@agent-native/core 0.63.3 → 0.63.4

Files changed (30)
  1. package/dist/client/blocks/library/AnnotatedCodeBlock.d.ts.map +1 -1
  2. package/dist/client/blocks/library/AnnotatedCodeBlock.js +23 -19
  3. package/dist/client/blocks/library/AnnotatedCodeBlock.js.map +1 -1
  4. package/dist/client/blocks/library/diagram.d.ts.map +1 -1
  5. package/dist/client/blocks/library/diagram.js +10 -11
  6. package/dist/client/blocks/library/diagram.js.map +1 -1
  7. package/dist/client/blocks/library/wireframe.d.ts.map +1 -1
  8. package/dist/client/blocks/library/wireframe.js +2 -1
  9. package/dist/client/blocks/library/wireframe.js.map +1 -1
  10. package/dist/server/auth.d.ts.map +1 -1
  11. package/dist/server/auth.js +5 -1
  12. package/dist/server/auth.js.map +1 -1
  13. package/dist/server/onboarding-html.d.ts.map +1 -1
  14. package/dist/server/onboarding-html.js +50 -5
  15. package/dist/server/onboarding-html.js.map +1 -1
  16. package/docs/content/template-analytics.md +11 -41
  17. package/docs/content/template-assets.md +8 -3
  18. package/docs/content/template-brain.md +6 -1
  19. package/docs/content/template-calendar.md +13 -59
  20. package/docs/content/template-chat.md +6 -9
  21. package/docs/content/template-clips.md +11 -16
  22. package/docs/content/template-content.md +14 -48
  23. package/docs/content/template-design.md +7 -2
  24. package/docs/content/template-dispatch.md +6 -9
  25. package/docs/content/template-forms.md +10 -13
  26. package/docs/content/template-mail.md +12 -27
  27. package/docs/content/template-plan.md +6 -1
  28. package/docs/content/template-slides.md +14 -75
  29. package/docs/content/template-videos.md +11 -52
  30. package/package.json +1 -1
@@ -1 +1 @@
1
- {"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,QAAQ,EACR,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,SAAS,EACT,SAAS,EACT,YAAY,EACZ,SAAS,GACV,MAAM,IAAI,CAAC;AAGZ,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EACL,8BAA8B,EAC9B,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AAExC,6EAA6E;AAC7E,0EAA0E;AAC1E,8EAA8E;AAC9E,0EAA0E;AAC1E,yEAAyE;AACzE,8EAA8E;AAC9E,4EAA4E;AAC5E,yDAAyD;AACzD,SAAS,YAAY,CAAC,KAAc;IAClC,MAAM,GAAG,GAAI,KAAa,CAAC,GAAc,CAAC;IAC1C,MAAM,GAAG,GAAI,KAAa,CAAC,OAEd,CAAC;IACd,IAAI,GAAG,EAAE,gBAAgB,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;QAC9C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC7B,MAAM,eAAe,GAAG,gBAAgB,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YAC/D,IAAI,GAAG,CAAC,QAAQ,KAAK,eAAe,EAAE,CAAC;gBACrC,GAAG,CAAC,QAAQ,GAAG,eAAe,CAAC;gBAC/B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;gBACxC,MAAM,OAAO,GAAG,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,CAAC;gBACtD,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE;oBAC3B,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,8DAA8D;oBAC9D,2DAA2D;oBAC3D,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAChD,CAAC,CAAC;YACZ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;QACnE,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAGD,OAAO,EACL,SAAS,EACT,UAAU,EACV,OAAO,EACP,cAAc,EACd,eAAe,GAChB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAE7E,OAAO,EACL,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,iBAAiB,EACjB,oBAAoB,GAErB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,cAAc,EACd,eAAe,EACf,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,UAAU,IAAI,iBAAiB,EAC/B,cAAc,EACd,SAAS,EACT,SAAS,EACT,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,uBAAuB,EACvB,yB
AAyB,GAC1B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAC5E,OAAO,EACL,6BAA6B,EAC7B,gCAAgC,EAChC,8BAA8B,EAC9B,8BAA8B,EAC9B,+BAA+B,EAC/B,qCAAqC,GACtC,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AACvE,OAAO,EACL,6BAA6B,EAC7B,2BAA2B,EAC3B,8BAA8B,GAE/B,MAAM,qCAAqC,CAAC;AAC7C,OAAO,EAAE,0BAA0B,EAAE,MAAM,uBAAuB,CAAC;AACnE,OAAO,EACL,4BAA4B,EAC5B,qBAAqB,EACrB,mBAAmB,EACnB,qCAAqC,EACrC,oCAAoC,GACrC,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAClD,yEAAyE;AACzE,2EAA2E;AAC3E,6DAA6D;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAE/D;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,aAAa,CAAC;AACvB,CAAC;AAyID,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,qBAAqB,GAAG,0BAA0B,EAAE,CAAC;AAE3D;;;;GAIG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,qBAAqB,CAAC,qBAAqB,CAAC;AACrD,CAAC;AAED,MAAM,CAAC,MAAM,WAAW,GAAG,qBAAqB,CAAC,mBAAmB,CAAC;AACrE,MAAM,CAAC,MAAM,yBAAyB,GACpC,qBAAqB,CAAC,sBAAsB,CAAC;AAE/C;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IACjC,OAAO,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,eAAe,CAAC,KAAc,EAAE,IAAY;IACnD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAEvC,IAAI,GAAG,EAAE,CAAC;QACR,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO;gBAAE,SAAS;YACvB,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAChC,IAAI,EAAE,IAAI,CAAC;gBAAE,SAAS;YACtB,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,IAAI;gBAAE,SAAS;YAEnD,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACzC,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACjD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7B,CAAC;YACD,IAAI,CAAC;gBACH,KAAK,GAAG,kBAAkB,C
AAC,KAAK,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,2DAA2D;YAC7D,CAAC;YACD,IAAI,KAAK,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,6EAA6E;IAC7E,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACtC,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAE5D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,+BAA+B,CAAC,KAAc;IAC5D,OAAO,gCAAgC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,gCAAgC,CACvC,KAAc;IAEd,MAAM,OAAO,GAA2C,EAAE,CAAC;IAC3D,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IAErC,KAAK,MAAM,IAAI,IAAI,kCAAkC,EAAE,EAAE,CAAC;QACxD,KAAK,MAAM,KAAK,IAAI,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC;YACjD,IAAI,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,SAAS;YACpC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACtB,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,kCAAkC;IACzC,OAAO,qBAAqB,CAAC,2BAA2B,CAAC;AAC3D,CAAC;AAED,SAAS,0BAA0B,CAAC,KAAc,EAAE,IAAY;IAC9D,2EAA2E;IAC3E,6DAA6D;IAC7D,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IACzC,KAAK,MAAM,MAAM,IAAI,qBAAqB,CAAC,6BAA6B,EAAE,CAAC;QACzE,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC;IACnD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,KAAc;IACzD,KAAK,MAAM,IAAI,IAAI,kCAAkC,EAAE,EAAE,CAAC;QACxD,0BAA0B,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC1C,CAAC;AACH,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc;IAEd,KAAK,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,gCAAgC,CAAC,KAAK,CAAC,EAAE,CAAC;QACtE,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,IAAI,KAAK,WAAW;gBAAE,yBAAyB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YAClE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QACjC,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AACD,SAAS,kBAAkB;IACzB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IACjE,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,MAAM,IAAI,GAAG,GAAG;SACb,WAAW,EAAE;SACb,OA
AO,CAAC,cAAc,EAAE,GAAG,CAAC;SAC5B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC3B,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAe;IACvC,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9E,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC1D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3B,OAAO,GAAG,CAAC,QAAQ,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,EAAE,CAAC;IACvD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IAClD,OAAO,CACL,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC;QAC3B,uDAAuD,CAAC,IAAI,CAAC,OAAO,CAAC,CACtE,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,KAAc;IAChD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IAClD,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC5C,IACE,GAAG,CAAC,QAAQ,KAAK,QAAQ;YACzB,CAAC,QAAQ,KAAK,eAAe;gBAC3B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACnC,QAAQ,KAAK,eAAe;gBAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACnC,QAAQ,KAAK,eAAe;gBAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACnC,QAAQ,KAAK,YAAY;gBACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,EACnC,CAAC;YACD,OAAO,GAAG,CAAC,MAAM,CAAC;QACpB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,mBAAmB,CAC1B,KAAc,EACd,KAAa,EACb,UAAmC,EAAE;IAErC,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IACpC,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;IAC/C,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,EAAE,CAAC;IACvD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IAClD,OAAO,CAAC,IAAI,CAAC,8BAA8B,EAAE;QAC3C,KAAK;QACL,GAAG,EAAE,kBAAkB,EAAE;QACzB,IAAI;QACJ,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC;QAC9B,QAAQ,EAAE
,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC;QACrC,kBAAkB,EAAE,qBAAqB,CAAC,IAAI,CAAC,SAAS,CAAC;QACzD,eAAe,EACb,uDAAuD,CAAC,IAAI,CAAC,OAAO,CAAC;QACvE,GAAG,IAAI;KACR,CAAC,CAAC;AACL,CAAC;AACD,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;AAErD,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IACjC,OAAO,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,MAAM,CAAC;AACjD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAAC,GAA8B;IAC3D,IAAI,CAAC,GAAG;QAAE,OAAO,GAAG,CAAC;IACrB,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IACxC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,0BAA0B,CAAC,CAAC;QACxD,IAAI,MAAM,CAAC,MAAM,KAAK,0BAA0B;YAAE,OAAO,GAAG,CAAC;QAC7D,OAAO,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,CAAC;IACb,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAc;IACnD,MAAM,MAAM,GAAG,gBAAgB,CAAC;IAChC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;IACtD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACjE,MAAM,SAAS,GACb,MAAM,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC;IACpE,OAAO,SAAS,CAAC,CAAC,CAAC,0BAA0B,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACzE,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,iBAAiB,CAAC,EAAsB;IACtD,wEAAwE;IACxE,MAAM,UAAU,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,OAAO,CACL,UAAU,KAAK,WAAW;QAC1B,UAAU,KAAK,KAAK;QACpB,UAAU,KAAK,kBAAkB;QACjC,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAC9B,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAc;IAC9C,IAAI,EAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,EAAE,GAAG,SAAS,CAAC;IACjB,CAAC;IACD,OAAO,iBAAiB,CAAC,EAAE,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;;;;;;;;;GAaG;AAC
H,KAAK,UAAU,oBAAoB,CACjC,KAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IACvD,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,MAAM,cAAc,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iCAAiC,CACxC,QAAkB;IAElB,IAAI,CAAC;QACH,yEAAyE;QACzE,qEAAqE;QACrE,MAAM,OAAO,GAAG,QAAQ,CAAC,OAExB,CAAC;QACF,MAAM,UAAU,GACd,OAAO,OAAO,CAAC,YAAY,KAAK,UAAU;YACxC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE;YACxB,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;iBAC9B,KAAK,CAAC,aAAa,CAAC;iBACpB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBACpB,MAAM,CAAC,OAAO,CAAC,CAAC;QACzB,KAAK,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;YAC5B,oEAAoE;YACpE,oEAAoE;YACpE,mDAAmD;YACnD,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CACpB,sDAAsD,CACvD,CAAC;YACF,IAAI,KAAK;gBAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kCAAkC;IACpC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,SAAS,eAAe;IACtB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACxC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,MAAM;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACzB,IAAI,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IAC/C,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IACnD,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACzC,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc;IAEd,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,WAAW,CAAC,CAAC;IACjD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI,
CAAC;AACtD,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,KAAK,UAAU,wBAAwB,CACrC,KAAc;IAEd,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACrD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE9B,IAAI,CAAC;QACH,MAAM,CAAC,EAAE,mBAAmB,EAAE,EAAE,EAAE,UAAU,EAAE,sBAAsB,EAAE,CAAC,GACrE,MAAM,OAAO,CAAC,GAAG,CAAC;YAChB,MAAM,CAAC,uBAAuB,CAAC;YAC/B,MAAM,CAAC,wBAAwB,CAAC;SACjC,CAAC,CAAC;QACL,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE,SAAS,EAAE;YACrD,WAAW,EAAE,mBAAmB,CAAC,KAAK,CAAC;YACvC,YAAY,EAAE,KAAK;SACpB,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;QAC7D,IAAI,CAAC,QAAQ,EAAE,SAAS;YAAE,OAAO,IAAI,CAAC;QACtC,MAAM,KAAK,GACT,QAAQ,CAAC,KAAK,IAAI,CAAC,MAAM,sBAAsB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;QACvE,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,SAAS;YACzB,KAAK,EAAE,WAAW;YAClB,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC5B,CAAC;IACJ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,CAAC,CAAC,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAc;IAC5C,MAAM,EAAE,OAAO,EAAE,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;IACnD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACvC,OAAO,CACL,IAAI,KAAK,wBAAwB;QACjC,IAAI,CAAC,UAAU,CAAC,yBAAyB,CAAC,CAC3C,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,gBAAgB,CAAC,KAAc;IAC5C,MAAM,MAAM,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;IACnD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,OAAO,wBAAwB,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,8BAA8B,CAAC,KAAc;IACpD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC1C,IAAI,MAAM,IAAI,+BAA+B,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvE,qEAAqE;IACrE,wEAAwE;IACxE,2EAA2E;IAC3E,2EAA2E;IAC3E,6DAA6D;IAC7D,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC,KAAK,EAAE,kBAAkB,CAAC,KAAK,eAAe,CAAC;AAC7E,CAAC;AAED,SAAS,iBAAiB,CACxB,KAAc,EACd,KAAa,EACb,KAAc;IAEd,IAAI,CAAC,8BAA8B,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IAChE,OAAO,
KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AAClE,CAAC;AAED;;;;;GAKG;AACH,MAAM,8BAA8B,GAAa;IAC/C,yCAAyC;IACzC,sBAAsB;IACtB,wCAAwC;IACxC,kBAAkB;IAClB,yCAAyC;IACzC,iBAAiB;CAClB,CAAC;AAEF,MAAM,UAAU,qBAAqB,CAAC,KAAc;IAClD,MAAM,GAAG,GAAI,KAA+B,EAAE,OAAO,CAAC;IACtD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,8BAA8B,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,8EAA8E;AAC9E,+EAA+E;AAC/E,oEAAoE;AACpE,8EAA8E;AAE9E,IAAI,mBAA8C,CAAC;AACnD,IAAI,aAAa,GAAG,eAAe,CAAC;AAEpC,KAAK,UAAU,kBAAkB;IAC/B,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzB,mBAAmB,GAAG,CAAC,KAAK,IAAI,EAAE;YAChC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,cAAc,CAAC,GAAG,EAAE,CACxB,MAAM,CAAC,OAAO,CAAC;;;;yBAIE,OAAO,EAAE;;SAEzB,CAAC,CACH,CAAC;YACF,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,OAAO,CAAC,4CAA4C,CAAC,CAAC;YACrE,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;QACH,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACjB,sEAAsE;YACtE,mBAAmB,GAAG,SAAS,CAAC;YAChC,MAAM,GAAG,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,sBAAsB,CAAI,EAAoB;IAC3D,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,EAAE,CAAC;IACpB,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,IAAI,CAAC,EAAE,IAAI,KAAK,OAAO;YAAE,MAAM,CAAC,CAAC;QACjC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC;QACrC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,MAAM,CAAC,CAAC;QACvC,mBAAmB,GAAG,SAAS,CAAC;QAChC,MAAM,kBAAkB,EAAE,CAAC;QAC3B,OAAO,MAAM,EAAE,EAAE,CAAC;IACpB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,KAAa,EAAE,KAAc;IAC5D,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,sBAAsB,CAAC,GAAG,EAAE,CAChC,MAAM,CAAC,OAAO,CAAC;QACb,GAAG,EAAE,UAAU,EAAE;YACf,CAAC,CAAC,yJAAyJ;YAC3J,CAAC,CAAC,6EAA6E;QACjF,IAAI,EAAE,CAAC,KAAK,EAAE,KAAK,IAAI,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,uDAAuD;AACvD,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAa;IAC/C,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM
,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,sBAAsB,CAAC,GAAG,EAAE,CAChC,MAAM,CAAC,OAAO,CAAC;QACb,GAAG,EAAE,sCAAsC;QAC3C,IAAI,EAAE,CAAC,KAAK,CAAC;KACd,CAAC,CACH,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAa;IACjD,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,sBAAsB,CAAC,GAAG,EAAE,CACjD,MAAM,CAAC,OAAO,CAAC;QACb,GAAG,EAAE,wDAAwD;QAC7D,IAAI,EAAE,CAAC,KAAK,CAAC;KACd,CAAC,CACH,CAAC;IACF,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,UAAoB,CAAC;IAC/C,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,aAAa,GAAG,IAAI,EAAE,CAAC;QAClD,MAAM,MAAM,CAAC,OAAO,CAAC;YACnB,GAAG,EAAE,sCAAsC;YAC3C,IAAI,EAAE,CAAC,KAAK,CAAC;SACd,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,KAAgB,IAAI,IAAI,CAAC;AAC3C,CAAC;AAED,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E,IAAI,gBAAgB,GAClB,IAAI,CAAC;AAiBP,IAAI,gBAAgB,GAA2B,IAAI,CAAC;AACpD,MAAM,gCAAgC,GAAG,IAAI,OAAO,EAAmB,CAAC;AAExE,SAAS,cAAc,CAAC,KAAc;IACpC,OAAO,CACL,SAAS,CAAC,KAAK,EAAE,kBAAkB,CAAC;QACpC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC;QACxB,SAAS,CACV,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAC/B,OAAoB,EACpB,KAAe,EACf,OAAgB;IAEhB,OAAO;QACL,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;QAC9C,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;QACtD,WAAW,EAAE,OAAO;QACpB,aAAa,EAAE,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;KACpD,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAC5B,OAAoB,EACpB,KAAe,EACf,OAAgB;IAEhB,OAAO,iBAAiB,CAAC,wBAAwB,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,4BAA4B,CACnC,OAAoB;IAEpB,IAAI,OAAO,CAAC,SAAS;QAAE,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC;IAC/D,OAAO;QACL,SAAS,EAAE,qBAAqB,CAAC,OAAO,CAAC;QACzC,YAAY,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,CAC/B,qBAAqB,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,SAAS,2BAA2B,CAClC,UAAqD,EAAE;IAEvD,OAAO,6BAA6B,CAClC,OAAO,CAAC,oBAAoB,IAAI,2BAA2B,EAAE,CAC9D,CAAC;AA
CJ,CAAC;AAED,SAAS,8BAA8B,CACrC,UAGI,EAAE;IAEN,MAAM,GAAG,GAAG,8BAA8B,EAAE,CAAC;IAC7C,OAAO;QACL,WAAW,EAAE,OAAO,CAAC,uBAAuB,IAAI,GAAG,CAAC,WAAW;QAC/D,cAAc,EAAE,OAAO,CAAC,0BAA0B,IAAI,GAAG,CAAC,cAAc;KACzE,CAAC;AACJ,CAAC;AAED,SAAS,kCAAkC,CACzC,GAAU,EACV,OAAgB;IAEhB,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,gCAAgC,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED,SAAS,kCAAkC,CAAC,GAAU;IACpD,OAAO,gCAAgC,CAAC,GAAG,CAAC,GAAa,CAAC,KAAK,KAAK,CAAC;AACvE,CAAC;AA0BD,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAgC,CAAC;AAClE,MAAM,6BAA6B,GAAG,aAAa,CAAC;AACpD,MAAM,+BAA+B,GAAG,IAAI,GAAG,CAAC;IAC9C,mBAAmB;IACnB,uBAAuB;CACxB,CAAC,CAAC;AAEH,iEAAiE;AACjE,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAE9C,MAAM,UAAU,kBAAkB,CAChC,MAAc,EACd,KAAa,EACb,KAAa;IAEb,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE;QAC5B,KAAK;QACL,KAAK;QACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB;KAChD,CAAC,CAAC;IACH,wEAAwE;IACxE,yEAAyE;IACzE,kBAAkB;IAClB,KAAK,0BAA0B,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,MAAc,EACd,KAAkC;IAElC,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE;QAC5B,KAAK;QACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB;KAChD,CAAC,CAAC;IACH,KAAK,+BAA+B,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AACtD,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,0BAA0B,CACvC,MAAc,EACd,KAAa,EACb,KAAa;IAEb,IAAI,CAAC;QACH,MAAM,UAAU,CAAC,OAAO,MAAM,EAAE,EAAE,GAAG,KAAK,KAAK,KAAK,EAAE,CAAC,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;IAClD,CAAC;AACH,CAAC;AAED,KAAK,UAAU,+BAA+B,CAC5C,MAAc,EACd,KAAkC;IAElC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACzE,MAAM,UAAU,CACd,OAAO,MAAM,EAAE,EACf,GAAG,6BAA6B,GAAG,OAAO,EAAE,CAC7C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;IAClD,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,4BAA4B,CACzC,MAAc;IAEd,IAAI,CAAC;QACH,wEAAwE;QACxE,6EAA6E;QAC7E,wDAAwD;QACxD,yEAAyE;QACzE,wEAAwE;QACxE,wDAAwD;QACxD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,yEAAyE;YAC9E,IAAI,EAAE,CAAC,OAAO,MAAM,EAAE
,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB,CAAC;SAC9D,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAkB,CAAC;QAC9D,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACzB,IAAI,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,EAAE,CAAC;YACrD,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,MAAM,CAAC,CAAC;YAC/D,OAAO;gBACL,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC;aAC5D,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,MAAM,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/B,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC;IAC7E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,WAAW,CAAC,GAAG,EAAE;IACf,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,iBAAiB,EAAE,CAAC;QACvC,IAAI,CAAC,CAAC,SAAS,GAAG,GAAG;YAAE,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC;AACH,CAAC,EAAE,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;AAErB;;;;GAIG;AACH,IAAI,YAAY,GAEL,IAAI,CAAC;AAEhB;;;;;;;GAOG;AACH,IAAI,WAAW,GAAiB,IAAI,CAAC;AAErC;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,KAAc;IAEd,IAAI,CAAC,YAAY;QAAE,OAAO,CAAC,sCAAsC;IACjE,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,SAAS,gBAAgB,CAAC,KAAc;IAItC,wEAAwE;IACxE,oEAAoE;IACpE,oEAAoE;IACpE,gEAAgE;IAChE,kCAAkC;IAClC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,CAC7B,SAAS,CAAC,KAAK,EAAE,gCAAgC,CAAC,IAAI,EAAE,CACzD;SACE,WAAW,EAAE;SACb,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IAClC,MAAM,mBAAmB,GACvB,oBAAoB,CAAC,MAAM,CAAC;QAC5B,CAAC,yBAAyB,CAAC,KAAK,CAAC;YAC/B,gBAAgB,CAAC,QAAQ,CAAC,mBAAmB,CAAC,WAAW,EAAE,CAAC;YAC5D,gBAAgB,CAAC,QAAQ,CAAC,uBAAuB,CAAC;YAClD,OAAO,CAAC,SAAS,CAAC
,KAAK,EAAE,mBAAmB,CAAC,CAAC;YAC9C,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAC;YAClD,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;IAChD,MAAM,aAAa,GAAG,oBAAoB,CAAC,MAAM,EAAE;QACjD,cAAc,EAAE,sBAAsB,EAAE;QACxC,6BAA6B,EAAE,IAAI;KACpC,CAAC,CAAC;IACH,MAAM,cAAc,GAAG,mBAAmB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,aAAa,CAAC;IACpE,IAAI,CAAC,cAAc;QAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAChE,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,cAAc,CAAC,CAAC;IACxE,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3C,IAAI,CAAC,mBAAmB,IAAI,8BAA8B,CAAC,cAAc,CAAC,EAAE,CAAC;QAC3E,iBAAiB,CAAC,KAAK,EAAE,kCAAkC,EAAE,MAAM,CAAC,CAAC;IACvE,CAAC;IACD,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;IACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,mBAAmB;QACjB,CAAC,CAAC,4BAA4B;QAC9B,CAAC,CAAC;YACE,cAAc;YACd,eAAe;YACf,kBAAkB;YAClB,kBAAkB;YAClB,qBAAqB;YACrB,iBAAiB;YACjB,mBAAmB;SACpB,CAAC,IAAI,CAAC,GAAG,CAAC,CAChB,CAAC;IACF,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,qBAAqB;IAC5B,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACrC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,SAAS;YAAE,OAAO;QAE3C,IAAI,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,uBAAuB,CAAC,GAAU;IACzC,MAAM,OAAO,GAAG,qBAAqB,EAAE,CAAC;IACxC,GAAG,CAAC,GAAG,CAAC,qBAAqB,EAAE,OAAO,CAAC,CAAC;IACxC,GAAG,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,oCAAoC;IAC3C,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG;QAC1C,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,GAAG,CAChD,CAAC;AACJ,CAAC;AAED,SAAS,4BAA4B,CAAC,QAAgB;IACpD,OAAO,CACL,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC;QACtC,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAc;IAI7C,MAAM,eAAe,GAAI,KAAa,CAAC,OAAO,EAAE,gBAAgB,CAAC;IACjE,IAAI,OAAO,eAAe,KAAK,QAAQ,IAAI,eAAe,EAAE,CAAC;QAC3D,OA
AO,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,EAAE,MAAM,IAAI,EAAE,EAAE,CAAC;IACvE,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;IACtD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,OAAO;QACL,OAAO,EAAE,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG;QACzD,MAAM,EAAE,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE;KACrD,CAAC;AACJ,CAAC;AAED,SAAS,mCAAmC,CAC1C,KAAc;IAEd,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;IAC3D,MAAM,cAAc,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,IACE,CAAC,QAAQ;QACT,CAAC,oCAAoC,EAAE;QACvC,CAAC,4BAA4B,CAAC,cAAc,CAAC;QAC7C,OAAO,KAAK,GAAG,QAAQ,gBAAgB;QACvC,OAAO,CAAC,UAAU,CAAC,GAAG,QAAQ,iBAAiB,CAAC,EAChD,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,eAAe,CAC/B,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAClD,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACf,MAAM,KAAK,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;IAC5C,IACE,CAAC,KAAK;QACN,KAAK,KAAK,kBAAkB,EAAE;QAC9B,CAAC,2BAA2B,CAAC,KAAK,CAAC,EACnC,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;QACtB,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,KAAK,GAAG,cAAc,GAAG,MAAM,EAAE,EAAE;KAC7D,CAAC,CAAC;AACL,CAAC;AAED,SAAS,kCAAkC,CAAC,GAAW;IACrD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAChC,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAC9D,qBAAqB,CACtB,CAAC;IACF,OAAO,oCAAoC,CAAC,KAAK,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,iCAAiC,CAAC,KAAc,EAAE,CAAS;IAClE,IAAI,CAAC,KAAK,gCAAgC,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;QACtD,OAAO,OAAO,CAAC,kCAAkC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,CAAC,KAAK,iCAAiC,EAAE,CAAC;QAC5C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;QACtD,MAAM
,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,KAAK,GACT,UAAU,IAAI,CAAC;YACb,CAAC,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAChD,mBAAmB,CACpB;YACH,CAAC,CAAC,IAAI,CAAC;QACX,sEAAsE;QACtE,uEAAuE;QACvE,uEAAuE;QACvE,0EAA0E;QAC1E,uEAAuE;QACvE,IAAI,qCAAqC,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAE9D,oEAAoE;QACpE,uEAAuE;QACvE,MAAM,UAAU,GAAG,+BAA+B,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;QACrE,IAAI,UAAU;YAAE,OAAO,KAAK,CAAC;QAC7B,OAAO,OAAO,CACZ,oCAAoC,CAClC,SAAS,CAAC,KAAK,EAAE,4BAA4B,CAAC,CAC/C,CACF,CAAC;IACJ,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,sBAAsB,GAC1B,oDAAoD,CAAC;AACvD,MAAM,0BAA0B,GAC9B,oDAAoD,CAAC;AACvD,MAAM,2BAA2B,GAC/B,qDAAqD,CAAC;AAExD,SAAS,cAAc,CAAC,KAAa;IACnC,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,0BAA0B,CAAC,SAAiB,EAAE,KAAc;IACnE,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAClD,IAAI,YAAY,KAAK,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IAE1C,MAAM,iBAAiB,GACrB,sBAAsB,CAAC,IAAI,CAAC,SAAS,CAAC;QACtC,2BAA2B,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,cAAc,CAC7B,qCAAqC,CACnC,SAAS,CAAC,KAAK,EAAE,8BAA8B,CAAC,CACjD,CACF,CAAC;IACF,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,sCAAsC,QAAQ,IAAI,CAAC,CAAC;QAC9D,IAAI,CAAC,IAAI,CAAC,iDAAiD,QAAQ,IAAI,CAAC,CAAC;QACzE,IAAI,CAAC,IAAI,CACP,2CAA2C,8BAA8B,IAAI,CAC9E,CAAC;QACF,IAAI,CAAC,IAAI,CACP,4CAA4C,+BAA+B,IAAI,CAChF,CAAC;QACF,IAAI,CAAC,IAAI,CACP,6CAA6C,gCAAgC,IAAI,CAClF,CAAC;QACF,IAAI,CAAC,IAAI,CACP,0CAA0C,6BAA6B,IAAI,CAC5E,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAChD,IAAI,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,uCAAuC,QAAQ,IAAI,CAAC,CAAC;QAC/D,IAAI,CAAC,IAAI,CACP,2CAA2C,6BAA6B,IAAI,CAC7E,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IACxC,OAAO,CACL,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC;QA
ChC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACb,SAAS,CAAC,KAAK,CAAC,YAAY,CAAC,CAC9B,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAiB,EAAE,KAAc;IAC1D,OAAO,IAAI,QAAQ,CAAC,0BAA0B,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE;QAChE,MAAM,EAAE,GAAG;QACX,OAAO,EAAE;YACP,cAAc,EAAE,0BAA0B;YAC1C,0EAA0E;YAC1E,qEAAqE;YACrE,yEAAyE;YACzE,wEAAwE;YACxE,uEAAuE;YACvE,4BAA4B;YAC5B,GAAG,yBAAyB;YAC5B,cAAc,EAAE,mBAAmB;SACpC;KACF,CAAC,CAAC;AACL,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc,EAAE,QAAgB;IAC7D,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAE7C,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,EAAE,gBAAgB,CAAC,EAAE,WAAW,EAAE,CAAC;IACpE,IAAI,SAAS,KAAK,UAAU,IAAI,SAAS,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAEpE,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,EAAE,WAAW,EAAE,CAAC;IACzD,OAAO,CAAC,MAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,iBAAiB;IAGxB,OAAO,KAAK,EAAE,KAAc,EAAE,EAAE;QAC9B,MAAM,MAAM,GAAG,gBAAgB,CAAC;QAChC,IAAI,CAAC,MAAM;YAAE,OAAO;QACpB,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;QAE/B,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;QACtD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,OAAO,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QACjE,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,SAAS,CAAC;QAC5E,MAAM,CAAC,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,aAAa,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3E,MAAM,aAAa,GAAG,mCAAmC,CAAC,KAAK,CAAC,CAAC;QACjE,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,iEAAiE;QACjE,2CAA2C;QAC3C,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACrC,qEAAqE;QACrE,mEAAmE;QACnE,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,CAAC;YACZ,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAA
C;QAED,2EAA2E;QAC3E,6EAA6E;QAC7E,IACE,CAAC,CAAC,UAAU,CAAC,sBAAsB,CAAC;YACpC,CAAC,KAAK,gCAAgC;YACtC,CAAC,KAAK,gCAAgC;YACtC,CAAC,KAAK,4CAA4C,EAClD,CAAC;YACD,OAAO;QACT,CAAC;QAED,uEAAuE;QACvE,yEAAyE;QACzE,qEAAqE;QACrE,mEAAmE;QACnE,kDAAkD;QAClD,IAAI,CAAC,KAAK,qBAAqB,IAAI,CAAC,KAAK,gBAAgB,EAAE,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,0EAA0E;QAC1E,2EAA2E;QAC3E,IAAI,iDAAiD,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,0EAA0E;QAC1E,wEAAwE;QACxE,4EAA4E;QAC5E,0EAA0E;QAC1E,0DAA0D;QAC1D,IAAI,CAAC,KAAK,0CAA0C,EAAE,CAAC;YACrD,OAAO;QACT,CAAC;QAED,wEAAwE;QACxE,wEAAwE;QACxE,wEAAwE;QACxE,IAAI,CAAC,KAAK,sDAAsD,EAAE,CAAC;YACjE,OAAO;QACT,CAAC;QAED,4EAA4E;QAC5E,qEAAqE;QACrE,4EAA4E;QAC5E,0EAA0E;QAC1E,IAAI,CAAC,KAAK,yCAAyC,EAAE,CAAC;YACpD,OAAO;QACT,CAAC;QAED,2EAA2E;QAC3E,0EAA0E;QAC1E,6EAA6E;QAC7E,IAAI,CAAC,CAAC,UAAU,CAAC,mCAAmC,CAAC,EAAE,CAAC;YACtD,OAAO;QACT,CAAC;QAED,uEAAuE;QACvE,uEAAuE;QACvE,IAAI,CAAC,KAAK,oBAAoB,EAAE,CAAC;YAC/B,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,wEAAwE;QACxE,uEAAuE;QACvE,wEAAwE;QACxE,yEAAyE;QACzE,4EAA4E;QAC5E,+CAA+C;QAC/C,sEAAsE;QACtE,IAAI,CAAC,KAAK,oBAAoB,IAAI,CAAC,KAAK,qBAAqB,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,mEAAmE;QACnE,oEAAoE;QACpE,oEAAoE;QACpE,uEAAuE;QACvE,uEAAuE;QACvE,yEAAyE;QACzE,yEAAyE;QACzE,yEAAyE;QACzE,uEAAuE;QACvE,2BAA2B;QAC3B,EAAE;QACF,yEAAyE;QACzE,sEAAsE;QACtE,2DAA2D;QAC3D,yEAAyE;QACzE,oDAAoD;QACpD,EAAE;QACF,yEAAyE;QACzE,2EAA2E;QAC3E,0EAA0E;QAC1E,+DAA+D;QAC/D,IACE,CAAC,KAAK,4BAA4B;YAClC,CAAC,KAAK,yCAAyC;YAC/C,CAAC,KAAK,wCAAwC;YAC9C,CAAC,KAAK,oCAAoC;YAC1C,CAAC,KAAK,gCAAgC;YACtC,CAAC,KAAK,mCAAmC,EACzC,CAAC;YACD,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,qEAAqE;QACrE,qEAAqE;QACrE,oEAAoE;QACpE,mEAAmE;QACnE,uEAAuE;QACvE,mEAAmE;QACnE,qEAAqE;QACrE,yDAAyD;QACzD,IACE,oBAAoB,EAAE;YACtB,CAAC,CAAC,KAAK,+BAA+B;gBACpC,CAAC,KAAK,kCAAkC,CAAC,EAC3C,CAAC;YACD,OAAO;QACT,CAAC;QAED,yEAAyE;QACzE,iEAAiE;QACjE,sEAAsE;QACtE,uEAAuE;QACvE,oEAAoE;QACpE,6DAA6D;QAC7D,IAAI,CAAC,KAAK,kCAAkC,EAAE,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,qEAAqE;QACrE,sEAAsE;QACtE,iDAAiD;QACjD,IAAI,CAAC,KAAK,u
CAAuC,EAAE,CAAC;YAClD,OAAO;QACT,CAAC;QAED,4EAA4E;QAC5E,wEAAwE;QACxE,uEAAuE;QACvE,0EAA0E;QAC1E,2EAA2E;QAC3E,0EAA0E;QAC1E,2EAA2E;QAC3E,qEAAqE;QACrE,6EAA6E;QAC7E,yDAAyD;QACzD,IAAI,CAAC,KAAK,4BAA4B,EAAE,CAAC;YACvC,OAAO;QACT,CAAC;QAED,qEAAqE;QACrE,uEAAuE;QACvE,oEAAoE;QACpE,qEAAqE;QACrE,uCAAuC;QACvC,EAAE;QACF,qEAAqE;QACrE,qEAAqE;QACrE,mEAAmE;QACnE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,+DAA+D;QAC/D,oCAAoC;QACpC,EAAE;QACF,IAAI,CAAC,KAAK,wBAAwB,EAAE,CAAC;YACnC,MAAM,QAAQ,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAClE,MAAM,UAAU,GAAG,cAAc,CAC/B,IAAI,eAAe,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAC5C,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;oBACtB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;iBAClC,CAAC,CAAC;YACL,CAAC;YACD,OAAO,iBAAiB,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC7C,CAAC;QAED,0EAA0E;QAC1E,0EAA0E;QAC1E,6CAA6C;QAC7C,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;oBACtB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,QAAQ,EAAE,cAAc,EAAE,IAAI,GAAG,EAAE;iBAC/C,CAAC,CAAC;YACL,CAAC;YACD,OAAO,iBAAiB,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC7C,CAAC;QAED,wDAAwD;QACxD,IACE,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC;YACxB,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC;YACxB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACjB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACpB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EACnB,CAAC;YACD,OAAO;QACT,CAAC;QAED,uEAAuE;QACvE,mEAAmE;QACnE,oEAAoE;QACpE,kEAAkE;QAClE,qEAAqE;QACrE,iEAAiE;QACjE,gCAAgC;QAChC,IAAI,CAAC,KAAK,aAAa;YAAE,OAAO;QAChC,IAAI,CAAC,KAAK,uCAAuC;YAAE,OAAO;QAC1D,IAAI,YAAY,CAAC,aAAa,EAAE,WAAW,CAAC;YAAE,OAAO;QACrD,IAAI,iCAAiC,CAAC,KAAK,EAAE,CAAC,CAAC;YAAE,OAAO;QACxD,IAAI,4BAA4B,CAA
C,KAAK,EAAE,CAAC,EAAE,MAAM,CAAC,EAAE,CAAC;YACnD,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,OAAO;YAAE,OAAO;QAEpB,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC7D,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC;YACrC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QACnC,CAAC;QAED,uEAAuE;QACvE,kEAAkE;QAClE,mFAAmF;QACnF,oEAAoE;QACpE,iEAAiE;QACjE,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,MAAM,WAAW,GAAG,MAAM,yBAAyB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAChE,IAAI,WAAW;gBAAE,OAAO,WAAW,CAAC;QACtC,CAAC;QAED,OAAO,iBAAiB,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC;AACJ,CAAC;AAED,2EAA2E;AAC3E,wEAAwE;AACxE,6EAA6E;AAC7E,2EAA2E;AAC3E,MAAM,sBAAsB,GAAG,gBAAgB,CAAC;AAChD,yEAAyE;AACzE,iDAAiD;AAEjD,2EAA2E;AAC3E,wEAAwE;AACxE,4EAA4E;AAC5E,0EAA0E;AAC1E,MAAM,6BAA6B,GAAG,WAAW,CAAC;AAElD,IAAI,yBAAyB,GAAG,KAAK,CAAC;AAEtC,SAAS,cAAc;IACrB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9D,OAAO,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,MAAM,CAAC;AAC3C,CAAC;AAED,SAAS,sBAAsB;IAC7B,IAAI,CAAC,cAAc,EAAE;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC,yBAAyB,EAAE,CAAC;QAC/B,yBAAyB,GAAG,IAAI,CAAC;QACjC,OAAO,CAAC,IAAI,CACV,6EAA6E,sBAAsB,EAAE,CACtG,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;AAC3C,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,EAAgC;IAEhC,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;QAChC,GAAG,EAAE,oDAAoD;QACzD,IAAI,EAAE,CAAC,sBAAsB,EAAE,6BAA6B,CAAC;KAC9D,CAAC,CAAC;IACH,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;AACzB,CAAC;AAID,MAAM,8BAA8B,GAAG,IAAI,GAAG,EAG3C,CAAC;AAEJ,SAAS,4BAA4B;IACnC,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,EAAE,EAAE,CAAC;AAC/D,CAAC;AAED,KAAK,UAAU,8BAA8B,CAC3C,IAA4D,EAC5D,EAAgC;IAEhC,MAAM,GAAG,GAAG,4BAA4B,EAAE,CAAC;IAC3C,IAAI,eAAe,GAAG,8BAA8B,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAE9D,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC
,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAEjE,eAAe,GAAG,CAAC,KAAK,IAAI,EAAE;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;oBACzB,IAAI,EAAE;wBACJ,KAAK,EAAE,sBAAsB;wBAC7B,QAAQ,EAAE,WAAW;wBACrB,IAAI,EAAE,KAAK;qBACZ;iBACF,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,kEAAkE;gBAClE,oEAAoE;gBACpE,qEAAqE;gBACrE,IAAI,MAAM,qBAAqB,CAAC,EAAE,CAAC;oBAAE,OAAO,IAAI,CAAC;gBACjD,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC;oBAAE,MAAM,CAAC,CAAC;gBACvC,OAAO,IAAI,CAAC;YACd,CAAC;YAED,mEAAmE;YACnE,sEAAsE;YACtE,sDAAsD;YACtD,OAAO,CAAC,GAAG,CACT,gDAAgD;gBAC9C,eAAe,sBAAsB,IAAI;gBACzC,eAAe,WAAW,IAAI;gBAC9B,kEAAkE;gBAClE,+DAA+D,CAClE,CAAC;YAEF,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;QACnC,CAAC,CAAC,EAAE,CAAC;QAEL,8BAA8B,CAAC,GAAG,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;QACzD,eAAe;aACZ,OAAO,CAAC,GAAG,EAAE;YACZ,IAAI,8BAA8B,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,eAAe,EAAE,CAAC;gBAChE,8BAA8B,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IACrB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC;IACrC,OAAO,MAAM,EAAE,QAAQ,IAAI,IAAI,CAAC;AAClC,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,KAAK,UAAU,yBAAyB,CACtC,KAAc,EACd,UAAkB;IAElB,IAAI,CAAC,gBAAgB,EAAE;QAAE,OAAO,IAAI,CAAC;IACrC,IAAI,OAAO,CAAC,GAAG,CAAC,qCAAqC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC3E,qEAAqE;IACrE,yEAAyE;IACzE,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3C,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;QACvB,iEAAiE;QACjE,oEAAoE;QACpE,2DAA2D;QAC3D,2BAA2B;QAC3B,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,wDAAwD;YAC7D,IAAI,EAAE,CAAC,sBAAsB,EAAE,6BAA6B,CAAC;SAC9D,CAAC,CAAC;QACH,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAEtC,sEAAsE;QACtE,gEAAgE;QAChE,gEAAgE;QAChE,gEAAgE;QAChE,mEAAmE;QACnE,mEAAmE;QACnE,iEAAiE;QACjE,mEAAmE;QACnE,0BAA0B;QAC1B,IAAI,MAAM,qBAAqB,CAAC,EAAE,CAAC;YAAE,OAAO,IAAI,CAAC;QAEjD,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,mEAAmE;QACnE,oEAAoE;QACpE,yEAAyE;QACzE,mEAAmE;QACnE,yBAAyB;QACzB,MAAM,WAAW,GAAG,MAAM,8BAA8
B,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACnE,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;YACxC,IAAI,EAAE;gBACJ,KAAK,EAAE,sBAAsB;gBAC7B,QAAQ,EAAE,WAAW;aACtB;SACF,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,EAAE,KAAK;YAAE,OAAO,IAAI,CAAC;QAEhC,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,sBAAsB,CAAC,CAAC;QAEvD,8DAA8D;QAC9D,qEAAqE;QACrE,qEAAqE;QACrE,qDAAqD;QACrD,OAAO,yBAAyB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IACtD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,mEAAmE;QACnE,gEAAgE;QAChE,qDAAqD;QACrD,OAAO,CAAC,IAAI,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,SAG7B;IACC,OAAO;QACL,KAAK,EAAE,SAAS,CAAC,IAAI,CAAC,KAAK;QAC3B,MAAM,EAAE,SAAS,CAAC,IAAI,CAAC,EAAE;QACzB,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,IAAI;QACzB,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,SAAS,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChE,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,KAAK;KAChC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,kBAAkB,CAAC,OAAoB;IACpD,IAAI,OAAO,CAAC,KAAK;QAAE,OAAO,OAAO,CAAC;IAClC,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;IACnE,MAAM,KAAK,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1E,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;AACjD,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,KAAc;IAC7C,sEAAsE;IACtE,yEAAyE;IACzE,sEAAsE;IACtE,iEAAiE;IACjE,MAAM,GAAG,GAAG,KAAK,CAAC,OAEjB,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,KAAK,IAAI,EAAE;QAC3C,MAAM,OAAO,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QACpD,OAAO,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAChE,CAAC,CAAC,EAAE,CAAC,CAAC;AACR,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc;IAEd,yEAAyE;IACzE,0EAA0E;IAC1E,yEAAyE;IACzE,uEAAuE;IACvE,0EAA0E;IAC1E,sEAAsE;IACtE,4EAA4E;IAC5E,iDAAiD;IACjD,MAAM,YAAY,GAAG,MAAM,8BAA8B,CAAC,KAAK,CAAC,CAAC;IACjE,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,KAAK,EAAE,Y
AAY,CAAC,KAAK;YACzB,KAAK,EAAE,YAAY,CAAC,KAAK;YACzB,GAAG,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7D,CAAC;IACJ,CAAC;IAED,oDAAoD;IACpD,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;IAC1C,CAAC;IAED,4BAA4B;IAC5B,IAAI,gBAAgB,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,OAAO;YAAE,OAAO,OAAO,CAAC;QAE5B,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACpD,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,mEAAmE;QACnE,oEAAoE;QACpE,mEAAmE;QACnE,qEAAqE;QACrE,oEAAoE;QACpE,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,GAAG,EAAE,KAAK;YAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;QAC9D,wCAAwC;IAC1C,CAAC;SAAM,CAAC;QACN,yEAAyE;QACzE,0EAA0E;QAC1E,wEAAwE;QACxE,oEAAoE;QACpE,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACpD,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,kDAAkD;QAClD,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,iBAAiB,EAAE,CAAC;YAC/B,IAAI,EAAE,EAAE,CAAC;gBACP,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC;oBACxC,OAAO,EAAE,KAAK,CAAC,OAAO;iBACvB,CAAC,CAAC;gBACH,IAAI,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;oBAC3B,OAAO,oBAAoB,CAAC,SAAS,CAAC,CAAC;gBACzC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,CAAC,CAAC,CAAC;QACtD,CAAC;QAED,oEAAoE;QACpE,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,kCAAkC;QAClC,qEAAqE;QACrE,sEAAsE;QACtE,gEAAgE;QAChE,oEAAoE;QACpE,uEAAuE;QACvE,wEAAwE;QACxE,kEAAkE;QAClE,gEAAgE;QAChE,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,GAAG,EAAE,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,MAAM,YAAY,GAAG,MAAM,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,mEAAmE;IACnE,2EAA2E;IAC3E,oEAAoE;IACpE,MAAM,mBAAmB,GAAG,sBAAsB,EAAE,CAAC;IACrD,IAAI,mBAAmB;QAAE,OAAO,
mBAAmB,CAAC;IAEpD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,KAAc;IAEd,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,QAA8B,CAAC;IAC/D,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACzC,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAC3D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAChC,OAAO,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,oBAAoB,CAAC,KAAc;IAK1C,OAAO,cAAc,CAAC,KAAK,CAAC;QAC1B,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;QACvD,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAc,EAAE,KAAa;IACrE,4BAA4B,CAAC,KAAK,CAAC,CAAC;IACpC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE;QACnC,QAAQ,EAAE,IAAI;QACd,GAAG,oBAAoB,CAAC,KAAK,CAAC;QAC9B,GAAG,iBAAiB,EAAE;QACtB,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,aAAa;KACtB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAS,yBAAyB,CAChC,KAAc,EACd,QAAgB,EAChB,MAAM,GAAG,GAAG;IAEZ,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,OAAO,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC;IAC1D,KAAK,MAAM,MAAM,IAAI,MAAM;QAAE,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAClE,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QACtD,IAAI,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,GAAG,GAAS,KAAa,CAAC,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC;QACvD,MAAM,GAAG,GAAuB,GAAG,EAAE,GAAG,CAAC;QACzC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QACvE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QACx
E,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,SAAS,YAAY,CAAC,GAAW,EAAE,WAAqB;IACtD,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5B,OAAO,eAAe,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,KAAe;IACpD,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;QAC9B,MAAM,UAAU,GACd,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;YAC7C,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACxB,CAAC,CAAC,SAAS,CAAC;QAChB,OAAO,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,GAAG,GAAG,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,4BAA4B,CACnC,KAAc,EACd,IAAY,EACZ,MAAuB;IAEvB,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IACE,IAAI,KAAK,gBAAgB;QACzB,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC;QAClC,IAAI,KAAK,MAAM;QACf,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QACxB,IAAI,KAAK,cAAc;QACvB,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,EAChC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,0BAA0B,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3E,IAAI,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,uBAAuB,CAAC;QAAE,OAAO,IAAI,CAAC;IACvE,OAAO,MAAM,CAAC,oBAAoB,KAAK,QAAQ,CAAC;AAClD,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,IAAI,CAAC,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC/B,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACtC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;QACxC,OAAO,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;IAChD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,8EAA8E;AAC9E,uEAAuE;AACvE,8EAA8E;AAE9E,SAAS,yBAAyB;IAChC,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAqFD,CAAC;AACT,CAAC;AAED,8EAA8E;AAC9E,+EAA+E;AAC/E,8EAA8E;AAE9E,KAAK,UAAU,qBAAqB,CAClC,GAAU,EACV,OAAoB;IAEpB,MAAM,WAAW,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,CAAC;IACrD,MAAM,oBAAoB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAClE,MAAM,uBAAuB,GAAG,8BAA8B,CAAC,OAAO,CAAC,CAAC;IAExE,wEAAwE;IACxE,0EAA0E;IA
C1E,KAAK,MAAM,EAAE,IAAI,CAAC,cAAc,EAAE,cAAc,EAAE,cAAc,CAAC,EAAE,CAAC;QAClE,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;YAAE,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,0EAA0E;IAC1E,uEAAuE;IACvE,yCAAyC;IACzC,IACE,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,OAAO,CAAC,sBAAsB,KAAK,KAAK,EACxC,CAAC;QACD,kCAAkC,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC9C,KAAK,MAAM,EAAE,IAAI;YACf,gCAAgC;YAChC,gCAAgC;SACjC,EAAE,CAAC;YACF,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAAE,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,YAAY,GAAG;YACnB,QAAQ;YACR,gDAAgD;YAChD,kDAAkD;SACnD,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,GAAG,CAAC,GAAG,CACL,gCAAgC,EAChC,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;YAC3B,IAAI,CAAC,kCAAkC,CAAC,GAAG,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC/D,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;gBAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,oEAAoE;YACpE,uDAAuD;YACvD,mEAAmE;YACnE,oEAAoE;YACpE,2DAA2D;YAC3D,MAAM,WAAW,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;YACnD,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;gBACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;YAC3C,CAAC;YACD,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC1B,MAAM,OAAO,GACX,iBAAiB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,OAAO,KAAK,GAAG,IAAI,CAAC,CAAC,OAAO,KAAK,MAAM,CAAC;YACxE,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC,CAAC,OAAkB,IAAI,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YACxE,gEAAgE;YAChE,+DAA+D;YAC/D,+DAA+D;YAC/D,6BAA6B;YAC7B,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,CAAC;YAC7B,MAAM,SAAS,GACb,OAAO,WAAW,KAAK,QAAQ;gBAC7B,CAAC,CAAC,kBAAkB,CAAC,WAAW,EAAE;oBAC9B,oBAAoB,EAAE,qBAAqB,CAAC,KAAK,CAAC;oBAClD,cAAc,EAAE,CAAC,0BAA0B,CAAC,KAAK,CAAC,CAAC;iBACpD,CAAC;gBACJ,CAAC,CAAC,GAAG,CAAC;YACV,MAAM,SAAS,GAAG,SAAS,KAAK,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5D,MAAM,KAAK,GAAG,gBAAgB,CAAC;gBAC7B,WAAW;gBACX,OAAO;gBACP,UAAU,EAAE,KAAK;gBACjB,GAAG,EAAE,kBAAkB,EAAE;gBACzB,SAAS;gBACT,MAAM;aACP,CAAC,CAAC;YACH,mBAAmB,CAAC,KAAK,EAAE,UAAU,EAAE;gBACrC,MAAM;gBACN,OAAO;gBACP,YAAY,EAAE,iBAAiB,CAAC
,WAAW,CAAC;gBAC5C,SAAS;gBACT,QAAQ,EAAE,CAAC,CAAC,QAAQ,KAAK,GAAG;gBAC5B,SAAS,EACP,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG;oBAC1C,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,GAAG;aAClD,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBACjC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAiB;gBACxC,YAAY,EAAE,WAAW;gBACzB,aAAa,EAAE,MAAM;gBACrB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,QAAQ;gBACrB,MAAM,EAAE,gBAAgB;gBACxB,KAAK;aACN,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,gDAAgD,MAAM,EAAE,CAAC;YACzE,IAAI,CAAC,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;gBACvB,mEAAmE;gBACnE,qEAAqE;gBACrE,oEAAoE;gBACpE,qEAAqE;gBACrE,mEAAmE;gBACnE,+DAA+D;gBAC/D,mEAAmE;gBACnE,mEAAmE;gBACnE,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACxB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE;iBAC/B,CAAC,CAAC;YACL,CAAC;YACD,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;QAC1B,CAAC,CAAC,CACH,CAAC;QAEF,GAAG,CAAC,GAAG,CACL,gCAAgC,EAChC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,IAAI,CAAC,kCAAkC,CAAC,GAAG,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC/D,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;gBAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,MAAM,aAAa,GAAG,mCAAmC,CAAC,KAAK,CAAC,CAAC;YACjE,IAAI,aAAa;gBAAE,OAAO,aAAa,CAAC;YACxC,IAAI,cAAkC,CAAC;YACvC,IAAI,eAAe,GAAG,KAAK,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;gBAC9B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAc,CAAC;gBAClC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAClE,KAAK,CAAC,KAA2B,EACjC,SAAS,CAAC,KAAK,EAAE,gCAAgC,CAAC,CACnD,CAAC;gBACF,cAAc,GAAG,MAAM,CAAC;gBACxB,eAAe,GAAG,OAAO,IAAI,KAAK,CAAC;gBACnC,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;oBAC3C,MAAM;oBACN,OAAO;oBACP,YAAY,EAAE,iBAAiB,CAAC,WAAW,CAAC;oBAC5C,OAAO,EAAE,CAAC,CAAC,IAAI;oBACf,SAAS;iBACV,CAAC,CAAC;gBACH,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,MAAM,aAAa,GACjB,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,KAAK;wBAC5C,CAAC,CAAC,KAAK,CAAC,KAAK;wBACb,CAAC,CAAC,SAAS,CAAC;oBAChB,MAAM,mBAAmB,GACvB,OAAO,KAAK,CAAC,iBAAiB,KAAK,QAAQ;wBAC3C,KAAK,CAAC,iBAAiB;wBACrB,CAAC,CAAC,KAAK,CAAC,iBAAiB;wBACzB,CAAC,CAAC,SAAS,CAAC;oBAChB,MAAM,GAAG,GA
CP,mBAAmB;wBACnB,aAAa;wBACb,4BAA4B,CAAC;oBAC/B,IAAI,MAAM,EAAE,CAAC;wBACX,uBAAuB,CAAC,MAAM,EAAE;4BAC9B,OAAO,EAAE,0BAA0B,GAAG,EAAE;4BACxC,IAAI,EAAE,aAAa,IAAI,4BAA4B;yBACpD,CAAC,CAAC;oBACL,CAAC;oBACD,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;wBAC3C,MAAM;wBACN,OAAO;wBACP,OAAO,EAAE,GAAG;wBACZ,IAAI,EAAE,aAAa;qBACpB,CAAC,CAAC;oBACH,OAAO,cAAc,CAAC,sBAAsB,GAAG,EAAE,CAAC,CAAC;gBACrD,CAAC;gBACD,iEAAiE;gBACjE,8DAA8D;gBAC9D,+DAA+D;gBAC/D,iEAAiE;gBACjE,OAAO;gBACP,IAAI,CAAC,yBAAyB,CAAC,WAAW,EAAE,KAAK,CAAC,EAAE,CAAC;oBACnD,MAAM,GAAG,GACP,4EAA4E,CAAC;oBAC/E,IAAI,MAAM,EAAE,CAAC;wBACX,uBAAuB,CAAC,MAAM,EAAE;4BAC9B,OAAO,EAAE,GAAG;4BACZ,IAAI,EAAE,sBAAsB;yBAC7B,CAAC,CAAC;oBACL,CAAC;oBACD,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;wBAC3C,MAAM;wBACN,OAAO;wBACP,OAAO,EAAE,GAAG;qBACb,CAAC,CAAC;oBACH,OAAO,cAAc,CAAC,sBAAsB,GAAG,EAAE,CAAC,CAAC;gBACrD,CAAC;gBAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,qCAAqC,EAAE;oBAClE,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,cAAc,EAAE,mCAAmC;qBACpD;oBACD,IAAI,EAAE,IAAI,eAAe,CAAC;wBACxB,IAAI;wBACJ,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAiB;wBACxC,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAqB;wBAChD,YAAY,EAAE,WAAW;wBACzB,UAAU,EAAE,oBAAoB;qBACjC,CAAC;iBACH,CAAC,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACrC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,IAAI,KAAK,CACb,MAAM,CAAC,iBAAiB;wBACtB,MAAM,CAAC,KAAK;wBACZ,uBAAuB,CAC1B,CAAC;gBACJ,CAAC;gBAED,MAAM,OAAO,GAAG,MAAM,KAAK,CACzB,+CAA+C,EAC/C,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,MAAM,CAAC,YAAY,EAAE,EAAE,EAAE,CAChE,CAAC;gBACF,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;gBAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAe,CAAC;gBACnC,IAAI,CAAC,KAAK;oBAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;gBAC/D,qDAAqD;gBACrD,8DAA8D;gBAC9D,4DAA4D;gBAC5D,8DAA8D;gBAC9D,8DAA8D;gBAC9D,6DAA6D;gBAC7D,+DAA+D;gBAC/D,gEAAgE;gBAChE,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI,EAAE,CAAC;oBACjC,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;gBACJ,CAAC;gBACD,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;oBAC5D,MAAM,UAAU,CAAC,UAAU,KAAK,EAAE,EAAE;wBAClC,KAAK,EAAE,IAAI,CAAC,OAAO;qBACpB,
CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;wBACjB,OAAO,CAAC,IAAI,CACV,8CAA8C,EAC9C,KAAK,CACN,CAAC;oBACJ,CAAC,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE;oBAC9D,oBAAoB,EAAE,KAAK;oBAC3B,OAAO;iBACR,CAAC,CAAC;gBACH,mBAAmB,CAAC,KAAK,EAAE,0BAA0B,EAAE;oBACrD,MAAM;oBACN,OAAO;oBACP,eAAe,EAAE,CAAC,CAAC,YAAY;oBAC/B,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;iBACvC,CAAC,CAAC;gBAEH,IAAI,MAAM,IAAI,YAAY,EAAE,CAAC;oBAC3B,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE;wBAC5B,KAAK,EAAE,YAAY;wBACnB,KAAK;wBACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB;qBAChD,CAAC,CAAC;oBACH,+DAA+D;oBAC/D,6DAA6D;oBAC7D,0DAA0D;oBAC1D,KAAK,0BAA0B,CAAC,MAAM,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC;oBAC7D,mBAAmB,CAAC,KAAK,EAAE,0BAA0B,EAAE;wBACrD,MAAM;wBACN,OAAO;qBACR,CAAC,CAAC;gBACL,CAAC;gBAED,OAAO,qBAAqB,CAAC,KAAK,EAAE,KAAK,EAAE;oBACzC,YAAY;oBACZ,OAAO;oBACP,SAAS;oBACT,MAAM;iBACP,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBACpB,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,IAAI,eAAe,CAAC;gBAC7C,IAAI,cAAc,EAAE,CAAC;oBACnB,uBAAuB,CAAC,cAAc,EAAE;wBACtC,OAAO,EAAE,0BAA0B,GAAG,EAAE;wBACxC,IAAI,EAAE,gBAAgB;qBACvB,CAAC,CAAC;gBACL,CAAC;gBACD,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;oBAC3C,MAAM,EAAE,cAAc;oBACtB,OAAO,EAAE,eAAe;oBACxB,OAAO,EAAE,GAAG;iBACb,CAAC,CAAC;gBACH,OAAO,cAAc,CAAC,sBAAsB,GAAG,EAAE,CAAC,CAAC;YACrD,CAAC;QACH,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,qEAAqE;IACrE,mEAAmE;IACnE,GAAG,CAAC,GAAG,CACL,sCAAsC,EACtC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC9B,MAAM,MAAM,GAAG,KAAK,CAAC,OAA6B,CAAC;QACnD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QACD,IAAI,KAAK,GAAG,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC3C,qEAAqE;YACrE,sEAAsE;YACtE,qEAAqE;YACrE,MA
AM,MAAM,GAAG,MAAM,4BAA4B,CAAC,MAAM,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,mEAAmE;gBACnE,gEAAgE;gBAChE,kEAAkE;gBAClE,kEAAkE;gBAClE,cAAc;gBACd,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3D,CAAC;YACD,KAAK;gBACH,OAAO,IAAI,MAAM;oBACf,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE;oBACpD,CAAC,CAAC;wBACE,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC;qBAC1B,CAAC;QACV,CAAC;QACD,iBAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACjC,oEAAoE;QACpE,uEAAuE;QACvE,+DAA+D;QAC/D,6DAA6D;QAC7D,aAAa,CAAC,OAAO,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YAC3C,OAAO,CAAC,IAAI,CACV,4CAA4C,EAC5C,eAAe,CAAC,GAAG,CAAC,CACrB,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,IAAI,OAAO,IAAI,KAAK,EAAE,CAAC;YACrB,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;gBAC3C,MAAM;gBACN,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,OAAO;gBAC5B,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,IAAI;aACvB,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC;QACxD,CAAC;QACD,oEAAoE;QACpE,qEAAqE;QACrE,qEAAqE;QACrE,yBAAyB,CAAC,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QAC9C,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;QAC3D,mBAAmB,CAAC,KAAK,EAAE,kBAAkB,EAAE;YAC7C,MAAM;YACN,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;SAC7C,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;IACpD,CAAC,CAAC,CACH,CAAC;IAEF,2EAA2E;IAC3E,qEAAqE;IACrE,wEAAwE;IACxE,6CAA6C;IAC7C,MAAM,gBAAgB,GAAqB;QACzC,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;QAC7B,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACxE,CAAC;IACF,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAEnD,kEAAkE;IAClE,GAAG,CAAC,GAAG,CACL,wBAAwB,EACxB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;QACxD,MAAM,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC;QA
CpE,MAAM,uBAAuB,GAC3B,OAAO,CAAC,QAAQ,CAAC,yBAAyB,CAAC;YAC3C,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC;QAC9B,MAAM,WAAW,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,cAAc,GAAG,WAAW,CAAC;QAEjC,iEAAiE;QACjE,gEAAgE;QAChE,iEAAiE;QACjE,mEAAmE;QACnE,iEAAiE;QACjE,8DAA8D;QAC9D,+DAA+D;QAC/D,IAAI,UAA8B,CAAC;QACnC,IAAI,WAA+B,CAAC;QACpC,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,EAAE,CAAC;gBACnC,MAAM,IAAI,GAAG,CAAC,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAE3C,CAAC;gBACd,UAAU,GAAG,IAAI,EAAE,KAAK,CAAC;YAC3B,CAAC;YAAC,MAAM,CAAC;gBACP,8CAA8C;YAChD,CAAC;YACD,mEAAmE;YACnE,gEAAgE;YAChE,qEAAqE;YACrE,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,CAAC;oBACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;oBACtD,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;oBACvB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;wBAC5B,GAAG,EAAE,qDAAqD;wBAC1D,IAAI,EAAE,CAAC,kBAAkB,UAAU,EAAE,CAAC;qBACvC,CAAC,CAAC;oBACH,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAA2B,CAAC;gBAC1D,CAAC;gBAAC,MAAM,CAAC;oBACP,8DAA8D;oBAC9D,kDAAkD;gBACpD,CAAC;YACH,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,qEAAqE;QACrE,mEAAmE;QACnE,iEAAiE;QACjE,IAAI,uBAAuB,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,CAAC,MAAM,WAAW;qBAC5B,KAAK,EAAE;qBACP,IAAI,EAAE;qBACN,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAwC,CAAC;gBAClE,IAAI,IAAI,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;oBACjD,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;oBACrD,IAAI,WAAW,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC;wBACrC,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;wBACjD,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;wBACjC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;wBAChD,cAAc,GAAG,IAAI,OAAO,CAAC,WAAW,CAAC,GAAG,EAAE;4BAC5C,MAAM,EAAE,WAAW,CAAC,MAAM;4BAC1B,OAAO;4BACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,IAAI,EAAE,WAAW,EAAE,CAAC;4BAC9C,MAAM,EAAE,MAAM;yBACqB,CAAC,CAAC;oBACzC,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,oBAAoB;YACtB,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QACpD,MAAM,UAAU,GACd,QAAQ,IAAI,IAAI;YAChB,OAAQ,QAAg
B,CAAC,MAAM,KAAK,QAAQ;YAC5C,OAAQ,QAAgB,CAAC,OAAO,EAAE,GAAG,KAAK,UAAU,CAAC;QAEvD,mEAAmE;QACnE,gEAAgE;QAChE,2EAA2E;QAC3E,qEAAqE;QACrE,kEAAkE;QAClE,mEAAmE;QACnE,kEAAkE;QAClE,iDAAiD;QACjD,IACE,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;YAChC,UAAU;YACT,QAAqB,CAAC,MAAM,IAAI,GAAG;YACnC,QAAqB,CAAC,MAAM,GAAG,GAAG,EACnC,CAAC;YACD,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC7C,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC1C,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,GAAG,GAAG,GAAG,YAAY,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,mEAAmE;QACnE,mEAAmE;QACnE,4DAA4D;QAC5D,IACE,eAAe;YACf,WAAW;YACX,UAAU;YACT,QAAqB,CAAC,MAAM,IAAI,GAAG;YACnC,QAAqB,CAAC,MAAM,GAAG,GAAG,EACnC,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;gBACtD,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;gBACvB,+DAA+D;gBAC/D,8DAA8D;gBAC9D,6DAA6D;gBAC7D,8DAA8D;gBAC9D,MAAM,EAAE,CAAC,OAAO,CAAC;oBACf,GAAG,EAAE,6GAA6G;oBAClH,IAAI,EAAE,CAAC,WAAW,CAAC;iBACpB,CAAC,CAAC;gBAEH,0DAA0D;gBAC1D,6DAA6D;gBAC7D,6DAA6D;gBAC7D,6DAA6D;gBAC7D,+DAA+D;gBAC/D,0DAA0D;gBAC1D,0DAA0D;gBAC1D,0DAA0D;gBAC1D,2CAA2C;gBAC3C,EAAE;gBACF,8DAA8D;gBAC9D,8DAA8D;gBAC9D,2DAA2D;gBAC3D,MAAM,eAAe,GAAG,iCAAiC,CACvD,QAAoB,CACrB,CAAC;gBAEF,qDAAqD;gBACrD,IAAI,eAAe,EAAE,CAAC;oBACpB,MAAM,EAAE,CAAC,OAAO,CAAC;wBACf,GAAG,EAAE,wDAAwD;wBAC7D,IAAI,EAAE,CAAC,WAAW,EAAE,eAAe,CAAC;qBACrC,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,EAAE,CAAC,OAAO,CAAC;wBACf,GAAG,EAAE,yCAAyC;wBAC9C,IAAI,EAAE,CAAC,WAAW,CAAC;qBACpB,CAAC,CAAC;gBACL,CAAC;gBAED,4DAA4D;gBAC5D,2DAA2D;gBAC3D,4DAA4D;gBAC5D,iEAAiE;gBACjE,IAAI,CAAC;oBACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;wBAChC,GAAG,EAAE,uCAAuC;wBAC5C,IAAI,EAAE,CAAC,WAAW,CAAC;qBACpB,CAAC,CAAC;oBACH,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAEpC,CAAC;oBACd,IAAI,SAAS,EAAE,CAAC;wBACd,IAAI,eAAe,EAAE,CAAC;4BACpB,MAAM,EAAE,CAAC,OAAO,CAAC;gCACf,GAAG,E
AAE,qDAAqD;gCAC1D,IAAI,EAAE,CAAC,SAAS,EAAE,eAAe,CAAC;6BACnC,CAAC,CAAC;wBACL,CAAC;6BAAM,CAAC;4BACN,MAAM,EAAE,CAAC,OAAO,CAAC;gCACf,GAAG,EAAE,sCAAsC;gCAC3C,IAAI,EAAE,CAAC,SAAS,CAAC;6BAClB,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,yCAAyC;gBAC3C,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,yCAAyC;YAC3C,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC,CACH,CAAC;IAEF,kDAAkD;IAClD,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEnC,uCAAuC;QACvC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAEhC,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC;QACtD,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACxC,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE;aAC1B,CAAC,CAAC;YACH,IAAI,MAAM,EAAE,KAAK,EAAE,CAAC;gBAClB,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC/C,MAAM,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACtC,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC7B,MAAM,eAAe,CAAC;wBACpB,KAAK;wBACL,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;qBAC7C,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YACvD,CAAC;YACD,oEAAoE;YACpE,gEAAgE;YAChE,uDAAuD;YACvD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,+DAA+D;aAClE,CAAC;QACJ,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YACjD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,2BAA2B,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,qDAAqD;IACrD,GAAG,CAAC,GAAG,CACL,8BAA8B,EAC9B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EA
AE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAChC,MAAM,WAAW,GACf,OAAO,IAAI,EAAE,WAAW,KAAK,QAAQ;YACnC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC;YAClC,CAAC,CAAC,GAAG,CAAC;QAEV,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAChE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACzB,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE;aAClE,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QACxD,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,mDAAmD;IACnD,GAAG,CAAC,GAAG,CACL,4BAA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,WAAW;YAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;QAClD,4BAA4B,CAAC,KAAK,CAAC,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,mCAAmC;QACrC,CAAC;QAED,IAAI,iBAAiB,CAAC,KAAK,CAAC;YAAE,MAAM,eAAe,EAAE,CAAC;QAEtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,CAAC,CACH,CAAC;IAEF,qEAAqE;IACrE,mEAAmE;IACnE,gEAAgE;IAChE,
iEAAiE;IACjE,GAAG,CAAC,GAAG,CACL,gCAAgC,EAChC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACxC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;YACvB,oEAAoE;YACpE,sBAAsB;YACtB,IAAI,MAA0B,CAAC;YAC/B,IAAI,CAAC;gBACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;oBAChC,GAAG,EAAE,uCAAuC;oBAC5C,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;iBACtB,CAAC,CAAC;gBACH,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAuB,CAAC;YAC/D,CAAC;YAAC,MAAM,CAAC;gBACP,6DAA6D;YAC/D,CAAC;YACD,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,CAAC;oBACH,MAAM,EAAE,CAAC,OAAO,CAAC;wBACf,GAAG,EAAE,yCAAyC;wBAC9C,IAAI,EAAE,CAAC,MAAM,CAAC;qBACf,CAAC,CAAC;gBACL,CAAC;gBAAC,MAAM,CAAC;oBACP,eAAe;gBACjB,CAAC;YACH,CAAC;YAED,wDAAwD;YACxD,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,OAAO,CAAC;oBACf,GAAG,EAAE,sCAAsC;oBAC3C,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;iBACtB,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,eAAe;YACjB,CAAC;YAED,gEAAgE;YAChE,kEAAkE;YAClE,4BAA4B,CAAC,KAAK,CAAC,CAAC;YACpC,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,4CAA4C;YAC9C,CAAC;YAED,IAAI,iBAAiB,CAAC,KAAK,CAAC;gBAAE,MAAM,eAAe,EAAE,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,2BAA2B,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,kCAAkC;IAClC,GAAG,CAAC,GAAG,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,OAAO,O
AAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC,CAAC,CACH,CAAC;IAEF,yEAAyE;IACzE,yEAAyE;IACzE,sCAAsC;IACtC,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE;YAC1C,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;SACxD,CAAC,CAAC;IACL,CAAC,CAAC,CACH,CAAC;IAEF,mEAAmE;IACnE,sEAAsE;IACtE,MAAM,eAAe,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAC;IAC9D,gBAAgB,GAAG;QACjB,GAAG,eAAe;QAClB,WAAW;QACX,oBAAoB;QACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;QAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;KACnE,CAAC;IACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;IACpC,YAAY,GAAG,OAAO,CAAC;IACvB,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,8EAA8E;AAC9E,+EAA+E;AAC/E,8EAA8E;AAE9E,SAAS,uBAAuB,CAAC,GAAU;IACzC,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAEhC,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC;QACtD,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACxC,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE;aAC1B,CAAC,CAAC;YACH,IAAI,MAAM,EAAE,KAAK,EAAE,CAAC;gBAClB,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC/C,MAAM,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACtC,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC7B,MAAM,eAAe,CAAC;wBACpB,KAAK;wBACL,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;qBAC7C,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YACvD,CAAC;YACD,iBAAiB,CAAC,KA
AK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,+DAA+D;aAClE,CAAC;QACJ,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YACjD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,2BAA2B,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,8BAA8B,EAC9B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAEhC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAChE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;YACnC,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACzB,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE;aACrD,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QACxD,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,4BAA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,WAAW;YAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;QAClD,4BAA4
B,CAAC,KAAK,CAAC,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;YACnC,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,6CAA6C;QAC/C,CAAC;QAED,IAAI,iBAAiB,CAAC,KAAK,CAAC;YAAE,MAAM,eAAe,EAAE,CAAC;QAEtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAU,EACV,UAAuB,EAAE;IAEzB,0EAA0E;IAC1E,yEAAyE;IACzE,wEAAwE;IACxE,0EAA0E;IAC1E,yDAAyD;IACzD,EAAE;IACF,uEAAuE;IACvE,wEAAwE;IACxE,wEAAwE;IACxE,8BAA8B;IAC9B,IAAI,YAAY,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,sBAAsB,KAAK,KAAK,EAAE,CAAC;YAC7C,kCAAkC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjD,CAAC;QACD,oEAAoE;QACpE,2EAA2E;QAC3E,0EAA0E;QAC1E,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC;QACxC,CAAC;QACD,IAAI,gBAAgB,EAAE,CAAC;YACrB,IACE,OAAO,CAAC,UAAU;gBAClB,OAAO,CAAC,SAAS;gBACjB,OAAO,CAAC,SAAS;gBACjB,OAAO,CAAC,kBAAkB,EAC1B,CAAC;gBACD,MAAM,eAAe,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAC;gBAC9D,gBAAgB,CAAC,SAAS,GAAG,eAAe,CAAC,SAAS,CAAC;gBACvD,gBAAgB,CAAC,YAAY,GAAG,eAAe,CAAC,YAAY,CAAC;YAC/D,CAAC;YACD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;gBACxB,gBAAgB,CAAC,WAAW,GAAG;oBAC7B,GAAG,CAAC,gBAAgB,CAAC,WAAW,IAAI,EAAE,CAAC;oBACvC,GAAG,OAAO,CAAC,WAAW;iBACvB,CAAC;YACJ,CAAC;YACD,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;gBACjC,gBAAgB,CAAC,oBAAoB;oBACnC,2BAA2B,CAAC,OAAO,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,OAAO,CAAC,uBAAuB,EAAE,CAAC;gBACpC,gBAAgB,CAAC,uBAAuB;oBACtC,OAAO,CAAC,uBAAuB,CAAC;YACpC,CAAC;YACD,IAAI,OAAO,CAAC,0BAA0B,EAAE,CAAC;gBACvC,gBAAgB,CAAC,0BAA0B;oBACzC,OAAO,CAAC,0BAA0B,CAAC;YACvC,CAAC;QACH,CAAC;QACD,OAAO,IAAI,
CAAC;IACd,CAAC;IAED,sEAAsE;IACtE,gEAAgE;IAChE,YAAY,GAAG,IAAI,CAAC;IACpB,gBAAgB,GAAG,IAAI,CAAC;IACxB,WAAW,GAAG,GAAG,CAAC;IAElB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,IAAI,gBAAgB,EAAE,EAAE,CAAC;YACvB,gBAAgB,GAAG,IAAI,CAAC;YACxB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IAED,gBAAgB;IAChB,gBAAgB,GAAG,IAAI,CAAC;IACxB,aAAa,GAAG,OAAO,CAAC,MAAM,IAAI,eAAe,CAAC;IAClD,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC;IAC9C,MAAM,oBAAoB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAClE,MAAM,uBAAuB,GAAG,8BAA8B,CAAC,OAAO,CAAC,CAAC;IAExE,uBAAuB,CAAC,GAAG,CAAC,CAAC;IAE7B,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC;IACxC,CAAC;IAED,oCAAoC;IACpC,IAAI,gBAAgB,EAAE,CAAC;QACrB,GAAG,CAAC,GAAG,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACnD,CAAC,CAAC,CACH,CAAC;QACF,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CACzC,CAAC;QACF,GAAG,CAAC,GAAG,CACL,4BAA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;YAC9B,CAAC;YACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;YACjD,IAAI,WAAW;gBAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;YAClD,4BAA4B,CAAC,KAAK,CAAC,CAAC;YACpC,IAAI,iBAAiB,CAAC,KAAK,CAAC;gBAAE,MAAM,eAAe,EAAE,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC,CAAC,CACH,CAAC;QAEF,MAAM,aAAa,GAAG,OAAO,CAAC,SAAS,IAAI,yBAAyB,EAAE,CAAC;QACvE,gBAAgB,GAAG;YACjB,SAAS,EAAE,aAAa;YACxB,GAAG,CAAC,OAAO,CAAC,SAAS;gBACnB,CAAC,CAAC,EAAE;gBACJ,CAAC,CAAC;oBACE,YAAY,EAAE,GAAG,EAAE,CAAC,yBAAyB,EAAE;iBAChD,CAAC;YACN,WAAW;YACX,oBAAoB;YACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;YAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;SACnE,CAAC;QACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,YAAY,GAAG,OAAO,CAAC;QACvB,GAAG,CAAC,GAA
G,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;QAErC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;YACnB,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;QAC3E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,uCAAuC;IACvC,IAAI,CAAC;QACH,MAAM,qBAAqB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;YACnB,OAAO,CAAC,GAAG,CACT,uEAAuE,CACxE,CAAC;IACN,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,kDAAkD,EAAE,GAAG,CAAC,CAAC;QACvE,uBAAuB,CAAC,GAAG,CAAC,CAAC;QAC7B,kEAAkE;QAClE,oEAAoE;QACpE,+DAA+D;QAC/D,MAAM,eAAe,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAC;QAC9D,gBAAgB,GAAG;YACjB,GAAG,eAAe;YAClB,WAAW;YACX,oBAAoB;YACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;YAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;SACnE,CAAC;QACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,YAAY,GAAG,OAAO,CAAC;QACvB,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CACT,4EAA4E,CAC7E,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,wCAAwC;AACxC,8EAA8E;AAE9E;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAU,EAAE,WAAmB;IACjE,KAAK,GAAG,CAAC;IACT,KAAK,WAAW,CAAC;IACjB,MAAM,IAAI,KAAK,CACb,iJAAiJ,CAClJ,CAAC;AACJ,CAAC","sourcesContent":["import crypto from \"node:crypto\";\nimport {\n defineEventHandler,\n getMethod,\n getQuery,\n getRequestIP,\n setResponseHeader,\n setResponseStatus,\n getCookie,\n setCookie,\n deleteCookie,\n getHeader,\n} from \"h3\";\nimport type { H3Event } from \"h3\";\nimport type { H3AppShim } from \"./framework-request-handler.js\";\nimport { EMBED_START_PATH } from \"../shared/embed-auth.js\";\nimport { EMBED_TARGET_HEADER } from \"../shared/embed-auth.js\";\nimport {\n resolveEmbedSessionFromRequest,\n requestHasEmbedAuthMarker,\n} from \"./embed-session.js\";\nimport {\n EMBED_TRANSPLANT_HEADER,\n isMcpEmbedCorsOrigin,\n MCP_EMBED_CORS_ALLOW_HEADERS,\n shouldAllowMcpEmbedCredentials,\n} from \"../shared/mcp-embed-headers.js\";\n\n// In h3 v2, `event.req` IS the web Request — but in Nitro's dev server (srvx\n// runtime), event.url and event.req share the same underlying URL object.\n// When registerMiddleware strips the mount 
prefix from event.url.pathname, it\n// also mutates event.req.url (NodeRequestURL setter updates nodeReq.url).\n// Better Auth's router uses new URL(request.url).pathname to extract the\n// sub-route, so it must receive the original full URL — not the stripped one.\n// registerMiddleware saves the original pathname in event.context so we can\n// reconstruct a fresh Request with the correct URL here.\nfunction toWebRequest(event: H3Event): Request {\n const req = (event as any).req as Request;\n const ctx = (event as any).context as\n | { _mountedPathname?: string; _mountPrefix?: string }\n | undefined;\n if (ctx?._mountedPathname && ctx._mountPrefix) {\n try {\n const url = new URL(req.url);\n const mountedPathname = stripAppBasePath(ctx._mountedPathname);\n if (url.pathname !== mountedPathname) {\n url.pathname = mountedPathname;\n const method = req.method.toUpperCase();\n const hasBody = method !== \"GET\" && method !== \"HEAD\";\n return new Request(url.href, {\n method: req.method,\n headers: req.headers,\n // Body may already be partially consumed; pass through as-is.\n // GET/HEAD cannot have a body — omit to avoid spec errors.\n ...(hasBody ? 
{ body: req.body, duplex: \"half\" } : {}),\n } as any);\n }\n } catch {\n // URL reconstruction failed — fall through and use original req.\n }\n }\n return req;\n}\n\ntype H3App = H3AppShim;\nimport {\n getDbExec,\n isPostgres,\n intType,\n retryOnDdlRace,\n describeDbError,\n} from \"../db/client.js\";\nimport { getBetterAuth, getBetterAuthSync } from \"./better-auth-instance.js\";\nimport type { BetterAuthConfig } from \"./better-auth-instance.js\";\nimport {\n getAllowedCorsOrigin,\n readCorsAllowedOrigins,\n} from \"./cors-origins.js\";\nimport {\n getOnboardingHtml,\n getResetPasswordHtml,\n type OnboardingHtmlOptions,\n} from \"./onboarding-html.js\";\nimport type { GoogleAuthMode } from \"./google-auth-mode.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n readDesktopSso,\n writeDesktopSso,\n clearDesktopSso,\n} from \"./desktop-sso.js\";\nimport {\n isElectron as isElectronRequest,\n getAppBasePath,\n getAppUrl,\n getOrigin,\n encodeOAuthState,\n decodeOAuthState,\n createOAuthSession,\n oauthCallbackResponse,\n oauthErrorPage,\n resolveOAuthRedirectUri,\n isAllowedOAuthRedirectUri,\n} from \"./google-oauth.js\";\nimport { safeOAuthReturnUrl } from \"./oauth-return-url.js\";\nimport { captureAuthError } from \"./sentry.js\";\nimport { extractOAuthStateAppId } from \"../shared/oauth-state.js\";\nimport { isValidWorkspaceAppIdFormat } from \"../shared/workspace-app-id.js\";\nimport {\n AGENT_NATIVE_SOCIAL_IMAGE_ALT,\n AGENT_NATIVE_SOCIAL_IMAGE_HEIGHT,\n AGENT_NATIVE_SOCIAL_IMAGE_PATH,\n AGENT_NATIVE_SOCIAL_IMAGE_TYPE,\n AGENT_NATIVE_SOCIAL_IMAGE_WIDTH,\n withAgentNativeSocialImageCacheBuster,\n} from \"../shared/social-meta.js\";\nimport { DEFAULT_SSR_CACHE_HEADERS } from \"../shared/cache-control.js\";\nimport {\n normalizeWorkspaceAppAudience,\n workspaceAppAudienceFromEnv,\n workspaceAppRouteAccessFromEnv,\n type WorkspaceAppAudience,\n} from \"../shared/workspace-app-audience.js\";\nimport { resolveAuthCookieNamespace } from 
\"./cookie-namespace.js\";\nimport {\n BUILDER_CONNECT_OWNER_COOKIE,\n BUILDER_CONNECT_PARAM,\n BUILDER_STATE_PARAM,\n verifyBuilderCallbackStateAndGetOwner,\n verifyBuilderConnectTokenAndGetOwner,\n} from \"./builder-browser.js\";\nimport { putSetting } from \"../settings/store.js\";\n// Pure env-read feature switch from a leaf module (no dependency back on\n// auth.ts), so the guard and the SSO route handler share one validator and\n// can never disagree about whether federated SSO is enabled.\nimport { isIdentitySsoEnabled } from \"./identity-sso-store.js\";\n\n/**\n * Get the configured session max age. Desktop SSO broker writes from\n * OAuth flows read this so expiration stays consistent with the cookie.\n */\nexport function getSessionMaxAge(): number {\n return sessionMaxAge;\n}\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface AuthSession {\n email: string;\n userId?: string;\n token?: string;\n /** Display name from the auth provider, when available (Better Auth user.name). */\n name?: string;\n /** Profile image from the auth provider, when available. */\n image?: string;\n /** Active organization ID (resolved by getOrgContext from the framework's org_members table + the user's active-org-id setting; NOT the Better Auth organization plugin, which is intentionally not registered) */\n orgId?: string;\n /** User's role in the active organization (owner/admin/member) */\n orgRole?: string;\n}\n\nexport interface AuthOptions {\n /** Session max age in seconds. 
Default: 30 days */\n maxAge?: number;\n /**\n * Custom getSession implementation (for BYOA — Auth.js, Clerk, etc.).\n * When provided, Better Auth is bypassed entirely.\n */\n getSession?: (event: H3Event) => Promise<AuthSession | null>;\n /**\n * Paths that are accessible without authentication.\n * Supports prefix matching: \"/book\" matches /book/anything.\n * Both page routes and API routes can be made public.\n */\n publicPaths?: string[];\n /**\n * Workspace-level audience for the app.\n *\n * \"internal\" keeps the existing behavior: every app page requires an\n * authenticated workspace member unless listed in publicPaths.\n *\n * \"public\" lets unauthenticated visitors load page routes, while framework\n * and API routes remain protected unless explicitly listed in publicPaths.\n */\n workspaceAppAudience?: WorkspaceAppAudience;\n /**\n * Workspace app page paths that anonymous visitors can load.\n * Uses the same prefix matching as publicPaths, but only for page routes:\n * framework, API, and .well-known routes stay protected.\n */\n workspaceAppPublicPaths?: string[];\n /**\n * Workspace app page paths that still require auth when the app audience is\n * public. Useful for public sites with login-only admin/management pages.\n */\n workspaceAppProtectedPaths?: string[];\n /**\n * Custom login page HTML. When provided, this HTML is served to\n * unauthenticated page requests instead of the built-in login form.\n * Use this for custom login flows (e.g., \"Sign in with Google\" button).\n */\n loginHtml?: string;\n /**\n * Hide email/password forms on the built-in login page and show only the\n * Google sign-in button. Use this for templates (mail, calendar) where\n * Google connection is required anyway. 
Has no effect when `loginHtml`\n * is provided.\n */\n googleOnly?: boolean;\n /**\n * Mount the framework's generic Google sign-in routes.\n *\n * Set this to false when a template owns `/_agent-native/google/auth-url`\n * and `/_agent-native/google/callback` itself because it needs broader\n * product scopes and persisted API tokens, not just identity sign-in.\n */\n mountGoogleOAuthRoutes?: boolean;\n /**\n * Additional Google OAuth scopes to request beyond the default identity\n * scopes (`openid`, `email`, `profile`). When set, Better Auth's Google\n * social provider asks for these up front, requests a refresh token\n * (`access_type=offline`), and forces the consent screen so the refresh\n * token is reissued on every sign-in.\n *\n * Tokens land in Better Auth's `account` table, and a database hook\n * mirrors them into `oauth_tokens` so template code (mail's Gmail client,\n * calendar's events fetcher, etc.) can pick them up without a separate\n * \"Connect Google\" round-trip.\n *\n * Example for the mail template:\n * ```ts\n * googleScopes: [\n * \"https://www.googleapis.com/auth/gmail.readonly\",\n * \"https://www.googleapis.com/auth/gmail.send\",\n * ],\n * ```\n */\n googleScopes?: string[];\n /**\n * Product marketing content shown alongside the sign-in form.\n * When provided, the page uses a split layout: marketing on the left,\n * sign-in form on the right.\n */\n marketing?: {\n appName: string;\n tagline: string;\n description?: string;\n features?: string[];\n runLocalCommand?: string;\n };\n /**\n * Optional host-scoped notice shown before the built-in Google sign-in\n * redirects to Google.\n */\n googleSignInNotice?: {\n host?: string;\n title: string;\n body: string | string[];\n continueLabel?: string;\n cancelLabel?: string;\n };\n /**\n * Google sign-in flow: `'popup'`, `'redirect'`, or `'auto'` (default).\n *\n * - `'auto'` — popup in normal browsers and Builder web iframes, redirect in\n * Electron and Builder desktop preview/editor 
surfaces.\n * - `'popup'` — force popup everywhere.\n * - `'redirect'` — force redirect everywhere.\n *\n * Falls back to the `GOOGLE_AUTH_MODE` env var, then `'auto'`.\n */\n googleAuthMode?: GoogleAuthMode;\n /**\n * Additional Better Auth configuration (social providers, plugins, etc.)\n */\n betterAuth?: BetterAuthConfig;\n}\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/**\n * Cookie name for the framework's session cookie.\n *\n * Browsers scope cookies by host (NOT host+port — RFC 6265), so two apps\n * running on different localhost ports share one cookie jar. When multiple\n * templates run side-by-side (eager repo dev, the desktop app, multi-template\n * deploys on a shared domain), they would otherwise stomp on each other's\n * `an_session` cookie and ping-pong each other into a logged-out state.\n *\n * When an isolated app slug is resolved, suffix the cookie so each app gets\n * its own slot.\n *\n * Workspace exception: in workspace mode (`AGENT_NATIVE_WORKSPACE=1`),\n * every app shares the same origin AND the same DB, and cross-app SSO is\n * the desired behavior — signing into Dispatch should mean you're signed\n * in across the workspace's other apps too. Per-app suffixes break that.\n * Use a single workspace-wide cookie so the legacy `an_session_*` token\n * flow set by `setFrameworkSessionCookie` (which the Builder OAuth popup\n * exchange relies on — see `desktop-exchange` and `oauthCallbackResponse`)\n * is recognised by every app in the workspace.\n *\n * Cross-subdomain exception: when `COOKIE_DOMAIN` is set for a custom domain,\n * use the unsuffixed `an_session` and emit `Domain=<COOKIE_DOMAIN>` so the\n * cookie is shared across every subdomain. 
First-party `*.agent-native.com`\n * apps are deliberately excluded from that behavior by default because each\n * hosted app has its own auth database; they use Dispatch identity federation\n * instead of a shared browser cookie.\n */\nconst AUTH_COOKIE_NAMESPACE = resolveAuthCookieNamespace();\n\n/**\n * When set, the framework session cookie is shared across every subdomain\n * matching this domain. Returns undefined when unset or deliberately ignored\n * for first-party hosted apps, so cookies stay scoped to the origin host.\n */\nexport function getCookieDomain(): string | undefined {\n return AUTH_COOKIE_NAMESPACE.frameworkCookieDomain;\n}\n\nexport const COOKIE_NAME = AUTH_COOKIE_NAMESPACE.frameworkCookieName;\nexport const BETTER_AUTH_COOKIE_PREFIX =\n AUTH_COOKIE_NAMESPACE.betterAuthCookiePrefix;\n\n/**\n * Cookie domain attribute spread into every `setCookie`/`deleteCookie`.\n * Empty when `COOKIE_DOMAIN` isn't set so the cookie stays scoped to the\n * single origin (current production default for non-first-party apps).\n */\nexport function cookieDomainAttrs(): { domain?: string } {\n const domain = getCookieDomain();\n return domain ? { domain } : {};\n}\n\nfunction getCookieValues(event: H3Event, name: string): string[] {\n const values: string[] = [];\n const raw = getHeader(event, \"cookie\");\n\n if (raw) {\n for (const part of String(raw).split(\";\")) {\n const trimmed = part.trim();\n if (!trimmed) continue;\n const eq = trimmed.indexOf(\"=\");\n if (eq <= 0) continue;\n if (trimmed.slice(0, eq).trim() !== name) continue;\n\n let value = trimmed.slice(eq + 1).trim();\n if (value.startsWith('\"') && value.endsWith('\"')) {\n value = value.slice(1, -1);\n }\n try {\n value = decodeURIComponent(value);\n } catch {\n // Keep the raw cookie value if it was not percent-encoded.\n }\n if (value && !values.includes(value)) values.push(value);\n }\n }\n\n // H3's cookie parser keeps only the first duplicate name. 
Preserve it as a\n // fallback for mock/runtime shapes that do not expose the raw Cookie header.\n const parsed = getCookie(event, name);\n if (parsed && !values.includes(parsed)) values.push(parsed);\n\n return values;\n}\n\nexport function getFrameworkSessionCookieValues(event: H3Event): string[] {\n return getFrameworkSessionCookieEntries(event).map((entry) => entry.value);\n}\n\nfunction getFrameworkSessionCookieEntries(\n event: H3Event,\n): Array<{ name: string; value: string }> {\n const entries: Array<{ name: string; value: string }> = [];\n const seenValues = new Set<string>();\n\n for (const name of frameworkSessionCookieNamesToClear()) {\n for (const value of getCookieValues(event, name)) {\n if (seenValues.has(value)) continue;\n seenValues.add(value);\n entries.push({ name, value });\n }\n }\n\n return entries;\n}\n\nfunction frameworkSessionCookieNamesToClear(): string[] {\n return AUTH_COOKIE_NAMESPACE.frameworkCookieNamesToClear;\n}\n\nfunction deleteCookieFromEveryScope(event: H3Event, name: string): void {\n // Clear host-only cookies first. 
Then clear any configured domain scope so\n // stale shared cookies stop shadowing isolated app sessions.\n deleteCookie(event, name, { path: \"/\" });\n for (const domain of AUTH_COOKIE_NAMESPACE.frameworkCookieDomainsToClear) {\n deleteCookie(event, name, { path: \"/\", domain });\n }\n}\n\nexport function clearFrameworkSessionCookies(event: H3Event): void {\n for (const name of frameworkSessionCookieNamesToClear()) {\n deleteCookieFromEveryScope(event, name);\n }\n}\n\nasync function getLegacyCookieSession(\n event: H3Event,\n): Promise<AuthSession | null> {\n for (const { name, value } of getFrameworkSessionCookieEntries(event)) {\n const email = await getSessionEmail(value);\n if (email) {\n if (name !== COOKIE_NAME) setFrameworkSessionCookie(event, value);\n return { email, token: value };\n }\n }\n return null;\n}\nfunction getOAuthStateAppId(): string | undefined {\n const raw = process.env.APP_NAME || process.env.npm_package_name;\n if (!raw) return undefined;\n const slug = raw\n .toLowerCase()\n .replace(/[^a-z0-9-]+/g, \"-\")\n .replace(/^-+|-+$/g, \"\");\n return slug || undefined;\n}\n\nfunction oauthDebugFlowId(flowId: unknown): string | undefined {\n return typeof flowId === \"string\" && flowId ? 
flowId.slice(-10) : undefined;\n}\n\nfunction oauthDebugUrlPath(value: unknown): string | undefined {\n if (typeof value !== \"string\" || !value) return undefined;\n try {\n const url = new URL(value);\n return url.pathname;\n } catch {\n return undefined;\n }\n}\n\nfunction isBuilderOAuthRequest(event: H3Event): boolean {\n const userAgent = getHeader(event, \"user-agent\") || \"\";\n const referer = getHeader(event, \"referer\") || \"\";\n return (\n /Electron/i.test(userAgent) ||\n /builder\\.(io|my)|builderio\\.(xyz|dev)|builder\\.codes/i.test(referer)\n );\n}\n\nfunction builderPreviewReturnOrigin(event: H3Event): string | undefined {\n const referer = getHeader(event, \"referer\") || \"\";\n if (!referer) return undefined;\n try {\n const url = new URL(referer);\n const hostname = url.hostname.toLowerCase();\n if (\n url.protocol === \"https:\" &&\n (hostname === \"builderio.xyz\" ||\n hostname.endsWith(\".builderio.xyz\") ||\n hostname === \"builderio.dev\" ||\n hostname.endsWith(\".builderio.dev\") ||\n hostname === \"builder.codes\" ||\n hostname.endsWith(\".builder.codes\") ||\n hostname === \"builder.my\" ||\n hostname.endsWith(\".builder.my\"))\n ) {\n return url.origin;\n }\n } catch {}\n return undefined;\n}\n\nfunction logGoogleOAuthDebug(\n event: H3Event,\n phase: string,\n details: Record<string, unknown> = {},\n): void {\n const { flowId, ...rest } = details;\n const reqUrl = event.node?.req?.url ?? event.path ?? 
\"\";\n const path = reqUrl.split(\"?\")[0] || undefined;\n const userAgent = getHeader(event, \"user-agent\") || \"\";\n const referer = getHeader(event, \"referer\") || \"\";\n console.info(\"[agent-native][google-oauth]\", {\n phase,\n app: getOAuthStateAppId(),\n path,\n flow: oauthDebugFlowId(flowId),\n electron: /Electron/i.test(userAgent),\n agentNativeDesktop: /AgentNativeDesktop/i.test(userAgent),\n builderReferrer:\n /builder\\.(io|my)|builderio\\.(xyz|dev)|builder\\.codes/i.test(referer),\n ...rest,\n });\n}\nconst DEFAULT_MAX_AGE = 60 * 60 * 24 * 30; // 30 days\n\n// ---------------------------------------------------------------------------\n// Environment helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Check if we're in a development/test environment.\n * Used for cookie security settings, not for auth bypass.\n */\nexport function isDevEnvironment(): boolean {\n const env = process.env.NODE_ENV;\n return env === \"development\" || env === \"test\";\n}\n\n/**\n * Validate a `?return=` URL for the /_agent-native/sign-in entrypoint.\n *\n * Parses the candidate against a sentinel base origin; any input that\n * resolves to a different origin (network-path references, absolute URLs,\n * `data:` / `javascript:` schemes, backslash-bypass tricks WHATWG normalises\n * to `//`) gets rejected and falls back to \"/\". Control characters are\n * stripped up front to defend against header-injection. 
Returns the\n * normalised path the parser produced — never the raw input.\n *\n * Exported for unit tests.\n */\nexport function safeReturnPath(raw: string | null | undefined): string {\n if (!raw) return \"/\";\n if (/[\\x00-\\x1f]/.test(raw)) return \"/\";\n try {\n const parsed = new URL(raw, \"http://safe-base.invalid\");\n if (parsed.origin !== \"http://safe-base.invalid\") return \"/\";\n return parsed.pathname + parsed.search + parsed.hash;\n } catch {\n return \"/\";\n }\n}\n\n/**\n * Return the configured login HTML for this request, or `null` when no auth\n * guard is installed. Used by the `/_agent-native/open` deep-link route to\n * serve the same sign-in form the auth guard would — at the original deep\n * link URL — so the login form's `window.location.replace(href)` success\n * handler reloads the same URL and the (now authenticated) open route\n * proceeds. Mirrors the rawPath/getLoginHtml resolution in the auth guard.\n */\nexport function getConfiguredLoginHtml(event: H3Event): string | null {\n const config = _authGuardConfig;\n if (!config) return null;\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n const queryStart = url.indexOf(\"?\");\n const rawPath = queryStart >= 0 ? url.slice(0, queryStart) : url;\n const loginHtml =\n config.getLoginHtml?.(event, rawPath) ?? config.loginHtml ?? null;\n return loginHtml ? 
injectLoginSocialImageMeta(loginHtml, event) : null;\n}\n\n/**\n * True only when the request originates from the local machine — the raw\n * socket peer is `127.0.0.0/8`, `::1`, or the IPv4-mapped `::ffff:127.0.0.1`\n * (an optional IPv6 zone id like `fe80::1%en0` is stripped first).\n *\n * `getRequestIP(event)` is called WITHOUT `{ xForwardedFor: true }`, so it\n * returns the real connection peer and never an attacker-controlled\n * `X-Forwarded-For` value — a remote client cannot spoof its way past this.\n * Used to scope local-only conveniences (the desktop SSO broker and the dev\n * auto-account) so a directly network-reachable dev server never exposes\n * them to a remote visitor. NOTE: a reverse proxy / tunnel that connects to\n * the dev server over localhost still appears as loopback, so this is a\n * necessary but not sufficient gate — callers pair it with NODE_ENV and,\n * for the dev account, a throwaway per-DB password.\n */\nexport function isLoopbackAddress(ip: string | undefined): boolean {\n // Strip an optional IPv6 zone id (e.g. \"fe80::1%en0\") before comparing.\n const normalised = (ip ?? \"\").split(\"%\")[0];\n return (\n normalised === \"127.0.0.1\" ||\n normalised === \"::1\" ||\n normalised === \"::ffff:127.0.0.1\" ||\n normalised.startsWith(\"127.\")\n );\n}\n\n/**\n * True when the request's actual socket peer is loopback. Uses\n * `getRequestIP(event)` WITHOUT `{ xForwardedFor: true }`, so it reflects the\n * real connecting IP and a remote client cannot spoof it via the `Host` /\n * `X-Forwarded-*` headers. Use this — not a parsed `Host`-header origin — for\n * any \"is this local dev?\" security gate (MCP/connect dev-open).\n */\nexport function isLoopbackRequest(event: H3Event): boolean {\n let ip: string | undefined;\n try {\n ip = getRequestIP(event) ?? 
undefined;\n } catch {\n ip = undefined;\n }\n return isLoopbackAddress(ip);\n}\n\n/**\n * Read the desktop-SSO broker file, but only if the request is plausibly\n * from the Electron desktop app *and* coming from the local machine.\n *\n * The broker file lives in the user's home directory and trusts the local\n * trust boundary — a non-loopback request that pretends to be Electron\n * via User-Agent must NEVER be allowed to read it. We additionally refuse\n * any read in production builds: the desktop app launches with\n * `NODE_ENV=development` (or unset), and any web-hosted production deploy\n * has no business consulting a per-user file on the server's homedir\n * even if one exists.\n *\n * Returns null when the safety checks fail or the file isn't present.\n */\nasync function readDesktopSsoSafely(\n event: H3Event,\n): Promise<Awaited<ReturnType<typeof readDesktopSso>>> {\n if (process.env.NODE_ENV === \"production\") return null;\n if (!isElectronRequest(event)) return null;\n if (!isLoopbackRequest(event)) return null;\n return await readDesktopSso();\n}\n\n/**\n * Extract the framework session token from a Better Auth response's\n * Set-Cookie headers, if any. Used by the password-reset path to skip\n * the freshly-minted session when revoking sibling sessions for the\n * user. Returns undefined if no session cookie was minted (the common\n * case — Better Auth's reset doesn't auto-sign-in by default).\n */\nfunction extractSessionTokenFromSetCookies(\n response: Response,\n): string | undefined {\n try {\n // Headers may have multiple Set-Cookie entries; iterate via getSetCookie\n // when available (Node 20+ / undici), else fall back to comma split.\n const headers = response.headers as Headers & {\n getSetCookie?: () => string[];\n };\n const setCookies =\n typeof headers.getSetCookie === \"function\"\n ? headers.getSetCookie()\n : (headers.get(\"set-cookie\") ?? 
\"\")\n .split(/,(?=[^;]+=)/)\n .map((s) => s.trim())\n .filter(Boolean);\n for (const sc of setCookies) {\n // Better Auth's session cookie name is configurable but defaults to\n // `<prefix>.session_token`. Match either the Better Auth default or\n // our COOKIE_NAME (`an_session`) on the same line.\n const match = sc.match(\n /(?:^|\\s|;)(an_session|[\\w.-]*session_token)=([^;]+)/i,\n );\n if (match) return match[2];\n }\n } catch {\n // Best-effort; treat as no token.\n }\n return undefined;\n}\n\n// ---------------------------------------------------------------------------\n// ACCESS_TOKEN resolution\n// ---------------------------------------------------------------------------\n\nfunction getAccessTokens(): string[] {\n const single = process.env.ACCESS_TOKEN;\n const multi = process.env.ACCESS_TOKENS;\n const tokens: string[] = [];\n if (single) tokens.push(single);\n if (multi) {\n for (const t of multi.split(\",\")) {\n const trimmed = t.trim();\n if (trimmed && !tokens.includes(trimmed)) tokens.push(trimmed);\n }\n }\n return tokens;\n}\n\nfunction getBearerSessionToken(event: H3Event): string | undefined {\n const auth = getHeader(event, \"authorization\");\n if (!auth) return undefined;\n const match = /^Bearer\\s+(.+)$/i.exec(auth.trim());\n return match?.[1]?.trim() || undefined;\n}\n\nasync function getBearerLegacySession(\n event: H3Event,\n): Promise<AuthSession | null> {\n const bearerToken = getBearerSessionToken(event);\n if (!bearerToken) return null;\n const email = await getSessionEmail(bearerToken);\n return email ? { email, token: bearerToken } : null;\n}\n\n/**\n * Verify a connect-minted MCP OAuth access token presented as\n * `Authorization: Bearer <jwt>` and resolve it to a session.\n *\n * `agent-native connect` mints this token for the local Plans publish flow and\n * POSTs it to the HOSTED action route\n * `/_agent-native/actions/import-visual-plan-source`. 
That token is audience-\n * bound to the app's MCP resource (`{appUrl}/_agent-native/mcp`), not to the\n * legacy `sessions` table — so the legacy bearer lookup above never matches it.\n * Reuse the MCP surface's canonical `verifyAuth` here so the HTTP action surface\n * honors EXACTLY the tokens the MCP endpoint honors: same signature check, same\n * audience binding to THIS app's resource, same connect-token revocation gate.\n * It resolves to the same `{ userEmail, orgId }` identity the MCP path uses, so\n * downstream `accessFilter` / ownable-data scoping is identical.\n *\n * `allowDevOpen: false` and the `userEmail` guard ensure an invalid token (or a\n * bare ACCESS_TOKEN with no owner hint) never escalates to an unauthenticated\n * or unscoped identity on this path — it strictly adds acceptance of verified,\n * audience-bound caller tokens, nothing more.\n */\nasync function getMcpOAuthBearerSession(\n event: H3Event,\n): Promise<AuthSession | null> {\n const authHeader = getHeader(event, \"authorization\");\n if (!authHeader) return null;\n const bearerToken = getBearerSessionToken(event);\n if (!bearerToken) return null;\n\n try {\n const [{ getMcpOAuthResource }, { verifyAuth, resolveOrgIdFromDomain }] =\n await Promise.all([\n import(\"../mcp/oauth-route.js\"),\n import(\"../mcp/build-server.js\"),\n ]);\n const result = await verifyAuth(authHeader, undefined, {\n resourceUrl: getMcpOAuthResource(event),\n allowDevOpen: false,\n });\n const identity = result.authed ? result.identity : undefined;\n if (!identity?.userEmail) return null;\n const orgId =\n identity.orgId ?? (await resolveOrgIdFromDomain(identity.orgDomain));\n return {\n email: identity.userEmail,\n token: bearerToken,\n ...(orgId ? 
{ orgId } : {}),\n };\n } catch (e) {\n console.error(\"[auth] MCP OAuth bearer verification error:\", e);\n return null;\n }\n}\n\nfunction isFrameworkActionRoute(event: H3Event): boolean {\n const { rawPath } = getRequestPathAndSearch(event);\n const path = stripAppBasePath(rawPath);\n return (\n path === \"/_agent-native/actions\" ||\n path.startsWith(\"/_agent-native/actions/\")\n );\n}\n\n/**\n * Resolve an `Authorization: Bearer` token to a session: first the legacy\n * `sessions` table (desktop/native persisted tokens), then, only on the\n * framework HTTP action surface, a connect-minted MCP OAuth access token (the\n * local Plans publish credential).\n */\nasync function getBearerSession(event: H3Event): Promise<AuthSession | null> {\n const legacy = await getBearerLegacySession(event);\n if (legacy) return legacy;\n if (!isFrameworkActionRoute(event)) return null;\n return getMcpOAuthBearerSession(event);\n}\n\nfunction shouldExposeSessionTokenInBody(event: H3Event): boolean {\n const origin = getHeader(event, \"origin\");\n if (origin && DESKTOP_AUTH_TOKEN_BODY_ORIGINS.has(origin)) return true;\n\n // Some native WebViews do not consistently emit an Origin header for\n // programmatic fetches. The desktop app marks same-server requests with\n // X-Request-Source; browsers can only use that cross-origin after our CORS\n // allowlist has approved the origin, and same-origin pages already receive\n // an equivalent httpOnly session cookie on successful login.\n return !origin && getHeader(event, \"x-request-source\") === \"clips-desktop\";\n}\n\nfunction authLoginResponse(\n event: H3Event,\n token: string,\n email?: string,\n): { ok: true; token?: string; email?: string } {\n if (!shouldExposeSessionTokenInBody(event)) return { ok: true };\n return email ? { ok: true, token, email } : { ok: true, token };\n}\n\n/**\n * Bad-credential / already-registered errors are normal user behavior, not\n * bugs we want to investigate. 
Filtering them out keeps Sentry signal\n * actionable — a real anomaly (DB error, Better Auth init crash, missing\n * table) shows up clearly because it doesn't match any of these patterns.\n */\nconst EXPECTED_AUTH_FAILURE_PATTERNS: RegExp[] = [\n /invalid\\s+(email|password|credentials)/i,\n /password.*incorrect/i,\n /user\\s+(not\\s+found|already\\s+exists)/i,\n /email\\s+already/i,\n /already\\s+(exists|registered|in\\s+use)/i,\n /not\\s+verified/i,\n];\n\nexport function isExpectedAuthFailure(error: unknown): boolean {\n const msg = (error as { message?: unknown })?.message;\n if (typeof msg !== \"string\") return false;\n return EXPECTED_AUTH_FAILURE_PATTERNS.some((re) => re.test(msg));\n}\n\n// ---------------------------------------------------------------------------\n// Legacy session store — kept for backward compat (addSession/getSessionEmail)\n// Used by google-oauth.ts for mobile deep linking session creation.\n// ---------------------------------------------------------------------------\n\nlet _sessionInitPromise: Promise<void> | undefined;\nlet sessionMaxAge = DEFAULT_MAX_AGE;\n\nasync function ensureSessionTable(): Promise<void> {\n if (!_sessionInitPromise) {\n _sessionInitPromise = (async () => {\n const client = getDbExec();\n await retryOnDdlRace(() =>\n client.execute(`\n CREATE TABLE IF NOT EXISTS sessions (\n token TEXT PRIMARY KEY,\n email TEXT,\n created_at ${intType()} NOT NULL\n )\n `),\n );\n try {\n await client.execute(`ALTER TABLE sessions ADD COLUMN email TEXT`);\n } catch {\n // Column already exists\n }\n })().catch((err) => {\n // Don't cache the rejection — let the next caller retry a fresh init.\n _sessionInitPromise = undefined;\n throw err;\n });\n }\n return _sessionInitPromise;\n}\n\n/**\n * Re-run any `sessions`-table op once if Postgres reports the relation is\n * missing. Covers the case where a prior `ensureSessionTable()` resolved but\n * the table wasn't actually present (e.g. 
a race where the CREATE was dropped\n * on a reused pool connection, or a cached resolved promise from a prior\n * DB URL). Forces a fresh init, then retries the caller's op.\n */\nasync function retryIfSessionsMissing<T>(op: () => Promise<T>): Promise<T> {\n try {\n return await op();\n } catch (e: any) {\n if (e?.code !== \"42P01\") throw e;\n const msg = String(e?.message ?? \"\");\n if (!msg.includes(\"sessions\")) throw e;\n _sessionInitPromise = undefined;\n await ensureSessionTable();\n return await op();\n }\n}\n\n/**\n * Create a new session in the legacy sessions table.\n * Used by google-oauth.ts for mobile deep linking.\n */\nexport async function addSession(token: string, email?: string): Promise<void> {\n await ensureSessionTable();\n const client = getDbExec();\n await retryIfSessionsMissing(() =>\n client.execute({\n sql: isPostgres()\n ? `INSERT INTO sessions (token, email, created_at) VALUES (?, ?, ?) ON CONFLICT (token) DO UPDATE SET email=EXCLUDED.email, created_at=EXCLUDED.created_at`\n : `INSERT OR REPLACE INTO sessions (token, email, created_at) VALUES (?, ?, ?)`,\n args: [token, email ?? null, Date.now()],\n }),\n );\n}\n\n/** Remove a session from the legacy sessions table. 
*/\nexport async function removeSession(token: string): Promise<void> {\n await ensureSessionTable();\n const client = getDbExec();\n await retryIfSessionsMissing(() =>\n client.execute({\n sql: `DELETE FROM sessions WHERE token = ?`,\n args: [token],\n }),\n );\n}\n\n/**\n * Look up the email associated with a legacy session token.\n * Returns null if the session doesn't exist, is expired, or has no email.\n */\nexport async function getSessionEmail(token: string): Promise<string | null> {\n await ensureSessionTable();\n const client = getDbExec();\n const { rows } = await retryIfSessionsMissing(() =>\n client.execute({\n sql: `SELECT email, created_at FROM sessions WHERE token = ?`,\n args: [token],\n }),\n );\n if (rows.length === 0) return null;\n const createdAt = rows[0].created_at as number;\n if (Date.now() - createdAt > sessionMaxAge * 1000) {\n await client.execute({\n sql: `DELETE FROM sessions WHERE token = ?`,\n args: [token],\n });\n return null;\n }\n return (rows[0].email as string) ?? null;\n}\n\n// ---------------------------------------------------------------------------\n// getSession — the auth contract\n// ---------------------------------------------------------------------------\n\nlet customGetSession: ((event: H3Event) => Promise<AuthSession | null>) | null =\n null;\n\n/**\n * Mutable config for the auth guard. 
Stored separately from the guard function\n * so that a custom auth plugin can update the login HTML / public paths even\n * after the default plugin has already installed the middleware (a race that\n * occurs in production serverless environments where the default plugin is\n * auto-mounted before the template's custom auth plugin runs).\n */\ninterface AuthGuardConfig {\n loginHtml: string;\n getLoginHtml?: (event: H3Event, rawPath: string) => string;\n publicPaths: string[];\n workspaceAppAudience: WorkspaceAppAudience;\n workspaceAppPublicPaths: string[];\n workspaceAppProtectedPaths: string[];\n}\nlet _authGuardConfig: AuthGuardConfig | null = null;\nconst _genericGoogleOAuthRoutesEnabled = new WeakMap<object, boolean>();\n\nfunction getRequestHost(event: H3Event): string | undefined {\n return (\n getHeader(event, \"x-forwarded-host\") ??\n getHeader(event, \"host\") ??\n undefined\n );\n}\n\nfunction getOnboardingHtmlOptions(\n options: AuthOptions,\n event?: H3Event,\n rawPath?: string,\n): OnboardingHtmlOptions {\n return {\n googleOnly: options.googleOnly,\n marketing: options.marketing,\n googleSignInNotice: options.googleSignInNotice,\n googleAuthMode: options.googleAuthMode,\n requestHost: event ? getRequestHost(event) : undefined,\n requestPath: rawPath,\n requestOrigin: event ? 
getOrigin(event) : undefined,\n };\n}\n\nfunction getAuthOnboardingHtml(\n options: AuthOptions,\n event?: H3Event,\n rawPath?: string,\n): string {\n return getOnboardingHtml(getOnboardingHtmlOptions(options, event, rawPath));\n}\n\nfunction getOnboardingLoginHtmlConfig(\n options: AuthOptions,\n): Pick<AuthGuardConfig, \"loginHtml\" | \"getLoginHtml\"> {\n if (options.loginHtml) return { loginHtml: options.loginHtml };\n return {\n loginHtml: getAuthOnboardingHtml(options),\n getLoginHtml: (event, rawPath) =>\n getAuthOnboardingHtml(options, event, rawPath),\n };\n}\n\nfunction resolveWorkspaceAppAudience(\n options: Pick<AuthOptions, \"workspaceAppAudience\"> = {},\n): WorkspaceAppAudience {\n return normalizeWorkspaceAppAudience(\n options.workspaceAppAudience ?? workspaceAppAudienceFromEnv(),\n );\n}\n\nfunction resolveWorkspaceAppRouteAccess(\n options: Pick<\n AuthOptions,\n \"workspaceAppPublicPaths\" | \"workspaceAppProtectedPaths\"\n > = {},\n): { publicPaths: string[]; protectedPaths: string[] } {\n const env = workspaceAppRouteAccessFromEnv();\n return {\n publicPaths: options.workspaceAppPublicPaths ?? env.publicPaths,\n protectedPaths: options.workspaceAppProtectedPaths ?? 
env.protectedPaths,\n };\n}\n\nfunction setGenericGoogleOAuthRoutesEnabled(\n app: H3App,\n enabled: boolean,\n): void {\n if (app && typeof app === \"object\") {\n _genericGoogleOAuthRoutesEnabled.set(app, enabled);\n }\n}\n\nfunction areGenericGoogleOAuthRoutesEnabled(app: H3App): boolean {\n return _genericGoogleOAuthRoutesEnabled.get(app as object) !== false;\n}\n\n// Desktop OAuth exchange store — holds session tokens keyed by a unique flow\n// ID so native apps (Tauri, Electron) that open OAuth in the system browser\n// can retrieve the token after the callback completes on the server.\n//\n// Primary: in-memory Map (fast, works for single-instance dev/preview builds).\n// Fallback: sessions table with a \"dex:\" prefixed key for cross-instance\n// durability (Cloudflare Workers, multi-region deployments). The value stored\n// in the `email` column is \"{realToken}::{userEmail}\" so both can be recovered\n// from a single DB lookup.\nexport interface DesktopExchangeErrorPayload {\n message: string;\n code?: string;\n accountId?: string;\n existingOwner?: string;\n attemptedOwner?: string;\n}\n\ntype DesktopExchangeEntry =\n | { token: string; email: string; expiresAt: number }\n | { error: DesktopExchangeErrorPayload; expiresAt: number };\ntype DesktopExchangeStoredEntry =\n | { token: string; email: string }\n | { error: DesktopExchangeErrorPayload };\n\nconst _desktopExchanges = new Map<string, DesktopExchangeEntry>();\nconst DESKTOP_EXCHANGE_ERROR_PREFIX = \"__error__::\";\nconst DESKTOP_AUTH_TOKEN_BODY_ORIGINS = new Set([\n \"tauri://localhost\",\n \"http://localhost:1420\",\n]);\n\n// 5-minute TTL for exchange entries (short — single-use tokens).\nconst DESKTOP_EXCHANGE_TTL_MS = 5 * 60 * 1000;\n\nexport function setDesktopExchange(\n flowId: string,\n token: string,\n email: string,\n) {\n _desktopExchanges.set(flowId, {\n token,\n email,\n expiresAt: Date.now() + DESKTOP_EXCHANGE_TTL_MS,\n });\n // Persist to DB so the token survives cross-instance 
routing (e.g. when\n // templates call this helper directly instead of going through the OAuth\n // callback path).\n void persistDesktopExchangeToDB(flowId, token, email);\n}\n\nexport function setDesktopExchangeError(\n flowId: string,\n error: DesktopExchangeErrorPayload,\n) {\n _desktopExchanges.set(flowId, {\n error,\n expiresAt: Date.now() + DESKTOP_EXCHANGE_TTL_MS,\n });\n void persistDesktopExchangeErrorToDB(flowId, error);\n}\n\n/**\n * Persist a desktop exchange entry to the sessions table so it survives\n * cross-instance routing (e.g. Cloudflare Workers). Stored under a synthetic\n * token key \"dex:{flowId}\"; the `email` column packs both the real session\n * token and the user email so they can be recovered in one query.\n * Non-fatal — if the DB isn't ready yet the in-memory Map still works for\n * same-instance requests.\n */\nasync function persistDesktopExchangeToDB(\n flowId: string,\n token: string,\n email: string,\n): Promise<void> {\n try {\n await addSession(`dex:${flowId}`, `${token}::${email}`);\n } catch {\n // non-fatal — in-memory Map is the primary path\n }\n}\n\nasync function persistDesktopExchangeErrorToDB(\n flowId: string,\n error: DesktopExchangeErrorPayload,\n): Promise<void> {\n try {\n const payload = Buffer.from(JSON.stringify(error)).toString(\"base64url\");\n await addSession(\n `dex:${flowId}`,\n `${DESKTOP_EXCHANGE_ERROR_PREFIX}${payload}`,\n );\n } catch {\n // non-fatal — in-memory Map is the primary path\n }\n}\n\n/**\n * Retrieve and consume a desktop exchange entry from the DB fallback.\n * Returns null if not found or already consumed.\n */\nasync function consumeDesktopExchangeFromDB(\n flowId: string,\n): Promise<DesktopExchangeStoredEntry | null> {\n try {\n // Atomic DELETE...RETURNING prevents token replay: two concurrent polls\n // cannot both retrieve the token because only one DELETE will match the row.\n // SQLite ≥3.35 and PostgreSQL both support this syntax.\n // The created_at predicate enforces the 
5-minute TTL so stale DB entries\n // (e.g. the desktop app never polled) are rejected rather than silently\n // redeemed with the session table's default 30-day TTL.\n const client = getDbExec();\n const { rows } = await client.execute({\n sql: `DELETE FROM sessions WHERE token = ? AND created_at > ? RETURNING email`,\n args: [`dex:${flowId}`, Date.now() - DESKTOP_EXCHANGE_TTL_MS],\n });\n if (rows.length === 0) return null;\n const packed = (rows[0].email ?? rows[0][0]) as string | null;\n if (!packed) return null;\n if (packed.startsWith(DESKTOP_EXCHANGE_ERROR_PREFIX)) {\n const raw = packed.slice(DESKTOP_EXCHANGE_ERROR_PREFIX.length);\n return {\n error: JSON.parse(Buffer.from(raw, \"base64url\").toString()),\n };\n }\n const sepIdx = packed.indexOf(\"::\");\n if (sepIdx === -1) return null;\n return { token: packed.slice(0, sepIdx), email: packed.slice(sepIdx + 2) };\n } catch {\n return null;\n }\n}\n\nsetInterval(() => {\n const now = Date.now();\n for (const [k, v] of _desktopExchanges) {\n if (v.expiresAt < now) _desktopExchanges.delete(k);\n }\n}, 60_000).unref?.();\n\n/**\n * Module-level auth guard function. Set by autoMountAuth() when auth is active.\n * Called by the server middleware to enforce auth on ALL requests (not just\n * /_agent-native/* routes).\n */\nlet _authGuardFn:\n | ((event: H3Event) => Promise<Response | object | string | void>)\n | null = null;\n\n/**\n * The H3 app the auth routes + guard were last mounted on. Module-level\n * state survives Vite HMR restarts, but each HMR cycle creates a fresh\n * nitroApp/H3 instance whose middleware array is empty again. Tracking the\n * app here lets autoMountAuth detect \"same module state, new app\" and\n * re-mount routes instead of silently skipping them because `_authGuardFn`\n * looks populated from a previous cycle.\n */\nlet _mountedApp: H3App | null = null;\n\n/**\n * Run the auth guard on an event. 
Returns a Response/object to block the\n * request (login page or 401), or undefined to allow it through.\n *\n * Called by the default server middleware (server/middleware/auth.ts) to\n * enforce auth on page routes and API routes — not just framework routes.\n */\nexport async function runAuthGuard(\n event: H3Event,\n): Promise<Response | object | string | void> {\n if (!_authGuardFn) return; // Auth not mounted (local mode, etc.)\n return _authGuardFn(event);\n}\n\n// ---------------------------------------------------------------------------\n// Auth guard factory\n// ---------------------------------------------------------------------------\n\n/**\n * Create an auth guard function that checks session and blocks\n * unauthenticated requests. Returns the login HTML for page routes\n * or a 401 JSON response for API routes.\n *\n * Reads loginHtml and publicPaths from _authGuardConfig on every request\n * so that a custom plugin can update them after the default has already\n * installed this middleware (the production race condition fix).\n */\nfunction applyCorsHeaders(event: H3Event): {\n hasOrigin: boolean;\n allowed: boolean;\n} {\n // Framework-level CORS. The auth guard runs before any of the app's own\n // route handlers, so we need to set CORS here too — otherwise a 401\n // response would be missing the Allow-Origin header and the browser\n // blocks the response body (making it look like a network error\n // rather than \"unauthenticated\").\n const origin = getHeader(event, \"origin\");\n if (!origin) return { hasOrigin: false, allowed: true };\n const requestedHeaders = String(\n getHeader(event, \"access-control-request-headers\") ?? 
\"\",\n )\n .toLowerCase()\n .split(\",\")\n .map((header) => header.trim());\n const mcpEmbedCorsRequest =\n isMcpEmbedCorsOrigin(origin) &&\n (requestHasEmbedAuthMarker(event) ||\n requestedHeaders.includes(EMBED_TARGET_HEADER.toLowerCase()) ||\n requestedHeaders.includes(EMBED_TRANSPLANT_HEADER) ||\n Boolean(getHeader(event, EMBED_TARGET_HEADER)) ||\n Boolean(getHeader(event, EMBED_TRANSPLANT_HEADER)) ||\n Boolean(getHeader(event, \"authorization\")));\n const allowedOrigin = getAllowedCorsOrigin(origin, {\n allowedOrigins: readCorsAllowedOrigins(),\n allowLocalhostWhenNoAllowlist: true,\n });\n const responseOrigin = mcpEmbedCorsRequest ? origin : allowedOrigin;\n if (!responseOrigin) return { hasOrigin: true, allowed: false };\n setResponseHeader(event, \"Access-Control-Allow-Origin\", responseOrigin);\n setResponseHeader(event, \"Vary\", \"Origin\");\n if (!mcpEmbedCorsRequest || shouldAllowMcpEmbedCredentials(responseOrigin)) {\n setResponseHeader(event, \"Access-Control-Allow-Credentials\", \"true\");\n }\n setResponseHeader(\n event,\n \"Access-Control-Allow-Methods\",\n \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n );\n setResponseHeader(\n event,\n \"Access-Control-Allow-Headers\",\n mcpEmbedCorsRequest\n ? 
MCP_EMBED_CORS_ALLOW_HEADERS\n : [\n \"Content-Type\",\n \"Authorization\",\n \"X-Requested-With\",\n \"X-Request-Source\",\n \"X-Agent-Native-CSRF\",\n \"X-User-Timezone\",\n EMBED_TARGET_HEADER,\n ].join(\",\"),\n );\n return { hasOrigin: true, allowed: true };\n}\n\nfunction createAuthCorsHandler() {\n return defineEventHandler((event) => {\n const cors = applyCorsHeaders(event);\n if (getMethod(event) !== \"OPTIONS\") return;\n\n if (cors.hasOrigin && !cors.allowed) {\n setResponseStatus(event, 403);\n return \"\";\n }\n\n setResponseStatus(event, 204);\n return \"\";\n });\n}\n\nfunction mountAuthCorsMiddleware(app: H3App): void {\n const handler = createAuthCorsHandler();\n app.use(\"/_agent-native/auth\", handler);\n app.use(\"/_agent-native/google\", handler);\n}\n\nfunction isWorkspaceOAuthCallbackRelayEnabled(): boolean {\n return (\n process.env.AGENT_NATIVE_WORKSPACE === \"1\" ||\n process.env.VITE_AGENT_NATIVE_WORKSPACE === \"1\"\n );\n}\n\nfunction isFrameworkOAuthCallbackPath(pathname: string): boolean {\n return (\n pathname.startsWith(\"/_agent-native/\") &&\n (pathname.endsWith(\"/callback\") || pathname.includes(\"/callback/\"))\n );\n}\n\nfunction getRequestPathAndSearch(event: H3Event): {\n rawPath: string;\n search: string;\n} {\n const mountedPathname = (event as any).context?._mountedPathname;\n if (typeof mountedPathname === \"string\" && mountedPathname) {\n return { rawPath: mountedPathname, search: event.url?.search || \"\" };\n }\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n const queryStart = url.indexOf(\"?\");\n return {\n rawPath: queryStart >= 0 ? url.slice(0, queryStart) : url,\n search: queryStart >= 0 ? 
url.slice(queryStart) : \"\",\n };\n}\n\nfunction workspaceOAuthCallbackRelayResponse(\n event: H3Event,\n): Response | undefined {\n const { rawPath, search } = getRequestPathAndSearch(event);\n const normalizedPath = stripAppBasePath(rawPath);\n const basePath = getAppBasePath();\n if (\n !basePath ||\n !isWorkspaceOAuthCallbackRelayEnabled() ||\n !isFrameworkOAuthCallbackPath(normalizedPath) ||\n rawPath === `${basePath}/_agent-native` ||\n rawPath.startsWith(`${basePath}/_agent-native/`)\n ) {\n return undefined;\n }\n\n const state = new URLSearchParams(\n search.startsWith(\"?\") ? search.slice(1) : search,\n ).get(\"state\");\n const appId = extractOAuthStateAppId(state);\n if (\n !appId ||\n appId === getOAuthStateAppId() ||\n !isValidWorkspaceAppIdFormat(appId)\n ) {\n return undefined;\n }\n\n return new Response(\"\", {\n status: 302,\n headers: { Location: `/${appId}${normalizedPath}${search}` },\n });\n}\n\nfunction verifiedBuilderConnectOwnerFromUrl(url: string): string | null {\n const queryStart = url.indexOf(\"?\");\n if (queryStart < 0) return null;\n const token = new URLSearchParams(url.slice(queryStart + 1)).get(\n BUILDER_CONNECT_PARAM,\n );\n return verifyBuilderConnectTokenAndGetOwner(token);\n}\n\nfunction shouldBypassAuthForBuilderConnect(event: H3Event, p: string): boolean {\n if (p === \"/_agent-native/builder/connect\") {\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n return Boolean(verifiedBuilderConnectOwnerFromUrl(url));\n }\n\n if (p === \"/_agent-native/builder/callback\") {\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n const queryStart = url.indexOf(\"?\");\n const state =\n queryStart >= 0\n ? new URLSearchParams(url.slice(queryStart + 1)).get(\n BUILDER_STATE_PARAM,\n )\n : null;\n // The signed `_an_state` authenticates this specific Builder callback\n // flow back to our app. 
A stale localhost session cookie can otherwise\n // make the global guard reject the callback before the handler gets to\n // validate the state and owner. This only bypasses to the callback route;\n // the callback handler still verifies the signed owner / pending flow.\n if (verifyBuilderCallbackStateAndGetOwner(state)) return true;\n\n // The legacy owner cookie is broader and can be stale across shared\n // browser sessions, so keep it limited to the session-lost popup case.\n const hasSession = getFrameworkSessionCookieValues(event).length > 0;\n if (hasSession) return false;\n return Boolean(\n verifyBuilderConnectTokenAndGetOwner(\n getCookie(event, BUILDER_CONNECT_OWNER_COOKIE),\n ),\n );\n }\n\n return false;\n}\n\nconst LOGIN_OG_IMAGE_META_RE =\n /<meta\\b(?=[^>]*\\bproperty=([\"'])og:image\\1)[^>]*>/i;\nconst LOGIN_TWITTER_CARD_META_RE =\n /<meta\\b(?=[^>]*\\bname=([\"'])twitter:card\\1)[^>]*>/i;\nconst LOGIN_TWITTER_IMAGE_META_RE =\n /<meta\\b(?=[^>]*\\bname=([\"'])twitter:image\\1)[^>]*>/i;\n\nfunction escapeHtmlAttr(value: string): string {\n return value\n .replace(/&/g, \"&amp;\")\n .replace(/</g, \"&lt;\")\n .replace(/>/g, \"&gt;\")\n .replace(/\"/g, \"&quot;\");\n}\n\nfunction injectLoginSocialImageMeta(loginHtml: string, event: H3Event): string {\n const headCloseIdx = loginHtml.indexOf(\"</head>\");\n if (headCloseIdx === -1) return loginHtml;\n\n const hasAnySocialImage =\n LOGIN_OG_IMAGE_META_RE.test(loginHtml) ||\n LOGIN_TWITTER_IMAGE_META_RE.test(loginHtml);\n const imageUrl = escapeHtmlAttr(\n withAgentNativeSocialImageCacheBuster(\n getAppUrl(event, AGENT_NATIVE_SOCIAL_IMAGE_PATH),\n ),\n );\n const tags: string[] = [];\n\n if (!hasAnySocialImage) {\n tags.push(`<meta property=\"og:image\" content=\"${imageUrl}\">`);\n tags.push(`<meta property=\"og:image:secure_url\" content=\"${imageUrl}\">`);\n tags.push(\n `<meta property=\"og:image:type\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_TYPE}\">`,\n );\n tags.push(\n `<meta 
property=\"og:image:width\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_WIDTH}\">`,\n );\n tags.push(\n `<meta property=\"og:image:height\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_HEIGHT}\">`,\n );\n tags.push(\n `<meta property=\"og:image:alt\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_ALT}\">`,\n );\n }\n if (!LOGIN_TWITTER_CARD_META_RE.test(loginHtml)) {\n tags.push(`<meta name=\"twitter:card\" content=\"summary_large_image\">`);\n }\n if (!hasAnySocialImage) {\n tags.push(`<meta name=\"twitter:image\" content=\"${imageUrl}\">`);\n tags.push(\n `<meta name=\"twitter:image:alt\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_ALT}\">`,\n );\n }\n\n if (tags.length === 0) return loginHtml;\n return (\n loginHtml.slice(0, headCloseIdx) +\n tags.join(\"\") +\n loginHtml.slice(headCloseIdx)\n );\n}\n\nfunction loginHtmlResponse(loginHtml: string, event: H3Event): Response {\n return new Response(injectLoginSocialImageMeta(loginHtml, event), {\n status: 200,\n headers: {\n \"Content-Type\": \"text/html; charset=utf-8\",\n // The sign-in document is part of the public server shell. 
Keep it on the\n // same short-fresh/long-SWR CDN policy as React Router SSR so hosted\n // template roots do not invoke origin just to render anonymous login UI.\n // The login HTML is env-INDEPENDENT (a Google-only app always renders a\n // working button), so a cached copy is never \"wrong\" — never downgrade\n // this to private/no-store.\n ...DEFAULT_SSR_CACHE_HEADERS,\n \"X-Robots-Tag\": \"noindex, nofollow\",\n },\n });\n}\n\nfunction isHtmlDocumentRequest(event: H3Event, pathname: string): boolean {\n if (!isReadMethod(event)) return false;\n if (pathname.endsWith(\".data\")) return false;\n\n const fetchDest = getHeader(event, \"sec-fetch-dest\")?.toLowerCase();\n if (fetchDest === \"document\" || fetchDest === \"iframe\") return true;\n\n const accept = getHeader(event, \"accept\")?.toLowerCase();\n return !accept || accept.includes(\"text/html\") || accept.includes(\"*/*\");\n}\n\nfunction createAuthGuardFn(): (\n event: H3Event,\n) => Promise<Response | object | string | void> {\n return async (event: H3Event) => {\n const config = _authGuardConfig;\n if (!config) return;\n const { publicPaths } = config;\n\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n const queryStart = url.indexOf(\"?\");\n const rawPath = queryStart >= 0 ? url.slice(0, queryStart) : url;\n const loginHtml = config.getLoginHtml?.(event, rawPath) ?? config.loginHtml;\n const p = stripAppBasePath(rawPath);\n const normalizedUrl = queryStart >= 0 ? `${p}${url.slice(queryStart)}` : p;\n const callbackRelay = workspaceOAuthCallbackRelayResponse(event);\n if (callbackRelay) return callbackRelay;\n\n // Emit CORS headers on every request the guard sees so that even\n // error responses (401) reach the browser.\n const cors = applyCorsHeaders(event);\n // Preflight short-circuit: the browser sends OPTIONS before the real\n // credentialed request. 
Must return success without invoking auth.\n if (getMethod(event) === \"OPTIONS\") {\n if (cors.hasOrigin && !cors.allowed) {\n setResponseStatus(event, 403);\n return \"\";\n }\n setResponseStatus(event, 204);\n return \"\";\n }\n\n // Skip auth routes and specific Google OAuth endpoints that must be public\n // (callback and auth-url). Other Google endpoints like /status require auth.\n if (\n p.startsWith(\"/_agent-native/auth/\") ||\n p === \"/_agent-native/google/callback\" ||\n p === \"/_agent-native/google/auth-url\" ||\n p === \"/_agent-native/google/add-account/callback\"\n ) {\n return;\n }\n\n // The deep-link route resolves the *browser* session itself and serves\n // the sign-in form inline when unauthenticated (so the post-login reload\n // returns to the same deep link). It must bypass the guard's blanket\n // 401-for-/_agent-native/* so an external-agent \"Open in … →\" link\n // clicked in any browser/webview lands correctly.\n if (p === \"/_agent-native/open\" || p === EMBED_START_PATH) {\n return;\n }\n\n // Integration webhook endpoints verify authenticity via platform-specific\n // signature verification (Slack HMAC, Telegram token, etc.), not sessions.\n if (/^\\/_agent-native\\/integrations\\/[^/]+\\/webhook$/.test(p)) {\n return;\n }\n\n // Internal processor endpoint for the integration webhook fanout. The\n // webhook handler enqueues a task to SQL and dispatches a fresh HTTP POST\n // to this endpoint so the agent loop runs in its own function execution\n // (cross-platform serverless-safe — see `integrations/webhook-handler.ts`).\n // Authenticity is verified via an HMAC token signed with A2A_SECRET, plus\n // an atomic SQL claim that prevents duplicate processing.\n if (p === \"/_agent-native/integrations/process-task\") {\n return;\n }\n\n // Internal processor endpoint for deferred A2A continuations created by\n // integration tasks. 
It uses the same HMAC internal-token scheme as the\n // primary integration processor, so it must bypass cookie/session auth.\n if (p === \"/_agent-native/integrations/process-a2a-continuation\") {\n return;\n }\n\n // Agent Teams durable sub-agent processor. Self-fired by `spawnTask` to run\n // a queued sub-agent in a fresh function invocation; authenticity is\n // verified by the same HMAC internal-token scheme plus an atomic SQL claim,\n // so it bypasses cookie/session auth (mirrors the integration processor).\n if (p === \"/_agent-native/agent-teams/_process-run\") {\n return;\n }\n\n // Read-only agent chat share links. The random token is the bearer secret;\n // the route returns a sanitized transcript plus bounded run summaries and\n // exposes no write surface, live event stream, tool payloads, or owner APIs.\n if (p.startsWith(\"/_agent-native/agent-chat/shared/\")) {\n return;\n }\n\n // A2A endpoint verifies authenticity via JWT signed with the org's A2A\n // secret (or the global A2A_SECRET fallback), not via session cookies.\n if (p === \"/_agent-native/a2a\") {\n return;\n }\n\n // MCP protocol endpoint. `mountMCP` runs its own `verifyAuth` (Bearer\n // ACCESS_TOKEN/ACCESS_TOKENS or A2A_SECRET JWT, open in dev) and is the\n // authoritative gate — exactly like A2A above. Without this bypass the\n // guard's blanket 401-for-/_agent-native/* below shadows that check, so\n // an external coding agent (Claude Code / Codex / Cowork) connecting via\n // the stdio proxy or HTTP can never reach it. Exact protocol endpoint only:\n // tolerate the common trailing slash, but keep\n // `/_agent-native/mcp/*` management subroutes on normal session auth.\n if (p === \"/_agent-native/mcp\" || p === \"/_agent-native/mcp/\") {\n return;\n }\n\n // MCP connect — frictionless external-agent connection. 
Like /open\n // above, the connect *page* resolves the browser session itself and\n // serves its own login form when unauthenticated (so the post-login\n // reload returns to the same URL, carrying the device user_code in the\n // query). The two unauthenticated device endpoints below are the CLI's\n // OAuth-style polling pair: `device/start` (mint a device+user code) and\n // `device/poll` (exchange an approved code for the token) — both must be\n // reachable without a browser session because the CLI has none. They are\n // protected by short-TTL, single-use, crypto-random codes + a creation\n // rate-limit, not cookies.\n //\n // The standard remote-MCP OAuth endpoints also bypass here: metadata and\n // dynamic client registration are public by design; `/oauth/token` is\n // protected by single-use auth codes / refresh tokens; and\n // `/oauth/authorize` resolves the browser session itself so it can serve\n // the login form at the original authorization URL.\n //\n // The legacy Connect endpoints that MINT or MUTATE on behalf of the user\n // (`/connect/token`, `/device/authorize`, `/tokens`, `/tokens/revoke`) are\n // intentionally NOT bypassed: they are POSTed by the in-page fetch with a\n // session cookie and the handler re-checks the session itself.\n if (\n p === \"/_agent-native/mcp/connect\" ||\n p === \"/_agent-native/mcp/connect/device/start\" ||\n p === \"/_agent-native/mcp/connect/device/poll\" ||\n p === \"/_agent-native/mcp/oauth/authorize\" ||\n p === \"/_agent-native/mcp/oauth/token\" ||\n p === \"/_agent-native/mcp/oauth/register\"\n ) {\n return;\n }\n\n // Cross-app SSO (\"Sign in with Agent-Native\") — CLIENT side. Both the\n // `/login` entry point and the `/callback` (hit by a user who is, by\n // definition, NOT yet signed in to THIS app) must bypass the blanket\n // 401-for-/_agent-native/*: they resolve / mint the browser session\n // themselves and verify a signature-bound, single-use, CSRF-stated\n // hub token — not a cookie. 
This bypass is GATED on the opt-in env var\n // so an unset `AGENT_NATIVE_IDENTITY_HUB_URL` is a true no-op (the\n // guard's behaviour is byte-for-byte unchanged when SSO is off). The\n // handler itself 404s when disabled as defence in depth.\n if (\n isIdentitySsoEnabled() &&\n (p === \"/_agent-native/identity/login\" ||\n p === \"/_agent-native/identity/callback\")\n ) {\n return;\n }\n\n // Internal processor endpoint for the A2A async-mode fanout. Mirrors the\n // integration webhook fanout: when `message/send` is called with\n // `async: true`, the JSON-RPC handler enqueues to a2a_tasks and self-\n // fires a POST here so the handler runs in a fresh function execution.\n // Authenticity is verified via an HMAC token signed with A2A_SECRET\n // (same scheme as /_agent-native/integrations/process-task).\n if (p === \"/_agent-native/a2a/_process-task\") {\n return;\n }\n\n // A2A secret receive endpoint — verifies authenticity via JWT signed\n // with the calling app's A2A secret, not via session cookies. Used to\n // sync the org A2A secret across connected apps.\n if (p === \"/_agent-native/org/a2a-secret/receive\") {\n return;\n }\n\n // Recap-image upload (POST /_agent-native/recap-image). The PR visual-recap\n // GitHub Action uploads a PNG here with the SAME `agent-native connect`\n // bearer token the MCP / action surface accepts — a connect-minted MCP\n // OAuth access token that `getSession` only honors on the action surface.\n // The handler re-runs the canonical `verifyAuth` itself (audience-bound to\n // this app's MCP resource) and 401s unauthenticated callers, so — exactly\n // like /_agent-native/a2a and the MCP endpoints above — it must bypass the\n // guard's blanket 401-for-/_agent-native/*. 
The anonymous read route\n // (`/recap-image/<token>.png`) is already public via the `.png` static-asset\n // branch below; this bypass is for the upload path only.\n if (p === \"/_agent-native/recap-image\") {\n return;\n }\n\n // Force-sign-in entrypoint. Templates send viewers from public pages\n // (share links, embeds) here with a `?return=<path>` query — anonymous\n // visitors get the loginHtml, and once they sign in the loginHtml's\n // post-login reload re-hits this same URL with a session cookie set,\n // so we 302 them to the original page.\n //\n // `return` is validated by parsing it against a sentinel base origin\n // and checking the resolved origin still matches. This rejects every\n // open-redirect shape — `//evil.com/...` (network-path reference),\n // `/\\evil.com/...` (WHATWG URL parser normalises `\\` to `/` in HTTP\n // URLs, so a naive prefix check on `//` misses this), absolute URLs\n // like `https://evil.com`, and `data:` / `javascript:` schemes. The\n // reconstructed path comes from the parsed segments so any leftover\n // quirks get normalised. Control chars (incl. CR/LF for header\n // injection) are rejected up front.\n //\n if (p === \"/_agent-native/sign-in\") {\n const queryStr = queryStart >= 0 ? url.slice(queryStart + 1) : \"\";\n const safeReturn = safeReturnPath(\n new URLSearchParams(queryStr).get(\"return\"),\n );\n const session = await getSession(event);\n if (session) {\n return new Response(\"\", {\n status: 302,\n headers: { Location: safeReturn },\n });\n }\n return loginHtmlResponse(loginHtml, event);\n }\n\n // Auth entry pages are framework-owned pages, not app routes. 
When a user\n // already has a session, redirect them back to the mounted app instead of\n // letting React Router try to render /login.\n if (p === \"/login\" || p === \"/signup\") {\n const session = await getSession(event);\n if (session) {\n return new Response(\"\", {\n status: 302,\n headers: { Location: getAppBasePath() || \"/\" },\n });\n }\n return loginHtmlResponse(loginHtml, event);\n }\n\n // Skip static assets (Vite chunks, fonts, images, etc.)\n if (\n p.startsWith(\"/assets/\") ||\n p.startsWith(\"/_build/\") ||\n p.endsWith(\".js\") ||\n p.endsWith(\".css\") ||\n p.endsWith(\".map\") ||\n p.endsWith(\".ico\") ||\n p.endsWith(\".png\") ||\n p.endsWith(\".svg\") ||\n p.endsWith(\".woff2\") ||\n p.endsWith(\".woff\")\n ) {\n return;\n }\n\n // React Router 7's lazy route discovery fetches `/__manifest?p=...` to\n // resolve manifest patches for `<Link>`s the user might click. The\n // auth fallback returning loginHtml here makes RR fail to parse the\n // body as RSC, surfacing as a console error and (when the visitor\n // already errored elsewhere) blocking the app from rendering. 
Let it\n // through — it returns a tiny RSC-encoded manifest of the public\n // route tree, no per-user data.\n if (p === \"/__manifest\") return;\n if (p === \"/_agent-native/speculation-rules.json\") return;\n if (isPublicPath(normalizedUrl, publicPaths)) return;\n if (shouldBypassAuthForBuilderConnect(event, p)) return;\n if (isPublicWorkspacePageRequest(event, p, config)) {\n return;\n }\n\n const session = await getSession(event);\n if (session) return;\n\n if (p.startsWith(\"/api/\") || p.startsWith(\"/_agent-native/\")) {\n setResponseStatus(event, 401);\n return { error: \"Unauthorized\" };\n }\n\n if (!isHtmlDocumentRequest(event, p)) {\n setResponseStatus(event, 401);\n return { error: \"Unauthorized\" };\n }\n\n // Local-dev convenience: on the first page GET of a freshly-scaffolded\n // app, transparently create + sign in `dev@local.test` instead of\n // showing the sign-up form. Gated on NODE_ENV=development AND no real users in the\n // DB, so production and any app that has ever had a real signup are\n // unaffected. See maybeAutoCreateDevSession for full conditions.\n if (getMethod(event) === \"GET\") {\n const autoSession = await maybeAutoCreateDevSession(event, url);\n if (autoSession) return autoSession;\n }\n\n return loginHtmlResponse(loginHtml, event);\n };\n}\n\n// `.test` is an RFC 6761 reserved TLD that never resolves, so this stays a\n// safe local-only address while still passing better-auth's `z.email()`\n// validator (a bare `dev@local` has no TLD and is rejected as INVALID_EMAIL,\n// which silently broke the zero-setup auto-sign-in on every fresh dev DB).\nconst AUTO_DEV_ACCOUNT_EMAIL = \"dev@local.test\";\n// No fixed password: maybeAutoCreateDevSession mints a random one per DB\n// and prints it to the console once (see there).\n\n// Pre-fix local dev DBs may already contain a `dev@local` user. 
Treat that\n// legacy address as the dev account too, so the \"any real users?\" check\n// below doesn't mistake the old auto-account for a real signup (which would\n// permanently disable auto-create) and the post-logout guard still fires.\nconst LEGACY_AUTO_DEV_ACCOUNT_EMAIL = \"dev@local\";\n\nlet authDisabledWarningLogged = false;\n\nfunction isAuthDisabled(): boolean {\n const value = process.env.AUTH_DISABLED?.trim().toLowerCase();\n return value === \"1\" || value === \"true\";\n}\n\nfunction getAuthDisabledSession(): AuthSession | null {\n if (!isAuthDisabled()) return null;\n if (!authDisabledWarningLogged) {\n authDisabledWarningLogged = true;\n console.warn(\n `[agent-native] AUTH_DISABLED — login/signup disabled; all requests run as ${AUTO_DEV_ACCOUNT_EMAIL}`,\n );\n }\n return { email: AUTO_DEV_ACCOUNT_EMAIL };\n}\n\nasync function hasAutoDevAccountUser(\n db: ReturnType<typeof getDbExec>,\n): Promise<boolean> {\n const { rows } = await db.execute({\n sql: 'SELECT 1 FROM \"user\" WHERE email IN (?, ?) LIMIT 1',\n args: [AUTO_DEV_ACCOUNT_EMAIL, LEGACY_AUTO_DEV_ACCOUNT_EMAIL],\n });\n return rows.length > 0;\n}\n\ntype AutoDevAccountCreationResult = { password: string } | null;\n\nconst autoDevAccountCreationPromises = new Map<\n string,\n Promise<AutoDevAccountCreationResult>\n>();\n\nfunction getAutoDevAccountCreationKey(): string {\n return `${process.cwd()}:${process.env.APP_BASE_PATH ?? 
\"\"}`;\n}\n\nasync function createAutoDevAccountForSession(\n auth: NonNullable<Awaited<ReturnType<typeof getBetterAuth>>>,\n db: ReturnType<typeof getDbExec>,\n): Promise<string | null> {\n const key = getAutoDevAccountCreationKey();\n let creationPromise = autoDevAccountCreationPromises.get(key);\n\n if (!creationPromise) {\n const devPassword = crypto.randomBytes(18).toString(\"base64url\");\n\n creationPromise = (async () => {\n try {\n await auth.api.signUpEmail({\n body: {\n email: AUTO_DEV_ACCOUNT_EMAIL,\n password: devPassword,\n name: \"Dev\",\n },\n });\n } catch (e) {\n // Another process can still win the create race after our SELECT.\n // In-process first-page races share this promise and do not issue a\n // duplicate Better Auth signup, which keeps local SQLite logs quiet.\n if (await hasAutoDevAccountUser(db)) return null;\n if (!isExpectedAuthFailure(e)) throw e;\n return null;\n }\n\n // Print the throwaway credential exactly once so the developer can\n // sign back in manually after logout (auto-flow won't refire once the\n // dev row exists). Local console only — never Sentry.\n console.log(\n `\\n[agent-native] Local dev auto-login ready.\\n` +\n ` email: ${AUTO_DEV_ACCOUNT_EMAIL}\\n` +\n ` password: ${devPassword}\\n` +\n ` (random, this DB only — needed to sign back in after logout.\\n` +\n ` Set AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1 to disable.)\\n`,\n );\n\n return { password: devPassword };\n })();\n\n autoDevAccountCreationPromises.set(key, creationPromise);\n creationPromise\n .finally(() => {\n if (autoDevAccountCreationPromises.get(key) === creationPromise) {\n autoDevAccountCreationPromises.delete(key);\n }\n })\n .catch(() => {});\n }\n\n const result = await creationPromise;\n return result?.password ?? 
null;\n}\n\n/**\n * Local-dev convenience: skip the sign-up wall on first run.\n *\n * When NODE_ENV=development AND the `user` table has no rows for any\n * email other than the dev account (`dev@local.test`, or the legacy\n * `dev@local` on pre-fix DBs), transparently sign up (or sign back in\n * to) the auto-managed dev account and return a 302 to the original URL\n * with a session cookie set. A developer who just ran `pnpm dev` lands\n * in the app immediately instead of being asked to fill in name + email\n * + password to try the framework.\n *\n * Auto-create fires exactly once per local DB: as soon as the dev\n * account (or any real user) exists in the `user` table, the helper\n * returns null and the normal login flow takes over. Signing out then\n * leaves the user on the regular sign-in form; without this guard the\n * post-logout reload would silently re-create the session.\n *\n * Hardening (this is a convenience, not an auth bypass — it uses the\n * real Better Auth sign-up/sign-in, but a known-credential local account\n * is still worth not shipping):\n * - **Loopback only.** Gated on `isLoopbackRequest`, so a tunnelled /\n * reverse-proxied / misconfigured-non-prod dev server never auto-signs\n * in a directly-remote visitor (mirrors the desktop SSO broker).\n * - **Random per-DB password.** The account password is freshly\n * generated on creation and printed to the server console exactly\n * once — there is no source-code-known credential. 
After logout the\n * auto-flow won't refire (dev row exists), so signing back in uses\n * that printed password; lost it ⇒ drop the row or wipe the local DB.\n * - **NODE_ENV.** Still gated on development/test.\n *\n * Set `AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1` to opt out entirely\n * (useful for tests that exercise the unauthenticated branch).\n */\nasync function maybeAutoCreateDevSession(\n event: H3Event,\n redirectTo: string,\n): Promise<Response | null> {\n if (!isDevEnvironment()) return null;\n if (process.env.AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT === \"1\") return null;\n // Local machine only: never auto-sign-in a remote visitor, even if a\n // dev server is exposed (tunnel, reverse proxy, misconfigured NODE_ENV).\n if (!isLoopbackRequest(event)) return null;\n\n try {\n const db = getDbExec();\n // Exclude BOTH the current and the legacy dev-account email so a\n // pre-fix local DB that still holds a `dev@local` row isn't treated\n // as having a \"real user\" (which would permanently disable\n // auto-create on that DB).\n const { rows: realUsers } = await db.execute({\n sql: 'SELECT 1 FROM \"user\" WHERE email NOT IN (?, ?) LIMIT 1',\n args: [AUTO_DEV_ACCOUNT_EMAIL, LEGACY_AUTO_DEV_ACCOUNT_EMAIL],\n });\n if (realUsers.length > 0) return null;\n\n // If the dev account already exists, this is not a freshly-scaffolded\n // app — the user has been through the auto-create flow at least\n // once. Skip auto-create so signing out actually works: without\n // this guard, the post-logout reload immediately re-creates the\n // session and the user is stuck in the dev account forever (or has\n // to set AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1). To get the demo\n // experience back, drop the row or wipe the local DB. 
The legacy\n // `dev@local` address is matched too so pre-fix DBs still suppress\n // re-create after logout.\n if (await hasAutoDevAccountUser(db)) return null;\n\n const auth = await getBetterAuth();\n if (!auth) return null;\n\n // The dev account does not exist at this point (the devUsers check\n // above returned early otherwise). Concurrent in-process first page\n // loads share one signup promise so the losing request never asks Better\n // Auth to insert the same email and therefore never emits a SQLite\n // unique-constraint log.\n const devPassword = await createAutoDevAccountForSession(auth, db);\n if (!devPassword) return null;\n\n const result = await auth.api.signInEmail({\n body: {\n email: AUTO_DEV_ACCOUNT_EMAIL,\n password: devPassword,\n },\n });\n if (!result?.token) return null;\n\n setFrameworkSessionCookie(event, result.token);\n await addSession(result.token, AUTO_DEV_ACCOUNT_EMAIL);\n\n // Emit the session cookie ON the 302 itself. Returning a bare\n // `new Response(...)` here drops the cookie staged on event.node.res\n // (see redirectWithStagedCookies), so the developer would 302 to the\n // app and immediately bounce back to the login form.\n return redirectWithStagedCookies(event, redirectTo);\n } catch (e) {\n // Local-dev only — log to console for debugging, but don't surface\n // through Sentry. Falling back to the regular login form is the\n // correct user-facing behavior when this path fails.\n console.warn(\"[agent-native] auto dev account skipped:\", e);\n return null;\n }\n}\n\n/**\n * Map a Better Auth session to our AuthSession type.\n */\nfunction mapBetterAuthSession(baSession: {\n user: { id: string; email: string; name?: string; image?: string | null };\n session: { token: string };\n}): AuthSession {\n return {\n email: baSession.user.email,\n userId: baSession.user.id,\n name: baSession.user.name,\n ...(baSession.user.image ? 
{ image: baSession.user.image } : {}),\n token: baSession.session?.token,\n };\n}\n\n/**\n * Backfill `orgId` onto a resolved session using the canonical\n * `resolveOrgIdForEmail` (org_members + active-org-id user setting), so\n * every consumer of `session.orgId` agrees with `getOrgContext` on which\n * org is active.\n *\n */\nasync function backfillSessionOrg(session: AuthSession): Promise<AuthSession> {\n if (session.orgId) return session;\n const { resolveOrgIdForEmail } = await import(\"../org/context.js\");\n const orgId = await resolveOrgIdForEmail(session.email).catch(() => null);\n return orgId ? { ...session, orgId } : session;\n}\n\n/**\n * Get the current auth session for a request.\n *\n * Resolution chain:\n * 1. ACCESS_TOKEN → check legacy cookie-based token sessions\n * 2. Embed session → short-lived token minted by /_agent-native/embed/start\n * 3. BYOA custom getSession → delegate to template callback\n * 4. Bearer legacy session → check Authorization: Bearer against sessions\n * 5. Better Auth → check session via Better Auth API (cookie or Bearer)\n * 6. Legacy cookie → check an_session cookie in legacy sessions table\n * 7. Desktop SSO broker (Electron loopback only)\n * 8. Mobile _session query param → promote to cookie\n *\n * Returns `null` for unauthenticated requests. There is no dev-mode bypass:\n * local development uses the same Better Auth signup flow as production. The\n * onboarding/sign-in page is served by `runAuthGuard` for any unauthenticated\n * page load.\n */\nexport async function getSession(event: H3Event): Promise<AuthSession | null> {\n // Per-request memoization. The wider codebase calls `getSession` many\n // times per request (auth guard, action wrapper, route handler, plus the\n // org-backfill query inside `backfillSessionOrg`). 
Cache the resolved\n // session on `event.context` so the chain runs once per request.\n const ctx = event.context as {\n __anSessionCache?: Promise<AuthSession | null>;\n };\n return (ctx.__anSessionCache ??= (async () => {\n const session = await resolveSessionUncached(event);\n return session?.email ? backfillSessionOrg(session) : session;\n })());\n}\n\nasync function resolveSessionUncached(\n event: H3Event,\n): Promise<AuthSession | null> {\n // 1. MCP App embed session. This is a short-lived browser session minted\n // from a one-time ticket that was scoped to the authenticated MCP caller.\n // It lets an inline MCP App iframe load the real app without reusing the\n // MCP bearer token as a browser cookie. Resolve it FIRST: the token is\n // HMAC-verified and carries its own identity + org scope, and is the most\n // specific intent for an embed request. Checking it before the legacy\n // an_session cookie prevents a stale cookie (common when an ACCESS_TOKEN is\n // configured) from shadowing the embed identity.\n const embedSession = await resolveEmbedSessionFromRequest(event);\n if (embedSession) {\n return {\n email: embedSession.email,\n token: embedSession.token,\n ...(embedSession.orgId ? { orgId: embedSession.orgId } : {}),\n };\n }\n\n // 2. ACCESS_TOKEN check (programmatic/agent access)\n const accessTokens = getAccessTokens();\n if (accessTokens.length > 0) {\n const cookieSession = await getLegacyCookieSession(event);\n if (cookieSession) return cookieSession;\n }\n\n // 3. BYOA custom getSession\n if (customGetSession) {\n const session = await customGetSession(event);\n if (session) return session;\n\n const bearerSession = await getBearerSession(event);\n if (bearerSession) return bearerSession;\n\n // Desktop SSO broker: even with BYOA auth, fall back to the broker\n // for Electron requests so cross-template SSO works for custom-auth\n // templates too. 
Gated on `readDesktopSsoSafely` so a non-loopback\n // request that spoofs `User-Agent: ... Electron/...` cannot read the\n // home-dir broker file (and so production builds never consult it).\n const sso = await readDesktopSsoSafely(event);\n if (sso?.email) return { email: sso.email, token: sso.token };\n // Fall through to mobile _session check\n } else {\n // 4. Bearer session. Desktop/native clients can persist a legacy session\n // token outside the WebView cookie jar and attach it to all app requests.\n // `agent-native connect` clients may present a connect-minted MCP OAuth\n // token, but only the framework action route accepts that fallback.\n const bearerSession = await getBearerSession(event);\n if (bearerSession) return bearerSession;\n\n // 5. Better Auth session (cookie or Bearer token)\n try {\n const ba = getBetterAuthSync();\n if (ba) {\n const baSession = await ba.api.getSession({\n headers: event.headers,\n });\n if (baSession?.user?.email) {\n return mapBetterAuthSession(baSession);\n }\n }\n } catch (e) {\n console.error(\"[auth] ba.api.getSession error:\", e);\n }\n\n // 6. Legacy cookie fallback (for sessions created before migration)\n const cookieSession = await getLegacyCookieSession(event);\n if (cookieSession) return cookieSession;\n\n // 7. Desktop SSO broker fallback.\n // Each template in the Electron desktop app has its own database, so\n // a session token created by one template doesn't resolve in another.\n // When an Electron request has no resolvable session, trust the\n // home-dir SSO record written by whichever template the user signed\n // into. 
Gated on `readDesktopSsoSafely`: requires Electron User-Agent,\n // a loopback (127.0.0.1 / ::1) source IP, and a non-production NODE_ENV\n // — anything else is rejected so a hostile network request cannot\n // impersonate whichever email last signed into the desktop app.\n const sso = await readDesktopSsoSafely(event);\n if (sso?.email) {\n return { email: sso.email, token: sso.token };\n }\n }\n\n // 8. Mobile WebView bridge — _session query param\n const querySession = await promoteQuerySession(event);\n if (querySession) return querySession;\n\n // 9. AUTH_DISABLED fallback — only when no session resolved above.\n // Must run after BYOA customGetSession so infrastructure/custom auth keeps\n // caller identity instead of collapsing to the shared preview user.\n const authDisabledSession = getAuthDisabledSession();\n if (authDisabledSession) return authDisabledSession;\n\n return null;\n}\n\nasync function promoteQuerySession(\n event: H3Event,\n): Promise<AuthSession | null> {\n const qToken = getQuery(event)?._session as string | undefined;\n if (!qToken) return null;\n const email = await getSessionEmail(qToken);\n if (!email) return null;\n setFrameworkSessionCookie(event, qToken);\n setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n return { email, token: qToken };\n}\n\nfunction isReadMethod(event: H3Event): boolean {\n const method = getMethod(event);\n return method === \"GET\" || method === \"HEAD\";\n}\n\n/**\n * Cookie attributes that work in both same-site and third-party iframe\n * contexts. Over HTTPS we emit `SameSite=None; Secure; Partitioned` —\n * `None`+`Secure` is required by browsers to ship the cookie back inside a\n * cross-origin iframe at all; `Partitioned` keeps the cookie working under\n * Chrome's third-party-cookie deprecation by binding it to the embedding\n * site's storage partition. 
(Better Auth already sets the same trio on its\n * own session cookie; this matches so the framework's legacy cookie —\n * which the Builder OAuth popup exchange writes via\n * `setFrameworkSessionCookie` — survives iframe contexts too.) Plain-HTTP\n * dev keeps the default `SameSite=Lax`; `None` requires Secure, and\n * `Partitioned` only takes effect alongside `Secure`.\n */\nfunction crossSiteCookieAttrs(event: H3Event): {\n sameSite: \"lax\" | \"none\";\n secure: boolean;\n partitioned?: boolean;\n} {\n return isHttpsRequest(event)\n ? { sameSite: \"none\", secure: true, partitioned: true }\n : { sameSite: \"lax\", secure: false };\n}\n\nexport function setFrameworkSessionCookie(event: H3Event, token: string): void {\n clearFrameworkSessionCookies(event);\n setCookie(event, COOKIE_NAME, token, {\n httpOnly: true,\n ...crossSiteCookieAttrs(event),\n ...cookieDomainAttrs(),\n path: \"/\",\n maxAge: sessionMaxAge,\n });\n}\n\n/**\n * Build a redirect `Response` that carries whatever `Set-Cookie` headers were\n * just staged on the event (e.g. by `setFrameworkSessionCookie`).\n *\n * h3 v2's `setCookie` appends the cookie onto `event.res.headers`. When a\n * handler returns a plain object/string, h3's `prepareResponse` merges those\n * staged headers into the synthesized response, so the cookie survives. But\n * when a handler returns a web `Response`, `prepareResponse` only merges the\n * staged headers if the Response is 2xx — its `!val.ok` early-return hands a\n * non-2xx Response (like a 302) straight back WITHOUT merging. A bare\n * `new Response(\"\", { status: 302, headers: { Location } })` therefore 302s\n * the browser with no session cookie, so the zero-setup dev auto-sign-in\n * bounces straight back to the login form.\n *\n * Mirroring the staged cookies onto the redirect Response's own headers makes\n * them part of the Response that's returned as-is, so the 302 actually\n * carries the session cookie. 
(`event.res.headers` is also left intact for\n * any non-Response continuation path; h3 only skips the merge for the\n * Response branch, so there's no double-emit.)\n */\nfunction redirectWithStagedCookies(\n event: H3Event,\n location: string,\n status = 302,\n): Response {\n const headers = new Headers({ Location: location });\n const staged = event.res?.headers?.getSetCookie?.() ?? [];\n for (const cookie of staged) headers.append(\"set-cookie\", cookie);\n return new Response(\"\", { status, headers });\n}\n\nfunction isHttpsRequest(event: H3Event): boolean {\n try {\n const xfProto = getHeader(event, \"x-forwarded-proto\");\n if (xfProto && String(xfProto).split(\",\")[0].trim() === \"https\") {\n return true;\n }\n const req: any = (event as any).req ?? event.node?.req;\n const url: string | undefined = req?.url;\n if (typeof url === \"string\" && url.startsWith(\"https://\")) return true;\n const appUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL || \"\";\n if (appUrl.startsWith(\"https://\")) return true;\n } catch {\n // ignore\n }\n return false;\n}\n\n// ---------------------------------------------------------------------------\n// Public path matching\n// ---------------------------------------------------------------------------\n\nfunction isPublicPath(url: string, publicPaths: string[]): boolean {\n const p = url.split(\"?\")[0];\n return matchesPathList(p, publicPaths);\n}\n\nfunction matchesPathList(path: string, paths: string[]): boolean {\n return paths.some((candidate) => {\n const normalized =\n candidate.length > 1 && candidate.endsWith(\"/\")\n ? 
candidate.slice(0, -1)\n : candidate;\n return path === normalized || path.startsWith(normalized + \"/\");\n });\n}\n\nfunction isPublicWorkspacePageRequest(\n event: H3Event,\n path: string,\n config: AuthGuardConfig,\n): boolean {\n if (!isReadMethod(event)) return false;\n if (\n path === \"/_agent-native\" ||\n path.startsWith(\"/_agent-native/\") ||\n path === \"/api\" ||\n path.startsWith(\"/api/\") ||\n path === \"/.well-known\" ||\n path.startsWith(\"/.well-known/\")\n ) {\n return false;\n }\n if (matchesPathList(path, config.workspaceAppProtectedPaths)) return false;\n if (matchesPathList(path, config.workspaceAppPublicPaths)) return true;\n return config.workspaceAppAudience === \"public\";\n}\n\nfunction stripAppBasePath(pathname: string): string {\n const basePath = getAppBasePath();\n if (!basePath) return pathname;\n if (pathname === basePath) return \"/\";\n if (pathname.startsWith(`${basePath}/`)) {\n return pathname.slice(basePath.length) || \"/\";\n }\n return pathname;\n}\n\n// ---------------------------------------------------------------------------\n// Fallback login page HTML (custom auth with no login page configured)\n// ---------------------------------------------------------------------------\n\nfunction getCustomAuthRequiredHtml(): string {\n return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\">\n<title>Authentication required</title>\n<style>\n *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }\n :root {\n color-scheme: dark;\n --bg: #09090b;\n --panel: #141417;\n --panel-soft: #1b1b20;\n --border: rgba(255,255,255,0.1);\n --border-strong: rgba(255,255,255,0.18);\n --text: #f4f4f5;\n --muted: #a1a1aa;\n --subtle: #71717a;\n }\n body {\n font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", sans-serif;\n background: linear-gradient(180deg, #111114 0%, var(--bg) 58%);\n 
color: var(--text);\n display: flex;\n align-items: center;\n justify-content: center;\n min-height: 100vh;\n padding: 1rem;\n }\n .card {\n width: 100%;\n max-width: 420px;\n padding: 2rem;\n background: color-mix(in srgb, var(--panel) 94%, transparent);\n border: 1px solid var(--border);\n border-radius: 12px;\n box-shadow: 0 24px 80px rgba(0,0,0,0.35);\n }\n .eyebrow {\n display: inline-flex;\n align-items: center;\n min-height: 1.5rem;\n padding: 0 0.625rem;\n margin-bottom: 1rem;\n border: 1px solid var(--border);\n border-radius: 999px;\n color: var(--muted);\n background: rgba(255,255,255,0.04);\n font-size: 0.75rem;\n font-weight: 500;\n }\n h1 {\n font-size: 1.375rem;\n line-height: 1.2;\n font-weight: 650;\n margin-bottom: 0.5rem;\n color: var(--text);\n letter-spacing: 0;\n }\n .intro {\n margin-bottom: 1.5rem;\n color: var(--muted);\n font-size: 0.9375rem;\n line-height: 1.55;\n }\n .hint {\n margin-top: 1rem;\n color: var(--subtle);\n font-size: 0.8125rem;\n line-height: 1.45;\n }\n @media (max-width: 480px) {\n .card { padding: 1.5rem; }\n h1 { font-size: 1.25rem; }\n }\n</style>\n</head>\n<body>\n<div class=\"card\">\n <div class=\"eyebrow\">Authentication required</div>\n <h1>Sign in is not configured</h1>\n <p class=\"intro\">This route requires an authenticated session, but this app's custom auth plugin did not provide a sign-in page.</p>\n <p class=\"hint\">If this route should be public, add it to the auth plugin's public route configuration. Otherwise configure a custom sign-in page for this app.</p>\n</div>\n</body>\n</html>`;\n}\n\n// ---------------------------------------------------------------------------\n// mountBetterAuthRoutes — Better Auth powered auth with backward-compat routes\n// ---------------------------------------------------------------------------\n\nasync function mountBetterAuthRoutes(\n app: H3App,\n options: AuthOptions,\n): Promise<void> {\n const publicPaths = [...(options.publicPaths ?? 
[])];\n const workspaceAppAudience = resolveWorkspaceAppAudience(options);\n const workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess(options);\n\n // The A2A agent card is part of an open protocol — other agents must be\n // able to discover it without auth. Same for favicons and similar probes.\n for (const pp of [\"/.well-known\", \"/favicon.ico\", \"/favicon.png\"]) {\n if (!publicPaths.includes(pp)) publicPaths.push(pp);\n }\n\n // Auto-add Google OAuth routes when credentials are configured. Templates\n // that need broader product scopes (mail/calendar) opt out and provide\n // their own Nitro routes at these paths.\n if (\n process.env.GOOGLE_CLIENT_ID &&\n process.env.GOOGLE_CLIENT_SECRET &&\n options.mountGoogleOAuthRoutes !== false\n ) {\n setGenericGoogleOAuthRoutesEnabled(app, true);\n for (const gp of [\n \"/_agent-native/google/callback\",\n \"/_agent-native/google/auth-url\",\n ]) {\n if (!publicPaths.includes(gp)) publicPaths.push(gp);\n }\n\n const googleScopes = [\n \"openid\",\n \"https://www.googleapis.com/auth/userinfo.email\",\n \"https://www.googleapis.com/auth/userinfo.profile\",\n ].join(\" \");\n\n app.use(\n \"/_agent-native/google/auth-url\",\n defineEventHandler((event) => {\n if (!areGenericGoogleOAuthRoutesEnabled(app)) return undefined;\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n // Validate the user-supplied `redirect_uri` against the framework's\n // server-side allowlist (must be same-origin and under\n // `/_agent-native/...`). Reject anything else so an attacker can't\n // smuggle a different already-registered redirect URI past Google's\n // host-prefix matching. 
See HIGH-1 in 09-oauth-session.md.\n const redirectUri = resolveOAuthRedirectUri(event);\n if (redirectUri === null) {\n setResponseStatus(event, 400);\n return { error: \"Invalid redirect_uri\" };\n }\n const q = getQuery(event);\n const desktop =\n isElectronRequest(event) || q.desktop === \"1\" || q.desktop === \"true\";\n const flowId = desktop ? (q.flow_id as string) || undefined : undefined;\n // Validate the caller's return param up front and only embed it\n // into the OAuth state when it normalises to a non-root path —\n // skip embedding \"/\" (the default fallback) so the state stays\n // small for the common case.\n const returnQuery = q.return;\n const validated =\n typeof returnQuery === \"string\"\n ? safeOAuthReturnUrl(returnQuery, {\n allowDefaultLoopback: isBuilderOAuthRequest(event),\n allowedOrigins: [builderPreviewReturnOrigin(event)],\n })\n : \"/\";\n const returnUrl = validated !== \"/\" ? validated : undefined;\n const state = encodeOAuthState({\n redirectUri,\n desktop,\n addAccount: false,\n app: getOAuthStateAppId(),\n returnUrl,\n flowId,\n });\n logGoogleOAuthDebug(event, \"auth-url\", {\n flowId,\n desktop,\n redirectPath: oauthDebugUrlPath(redirectUri),\n returnUrl,\n redirect: q.redirect === \"1\",\n workspace:\n process.env.AGENT_NATIVE_WORKSPACE === \"1\" ||\n process.env.VITE_AGENT_NATIVE_WORKSPACE === \"1\",\n });\n const params = new URLSearchParams({\n client_id: process.env.GOOGLE_CLIENT_ID!,\n redirect_uri: redirectUri,\n response_type: \"code\",\n scope: googleScopes,\n access_type: \"online\",\n prompt: \"select_account\",\n state,\n });\n const authUrl = `https://accounts.google.com/o/oauth2/v2/auth?${params}`;\n if (q.redirect === \"1\") {\n // Return a native web Response — NOT h3 v2's `sendRedirect`. 
Under\n // h3 `2.0.1-rc.20`, `sendRedirect = (_, loc, code) => redirect(...)`\n // ignores the event and returns a non-standard `HTTPResponse` class\n // instance; the framework request-handler shim doesn't unwrap it and\n // String()-coerces it to the literal text \"[object Object]\" with a\n // 200 status (no Location header), which broke the popup-based\n // Google sign-in in production. Web `Response` is the proven idiom\n // here — `oauthCallbackResponse`/`oauthErrorPage` use it and work.\n return new Response(null, {\n status: 302,\n headers: { Location: authUrl },\n });\n }\n return { url: authUrl };\n }),\n );\n\n app.use(\n \"/_agent-native/google/callback\",\n defineEventHandler(async (event) => {\n if (!areGenericGoogleOAuthRoutesEnabled(app)) return undefined;\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const callbackRelay = workspaceOAuthCallbackRelayResponse(event);\n if (callbackRelay) return callbackRelay;\n let callbackFlowId: string | undefined;\n let callbackDesktop = false;\n try {\n const query = getQuery(event);\n const code = query.code as string;\n const { redirectUri, desktop, returnUrl, flowId } = decodeOAuthState(\n query.state as string | undefined,\n getAppUrl(event, \"/_agent-native/google/callback\"),\n );\n callbackFlowId = flowId;\n callbackDesktop = desktop ?? false;\n logGoogleOAuthDebug(event, \"callback-start\", {\n flowId,\n desktop,\n redirectPath: oauthDebugUrlPath(redirectUri),\n hasCode: !!code,\n returnUrl,\n });\n if (!code) {\n const providerError =\n typeof query.error === \"string\" && query.error\n ? query.error\n : undefined;\n const providerDescription =\n typeof query.error_description === \"string\" &&\n query.error_description\n ? 
query.error_description\n : undefined;\n const msg =\n providerDescription ||\n providerError ||\n \"Missing authorization code\";\n if (flowId) {\n setDesktopExchangeError(flowId, {\n message: `Google sign-in failed: ${msg}`,\n code: providerError || \"missing_authorization_code\",\n });\n }\n logGoogleOAuthDebug(event, \"callback-error\", {\n flowId,\n desktop,\n message: msg,\n code: providerError,\n });\n return oauthErrorPage(`Connection failed: ${msg}`);\n }\n // Defence in depth: the state is HMAC-signed, but if the signing\n // key ever leaked an attacker could mint state with their own\n // redirect_uri. Re-validate against the same allowlist used at\n // auth-url time so the token exchange is always sent to a URI we\n // own.\n if (!isAllowedOAuthRedirectUri(redirectUri, event)) {\n const msg =\n \"Invalid Google OAuth redirect URI in state. Restart sign-in from this app.\";\n if (flowId) {\n setDesktopExchangeError(flowId, {\n message: msg,\n code: \"invalid_redirect_uri\",\n });\n }\n logGoogleOAuthDebug(event, \"callback-error\", {\n flowId,\n desktop,\n message: msg,\n });\n return oauthErrorPage(`Connection failed: ${msg}`);\n }\n\n const tokenRes = await fetch(\"https://oauth2.googleapis.com/token\", {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body: new URLSearchParams({\n code,\n client_id: process.env.GOOGLE_CLIENT_ID!,\n client_secret: process.env.GOOGLE_CLIENT_SECRET!,\n redirect_uri: redirectUri,\n grant_type: \"authorization_code\",\n }),\n });\n const tokens = await tokenRes.json();\n if (!tokenRes.ok) {\n throw new Error(\n tokens.error_description ||\n tokens.error ||\n \"Token exchange failed\",\n );\n }\n\n const userRes = await fetch(\n \"https://www.googleapis.com/oauth2/v2/userinfo\",\n { headers: { Authorization: `Bearer ${tokens.access_token}` } },\n );\n const user = await userRes.json();\n const email = user.email as string;\n if (!email) throw new Error(\"Could not get email 
from Google\");\n // Reject unverified Google addresses. Google returns\n // `verified_email: false` for accounts where ownership of the\n // address hasn't been proven (rare on consumer accounts but\n // reachable on Workspace tenants that allow it). Without this\n // check, an attacker could sign up as `victim@example.com` on\n // Google without controlling the inbox and take over a local\n // password account that already exists at that address (Better\n // Auth's accountLinking auto-merges trusted-provider sign-ins).\n if (user.verified_email !== true) {\n throw new Error(\n \"Google account email is not verified. Please verify your email with Google and try again.\",\n );\n }\n if (typeof user.picture === \"string\" && user.picture.trim()) {\n await putSetting(`avatar:${email}`, {\n image: user.picture,\n }).catch((error) => {\n console.warn(\n \"[auth] failed to store Google profile image:\",\n error,\n );\n });\n }\n\n const { sessionToken } = await createOAuthSession(event, email, {\n hasProductionSession: false,\n desktop,\n });\n logGoogleOAuthDebug(event, \"callback-session-created\", {\n flowId,\n desktop,\n hasSessionToken: !!sessionToken,\n emailDomain: email.split(\"@\")[1] || \"\",\n });\n\n if (flowId && sessionToken) {\n _desktopExchanges.set(flowId, {\n token: sessionToken,\n email,\n expiresAt: Date.now() + DESKTOP_EXCHANGE_TTL_MS,\n });\n // Also persist to DB for cross-instance durability (Cloudflare\n // Workers, multi-region). 
Fire-and-forget — in-memory Map is\n // still the primary fast path for same-instance requests.\n void persistDesktopExchangeToDB(flowId, sessionToken, email);\n logGoogleOAuthDebug(event, \"callback-exchange-stored\", {\n flowId,\n desktop,\n });\n }\n\n return oauthCallbackResponse(event, email, {\n sessionToken,\n desktop,\n returnUrl,\n flowId,\n });\n } catch (error: any) {\n const msg = error.message || \"Unknown error\";\n if (callbackFlowId) {\n setDesktopExchangeError(callbackFlowId, {\n message: `Google sign-in failed: ${msg}`,\n code: \"callback_error\",\n });\n }\n logGoogleOAuthDebug(event, \"callback-error\", {\n flowId: callbackFlowId,\n desktop: callbackDesktop,\n message: msg,\n });\n return oauthErrorPage(`Connection failed: ${msg}`);\n }\n }),\n );\n }\n\n // Desktop OAuth exchange — native apps (Tauri tray, Electron) open OAuth\n // in the system browser but need a way to retrieve the session token\n // afterwards since they don't share a cookie jar with the browser.\n app.use(\n \"/_agent-native/auth/desktop-exchange\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const query = getQuery(event);\n const flowId = query.flow_id as string | undefined;\n if (!flowId) {\n setResponseStatus(event, 400);\n return { error: \"Missing flow_id\" };\n }\n let entry = _desktopExchanges.get(flowId);\n if (!entry || entry.expiresAt < Date.now()) {\n // In-memory miss — fall back to the DB-persisted entry. This handles\n // cross-instance routing (Cloudflare Workers, multi-region) where the\n // OAuth callback and the polling request may hit different isolates.\n const fromDb = await consumeDesktopExchangeFromDB(flowId);\n if (!fromDb) {\n // Don't log on the pending path — clients poll every second for up\n // to 5 minutes, so logging here floods telemetry. 
The auth-url,\n // callback-start, callback-session-created, exchange-success, and\n // exchange-error breadcrumbs already cover every meaningful state\n // transition.\n return { pending: true, flow: oauthDebugFlowId(flowId) };\n }\n entry =\n \"error\" in fromDb\n ? { error: fromDb.error, expiresAt: Date.now() + 1 }\n : {\n token: fromDb.token,\n email: fromDb.email,\n expiresAt: Date.now() + 1,\n };\n }\n _desktopExchanges.delete(flowId);\n // Also wipe the DB-persisted entry so it cannot be replayed via the\n // DB fallback path after in-memory consumption. Best-effort: a dropped\n // Neon WebSocket rejects with a raw ErrorEvent, and a floating\n // rejection here surfaces as an unhandled promise rejection.\n removeSession(`dex:${flowId}`).catch((err) => {\n console.warn(\n \"[auth] desktop-exchange DB cleanup failed:\",\n describeDbError(err),\n );\n });\n if (\"error\" in entry) {\n logGoogleOAuthDebug(event, \"exchange-error\", {\n flowId,\n message: entry.error.message,\n code: entry.error.code,\n });\n return { error: entry.error.message, ...entry.error };\n }\n // Make the exchange itself establish the app session. Older clients\n // still make a follow-up /auth/session?_session=... request, but the\n // OAuth handoff should not depend on that second request succeeding.\n setFrameworkSessionCookie(event, entry.token);\n setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n logGoogleOAuthDebug(event, \"exchange-success\", {\n flowId,\n emailDomain: entry.email.split(\"@\")[1] || \"\",\n });\n return { token: entry.token, email: entry.email };\n }),\n );\n\n // Initialize Better Auth. Forward `googleScopes` into the BetterAuthConfig\n // so the social provider requests the broader product scopes (Gmail,\n // Calendar, etc.) up front during the primary sign-in — eliminating the\n // need for a separate \"Connect Google\" page.\n const betterAuthConfig: BetterAuthConfig = {\n ...(options.betterAuth ?? {}),\n ...(options.googleScopes ? 
{ googleScopes: options.googleScopes } : {}),\n };\n const auth = await getBetterAuth(betterAuthConfig);\n\n // Mount Better Auth catch-all handler at /_agent-native/auth/ba/*\n app.use(\n \"/_agent-native/auth/ba\",\n defineEventHandler(async (event) => {\n const reqPath = event.url?.pathname ?? event.path ?? \"\";\n const isResetPassword =\n reqPath.includes(\"reset-password\") && getMethod(event) === \"POST\";\n const isSendVerificationEmail =\n reqPath.includes(\"send-verification-email\") &&\n getMethod(event) === \"POST\";\n const authRequest = toWebRequest(event);\n let requestForAuth = authRequest;\n\n // Pre-read the body for reset-password so we can auto-verify the\n // user's email after they save the new password. CRUCIAL: clone\n // the Request first — h3 v2 `event.req` is the live web Request,\n // and `.text()`/`.json()` consume the stream. The same `event.req`\n // is handed to Better Auth below; without the clone, Better Auth\n // sees an empty body, fails Zod validation, and returns 400 —\n // which the reset page renders as \"the link may have expired\".\n let resetToken: string | undefined;\n let resetUserId: string | undefined;\n if (isResetPassword) {\n try {\n const cloned = authRequest.clone();\n const body = (await cloned.json().catch(() => undefined)) as\n | { token?: string }\n | undefined;\n resetToken = body?.token;\n } catch {\n // ignore — Better Auth will handle validation\n }\n // Look up userId BEFORE calling auth.handler — Better Auth deletes\n // the verification row as part of the reset, so by the time the\n // handler returns 200 the row is gone and we can't recover the user.\n if (resetToken) {\n try {\n const { getDbExec } = await import(\"../db/client.js\");\n const db = getDbExec();\n const rows = await db.execute({\n sql: \"SELECT value FROM verification WHERE identifier = ?\",\n args: [`reset-password:${resetToken}`],\n });\n resetUserId = rows.rows[0]?.value as string | undefined;\n } catch {\n // Best-effort — if we 
can't read the verification row we just\n // skip auto-verify; the user can verify normally.\n }\n }\n }\n\n // The signup wrapper sanitizes callbackURL before calling Better Auth,\n // but the resend endpoint is exposed directly so users can request a\n // fresh link while unauthenticated. Keep that path equally strict:\n // only same-origin relative return paths survive into the email.\n if (isSendVerificationEmail) {\n try {\n const body = (await authRequest\n .clone()\n .json()\n .catch(() => undefined)) as Record<string, unknown> | undefined;\n if (body && typeof body.callbackURL === \"string\") {\n const callbackURL = safeReturnPath(body.callbackURL);\n if (callbackURL !== body.callbackURL) {\n const headers = new Headers(authRequest.headers);\n headers.delete(\"content-length\");\n headers.set(\"content-type\", \"application/json\");\n requestForAuth = new Request(authRequest.url, {\n method: authRequest.method,\n headers,\n body: JSON.stringify({ ...body, callbackURL }),\n duplex: \"half\",\n } as RequestInit & { duplex: \"half\" });\n }\n }\n } catch {\n // Let Better Auth handle malformed bodies and return its normal\n // validation error.\n }\n }\n\n const response = await auth.handler(requestForAuth);\n const isResponse =\n response != null &&\n typeof (response as any).status === \"number\" &&\n typeof (response as any).headers?.get === \"function\";\n\n // After email verification, add ?verified=1 to the redirect so the\n // login page can show \"Email verified!\". MUTATE the response in\n // place — `new Response(null, { headers: new Headers(response.headers) })`\n // collapses multiple Set-Cookie headers into one comma-joined value,\n // which browsers reject. 
With `autoSignInAfterVerification: true`\n // Better Auth emits 2–3 Set-Cookie headers (session token + cookie\n // cache + dontRememberToken); losing them strands the user on the\n // login page even though verification succeeded.\n if (\n reqPath.includes(\"verify-email\") &&\n isResponse &&\n (response as Response).status >= 300 &&\n (response as Response).status < 400\n ) {\n const loc = response.headers.get(\"location\");\n if (loc && !/[?&]verified=/.test(loc)) {\n const sep = loc.includes(\"?\") ? \"&\" : \"?\";\n response.headers.set(\"location\", loc + sep + \"verified=1\");\n }\n }\n\n // Auto-verify email after a successful password reset. The user\n // proved email ownership by receiving and using the reset link, so\n // we don't want them stuck behind `requireEmailVerification` after\n // resetting — that's the exact escape hatch they just used.\n if (\n isResetPassword &&\n resetUserId &&\n isResponse &&\n (response as Response).status >= 200 &&\n (response as Response).status < 300\n ) {\n try {\n const { getDbExec } = await import(\"../db/client.js\");\n const db = getDbExec();\n // Use boolean literals for cross-dialect portability: Postgres\n // stores `email_verified` as BOOLEAN and rejects integer 1/0,\n // SQLite accepts TRUE/FALSE as aliases for 1/0 (since 3.23).\n // Quote `\"user\"` because it's a reserved keyword in Postgres.\n await db.execute({\n sql: 'UPDATE \"user\" SET email_verified = TRUE WHERE id = ? AND (email_verified = FALSE OR email_verified IS NULL)',\n args: [resetUserId],\n });\n\n // Revoke every existing session for this user so a stolen\n // cookie doesn't outlive the password it was paired with. 
We\n // do this AFTER Better Auth's response has been generated so\n // the freshly-minted post-reset session (if any) is captured\n // by the response's Set-Cookie header — but `auth.handler` for\n // reset-password does not auto-sign-in by default, so the\n // common path is \"wipe everything; user signs in with new\n // password.\" The legacy `sessions` table is also wiped by\n // joining through the `user.email` column.\n //\n // Skip the freshly-minted Better Auth session id when present\n // (auto-sign-in plugins / future config). Reading it from the\n // response avoids racing against Better Auth's own writes.\n const newSessionToken = extractSessionTokenFromSetCookies(\n response as Response,\n );\n\n // 1. Better Auth `session` table — keyed by user_id.\n if (newSessionToken) {\n await db.execute({\n sql: 'DELETE FROM \"session\" WHERE user_id = ? AND token <> ?',\n args: [resetUserId, newSessionToken],\n });\n } else {\n await db.execute({\n sql: 'DELETE FROM \"session\" WHERE user_id = ?',\n args: [resetUserId],\n });\n }\n\n // 2. Legacy `sessions` table — keyed by `email` column. The\n // reset-password verification row holds the user's id, not\n // their email, so we look up the email first. Best-effort —\n // skip silently if the lookup fails so the response still ships.\n try {\n const { rows } = await db.execute({\n sql: 'SELECT email FROM \"user\" WHERE id = ?',\n args: [resetUserId],\n });\n const userEmail = (rows[0]?.email ?? rows[0]?.[0]) as\n | string\n | undefined;\n if (userEmail) {\n if (newSessionToken) {\n await db.execute({\n sql: \"DELETE FROM sessions WHERE email = ? 
AND token <> ?\",\n args: [userEmail, newSessionToken],\n });\n } else {\n await db.execute({\n sql: \"DELETE FROM sessions WHERE email = ?\",\n args: [userEmail],\n });\n }\n }\n } catch {\n // Best-effort — don't block the response\n }\n } catch {\n // Best-effort — don't block the response\n }\n }\n\n return response;\n }),\n );\n\n // Backward-compat: POST /_agent-native/auth/login\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n\n // Email/password login via Better Auth\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n\n if (!email || !password) {\n setResponseStatus(event, 400);\n return { error: \"Email and password are required\" };\n }\n\n try {\n const result = await auth.api.signInEmail({\n body: { email, password },\n });\n if (result?.token) {\n setFrameworkSessionCookie(event, result.token);\n await addSession(result.token, email);\n if (isElectronRequest(event)) {\n await writeDesktopSso({\n email,\n token: result.token,\n expiresAt: Date.now() + sessionMaxAge * 1000,\n });\n }\n return authLoginResponse(event, result.token, email);\n }\n // signInEmail succeeded but returned no token — typically means the\n // email isn't verified yet. Don't return { ok: true } without a\n // session or the frontend will reload into a dead end.\n setResponseStatus(event, 403);\n return {\n error:\n \"Email not verified. 
Check your inbox for a verification link.\",\n };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"login\", email });\n }\n setResponseStatus(event, 401);\n return { error: e?.message || \"Invalid email or password\" };\n }\n }),\n );\n\n // Backward-compat: POST /_agent-native/auth/register\n app.use(\n \"/_agent-native/auth/register\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n const callbackURL =\n typeof body?.callbackURL === \"string\"\n ? safeReturnPath(body.callbackURL)\n : \"/\";\n\n if (!email || typeof email !== \"string\" || !email.includes(\"@\")) {\n setResponseStatus(event, 400);\n return { error: \"Valid email is required\" };\n }\n if (!password || typeof password !== \"string\" || password.length < 8) {\n setResponseStatus(event, 400);\n return { error: \"Password must be at least 8 characters\" };\n }\n\n try {\n await auth.api.signUpEmail({\n body: { email, password, name: email.split(\"@\")[0], callbackURL },\n });\n return { ok: true };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"signup\", email });\n }\n setResponseStatus(event, 409);\n return { error: e?.message || \"Registration failed\" };\n }\n }),\n );\n\n // Backward-compat: POST /_agent-native/auth/logout\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n\n try {\n await auth.api.signOut({ headers: event.headers });\n } catch {\n // Ignore if no Better Auth session\n }\n\n if 
(isElectronRequest(event)) await clearDesktopSso();\n\n return { ok: true };\n }),\n );\n\n // POST /_agent-native/auth/logout-all — revoke every session row for\n // the authenticated user across both auth tables. Companion to the\n // password-reset session-revocation logic; lets a user sign out\n // everywhere from one device. Requires an authenticated session.\n app.use(\n \"/_agent-native/auth/logout-all\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n if (!session?.email) {\n setResponseStatus(event, 401);\n return { error: \"Not authenticated\" };\n }\n try {\n const db = getDbExec();\n // 1. Resolve user_id from email so we can wipe Better Auth sessions\n // by their FK column.\n let userId: string | undefined;\n try {\n const { rows } = await db.execute({\n sql: 'SELECT id FROM \"user\" WHERE email = ?',\n args: [session.email],\n });\n userId = (rows[0]?.id ?? rows[0]?.[0]) as string | undefined;\n } catch {\n // User table may not exist on token-only deployments — skip.\n }\n if (userId) {\n try {\n await db.execute({\n sql: 'DELETE FROM \"session\" WHERE user_id = ?',\n args: [userId],\n });\n } catch {\n // Best-effort.\n }\n }\n\n // 2. Legacy `sessions` table — keyed by `email` column.\n try {\n await db.execute({\n sql: \"DELETE FROM sessions WHERE email = ?\",\n args: [session.email],\n });\n } catch {\n // Best-effort.\n }\n\n // 3. 
Drop the current request's cookie and best-effort sign out\n // of Better Auth (so the response sets the proper expiry header).\n clearFrameworkSessionCookies(event);\n try {\n await auth.api.signOut({ headers: event.headers });\n } catch {\n // Ignore — sessions are already gone in DB.\n }\n\n if (isElectronRequest(event)) await clearDesktopSso();\n return { ok: true };\n } catch (e: any) {\n setResponseStatus(event, 500);\n return { error: e?.message || \"Failed to revoke sessions\" };\n }\n }),\n );\n\n // GET /_agent-native/auth/session\n app.use(\n \"/_agent-native/auth/session\",\n defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? { error: \"Not authenticated\" };\n }),\n );\n\n // GET /_agent-native/auth/reset — HTML page shown when a user clicks the\n // reset link in their email. Reads ?token=... and POSTs to Better Auth's\n // /reset-password endpoint on submit.\n app.use(\n \"/_agent-native/auth/reset\",\n defineEventHandler((event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n return new Response(getResetPasswordHtml(), {\n headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n });\n }),\n );\n\n // Auth guard — stored both in framework middleware registry AND in\n // _authGuardFn so the server middleware can enforce it on ALL routes.\n const loginHtmlConfig = getOnboardingLoginHtmlConfig(options);\n _authGuardConfig = {\n ...loginHtmlConfig,\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n _authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n}\n\n// ---------------------------------------------------------------------------\n// 
mountAuthFallbackRoutes — minimal auth endpoints when Better Auth init fails\n// ---------------------------------------------------------------------------\n\nfunction mountAuthFallbackRoutes(app: H3App): void {\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n\n if (!email || !password) {\n setResponseStatus(event, 400);\n return { error: \"Email and password are required\" };\n }\n\n try {\n const auth = await getBetterAuth();\n const result = await auth.api.signInEmail({\n body: { email, password },\n });\n if (result?.token) {\n setFrameworkSessionCookie(event, result.token);\n await addSession(result.token, email);\n if (isElectronRequest(event)) {\n await writeDesktopSso({\n email,\n token: result.token,\n expiresAt: Date.now() + sessionMaxAge * 1000,\n });\n }\n return authLoginResponse(event, result.token, email);\n }\n setResponseStatus(event, 403);\n return {\n error:\n \"Email not verified. 
Check your inbox for a verification link.\",\n };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"login\", email });\n }\n setResponseStatus(event, 401);\n return { error: e?.message || \"Invalid email or password\" };\n }\n }),\n );\n\n app.use(\n \"/_agent-native/auth/register\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n\n if (!email || typeof email !== \"string\" || !email.includes(\"@\")) {\n setResponseStatus(event, 400);\n return { error: \"Valid email is required\" };\n }\n if (!password || typeof password !== \"string\" || password.length < 8) {\n setResponseStatus(event, 400);\n return { error: \"Password must be at least 8 characters\" };\n }\n\n try {\n const auth = await getBetterAuth();\n await auth.api.signUpEmail({\n body: { email, password, name: email.split(\"@\")[0] },\n });\n return { ok: true };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"signup\", email });\n }\n setResponseStatus(event, 409);\n return { error: e?.message || \"Registration failed\" };\n }\n }),\n );\n\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n\n try {\n const auth = await getBetterAuth();\n await auth.api.signOut({ headers: event.headers });\n } catch {\n // Ignore if Better Auth is still unavailable\n }\n\n if (isElectronRequest(event)) await clearDesktopSso();\n\n return { ok: true };\n }),\n );\n\n app.use(\n \"/_agent-native/auth/session\",\n 
defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? { error: \"Not authenticated\" };\n }),\n );\n}\n\n// ---------------------------------------------------------------------------\n// autoMountAuth — the recommended entry point\n// ---------------------------------------------------------------------------\n\n/**\n * Automatically configure auth based on environment and configuration:\n *\n * - **BYOA (custom getSession)**: Template-provided auth callback handles everything.\n * - **Default**: Better Auth with email/password, social providers, organizations, and JWT.\n * Users see an onboarding page to create an account on first visit.\n *\n * Local development uses the same Better Auth flow as production. Email\n * verification is automatically skipped in dev/test environments and when\n * no email provider is configured (see `shouldSkipEmailVerification`), so a\n * fresh local clone only needs an email + password to get started.\n *\n * Returns true if auth was mounted, false if skipped.\n */\nexport async function autoMountAuth(\n app: H3App,\n options: AuthOptions = {},\n): Promise<boolean> {\n // If auth is already mounted on THIS app (e.g., default plugin ran before\n // custom plugin in the same server boot), don't re-mount routes — but DO\n // update the live config if custom options like googleOnly or loginHtml\n // were provided. 
createAuthGuardFn() reads from _authGuardConfig on every\n // request, so updating it here takes effect immediately.\n //\n // We gate on `_mountedApp === app` because module-level state survives\n // Vite HMR — without this check, an HMR-restarted Nitro instance (fresh\n // H3 app, empty middleware) would short-circuit here and end up with no\n // auth routes mounted at all.\n if (_authGuardFn && _mountedApp === app) {\n if (options.mountGoogleOAuthRoutes === false) {\n setGenericGoogleOAuthRoutesEnabled(app, false);\n }\n // A custom getSession always wins — even if the default auth plugin\n // mounted first (which happens in production where bootstrapDefaultPlugins\n // can't see the template's server/plugins/ dir and auto-mounts defaults).\n if (options.getSession) {\n customGetSession = options.getSession;\n }\n if (_authGuardConfig) {\n if (\n options.googleOnly ||\n options.loginHtml ||\n options.marketing ||\n options.googleSignInNotice\n ) {\n const loginHtmlConfig = getOnboardingLoginHtmlConfig(options);\n _authGuardConfig.loginHtml = loginHtmlConfig.loginHtml;\n _authGuardConfig.getLoginHtml = loginHtmlConfig.getLoginHtml;\n }\n if (options.publicPaths) {\n _authGuardConfig.publicPaths = [\n ...(_authGuardConfig.publicPaths ?? 
[]),\n ...options.publicPaths,\n ];\n }\n if (options.workspaceAppAudience) {\n _authGuardConfig.workspaceAppAudience =\n resolveWorkspaceAppAudience(options);\n }\n if (options.workspaceAppPublicPaths) {\n _authGuardConfig.workspaceAppPublicPaths =\n options.workspaceAppPublicPaths;\n }\n if (options.workspaceAppProtectedPaths) {\n _authGuardConfig.workspaceAppProtectedPaths =\n options.workspaceAppProtectedPaths;\n }\n }\n return true;\n }\n\n // Fresh app (first boot, or HMR created a new Nitro instance) — reset\n // the guard so the mount path below installs it on the new app.\n _authGuardFn = null;\n _authGuardConfig = null;\n _mountedApp = app;\n\n if (!app) {\n if (isDevEnvironment()) {\n customGetSession = null;\n return false;\n }\n throw new Error(\n \"autoMountAuth: H3 app is required. In Nitro plugins, pass nitroApp.h3App.\",\n );\n }\n\n // Reset globals\n customGetSession = null;\n sessionMaxAge = options.maxAge ?? DEFAULT_MAX_AGE;\n const publicPaths = options.publicPaths ?? [];\n const workspaceAppAudience = resolveWorkspaceAppAudience(options);\n const workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess(options);\n\n mountAuthCorsMiddleware(app);\n\n if (options.getSession) {\n customGetSession = options.getSession;\n }\n\n // BYOA — custom getSession provider\n if (customGetSession) {\n app.use(\n \"/_agent-native/auth/session\",\n defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? 
{ error: \"Not authenticated\" };\n }),\n );\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(() => ({ ok: true })),\n );\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n if (isElectronRequest(event)) await clearDesktopSso();\n return { ok: true };\n }),\n );\n\n const byoaLoginHtml = options.loginHtml ?? getCustomAuthRequiredHtml();\n _authGuardConfig = {\n loginHtml: byoaLoginHtml,\n ...(options.loginHtml\n ? {}\n : {\n getLoginHtml: () => getCustomAuthRequiredHtml(),\n }),\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n _authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n\n if (process.env.DEBUG)\n console.log(\"[agent-native] Auth enabled — custom getSession provider.\");\n return true;\n }\n\n // Default: Better Auth (account-first)\n try {\n await mountBetterAuthRoutes(app, options);\n if (process.env.DEBUG)\n console.log(\n \"[agent-native] Auth enabled — Better Auth (accounts + organizations).\",\n );\n } catch (err) {\n console.error(\"[agent-native] Failed to initialize Better Auth:\", err);\n mountAuthFallbackRoutes(app);\n // CRITICAL: Even if Better Auth fails, register the auth guard so\n // unauthenticated users can't access the app. 
They'll see the login\n // page but won't be able to sign in until the DB is available.\n const loginHtmlConfig = getOnboardingLoginHtmlConfig(options);\n _authGuardConfig = {\n ...loginHtmlConfig,\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n _authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n console.log(\n \"[agent-native] Auth guard registered despite init failure — app is locked.\",\n );\n }\n return true;\n}\n\n// ---------------------------------------------------------------------------\n// Deprecated — kept for backward compat\n// ---------------------------------------------------------------------------\n\n/**\n * @deprecated Use `autoMountAuth(app, options?)` instead.\n */\nexport function mountAuthMiddleware(app: H3App, accessToken: string): void {\n void app;\n void accessToken;\n throw new Error(\n \"mountAuthMiddleware(accessToken) has been removed. Use createAuthPlugin() or autoMountAuth() with Better Auth, or a custom getSession provider.\",\n );\n}\n"]}
1
+ {"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,QAAQ,EACR,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,SAAS,EACT,SAAS,EACT,YAAY,EACZ,SAAS,GACV,MAAM,IAAI,CAAC;AAGZ,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EACL,8BAA8B,EAC9B,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AAExC,6EAA6E;AAC7E,0EAA0E;AAC1E,8EAA8E;AAC9E,0EAA0E;AAC1E,yEAAyE;AACzE,8EAA8E;AAC9E,4EAA4E;AAC5E,yDAAyD;AACzD,SAAS,YAAY,CAAC,KAAc;IAClC,MAAM,GAAG,GAAI,KAAa,CAAC,GAAc,CAAC;IAC1C,MAAM,GAAG,GAAI,KAAa,CAAC,OAEd,CAAC;IACd,IAAI,GAAG,EAAE,gBAAgB,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;QAC9C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC7B,MAAM,eAAe,GAAG,gBAAgB,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YAC/D,IAAI,GAAG,CAAC,QAAQ,KAAK,eAAe,EAAE,CAAC;gBACrC,GAAG,CAAC,QAAQ,GAAG,eAAe,CAAC;gBAC/B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;gBACxC,MAAM,OAAO,GAAG,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,CAAC;gBACtD,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE;oBAC3B,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,8DAA8D;oBAC9D,2DAA2D;oBAC3D,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAChD,CAAC,CAAC;YACZ,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;QACnE,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAGD,OAAO,EACL,SAAS,EACT,UAAU,EACV,OAAO,EACP,cAAc,EACd,eAAe,GAChB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAE7E,OAAO,EACL,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,iBAAiB,EACjB,oBAAoB,GAErB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,cAAc,EACd,eAAe,EACf,eAAe,GAChB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,UAAU,IAAI,iBAAiB,EAC/B,cAAc,EACd,SAAS,EACT,SAAS,EACT,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,uBAAuB,EACvB,yB
AAyB,GAC1B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,2BAA2B,EAAE,MAAM,+BAA+B,CAAC;AAC5E,OAAO,EACL,6BAA6B,EAC7B,gCAAgC,EAChC,8BAA8B,EAC9B,8BAA8B,EAC9B,+BAA+B,EAC/B,qCAAqC,GACtC,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AACvE,OAAO,EACL,6BAA6B,EAC7B,2BAA2B,EAC3B,8BAA8B,GAE/B,MAAM,qCAAqC,CAAC;AAC7C,OAAO,EAAE,0BAA0B,EAAE,MAAM,uBAAuB,CAAC;AACnE,OAAO,EACL,4BAA4B,EAC5B,qBAAqB,EACrB,mBAAmB,EACnB,qCAAqC,EACrC,oCAAoC,GACrC,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAClD,yEAAyE;AACzE,2EAA2E;AAC3E,6DAA6D;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAE/D;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,aAAa,CAAC;AACvB,CAAC;AAyID,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,qBAAqB,GAAG,0BAA0B,EAAE,CAAC;AAE3D;;;;GAIG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,qBAAqB,CAAC,qBAAqB,CAAC;AACrD,CAAC;AAED,MAAM,CAAC,MAAM,WAAW,GAAG,qBAAqB,CAAC,mBAAmB,CAAC;AACrE,MAAM,CAAC,MAAM,yBAAyB,GACpC,qBAAqB,CAAC,sBAAsB,CAAC;AAE/C;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IACjC,OAAO,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,eAAe,CAAC,KAAc,EAAE,IAAY;IACnD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAEvC,IAAI,GAAG,EAAE,CAAC;QACR,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO;gBAAE,SAAS;YACvB,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAChC,IAAI,EAAE,IAAI,CAAC;gBAAE,SAAS;YACtB,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,IAAI;gBAAE,SAAS;YAEnD,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACzC,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACjD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7B,CAAC;YACD,IAAI,CAAC;gBACH,KAAK,GAAG,kBAAkB,C
AAC,KAAK,CAAC,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,2DAA2D;YAC7D,CAAC;YACD,IAAI,KAAK,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,6EAA6E;IAC7E,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACtC,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAE5D,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,+BAA+B,CAAC,KAAc;IAC5D,OAAO,gCAAgC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,gCAAgC,CACvC,KAAc;IAEd,MAAM,OAAO,GAA2C,EAAE,CAAC;IAC3D,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IAErC,KAAK,MAAM,IAAI,IAAI,kCAAkC,EAAE,EAAE,CAAC;QACxD,KAAK,MAAM,KAAK,IAAI,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC;YACjD,IAAI,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,SAAS;YACpC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACtB,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,kCAAkC;IACzC,OAAO,qBAAqB,CAAC,2BAA2B,CAAC;AAC3D,CAAC;AAED,SAAS,0BAA0B,CAAC,KAAc,EAAE,IAAY;IAC9D,2EAA2E;IAC3E,6DAA6D;IAC7D,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IACzC,KAAK,MAAM,MAAM,IAAI,qBAAqB,CAAC,6BAA6B,EAAE,CAAC;QACzE,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC;IACnD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,KAAc;IACzD,KAAK,MAAM,IAAI,IAAI,kCAAkC,EAAE,EAAE,CAAC;QACxD,0BAA0B,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC1C,CAAC;AACH,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc;IAEd,KAAK,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,gCAAgC,CAAC,KAAK,CAAC,EAAE,CAAC;QACtE,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,CAAC;QAC3C,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,IAAI,KAAK,WAAW;gBAAE,yBAAyB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YAClE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;QACjC,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AACD,SAAS,kBAAkB;IACzB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IACjE,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,MAAM,IAAI,GAAG,GAAG;SACb,WAAW,EAAE;SACb,OA
AO,CAAC,cAAc,EAAE,GAAG,CAAC;SAC5B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC3B,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAe;IACvC,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9E,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC1D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3B,OAAO,GAAG,CAAC,QAAQ,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,EAAE,CAAC;IACvD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IAClD,OAAO,CACL,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC;QAC3B,uDAAuD,CAAC,IAAI,CAAC,OAAO,CAAC,CACtE,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,KAAc;IAChD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IAClD,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QAC7B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC5C,IACE,GAAG,CAAC,QAAQ,KAAK,QAAQ;YACzB,CAAC,QAAQ,KAAK,eAAe;gBAC3B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACnC,QAAQ,KAAK,eAAe;gBAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACnC,QAAQ,KAAK,eAAe;gBAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACnC,QAAQ,KAAK,YAAY;gBACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,EACnC,CAAC;YACD,OAAO,GAAG,CAAC,MAAM,CAAC;QACpB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,mBAAmB,CAC1B,KAAc,EACd,KAAa,EACb,UAAmC,EAAE;IAErC,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IACpC,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;IAC/C,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,EAAE,CAAC;IACvD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IAClD,OAAO,CAAC,IAAI,CAAC,8BAA8B,EAAE;QAC3C,KAAK;QACL,GAAG,EAAE,kBAAkB,EAAE;QACzB,IAAI;QACJ,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC;QAC9B,QAAQ,EAAE
,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC;QACrC,kBAAkB,EAAE,qBAAqB,CAAC,IAAI,CAAC,SAAS,CAAC;QACzD,eAAe,EACb,uDAAuD,CAAC,IAAI,CAAC,OAAO,CAAC;QACvE,GAAG,IAAI;KACR,CAAC,CAAC;AACL,CAAC;AACD,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;AAErD,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IACjC,OAAO,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,MAAM,CAAC;AACjD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,cAAc,CAAC,GAA8B;IAC3D,IAAI,CAAC,GAAG;QAAE,OAAO,GAAG,CAAC;IACrB,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IACxC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,0BAA0B,CAAC,CAAC;QACxD,IAAI,MAAM,CAAC,MAAM,KAAK,0BAA0B;YAAE,OAAO,GAAG,CAAC;QAC7D,OAAO,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,GAAG,CAAC;IACb,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAc;IACnD,MAAM,MAAM,GAAG,gBAAgB,CAAC;IAChC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;IACtD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACjE,MAAM,SAAS,GACb,MAAM,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC;IACpE,OAAO,SAAS,CAAC,CAAC,CAAC,0BAA0B,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACzE,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,iBAAiB,CAAC,EAAsB;IACtD,wEAAwE;IACxE,MAAM,UAAU,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,OAAO,CACL,UAAU,KAAK,WAAW;QAC1B,UAAU,KAAK,KAAK;QACpB,UAAU,KAAK,kBAAkB;QACjC,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAC9B,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAc;IAC9C,IAAI,EAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,EAAE,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,EAAE,GAAG,SAAS,CAAC;IACjB,CAAC;IACD,OAAO,iBAAiB,CAAC,EAAE,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;;;;;;;;;GAaG;AAC
H,KAAK,UAAU,oBAAoB,CACjC,KAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IACvD,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,MAAM,cAAc,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iCAAiC,CACxC,QAAkB;IAElB,IAAI,CAAC;QACH,yEAAyE;QACzE,qEAAqE;QACrE,MAAM,OAAO,GAAG,QAAQ,CAAC,OAExB,CAAC;QACF,MAAM,UAAU,GACd,OAAO,OAAO,CAAC,YAAY,KAAK,UAAU;YACxC,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE;YACxB,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;iBAC9B,KAAK,CAAC,aAAa,CAAC;iBACpB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;iBACpB,MAAM,CAAC,OAAO,CAAC,CAAC;QACzB,KAAK,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;YAC5B,oEAAoE;YACpE,oEAAoE;YACpE,mDAAmD;YACnD,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CACpB,sDAAsD,CACvD,CAAC;YACF,IAAI,KAAK;gBAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kCAAkC;IACpC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,SAAS,eAAe;IACtB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACxC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,MAAM;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACzB,IAAI,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IAC/C,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IACnD,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACzC,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc;IAEd,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,WAAW,CAAC,CAAC;IACjD,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI,
CAAC;AACtD,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,KAAK,UAAU,wBAAwB,CACrC,KAAc;IAEd,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACrD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE9B,IAAI,CAAC;QACH,MAAM,CAAC,EAAE,mBAAmB,EAAE,EAAE,EAAE,UAAU,EAAE,sBAAsB,EAAE,CAAC,GACrE,MAAM,OAAO,CAAC,GAAG,CAAC;YAChB,MAAM,CAAC,uBAAuB,CAAC;YAC/B,MAAM,CAAC,wBAAwB,CAAC;SACjC,CAAC,CAAC;QACL,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE,SAAS,EAAE;YACrD,WAAW,EAAE,mBAAmB,CAAC,KAAK,CAAC;YACvC,YAAY,EAAE,KAAK;SACpB,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;QAC7D,IAAI,CAAC,QAAQ,EAAE,SAAS;YAAE,OAAO,IAAI,CAAC;QACtC,MAAM,KAAK,GACT,QAAQ,CAAC,KAAK,IAAI,CAAC,MAAM,sBAAsB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;QACvE,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,SAAS;YACzB,KAAK,EAAE,WAAW;YAClB,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC5B,CAAC;IACJ,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,CAAC,CAAC,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAc;IAC5C,MAAM,EAAE,OAAO,EAAE,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;IACnD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACvC,OAAO,CACL,IAAI,KAAK,wBAAwB;QACjC,IAAI,CAAC,UAAU,CAAC,yBAAyB,CAAC,CAC3C,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,gBAAgB,CAAC,KAAc;IAC5C,MAAM,MAAM,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;IACnD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,OAAO,wBAAwB,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,8BAA8B,CAAC,KAAc;IACpD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC1C,IAAI,MAAM,IAAI,+BAA+B,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvE,qEAAqE;IACrE,wEAAwE;IACxE,2EAA2E;IAC3E,2EAA2E;IAC3E,6DAA6D;IAC7D,OAAO,CAAC,MAAM,IAAI,SAAS,CAAC,KAAK,EAAE,kBAAkB,CAAC,KAAK,eAAe,CAAC;AAC7E,CAAC;AAED,SAAS,iBAAiB,CACxB,KAAc,EACd,KAAa,EACb,KAAc;IAEd,IAAI,CAAC,8BAA8B,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IAChE,OAAO,
KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;AAClE,CAAC;AAED;;;;;GAKG;AACH,MAAM,8BAA8B,GAAa;IAC/C,yCAAyC;IACzC,sBAAsB;IACtB,wCAAwC;IACxC,kBAAkB;IAClB,yCAAyC;IACzC,iBAAiB;CAClB,CAAC;AAEF,MAAM,UAAU,qBAAqB,CAAC,KAAc;IAClD,MAAM,GAAG,GAAI,KAA+B,EAAE,OAAO,CAAC;IACtD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,8BAA8B,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,8EAA8E;AAC9E,+EAA+E;AAC/E,oEAAoE;AACpE,8EAA8E;AAE9E,IAAI,mBAA8C,CAAC;AACnD,IAAI,aAAa,GAAG,eAAe,CAAC;AAEpC,KAAK,UAAU,kBAAkB;IAC/B,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzB,mBAAmB,GAAG,CAAC,KAAK,IAAI,EAAE;YAChC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,cAAc,CAAC,GAAG,EAAE,CACxB,MAAM,CAAC,OAAO,CAAC;;;;yBAIE,OAAO,EAAE;;SAEzB,CAAC,CACH,CAAC;YACF,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,OAAO,CAAC,4CAA4C,CAAC,CAAC;YACrE,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;QACH,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACjB,sEAAsE;YACtE,mBAAmB,GAAG,SAAS,CAAC;YAChC,MAAM,GAAG,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,sBAAsB,CAAI,EAAoB;IAC3D,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,EAAE,CAAC;IACpB,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,IAAI,CAAC,EAAE,IAAI,KAAK,OAAO;YAAE,MAAM,CAAC,CAAC;QACjC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC;QACrC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,MAAM,CAAC,CAAC;QACvC,mBAAmB,GAAG,SAAS,CAAC;QAChC,MAAM,kBAAkB,EAAE,CAAC;QAC3B,OAAO,MAAM,EAAE,EAAE,CAAC;IACpB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,KAAa,EAAE,KAAc;IAC5D,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,sBAAsB,CAAC,GAAG,EAAE,CAChC,MAAM,CAAC,OAAO,CAAC;QACb,GAAG,EAAE,UAAU,EAAE;YACf,CAAC,CAAC,yJAAyJ;YAC3J,CAAC,CAAC,6EAA6E;QACjF,IAAI,EAAE,CAAC,KAAK,EAAE,KAAK,IAAI,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,uDAAuD;AACvD,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAa;IAC/C,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM
,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,sBAAsB,CAAC,GAAG,EAAE,CAChC,MAAM,CAAC,OAAO,CAAC;QACb,GAAG,EAAE,sCAAsC;QAC3C,IAAI,EAAE,CAAC,KAAK,CAAC;KACd,CAAC,CACH,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAa;IACjD,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,sBAAsB,CAAC,GAAG,EAAE,CACjD,MAAM,CAAC,OAAO,CAAC;QACb,GAAG,EAAE,wDAAwD;QAC7D,IAAI,EAAE,CAAC,KAAK,CAAC;KACd,CAAC,CACH,CAAC;IACF,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,UAAoB,CAAC;IAC/C,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,aAAa,GAAG,IAAI,EAAE,CAAC;QAClD,MAAM,MAAM,CAAC,OAAO,CAAC;YACnB,GAAG,EAAE,sCAAsC;YAC3C,IAAI,EAAE,CAAC,KAAK,CAAC;SACd,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,KAAgB,IAAI,IAAI,CAAC;AAC3C,CAAC;AAED,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E,IAAI,gBAAgB,GAClB,IAAI,CAAC;AAiBP,IAAI,gBAAgB,GAA2B,IAAI,CAAC;AACpD,MAAM,gCAAgC,GAAG,IAAI,OAAO,EAAmB,CAAC;AAExE,SAAS,cAAc,CAAC,KAAc;IACpC,OAAO,CACL,SAAS,CAAC,KAAK,EAAE,kBAAkB,CAAC;QACpC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC;QACxB,SAAS,CACV,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAC/B,OAAoB,EACpB,KAAe,EACf,OAAgB;IAEhB,OAAO;QACL,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;QAC9C,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;QACtD,WAAW,EAAE,OAAO;QACpB,aAAa,EAAE,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;KACpD,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAC5B,OAAoB,EACpB,KAAe,EACf,OAAgB;IAEhB,OAAO,iBAAiB,CAAC,wBAAwB,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,4BAA4B,CACnC,OAAoB;IAEpB,IAAI,OAAO,CAAC,SAAS;QAAE,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC;IAC/D,OAAO;QACL,SAAS,EAAE,qBAAqB,CAAC,OAAO,CAAC;QACzC,YAAY,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,CAC/B,qBAAqB,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,SAAS,2BAA2B,CAClC,UAAqD,EAAE;IAEvD,OAAO,6BAA6B,CAClC,OAAO,CAAC,oBAAoB,IAAI,2BAA2B,EAAE,CAC9D,CAAC;AA
CJ,CAAC;AAED,SAAS,8BAA8B,CACrC,UAGI,EAAE;IAEN,MAAM,GAAG,GAAG,8BAA8B,EAAE,CAAC;IAC7C,OAAO;QACL,WAAW,EAAE,OAAO,CAAC,uBAAuB,IAAI,GAAG,CAAC,WAAW;QAC/D,cAAc,EAAE,OAAO,CAAC,0BAA0B,IAAI,GAAG,CAAC,cAAc;KACzE,CAAC;AACJ,CAAC;AAED,SAAS,kCAAkC,CACzC,GAAU,EACV,OAAgB;IAEhB,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnC,gCAAgC,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED,SAAS,kCAAkC,CAAC,GAAU;IACpD,OAAO,gCAAgC,CAAC,GAAG,CAAC,GAAa,CAAC,KAAK,KAAK,CAAC;AACvE,CAAC;AA0BD,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAgC,CAAC;AAClE,MAAM,6BAA6B,GAAG,aAAa,CAAC;AACpD,MAAM,+BAA+B,GAAG,IAAI,GAAG,CAAC;IAC9C,mBAAmB;IACnB,uBAAuB;CACxB,CAAC,CAAC;AAEH,iEAAiE;AACjE,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAE9C,MAAM,UAAU,kBAAkB,CAChC,MAAc,EACd,KAAa,EACb,KAAa;IAEb,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE;QAC5B,KAAK;QACL,KAAK;QACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB;KAChD,CAAC,CAAC;IACH,wEAAwE;IACxE,yEAAyE;IACzE,kBAAkB;IAClB,KAAK,0BAA0B,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,MAAc,EACd,KAAkC;IAElC,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE;QAC5B,KAAK;QACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB;KAChD,CAAC,CAAC;IACH,KAAK,+BAA+B,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AACtD,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,0BAA0B,CACvC,MAAc,EACd,KAAa,EACb,KAAa;IAEb,IAAI,CAAC;QACH,MAAM,UAAU,CAAC,OAAO,MAAM,EAAE,EAAE,GAAG,KAAK,KAAK,KAAK,EAAE,CAAC,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;IAClD,CAAC;AACH,CAAC;AAED,KAAK,UAAU,+BAA+B,CAC5C,MAAc,EACd,KAAkC;IAElC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACzE,MAAM,UAAU,CACd,OAAO,MAAM,EAAE,EACf,GAAG,6BAA6B,GAAG,OAAO,EAAE,CAC7C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;IAClD,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,4BAA4B,CACzC,MAAc;IAEd,IAAI,CAAC;QACH,wEAAwE;QACxE,6EAA6E;QAC7E,wDAAwD;QACxD,yEAAyE;QACzE,wEAAwE;QACxE,wDAAwD;QACxD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;YACpC,GAAG,EAAE,yEAAyE;YAC9E,IAAI,EAAE,CAAC,OAAO,MAAM,EAAE
,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB,CAAC;SAC9D,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAkB,CAAC;QAC9D,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACzB,IAAI,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,EAAE,CAAC;YACrD,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,MAAM,CAAC,CAAC;YAC/D,OAAO;gBACL,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC;aAC5D,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,MAAM,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/B,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC;IAC7E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,WAAW,CAAC,GAAG,EAAE;IACf,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,iBAAiB,EAAE,CAAC;QACvC,IAAI,CAAC,CAAC,SAAS,GAAG,GAAG;YAAE,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC;AACH,CAAC,EAAE,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC;AAErB;;;;GAIG;AACH,IAAI,YAAY,GAEL,IAAI,CAAC;AAEhB;;;;;;;GAOG;AACH,IAAI,WAAW,GAAiB,IAAI,CAAC;AAErC;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,KAAc;IAEd,IAAI,CAAC,YAAY;QAAE,OAAO,CAAC,sCAAsC;IACjE,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC;AAC7B,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,SAAS,gBAAgB,CAAC,KAAc;IAItC,wEAAwE;IACxE,oEAAoE;IACpE,oEAAoE;IACpE,gEAAgE;IAChE,kCAAkC;IAClC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,CAC7B,SAAS,CAAC,KAAK,EAAE,gCAAgC,CAAC,IAAI,EAAE,CACzD;SACE,WAAW,EAAE;SACb,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IAClC,MAAM,mBAAmB,GACvB,oBAAoB,CAAC,MAAM,CAAC;QAC5B,CAAC,yBAAyB,CAAC,KAAK,CAAC;YAC/B,gBAAgB,CAAC,QAAQ,CAAC,mBAAmB,CAAC,WAAW,EAAE,CAAC;YAC5D,gBAAgB,CAAC,QAAQ,CAAC,uBAAuB,CAAC;YAClD,OAAO,CAAC,SAAS,CAAC
,KAAK,EAAE,mBAAmB,CAAC,CAAC;YAC9C,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAC;YAClD,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;IAChD,MAAM,aAAa,GAAG,oBAAoB,CAAC,MAAM,EAAE;QACjD,cAAc,EAAE,sBAAsB,EAAE;QACxC,6BAA6B,EAAE,IAAI;KACpC,CAAC,CAAC;IACH,MAAM,cAAc,GAAG,mBAAmB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,aAAa,CAAC;IACpE,IAAI,CAAC,cAAc;QAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAChE,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,cAAc,CAAC,CAAC;IACxE,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3C,IAAI,CAAC,mBAAmB,IAAI,8BAA8B,CAAC,cAAc,CAAC,EAAE,CAAC;QAC3E,iBAAiB,CAAC,KAAK,EAAE,kCAAkC,EAAE,MAAM,CAAC,CAAC;IACvE,CAAC;IACD,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;IACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,mBAAmB;QACjB,CAAC,CAAC,4BAA4B;QAC9B,CAAC,CAAC;YACE,cAAc;YACd,eAAe;YACf,kBAAkB;YAClB,kBAAkB;YAClB,qBAAqB;YACrB,iBAAiB;YACjB,mBAAmB;SACpB,CAAC,IAAI,CAAC,GAAG,CAAC,CAChB,CAAC;IACF,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,qBAAqB;IAC5B,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACrC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,SAAS;YAAE,OAAO;QAE3C,IAAI,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,uBAAuB,CAAC,GAAU;IACzC,MAAM,OAAO,GAAG,qBAAqB,EAAE,CAAC;IACxC,GAAG,CAAC,GAAG,CAAC,qBAAqB,EAAE,OAAO,CAAC,CAAC;IACxC,GAAG,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,oCAAoC;IAC3C,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG;QAC1C,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,GAAG,CAChD,CAAC;AACJ,CAAC;AAED,SAAS,4BAA4B,CAAC,QAAgB;IACpD,OAAO,CACL,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC;QACtC,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAc;IAI7C,MAAM,eAAe,GAAI,KAAa,CAAC,OAAO,EAAE,gBAAgB,CAAC;IACjE,IAAI,OAAO,eAAe,KAAK,QAAQ,IAAI,eAAe,EAAE,CAAC;QAC3D,OA
AO,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,EAAE,MAAM,IAAI,EAAE,EAAE,CAAC;IACvE,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;IACtD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,OAAO;QACL,OAAO,EAAE,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG;QACzD,MAAM,EAAE,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE;KACrD,CAAC;AACJ,CAAC;AAED,SAAS,mCAAmC,CAC1C,KAAc;IAEd,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;IAC3D,MAAM,cAAc,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,IACE,CAAC,QAAQ;QACT,CAAC,oCAAoC,EAAE;QACvC,CAAC,4BAA4B,CAAC,cAAc,CAAC;QAC7C,OAAO,KAAK,GAAG,QAAQ,gBAAgB;QACvC,OAAO,CAAC,UAAU,CAAC,GAAG,QAAQ,iBAAiB,CAAC,EAChD,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,eAAe,CAC/B,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAClD,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACf,MAAM,KAAK,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;IAC5C,IACE,CAAC,KAAK;QACN,KAAK,KAAK,kBAAkB,EAAE;QAC9B,CAAC,2BAA2B,CAAC,KAAK,CAAC,EACnC,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;QACtB,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,KAAK,GAAG,cAAc,GAAG,MAAM,EAAE,EAAE;KAC7D,CAAC,CAAC;AACL,CAAC;AAED,SAAS,kCAAkC,CAAC,GAAW;IACrD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAChC,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAC9D,qBAAqB,CACtB,CAAC;IACF,OAAO,oCAAoC,CAAC,KAAK,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,iCAAiC,CAAC,KAAc,EAAE,CAAS;IAClE,IAAI,CAAC,KAAK,gCAAgC,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;QACtD,OAAO,OAAO,CAAC,kCAAkC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,CAAC,KAAK,iCAAiC,EAAE,CAAC;QAC5C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;QACtD,MAAM
,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,KAAK,GACT,UAAU,IAAI,CAAC;YACb,CAAC,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAChD,mBAAmB,CACpB;YACH,CAAC,CAAC,IAAI,CAAC;QACX,sEAAsE;QACtE,uEAAuE;QACvE,uEAAuE;QACvE,0EAA0E;QAC1E,uEAAuE;QACvE,IAAI,qCAAqC,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAE9D,oEAAoE;QACpE,uEAAuE;QACvE,MAAM,UAAU,GAAG,+BAA+B,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;QACrE,IAAI,UAAU;YAAE,OAAO,KAAK,CAAC;QAC7B,OAAO,OAAO,CACZ,oCAAoC,CAClC,SAAS,CAAC,KAAK,EAAE,4BAA4B,CAAC,CAC/C,CACF,CAAC;IACJ,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,sBAAsB,GAC1B,oDAAoD,CAAC;AACvD,MAAM,0BAA0B,GAC9B,oDAAoD,CAAC;AACvD,MAAM,2BAA2B,GAC/B,qDAAqD,CAAC;AAExD,SAAS,cAAc,CAAC,KAAa;IACnC,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,0BAA0B,CAAC,SAAiB,EAAE,KAAc;IACnE,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAClD,IAAI,YAAY,KAAK,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IAE1C,MAAM,iBAAiB,GACrB,sBAAsB,CAAC,IAAI,CAAC,SAAS,CAAC;QACtC,2BAA2B,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,cAAc,CAC7B,qCAAqC,CACnC,SAAS,CAAC,KAAK,EAAE,8BAA8B,CAAC,CACjD,CACF,CAAC;IACF,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,sCAAsC,QAAQ,IAAI,CAAC,CAAC;QAC9D,IAAI,CAAC,IAAI,CAAC,iDAAiD,QAAQ,IAAI,CAAC,CAAC;QACzE,IAAI,CAAC,IAAI,CACP,2CAA2C,8BAA8B,IAAI,CAC9E,CAAC;QACF,IAAI,CAAC,IAAI,CACP,4CAA4C,+BAA+B,IAAI,CAChF,CAAC;QACF,IAAI,CAAC,IAAI,CACP,6CAA6C,gCAAgC,IAAI,CAClF,CAAC;QACF,IAAI,CAAC,IAAI,CACP,0CAA0C,6BAA6B,IAAI,CAC5E,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAChD,IAAI,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,uCAAuC,QAAQ,IAAI,CAAC,CAAC;QAC/D,IAAI,CAAC,IAAI,CACP,2CAA2C,6BAA6B,IAAI,CAC7E,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IACxC,OAAO,CACL,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC;QA
ChC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACb,SAAS,CAAC,KAAK,CAAC,YAAY,CAAC,CAC9B,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAiB,EAAE,KAAc;IAC1D,OAAO,IAAI,QAAQ,CAAC,0BAA0B,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE;QAChE,MAAM,EAAE,GAAG;QACX,OAAO,EAAE;YACP,cAAc,EAAE,0BAA0B;YAC1C,0EAA0E;YAC1E,qEAAqE;YACrE,yEAAyE;YACzE,wEAAwE;YACxE,uEAAuE;YACvE,4BAA4B;YAC5B,GAAG,yBAAyB;YAC5B,cAAc,EAAE,mBAAmB;SACpC;KACF,CAAC,CAAC;AACL,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc,EAAE,QAAgB;IAC7D,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAE7C,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,EAAE,gBAAgB,CAAC,EAAE,WAAW,EAAE,CAAC;IACpE,IAAI,SAAS,KAAK,UAAU,IAAI,SAAS,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAEpE,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,EAAE,WAAW,EAAE,CAAC;IACzD,OAAO,CAAC,MAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,iBAAiB;IAGxB,OAAO,KAAK,EAAE,KAAc,EAAE,EAAE;QAC9B,MAAM,MAAM,GAAG,gBAAgB,CAAC;QAChC,IAAI,CAAC,MAAM;YAAE,OAAO;QACpB,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;QAE/B,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC;QACtD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,OAAO,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QACjE,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,SAAS,CAAC;QAC5E,MAAM,CAAC,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,aAAa,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3E,MAAM,aAAa,GAAG,mCAAmC,CAAC,KAAK,CAAC,CAAC;QACjE,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,iEAAiE;QACjE,2CAA2C;QAC3C,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACrC,qEAAqE;QACrE,mEAAmE;QACnE,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACpC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,CAAC;YACZ,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAA
C;QAED,2EAA2E;QAC3E,6EAA6E;QAC7E,IACE,CAAC,CAAC,UAAU,CAAC,sBAAsB,CAAC;YACpC,CAAC,KAAK,gCAAgC;YACtC,CAAC,KAAK,gCAAgC;YACtC,CAAC,KAAK,4CAA4C,EAClD,CAAC;YACD,OAAO;QACT,CAAC;QAED,uEAAuE;QACvE,yEAAyE;QACzE,qEAAqE;QACrE,mEAAmE;QACnE,kDAAkD;QAClD,IAAI,CAAC,KAAK,qBAAqB,IAAI,CAAC,KAAK,gBAAgB,EAAE,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,0EAA0E;QAC1E,2EAA2E;QAC3E,IAAI,iDAAiD,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,0EAA0E;QAC1E,wEAAwE;QACxE,4EAA4E;QAC5E,0EAA0E;QAC1E,0DAA0D;QAC1D,IAAI,CAAC,KAAK,0CAA0C,EAAE,CAAC;YACrD,OAAO;QACT,CAAC;QAED,wEAAwE;QACxE,wEAAwE;QACxE,wEAAwE;QACxE,IAAI,CAAC,KAAK,sDAAsD,EAAE,CAAC;YACjE,OAAO;QACT,CAAC;QAED,4EAA4E;QAC5E,qEAAqE;QACrE,4EAA4E;QAC5E,0EAA0E;QAC1E,IAAI,CAAC,KAAK,yCAAyC,EAAE,CAAC;YACpD,OAAO;QACT,CAAC;QAED,2EAA2E;QAC3E,0EAA0E;QAC1E,6EAA6E;QAC7E,IAAI,CAAC,CAAC,UAAU,CAAC,mCAAmC,CAAC,EAAE,CAAC;YACtD,OAAO;QACT,CAAC;QAED,uEAAuE;QACvE,uEAAuE;QACvE,IAAI,CAAC,KAAK,oBAAoB,EAAE,CAAC;YAC/B,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,wEAAwE;QACxE,uEAAuE;QACvE,wEAAwE;QACxE,yEAAyE;QACzE,4EAA4E;QAC5E,+CAA+C;QAC/C,sEAAsE;QACtE,IAAI,CAAC,KAAK,oBAAoB,IAAI,CAAC,KAAK,qBAAqB,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,mEAAmE;QACnE,oEAAoE;QACpE,oEAAoE;QACpE,uEAAuE;QACvE,uEAAuE;QACvE,yEAAyE;QACzE,yEAAyE;QACzE,yEAAyE;QACzE,uEAAuE;QACvE,2BAA2B;QAC3B,EAAE;QACF,yEAAyE;QACzE,sEAAsE;QACtE,2DAA2D;QAC3D,yEAAyE;QACzE,oDAAoD;QACpD,EAAE;QACF,yEAAyE;QACzE,2EAA2E;QAC3E,0EAA0E;QAC1E,+DAA+D;QAC/D,IACE,CAAC,KAAK,4BAA4B;YAClC,CAAC,KAAK,yCAAyC;YAC/C,CAAC,KAAK,wCAAwC;YAC9C,CAAC,KAAK,oCAAoC;YAC1C,CAAC,KAAK,gCAAgC;YACtC,CAAC,KAAK,mCAAmC,EACzC,CAAC;YACD,OAAO;QACT,CAAC;QAED,sEAAsE;QACtE,qEAAqE;QACrE,qEAAqE;QACrE,oEAAoE;QACpE,mEAAmE;QACnE,uEAAuE;QACvE,mEAAmE;QACnE,qEAAqE;QACrE,yDAAyD;QACzD,IACE,oBAAoB,EAAE;YACtB,CAAC,CAAC,KAAK,+BAA+B;gBACpC,CAAC,KAAK,kCAAkC,CAAC,EAC3C,CAAC;YACD,OAAO;QACT,CAAC;QAED,yEAAyE;QACzE,iEAAiE;QACjE,sEAAsE;QACtE,uEAAuE;QACvE,oEAAoE;QACpE,6DAA6D;QAC7D,IAAI,CAAC,KAAK,kCAAkC,EAAE,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,qEAAqE;QACrE,sEAAsE;QACtE,iDAAiD;QACjD,IAAI,CAAC,KAAK,u
CAAuC,EAAE,CAAC;YAClD,OAAO;QACT,CAAC;QAED,4EAA4E;QAC5E,wEAAwE;QACxE,uEAAuE;QACvE,0EAA0E;QAC1E,2EAA2E;QAC3E,0EAA0E;QAC1E,2EAA2E;QAC3E,qEAAqE;QACrE,6EAA6E;QAC7E,yDAAyD;QACzD,IAAI,CAAC,KAAK,4BAA4B,EAAE,CAAC;YACvC,OAAO;QACT,CAAC;QAED,qEAAqE;QACrE,uEAAuE;QACvE,oEAAoE;QACpE,qEAAqE;QACrE,uCAAuC;QACvC,EAAE;QACF,qEAAqE;QACrE,qEAAqE;QACrE,mEAAmE;QACnE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,+DAA+D;QAC/D,oCAAoC;QACpC,EAAE;QACF,IAAI,CAAC,KAAK,wBAAwB,EAAE,CAAC;YACnC,MAAM,QAAQ,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAClE,MAAM,UAAU,GAAG,cAAc,CAC/B,IAAI,eAAe,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAC5C,CAAC;YACF,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;oBACtB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;iBAClC,CAAC,CAAC;YACL,CAAC;YACD,OAAO,iBAAiB,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC7C,CAAC;QAED,0EAA0E;QAC1E,0EAA0E;QAC1E,6CAA6C;QAC7C,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,QAAQ,GAAG,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAClE,MAAM,UAAU,GAAG,cAAc,CAC/B,IAAI,eAAe,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAC5C,CAAC;gBACF,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE;oBACtB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE;wBACP,QAAQ,EAAE,UAAU,KAAK,GAAG,CAAC,CAAC,CAAC,cAAc,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,UAAU;qBACpE;iBACF,CAAC,CAAC;YACL,CAAC;YACD,OAAO,iBAAiB,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC7C,CAAC;QAED,wDAAwD;QACxD,IACE,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC;YACxB,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC;YACxB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACjB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAClB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACpB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EACnB,CAAC;YACD,OAAO;QACT,CAAC;QAED,uEAAuE;QACvE,mEAAmE;QA
CnE,oEAAoE;QACpE,kEAAkE;QAClE,qEAAqE;QACrE,iEAAiE;QACjE,gCAAgC;QAChC,IAAI,CAAC,KAAK,aAAa;YAAE,OAAO;QAChC,IAAI,CAAC,KAAK,uCAAuC;YAAE,OAAO;QAC1D,IAAI,YAAY,CAAC,aAAa,EAAE,WAAW,CAAC;YAAE,OAAO;QACrD,IAAI,iCAAiC,CAAC,KAAK,EAAE,CAAC,CAAC;YAAE,OAAO;QACxD,IAAI,4BAA4B,CAAC,KAAK,EAAE,CAAC,EAAE,MAAM,CAAC,EAAE,CAAC;YACnD,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,OAAO;YAAE,OAAO;QAEpB,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC7D,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC;YACrC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QACnC,CAAC;QAED,uEAAuE;QACvE,kEAAkE;QAClE,mFAAmF;QACnF,oEAAoE;QACpE,iEAAiE;QACjE,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,MAAM,WAAW,GAAG,MAAM,yBAAyB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAChE,IAAI,WAAW;gBAAE,OAAO,WAAW,CAAC;QACtC,CAAC;QAED,OAAO,iBAAiB,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC;AACJ,CAAC;AAED,2EAA2E;AAC3E,wEAAwE;AACxE,6EAA6E;AAC7E,2EAA2E;AAC3E,MAAM,sBAAsB,GAAG,gBAAgB,CAAC;AAChD,yEAAyE;AACzE,iDAAiD;AAEjD,2EAA2E;AAC3E,wEAAwE;AACxE,4EAA4E;AAC5E,0EAA0E;AAC1E,MAAM,6BAA6B,GAAG,WAAW,CAAC;AAElD,IAAI,yBAAyB,GAAG,KAAK,CAAC;AAEtC,SAAS,cAAc;IACrB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9D,OAAO,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,MAAM,CAAC;AAC3C,CAAC;AAED,SAAS,sBAAsB;IAC7B,IAAI,CAAC,cAAc,EAAE;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC,yBAAyB,EAAE,CAAC;QAC/B,yBAAyB,GAAG,IAAI,CAAC;QACjC,OAAO,CAAC,IAAI,CACV,6EAA6E,sBAAsB,EAAE,CACtG,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;AAC3C,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,EAAgC;IAEhC,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;QAChC,GAAG,EAAE,oDAAoD;QACzD,IAAI,EAAE,CAAC,sBAAsB,EAAE,6BAA6B,CAAC;KAC9D,CAAC,CAAC;IACH,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;AACzB,CAAC;AAID,MAAM,8BAA8B,GAAG,IAAI,GAAG,EAG3C,CAAC;AAEJ,SAAS,4BAA4B;IACnC,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,OAAO,CA
AC,GAAG,CAAC,aAAa,IAAI,EAAE,EAAE,CAAC;AAC/D,CAAC;AAED,KAAK,UAAU,8BAA8B,CAC3C,IAA4D,EAC5D,EAAgC;IAEhC,MAAM,GAAG,GAAG,4BAA4B,EAAE,CAAC;IAC3C,IAAI,eAAe,GAAG,8BAA8B,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAE9D,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAEjE,eAAe,GAAG,CAAC,KAAK,IAAI,EAAE;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;oBACzB,IAAI,EAAE;wBACJ,KAAK,EAAE,sBAAsB;wBAC7B,QAAQ,EAAE,WAAW;wBACrB,IAAI,EAAE,KAAK;qBACZ;iBACF,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,kEAAkE;gBAClE,oEAAoE;gBACpE,qEAAqE;gBACrE,IAAI,MAAM,qBAAqB,CAAC,EAAE,CAAC;oBAAE,OAAO,IAAI,CAAC;gBACjD,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC;oBAAE,MAAM,CAAC,CAAC;gBACvC,OAAO,IAAI,CAAC;YACd,CAAC;YAED,mEAAmE;YACnE,sEAAsE;YACtE,sDAAsD;YACtD,OAAO,CAAC,GAAG,CACT,gDAAgD;gBAC9C,eAAe,sBAAsB,IAAI;gBACzC,eAAe,WAAW,IAAI;gBAC9B,kEAAkE;gBAClE,+DAA+D,CAClE,CAAC;YAEF,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;QACnC,CAAC,CAAC,EAAE,CAAC;QAEL,8BAA8B,CAAC,GAAG,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;QACzD,eAAe;aACZ,OAAO,CAAC,GAAG,EAAE;YACZ,IAAI,8BAA8B,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,eAAe,EAAE,CAAC;gBAChE,8BAA8B,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC,CAAC;aACD,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IACrB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC;IACrC,OAAO,MAAM,EAAE,QAAQ,IAAI,IAAI,CAAC;AAClC,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,KAAK,UAAU,yBAAyB,CACtC,KAAc,EACd,UAAkB;IAElB,IAAI,CAAC,gBAAgB,EAAE;QAAE,OAAO,IAAI,CAAC;IACrC,IAAI,OAAO,CAAC,GAAG,CAAC,qCAAqC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC3E,qEAAqE;IACrE,yEAAyE;IACzE,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3C,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;QACvB,iEAAiE;QACjE,oEAAoE;QACpE,2DAA2D;QAC3D,2BAA2B;QAC3B,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAE,wDAAwD;YAC7D,IAAI,EAAE,CAAC,sBAAsB,EAAE,6BAA6B,CAAC;SAC9D,CAAC,CAAC;QACH,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAEtC,sEAAsE;QACtE,gEAAgE;QAChE,gEAAgE;QAChE,gEAAgE;QAChE,mEAAmE;QACnE,mEAAmE;QACnE,iEAAiE;
QACjE,mEAAmE;QACnE,0BAA0B;QAC1B,IAAI,MAAM,qBAAqB,CAAC,EAAE,CAAC;YAAE,OAAO,IAAI,CAAC;QAEjD,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;QACnC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,mEAAmE;QACnE,oEAAoE;QACpE,yEAAyE;QACzE,mEAAmE;QACnE,yBAAyB;QACzB,MAAM,WAAW,GAAG,MAAM,8BAA8B,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACnE,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;YACxC,IAAI,EAAE;gBACJ,KAAK,EAAE,sBAAsB;gBAC7B,QAAQ,EAAE,WAAW;aACtB;SACF,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,EAAE,KAAK;YAAE,OAAO,IAAI,CAAC;QAEhC,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,sBAAsB,CAAC,CAAC;QAEvD,8DAA8D;QAC9D,qEAAqE;QACrE,qEAAqE;QACrE,qDAAqD;QACrD,OAAO,yBAAyB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IACtD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,mEAAmE;QACnE,gEAAgE;QAChE,qDAAqD;QACrD,OAAO,CAAC,IAAI,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,SAG7B;IACC,OAAO;QACL,KAAK,EAAE,SAAS,CAAC,IAAI,CAAC,KAAK;QAC3B,MAAM,EAAE,SAAS,CAAC,IAAI,CAAC,EAAE;QACzB,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,IAAI;QACzB,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,SAAS,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChE,KAAK,EAAE,SAAS,CAAC,OAAO,EAAE,KAAK;KAChC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,kBAAkB,CAAC,OAAoB;IACpD,IAAI,OAAO,CAAC,KAAK;QAAE,OAAO,OAAO,CAAC;IAClC,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;IACnE,MAAM,KAAK,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1E,OAAO,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;AACjD,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,KAAc;IAC7C,sEAAsE;IACtE,yEAAyE;IACzE,sEAAsE;IACtE,iEAAiE;IACjE,MAAM,GAAG,GAAG,KAAK,CAAC,OAEjB,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,KAAK,IAAI,EAAE;QAC3C,MAAM,OAAO,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QACpD,OAAO,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAChE,CAAC,CAAC,EAAE,
CAAC,CAAC;AACR,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAc;IAEd,yEAAyE;IACzE,0EAA0E;IAC1E,yEAAyE;IACzE,uEAAuE;IACvE,0EAA0E;IAC1E,sEAAsE;IACtE,4EAA4E;IAC5E,iDAAiD;IACjD,MAAM,YAAY,GAAG,MAAM,8BAA8B,CAAC,KAAK,CAAC,CAAC;IACjE,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,KAAK,EAAE,YAAY,CAAC,KAAK;YACzB,KAAK,EAAE,YAAY,CAAC,KAAK;YACzB,GAAG,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7D,CAAC;IACJ,CAAC;IAED,oDAAoD;IACpD,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IACvC,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;IAC1C,CAAC;IAED,4BAA4B;IAC5B,IAAI,gBAAgB,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,OAAO;YAAE,OAAO,OAAO,CAAC;QAE5B,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACpD,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,mEAAmE;QACnE,oEAAoE;QACpE,mEAAmE;QACnE,qEAAqE;QACrE,oEAAoE;QACpE,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,GAAG,EAAE,KAAK;YAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;QAC9D,wCAAwC;IAC1C,CAAC;SAAM,CAAC;QACN,yEAAyE;QACzE,0EAA0E;QAC1E,wEAAwE;QACxE,oEAAoE;QACpE,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;QACpD,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,kDAAkD;QAClD,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,iBAAiB,EAAE,CAAC;YAC/B,IAAI,EAAE,EAAE,CAAC;gBACP,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC;oBACxC,OAAO,EAAE,KAAK,CAAC,OAAO;iBACvB,CAAC,CAAC;gBACH,IAAI,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;oBAC3B,OAAO,oBAAoB,CAAC,SAAS,CAAC,CAAC;gBACzC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,iCAAiC,EAAE,CAAC,CAAC,CAAC;QACtD,CAAC;QAED,oEAAoE;QACpE,MAAM,aAAa,GAAG,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,aAAa;YAAE,OAAO,aAAa,CAAC;QAExC,kCAAkC;QAClC,qEAAqE;QACrE,sEAAsE;QACtE,gEAAgE;QAChE,oEAAoE;QACpE,uEAAuE;QACvE,wEAAwE;QACxE,kEAAkE;QAClE,gEAAgE;QAChE,MAAM,GAAG,GAAG,MAAM,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,GAAG,EAAE,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,KA
AK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,MAAM,YAAY,GAAG,MAAM,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,mEAAmE;IACnE,2EAA2E;IAC3E,oEAAoE;IACpE,MAAM,mBAAmB,GAAG,sBAAsB,EAAE,CAAC;IACrD,IAAI,mBAAmB;QAAE,OAAO,mBAAmB,CAAC;IAEpD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,KAAc;IAEd,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,QAA8B,CAAC;IAC/D,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACzC,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAC3D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAChC,OAAO,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,oBAAoB,CAAC,KAAc;IAK1C,OAAO,cAAc,CAAC,KAAK,CAAC;QAC1B,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;QACvD,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAc,EAAE,KAAa;IACrE,4BAA4B,CAAC,KAAK,CAAC,CAAC;IACpC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE;QACnC,QAAQ,EAAE,IAAI;QACd,GAAG,oBAAoB,CAAC,KAAK,CAAC;QAC9B,GAAG,iBAAiB,EAAE;QACtB,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,aAAa;KACtB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAS,yBAAyB,CAChC,KAAc,EACd,QAAgB,EAChB,MAAM,GAAG,GAAG;IAEZ,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,OAAO,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC;IAC1D,KAAK,MAAM,MAAM,IAAI,MAAM;QAAE,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAClE,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QACtD,IAAI,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,GAAG,GAAS,KAAa,CAAC,G
AAG,IAAI,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC;QACvD,MAAM,GAAG,GAAuB,GAAG,EAAE,GAAG,CAAC;QACzC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QACvE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QACxE,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,SAAS,YAAY,CAAC,GAAW,EAAE,WAAqB;IACtD,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5B,OAAO,eAAe,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,KAAe;IACpD,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;QAC9B,MAAM,UAAU,GACd,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;YAC7C,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACxB,CAAC,CAAC,SAAS,CAAC;QAChB,OAAO,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,GAAG,GAAG,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,4BAA4B,CACnC,KAAc,EACd,IAAY,EACZ,MAAuB;IAEvB,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IACE,IAAI,KAAK,gBAAgB;QACzB,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC;QAClC,IAAI,KAAK,MAAM;QACf,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QACxB,IAAI,KAAK,cAAc;QACvB,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,EAChC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,0BAA0B,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3E,IAAI,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,uBAAuB,CAAC;QAAE,OAAO,IAAI,CAAC;IACvE,OAAO,MAAM,CAAC,oBAAoB,KAAK,QAAQ,CAAC;AAClD,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,IAAI,CAAC,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC/B,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACtC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;QACxC,OAAO,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;IAChD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,8EAA8E;AAC9E,uEAAuE;AACvE,8EAA8E;AAE9E,SAAS,yBAAyB;IAChC,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAqFD,CAAC;AACT,CAAC;AAED,8EAA8E;AAC9E,+EAA+E;
AAC/E,8EAA8E;AAE9E,KAAK,UAAU,qBAAqB,CAClC,GAAU,EACV,OAAoB;IAEpB,MAAM,WAAW,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,CAAC;IACrD,MAAM,oBAAoB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAClE,MAAM,uBAAuB,GAAG,8BAA8B,CAAC,OAAO,CAAC,CAAC;IAExE,wEAAwE;IACxE,0EAA0E;IAC1E,KAAK,MAAM,EAAE,IAAI,CAAC,cAAc,EAAE,cAAc,EAAE,cAAc,CAAC,EAAE,CAAC;QAClE,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;YAAE,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,0EAA0E;IAC1E,uEAAuE;IACvE,yCAAyC;IACzC,IACE,OAAO,CAAC,GAAG,CAAC,gBAAgB;QAC5B,OAAO,CAAC,GAAG,CAAC,oBAAoB;QAChC,OAAO,CAAC,sBAAsB,KAAK,KAAK,EACxC,CAAC;QACD,kCAAkC,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC9C,KAAK,MAAM,EAAE,IAAI;YACf,gCAAgC;YAChC,gCAAgC;SACjC,EAAE,CAAC;YACF,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAAE,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,YAAY,GAAG;YACnB,QAAQ;YACR,gDAAgD;YAChD,kDAAkD;SACnD,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,GAAG,CAAC,GAAG,CACL,gCAAgC,EAChC,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;YAC3B,IAAI,CAAC,kCAAkC,CAAC,GAAG,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC/D,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;gBAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,oEAAoE;YACpE,uDAAuD;YACvD,mEAAmE;YACnE,oEAAoE;YACpE,2DAA2D;YAC3D,MAAM,WAAW,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;YACnD,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;gBACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC;YAC3C,CAAC;YACD,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC1B,MAAM,OAAO,GACX,iBAAiB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,OAAO,KAAK,GAAG,IAAI,CAAC,CAAC,OAAO,KAAK,MAAM,CAAC;YACxE,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC,CAAC,OAAkB,IAAI,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YACxE,gEAAgE;YAChE,+DAA+D;YAC/D,+DAA+D;YAC/D,6BAA6B;YAC7B,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,CAAC;YAC7B,MAAM,SAAS,GACb,OAAO,WAAW,KAAK,QAAQ;gBAC7B,CAAC,CAAC,kBAAkB,CAAC,WAAW,EAAE;oBAC9B,oBAAoB,EAAE,qBAAqB,CAAC,KAAK,CAAC;oBAClD,cAAc,EAAE,CAAC,0BAA0B,CAAC,KAAK,CAAC,CAAC;iBACpD,CAAC;gBACJ,CAAC,CAAC,GAAG,CAAC;YACV,MAAM,SAAS,GAAG,SAAS,KAAK,GAAG,CAAC,CAAC,CAAC
,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC5D,MAAM,KAAK,GAAG,gBAAgB,CAAC;gBAC7B,WAAW;gBACX,OAAO;gBACP,UAAU,EAAE,KAAK;gBACjB,GAAG,EAAE,kBAAkB,EAAE;gBACzB,SAAS;gBACT,MAAM;aACP,CAAC,CAAC;YACH,mBAAmB,CAAC,KAAK,EAAE,UAAU,EAAE;gBACrC,MAAM;gBACN,OAAO;gBACP,YAAY,EAAE,iBAAiB,CAAC,WAAW,CAAC;gBAC5C,SAAS;gBACT,QAAQ,EAAE,CAAC,CAAC,QAAQ,KAAK,GAAG;gBAC5B,SAAS,EACP,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG;oBAC1C,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,GAAG;aAClD,CAAC,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;gBACjC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAiB;gBACxC,YAAY,EAAE,WAAW;gBACzB,aAAa,EAAE,MAAM;gBACrB,KAAK,EAAE,YAAY;gBACnB,WAAW,EAAE,QAAQ;gBACrB,MAAM,EAAE,gBAAgB;gBACxB,KAAK;aACN,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,gDAAgD,MAAM,EAAE,CAAC;YACzE,IAAI,CAAC,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;gBACvB,mEAAmE;gBACnE,qEAAqE;gBACrE,oEAAoE;gBACpE,qEAAqE;gBACrE,mEAAmE;gBACnE,+DAA+D;gBAC/D,mEAAmE;gBACnE,mEAAmE;gBACnE,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACxB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE;iBAC/B,CAAC,CAAC;YACL,CAAC;YACD,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;QAC1B,CAAC,CAAC,CACH,CAAC;QAEF,GAAG,CAAC,GAAG,CACL,gCAAgC,EAChC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,IAAI,CAAC,kCAAkC,CAAC,GAAG,CAAC;gBAAE,OAAO,SAAS,CAAC;YAC/D,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;gBAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,MAAM,aAAa,GAAG,mCAAmC,CAAC,KAAK,CAAC,CAAC;YACjE,IAAI,aAAa;gBAAE,OAAO,aAAa,CAAC;YACxC,IAAI,cAAkC,CAAC;YACvC,IAAI,eAAe,GAAG,KAAK,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;gBAC9B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAc,CAAC;gBAClC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAClE,KAAK,CAAC,KAA2B,EACjC,SAAS,CAAC,KAAK,EAAE,gCAAgC,CAAC,CACnD,CAAC;gBACF,cAAc,GAAG,MAAM,CAAC;gBACxB,eAAe,GAAG,OAAO,IAAI,KAAK,CAAC;gBACnC,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;oBAC3C,MAAM;oBACN,OAAO;oBACP,YAAY,EAAE,iBAAiB,CAAC,WAAW,CAAC;oBAC5C,OAAO,EAAE,CAAC,CAAC,IAAI;oBACf,SAAS;iBACV,CAAC,CAAC;gBACH,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,MAAM,aAAa,GACjB,OAAO,KA
AK,CAAC,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,KAAK;wBAC5C,CAAC,CAAC,KAAK,CAAC,KAAK;wBACb,CAAC,CAAC,SAAS,CAAC;oBAChB,MAAM,mBAAmB,GACvB,OAAO,KAAK,CAAC,iBAAiB,KAAK,QAAQ;wBAC3C,KAAK,CAAC,iBAAiB;wBACrB,CAAC,CAAC,KAAK,CAAC,iBAAiB;wBACzB,CAAC,CAAC,SAAS,CAAC;oBAChB,MAAM,GAAG,GACP,mBAAmB;wBACnB,aAAa;wBACb,4BAA4B,CAAC;oBAC/B,IAAI,MAAM,EAAE,CAAC;wBACX,uBAAuB,CAAC,MAAM,EAAE;4BAC9B,OAAO,EAAE,0BAA0B,GAAG,EAAE;4BACxC,IAAI,EAAE,aAAa,IAAI,4BAA4B;yBACpD,CAAC,CAAC;oBACL,CAAC;oBACD,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;wBAC3C,MAAM;wBACN,OAAO;wBACP,OAAO,EAAE,GAAG;wBACZ,IAAI,EAAE,aAAa;qBACpB,CAAC,CAAC;oBACH,OAAO,cAAc,CAAC,sBAAsB,GAAG,EAAE,CAAC,CAAC;gBACrD,CAAC;gBACD,iEAAiE;gBACjE,8DAA8D;gBAC9D,+DAA+D;gBAC/D,iEAAiE;gBACjE,OAAO;gBACP,IAAI,CAAC,yBAAyB,CAAC,WAAW,EAAE,KAAK,CAAC,EAAE,CAAC;oBACnD,MAAM,GAAG,GACP,4EAA4E,CAAC;oBAC/E,IAAI,MAAM,EAAE,CAAC;wBACX,uBAAuB,CAAC,MAAM,EAAE;4BAC9B,OAAO,EAAE,GAAG;4BACZ,IAAI,EAAE,sBAAsB;yBAC7B,CAAC,CAAC;oBACL,CAAC;oBACD,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;wBAC3C,MAAM;wBACN,OAAO;wBACP,OAAO,EAAE,GAAG;qBACb,CAAC,CAAC;oBACH,OAAO,cAAc,CAAC,sBAAsB,GAAG,EAAE,CAAC,CAAC;gBACrD,CAAC;gBAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,qCAAqC,EAAE;oBAClE,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,cAAc,EAAE,mCAAmC;qBACpD;oBACD,IAAI,EAAE,IAAI,eAAe,CAAC;wBACxB,IAAI;wBACJ,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAiB;wBACxC,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAqB;wBAChD,YAAY,EAAE,WAAW;wBACzB,UAAU,EAAE,oBAAoB;qBACjC,CAAC;iBACH,CAAC,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACrC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,MAAM,IAAI,KAAK,CACb,MAAM,CAAC,iBAAiB;wBACtB,MAAM,CAAC,KAAK;wBACZ,uBAAuB,CAC1B,CAAC;gBACJ,CAAC;gBAED,MAAM,OAAO,GAAG,MAAM,KAAK,CACzB,+CAA+C,EAC/C,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,MAAM,CAAC,YAAY,EAAE,EAAE,EAAE,CAChE,CAAC;gBACF,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;gBAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAe,CAAC;gBACnC,IAAI,CAAC,KAAK;oBAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;gBAC/D,qDAAqD;gBACrD,8DAA8D;gBAC9D,4DAA4D;gBAC5D,8DAA8D;gBAC9D,8DAA8D;gBAC9D,6DAA6D;gBAC7D,+DAA+D;gBAC/D,gEAAgE;gBAChE,I
AAI,IAAI,CAAC,cAAc,KAAK,IAAI,EAAE,CAAC;oBACjC,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;gBACJ,CAAC;gBACD,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;oBAC5D,MAAM,UAAU,CAAC,UAAU,KAAK,EAAE,EAAE;wBAClC,KAAK,EAAE,IAAI,CAAC,OAAO;qBACpB,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;wBACjB,OAAO,CAAC,IAAI,CACV,8CAA8C,EAC9C,KAAK,CACN,CAAC;oBACJ,CAAC,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE;oBAC9D,oBAAoB,EAAE,KAAK;oBAC3B,OAAO;iBACR,CAAC,CAAC;gBACH,mBAAmB,CAAC,KAAK,EAAE,0BAA0B,EAAE;oBACrD,MAAM;oBACN,OAAO;oBACP,eAAe,EAAE,CAAC,CAAC,YAAY;oBAC/B,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;iBACvC,CAAC,CAAC;gBAEH,IAAI,MAAM,IAAI,YAAY,EAAE,CAAC;oBAC3B,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE;wBAC5B,KAAK,EAAE,YAAY;wBACnB,KAAK;wBACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,uBAAuB;qBAChD,CAAC,CAAC;oBACH,+DAA+D;oBAC/D,6DAA6D;oBAC7D,0DAA0D;oBAC1D,KAAK,0BAA0B,CAAC,MAAM,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC;oBAC7D,mBAAmB,CAAC,KAAK,EAAE,0BAA0B,EAAE;wBACrD,MAAM;wBACN,OAAO;qBACR,CAAC,CAAC;gBACL,CAAC;gBAED,OAAO,qBAAqB,CAAC,KAAK,EAAE,KAAK,EAAE;oBACzC,YAAY;oBACZ,OAAO;oBACP,SAAS;oBACT,MAAM;iBACP,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBACpB,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,IAAI,eAAe,CAAC;gBAC7C,IAAI,cAAc,EAAE,CAAC;oBACnB,uBAAuB,CAAC,cAAc,EAAE;wBACtC,OAAO,EAAE,0BAA0B,GAAG,EAAE;wBACxC,IAAI,EAAE,gBAAgB;qBACvB,CAAC,CAAC;gBACL,CAAC;gBACD,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;oBAC3C,MAAM,EAAE,cAAc;oBACtB,OAAO,EAAE,eAAe;oBACxB,OAAO,EAAE,GAAG;iBACb,CAAC,CAAC;gBACH,OAAO,cAAc,CAAC,sBAAsB,GAAG,EAAE,CAAC,CAAC;YACrD,CAAC;QACH,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,qEAAqE;IACrE,mEAAmE;IACnE,GAAG,CAAC,GAAG,CACL,sCAAsC,EACtC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC9B,MAAM,MAAM,GAAG,KAAK,CAAC,OAA6B,CAAC;QACnD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CA
AC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QACD,IAAI,KAAK,GAAG,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC3C,qEAAqE;YACrE,sEAAsE;YACtE,qEAAqE;YACrE,MAAM,MAAM,GAAG,MAAM,4BAA4B,CAAC,MAAM,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,mEAAmE;gBACnE,gEAAgE;gBAChE,kEAAkE;gBAClE,kEAAkE;gBAClE,cAAc;gBACd,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,gBAAgB,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3D,CAAC;YACD,KAAK;gBACH,OAAO,IAAI,MAAM;oBACf,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE;oBACpD,CAAC,CAAC;wBACE,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC;qBAC1B,CAAC;QACV,CAAC;QACD,iBAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACjC,oEAAoE;QACpE,uEAAuE;QACvE,+DAA+D;QAC/D,6DAA6D;QAC7D,aAAa,CAAC,OAAO,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YAC3C,OAAO,CAAC,IAAI,CACV,4CAA4C,EAC5C,eAAe,CAAC,GAAG,CAAC,CACrB,CAAC;QACJ,CAAC,CAAC,CAAC;QACH,IAAI,OAAO,IAAI,KAAK,EAAE,CAAC;YACrB,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,EAAE;gBAC3C,MAAM;gBACN,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,OAAO;gBAC5B,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,IAAI;aACvB,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC;QACxD,CAAC;QACD,oEAAoE;QACpE,qEAAqE;QACrE,qEAAqE;QACrE,yBAAyB,CAAC,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QAC9C,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;QAC3D,mBAAmB,CAAC,KAAK,EAAE,kBAAkB,EAAE;YAC7C,MAAM;YACN,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE;SAC7C,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;IACpD,CAAC,CAAC,CACH,CAAC;IAEF,2EAA2E;IAC3E,qEAAqE;IACrE,wEAAwE;IACxE,6CAA6C;IAC7C,MAAM,gBAAgB,GAAqB;QACzC,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,EAAE,CAAC;QAC7B,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACxE,CAAC;IACF,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAEn
D,kEAAkE;IAClE,GAAG,CAAC,GAAG,CACL,wBAAwB,EACxB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;QACxD,MAAM,eAAe,GACnB,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC;QACpE,MAAM,uBAAuB,GAC3B,OAAO,CAAC,QAAQ,CAAC,yBAAyB,CAAC;YAC3C,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC;QAC9B,MAAM,WAAW,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,cAAc,GAAG,WAAW,CAAC;QAEjC,iEAAiE;QACjE,gEAAgE;QAChE,iEAAiE;QACjE,mEAAmE;QACnE,iEAAiE;QACjE,8DAA8D;QAC9D,+DAA+D;QAC/D,IAAI,UAA8B,CAAC;QACnC,IAAI,WAA+B,CAAC;QACpC,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,EAAE,CAAC;gBACnC,MAAM,IAAI,GAAG,CAAC,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAE3C,CAAC;gBACd,UAAU,GAAG,IAAI,EAAE,KAAK,CAAC;YAC3B,CAAC;YAAC,MAAM,CAAC;gBACP,8CAA8C;YAChD,CAAC;YACD,mEAAmE;YACnE,gEAAgE;YAChE,qEAAqE;YACrE,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,CAAC;oBACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;oBACtD,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;oBACvB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;wBAC5B,GAAG,EAAE,qDAAqD;wBAC1D,IAAI,EAAE,CAAC,kBAAkB,UAAU,EAAE,CAAC;qBACvC,CAAC,CAAC;oBACH,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAA2B,CAAC;gBAC1D,CAAC;gBAAC,MAAM,CAAC;oBACP,8DAA8D;oBAC9D,kDAAkD;gBACpD,CAAC;YACH,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,qEAAqE;QACrE,mEAAmE;QACnE,iEAAiE;QACjE,IAAI,uBAAuB,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,CAAC,MAAM,WAAW;qBAC5B,KAAK,EAAE;qBACP,IAAI,EAAE;qBACN,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAwC,CAAC;gBAClE,IAAI,IAAI,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;oBACjD,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;oBACrD,IAAI,WAAW,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC;wBACrC,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;wBACjD,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;wBACjC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;wBAChD,cAAc,GAAG,IAAI,OAAO,CAAC,WAAW,CAAC,GAAG,EAAE;4BAC5C,MAAM,EAAE,WAAW,CAAC,MAAM;4BAC1B,OAAO;4BACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,IAAI,EAAE
,WAAW,EAAE,CAAC;4BAC9C,MAAM,EAAE,MAAM;yBACqB,CAAC,CAAC;oBACzC,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,oBAAoB;YACtB,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QACpD,MAAM,UAAU,GACd,QAAQ,IAAI,IAAI;YAChB,OAAQ,QAAgB,CAAC,MAAM,KAAK,QAAQ;YAC5C,OAAQ,QAAgB,CAAC,OAAO,EAAE,GAAG,KAAK,UAAU,CAAC;QAEvD,mEAAmE;QACnE,gEAAgE;QAChE,2EAA2E;QAC3E,qEAAqE;QACrE,kEAAkE;QAClE,mEAAmE;QACnE,kEAAkE;QAClE,iDAAiD;QACjD,IACE,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;YAChC,UAAU;YACT,QAAqB,CAAC,MAAM,IAAI,GAAG;YACnC,QAAqB,CAAC,MAAM,GAAG,GAAG,EACnC,CAAC;YACD,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC7C,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC1C,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,GAAG,GAAG,GAAG,YAAY,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,mEAAmE;QACnE,mEAAmE;QACnE,4DAA4D;QAC5D,IACE,eAAe;YACf,WAAW;YACX,UAAU;YACT,QAAqB,CAAC,MAAM,IAAI,GAAG;YACnC,QAAqB,CAAC,MAAM,GAAG,GAAG,EACnC,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;gBACtD,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;gBACvB,+DAA+D;gBAC/D,8DAA8D;gBAC9D,6DAA6D;gBAC7D,8DAA8D;gBAC9D,MAAM,EAAE,CAAC,OAAO,CAAC;oBACf,GAAG,EAAE,6GAA6G;oBAClH,IAAI,EAAE,CAAC,WAAW,CAAC;iBACpB,CAAC,CAAC;gBAEH,0DAA0D;gBAC1D,6DAA6D;gBAC7D,6DAA6D;gBAC7D,6DAA6D;gBAC7D,+DAA+D;gBAC/D,0DAA0D;gBAC1D,0DAA0D;gBAC1D,0DAA0D;gBAC1D,2CAA2C;gBAC3C,EAAE;gBACF,8DAA8D;gBAC9D,8DAA8D;gBAC9D,2DAA2D;gBAC3D,MAAM,eAAe,GAAG,iCAAiC,CACvD,QAAoB,CACrB,CAAC;gBAEF,qDAAqD;gBACrD,IAAI,eAAe,EAAE,CAAC;oBACpB,MAAM,EAAE,CAAC,OAAO,CAAC;wBACf,GAAG,EAAE,wDAAwD;wBAC7D,IAAI,EAAE,CAAC,WAAW,EAAE,eAAe,CAAC;qBACrC,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,EAAE,CAAC,OAAO,CAAC;wBACf,GAAG,EAAE,yCAAyC;wBAC9C,IAAI,EAAE,CAAC,WAAW,CAAC;qBACpB,CAAC,CAAC;gBACL,CAAC;gBAED,4DAA4D;gBAC5D,2DAA2D;gBAC3D,4DAA4D;gBAC5D,iEAAiE;gBACjE,IAAI,CAAC;oBACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;wBAChC,GAAG,EAAE,uC
AAuC;wBAC5C,IAAI,EAAE,CAAC,WAAW,CAAC;qBACpB,CAAC,CAAC;oBACH,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAEpC,CAAC;oBACd,IAAI,SAAS,EAAE,CAAC;wBACd,IAAI,eAAe,EAAE,CAAC;4BACpB,MAAM,EAAE,CAAC,OAAO,CAAC;gCACf,GAAG,EAAE,qDAAqD;gCAC1D,IAAI,EAAE,CAAC,SAAS,EAAE,eAAe,CAAC;6BACnC,CAAC,CAAC;wBACL,CAAC;6BAAM,CAAC;4BACN,MAAM,EAAE,CAAC,OAAO,CAAC;gCACf,GAAG,EAAE,sCAAsC;gCAC3C,IAAI,EAAE,CAAC,SAAS,CAAC;6BAClB,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,yCAAyC;gBAC3C,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,yCAAyC;YAC3C,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC,CACH,CAAC;IAEF,kDAAkD;IAClD,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QAEnC,uCAAuC;QACvC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAEhC,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC;QACtD,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACxC,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE;aAC1B,CAAC,CAAC;YACH,IAAI,MAAM,EAAE,KAAK,EAAE,CAAC;gBAClB,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC/C,MAAM,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACtC,IAAI,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC7B,MAAM,eAAe,CAAC;wBACpB,KAAK;wBACL,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;qBAC7C,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YACvD,CAAC;YACD,oEAAoE;YACpE,gEAAgE;YAChE,uDAAuD;YACvD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,+DAA+D;aAClE,CAAC;QACJ,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,
OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YACjD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,2BAA2B,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,qDAAqD;IACrD,GAAG,CAAC,GAAG,CACL,8BAA8B,EAC9B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAChC,MAAM,WAAW,GACf,OAAO,IAAI,EAAE,WAAW,KAAK,QAAQ;YACnC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC;YAClC,CAAC,CAAC,GAAG,CAAC;QAEV,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAChE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACzB,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE;aAClE,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QACxD,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,mDAAmD;IACnD,GAAG,CAAC,GAAG,CACL,4BAA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,WAAW;YAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;QAClD,4BAA4B,CAAC,KAAK,CAAC,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,
EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,mCAAmC;QACrC,CAAC;QAED,IAAI,iBAAiB,CAAC,KAAK,CAAC;YAAE,MAAM,eAAe,EAAE,CAAC;QAEtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,CAAC,CACH,CAAC;IAEF,qEAAqE;IACrE,mEAAmE;IACnE,gEAAgE;IAChE,iEAAiE;IACjE,GAAG,CAAC,GAAG,CACL,gCAAgC,EAChC,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACxC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;YACvB,oEAAoE;YACpE,sBAAsB;YACtB,IAAI,MAA0B,CAAC;YAC/B,IAAI,CAAC;gBACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;oBAChC,GAAG,EAAE,uCAAuC;oBAC5C,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;iBACtB,CAAC,CAAC;gBACH,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAuB,CAAC;YAC/D,CAAC;YAAC,MAAM,CAAC;gBACP,6DAA6D;YAC/D,CAAC;YACD,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,CAAC;oBACH,MAAM,EAAE,CAAC,OAAO,CAAC;wBACf,GAAG,EAAE,yCAAyC;wBAC9C,IAAI,EAAE,CAAC,MAAM,CAAC;qBACf,CAAC,CAAC;gBACL,CAAC;gBAAC,MAAM,CAAC;oBACP,eAAe;gBACjB,CAAC;YACH,CAAC;YAED,wDAAwD;YACxD,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,OAAO,CAAC;oBACf,GAAG,EAAE,sCAAsC;oBAC3C,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;iBACtB,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,eAAe;YACjB,CAAC;YAED,gEAAgE;YAChE,kEAAkE;YAClE,4BAA4B,CAAC,KAAK,CAAC,CAAC;YACpC,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,4CAA4C;YAC9C,CAAC;YAED,IAAI,iBAAiB,CAAC,KAAK,CAAC;gBAAE,MAAM,eAAe,EAAE,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,2BAA2B,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,kCAAkC;IAClC,GAAG,CAAC,GAA
G,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC,CAAC,CACH,CAAC;IAEF,yEAAyE;IACzE,yEAAyE;IACzE,sCAAsC;IACtC,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAC3B,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE;YAC1C,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;SACxD,CAAC,CAAC;IACL,CAAC,CAAC,CACH,CAAC;IAEF,mEAAmE;IACnE,sEAAsE;IACtE,MAAM,eAAe,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAC;IAC9D,gBAAgB,GAAG;QACjB,GAAG,eAAe;QAClB,WAAW;QACX,oBAAoB;QACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;QAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;KACnE,CAAC;IACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;IACpC,YAAY,GAAG,OAAO,CAAC;IACvB,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;AACvC,CAAC;AAED,8EAA8E;AAC9E,+EAA+E;AAC/E,8EAA8E;AAE9E,SAAS,uBAAuB,CAAC,GAAU;IACzC,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAEhC,IAAI,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC;QACtD,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;YACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACxC,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE;aAC1B,CAAC,CAAC;YACH,IAAI,MAAM,EAAE,KAAK,EAAE,CAAC;gBAClB,yBAAyB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC/C,MAAM,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACtC,IAAI,iBAAiB,CAAC,KAAK,C
AAC,EAAE,CAAC;oBAC7B,MAAM,eAAe,CAAC;wBACpB,KAAK;wBACL,KAAK,EAAE,MAAM,CAAC,KAAK;wBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI;qBAC7C,CAAC,CAAC;gBACL,CAAC;gBACD,OAAO,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YACvD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,+DAA+D;aAClE,CAAC;QACJ,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YACjD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,2BAA2B,EAAE,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,8BAA8B,EAC9B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,CAAC;QAEhC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAChE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,wCAAwC,EAAE,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;YACnC,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACzB,IAAI,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE;aACrD,CAAC,CAAC;YACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC9B,gBAAgB,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,qBAAqB,EAAE,CAAC;QACxD,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,4B
AA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,WAAW;YAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;QAClD,4BAA4B,CAAC,KAAK,CAAC,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;YACnC,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,6CAA6C;QAC/C,CAAC;QAED,IAAI,iBAAiB,CAAC,KAAK,CAAC;YAAE,MAAM,eAAe,EAAE,CAAC;QAEtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,CAAC,CACH,CAAC;IAEF,GAAG,CAAC,GAAG,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAU,EACV,UAAuB,EAAE;IAEzB,0EAA0E;IAC1E,yEAAyE;IACzE,wEAAwE;IACxE,0EAA0E;IAC1E,yDAAyD;IACzD,EAAE;IACF,uEAAuE;IACvE,wEAAwE;IACxE,wEAAwE;IACxE,8BAA8B;IAC9B,IAAI,YAAY,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,sBAAsB,KAAK,KAAK,EAAE,CAAC;YAC7C,kCAAkC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjD,CAAC;QACD,oEAAoE;QACpE,2EAA2E;QAC3E,0EAA0E;QAC1E,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACvB,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC;QACxC,CAAC;QACD,IAAI,gBAAgB,EAAE,CAAC;YACrB,IACE,OAAO,CAAC,UAAU;gBAClB,OAAO,CAAC,SAAS;gBACjB,OAAO,CAAC,SAAS;gBACjB,OAAO,CAAC,kBAAkB,EAC1B,CAAC;gBACD,MAAM,eAAe,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAC;gBAC9D,gBAAgB,CAAC,SAAS,GAAG,eAAe,CAAC,SAAS,CAAC;gBACvD,gBAAgB,CAAC,YAAY,GAAG,eAAe,CAAC,YAAY,CAAC;YAC/D,CAAC;YACD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;gBACxB,gBAAgB,CAAC,WAAW,GAAG;oBAC7B,GAAG,CAAC,gBAAgB,CAAC,WAAW,IAAI,EAAE,CAAC;oBACvC,GAAG,OAAO,CAAC,WAAW;iBACvB,CAAC;YACJ,CAAC;YACD,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;gBACjC,gBAAgB,CAAC,oBAAoB;oBACnC,2BAA2B,
CAAC,OAAO,CAAC,CAAC;YACzC,CAAC;YACD,IAAI,OAAO,CAAC,uBAAuB,EAAE,CAAC;gBACpC,gBAAgB,CAAC,uBAAuB;oBACtC,OAAO,CAAC,uBAAuB,CAAC;YACpC,CAAC;YACD,IAAI,OAAO,CAAC,0BAA0B,EAAE,CAAC;gBACvC,gBAAgB,CAAC,0BAA0B;oBACzC,OAAO,CAAC,0BAA0B,CAAC;YACvC,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sEAAsE;IACtE,gEAAgE;IAChE,YAAY,GAAG,IAAI,CAAC;IACpB,gBAAgB,GAAG,IAAI,CAAC;IACxB,WAAW,GAAG,GAAG,CAAC;IAElB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,IAAI,gBAAgB,EAAE,EAAE,CAAC;YACvB,gBAAgB,GAAG,IAAI,CAAC;YACxB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IAED,gBAAgB;IAChB,gBAAgB,GAAG,IAAI,CAAC;IACxB,aAAa,GAAG,OAAO,CAAC,MAAM,IAAI,eAAe,CAAC;IAClD,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC;IAC9C,MAAM,oBAAoB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAClE,MAAM,uBAAuB,GAAG,8BAA8B,CAAC,OAAO,CAAC,CAAC;IAExE,uBAAuB,CAAC,GAAG,CAAC,CAAC;IAE7B,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC;IACxC,CAAC;IAED,oCAAoC;IACpC,IAAI,gBAAgB,EAAE,CAAC;QACrB,GAAG,CAAC,GAAG,CACL,6BAA6B,EAC7B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACnD,CAAC,CAAC,CACH,CAAC;QACF,GAAG,CAAC,GAAG,CACL,2BAA2B,EAC3B,kBAAkB,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CACzC,CAAC;QACF,GAAG,CAAC,GAAG,CACL,4BAA4B,EAC5B,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,KAAK,MAAM,MAAM,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5D,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;YAC9B,CAAC;YACD,MAAM,WAAW,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;YACjD,IAAI,WAAW;gBAAE,MAAM,aAAa,CAAC,WAAW,CAAC,CAAC;YAClD,4BAA4B,CAAC,KAAK,CAAC,CAAC;YACpC,IAAI,iBAAiB,CAAC,KAAK,CAAC;gBAAE,MAAM,eAAe,EAAE,CAAC;YACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC,CAAC,CACH,CAAC;QAEF,MAAM,aAAa,GAAG,OAAO,CAAC,SAAS,IAAI,yBAAyB,EAAE,CAAC;QACvE,gBAAgB,GAAG;YACjB,SAAS,EAAE,aAAa;YACxB,GAAG,CAAC,OAAO,CAAC,SAAS;gBACnB,CAAC,CAAC
,EAAE;gBACJ,CAAC,CAAC;oBACE,YAAY,EAAE,GAAG,EAAE,CAAC,yBAAyB,EAAE;iBAChD,CAAC;YACN,WAAW;YACX,oBAAoB;YACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;YAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;SACnE,CAAC;QACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,YAAY,GAAG,OAAO,CAAC;QACvB,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;QAErC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;YACnB,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;QAC3E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,uCAAuC;IACvC,IAAI,CAAC;QACH,MAAM,qBAAqB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;YACnB,OAAO,CAAC,GAAG,CACT,uEAAuE,CACxE,CAAC;IACN,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,kDAAkD,EAAE,GAAG,CAAC,CAAC;QACvE,uBAAuB,CAAC,GAAG,CAAC,CAAC;QAC7B,kEAAkE;QAClE,oEAAoE;QACpE,+DAA+D;QAC/D,MAAM,eAAe,GAAG,4BAA4B,CAAC,OAAO,CAAC,CAAC;QAC9D,gBAAgB,GAAG;YACjB,GAAG,eAAe;YAClB,WAAW;YACX,oBAAoB;YACpB,uBAAuB,EAAE,uBAAuB,CAAC,WAAW;YAC5D,0BAA0B,EAAE,uBAAuB,CAAC,cAAc;SACnE,CAAC;QACF,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,YAAY,GAAG,OAAO,CAAC;QACvB,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CACT,4EAA4E,CAC7E,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,wCAAwC;AACxC,8EAA8E;AAE9E;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAU,EAAE,WAAmB;IACjE,KAAK,GAAG,CAAC;IACT,KAAK,WAAW,CAAC;IACjB,MAAM,IAAI,KAAK,CACb,iJAAiJ,CAClJ,CAAC;AACJ,CAAC","sourcesContent":["import crypto from \"node:crypto\";\nimport {\n defineEventHandler,\n getMethod,\n getQuery,\n getRequestIP,\n setResponseHeader,\n setResponseStatus,\n getCookie,\n setCookie,\n deleteCookie,\n getHeader,\n} from \"h3\";\nimport type { H3Event } from \"h3\";\nimport type { H3AppShim } from \"./framework-request-handler.js\";\nimport { EMBED_START_PATH } from \"../shared/embed-auth.js\";\nimport { EMBED_TARGET_HEADER } from \"../shared/embed-auth.js\";\nimport {\n resolveEmbedSessionFromRequest,\n requestHasEmbedAuthMarker,\n} from \"./embed-session.js\";\nimport {\n EMBED_TRANSPLANT_HEADER,\n isMcpEmbedCorsOrigin,\n MCP_EMBED_CORS_ALLOW_HEADERS,\n 
shouldAllowMcpEmbedCredentials,\n} from \"../shared/mcp-embed-headers.js\";\n\n// In h3 v2, `event.req` IS the web Request — but in Nitro's dev server (srvx\n// runtime), event.url and event.req share the same underlying URL object.\n// When registerMiddleware strips the mount prefix from event.url.pathname, it\n// also mutates event.req.url (NodeRequestURL setter updates nodeReq.url).\n// Better Auth's router uses new URL(request.url).pathname to extract the\n// sub-route, so it must receive the original full URL — not the stripped one.\n// registerMiddleware saves the original pathname in event.context so we can\n// reconstruct a fresh Request with the correct URL here.\nfunction toWebRequest(event: H3Event): Request {\n const req = (event as any).req as Request;\n const ctx = (event as any).context as\n | { _mountedPathname?: string; _mountPrefix?: string }\n | undefined;\n if (ctx?._mountedPathname && ctx._mountPrefix) {\n try {\n const url = new URL(req.url);\n const mountedPathname = stripAppBasePath(ctx._mountedPathname);\n if (url.pathname !== mountedPathname) {\n url.pathname = mountedPathname;\n const method = req.method.toUpperCase();\n const hasBody = method !== \"GET\" && method !== \"HEAD\";\n return new Request(url.href, {\n method: req.method,\n headers: req.headers,\n // Body may already be partially consumed; pass through as-is.\n // GET/HEAD cannot have a body — omit to avoid spec errors.\n ...(hasBody ? 
{ body: req.body, duplex: \"half\" } : {}),\n } as any);\n }\n } catch {\n // URL reconstruction failed — fall through and use original req.\n }\n }\n return req;\n}\n\ntype H3App = H3AppShim;\nimport {\n getDbExec,\n isPostgres,\n intType,\n retryOnDdlRace,\n describeDbError,\n} from \"../db/client.js\";\nimport { getBetterAuth, getBetterAuthSync } from \"./better-auth-instance.js\";\nimport type { BetterAuthConfig } from \"./better-auth-instance.js\";\nimport {\n getAllowedCorsOrigin,\n readCorsAllowedOrigins,\n} from \"./cors-origins.js\";\nimport {\n getOnboardingHtml,\n getResetPasswordHtml,\n type OnboardingHtmlOptions,\n} from \"./onboarding-html.js\";\nimport type { GoogleAuthMode } from \"./google-auth-mode.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n readDesktopSso,\n writeDesktopSso,\n clearDesktopSso,\n} from \"./desktop-sso.js\";\nimport {\n isElectron as isElectronRequest,\n getAppBasePath,\n getAppUrl,\n getOrigin,\n encodeOAuthState,\n decodeOAuthState,\n createOAuthSession,\n oauthCallbackResponse,\n oauthErrorPage,\n resolveOAuthRedirectUri,\n isAllowedOAuthRedirectUri,\n} from \"./google-oauth.js\";\nimport { safeOAuthReturnUrl } from \"./oauth-return-url.js\";\nimport { captureAuthError } from \"./sentry.js\";\nimport { extractOAuthStateAppId } from \"../shared/oauth-state.js\";\nimport { isValidWorkspaceAppIdFormat } from \"../shared/workspace-app-id.js\";\nimport {\n AGENT_NATIVE_SOCIAL_IMAGE_ALT,\n AGENT_NATIVE_SOCIAL_IMAGE_HEIGHT,\n AGENT_NATIVE_SOCIAL_IMAGE_PATH,\n AGENT_NATIVE_SOCIAL_IMAGE_TYPE,\n AGENT_NATIVE_SOCIAL_IMAGE_WIDTH,\n withAgentNativeSocialImageCacheBuster,\n} from \"../shared/social-meta.js\";\nimport { DEFAULT_SSR_CACHE_HEADERS } from \"../shared/cache-control.js\";\nimport {\n normalizeWorkspaceAppAudience,\n workspaceAppAudienceFromEnv,\n workspaceAppRouteAccessFromEnv,\n type WorkspaceAppAudience,\n} from \"../shared/workspace-app-audience.js\";\nimport { resolveAuthCookieNamespace } from 
\"./cookie-namespace.js\";\nimport {\n BUILDER_CONNECT_OWNER_COOKIE,\n BUILDER_CONNECT_PARAM,\n BUILDER_STATE_PARAM,\n verifyBuilderCallbackStateAndGetOwner,\n verifyBuilderConnectTokenAndGetOwner,\n} from \"./builder-browser.js\";\nimport { putSetting } from \"../settings/store.js\";\n// Pure env-read feature switch from a leaf module (no dependency back on\n// auth.ts), so the guard and the SSO route handler share one validator and\n// can never disagree about whether federated SSO is enabled.\nimport { isIdentitySsoEnabled } from \"./identity-sso-store.js\";\n\n/**\n * Get the configured session max age. Desktop SSO broker writes from\n * OAuth flows read this so expiration stays consistent with the cookie.\n */\nexport function getSessionMaxAge(): number {\n return sessionMaxAge;\n}\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface AuthSession {\n email: string;\n userId?: string;\n token?: string;\n /** Display name from the auth provider, when available (Better Auth user.name). */\n name?: string;\n /** Profile image from the auth provider, when available. */\n image?: string;\n /** Active organization ID (resolved by getOrgContext from the framework's org_members table + the user's active-org-id setting; NOT the Better Auth organization plugin, which is intentionally not registered) */\n orgId?: string;\n /** User's role in the active organization (owner/admin/member) */\n orgRole?: string;\n}\n\nexport interface AuthOptions {\n /** Session max age in seconds. 
Default: 30 days */\n maxAge?: number;\n /**\n * Custom getSession implementation (for BYOA — Auth.js, Clerk, etc.).\n * When provided, Better Auth is bypassed entirely.\n */\n getSession?: (event: H3Event) => Promise<AuthSession | null>;\n /**\n * Paths that are accessible without authentication.\n * Supports prefix matching: \"/book\" matches /book/anything.\n * Both page routes and API routes can be made public.\n */\n publicPaths?: string[];\n /**\n * Workspace-level audience for the app.\n *\n * \"internal\" keeps the existing behavior: every app page requires an\n * authenticated workspace member unless listed in publicPaths.\n *\n * \"public\" lets unauthenticated visitors load page routes, while framework\n * and API routes remain protected unless explicitly listed in publicPaths.\n */\n workspaceAppAudience?: WorkspaceAppAudience;\n /**\n * Workspace app page paths that anonymous visitors can load.\n * Uses the same prefix matching as publicPaths, but only for page routes:\n * framework, API, and .well-known routes stay protected.\n */\n workspaceAppPublicPaths?: string[];\n /**\n * Workspace app page paths that still require auth when the app audience is\n * public. Useful for public sites with login-only admin/management pages.\n */\n workspaceAppProtectedPaths?: string[];\n /**\n * Custom login page HTML. When provided, this HTML is served to\n * unauthenticated page requests instead of the built-in login form.\n * Use this for custom login flows (e.g., \"Sign in with Google\" button).\n */\n loginHtml?: string;\n /**\n * Hide email/password forms on the built-in login page and show only the\n * Google sign-in button. Use this for templates (mail, calendar) where\n * Google connection is required anyway. 
Has no effect when `loginHtml`\n * is provided.\n */\n googleOnly?: boolean;\n /**\n * Mount the framework's generic Google sign-in routes.\n *\n * Set this to false when a template owns `/_agent-native/google/auth-url`\n * and `/_agent-native/google/callback` itself because it needs broader\n * product scopes and persisted API tokens, not just identity sign-in.\n */\n mountGoogleOAuthRoutes?: boolean;\n /**\n * Additional Google OAuth scopes to request beyond the default identity\n * scopes (`openid`, `email`, `profile`). When set, Better Auth's Google\n * social provider asks for these up front, requests a refresh token\n * (`access_type=offline`), and forces the consent screen so the refresh\n * token is reissued on every sign-in.\n *\n * Tokens land in Better Auth's `account` table, and a database hook\n * mirrors them into `oauth_tokens` so template code (mail's Gmail client,\n * calendar's events fetcher, etc.) can pick them up without a separate\n * \"Connect Google\" round-trip.\n *\n * Example for the mail template:\n * ```ts\n * googleScopes: [\n * \"https://www.googleapis.com/auth/gmail.readonly\",\n * \"https://www.googleapis.com/auth/gmail.send\",\n * ],\n * ```\n */\n googleScopes?: string[];\n /**\n * Product marketing content shown alongside the sign-in form.\n * When provided, the page uses a split layout: marketing on the left,\n * sign-in form on the right.\n */\n marketing?: {\n appName: string;\n tagline: string;\n description?: string;\n features?: string[];\n runLocalCommand?: string;\n };\n /**\n * Optional host-scoped notice shown before the built-in Google sign-in\n * redirects to Google.\n */\n googleSignInNotice?: {\n host?: string;\n title: string;\n body: string | string[];\n continueLabel?: string;\n cancelLabel?: string;\n };\n /**\n * Google sign-in flow: `'popup'`, `'redirect'`, or `'auto'` (default).\n *\n * - `'auto'` — popup in normal browsers and Builder web iframes, redirect in\n * Electron and Builder desktop preview/editor 
surfaces.\n * - `'popup'` — force popup everywhere.\n * - `'redirect'` — force redirect everywhere.\n *\n * Falls back to the `GOOGLE_AUTH_MODE` env var, then `'auto'`.\n */\n googleAuthMode?: GoogleAuthMode;\n /**\n * Additional Better Auth configuration (social providers, plugins, etc.)\n */\n betterAuth?: BetterAuthConfig;\n}\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/**\n * Cookie name for the framework's session cookie.\n *\n * Browsers scope cookies by host (NOT host+port — RFC 6265), so two apps\n * running on different localhost ports share one cookie jar. When multiple\n * templates run side-by-side (eager repo dev, the desktop app, multi-template\n * deploys on a shared domain), they would otherwise stomp on each other's\n * `an_session` cookie and ping-pong each other into a logged-out state.\n *\n * When an isolated app slug is resolved, suffix the cookie so each app gets\n * its own slot.\n *\n * Workspace exception: in workspace mode (`AGENT_NATIVE_WORKSPACE=1`),\n * every app shares the same origin AND the same DB, and cross-app SSO is\n * the desired behavior — signing into Dispatch should mean you're signed\n * in across the workspace's other apps too. Per-app suffixes break that.\n * Use a single workspace-wide cookie so the legacy `an_session_*` token\n * flow set by `setFrameworkSessionCookie` (which the Builder OAuth popup\n * exchange relies on — see `desktop-exchange` and `oauthCallbackResponse`)\n * is recognised by every app in the workspace.\n *\n * Cross-subdomain exception: when `COOKIE_DOMAIN` is set for a custom domain,\n * use the unsuffixed `an_session` and emit `Domain=<COOKIE_DOMAIN>` so the\n * cookie is shared across every subdomain. 
First-party `*.agent-native.com`\n * apps are deliberately excluded from that behavior by default because each\n * hosted app has its own auth database; they use Dispatch identity federation\n * instead of a shared browser cookie.\n */\nconst AUTH_COOKIE_NAMESPACE = resolveAuthCookieNamespace();\n\n/**\n * When set, the framework session cookie is shared across every subdomain\n * matching this domain. Returns undefined when unset or deliberately ignored\n * for first-party hosted apps, so cookies stay scoped to the origin host.\n */\nexport function getCookieDomain(): string | undefined {\n return AUTH_COOKIE_NAMESPACE.frameworkCookieDomain;\n}\n\nexport const COOKIE_NAME = AUTH_COOKIE_NAMESPACE.frameworkCookieName;\nexport const BETTER_AUTH_COOKIE_PREFIX =\n AUTH_COOKIE_NAMESPACE.betterAuthCookiePrefix;\n\n/**\n * Cookie domain attribute spread into every `setCookie`/`deleteCookie`.\n * Empty when `COOKIE_DOMAIN` isn't set so the cookie stays scoped to the\n * single origin (current production default for non-first-party apps).\n */\nexport function cookieDomainAttrs(): { domain?: string } {\n const domain = getCookieDomain();\n return domain ? { domain } : {};\n}\n\nfunction getCookieValues(event: H3Event, name: string): string[] {\n const values: string[] = [];\n const raw = getHeader(event, \"cookie\");\n\n if (raw) {\n for (const part of String(raw).split(\";\")) {\n const trimmed = part.trim();\n if (!trimmed) continue;\n const eq = trimmed.indexOf(\"=\");\n if (eq <= 0) continue;\n if (trimmed.slice(0, eq).trim() !== name) continue;\n\n let value = trimmed.slice(eq + 1).trim();\n if (value.startsWith('\"') && value.endsWith('\"')) {\n value = value.slice(1, -1);\n }\n try {\n value = decodeURIComponent(value);\n } catch {\n // Keep the raw cookie value if it was not percent-encoded.\n }\n if (value && !values.includes(value)) values.push(value);\n }\n }\n\n // H3's cookie parser keeps only the first duplicate name. 
Preserve it as a\n // fallback for mock/runtime shapes that do not expose the raw Cookie header.\n const parsed = getCookie(event, name);\n if (parsed && !values.includes(parsed)) values.push(parsed);\n\n return values;\n}\n\nexport function getFrameworkSessionCookieValues(event: H3Event): string[] {\n return getFrameworkSessionCookieEntries(event).map((entry) => entry.value);\n}\n\nfunction getFrameworkSessionCookieEntries(\n event: H3Event,\n): Array<{ name: string; value: string }> {\n const entries: Array<{ name: string; value: string }> = [];\n const seenValues = new Set<string>();\n\n for (const name of frameworkSessionCookieNamesToClear()) {\n for (const value of getCookieValues(event, name)) {\n if (seenValues.has(value)) continue;\n seenValues.add(value);\n entries.push({ name, value });\n }\n }\n\n return entries;\n}\n\nfunction frameworkSessionCookieNamesToClear(): string[] {\n return AUTH_COOKIE_NAMESPACE.frameworkCookieNamesToClear;\n}\n\nfunction deleteCookieFromEveryScope(event: H3Event, name: string): void {\n // Clear host-only cookies first. 
Then clear any configured domain scope so\n // stale shared cookies stop shadowing isolated app sessions.\n deleteCookie(event, name, { path: \"/\" });\n for (const domain of AUTH_COOKIE_NAMESPACE.frameworkCookieDomainsToClear) {\n deleteCookie(event, name, { path: \"/\", domain });\n }\n}\n\nexport function clearFrameworkSessionCookies(event: H3Event): void {\n for (const name of frameworkSessionCookieNamesToClear()) {\n deleteCookieFromEveryScope(event, name);\n }\n}\n\nasync function getLegacyCookieSession(\n event: H3Event,\n): Promise<AuthSession | null> {\n for (const { name, value } of getFrameworkSessionCookieEntries(event)) {\n const email = await getSessionEmail(value);\n if (email) {\n if (name !== COOKIE_NAME) setFrameworkSessionCookie(event, value);\n return { email, token: value };\n }\n }\n return null;\n}\nfunction getOAuthStateAppId(): string | undefined {\n const raw = process.env.APP_NAME || process.env.npm_package_name;\n if (!raw) return undefined;\n const slug = raw\n .toLowerCase()\n .replace(/[^a-z0-9-]+/g, \"-\")\n .replace(/^-+|-+$/g, \"\");\n return slug || undefined;\n}\n\nfunction oauthDebugFlowId(flowId: unknown): string | undefined {\n return typeof flowId === \"string\" && flowId ? 
flowId.slice(-10) : undefined;\n}\n\nfunction oauthDebugUrlPath(value: unknown): string | undefined {\n if (typeof value !== \"string\" || !value) return undefined;\n try {\n const url = new URL(value);\n return url.pathname;\n } catch {\n return undefined;\n }\n}\n\nfunction isBuilderOAuthRequest(event: H3Event): boolean {\n const userAgent = getHeader(event, \"user-agent\") || \"\";\n const referer = getHeader(event, \"referer\") || \"\";\n return (\n /Electron/i.test(userAgent) ||\n /builder\\.(io|my)|builderio\\.(xyz|dev)|builder\\.codes/i.test(referer)\n );\n}\n\nfunction builderPreviewReturnOrigin(event: H3Event): string | undefined {\n const referer = getHeader(event, \"referer\") || \"\";\n if (!referer) return undefined;\n try {\n const url = new URL(referer);\n const hostname = url.hostname.toLowerCase();\n if (\n url.protocol === \"https:\" &&\n (hostname === \"builderio.xyz\" ||\n hostname.endsWith(\".builderio.xyz\") ||\n hostname === \"builderio.dev\" ||\n hostname.endsWith(\".builderio.dev\") ||\n hostname === \"builder.codes\" ||\n hostname.endsWith(\".builder.codes\") ||\n hostname === \"builder.my\" ||\n hostname.endsWith(\".builder.my\"))\n ) {\n return url.origin;\n }\n } catch {}\n return undefined;\n}\n\nfunction logGoogleOAuthDebug(\n event: H3Event,\n phase: string,\n details: Record<string, unknown> = {},\n): void {\n const { flowId, ...rest } = details;\n const reqUrl = event.node?.req?.url ?? event.path ?? 
\"\";\n const path = reqUrl.split(\"?\")[0] || undefined;\n const userAgent = getHeader(event, \"user-agent\") || \"\";\n const referer = getHeader(event, \"referer\") || \"\";\n console.info(\"[agent-native][google-oauth]\", {\n phase,\n app: getOAuthStateAppId(),\n path,\n flow: oauthDebugFlowId(flowId),\n electron: /Electron/i.test(userAgent),\n agentNativeDesktop: /AgentNativeDesktop/i.test(userAgent),\n builderReferrer:\n /builder\\.(io|my)|builderio\\.(xyz|dev)|builder\\.codes/i.test(referer),\n ...rest,\n });\n}\nconst DEFAULT_MAX_AGE = 60 * 60 * 24 * 30; // 30 days\n\n// ---------------------------------------------------------------------------\n// Environment helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Check if we're in a development/test environment.\n * Used for cookie security settings, not for auth bypass.\n */\nexport function isDevEnvironment(): boolean {\n const env = process.env.NODE_ENV;\n return env === \"development\" || env === \"test\";\n}\n\n/**\n * Validate a `?return=` URL for the /_agent-native/sign-in entrypoint.\n *\n * Parses the candidate against a sentinel base origin; any input that\n * resolves to a different origin (network-path references, absolute URLs,\n * `data:` / `javascript:` schemes, backslash-bypass tricks WHATWG normalises\n * to `//`) gets rejected and falls back to \"/\". Control characters are\n * stripped up front to defend against header-injection. 
Returns the\n * normalised path the parser produced — never the raw input.\n *\n * Exported for unit tests.\n */\nexport function safeReturnPath(raw: string | null | undefined): string {\n if (!raw) return \"/\";\n if (/[\\x00-\\x1f]/.test(raw)) return \"/\";\n try {\n const parsed = new URL(raw, \"http://safe-base.invalid\");\n if (parsed.origin !== \"http://safe-base.invalid\") return \"/\";\n return parsed.pathname + parsed.search + parsed.hash;\n } catch {\n return \"/\";\n }\n}\n\n/**\n * Return the configured login HTML for this request, or `null` when no auth\n * guard is installed. Used by the `/_agent-native/open` deep-link route to\n * serve the same sign-in form the auth guard would — at the original deep\n * link URL — so the login form's `window.location.replace(href)` success\n * handler reloads the same URL and the (now authenticated) open route\n * proceeds. Mirrors the rawPath/getLoginHtml resolution in the auth guard.\n */\nexport function getConfiguredLoginHtml(event: H3Event): string | null {\n const config = _authGuardConfig;\n if (!config) return null;\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n const queryStart = url.indexOf(\"?\");\n const rawPath = queryStart >= 0 ? url.slice(0, queryStart) : url;\n const loginHtml =\n config.getLoginHtml?.(event, rawPath) ?? config.loginHtml ?? null;\n return loginHtml ? 
injectLoginSocialImageMeta(loginHtml, event) : null;\n}\n\n/**\n * True only when the request originates from the local machine — the raw\n * socket peer is `127.0.0.0/8`, `::1`, or the IPv4-mapped `::ffff:127.0.0.1`\n * (an optional IPv6 zone id like `fe80::1%en0` is stripped first).\n *\n * `getRequestIP(event)` is called WITHOUT `{ xForwardedFor: true }`, so it\n * returns the real connection peer and never an attacker-controlled\n * `X-Forwarded-For` value — a remote client cannot spoof its way past this.\n * Used to scope local-only conveniences (the desktop SSO broker and the dev\n * auto-account) so a directly network-reachable dev server never exposes\n * them to a remote visitor. NOTE: a reverse proxy / tunnel that connects to\n * the dev server over localhost still appears as loopback, so this is a\n * necessary but not sufficient gate — callers pair it with NODE_ENV and,\n * for the dev account, a throwaway per-DB password.\n */\nexport function isLoopbackAddress(ip: string | undefined): boolean {\n // Strip an optional IPv6 zone id (e.g. \"fe80::1%en0\") before comparing.\n const normalised = (ip ?? \"\").split(\"%\")[0];\n return (\n normalised === \"127.0.0.1\" ||\n normalised === \"::1\" ||\n normalised === \"::ffff:127.0.0.1\" ||\n normalised.startsWith(\"127.\")\n );\n}\n\n/**\n * True when the request's actual socket peer is loopback. Uses\n * `getRequestIP(event)` WITHOUT `{ xForwardedFor: true }`, so it reflects the\n * real connecting IP and a remote client cannot spoof it via the `Host` /\n * `X-Forwarded-*` headers. Use this — not a parsed `Host`-header origin — for\n * any \"is this local dev?\" security gate (MCP/connect dev-open).\n */\nexport function isLoopbackRequest(event: H3Event): boolean {\n let ip: string | undefined;\n try {\n ip = getRequestIP(event) ?? 
undefined;\n } catch {\n ip = undefined;\n }\n return isLoopbackAddress(ip);\n}\n\n/**\n * Read the desktop-SSO broker file, but only if the request is plausibly\n * from the Electron desktop app *and* coming from the local machine.\n *\n * The broker file lives in the user's home directory and trusts the local\n * trust boundary — a non-loopback request that pretends to be Electron\n * via User-Agent must NEVER be allowed to read it. We additionally refuse\n * any read in production builds: the desktop app launches with\n * `NODE_ENV=development` (or unset), and any web-hosted production deploy\n * has no business consulting a per-user file on the server's homedir\n * even if one exists.\n *\n * Returns null when the safety checks fail or the file isn't present.\n */\nasync function readDesktopSsoSafely(\n event: H3Event,\n): Promise<Awaited<ReturnType<typeof readDesktopSso>>> {\n if (process.env.NODE_ENV === \"production\") return null;\n if (!isElectronRequest(event)) return null;\n if (!isLoopbackRequest(event)) return null;\n return await readDesktopSso();\n}\n\n/**\n * Extract the framework session token from a Better Auth response's\n * Set-Cookie headers, if any. Used by the password-reset path to skip\n * the freshly-minted session when revoking sibling sessions for the\n * user. Returns undefined if no session cookie was minted (the common\n * case — Better Auth's reset doesn't auto-sign-in by default).\n */\nfunction extractSessionTokenFromSetCookies(\n response: Response,\n): string | undefined {\n try {\n // Headers may have multiple Set-Cookie entries; iterate via getSetCookie\n // when available (Node 20+ / undici), else fall back to comma split.\n const headers = response.headers as Headers & {\n getSetCookie?: () => string[];\n };\n const setCookies =\n typeof headers.getSetCookie === \"function\"\n ? headers.getSetCookie()\n : (headers.get(\"set-cookie\") ?? 
\"\")\n .split(/,(?=[^;]+=)/)\n .map((s) => s.trim())\n .filter(Boolean);\n for (const sc of setCookies) {\n // Better Auth's session cookie name is configurable but defaults to\n // `<prefix>.session_token`. Match either the Better Auth default or\n // our COOKIE_NAME (`an_session`) on the same line.\n const match = sc.match(\n /(?:^|\\s|;)(an_session|[\\w.-]*session_token)=([^;]+)/i,\n );\n if (match) return match[2];\n }\n } catch {\n // Best-effort; treat as no token.\n }\n return undefined;\n}\n\n// ---------------------------------------------------------------------------\n// ACCESS_TOKEN resolution\n// ---------------------------------------------------------------------------\n\nfunction getAccessTokens(): string[] {\n const single = process.env.ACCESS_TOKEN;\n const multi = process.env.ACCESS_TOKENS;\n const tokens: string[] = [];\n if (single) tokens.push(single);\n if (multi) {\n for (const t of multi.split(\",\")) {\n const trimmed = t.trim();\n if (trimmed && !tokens.includes(trimmed)) tokens.push(trimmed);\n }\n }\n return tokens;\n}\n\nfunction getBearerSessionToken(event: H3Event): string | undefined {\n const auth = getHeader(event, \"authorization\");\n if (!auth) return undefined;\n const match = /^Bearer\\s+(.+)$/i.exec(auth.trim());\n return match?.[1]?.trim() || undefined;\n}\n\nasync function getBearerLegacySession(\n event: H3Event,\n): Promise<AuthSession | null> {\n const bearerToken = getBearerSessionToken(event);\n if (!bearerToken) return null;\n const email = await getSessionEmail(bearerToken);\n return email ? { email, token: bearerToken } : null;\n}\n\n/**\n * Verify a connect-minted MCP OAuth access token presented as\n * `Authorization: Bearer <jwt>` and resolve it to a session.\n *\n * `agent-native connect` mints this token for the local Plans publish flow and\n * POSTs it to the HOSTED action route\n * `/_agent-native/actions/import-visual-plan-source`. 
That token is audience-\n * bound to the app's MCP resource (`{appUrl}/_agent-native/mcp`), not to the\n * legacy `sessions` table — so the legacy bearer lookup above never matches it.\n * Reuse the MCP surface's canonical `verifyAuth` here so the HTTP action surface\n * honors EXACTLY the tokens the MCP endpoint honors: same signature check, same\n * audience binding to THIS app's resource, same connect-token revocation gate.\n * It resolves to the same `{ userEmail, orgId }` identity the MCP path uses, so\n * downstream `accessFilter` / ownable-data scoping is identical.\n *\n * `allowDevOpen: false` and the `userEmail` guard ensure an invalid token (or a\n * bare ACCESS_TOKEN with no owner hint) never escalates to an unauthenticated\n * or unscoped identity on this path — it strictly adds acceptance of verified,\n * audience-bound caller tokens, nothing more.\n */\nasync function getMcpOAuthBearerSession(\n event: H3Event,\n): Promise<AuthSession | null> {\n const authHeader = getHeader(event, \"authorization\");\n if (!authHeader) return null;\n const bearerToken = getBearerSessionToken(event);\n if (!bearerToken) return null;\n\n try {\n const [{ getMcpOAuthResource }, { verifyAuth, resolveOrgIdFromDomain }] =\n await Promise.all([\n import(\"../mcp/oauth-route.js\"),\n import(\"../mcp/build-server.js\"),\n ]);\n const result = await verifyAuth(authHeader, undefined, {\n resourceUrl: getMcpOAuthResource(event),\n allowDevOpen: false,\n });\n const identity = result.authed ? result.identity : undefined;\n if (!identity?.userEmail) return null;\n const orgId =\n identity.orgId ?? (await resolveOrgIdFromDomain(identity.orgDomain));\n return {\n email: identity.userEmail,\n token: bearerToken,\n ...(orgId ? 
{ orgId } : {}),\n };\n } catch (e) {\n console.error(\"[auth] MCP OAuth bearer verification error:\", e);\n return null;\n }\n}\n\nfunction isFrameworkActionRoute(event: H3Event): boolean {\n const { rawPath } = getRequestPathAndSearch(event);\n const path = stripAppBasePath(rawPath);\n return (\n path === \"/_agent-native/actions\" ||\n path.startsWith(\"/_agent-native/actions/\")\n );\n}\n\n/**\n * Resolve an `Authorization: Bearer` token to a session: first the legacy\n * `sessions` table (desktop/native persisted tokens), then, only on the\n * framework HTTP action surface, a connect-minted MCP OAuth access token (the\n * local Plans publish credential).\n */\nasync function getBearerSession(event: H3Event): Promise<AuthSession | null> {\n const legacy = await getBearerLegacySession(event);\n if (legacy) return legacy;\n if (!isFrameworkActionRoute(event)) return null;\n return getMcpOAuthBearerSession(event);\n}\n\nfunction shouldExposeSessionTokenInBody(event: H3Event): boolean {\n const origin = getHeader(event, \"origin\");\n if (origin && DESKTOP_AUTH_TOKEN_BODY_ORIGINS.has(origin)) return true;\n\n // Some native WebViews do not consistently emit an Origin header for\n // programmatic fetches. The desktop app marks same-server requests with\n // X-Request-Source; browsers can only use that cross-origin after our CORS\n // allowlist has approved the origin, and same-origin pages already receive\n // an equivalent httpOnly session cookie on successful login.\n return !origin && getHeader(event, \"x-request-source\") === \"clips-desktop\";\n}\n\nfunction authLoginResponse(\n event: H3Event,\n token: string,\n email?: string,\n): { ok: true; token?: string; email?: string } {\n if (!shouldExposeSessionTokenInBody(event)) return { ok: true };\n return email ? { ok: true, token, email } : { ok: true, token };\n}\n\n/**\n * Bad-credential / already-registered errors are normal user behavior, not\n * bugs we want to investigate. 
Filtering them out keeps Sentry signal\n * actionable — a real anomaly (DB error, Better Auth init crash, missing\n * table) shows up clearly because it doesn't match any of these patterns.\n */\nconst EXPECTED_AUTH_FAILURE_PATTERNS: RegExp[] = [\n /invalid\\s+(email|password|credentials)/i,\n /password.*incorrect/i,\n /user\\s+(not\\s+found|already\\s+exists)/i,\n /email\\s+already/i,\n /already\\s+(exists|registered|in\\s+use)/i,\n /not\\s+verified/i,\n];\n\nexport function isExpectedAuthFailure(error: unknown): boolean {\n const msg = (error as { message?: unknown })?.message;\n if (typeof msg !== \"string\") return false;\n return EXPECTED_AUTH_FAILURE_PATTERNS.some((re) => re.test(msg));\n}\n\n// ---------------------------------------------------------------------------\n// Legacy session store — kept for backward compat (addSession/getSessionEmail)\n// Used by google-oauth.ts for mobile deep linking session creation.\n// ---------------------------------------------------------------------------\n\nlet _sessionInitPromise: Promise<void> | undefined;\nlet sessionMaxAge = DEFAULT_MAX_AGE;\n\nasync function ensureSessionTable(): Promise<void> {\n if (!_sessionInitPromise) {\n _sessionInitPromise = (async () => {\n const client = getDbExec();\n await retryOnDdlRace(() =>\n client.execute(`\n CREATE TABLE IF NOT EXISTS sessions (\n token TEXT PRIMARY KEY,\n email TEXT,\n created_at ${intType()} NOT NULL\n )\n `),\n );\n try {\n await client.execute(`ALTER TABLE sessions ADD COLUMN email TEXT`);\n } catch {\n // Column already exists\n }\n })().catch((err) => {\n // Don't cache the rejection — let the next caller retry a fresh init.\n _sessionInitPromise = undefined;\n throw err;\n });\n }\n return _sessionInitPromise;\n}\n\n/**\n * Re-run any `sessions`-table op once if Postgres reports the relation is\n * missing. Covers the case where a prior `ensureSessionTable()` resolved but\n * the table wasn't actually present (e.g. 
a race where the CREATE was dropped\n * on a reused pool connection, or a cached resolved promise from a prior\n * DB URL). Forces a fresh init, then retries the caller's op.\n */\nasync function retryIfSessionsMissing<T>(op: () => Promise<T>): Promise<T> {\n try {\n return await op();\n } catch (e: any) {\n if (e?.code !== \"42P01\") throw e;\n const msg = String(e?.message ?? \"\");\n if (!msg.includes(\"sessions\")) throw e;\n _sessionInitPromise = undefined;\n await ensureSessionTable();\n return await op();\n }\n}\n\n/**\n * Create a new session in the legacy sessions table.\n * Used by google-oauth.ts for mobile deep linking.\n */\nexport async function addSession(token: string, email?: string): Promise<void> {\n await ensureSessionTable();\n const client = getDbExec();\n await retryIfSessionsMissing(() =>\n client.execute({\n sql: isPostgres()\n ? `INSERT INTO sessions (token, email, created_at) VALUES (?, ?, ?) ON CONFLICT (token) DO UPDATE SET email=EXCLUDED.email, created_at=EXCLUDED.created_at`\n : `INSERT OR REPLACE INTO sessions (token, email, created_at) VALUES (?, ?, ?)`,\n args: [token, email ?? null, Date.now()],\n }),\n );\n}\n\n/** Remove a session from the legacy sessions table. 
*/\nexport async function removeSession(token: string): Promise<void> {\n await ensureSessionTable();\n const client = getDbExec();\n await retryIfSessionsMissing(() =>\n client.execute({\n sql: `DELETE FROM sessions WHERE token = ?`,\n args: [token],\n }),\n );\n}\n\n/**\n * Look up the email associated with a legacy session token.\n * Returns null if the session doesn't exist, is expired, or has no email.\n */\nexport async function getSessionEmail(token: string): Promise<string | null> {\n await ensureSessionTable();\n const client = getDbExec();\n const { rows } = await retryIfSessionsMissing(() =>\n client.execute({\n sql: `SELECT email, created_at FROM sessions WHERE token = ?`,\n args: [token],\n }),\n );\n if (rows.length === 0) return null;\n const createdAt = rows[0].created_at as number;\n if (Date.now() - createdAt > sessionMaxAge * 1000) {\n await client.execute({\n sql: `DELETE FROM sessions WHERE token = ?`,\n args: [token],\n });\n return null;\n }\n return (rows[0].email as string) ?? null;\n}\n\n// ---------------------------------------------------------------------------\n// getSession — the auth contract\n// ---------------------------------------------------------------------------\n\nlet customGetSession: ((event: H3Event) => Promise<AuthSession | null>) | null =\n null;\n\n/**\n * Mutable config for the auth guard. 
Stored separately from the guard function\n * so that a custom auth plugin can update the login HTML / public paths even\n * after the default plugin has already installed the middleware (a race that\n * occurs in production serverless environments where the default plugin is\n * auto-mounted before the template's custom auth plugin runs).\n */\ninterface AuthGuardConfig {\n loginHtml: string;\n getLoginHtml?: (event: H3Event, rawPath: string) => string;\n publicPaths: string[];\n workspaceAppAudience: WorkspaceAppAudience;\n workspaceAppPublicPaths: string[];\n workspaceAppProtectedPaths: string[];\n}\nlet _authGuardConfig: AuthGuardConfig | null = null;\nconst _genericGoogleOAuthRoutesEnabled = new WeakMap<object, boolean>();\n\nfunction getRequestHost(event: H3Event): string | undefined {\n return (\n getHeader(event, \"x-forwarded-host\") ??\n getHeader(event, \"host\") ??\n undefined\n );\n}\n\nfunction getOnboardingHtmlOptions(\n options: AuthOptions,\n event?: H3Event,\n rawPath?: string,\n): OnboardingHtmlOptions {\n return {\n googleOnly: options.googleOnly,\n marketing: options.marketing,\n googleSignInNotice: options.googleSignInNotice,\n googleAuthMode: options.googleAuthMode,\n requestHost: event ? getRequestHost(event) : undefined,\n requestPath: rawPath,\n requestOrigin: event ? 
getOrigin(event) : undefined,\n };\n}\n\nfunction getAuthOnboardingHtml(\n options: AuthOptions,\n event?: H3Event,\n rawPath?: string,\n): string {\n return getOnboardingHtml(getOnboardingHtmlOptions(options, event, rawPath));\n}\n\nfunction getOnboardingLoginHtmlConfig(\n options: AuthOptions,\n): Pick<AuthGuardConfig, \"loginHtml\" | \"getLoginHtml\"> {\n if (options.loginHtml) return { loginHtml: options.loginHtml };\n return {\n loginHtml: getAuthOnboardingHtml(options),\n getLoginHtml: (event, rawPath) =>\n getAuthOnboardingHtml(options, event, rawPath),\n };\n}\n\nfunction resolveWorkspaceAppAudience(\n options: Pick<AuthOptions, \"workspaceAppAudience\"> = {},\n): WorkspaceAppAudience {\n return normalizeWorkspaceAppAudience(\n options.workspaceAppAudience ?? workspaceAppAudienceFromEnv(),\n );\n}\n\nfunction resolveWorkspaceAppRouteAccess(\n options: Pick<\n AuthOptions,\n \"workspaceAppPublicPaths\" | \"workspaceAppProtectedPaths\"\n > = {},\n): { publicPaths: string[]; protectedPaths: string[] } {\n const env = workspaceAppRouteAccessFromEnv();\n return {\n publicPaths: options.workspaceAppPublicPaths ?? env.publicPaths,\n protectedPaths: options.workspaceAppProtectedPaths ?? 
env.protectedPaths,\n };\n}\n\nfunction setGenericGoogleOAuthRoutesEnabled(\n app: H3App,\n enabled: boolean,\n): void {\n if (app && typeof app === \"object\") {\n _genericGoogleOAuthRoutesEnabled.set(app, enabled);\n }\n}\n\nfunction areGenericGoogleOAuthRoutesEnabled(app: H3App): boolean {\n return _genericGoogleOAuthRoutesEnabled.get(app as object) !== false;\n}\n\n// Desktop OAuth exchange store — holds session tokens keyed by a unique flow\n// ID so native apps (Tauri, Electron) that open OAuth in the system browser\n// can retrieve the token after the callback completes on the server.\n//\n// Primary: in-memory Map (fast, works for single-instance dev/preview builds).\n// Fallback: sessions table with a \"dex:\" prefixed key for cross-instance\n// durability (Cloudflare Workers, multi-region deployments). The value stored\n// in the `email` column is \"{realToken}::{userEmail}\" so both can be recovered\n// from a single DB lookup.\nexport interface DesktopExchangeErrorPayload {\n message: string;\n code?: string;\n accountId?: string;\n existingOwner?: string;\n attemptedOwner?: string;\n}\n\ntype DesktopExchangeEntry =\n | { token: string; email: string; expiresAt: number }\n | { error: DesktopExchangeErrorPayload; expiresAt: number };\ntype DesktopExchangeStoredEntry =\n | { token: string; email: string }\n | { error: DesktopExchangeErrorPayload };\n\nconst _desktopExchanges = new Map<string, DesktopExchangeEntry>();\nconst DESKTOP_EXCHANGE_ERROR_PREFIX = \"__error__::\";\nconst DESKTOP_AUTH_TOKEN_BODY_ORIGINS = new Set([\n \"tauri://localhost\",\n \"http://localhost:1420\",\n]);\n\n// 5-minute TTL for exchange entries (short — single-use tokens).\nconst DESKTOP_EXCHANGE_TTL_MS = 5 * 60 * 1000;\n\nexport function setDesktopExchange(\n flowId: string,\n token: string,\n email: string,\n) {\n _desktopExchanges.set(flowId, {\n token,\n email,\n expiresAt: Date.now() + DESKTOP_EXCHANGE_TTL_MS,\n });\n // Persist to DB so the token survives cross-instance 
routing (e.g. when\n // templates call this helper directly instead of going through the OAuth\n // callback path).\n void persistDesktopExchangeToDB(flowId, token, email);\n}\n\nexport function setDesktopExchangeError(\n flowId: string,\n error: DesktopExchangeErrorPayload,\n) {\n _desktopExchanges.set(flowId, {\n error,\n expiresAt: Date.now() + DESKTOP_EXCHANGE_TTL_MS,\n });\n void persistDesktopExchangeErrorToDB(flowId, error);\n}\n\n/**\n * Persist a desktop exchange entry to the sessions table so it survives\n * cross-instance routing (e.g. Cloudflare Workers). Stored under a synthetic\n * token key \"dex:{flowId}\"; the `email` column packs both the real session\n * token and the user email so they can be recovered in one query.\n * Non-fatal — if the DB isn't ready yet the in-memory Map still works for\n * same-instance requests.\n */\nasync function persistDesktopExchangeToDB(\n flowId: string,\n token: string,\n email: string,\n): Promise<void> {\n try {\n await addSession(`dex:${flowId}`, `${token}::${email}`);\n } catch {\n // non-fatal — in-memory Map is the primary path\n }\n}\n\nasync function persistDesktopExchangeErrorToDB(\n flowId: string,\n error: DesktopExchangeErrorPayload,\n): Promise<void> {\n try {\n const payload = Buffer.from(JSON.stringify(error)).toString(\"base64url\");\n await addSession(\n `dex:${flowId}`,\n `${DESKTOP_EXCHANGE_ERROR_PREFIX}${payload}`,\n );\n } catch {\n // non-fatal — in-memory Map is the primary path\n }\n}\n\n/**\n * Retrieve and consume a desktop exchange entry from the DB fallback.\n * Returns null if not found or already consumed.\n */\nasync function consumeDesktopExchangeFromDB(\n flowId: string,\n): Promise<DesktopExchangeStoredEntry | null> {\n try {\n // Atomic DELETE...RETURNING prevents token replay: two concurrent polls\n // cannot both retrieve the token because only one DELETE will match the row.\n // SQLite ≥3.35 and PostgreSQL both support this syntax.\n // The created_at predicate enforces the 
5-minute TTL so stale DB entries\n // (e.g. the desktop app never polled) are rejected rather than silently\n // redeemed with the session table's default 30-day TTL.\n const client = getDbExec();\n const { rows } = await client.execute({\n sql: `DELETE FROM sessions WHERE token = ? AND created_at > ? RETURNING email`,\n args: [`dex:${flowId}`, Date.now() - DESKTOP_EXCHANGE_TTL_MS],\n });\n if (rows.length === 0) return null;\n const packed = (rows[0].email ?? rows[0][0]) as string | null;\n if (!packed) return null;\n if (packed.startsWith(DESKTOP_EXCHANGE_ERROR_PREFIX)) {\n const raw = packed.slice(DESKTOP_EXCHANGE_ERROR_PREFIX.length);\n return {\n error: JSON.parse(Buffer.from(raw, \"base64url\").toString()),\n };\n }\n const sepIdx = packed.indexOf(\"::\");\n if (sepIdx === -1) return null;\n return { token: packed.slice(0, sepIdx), email: packed.slice(sepIdx + 2) };\n } catch {\n return null;\n }\n}\n\nsetInterval(() => {\n const now = Date.now();\n for (const [k, v] of _desktopExchanges) {\n if (v.expiresAt < now) _desktopExchanges.delete(k);\n }\n}, 60_000).unref?.();\n\n/**\n * Module-level auth guard function. Set by autoMountAuth() when auth is active.\n * Called by the server middleware to enforce auth on ALL requests (not just\n * /_agent-native/* routes).\n */\nlet _authGuardFn:\n | ((event: H3Event) => Promise<Response | object | string | void>)\n | null = null;\n\n/**\n * The H3 app the auth routes + guard were last mounted on. Module-level\n * state survives Vite HMR restarts, but each HMR cycle creates a fresh\n * nitroApp/H3 instance whose middleware array is empty again. Tracking the\n * app here lets autoMountAuth detect \"same module state, new app\" and\n * re-mount routes instead of silently skipping them because `_authGuardFn`\n * looks populated from a previous cycle.\n */\nlet _mountedApp: H3App | null = null;\n\n/**\n * Run the auth guard on an event. 
Returns a Response/object to block the\n * request (login page or 401), or undefined to allow it through.\n *\n * Called by the default server middleware (server/middleware/auth.ts) to\n * enforce auth on page routes and API routes — not just framework routes.\n */\nexport async function runAuthGuard(\n event: H3Event,\n): Promise<Response | object | string | void> {\n if (!_authGuardFn) return; // Auth not mounted (local mode, etc.)\n return _authGuardFn(event);\n}\n\n// ---------------------------------------------------------------------------\n// Auth guard factory\n// ---------------------------------------------------------------------------\n\n/**\n * Create an auth guard function that checks session and blocks\n * unauthenticated requests. Returns the login HTML for page routes\n * or a 401 JSON response for API routes.\n *\n * Reads loginHtml and publicPaths from _authGuardConfig on every request\n * so that a custom plugin can update them after the default has already\n * installed this middleware (the production race condition fix).\n */\nfunction applyCorsHeaders(event: H3Event): {\n hasOrigin: boolean;\n allowed: boolean;\n} {\n // Framework-level CORS. The auth guard runs before any of the app's own\n // route handlers, so we need to set CORS here too — otherwise a 401\n // response would be missing the Allow-Origin header and the browser\n // blocks the response body (making it look like a network error\n // rather than \"unauthenticated\").\n const origin = getHeader(event, \"origin\");\n if (!origin) return { hasOrigin: false, allowed: true };\n const requestedHeaders = String(\n getHeader(event, \"access-control-request-headers\") ?? 
\"\",\n )\n .toLowerCase()\n .split(\",\")\n .map((header) => header.trim());\n const mcpEmbedCorsRequest =\n isMcpEmbedCorsOrigin(origin) &&\n (requestHasEmbedAuthMarker(event) ||\n requestedHeaders.includes(EMBED_TARGET_HEADER.toLowerCase()) ||\n requestedHeaders.includes(EMBED_TRANSPLANT_HEADER) ||\n Boolean(getHeader(event, EMBED_TARGET_HEADER)) ||\n Boolean(getHeader(event, EMBED_TRANSPLANT_HEADER)) ||\n Boolean(getHeader(event, \"authorization\")));\n const allowedOrigin = getAllowedCorsOrigin(origin, {\n allowedOrigins: readCorsAllowedOrigins(),\n allowLocalhostWhenNoAllowlist: true,\n });\n const responseOrigin = mcpEmbedCorsRequest ? origin : allowedOrigin;\n if (!responseOrigin) return { hasOrigin: true, allowed: false };\n setResponseHeader(event, \"Access-Control-Allow-Origin\", responseOrigin);\n setResponseHeader(event, \"Vary\", \"Origin\");\n if (!mcpEmbedCorsRequest || shouldAllowMcpEmbedCredentials(responseOrigin)) {\n setResponseHeader(event, \"Access-Control-Allow-Credentials\", \"true\");\n }\n setResponseHeader(\n event,\n \"Access-Control-Allow-Methods\",\n \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n );\n setResponseHeader(\n event,\n \"Access-Control-Allow-Headers\",\n mcpEmbedCorsRequest\n ? 
MCP_EMBED_CORS_ALLOW_HEADERS\n : [\n \"Content-Type\",\n \"Authorization\",\n \"X-Requested-With\",\n \"X-Request-Source\",\n \"X-Agent-Native-CSRF\",\n \"X-User-Timezone\",\n EMBED_TARGET_HEADER,\n ].join(\",\"),\n );\n return { hasOrigin: true, allowed: true };\n}\n\nfunction createAuthCorsHandler() {\n return defineEventHandler((event) => {\n const cors = applyCorsHeaders(event);\n if (getMethod(event) !== \"OPTIONS\") return;\n\n if (cors.hasOrigin && !cors.allowed) {\n setResponseStatus(event, 403);\n return \"\";\n }\n\n setResponseStatus(event, 204);\n return \"\";\n });\n}\n\nfunction mountAuthCorsMiddleware(app: H3App): void {\n const handler = createAuthCorsHandler();\n app.use(\"/_agent-native/auth\", handler);\n app.use(\"/_agent-native/google\", handler);\n}\n\nfunction isWorkspaceOAuthCallbackRelayEnabled(): boolean {\n return (\n process.env.AGENT_NATIVE_WORKSPACE === \"1\" ||\n process.env.VITE_AGENT_NATIVE_WORKSPACE === \"1\"\n );\n}\n\nfunction isFrameworkOAuthCallbackPath(pathname: string): boolean {\n return (\n pathname.startsWith(\"/_agent-native/\") &&\n (pathname.endsWith(\"/callback\") || pathname.includes(\"/callback/\"))\n );\n}\n\nfunction getRequestPathAndSearch(event: H3Event): {\n rawPath: string;\n search: string;\n} {\n const mountedPathname = (event as any).context?._mountedPathname;\n if (typeof mountedPathname === \"string\" && mountedPathname) {\n return { rawPath: mountedPathname, search: event.url?.search || \"\" };\n }\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n const queryStart = url.indexOf(\"?\");\n return {\n rawPath: queryStart >= 0 ? url.slice(0, queryStart) : url,\n search: queryStart >= 0 ? 
url.slice(queryStart) : \"\",\n };\n}\n\nfunction workspaceOAuthCallbackRelayResponse(\n event: H3Event,\n): Response | undefined {\n const { rawPath, search } = getRequestPathAndSearch(event);\n const normalizedPath = stripAppBasePath(rawPath);\n const basePath = getAppBasePath();\n if (\n !basePath ||\n !isWorkspaceOAuthCallbackRelayEnabled() ||\n !isFrameworkOAuthCallbackPath(normalizedPath) ||\n rawPath === `${basePath}/_agent-native` ||\n rawPath.startsWith(`${basePath}/_agent-native/`)\n ) {\n return undefined;\n }\n\n const state = new URLSearchParams(\n search.startsWith(\"?\") ? search.slice(1) : search,\n ).get(\"state\");\n const appId = extractOAuthStateAppId(state);\n if (\n !appId ||\n appId === getOAuthStateAppId() ||\n !isValidWorkspaceAppIdFormat(appId)\n ) {\n return undefined;\n }\n\n return new Response(\"\", {\n status: 302,\n headers: { Location: `/${appId}${normalizedPath}${search}` },\n });\n}\n\nfunction verifiedBuilderConnectOwnerFromUrl(url: string): string | null {\n const queryStart = url.indexOf(\"?\");\n if (queryStart < 0) return null;\n const token = new URLSearchParams(url.slice(queryStart + 1)).get(\n BUILDER_CONNECT_PARAM,\n );\n return verifyBuilderConnectTokenAndGetOwner(token);\n}\n\nfunction shouldBypassAuthForBuilderConnect(event: H3Event, p: string): boolean {\n if (p === \"/_agent-native/builder/connect\") {\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n return Boolean(verifiedBuilderConnectOwnerFromUrl(url));\n }\n\n if (p === \"/_agent-native/builder/callback\") {\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n const queryStart = url.indexOf(\"?\");\n const state =\n queryStart >= 0\n ? new URLSearchParams(url.slice(queryStart + 1)).get(\n BUILDER_STATE_PARAM,\n )\n : null;\n // The signed `_an_state` authenticates this specific Builder callback\n // flow back to our app. 
A stale localhost session cookie can otherwise\n // make the global guard reject the callback before the handler gets to\n // validate the state and owner. This only bypasses to the callback route;\n // the callback handler still verifies the signed owner / pending flow.\n if (verifyBuilderCallbackStateAndGetOwner(state)) return true;\n\n // The legacy owner cookie is broader and can be stale across shared\n // browser sessions, so keep it limited to the session-lost popup case.\n const hasSession = getFrameworkSessionCookieValues(event).length > 0;\n if (hasSession) return false;\n return Boolean(\n verifyBuilderConnectTokenAndGetOwner(\n getCookie(event, BUILDER_CONNECT_OWNER_COOKIE),\n ),\n );\n }\n\n return false;\n}\n\nconst LOGIN_OG_IMAGE_META_RE =\n /<meta\\b(?=[^>]*\\bproperty=([\"'])og:image\\1)[^>]*>/i;\nconst LOGIN_TWITTER_CARD_META_RE =\n /<meta\\b(?=[^>]*\\bname=([\"'])twitter:card\\1)[^>]*>/i;\nconst LOGIN_TWITTER_IMAGE_META_RE =\n /<meta\\b(?=[^>]*\\bname=([\"'])twitter:image\\1)[^>]*>/i;\n\nfunction escapeHtmlAttr(value: string): string {\n return value\n .replace(/&/g, \"&amp;\")\n .replace(/</g, \"&lt;\")\n .replace(/>/g, \"&gt;\")\n .replace(/\"/g, \"&quot;\");\n}\n\nfunction injectLoginSocialImageMeta(loginHtml: string, event: H3Event): string {\n const headCloseIdx = loginHtml.indexOf(\"</head>\");\n if (headCloseIdx === -1) return loginHtml;\n\n const hasAnySocialImage =\n LOGIN_OG_IMAGE_META_RE.test(loginHtml) ||\n LOGIN_TWITTER_IMAGE_META_RE.test(loginHtml);\n const imageUrl = escapeHtmlAttr(\n withAgentNativeSocialImageCacheBuster(\n getAppUrl(event, AGENT_NATIVE_SOCIAL_IMAGE_PATH),\n ),\n );\n const tags: string[] = [];\n\n if (!hasAnySocialImage) {\n tags.push(`<meta property=\"og:image\" content=\"${imageUrl}\">`);\n tags.push(`<meta property=\"og:image:secure_url\" content=\"${imageUrl}\">`);\n tags.push(\n `<meta property=\"og:image:type\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_TYPE}\">`,\n );\n tags.push(\n `<meta 
property=\"og:image:width\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_WIDTH}\">`,\n );\n tags.push(\n `<meta property=\"og:image:height\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_HEIGHT}\">`,\n );\n tags.push(\n `<meta property=\"og:image:alt\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_ALT}\">`,\n );\n }\n if (!LOGIN_TWITTER_CARD_META_RE.test(loginHtml)) {\n tags.push(`<meta name=\"twitter:card\" content=\"summary_large_image\">`);\n }\n if (!hasAnySocialImage) {\n tags.push(`<meta name=\"twitter:image\" content=\"${imageUrl}\">`);\n tags.push(\n `<meta name=\"twitter:image:alt\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_ALT}\">`,\n );\n }\n\n if (tags.length === 0) return loginHtml;\n return (\n loginHtml.slice(0, headCloseIdx) +\n tags.join(\"\") +\n loginHtml.slice(headCloseIdx)\n );\n}\n\nfunction loginHtmlResponse(loginHtml: string, event: H3Event): Response {\n return new Response(injectLoginSocialImageMeta(loginHtml, event), {\n status: 200,\n headers: {\n \"Content-Type\": \"text/html; charset=utf-8\",\n // The sign-in document is part of the public server shell. 
Keep it on the\n // same short-fresh/long-SWR CDN policy as React Router SSR so hosted\n // template roots do not invoke origin just to render anonymous login UI.\n // The login HTML is env-INDEPENDENT (a Google-only app always renders a\n // working button), so a cached copy is never \"wrong\" — never downgrade\n // this to private/no-store.\n ...DEFAULT_SSR_CACHE_HEADERS,\n \"X-Robots-Tag\": \"noindex, nofollow\",\n },\n });\n}\n\nfunction isHtmlDocumentRequest(event: H3Event, pathname: string): boolean {\n if (!isReadMethod(event)) return false;\n if (pathname.endsWith(\".data\")) return false;\n\n const fetchDest = getHeader(event, \"sec-fetch-dest\")?.toLowerCase();\n if (fetchDest === \"document\" || fetchDest === \"iframe\") return true;\n\n const accept = getHeader(event, \"accept\")?.toLowerCase();\n return !accept || accept.includes(\"text/html\") || accept.includes(\"*/*\");\n}\n\nfunction createAuthGuardFn(): (\n event: H3Event,\n) => Promise<Response | object | string | void> {\n return async (event: H3Event) => {\n const config = _authGuardConfig;\n if (!config) return;\n const { publicPaths } = config;\n\n const url = event.node?.req?.url ?? event.path ?? \"/\";\n const queryStart = url.indexOf(\"?\");\n const rawPath = queryStart >= 0 ? url.slice(0, queryStart) : url;\n const loginHtml = config.getLoginHtml?.(event, rawPath) ?? config.loginHtml;\n const p = stripAppBasePath(rawPath);\n const normalizedUrl = queryStart >= 0 ? `${p}${url.slice(queryStart)}` : p;\n const callbackRelay = workspaceOAuthCallbackRelayResponse(event);\n if (callbackRelay) return callbackRelay;\n\n // Emit CORS headers on every request the guard sees so that even\n // error responses (401) reach the browser.\n const cors = applyCorsHeaders(event);\n // Preflight short-circuit: the browser sends OPTIONS before the real\n // credentialed request. 
Must return success without invoking auth.\n if (getMethod(event) === \"OPTIONS\") {\n if (cors.hasOrigin && !cors.allowed) {\n setResponseStatus(event, 403);\n return \"\";\n }\n setResponseStatus(event, 204);\n return \"\";\n }\n\n // Skip auth routes and specific Google OAuth endpoints that must be public\n // (callback and auth-url). Other Google endpoints like /status require auth.\n if (\n p.startsWith(\"/_agent-native/auth/\") ||\n p === \"/_agent-native/google/callback\" ||\n p === \"/_agent-native/google/auth-url\" ||\n p === \"/_agent-native/google/add-account/callback\"\n ) {\n return;\n }\n\n // The deep-link route resolves the *browser* session itself and serves\n // the sign-in form inline when unauthenticated (so the post-login reload\n // returns to the same deep link). It must bypass the guard's blanket\n // 401-for-/_agent-native/* so an external-agent \"Open in … →\" link\n // clicked in any browser/webview lands correctly.\n if (p === \"/_agent-native/open\" || p === EMBED_START_PATH) {\n return;\n }\n\n // Integration webhook endpoints verify authenticity via platform-specific\n // signature verification (Slack HMAC, Telegram token, etc.), not sessions.\n if (/^\\/_agent-native\\/integrations\\/[^/]+\\/webhook$/.test(p)) {\n return;\n }\n\n // Internal processor endpoint for the integration webhook fanout. The\n // webhook handler enqueues a task to SQL and dispatches a fresh HTTP POST\n // to this endpoint so the agent loop runs in its own function execution\n // (cross-platform serverless-safe — see `integrations/webhook-handler.ts`).\n // Authenticity is verified via an HMAC token signed with A2A_SECRET, plus\n // an atomic SQL claim that prevents duplicate processing.\n if (p === \"/_agent-native/integrations/process-task\") {\n return;\n }\n\n // Internal processor endpoint for deferred A2A continuations created by\n // integration tasks. 
It uses the same HMAC internal-token scheme as the\n // primary integration processor, so it must bypass cookie/session auth.\n if (p === \"/_agent-native/integrations/process-a2a-continuation\") {\n return;\n }\n\n // Agent Teams durable sub-agent processor. Self-fired by `spawnTask` to run\n // a queued sub-agent in a fresh function invocation; authenticity is\n // verified by the same HMAC internal-token scheme plus an atomic SQL claim,\n // so it bypasses cookie/session auth (mirrors the integration processor).\n if (p === \"/_agent-native/agent-teams/_process-run\") {\n return;\n }\n\n // Read-only agent chat share links. The random token is the bearer secret;\n // the route returns a sanitized transcript plus bounded run summaries and\n // exposes no write surface, live event stream, tool payloads, or owner APIs.\n if (p.startsWith(\"/_agent-native/agent-chat/shared/\")) {\n return;\n }\n\n // A2A endpoint verifies authenticity via JWT signed with the org's A2A\n // secret (or the global A2A_SECRET fallback), not via session cookies.\n if (p === \"/_agent-native/a2a\") {\n return;\n }\n\n // MCP protocol endpoint. `mountMCP` runs its own `verifyAuth` (Bearer\n // ACCESS_TOKEN/ACCESS_TOKENS or A2A_SECRET JWT, open in dev) and is the\n // authoritative gate — exactly like A2A above. Without this bypass the\n // guard's blanket 401-for-/_agent-native/* below shadows that check, so\n // an external coding agent (Claude Code / Codex / Cowork) connecting via\n // the stdio proxy or HTTP can never reach it. Exact protocol endpoint only:\n // tolerate the common trailing slash, but keep\n // `/_agent-native/mcp/*` management subroutes on normal session auth.\n if (p === \"/_agent-native/mcp\" || p === \"/_agent-native/mcp/\") {\n return;\n }\n\n // MCP connect — frictionless external-agent connection. 
Like /open\n // above, the connect *page* resolves the browser session itself and\n // serves its own login form when unauthenticated (so the post-login\n // reload returns to the same URL, carrying the device user_code in the\n // query). The two unauthenticated device endpoints below are the CLI's\n // OAuth-style polling pair: `device/start` (mint a device+user code) and\n // `device/poll` (exchange an approved code for the token) — both must be\n // reachable without a browser session because the CLI has none. They are\n // protected by short-TTL, single-use, crypto-random codes + a creation\n // rate-limit, not cookies.\n //\n // The standard remote-MCP OAuth endpoints also bypass here: metadata and\n // dynamic client registration are public by design; `/oauth/token` is\n // protected by single-use auth codes / refresh tokens; and\n // `/oauth/authorize` resolves the browser session itself so it can serve\n // the login form at the original authorization URL.\n //\n // The legacy Connect endpoints that MINT or MUTATE on behalf of the user\n // (`/connect/token`, `/device/authorize`, `/tokens`, `/tokens/revoke`) are\n // intentionally NOT bypassed: they are POSTed by the in-page fetch with a\n // session cookie and the handler re-checks the session itself.\n if (\n p === \"/_agent-native/mcp/connect\" ||\n p === \"/_agent-native/mcp/connect/device/start\" ||\n p === \"/_agent-native/mcp/connect/device/poll\" ||\n p === \"/_agent-native/mcp/oauth/authorize\" ||\n p === \"/_agent-native/mcp/oauth/token\" ||\n p === \"/_agent-native/mcp/oauth/register\"\n ) {\n return;\n }\n\n // Cross-app SSO (\"Sign in with Agent-Native\") — CLIENT side. Both the\n // `/login` entry point and the `/callback` (hit by a user who is, by\n // definition, NOT yet signed in to THIS app) must bypass the blanket\n // 401-for-/_agent-native/*: they resolve / mint the browser session\n // themselves and verify a signature-bound, single-use, CSRF-stated\n // hub token — not a cookie. 
This bypass is GATED on the opt-in env var\n // so an unset `AGENT_NATIVE_IDENTITY_HUB_URL` is a true no-op (the\n // guard's behaviour is byte-for-byte unchanged when SSO is off). The\n // handler itself 404s when disabled as defence in depth.\n if (\n isIdentitySsoEnabled() &&\n (p === \"/_agent-native/identity/login\" ||\n p === \"/_agent-native/identity/callback\")\n ) {\n return;\n }\n\n // Internal processor endpoint for the A2A async-mode fanout. Mirrors the\n // integration webhook fanout: when `message/send` is called with\n // `async: true`, the JSON-RPC handler enqueues to a2a_tasks and self-\n // fires a POST here so the handler runs in a fresh function execution.\n // Authenticity is verified via an HMAC token signed with A2A_SECRET\n // (same scheme as /_agent-native/integrations/process-task).\n if (p === \"/_agent-native/a2a/_process-task\") {\n return;\n }\n\n // A2A secret receive endpoint — verifies authenticity via JWT signed\n // with the calling app's A2A secret, not via session cookies. Used to\n // sync the org A2A secret across connected apps.\n if (p === \"/_agent-native/org/a2a-secret/receive\") {\n return;\n }\n\n // Recap-image upload (POST /_agent-native/recap-image). The PR visual-recap\n // GitHub Action uploads a PNG here with the SAME `agent-native connect`\n // bearer token the MCP / action surface accepts — a connect-minted MCP\n // OAuth access token that `getSession` only honors on the action surface.\n // The handler re-runs the canonical `verifyAuth` itself (audience-bound to\n // this app's MCP resource) and 401s unauthenticated callers, so — exactly\n // like /_agent-native/a2a and the MCP endpoints above — it must bypass the\n // guard's blanket 401-for-/_agent-native/*. 
The anonymous read route\n // (`/recap-image/<token>.png`) is already public via the `.png` static-asset\n // branch below; this bypass is for the upload path only.\n if (p === \"/_agent-native/recap-image\") {\n return;\n }\n\n // Force-sign-in entrypoint. Templates send viewers from public pages\n // (share links, embeds) here with a `?return=<path>` query — anonymous\n // visitors get the loginHtml, and once they sign in the loginHtml's\n // post-login reload re-hits this same URL with a session cookie set,\n // so we 302 them to the original page.\n //\n // `return` is validated by parsing it against a sentinel base origin\n // and checking the resolved origin still matches. This rejects every\n // open-redirect shape — `//evil.com/...` (network-path reference),\n // `/\\evil.com/...` (WHATWG URL parser normalises `\\` to `/` in HTTP\n // URLs, so a naive prefix check on `//` misses this), absolute URLs\n // like `https://evil.com`, and `data:` / `javascript:` schemes. The\n // reconstructed path comes from the parsed segments so any leftover\n // quirks get normalised. Control chars (incl. CR/LF for header\n // injection) are rejected up front.\n //\n if (p === \"/_agent-native/sign-in\") {\n const queryStr = queryStart >= 0 ? url.slice(queryStart + 1) : \"\";\n const safeReturn = safeReturnPath(\n new URLSearchParams(queryStr).get(\"return\"),\n );\n const session = await getSession(event);\n if (session) {\n return new Response(\"\", {\n status: 302,\n headers: { Location: safeReturn },\n });\n }\n return loginHtmlResponse(loginHtml, event);\n }\n\n // Auth entry pages are framework-owned pages, not app routes. When a user\n // already has a session, redirect them back to the mounted app instead of\n // letting React Router try to render /login.\n if (p === \"/login\" || p === \"/signup\") {\n const session = await getSession(event);\n if (session) {\n const queryStr = queryStart >= 0 ? 
url.slice(queryStart + 1) : \"\";\n const safeReturn = safeReturnPath(\n new URLSearchParams(queryStr).get(\"return\"),\n );\n return new Response(\"\", {\n status: 302,\n headers: {\n Location: safeReturn === \"/\" ? getAppBasePath() || \"/\" : safeReturn,\n },\n });\n }\n return loginHtmlResponse(loginHtml, event);\n }\n\n // Skip static assets (Vite chunks, fonts, images, etc.)\n if (\n p.startsWith(\"/assets/\") ||\n p.startsWith(\"/_build/\") ||\n p.endsWith(\".js\") ||\n p.endsWith(\".css\") ||\n p.endsWith(\".map\") ||\n p.endsWith(\".ico\") ||\n p.endsWith(\".png\") ||\n p.endsWith(\".svg\") ||\n p.endsWith(\".woff2\") ||\n p.endsWith(\".woff\")\n ) {\n return;\n }\n\n // React Router 7's lazy route discovery fetches `/__manifest?p=...` to\n // resolve manifest patches for `<Link>`s the user might click. The\n // auth fallback returning loginHtml here makes RR fail to parse the\n // body as RSC, surfacing as a console error and (when the visitor\n // already errored elsewhere) blocking the app from rendering. Let it\n // through — it returns a tiny RSC-encoded manifest of the public\n // route tree, no per-user data.\n if (p === \"/__manifest\") return;\n if (p === \"/_agent-native/speculation-rules.json\") return;\n if (isPublicPath(normalizedUrl, publicPaths)) return;\n if (shouldBypassAuthForBuilderConnect(event, p)) return;\n if (isPublicWorkspacePageRequest(event, p, config)) {\n return;\n }\n\n const session = await getSession(event);\n if (session) return;\n\n if (p.startsWith(\"/api/\") || p.startsWith(\"/_agent-native/\")) {\n setResponseStatus(event, 401);\n return { error: \"Unauthorized\" };\n }\n\n if (!isHtmlDocumentRequest(event, p)) {\n setResponseStatus(event, 401);\n return { error: \"Unauthorized\" };\n }\n\n // Local-dev convenience: on the first page GET of a freshly-scaffolded\n // app, transparently create + sign in `dev@local.test` instead of\n // showing the sign-up form. 
Gated on NODE_ENV=development AND no real users in the\n // DB, so production and any app that has ever had a real signup are\n // unaffected. See maybeAutoCreateDevSession for full conditions.\n if (getMethod(event) === \"GET\") {\n const autoSession = await maybeAutoCreateDevSession(event, url);\n if (autoSession) return autoSession;\n }\n\n return loginHtmlResponse(loginHtml, event);\n };\n}\n\n// `.test` is an RFC 6761 reserved TLD that never resolves, so this stays a\n// safe local-only address while still passing better-auth's `z.email()`\n// validator (a bare `dev@local` has no TLD and is rejected as INVALID_EMAIL,\n// which silently broke the zero-setup auto-sign-in on every fresh dev DB).\nconst AUTO_DEV_ACCOUNT_EMAIL = \"dev@local.test\";\n// No fixed password: maybeAutoCreateDevSession mints a random one per DB\n// and prints it to the console once (see there).\n\n// Pre-fix local dev DBs may already contain a `dev@local` user. Treat that\n// legacy address as the dev account too, so the \"any real users?\" check\n// below doesn't mistake the old auto-account for a real signup (which would\n// permanently disable auto-create) and the post-logout guard still fires.\nconst LEGACY_AUTO_DEV_ACCOUNT_EMAIL = \"dev@local\";\n\nlet authDisabledWarningLogged = false;\n\nfunction isAuthDisabled(): boolean {\n const value = process.env.AUTH_DISABLED?.trim().toLowerCase();\n return value === \"1\" || value === \"true\";\n}\n\nfunction getAuthDisabledSession(): AuthSession | null {\n if (!isAuthDisabled()) return null;\n if (!authDisabledWarningLogged) {\n authDisabledWarningLogged = true;\n console.warn(\n `[agent-native] AUTH_DISABLED — login/signup disabled; all requests run as ${AUTO_DEV_ACCOUNT_EMAIL}`,\n );\n }\n return { email: AUTO_DEV_ACCOUNT_EMAIL };\n}\n\nasync function hasAutoDevAccountUser(\n db: ReturnType<typeof getDbExec>,\n): Promise<boolean> {\n const { rows } = await db.execute({\n sql: 'SELECT 1 FROM \"user\" WHERE email IN (?, ?) 
LIMIT 1',\n args: [AUTO_DEV_ACCOUNT_EMAIL, LEGACY_AUTO_DEV_ACCOUNT_EMAIL],\n });\n return rows.length > 0;\n}\n\ntype AutoDevAccountCreationResult = { password: string } | null;\n\nconst autoDevAccountCreationPromises = new Map<\n string,\n Promise<AutoDevAccountCreationResult>\n>();\n\nfunction getAutoDevAccountCreationKey(): string {\n return `${process.cwd()}:${process.env.APP_BASE_PATH ?? \"\"}`;\n}\n\nasync function createAutoDevAccountForSession(\n auth: NonNullable<Awaited<ReturnType<typeof getBetterAuth>>>,\n db: ReturnType<typeof getDbExec>,\n): Promise<string | null> {\n const key = getAutoDevAccountCreationKey();\n let creationPromise = autoDevAccountCreationPromises.get(key);\n\n if (!creationPromise) {\n const devPassword = crypto.randomBytes(18).toString(\"base64url\");\n\n creationPromise = (async () => {\n try {\n await auth.api.signUpEmail({\n body: {\n email: AUTO_DEV_ACCOUNT_EMAIL,\n password: devPassword,\n name: \"Dev\",\n },\n });\n } catch (e) {\n // Another process can still win the create race after our SELECT.\n // In-process first-page races share this promise and do not issue a\n // duplicate Better Auth signup, which keeps local SQLite logs quiet.\n if (await hasAutoDevAccountUser(db)) return null;\n if (!isExpectedAuthFailure(e)) throw e;\n return null;\n }\n\n // Print the throwaway credential exactly once so the developer can\n // sign back in manually after logout (auto-flow won't refire once the\n // dev row exists). 
Local console only — never Sentry.\n console.log(\n `\\n[agent-native] Local dev auto-login ready.\\n` +\n ` email: ${AUTO_DEV_ACCOUNT_EMAIL}\\n` +\n ` password: ${devPassword}\\n` +\n ` (random, this DB only — needed to sign back in after logout.\\n` +\n ` Set AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1 to disable.)\\n`,\n );\n\n return { password: devPassword };\n })();\n\n autoDevAccountCreationPromises.set(key, creationPromise);\n creationPromise\n .finally(() => {\n if (autoDevAccountCreationPromises.get(key) === creationPromise) {\n autoDevAccountCreationPromises.delete(key);\n }\n })\n .catch(() => {});\n }\n\n const result = await creationPromise;\n return result?.password ?? null;\n}\n\n/**\n * Local-dev convenience: skip the sign-up wall on first run.\n *\n * When NODE_ENV=development AND the `user` table has no rows for any\n * email other than the dev account (`dev@local.test`, or the legacy\n * `dev@local` on pre-fix DBs), transparently sign up (or sign back in\n * to) the auto-managed dev account and return a 302 to the original URL\n * with a session cookie set. A developer who just ran `pnpm dev` lands\n * in the app immediately instead of being asked to fill in name + email\n * + password to try the framework.\n *\n * Auto-create fires exactly once per local DB: as soon as the dev\n * account (or any real user) exists in the `user` table, the helper\n * returns null and the normal login flow takes over. 
Signing out then\n * leaves the user on the regular sign-in form; without this guard the\n * post-logout reload would silently re-create the session.\n *\n * Hardening (this is a convenience, not an auth bypass — it uses the\n * real Better Auth sign-up/sign-in, but a known-credential local account\n * is still worth not shipping):\n * - **Loopback only.** Gated on `isLoopbackRequest`, so a tunnelled /\n * reverse-proxied / misconfigured-non-prod dev server never auto-signs\n * in a directly-remote visitor (mirrors the desktop SSO broker).\n * - **Random per-DB password.** The account password is freshly\n * generated on creation and printed to the server console exactly\n * once — there is no source-code-known credential. After logout the\n * auto-flow won't refire (dev row exists), so signing back in uses\n * that printed password; lost it ⇒ drop the row or wipe the local DB.\n * - **NODE_ENV.** Still gated on development/test.\n *\n * Set `AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1` to opt out entirely\n * (useful for tests that exercise the unauthenticated branch).\n */\nasync function maybeAutoCreateDevSession(\n event: H3Event,\n redirectTo: string,\n): Promise<Response | null> {\n if (!isDevEnvironment()) return null;\n if (process.env.AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT === \"1\") return null;\n // Local machine only: never auto-sign-in a remote visitor, even if a\n // dev server is exposed (tunnel, reverse proxy, misconfigured NODE_ENV).\n if (!isLoopbackRequest(event)) return null;\n\n try {\n const db = getDbExec();\n // Exclude BOTH the current and the legacy dev-account email so a\n // pre-fix local DB that still holds a `dev@local` row isn't treated\n // as having a \"real user\" (which would permanently disable\n // auto-create on that DB).\n const { rows: realUsers } = await db.execute({\n sql: 'SELECT 1 FROM \"user\" WHERE email NOT IN (?, ?) 
LIMIT 1',\n args: [AUTO_DEV_ACCOUNT_EMAIL, LEGACY_AUTO_DEV_ACCOUNT_EMAIL],\n });\n if (realUsers.length > 0) return null;\n\n // If the dev account already exists, this is not a freshly-scaffolded\n // app — the user has been through the auto-create flow at least\n // once. Skip auto-create so signing out actually works: without\n // this guard, the post-logout reload immediately re-creates the\n // session and the user is stuck in the dev account forever (or has\n // to set AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1). To get the demo\n // experience back, drop the row or wipe the local DB. The legacy\n // `dev@local` address is matched too so pre-fix DBs still suppress\n // re-create after logout.\n if (await hasAutoDevAccountUser(db)) return null;\n\n const auth = await getBetterAuth();\n if (!auth) return null;\n\n // The dev account does not exist at this point (the devUsers check\n // above returned early otherwise). Concurrent in-process first page\n // loads share one signup promise so the losing request never asks Better\n // Auth to insert the same email and therefore never emits a SQLite\n // unique-constraint log.\n const devPassword = await createAutoDevAccountForSession(auth, db);\n if (!devPassword) return null;\n\n const result = await auth.api.signInEmail({\n body: {\n email: AUTO_DEV_ACCOUNT_EMAIL,\n password: devPassword,\n },\n });\n if (!result?.token) return null;\n\n setFrameworkSessionCookie(event, result.token);\n await addSession(result.token, AUTO_DEV_ACCOUNT_EMAIL);\n\n // Emit the session cookie ON the 302 itself. Returning a bare\n // `new Response(...)` here drops the cookie staged on event.node.res\n // (see redirectWithStagedCookies), so the developer would 302 to the\n // app and immediately bounce back to the login form.\n return redirectWithStagedCookies(event, redirectTo);\n } catch (e) {\n // Local-dev only — log to console for debugging, but don't surface\n // through Sentry. 
Falling back to the regular login form is the\n // correct user-facing behavior when this path fails.\n console.warn(\"[agent-native] auto dev account skipped:\", e);\n return null;\n }\n}\n\n/**\n * Map a Better Auth session to our AuthSession type.\n */\nfunction mapBetterAuthSession(baSession: {\n user: { id: string; email: string; name?: string; image?: string | null };\n session: { token: string };\n}): AuthSession {\n return {\n email: baSession.user.email,\n userId: baSession.user.id,\n name: baSession.user.name,\n ...(baSession.user.image ? { image: baSession.user.image } : {}),\n token: baSession.session?.token,\n };\n}\n\n/**\n * Backfill `orgId` onto a resolved session using the canonical\n * `resolveOrgIdForEmail` (org_members + active-org-id user setting), so\n * every consumer of `session.orgId` agrees with `getOrgContext` on which\n * org is active.\n *\n */\nasync function backfillSessionOrg(session: AuthSession): Promise<AuthSession> {\n if (session.orgId) return session;\n const { resolveOrgIdForEmail } = await import(\"../org/context.js\");\n const orgId = await resolveOrgIdForEmail(session.email).catch(() => null);\n return orgId ? { ...session, orgId } : session;\n}\n\n/**\n * Get the current auth session for a request.\n *\n * Resolution chain:\n * 1. ACCESS_TOKEN → check legacy cookie-based token sessions\n * 2. Embed session → short-lived token minted by /_agent-native/embed/start\n * 3. BYOA custom getSession → delegate to template callback\n * 4. Bearer legacy session → check Authorization: Bearer against sessions\n * 5. Better Auth → check session via Better Auth API (cookie or Bearer)\n * 6. Legacy cookie → check an_session cookie in legacy sessions table\n * 7. Desktop SSO broker (Electron loopback only)\n * 8. Mobile _session query param → promote to cookie\n *\n * Returns `null` for unauthenticated requests. There is no dev-mode bypass:\n * local development uses the same Better Auth signup flow as production. 
The\n * onboarding/sign-in page is served by `runAuthGuard` for any unauthenticated\n * page load.\n */\nexport async function getSession(event: H3Event): Promise<AuthSession | null> {\n // Per-request memoization. The wider codebase calls `getSession` many\n // times per request (auth guard, action wrapper, route handler, plus the\n // org-backfill query inside `backfillSessionOrg`). Cache the resolved\n // session on `event.context` so the chain runs once per request.\n const ctx = event.context as {\n __anSessionCache?: Promise<AuthSession | null>;\n };\n return (ctx.__anSessionCache ??= (async () => {\n const session = await resolveSessionUncached(event);\n return session?.email ? backfillSessionOrg(session) : session;\n })());\n}\n\nasync function resolveSessionUncached(\n event: H3Event,\n): Promise<AuthSession | null> {\n // 1. MCP App embed session. This is a short-lived browser session minted\n // from a one-time ticket that was scoped to the authenticated MCP caller.\n // It lets an inline MCP App iframe load the real app without reusing the\n // MCP bearer token as a browser cookie. Resolve it FIRST: the token is\n // HMAC-verified and carries its own identity + org scope, and is the most\n // specific intent for an embed request. Checking it before the legacy\n // an_session cookie prevents a stale cookie (common when an ACCESS_TOKEN is\n // configured) from shadowing the embed identity.\n const embedSession = await resolveEmbedSessionFromRequest(event);\n if (embedSession) {\n return {\n email: embedSession.email,\n token: embedSession.token,\n ...(embedSession.orgId ? { orgId: embedSession.orgId } : {}),\n };\n }\n\n // 2. ACCESS_TOKEN check (programmatic/agent access)\n const accessTokens = getAccessTokens();\n if (accessTokens.length > 0) {\n const cookieSession = await getLegacyCookieSession(event);\n if (cookieSession) return cookieSession;\n }\n\n // 3. 
BYOA custom getSession\n if (customGetSession) {\n const session = await customGetSession(event);\n if (session) return session;\n\n const bearerSession = await getBearerSession(event);\n if (bearerSession) return bearerSession;\n\n // Desktop SSO broker: even with BYOA auth, fall back to the broker\n // for Electron requests so cross-template SSO works for custom-auth\n // templates too. Gated on `readDesktopSsoSafely` so a non-loopback\n // request that spoofs `User-Agent: ... Electron/...` cannot read the\n // home-dir broker file (and so production builds never consult it).\n const sso = await readDesktopSsoSafely(event);\n if (sso?.email) return { email: sso.email, token: sso.token };\n // Fall through to mobile _session check\n } else {\n // 4. Bearer session. Desktop/native clients can persist a legacy session\n // token outside the WebView cookie jar and attach it to all app requests.\n // `agent-native connect` clients may present a connect-minted MCP OAuth\n // token, but only the framework action route accepts that fallback.\n const bearerSession = await getBearerSession(event);\n if (bearerSession) return bearerSession;\n\n // 5. Better Auth session (cookie or Bearer token)\n try {\n const ba = getBetterAuthSync();\n if (ba) {\n const baSession = await ba.api.getSession({\n headers: event.headers,\n });\n if (baSession?.user?.email) {\n return mapBetterAuthSession(baSession);\n }\n }\n } catch (e) {\n console.error(\"[auth] ba.api.getSession error:\", e);\n }\n\n // 6. Legacy cookie fallback (for sessions created before migration)\n const cookieSession = await getLegacyCookieSession(event);\n if (cookieSession) return cookieSession;\n\n // 7. 
Desktop SSO broker fallback.\n // Each template in the Electron desktop app has its own database, so\n // a session token created by one template doesn't resolve in another.\n // When an Electron request has no resolvable session, trust the\n // home-dir SSO record written by whichever template the user signed\n // into. Gated on `readDesktopSsoSafely`: requires Electron User-Agent,\n // a loopback (127.0.0.1 / ::1) source IP, and a non-production NODE_ENV\n // — anything else is rejected so a hostile network request cannot\n // impersonate whichever email last signed into the desktop app.\n const sso = await readDesktopSsoSafely(event);\n if (sso?.email) {\n return { email: sso.email, token: sso.token };\n }\n }\n\n // 8. Mobile WebView bridge — _session query param\n const querySession = await promoteQuerySession(event);\n if (querySession) return querySession;\n\n // 9. AUTH_DISABLED fallback — only when no session resolved above.\n // Must run after BYOA customGetSession so infrastructure/custom auth keeps\n // caller identity instead of collapsing to the shared preview user.\n const authDisabledSession = getAuthDisabledSession();\n if (authDisabledSession) return authDisabledSession;\n\n return null;\n}\n\nasync function promoteQuerySession(\n event: H3Event,\n): Promise<AuthSession | null> {\n const qToken = getQuery(event)?._session as string | undefined;\n if (!qToken) return null;\n const email = await getSessionEmail(qToken);\n if (!email) return null;\n setFrameworkSessionCookie(event, qToken);\n setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n return { email, token: qToken };\n}\n\nfunction isReadMethod(event: H3Event): boolean {\n const method = getMethod(event);\n return method === \"GET\" || method === \"HEAD\";\n}\n\n/**\n * Cookie attributes that work in both same-site and third-party iframe\n * contexts. 
Over HTTPS we emit `SameSite=None; Secure; Partitioned` —\n * `None`+`Secure` is required by browsers to ship the cookie back inside a\n * cross-origin iframe at all; `Partitioned` keeps the cookie working under\n * Chrome's third-party-cookie deprecation by binding it to the embedding\n * site's storage partition. (Better Auth already sets the same trio on its\n * own session cookie; this matches so the framework's legacy cookie —\n * which the Builder OAuth popup exchange writes via\n * `setFrameworkSessionCookie` — survives iframe contexts too.) Plain-HTTP\n * dev keeps the default `SameSite=Lax`; `None` requires Secure, and\n * `Partitioned` only takes effect alongside `Secure`.\n */\nfunction crossSiteCookieAttrs(event: H3Event): {\n sameSite: \"lax\" | \"none\";\n secure: boolean;\n partitioned?: boolean;\n} {\n return isHttpsRequest(event)\n ? { sameSite: \"none\", secure: true, partitioned: true }\n : { sameSite: \"lax\", secure: false };\n}\n\nexport function setFrameworkSessionCookie(event: H3Event, token: string): void {\n clearFrameworkSessionCookies(event);\n setCookie(event, COOKIE_NAME, token, {\n httpOnly: true,\n ...crossSiteCookieAttrs(event),\n ...cookieDomainAttrs(),\n path: \"/\",\n maxAge: sessionMaxAge,\n });\n}\n\n/**\n * Build a redirect `Response` that carries whatever `Set-Cookie` headers were\n * just staged on the event (e.g. by `setFrameworkSessionCookie`).\n *\n * h3 v2's `setCookie` appends the cookie onto `event.res.headers`. When a\n * handler returns a plain object/string, h3's `prepareResponse` merges those\n * staged headers into the synthesized response, so the cookie survives. But\n * when a handler returns a web `Response`, `prepareResponse` only merges the\n * staged headers if the Response is 2xx — its `!val.ok` early-return hands a\n * non-2xx Response (like a 302) straight back WITHOUT merging. 
A bare\n * `new Response(\"\", { status: 302, headers: { Location } })` therefore 302s\n * the browser with no session cookie, so the zero-setup dev auto-sign-in\n * bounces straight back to the login form.\n *\n * Mirroring the staged cookies onto the redirect Response's own headers makes\n * them part of the Response that's returned as-is, so the 302 actually\n * carries the session cookie. (`event.res.headers` is also left intact for\n * any non-Response continuation path; h3 only skips the merge for the\n * Response branch, so there's no double-emit.)\n */\nfunction redirectWithStagedCookies(\n event: H3Event,\n location: string,\n status = 302,\n): Response {\n const headers = new Headers({ Location: location });\n const staged = event.res?.headers?.getSetCookie?.() ?? [];\n for (const cookie of staged) headers.append(\"set-cookie\", cookie);\n return new Response(\"\", { status, headers });\n}\n\nfunction isHttpsRequest(event: H3Event): boolean {\n try {\n const xfProto = getHeader(event, \"x-forwarded-proto\");\n if (xfProto && String(xfProto).split(\",\")[0].trim() === \"https\") {\n return true;\n }\n const req: any = (event as any).req ?? 
event.node?.req;\n const url: string | undefined = req?.url;\n if (typeof url === \"string\" && url.startsWith(\"https://\")) return true;\n const appUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL || \"\";\n if (appUrl.startsWith(\"https://\")) return true;\n } catch {\n // ignore\n }\n return false;\n}\n\n// ---------------------------------------------------------------------------\n// Public path matching\n// ---------------------------------------------------------------------------\n\nfunction isPublicPath(url: string, publicPaths: string[]): boolean {\n const p = url.split(\"?\")[0];\n return matchesPathList(p, publicPaths);\n}\n\nfunction matchesPathList(path: string, paths: string[]): boolean {\n return paths.some((candidate) => {\n const normalized =\n candidate.length > 1 && candidate.endsWith(\"/\")\n ? candidate.slice(0, -1)\n : candidate;\n return path === normalized || path.startsWith(normalized + \"/\");\n });\n}\n\nfunction isPublicWorkspacePageRequest(\n event: H3Event,\n path: string,\n config: AuthGuardConfig,\n): boolean {\n if (!isReadMethod(event)) return false;\n if (\n path === \"/_agent-native\" ||\n path.startsWith(\"/_agent-native/\") ||\n path === \"/api\" ||\n path.startsWith(\"/api/\") ||\n path === \"/.well-known\" ||\n path.startsWith(\"/.well-known/\")\n ) {\n return false;\n }\n if (matchesPathList(path, config.workspaceAppProtectedPaths)) return false;\n if (matchesPathList(path, config.workspaceAppPublicPaths)) return true;\n return config.workspaceAppAudience === \"public\";\n}\n\nfunction stripAppBasePath(pathname: string): string {\n const basePath = getAppBasePath();\n if (!basePath) return pathname;\n if (pathname === basePath) return \"/\";\n if (pathname.startsWith(`${basePath}/`)) {\n return pathname.slice(basePath.length) || \"/\";\n }\n return pathname;\n}\n\n// ---------------------------------------------------------------------------\n// Fallback login page HTML (custom auth with no login page 
configured)\n// ---------------------------------------------------------------------------\n\nfunction getCustomAuthRequiredHtml(): string {\n return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\">\n<title>Authentication required</title>\n<style>\n *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }\n :root {\n color-scheme: dark;\n --bg: #09090b;\n --panel: #141417;\n --panel-soft: #1b1b20;\n --border: rgba(255,255,255,0.1);\n --border-strong: rgba(255,255,255,0.18);\n --text: #f4f4f5;\n --muted: #a1a1aa;\n --subtle: #71717a;\n }\n body {\n font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", sans-serif;\n background: linear-gradient(180deg, #111114 0%, var(--bg) 58%);\n color: var(--text);\n display: flex;\n align-items: center;\n justify-content: center;\n min-height: 100vh;\n padding: 1rem;\n }\n .card {\n width: 100%;\n max-width: 420px;\n padding: 2rem;\n background: color-mix(in srgb, var(--panel) 94%, transparent);\n border: 1px solid var(--border);\n border-radius: 12px;\n box-shadow: 0 24px 80px rgba(0,0,0,0.35);\n }\n .eyebrow {\n display: inline-flex;\n align-items: center;\n min-height: 1.5rem;\n padding: 0 0.625rem;\n margin-bottom: 1rem;\n border: 1px solid var(--border);\n border-radius: 999px;\n color: var(--muted);\n background: rgba(255,255,255,0.04);\n font-size: 0.75rem;\n font-weight: 500;\n }\n h1 {\n font-size: 1.375rem;\n line-height: 1.2;\n font-weight: 650;\n margin-bottom: 0.5rem;\n color: var(--text);\n letter-spacing: 0;\n }\n .intro {\n margin-bottom: 1.5rem;\n color: var(--muted);\n font-size: 0.9375rem;\n line-height: 1.55;\n }\n .hint {\n margin-top: 1rem;\n color: var(--subtle);\n font-size: 0.8125rem;\n line-height: 1.45;\n }\n @media (max-width: 480px) {\n .card { padding: 1.5rem; }\n h1 { font-size: 1.25rem; }\n }\n</style>\n</head>\n<body>\n<div class=\"card\">\n 
<div class=\"eyebrow\">Authentication required</div>\n <h1>Sign in is not configured</h1>\n <p class=\"intro\">This route requires an authenticated session, but this app's custom auth plugin did not provide a sign-in page.</p>\n <p class=\"hint\">If this route should be public, add it to the auth plugin's public route configuration. Otherwise configure a custom sign-in page for this app.</p>\n</div>\n</body>\n</html>`;\n}\n\n// ---------------------------------------------------------------------------\n// mountBetterAuthRoutes — Better Auth powered auth with backward-compat routes\n// ---------------------------------------------------------------------------\n\nasync function mountBetterAuthRoutes(\n app: H3App,\n options: AuthOptions,\n): Promise<void> {\n const publicPaths = [...(options.publicPaths ?? [])];\n const workspaceAppAudience = resolveWorkspaceAppAudience(options);\n const workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess(options);\n\n // The A2A agent card is part of an open protocol — other agents must be\n // able to discover it without auth. Same for favicons and similar probes.\n for (const pp of [\"/.well-known\", \"/favicon.ico\", \"/favicon.png\"]) {\n if (!publicPaths.includes(pp)) publicPaths.push(pp);\n }\n\n // Auto-add Google OAuth routes when credentials are configured. 
Templates\n // that need broader product scopes (mail/calendar) opt out and provide\n // their own Nitro routes at these paths.\n if (\n process.env.GOOGLE_CLIENT_ID &&\n process.env.GOOGLE_CLIENT_SECRET &&\n options.mountGoogleOAuthRoutes !== false\n ) {\n setGenericGoogleOAuthRoutesEnabled(app, true);\n for (const gp of [\n \"/_agent-native/google/callback\",\n \"/_agent-native/google/auth-url\",\n ]) {\n if (!publicPaths.includes(gp)) publicPaths.push(gp);\n }\n\n const googleScopes = [\n \"openid\",\n \"https://www.googleapis.com/auth/userinfo.email\",\n \"https://www.googleapis.com/auth/userinfo.profile\",\n ].join(\" \");\n\n app.use(\n \"/_agent-native/google/auth-url\",\n defineEventHandler((event) => {\n if (!areGenericGoogleOAuthRoutesEnabled(app)) return undefined;\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n // Validate the user-supplied `redirect_uri` against the framework's\n // server-side allowlist (must be same-origin and under\n // `/_agent-native/...`). Reject anything else so an attacker can't\n // smuggle a different already-registered redirect URI past Google's\n // host-prefix matching. See HIGH-1 in 09-oauth-session.md.\n const redirectUri = resolveOAuthRedirectUri(event);\n if (redirectUri === null) {\n setResponseStatus(event, 400);\n return { error: \"Invalid redirect_uri\" };\n }\n const q = getQuery(event);\n const desktop =\n isElectronRequest(event) || q.desktop === \"1\" || q.desktop === \"true\";\n const flowId = desktop ? (q.flow_id as string) || undefined : undefined;\n // Validate the caller's return param up front and only embed it\n // into the OAuth state when it normalises to a non-root path —\n // skip embedding \"/\" (the default fallback) so the state stays\n // small for the common case.\n const returnQuery = q.return;\n const validated =\n typeof returnQuery === \"string\"\n ? 
safeOAuthReturnUrl(returnQuery, {\n allowDefaultLoopback: isBuilderOAuthRequest(event),\n allowedOrigins: [builderPreviewReturnOrigin(event)],\n })\n : \"/\";\n const returnUrl = validated !== \"/\" ? validated : undefined;\n const state = encodeOAuthState({\n redirectUri,\n desktop,\n addAccount: false,\n app: getOAuthStateAppId(),\n returnUrl,\n flowId,\n });\n logGoogleOAuthDebug(event, \"auth-url\", {\n flowId,\n desktop,\n redirectPath: oauthDebugUrlPath(redirectUri),\n returnUrl,\n redirect: q.redirect === \"1\",\n workspace:\n process.env.AGENT_NATIVE_WORKSPACE === \"1\" ||\n process.env.VITE_AGENT_NATIVE_WORKSPACE === \"1\",\n });\n const params = new URLSearchParams({\n client_id: process.env.GOOGLE_CLIENT_ID!,\n redirect_uri: redirectUri,\n response_type: \"code\",\n scope: googleScopes,\n access_type: \"online\",\n prompt: \"select_account\",\n state,\n });\n const authUrl = `https://accounts.google.com/o/oauth2/v2/auth?${params}`;\n if (q.redirect === \"1\") {\n // Return a native web Response — NOT h3 v2's `sendRedirect`. Under\n // h3 `2.0.1-rc.20`, `sendRedirect = (_, loc, code) => redirect(...)`\n // ignores the event and returns a non-standard `HTTPResponse` class\n // instance; the framework request-handler shim doesn't unwrap it and\n // String()-coerces it to the literal text \"[object Object]\" with a\n // 200 status (no Location header), which broke the popup-based\n // Google sign-in in production. 
Web `Response` is the proven idiom\n // here — `oauthCallbackResponse`/`oauthErrorPage` use it and work.\n return new Response(null, {\n status: 302,\n headers: { Location: authUrl },\n });\n }\n return { url: authUrl };\n }),\n );\n\n app.use(\n \"/_agent-native/google/callback\",\n defineEventHandler(async (event) => {\n if (!areGenericGoogleOAuthRoutesEnabled(app)) return undefined;\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const callbackRelay = workspaceOAuthCallbackRelayResponse(event);\n if (callbackRelay) return callbackRelay;\n let callbackFlowId: string | undefined;\n let callbackDesktop = false;\n try {\n const query = getQuery(event);\n const code = query.code as string;\n const { redirectUri, desktop, returnUrl, flowId } = decodeOAuthState(\n query.state as string | undefined,\n getAppUrl(event, \"/_agent-native/google/callback\"),\n );\n callbackFlowId = flowId;\n callbackDesktop = desktop ?? false;\n logGoogleOAuthDebug(event, \"callback-start\", {\n flowId,\n desktop,\n redirectPath: oauthDebugUrlPath(redirectUri),\n hasCode: !!code,\n returnUrl,\n });\n if (!code) {\n const providerError =\n typeof query.error === \"string\" && query.error\n ? query.error\n : undefined;\n const providerDescription =\n typeof query.error_description === \"string\" &&\n query.error_description\n ? 
query.error_description\n : undefined;\n const msg =\n providerDescription ||\n providerError ||\n \"Missing authorization code\";\n if (flowId) {\n setDesktopExchangeError(flowId, {\n message: `Google sign-in failed: ${msg}`,\n code: providerError || \"missing_authorization_code\",\n });\n }\n logGoogleOAuthDebug(event, \"callback-error\", {\n flowId,\n desktop,\n message: msg,\n code: providerError,\n });\n return oauthErrorPage(`Connection failed: ${msg}`);\n }\n // Defence in depth: the state is HMAC-signed, but if the signing\n // key ever leaked an attacker could mint state with their own\n // redirect_uri. Re-validate against the same allowlist used at\n // auth-url time so the token exchange is always sent to a URI we\n // own.\n if (!isAllowedOAuthRedirectUri(redirectUri, event)) {\n const msg =\n \"Invalid Google OAuth redirect URI in state. Restart sign-in from this app.\";\n if (flowId) {\n setDesktopExchangeError(flowId, {\n message: msg,\n code: \"invalid_redirect_uri\",\n });\n }\n logGoogleOAuthDebug(event, \"callback-error\", {\n flowId,\n desktop,\n message: msg,\n });\n return oauthErrorPage(`Connection failed: ${msg}`);\n }\n\n const tokenRes = await fetch(\"https://oauth2.googleapis.com/token\", {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body: new URLSearchParams({\n code,\n client_id: process.env.GOOGLE_CLIENT_ID!,\n client_secret: process.env.GOOGLE_CLIENT_SECRET!,\n redirect_uri: redirectUri,\n grant_type: \"authorization_code\",\n }),\n });\n const tokens = await tokenRes.json();\n if (!tokenRes.ok) {\n throw new Error(\n tokens.error_description ||\n tokens.error ||\n \"Token exchange failed\",\n );\n }\n\n const userRes = await fetch(\n \"https://www.googleapis.com/oauth2/v2/userinfo\",\n { headers: { Authorization: `Bearer ${tokens.access_token}` } },\n );\n const user = await userRes.json();\n const email = user.email as string;\n if (!email) throw new Error(\"Could not get email 
from Google\");\n // Reject unverified Google addresses. Google returns\n // `verified_email: false` for accounts where ownership of the\n // address hasn't been proven (rare on consumer accounts but\n // reachable on Workspace tenants that allow it). Without this\n // check, an attacker could sign up as `victim@example.com` on\n // Google without controlling the inbox and take over a local\n // password account that already exists at that address (Better\n // Auth's accountLinking auto-merges trusted-provider sign-ins).\n if (user.verified_email !== true) {\n throw new Error(\n \"Google account email is not verified. Please verify your email with Google and try again.\",\n );\n }\n if (typeof user.picture === \"string\" && user.picture.trim()) {\n await putSetting(`avatar:${email}`, {\n image: user.picture,\n }).catch((error) => {\n console.warn(\n \"[auth] failed to store Google profile image:\",\n error,\n );\n });\n }\n\n const { sessionToken } = await createOAuthSession(event, email, {\n hasProductionSession: false,\n desktop,\n });\n logGoogleOAuthDebug(event, \"callback-session-created\", {\n flowId,\n desktop,\n hasSessionToken: !!sessionToken,\n emailDomain: email.split(\"@\")[1] || \"\",\n });\n\n if (flowId && sessionToken) {\n _desktopExchanges.set(flowId, {\n token: sessionToken,\n email,\n expiresAt: Date.now() + DESKTOP_EXCHANGE_TTL_MS,\n });\n // Also persist to DB for cross-instance durability (Cloudflare\n // Workers, multi-region). 
Fire-and-forget — in-memory Map is\n // still the primary fast path for same-instance requests.\n void persistDesktopExchangeToDB(flowId, sessionToken, email);\n logGoogleOAuthDebug(event, \"callback-exchange-stored\", {\n flowId,\n desktop,\n });\n }\n\n return oauthCallbackResponse(event, email, {\n sessionToken,\n desktop,\n returnUrl,\n flowId,\n });\n } catch (error: any) {\n const msg = error.message || \"Unknown error\";\n if (callbackFlowId) {\n setDesktopExchangeError(callbackFlowId, {\n message: `Google sign-in failed: ${msg}`,\n code: \"callback_error\",\n });\n }\n logGoogleOAuthDebug(event, \"callback-error\", {\n flowId: callbackFlowId,\n desktop: callbackDesktop,\n message: msg,\n });\n return oauthErrorPage(`Connection failed: ${msg}`);\n }\n }),\n );\n }\n\n // Desktop OAuth exchange — native apps (Tauri tray, Electron) open OAuth\n // in the system browser but need a way to retrieve the session token\n // afterwards since they don't share a cookie jar with the browser.\n app.use(\n \"/_agent-native/auth/desktop-exchange\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"GET\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const query = getQuery(event);\n const flowId = query.flow_id as string | undefined;\n if (!flowId) {\n setResponseStatus(event, 400);\n return { error: \"Missing flow_id\" };\n }\n let entry = _desktopExchanges.get(flowId);\n if (!entry || entry.expiresAt < Date.now()) {\n // In-memory miss — fall back to the DB-persisted entry. This handles\n // cross-instance routing (Cloudflare Workers, multi-region) where the\n // OAuth callback and the polling request may hit different isolates.\n const fromDb = await consumeDesktopExchangeFromDB(flowId);\n if (!fromDb) {\n // Don't log on the pending path — clients poll every second for up\n // to 5 minutes, so logging here floods telemetry. 
The auth-url,\n // callback-start, callback-session-created, exchange-success, and\n // exchange-error breadcrumbs already cover every meaningful state\n // transition.\n return { pending: true, flow: oauthDebugFlowId(flowId) };\n }\n entry =\n \"error\" in fromDb\n ? { error: fromDb.error, expiresAt: Date.now() + 1 }\n : {\n token: fromDb.token,\n email: fromDb.email,\n expiresAt: Date.now() + 1,\n };\n }\n _desktopExchanges.delete(flowId);\n // Also wipe the DB-persisted entry so it cannot be replayed via the\n // DB fallback path after in-memory consumption. Best-effort: a dropped\n // Neon WebSocket rejects with a raw ErrorEvent, and a floating\n // rejection here surfaces as an unhandled promise rejection.\n removeSession(`dex:${flowId}`).catch((err) => {\n console.warn(\n \"[auth] desktop-exchange DB cleanup failed:\",\n describeDbError(err),\n );\n });\n if (\"error\" in entry) {\n logGoogleOAuthDebug(event, \"exchange-error\", {\n flowId,\n message: entry.error.message,\n code: entry.error.code,\n });\n return { error: entry.error.message, ...entry.error };\n }\n // Make the exchange itself establish the app session. Older clients\n // still make a follow-up /auth/session?_session=... request, but the\n // OAuth handoff should not depend on that second request succeeding.\n setFrameworkSessionCookie(event, entry.token);\n setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n logGoogleOAuthDebug(event, \"exchange-success\", {\n flowId,\n emailDomain: entry.email.split(\"@\")[1] || \"\",\n });\n return { token: entry.token, email: entry.email };\n }),\n );\n\n // Initialize Better Auth. Forward `googleScopes` into the BetterAuthConfig\n // so the social provider requests the broader product scopes (Gmail,\n // Calendar, etc.) up front during the primary sign-in — eliminating the\n // need for a separate \"Connect Google\" page.\n const betterAuthConfig: BetterAuthConfig = {\n ...(options.betterAuth ?? {}),\n ...(options.googleScopes ? 
{ googleScopes: options.googleScopes } : {}),\n };\n const auth = await getBetterAuth(betterAuthConfig);\n\n // Mount Better Auth catch-all handler at /_agent-native/auth/ba/*\n app.use(\n \"/_agent-native/auth/ba\",\n defineEventHandler(async (event) => {\n const reqPath = event.url?.pathname ?? event.path ?? \"\";\n const isResetPassword =\n reqPath.includes(\"reset-password\") && getMethod(event) === \"POST\";\n const isSendVerificationEmail =\n reqPath.includes(\"send-verification-email\") &&\n getMethod(event) === \"POST\";\n const authRequest = toWebRequest(event);\n let requestForAuth = authRequest;\n\n // Pre-read the body for reset-password so we can auto-verify the\n // user's email after they save the new password. CRUCIAL: clone\n // the Request first — h3 v2 `event.req` is the live web Request,\n // and `.text()`/`.json()` consume the stream. The same `event.req`\n // is handed to Better Auth below; without the clone, Better Auth\n // sees an empty body, fails Zod validation, and returns 400 —\n // which the reset page renders as \"the link may have expired\".\n let resetToken: string | undefined;\n let resetUserId: string | undefined;\n if (isResetPassword) {\n try {\n const cloned = authRequest.clone();\n const body = (await cloned.json().catch(() => undefined)) as\n | { token?: string }\n | undefined;\n resetToken = body?.token;\n } catch {\n // ignore — Better Auth will handle validation\n }\n // Look up userId BEFORE calling auth.handler — Better Auth deletes\n // the verification row as part of the reset, so by the time the\n // handler returns 200 the row is gone and we can't recover the user.\n if (resetToken) {\n try {\n const { getDbExec } = await import(\"../db/client.js\");\n const db = getDbExec();\n const rows = await db.execute({\n sql: \"SELECT value FROM verification WHERE identifier = ?\",\n args: [`reset-password:${resetToken}`],\n });\n resetUserId = rows.rows[0]?.value as string | undefined;\n } catch {\n // Best-effort — if we 
can't read the verification row we just\n // skip auto-verify; the user can verify normally.\n }\n }\n }\n\n // The signup wrapper sanitizes callbackURL before calling Better Auth,\n // but the resend endpoint is exposed directly so users can request a\n // fresh link while unauthenticated. Keep that path equally strict:\n // only same-origin relative return paths survive into the email.\n if (isSendVerificationEmail) {\n try {\n const body = (await authRequest\n .clone()\n .json()\n .catch(() => undefined)) as Record<string, unknown> | undefined;\n if (body && typeof body.callbackURL === \"string\") {\n const callbackURL = safeReturnPath(body.callbackURL);\n if (callbackURL !== body.callbackURL) {\n const headers = new Headers(authRequest.headers);\n headers.delete(\"content-length\");\n headers.set(\"content-type\", \"application/json\");\n requestForAuth = new Request(authRequest.url, {\n method: authRequest.method,\n headers,\n body: JSON.stringify({ ...body, callbackURL }),\n duplex: \"half\",\n } as RequestInit & { duplex: \"half\" });\n }\n }\n } catch {\n // Let Better Auth handle malformed bodies and return its normal\n // validation error.\n }\n }\n\n const response = await auth.handler(requestForAuth);\n const isResponse =\n response != null &&\n typeof (response as any).status === \"number\" &&\n typeof (response as any).headers?.get === \"function\";\n\n // After email verification, add ?verified=1 to the redirect so the\n // login page can show \"Email verified!\". MUTATE the response in\n // place — `new Response(null, { headers: new Headers(response.headers) })`\n // collapses multiple Set-Cookie headers into one comma-joined value,\n // which browsers reject. 
With `autoSignInAfterVerification: true`\n // Better Auth emits 2–3 Set-Cookie headers (session token + cookie\n // cache + dontRememberToken); losing them strands the user on the\n // login page even though verification succeeded.\n if (\n reqPath.includes(\"verify-email\") &&\n isResponse &&\n (response as Response).status >= 300 &&\n (response as Response).status < 400\n ) {\n const loc = response.headers.get(\"location\");\n if (loc && !/[?&]verified=/.test(loc)) {\n const sep = loc.includes(\"?\") ? \"&\" : \"?\";\n response.headers.set(\"location\", loc + sep + \"verified=1\");\n }\n }\n\n // Auto-verify email after a successful password reset. The user\n // proved email ownership by receiving and using the reset link, so\n // we don't want them stuck behind `requireEmailVerification` after\n // resetting — that's the exact escape hatch they just used.\n if (\n isResetPassword &&\n resetUserId &&\n isResponse &&\n (response as Response).status >= 200 &&\n (response as Response).status < 300\n ) {\n try {\n const { getDbExec } = await import(\"../db/client.js\");\n const db = getDbExec();\n // Use boolean literals for cross-dialect portability: Postgres\n // stores `email_verified` as BOOLEAN and rejects integer 1/0,\n // SQLite accepts TRUE/FALSE as aliases for 1/0 (since 3.23).\n // Quote `\"user\"` because it's a reserved keyword in Postgres.\n await db.execute({\n sql: 'UPDATE \"user\" SET email_verified = TRUE WHERE id = ? AND (email_verified = FALSE OR email_verified IS NULL)',\n args: [resetUserId],\n });\n\n // Revoke every existing session for this user so a stolen\n // cookie doesn't outlive the password it was paired with. 
We\n // do this AFTER Better Auth's response has been generated so\n // the freshly-minted post-reset session (if any) is captured\n // by the response's Set-Cookie header — but `auth.handler` for\n // reset-password does not auto-sign-in by default, so the\n // common path is \"wipe everything; user signs in with new\n // password.\" The legacy `sessions` table is also wiped by\n // joining through the `user.email` column.\n //\n // Skip the freshly-minted Better Auth session id when present\n // (auto-sign-in plugins / future config). Reading it from the\n // response avoids racing against Better Auth's own writes.\n const newSessionToken = extractSessionTokenFromSetCookies(\n response as Response,\n );\n\n // 1. Better Auth `session` table — keyed by user_id.\n if (newSessionToken) {\n await db.execute({\n sql: 'DELETE FROM \"session\" WHERE user_id = ? AND token <> ?',\n args: [resetUserId, newSessionToken],\n });\n } else {\n await db.execute({\n sql: 'DELETE FROM \"session\" WHERE user_id = ?',\n args: [resetUserId],\n });\n }\n\n // 2. Legacy `sessions` table — keyed by `email` column. The\n // reset-password verification row holds the user's id, not\n // their email, so we look up the email first. Best-effort —\n // skip silently if the lookup fails so the response still ships.\n try {\n const { rows } = await db.execute({\n sql: 'SELECT email FROM \"user\" WHERE id = ?',\n args: [resetUserId],\n });\n const userEmail = (rows[0]?.email ?? rows[0]?.[0]) as\n | string\n | undefined;\n if (userEmail) {\n if (newSessionToken) {\n await db.execute({\n sql: \"DELETE FROM sessions WHERE email = ? 
AND token <> ?\",\n args: [userEmail, newSessionToken],\n });\n } else {\n await db.execute({\n sql: \"DELETE FROM sessions WHERE email = ?\",\n args: [userEmail],\n });\n }\n }\n } catch {\n // Best-effort — don't block the response\n }\n } catch {\n // Best-effort — don't block the response\n }\n }\n\n return response;\n }),\n );\n\n // Backward-compat: POST /_agent-native/auth/login\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n\n // Email/password login via Better Auth\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n\n if (!email || !password) {\n setResponseStatus(event, 400);\n return { error: \"Email and password are required\" };\n }\n\n try {\n const result = await auth.api.signInEmail({\n body: { email, password },\n });\n if (result?.token) {\n setFrameworkSessionCookie(event, result.token);\n await addSession(result.token, email);\n if (isElectronRequest(event)) {\n await writeDesktopSso({\n email,\n token: result.token,\n expiresAt: Date.now() + sessionMaxAge * 1000,\n });\n }\n return authLoginResponse(event, result.token, email);\n }\n // signInEmail succeeded but returned no token — typically means the\n // email isn't verified yet. Don't return { ok: true } without a\n // session or the frontend will reload into a dead end.\n setResponseStatus(event, 403);\n return {\n error:\n \"Email not verified. 
Check your inbox for a verification link.\",\n };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"login\", email });\n }\n setResponseStatus(event, 401);\n return { error: e?.message || \"Invalid email or password\" };\n }\n }),\n );\n\n // Backward-compat: POST /_agent-native/auth/register\n app.use(\n \"/_agent-native/auth/register\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n const callbackURL =\n typeof body?.callbackURL === \"string\"\n ? safeReturnPath(body.callbackURL)\n : \"/\";\n\n if (!email || typeof email !== \"string\" || !email.includes(\"@\")) {\n setResponseStatus(event, 400);\n return { error: \"Valid email is required\" };\n }\n if (!password || typeof password !== \"string\" || password.length < 8) {\n setResponseStatus(event, 400);\n return { error: \"Password must be at least 8 characters\" };\n }\n\n try {\n await auth.api.signUpEmail({\n body: { email, password, name: email.split(\"@\")[0], callbackURL },\n });\n return { ok: true };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"signup\", email });\n }\n setResponseStatus(event, 409);\n return { error: e?.message || \"Registration failed\" };\n }\n }),\n );\n\n // Backward-compat: POST /_agent-native/auth/logout\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n\n try {\n await auth.api.signOut({ headers: event.headers });\n } catch {\n // Ignore if no Better Auth session\n }\n\n if 
(isElectronRequest(event)) await clearDesktopSso();\n\n return { ok: true };\n }),\n );\n\n // POST /_agent-native/auth/logout-all — revoke every session row for\n // the authenticated user across both auth tables. Companion to the\n // password-reset session-revocation logic; lets a user sign out\n // everywhere from one device. Requires an authenticated session.\n app.use(\n \"/_agent-native/auth/logout-all\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n if (!session?.email) {\n setResponseStatus(event, 401);\n return { error: \"Not authenticated\" };\n }\n try {\n const db = getDbExec();\n // 1. Resolve user_id from email so we can wipe Better Auth sessions\n // by their FK column.\n let userId: string | undefined;\n try {\n const { rows } = await db.execute({\n sql: 'SELECT id FROM \"user\" WHERE email = ?',\n args: [session.email],\n });\n userId = (rows[0]?.id ?? rows[0]?.[0]) as string | undefined;\n } catch {\n // User table may not exist on token-only deployments — skip.\n }\n if (userId) {\n try {\n await db.execute({\n sql: 'DELETE FROM \"session\" WHERE user_id = ?',\n args: [userId],\n });\n } catch {\n // Best-effort.\n }\n }\n\n // 2. Legacy `sessions` table — keyed by `email` column.\n try {\n await db.execute({\n sql: \"DELETE FROM sessions WHERE email = ?\",\n args: [session.email],\n });\n } catch {\n // Best-effort.\n }\n\n // 3. 
Drop the current request's cookie and best-effort sign out\n // of Better Auth (so the response sets the proper expiry header).\n clearFrameworkSessionCookies(event);\n try {\n await auth.api.signOut({ headers: event.headers });\n } catch {\n // Ignore — sessions are already gone in DB.\n }\n\n if (isElectronRequest(event)) await clearDesktopSso();\n return { ok: true };\n } catch (e: any) {\n setResponseStatus(event, 500);\n return { error: e?.message || \"Failed to revoke sessions\" };\n }\n }),\n );\n\n // GET /_agent-native/auth/session\n app.use(\n \"/_agent-native/auth/session\",\n defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? { error: \"Not authenticated\" };\n }),\n );\n\n // GET /_agent-native/auth/reset — HTML page shown when a user clicks the\n // reset link in their email. Reads ?token=... and POSTs to Better Auth's\n // /reset-password endpoint on submit.\n app.use(\n \"/_agent-native/auth/reset\",\n defineEventHandler((event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n return new Response(getResetPasswordHtml(), {\n headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n });\n }),\n );\n\n // Auth guard — stored both in framework middleware registry AND in\n // _authGuardFn so the server middleware can enforce it on ALL routes.\n const loginHtmlConfig = getOnboardingLoginHtmlConfig(options);\n _authGuardConfig = {\n ...loginHtmlConfig,\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n _authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n}\n\n// ---------------------------------------------------------------------------\n// 
mountAuthFallbackRoutes — minimal auth endpoints when Better Auth init fails\n// ---------------------------------------------------------------------------\n\nfunction mountAuthFallbackRoutes(app: H3App): void {\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n\n if (!email || !password) {\n setResponseStatus(event, 400);\n return { error: \"Email and password are required\" };\n }\n\n try {\n const auth = await getBetterAuth();\n const result = await auth.api.signInEmail({\n body: { email, password },\n });\n if (result?.token) {\n setFrameworkSessionCookie(event, result.token);\n await addSession(result.token, email);\n if (isElectronRequest(event)) {\n await writeDesktopSso({\n email,\n token: result.token,\n expiresAt: Date.now() + sessionMaxAge * 1000,\n });\n }\n return authLoginResponse(event, result.token, email);\n }\n setResponseStatus(event, 403);\n return {\n error:\n \"Email not verified. 
Check your inbox for a verification link.\",\n };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"login\", email });\n }\n setResponseStatus(event, 401);\n return { error: e?.message || \"Invalid email or password\" };\n }\n }),\n );\n\n app.use(\n \"/_agent-native/auth/register\",\n defineEventHandler(async (event) => {\n if (getMethod(event) !== \"POST\") {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n\n const body = await readBody(event);\n const email = body?.email?.trim?.()?.toLowerCase?.();\n const password = body?.password;\n\n if (!email || typeof email !== \"string\" || !email.includes(\"@\")) {\n setResponseStatus(event, 400);\n return { error: \"Valid email is required\" };\n }\n if (!password || typeof password !== \"string\" || password.length < 8) {\n setResponseStatus(event, 400);\n return { error: \"Password must be at least 8 characters\" };\n }\n\n try {\n const auth = await getBetterAuth();\n await auth.api.signUpEmail({\n body: { email, password, name: email.split(\"@\")[0] },\n });\n return { ok: true };\n } catch (e: any) {\n if (!isExpectedAuthFailure(e)) {\n captureAuthError(e, { route: \"signup\", email });\n }\n setResponseStatus(event, 409);\n return { error: e?.message || \"Registration failed\" };\n }\n }),\n );\n\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n\n try {\n const auth = await getBetterAuth();\n await auth.api.signOut({ headers: event.headers });\n } catch {\n // Ignore if Better Auth is still unavailable\n }\n\n if (isElectronRequest(event)) await clearDesktopSso();\n\n return { ok: true };\n }),\n );\n\n app.use(\n \"/_agent-native/auth/session\",\n 
defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? { error: \"Not authenticated\" };\n }),\n );\n}\n\n// ---------------------------------------------------------------------------\n// autoMountAuth — the recommended entry point\n// ---------------------------------------------------------------------------\n\n/**\n * Automatically configure auth based on environment and configuration:\n *\n * - **BYOA (custom getSession)**: Template-provided auth callback handles everything.\n * - **Default**: Better Auth with email/password, social providers, organizations, and JWT.\n * Users see an onboarding page to create an account on first visit.\n *\n * Local development uses the same Better Auth flow as production. Email\n * verification is automatically skipped in dev/test environments and when\n * no email provider is configured (see `shouldSkipEmailVerification`), so a\n * fresh local clone only needs an email + password to get started.\n *\n * Returns true if auth was mounted, false if skipped.\n */\nexport async function autoMountAuth(\n app: H3App,\n options: AuthOptions = {},\n): Promise<boolean> {\n // If auth is already mounted on THIS app (e.g., default plugin ran before\n // custom plugin in the same server boot), don't re-mount routes — but DO\n // update the live config if custom options like googleOnly or loginHtml\n // were provided. 
createAuthGuardFn() reads from _authGuardConfig on every\n // request, so updating it here takes effect immediately.\n //\n // We gate on `_mountedApp === app` because module-level state survives\n // Vite HMR — without this check, an HMR-restarted Nitro instance (fresh\n // H3 app, empty middleware) would short-circuit here and end up with no\n // auth routes mounted at all.\n if (_authGuardFn && _mountedApp === app) {\n if (options.mountGoogleOAuthRoutes === false) {\n setGenericGoogleOAuthRoutesEnabled(app, false);\n }\n // A custom getSession always wins — even if the default auth plugin\n // mounted first (which happens in production where bootstrapDefaultPlugins\n // can't see the template's server/plugins/ dir and auto-mounts defaults).\n if (options.getSession) {\n customGetSession = options.getSession;\n }\n if (_authGuardConfig) {\n if (\n options.googleOnly ||\n options.loginHtml ||\n options.marketing ||\n options.googleSignInNotice\n ) {\n const loginHtmlConfig = getOnboardingLoginHtmlConfig(options);\n _authGuardConfig.loginHtml = loginHtmlConfig.loginHtml;\n _authGuardConfig.getLoginHtml = loginHtmlConfig.getLoginHtml;\n }\n if (options.publicPaths) {\n _authGuardConfig.publicPaths = [\n ...(_authGuardConfig.publicPaths ?? 
[]),\n ...options.publicPaths,\n ];\n }\n if (options.workspaceAppAudience) {\n _authGuardConfig.workspaceAppAudience =\n resolveWorkspaceAppAudience(options);\n }\n if (options.workspaceAppPublicPaths) {\n _authGuardConfig.workspaceAppPublicPaths =\n options.workspaceAppPublicPaths;\n }\n if (options.workspaceAppProtectedPaths) {\n _authGuardConfig.workspaceAppProtectedPaths =\n options.workspaceAppProtectedPaths;\n }\n }\n return true;\n }\n\n // Fresh app (first boot, or HMR created a new Nitro instance) — reset\n // the guard so the mount path below installs it on the new app.\n _authGuardFn = null;\n _authGuardConfig = null;\n _mountedApp = app;\n\n if (!app) {\n if (isDevEnvironment()) {\n customGetSession = null;\n return false;\n }\n throw new Error(\n \"autoMountAuth: H3 app is required. In Nitro plugins, pass nitroApp.h3App.\",\n );\n }\n\n // Reset globals\n customGetSession = null;\n sessionMaxAge = options.maxAge ?? DEFAULT_MAX_AGE;\n const publicPaths = options.publicPaths ?? [];\n const workspaceAppAudience = resolveWorkspaceAppAudience(options);\n const workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess(options);\n\n mountAuthCorsMiddleware(app);\n\n if (options.getSession) {\n customGetSession = options.getSession;\n }\n\n // BYOA — custom getSession provider\n if (customGetSession) {\n app.use(\n \"/_agent-native/auth/session\",\n defineEventHandler(async (event) => {\n if (!isReadMethod(event)) {\n setResponseStatus(event, 405);\n return { error: \"Method not allowed\" };\n }\n const session = await getSession(event);\n return session ?? 
{ error: \"Not authenticated\" };\n }),\n );\n app.use(\n \"/_agent-native/auth/login\",\n defineEventHandler(() => ({ ok: true })),\n );\n app.use(\n \"/_agent-native/auth/logout\",\n defineEventHandler(async (event) => {\n for (const cookie of getFrameworkSessionCookieValues(event)) {\n await removeSession(cookie);\n }\n const bearerToken = getBearerSessionToken(event);\n if (bearerToken) await removeSession(bearerToken);\n clearFrameworkSessionCookies(event);\n if (isElectronRequest(event)) await clearDesktopSso();\n return { ok: true };\n }),\n );\n\n const byoaLoginHtml = options.loginHtml ?? getCustomAuthRequiredHtml();\n _authGuardConfig = {\n loginHtml: byoaLoginHtml,\n ...(options.loginHtml\n ? {}\n : {\n getLoginHtml: () => getCustomAuthRequiredHtml(),\n }),\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n _authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n\n if (process.env.DEBUG)\n console.log(\"[agent-native] Auth enabled — custom getSession provider.\");\n return true;\n }\n\n // Default: Better Auth (account-first)\n try {\n await mountBetterAuthRoutes(app, options);\n if (process.env.DEBUG)\n console.log(\n \"[agent-native] Auth enabled — Better Auth (accounts + organizations).\",\n );\n } catch (err) {\n console.error(\"[agent-native] Failed to initialize Better Auth:\", err);\n mountAuthFallbackRoutes(app);\n // CRITICAL: Even if Better Auth fails, register the auth guard so\n // unauthenticated users can't access the app. 
They'll see the login\n // page but won't be able to sign in until the DB is available.\n const loginHtmlConfig = getOnboardingLoginHtmlConfig(options);\n _authGuardConfig = {\n ...loginHtmlConfig,\n publicPaths,\n workspaceAppAudience,\n workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,\n workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,\n };\n const guardFn = createAuthGuardFn();\n _authGuardFn = guardFn;\n app.use(defineEventHandler(guardFn));\n console.log(\n \"[agent-native] Auth guard registered despite init failure — app is locked.\",\n );\n }\n return true;\n}\n\n// ---------------------------------------------------------------------------\n// Deprecated — kept for backward compat\n// ---------------------------------------------------------------------------\n\n/**\n * @deprecated Use `autoMountAuth(app, options?)` instead.\n */\nexport function mountAuthMiddleware(app: H3App, accessToken: string): void {\n void app;\n void accessToken;\n throw new Error(\n \"mountAuthMiddleware(accessToken) has been removed. Use createAuthPlugin() or autoMountAuth() with Better Auth, or a custom getSession provider.\",\n );\n}\n"]}