC1C,IAAI,MAAM,IAAI,+BAA+B,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvE,qEAAqE;IACrE,wEAAwE;IACxE,2EAA2E;IAC3E,2EAA2E;IAC3E,6DAA6D;IAC7D,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC,KAAK,EAAE,kBAAkB,CAAC,KAAK,eAAe,CAAC;AAC7E,CAAC;AAED,SAAS,iBAAiB,CACxB,KAAc,EACd,KAAa,EACb,KAAc;IAEd,IAAI,CAAC,8BAA8B,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IAChE,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AAClE,CAAC;AAED;;;;;GAKG;AACH,MAAM,8BAA8B,GAAa;IAC/C,yCAAyC;IACzC,sBAAsB;IACtB,wCAAwC;IACxC,kBAAkB;IAClB,yCAAyC;IACzC,iBAAiB;CAClB,CAAC;AAEF,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,GAAG,GAAI,KAA+B,EAAE,OAAO,CAAC;IACtD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,8BAA8B,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,8EAA8E;AAC9E,+EAA+E;AAC/E,oEAAoE;AACpE,
8EAA8E;AAE9E,IAAI,mBAA8C,CAAC;AACnD,IAAI,aAAa,GAAG,eAAe,CAAC;AAEpC,KAAK,UAAU,kBAAkB;IAC/B,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzB,mBAAmB,GAAG,CAAC,KAAK,IAAI,EAAE;YAChC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,cAAc,CAAC,GAAG,EAAE,CACxB,MAAM,CAAC,OAAO,CAAC;;;;yBAIE,OAAO,EAAE;;SAEzB,CAAC,CACH,CAAC;YACF,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,OAAO,CAAC,4CAA4C,CAAC,CAAC;YACrE,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;QACH,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACjB,sEAAsE;YACtE,mBAAmB,GAAG,SAAS,CAAC;YAChC,MAAM,GAAG,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,sBAAsB,CAAI,EAAoB;IAC3D,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,EAAE,CAAC;IACpB,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,IAAI,CAAC,EAAE,IAAI,KAAK,OAAO;YAAE,MAAM,CAAC,CAAC;QACjC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC;QACrC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,MAAM,CAAC,CAAC;QACvC,mBAAmB,GAAG,SAAS,CAAC;QAChC,MAAM,kBAAkB,EAAE,CAAC;QAC3B,OAAO,MAAM,EAAE,EAAE,CAAC;IACpB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,KAAa,EAAE,KAAc;IAC5D,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,sBAAsB,CAAC,GAAG,EAAE,CAChC,MAAM,CAAC,OAAO,CAAC;QACb,GAAG,EAAE,UAAU,EAAE;YACf,CAAC,CAAC,yJAAyJ;YAC3J,CAAC,CAAC,6EAA6E;QACjF,IAAI,EAAE,CAAC,KAAK,EAAE,KAAK,IAAI,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,uDAAuD;AACvD,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAa;IAC/C,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,sBAAsB,CAAC,GAAG,EAAE,CAChC,MAAM,CAAC,OAAO,CAAC;QACb,GAAG,EAAE,sCAAsC;QAC3C,IAAI,EAAE,CAAC,KAAK,CAAC;KACd,CAAC,CACH,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAa;IACjD,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,sBAAsB,CAAC,GAAG,EAAE,CACjD,MAAM,CAAC,OAAO,CAAC;QACb,GAAG,EAAE,wDAAwD;QAC7D,IAAI,EAAE,CAAC,KAAK,CAAC;KACd,CAAC,CACH,CAAC;IACF,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CA
AC,UAAoB,CAAC;IAC/C,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,aAAa,GAAG,IAAI,EAAE,CAAC;QAClD,MAAM,MAAM,CAAC,OAAO,CAAC;YACnB,GAAG,EAAE,sCAAsC;YAC3C,IAAI,EAAE,CAAC,KAAK,CAAC;SACd,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,KAAgB,IAAI,IAAI,CAAC;AAC3C,CAAC;AAED,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E,IAAI,gBAAgB,GAClB,IAAI,CAAC;AAiBP,IAAI,gBAAgB,GAA2B,IAAI,CAAC;AACpD,MAAM,gCAAgC,GAAG,IAAI,OAAO,EAAmB,CAAC;AAExE,SAAS,2BAA2B,CAClC,UAAqD,EAAE;IAEvD,OAAO,6BAA6B,CAClC,OAAO,CAAC,oBAAoB,IAAI,2BAA2B,EAAE,CAC9D,CAAC;AACJ,CAAC;AAED,SAAS,8BAA8B,CACrC,UAGI,EAAE;IAEN,MAAM,GAAG,GAAG,8BAA8B,EAAE,CAAC;IAC7C,OAAO;QACL,WAAW,EAAE,OAAO,CAAC,uBAAuB,IAAI,GAAG,CAAC,WAAW;QAC/D,cAAc,EAAE,OAAO,CAAC,0BAA0B,IAAI,GAAG,CAAC,cAAc;KACzE,CAAC;AACJ,CAAC;AAED,SAAS,kCAAkC,CACzC,GAAU,EACV,OAAgB;IAEhB,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,gCAAgC,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED,SAAS,kCAAkC,CAAC,GAAU;IACpD,OAAO,gCAAgC,CAAC,GAAG,CAAC,GAAa,CAAC,KAAK,KAAK,CAAC;AACvE,CAAC;AA0BD,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAgC,CAAC;AAClE,MAAM,6BAA6B,GAAG,aAAa,CAAC;AACpD,MAAM,+BAA+B,GAAG,IAAI,GAAG,CAAC;IAC9C,mBAAmB;IACnB,uBAAuB;CACxB,CAAC,CAAC;AAEH,iEAAiE;AACjE,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAE9C,MAAM,UAAU,kBAAkB,CAChC,MAAc,EACd,KAAa,EACb,KAAa;IAEb,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE;QAC5B,KAAK;QACL,KAAK;QACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB;KAChD,CAAC,CAAC;IACH,wEAAwE;IACxE,yEAAyE;IACzE,kBAAkB;IAClB,KAAK,0BAA0B,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,MAAc,EACd,KAAkC;IAElC,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE;QAC5B,KAAK;QACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB;KAChD,CAAC,CAAC;IACH,KAAK,+BAA+B,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AACtD,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,0BAA0B,CACvC,MAAc,EACd,KAAa,EACb,KAAa;IAEb,IAAI,CAAC;QACH,MAAM,UAAU,CAAC,OAAO,MAAM,EAAE,EAAE,GAAG,KAAK,KAAK,KAAK,EAAE,CAAC,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;IAClD,CAAC;AACH,CAAC;AAED,KAAK,UAAU,+BAA+B,CAC5C,MAAc,EACd,KAAkC;IAElC,I
AAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACzE,MAAM,UAAU,CACd,OAAO,MAAM,EAAE,EACf,GAAG,6BAA6B,GAAG,OAAO,EAAE,CAC7C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;IAClD,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,4BAA4B,CACzC,MAAc;IAEd,IAAI,CAAC;QACH,wEAAwE;QACxE,6EAA6E;QAC7E,wDAAwD;QACxD,yEAAyE;QACzE,wEAAwE;QACxE,wDAAwD;QACxD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,yEAAyE;YAC9E,IAAI,EAAE,CAAC,OAAO,MAAM,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB,CAAC;SAC9D,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAkB,CAAC;QAC9D,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACzB,IAAI,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,EAAE,CAAC;YACrD,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,MAAM,CAAC,CAAC;YAC/D,OAAO;gBACL,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC;aAC5D,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,MAAM,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/B,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC;IAC7E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,WAAW,CAAC,GAAG,EAAE;IACf,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,iBAAiB,EAAE,CAAC;QACvC,IAAI,CAAC,CAAC,SAAS,GAAG,GAAG;YAAE,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC;AACH,CAAC,EAAE,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;AAErB;;;;GAIG;AACH,IAAI,YAAY,GAEL,IAAI,CAAC;AAEhB;;;;;;;GAOG;AACH,IAAI,WAAW,GAAiB,IAAI,CAAC;AAErC;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,KAAc;IAEd,IAAI,CAAC,YAAY;QAAE,OAAO,CAAC,sCAAsC;IACjE,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,SAAS,gBAAgB,CAAC,KAAc;IAItC,wEAAwE;IACxE,oEAAoE;IACpE,oEAAoE;IACpE,gEAAgE;IAC
hE,kCAAkC;IAClC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACxD,MAAM,aAAa,GAAG,oBAAoB,CAAC,MAAM,EAAE;QACjD,cAAc,EAAE,sBAAsB,EAAE;QACxC,6BAA6B,EAAE,IAAI;KACpC,CAAC,CAAC;IACH,IAAI,CAAC,aAAa;QAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC/D,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,aAAa,CAAC,CAAC;IACvE,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3C,iBAAiB,CAAC,KAAK,EAAE,kCAAkC,EAAE,MAAM,CAAC,CAAC;IACrE,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;IACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,kFAAkF,CACnF,CAAC;IACF,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,qBAAqB;IAC5B,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACrC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,SAAS;YAAE,OAAO;QAE3C,IAAI,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,uBAAuB,CAAC,GAAU;IACzC,MAAM,OAAO,GAAG,qBAAqB,EAAE,CAAC;IACxC,GAAG,CAAC,GAAG,CAAC,qBAAqB,EAAE,OAAO,CAAC,CAAC;IACxC,GAAG,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,oCAAoC;IAC3C,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG;QAC1C,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,GAAG,CAChD,CAAC;AACJ,CAAC;AAED,SAAS,4BAA4B,CAAC,QAAgB;IACpD,OAAO,CACL,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC;QACtC,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAc;IAI7C,MAAM,eAAe,GAAI,KAAa,CAAC,OAAO,EAAE,gBAAgB,CAAC;IACjE,IAAI,OAAO,eAAe,KAAK,QAAQ,IAAI,eAAe,EAAE,CAAC;QAC3D,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,EAAE,MAAM,IAAI,EAAE,EAAE,CAAC;IACvE,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;IACtD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,OAAO;QACL,OAAO,EAAE,UAAU,IAAI,CAAC,CAAC,CAAC,C
AAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG;QACzD,MAAM,EAAE,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE;KACrD,CAAC;AACJ,CAAC;AAED,SAAS,mCAAmC,CAC1C,KAAc;IAEd,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;IAC3D,MAAM,cAAc,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,IACE,CAAC,QAAQ;QACT,CAAC,oCAAoC,EAAE;QACvC,CAAC,4BAA4B,CAAC,cAAc,CAAC;QAC7C,OAAO,KAAK,GAAG,QAAQ,gBAAgB;QACvC,OAAO,CAAC,UAAU,CAAC,GAAG,QAAQ,iBAAiB,CAAC,EAChD,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,eAAe,CAC/B,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAClD,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACf,MAAM,KAAK,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;IAC5C,IACE,CAAC,KAAK;QACN,KAAK,KAAK,kBAAkB,EAAE;QAC9B,CAAC,2BAA2B,CAAC,KAAK,CAAC,EACnC,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;QACtB,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,KAAK,GAAG,cAAc,GAAG,MAAM,EAAE,EAAE;KAC7D,CAAC,CAAC;AACL,CAAC;AAED,SAAS,kCAAkC,CAAC,GAAW;IACrD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAChC,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAC9D,qBAAqB,CACtB,CAAC;IACF,OAAO,oCAAoC,CAAC,KAAK,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,iCAAiC,CAAC,KAAc,EAAE,CAAS;IAClE,IAAI,CAAC,KAAK,gCAAgC,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;QACtD,OAAO,OAAO,CAAC,kCAAkC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,CAAC,KAAK,iCAAiC,EAAE,CAAC;QAC5C,OAAO,OAAO,CACZ,oCAAoC,CAClC,SAAS,CAAC,KAAK,EAAE,4BAA4B,CAAC,CAC/C,CACF,CAAC;IACJ,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB;IAGxB,OAAO,KAAK,EAAE,KAAc,EAAE,EAAE;QAC9B,MAAM,MAAM,GAAG,gBAAgB,CAAC;QAChC,IAAI,CAAC,MAAM;YAAE,OAAO;QACpB,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;QAE/B,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;QACtD,MAAM,UAAU,GAAG,G
AAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,OAAO,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QACjE,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,SAAS,CAAC;QAC5E,MAAM,CAAC,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,aAAa,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3E,MAAM,aAAa,GAAG,mCAAmC,CAAC,KAAK,CAAC,CAAC;QACjE,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,iEAAiE;QACjE,2CAA2C;QAC3C,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACrC,qEAAqE;QACrE,mEAAmE;QACnE,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,CAAC;YACZ,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,2EAA2E;QAC3E,6EAA6E;QAC7E,IACE,CAAC,CAAC,UAAU,CAAC,sBAAsB,CAAC;YACpC,CAAC,KAAK,gCAAgC;YACtC,CAAC,KAAK,gCAAgC;YACtC,CAAC,KAAK,4CAA4C,EAClD,CAAC;YACD,OAAO;QACT,CAAC;QAED,0EAA0E;QAC1E,2EAA2E;QAC3E,IAAI,iDAAiD,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,0EAA0E;QAC1E,wEAAwE;QACxE,4EAA4E;QAC5E,0EAA0E;QAC1E,0DAA0D;QAC1D,IAAI,CAAC,KAAK,0CAA0C,EAAE,CAAC;YACrD,OAAO;QACT,CAAC;QAED,wEAAwE;QACxE,wEAAwE;QACxE,wEAAwE;QACxE,IAAI,CAAC,KAAK,sDAAsD,EAAE,CAAC;YACjE,OAAO;QACT,CAAC;QAED,uEAAuE;QACvE,uEAAuE;QACvE,IAAI,CAAC,KAAK,oBAAoB,EAAE,CAAC;YAC/B,OAAO;QACT,CAAC;QAED,yEAAyE;QACzE,iEAAiE;QACjE,sEAAsE;QACtE,uEAAuE;QACvE,oEAAoE;QACpE,6DAA6D;QAC7D,IAAI,CAAC,KAAK,kCAAkC,EAAE,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,qEAAqE;QACrE,sEAAsE;QACtE,iDAAiD;QACjD,IAAI,CAAC,KAAK,uCAAuC,EAAE,CAAC;YAClD,OAAO;QACT,CAAC;QAED,qEAAqE;QACrE,uEAAuE;QACvE,oEAAoE;QACpE,qEAAqE;QACrE,uCAAuC;QACvC,EAAE;QACF,qEAAqE;QACrE,qEAAqE;QACrE,mEAAmE;QACnE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,+DAA+D;QAC/D,oCAAoC;QACpC,EAAE;QACF,IAAI,CAAC,KAAK,wBAAwB,EAAE,CAAC;YACnC,MAAM,QAAQ,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAA
C,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAClE,MAAM,UAAU,GAAG,cAAc,CAC/B,IAAI,eAAe,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAC5C,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;oBACtB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;iBAClC,CAAC,CAAC;YACL,CAAC;YACD,OAAO,IAAI,QAAQ,CAAC,SAAS,EAAE;gBAC7B,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;aACxD,CAAC,CAAC;QACL,CAAC;QAED,0EAA0E;QAC1E,0EAA0E;QAC1E,6CAA6C;QAC7C,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;oBACtB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,QAAQ,EAAE,cAAc,EAAE,IAAI,GAAG,EAAE;iBAC/C,CAAC,CAAC;YACL,CAAC;YACD,OAAO,IAAI,QAAQ,CAAC,SAAS,EAAE;gBAC7B,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;aACxD,CAAC,CAAC;QACL,CAAC;QAED,wDAAwD;QACxD,IACE,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC;YACxB,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC;YACxB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACjB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACpB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EACnB,CAAC;YACD,OAAO;QACT,CAAC;QAED,uEAAuE;QACvE,mEAAmE;QACnE,oEAAoE;QACpE,kEAAkE;QAClE,qEAAqE;QACrE,iEAAiE;QACjE,gCAAgC;QAChC,IAAI,CAAC,KAAK,aAAa;YAAE,OAAO;QAChC,IAAI,YAAY,CAAC,aAAa,EAAE,WAAW,CAAC;YAAE,OAAO;QACrD,IAAI,iCAAiC,CAAC,KAAK,EAAE,CAAC,CAAC;YAAE,OAAO;QACxD,IAAI,4BAA4B,CAAC,KAAK,EAAE,CAAC,EAAE,MAAM,CAAC,EAAE,CAAC;YACnD,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,OAAO;YAAE,OAAO;QAEpB,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC7D,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QACnC,CAAC;QAED,uEAAuE;QACvE,yEAAyE;QACzE,uEAAuE;QACvE,oEAAoE;QACpE,iEAAiE;QACjE,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,MAAM,WA
AW,GAAG,MAAM,yBAAyB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAChE,IAAI,WAAW;gBAAE,OAAO,WAAW,CAAC;QACtC,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,SAAS,EAAE;YAC7B,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;SACxD,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,sBAAsB,GAAG,WAAW,CAAC;AAC3C,MAAM,yBAAyB,GAAG,mBAAmB,CAAC;AAEtD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,KAAK,UAAU,yBAAyB,CACtC,KAAc,EACd,UAAkB;IAElB,IAAI,CAAC,gBAAgB,EAAE;QAAE,OAAO,IAAI,CAAC;IACrC,IAAI,OAAO,CAAC,GAAG,CAAC,qCAAqC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAE3E,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;QACvB,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,+CAA+C;YACpD,IAAI,EAAE,CAAC,sBAAsB,CAAC;SAC/B,CAAC,CAAC;QACH,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAEtC,kEAAkE;QAClE,gEAAgE;QAChE,gEAAgE;QAChE,gEAAgE;QAChE,gEAAgE;QAChE,gEAAgE;QAChE,sDAAsD;QACtD,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YAC1C,GAAG,EAAE,8CAA8C;YACnD,IAAI,EAAE,CAAC,sBAAsB,CAAC;SAC/B,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAErC,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,wEAAwE;QACxE,sEAAsE;QACtE,8BAA8B;QAC9B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACzB,IAAI,EAAE;oBACJ,KAAK,EAAE,sBAAsB;oBAC7B,QAAQ,EAAE,yBAAyB;oBACnC,IAAI,EAAE,KAAK;iBACZ;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC;gBAAE,MAAM,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;YACxC,IAAI,EAAE;gBACJ,KAAK,EAAE,sBAAsB;gBAC7B,QAAQ,EAAE,yBAAyB;aACpC;SACF,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,EAAE,KAAK;YAAE,OAAO,IAAI,CAAC;QAEhC,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,sBAAsB,CAAC,CAAC;QAEvD,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;YACtB,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;SAClC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,mEAAmE;QACnE,gEAAgE;QAChE,qDAAqD;QACrD,OAAO,CAAC,IAAI,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;
GAEG;AACH,SAAS,oBAAoB,CAAC,SAG7B;IACC,OAAO;QACL,KAAK,EAAE,SAAS,CAAC,IAAI,CAAC,KAAK;QAC3B,MAAM,EAAE,SAAS,CAAC,IAAI,CAAC,EAAE;QACzB,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,IAAI;QACzB,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,KAAK;QAC/B,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,oBAAoB,IAAI,SAAS;KAC5D,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,KAAc;IAC7C,oDAAoD;IACpD,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;IAC1C,CAAC;IAED,4BAA4B;IAC5B,IAAI,gBAAgB,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,OAAO;YAAE,OAAO,OAAO,CAAC;QAE5B,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,mEAAmE;QACnE,oEAAoE;QACpE,mEAAmE;QACnE,qEAAqE;QACrE,oEAAoE;QACpE,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,GAAG,EAAE,KAAK;YAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;QAC9D,wCAAwC;IAC1C,CAAC;SAAM,CAAC;QACN,yEAAyE;QACzE,0EAA0E;QAC1E,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,kDAAkD;QAClD,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,iBAAiB,EAAE,CAAC;YAC/B,IAAI,EAAE,EAAE,CAAC;gBACP,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC;oBACxC,OAAO,EAAE,KAAK,CAAC,OAAO;iBACvB,CAAC,CAAC;gBACH,IAAI,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;oBAC3B,OAAO,oBAAoB,CAAC,SAAS,CAAC,CAAC;gBACzC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,CAAC,CAAC,CAAC;QACtD,CAAC;QAED,oEAAoE;QACpE,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,kCAAkC;QAClC,qEAAqE;QACrE,sEAAsE;QACtE,gEAAgE;QAChE,oEAAoE;QACpE,uEAAuE;QACvE,wEAAwE;QACxE,kEAAkE;QAClE,gEAAgE;QAChE,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,GAAG,EAAE,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,MAAM,YAAY,GAAG,MAAM,mBAAmB,CAAC,KAAK,CAAC
,CAAC;IACtD,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,KAAc;IAEd,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,QAA8B,CAAC;IAC/D,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACzC,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAC3D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAChC,OAAO,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,oBAAoB,CAAC,KAAc;IAK1C,OAAO,cAAc,CAAC,KAAK,CAAC;QAC1B,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;QACvD,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAc,EAAE,KAAa;IACrE,4BAA4B,CAAC,KAAK,CAAC,CAAC;IACpC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE;QACnC,QAAQ,EAAE,IAAI;QACd,GAAG,oBAAoB,CAAC,KAAK,CAAC;QAC9B,GAAG,iBAAiB,EAAE;QACtB,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,aAAa;KACtB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QACtD,IAAI,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,GAAG,GAAS,KAAa,CAAC,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC;QACvD,MAAM,GAAG,GAAuB,GAAG,EAAE,GAAG,CAAC;QACzC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QACvE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QACxE,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,SAAS,YAAY,CAAC,GAAW,EAAE,WAAqB;IACtD,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5B,OAAO,eAAe,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,KAAe;IA
CpD,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;QAC9B,MAAM,UAAU,GACd,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;YAC7C,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACxB,CAAC,CAAC,SAAS,CAAC;QAChB,OAAO,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,GAAG,GAAG,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,4BAA4B,CACnC,KAAc,EACd,IAAY,EACZ,MAAuB;IAEvB,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IACE,IAAI,KAAK,gBAAgB;QACzB,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC;QAClC,IAAI,KAAK,MAAM;QACf,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QACxB,IAAI,KAAK,cAAc;QACvB,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,EAChC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,0BAA0B,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3E,IAAI,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,uBAAuB,CAAC;QAAE,OAAO,IAAI,CAAC;IACvE,OAAO,MAAM,CAAC,oBAAoB,KAAK,QAAQ,CAAC;AAClD,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,IAAI,CAAC,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC/B,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACtC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;QACxC,OAAO,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;IAChD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAE9E,SAAS,iCAAiC,CAAC,WAAoB;IAC7D,IACE,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG;QAC1C,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,GAAG,EAC/C,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC,WAAW,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IAC5D,MAAM,YAAY,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,IAAI,CAAC,YAAY;QAAE,OAAO,EAAE,CAAC;IAC7B,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;QAChC,eAAe;QACf,aAAa;QACb,KAAK;QACL,OAAO;QACP,QAAQ;QACR,MAAM;QACN,SAAS;QACT,UAAU;QACV,YAAY;KACb,CAAC,CAAC;IACH,IAAI,iBAAiB,CAAC,GAAG,CAAC,YAAY,CAAC;QAAE,OAAO,EAAE,CAAC;IACnD,IAAI,CAAC,2BAA2B,CAAC,YAAY,CAAC;QAAE,OAAO,EAAE,CAAC;IAC1D,OAAO,IAAI,YAAY,EAAE,CAAC;AAC5B,CAAC;AAED,SAAS,iBAAiB,CAAC,UAAoC,EAAE;IAC/D,MAAM,kBAAkB,GACtB,cAAc,EAAE,IAAI,iCAAiC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC7E,OAAO;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAyMoB,IAAI,CAAC,SAAS,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QA+FvD,CAAC;AACT,CAAC;AAED,8EAA8E;AAC9E,+EAA+E;AAC/E,8EAA8E;AAE9E,KAAK,UAAU,qBAAqB,CAClC,GAAU,EACV,OAAoB;IAEpB,MAAM,WAAW,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,CAAC;IACrD,MAAM,oBAAoB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAClE,MAAM,uBAAuB,GAAG,8BAA8B,CAAC,OAAO,CAAC,CAAC;IAExE,wEAAwE;IACxE,0EAA0E;IAC1E,KAAK,MAAM,EAAE,IAAI,CAAC,cAAc,EAAE,cAAc,EAAE,cAAc,CAAC,EAAE,CAAC;QAClE,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;YAAE,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,0EAA0E;IAC1E,uEAAuE;IACvE,yCAAyC;IACzC,IACE,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,OAAO,CAAC,sBAAsB,KAAK,KAAK,EACxC,CAAC;QACD,kCAAkC,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC9C,KAAK,MAAM,EAAE,IAAI;YACf,gCAAgC;YAChC,gCAAgC;SACjC,EAAE,CAAC;YACF,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAAE,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,YAAY,GAAG;YACnB,QAAQ;YACR,gDAAgD;YAChD,kDAAkD;SACnD,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,GAAG,CAAC,GAAG,CACL,gCAAgC,EAChC,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;YAC3B,IAAI,CAAC,kCAAkC,CAAC,GAAG,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC/D,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;gBAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,oEAAoE;YACpE,uDAAuD;YACvD,mEAAmE;YACnE,oEAAoE;YACpE,2DAA2D;YAC3D,MAAM,WAAW,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;YACnD,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;gBACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;YAC3C,CAAC;YACD,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC1B,MAAM,OAAO,GACX,iBAAiB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,OAAO,KAAK,GAAG,IAAI,CAAC,CAAC,OAAO,KAAK,MAAM,CAAC;YACxE,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC,CAAC,OAAkB,IAAI,SAAS,CAAC,CAAC
,CAAC,SAAS,CAAC;YACxE,gEAAgE;YAChE,+DAA+D;YAC/D,+DAA+D;YAC/D,6BAA6B;YAC7B,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,CAAC;YAC7B,MAAM,SAAS,GACb,OAAO,WAAW,KAAK,QAAQ;gBAC7B,CAAC,CAAC,kBAAkB,CAAC,WAAW,EAAE;oBAC9B,oBAAoB,EAAE,qBAAqB,CAAC,KAAK,CAAC;oBAClD,cAAc,EAAE,CAAC,0BAA0B,CAAC,KAAK,CAAC,CAAC;iBACpD,CAAC;gBACJ,CAAC,CAAC,GAAG,CAAC;YACV,MAAM,SAAS,GAAG,SAAS,KAAK,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5D,MAAM,KAAK,GAAG,gBAAgB,CAAC;gBAC7B,WAAW;gBACX,OAAO;gBACP,UAAU,EAAE,KAAK;gBACjB,GAAG,EAAE,kBAAkB,EAAE;gBACzB,SAAS;gBACT,MAAM;aACP,CAAC,CAAC;YACH,mBAAmB,CAAC,KAAK,EAAE,UAAU,EAAE;gBACrC,MAAM;gBACN,OAAO;gBACP,YAAY,EAAE,iBAAiB,CAAC,WAAW,CAAC;gBAC5C,SAAS;gBACT,QAAQ,EAAE,CAAC,CAAC,QAAQ,KAAK,GAAG;gBAC5B,SAAS,EACP,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG;oBAC1C,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,GAAG;aAClD,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBACjC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAiB;gBACxC,YAAY,EAAE,WAAW;gBACzB,aAAa,EAAE,MAAM;gBACrB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,QAAQ;gBACrB,MAAM,EAAE,gBAAgB;gBACxB,KAAK;aACN,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,gDAAgD,MAAM,EAAE,CAAC;YACzE,IAAI,CAAC,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;gBACvB,OAAO,YAAY,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;YAC3C,CAAC;YACD,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;QAC1B,CAAC,CAAC,CACH,CAAC;QAEF,GAAG,CAAC,GAAG,CACL,gCAAgC,EAChC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,IAAI,CAAC,kCAAkC,CAAC,GAAG,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC/D,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;gBAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,MAAM,aAAa,GAAG,mCAAmC,CAAC,KAAK,CAAC,CAAC;YACjE,IAAI,aAAa;gBAAE,OAAO,aAAa,CAAC;YACxC,IAAI,cAAkC,CAAC;YACvC,IAAI,eAAe,GAAG,KAAK,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;gBAC9B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAc,CAAC;gBAClC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAClE,KAAK,CAAC,KAA2B,EACjC,SAAS,CAAC,KAAK,EAAE,gCAAgC,CAAC,CACnD,CAAC;gBACF,cAAc,GAAG,MAAM,CAAC;gBACxB,eAAe,GAAG,OAAO,CAAC;gBAC1B,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,
EAAE;oBAC3C,MAAM;oBACN,OAAO;oBACP,YAAY,EAAE,iBAAiB,CAAC,WAAW,CAAC;oBAC5C,OAAO,EAAE,CAAC,CAAC,IAAI;oBACf,SAAS;iBACV,CAAC,CAAC;gBACH,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,MAAM,aAAa,GACjB,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,KAAK;wBAC5C,CAAC,CAAC,KAAK,CAAC,KAAK;wBACb,CAAC,CAAC,SAAS,CAAC;oBAChB,MAAM,mBAAmB,GACvB,OAAO,KAAK,CAAC,iBAAiB,KAAK,QAAQ;wBAC3C,KAAK,CAAC,iBAAiB;wBACrB,CAAC,CAAC,KAAK,CAAC,iBAAiB;wBACzB,CAAC,CAAC,SAAS,CAAC;oBAChB,MAAM,GAAG,GACP,mBAAmB;wBACnB,aAAa;wBACb,4BAA4B,CAAC;oBAC/B,IAAI,MAAM,EAAE,CAAC;wBACX,uBAAuB,CAAC,MAAM,EAAE;4BAC9B,OAAO,EAAE,0BAA0B,GAAG,EAAE;4BACxC,IAAI,EAAE,aAAa,IAAI,4BAA4B;yBACpD,CAAC,CAAC;oBACL,CAAC;oBACD,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;wBAC3C,MAAM;wBACN,OAAO;wBACP,OAAO,EAAE,GAAG;wBACZ,IAAI,EAAE,aAAa;qBACpB,CAAC,CAAC;oBACH,OAAO,cAAc,CAAC,sBAAsB,GAAG,EAAE,CAAC,CAAC;gBACrD,CAAC;gBACD,iEAAiE;gBACjE,8DAA8D;gBAC9D,+DAA+D;gBAC/D,iEAAiE;gBACjE,OAAO;gBACP,IAAI,CAAC,yBAAyB,CAAC,WAAW,EAAE,KAAK,CAAC,EAAE,CAAC;oBACnD,MAAM,GAAG,GACP,4EAA4E,CAAC;oBAC/E,IAAI,MAAM,EAAE,CAAC;wBACX,uBAAuB,CAAC,MAAM,EAAE;4BAC9B,OAAO,EAAE,GAAG;4BACZ,IAAI,EAAE,sBAAsB;yBAC7B,CAAC,CAAC;oBACL,CAAC;oBACD,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;wBAC3C,MAAM;wBACN,OAAO;wBACP,OAAO,EAAE,GAAG;qBACb,CAAC,CAAC;oBACH,OAAO,cAAc,CAAC,sBAAsB,GAAG,EAAE,CAAC,CAAC;gBACrD,CAAC;gBAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,qCAAqC,EAAE;oBAClE,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,cAAc,EAAE,mCAAmC;qBACpD;oBACD,IAAI,EAAE,IAAI,eAAe,CAAC;wBACxB,IAAI;wBACJ,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAiB;wBACxC,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAqB;wBAChD,YAAY,EAAE,WAAW;wBACzB,UAAU,EAAE,oBAAoB;qBACjC,CAAC;iBACH,CAAC,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACrC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,IAAI,KAAK,CACb,MAAM,CAAC,iBAAiB;wBACtB,MAAM,CAAC,KAAK;wBACZ,uBAAuB,CAC1B,CAAC;gBACJ,CAAC;gBAED,MAAM,OAAO,GAAG,MAAM,KAAK,CACzB,+CAA+C,EAC/C,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,MAAM,CAAC,YAAY,EAAE,EAAE,EAAE,CAChE,CAAC;gBACF,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;gBAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAe,CAAC;
gBACnC,IAAI,CAAC,KAAK;oBAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;gBAC/D,qDAAqD;gBACrD,8DAA8D;gBAC9D,4DAA4D;gBAC5D,8DAA8D;gBAC9D,8DAA8D;gBAC9D,6DAA6D;gBAC7D,+DAA+D;gBAC/D,gEAAgE;gBAChE,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI,EAAE,CAAC;oBACjC,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;gBACJ,CAAC;gBAED,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE;oBAC9D,oBAAoB,EAAE,KAAK;oBAC3B,OAAO;iBACR,CAAC,CAAC;gBACH,mBAAmB,CAAC,KAAK,EAAE,0BAA0B,EAAE;oBACrD,MAAM;oBACN,OAAO;oBACP,eAAe,EAAE,CAAC,CAAC,YAAY;oBAC/B,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;iBACvC,CAAC,CAAC;gBAEH,IAAI,MAAM,IAAI,YAAY,EAAE,CAAC;oBAC3B,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE;wBAC5B,KAAK,EAAE,YAAY;wBACnB,KAAK;wBACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB;qBAChD,CAAC,CAAC;oBACH,+DAA+D;oBAC/D,6DAA6D;oBAC7D,0DAA0D;oBAC1D,KAAK,0BAA0B,CAAC,MAAM,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC;oBAC7D,mBAAmB,CAAC,KAAK,EAAE,0BAA0B,EAAE;wBACrD,MAAM;wBACN,OAAO;qBACR,CAAC,CAAC;gBACL,CAAC;gBAED,OAAO,qBAAqB,CAAC,KAAK,EAAE,KAAK,EAAE;oBACzC,YAAY;oBACZ,OAAO;oBACP,SAAS;oBACT,MAAM;iBACP,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBACpB,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,IAAI,eAAe,CAAC;gBAC7C,IAAI,cAAc,EAAE,CAAC;oBACnB,uBAAuB,CAAC,cAAc,EAAE;wBACtC,OAAO,EAAE,0BAA0B,GAAG,EAAE;wBACxC,IAAI,EAAE,gBAAgB;qBACvB,CAAC,CAAC;gBACL,CAAC;gBACD,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;oBAC3C,MAAM,EAAE,cAAc;oBACtB,OAAO,EAAE,eAAe;oBACxB,OAAO,EAAE,GAAG;iBACb,CAAC,CAAC;gBACH,OAAO,cAAc,CAAC,sBAAsB,GAAG,EAAE,CAAC,CAAC;YACrD,CAAC;QACH,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,qEAAqE;IACrE,mEAAmE;IACnE,GAAG,CAAC,GAAG,CACL,sCAAsC,EACtC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC9B,MAAM,MAAM,GAAG,KAAK,CAAC,OAA6B,CAAC;QACnD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QACD,IAAI,KAAK,GAAG,iBAAiB,
CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC3C,qEAAqE;YACrE,sEAAsE;YACtE,qEAAqE;YACrE,MAAM,MAAM,GAAG,MAAM,4BAA4B,CAAC,MAAM,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,mEAAmE;gBACnE,gEAAgE;gBAChE,kEAAkE;gBAClE,kEAAkE;gBAClE,cAAc;gBACd,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3D,CAAC;YACD,KAAK;gBACH,OAAO,IAAI,MAAM;oBACf,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE;oBACpD,CAAC,CAAC;wBACE,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC;qBAC1B,CAAC;QACV,CAAC;QACD,iBAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACjC,oEAAoE;QACpE,gDAAgD;QAChD,KAAK,aAAa,CAAC,OAAO,MAAM,EAAE,CAAC,CAAC;QACpC,IAAI,OAAO,IAAI,KAAK,EAAE,CAAC;YACrB,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;gBAC3C,MAAM;gBACN,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,OAAO;gBAC5B,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,IAAI;aACvB,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC;QACxD,CAAC;QACD,oEAAoE;QACpE,qEAAqE;QACrE,qEAAqE;QACrE,yBAAyB,CAAC,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QAC9C,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;QAC3D,mBAAmB,CAAC,KAAK,EAAE,kBAAkB,EAAE;YAC7C,MAAM;YACN,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;SAC7C,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;IACpD,CAAC,CAAC,CACH,CAAC;IAEF,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IAEvC,2EAA2E;IAC3E,qEAAqE;IACrE,wEAAwE;IACxE,6CAA6C;IAC7C,MAAM,gBAAgB,GAAqB;QACzC,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;QAC7B,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACxE,CAAC;IACF,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAEnD,kEAAkE;IAClE,GAAG,CAAC,GAAG,CACL,wBAAwB,EACxB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;QACxD,MAAM,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,gBAAg
B,CAAC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC;QAEpE,iEAAiE;QACjE,gEAAgE;QAChE,iEAAiE;QACjE,mEAAmE;QACnE,iEAAiE;QACjE,8DAA8D;QAC9D,+DAA+D;QAC/D,IAAI,UAA8B,CAAC;QACnC,IAAI,WAA+B,CAAC;QACpC,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAI,KAAK,CAAC,GAAe,CAAC,KAAK,EAAE,CAAC;gBAC9C,MAAM,IAAI,GAAG,CAAC,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAE3C,CAAC;gBACd,UAAU,GAAG,IAAI,EAAE,KAAK,CAAC;YAC3B,CAAC;YAAC,MAAM,CAAC;gBACP,8CAA8C;YAChD,CAAC;YACD,mEAAmE;YACnE,gEAAgE;YAChE,qEAAqE;YACrE,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,CAAC;oBACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;oBACtD,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;oBACvB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;wBAC5B,GAAG,EAAE,qDAAqD;wBAC1D,IAAI,EAAE,CAAC,kBAAkB,UAAU,EAAE,CAAC;qBACvC,CAAC,CAAC;oBACH,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAA2B,CAAC;gBAC1D,CAAC;gBAAC,MAAM,CAAC;oBACP,8DAA8D;oBAC9D,kDAAkD;gBACpD,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;QACzD,MAAM,UAAU,GACd,QAAQ,IAAI,IAAI;YAChB,OAAQ,QAAgB,CAAC,MAAM,KAAK,QAAQ;YAC5C,OAAQ,QAAgB,CAAC,OAAO,EAAE,GAAG,KAAK,UAAU,CAAC;QAEvD,mEAAmE;QACnE,gEAAgE;QAChE,2EAA2E;QAC3E,qEAAqE;QACrE,kEAAkE;QAClE,mEAAmE;QACnE,kEAAkE;QAClE,iDAAiD;QACjD,IACE,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;YAChC,UAAU;YACT,QAAqB,CAAC,MAAM,IAAI,GAAG;YACnC,QAAqB,CAAC,MAAM,GAAG,GAAG,EACnC,CAAC;YACD,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC7C,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC1C,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,GAAG,GAAG,GAAG,YAAY,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,mEAAmE;QACnE,mEAAmE;QACnE,4DAA4D;QAC5D,IACE,eAAe;YACf,WAAW;YACX,UAAU;YACT,QAAqB,CAAC,MAAM,IAAI,GAAG;YACnC,QAAqB,CAAC,MAAM,GAAG,GAAG,EACnC,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;gBACtD,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;gBACvB,+DAA+D;gBAC/D,8DAA8D;gBAC9
D,6DAA6D;gBAC7D,8DAA8D;gBAC9D,MAAM,EAAE,CAAC,OAAO,CAAC;oBACf,GAAG,EAAE,6GAA6G;oBAClH,IAAI,EAAE,CAAC,WAAW,CAAC;iBACpB,CAAC,CAAC;gBAEH,0DAA0D;gBAC1D,6DAA6D;gBAC7D,6DAA6D;gBAC7D,6DAA6D;gBAC7D,+DAA+D;gBAC/D,0DAA0D;gBAC1D,0DAA0D;gBAC1D,0DAA0D;gBAC1D,2CAA2C;gBAC3C,EAAE;gBACF,8DAA8D;gBAC9D,8DAA8D;gBAC9D,2DAA2D;gBAC3D,MAAM,eAAe,GAAG,iCAAiC,CACvD,QAAoB,CACrB,CAAC;gBAEF,qDAAqD;gBACrD,IAAI,eAAe,EAAE,CAAC;oBACpB,MAAM,EAAE,CAAC,OAAO,CAAC;wBACf,GAAG,EAAE,wDAAwD;wBAC7D,IAAI,EAAE,CAAC,WAAW,EAAE,eAAe,CAAC;qBACrC,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,EAAE,CAAC,OAAO,CAAC;wBACf,GAAG,EAAE,yCAAyC;wBAC9C,IAAI,EAAE,CAAC,WAAW,CAAC;qBACpB,CAAC,CAAC;gBACL,CAAC;gBAED,4DAA4D;gBAC5D,2DAA2D;gBAC3D,4DAA4D;gBAC5D,iEAAiE;gBACjE,IAAI,CAAC;oBACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;wBAChC,GAAG,EAAE,uCAAuC;wBAC5C,IAAI,EAAE,CAAC,WAAW,CAAC;qBACpB,CAAC,CAAC;oBACH,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAEpC,CAAC;oBACd,IAAI,SAAS,EAAE,CAAC;wBACd,IAAI,eAAe,EAAE,CAAC;4BACpB,MAAM,EAAE,CAAC,OAAO,CAAC;gCACf,GAAG,EAAE,qDAAqD;gCAC1D,IAAI,EAAE,CAAC,SAAS,EAAE,eAAe,CAAC;6BACnC,CAAC,CAAC;wBACL,CAAC;6BAAM,CAAC;4BACN,MAAM,EAAE,CAAC,OAAO,CAAC;gCACf,GAAG,EAAE,sCAAsC;gCAC3C,IAAI,EAAE,CAAC,SAAS,CAAC;6BAClB,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,yCAAyC;gBAC3C,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,yCAAyC;YAC3C,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC,CACH,CAAC;IAEF,kDAAkD;IAClD,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEnC,4BAA4B;QAC5B,IACE,IAAI,EAAE,KAAK;YACX,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;YAC9B,YAAY,CAAC,MAAM,GAAG,CAAC,EACvB,CAAC;YACD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,YAAY,CAAC,EAAE,CAAC;gBAC9C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;YACpC,CAAC;YACD,M
AAM,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC5D,MAAM,UAAU,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YACvC,yBAAyB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;YAC/C,OAAO,iBAAiB,CAAC,KAAK,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;QACxD,CAAC;QAED,uCAAuC;QACvC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAEhC,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC;QACtD,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACxC,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE;aAC1B,CAAC,CAAC;YACH,IAAI,MAAM,EAAE,KAAK,EAAE,CAAC;gBAClB,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC/C,MAAM,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACtC,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC7B,MAAM,eAAe,CAAC;wBACpB,KAAK;wBACL,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;qBAC7C,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YACvD,CAAC;YACD,oEAAoE;YACpE,gEAAgE;YAChE,uDAAuD;YACvD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,+DAA+D;aAClE,CAAC;QACJ,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YACjD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,2BAA2B,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,qDAAqD;IACrD,GAAG,CAAC,GAAG,CACL,8BAA8B,EAC9B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAChC,MAAM,WAAW,GACf,OAAO,IAAI,EAAE,WAAW,KAAK,QAAQ;YACnC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC;YACl
C,CAAC,CAAC,GAAG,CAAC;QAEV,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAChE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACzB,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE;aAClE,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QACxD,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,mDAAmD;IACnD,GAAG,CAAC,GAAG,CACL,4BAA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,WAAW;YAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;QAClD,4BAA4B,CAAC,KAAK,CAAC,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,mCAAmC;QACrC,CAAC;QAED,IAAI,iBAAiB,CAAC,KAAK,CAAC;YAAE,MAAM,eAAe,EAAE,CAAC;QAEtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,CAAC,CACH,CAAC;IAEF,qEAAqE;IACrE,mEAAmE;IACnE,gEAAgE;IAChE,iEAAiE;IACjE,GAAG,CAAC,GAAG,CACL,gCAAgC,EAChC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACxC,CAAC;QACD,IAAI,
CAAC;YACH,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;YACvB,oEAAoE;YACpE,sBAAsB;YACtB,IAAI,MAA0B,CAAC;YAC/B,IAAI,CAAC;gBACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;oBAChC,GAAG,EAAE,uCAAuC;oBAC5C,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;iBACtB,CAAC,CAAC;gBACH,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAuB,CAAC;YAC/D,CAAC;YAAC,MAAM,CAAC;gBACP,6DAA6D;YAC/D,CAAC;YACD,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,CAAC;oBACH,MAAM,EAAE,CAAC,OAAO,CAAC;wBACf,GAAG,EAAE,yCAAyC;wBAC9C,IAAI,EAAE,CAAC,MAAM,CAAC;qBACf,CAAC,CAAC;gBACL,CAAC;gBAAC,MAAM,CAAC;oBACP,eAAe;gBACjB,CAAC;YACH,CAAC;YAED,wDAAwD;YACxD,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,OAAO,CAAC;oBACf,GAAG,EAAE,sCAAsC;oBAC3C,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;iBACtB,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,eAAe;YACjB,CAAC;YAED,gEAAgE;YAChE,kEAAkE;YAClE,4BAA4B,CAAC,KAAK,CAAC,CAAC;YACpC,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,4CAA4C;YAC9C,CAAC;YAED,IAAI,iBAAiB,CAAC,KAAK,CAAC;gBAAE,MAAM,eAAe,EAAE,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,2BAA2B,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,kCAAkC;IAClC,GAAG,CAAC,GAAG,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC,CAAC,CACH,CAAC;IAEF,yEAAyE;IACzE,yEAAyE;IACzE,sCAAsC;IACtC,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE;YAC1C,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;SACxD,CAAC,CAAC;IACL,CAAC
,CAAC,CACH,CAAC;IAEF,mEAAmE;IACnE,sEAAsE;IACtE,MAAM,SAAS,GACb,OAAO,CAAC,SAAS;QACjB,iBAAiB,CAAC;YAChB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;YAC9C,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC,CAAC;IACL,gBAAgB,GAAG;QACjB,SAAS;QACT,WAAW;QACX,oBAAoB;QACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;QAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;KACnE,CAAC;IACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;IACpC,YAAY,GAAG,OAAO,CAAC;IACvB,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,8EAA8E;AAC9E,iEAAiE;AACjE,8EAA8E;AAE9E,SAAS,oBAAoB,CAC3B,GAAU,EACV,YAAsB,EACtB,cAAwB,EAAE,EAC1B,oBAAoB,GAAG,2BAA2B,EAAE,EACpD,uBAAuB,GAAG,8BAA8B,EAAE;IAE1D,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,IACE,CAAC,IAAI,EAAE,KAAK;YACZ,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;YAC9B,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,YAAY,CAAC,EACzC,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QACpC,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC5D,MAAM,UAAU,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QACvC,yBAAyB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;QAC/C,OAAO,iBAAiB,CAAC,KAAK,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;IACxD,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,4BAA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,WAAW;YAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;QAClD,4BAA4B,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,iBAAiB,CAAC,KAAK,CAAC;YAAE,MAAM,eAAe,EAAE,CAAC;QACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC
,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC,CAAC,CACH,CAAC;IAEF,gBAAgB,GAAG;QACjB,SAAS,EAAE,iBAAiB,EAAE;QAC9B,YAAY,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAChC,iBAAiB,CAAC,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;QAC7C,WAAW;QACX,oBAAoB;QACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;QAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;KACnE,CAAC;IACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;IACpC,YAAY,GAAG,OAAO,CAAC;IACvB,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,8EAA8E;AAC9E,+EAA+E;AAC/E,8EAA8E;AAE9E,SAAS,uBAAuB,CAAC,GAAU;IACzC,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAEhC,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC;QACtD,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACxC,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE;aAC1B,CAAC,CAAC;YACH,IAAI,MAAM,EAAE,KAAK,EAAE,CAAC;gBAClB,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC/C,MAAM,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACtC,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC7B,MAAM,eAAe,CAAC;wBACpB,KAAK;wBACL,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;qBAC7C,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YACvD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,+DAA+D;aAClE,CAAC;QACJ,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC
;YACjD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,2BAA2B,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,8BAA8B,EAC9B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAEhC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAChE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;YACnC,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACzB,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE;aACrD,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QACxD,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,4BAA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,WAAW;YAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;QAClD,4BAA4B,CAAC,KAAK,CAAC,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;YACnC,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,6CAA6C;QAC/C,CAAC;QAED,IAAI,i
BAAiB,CAAC,KAAK,CAAC;YAAE,MAAM,eAAe,EAAE,CAAC;QAEtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAU,EACV,UAAuB,EAAE;IAEzB,0EAA0E;IAC1E,yEAAyE;IACzE,wEAAwE;IACxE,0EAA0E;IAC1E,yDAAyD;IACzD,EAAE;IACF,uEAAuE;IACvE,wEAAwE;IACxE,wEAAwE;IACxE,8BAA8B;IAC9B,IAAI,YAAY,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,sBAAsB,KAAK,KAAK,EAAE,CAAC;YAC7C,kCAAkC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjD,CAAC;QACD,oEAAoE;QACpE,2EAA2E;QAC3E,0EAA0E;QAC1E,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC;QACxC,CAAC;QACD,IAAI,gBAAgB,EAAE,CAAC;YACrB,IACE,OAAO,CAAC,UAAU;gBAClB,OAAO,CAAC,SAAS;gBACjB,OAAO,CAAC,SAAS;gBACjB,OAAO,CAAC,kBAAkB,EAC1B,CAAC;gBACD,gBAAgB,CAAC,SAAS;oBACxB,OAAO,CAAC,SAAS;wBACjB,iBAAiB,CAAC;4BAChB,UAAU,EAAE,OAAO,CAAC,UAAU;4BAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;4BAC5B,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;4BAC9C,cAAc,EAAE,OAAO,CAAC,cAAc;yBACvC,CAAC,CAAC;YACP,CAAC;YACD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;gBACxB,gBAAgB,CAAC,WAAW,GAAG;oBAC7B,GAAG,CAAC,gBAAgB,CAAC,WAAW,IAAI,EAAE,CAAC;oBACvC,GAAG,OAAO,CAAC,WAAW;iBACvB,CAAC;YACJ,CAAC;YACD,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;gBACjC,gBAAgB,CAAC,oBAAoB;oBACnC,2BAA2B,CAAC,OAAO,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,OAAO,CAAC,uBAAuB,EAAE,CAAC;gBACpC,gBAAgB,CAAC,uBAAuB;oBACtC,OAAO,CAAC,uBAAuB,CAAC;YACpC,CAAC;YACD,IAAI,OAAO,CAAC,0BAA0B,EAAE,CAAC;gBACvC,gBAAgB,CAAC,0BAA0B;oBACzC,OAAO,CAAC,0BAA0B,CAAC;YACvC,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sEAAsE;IACtE,gEAAgE;IAChE,YAAY,GAAG,IAAI,CAAC;IACpB,gBAAgB,GAAG,IAAI,CAAC;IACxB,WAAW,GAAG,GAAG,CAAC;IAElB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,I
AAI,gBAAgB,EAAE,EAAE,CAAC;YACvB,gBAAgB,GAAG,IAAI,CAAC;YACxB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IAED,gBAAgB;IAChB,gBAAgB,GAAG,IAAI,CAAC;IACxB,aAAa,GAAG,OAAO,CAAC,MAAM,IAAI,eAAe,CAAC;IAClD,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC;IAC9C,MAAM,oBAAoB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAClE,MAAM,uBAAuB,GAAG,8BAA8B,CAAC,OAAO,CAAC,CAAC;IAExE,uBAAuB,CAAC,GAAG,CAAC,CAAC;IAE7B,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC;IACxC,CAAC;IAED,oCAAoC;IACpC,IAAI,gBAAgB,EAAE,CAAC;QACrB,GAAG,CAAC,GAAG,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACnD,CAAC,CAAC,CACH,CAAC;QACF,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CACzC,CAAC;QACF,GAAG,CAAC,GAAG,CACL,4BAA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;YAC9B,CAAC;YACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;YACjD,IAAI,WAAW;gBAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;YAClD,4BAA4B,CAAC,KAAK,CAAC,CAAC;YACpC,IAAI,iBAAiB,CAAC,KAAK,CAAC;gBAAE,MAAM,eAAe,EAAE,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC,CAAC,CACH,CAAC;QAEF,MAAM,aAAa,GAAG,OAAO,CAAC,SAAS,IAAI,iBAAiB,EAAE,CAAC;QAC/D,gBAAgB,GAAG;YACjB,SAAS,EAAE,aAAa;YACxB,GAAG,CAAC,OAAO,CAAC,SAAS;gBACnB,CAAC,CAAC,EAAE;gBACJ,CAAC,CAAC;oBACE,YAAY,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAChC,iBAAiB,CAAC,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;iBAC9C,CAAC;YACN,WAAW;YACX,oBAAoB;YACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;YAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;SACnE,CAAC;QACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,YAAY,GAAG,OAAO,CAAC;QACvB,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;QAErC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;YACnB,OAAO,CAAC,GAAG,CAAC,2DAA2
D,CAAC,CAAC;QAC3E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,yBAAyB;IACzB,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IACjC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,oBAAoB,CAClB,GAAG,EACH,MAAM,EACN,WAAW,EACX,oBAAoB,EACpB,uBAAuB,CACxB,CAAC;QACF,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;YACnB,OAAO,CAAC,GAAG,CACT,iCAAiC,MAAM,CAAC,MAAM,8BAA8B,CAC7E,CAAC;QACJ,OAAO,IAAI,CAAC;IACd,CAAC;IAED,uCAAuC;IACvC,IAAI,CAAC;QACH,MAAM,qBAAqB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;YACnB,OAAO,CAAC,GAAG,CACT,uEAAuE,CACxE,CAAC;IACN,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,kDAAkD,EAAE,GAAG,CAAC,CAAC;QACvE,uBAAuB,CAAC,GAAG,CAAC,CAAC;QAC7B,kEAAkE;QAClE,oEAAoE;QACpE,+DAA+D;QAC/D,MAAM,SAAS,GACb,OAAO,CAAC,SAAS;YACjB,iBAAiB,CAAC;gBAChB,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;gBAC9C,cAAc,EAAE,OAAO,CAAC,cAAc;aACvC,CAAC,CAAC;QACL,gBAAgB,GAAG;YACjB,SAAS;YACT,WAAW;YACX,oBAAoB;YACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;YAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;SACnE,CAAC;QACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,YAAY,GAAG,OAAO,CAAC;QACvB,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CACT,4EAA4E,CAC7E,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,wCAAwC;AACxC,8EAA8E;AAE9E;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAU,EAAE,WAAmB;IACjE,oBAAoB,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC;AAC3C,CAAC","sourcesContent":["import crypto from \"node:crypto\";\nimport {\n defineEventHandler,\n getMethod,\n getQuery,\n getRequestIP,\n sendRedirect,\n setResponseHeader,\n setResponseStatus,\n getCookie,\n setCookie,\n deleteCookie,\n getHeader,\n} from \"h3\";\nimport type { H3Event } from \"h3\";\nimport type { H3AppShim } from \"./framework-request-handler.js\";\n\n// In h3 v2, `event.req` IS the web Request — but in Nitro's dev server (srvx\n// runtime), event.url and event.req share the same underlying URL object.\n// When registerMiddleware strips the mount prefix from event.url.pathname, it\n// also mutates event.req.url 
(NodeRequestURL setter updates nodeReq.url).\n// Better Auth's router uses new URL(request.url).pathname to extract the\n// sub-route, so it must receive the original full URL — not the stripped one.\n// registerMiddleware saves the original pathname in event.context so we can\n// reconstruct a fresh Request with the correct URL here.\nfunction toWebRequest(event: H3Event): Request {\n const req = (event as any).req as Request;\n const ctx = (event as any).context as\n | { _mountedPathname?: string; _mountPrefix?: string }\n | undefined;\n if (ctx?._mountedPathname && ctx._mountPrefix) {\n try {\n const url = new URL(req.url);\n const mountedPathname = stripAppBasePath(ctx._mountedPathname);\n if (url.pathname !== mountedPathname) {\n url.pathname = mountedPathname;\n const method = req.method.toUpperCase();\n const hasBody = method !== \"GET\" && method !== \"HEAD\";\n return new Request(url.href, {\n method: req.method,\n headers: req.headers,\n // Body may already be partially consumed; pass through as-is.\n // GET/HEAD cannot have a body — omit to avoid spec errors.\n ...(hasBody ? 
{ body: req.body, duplex: \"half\" } : {}),\n } as any);\n }\n } catch {\n // URL reconstruction failed — fall through and use original req.\n }\n }\n return req;\n}\n\ntype H3App = H3AppShim;\nimport {\n getDbExec,\n isPostgres,\n intType,\n retryOnDdlRace,\n} from \"../db/client.js\";\nimport { getBetterAuth, getBetterAuthSync } from \"./better-auth-instance.js\";\nimport type { BetterAuthConfig } from \"./better-auth-instance.js\";\nimport {\n getAllowedCorsOrigin,\n readCorsAllowedOrigins,\n} from \"./cors-origins.js\";\nimport { getOnboardingHtml, getResetPasswordHtml } from \"./onboarding-html.js\";\nimport type { GoogleAuthMode } from \"./google-auth-mode.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n readDesktopSso,\n writeDesktopSso,\n clearDesktopSso,\n} from \"./desktop-sso.js\";\nimport {\n isElectron as isElectronRequest,\n getOrigin,\n getAppBasePath,\n getAppUrl,\n encodeOAuthState,\n decodeOAuthState,\n createOAuthSession,\n oauthCallbackResponse,\n oauthErrorPage,\n resolveOAuthRedirectUri,\n isAllowedOAuthRedirectUri,\n} from \"./google-oauth.js\";\nimport { safeOAuthReturnUrl } from \"./oauth-return-url.js\";\nimport { captureAuthError } from \"./sentry.js\";\nimport { extractOAuthStateAppId } from \"../shared/oauth-state.js\";\nimport { isValidWorkspaceAppIdFormat } from \"../shared/workspace-app-id.js\";\nimport {\n normalizeWorkspaceAppAudience,\n workspaceAppAudienceFromEnv,\n workspaceAppRouteAccessFromEnv,\n type WorkspaceAppAudience,\n} from \"../shared/workspace-app-audience.js\";\nimport {\n BUILDER_CONNECT_OWNER_COOKIE,\n BUILDER_CONNECT_PARAM,\n verifyBuilderConnectTokenAndGetOwner,\n} from \"./builder-browser.js\";\n\n/**\n * Get the configured session max age. 
Desktop SSO broker writes from\n * OAuth flows read this so expiration stays consistent with the cookie.\n */\nexport function getSessionMaxAge(): number {\n return sessionMaxAge;\n}\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface AuthSession {\n email: string;\n userId?: string;\n token?: string;\n /** Display name from the auth provider, when available (Better Auth user.name). */\n name?: string;\n /** Active organization ID (from Better Auth organization plugin) */\n orgId?: string;\n /** User's role in the active organization (owner/admin/member) */\n orgRole?: string;\n}\n\nexport interface AuthOptions {\n /** Session max age in seconds. Default: 30 days */\n maxAge?: number;\n /**\n * Custom getSession implementation (for BYOA — Auth.js, Clerk, etc.).\n * When provided, Better Auth is bypassed entirely.\n */\n getSession?: (event: H3Event) => Promise<AuthSession | null>;\n /**\n * Paths that are accessible without authentication.\n * Supports prefix matching: \"/book\" matches /book/anything.\n * Both page routes and API routes can be made public.\n */\n publicPaths?: string[];\n /**\n * Workspace-level audience for the app.\n *\n * \"internal\" keeps the existing behavior: every app page requires an\n * authenticated workspace member unless listed in publicPaths.\n *\n * \"public\" lets unauthenticated visitors load page routes, while framework\n * and API routes remain protected unless explicitly listed in publicPaths.\n */\n workspaceAppAudience?: WorkspaceAppAudience;\n /**\n * Workspace app page paths that anonymous visitors can load.\n * Uses the same prefix matching as publicPaths, but only for page routes:\n * framework, API, and .well-known routes stay protected.\n */\n workspaceAppPublicPaths?: string[];\n /**\n * Workspace app page paths that still require auth when the app audience is\n * public. 
Useful for public sites with login-only admin/management pages.\n */\n workspaceAppProtectedPaths?: string[];\n /**\n * Custom login page HTML. When provided, this HTML is served to\n * unauthenticated page requests instead of the built-in login form.\n * Use this for custom login flows (e.g., \"Sign in with Google\" button).\n */\n loginHtml?: string;\n /**\n * Hide email/password forms on the built-in login page and show only the\n * Google sign-in button. Use this for templates (mail, calendar) where\n * Google connection is required anyway. Has no effect when `loginHtml`\n * is provided.\n */\n googleOnly?: boolean;\n /**\n * Mount the framework's generic Google sign-in routes.\n *\n * Set this to false when a template owns `/_agent-native/google/auth-url`\n * and `/_agent-native/google/callback` itself because it needs broader\n * product scopes and persisted API tokens, not just identity sign-in.\n */\n mountGoogleOAuthRoutes?: boolean;\n /**\n * Additional Google OAuth scopes to request beyond the default identity\n * scopes (`openid`, `email`, `profile`). When set, Better Auth's Google\n * social provider asks for these up front, requests a refresh token\n * (`access_type=offline`), and forces the consent screen so the refresh\n * token is reissued on every sign-in.\n *\n * Tokens land in Better Auth's `account` table, and a database hook\n * mirrors them into `oauth_tokens` so template code (mail's Gmail client,\n * calendar's events fetcher, etc.) 
can pick them up without a separate\n * \"Connect Google\" round-trip.\n *\n * Example for the mail template:\n * ```ts\n * googleScopes: [\n * \"https://www.googleapis.com/auth/gmail.readonly\",\n * \"https://www.googleapis.com/auth/gmail.send\",\n * ],\n * ```\n */\n googleScopes?: string[];\n /**\n * Product marketing content shown alongside the sign-in form.\n * When provided, the page uses a split layout: marketing on the left,\n * sign-in form on the right.\n */\n marketing?: {\n appName: string;\n tagline: string;\n description?: string;\n features?: string[];\n runLocalCommand?: string;\n };\n /**\n * Optional host-scoped notice shown before the built-in Google sign-in\n * redirects to Google.\n */\n googleSignInNotice?: {\n host?: string;\n title: string;\n body: string | string[];\n continueLabel?: string;\n cancelLabel?: string;\n };\n /**\n * Google sign-in flow: `'popup'`, `'redirect'`, or `'auto'` (default).\n *\n * - `'auto'` — popup in normal browsers and Builder web iframes, redirect in\n * Electron and Builder desktop preview/editor surfaces.\n * - `'popup'` — force popup everywhere.\n * - `'redirect'` — force redirect everywhere.\n *\n * Falls back to the `GOOGLE_AUTH_MODE` env var, then `'auto'`.\n */\n googleAuthMode?: GoogleAuthMode;\n /**\n * Additional Better Auth configuration (social providers, plugins, etc.)\n */\n betterAuth?: BetterAuthConfig;\n}\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/**\n * Cookie name for the framework's session cookie.\n *\n * Browsers scope cookies by host (NOT host+port — RFC 6265), so two apps\n * running on different localhost ports share one cookie jar. 
When multiple\n * templates run side-by-side (`dev:all`, the desktop app, multi-template\n * deploys on a shared domain), they would otherwise stomp on each other's\n * `an_session` cookie and ping-pong each other into a logged-out state.\n *\n * When `APP_NAME` is set, suffix the cookie so each app gets its own slot.\n *\n * Workspace exception: in workspace mode (`AGENT_NATIVE_WORKSPACE=1`),\n * every app shares the same origin AND the same DB, and cross-app SSO is\n * the desired behavior — signing into Dispatch should mean you're signed\n * in across the workspace's other apps too. Per-app suffixes break that.\n * Use a single workspace-wide cookie so the legacy `an_session_*` token\n * flow set by `setFrameworkSessionCookie` (which the Builder OAuth popup\n * exchange relies on — see `desktop-exchange` and `oauthCallbackResponse`)\n * is recognised by every app in the workspace.\n *\n * Cross-subdomain exception: when `COOKIE_DOMAIN` is set (e.g.\n * `.agent-native.com` for first-party deploys where each app is its own\n * subdomain — mail.agent-native.com, calendar.agent-native.com, …),\n * use the unsuffixed `an_session` and emit `Domain=<COOKIE_DOMAIN>` so\n * the cookie is shared across every subdomain. Signing into one app\n * signs the user into all of them. Per-app suffixes would defeat the\n * shared cookie since each subdomain reads a different name.\n */\nconst APP_NAME_SLUG = (process.env.APP_NAME || \"\")\n .toLowerCase()\n .replace(/[^a-z0-9]+/g, \"_\")\n .replace(/^_+|_+$/g, \"\");\nconst IS_WORKSPACE_MODE = process.env.AGENT_NATIVE_WORKSPACE === \"1\";\n\n/**\n * When set, the framework session cookie is shared across every subdomain\n * matching this domain (e.g. `.agent-native.com`). 
Reads `COOKIE_DOMAIN`.\n * Returns undefined when unset so cookies stay scoped to the origin host.\n */\nexport function getCookieDomain(): string | undefined {\n const raw = process.env.COOKIE_DOMAIN;\n if (!raw) return undefined;\n const trimmed = raw.trim();\n return trimmed || undefined;\n}\n\nconst HAS_COOKIE_DOMAIN = !!getCookieDomain();\n\nexport const COOKIE_NAME = HAS_COOKIE_DOMAIN\n ? \"an_session\"\n : IS_WORKSPACE_MODE\n ? \"an_session_workspace\"\n : APP_NAME_SLUG\n ? `an_session_${APP_NAME_SLUG}`\n : \"an_session\";\n\n/**\n * Cookie domain attribute spread into every `setCookie`/`deleteCookie`.\n * Empty when `COOKIE_DOMAIN` isn't set so the cookie stays scoped to the\n * single origin (current production default for non-first-party apps).\n */\nexport function cookieDomainAttrs(): { domain?: string } {\n const domain = getCookieDomain();\n return domain ? { domain } : {};\n}\n\nfunction getCookieValues(event: H3Event, name: string): string[] {\n const values: string[] = [];\n const raw = getHeader(event, \"cookie\");\n\n if (raw) {\n for (const part of String(raw).split(\";\")) {\n const trimmed = part.trim();\n if (!trimmed) continue;\n const eq = trimmed.indexOf(\"=\");\n if (eq <= 0) continue;\n if (trimmed.slice(0, eq).trim() !== name) continue;\n\n let value = trimmed.slice(eq + 1).trim();\n if (value.startsWith('\"') && value.endsWith('\"')) {\n value = value.slice(1, -1);\n }\n try {\n value = decodeURIComponent(value);\n } catch {\n // Keep the raw cookie value if it was not percent-encoded.\n }\n if (value && !values.includes(value)) values.push(value);\n }\n }\n\n // H3's cookie parser keeps only the first duplicate name. 
Preserve it as a\n // fallback for mock/runtime shapes that do not expose the raw Cookie header.\n const parsed = getCookie(event, name);\n if (parsed && !values.includes(parsed)) values.push(parsed);\n\n return values;\n}\n\nfunction getFrameworkSessionCookieValues(event: H3Event): string[] {\n return getCookieValues(event, COOKIE_NAME);\n}\n\nfunction frameworkSessionCookieNamesToClear(): string[] {\n const names = new Set([COOKIE_NAME]);\n if (APP_NAME_SLUG) names.add(`an_session_${APP_NAME_SLUG}`);\n return [...names];\n}\n\nfunction deleteCookieFromEveryScope(event: H3Event, name: string): void {\n // Clear host-only cookies first. When COOKIE_DOMAIN was introduced, stale\n // host-only `an_session` cookies could shadow the new domain cookie because\n // browsers send older same-path duplicates first.\n deleteCookie(event, name, { path: \"/\" });\n const domainAttrs = cookieDomainAttrs();\n if (domainAttrs.domain) {\n deleteCookie(event, name, { path: \"/\", ...domainAttrs });\n }\n}\n\nfunction clearFrameworkSessionCookies(event: H3Event): void {\n for (const name of frameworkSessionCookieNamesToClear()) {\n deleteCookieFromEveryScope(event, name);\n }\n}\n\nasync function getLegacyCookieSession(\n event: H3Event,\n): Promise<AuthSession | null> {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n const email = await getSessionEmail(cookie);\n if (email) return { email, token: cookie };\n }\n return null;\n}\nfunction getOAuthStateAppId(): string | undefined {\n const raw = process.env.APP_NAME || process.env.npm_package_name;\n if (!raw) return undefined;\n const slug = raw\n .toLowerCase()\n .replace(/[^a-z0-9-]+/g, \"-\")\n .replace(/^-+|-+$/g, \"\");\n return slug || undefined;\n}\n\nfunction oauthDebugFlowId(flowId: unknown): string | undefined {\n return typeof flowId === \"string\" && flowId ? 
flowId.slice(-10) : undefined;\n}\n\nfunction oauthDebugUrlPath(value: unknown): string | undefined {\n if (typeof value !== \"string\" || !value) return undefined;\n try {\n const url = new URL(value);\n return url.pathname;\n } catch {\n return undefined;\n }\n}\n\nfunction isBuilderOAuthRequest(event: H3Event): boolean {\n const userAgent = getHeader(event, \"user-agent\") || \"\";\n const referer = getHeader(event, \"referer\") || \"\";\n return (\n /Electron/i.test(userAgent) ||\n /builder\\.(io|my)|builderio\\.(xyz|dev)|builder\\.codes/i.test(referer)\n );\n}\n\nfunction builderPreviewReturnOrigin(event: H3Event): string | undefined {\n const referer = getHeader(event, \"referer\") || \"\";\n if (!referer) return undefined;\n try {\n const url = new URL(referer);\n const hostname = url.hostname.toLowerCase();\n if (\n url.protocol === \"https:\" &&\n (hostname === \"builderio.xyz\" ||\n hostname.endsWith(\".builderio.xyz\") ||\n hostname === \"builderio.dev\" ||\n hostname.endsWith(\".builderio.dev\") ||\n hostname === \"builder.codes\" ||\n hostname.endsWith(\".builder.codes\") ||\n hostname === \"builder.my\" ||\n hostname.endsWith(\".builder.my\"))\n ) {\n return url.origin;\n }\n } catch {}\n return undefined;\n}\n\nfunction logGoogleOAuthDebug(\n event: H3Event,\n phase: string,\n details: Record<string, unknown> = {},\n): void {\n const { flowId, ...rest } = details;\n const reqUrl = event.node?.req?.url ?? event.path ?? 
\"\";\n const path = reqUrl.split(\"?\")[0] || undefined;\n const userAgent = getHeader(event, \"user-agent\") || \"\";\n const referer = getHeader(event, \"referer\") || \"\";\n console.info(\"[agent-native][google-oauth]\", {\n phase,\n app: getOAuthStateAppId(),\n path,\n flow: oauthDebugFlowId(flowId),\n electron: /Electron/i.test(userAgent),\n agentNativeDesktop: /AgentNativeDesktop/i.test(userAgent),\n builderReferrer:\n /builder\\.(io|my)|builderio\\.(xyz|dev)|builder\\.codes/i.test(referer),\n ...rest,\n });\n}\nconst DEFAULT_MAX_AGE = 60 * 60 * 24 * 30; // 30 days\n\n// ---------------------------------------------------------------------------\n// Environment helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Check if we're in a development/test environment.\n * Used for cookie security settings, not for auth bypass.\n */\nexport function isDevEnvironment(): boolean {\n const env = process.env.NODE_ENV;\n return env === \"development\" || env === \"test\";\n}\n\n/**\n * Validate a `?return=` URL for the /_agent-native/sign-in entrypoint.\n *\n * Parses the candidate against a sentinel base origin; any input that\n * resolves to a different origin (network-path references, absolute URLs,\n * `data:` / `javascript:` schemes, backslash-bypass tricks WHATWG normalises\n * to `//`) gets rejected and falls back to \"/\". Control characters are\n * stripped up front to defend against header-injection. 
Returns the\n * normalised path the parser produced — never the raw input.\n *\n * Exported for unit tests.\n */\nexport function safeReturnPath(raw: string | null | undefined): string {\n if (!raw) return \"/\";\n if (/[\\x00-\\x1f]/.test(raw)) return \"/\";\n try {\n const parsed = new URL(raw, \"http://safe-base.invalid\");\n if (parsed.origin !== \"http://safe-base.invalid\") return \"/\";\n return parsed.pathname + parsed.search + parsed.hash;\n } catch {\n return \"/\";\n }\n}\n\n/**\n * Read the desktop-SSO broker file, but only if the request is plausibly\n * from the Electron desktop app *and* coming from the local machine.\n *\n * The broker file lives in the user's home directory and trusts the local\n * trust boundary — a non-loopback request that pretends to be Electron\n * via User-Agent must NEVER be allowed to read it. We additionally refuse\n * any read in production builds: the desktop app launches with\n * `NODE_ENV=development` (or unset), and any web-hosted production deploy\n * has no business consulting a per-user file on the server's homedir\n * even if one exists.\n *\n * Returns null when the safety checks fail or the file isn't present.\n */\nasync function readDesktopSsoSafely(\n event: H3Event,\n): Promise<Awaited<ReturnType<typeof readDesktopSso>>> {\n if (process.env.NODE_ENV === \"production\") return null;\n if (!isElectronRequest(event)) return null;\n // Loopback-only: 127.0.0.1, ::1, and the IPv4-mapped form.\n let ip: string | undefined;\n try {\n ip = getRequestIP(event) ?? undefined;\n } catch {\n ip = undefined;\n }\n // Strip an optional zone id (e.g. \"fe80::1%en0\") before comparing.\n const normalised = (ip ?? 
\"\").split(\"%\")[0];\n const isLoopback =\n normalised === \"127.0.0.1\" ||\n normalised === \"::1\" ||\n normalised === \"::ffff:127.0.0.1\" ||\n normalised.startsWith(\"127.\");\n if (!isLoopback) return null;\n return await readDesktopSso();\n}\n\n/**\n * Extract the framework session token from a Better Auth response's\n * Set-Cookie headers, if any. Used by the password-reset path to skip\n * the freshly-minted session when revoking sibling sessions for the\n * user. Returns undefined if no session cookie was minted (the common\n * case — Better Auth's reset doesn't auto-sign-in by default).\n */\nfunction extractSessionTokenFromSetCookies(\n response: Response,\n): string | undefined {\n try {\n // Headers may have multiple Set-Cookie entries; iterate via getSetCookie\n // when available (Node 20+ / undici), else fall back to comma split.\n const headers = response.headers as Headers & {\n getSetCookie?: () => string[];\n };\n const setCookies =\n typeof headers.getSetCookie === \"function\"\n ? headers.getSetCookie()\n : (headers.get(\"set-cookie\") ?? \"\")\n .split(/,(?=[^;]+=)/)\n .map((s) => s.trim())\n .filter(Boolean);\n for (const sc of setCookies) {\n // Better Auth's session cookie name is configurable but defaults to\n // `<prefix>.session_token`. 
Match either the Better Auth default or\n // our COOKIE_NAME (`an_session`) on the same line.\n const match = sc.match(\n /(?:^|\\s|;)(an_session|[\\w.-]*session_token)=([^;]+)/i,\n );\n if (match) return match[2];\n }\n } catch {\n // Best-effort; treat as no token.\n }\n return undefined;\n}\n\n// ---------------------------------------------------------------------------\n// ACCESS_TOKEN resolution\n// ---------------------------------------------------------------------------\n\nfunction getAccessTokens(): string[] {\n const single = process.env.ACCESS_TOKEN;\n const multi = process.env.ACCESS_TOKENS;\n const tokens: string[] = [];\n if (single) tokens.push(single);\n if (multi) {\n for (const t of multi.split(\",\")) {\n const trimmed = t.trim();\n if (trimmed && !tokens.includes(trimmed)) tokens.push(trimmed);\n }\n }\n return tokens;\n}\n\nfunction safeTokenMatch(input: string, tokens: string[]): boolean {\n const inputBuf = Buffer.from(input);\n for (const token of tokens) {\n const tokenBuf = Buffer.from(token);\n if (\n inputBuf.length === tokenBuf.length &&\n crypto.timingSafeEqual(inputBuf, tokenBuf)\n ) {\n return true;\n }\n }\n return false;\n}\n\nfunction getBearerSessionToken(event: H3Event): string | undefined {\n const auth = getHeader(event, \"authorization\");\n if (!auth) return undefined;\n const match = /^Bearer\\s+(.+)$/i.exec(auth.trim());\n return match?.[1]?.trim() || undefined;\n}\n\nasync function getBearerLegacySession(\n event: H3Event,\n): Promise<AuthSession | null> {\n const bearerToken = getBearerSessionToken(event);\n if (!bearerToken) return null;\n const email = await getSessionEmail(bearerToken);\n return email ? 
{ email, token: bearerToken } : null;\n}\n\nfunction shouldExposeSessionTokenInBody(event: H3Event): boolean {\n const origin = getHeader(event, \"origin\");\n if (origin && DESKTOP_AUTH_TOKEN_BODY_ORIGINS.has(origin)) return true;\n\n // Some native WebViews do not consistently emit an Origin header for\n // programmatic fetches. The desktop app marks same-server requests with\n // X-Request-Source; browsers can only use that cross-origin after our CORS\n // allowlist has approved the origin, and same-origin pages already receive\n // an equivalent httpOnly session cookie on successful login.\n return !origin && getHeader(event, \"x-request-source\") === \"clips-desktop\";\n}\n\nfunction authLoginResponse(\n event: H3Event,\n token: string,\n email?: string,\n): { ok: true; token?: string; email?: string } {\n if (!shouldExposeSessionTokenInBody(event)) return { ok: true };\n return email ? { ok: true, token, email } : { ok: true, token };\n}\n\n/**\n * Bad-credential / already-registered errors are normal user behavior, not\n * bugs we want to investigate. 
Filtering them out keeps Sentry signal\n * actionable — a real anomaly (DB error, Better Auth init crash, missing\n * table) shows up clearly because it doesn't match any of these patterns.\n */\nconst EXPECTED_AUTH_FAILURE_PATTERNS: RegExp[] = [\n /invalid\\s+(email|password|credentials)/i,\n /password.*incorrect/i,\n /user\\s+(not\\s+found|already\\s+exists)/i,\n /email\\s+already/i,\n /already\\s+(exists|registered|in\\s+use)/i,\n /not\\s+verified/i,\n];\n\nfunction isExpectedAuthFailure(error: unknown): boolean {\n const msg = (error as { message?: unknown })?.message;\n if (typeof msg !== \"string\") return false;\n return EXPECTED_AUTH_FAILURE_PATTERNS.some((re) => re.test(msg));\n}\n\n// ---------------------------------------------------------------------------\n// Legacy session store — kept for backward compat (addSession/getSessionEmail)\n// Used by google-oauth.ts for mobile deep linking session creation.\n// ---------------------------------------------------------------------------\n\nlet _sessionInitPromise: Promise<void> | undefined;\nlet sessionMaxAge = DEFAULT_MAX_AGE;\n\nasync function ensureSessionTable(): Promise<void> {\n if (!_sessionInitPromise) {\n _sessionInitPromise = (async () => {\n const client = getDbExec();\n await retryOnDdlRace(() =>\n client.execute(`\n CREATE TABLE IF NOT EXISTS sessions (\n token TEXT PRIMARY KEY,\n email TEXT,\n created_at ${intType()} NOT NULL\n )\n `),\n );\n try {\n await client.execute(`ALTER TABLE sessions ADD COLUMN email TEXT`);\n } catch {\n // Column already exists\n }\n })().catch((err) => {\n // Don't cache the rejection — let the next caller retry a fresh init.\n _sessionInitPromise = undefined;\n throw err;\n });\n }\n return _sessionInitPromise;\n}\n\n/**\n * Re-run any `sessions`-table op once if Postgres reports the relation is\n * missing. Covers the case where a prior `ensureSessionTable()` resolved but\n * the table wasn't actually present (e.g. 
a race where the CREATE was dropped\n * on a reused pool connection, or a cached resolved promise from a prior\n * DB URL). Forces a fresh init, then retries the caller's op.\n */\nasync function retryIfSessionsMissing<T>(op: () => Promise<T>): Promise<T> {\n try {\n return await op();\n } catch (e: any) {\n if (e?.code !== \"42P01\") throw e;\n const msg = String(e?.message ?? \"\");\n if (!msg.includes(\"sessions\")) throw e;\n _sessionInitPromise = undefined;\n await ensureSessionTable();\n return await op();\n }\n}\n\n/**\n * Create a new session in the legacy sessions table.\n * Used by google-oauth.ts for mobile deep linking.\n */\nexport async function addSession(token: string, email?: string): Promise<void> {\n await ensureSessionTable();\n const client = getDbExec();\n await retryIfSessionsMissing(() =>\n client.execute({\n sql: isPostgres()\n ? `INSERT INTO sessions (token, email, created_at) VALUES (?, ?, ?) ON CONFLICT (token) DO UPDATE SET email=EXCLUDED.email, created_at=EXCLUDED.created_at`\n : `INSERT OR REPLACE INTO sessions (token, email, created_at) VALUES (?, ?, ?)`,\n args: [token, email ?? null, Date.now()],\n }),\n );\n}\n\n/** Remove a session from the legacy sessions table. 
*/\nexport async function removeSession(token: string): Promise<void> {\n await ensureSessionTable();\n const client = getDbExec();\n await retryIfSessionsMissing(() =>\n client.execute({\n sql: `DELETE FROM sessions WHERE token = ?`,\n args: [token],\n }),\n );\n}\n\n/**\n * Look up the email associated with a legacy session token.\n * Returns null if the session doesn't exist, is expired, or has no email.\n */\nexport async function getSessionEmail(token: string): Promise<string | null> {\n await ensureSessionTable();\n const client = getDbExec();\n const { rows } = await retryIfSessionsMissing(() =>\n client.execute({\n sql: `SELECT email, created_at FROM sessions WHERE token = ?`,\n args: [token],\n }),\n );\n if (rows.length === 0) return null;\n const createdAt = rows[0].created_at as number;\n if (Date.now() - createdAt > sessionMaxAge * 1000) {\n await client.execute({\n sql: `DELETE FROM sessions WHERE token = ?`,\n args: [token],\n });\n return null;\n }\n return (rows[0].email as string) ?? null;\n}\n\n// ---------------------------------------------------------------------------\n// getSession — the auth contract\n// ---------------------------------------------------------------------------\n\nlet customGetSession: ((event: H3Event) => Promise<AuthSession | null>) | null =\n null;\n\n/**\n * Mutable config for the auth guard. 
Stored separately from the guard function\n * so that a custom auth plugin can update the login HTML / public paths even\n * after the default plugin has already installed the middleware (a race that\n * occurs in production serverless environments where the default plugin is\n * auto-mounted before the template's custom auth plugin runs).\n */\ninterface AuthGuardConfig {\n loginHtml: string;\n getLoginHtml?: (event: H3Event, rawPath: string) => string;\n publicPaths: string[];\n workspaceAppAudience: WorkspaceAppAudience;\n workspaceAppPublicPaths: string[];\n workspaceAppProtectedPaths: string[];\n}\nlet _authGuardConfig: AuthGuardConfig | null = null;\nconst _genericGoogleOAuthRoutesEnabled = new WeakMap<object, boolean>();\n\nfunction resolveWorkspaceAppAudience(\n options: Pick<AuthOptions, \"workspaceAppAudience\"> = {},\n): WorkspaceAppAudience {\n return normalizeWorkspaceAppAudience(\n options.workspaceAppAudience ?? workspaceAppAudienceFromEnv(),\n );\n}\n\nfunction resolveWorkspaceAppRouteAccess(\n options: Pick<\n AuthOptions,\n \"workspaceAppPublicPaths\" | \"workspaceAppProtectedPaths\"\n > = {},\n): { publicPaths: string[]; protectedPaths: string[] } {\n const env = workspaceAppRouteAccessFromEnv();\n return {\n publicPaths: options.workspaceAppPublicPaths ?? env.publicPaths,\n protectedPaths: options.workspaceAppProtectedPaths ?? 
env.protectedPaths,\n };\n}\n\nfunction setGenericGoogleOAuthRoutesEnabled(\n app: H3App,\n enabled: boolean,\n): void {\n if (app && typeof app === \"object\") {\n _genericGoogleOAuthRoutesEnabled.set(app, enabled);\n }\n}\n\nfunction areGenericGoogleOAuthRoutesEnabled(app: H3App): boolean {\n return _genericGoogleOAuthRoutesEnabled.get(app as object) !== false;\n}\n\n// Desktop OAuth exchange store — holds session tokens keyed by a unique flow\n// ID so native apps (Tauri, Electron) that open OAuth in the system browser\n// can retrieve the token after the callback completes on the server.\n//\n// Primary: in-memory Map (fast, works for single-instance dev/preview builds).\n// Fallback: sessions table with a \"dex:\" prefixed key for cross-instance\n// durability (Cloudflare Workers, multi-region deployments). The value stored\n// in the `email` column is \"{realToken}::{userEmail}\" so both can be recovered\n// from a single DB lookup.\nexport interface DesktopExchangeErrorPayload {\n message: string;\n code?: string;\n accountId?: string;\n existingOwner?: string;\n attemptedOwner?: string;\n}\n\ntype DesktopExchangeEntry =\n | { token: string; email: string; expiresAt: number }\n | { error: DesktopExchangeErrorPayload; expiresAt: number };\ntype DesktopExchangeStoredEntry =\n | { token: string; email: string }\n | { error: DesktopExchangeErrorPayload };\n\nconst _desktopExchanges = new Map<string, DesktopExchangeEntry>();\nconst DESKTOP_EXCHANGE_ERROR_PREFIX = \"__error__::\";\nconst DESKTOP_AUTH_TOKEN_BODY_ORIGINS = new Set([\n \"tauri://localhost\",\n \"http://localhost:1420\",\n]);\n\n// 5-minute TTL for exchange entries (short — single-use tokens).\nconst DESKTOP_EXCHANGE_TTL_MS = 5 * 60 * 1000;\n\nexport function setDesktopExchange(\n flowId: string,\n token: string,\n email: string,\n) {\n _desktopExchanges.set(flowId, {\n token,\n email,\n expiresAt: Date.now() + DESKTOP_EXCHANGE_TTL_MS,\n });\n // Persist to DB so the token survives cross-instance 
routing (e.g. when\n // templates call this helper directly instead of going through the OAuth\n // callback path).\n void persistDesktopExchangeToDB(flowId, token, email);\n}\n\nexport function setDesktopExchangeError(\n flowId: string,\n error: DesktopExchangeErrorPayload,\n) {\n _desktopExchanges.set(flowId, {\n error,\n expiresAt: Date.now() + DESKTOP_EXCHANGE_TTL_MS,\n });\n void persistDesktopExchangeErrorToDB(flowId, error);\n}\n\n/**\n * Persist a desktop exchange entry to the sessions table so it survives\n * cross-instance routing (e.g. Cloudflare Workers). Stored under a synthetic\n * token key \"dex:{flowId}\"; the `email` column packs both the real session\n * token and the user email so they can be recovered in one query.\n * Non-fatal — if the DB isn't ready yet the in-memory Map still works for\n * same-instance requests.\n */\nasync function persistDesktopExchangeToDB(\n flowId: string,\n token: string,\n email: string,\n): Promise<void> {\n try {\n await addSession(`dex:${flowId}`, `${token}::${email}`);\n } catch {\n // non-fatal — in-memory Map is the primary path\n }\n}\n\nasync function persistDesktopExchangeErrorToDB(\n flowId: string,\n error: DesktopExchangeErrorPayload,\n): Promise<void> {\n try {\n const payload = Buffer.from(JSON.stringify(error)).toString(\"base64url\");\n await addSession(\n `dex:${flowId}`,\n `${DESKTOP_EXCHANGE_ERROR_PREFIX}${payload}`,\n );\n } catch {\n // non-fatal — in-memory Map is the primary path\n }\n}\n\n/**\n * Retrieve and consume a desktop exchange entry from the DB fallback.\n * Returns null if not found or already consumed.\n */\nasync function consumeDesktopExchangeFromDB(\n flowId: string,\n): Promise<DesktopExchangeStoredEntry | null> {\n try {\n // Atomic DELETE...RETURNING prevents token replay: two concurrent polls\n // cannot both retrieve the token because only one DELETE will match the row.\n // SQLite ≥3.35 and PostgreSQL both support this syntax.\n // The created_at predicate enforces the 
5-minute TTL so stale DB entries\n // (e.g. the desktop app never polled) are rejected rather than silently\n // redeemed with the session table's default 30-day TTL.\n const client = getDbExec();\n const { rows } = await client.execute({\n sql: `DELETE FROM sessions WHERE token = ? AND created_at > ? RETURNING email`,\n args: [`dex:${flowId}`, Date.now() - DESKTOP_EXCHANGE_TTL_MS],\n });\n if (rows.length === 0) return null;\n const packed = (rows[0].email ?? rows[0][0]) as string | null;\n if (!packed) return null;\n if (packed.startsWith(DESKTOP_EXCHANGE_ERROR_PREFIX)) {\n const raw = packed.slice(DESKTOP_EXCHANGE_ERROR_PREFIX.length);\n return {\n error: JSON.parse(Buffer.from(raw, \"base64url\").toString()),\n };\n }\n const sepIdx = packed.indexOf(\"::\");\n if (sepIdx === -1) return null;\n return { token: packed.slice(0, sepIdx), email: packed.slice(sepIdx + 2) };\n } catch {\n return null;\n }\n}\n\nsetInterval(() => {\n const now = Date.now();\n for (const [k, v] of _desktopExchanges) {\n if (v.expiresAt < now) _desktopExchanges.delete(k);\n }\n}, 60_000).unref?.();\n\n/**\n * Module-level auth guard function. Set by autoMountAuth() when auth is active.\n * Called by the server middleware to enforce auth on ALL requests (not just\n * /_agent-native/* routes).\n */\nlet _authGuardFn:\n | ((event: H3Event) => Promise<Response | object | string | void>)\n | null = null;\n\n/**\n * The H3 app the auth routes + guard were last mounted on. Module-level\n * state survives Vite HMR restarts, but each HMR cycle creates a fresh\n * nitroApp/H3 instance whose middleware array is empty again. Tracking the\n * app here lets autoMountAuth detect \"same module state, new app\" and\n * re-mount routes instead of silently skipping them because `_authGuardFn`\n * looks populated from a previous cycle.\n */\nlet _mountedApp: H3App | null = null;\n\n/**\n * Run the auth guard on an event. 
Returns a Response/object to block the\n * request (login page or 401), or undefined to allow it through.\n *\n * Called by the default server middleware (server/middleware/auth.ts) to\n * enforce auth on page routes and API routes — not just framework routes.\n */\nexport async function runAuthGuard(\n event: H3Event,\n): Promise<Response | object | string | void> {\n if (!_authGuardFn) return; // Auth not mounted (local mode, etc.)\n return _authGuardFn(event);\n}\n\n// ---------------------------------------------------------------------------\n// Auth guard factory\n// ---------------------------------------------------------------------------\n\n/**\n * Create an auth guard function that checks session and blocks\n * unauthenticated requests. Returns the login HTML for page routes\n * or a 401 JSON response for API routes.\n *\n * Reads loginHtml and publicPaths from _authGuardConfig on every request\n * so that a custom plugin can update them after the default has already\n * installed this middleware (the production race condition fix).\n */\nfunction applyCorsHeaders(event: H3Event): {\n hasOrigin: boolean;\n allowed: boolean;\n} {\n // Framework-level CORS. 
The auth guard runs before any of the app's own\n // route handlers, so we need to set CORS here too — otherwise a 401\n // response would be missing the Allow-Origin header and the browser\n // blocks the response body (making it look like a network error\n // rather than \"unauthenticated\").\n const origin = getHeader(event, \"origin\");\n if (!origin) return { hasOrigin: false, allowed: true };\n const allowedOrigin = getAllowedCorsOrigin(origin, {\n allowedOrigins: readCorsAllowedOrigins(),\n allowLocalhostWhenNoAllowlist: true,\n });\n if (!allowedOrigin) return { hasOrigin: true, allowed: false };\n setResponseHeader(event, \"Access-Control-Allow-Origin\", allowedOrigin);\n setResponseHeader(event, \"Vary\", \"Origin\");\n setResponseHeader(event, \"Access-Control-Allow-Credentials\", \"true\");\n setResponseHeader(\n event,\n \"Access-Control-Allow-Methods\",\n \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n );\n setResponseHeader(\n event,\n \"Access-Control-Allow-Headers\",\n \"Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF\",\n );\n return { hasOrigin: true, allowed: true };\n}\n\nfunction createAuthCorsHandler() {\n return defineEventHandler((event) => {\n const cors = applyCorsHeaders(event);\n if (getMethod(event) !== \"OPTIONS\") return;\n\n if (cors.hasOrigin && !cors.allowed) {\n setResponseStatus(event, 403);\n return \"\";\n }\n\n setResponseStatus(event, 204);\n return \"\";\n });\n}\n\nfunction mountAuthCorsMiddleware(app: H3App): void {\n const handler = createAuthCorsHandler();\n app.use(\"/_agent-native/auth\", handler);\n app.use(\"/_agent-native/google\", handler);\n}\n\nfunction isWorkspaceOAuthCallbackRelayEnabled(): boolean {\n return (\n process.env.AGENT_NATIVE_WORKSPACE === \"1\" ||\n process.env.VITE_AGENT_NATIVE_WORKSPACE === \"1\"\n );\n}\n\nfunction isFrameworkOAuthCallbackPath(pathname: string): boolean {\n return (\n pathname.startsWith(\"/_agent-native/\") &&\n (pathname.endsWith(\"/callback\") 
|| pathname.includes(\"/callback/\"))\n );\n}\n\nfunction getRequestPathAndSearch(event: H3Event): {\n rawPath: string;\n search: string;\n} {\n const mountedPathname = (event as any).context?._mountedPathname;\n if (typeof mountedPathname === \"string\" && mountedPathname) {\n return { rawPath: mountedPathname, search: event.url?.search || \"\" };\n }\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n const queryStart = url.indexOf(\"?\");\n return {\n rawPath: queryStart >= 0 ? url.slice(0, queryStart) : url,\n search: queryStart >= 0 ? url.slice(queryStart) : \"\",\n };\n}\n\nfunction workspaceOAuthCallbackRelayResponse(\n event: H3Event,\n): Response | undefined {\n const { rawPath, search } = getRequestPathAndSearch(event);\n const normalizedPath = stripAppBasePath(rawPath);\n const basePath = getAppBasePath();\n if (\n !basePath ||\n !isWorkspaceOAuthCallbackRelayEnabled() ||\n !isFrameworkOAuthCallbackPath(normalizedPath) ||\n rawPath === `${basePath}/_agent-native` ||\n rawPath.startsWith(`${basePath}/_agent-native/`)\n ) {\n return undefined;\n }\n\n const state = new URLSearchParams(\n search.startsWith(\"?\") ? search.slice(1) : search,\n ).get(\"state\");\n const appId = extractOAuthStateAppId(state);\n if (\n !appId ||\n appId === getOAuthStateAppId() ||\n !isValidWorkspaceAppIdFormat(appId)\n ) {\n return undefined;\n }\n\n return new Response(\"\", {\n status: 302,\n headers: { Location: `/${appId}${normalizedPath}${search}` },\n });\n}\n\nfunction verifiedBuilderConnectOwnerFromUrl(url: string): string | null {\n const queryStart = url.indexOf(\"?\");\n if (queryStart < 0) return null;\n const token = new URLSearchParams(url.slice(queryStart + 1)).get(\n BUILDER_CONNECT_PARAM,\n );\n return verifyBuilderConnectTokenAndGetOwner(token);\n}\n\nfunction shouldBypassAuthForBuilderConnect(event: H3Event, p: string): boolean {\n if (p === \"/_agent-native/builder/connect\") {\n const url = event.node?.req?.url ?? event.path ?? 
\"/\";\n return Boolean(verifiedBuilderConnectOwnerFromUrl(url));\n }\n\n if (p === \"/_agent-native/builder/callback\") {\n return Boolean(\n verifyBuilderConnectTokenAndGetOwner(\n getCookie(event, BUILDER_CONNECT_OWNER_COOKIE),\n ),\n );\n }\n\n return false;\n}\n\nfunction createAuthGuardFn(): (\n event: H3Event,\n) => Promise<Response | object | string | void> {\n return async (event: H3Event) => {\n const config = _authGuardConfig;\n if (!config) return;\n const { publicPaths } = config;\n\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n const queryStart = url.indexOf(\"?\");\n const rawPath = queryStart >= 0 ? url.slice(0, queryStart) : url;\n const loginHtml = config.getLoginHtml?.(event, rawPath) ?? config.loginHtml;\n const p = stripAppBasePath(rawPath);\n const normalizedUrl = queryStart >= 0 ? `${p}${url.slice(queryStart)}` : p;\n const callbackRelay = workspaceOAuthCallbackRelayResponse(event);\n if (callbackRelay) return callbackRelay;\n\n // Emit CORS headers on every request the guard sees so that even\n // error responses (401) reach the browser.\n const cors = applyCorsHeaders(event);\n // Preflight short-circuit: the browser sends OPTIONS before the real\n // credentialed request. Must return success without invoking auth.\n if (getMethod(event) === \"OPTIONS\") {\n if (cors.hasOrigin && !cors.allowed) {\n setResponseStatus(event, 403);\n return \"\";\n }\n setResponseStatus(event, 204);\n return \"\";\n }\n\n // Skip auth routes and specific Google OAuth endpoints that must be public\n // (callback and auth-url). 
Other Google endpoints like /status require auth.\n if (\n p.startsWith(\"/_agent-native/auth/\") ||\n p === \"/_agent-native/google/callback\" ||\n p === \"/_agent-native/google/auth-url\" ||\n p === \"/_agent-native/google/add-account/callback\"\n ) {\n return;\n }\n\n // Integration webhook endpoints verify authenticity via platform-specific\n // signature verification (Slack HMAC, Telegram token, etc.), not sessions.\n if (/^\\/_agent-native\\/integrations\\/[^/]+\\/webhook$/.test(p)) {\n return;\n }\n\n // Internal processor endpoint for the integration webhook fanout. The\n // webhook handler enqueues a task to SQL and dispatches a fresh HTTP POST\n // to this endpoint so the agent loop runs in its own function execution\n // (cross-platform serverless-safe — see `integrations/webhook-handler.ts`).\n // Authenticity is verified via an HMAC token signed with A2A_SECRET, plus\n // an atomic SQL claim that prevents duplicate processing.\n if (p === \"/_agent-native/integrations/process-task\") {\n return;\n }\n\n // Internal processor endpoint for deferred A2A continuations created by\n // integration tasks. It uses the same HMAC internal-token scheme as the\n // primary integration processor, so it must bypass cookie/session auth.\n if (p === \"/_agent-native/integrations/process-a2a-continuation\") {\n return;\n }\n\n // A2A endpoint verifies authenticity via JWT signed with the org's A2A\n // secret (or the global A2A_SECRET fallback), not via session cookies.\n if (p === \"/_agent-native/a2a\") {\n return;\n }\n\n // Internal processor endpoint for the A2A async-mode fanout. 
Mirrors the\n // integration webhook fanout: when `message/send` is called with\n // `async: true`, the JSON-RPC handler enqueues to a2a_tasks and self-\n // fires a POST here so the handler runs in a fresh function execution.\n // Authenticity is verified via an HMAC token signed with A2A_SECRET\n // (same scheme as /_agent-native/integrations/process-task).\n if (p === \"/_agent-native/a2a/_process-task\") {\n return;\n }\n\n // A2A secret receive endpoint — verifies authenticity via JWT signed\n // with the calling app's A2A secret, not via session cookies. Used to\n // sync the org A2A secret across connected apps.\n if (p === \"/_agent-native/org/a2a-secret/receive\") {\n return;\n }\n\n // Force-sign-in entrypoint. Templates send viewers from public pages\n // (share links, embeds) here with a `?return=<path>` query — anonymous\n // visitors get the loginHtml, and once they sign in the loginHtml's\n // post-login reload re-hits this same URL with a session cookie set,\n // so we 302 them to the original page.\n //\n // `return` is validated by parsing it against a sentinel base origin\n // and checking the resolved origin still matches. This rejects every\n // open-redirect shape — `//evil.com/...` (network-path reference),\n // `/\\evil.com/...` (WHATWG URL parser normalises `\\` to `/` in HTTP\n // URLs, so a naive prefix check on `//` misses this), absolute URLs\n // like `https://evil.com`, and `data:` / `javascript:` schemes. The\n // reconstructed path comes from the parsed segments so any leftover\n // quirks get normalised. Control chars (incl. CR/LF for header\n // injection) are rejected up front.\n //\n if (p === \"/_agent-native/sign-in\") {\n const queryStr = queryStart >= 0 ? 
url.slice(queryStart + 1) : \"\";\n const safeReturn = safeReturnPath(\n new URLSearchParams(queryStr).get(\"return\"),\n );\n const session = await getSession(event);\n if (session) {\n return new Response(\"\", {\n status: 302,\n headers: { Location: safeReturn },\n });\n }\n return new Response(loginHtml, {\n status: 200,\n headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n });\n }\n\n // Auth entry pages are framework-owned pages, not app routes. When a user\n // already has a session, redirect them back to the mounted app instead of\n // letting React Router try to render /login.\n if (p === \"/login\" || p === \"/signup\") {\n const session = await getSession(event);\n if (session) {\n return new Response(\"\", {\n status: 302,\n headers: { Location: getAppBasePath() || \"/\" },\n });\n }\n return new Response(loginHtml, {\n status: 200,\n headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n });\n }\n\n // Skip static assets (Vite chunks, fonts, images, etc.)\n if (\n p.startsWith(\"/assets/\") ||\n p.startsWith(\"/_build/\") ||\n p.endsWith(\".js\") ||\n p.endsWith(\".css\") ||\n p.endsWith(\".map\") ||\n p.endsWith(\".ico\") ||\n p.endsWith(\".png\") ||\n p.endsWith(\".svg\") ||\n p.endsWith(\".woff2\") ||\n p.endsWith(\".woff\")\n ) {\n return;\n }\n\n // React Router 7's lazy route discovery fetches `/__manifest?p=...` to\n // resolve manifest patches for `<Link>`s the user might click. The\n // auth fallback returning loginHtml here makes RR fail to parse the\n // body as RSC, surfacing as a console error and (when the visitor\n // already errored elsewhere) blocking the app from rendering. 
Let it\n // through — it returns a tiny RSC-encoded manifest of the public\n // route tree, no per-user data.\n if (p === \"/__manifest\") return;\n if (isPublicPath(normalizedUrl, publicPaths)) return;\n if (shouldBypassAuthForBuilderConnect(event, p)) return;\n if (isPublicWorkspacePageRequest(event, p, config)) {\n return;\n }\n\n const session = await getSession(event);\n if (session) return;\n\n if (p.startsWith(\"/api/\") || p.startsWith(\"/_agent-native/\")) {\n setResponseStatus(event, 401);\n return { error: \"Unauthorized\" };\n }\n\n // Local-dev convenience: on the first page GET of a freshly-scaffolded\n // app, transparently create + sign in `dev@local` instead of showing the\n // sign-up form. Gated on NODE_ENV=development AND no real users in the\n // DB, so production and any app that has ever had a real signup are\n // unaffected. See maybeAutoCreateDevSession for full conditions.\n if (getMethod(event) === \"GET\") {\n const autoSession = await maybeAutoCreateDevSession(event, url);\n if (autoSession) return autoSession;\n }\n\n return new Response(loginHtml, {\n status: 200,\n headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n });\n };\n}\n\nconst AUTO_DEV_ACCOUNT_EMAIL = \"dev@local\";\nconst AUTO_DEV_ACCOUNT_PASSWORD = \"local-dev-account\";\n\n/**\n * Local-dev convenience: skip the sign-up wall on first run.\n *\n * When NODE_ENV=development AND the `user` table has no rows for any\n * email other than `dev@local`, transparently sign up (or sign back in\n * to) the auto-managed dev account and return a 302 to the original URL\n * with a session cookie set. A developer who just ran `pnpm dev` lands\n * in the app immediately instead of being asked to fill in name + email\n * + password to try the framework.\n *\n * Auto-create fires exactly once per local DB: as soon as `dev@local`\n * (or any real user) exists in the `user` table, the helper returns\n * null and the normal login flow takes over. 
Signing out then leaves\n * the user on the regular sign-in form; without this guard the\n * post-logout reload would silently re-create the session.\n *\n * The fixed password is intentional: it means a developer who signs\n * out can sign back in with `dev@local` / `local-dev-account` from\n * the regular login form. To get the auto-flow back, drop the user\n * row or wipe the local DB. Set\n * `AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1` to opt out entirely\n * (useful for tests that exercise the unauthenticated branch). This\n * is local-only — the helper is gated on NODE_ENV.\n */\nasync function maybeAutoCreateDevSession(\n event: H3Event,\n redirectTo: string,\n): Promise<Response | null> {\n if (!isDevEnvironment()) return null;\n if (process.env.AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT === \"1\") return null;\n\n try {\n const db = getDbExec();\n const { rows: realUsers } = await db.execute({\n sql: 'SELECT 1 FROM \"user\" WHERE email != ? LIMIT 1',\n args: [AUTO_DEV_ACCOUNT_EMAIL],\n });\n if (realUsers.length > 0) return null;\n\n // If `dev@local` already exists, this is not a freshly-scaffolded\n // app — the user has been through the auto-create flow at least\n // once. Skip auto-create so signing out actually works: without\n // this guard, the post-logout reload immediately re-creates the\n // session and the user is stuck in dev@local forever (or has to\n // set AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1). To get the demo\n // experience back, drop the row or wipe the local DB.\n const { rows: devUsers } = await db.execute({\n sql: 'SELECT 1 FROM \"user\" WHERE email = ? 
LIMIT 1',\n args: [AUTO_DEV_ACCOUNT_EMAIL],\n });\n if (devUsers.length > 0) return null;\n\n const auth = await getBetterAuth();\n if (!auth) return null;\n\n // Idempotent sign-up: succeeds on first run, throws an \"already exists\"\n // failure on subsequent runs (which we swallow before falling through\n // to the sign-in path below).\n try {\n await auth.api.signUpEmail({\n body: {\n email: AUTO_DEV_ACCOUNT_EMAIL,\n password: AUTO_DEV_ACCOUNT_PASSWORD,\n name: \"Dev\",\n },\n });\n } catch (e) {\n if (!isExpectedAuthFailure(e)) throw e;\n }\n\n const result = await auth.api.signInEmail({\n body: {\n email: AUTO_DEV_ACCOUNT_EMAIL,\n password: AUTO_DEV_ACCOUNT_PASSWORD,\n },\n });\n if (!result?.token) return null;\n\n setFrameworkSessionCookie(event, result.token);\n await addSession(result.token, AUTO_DEV_ACCOUNT_EMAIL);\n\n return new Response(\"\", {\n status: 302,\n headers: { Location: redirectTo },\n });\n } catch (e) {\n // Local-dev only — log to console for debugging, but don't surface\n // through Sentry. Falling back to the regular login form is the\n // correct user-facing behavior when this path fails.\n console.warn(\"[agent-native] auto dev account skipped:\", e);\n return null;\n }\n}\n\n/**\n * Map a Better Auth session to our AuthSession type.\n */\nfunction mapBetterAuthSession(baSession: {\n user: { id: string; email: string; name?: string };\n session: { token: string; activeOrganizationId?: string };\n}): AuthSession {\n return {\n email: baSession.user.email,\n userId: baSession.user.id,\n name: baSession.user.name,\n token: baSession.session?.token,\n orgId: baSession.session?.activeOrganizationId ?? undefined,\n };\n}\n\n/**\n * Get the current auth session for a request.\n *\n * Resolution chain:\n * 1. ACCESS_TOKEN → check legacy cookie-based token sessions\n * 2. BYOA custom getSession → delegate to template callback\n * 3. Bearer legacy session → check Authorization: Bearer against sessions\n * 4. 
Better Auth → check session via Better Auth API (cookie or Bearer)\n * 5. Legacy cookie → check an_session cookie in legacy sessions table\n * 6. Desktop SSO broker (Electron loopback only)\n * 7. Mobile _session query param → promote to cookie\n *\n * Returns `null` for unauthenticated requests. There is no dev-mode bypass:\n * local development uses the same Better Auth signup flow as production. The\n * onboarding/sign-in page is served by `runAuthGuard` for any unauthenticated\n * page load.\n */\nexport async function getSession(event: H3Event): Promise<AuthSession | null> {\n // 1. ACCESS_TOKEN check (programmatic/agent access)\n const accessTokens = getAccessTokens();\n if (accessTokens.length > 0) {\n const cookieSession = await getLegacyCookieSession(event);\n if (cookieSession) return cookieSession;\n }\n\n // 2. BYOA custom getSession\n if (customGetSession) {\n const session = await customGetSession(event);\n if (session) return session;\n\n const bearerSession = await getBearerLegacySession(event);\n if (bearerSession) return bearerSession;\n\n // Desktop SSO broker: even with BYOA auth, fall back to the broker\n // for Electron requests so cross-template SSO works for custom-auth\n // templates too. Gated on `readDesktopSsoSafely` so a non-loopback\n // request that spoofs `User-Agent: ... Electron/...` cannot read the\n // home-dir broker file (and so production builds never consult it).\n const sso = await readDesktopSsoSafely(event);\n if (sso?.email) return { email: sso.email, token: sso.token };\n // Fall through to mobile _session check\n } else {\n // 3. Bearer legacy session. Desktop/native clients can persist a session\n // token outside the WebView cookie jar and attach it to all app requests.\n const bearerSession = await getBearerLegacySession(event);\n if (bearerSession) return bearerSession;\n\n // 4. 
Better Auth session (cookie or Bearer token)\n try {\n const ba = getBetterAuthSync();\n if (ba) {\n const baSession = await ba.api.getSession({\n headers: event.headers,\n });\n if (baSession?.user?.email) {\n return mapBetterAuthSession(baSession);\n }\n }\n } catch (e) {\n console.error(\"[auth] ba.api.getSession error:\", e);\n }\n\n // 5. Legacy cookie fallback (for sessions created before migration)\n const cookieSession = await getLegacyCookieSession(event);\n if (cookieSession) return cookieSession;\n\n // 6. Desktop SSO broker fallback.\n // Each template in the Electron desktop app has its own database, so\n // a session token created by one template doesn't resolve in another.\n // When an Electron request has no resolvable session, trust the\n // home-dir SSO record written by whichever template the user signed\n // into. Gated on `readDesktopSsoSafely`: requires Electron User-Agent,\n // a loopback (127.0.0.1 / ::1) source IP, and a non-production NODE_ENV\n // — anything else is rejected so a hostile network request cannot\n // impersonate whichever email last signed into the desktop app.\n const sso = await readDesktopSsoSafely(event);\n if (sso?.email) {\n return { email: sso.email, token: sso.token };\n }\n }\n\n // 7. 
Mobile WebView bridge — _session query param\n const querySession = await promoteQuerySession(event);\n if (querySession) return querySession;\n\n return null;\n}\n\nasync function promoteQuerySession(\n event: H3Event,\n): Promise<AuthSession | null> {\n const qToken = getQuery(event)?._session as string | undefined;\n if (!qToken) return null;\n const email = await getSessionEmail(qToken);\n if (!email) return null;\n setFrameworkSessionCookie(event, qToken);\n setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n return { email, token: qToken };\n}\n\nfunction isReadMethod(event: H3Event): boolean {\n const method = getMethod(event);\n return method === \"GET\" || method === \"HEAD\";\n}\n\n/**\n * Cookie attributes that work in both same-site and third-party iframe\n * contexts. Over HTTPS we emit `SameSite=None; Secure; Partitioned` —\n * `None`+`Secure` is required by browsers to ship the cookie back inside a\n * cross-origin iframe at all; `Partitioned` keeps the cookie working under\n * Chrome's third-party-cookie deprecation by binding it to the embedding\n * site's storage partition. (Better Auth already sets the same trio on its\n * own session cookie; this matches so the framework's legacy cookie —\n * which the Builder OAuth popup exchange writes via\n * `setFrameworkSessionCookie` — survives iframe contexts too.) Plain-HTTP\n * dev keeps the default `SameSite=Lax`; `None` requires Secure, and\n * `Partitioned` only takes effect alongside `Secure`.\n */\nfunction crossSiteCookieAttrs(event: H3Event): {\n sameSite: \"lax\" | \"none\";\n secure: boolean;\n partitioned?: boolean;\n} {\n return isHttpsRequest(event)\n ? 
{ sameSite: \"none\", secure: true, partitioned: true }\n : { sameSite: \"lax\", secure: false };\n}\n\nexport function setFrameworkSessionCookie(event: H3Event, token: string): void {\n clearFrameworkSessionCookies(event);\n setCookie(event, COOKIE_NAME, token, {\n httpOnly: true,\n ...crossSiteCookieAttrs(event),\n ...cookieDomainAttrs(),\n path: \"/\",\n maxAge: sessionMaxAge,\n });\n}\n\nfunction isHttpsRequest(event: H3Event): boolean {\n try {\n const xfProto = getHeader(event, \"x-forwarded-proto\");\n if (xfProto && String(xfProto).split(\",\")[0].trim() === \"https\") {\n return true;\n }\n const req: any = (event as any).req ?? event.node?.req;\n const url: string | undefined = req?.url;\n if (typeof url === \"string\" && url.startsWith(\"https://\")) return true;\n const appUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL || \"\";\n if (appUrl.startsWith(\"https://\")) return true;\n } catch {\n // ignore\n }\n return false;\n}\n\n// ---------------------------------------------------------------------------\n// Public path matching\n// ---------------------------------------------------------------------------\n\nfunction isPublicPath(url: string, publicPaths: string[]): boolean {\n const p = url.split(\"?\")[0];\n return matchesPathList(p, publicPaths);\n}\n\nfunction matchesPathList(path: string, paths: string[]): boolean {\n return paths.some((candidate) => {\n const normalized =\n candidate.length > 1 && candidate.endsWith(\"/\")\n ? 
candidate.slice(0, -1)\n : candidate;\n return path === normalized || path.startsWith(normalized + \"/\");\n });\n}\n\nfunction isPublicWorkspacePageRequest(\n event: H3Event,\n path: string,\n config: AuthGuardConfig,\n): boolean {\n if (!isReadMethod(event)) return false;\n if (\n path === \"/_agent-native\" ||\n path.startsWith(\"/_agent-native/\") ||\n path === \"/api\" ||\n path.startsWith(\"/api/\") ||\n path === \"/.well-known\" ||\n path.startsWith(\"/.well-known/\")\n ) {\n return false;\n }\n if (matchesPathList(path, config.workspaceAppProtectedPaths)) return false;\n if (matchesPathList(path, config.workspaceAppPublicPaths)) return true;\n return config.workspaceAppAudience === \"public\";\n}\n\nfunction stripAppBasePath(pathname: string): string {\n const basePath = getAppBasePath();\n if (!basePath) return pathname;\n if (pathname === basePath) return \"/\";\n if (pathname.startsWith(`${basePath}/`)) {\n return pathname.slice(basePath.length) || \"/\";\n }\n return pathname;\n}\n\n// ---------------------------------------------------------------------------\n// Login page HTML (ACCESS_TOKEN mode)\n// ---------------------------------------------------------------------------\n\nfunction inferWorkspaceBasePathFromRequest(requestPath?: string): string {\n if (\n process.env.AGENT_NATIVE_WORKSPACE !== \"1\" &&\n process.env.VITE_AGENT_NATIVE_WORKSPACE !== \"1\"\n ) {\n return \"\";\n }\n if (!requestPath || !requestPath.startsWith(\"/\")) return \"\";\n const firstSegment = requestPath.split(/[/?#]/)[1];\n if (!firstSegment) return \"\";\n const reservedRootPaths = new Set([\n \"_agent-native\",\n \".well-known\",\n \"api\",\n \"login\",\n \"signup\",\n \"apps\",\n \"new-app\",\n \"approval\",\n \"extensions\",\n ]);\n if (reservedRootPaths.has(firstSegment)) return \"\";\n if (!isValidWorkspaceAppIdFormat(firstSegment)) return \"\";\n return `/${firstSegment}`;\n}\n\nfunction getTokenLoginHtml(options: { requestPath?: string } = {}): string {\n const 
configuredBasePath =\n getAppBasePath() || inferWorkspaceBasePathFromRequest(options.requestPath);\n return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\">\n<title>Private app</title>\n<style>\n *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }\n :root {\n color-scheme: dark;\n --bg: #09090b;\n --panel: #141417;\n --panel-soft: #1b1b20;\n --border: rgba(255,255,255,0.1);\n --border-strong: rgba(255,255,255,0.18);\n --text: #f4f4f5;\n --muted: #a1a1aa;\n --subtle: #71717a;\n --error: #fca5a5;\n --error-bg: rgba(127,29,29,0.18);\n --success: #86efac;\n --success-bg: rgba(20,83,45,0.2);\n --info: #c4b5fd;\n --info-bg: rgba(76,29,149,0.18);\n }\n body {\n font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", sans-serif;\n background:\n radial-gradient(circle at top left, rgba(63,63,70,0.24), transparent 32rem),\n linear-gradient(180deg, #111114 0%, var(--bg) 58%);\n color: var(--text);\n display: flex;\n align-items: center;\n justify-content: center;\n min-height: 100vh;\n padding: 1rem;\n }\n .card {\n width: 100%;\n max-width: 420px;\n padding: 2rem;\n background: color-mix(in srgb, var(--panel) 94%, transparent);\n border: 1px solid var(--border);\n border-radius: 12px;\n box-shadow: 0 24px 80px rgba(0,0,0,0.35);\n }\n .eyebrow {\n display: inline-flex;\n align-items: center;\n min-height: 1.5rem;\n padding: 0 0.625rem;\n margin-bottom: 1rem;\n border: 1px solid var(--border);\n border-radius: 999px;\n color: var(--muted);\n background: rgba(255,255,255,0.04);\n font-size: 0.75rem;\n font-weight: 500;\n }\n h1 {\n font-size: 1.375rem;\n line-height: 1.2;\n font-weight: 650;\n margin-bottom: 0.5rem;\n color: var(--text);\n letter-spacing: 0;\n }\n .intro {\n margin-bottom: 1.5rem;\n color: var(--muted);\n font-size: 0.9375rem;\n line-height: 1.55;\n }\n label {\n display: flex;\n align-items: baseline;\n 
justify-content: space-between;\n gap: 0.75rem;\n font-size: 0.8125rem;\n color: var(--muted);\n margin-bottom: 0.375rem;\n }\n label span:last-child {\n color: var(--subtle);\n font-size: 0.75rem;\n }\n .input-wrap { position: relative; }\n input {\n width: 100%;\n min-height: 2.75rem;\n padding: 0.625rem 0.75rem;\n background: #0f0f12;\n border: 1px solid var(--border);\n border-radius: 8px;\n color: var(--text);\n font-size: 0.9375rem;\n outline: none;\n }\n input:focus {\n border-color: var(--border-strong);\n box-shadow: 0 0 0 3px rgba(255,255,255,0.08);\n }\n input::placeholder { color: #52525b; }\n button {\n width: 100%;\n min-height: 2.75rem;\n margin-top: 1rem;\n padding: 0.625rem 0.875rem;\n background: var(--text);\n color: #000;\n border: none;\n border-radius: 8px;\n font-size: 0.9375rem;\n font-weight: 600;\n cursor: pointer;\n transition: transform 120ms ease, opacity 120ms ease, background 120ms ease;\n }\n button:hover:not(:disabled) { background: #e4e4e7; transform: translateY(-1px); }\n button:disabled { opacity: 0.55; cursor: wait; }\n .hint {\n margin-top: 0.75rem;\n color: var(--subtle);\n font-size: 0.8125rem;\n line-height: 1.45;\n }\n .msg {\n display: none;\n margin-top: 0.875rem;\n padding: 0.75rem;\n border-radius: 8px;\n font-size: 0.8125rem;\n line-height: 1.45;\n }\n .msg.show { display: block; }\n .msg.error {\n color: var(--error);\n background: var(--error-bg);\n border: 1px solid rgba(248,113,113,0.22);\n }\n .msg.success {\n color: var(--success);\n background: var(--success-bg);\n border: 1px solid rgba(74,222,128,0.18);\n }\n .msg.info {\n color: var(--info);\n background: var(--info-bg);\n border: 1px solid rgba(167,139,250,0.2);\n }\n details {\n margin-top: 1rem;\n padding-top: 1rem;\n border-top: 1px solid var(--border);\n }\n summary {\n cursor: pointer;\n color: var(--muted);\n font-size: 0.8125rem;\n font-weight: 600;\n }\n details p {\n margin-top: 0.75rem;\n color: var(--subtle);\n font-size: 0.8125rem;\n line-height: 
1.5;\n }\n code {\n color: #e4e4e7;\n background: var(--panel-soft);\n border: 1px solid var(--border);\n border-radius: 5px;\n padding: 0.075rem 0.25rem;\n font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;\n font-size: 0.78rem;\n }\n @media (max-width: 480px) {\n .card { padding: 1.5rem; }\n h1 { font-size: 1.25rem; }\n }\n</style>\n</head>\n<body>\n<div class=\"card\">\n <div class=\"eyebrow\">Private deployment</div>\n <h1>This app is private</h1>\n <p class=\"intro\">Enter the shared app access token to continue. This is the value configured for this app, not your deploy provider account token.</p>\n <form id=\"form\">\n <label for=\"token\"><span>App ACCESS_TOKEN</span><span>Required</span></label>\n <div class=\"input-wrap\">\n <input id=\"token\" type=\"password\" autocomplete=\"current-password\" autofocus placeholder=\"Paste the shared app token\" />\n </div>\n <button id=\"submit\" type=\"submit\">Continue</button>\n <p class=\"hint\">If someone sent you this app, ask them for the shared app token. If you own the deploy, use the exact value saved as <code>ACCESS_TOKEN</code> or one of <code>ACCESS_TOKENS</code>.</p>\n <p class=\"msg error\" id=\"msg\" role=\"alert\"></p>\n </form>\n <details>\n <summary>Where do I find this?</summary>\n <p>Create or copy the app's shared token from your deployment environment variables. The key should be <code>ACCESS_TOKEN</code> for one token or <code>ACCESS_TOKENS</code> for a comma-separated list. Redeploy after changing it.</p>\n </details>\n</div>\n<script>\n var configuredBasePath = ${JSON.stringify(configuredBasePath)};\n function __anBasePath() {\n if (\n configuredBasePath &&\n (window.location.pathname === configuredBasePath ||\n window.location.pathname.indexOf(configuredBasePath + '/') === 0)\n ) {\n return configuredBasePath;\n }\n var marker = '/_agent-native';\n var idx = window.location.pathname.indexOf(marker);\n return idx > 0 ? 
window.location.pathname.slice(0, idx) : '';\n }\n function __anPath(path) {\n return __anBasePath() + path;\n }\n function setMessage(kind, text) {\n var msg = document.getElementById('msg');\n msg.textContent = text;\n msg.className = 'msg ' + kind + ' show';\n }\n function clearMessage() {\n var msg = document.getElementById('msg');\n msg.textContent = '';\n msg.className = 'msg error';\n }\n function setBusy(isBusy) {\n var button = document.getElementById('submit');\n var input = document.getElementById('token');\n button.disabled = isBusy;\n input.disabled = isBusy;\n button.textContent = isBusy ? 'Checking...' : 'Continue';\n }\n async function readJsonSafely(res) {\n try {\n return await res.json();\n } catch (_err) {\n return null;\n }\n }\n async function verifySession() {\n var res = await fetch(__anPath('/_agent-native/auth/session'), {\n method: 'GET',\n credentials: 'same-origin',\n cache: 'no-store',\n headers: { 'Accept': 'application/json' },\n });\n if (!res.ok) return false;\n var data = await readJsonSafely(res);\n return !!data && !data.error;\n }\n document.getElementById('form').addEventListener('submit', async (e) => {\n e.preventDefault();\n var token = document.getElementById('token').value.trim();\n if (!token) {\n setMessage('error', 'Paste the shared app token to continue.');\n return;\n }\n clearMessage();\n setBusy(true);\n setMessage('info', 'Checking the app token...');\n try {\n var res = await fetch(__anPath('/_agent-native/auth/login'), {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n 'Accept': 'application/json',\n },\n credentials: 'same-origin',\n body: JSON.stringify({ token: token }),\n });\n if (!res.ok) {\n var badTokenMessage = 'That token was not accepted. Use this app\\\\'s shared ACCESS_TOKEN, not your deploy provider account token.';\n if (res.status === 404) {\n badTokenMessage = 'Could not reach this app\\\\'s auth endpoint. 
If this app is mounted under a path, confirm APP_BASE_PATH and VITE_APP_BASE_PATH match the deploy path.';\n }\n setMessage('error', badTokenMessage);\n setBusy(false);\n return;\n }\n var hasSession = await verifySession();\n if (!hasSession) {\n setMessage('error', 'The token was accepted, but the browser did not keep the session cookie. Try opening the app in a new tab, or check cookie restrictions for this domain.');\n setBusy(false);\n return;\n }\n setMessage('success', 'Signed in. Opening the app...');\n window.location.replace(window.location.href);\n } catch (_err) {\n setMessage('error', 'Could not contact the auth endpoint. Check the deploy status, then try again.');\n setBusy(false);\n }\n });\n</script>\n</body>\n</html>`;\n}\n\n// ---------------------------------------------------------------------------\n// mountBetterAuthRoutes — Better Auth powered auth with backward-compat routes\n// ---------------------------------------------------------------------------\n\nasync function mountBetterAuthRoutes(\n app: H3App,\n options: AuthOptions,\n): Promise<void> {\n const publicPaths = [...(options.publicPaths ?? [])];\n const workspaceAppAudience = resolveWorkspaceAppAudience(options);\n const workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess(options);\n\n // The A2A agent card is part of an open protocol — other agents must be\n // able to discover it without auth. Same for favicons and similar probes.\n for (const pp of [\"/.well-known\", \"/favicon.ico\", \"/favicon.png\"]) {\n if (!publicPaths.includes(pp)) publicPaths.push(pp);\n }\n\n // Auto-add Google OAuth routes when credentials are configured. 
Templates\n // that need broader product scopes (mail/calendar) opt out and provide\n // their own Nitro routes at these paths.\n if (\n process.env.GOOGLE_CLIENT_ID &&\n process.env.GOOGLE_CLIENT_SECRET &&\n options.mountGoogleOAuthRoutes !== false\n ) {\n setGenericGoogleOAuthRoutesEnabled(app, true);\n for (const gp of [\n \"/_agent-native/google/callback\",\n \"/_agent-native/google/auth-url\",\n ]) {\n if (!publicPaths.includes(gp)) publicPaths.push(gp);\n }\n\n const googleScopes = [\n \"openid\",\n \"https://www.googleapis.com/auth/userinfo.email\",\n \"https://www.googleapis.com/auth/userinfo.profile\",\n ].join(\" \");\n\n app.use(\n \"/_agent-native/google/auth-url\",\n defineEventHandler((event) => {\n if (!areGenericGoogleOAuthRoutesEnabled(app)) return undefined;\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n // Validate the user-supplied `redirect_uri` against the framework's\n // server-side allowlist (must be same-origin and under\n // `/_agent-native/...`). Reject anything else so an attacker can't\n // smuggle a different already-registered redirect URI past Google's\n // host-prefix matching. See HIGH-1 in 09-oauth-session.md.\n const redirectUri = resolveOAuthRedirectUri(event);\n if (redirectUri === null) {\n setResponseStatus(event, 400);\n return { error: \"Invalid redirect_uri\" };\n }\n const q = getQuery(event);\n const desktop =\n isElectronRequest(event) || q.desktop === \"1\" || q.desktop === \"true\";\n const flowId = desktop ? (q.flow_id as string) || undefined : undefined;\n // Validate the caller's return param up front and only embed it\n // into the OAuth state when it normalises to a non-root path —\n // skip embedding \"/\" (the default fallback) so the state stays\n // small for the common case.\n const returnQuery = q.return;\n const validated =\n typeof returnQuery === \"string\"\n ? 
safeOAuthReturnUrl(returnQuery, {\n allowDefaultLoopback: isBuilderOAuthRequest(event),\n allowedOrigins: [builderPreviewReturnOrigin(event)],\n })\n : \"/\";\n const returnUrl = validated !== \"/\" ? validated : undefined;\n const state = encodeOAuthState({\n redirectUri,\n desktop,\n addAccount: false,\n app: getOAuthStateAppId(),\n returnUrl,\n flowId,\n });\n logGoogleOAuthDebug(event, \"auth-url\", {\n flowId,\n desktop,\n redirectPath: oauthDebugUrlPath(redirectUri),\n returnUrl,\n redirect: q.redirect === \"1\",\n workspace:\n process.env.AGENT_NATIVE_WORKSPACE === \"1\" ||\n process.env.VITE_AGENT_NATIVE_WORKSPACE === \"1\",\n });\n const params = new URLSearchParams({\n client_id: process.env.GOOGLE_CLIENT_ID!,\n redirect_uri: redirectUri,\n response_type: \"code\",\n scope: googleScopes,\n access_type: \"online\",\n prompt: \"select_account\",\n state,\n });\n const authUrl = `https://accounts.google.com/o/oauth2/v2/auth?${params}`;\n if (q.redirect === \"1\") {\n return sendRedirect(event, authUrl, 302);\n }\n return { url: authUrl };\n }),\n );\n\n app.use(\n \"/_agent-native/google/callback\",\n defineEventHandler(async (event) => {\n if (!areGenericGoogleOAuthRoutesEnabled(app)) return undefined;\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const callbackRelay = workspaceOAuthCallbackRelayResponse(event);\n if (callbackRelay) return callbackRelay;\n let callbackFlowId: string | undefined;\n let callbackDesktop = false;\n try {\n const query = getQuery(event);\n const code = query.code as string;\n const { redirectUri, desktop, returnUrl, flowId } = decodeOAuthState(\n query.state as string | undefined,\n getAppUrl(event, \"/_agent-native/google/callback\"),\n );\n callbackFlowId = flowId;\n callbackDesktop = desktop;\n logGoogleOAuthDebug(event, \"callback-start\", {\n flowId,\n desktop,\n redirectPath: oauthDebugUrlPath(redirectUri),\n hasCode: !!code,\n returnUrl,\n });\n if 
(!code) {\n const providerError =\n typeof query.error === \"string\" && query.error\n ? query.error\n : undefined;\n const providerDescription =\n typeof query.error_description === \"string\" &&\n query.error_description\n ? query.error_description\n : undefined;\n const msg =\n providerDescription ||\n providerError ||\n \"Missing authorization code\";\n if (flowId) {\n setDesktopExchangeError(flowId, {\n message: `Google sign-in failed: ${msg}`,\n code: providerError || \"missing_authorization_code\",\n });\n }\n logGoogleOAuthDebug(event, \"callback-error\", {\n flowId,\n desktop,\n message: msg,\n code: providerError,\n });\n return oauthErrorPage(`Connection failed: ${msg}`);\n }\n // Defence in depth: the state is HMAC-signed, but if the signing\n // key ever leaked an attacker could mint state with their own\n // redirect_uri. Re-validate against the same allowlist used at\n // auth-url time so the token exchange is always sent to a URI we\n // own.\n if (!isAllowedOAuthRedirectUri(redirectUri, event)) {\n const msg =\n \"Invalid Google OAuth redirect URI in state. 
Restart sign-in from this app.\";\n if (flowId) {\n setDesktopExchangeError(flowId, {\n message: msg,\n code: \"invalid_redirect_uri\",\n });\n }\n logGoogleOAuthDebug(event, \"callback-error\", {\n flowId,\n desktop,\n message: msg,\n });\n return oauthErrorPage(`Connection failed: ${msg}`);\n }\n\n const tokenRes = await fetch(\"https://oauth2.googleapis.com/token\", {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body: new URLSearchParams({\n code,\n client_id: process.env.GOOGLE_CLIENT_ID!,\n client_secret: process.env.GOOGLE_CLIENT_SECRET!,\n redirect_uri: redirectUri,\n grant_type: \"authorization_code\",\n }),\n });\n const tokens = await tokenRes.json();\n if (!tokenRes.ok) {\n throw new Error(\n tokens.error_description ||\n tokens.error ||\n \"Token exchange failed\",\n );\n }\n\n const userRes = await fetch(\n \"https://www.googleapis.com/oauth2/v2/userinfo\",\n { headers: { Authorization: `Bearer ${tokens.access_token}` } },\n );\n const user = await userRes.json();\n const email = user.email as string;\n if (!email) throw new Error(\"Could not get email from Google\");\n // Reject unverified Google addresses. Google returns\n // `verified_email: false` for accounts where ownership of the\n // address hasn't been proven (rare on consumer accounts but\n // reachable on Workspace tenants that allow it). Without this\n // check, an attacker could sign up as `victim@example.com` on\n // Google without controlling the inbox and take over a local\n // password account that already exists at that address (Better\n // Auth's accountLinking auto-merges trusted-provider sign-ins).\n if (user.verified_email !== true) {\n throw new Error(\n \"Google account email is not verified. 
Please verify your email with Google and try again.\",\n );\n }\n\n const { sessionToken } = await createOAuthSession(event, email, {\n hasProductionSession: false,\n desktop,\n });\n logGoogleOAuthDebug(event, \"callback-session-created\", {\n flowId,\n desktop,\n hasSessionToken: !!sessionToken,\n emailDomain: email.split(\"@\")[1] || \"\",\n });\n\n if (flowId && sessionToken) {\n _desktopExchanges.set(flowId, {\n token: sessionToken,\n email,\n expiresAt: Date.now() + DESKTOP_EXCHANGE_TTL_MS,\n });\n // Also persist to DB for cross-instance durability (Cloudflare\n // Workers, multi-region). Fire-and-forget — in-memory Map is\n // still the primary fast path for same-instance requests.\n void persistDesktopExchangeToDB(flowId, sessionToken, email);\n logGoogleOAuthDebug(event, \"callback-exchange-stored\", {\n flowId,\n desktop,\n });\n }\n\n return oauthCallbackResponse(event, email, {\n sessionToken,\n desktop,\n returnUrl,\n flowId,\n });\n } catch (error: any) {\n const msg = error.message || \"Unknown error\";\n if (callbackFlowId) {\n setDesktopExchangeError(callbackFlowId, {\n message: `Google sign-in failed: ${msg}`,\n code: \"callback_error\",\n });\n }\n logGoogleOAuthDebug(event, \"callback-error\", {\n flowId: callbackFlowId,\n desktop: callbackDesktop,\n message: msg,\n });\n return oauthErrorPage(`Connection failed: ${msg}`);\n }\n }),\n );\n }\n\n // Desktop OAuth exchange — native apps (Tauri tray, Electron) open OAuth\n // in the system browser but need a way to retrieve the session token\n // afterwards since they don't share a cookie jar with the browser.\n app.use(\n \"/_agent-native/auth/desktop-exchange\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const query = getQuery(event);\n const flowId = query.flow_id as string | undefined;\n if (!flowId) {\n setResponseStatus(event, 400);\n return { error: \"Missing flow_id\" };\n 
}\n let entry = _desktopExchanges.get(flowId);\n if (!entry || entry.expiresAt < Date.now()) {\n // In-memory miss — fall back to the DB-persisted entry. This handles\n // cross-instance routing (Cloudflare Workers, multi-region) where the\n // OAuth callback and the polling request may hit different isolates.\n const fromDb = await consumeDesktopExchangeFromDB(flowId);\n if (!fromDb) {\n // Don't log on the pending path — clients poll every second for up\n // to 5 minutes, so logging here floods telemetry. The auth-url,\n // callback-start, callback-session-created, exchange-success, and\n // exchange-error breadcrumbs already cover every meaningful state\n // transition.\n return { pending: true, flow: oauthDebugFlowId(flowId) };\n }\n entry =\n \"error\" in fromDb\n ? { error: fromDb.error, expiresAt: Date.now() + 1 }\n : {\n token: fromDb.token,\n email: fromDb.email,\n expiresAt: Date.now() + 1,\n };\n }\n _desktopExchanges.delete(flowId);\n // Also wipe the DB-persisted entry so it cannot be replayed via the\n // DB fallback path after in-memory consumption.\n void removeSession(`dex:${flowId}`);\n if (\"error\" in entry) {\n logGoogleOAuthDebug(event, \"exchange-error\", {\n flowId,\n message: entry.error.message,\n code: entry.error.code,\n });\n return { error: entry.error.message, ...entry.error };\n }\n // Make the exchange itself establish the app session. Older clients\n // still make a follow-up /auth/session?_session=... request, but the\n // OAuth handoff should not depend on that second request succeeding.\n setFrameworkSessionCookie(event, entry.token);\n setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n logGoogleOAuthDebug(event, \"exchange-success\", {\n flowId,\n emailDomain: entry.email.split(\"@\")[1] || \"\",\n });\n return { token: entry.token, email: entry.email };\n }),\n );\n\n const accessTokens = getAccessTokens();\n\n // Initialize Better Auth. 
Forward `googleScopes` into the BetterAuthConfig\n // so the social provider requests the broader product scopes (Gmail,\n // Calendar, etc.) up front during the primary sign-in — eliminating the\n // need for a separate \"Connect Google\" page.\n const betterAuthConfig: BetterAuthConfig = {\n ...(options.betterAuth ?? {}),\n ...(options.googleScopes ? { googleScopes: options.googleScopes } : {}),\n };\n const auth = await getBetterAuth(betterAuthConfig);\n\n // Mount Better Auth catch-all handler at /_agent-native/auth/ba/*\n app.use(\n \"/_agent-native/auth/ba\",\n defineEventHandler(async (event) => {\n const reqPath = event.url?.pathname ?? event.path ?? \"\";\n const isResetPassword =\n reqPath.includes(\"reset-password\") && getMethod(event) === \"POST\";\n\n // Pre-read the body for reset-password so we can auto-verify the\n // user's email after they save the new password. CRUCIAL: clone\n // the Request first — h3 v2 `event.req` is the live web Request,\n // and `.text()`/`.json()` consume the stream. 
The same `event.req`\n // is handed to Better Auth below; without the clone, Better Auth\n // sees an empty body, fails Zod validation, and returns 400 —\n // which the reset page renders as \"the link may have expired\".\n let resetToken: string | undefined;\n let resetUserId: string | undefined;\n if (isResetPassword) {\n try {\n const cloned = (event.req as Request).clone();\n const body = (await cloned.json().catch(() => undefined)) as\n | { token?: string }\n | undefined;\n resetToken = body?.token;\n } catch {\n // ignore — Better Auth will handle validation\n }\n // Look up userId BEFORE calling auth.handler — Better Auth deletes\n // the verification row as part of the reset, so by the time the\n // handler returns 200 the row is gone and we can't recover the user.\n if (resetToken) {\n try {\n const { getDbExec } = await import(\"../db/client.js\");\n const db = getDbExec();\n const rows = await db.execute({\n sql: \"SELECT value FROM verification WHERE identifier = ?\",\n args: [`reset-password:${resetToken}`],\n });\n resetUserId = rows.rows[0]?.value as string | undefined;\n } catch {\n // Best-effort — if we can't read the verification row we just\n // skip auto-verify; the user can verify normally.\n }\n }\n }\n\n const response = await auth.handler(toWebRequest(event));\n const isResponse =\n response != null &&\n typeof (response as any).status === \"number\" &&\n typeof (response as any).headers?.get === \"function\";\n\n // After email verification, add ?verified=1 to the redirect so the\n // login page can show \"Email verified!\". MUTATE the response in\n // place — `new Response(null, { headers: new Headers(response.headers) })`\n // collapses multiple Set-Cookie headers into one comma-joined value,\n // which browsers reject. 
With `autoSignInAfterVerification: true`\n // Better Auth emits 2–3 Set-Cookie headers (session token + cookie\n // cache + dontRememberToken); losing them strands the user on the\n // login page even though verification succeeded.\n if (\n reqPath.includes(\"verify-email\") &&\n isResponse &&\n (response as Response).status >= 300 &&\n (response as Response).status < 400\n ) {\n const loc = response.headers.get(\"location\");\n if (loc && !/[?&]verified=/.test(loc)) {\n const sep = loc.includes(\"?\") ? \"&\" : \"?\";\n response.headers.set(\"location\", loc + sep + \"verified=1\");\n }\n }\n\n // Auto-verify email after a successful password reset. The user\n // proved email ownership by receiving and using the reset link, so\n // we don't want them stuck behind `requireEmailVerification` after\n // resetting — that's the exact escape hatch they just used.\n if (\n isResetPassword &&\n resetUserId &&\n isResponse &&\n (response as Response).status >= 200 &&\n (response as Response).status < 300\n ) {\n try {\n const { getDbExec } = await import(\"../db/client.js\");\n const db = getDbExec();\n // Use boolean literals for cross-dialect portability: Postgres\n // stores `email_verified` as BOOLEAN and rejects integer 1/0,\n // SQLite accepts TRUE/FALSE as aliases for 1/0 (since 3.23).\n // Quote `\"user\"` because it's a reserved keyword in Postgres.\n await db.execute({\n sql: 'UPDATE \"user\" SET email_verified = TRUE WHERE id = ? AND (email_verified = FALSE OR email_verified IS NULL)',\n args: [resetUserId],\n });\n\n // Revoke every existing session for this user so a stolen\n // cookie doesn't outlive the password it was paired with. 
We\n // do this AFTER Better Auth's response has been generated so\n // the freshly-minted post-reset session (if any) is captured\n // by the response's Set-Cookie header — but `auth.handler` for\n // reset-password does not auto-sign-in by default, so the\n // common path is \"wipe everything; user signs in with new\n // password.\" The legacy `sessions` table is also wiped by\n // joining through the `user.email` column.\n //\n // Skip the freshly-minted Better Auth session id when present\n // (auto-sign-in plugins / future config). Reading it from the\n // response avoids racing against Better Auth's own writes.\n const newSessionToken = extractSessionTokenFromSetCookies(\n response as Response,\n );\n\n // 1. Better Auth `session` table — keyed by user_id.\n if (newSessionToken) {\n await db.execute({\n sql: 'DELETE FROM \"session\" WHERE user_id = ? AND token <> ?',\n args: [resetUserId, newSessionToken],\n });\n } else {\n await db.execute({\n sql: 'DELETE FROM \"session\" WHERE user_id = ?',\n args: [resetUserId],\n });\n }\n\n // 2. Legacy `sessions` table — keyed by `email` column. The\n // reset-password verification row holds the user's id, not\n // their email, so we look up the email first. Best-effort —\n // skip silently if the lookup fails so the response still ships.\n try {\n const { rows } = await db.execute({\n sql: 'SELECT email FROM \"user\" WHERE id = ?',\n args: [resetUserId],\n });\n const userEmail = (rows[0]?.email ?? rows[0]?.[0]) as\n | string\n | undefined;\n if (userEmail) {\n if (newSessionToken) {\n await db.execute({\n sql: \"DELETE FROM sessions WHERE email = ? 
AND token <> ?\",\n args: [userEmail, newSessionToken],\n });\n } else {\n await db.execute({\n sql: \"DELETE FROM sessions WHERE email = ?\",\n args: [userEmail],\n });\n }\n }\n } catch {\n // Best-effort — don't block the response\n }\n } catch {\n // Best-effort — don't block the response\n }\n }\n\n return response;\n }),\n );\n\n // Backward-compat: POST /_agent-native/auth/login\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n\n // Legacy ACCESS_TOKEN login\n if (\n body?.token &&\n typeof body.token === \"string\" &&\n accessTokens.length > 0\n ) {\n if (!safeTokenMatch(body.token, accessTokens)) {\n setResponseStatus(event, 401);\n return { error: \"Invalid token\" };\n }\n const sessionToken = crypto.randomBytes(32).toString(\"hex\");\n await addSession(sessionToken, \"user\");\n setFrameworkSessionCookie(event, sessionToken);\n return authLoginResponse(event, sessionToken, \"user\");\n }\n\n // Email/password login via Better Auth\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n\n if (!email || !password) {\n setResponseStatus(event, 400);\n return { error: \"Email and password are required\" };\n }\n\n try {\n const result = await auth.api.signInEmail({\n body: { email, password },\n });\n if (result?.token) {\n setFrameworkSessionCookie(event, result.token);\n await addSession(result.token, email);\n if (isElectronRequest(event)) {\n await writeDesktopSso({\n email,\n token: result.token,\n expiresAt: Date.now() + sessionMaxAge * 1000,\n });\n }\n return authLoginResponse(event, result.token, email);\n }\n // signInEmail succeeded but returned no token — typically means the\n // email isn't verified yet. 
Don't return { ok: true } without a\n // session or the frontend will reload into a dead end.\n setResponseStatus(event, 403);\n return {\n error:\n \"Email not verified. Check your inbox for a verification link.\",\n };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"login\", email });\n }\n setResponseStatus(event, 401);\n return { error: e?.message || \"Invalid email or password\" };\n }\n }),\n );\n\n // Backward-compat: POST /_agent-native/auth/register\n app.use(\n \"/_agent-native/auth/register\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n const callbackURL =\n typeof body?.callbackURL === \"string\"\n ? safeReturnPath(body.callbackURL)\n : \"/\";\n\n if (!email || typeof email !== \"string\" || !email.includes(\"@\")) {\n setResponseStatus(event, 400);\n return { error: \"Valid email is required\" };\n }\n if (!password || typeof password !== \"string\" || password.length < 8) {\n setResponseStatus(event, 400);\n return { error: \"Password must be at least 8 characters\" };\n }\n\n try {\n await auth.api.signUpEmail({\n body: { email, password, name: email.split(\"@\")[0], callbackURL },\n });\n return { ok: true };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"signup\", email });\n }\n setResponseStatus(event, 409);\n return { error: e?.message || \"Registration failed\" };\n }\n }),\n );\n\n // Backward-compat: POST /_agent-native/auth/logout\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await 
removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n\n try {\n await auth.api.signOut({ headers: event.headers });\n } catch {\n // Ignore if no Better Auth session\n }\n\n if (isElectronRequest(event)) await clearDesktopSso();\n\n return { ok: true };\n }),\n );\n\n // POST /_agent-native/auth/logout-all — revoke every session row for\n // the authenticated user across both auth tables. Companion to the\n // password-reset session-revocation logic; lets a user sign out\n // everywhere from one device. Requires an authenticated session.\n app.use(\n \"/_agent-native/auth/logout-all\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n if (!session?.email) {\n setResponseStatus(event, 401);\n return { error: \"Not authenticated\" };\n }\n try {\n const db = getDbExec();\n // 1. Resolve user_id from email so we can wipe Better Auth sessions\n // by their FK column.\n let userId: string | undefined;\n try {\n const { rows } = await db.execute({\n sql: 'SELECT id FROM \"user\" WHERE email = ?',\n args: [session.email],\n });\n userId = (rows[0]?.id ?? rows[0]?.[0]) as string | undefined;\n } catch {\n // User table may not exist on token-only deployments — skip.\n }\n if (userId) {\n try {\n await db.execute({\n sql: 'DELETE FROM \"session\" WHERE user_id = ?',\n args: [userId],\n });\n } catch {\n // Best-effort.\n }\n }\n\n // 2. Legacy `sessions` table — keyed by `email` column.\n try {\n await db.execute({\n sql: \"DELETE FROM sessions WHERE email = ?\",\n args: [session.email],\n });\n } catch {\n // Best-effort.\n }\n\n // 3. 
Drop the current request's cookie and best-effort sign out\n // of Better Auth (so the response sets the proper expiry header).\n clearFrameworkSessionCookies(event);\n try {\n await auth.api.signOut({ headers: event.headers });\n } catch {\n // Ignore — sessions are already gone in DB.\n }\n\n if (isElectronRequest(event)) await clearDesktopSso();\n return { ok: true };\n } catch (e: any) {\n setResponseStatus(event, 500);\n return { error: e?.message || \"Failed to revoke sessions\" };\n }\n }),\n );\n\n // GET /_agent-native/auth/session\n app.use(\n \"/_agent-native/auth/session\",\n defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? { error: \"Not authenticated\" };\n }),\n );\n\n // GET /_agent-native/auth/reset — HTML page shown when a user clicks the\n // reset link in their email. Reads ?token=... and POSTs to Better Auth's\n // /reset-password endpoint on submit.\n app.use(\n \"/_agent-native/auth/reset\",\n defineEventHandler((event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n return new Response(getResetPasswordHtml(), {\n headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n });\n }),\n );\n\n // Auth guard — stored both in framework middleware registry AND in\n // _authGuardFn so the server middleware can enforce it on ALL routes.\n const loginHtml =\n options.loginHtml ??\n getOnboardingHtml({\n googleOnly: options.googleOnly,\n marketing: options.marketing,\n googleSignInNotice: options.googleSignInNotice,\n googleAuthMode: options.googleAuthMode,\n });\n _authGuardConfig = {\n loginHtml,\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n 
_authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n}\n\n// ---------------------------------------------------------------------------\n// mountTokenOnlyRoutes — ACCESS_TOKEN-only auth (no Better Auth)\n// ---------------------------------------------------------------------------\n\nfunction mountTokenOnlyRoutes(\n app: H3App,\n accessTokens: string[],\n publicPaths: string[] = [],\n workspaceAppAudience = resolveWorkspaceAppAudience(),\n workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess(),\n): void {\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n if (\n !body?.token ||\n typeof body.token !== \"string\" ||\n !safeTokenMatch(body.token, accessTokens)\n ) {\n setResponseStatus(event, 401);\n return { error: \"Invalid token\" };\n }\n const sessionToken = crypto.randomBytes(32).toString(\"hex\");\n await addSession(sessionToken, \"user\");\n setFrameworkSessionCookie(event, sessionToken);\n return authLoginResponse(event, sessionToken, \"user\");\n }),\n );\n\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n if (isElectronRequest(event)) await clearDesktopSso();\n return { ok: true };\n }),\n );\n\n app.use(\n \"/_agent-native/auth/session\",\n defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? 
{ error: \"Not authenticated\" };\n }),\n );\n\n _authGuardConfig = {\n loginHtml: getTokenLoginHtml(),\n getLoginHtml: (_event, rawPath) =>\n getTokenLoginHtml({ requestPath: rawPath }),\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n _authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n}\n\n// ---------------------------------------------------------------------------\n// mountAuthFallbackRoutes — minimal auth endpoints when Better Auth init fails\n// ---------------------------------------------------------------------------\n\nfunction mountAuthFallbackRoutes(app: H3App): void {\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n\n if (!email || !password) {\n setResponseStatus(event, 400);\n return { error: \"Email and password are required\" };\n }\n\n try {\n const auth = await getBetterAuth();\n const result = await auth.api.signInEmail({\n body: { email, password },\n });\n if (result?.token) {\n setFrameworkSessionCookie(event, result.token);\n await addSession(result.token, email);\n if (isElectronRequest(event)) {\n await writeDesktopSso({\n email,\n token: result.token,\n expiresAt: Date.now() + sessionMaxAge * 1000,\n });\n }\n return authLoginResponse(event, result.token, email);\n }\n setResponseStatus(event, 403);\n return {\n error:\n \"Email not verified. 
Check your inbox for a verification link.\",\n };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"login\", email });\n }\n setResponseStatus(event, 401);\n return { error: e?.message || \"Invalid email or password\" };\n }\n }),\n );\n\n app.use(\n \"/_agent-native/auth/register\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n\n if (!email || typeof email !== \"string\" || !email.includes(\"@\")) {\n setResponseStatus(event, 400);\n return { error: \"Valid email is required\" };\n }\n if (!password || typeof password !== \"string\" || password.length < 8) {\n setResponseStatus(event, 400);\n return { error: \"Password must be at least 8 characters\" };\n }\n\n try {\n const auth = await getBetterAuth();\n await auth.api.signUpEmail({\n body: { email, password, name: email.split(\"@\")[0] },\n });\n return { ok: true };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"signup\", email });\n }\n setResponseStatus(event, 409);\n return { error: e?.message || \"Registration failed\" };\n }\n }),\n );\n\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n\n try {\n const auth = await getBetterAuth();\n await auth.api.signOut({ headers: event.headers });\n } catch {\n // Ignore if Better Auth is still unavailable\n }\n\n if (isElectronRequest(event)) await clearDesktopSso();\n\n return { ok: true };\n }),\n );\n\n app.use(\n \"/_agent-native/auth/session\",\n 
defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? { error: \"Not authenticated\" };\n }),\n );\n}\n\n// ---------------------------------------------------------------------------\n// autoMountAuth — the recommended entry point\n// ---------------------------------------------------------------------------\n\n/**\n * Automatically configure auth based on environment and configuration:\n *\n * - **BYOA (custom getSession)**: Template-provided auth callback handles everything.\n * - **ACCESS_TOKEN/ACCESS_TOKENS**: Simple token-based auth.\n * - **Default**: Better Auth with email/password, social providers, organizations, and JWT.\n * Users see an onboarding page to create an account on first visit.\n *\n * Local development uses the same Better Auth flow as production. Email\n * verification is automatically skipped in dev/test environments and when\n * no email provider is configured (see `shouldSkipEmailVerification`), so a\n * fresh local clone only needs an email + password to get started.\n *\n * Returns true if auth was mounted, false if skipped.\n */\nexport async function autoMountAuth(\n app: H3App,\n options: AuthOptions = {},\n): Promise<boolean> {\n // If auth is already mounted on THIS app (e.g., default plugin ran before\n // custom plugin in the same server boot), don't re-mount routes — but DO\n // update the live config if custom options like googleOnly or loginHtml\n // were provided. 
createAuthGuardFn() reads from _authGuardConfig on every\n // request, so updating it here takes effect immediately.\n //\n // We gate on `_mountedApp === app` because module-level state survives\n // Vite HMR — without this check, an HMR-restarted Nitro instance (fresh\n // H3 app, empty middleware) would short-circuit here and end up with no\n // auth routes mounted at all.\n if (_authGuardFn && _mountedApp === app) {\n if (options.mountGoogleOAuthRoutes === false) {\n setGenericGoogleOAuthRoutesEnabled(app, false);\n }\n // A custom getSession always wins — even if the default auth plugin\n // mounted first (which happens in production where bootstrapDefaultPlugins\n // can't see the template's server/plugins/ dir and auto-mounts defaults).\n if (options.getSession) {\n customGetSession = options.getSession;\n }\n if (_authGuardConfig) {\n if (\n options.googleOnly ||\n options.loginHtml ||\n options.marketing ||\n options.googleSignInNotice\n ) {\n _authGuardConfig.loginHtml =\n options.loginHtml ??\n getOnboardingHtml({\n googleOnly: options.googleOnly,\n marketing: options.marketing,\n googleSignInNotice: options.googleSignInNotice,\n googleAuthMode: options.googleAuthMode,\n });\n }\n if (options.publicPaths) {\n _authGuardConfig.publicPaths = [\n ...(_authGuardConfig.publicPaths ?? 
[]),\n ...options.publicPaths,\n ];\n }\n if (options.workspaceAppAudience) {\n _authGuardConfig.workspaceAppAudience =\n resolveWorkspaceAppAudience(options);\n }\n if (options.workspaceAppPublicPaths) {\n _authGuardConfig.workspaceAppPublicPaths =\n options.workspaceAppPublicPaths;\n }\n if (options.workspaceAppProtectedPaths) {\n _authGuardConfig.workspaceAppProtectedPaths =\n options.workspaceAppProtectedPaths;\n }\n }\n return true;\n }\n\n // Fresh app (first boot, or HMR created a new Nitro instance) — reset\n // the guard so the mount path below installs it on the new app.\n _authGuardFn = null;\n _authGuardConfig = null;\n _mountedApp = app;\n\n if (!app) {\n if (isDevEnvironment()) {\n customGetSession = null;\n return false;\n }\n throw new Error(\n \"autoMountAuth: H3 app is required. In Nitro plugins, pass nitroApp.h3App.\",\n );\n }\n\n // Reset globals\n customGetSession = null;\n sessionMaxAge = options.maxAge ?? DEFAULT_MAX_AGE;\n const publicPaths = options.publicPaths ?? [];\n const workspaceAppAudience = resolveWorkspaceAppAudience(options);\n const workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess(options);\n\n mountAuthCorsMiddleware(app);\n\n if (options.getSession) {\n customGetSession = options.getSession;\n }\n\n // BYOA — custom getSession provider\n if (customGetSession) {\n app.use(\n \"/_agent-native/auth/session\",\n defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? 
{ error: \"Not authenticated\" };\n }),\n );\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(() => ({ ok: true })),\n );\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n if (isElectronRequest(event)) await clearDesktopSso();\n return { ok: true };\n }),\n );\n\n const byoaLoginHtml = options.loginHtml ?? getTokenLoginHtml();\n _authGuardConfig = {\n loginHtml: byoaLoginHtml,\n ...(options.loginHtml\n ? {}\n : {\n getLoginHtml: (_event, rawPath) =>\n getTokenLoginHtml({ requestPath: rawPath }),\n }),\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n _authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n\n if (process.env.DEBUG)\n console.log(\"[agent-native] Auth enabled — custom getSession provider.\");\n return true;\n }\n\n // ACCESS_TOKEN-only mode\n const tokens = getAccessTokens();\n if (tokens.length > 0) {\n mountTokenOnlyRoutes(\n app,\n tokens,\n publicPaths,\n workspaceAppAudience,\n workspaceAppRouteAccess,\n );\n if (process.env.DEBUG)\n console.log(\n `[agent-native] Auth enabled — ${tokens.length} access token(s) configured.`,\n );\n return true;\n }\n\n // Default: Better Auth (account-first)\n try {\n await mountBetterAuthRoutes(app, options);\n if (process.env.DEBUG)\n console.log(\n \"[agent-native] Auth enabled — Better Auth (accounts + organizations).\",\n );\n } catch (err) {\n console.error(\"[agent-native] Failed to initialize Better Auth:\", err);\n mountAuthFallbackRoutes(app);\n // CRITICAL: Even if Better Auth fails, register the auth guard so\n // unauthenticated 
users can't access the app. They'll see the login\n // page but won't be able to sign in until the DB is available.\n const loginHtml =\n options.loginHtml ??\n getOnboardingHtml({\n googleOnly: options.googleOnly,\n marketing: options.marketing,\n googleSignInNotice: options.googleSignInNotice,\n googleAuthMode: options.googleAuthMode,\n });\n _authGuardConfig = {\n loginHtml,\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n _authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n console.log(\n \"[agent-native] Auth guard registered despite init failure — app is locked.\",\n );\n }\n return true;\n}\n\n// ---------------------------------------------------------------------------\n// Deprecated — kept for backward compat\n// ---------------------------------------------------------------------------\n\n/**\n * @deprecated Use `autoMountAuth(app, options?)` instead.\n */\nexport function mountAuthMiddleware(app: H3App, accessToken: string): void {\n mountTokenOnlyRoutes(app, [accessToken]);\n}\n"]}
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,QAAQ,EACR,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,SAAS,EACT,SAAS,EACT,YAAY,EACZ,SAAS,GACV,MAAM,IAAI,CAAC;AAIZ,6EAA6E;AAC7E,0EAA0E;AAC1E,8EAA8E;AAC9E,0EAA0E;AAC1E,yEAAyE;AACzE,8EAA8E;AAC9E,4EAA4E;AAC5E,yDAAyD;AACzD,SAAS,YAAY,CAAC,KAAc;IAClC,MAAM,GAAG,GAAI,KAAa,CAAC,GAAc,CAAC;IAC1C,MAAM,GAAG,GAAI,KAAa,CAAC,OAEd,CAAC;IACd,IAAI,GAAG,EAAE,gBAAgB,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;QAC9C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC7B,MAAM,eAAe,GAAG,gBAAgB,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YAC/D,IAAI,GAAG,CAAC,QAAQ,KAAK,eAAe,EAAE,CAAC;gBACrC,GAAG,CAAC,QAAQ,GAAG,eAAe,CAAC;gBAC/B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;gBACxC,MAAM,OAAO,GAAG,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,CAAC;gBACtD,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE;oBAC3B,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,8DAA8D;oBAC9D,2DAA2D;oBAC3D,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAChD,CAAC,CAAC;YACZ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;QACnE,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAGD,OAAO,EACL,SAAS,EACT,UAAU,EACV,OAAO,EACP,cAAc,GACf,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAE7E,OAAO,EACL,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAE/E,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,cAAc,EACd,eAAe,EACf,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,UAAU,IAAI,iBAAiB,EAE/B,cAAc,EACd,SAAS,EACT,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAC5E,OAAO,EACL,6BAA6B,EAC7B,2BAA2B,EAC3B,8
BAA8B,GAE/B,MAAM,qCAAqC,CAAC;AAC7C,OAAO,EACL,4BAA4B,EAC5B,qBAAqB,EACrB,mBAAmB,EACnB,qCAAqC,EACrC,oCAAoC,GACrC,MAAM,sBAAsB,CAAC;AAE9B;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,aAAa,CAAC;AACvB,CAAC;AAuID,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,aAAa,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;KAC/C,WAAW,EAAE;KACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;KAC3B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;AAC3B,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG,CAAC;AAErE;;;;GAIG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACtC,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,OAAO,OAAO,IAAI,SAAS,CAAC;AAC9B,CAAC;AAED,MAAM,iBAAiB,GAAG,CAAC,CAAC,eAAe,EAAE,CAAC;AAE9C,MAAM,CAAC,MAAM,WAAW,GAAG,iBAAiB;IAC1C,CAAC,CAAC,YAAY;IACd,CAAC,CAAC,iBAAiB;QACjB,CAAC,CAAC,sBAAsB;QACxB,CAAC,CAAC,aAAa;YACb,CAAC,CAAC,cAAc,aAAa,EAAE;YAC/B,CAAC,CAAC,YAAY,CAAC;AAErB;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IACjC,OAAO,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,eAAe,CAAC,KAAc,EAAE,IAAY;IACnD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAEvC,IAAI,GAAG,EAAE,CAAC;QACR,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO;gBAAE,SAAS;YACvB,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAChC,IAAI,EAAE,IAAI,CAAC;gBAAE,SAAS;YACtB,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,IAAI;gBAAE,SAAS;YAEnD,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACzC,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACjD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7B,CAAC;YACD,IAAI,CAAC;gBACH,KAAK,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,2DAA2D;YAC7D,CAAC;YACD,IAAI,KAAK,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,MAAM,CAAC,IAAI
,CAAC,KAAK,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,6EAA6E;IAC7E,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACtC,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAE5D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,+BAA+B,CAAC,KAAc;IACrD,OAAO,eAAe,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,kCAAkC;IACzC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;IACrC,IAAI,aAAa;QAAE,KAAK,CAAC,GAAG,CAAC,cAAc,aAAa,EAAE,CAAC,CAAC;IAC5D,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;AACpB,CAAC;AAED,SAAS,0BAA0B,CAAC,KAAc,EAAE,IAAY;IAC9D,0EAA0E;IAC1E,4EAA4E;IAC5E,kDAAkD;IAClD,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IACzC,MAAM,WAAW,GAAG,iBAAiB,EAAE,CAAC;IACxC,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;QACvB,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,WAAW,EAAE,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED,SAAS,4BAA4B,CAAC,KAAc;IAClD,KAAK,MAAM,IAAI,IAAI,kCAAkC,EAAE,EAAE,CAAC;QACxD,0BAA0B,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC1C,CAAC;AACH,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc;IAEd,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5D,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,KAAK;YAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IAC7C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AACD,SAAS,kBAAkB;IACzB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IACjE,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,MAAM,IAAI,GAAG,GAAG;SACb,WAAW,EAAE;SACb,OAAO,CAAC,cAAc,EAAE,GAAG,CAAC;SAC5B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC3B,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAe;IACvC,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9E,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC1D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3B,OAAO,GAAG,CAAC,QAAQ,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,SAAS,GAAG,
SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,EAAE,CAAC;IACvD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IAClD,OAAO,CACL,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC;QAC3B,uDAAuD,CAAC,IAAI,CAAC,OAAO,CAAC,CACtE,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,KAAc;IAChD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IAClD,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC5C,IACE,GAAG,CAAC,QAAQ,KAAK,QAAQ;YACzB,CAAC,QAAQ,KAAK,eAAe;gBAC3B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACnC,QAAQ,KAAK,eAAe;gBAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACnC,QAAQ,KAAK,eAAe;gBAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACnC,QAAQ,KAAK,YAAY;gBACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,EACnC,CAAC;YACD,OAAO,GAAG,CAAC,MAAM,CAAC;QACpB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,mBAAmB,CAC1B,KAAc,EACd,KAAa,EACb,UAAmC,EAAE;IAErC,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IACpC,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;IAC/C,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,EAAE,CAAC;IACvD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IAClD,OAAO,CAAC,IAAI,CAAC,8BAA8B,EAAE;QAC3C,KAAK;QACL,GAAG,EAAE,kBAAkB,EAAE;QACzB,IAAI;QACJ,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC;QAC9B,QAAQ,EAAE,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC;QACrC,kBAAkB,EAAE,qBAAqB,CAAC,IAAI,CAAC,SAAS,CAAC;QACzD,eAAe,EACb,uDAAuD,CAAC,IAAI,CAAC,OAAO,CAAC;QACvE,GAAG,IAAI;KACR,CAAC,CAAC;AACL,CAAC;AACD,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;AAErD,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IACjC,OAAO,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,MAAM,CAAC;AACjD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAAC,GAA8B;IAC3D,IAAI,CAAC,GAAG;QAAE,OAAO,GAAG,CAAC;IACrB,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,
GAAG,CAAC;IACxC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,0BAA0B,CAAC,CAAC;QACxD,IAAI,MAAM,CAAC,MAAM,KAAK,0BAA0B;YAAE,OAAO,GAAG,CAAC;QAC7D,OAAO,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,CAAC;IACb,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,KAAK,UAAU,oBAAoB,CACjC,KAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IACvD,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,2DAA2D;IAC3D,IAAI,EAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,EAAE,GAAG,SAAS,CAAC;IACjB,CAAC;IACD,mEAAmE;IACnE,MAAM,UAAU,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,MAAM,UAAU,GACd,UAAU,KAAK,WAAW;QAC1B,UAAU,KAAK,KAAK;QACpB,UAAU,KAAK,kBAAkB;QACjC,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,OAAO,MAAM,cAAc,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iCAAiC,CACxC,QAAkB;IAElB,IAAI,CAAC;QACH,yEAAyE;QACzE,qEAAqE;QACrE,MAAM,OAAO,GAAG,QAAQ,CAAC,OAExB,CAAC;QACF,MAAM,UAAU,GACd,OAAO,OAAO,CAAC,YAAY,KAAK,UAAU;YACxC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE;YACxB,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;iBAC9B,KAAK,CAAC,aAAa,CAAC;iBACpB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBACpB,MAAM,CAAC,OAAO,CAAC,CAAC;QACzB,KAAK,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;YAC5B,oEAAoE;YACpE,oEAAoE;YACpE,mDAAmD;YACnD,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CACpB,sDAAsD,CACvD,CAAC;YACF,IAAI,KAAK;gBAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kCAAkC;IACpC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,SAAS,eAAe;IACtB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACxC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,MAAM;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAC
zB,IAAI,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,KAAa,EAAE,MAAgB;IACrD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,IACE,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;YACnC,MAAM,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAC1C,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IAC/C,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IACnD,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACzC,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc;IAEd,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,WAAW,CAAC,CAAC;IACjD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACtD,CAAC;AAED,SAAS,8BAA8B,CAAC,KAAc;IACpD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC1C,IAAI,MAAM,IAAI,+BAA+B,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvE,qEAAqE;IACrE,wEAAwE;IACxE,2EAA2E;IAC3E,2EAA2E;IAC3E,6DAA6D;IAC7D,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC,KAAK,EAAE,kBAAkB,CAAC,KAAK,eAAe,CAAC;AAC7E,CAAC;AAED,SAAS,iBAAiB,CACxB,KAAc,EACd,KAAa,EACb,KAAc;IAEd,IAAI,CAAC,8BAA8B,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IAChE,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AAClE,CAAC;AAED;;;;;GAKG;AACH,MAAM,8BAA8B,GAAa;IAC/C,yCAAyC;IACzC,sBAAsB;IACtB,wCAAwC;IACxC,kBAAkB;IAClB,yCAAyC;IACzC,iBAAiB;CAClB,CAAC;AAEF,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,GAAG,GAAI,KAA+B,EAAE,OAAO,CAAC;IACtD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,8BAA8B,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,8EAA8E;AAC9E,
+EAA+E;AAC/E,oEAAoE;AACpE,8EAA8E;AAE9E,IAAI,mBAA8C,CAAC;AACnD,IAAI,aAAa,GAAG,eAAe,CAAC;AAEpC,KAAK,UAAU,kBAAkB;IAC/B,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzB,mBAAmB,GAAG,CAAC,KAAK,IAAI,EAAE;YAChC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,cAAc,CAAC,GAAG,EAAE,CACxB,MAAM,CAAC,OAAO,CAAC;;;;yBAIE,OAAO,EAAE;;SAEzB,CAAC,CACH,CAAC;YACF,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,OAAO,CAAC,4CAA4C,CAAC,CAAC;YACrE,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;QACH,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACjB,sEAAsE;YACtE,mBAAmB,GAAG,SAAS,CAAC;YAChC,MAAM,GAAG,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,sBAAsB,CAAI,EAAoB;IAC3D,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,EAAE,CAAC;IACpB,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,IAAI,CAAC,EAAE,IAAI,KAAK,OAAO;YAAE,MAAM,CAAC,CAAC;QACjC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC;QACrC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,MAAM,CAAC,CAAC;QACvC,mBAAmB,GAAG,SAAS,CAAC;QAChC,MAAM,kBAAkB,EAAE,CAAC;QAC3B,OAAO,MAAM,EAAE,EAAE,CAAC;IACpB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,KAAa,EAAE,KAAc;IAC5D,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,sBAAsB,CAAC,GAAG,EAAE,CAChC,MAAM,CAAC,OAAO,CAAC;QACb,GAAG,EAAE,UAAU,EAAE;YACf,CAAC,CAAC,yJAAyJ;YAC3J,CAAC,CAAC,6EAA6E;QACjF,IAAI,EAAE,CAAC,KAAK,EAAE,KAAK,IAAI,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,uDAAuD;AACvD,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAa;IAC/C,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,sBAAsB,CAAC,GAAG,EAAE,CAChC,MAAM,CAAC,OAAO,CAAC;QACb,GAAG,EAAE,sCAAsC;QAC3C,IAAI,EAAE,CAAC,KAAK,CAAC;KACd,CAAC,CACH,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAa;IACjD,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,sBAAsB,CAAC,GAAG,EAAE,CACjD,MAAM,CAAC,OAAO,CAAC;QACb,GAAG,EAAE,wDAAwD;QAC7D,IAAI,EAAE,CAAC,KAAK,CAAC;KACd,CAAC,CACH,CAAC;IACF,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,SAAS,G
AAG,IAAI,CAAC,CAAC,CAAC,CAAC,UAAoB,CAAC;IAC/C,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,aAAa,GAAG,IAAI,EAAE,CAAC;QAClD,MAAM,MAAM,CAAC,OAAO,CAAC;YACnB,GAAG,EAAE,sCAAsC;YAC3C,IAAI,EAAE,CAAC,KAAK,CAAC;SACd,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,KAAgB,IAAI,IAAI,CAAC;AAC3C,CAAC;AAED,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E,IAAI,gBAAgB,GAClB,IAAI,CAAC;AAiBP,IAAI,gBAAgB,GAA2B,IAAI,CAAC;AACpD,MAAM,gCAAgC,GAAG,IAAI,OAAO,EAAmB,CAAC;AAExE,SAAS,2BAA2B,CAClC,UAAqD,EAAE;IAEvD,OAAO,6BAA6B,CAClC,OAAO,CAAC,oBAAoB,IAAI,2BAA2B,EAAE,CAC9D,CAAC;AACJ,CAAC;AAED,SAAS,8BAA8B,CACrC,UAGI,EAAE;IAEN,MAAM,GAAG,GAAG,8BAA8B,EAAE,CAAC;IAC7C,OAAO;QACL,WAAW,EAAE,OAAO,CAAC,uBAAuB,IAAI,GAAG,CAAC,WAAW;QAC/D,cAAc,EAAE,OAAO,CAAC,0BAA0B,IAAI,GAAG,CAAC,cAAc;KACzE,CAAC;AACJ,CAAC;AAED,SAAS,kCAAkC,CACzC,GAAU,EACV,OAAgB;IAEhB,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,gCAAgC,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED,SAAS,kCAAkC,CAAC,GAAU;IACpD,OAAO,gCAAgC,CAAC,GAAG,CAAC,GAAa,CAAC,KAAK,KAAK,CAAC;AACvE,CAAC;AA0BD,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAgC,CAAC;AAClE,MAAM,6BAA6B,GAAG,aAAa,CAAC;AACpD,MAAM,+BAA+B,GAAG,IAAI,GAAG,CAAC;IAC9C,mBAAmB;IACnB,uBAAuB;CACxB,CAAC,CAAC;AAEH,iEAAiE;AACjE,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAE9C,MAAM,UAAU,kBAAkB,CAChC,MAAc,EACd,KAAa,EACb,KAAa;IAEb,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE;QAC5B,KAAK;QACL,KAAK;QACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB;KAChD,CAAC,CAAC;IACH,wEAAwE;IACxE,yEAAyE;IACzE,kBAAkB;IAClB,KAAK,0BAA0B,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,MAAc,EACd,KAAkC;IAElC,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE;QAC5B,KAAK;QACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB;KAChD,CAAC,CAAC;IACH,KAAK,+BAA+B,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AACtD,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,0BAA0B,CACvC,MAAc,EACd,KAAa,EACb,KAAa;IAEb,IAAI,CAAC;QACH,MAAM,UAAU,CAAC,OAAO,MAAM,EAAE,EAAE,GAAG,KAAK,KAAK,KAAK,EAAE,CAAC,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;IAClD,CAAC;AACH,CAAC;AAED,KAAK,UAAU,+BAA+B,CAC
5C,MAAc,EACd,KAAkC;IAElC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACzE,MAAM,UAAU,CACd,OAAO,MAAM,EAAE,EACf,GAAG,6BAA6B,GAAG,OAAO,EAAE,CAC7C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;IAClD,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,4BAA4B,CACzC,MAAc;IAEd,IAAI,CAAC;QACH,wEAAwE;QACxE,6EAA6E;QAC7E,wDAAwD;QACxD,yEAAyE;QACzE,wEAAwE;QACxE,wDAAwD;QACxD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,yEAAyE;YAC9E,IAAI,EAAE,CAAC,OAAO,MAAM,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB,CAAC;SAC9D,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAkB,CAAC;QAC9D,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACzB,IAAI,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,EAAE,CAAC;YACrD,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,MAAM,CAAC,CAAC;YAC/D,OAAO;gBACL,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC;aAC5D,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,MAAM,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/B,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC;IAC7E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,WAAW,CAAC,GAAG,EAAE;IACf,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,iBAAiB,EAAE,CAAC;QACvC,IAAI,CAAC,CAAC,SAAS,GAAG,GAAG;YAAE,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC;AACH,CAAC,EAAE,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;AAErB;;;;GAIG;AACH,IAAI,YAAY,GAEL,IAAI,CAAC;AAEhB;;;;;;;GAOG;AACH,IAAI,WAAW,GAAiB,IAAI,CAAC;AAErC;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,KAAc;IAEd,IAAI,CAAC,YAAY;QAAE,OAAO,CAAC,sCAAsC;IACjE,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,SAAS,gBAAgB,CAAC,KAAc;IAItC,wEAAwE;IACxE,oEAAoE;IAC
pE,oEAAoE;IACpE,gEAAgE;IAChE,kCAAkC;IAClC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACxD,MAAM,aAAa,GAAG,oBAAoB,CAAC,MAAM,EAAE;QACjD,cAAc,EAAE,sBAAsB,EAAE;QACxC,6BAA6B,EAAE,IAAI;KACpC,CAAC,CAAC;IACH,IAAI,CAAC,aAAa;QAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC/D,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,aAAa,CAAC,CAAC;IACvE,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3C,iBAAiB,CAAC,KAAK,EAAE,kCAAkC,EAAE,MAAM,CAAC,CAAC;IACrE,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;IACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,kFAAkF,CACnF,CAAC;IACF,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,qBAAqB;IAC5B,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACrC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,SAAS;YAAE,OAAO;QAE3C,IAAI,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,uBAAuB,CAAC,GAAU;IACzC,MAAM,OAAO,GAAG,qBAAqB,EAAE,CAAC;IACxC,GAAG,CAAC,GAAG,CAAC,qBAAqB,EAAE,OAAO,CAAC,CAAC;IACxC,GAAG,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,oCAAoC;IAC3C,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG;QAC1C,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,GAAG,CAChD,CAAC;AACJ,CAAC;AAED,SAAS,4BAA4B,CAAC,QAAgB;IACpD,OAAO,CACL,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC;QACtC,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAc;IAI7C,MAAM,eAAe,GAAI,KAAa,CAAC,OAAO,EAAE,gBAAgB,CAAC;IACjE,IAAI,OAAO,eAAe,KAAK,QAAQ,IAAI,eAAe,EAAE,CAAC;QAC3D,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,EAAE,MAAM,IAAI,EAAE,EAAE,CAAC;IACvE,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;IACtD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,OAAO;QACL,OAAO,EAAE,
UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG;QACzD,MAAM,EAAE,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE;KACrD,CAAC;AACJ,CAAC;AAED,SAAS,mCAAmC,CAC1C,KAAc;IAEd,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;IAC3D,MAAM,cAAc,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,IACE,CAAC,QAAQ;QACT,CAAC,oCAAoC,EAAE;QACvC,CAAC,4BAA4B,CAAC,cAAc,CAAC;QAC7C,OAAO,KAAK,GAAG,QAAQ,gBAAgB;QACvC,OAAO,CAAC,UAAU,CAAC,GAAG,QAAQ,iBAAiB,CAAC,EAChD,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,eAAe,CAC/B,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAClD,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACf,MAAM,KAAK,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;IAC5C,IACE,CAAC,KAAK;QACN,KAAK,KAAK,kBAAkB,EAAE;QAC9B,CAAC,2BAA2B,CAAC,KAAK,CAAC,EACnC,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;QACtB,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,KAAK,GAAG,cAAc,GAAG,MAAM,EAAE,EAAE;KAC7D,CAAC,CAAC;AACL,CAAC;AAED,SAAS,kCAAkC,CAAC,GAAW;IACrD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAChC,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAC9D,qBAAqB,CACtB,CAAC;IACF,OAAO,oCAAoC,CAAC,KAAK,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,iCAAiC,CAAC,KAAc,EAAE,CAAS;IAClE,IAAI,CAAC,KAAK,gCAAgC,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;QACtD,OAAO,OAAO,CAAC,kCAAkC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,CAAC,KAAK,iCAAiC,EAAE,CAAC;QAC5C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;QACtD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,KAAK,GACT,UAAU,IAAI,CAAC;YACb,CAAC,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAChD,mBAAmB,CACpB;YACH,CAAC,CAAC,IAAI,CAAC;QACX,sEAAsE;QACtE,qEAAqE;QACrE,iEAAiE;QACjE,qEAAqE;QACr
E,6DAA6D;QAC7D,mEAAmE;QACnE,mEAAmE;QACnE,uBAAuB;QACvB,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC;QAC1D,IAAI,UAAU;YAAE,OAAO,KAAK,CAAC;QAC7B,OAAO,OAAO,CACZ,qCAAqC,CAAC,KAAK,CAAC;YAC5C,oCAAoC,CAClC,SAAS,CAAC,KAAK,EAAE,4BAA4B,CAAC,CAC/C,CACF,CAAC;IACJ,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB;IAGxB,OAAO,KAAK,EAAE,KAAc,EAAE,EAAE;QAC9B,MAAM,MAAM,GAAG,gBAAgB,CAAC;QAChC,IAAI,CAAC,MAAM;YAAE,OAAO;QACpB,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;QAE/B,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;QACtD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,OAAO,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QACjE,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,SAAS,CAAC;QAC5E,MAAM,CAAC,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,aAAa,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3E,MAAM,aAAa,GAAG,mCAAmC,CAAC,KAAK,CAAC,CAAC;QACjE,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,iEAAiE;QACjE,2CAA2C;QAC3C,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACrC,qEAAqE;QACrE,mEAAmE;QACnE,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,CAAC;YACZ,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,2EAA2E;QAC3E,6EAA6E;QAC7E,IACE,CAAC,CAAC,UAAU,CAAC,sBAAsB,CAAC;YACpC,CAAC,KAAK,gCAAgC;YACtC,CAAC,KAAK,gCAAgC;YACtC,CAAC,KAAK,4CAA4C,EAClD,CAAC;YACD,OAAO;QACT,CAAC;QAED,0EAA0E;QAC1E,2EAA2E;QAC3E,IAAI,iDAAiD,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,0EAA0E;QAC1E,wEAAwE;QACxE,4EAA4E;QAC5E,0EAA0E;QAC1E,0DAA0D;QAC1D,IAAI,CAAC,KAAK,0CAA0C,EAAE,CAAC;YACrD,OAAO;QACT,CAAC;QAED,wEAAwE;QACxE,wEAAwE;QACxE,wEAAwE;QACxE,IAAI,CAAC,KAAK,sDAAsD,EAAE,CAAC;YACjE,OAAO;QACT,CAAC;QAED,uEAAuE;QACvE,uEAAuE;QACvE,IAAI,CAAC,KAAK,oBAAoB,EAAE,CAAC;Y
AC/B,OAAO;QACT,CAAC;QAED,yEAAyE;QACzE,iEAAiE;QACjE,sEAAsE;QACtE,uEAAuE;QACvE,oEAAoE;QACpE,6DAA6D;QAC7D,IAAI,CAAC,KAAK,kCAAkC,EAAE,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,qEAAqE;QACrE,sEAAsE;QACtE,iDAAiD;QACjD,IAAI,CAAC,KAAK,uCAAuC,EAAE,CAAC;YAClD,OAAO;QACT,CAAC;QAED,qEAAqE;QACrE,uEAAuE;QACvE,oEAAoE;QACpE,qEAAqE;QACrE,uCAAuC;QACvC,EAAE;QACF,qEAAqE;QACrE,qEAAqE;QACrE,mEAAmE;QACnE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,+DAA+D;QAC/D,oCAAoC;QACpC,EAAE;QACF,IAAI,CAAC,KAAK,wBAAwB,EAAE,CAAC;YACnC,MAAM,QAAQ,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAClE,MAAM,UAAU,GAAG,cAAc,CAC/B,IAAI,eAAe,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAC5C,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;oBACtB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;iBAClC,CAAC,CAAC;YACL,CAAC;YACD,OAAO,IAAI,QAAQ,CAAC,SAAS,EAAE;gBAC7B,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;aACxD,CAAC,CAAC;QACL,CAAC;QAED,0EAA0E;QAC1E,0EAA0E;QAC1E,6CAA6C;QAC7C,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;oBACtB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,QAAQ,EAAE,cAAc,EAAE,IAAI,GAAG,EAAE;iBAC/C,CAAC,CAAC;YACL,CAAC;YACD,OAAO,IAAI,QAAQ,CAAC,SAAS,EAAE;gBAC7B,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;aACxD,CAAC,CAAC;QACL,CAAC;QAED,wDAAwD;QACxD,IACE,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC;YACxB,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC;YACxB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACjB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACpB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EACnB,CAAC;YACD,OAAO;QACT,CAAC;QAED,uEAAuE;QACvE,mEAAmE;QACnE,oEAAoE;QACpE,kEAAkE;QAClE,qEAAqE;QACrE,iEAAiE;QACjE,gCAAgC;QAChC,IAAI,CAAC,KAAK,aAAa;YAAE,OAAO
;QAChC,IAAI,YAAY,CAAC,aAAa,EAAE,WAAW,CAAC;YAAE,OAAO;QACrD,IAAI,iCAAiC,CAAC,KAAK,EAAE,CAAC,CAAC;YAAE,OAAO;QACxD,IAAI,4BAA4B,CAAC,KAAK,EAAE,CAAC,EAAE,MAAM,CAAC,EAAE,CAAC;YACnD,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,OAAO;YAAE,OAAO;QAEpB,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC7D,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QACnC,CAAC;QAED,uEAAuE;QACvE,yEAAyE;QACzE,uEAAuE;QACvE,oEAAoE;QACpE,iEAAiE;QACjE,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,MAAM,WAAW,GAAG,MAAM,yBAAyB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAChE,IAAI,WAAW;gBAAE,OAAO,WAAW,CAAC;QACtC,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,SAAS,EAAE;YAC7B,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;SACxD,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,sBAAsB,GAAG,WAAW,CAAC;AAC3C,MAAM,yBAAyB,GAAG,mBAAmB,CAAC;AAEtD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,KAAK,UAAU,yBAAyB,CACtC,KAAc,EACd,UAAkB;IAElB,IAAI,CAAC,gBAAgB,EAAE;QAAE,OAAO,IAAI,CAAC;IACrC,IAAI,OAAO,CAAC,GAAG,CAAC,qCAAqC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAE3E,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;QACvB,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,+CAA+C;YACpD,IAAI,EAAE,CAAC,sBAAsB,CAAC;SAC/B,CAAC,CAAC;QACH,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAEtC,kEAAkE;QAClE,gEAAgE;QAChE,gEAAgE;QAChE,gEAAgE;QAChE,gEAAgE;QAChE,gEAAgE;QAChE,sDAAsD;QACtD,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YAC1C,GAAG,EAAE,8CAA8C;YACnD,IAAI,EAAE,CAAC,sBAAsB,CAAC;SAC/B,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAErC,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,wEAAwE;QACxE,sEAAsE;QACtE,8BAA8B;QAC9B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACzB,IAAI,EAAE;oBACJ,KAAK,EAAE,sBAAsB;oBAC7B,QAAQ,EAAE,yBAAyB;oBACnC,IAAI,EAAE,KAAK;iBACZ;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC;gBAAE,MAAM,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,
MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;YACxC,IAAI,EAAE;gBACJ,KAAK,EAAE,sBAAsB;gBAC7B,QAAQ,EAAE,yBAAyB;aACpC;SACF,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,EAAE,KAAK;YAAE,OAAO,IAAI,CAAC;QAEhC,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,sBAAsB,CAAC,CAAC;QAEvD,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;YACtB,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;SAClC,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,mEAAmE;QACnE,gEAAgE;QAChE,qDAAqD;QACrD,OAAO,CAAC,IAAI,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,SAG7B;IACC,OAAO;QACL,KAAK,EAAE,SAAS,CAAC,IAAI,CAAC,KAAK;QAC3B,MAAM,EAAE,SAAS,CAAC,IAAI,CAAC,EAAE;QACzB,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,IAAI;QACzB,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,KAAK;QAC/B,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,oBAAoB,IAAI,SAAS;KAC5D,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,KAAc;IAC7C,oDAAoD;IACpD,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;IAC1C,CAAC;IAED,4BAA4B;IAC5B,IAAI,gBAAgB,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,OAAO;YAAE,OAAO,OAAO,CAAC;QAE5B,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,mEAAmE;QACnE,oEAAoE;QACpE,mEAAmE;QACnE,qEAAqE;QACrE,oEAAoE;QACpE,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,GAAG,EAAE,KAAK;YAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;QAC9D,wCAAwC;IAC1C,CAAC;SAAM,CAAC;QACN,yEAAyE;QACzE,0EAA0E;QAC1E,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,kDAAkD;QAClD,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,iBAAiB,EAAE,CAAC;YAC/B,IAAI,EAAE,EAAE,CAAC;gBACP,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC;oBACxC,OAAO,EAAE,KAAK,CAAC,OAAO;iBACvB,CAAC,CAAC;gBACH,IAAI,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;oBAC3B,OAAO,oBAAoB,CAAC,SAAS,CAAC,CAAC;gBACzC,CAAC
;YACH,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,CAAC,CAAC,CAAC;QACtD,CAAC;QAED,oEAAoE;QACpE,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,kCAAkC;QAClC,qEAAqE;QACrE,sEAAsE;QACtE,gEAAgE;QAChE,oEAAoE;QACpE,uEAAuE;QACvE,wEAAwE;QACxE,kEAAkE;QAClE,gEAAgE;QAChE,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,GAAG,EAAE,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,MAAM,YAAY,GAAG,MAAM,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,KAAc;IAEd,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,QAA8B,CAAC;IAC/D,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACzC,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAC3D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAChC,OAAO,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,oBAAoB,CAAC,KAAc;IAK1C,OAAO,cAAc,CAAC,KAAK,CAAC;QAC1B,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;QACvD,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAc,EAAE,KAAa;IACrE,4BAA4B,CAAC,KAAK,CAAC,CAAC;IACpC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE;QACnC,QAAQ,EAAE,IAAI;QACd,GAAG,oBAAoB,CAAC,KAAK,CAAC;QAC9B,GAAG,iBAAiB,EAAE;QACtB,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,aAAa;KACtB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QACtD,IAAI,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,GAAG,GAAS,KAAa,CAAC,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC;QACvD,MAAM,GAAG,GAAu
B,GAAG,EAAE,GAAG,CAAC;QACzC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QACvE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QACxE,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,SAAS,YAAY,CAAC,GAAW,EAAE,WAAqB;IACtD,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5B,OAAO,eAAe,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,KAAe;IACpD,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;QAC9B,MAAM,UAAU,GACd,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;YAC7C,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACxB,CAAC,CAAC,SAAS,CAAC;QAChB,OAAO,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,GAAG,GAAG,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,4BAA4B,CACnC,KAAc,EACd,IAAY,EACZ,MAAuB;IAEvB,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IACE,IAAI,KAAK,gBAAgB;QACzB,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC;QAClC,IAAI,KAAK,MAAM;QACf,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QACxB,IAAI,KAAK,cAAc;QACvB,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,EAChC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,0BAA0B,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3E,IAAI,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,uBAAuB,CAAC;QAAE,OAAO,IAAI,CAAC;IACvE,OAAO,MAAM,CAAC,oBAAoB,KAAK,QAAQ,CAAC;AAClD,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,IAAI,CAAC,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC/B,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACtC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;QACxC,OAAO,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;IAChD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAE9E,SAAS,iCAAiC,CAAC,WAAoB;IAC7D,IACE,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG;QAC1C,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,GAAG,EAC/C,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,CAAC,WAAW,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,GAAG,CA
AC;QAAE,OAAO,EAAE,CAAC;IAC5D,MAAM,YAAY,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,IAAI,CAAC,YAAY;QAAE,OAAO,EAAE,CAAC;IAC7B,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;QAChC,eAAe;QACf,aAAa;QACb,KAAK;QACL,OAAO;QACP,QAAQ;QACR,MAAM;QACN,SAAS;QACT,UAAU;QACV,YAAY;KACb,CAAC,CAAC;IACH,IAAI,iBAAiB,CAAC,GAAG,CAAC,YAAY,CAAC;QAAE,OAAO,EAAE,CAAC;IACnD,IAAI,CAAC,2BAA2B,CAAC,YAAY,CAAC;QAAE,OAAO,EAAE,CAAC;IAC1D,OAAO,IAAI,YAAY,EAAE,CAAC;AAC5B,CAAC;AAED,SAAS,iBAAiB,CAAC,UAAoC,EAAE;IAC/D,MAAM,kBAAkB,GACtB,cAAc,EAAE,IAAI,iCAAiC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC7E,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAyMoB,IAAI,CAAC,SAAS,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QA+FvD,CAAC;AACT,CAAC;AAED,8EAA8E;AAC9E,+EAA+E;AAC/E,8EAA8E;AAE9E,KAAK,UAAU,qBAAqB,CAClC,GAAU,EACV,OAAoB;IAEpB,MAAM,WAAW,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,CAAC;IACrD,MAAM,oBAAoB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAClE,MAAM,uBAAuB,GAAG,8BAA8B,CAAC,OAAO,CAAC,CAAC;IAExE,wEAAwE;IACxE,0EAA0E;IAC1E,KAAK,MAAM,EAAE,IAAI,CAAC,cAAc,EAAE,cAAc,EAAE,cAAc,CAAC,EAAE,CAAC;QAClE,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;YAAE,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,0EAA0E;IAC1E,uEAAuE;IACvE,yCAAyC;IACzC,IACE,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,OAAO,CAAC,sBAAsB,KAAK,KAAK,EACxC,CAAC;QACD,kCAAkC,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC9C,KAAK,MAAM,EAAE,IAAI;YACf,gCAAgC;YAChC,gCAAgC;SACjC,EAAE,CAAC;YACF,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAAE,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,YAAY,GAAG;YACnB,QAAQ;YACR,gDAAgD;YAChD,kDAAkD;SACnD,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,GAAG,CAAC,GAAG,CACL,gCAAgC,EAChC,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;YAC3B,IAAI,CAAC,kCAAkC,CAAC,GAAG,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC/D,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC
;gBAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,oEAAoE;YACpE,uDAAuD;YACvD,mEAAmE;YACnE,oEAAoE;YACpE,2DAA2D;YAC3D,MAAM,WAAW,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;YACnD,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;gBACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;YAC3C,CAAC;YACD,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC1B,MAAM,OAAO,GACX,iBAAiB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,OAAO,KAAK,GAAG,IAAI,CAAC,CAAC,OAAO,KAAK,MAAM,CAAC;YACxE,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC,CAAC,OAAkB,IAAI,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YACxE,gEAAgE;YAChE,+DAA+D;YAC/D,+DAA+D;YAC/D,6BAA6B;YAC7B,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,CAAC;YAC7B,MAAM,SAAS,GACb,OAAO,WAAW,KAAK,QAAQ;gBAC7B,CAAC,CAAC,kBAAkB,CAAC,WAAW,EAAE;oBAC9B,oBAAoB,EAAE,qBAAqB,CAAC,KAAK,CAAC;oBAClD,cAAc,EAAE,CAAC,0BAA0B,CAAC,KAAK,CAAC,CAAC;iBACpD,CAAC;gBACJ,CAAC,CAAC,GAAG,CAAC;YACV,MAAM,SAAS,GAAG,SAAS,KAAK,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5D,MAAM,KAAK,GAAG,gBAAgB,CAAC;gBAC7B,WAAW;gBACX,OAAO;gBACP,UAAU,EAAE,KAAK;gBACjB,GAAG,EAAE,kBAAkB,EAAE;gBACzB,SAAS;gBACT,MAAM;aACP,CAAC,CAAC;YACH,mBAAmB,CAAC,KAAK,EAAE,UAAU,EAAE;gBACrC,MAAM;gBACN,OAAO;gBACP,YAAY,EAAE,iBAAiB,CAAC,WAAW,CAAC;gBAC5C,SAAS;gBACT,QAAQ,EAAE,CAAC,CAAC,QAAQ,KAAK,GAAG;gBAC5B,SAAS,EACP,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG;oBAC1C,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,GAAG;aAClD,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBACjC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAiB;gBACxC,YAAY,EAAE,WAAW;gBACzB,aAAa,EAAE,MAAM;gBACrB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,QAAQ;gBACrB,MAAM,EAAE,gBAAgB;gBACxB,KAAK;aACN,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,gDAAgD,MAAM,EAAE,CAAC;YACzE,IAAI,CAAC,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;gBACvB,OAAO,YAAY,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;YAC3C,CAAC;YACD,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;QAC1B,CAAC,CAAC,CACH,CAAC;QAEF,GAAG,CAAC,GAAG,CACL,gCAAgC,EAChC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,IAAI,CAAC,kCAAkC,CAAC,GAAG,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC/D,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAA
E,CAAC;gBAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,MAAM,aAAa,GAAG,mCAAmC,CAAC,KAAK,CAAC,CAAC;YACjE,IAAI,aAAa;gBAAE,OAAO,aAAa,CAAC;YACxC,IAAI,cAAkC,CAAC;YACvC,IAAI,eAAe,GAAG,KAAK,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;gBAC9B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAc,CAAC;gBAClC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAClE,KAAK,CAAC,KAA2B,EACjC,SAAS,CAAC,KAAK,EAAE,gCAAgC,CAAC,CACnD,CAAC;gBACF,cAAc,GAAG,MAAM,CAAC;gBACxB,eAAe,GAAG,OAAO,CAAC;gBAC1B,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;oBAC3C,MAAM;oBACN,OAAO;oBACP,YAAY,EAAE,iBAAiB,CAAC,WAAW,CAAC;oBAC5C,OAAO,EAAE,CAAC,CAAC,IAAI;oBACf,SAAS;iBACV,CAAC,CAAC;gBACH,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,MAAM,aAAa,GACjB,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,KAAK;wBAC5C,CAAC,CAAC,KAAK,CAAC,KAAK;wBACb,CAAC,CAAC,SAAS,CAAC;oBAChB,MAAM,mBAAmB,GACvB,OAAO,KAAK,CAAC,iBAAiB,KAAK,QAAQ;wBAC3C,KAAK,CAAC,iBAAiB;wBACrB,CAAC,CAAC,KAAK,CAAC,iBAAiB;wBACzB,CAAC,CAAC,SAAS,CAAC;oBAChB,MAAM,GAAG,GACP,mBAAmB;wBACnB,aAAa;wBACb,4BAA4B,CAAC;oBAC/B,IAAI,MAAM,EAAE,CAAC;wBACX,uBAAuB,CAAC,MAAM,EAAE;4BAC9B,OAAO,EAAE,0BAA0B,GAAG,EAAE;4BACxC,IAAI,EAAE,aAAa,IAAI,4BAA4B;yBACpD,CAAC,CAAC;oBACL,CAAC;oBACD,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;wBAC3C,MAAM;wBACN,OAAO;wBACP,OAAO,EAAE,GAAG;wBACZ,IAAI,EAAE,aAAa;qBACpB,CAAC,CAAC;oBACH,OAAO,cAAc,CAAC,sBAAsB,GAAG,EAAE,CAAC,CAAC;gBACrD,CAAC;gBACD,iEAAiE;gBACjE,8DAA8D;gBAC9D,+DAA+D;gBAC/D,iEAAiE;gBACjE,OAAO;gBACP,IAAI,CAAC,yBAAyB,CAAC,WAAW,EAAE,KAAK,CAAC,EAAE,CAAC;oBACnD,MAAM,GAAG,GACP,4EAA4E,CAAC;oBAC/E,IAAI,MAAM,EAAE,CAAC;wBACX,uBAAuB,CAAC,MAAM,EAAE;4BAC9B,OAAO,EAAE,GAAG;4BACZ,IAAI,EAAE,sBAAsB;yBAC7B,CAAC,CAAC;oBACL,CAAC;oBACD,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;wBAC3C,MAAM;wBACN,OAAO;wBACP,OAAO,EAAE,GAAG;qBACb,CAAC,CAAC;oBACH,OAAO,cAAc,CAAC,sBAAsB,GAAG,EAAE,CAAC,CAAC;gBACrD,CAAC;gBAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,qCAAqC,EAAE;oBAClE,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,cAAc,EAAE,mCAAmC;qBACpD;oBACD,IAAI,EAAE,IAAI,eAAe,CAAC;wBACxB,IAA
I;wBACJ,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAiB;wBACxC,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAqB;wBAChD,YAAY,EAAE,WAAW;wBACzB,UAAU,EAAE,oBAAoB;qBACjC,CAAC;iBACH,CAAC,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACrC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,IAAI,KAAK,CACb,MAAM,CAAC,iBAAiB;wBACtB,MAAM,CAAC,KAAK;wBACZ,uBAAuB,CAC1B,CAAC;gBACJ,CAAC;gBAED,MAAM,OAAO,GAAG,MAAM,KAAK,CACzB,+CAA+C,EAC/C,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,MAAM,CAAC,YAAY,EAAE,EAAE,EAAE,CAChE,CAAC;gBACF,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;gBAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAe,CAAC;gBACnC,IAAI,CAAC,KAAK;oBAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;gBAC/D,qDAAqD;gBACrD,8DAA8D;gBAC9D,4DAA4D;gBAC5D,8DAA8D;gBAC9D,8DAA8D;gBAC9D,6DAA6D;gBAC7D,+DAA+D;gBAC/D,gEAAgE;gBAChE,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI,EAAE,CAAC;oBACjC,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;gBACJ,CAAC;gBAED,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE;oBAC9D,oBAAoB,EAAE,KAAK;oBAC3B,OAAO;iBACR,CAAC,CAAC;gBACH,mBAAmB,CAAC,KAAK,EAAE,0BAA0B,EAAE;oBACrD,MAAM;oBACN,OAAO;oBACP,eAAe,EAAE,CAAC,CAAC,YAAY;oBAC/B,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;iBACvC,CAAC,CAAC;gBAEH,IAAI,MAAM,IAAI,YAAY,EAAE,CAAC;oBAC3B,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE;wBAC5B,KAAK,EAAE,YAAY;wBACnB,KAAK;wBACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB;qBAChD,CAAC,CAAC;oBACH,+DAA+D;oBAC/D,6DAA6D;oBAC7D,0DAA0D;oBAC1D,KAAK,0BAA0B,CAAC,MAAM,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC;oBAC7D,mBAAmB,CAAC,KAAK,EAAE,0BAA0B,EAAE;wBACrD,MAAM;wBACN,OAAO;qBACR,CAAC,CAAC;gBACL,CAAC;gBAED,OAAO,qBAAqB,CAAC,KAAK,EAAE,KAAK,EAAE;oBACzC,YAAY;oBACZ,OAAO;oBACP,SAAS;oBACT,MAAM;iBACP,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBACpB,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,IAAI,eAAe,CAAC;gBAC7C,IAAI,cAAc,EAAE,CAAC;oBACnB,uBAAuB,CAAC,cAAc,EAAE;wBACtC,OAAO,EAAE,0BAA0B,GAAG,EAAE;wBACxC,IAAI,EAAE,gBAAgB;qBACvB,CAAC,CAAC;gBACL,CAAC;gBACD,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;oBAC3C,MAAM,EAAE,cAAc;oBACtB,OAAO,EAAE,eAAe;oBACxB,OAAO,EAAE,GAAG;iBACb,CAAC,CAAC;gBACH,OAAO,cAAc,CAAC,
sBAAsB,GAAG,EAAE,CAAC,CAAC;YACrD,CAAC;QACH,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,qEAAqE;IACrE,mEAAmE;IACnE,GAAG,CAAC,GAAG,CACL,sCAAsC,EACtC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC9B,MAAM,MAAM,GAAG,KAAK,CAAC,OAA6B,CAAC;QACnD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QACD,IAAI,KAAK,GAAG,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC3C,qEAAqE;YACrE,sEAAsE;YACtE,qEAAqE;YACrE,MAAM,MAAM,GAAG,MAAM,4BAA4B,CAAC,MAAM,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,mEAAmE;gBACnE,gEAAgE;gBAChE,kEAAkE;gBAClE,kEAAkE;gBAClE,cAAc;gBACd,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3D,CAAC;YACD,KAAK;gBACH,OAAO,IAAI,MAAM;oBACf,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE;oBACpD,CAAC,CAAC;wBACE,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC;qBAC1B,CAAC;QACV,CAAC;QACD,iBAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACjC,oEAAoE;QACpE,gDAAgD;QAChD,KAAK,aAAa,CAAC,OAAO,MAAM,EAAE,CAAC,CAAC;QACpC,IAAI,OAAO,IAAI,KAAK,EAAE,CAAC;YACrB,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;gBAC3C,MAAM;gBACN,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,OAAO;gBAC5B,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,IAAI;aACvB,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC;QACxD,CAAC;QACD,oEAAoE;QACpE,qEAAqE;QACrE,qEAAqE;QACrE,yBAAyB,CAAC,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QAC9C,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;QAC3D,mBAAmB,CAAC,KAAK,EAAE,kBAAkB,EAAE;YAC7C,MAAM;YACN,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;SAC7C,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAA
E,CAAC;IACpD,CAAC,CAAC,CACH,CAAC;IAEF,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IAEvC,2EAA2E;IAC3E,qEAAqE;IACrE,wEAAwE;IACxE,6CAA6C;IAC7C,MAAM,gBAAgB,GAAqB;QACzC,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;QAC7B,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACxE,CAAC;IACF,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAEnD,kEAAkE;IAClE,GAAG,CAAC,GAAG,CACL,wBAAwB,EACxB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;QACxD,MAAM,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC;QAEpE,iEAAiE;QACjE,gEAAgE;QAChE,iEAAiE;QACjE,mEAAmE;QACnE,iEAAiE;QACjE,8DAA8D;QAC9D,+DAA+D;QAC/D,IAAI,UAA8B,CAAC;QACnC,IAAI,WAA+B,CAAC;QACpC,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAI,KAAK,CAAC,GAAe,CAAC,KAAK,EAAE,CAAC;gBAC9C,MAAM,IAAI,GAAG,CAAC,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAE3C,CAAC;gBACd,UAAU,GAAG,IAAI,EAAE,KAAK,CAAC;YAC3B,CAAC;YAAC,MAAM,CAAC;gBACP,8CAA8C;YAChD,CAAC;YACD,mEAAmE;YACnE,gEAAgE;YAChE,qEAAqE;YACrE,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,CAAC;oBACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;oBACtD,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;oBACvB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;wBAC5B,GAAG,EAAE,qDAAqD;wBAC1D,IAAI,EAAE,CAAC,kBAAkB,UAAU,EAAE,CAAC;qBACvC,CAAC,CAAC;oBACH,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAA2B,CAAC;gBAC1D,CAAC;gBAAC,MAAM,CAAC;oBACP,8DAA8D;oBAC9D,kDAAkD;gBACpD,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;QACzD,MAAM,UAAU,GACd,QAAQ,IAAI,IAAI;YAChB,OAAQ,QAAgB,CAAC,MAAM,KAAK,QAAQ;YAC5C,OAAQ,QAAgB,CAAC,OAAO,EAAE,GAAG,KAAK,UAAU,CAAC;QAEvD,mEAAmE;QACnE,gEAAgE;QAChE,2EAA2E;QAC3E,qEAAqE;QACrE,kEAAkE;QAClE,mEAAmE;QACnE,kEAAkE;QAClE,iDAAiD;QACjD,IACE,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;YAChC,UAAU;YACT,QAAqB,CAAC,MAAM,IAAI,GAAG;YACnC,QAAqB,CAAC,MAAM,GAAG,GAAG,EACnC,CAAC;YACD,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC
;YAC7C,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC1C,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,GAAG,GAAG,GAAG,YAAY,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,mEAAmE;QACnE,mEAAmE;QACnE,4DAA4D;QAC5D,IACE,eAAe;YACf,WAAW;YACX,UAAU;YACT,QAAqB,CAAC,MAAM,IAAI,GAAG;YACnC,QAAqB,CAAC,MAAM,GAAG,GAAG,EACnC,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;gBACtD,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;gBACvB,+DAA+D;gBAC/D,8DAA8D;gBAC9D,6DAA6D;gBAC7D,8DAA8D;gBAC9D,MAAM,EAAE,CAAC,OAAO,CAAC;oBACf,GAAG,EAAE,6GAA6G;oBAClH,IAAI,EAAE,CAAC,WAAW,CAAC;iBACpB,CAAC,CAAC;gBAEH,0DAA0D;gBAC1D,6DAA6D;gBAC7D,6DAA6D;gBAC7D,6DAA6D;gBAC7D,+DAA+D;gBAC/D,0DAA0D;gBAC1D,0DAA0D;gBAC1D,0DAA0D;gBAC1D,2CAA2C;gBAC3C,EAAE;gBACF,8DAA8D;gBAC9D,8DAA8D;gBAC9D,2DAA2D;gBAC3D,MAAM,eAAe,GAAG,iCAAiC,CACvD,QAAoB,CACrB,CAAC;gBAEF,qDAAqD;gBACrD,IAAI,eAAe,EAAE,CAAC;oBACpB,MAAM,EAAE,CAAC,OAAO,CAAC;wBACf,GAAG,EAAE,wDAAwD;wBAC7D,IAAI,EAAE,CAAC,WAAW,EAAE,eAAe,CAAC;qBACrC,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,EAAE,CAAC,OAAO,CAAC;wBACf,GAAG,EAAE,yCAAyC;wBAC9C,IAAI,EAAE,CAAC,WAAW,CAAC;qBACpB,CAAC,CAAC;gBACL,CAAC;gBAED,4DAA4D;gBAC5D,2DAA2D;gBAC3D,4DAA4D;gBAC5D,iEAAiE;gBACjE,IAAI,CAAC;oBACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;wBAChC,GAAG,EAAE,uCAAuC;wBAC5C,IAAI,EAAE,CAAC,WAAW,CAAC;qBACpB,CAAC,CAAC;oBACH,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAEpC,CAAC;oBACd,IAAI,SAAS,EAAE,CAAC;wBACd,IAAI,eAAe,EAAE,CAAC;4BACpB,MAAM,EAAE,CAAC,OAAO,CAAC;gCACf,GAAG,EAAE,qDAAqD;gCAC1D,IAAI,EAAE,CAAC,SAAS,EAAE,eAAe,CAAC;6BACnC,CAAC,CAAC;wBACL,CAAC;6BAAM,CAAC;4BACN,MAAM,EAAE,CAAC,OAAO,CAAC;gCACf,GAAG,EAAE,sCAAsC;gCAC3C,IAAI,EAAE,CAAC,SAAS,CAAC;6BAClB,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,yCAAyC;gBAC3C,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,yCAAyC;YAC3C,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC,CACH
,CAAC;IAEF,kDAAkD;IAClD,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEnC,4BAA4B;QAC5B,IACE,IAAI,EAAE,KAAK;YACX,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;YAC9B,YAAY,CAAC,MAAM,GAAG,CAAC,EACvB,CAAC;YACD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,YAAY,CAAC,EAAE,CAAC;gBAC9C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;YACpC,CAAC;YACD,MAAM,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC5D,MAAM,UAAU,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YACvC,yBAAyB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;YAC/C,OAAO,iBAAiB,CAAC,KAAK,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;QACxD,CAAC;QAED,uCAAuC;QACvC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAEhC,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC;QACtD,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACxC,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE;aAC1B,CAAC,CAAC;YACH,IAAI,MAAM,EAAE,KAAK,EAAE,CAAC;gBAClB,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC/C,MAAM,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACtC,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC7B,MAAM,eAAe,CAAC;wBACpB,KAAK;wBACL,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;qBAC7C,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YACvD,CAAC;YACD,oEAAoE;YACpE,gEAAgE;YAChE,uDAAuD;YACvD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,+DAA+D;aAClE,CAAC;QACJ,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YACjD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,E
AAE,OAAO,IAAI,2BAA2B,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,qDAAqD;IACrD,GAAG,CAAC,GAAG,CACL,8BAA8B,EAC9B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAChC,MAAM,WAAW,GACf,OAAO,IAAI,EAAE,WAAW,KAAK,QAAQ;YACnC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC;YAClC,CAAC,CAAC,GAAG,CAAC;QAEV,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAChE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACzB,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE;aAClE,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QACxD,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,mDAAmD;IACnD,GAAG,CAAC,GAAG,CACL,4BAA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,WAAW;YAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;QAClD,4BAA4B,CAAC,KAAK,CAAC,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,mCAAmC;QACrC,CAAC;QAED,IAAI,iBAAiB,CAAC
,KAAK,CAAC;YAAE,MAAM,eAAe,EAAE,CAAC;QAEtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,CAAC,CACH,CAAC;IAEF,qEAAqE;IACrE,mEAAmE;IACnE,gEAAgE;IAChE,iEAAiE;IACjE,GAAG,CAAC,GAAG,CACL,gCAAgC,EAChC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACxC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;YACvB,oEAAoE;YACpE,sBAAsB;YACtB,IAAI,MAA0B,CAAC;YAC/B,IAAI,CAAC;gBACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;oBAChC,GAAG,EAAE,uCAAuC;oBAC5C,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;iBACtB,CAAC,CAAC;gBACH,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAuB,CAAC;YAC/D,CAAC;YAAC,MAAM,CAAC;gBACP,6DAA6D;YAC/D,CAAC;YACD,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,CAAC;oBACH,MAAM,EAAE,CAAC,OAAO,CAAC;wBACf,GAAG,EAAE,yCAAyC;wBAC9C,IAAI,EAAE,CAAC,MAAM,CAAC;qBACf,CAAC,CAAC;gBACL,CAAC;gBAAC,MAAM,CAAC;oBACP,eAAe;gBACjB,CAAC;YACH,CAAC;YAED,wDAAwD;YACxD,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,OAAO,CAAC;oBACf,GAAG,EAAE,sCAAsC;oBAC3C,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;iBACtB,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,eAAe;YACjB,CAAC;YAED,gEAAgE;YAChE,kEAAkE;YAClE,4BAA4B,CAAC,KAAK,CAAC,CAAC;YACpC,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,4CAA4C;YAC9C,CAAC;YAED,IAAI,iBAAiB,CAAC,KAAK,CAAC;gBAAE,MAAM,eAAe,EAAE,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,2BAA2B,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,kCAAkC;IAClC,GAAG,CAAC,GAAG,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB
,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC,CAAC,CACH,CAAC;IAEF,yEAAyE;IACzE,yEAAyE;IACzE,sCAAsC;IACtC,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE;YAC1C,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;SACxD,CAAC,CAAC;IACL,CAAC,CAAC,CACH,CAAC;IAEF,mEAAmE;IACnE,sEAAsE;IACtE,MAAM,SAAS,GACb,OAAO,CAAC,SAAS;QACjB,iBAAiB,CAAC;YAChB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;YAC9C,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC,CAAC;IACL,gBAAgB,GAAG;QACjB,SAAS;QACT,WAAW;QACX,oBAAoB;QACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;QAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;KACnE,CAAC;IACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;IACpC,YAAY,GAAG,OAAO,CAAC;IACvB,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,8EAA8E;AAC9E,iEAAiE;AACjE,8EAA8E;AAE9E,SAAS,oBAAoB,CAC3B,GAAU,EACV,YAAsB,EACtB,cAAwB,EAAE,EAC1B,oBAAoB,GAAG,2BAA2B,EAAE,EACpD,uBAAuB,GAAG,8BAA8B,EAAE;IAE1D,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,IACE,CAAC,IAAI,EAAE,KAAK;YACZ,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;YAC9B,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,YAAY,CAAC,EACzC,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QACpC,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC5D,MAAM,UAAU,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QACvC,yBAAyB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;QAC/C,OAAO,iBAAiB,CAAC,KAAK,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;IACxD,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAA
G,CACL,4BAA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,WAAW;YAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;QAClD,4BAA4B,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,iBAAiB,CAAC,KAAK,CAAC;YAAE,MAAM,eAAe,EAAE,CAAC;QACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC,CAAC,CACH,CAAC;IAEF,gBAAgB,GAAG;QACjB,SAAS,EAAE,iBAAiB,EAAE;QAC9B,YAAY,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAChC,iBAAiB,CAAC,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;QAC7C,WAAW;QACX,oBAAoB;QACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;QAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;KACnE,CAAC;IACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;IACpC,YAAY,GAAG,OAAO,CAAC;IACvB,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,8EAA8E;AAC9E,+EAA+E;AAC/E,8EAA8E;AAE9E,SAAS,uBAAuB,CAAC,GAAU;IACzC,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAEhC,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC;QACtD,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACxC,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE;aAC1B,CAAC,CAAC;YACH,IAAI,MAAM,EAAE,KAAK,EAAE,CAAC;gBAClB,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CA
AC;gBAC/C,MAAM,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACtC,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC7B,MAAM,eAAe,CAAC;wBACpB,KAAK;wBACL,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;qBAC7C,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YACvD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,+DAA+D;aAClE,CAAC;QACJ,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YACjD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,2BAA2B,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,8BAA8B,EAC9B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAEhC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAChE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;YACnC,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACzB,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE;aACrD,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,
OAAO,IAAI,qBAAqB,EAAE,CAAC;QACxD,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,4BAA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,WAAW;YAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;QAClD,4BAA4B,CAAC,KAAK,CAAC,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;YACnC,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,6CAA6C;QAC/C,CAAC;QAED,IAAI,iBAAiB,CAAC,KAAK,CAAC;YAAE,MAAM,eAAe,EAAE,CAAC;QAEtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAU,EACV,UAAuB,EAAE;IAEzB,0EAA0E;IAC1E,yEAAyE;IACzE,wEAAwE;IACxE,0EAA0E;IAC1E,yDAAyD;IACzD,EAAE;IACF,uEAAuE;IACvE,wEAAwE;IACxE,wEAAwE;IACxE,8BAA8B;IAC9B,IAAI,YAAY,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,sBAAsB,KAAK,KAAK,EAAE,CAAC;YAC7C,kCAAkC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjD,CAAC;QACD,oEAAoE;QACpE,2EAA2E;QAC3E,0EAA0E;QAC1E,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC;QACxC,CAAC;QACD,IAAI,gBAAgB,EAAE,CAAC;YACrB,IACE,OAAO,CAAC,UAAU;gBAClB,OAAO,CAAC,SAAS;gBACjB,OAAO,CAAC,SAAS;gBACjB,OAAO,CAAC,kBAAkB,EAC1B,CAAC;gBACD,gBAAgB,CAAC,SAAS;oBACxB,OAAO,CAAC,SAAS;wBACjB,iBAAiB,CAAC;4BAChB,UAAU,EAAE,OAAO,CAAC,UAAU;4BAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;4BAC5B,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;4BAC9C,cAAc,EAAE,OAAO,CAAC,cAAc;yBACvC,CAAC,CAAC;YACP,CAAC;YACD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;gBACxB,gBAAgB,CAAC,WAAW,GAAG;oBAC7B,GAAG,CAAC,g
BAAgB,CAAC,WAAW,IAAI,EAAE,CAAC;oBACvC,GAAG,OAAO,CAAC,WAAW;iBACvB,CAAC;YACJ,CAAC;YACD,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;gBACjC,gBAAgB,CAAC,oBAAoB;oBACnC,2BAA2B,CAAC,OAAO,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,OAAO,CAAC,uBAAuB,EAAE,CAAC;gBACpC,gBAAgB,CAAC,uBAAuB;oBACtC,OAAO,CAAC,uBAAuB,CAAC;YACpC,CAAC;YACD,IAAI,OAAO,CAAC,0BAA0B,EAAE,CAAC;gBACvC,gBAAgB,CAAC,0BAA0B;oBACzC,OAAO,CAAC,0BAA0B,CAAC;YACvC,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sEAAsE;IACtE,gEAAgE;IAChE,YAAY,GAAG,IAAI,CAAC;IACpB,gBAAgB,GAAG,IAAI,CAAC;IACxB,WAAW,GAAG,GAAG,CAAC;IAElB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,IAAI,gBAAgB,EAAE,EAAE,CAAC;YACvB,gBAAgB,GAAG,IAAI,CAAC;YACxB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IAED,gBAAgB;IAChB,gBAAgB,GAAG,IAAI,CAAC;IACxB,aAAa,GAAG,OAAO,CAAC,MAAM,IAAI,eAAe,CAAC;IAClD,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC;IAC9C,MAAM,oBAAoB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAClE,MAAM,uBAAuB,GAAG,8BAA8B,CAAC,OAAO,CAAC,CAAC;IAExE,uBAAuB,CAAC,GAAG,CAAC,CAAC;IAE7B,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC;IACxC,CAAC;IAED,oCAAoC;IACpC,IAAI,gBAAgB,EAAE,CAAC;QACrB,GAAG,CAAC,GAAG,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACnD,CAAC,CAAC,CACH,CAAC;QACF,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CACzC,CAAC;QACF,GAAG,CAAC,GAAG,CACL,4BAA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;YAC9B,CAAC;YACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;YACjD,IAAI,WAAW;gBAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;YAClD,4BAA4B,CAAC,KAAK,CAAC,CAAC;YACpC,IAAI,iBAAiB,CAAC,KAAK,CAAC;gBAAE,MAAM,eAAe,EAAE,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC,C
AAC,CACH,CAAC;QAEF,MAAM,aAAa,GAAG,OAAO,CAAC,SAAS,IAAI,iBAAiB,EAAE,CAAC;QAC/D,gBAAgB,GAAG;YACjB,SAAS,EAAE,aAAa;YACxB,GAAG,CAAC,OAAO,CAAC,SAAS;gBACnB,CAAC,CAAC,EAAE;gBACJ,CAAC,CAAC;oBACE,YAAY,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAChC,iBAAiB,CAAC,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;iBAC9C,CAAC;YACN,WAAW;YACX,oBAAoB;YACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;YAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;SACnE,CAAC;QACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,YAAY,GAAG,OAAO,CAAC;QACvB,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;QAErC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;YACnB,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;QAC3E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,yBAAyB;IACzB,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IACjC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,oBAAoB,CAClB,GAAG,EACH,MAAM,EACN,WAAW,EACX,oBAAoB,EACpB,uBAAuB,CACxB,CAAC;QACF,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;YACnB,OAAO,CAAC,GAAG,CACT,iCAAiC,MAAM,CAAC,MAAM,8BAA8B,CAC7E,CAAC;QACJ,OAAO,IAAI,CAAC;IACd,CAAC;IAED,uCAAuC;IACvC,IAAI,CAAC;QACH,MAAM,qBAAqB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;YACnB,OAAO,CAAC,GAAG,CACT,uEAAuE,CACxE,CAAC;IACN,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,kDAAkD,EAAE,GAAG,CAAC,CAAC;QACvE,uBAAuB,CAAC,GAAG,CAAC,CAAC;QAC7B,kEAAkE;QAClE,oEAAoE;QACpE,+DAA+D;QAC/D,MAAM,SAAS,GACb,OAAO,CAAC,SAAS;YACjB,iBAAiB,CAAC;gBAChB,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;gBAC9C,cAAc,EAAE,OAAO,CAAC,cAAc;aACvC,CAAC,CAAC;QACL,gBAAgB,GAAG;YACjB,SAAS;YACT,WAAW;YACX,oBAAoB;YACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;YAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;SACnE,CAAC;QACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,YAAY,GAAG,OAAO,CAAC;QACvB,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CACT,4EAA4E,CAC7E,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,wCAAwC;AACxC,8EAA8E;AAE9E;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAU,EAAE,WAAmB;IACjE,oBAAoB,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC;AAC3C,CAAC","sourcesContent":["import crypto from \"node:crypto\";\nimport 
{\n defineEventHandler,\n getMethod,\n getQuery,\n getRequestIP,\n sendRedirect,\n setResponseHeader,\n setResponseStatus,\n getCookie,\n setCookie,\n deleteCookie,\n getHeader,\n} from \"h3\";\nimport type { H3Event } from \"h3\";\nimport type { H3AppShim } from \"./framework-request-handler.js\";\n\n// In h3 v2, `event.req` IS the web Request — but in Nitro's dev server (srvx\n// runtime), event.url and event.req share the same underlying URL object.\n// When registerMiddleware strips the mount prefix from event.url.pathname, it\n// also mutates event.req.url (NodeRequestURL setter updates nodeReq.url).\n// Better Auth's router uses new URL(request.url).pathname to extract the\n// sub-route, so it must receive the original full URL — not the stripped one.\n// registerMiddleware saves the original pathname in event.context so we can\n// reconstruct a fresh Request with the correct URL here.\nfunction toWebRequest(event: H3Event): Request {\n const req = (event as any).req as Request;\n const ctx = (event as any).context as\n | { _mountedPathname?: string; _mountPrefix?: string }\n | undefined;\n if (ctx?._mountedPathname && ctx._mountPrefix) {\n try {\n const url = new URL(req.url);\n const mountedPathname = stripAppBasePath(ctx._mountedPathname);\n if (url.pathname !== mountedPathname) {\n url.pathname = mountedPathname;\n const method = req.method.toUpperCase();\n const hasBody = method !== \"GET\" && method !== \"HEAD\";\n return new Request(url.href, {\n method: req.method,\n headers: req.headers,\n // Body may already be partially consumed; pass through as-is.\n // GET/HEAD cannot have a body — omit to avoid spec errors.\n ...(hasBody ? 
{ body: req.body, duplex: \"half\" } : {}),\n } as any);\n }\n } catch {\n // URL reconstruction failed — fall through and use original req.\n }\n }\n return req;\n}\n\ntype H3App = H3AppShim;\nimport {\n getDbExec,\n isPostgres,\n intType,\n retryOnDdlRace,\n} from \"../db/client.js\";\nimport { getBetterAuth, getBetterAuthSync } from \"./better-auth-instance.js\";\nimport type { BetterAuthConfig } from \"./better-auth-instance.js\";\nimport {\n getAllowedCorsOrigin,\n readCorsAllowedOrigins,\n} from \"./cors-origins.js\";\nimport { getOnboardingHtml, getResetPasswordHtml } from \"./onboarding-html.js\";\nimport type { GoogleAuthMode } from \"./google-auth-mode.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n readDesktopSso,\n writeDesktopSso,\n clearDesktopSso,\n} from \"./desktop-sso.js\";\nimport {\n isElectron as isElectronRequest,\n getOrigin,\n getAppBasePath,\n getAppUrl,\n encodeOAuthState,\n decodeOAuthState,\n createOAuthSession,\n oauthCallbackResponse,\n oauthErrorPage,\n resolveOAuthRedirectUri,\n isAllowedOAuthRedirectUri,\n} from \"./google-oauth.js\";\nimport { safeOAuthReturnUrl } from \"./oauth-return-url.js\";\nimport { captureAuthError } from \"./sentry.js\";\nimport { extractOAuthStateAppId } from \"../shared/oauth-state.js\";\nimport { isValidWorkspaceAppIdFormat } from \"../shared/workspace-app-id.js\";\nimport {\n normalizeWorkspaceAppAudience,\n workspaceAppAudienceFromEnv,\n workspaceAppRouteAccessFromEnv,\n type WorkspaceAppAudience,\n} from \"../shared/workspace-app-audience.js\";\nimport {\n BUILDER_CONNECT_OWNER_COOKIE,\n BUILDER_CONNECT_PARAM,\n BUILDER_STATE_PARAM,\n verifyBuilderCallbackStateAndGetOwner,\n verifyBuilderConnectTokenAndGetOwner,\n} from \"./builder-browser.js\";\n\n/**\n * Get the configured session max age. 
Desktop SSO broker writes from\n * OAuth flows read this so expiration stays consistent with the cookie.\n */\nexport function getSessionMaxAge(): number {\n return sessionMaxAge;\n}\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface AuthSession {\n email: string;\n userId?: string;\n token?: string;\n /** Display name from the auth provider, when available (Better Auth user.name). */\n name?: string;\n /** Active organization ID (from Better Auth organization plugin) */\n orgId?: string;\n /** User's role in the active organization (owner/admin/member) */\n orgRole?: string;\n}\n\nexport interface AuthOptions {\n /** Session max age in seconds. Default: 30 days */\n maxAge?: number;\n /**\n * Custom getSession implementation (for BYOA — Auth.js, Clerk, etc.).\n * When provided, Better Auth is bypassed entirely.\n */\n getSession?: (event: H3Event) => Promise<AuthSession | null>;\n /**\n * Paths that are accessible without authentication.\n * Supports prefix matching: \"/book\" matches /book/anything.\n * Both page routes and API routes can be made public.\n */\n publicPaths?: string[];\n /**\n * Workspace-level audience for the app.\n *\n * \"internal\" keeps the existing behavior: every app page requires an\n * authenticated workspace member unless listed in publicPaths.\n *\n * \"public\" lets unauthenticated visitors load page routes, while framework\n * and API routes remain protected unless explicitly listed in publicPaths.\n */\n workspaceAppAudience?: WorkspaceAppAudience;\n /**\n * Workspace app page paths that anonymous visitors can load.\n * Uses the same prefix matching as publicPaths, but only for page routes:\n * framework, API, and .well-known routes stay protected.\n */\n workspaceAppPublicPaths?: string[];\n /**\n * Workspace app page paths that still require auth when the app audience is\n * public. 
Useful for public sites with login-only admin/management pages.\n */\n workspaceAppProtectedPaths?: string[];\n /**\n * Custom login page HTML. When provided, this HTML is served to\n * unauthenticated page requests instead of the built-in login form.\n * Use this for custom login flows (e.g., \"Sign in with Google\" button).\n */\n loginHtml?: string;\n /**\n * Hide email/password forms on the built-in login page and show only the\n * Google sign-in button. Use this for templates (mail, calendar) where\n * Google connection is required anyway. Has no effect when `loginHtml`\n * is provided.\n */\n googleOnly?: boolean;\n /**\n * Mount the framework's generic Google sign-in routes.\n *\n * Set this to false when a template owns `/_agent-native/google/auth-url`\n * and `/_agent-native/google/callback` itself because it needs broader\n * product scopes and persisted API tokens, not just identity sign-in.\n */\n mountGoogleOAuthRoutes?: boolean;\n /**\n * Additional Google OAuth scopes to request beyond the default identity\n * scopes (`openid`, `email`, `profile`). When set, Better Auth's Google\n * social provider asks for these up front, requests a refresh token\n * (`access_type=offline`), and forces the consent screen so the refresh\n * token is reissued on every sign-in.\n *\n * Tokens land in Better Auth's `account` table, and a database hook\n * mirrors them into `oauth_tokens` so template code (mail's Gmail client,\n * calendar's events fetcher, etc.) 
can pick them up without a separate\n * \"Connect Google\" round-trip.\n *\n * Example for the mail template:\n * ```ts\n * googleScopes: [\n * \"https://www.googleapis.com/auth/gmail.readonly\",\n * \"https://www.googleapis.com/auth/gmail.send\",\n * ],\n * ```\n */\n googleScopes?: string[];\n /**\n * Product marketing content shown alongside the sign-in form.\n * When provided, the page uses a split layout: marketing on the left,\n * sign-in form on the right.\n */\n marketing?: {\n appName: string;\n tagline: string;\n description?: string;\n features?: string[];\n runLocalCommand?: string;\n };\n /**\n * Optional host-scoped notice shown before the built-in Google sign-in\n * redirects to Google.\n */\n googleSignInNotice?: {\n host?: string;\n title: string;\n body: string | string[];\n continueLabel?: string;\n cancelLabel?: string;\n };\n /**\n * Google sign-in flow: `'popup'`, `'redirect'`, or `'auto'` (default).\n *\n * - `'auto'` — popup in normal browsers and Builder web iframes, redirect in\n * Electron and Builder desktop preview/editor surfaces.\n * - `'popup'` — force popup everywhere.\n * - `'redirect'` — force redirect everywhere.\n *\n * Falls back to the `GOOGLE_AUTH_MODE` env var, then `'auto'`.\n */\n googleAuthMode?: GoogleAuthMode;\n /**\n * Additional Better Auth configuration (social providers, plugins, etc.)\n */\n betterAuth?: BetterAuthConfig;\n}\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/**\n * Cookie name for the framework's session cookie.\n *\n * Browsers scope cookies by host (NOT host+port — RFC 6265), so two apps\n * running on different localhost ports share one cookie jar. 
When multiple\n * templates run side-by-side (`dev:all`, the desktop app, multi-template\n * deploys on a shared domain), they would otherwise stomp on each other's\n * `an_session` cookie and ping-pong each other into a logged-out state.\n *\n * When `APP_NAME` is set, suffix the cookie so each app gets its own slot.\n *\n * Workspace exception: in workspace mode (`AGENT_NATIVE_WORKSPACE=1`),\n * every app shares the same origin AND the same DB, and cross-app SSO is\n * the desired behavior — signing into Dispatch should mean you're signed\n * in across the workspace's other apps too. Per-app suffixes break that.\n * Use a single workspace-wide cookie so the legacy `an_session_*` token\n * flow set by `setFrameworkSessionCookie` (which the Builder OAuth popup\n * exchange relies on — see `desktop-exchange` and `oauthCallbackResponse`)\n * is recognised by every app in the workspace.\n *\n * Cross-subdomain exception: when `COOKIE_DOMAIN` is set (e.g.\n * `.agent-native.com` for first-party deploys where each app is its own\n * subdomain — mail.agent-native.com, calendar.agent-native.com, …),\n * use the unsuffixed `an_session` and emit `Domain=<COOKIE_DOMAIN>` so\n * the cookie is shared across every subdomain. Signing into one app\n * signs the user into all of them. Per-app suffixes would defeat the\n * shared cookie since each subdomain reads a different name.\n */\nconst APP_NAME_SLUG = (process.env.APP_NAME || \"\")\n .toLowerCase()\n .replace(/[^a-z0-9]+/g, \"_\")\n .replace(/^_+|_+$/g, \"\");\nconst IS_WORKSPACE_MODE = process.env.AGENT_NATIVE_WORKSPACE === \"1\";\n\n/**\n * When set, the framework session cookie is shared across every subdomain\n * matching this domain (e.g. `.agent-native.com`). 
Reads `COOKIE_DOMAIN`.\n * Returns undefined when unset so cookies stay scoped to the origin host.\n */\nexport function getCookieDomain(): string | undefined {\n const raw = process.env.COOKIE_DOMAIN;\n if (!raw) return undefined;\n const trimmed = raw.trim();\n return trimmed || undefined;\n}\n\nconst HAS_COOKIE_DOMAIN = !!getCookieDomain();\n\nexport const COOKIE_NAME = HAS_COOKIE_DOMAIN\n ? \"an_session\"\n : IS_WORKSPACE_MODE\n ? \"an_session_workspace\"\n : APP_NAME_SLUG\n ? `an_session_${APP_NAME_SLUG}`\n : \"an_session\";\n\n/**\n * Cookie domain attribute spread into every `setCookie`/`deleteCookie`.\n * Empty when `COOKIE_DOMAIN` isn't set so the cookie stays scoped to the\n * single origin (current production default for non-first-party apps).\n */\nexport function cookieDomainAttrs(): { domain?: string } {\n const domain = getCookieDomain();\n return domain ? { domain } : {};\n}\n\nfunction getCookieValues(event: H3Event, name: string): string[] {\n const values: string[] = [];\n const raw = getHeader(event, \"cookie\");\n\n if (raw) {\n for (const part of String(raw).split(\";\")) {\n const trimmed = part.trim();\n if (!trimmed) continue;\n const eq = trimmed.indexOf(\"=\");\n if (eq <= 0) continue;\n if (trimmed.slice(0, eq).trim() !== name) continue;\n\n let value = trimmed.slice(eq + 1).trim();\n if (value.startsWith('\"') && value.endsWith('\"')) {\n value = value.slice(1, -1);\n }\n try {\n value = decodeURIComponent(value);\n } catch {\n // Keep the raw cookie value if it was not percent-encoded.\n }\n if (value && !values.includes(value)) values.push(value);\n }\n }\n\n // H3's cookie parser keeps only the first duplicate name. 
Preserve it as a\n // fallback for mock/runtime shapes that do not expose the raw Cookie header.\n const parsed = getCookie(event, name);\n if (parsed && !values.includes(parsed)) values.push(parsed);\n\n return values;\n}\n\nfunction getFrameworkSessionCookieValues(event: H3Event): string[] {\n return getCookieValues(event, COOKIE_NAME);\n}\n\nfunction frameworkSessionCookieNamesToClear(): string[] {\n const names = new Set([COOKIE_NAME]);\n if (APP_NAME_SLUG) names.add(`an_session_${APP_NAME_SLUG}`);\n return [...names];\n}\n\nfunction deleteCookieFromEveryScope(event: H3Event, name: string): void {\n // Clear host-only cookies first. When COOKIE_DOMAIN was introduced, stale\n // host-only `an_session` cookies could shadow the new domain cookie because\n // browsers send older same-path duplicates first.\n deleteCookie(event, name, { path: \"/\" });\n const domainAttrs = cookieDomainAttrs();\n if (domainAttrs.domain) {\n deleteCookie(event, name, { path: \"/\", ...domainAttrs });\n }\n}\n\nfunction clearFrameworkSessionCookies(event: H3Event): void {\n for (const name of frameworkSessionCookieNamesToClear()) {\n deleteCookieFromEveryScope(event, name);\n }\n}\n\nasync function getLegacyCookieSession(\n event: H3Event,\n): Promise<AuthSession | null> {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n const email = await getSessionEmail(cookie);\n if (email) return { email, token: cookie };\n }\n return null;\n}\nfunction getOAuthStateAppId(): string | undefined {\n const raw = process.env.APP_NAME || process.env.npm_package_name;\n if (!raw) return undefined;\n const slug = raw\n .toLowerCase()\n .replace(/[^a-z0-9-]+/g, \"-\")\n .replace(/^-+|-+$/g, \"\");\n return slug || undefined;\n}\n\nfunction oauthDebugFlowId(flowId: unknown): string | undefined {\n return typeof flowId === \"string\" && flowId ? 
flowId.slice(-10) : undefined;\n}\n\nfunction oauthDebugUrlPath(value: unknown): string | undefined {\n if (typeof value !== \"string\" || !value) return undefined;\n try {\n const url = new URL(value);\n return url.pathname;\n } catch {\n return undefined;\n }\n}\n\nfunction isBuilderOAuthRequest(event: H3Event): boolean {\n const userAgent = getHeader(event, \"user-agent\") || \"\";\n const referer = getHeader(event, \"referer\") || \"\";\n return (\n /Electron/i.test(userAgent) ||\n /builder\\.(io|my)|builderio\\.(xyz|dev)|builder\\.codes/i.test(referer)\n );\n}\n\nfunction builderPreviewReturnOrigin(event: H3Event): string | undefined {\n const referer = getHeader(event, \"referer\") || \"\";\n if (!referer) return undefined;\n try {\n const url = new URL(referer);\n const hostname = url.hostname.toLowerCase();\n if (\n url.protocol === \"https:\" &&\n (hostname === \"builderio.xyz\" ||\n hostname.endsWith(\".builderio.xyz\") ||\n hostname === \"builderio.dev\" ||\n hostname.endsWith(\".builderio.dev\") ||\n hostname === \"builder.codes\" ||\n hostname.endsWith(\".builder.codes\") ||\n hostname === \"builder.my\" ||\n hostname.endsWith(\".builder.my\"))\n ) {\n return url.origin;\n }\n } catch {}\n return undefined;\n}\n\nfunction logGoogleOAuthDebug(\n event: H3Event,\n phase: string,\n details: Record<string, unknown> = {},\n): void {\n const { flowId, ...rest } = details;\n const reqUrl = event.node?.req?.url ?? event.path ?? 
\"\";\n const path = reqUrl.split(\"?\")[0] || undefined;\n const userAgent = getHeader(event, \"user-agent\") || \"\";\n const referer = getHeader(event, \"referer\") || \"\";\n console.info(\"[agent-native][google-oauth]\", {\n phase,\n app: getOAuthStateAppId(),\n path,\n flow: oauthDebugFlowId(flowId),\n electron: /Electron/i.test(userAgent),\n agentNativeDesktop: /AgentNativeDesktop/i.test(userAgent),\n builderReferrer:\n /builder\\.(io|my)|builderio\\.(xyz|dev)|builder\\.codes/i.test(referer),\n ...rest,\n });\n}\nconst DEFAULT_MAX_AGE = 60 * 60 * 24 * 30; // 30 days\n\n// ---------------------------------------------------------------------------\n// Environment helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Check if we're in a development/test environment.\n * Used for cookie security settings, not for auth bypass.\n */\nexport function isDevEnvironment(): boolean {\n const env = process.env.NODE_ENV;\n return env === \"development\" || env === \"test\";\n}\n\n/**\n * Validate a `?return=` URL for the /_agent-native/sign-in entrypoint.\n *\n * Parses the candidate against a sentinel base origin; any input that\n * resolves to a different origin (network-path references, absolute URLs,\n * `data:` / `javascript:` schemes, backslash-bypass tricks WHATWG normalises\n * to `//`) gets rejected and falls back to \"/\". Control characters are\n * stripped up front to defend against header-injection. 
Returns the\n * normalised path the parser produced — never the raw input.\n *\n * Exported for unit tests.\n */\nexport function safeReturnPath(raw: string | null | undefined): string {\n if (!raw) return \"/\";\n if (/[\\x00-\\x1f]/.test(raw)) return \"/\";\n try {\n const parsed = new URL(raw, \"http://safe-base.invalid\");\n if (parsed.origin !== \"http://safe-base.invalid\") return \"/\";\n return parsed.pathname + parsed.search + parsed.hash;\n } catch {\n return \"/\";\n }\n}\n\n/**\n * Read the desktop-SSO broker file, but only if the request is plausibly\n * from the Electron desktop app *and* coming from the local machine.\n *\n * The broker file lives in the user's home directory and trusts the local\n * trust boundary — a non-loopback request that pretends to be Electron\n * via User-Agent must NEVER be allowed to read it. We additionally refuse\n * any read in production builds: the desktop app launches with\n * `NODE_ENV=development` (or unset), and any web-hosted production deploy\n * has no business consulting a per-user file on the server's homedir\n * even if one exists.\n *\n * Returns null when the safety checks fail or the file isn't present.\n */\nasync function readDesktopSsoSafely(\n event: H3Event,\n): Promise<Awaited<ReturnType<typeof readDesktopSso>>> {\n if (process.env.NODE_ENV === \"production\") return null;\n if (!isElectronRequest(event)) return null;\n // Loopback-only: 127.0.0.1, ::1, and the IPv4-mapped form.\n let ip: string | undefined;\n try {\n ip = getRequestIP(event) ?? undefined;\n } catch {\n ip = undefined;\n }\n // Strip an optional zone id (e.g. \"fe80::1%en0\") before comparing.\n const normalised = (ip ?? 
\"\").split(\"%\")[0];\n const isLoopback =\n normalised === \"127.0.0.1\" ||\n normalised === \"::1\" ||\n normalised === \"::ffff:127.0.0.1\" ||\n normalised.startsWith(\"127.\");\n if (!isLoopback) return null;\n return await readDesktopSso();\n}\n\n/**\n * Extract the framework session token from a Better Auth response's\n * Set-Cookie headers, if any. Used by the password-reset path to skip\n * the freshly-minted session when revoking sibling sessions for the\n * user. Returns undefined if no session cookie was minted (the common\n * case — Better Auth's reset doesn't auto-sign-in by default).\n */\nfunction extractSessionTokenFromSetCookies(\n response: Response,\n): string | undefined {\n try {\n // Headers may have multiple Set-Cookie entries; iterate via getSetCookie\n // when available (Node 20+ / undici), else fall back to comma split.\n const headers = response.headers as Headers & {\n getSetCookie?: () => string[];\n };\n const setCookies =\n typeof headers.getSetCookie === \"function\"\n ? headers.getSetCookie()\n : (headers.get(\"set-cookie\") ?? \"\")\n .split(/,(?=[^;]+=)/)\n .map((s) => s.trim())\n .filter(Boolean);\n for (const sc of setCookies) {\n // Better Auth's session cookie name is configurable but defaults to\n // `<prefix>.session_token`. 
Match either the Better Auth default or\n // our COOKIE_NAME (`an_session`) on the same line.\n const match = sc.match(\n /(?:^|\\s|;)(an_session|[\\w.-]*session_token)=([^;]+)/i,\n );\n if (match) return match[2];\n }\n } catch {\n // Best-effort; treat as no token.\n }\n return undefined;\n}\n\n// ---------------------------------------------------------------------------\n// ACCESS_TOKEN resolution\n// ---------------------------------------------------------------------------\n\nfunction getAccessTokens(): string[] {\n const single = process.env.ACCESS_TOKEN;\n const multi = process.env.ACCESS_TOKENS;\n const tokens: string[] = [];\n if (single) tokens.push(single);\n if (multi) {\n for (const t of multi.split(\",\")) {\n const trimmed = t.trim();\n if (trimmed && !tokens.includes(trimmed)) tokens.push(trimmed);\n }\n }\n return tokens;\n}\n\nfunction safeTokenMatch(input: string, tokens: string[]): boolean {\n const inputBuf = Buffer.from(input);\n for (const token of tokens) {\n const tokenBuf = Buffer.from(token);\n if (\n inputBuf.length === tokenBuf.length &&\n crypto.timingSafeEqual(inputBuf, tokenBuf)\n ) {\n return true;\n }\n }\n return false;\n}\n\nfunction getBearerSessionToken(event: H3Event): string | undefined {\n const auth = getHeader(event, \"authorization\");\n if (!auth) return undefined;\n const match = /^Bearer\\s+(.+)$/i.exec(auth.trim());\n return match?.[1]?.trim() || undefined;\n}\n\nasync function getBearerLegacySession(\n event: H3Event,\n): Promise<AuthSession | null> {\n const bearerToken = getBearerSessionToken(event);\n if (!bearerToken) return null;\n const email = await getSessionEmail(bearerToken);\n return email ? 
{ email, token: bearerToken } : null;\n}\n\nfunction shouldExposeSessionTokenInBody(event: H3Event): boolean {\n const origin = getHeader(event, \"origin\");\n if (origin && DESKTOP_AUTH_TOKEN_BODY_ORIGINS.has(origin)) return true;\n\n // Some native WebViews do not consistently emit an Origin header for\n // programmatic fetches. The desktop app marks same-server requests with\n // X-Request-Source; browsers can only use that cross-origin after our CORS\n // allowlist has approved the origin, and same-origin pages already receive\n // an equivalent httpOnly session cookie on successful login.\n return !origin && getHeader(event, \"x-request-source\") === \"clips-desktop\";\n}\n\nfunction authLoginResponse(\n event: H3Event,\n token: string,\n email?: string,\n): { ok: true; token?: string; email?: string } {\n if (!shouldExposeSessionTokenInBody(event)) return { ok: true };\n return email ? { ok: true, token, email } : { ok: true, token };\n}\n\n/**\n * Bad-credential / already-registered errors are normal user behavior, not\n * bugs we want to investigate. 
Filtering them out keeps Sentry signal\n * actionable — a real anomaly (DB error, Better Auth init crash, missing\n * table) shows up clearly because it doesn't match any of these patterns.\n */\nconst EXPECTED_AUTH_FAILURE_PATTERNS: RegExp[] = [\n /invalid\\s+(email|password|credentials)/i,\n /password.*incorrect/i,\n /user\\s+(not\\s+found|already\\s+exists)/i,\n /email\\s+already/i,\n /already\\s+(exists|registered|in\\s+use)/i,\n /not\\s+verified/i,\n];\n\nfunction isExpectedAuthFailure(error: unknown): boolean {\n const msg = (error as { message?: unknown })?.message;\n if (typeof msg !== \"string\") return false;\n return EXPECTED_AUTH_FAILURE_PATTERNS.some((re) => re.test(msg));\n}\n\n// ---------------------------------------------------------------------------\n// Legacy session store — kept for backward compat (addSession/getSessionEmail)\n// Used by google-oauth.ts for mobile deep linking session creation.\n// ---------------------------------------------------------------------------\n\nlet _sessionInitPromise: Promise<void> | undefined;\nlet sessionMaxAge = DEFAULT_MAX_AGE;\n\nasync function ensureSessionTable(): Promise<void> {\n if (!_sessionInitPromise) {\n _sessionInitPromise = (async () => {\n const client = getDbExec();\n await retryOnDdlRace(() =>\n client.execute(`\n CREATE TABLE IF NOT EXISTS sessions (\n token TEXT PRIMARY KEY,\n email TEXT,\n created_at ${intType()} NOT NULL\n )\n `),\n );\n try {\n await client.execute(`ALTER TABLE sessions ADD COLUMN email TEXT`);\n } catch {\n // Column already exists\n }\n })().catch((err) => {\n // Don't cache the rejection — let the next caller retry a fresh init.\n _sessionInitPromise = undefined;\n throw err;\n });\n }\n return _sessionInitPromise;\n}\n\n/**\n * Re-run any `sessions`-table op once if Postgres reports the relation is\n * missing. Covers the case where a prior `ensureSessionTable()` resolved but\n * the table wasn't actually present (e.g. 
a race where the CREATE was dropped\n * on a reused pool connection, or a cached resolved promise from a prior\n * DB URL). Forces a fresh init, then retries the caller's op.\n */\nasync function retryIfSessionsMissing<T>(op: () => Promise<T>): Promise<T> {\n try {\n return await op();\n } catch (e: any) {\n if (e?.code !== \"42P01\") throw e;\n const msg = String(e?.message ?? \"\");\n if (!msg.includes(\"sessions\")) throw e;\n _sessionInitPromise = undefined;\n await ensureSessionTable();\n return await op();\n }\n}\n\n/**\n * Create a new session in the legacy sessions table.\n * Used by google-oauth.ts for mobile deep linking.\n */\nexport async function addSession(token: string, email?: string): Promise<void> {\n await ensureSessionTable();\n const client = getDbExec();\n await retryIfSessionsMissing(() =>\n client.execute({\n sql: isPostgres()\n ? `INSERT INTO sessions (token, email, created_at) VALUES (?, ?, ?) ON CONFLICT (token) DO UPDATE SET email=EXCLUDED.email, created_at=EXCLUDED.created_at`\n : `INSERT OR REPLACE INTO sessions (token, email, created_at) VALUES (?, ?, ?)`,\n args: [token, email ?? null, Date.now()],\n }),\n );\n}\n\n/** Remove a session from the legacy sessions table. 
*/\nexport async function removeSession(token: string): Promise<void> {\n await ensureSessionTable();\n const client = getDbExec();\n await retryIfSessionsMissing(() =>\n client.execute({\n sql: `DELETE FROM sessions WHERE token = ?`,\n args: [token],\n }),\n );\n}\n\n/**\n * Look up the email associated with a legacy session token.\n * Returns null if the session doesn't exist, is expired, or has no email.\n */\nexport async function getSessionEmail(token: string): Promise<string | null> {\n await ensureSessionTable();\n const client = getDbExec();\n const { rows } = await retryIfSessionsMissing(() =>\n client.execute({\n sql: `SELECT email, created_at FROM sessions WHERE token = ?`,\n args: [token],\n }),\n );\n if (rows.length === 0) return null;\n const createdAt = rows[0].created_at as number;\n if (Date.now() - createdAt > sessionMaxAge * 1000) {\n await client.execute({\n sql: `DELETE FROM sessions WHERE token = ?`,\n args: [token],\n });\n return null;\n }\n return (rows[0].email as string) ?? null;\n}\n\n// ---------------------------------------------------------------------------\n// getSession — the auth contract\n// ---------------------------------------------------------------------------\n\nlet customGetSession: ((event: H3Event) => Promise<AuthSession | null>) | null =\n null;\n\n/**\n * Mutable config for the auth guard. 
Stored separately from the guard function\n * so that a custom auth plugin can update the login HTML / public paths even\n * after the default plugin has already installed the middleware (a race that\n * occurs in production serverless environments where the default plugin is\n * auto-mounted before the template's custom auth plugin runs).\n */\ninterface AuthGuardConfig {\n loginHtml: string;\n getLoginHtml?: (event: H3Event, rawPath: string) => string;\n publicPaths: string[];\n workspaceAppAudience: WorkspaceAppAudience;\n workspaceAppPublicPaths: string[];\n workspaceAppProtectedPaths: string[];\n}\nlet _authGuardConfig: AuthGuardConfig | null = null;\nconst _genericGoogleOAuthRoutesEnabled = new WeakMap<object, boolean>();\n\nfunction resolveWorkspaceAppAudience(\n options: Pick<AuthOptions, \"workspaceAppAudience\"> = {},\n): WorkspaceAppAudience {\n return normalizeWorkspaceAppAudience(\n options.workspaceAppAudience ?? workspaceAppAudienceFromEnv(),\n );\n}\n\nfunction resolveWorkspaceAppRouteAccess(\n options: Pick<\n AuthOptions,\n \"workspaceAppPublicPaths\" | \"workspaceAppProtectedPaths\"\n > = {},\n): { publicPaths: string[]; protectedPaths: string[] } {\n const env = workspaceAppRouteAccessFromEnv();\n return {\n publicPaths: options.workspaceAppPublicPaths ?? env.publicPaths,\n protectedPaths: options.workspaceAppProtectedPaths ?? 
env.protectedPaths,\n };\n}\n\nfunction setGenericGoogleOAuthRoutesEnabled(\n app: H3App,\n enabled: boolean,\n): void {\n if (app && typeof app === \"object\") {\n _genericGoogleOAuthRoutesEnabled.set(app, enabled);\n }\n}\n\nfunction areGenericGoogleOAuthRoutesEnabled(app: H3App): boolean {\n return _genericGoogleOAuthRoutesEnabled.get(app as object) !== false;\n}\n\n// Desktop OAuth exchange store — holds session tokens keyed by a unique flow\n// ID so native apps (Tauri, Electron) that open OAuth in the system browser\n// can retrieve the token after the callback completes on the server.\n//\n// Primary: in-memory Map (fast, works for single-instance dev/preview builds).\n// Fallback: sessions table with a \"dex:\" prefixed key for cross-instance\n// durability (Cloudflare Workers, multi-region deployments). The value stored\n// in the `email` column is \"{realToken}::{userEmail}\" so both can be recovered\n// from a single DB lookup.\nexport interface DesktopExchangeErrorPayload {\n message: string;\n code?: string;\n accountId?: string;\n existingOwner?: string;\n attemptedOwner?: string;\n}\n\ntype DesktopExchangeEntry =\n | { token: string; email: string; expiresAt: number }\n | { error: DesktopExchangeErrorPayload; expiresAt: number };\ntype DesktopExchangeStoredEntry =\n | { token: string; email: string }\n | { error: DesktopExchangeErrorPayload };\n\nconst _desktopExchanges = new Map<string, DesktopExchangeEntry>();\nconst DESKTOP_EXCHANGE_ERROR_PREFIX = \"__error__::\";\nconst DESKTOP_AUTH_TOKEN_BODY_ORIGINS = new Set([\n \"tauri://localhost\",\n \"http://localhost:1420\",\n]);\n\n// 5-minute TTL for exchange entries (short — single-use tokens).\nconst DESKTOP_EXCHANGE_TTL_MS = 5 * 60 * 1000;\n\nexport function setDesktopExchange(\n flowId: string,\n token: string,\n email: string,\n) {\n _desktopExchanges.set(flowId, {\n token,\n email,\n expiresAt: Date.now() + DESKTOP_EXCHANGE_TTL_MS,\n });\n // Persist to DB so the token survives cross-instance 
routing (e.g. when\n // templates call this helper directly instead of going through the OAuth\n // callback path).\n void persistDesktopExchangeToDB(flowId, token, email);\n}\n\nexport function setDesktopExchangeError(\n flowId: string,\n error: DesktopExchangeErrorPayload,\n) {\n _desktopExchanges.set(flowId, {\n error,\n expiresAt: Date.now() + DESKTOP_EXCHANGE_TTL_MS,\n });\n void persistDesktopExchangeErrorToDB(flowId, error);\n}\n\n/**\n * Persist a desktop exchange entry to the sessions table so it survives\n * cross-instance routing (e.g. Cloudflare Workers). Stored under a synthetic\n * token key \"dex:{flowId}\"; the `email` column packs both the real session\n * token and the user email so they can be recovered in one query.\n * Non-fatal — if the DB isn't ready yet the in-memory Map still works for\n * same-instance requests.\n */\nasync function persistDesktopExchangeToDB(\n flowId: string,\n token: string,\n email: string,\n): Promise<void> {\n try {\n await addSession(`dex:${flowId}`, `${token}::${email}`);\n } catch {\n // non-fatal — in-memory Map is the primary path\n }\n}\n\nasync function persistDesktopExchangeErrorToDB(\n flowId: string,\n error: DesktopExchangeErrorPayload,\n): Promise<void> {\n try {\n const payload = Buffer.from(JSON.stringify(error)).toString(\"base64url\");\n await addSession(\n `dex:${flowId}`,\n `${DESKTOP_EXCHANGE_ERROR_PREFIX}${payload}`,\n );\n } catch {\n // non-fatal — in-memory Map is the primary path\n }\n}\n\n/**\n * Retrieve and consume a desktop exchange entry from the DB fallback.\n * Returns null if not found or already consumed.\n */\nasync function consumeDesktopExchangeFromDB(\n flowId: string,\n): Promise<DesktopExchangeStoredEntry | null> {\n try {\n // Atomic DELETE...RETURNING prevents token replay: two concurrent polls\n // cannot both retrieve the token because only one DELETE will match the row.\n // SQLite ≥3.35 and PostgreSQL both support this syntax.\n // The created_at predicate enforces the 
5-minute TTL so stale DB entries\n // (e.g. the desktop app never polled) are rejected rather than silently\n // redeemed with the session table's default 30-day TTL.\n const client = getDbExec();\n const { rows } = await client.execute({\n sql: `DELETE FROM sessions WHERE token = ? AND created_at > ? RETURNING email`,\n args: [`dex:${flowId}`, Date.now() - DESKTOP_EXCHANGE_TTL_MS],\n });\n if (rows.length === 0) return null;\n const packed = (rows[0].email ?? rows[0][0]) as string | null;\n if (!packed) return null;\n if (packed.startsWith(DESKTOP_EXCHANGE_ERROR_PREFIX)) {\n const raw = packed.slice(DESKTOP_EXCHANGE_ERROR_PREFIX.length);\n return {\n error: JSON.parse(Buffer.from(raw, \"base64url\").toString()),\n };\n }\n const sepIdx = packed.indexOf(\"::\");\n if (sepIdx === -1) return null;\n return { token: packed.slice(0, sepIdx), email: packed.slice(sepIdx + 2) };\n } catch {\n return null;\n }\n}\n\nsetInterval(() => {\n const now = Date.now();\n for (const [k, v] of _desktopExchanges) {\n if (v.expiresAt < now) _desktopExchanges.delete(k);\n }\n}, 60_000).unref?.();\n\n/**\n * Module-level auth guard function. Set by autoMountAuth() when auth is active.\n * Called by the server middleware to enforce auth on ALL requests (not just\n * /_agent-native/* routes).\n */\nlet _authGuardFn:\n | ((event: H3Event) => Promise<Response | object | string | void>)\n | null = null;\n\n/**\n * The H3 app the auth routes + guard were last mounted on. Module-level\n * state survives Vite HMR restarts, but each HMR cycle creates a fresh\n * nitroApp/H3 instance whose middleware array is empty again. Tracking the\n * app here lets autoMountAuth detect \"same module state, new app\" and\n * re-mount routes instead of silently skipping them because `_authGuardFn`\n * looks populated from a previous cycle.\n */\nlet _mountedApp: H3App | null = null;\n\n/**\n * Run the auth guard on an event. 
Returns a Response/object to block the\n * request (login page or 401), or undefined to allow it through.\n *\n * Called by the default server middleware (server/middleware/auth.ts) to\n * enforce auth on page routes and API routes — not just framework routes.\n */\nexport async function runAuthGuard(\n event: H3Event,\n): Promise<Response | object | string | void> {\n if (!_authGuardFn) return; // Auth not mounted (local mode, etc.)\n return _authGuardFn(event);\n}\n\n// ---------------------------------------------------------------------------\n// Auth guard factory\n// ---------------------------------------------------------------------------\n\n/**\n * Create an auth guard function that checks session and blocks\n * unauthenticated requests. Returns the login HTML for page routes\n * or a 401 JSON response for API routes.\n *\n * Reads loginHtml and publicPaths from _authGuardConfig on every request\n * so that a custom plugin can update them after the default has already\n * installed this middleware (the production race condition fix).\n */\nfunction applyCorsHeaders(event: H3Event): {\n hasOrigin: boolean;\n allowed: boolean;\n} {\n // Framework-level CORS. 
The auth guard runs before any of the app's own\n // route handlers, so we need to set CORS here too — otherwise a 401\n // response would be missing the Allow-Origin header and the browser\n // blocks the response body (making it look like a network error\n // rather than \"unauthenticated\").\n const origin = getHeader(event, \"origin\");\n if (!origin) return { hasOrigin: false, allowed: true };\n const allowedOrigin = getAllowedCorsOrigin(origin, {\n allowedOrigins: readCorsAllowedOrigins(),\n allowLocalhostWhenNoAllowlist: true,\n });\n if (!allowedOrigin) return { hasOrigin: true, allowed: false };\n setResponseHeader(event, \"Access-Control-Allow-Origin\", allowedOrigin);\n setResponseHeader(event, \"Vary\", \"Origin\");\n setResponseHeader(event, \"Access-Control-Allow-Credentials\", \"true\");\n setResponseHeader(\n event,\n \"Access-Control-Allow-Methods\",\n \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n );\n setResponseHeader(\n event,\n \"Access-Control-Allow-Headers\",\n \"Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF\",\n );\n return { hasOrigin: true, allowed: true };\n}\n\nfunction createAuthCorsHandler() {\n return defineEventHandler((event) => {\n const cors = applyCorsHeaders(event);\n if (getMethod(event) !== \"OPTIONS\") return;\n\n if (cors.hasOrigin && !cors.allowed) {\n setResponseStatus(event, 403);\n return \"\";\n }\n\n setResponseStatus(event, 204);\n return \"\";\n });\n}\n\nfunction mountAuthCorsMiddleware(app: H3App): void {\n const handler = createAuthCorsHandler();\n app.use(\"/_agent-native/auth\", handler);\n app.use(\"/_agent-native/google\", handler);\n}\n\nfunction isWorkspaceOAuthCallbackRelayEnabled(): boolean {\n return (\n process.env.AGENT_NATIVE_WORKSPACE === \"1\" ||\n process.env.VITE_AGENT_NATIVE_WORKSPACE === \"1\"\n );\n}\n\nfunction isFrameworkOAuthCallbackPath(pathname: string): boolean {\n return (\n pathname.startsWith(\"/_agent-native/\") &&\n (pathname.endsWith(\"/callback\") 
|| pathname.includes(\"/callback/\"))\n );\n}\n\nfunction getRequestPathAndSearch(event: H3Event): {\n rawPath: string;\n search: string;\n} {\n const mountedPathname = (event as any).context?._mountedPathname;\n if (typeof mountedPathname === \"string\" && mountedPathname) {\n return { rawPath: mountedPathname, search: event.url?.search || \"\" };\n }\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n const queryStart = url.indexOf(\"?\");\n return {\n rawPath: queryStart >= 0 ? url.slice(0, queryStart) : url,\n search: queryStart >= 0 ? url.slice(queryStart) : \"\",\n };\n}\n\nfunction workspaceOAuthCallbackRelayResponse(\n event: H3Event,\n): Response | undefined {\n const { rawPath, search } = getRequestPathAndSearch(event);\n const normalizedPath = stripAppBasePath(rawPath);\n const basePath = getAppBasePath();\n if (\n !basePath ||\n !isWorkspaceOAuthCallbackRelayEnabled() ||\n !isFrameworkOAuthCallbackPath(normalizedPath) ||\n rawPath === `${basePath}/_agent-native` ||\n rawPath.startsWith(`${basePath}/_agent-native/`)\n ) {\n return undefined;\n }\n\n const state = new URLSearchParams(\n search.startsWith(\"?\") ? search.slice(1) : search,\n ).get(\"state\");\n const appId = extractOAuthStateAppId(state);\n if (\n !appId ||\n appId === getOAuthStateAppId() ||\n !isValidWorkspaceAppIdFormat(appId)\n ) {\n return undefined;\n }\n\n return new Response(\"\", {\n status: 302,\n headers: { Location: `/${appId}${normalizedPath}${search}` },\n });\n}\n\nfunction verifiedBuilderConnectOwnerFromUrl(url: string): string | null {\n const queryStart = url.indexOf(\"?\");\n if (queryStart < 0) return null;\n const token = new URLSearchParams(url.slice(queryStart + 1)).get(\n BUILDER_CONNECT_PARAM,\n );\n return verifyBuilderConnectTokenAndGetOwner(token);\n}\n\nfunction shouldBypassAuthForBuilderConnect(event: H3Event, p: string): boolean {\n if (p === \"/_agent-native/builder/connect\") {\n const url = event.node?.req?.url ?? event.path ?? 
\"/\";\n return Boolean(verifiedBuilderConnectOwnerFromUrl(url));\n }\n\n if (p === \"/_agent-native/builder/callback\") {\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n const queryStart = url.indexOf(\"?\");\n const state =\n queryStart >= 0\n ? new URLSearchParams(url.slice(queryStart + 1)).get(\n BUILDER_STATE_PARAM,\n )\n : null;\n // The signed `_an_state` only authenticates the popup back to our app\n // when the redirect chain through Builder dropped the session cookie\n // (preview hosts, third-party-cookie blockers, etc). It is NOT a\n // bearer credential that should let *any* request through. We bypass\n // the auth guard only when no session exists (the legitimate\n // session-lost popup case) — when a session IS present, the normal\n // guard runs and the callback handler cross-checks the state owner\n // against the session.\n const hasSession = Boolean(getCookie(event, COOKIE_NAME));\n if (hasSession) return false;\n return Boolean(\n verifyBuilderCallbackStateAndGetOwner(state) ||\n verifyBuilderConnectTokenAndGetOwner(\n getCookie(event, BUILDER_CONNECT_OWNER_COOKIE),\n ),\n );\n }\n\n return false;\n}\n\nfunction createAuthGuardFn(): (\n event: H3Event,\n) => Promise<Response | object | string | void> {\n return async (event: H3Event) => {\n const config = _authGuardConfig;\n if (!config) return;\n const { publicPaths } = config;\n\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n const queryStart = url.indexOf(\"?\");\n const rawPath = queryStart >= 0 ? url.slice(0, queryStart) : url;\n const loginHtml = config.getLoginHtml?.(event, rawPath) ?? config.loginHtml;\n const p = stripAppBasePath(rawPath);\n const normalizedUrl = queryStart >= 0 ? 
`${p}${url.slice(queryStart)}` : p;\n const callbackRelay = workspaceOAuthCallbackRelayResponse(event);\n if (callbackRelay) return callbackRelay;\n\n // Emit CORS headers on every request the guard sees so that even\n // error responses (401) reach the browser.\n const cors = applyCorsHeaders(event);\n // Preflight short-circuit: the browser sends OPTIONS before the real\n // credentialed request. Must return success without invoking auth.\n if (getMethod(event) === \"OPTIONS\") {\n if (cors.hasOrigin && !cors.allowed) {\n setResponseStatus(event, 403);\n return \"\";\n }\n setResponseStatus(event, 204);\n return \"\";\n }\n\n // Skip auth routes and specific Google OAuth endpoints that must be public\n // (callback and auth-url). Other Google endpoints like /status require auth.\n if (\n p.startsWith(\"/_agent-native/auth/\") ||\n p === \"/_agent-native/google/callback\" ||\n p === \"/_agent-native/google/auth-url\" ||\n p === \"/_agent-native/google/add-account/callback\"\n ) {\n return;\n }\n\n // Integration webhook endpoints verify authenticity via platform-specific\n // signature verification (Slack HMAC, Telegram token, etc.), not sessions.\n if (/^\\/_agent-native\\/integrations\\/[^/]+\\/webhook$/.test(p)) {\n return;\n }\n\n // Internal processor endpoint for the integration webhook fanout. The\n // webhook handler enqueues a task to SQL and dispatches a fresh HTTP POST\n // to this endpoint so the agent loop runs in its own function execution\n // (cross-platform serverless-safe — see `integrations/webhook-handler.ts`).\n // Authenticity is verified via an HMAC token signed with A2A_SECRET, plus\n // an atomic SQL claim that prevents duplicate processing.\n if (p === \"/_agent-native/integrations/process-task\") {\n return;\n }\n\n // Internal processor endpoint for deferred A2A continuations created by\n // integration tasks. 
It uses the same HMAC internal-token scheme as the\n // primary integration processor, so it must bypass cookie/session auth.\n if (p === \"/_agent-native/integrations/process-a2a-continuation\") {\n return;\n }\n\n // A2A endpoint verifies authenticity via JWT signed with the org's A2A\n // secret (or the global A2A_SECRET fallback), not via session cookies.\n if (p === \"/_agent-native/a2a\") {\n return;\n }\n\n // Internal processor endpoint for the A2A async-mode fanout. Mirrors the\n // integration webhook fanout: when `message/send` is called with\n // `async: true`, the JSON-RPC handler enqueues to a2a_tasks and self-\n // fires a POST here so the handler runs in a fresh function execution.\n // Authenticity is verified via an HMAC token signed with A2A_SECRET\n // (same scheme as /_agent-native/integrations/process-task).\n if (p === \"/_agent-native/a2a/_process-task\") {\n return;\n }\n\n // A2A secret receive endpoint — verifies authenticity via JWT signed\n // with the calling app's A2A secret, not via session cookies. Used to\n // sync the org A2A secret across connected apps.\n if (p === \"/_agent-native/org/a2a-secret/receive\") {\n return;\n }\n\n // Force-sign-in entrypoint. Templates send viewers from public pages\n // (share links, embeds) here with a `?return=<path>` query — anonymous\n // visitors get the loginHtml, and once they sign in the loginHtml's\n // post-login reload re-hits this same URL with a session cookie set,\n // so we 302 them to the original page.\n //\n // `return` is validated by parsing it against a sentinel base origin\n // and checking the resolved origin still matches. This rejects every\n // open-redirect shape — `//evil.com/...` (network-path reference),\n // `/\\evil.com/...` (WHATWG URL parser normalises `\\` to `/` in HTTP\n // URLs, so a naive prefix check on `//` misses this), absolute URLs\n // like `https://evil.com`, and `data:` / `javascript:` schemes. 
The\n // reconstructed path comes from the parsed segments so any leftover\n // quirks get normalised. Control chars (incl. CR/LF for header\n // injection) are rejected up front.\n //\n if (p === \"/_agent-native/sign-in\") {\n const queryStr = queryStart >= 0 ? url.slice(queryStart + 1) : \"\";\n const safeReturn = safeReturnPath(\n new URLSearchParams(queryStr).get(\"return\"),\n );\n const session = await getSession(event);\n if (session) {\n return new Response(\"\", {\n status: 302,\n headers: { Location: safeReturn },\n });\n }\n return new Response(loginHtml, {\n status: 200,\n headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n });\n }\n\n // Auth entry pages are framework-owned pages, not app routes. When a user\n // already has a session, redirect them back to the mounted app instead of\n // letting React Router try to render /login.\n if (p === \"/login\" || p === \"/signup\") {\n const session = await getSession(event);\n if (session) {\n return new Response(\"\", {\n status: 302,\n headers: { Location: getAppBasePath() || \"/\" },\n });\n }\n return new Response(loginHtml, {\n status: 200,\n headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n });\n }\n\n // Skip static assets (Vite chunks, fonts, images, etc.)\n if (\n p.startsWith(\"/assets/\") ||\n p.startsWith(\"/_build/\") ||\n p.endsWith(\".js\") ||\n p.endsWith(\".css\") ||\n p.endsWith(\".map\") ||\n p.endsWith(\".ico\") ||\n p.endsWith(\".png\") ||\n p.endsWith(\".svg\") ||\n p.endsWith(\".woff2\") ||\n p.endsWith(\".woff\")\n ) {\n return;\n }\n\n // React Router 7's lazy route discovery fetches `/__manifest?p=...` to\n // resolve manifest patches for `<Link>`s the user might click. The\n // auth fallback returning loginHtml here makes RR fail to parse the\n // body as RSC, surfacing as a console error and (when the visitor\n // already errored elsewhere) blocking the app from rendering. 
Let it\n // through — it returns a tiny RSC-encoded manifest of the public\n // route tree, no per-user data.\n if (p === \"/__manifest\") return;\n if (isPublicPath(normalizedUrl, publicPaths)) return;\n if (shouldBypassAuthForBuilderConnect(event, p)) return;\n if (isPublicWorkspacePageRequest(event, p, config)) {\n return;\n }\n\n const session = await getSession(event);\n if (session) return;\n\n if (p.startsWith(\"/api/\") || p.startsWith(\"/_agent-native/\")) {\n setResponseStatus(event, 401);\n return { error: \"Unauthorized\" };\n }\n\n // Local-dev convenience: on the first page GET of a freshly-scaffolded\n // app, transparently create + sign in `dev@local` instead of showing the\n // sign-up form. Gated on NODE_ENV=development AND no real users in the\n // DB, so production and any app that has ever had a real signup are\n // unaffected. See maybeAutoCreateDevSession for full conditions.\n if (getMethod(event) === \"GET\") {\n const autoSession = await maybeAutoCreateDevSession(event, url);\n if (autoSession) return autoSession;\n }\n\n return new Response(loginHtml, {\n status: 200,\n headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n });\n };\n}\n\nconst AUTO_DEV_ACCOUNT_EMAIL = \"dev@local\";\nconst AUTO_DEV_ACCOUNT_PASSWORD = \"local-dev-account\";\n\n/**\n * Local-dev convenience: skip the sign-up wall on first run.\n *\n * When NODE_ENV=development AND the `user` table has no rows for any\n * email other than `dev@local`, transparently sign up (or sign back in\n * to) the auto-managed dev account and return a 302 to the original URL\n * with a session cookie set. A developer who just ran `pnpm dev` lands\n * in the app immediately instead of being asked to fill in name + email\n * + password to try the framework.\n *\n * Auto-create fires exactly once per local DB: as soon as `dev@local`\n * (or any real user) exists in the `user` table, the helper returns\n * null and the normal login flow takes over. 
Signing out then leaves\n * the user on the regular sign-in form; without this guard the\n * post-logout reload would silently re-create the session.\n *\n * The fixed password is intentional: it means a developer who signs\n * out can sign back in with `dev@local` / `local-dev-account` from\n * the regular login form. To get the auto-flow back, drop the user\n * row or wipe the local DB. Set\n * `AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1` to opt out entirely\n * (useful for tests that exercise the unauthenticated branch). This\n * is local-only — the helper is gated on NODE_ENV.\n */\nasync function maybeAutoCreateDevSession(\n event: H3Event,\n redirectTo: string,\n): Promise<Response | null> {\n if (!isDevEnvironment()) return null;\n if (process.env.AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT === \"1\") return null;\n\n try {\n const db = getDbExec();\n const { rows: realUsers } = await db.execute({\n sql: 'SELECT 1 FROM \"user\" WHERE email != ? LIMIT 1',\n args: [AUTO_DEV_ACCOUNT_EMAIL],\n });\n if (realUsers.length > 0) return null;\n\n // If `dev@local` already exists, this is not a freshly-scaffolded\n // app — the user has been through the auto-create flow at least\n // once. Skip auto-create so signing out actually works: without\n // this guard, the post-logout reload immediately re-creates the\n // session and the user is stuck in dev@local forever (or has to\n // set AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1). To get the demo\n // experience back, drop the row or wipe the local DB.\n const { rows: devUsers } = await db.execute({\n sql: 'SELECT 1 FROM \"user\" WHERE email = ? 
LIMIT 1',\n args: [AUTO_DEV_ACCOUNT_EMAIL],\n });\n if (devUsers.length > 0) return null;\n\n const auth = await getBetterAuth();\n if (!auth) return null;\n\n // Idempotent sign-up: succeeds on first run, throws an \"already exists\"\n // failure on subsequent runs (which we swallow before falling through\n // to the sign-in path below).\n try {\n await auth.api.signUpEmail({\n body: {\n email: AUTO_DEV_ACCOUNT_EMAIL,\n password: AUTO_DEV_ACCOUNT_PASSWORD,\n name: \"Dev\",\n },\n });\n } catch (e) {\n if (!isExpectedAuthFailure(e)) throw e;\n }\n\n const result = await auth.api.signInEmail({\n body: {\n email: AUTO_DEV_ACCOUNT_EMAIL,\n password: AUTO_DEV_ACCOUNT_PASSWORD,\n },\n });\n if (!result?.token) return null;\n\n setFrameworkSessionCookie(event, result.token);\n await addSession(result.token, AUTO_DEV_ACCOUNT_EMAIL);\n\n return new Response(\"\", {\n status: 302,\n headers: { Location: redirectTo },\n });\n } catch (e) {\n // Local-dev only — log to console for debugging, but don't surface\n // through Sentry. Falling back to the regular login form is the\n // correct user-facing behavior when this path fails.\n console.warn(\"[agent-native] auto dev account skipped:\", e);\n return null;\n }\n}\n\n/**\n * Map a Better Auth session to our AuthSession type.\n */\nfunction mapBetterAuthSession(baSession: {\n user: { id: string; email: string; name?: string };\n session: { token: string; activeOrganizationId?: string };\n}): AuthSession {\n return {\n email: baSession.user.email,\n userId: baSession.user.id,\n name: baSession.user.name,\n token: baSession.session?.token,\n orgId: baSession.session?.activeOrganizationId ?? undefined,\n };\n}\n\n/**\n * Get the current auth session for a request.\n *\n * Resolution chain:\n * 1. ACCESS_TOKEN → check legacy cookie-based token sessions\n * 2. BYOA custom getSession → delegate to template callback\n * 3. Bearer legacy session → check Authorization: Bearer against sessions\n * 4. 
Better Auth → check session via Better Auth API (cookie or Bearer)\n * 5. Legacy cookie → check an_session cookie in legacy sessions table\n * 6. Desktop SSO broker (Electron loopback only)\n * 7. Mobile _session query param → promote to cookie\n *\n * Returns `null` for unauthenticated requests. There is no dev-mode bypass:\n * local development uses the same Better Auth signup flow as production. The\n * onboarding/sign-in page is served by `runAuthGuard` for any unauthenticated\n * page load.\n */\nexport async function getSession(event: H3Event): Promise<AuthSession | null> {\n // 1. ACCESS_TOKEN check (programmatic/agent access)\n const accessTokens = getAccessTokens();\n if (accessTokens.length > 0) {\n const cookieSession = await getLegacyCookieSession(event);\n if (cookieSession) return cookieSession;\n }\n\n // 2. BYOA custom getSession\n if (customGetSession) {\n const session = await customGetSession(event);\n if (session) return session;\n\n const bearerSession = await getBearerLegacySession(event);\n if (bearerSession) return bearerSession;\n\n // Desktop SSO broker: even with BYOA auth, fall back to the broker\n // for Electron requests so cross-template SSO works for custom-auth\n // templates too. Gated on `readDesktopSsoSafely` so a non-loopback\n // request that spoofs `User-Agent: ... Electron/...` cannot read the\n // home-dir broker file (and so production builds never consult it).\n const sso = await readDesktopSsoSafely(event);\n if (sso?.email) return { email: sso.email, token: sso.token };\n // Fall through to mobile _session check\n } else {\n // 3. Bearer legacy session. Desktop/native clients can persist a session\n // token outside the WebView cookie jar and attach it to all app requests.\n const bearerSession = await getBearerLegacySession(event);\n if (bearerSession) return bearerSession;\n\n // 4. 
Better Auth session (cookie or Bearer token)\n try {\n const ba = getBetterAuthSync();\n if (ba) {\n const baSession = await ba.api.getSession({\n headers: event.headers,\n });\n if (baSession?.user?.email) {\n return mapBetterAuthSession(baSession);\n }\n }\n } catch (e) {\n console.error(\"[auth] ba.api.getSession error:\", e);\n }\n\n // 5. Legacy cookie fallback (for sessions created before migration)\n const cookieSession = await getLegacyCookieSession(event);\n if (cookieSession) return cookieSession;\n\n // 6. Desktop SSO broker fallback.\n // Each template in the Electron desktop app has its own database, so\n // a session token created by one template doesn't resolve in another.\n // When an Electron request has no resolvable session, trust the\n // home-dir SSO record written by whichever template the user signed\n // into. Gated on `readDesktopSsoSafely`: requires Electron User-Agent,\n // a loopback (127.0.0.1 / ::1) source IP, and a non-production NODE_ENV\n // — anything else is rejected so a hostile network request cannot\n // impersonate whichever email last signed into the desktop app.\n const sso = await readDesktopSsoSafely(event);\n if (sso?.email) {\n return { email: sso.email, token: sso.token };\n }\n }\n\n // 7. 
Mobile WebView bridge — _session query param\n const querySession = await promoteQuerySession(event);\n if (querySession) return querySession;\n\n return null;\n}\n\nasync function promoteQuerySession(\n event: H3Event,\n): Promise<AuthSession | null> {\n const qToken = getQuery(event)?._session as string | undefined;\n if (!qToken) return null;\n const email = await getSessionEmail(qToken);\n if (!email) return null;\n setFrameworkSessionCookie(event, qToken);\n setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n return { email, token: qToken };\n}\n\nfunction isReadMethod(event: H3Event): boolean {\n const method = getMethod(event);\n return method === \"GET\" || method === \"HEAD\";\n}\n\n/**\n * Cookie attributes that work in both same-site and third-party iframe\n * contexts. Over HTTPS we emit `SameSite=None; Secure; Partitioned` —\n * `None`+`Secure` is required by browsers to ship the cookie back inside a\n * cross-origin iframe at all; `Partitioned` keeps the cookie working under\n * Chrome's third-party-cookie deprecation by binding it to the embedding\n * site's storage partition. (Better Auth already sets the same trio on its\n * own session cookie; this matches so the framework's legacy cookie —\n * which the Builder OAuth popup exchange writes via\n * `setFrameworkSessionCookie` — survives iframe contexts too.) Plain-HTTP\n * dev keeps the default `SameSite=Lax`; `None` requires Secure, and\n * `Partitioned` only takes effect alongside `Secure`.\n */\nfunction crossSiteCookieAttrs(event: H3Event): {\n sameSite: \"lax\" | \"none\";\n secure: boolean;\n partitioned?: boolean;\n} {\n return isHttpsRequest(event)\n ? 
{ sameSite: \"none\", secure: true, partitioned: true }\n : { sameSite: \"lax\", secure: false };\n}\n\nexport function setFrameworkSessionCookie(event: H3Event, token: string): void {\n clearFrameworkSessionCookies(event);\n setCookie(event, COOKIE_NAME, token, {\n httpOnly: true,\n ...crossSiteCookieAttrs(event),\n ...cookieDomainAttrs(),\n path: \"/\",\n maxAge: sessionMaxAge,\n });\n}\n\nfunction isHttpsRequest(event: H3Event): boolean {\n try {\n const xfProto = getHeader(event, \"x-forwarded-proto\");\n if (xfProto && String(xfProto).split(\",\")[0].trim() === \"https\") {\n return true;\n }\n const req: any = (event as any).req ?? event.node?.req;\n const url: string | undefined = req?.url;\n if (typeof url === \"string\" && url.startsWith(\"https://\")) return true;\n const appUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL || \"\";\n if (appUrl.startsWith(\"https://\")) return true;\n } catch {\n // ignore\n }\n return false;\n}\n\n// ---------------------------------------------------------------------------\n// Public path matching\n// ---------------------------------------------------------------------------\n\nfunction isPublicPath(url: string, publicPaths: string[]): boolean {\n const p = url.split(\"?\")[0];\n return matchesPathList(p, publicPaths);\n}\n\nfunction matchesPathList(path: string, paths: string[]): boolean {\n return paths.some((candidate) => {\n const normalized =\n candidate.length > 1 && candidate.endsWith(\"/\")\n ? 
candidate.slice(0, -1)\n : candidate;\n return path === normalized || path.startsWith(normalized + \"/\");\n });\n}\n\nfunction isPublicWorkspacePageRequest(\n event: H3Event,\n path: string,\n config: AuthGuardConfig,\n): boolean {\n if (!isReadMethod(event)) return false;\n if (\n path === \"/_agent-native\" ||\n path.startsWith(\"/_agent-native/\") ||\n path === \"/api\" ||\n path.startsWith(\"/api/\") ||\n path === \"/.well-known\" ||\n path.startsWith(\"/.well-known/\")\n ) {\n return false;\n }\n if (matchesPathList(path, config.workspaceAppProtectedPaths)) return false;\n if (matchesPathList(path, config.workspaceAppPublicPaths)) return true;\n return config.workspaceAppAudience === \"public\";\n}\n\nfunction stripAppBasePath(pathname: string): string {\n const basePath = getAppBasePath();\n if (!basePath) return pathname;\n if (pathname === basePath) return \"/\";\n if (pathname.startsWith(`${basePath}/`)) {\n return pathname.slice(basePath.length) || \"/\";\n }\n return pathname;\n}\n\n// ---------------------------------------------------------------------------\n// Login page HTML (ACCESS_TOKEN mode)\n// ---------------------------------------------------------------------------\n\nfunction inferWorkspaceBasePathFromRequest(requestPath?: string): string {\n if (\n process.env.AGENT_NATIVE_WORKSPACE !== \"1\" &&\n process.env.VITE_AGENT_NATIVE_WORKSPACE !== \"1\"\n ) {\n return \"\";\n }\n if (!requestPath || !requestPath.startsWith(\"/\")) return \"\";\n const firstSegment = requestPath.split(/[/?#]/)[1];\n if (!firstSegment) return \"\";\n const reservedRootPaths = new Set([\n \"_agent-native\",\n \".well-known\",\n \"api\",\n \"login\",\n \"signup\",\n \"apps\",\n \"new-app\",\n \"approval\",\n \"extensions\",\n ]);\n if (reservedRootPaths.has(firstSegment)) return \"\";\n if (!isValidWorkspaceAppIdFormat(firstSegment)) return \"\";\n return `/${firstSegment}`;\n}\n\nfunction getTokenLoginHtml(options: { requestPath?: string } = {}): string {\n const 
configuredBasePath =\n getAppBasePath() || inferWorkspaceBasePathFromRequest(options.requestPath);\n return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\">\n<title>Private app</title>\n<style>\n *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }\n :root {\n color-scheme: dark;\n --bg: #09090b;\n --panel: #141417;\n --panel-soft: #1b1b20;\n --border: rgba(255,255,255,0.1);\n --border-strong: rgba(255,255,255,0.18);\n --text: #f4f4f5;\n --muted: #a1a1aa;\n --subtle: #71717a;\n --error: #fca5a5;\n --error-bg: rgba(127,29,29,0.18);\n --success: #86efac;\n --success-bg: rgba(20,83,45,0.2);\n --info: #c4b5fd;\n --info-bg: rgba(76,29,149,0.18);\n }\n body {\n font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", sans-serif;\n background:\n radial-gradient(circle at top left, rgba(63,63,70,0.24), transparent 32rem),\n linear-gradient(180deg, #111114 0%, var(--bg) 58%);\n color: var(--text);\n display: flex;\n align-items: center;\n justify-content: center;\n min-height: 100vh;\n padding: 1rem;\n }\n .card {\n width: 100%;\n max-width: 420px;\n padding: 2rem;\n background: color-mix(in srgb, var(--panel) 94%, transparent);\n border: 1px solid var(--border);\n border-radius: 12px;\n box-shadow: 0 24px 80px rgba(0,0,0,0.35);\n }\n .eyebrow {\n display: inline-flex;\n align-items: center;\n min-height: 1.5rem;\n padding: 0 0.625rem;\n margin-bottom: 1rem;\n border: 1px solid var(--border);\n border-radius: 999px;\n color: var(--muted);\n background: rgba(255,255,255,0.04);\n font-size: 0.75rem;\n font-weight: 500;\n }\n h1 {\n font-size: 1.375rem;\n line-height: 1.2;\n font-weight: 650;\n margin-bottom: 0.5rem;\n color: var(--text);\n letter-spacing: 0;\n }\n .intro {\n margin-bottom: 1.5rem;\n color: var(--muted);\n font-size: 0.9375rem;\n line-height: 1.55;\n }\n label {\n display: flex;\n align-items: baseline;\n 
justify-content: space-between;\n gap: 0.75rem;\n font-size: 0.8125rem;\n color: var(--muted);\n margin-bottom: 0.375rem;\n }\n label span:last-child {\n color: var(--subtle);\n font-size: 0.75rem;\n }\n .input-wrap { position: relative; }\n input {\n width: 100%;\n min-height: 2.75rem;\n padding: 0.625rem 0.75rem;\n background: #0f0f12;\n border: 1px solid var(--border);\n border-radius: 8px;\n color: var(--text);\n font-size: 0.9375rem;\n outline: none;\n }\n input:focus {\n border-color: var(--border-strong);\n box-shadow: 0 0 0 3px rgba(255,255,255,0.08);\n }\n input::placeholder { color: #52525b; }\n button {\n width: 100%;\n min-height: 2.75rem;\n margin-top: 1rem;\n padding: 0.625rem 0.875rem;\n background: var(--text);\n color: #000;\n border: none;\n border-radius: 8px;\n font-size: 0.9375rem;\n font-weight: 600;\n cursor: pointer;\n transition: transform 120ms ease, opacity 120ms ease, background 120ms ease;\n }\n button:hover:not(:disabled) { background: #e4e4e7; transform: translateY(-1px); }\n button:disabled { opacity: 0.55; cursor: wait; }\n .hint {\n margin-top: 0.75rem;\n color: var(--subtle);\n font-size: 0.8125rem;\n line-height: 1.45;\n }\n .msg {\n display: none;\n margin-top: 0.875rem;\n padding: 0.75rem;\n border-radius: 8px;\n font-size: 0.8125rem;\n line-height: 1.45;\n }\n .msg.show { display: block; }\n .msg.error {\n color: var(--error);\n background: var(--error-bg);\n border: 1px solid rgba(248,113,113,0.22);\n }\n .msg.success {\n color: var(--success);\n background: var(--success-bg);\n border: 1px solid rgba(74,222,128,0.18);\n }\n .msg.info {\n color: var(--info);\n background: var(--info-bg);\n border: 1px solid rgba(167,139,250,0.2);\n }\n details {\n margin-top: 1rem;\n padding-top: 1rem;\n border-top: 1px solid var(--border);\n }\n summary {\n cursor: pointer;\n color: var(--muted);\n font-size: 0.8125rem;\n font-weight: 600;\n }\n details p {\n margin-top: 0.75rem;\n color: var(--subtle);\n font-size: 0.8125rem;\n line-height: 
1.5;\n }\n code {\n color: #e4e4e7;\n background: var(--panel-soft);\n border: 1px solid var(--border);\n border-radius: 5px;\n padding: 0.075rem 0.25rem;\n font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;\n font-size: 0.78rem;\n }\n @media (max-width: 480px) {\n .card { padding: 1.5rem; }\n h1 { font-size: 1.25rem; }\n }\n</style>\n</head>\n<body>\n<div class=\"card\">\n <div class=\"eyebrow\">Private deployment</div>\n <h1>This app is private</h1>\n <p class=\"intro\">Enter the shared app access token to continue. This is the value configured for this app, not your deploy provider account token.</p>\n <form id=\"form\">\n <label for=\"token\"><span>App ACCESS_TOKEN</span><span>Required</span></label>\n <div class=\"input-wrap\">\n <input id=\"token\" type=\"password\" autocomplete=\"current-password\" autofocus placeholder=\"Paste the shared app token\" />\n </div>\n <button id=\"submit\" type=\"submit\">Continue</button>\n <p class=\"hint\">If someone sent you this app, ask them for the shared app token. If you own the deploy, use the exact value saved as <code>ACCESS_TOKEN</code> or one of <code>ACCESS_TOKENS</code>.</p>\n <p class=\"msg error\" id=\"msg\" role=\"alert\"></p>\n </form>\n <details>\n <summary>Where do I find this?</summary>\n <p>Create or copy the app's shared token from your deployment environment variables. The key should be <code>ACCESS_TOKEN</code> for one token or <code>ACCESS_TOKENS</code> for a comma-separated list. Redeploy after changing it.</p>\n </details>\n</div>\n<script>\n var configuredBasePath = ${JSON.stringify(configuredBasePath)};\n function __anBasePath() {\n if (\n configuredBasePath &&\n (window.location.pathname === configuredBasePath ||\n window.location.pathname.indexOf(configuredBasePath + '/') === 0)\n ) {\n return configuredBasePath;\n }\n var marker = '/_agent-native';\n var idx = window.location.pathname.indexOf(marker);\n return idx > 0 ? 
window.location.pathname.slice(0, idx) : '';\n }\n function __anPath(path) {\n return __anBasePath() + path;\n }\n function setMessage(kind, text) {\n var msg = document.getElementById('msg');\n msg.textContent = text;\n msg.className = 'msg ' + kind + ' show';\n }\n function clearMessage() {\n var msg = document.getElementById('msg');\n msg.textContent = '';\n msg.className = 'msg error';\n }\n function setBusy(isBusy) {\n var button = document.getElementById('submit');\n var input = document.getElementById('token');\n button.disabled = isBusy;\n input.disabled = isBusy;\n button.textContent = isBusy ? 'Checking...' : 'Continue';\n }\n async function readJsonSafely(res) {\n try {\n return await res.json();\n } catch (_err) {\n return null;\n }\n }\n async function verifySession() {\n var res = await fetch(__anPath('/_agent-native/auth/session'), {\n method: 'GET',\n credentials: 'same-origin',\n cache: 'no-store',\n headers: { 'Accept': 'application/json' },\n });\n if (!res.ok) return false;\n var data = await readJsonSafely(res);\n return !!data && !data.error;\n }\n document.getElementById('form').addEventListener('submit', async (e) => {\n e.preventDefault();\n var token = document.getElementById('token').value.trim();\n if (!token) {\n setMessage('error', 'Paste the shared app token to continue.');\n return;\n }\n clearMessage();\n setBusy(true);\n setMessage('info', 'Checking the app token...');\n try {\n var res = await fetch(__anPath('/_agent-native/auth/login'), {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n 'Accept': 'application/json',\n },\n credentials: 'same-origin',\n body: JSON.stringify({ token: token }),\n });\n if (!res.ok) {\n var badTokenMessage = 'That token was not accepted. Use this app\\\\'s shared ACCESS_TOKEN, not your deploy provider account token.';\n if (res.status === 404) {\n badTokenMessage = 'Could not reach this app\\\\'s auth endpoint. 
If this app is mounted under a path, confirm APP_BASE_PATH and VITE_APP_BASE_PATH match the deploy path.';\n }\n setMessage('error', badTokenMessage);\n setBusy(false);\n return;\n }\n var hasSession = await verifySession();\n if (!hasSession) {\n setMessage('error', 'The token was accepted, but the browser did not keep the session cookie. Try opening the app in a new tab, or check cookie restrictions for this domain.');\n setBusy(false);\n return;\n }\n setMessage('success', 'Signed in. Opening the app...');\n window.location.replace(window.location.href);\n } catch (_err) {\n setMessage('error', 'Could not contact the auth endpoint. Check the deploy status, then try again.');\n setBusy(false);\n }\n });\n</script>\n</body>\n</html>`;\n}\n\n// ---------------------------------------------------------------------------\n// mountBetterAuthRoutes — Better Auth powered auth with backward-compat routes\n// ---------------------------------------------------------------------------\n\nasync function mountBetterAuthRoutes(\n app: H3App,\n options: AuthOptions,\n): Promise<void> {\n const publicPaths = [...(options.publicPaths ?? [])];\n const workspaceAppAudience = resolveWorkspaceAppAudience(options);\n const workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess(options);\n\n // The A2A agent card is part of an open protocol — other agents must be\n // able to discover it without auth. Same for favicons and similar probes.\n for (const pp of [\"/.well-known\", \"/favicon.ico\", \"/favicon.png\"]) {\n if (!publicPaths.includes(pp)) publicPaths.push(pp);\n }\n\n // Auto-add Google OAuth routes when credentials are configured. 
Templates\n // that need broader product scopes (mail/calendar) opt out and provide\n // their own Nitro routes at these paths.\n if (\n process.env.GOOGLE_CLIENT_ID &&\n process.env.GOOGLE_CLIENT_SECRET &&\n options.mountGoogleOAuthRoutes !== false\n ) {\n setGenericGoogleOAuthRoutesEnabled(app, true);\n for (const gp of [\n \"/_agent-native/google/callback\",\n \"/_agent-native/google/auth-url\",\n ]) {\n if (!publicPaths.includes(gp)) publicPaths.push(gp);\n }\n\n const googleScopes = [\n \"openid\",\n \"https://www.googleapis.com/auth/userinfo.email\",\n \"https://www.googleapis.com/auth/userinfo.profile\",\n ].join(\" \");\n\n app.use(\n \"/_agent-native/google/auth-url\",\n defineEventHandler((event) => {\n if (!areGenericGoogleOAuthRoutesEnabled(app)) return undefined;\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n // Validate the user-supplied `redirect_uri` against the framework's\n // server-side allowlist (must be same-origin and under\n // `/_agent-native/...`). Reject anything else so an attacker can't\n // smuggle a different already-registered redirect URI past Google's\n // host-prefix matching. See HIGH-1 in 09-oauth-session.md.\n const redirectUri = resolveOAuthRedirectUri(event);\n if (redirectUri === null) {\n setResponseStatus(event, 400);\n return { error: \"Invalid redirect_uri\" };\n }\n const q = getQuery(event);\n const desktop =\n isElectronRequest(event) || q.desktop === \"1\" || q.desktop === \"true\";\n const flowId = desktop ? (q.flow_id as string) || undefined : undefined;\n // Validate the caller's return param up front and only embed it\n // into the OAuth state when it normalises to a non-root path —\n // skip embedding \"/\" (the default fallback) so the state stays\n // small for the common case.\n const returnQuery = q.return;\n const validated =\n typeof returnQuery === \"string\"\n ? 
safeOAuthReturnUrl(returnQuery, {\n allowDefaultLoopback: isBuilderOAuthRequest(event),\n allowedOrigins: [builderPreviewReturnOrigin(event)],\n })\n : \"/\";\n const returnUrl = validated !== \"/\" ? validated : undefined;\n const state = encodeOAuthState({\n redirectUri,\n desktop,\n addAccount: false,\n app: getOAuthStateAppId(),\n returnUrl,\n flowId,\n });\n logGoogleOAuthDebug(event, \"auth-url\", {\n flowId,\n desktop,\n redirectPath: oauthDebugUrlPath(redirectUri),\n returnUrl,\n redirect: q.redirect === \"1\",\n workspace:\n process.env.AGENT_NATIVE_WORKSPACE === \"1\" ||\n process.env.VITE_AGENT_NATIVE_WORKSPACE === \"1\",\n });\n const params = new URLSearchParams({\n client_id: process.env.GOOGLE_CLIENT_ID!,\n redirect_uri: redirectUri,\n response_type: \"code\",\n scope: googleScopes,\n access_type: \"online\",\n prompt: \"select_account\",\n state,\n });\n const authUrl = `https://accounts.google.com/o/oauth2/v2/auth?${params}`;\n if (q.redirect === \"1\") {\n return sendRedirect(event, authUrl, 302);\n }\n return { url: authUrl };\n }),\n );\n\n app.use(\n \"/_agent-native/google/callback\",\n defineEventHandler(async (event) => {\n if (!areGenericGoogleOAuthRoutesEnabled(app)) return undefined;\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const callbackRelay = workspaceOAuthCallbackRelayResponse(event);\n if (callbackRelay) return callbackRelay;\n let callbackFlowId: string | undefined;\n let callbackDesktop = false;\n try {\n const query = getQuery(event);\n const code = query.code as string;\n const { redirectUri, desktop, returnUrl, flowId } = decodeOAuthState(\n query.state as string | undefined,\n getAppUrl(event, \"/_agent-native/google/callback\"),\n );\n callbackFlowId = flowId;\n callbackDesktop = desktop;\n logGoogleOAuthDebug(event, \"callback-start\", {\n flowId,\n desktop,\n redirectPath: oauthDebugUrlPath(redirectUri),\n hasCode: !!code,\n returnUrl,\n });\n if 
(!code) {\n const providerError =\n typeof query.error === \"string\" && query.error\n ? query.error\n : undefined;\n const providerDescription =\n typeof query.error_description === \"string\" &&\n query.error_description\n ? query.error_description\n : undefined;\n const msg =\n providerDescription ||\n providerError ||\n \"Missing authorization code\";\n if (flowId) {\n setDesktopExchangeError(flowId, {\n message: `Google sign-in failed: ${msg}`,\n code: providerError || \"missing_authorization_code\",\n });\n }\n logGoogleOAuthDebug(event, \"callback-error\", {\n flowId,\n desktop,\n message: msg,\n code: providerError,\n });\n return oauthErrorPage(`Connection failed: ${msg}`);\n }\n // Defence in depth: the state is HMAC-signed, but if the signing\n // key ever leaked an attacker could mint state with their own\n // redirect_uri. Re-validate against the same allowlist used at\n // auth-url time so the token exchange is always sent to a URI we\n // own.\n if (!isAllowedOAuthRedirectUri(redirectUri, event)) {\n const msg =\n \"Invalid Google OAuth redirect URI in state. 
Restart sign-in from this app.\";\n if (flowId) {\n setDesktopExchangeError(flowId, {\n message: msg,\n code: \"invalid_redirect_uri\",\n });\n }\n logGoogleOAuthDebug(event, \"callback-error\", {\n flowId,\n desktop,\n message: msg,\n });\n return oauthErrorPage(`Connection failed: ${msg}`);\n }\n\n const tokenRes = await fetch(\"https://oauth2.googleapis.com/token\", {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body: new URLSearchParams({\n code,\n client_id: process.env.GOOGLE_CLIENT_ID!,\n client_secret: process.env.GOOGLE_CLIENT_SECRET!,\n redirect_uri: redirectUri,\n grant_type: \"authorization_code\",\n }),\n });\n const tokens = await tokenRes.json();\n if (!tokenRes.ok) {\n throw new Error(\n tokens.error_description ||\n tokens.error ||\n \"Token exchange failed\",\n );\n }\n\n const userRes = await fetch(\n \"https://www.googleapis.com/oauth2/v2/userinfo\",\n { headers: { Authorization: `Bearer ${tokens.access_token}` } },\n );\n const user = await userRes.json();\n const email = user.email as string;\n if (!email) throw new Error(\"Could not get email from Google\");\n // Reject unverified Google addresses. Google returns\n // `verified_email: false` for accounts where ownership of the\n // address hasn't been proven (rare on consumer accounts but\n // reachable on Workspace tenants that allow it). Without this\n // check, an attacker could sign up as `victim@example.com` on\n // Google without controlling the inbox and take over a local\n // password account that already exists at that address (Better\n // Auth's accountLinking auto-merges trusted-provider sign-ins).\n if (user.verified_email !== true) {\n throw new Error(\n \"Google account email is not verified. 
Please verify your email with Google and try again.\",\n );\n }\n\n const { sessionToken } = await createOAuthSession(event, email, {\n hasProductionSession: false,\n desktop,\n });\n logGoogleOAuthDebug(event, \"callback-session-created\", {\n flowId,\n desktop,\n hasSessionToken: !!sessionToken,\n emailDomain: email.split(\"@\")[1] || \"\",\n });\n\n if (flowId && sessionToken) {\n _desktopExchanges.set(flowId, {\n token: sessionToken,\n email,\n expiresAt: Date.now() + DESKTOP_EXCHANGE_TTL_MS,\n });\n // Also persist to DB for cross-instance durability (Cloudflare\n // Workers, multi-region). Fire-and-forget — in-memory Map is\n // still the primary fast path for same-instance requests.\n void persistDesktopExchangeToDB(flowId, sessionToken, email);\n logGoogleOAuthDebug(event, \"callback-exchange-stored\", {\n flowId,\n desktop,\n });\n }\n\n return oauthCallbackResponse(event, email, {\n sessionToken,\n desktop,\n returnUrl,\n flowId,\n });\n } catch (error: any) {\n const msg = error.message || \"Unknown error\";\n if (callbackFlowId) {\n setDesktopExchangeError(callbackFlowId, {\n message: `Google sign-in failed: ${msg}`,\n code: \"callback_error\",\n });\n }\n logGoogleOAuthDebug(event, \"callback-error\", {\n flowId: callbackFlowId,\n desktop: callbackDesktop,\n message: msg,\n });\n return oauthErrorPage(`Connection failed: ${msg}`);\n }\n }),\n );\n }\n\n // Desktop OAuth exchange — native apps (Tauri tray, Electron) open OAuth\n // in the system browser but need a way to retrieve the session token\n // afterwards since they don't share a cookie jar with the browser.\n app.use(\n \"/_agent-native/auth/desktop-exchange\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const query = getQuery(event);\n const flowId = query.flow_id as string | undefined;\n if (!flowId) {\n setResponseStatus(event, 400);\n return { error: \"Missing flow_id\" };\n 
}\n let entry = _desktopExchanges.get(flowId);\n if (!entry || entry.expiresAt < Date.now()) {\n // In-memory miss — fall back to the DB-persisted entry. This handles\n // cross-instance routing (Cloudflare Workers, multi-region) where the\n // OAuth callback and the polling request may hit different isolates.\n const fromDb = await consumeDesktopExchangeFromDB(flowId);\n if (!fromDb) {\n // Don't log on the pending path — clients poll every second for up\n // to 5 minutes, so logging here floods telemetry. The auth-url,\n // callback-start, callback-session-created, exchange-success, and\n // exchange-error breadcrumbs already cover every meaningful state\n // transition.\n return { pending: true, flow: oauthDebugFlowId(flowId) };\n }\n entry =\n \"error\" in fromDb\n ? { error: fromDb.error, expiresAt: Date.now() + 1 }\n : {\n token: fromDb.token,\n email: fromDb.email,\n expiresAt: Date.now() + 1,\n };\n }\n _desktopExchanges.delete(flowId);\n // Also wipe the DB-persisted entry so it cannot be replayed via the\n // DB fallback path after in-memory consumption.\n void removeSession(`dex:${flowId}`);\n if (\"error\" in entry) {\n logGoogleOAuthDebug(event, \"exchange-error\", {\n flowId,\n message: entry.error.message,\n code: entry.error.code,\n });\n return { error: entry.error.message, ...entry.error };\n }\n // Make the exchange itself establish the app session. Older clients\n // still make a follow-up /auth/session?_session=... request, but the\n // OAuth handoff should not depend on that second request succeeding.\n setFrameworkSessionCookie(event, entry.token);\n setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n logGoogleOAuthDebug(event, \"exchange-success\", {\n flowId,\n emailDomain: entry.email.split(\"@\")[1] || \"\",\n });\n return { token: entry.token, email: entry.email };\n }),\n );\n\n const accessTokens = getAccessTokens();\n\n // Initialize Better Auth. 
Forward `googleScopes` into the BetterAuthConfig\n // so the social provider requests the broader product scopes (Gmail,\n // Calendar, etc.) up front during the primary sign-in — eliminating the\n // need for a separate \"Connect Google\" page.\n const betterAuthConfig: BetterAuthConfig = {\n ...(options.betterAuth ?? {}),\n ...(options.googleScopes ? { googleScopes: options.googleScopes } : {}),\n };\n const auth = await getBetterAuth(betterAuthConfig);\n\n // Mount Better Auth catch-all handler at /_agent-native/auth/ba/*\n app.use(\n \"/_agent-native/auth/ba\",\n defineEventHandler(async (event) => {\n const reqPath = event.url?.pathname ?? event.path ?? \"\";\n const isResetPassword =\n reqPath.includes(\"reset-password\") && getMethod(event) === \"POST\";\n\n // Pre-read the body for reset-password so we can auto-verify the\n // user's email after they save the new password. CRUCIAL: clone\n // the Request first — h3 v2 `event.req` is the live web Request,\n // and `.text()`/`.json()` consume the stream. 
The same `event.req`\n // is handed to Better Auth below; without the clone, Better Auth\n // sees an empty body, fails Zod validation, and returns 400 —\n // which the reset page renders as \"the link may have expired\".\n let resetToken: string | undefined;\n let resetUserId: string | undefined;\n if (isResetPassword) {\n try {\n const cloned = (event.req as Request).clone();\n const body = (await cloned.json().catch(() => undefined)) as\n | { token?: string }\n | undefined;\n resetToken = body?.token;\n } catch {\n // ignore — Better Auth will handle validation\n }\n // Look up userId BEFORE calling auth.handler — Better Auth deletes\n // the verification row as part of the reset, so by the time the\n // handler returns 200 the row is gone and we can't recover the user.\n if (resetToken) {\n try {\n const { getDbExec } = await import(\"../db/client.js\");\n const db = getDbExec();\n const rows = await db.execute({\n sql: \"SELECT value FROM verification WHERE identifier = ?\",\n args: [`reset-password:${resetToken}`],\n });\n resetUserId = rows.rows[0]?.value as string | undefined;\n } catch {\n // Best-effort — if we can't read the verification row we just\n // skip auto-verify; the user can verify normally.\n }\n }\n }\n\n const response = await auth.handler(toWebRequest(event));\n const isResponse =\n response != null &&\n typeof (response as any).status === \"number\" &&\n typeof (response as any).headers?.get === \"function\";\n\n // After email verification, add ?verified=1 to the redirect so the\n // login page can show \"Email verified!\". MUTATE the response in\n // place — `new Response(null, { headers: new Headers(response.headers) })`\n // collapses multiple Set-Cookie headers into one comma-joined value,\n // which browsers reject. 
With `autoSignInAfterVerification: true`\n // Better Auth emits 2–3 Set-Cookie headers (session token + cookie\n // cache + dontRememberToken); losing them strands the user on the\n // login page even though verification succeeded.\n if (\n reqPath.includes(\"verify-email\") &&\n isResponse &&\n (response as Response).status >= 300 &&\n (response as Response).status < 400\n ) {\n const loc = response.headers.get(\"location\");\n if (loc && !/[?&]verified=/.test(loc)) {\n const sep = loc.includes(\"?\") ? \"&\" : \"?\";\n response.headers.set(\"location\", loc + sep + \"verified=1\");\n }\n }\n\n // Auto-verify email after a successful password reset. The user\n // proved email ownership by receiving and using the reset link, so\n // we don't want them stuck behind `requireEmailVerification` after\n // resetting — that's the exact escape hatch they just used.\n if (\n isResetPassword &&\n resetUserId &&\n isResponse &&\n (response as Response).status >= 200 &&\n (response as Response).status < 300\n ) {\n try {\n const { getDbExec } = await import(\"../db/client.js\");\n const db = getDbExec();\n // Use boolean literals for cross-dialect portability: Postgres\n // stores `email_verified` as BOOLEAN and rejects integer 1/0,\n // SQLite accepts TRUE/FALSE as aliases for 1/0 (since 3.23).\n // Quote `\"user\"` because it's a reserved keyword in Postgres.\n await db.execute({\n sql: 'UPDATE \"user\" SET email_verified = TRUE WHERE id = ? AND (email_verified = FALSE OR email_verified IS NULL)',\n args: [resetUserId],\n });\n\n // Revoke every existing session for this user so a stolen\n // cookie doesn't outlive the password it was paired with. 
We\n // do this AFTER Better Auth's response has been generated so\n // the freshly-minted post-reset session (if any) is captured\n // by the response's Set-Cookie header — but `auth.handler` for\n // reset-password does not auto-sign-in by default, so the\n // common path is \"wipe everything; user signs in with new\n // password.\" The legacy `sessions` table is also wiped by\n // joining through the `user.email` column.\n //\n // Skip the freshly-minted Better Auth session id when present\n // (auto-sign-in plugins / future config). Reading it from the\n // response avoids racing against Better Auth's own writes.\n const newSessionToken = extractSessionTokenFromSetCookies(\n response as Response,\n );\n\n // 1. Better Auth `session` table — keyed by user_id.\n if (newSessionToken) {\n await db.execute({\n sql: 'DELETE FROM \"session\" WHERE user_id = ? AND token <> ?',\n args: [resetUserId, newSessionToken],\n });\n } else {\n await db.execute({\n sql: 'DELETE FROM \"session\" WHERE user_id = ?',\n args: [resetUserId],\n });\n }\n\n // 2. Legacy `sessions` table — keyed by `email` column. The\n // reset-password verification row holds the user's id, not\n // their email, so we look up the email first. Best-effort —\n // skip silently if the lookup fails so the response still ships.\n try {\n const { rows } = await db.execute({\n sql: 'SELECT email FROM \"user\" WHERE id = ?',\n args: [resetUserId],\n });\n const userEmail = (rows[0]?.email ?? rows[0]?.[0]) as\n | string\n | undefined;\n if (userEmail) {\n if (newSessionToken) {\n await db.execute({\n sql: \"DELETE FROM sessions WHERE email = ? 
AND token <> ?\",\n args: [userEmail, newSessionToken],\n });\n } else {\n await db.execute({\n sql: \"DELETE FROM sessions WHERE email = ?\",\n args: [userEmail],\n });\n }\n }\n } catch {\n // Best-effort — don't block the response\n }\n } catch {\n // Best-effort — don't block the response\n }\n }\n\n return response;\n }),\n );\n\n // Backward-compat: POST /_agent-native/auth/login\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n\n // Legacy ACCESS_TOKEN login\n if (\n body?.token &&\n typeof body.token === \"string\" &&\n accessTokens.length > 0\n ) {\n if (!safeTokenMatch(body.token, accessTokens)) {\n setResponseStatus(event, 401);\n return { error: \"Invalid token\" };\n }\n const sessionToken = crypto.randomBytes(32).toString(\"hex\");\n await addSession(sessionToken, \"user\");\n setFrameworkSessionCookie(event, sessionToken);\n return authLoginResponse(event, sessionToken, \"user\");\n }\n\n // Email/password login via Better Auth\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n\n if (!email || !password) {\n setResponseStatus(event, 400);\n return { error: \"Email and password are required\" };\n }\n\n try {\n const result = await auth.api.signInEmail({\n body: { email, password },\n });\n if (result?.token) {\n setFrameworkSessionCookie(event, result.token);\n await addSession(result.token, email);\n if (isElectronRequest(event)) {\n await writeDesktopSso({\n email,\n token: result.token,\n expiresAt: Date.now() + sessionMaxAge * 1000,\n });\n }\n return authLoginResponse(event, result.token, email);\n }\n // signInEmail succeeded but returned no token — typically means the\n // email isn't verified yet. 
Don't return { ok: true } without a\n // session or the frontend will reload into a dead end.\n setResponseStatus(event, 403);\n return {\n error:\n \"Email not verified. Check your inbox for a verification link.\",\n };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"login\", email });\n }\n setResponseStatus(event, 401);\n return { error: e?.message || \"Invalid email or password\" };\n }\n }),\n );\n\n // Backward-compat: POST /_agent-native/auth/register\n app.use(\n \"/_agent-native/auth/register\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n const callbackURL =\n typeof body?.callbackURL === \"string\"\n ? safeReturnPath(body.callbackURL)\n : \"/\";\n\n if (!email || typeof email !== \"string\" || !email.includes(\"@\")) {\n setResponseStatus(event, 400);\n return { error: \"Valid email is required\" };\n }\n if (!password || typeof password !== \"string\" || password.length < 8) {\n setResponseStatus(event, 400);\n return { error: \"Password must be at least 8 characters\" };\n }\n\n try {\n await auth.api.signUpEmail({\n body: { email, password, name: email.split(\"@\")[0], callbackURL },\n });\n return { ok: true };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"signup\", email });\n }\n setResponseStatus(event, 409);\n return { error: e?.message || \"Registration failed\" };\n }\n }),\n );\n\n // Backward-compat: POST /_agent-native/auth/logout\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await 
removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n\n try {\n await auth.api.signOut({ headers: event.headers });\n } catch {\n // Ignore if no Better Auth session\n }\n\n if (isElectronRequest(event)) await clearDesktopSso();\n\n return { ok: true };\n }),\n );\n\n // POST /_agent-native/auth/logout-all — revoke every session row for\n // the authenticated user across both auth tables. Companion to the\n // password-reset session-revocation logic; lets a user sign out\n // everywhere from one device. Requires an authenticated session.\n app.use(\n \"/_agent-native/auth/logout-all\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n if (!session?.email) {\n setResponseStatus(event, 401);\n return { error: \"Not authenticated\" };\n }\n try {\n const db = getDbExec();\n // 1. Resolve user_id from email so we can wipe Better Auth sessions\n // by their FK column.\n let userId: string | undefined;\n try {\n const { rows } = await db.execute({\n sql: 'SELECT id FROM \"user\" WHERE email = ?',\n args: [session.email],\n });\n userId = (rows[0]?.id ?? rows[0]?.[0]) as string | undefined;\n } catch {\n // User table may not exist on token-only deployments — skip.\n }\n if (userId) {\n try {\n await db.execute({\n sql: 'DELETE FROM \"session\" WHERE user_id = ?',\n args: [userId],\n });\n } catch {\n // Best-effort.\n }\n }\n\n // 2. Legacy `sessions` table — keyed by `email` column.\n try {\n await db.execute({\n sql: \"DELETE FROM sessions WHERE email = ?\",\n args: [session.email],\n });\n } catch {\n // Best-effort.\n }\n\n // 3. 
Drop the current request's cookie and best-effort sign out\n // of Better Auth (so the response sets the proper expiry header).\n clearFrameworkSessionCookies(event);\n try {\n await auth.api.signOut({ headers: event.headers });\n } catch {\n // Ignore — sessions are already gone in DB.\n }\n\n if (isElectronRequest(event)) await clearDesktopSso();\n return { ok: true };\n } catch (e: any) {\n setResponseStatus(event, 500);\n return { error: e?.message || \"Failed to revoke sessions\" };\n }\n }),\n );\n\n // GET /_agent-native/auth/session\n app.use(\n \"/_agent-native/auth/session\",\n defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? { error: \"Not authenticated\" };\n }),\n );\n\n // GET /_agent-native/auth/reset — HTML page shown when a user clicks the\n // reset link in their email. Reads ?token=... and POSTs to Better Auth's\n // /reset-password endpoint on submit.\n app.use(\n \"/_agent-native/auth/reset\",\n defineEventHandler((event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n return new Response(getResetPasswordHtml(), {\n headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n });\n }),\n );\n\n // Auth guard — stored both in framework middleware registry AND in\n // _authGuardFn so the server middleware can enforce it on ALL routes.\n const loginHtml =\n options.loginHtml ??\n getOnboardingHtml({\n googleOnly: options.googleOnly,\n marketing: options.marketing,\n googleSignInNotice: options.googleSignInNotice,\n googleAuthMode: options.googleAuthMode,\n });\n _authGuardConfig = {\n loginHtml,\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n 
_authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n}\n\n// ---------------------------------------------------------------------------\n// mountTokenOnlyRoutes — ACCESS_TOKEN-only auth (no Better Auth)\n// ---------------------------------------------------------------------------\n\nfunction mountTokenOnlyRoutes(\n app: H3App,\n accessTokens: string[],\n publicPaths: string[] = [],\n workspaceAppAudience = resolveWorkspaceAppAudience(),\n workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess(),\n): void {\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n if (\n !body?.token ||\n typeof body.token !== \"string\" ||\n !safeTokenMatch(body.token, accessTokens)\n ) {\n setResponseStatus(event, 401);\n return { error: \"Invalid token\" };\n }\n const sessionToken = crypto.randomBytes(32).toString(\"hex\");\n await addSession(sessionToken, \"user\");\n setFrameworkSessionCookie(event, sessionToken);\n return authLoginResponse(event, sessionToken, \"user\");\n }),\n );\n\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n if (isElectronRequest(event)) await clearDesktopSso();\n return { ok: true };\n }),\n );\n\n app.use(\n \"/_agent-native/auth/session\",\n defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? 
{ error: \"Not authenticated\" };\n }),\n );\n\n _authGuardConfig = {\n loginHtml: getTokenLoginHtml(),\n getLoginHtml: (_event, rawPath) =>\n getTokenLoginHtml({ requestPath: rawPath }),\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n _authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n}\n\n// ---------------------------------------------------------------------------\n// mountAuthFallbackRoutes — minimal auth endpoints when Better Auth init fails\n// ---------------------------------------------------------------------------\n\nfunction mountAuthFallbackRoutes(app: H3App): void {\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n\n if (!email || !password) {\n setResponseStatus(event, 400);\n return { error: \"Email and password are required\" };\n }\n\n try {\n const auth = await getBetterAuth();\n const result = await auth.api.signInEmail({\n body: { email, password },\n });\n if (result?.token) {\n setFrameworkSessionCookie(event, result.token);\n await addSession(result.token, email);\n if (isElectronRequest(event)) {\n await writeDesktopSso({\n email,\n token: result.token,\n expiresAt: Date.now() + sessionMaxAge * 1000,\n });\n }\n return authLoginResponse(event, result.token, email);\n }\n setResponseStatus(event, 403);\n return {\n error:\n \"Email not verified. 
Check your inbox for a verification link.\",\n };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"login\", email });\n }\n setResponseStatus(event, 401);\n return { error: e?.message || \"Invalid email or password\" };\n }\n }),\n );\n\n app.use(\n \"/_agent-native/auth/register\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n\n if (!email || typeof email !== \"string\" || !email.includes(\"@\")) {\n setResponseStatus(event, 400);\n return { error: \"Valid email is required\" };\n }\n if (!password || typeof password !== \"string\" || password.length < 8) {\n setResponseStatus(event, 400);\n return { error: \"Password must be at least 8 characters\" };\n }\n\n try {\n const auth = await getBetterAuth();\n await auth.api.signUpEmail({\n body: { email, password, name: email.split(\"@\")[0] },\n });\n return { ok: true };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"signup\", email });\n }\n setResponseStatus(event, 409);\n return { error: e?.message || \"Registration failed\" };\n }\n }),\n );\n\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n\n try {\n const auth = await getBetterAuth();\n await auth.api.signOut({ headers: event.headers });\n } catch {\n // Ignore if Better Auth is still unavailable\n }\n\n if (isElectronRequest(event)) await clearDesktopSso();\n\n return { ok: true };\n }),\n );\n\n app.use(\n \"/_agent-native/auth/session\",\n 
defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? { error: \"Not authenticated\" };\n }),\n );\n}\n\n// ---------------------------------------------------------------------------\n// autoMountAuth — the recommended entry point\n// ---------------------------------------------------------------------------\n\n/**\n * Automatically configure auth based on environment and configuration:\n *\n * - **BYOA (custom getSession)**: Template-provided auth callback handles everything.\n * - **ACCESS_TOKEN/ACCESS_TOKENS**: Simple token-based auth.\n * - **Default**: Better Auth with email/password, social providers, organizations, and JWT.\n * Users see an onboarding page to create an account on first visit.\n *\n * Local development uses the same Better Auth flow as production. Email\n * verification is automatically skipped in dev/test environments and when\n * no email provider is configured (see `shouldSkipEmailVerification`), so a\n * fresh local clone only needs an email + password to get started.\n *\n * Returns true if auth was mounted, false if skipped.\n */\nexport async function autoMountAuth(\n app: H3App,\n options: AuthOptions = {},\n): Promise<boolean> {\n // If auth is already mounted on THIS app (e.g., default plugin ran before\n // custom plugin in the same server boot), don't re-mount routes — but DO\n // update the live config if custom options like googleOnly or loginHtml\n // were provided. 
createAuthGuardFn() reads from _authGuardConfig on every\n // request, so updating it here takes effect immediately.\n //\n // We gate on `_mountedApp === app` because module-level state survives\n // Vite HMR — without this check, an HMR-restarted Nitro instance (fresh\n // H3 app, empty middleware) would short-circuit here and end up with no\n // auth routes mounted at all.\n if (_authGuardFn && _mountedApp === app) {\n if (options.mountGoogleOAuthRoutes === false) {\n setGenericGoogleOAuthRoutesEnabled(app, false);\n }\n // A custom getSession always wins — even if the default auth plugin\n // mounted first (which happens in production where bootstrapDefaultPlugins\n // can't see the template's server/plugins/ dir and auto-mounts defaults).\n if (options.getSession) {\n customGetSession = options.getSession;\n }\n if (_authGuardConfig) {\n if (\n options.googleOnly ||\n options.loginHtml ||\n options.marketing ||\n options.googleSignInNotice\n ) {\n _authGuardConfig.loginHtml =\n options.loginHtml ??\n getOnboardingHtml({\n googleOnly: options.googleOnly,\n marketing: options.marketing,\n googleSignInNotice: options.googleSignInNotice,\n googleAuthMode: options.googleAuthMode,\n });\n }\n if (options.publicPaths) {\n _authGuardConfig.publicPaths = [\n ...(_authGuardConfig.publicPaths ?? 
[]),\n ...options.publicPaths,\n ];\n }\n if (options.workspaceAppAudience) {\n _authGuardConfig.workspaceAppAudience =\n resolveWorkspaceAppAudience(options);\n }\n if (options.workspaceAppPublicPaths) {\n _authGuardConfig.workspaceAppPublicPaths =\n options.workspaceAppPublicPaths;\n }\n if (options.workspaceAppProtectedPaths) {\n _authGuardConfig.workspaceAppProtectedPaths =\n options.workspaceAppProtectedPaths;\n }\n }\n return true;\n }\n\n // Fresh app (first boot, or HMR created a new Nitro instance) — reset\n // the guard so the mount path below installs it on the new app.\n _authGuardFn = null;\n _authGuardConfig = null;\n _mountedApp = app;\n\n if (!app) {\n if (isDevEnvironment()) {\n customGetSession = null;\n return false;\n }\n throw new Error(\n \"autoMountAuth: H3 app is required. In Nitro plugins, pass nitroApp.h3App.\",\n );\n }\n\n // Reset globals\n customGetSession = null;\n sessionMaxAge = options.maxAge ?? DEFAULT_MAX_AGE;\n const publicPaths = options.publicPaths ?? [];\n const workspaceAppAudience = resolveWorkspaceAppAudience(options);\n const workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess(options);\n\n mountAuthCorsMiddleware(app);\n\n if (options.getSession) {\n customGetSession = options.getSession;\n }\n\n // BYOA — custom getSession provider\n if (customGetSession) {\n app.use(\n \"/_agent-native/auth/session\",\n defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? 
{ error: \"Not authenticated\" };\n }),\n );\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(() => ({ ok: true })),\n );\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n if (isElectronRequest(event)) await clearDesktopSso();\n return { ok: true };\n }),\n );\n\n const byoaLoginHtml = options.loginHtml ?? getTokenLoginHtml();\n _authGuardConfig = {\n loginHtml: byoaLoginHtml,\n ...(options.loginHtml\n ? {}\n : {\n getLoginHtml: (_event, rawPath) =>\n getTokenLoginHtml({ requestPath: rawPath }),\n }),\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n _authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n\n if (process.env.DEBUG)\n console.log(\"[agent-native] Auth enabled — custom getSession provider.\");\n return true;\n }\n\n // ACCESS_TOKEN-only mode\n const tokens = getAccessTokens();\n if (tokens.length > 0) {\n mountTokenOnlyRoutes(\n app,\n tokens,\n publicPaths,\n workspaceAppAudience,\n workspaceAppRouteAccess,\n );\n if (process.env.DEBUG)\n console.log(\n `[agent-native] Auth enabled — ${tokens.length} access token(s) configured.`,\n );\n return true;\n }\n\n // Default: Better Auth (account-first)\n try {\n await mountBetterAuthRoutes(app, options);\n if (process.env.DEBUG)\n console.log(\n \"[agent-native] Auth enabled — Better Auth (accounts + organizations).\",\n );\n } catch (err) {\n console.error(\"[agent-native] Failed to initialize Better Auth:\", err);\n mountAuthFallbackRoutes(app);\n // CRITICAL: Even if Better Auth fails, register the auth guard so\n // unauthenticated 
users can't access the app. They'll see the login\n // page but won't be able to sign in until the DB is available.\n const loginHtml =\n options.loginHtml ??\n getOnboardingHtml({\n googleOnly: options.googleOnly,\n marketing: options.marketing,\n googleSignInNotice: options.googleSignInNotice,\n googleAuthMode: options.googleAuthMode,\n });\n _authGuardConfig = {\n loginHtml,\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n _authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n console.log(\n \"[agent-native] Auth guard registered despite init failure — app is locked.\",\n );\n }\n return true;\n}\n\n// ---------------------------------------------------------------------------\n// Deprecated — kept for backward compat\n// ---------------------------------------------------------------------------\n\n/**\n * @deprecated Use `autoMountAuth(app, options?)` instead.\n */\nexport function mountAuthMiddleware(app: H3App, accessToken: string): void {\n mountTokenOnlyRoutes(app, [accessToken]);\n}\n"]}
|