@agentuity/auth 0.0.109 → 0.0.110

package/dist/agentuity/server.js

@@ -0,0 +1,505 @@
+/**
+ * Auth Hono middleware and handlers for @agentuity/auth.
+ *
+ * Provides session and API key authentication middleware for Hono applications.
+ *
+ * @module agentuity/server
+ */
+import { context, trace, SpanStatusCode } from '@opentelemetry/api';
+// =============================================================================
+// Helpers
+// =============================================================================
+/**
+ * Derive minimal org context from session.
+ * Full org data is fetched lazily via getOrg().
+ */
+function deriveOrgContext(session) {
+    if (!session?.activeOrganizationId)
+        return null;
+    return { id: session.activeOrganizationId };
+}
+/**
+ * Extract API key from request headers.
+ * Checks x-agentuity-auth-api-key header and Authorization: ApiKey header.
+ */
+function getApiKeyFromRequest(c) {
+    const customHeader = c.req.header('x-agentuity-auth-api-key') ?? c.req.header('X-Agentuity-Auth-Api-Key');
+    if (customHeader)
+        return customHeader.trim();
+    const authHeader = c.req.header('Authorization');
+    if (!authHeader)
+        return null;
+    const lower = authHeader.toLowerCase();
+    if (lower.startsWith('apikey ')) {
+        return authHeader.slice('apikey '.length).trim() || null;
+    }
+    return null;
+}
+/**
+ * Determine auth method from request headers.
+ */
+function getAuthMethod(c) {
+    const apiKey = getApiKeyFromRequest(c);
+    if (apiKey)
+        return 'api-key';
+    const authHeader = c.req.header('Authorization');
+    if (authHeader?.toLowerCase().startsWith('bearer '))
+        return 'bearer';
+    return 'session';
+}
+function buildAuthInterface(c, auth, user, session, org, authMethod, apiKeyContext) {
+    let cachedFullOrg = undefined;
+    const permissions = apiKeyContext?.permissions ?? null;
+    return {
+        async getUser() {
+            return user;
+        },
+        async getToken() {
+            const header = c.req.header('Authorization');
+            if (!header)
+                return null;
+            return header.replace(/^Bearer\s+/i, '') || null;
+        },
+        raw: {
+            user,
+            session,
+            org,
+        },
+        org,
+        async getOrg() {
+            if (cachedFullOrg !== undefined) {
+                return cachedFullOrg;
+            }
+            if (!org) {
+                cachedFullOrg = null;
+                return null;
+            }
+            // Fetch full org data lazily
+            try {
+                const fullOrg = await auth.api.getFullOrganization({
+                    headers: c.req.raw.headers,
+                });
+                if (!fullOrg) {
+                    cachedFullOrg = null;
+                    return null;
+                }
+                // Find the current user's role in the org
+                const members = (fullOrg.members ?? []);
+                const currentMember = members.find((m) => m.userId === user.id);
+                cachedFullOrg = {
+                    id: fullOrg.id,
+                    slug: fullOrg.slug ?? null,
+                    name: fullOrg.name ?? null,
+                    role: currentMember?.role ?? null,
+                    memberId: currentMember?.id ?? null,
+                    metadata: fullOrg.metadata ?? null,
+                };
+                return cachedFullOrg;
+            }
+            catch {
+                cachedFullOrg = org;
+                return org;
+            }
+        },
+        async getOrgRole() {
+            const org = await this.getOrg();
+            return org?.role ?? null;
+        },
+        async hasOrgRole(...roles) {
+            const role = await this.getOrgRole();
+            return !!role && roles.includes(role);
+        },
+        // API key helpers
+        authMethod,
+        apiKey: apiKeyContext,
+        hasPermission(resource, ...actions) {
+            if (!permissions)
+                return false;
+            const resourcePerms = permissions[resource] ?? [];
+            if (actions.length === 0) {
+                return resourcePerms.length > 0;
+            }
+            return actions.every((action) => resourcePerms.includes(action) || resourcePerms.includes('*'));
+        },
+    };
+}
+/**
+ * Build a null/anonymous auth wrapper for optional middleware.
+ */
+function buildAnonymousAuth() {
+    return {
+        async getUser() {
+            throw new Error('Not authenticated');
+        },
+        async getToken() {
+            return null;
+        },
+        raw: {
+            user: null,
+            session: null,
+            org: null,
+        },
+        org: null,
+        async getOrg() {
+            return null;
+        },
+        async getOrgRole() {
+            return null;
+        },
+        async hasOrgRole() {
+            return false;
+        },
+        authMethod: 'session',
+        apiKey: null,
+        hasPermission() {
+            return false;
+        },
+    };
+}
+// =============================================================================
+// Session Middleware
+// =============================================================================
+/**
+ * Create Hono middleware that validates sessions.
+ *
+ * Sets context variables (`user`, `session`, `org`, `auth`) for authenticated requests.
+ *
+ * OpenTelemetry spans are automatically enriched with auth attributes:
+ * - `auth.user.id` - User ID (always included)
+ * - `auth.user.email` - User email (included by default, opt-out via `otelSpans.email: false`)
+ * - `auth.method` - 'session' or 'bearer' (always included)
+ * - `auth.provider` - 'Auth' (always included)
+ * - `auth.org.id` - Active organization ID (always included if set)
+ * - `auth.org.name` - Organization name (included by default, opt-out via `otelSpans.orgName: false`)
+ *
+ * @example Basic usage
+ * ```typescript
+ * import { createSessionMiddleware } from '@agentuity/auth';
+ * import { auth } from './auth';
+ *
+ * const app = new Hono();
+ * app.use('/api/*', createSessionMiddleware(auth));
+ *
+ * app.get('/api/me', (c) => {
+ *   const user = c.var.user;
+ *   if (!user) return c.json({ error: 'Unauthorized' }, 401);
+ *   return c.json({ id: user.id });
+ * });
+ * ```
+ *
+ * @example Using auth wrapper with org role check
+ * ```typescript
+ * app.get('/api/admin', createSessionMiddleware(auth, { hasOrgRole: ['admin', 'owner'] }), async (c) => {
+ *   const user = await c.var.auth.getUser();
+ *   return c.json({ id: user.id, message: 'Welcome admin!' });
+ * });
+ * ```
+ */
+export function createSessionMiddleware(auth, options = {}) {
+    const { optional = false, otelSpans = {}, hasOrgRole } = options;
+    const includeEmail = otelSpans.email !== false;
+    const includeOrgName = otelSpans.orgName !== false;
+    return async (c, next) => {
+        const span = trace.getSpan(context.active());
+        try {
+            const result = await auth.api.getSession({
+                headers: c.req.raw.headers,
+            });
+            if (!result) {
+                if (optional) {
+                    c.set('user', null);
+                    c.set('authSession', null);
+                    c.set('org', null);
+                    c.set('auth', buildAnonymousAuth());
+                    span?.addEvent('auth.anonymous');
+                    await next();
+                    return;
+                }
+                span?.addEvent('auth.unauthorized', { reason: 'no_session' });
+                span?.setStatus({ code: SpanStatusCode.ERROR, message: 'Unauthorized' });
+                return c.json({ error: 'Unauthorized' }, 401);
+            }
+            // Cast to full types - BetterAuth returns complete objects at runtime
+            const user = result.user;
+            const session = result.session;
+            const org = deriveOrgContext(session);
+            const authMethod = getAuthMethod(c);
+            c.set('user', user);
+            c.set('authSession', session);
+            c.set('org', org);
+            if (span) {
+                span.setAttributes({
+                    'auth.user.id': user.id ?? '',
+                    'auth.method': authMethod,
+                    'auth.provider': 'AgentuityAuth',
+                });
+                if (includeEmail && user.email) {
+                    span.setAttribute('auth.user.email', user.email);
+                }
+                if (org) {
+                    span.setAttribute('auth.org.id', org.id);
+                    if (includeOrgName && org.name) {
+                        span.setAttribute('auth.org.name', org.name);
+                    }
+                }
+            }
+            c.set('auth', buildAuthInterface(c, auth, user, session, org, authMethod, null));
+            // Enforce org role if requested
+            if (hasOrgRole) {
+                const requiredRoles = Array.isArray(hasOrgRole) ? hasOrgRole : [hasOrgRole];
+                const hasRole = await c.var.auth.hasOrgRole(...requiredRoles);
+                if (!hasRole) {
+                    span?.addEvent('auth.forbidden', {
+                        reason: 'missing_org_role',
+                        required_roles: requiredRoles,
+                    });
+                    span?.setStatus({ code: SpanStatusCode.ERROR, message: 'Forbidden' });
+                    return c.json({ error: 'Forbidden: insufficient organization role' }, 403);
+                }
+            }
+            await next();
+        }
+        catch (error) {
+            console.error('[Agentuity Auth] Session validation failed:', error);
+            span?.recordException(error);
+            span?.setStatus({ code: SpanStatusCode.ERROR, message: 'Auth validation failed' });
+            if (optional) {
+                c.set('user', null);
+                c.set('authSession', null);
+                c.set('org', null);
+                c.set('auth', buildAnonymousAuth());
+                await next();
+                return;
+            }
+            return c.json({ error: 'Unauthorized' }, 401);
+        }
+    };
+}
+// =============================================================================
+// API Key Middleware
+// =============================================================================
+/**
+ * Create Hono middleware that validates API keys.
+ *
+ * This middleware ONLY accepts API key authentication via:
+ * - `x-agentuity-auth-api-key` header (preferred)
+ * - `Authorization: ApiKey <key>` header
+ *
+ * It does NOT use sessions. For routes that accept both session and API key,
+ * compose with createSessionMiddleware using `{ optional: true }`.
+ *
+ * @example API key only route with permission check
+ * ```typescript
+ * import { createApiKeyMiddleware } from '@agentuity/auth';
+ *
+ * app.post('/webhooks/*', createApiKeyMiddleware(auth, {
+ *   hasPermission: { webhook: 'write' }
+ * }));
+ *
+ * app.post('/webhooks/github', async (c) => {
+ *   // Permission already verified by middleware
+ *   return c.json({ success: true });
+ * });
+ * ```
+ *
+ * @example Either session OR API key (compose with optional)
+ * ```typescript
+ * app.use('/api/*', createSessionMiddleware(auth, { optional: true }));
+ * app.use('/api/*', createApiKeyMiddleware(auth, { optional: true }));
+ *
+ * app.get('/api/data', async (c) => {
+ *   // Works with session OR API key
+ *   if (!c.var.user) return c.json({ error: 'Unauthorized' }, 401);
+ *   return c.json({ data: '...' });
+ * });
+ * ```
+ */
+export function createApiKeyMiddleware(auth, options = {}) {
+    const { optional = false, otelSpans = {}, hasPermission } = options;
+    const includeEmail = otelSpans.email !== false;
+    return async (c, next) => {
+        const span = trace.getSpan(context.active());
+        const apiKeyToken = getApiKeyFromRequest(c);
+        if (!apiKeyToken) {
+            if (optional) {
+                await next();
+                return;
+            }
+            span?.addEvent('auth.unauthorized', { reason: 'no_api_key' });
+            span?.setStatus({ code: SpanStatusCode.ERROR, message: 'Unauthorized' });
+            return c.json({ error: 'Unauthorized: API key required' }, 401);
+        }
+        try {
+            const result = await auth.api.verifyApiKey({
+                body: { key: apiKeyToken },
+            });
+            if (!result.valid || !result.key) {
+                if (optional) {
+                    await next();
+                    return;
+                }
+                span?.addEvent('auth.unauthorized', { reason: 'invalid_api_key' });
+                span?.setStatus({ code: SpanStatusCode.ERROR, message: 'Unauthorized' });
+                return c.json({ error: 'Unauthorized: Invalid API key' }, 401);
+            }
+            const keyData = result.key;
+            const userId = keyData.userId;
+            const apiKeyContext = {
+                id: keyData.id,
+                name: keyData.name ?? null,
+                permissions: keyData.permissions ?? {},
+                userId: userId ?? null,
+            };
+            let user = null;
+            if (userId) {
+                try {
+                    // NOTE: BetterAuth's API key plugin supports resolving a user by ID via
+                    // `auth.api.getSession({ headers: { 'x-user-id': ... } })` without cookies.
+                    // The API key itself is the primary authenticator; this call is only
+                    // used to hydrate the user object for convenience (and is allowed to fail).
+                    const sessionResult = await auth.api.getSession({
+                        headers: new Headers({ 'x-user-id': userId }),
+                    });
+                    if (sessionResult?.user) {
+                        // Cast to full type - BetterAuth returns complete objects at runtime
+                        user = sessionResult.user;
+                    }
+                }
+                catch {
+                    // User fetch failed, continue with null user
+                }
+            }
+            c.set('user', user);
+            c.set('authSession', null);
+            c.set('org', null);
+            if (span) {
+                span.setAttributes({
+                    'auth.method': 'api-key',
+                    'auth.provider': 'AgentuityAuth',
+                    'auth.api_key.id': apiKeyContext.id,
+                });
+                if (user?.id) {
+                    span.setAttribute('auth.user.id', user.id);
+                }
+                if (includeEmail && user?.email) {
+                    span.setAttribute('auth.user.email', user.email);
+                }
+            }
+            if (user) {
+                c.set('auth', buildAuthInterface(c, auth, user, null, null, 'api-key', apiKeyContext));
+            }
+            else {
+                const anonAuth = buildAnonymousAuth();
+                c.set('auth', {
+                    ...anonAuth,
+                    authMethod: 'api-key',
+                    apiKey: apiKeyContext,
+                    hasPermission(resource, ...actions) {
+                        const perms = apiKeyContext.permissions[resource] ?? [];
+                        if (actions.length === 0)
+                            return perms.length > 0;
+                        return actions.every((a) => perms.includes(a) || perms.includes('*'));
+                    },
+                });
+            }
+            // Enforce permissions if requested
+            if (hasPermission) {
+                for (const [resource, actions] of Object.entries(hasPermission)) {
+                    const actionList = Array.isArray(actions) ? actions : [actions];
+                    const hasPerm = c.var.auth.hasPermission(resource, ...actionList);
+                    if (!hasPerm) {
+                        span?.addEvent('auth.forbidden', {
+                            reason: 'missing_permission',
+                            resource,
+                            actions: actionList,
+                        });
+                        span?.setStatus({ code: SpanStatusCode.ERROR, message: 'Forbidden' });
+                        return c.json({ error: 'Forbidden: insufficient API key permissions' }, 403);
+                    }
+                }
+            }
+            await next();
+        }
+        catch (error) {
+            console.error('[Agentuity Auth] API key validation failed:', error);
+            span?.recordException(error);
+            span?.setStatus({ code: SpanStatusCode.ERROR, message: 'API key validation failed' });
+            if (optional) {
+                await next();
+                return;
+            }
+            return c.json({ error: 'Unauthorized: API key validation failed' }, 401);
+        }
+    };
+}
+// =============================================================================
+// Auth Handler
+// =============================================================================
+/**
+ * Default headers to forward from BetterAuth responses.
+ * This prevents unintended headers from leaking through while preserving auth-essential ones.
+ */
+const DEFAULT_FORWARDED_HEADERS = [
+    'set-cookie',
+    'content-type',
+    'location',
+    'cache-control',
+    'pragma',
+    'expires',
+    'vary',
+    'etag',
+    'last-modified',
+];
+/**
+ * Mount auth routes with proper cookie handling and header filtering.
+ *
+ * This wrapper handles cookie merging between auth responses and other middleware.
+ * It ensures both session cookies AND other cookies (like thread cookies)
+ * are preserved while preventing unintended headers from leaking through.
+ *
+ * @example Basic usage
+ * ```typescript
+ * import { mountAuthRoutes } from '@agentuity/auth';
+ * import { auth } from './auth';
+ *
+ * const api = createRouter();
+ *
+ * // Mount all auth routes (sign-in, sign-up, sign-out, session, etc.)
+ * api.on(['GET', 'POST'], '/api/auth/*', mountAuthRoutes(auth));
+ * ```
+ *
+ * @example With custom header allowlist
+ * ```typescript
+ * api.on(['GET', 'POST'], '/api/auth/*', mountAuthRoutes(auth, {
+ *   allowList: ['set-cookie', 'content-type', 'location', 'x-custom-header']
+ * }));
+ * ```
+ */
+export function mountAuthRoutes(auth, options = {}) {
+    const allowList = new Set((options.allowList ?? DEFAULT_FORWARDED_HEADERS).map((h) => h.toLowerCase()));
+    // Always ensure set-cookie is in the allowlist
+    allowList.add('set-cookie');
+    return async (c) => {
+        const response = await auth.handler(c.req.raw);
+        response.headers.forEach((value, key) => {
+            const lower = key.toLowerCase();
+            // Only forward headers in the allowlist
+            if (!allowList.has(lower)) {
+                return;
+            }
+            if (lower === 'set-cookie') {
+                // Preserve existing cookies (e.g., Agentuity thread cookies)
+                c.header('set-cookie', value, { append: true });
+            }
+            else {
+                c.header(key, value);
+            }
+        });
+        const body = await response.text();
+        return new Response(body, {
+            status: response.status,
+            headers: c.res.headers,
+        });
+    };
+}
+//# sourceMappingURL=server.js.map

package/dist/agentuity/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/agentuity/server.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AA6GpE,gFAAgF;AAChF,UAAU;AACV,gFAAgF;AAEhF;;;GAGG;AACH,SAAS,gBAAgB,CAAC,OAA2B;IACpD,IAAI,CAAC,OAAO,EAAE,oBAAoB;QAAE,OAAO,IAAI,CAAC;IAChD,OAAO,EAAE,EAAE,EAAE,OAAO,CAAC,oBAAoB,EAAE,CAAC;AAC7C,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAAC,CAAU;IACvC,MAAM,YAAY,GACjB,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,0BAA0B,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC;IACtF,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC,IAAI,EAAE,CAAC;IAE7C,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IACjD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAE7B,MAAM,KAAK,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;IACvC,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACjC,OAAO,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;IAC1D,CAAC;IAED,OAAO,IAAI,CAAC;AACb,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,CAAU;IAChC,MAAM,MAAM,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAC;IACvC,IAAI,MAAM;QAAE,OAAO,SAAS,CAAC;IAE7B,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IACjD,IAAI,UAAU,EAAE,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,QAAQ,CAAC;IAErE,OAAO,SAAS,CAAC;AAClB,CAAC;AAED,SAAS,kBAAkB,CAC1B,CAAU,EACV,IAAc,EACd,IAAc,EACd,OAA2B,EAC3B,GAA0B,EAC1B,UAAsB,EACtB,aAAuC;IAEvC,IAAI,aAAa,GAAsC,SAAS,CAAC;IACjE,MAAM,WAAW,GAAG,aAAa,EAAE,WAAW,IAAI,IAAI,CAAC;IAEvD,OAAO;QACN,KAAK,CAAC,OAAO;YACZ,OAAO,IAAI,CAAC;QACb,CAAC;QAED,KAAK,CAAC,QAAQ;YACb,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM;gBAAE,OAAO,IAAI,CAAC;YACzB,OAAO,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC;QAClD,CAAC;QAED,GAAG,EAAE;YACJ,IAAI;YACJ,OAAO;YACP,GAAG;SACH;QAED,GAAG;QAEH,KAAK,CAAC,MAAM;YACX,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;gBACjC,OAAO,aAAa,CAAC;YACtB,CAAC;YAED,IAAI,CAAC,GAAG,EAAE,CAAC;gBACV,aAAa,GAAG,IAAI,CAAC;gBACrB,OAAO,IAAI,CAAC;YACb,CAAC;YAED,6BAA6B;YAC7B,IAAI,CAAC;gBACJ,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,mBAAmB,CAAC;oBAClD,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO;iBAC1B,CAAC,CAAC;gBAEH,IAAI,CAAC,OAAO,EAAE,CAAC;oBACd,aAAa,GAAG,IAAI,CAAC;oBACrB,OAAO,IAAI,CAAC;gBACb,CAAC;gBAED,0CAA0C;gBAC1C,MAAM,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAIpC,CAAC;gBACH,MAAM,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,IAAI,CAAC,EAAE,CAAC,CAAC;gBAEhE,aAAa,GAAG;oBACf,EAAE,EAAE,OAAO,CAAC,EAAE;oBACd,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,IAAI;oBAC1B,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,IAAI;oBAC1B,IAAI,EAAE,aAAa,EAAE,IAAI,IAAI,IAAI;oBACjC,QAAQ,EAAE,aAAa,EAAE,EAAE,IAAI,IAAI;oBACnC,QAAQ,EAAG,OAAmC,CAAC,QAAQ,IAAI,IAAI;iBAC/D,CAAC;gBAEF,OAAO,aAAa,CAAC;YACtB,CAAC;YAAC,MAAM,CAAC;gBACR,aAAa,GAAG,GAAG,CAAC;gBACpB,OAAO,GAAG,CAAC;YACZ,CAAC;QACF,CAAC;QAED,KAAK,CAAC,UAAU;YACf,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,OAAO,GAAG,EAAE,IAAI,IAAI,IAAI,CAAC;QAC1B,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,GAAG,KAAe;YAClC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;YACrC,OAAO,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACvC,CAAC;QAED,kBAAkB;QAClB,UAAU;QACV,MAAM,EAAE,aAAa;QAErB,aAAa,CAAC,QAAgB,EAAE,GAAG,OAAiB;YACnD,IAAI,CAAC,WAAW;gBAAE,OAAO,KAAK,CAAC;YAC/B,MAAM,aAAa,GAAG,WAAW,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YAElD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,OAAO,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC;YACjC,CAAC;YAED,OAAO,OAAO,CAAC,KAAK,CACnB,CAAC,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,CACzE,CAAC;QACH,CAAC;KACD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB;IAC1B,OAAO;QACN,KAAK,CAAC,OAAO;YACZ,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACtC,CAAC;QAED,KAAK,CAAC,QAAQ;YACb,OAAO,IAAI,CAAC;QACb,CAAC;QAED,GAAG,EAAE;YACJ,IAAI,EAAE,IAA2B;YACjC,OAAO,EAAE,IAA8B;YACvC,GAAG,EAAE,IAAI;SACT;QAED,GAAG,EAAE,IAAI;QAET,KAAK,CAAC,MAAM;YACX,OAAO,IAAI,CAAC;QACb,CAAC;QAED,KAAK,CAAC,UAAU;YACf,OAAO,IAAI,CAAC;QACb,CAAC;QAED,KAAK,CAAC,UAAU;YACf,OAAO,KAAK,CAAC;QACd,CAAC;QAED,UAAU,EAAE,SAAS;QACrB,MAAM,EAAE,IAAI;QAEZ,aAAa;YACZ,OAAO,KAAK,CAAC;QACd,CAAC;KACD,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,MAAM,UAAU,uBAAuB,CACtC,IAAc,EACd,UAAiC,EAAE;IAEnC,MAAM,EAAE,QAAQ,GAAG,KAAK,EAAE,SAAS,GAAG,EAAE,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IACjE,MAAM,YAAY,GAAG,SAAS,CAAC,KAAK,KAAK,KAAK,CAAC;IAC/C,MAAM,cAAc,GAAG,SAAS,CAAC,OAAO,KAAK,KAAK,CAAC;IAEnD,OAAO,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACxB,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAE7C,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;gBACxC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO;aAC1B,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,EAAE,CAAC;gBACb,IAAI,QAAQ,EAAE,CAAC;oBACd,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;oBACpB,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;oBAC3B,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;oBACnB,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,kBAAkB,EAAE,CAAC,CAAC;oBACpC,IAAI,EAAE,QAAQ,CAAC,gBAAgB,CAAC,CAAC;oBACjC,MAAM,IAAI,EAAE,CAAC;oBACb,OAAO;gBACR,CAAC;gBAED,IAAI,EAAE,QAAQ,CAAC,mBAAmB,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;gBAC9D,IAAI,EAAE,SAAS,CAAC,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC,CAAC;gBACzE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,GAAG,CAAC,CAAC;YAC/C,CAAC;YAED,sEAAsE;YACtE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAgB,CAAC;YACrC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAsB,CAAC;YAC9C,MAAM,GAAG,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;YACtC,MAAM,UAAU,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YAEpC,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YACpB,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;YAC9B,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAElB,IAAI,IAAI,EAAE,CAAC;gBACV,IAAI,CAAC,aAAa,CAAC;oBAClB,cAAc,EAAE,IAAI,CAAC,EAAE,IAAI,EAAE;oBAC7B,aAAa,EAAE,UAAU;oBACzB,eAAe,EAAE,eAAe;iBAChC,CAAC,CAAC;gBAEH,IAAI,YAAY,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;oBAChC,IAAI,CAAC,YAAY,CAAC,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClD,CAAC;gBAED,IAAI,GAAG,EAAE,CAAC;oBACT,IAAI,CAAC,YAAY,CAAC,aAAa,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;oBACzC,IAAI,cAAc,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;wBAChC,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;oBAC9C,CAAC;gBACF,CAAC;YACF,CAAC;YAED,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,IAAI,CAAC,CAAC,CAAC;YAEjF,gCAAgC;YAChC,IAAI,UAAU,EAAE,CAAC;gBAChB,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;gBAC5E,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,aAAa,CAAC,CAAC;gBAE9D,IAAI,CAAC,OAAO,EAAE,CAAC;oBACd,IAAI,EAAE,QAAQ,CAAC,gBAAgB,EAAE;wBAChC,MAAM,EAAE,kBAAkB;wBAC1B,cAAc,EAAE,aAAa;qBAC7B,CAAC,CAAC;oBACH,IAAI,EAAE,SAAS,CAAC,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC;oBACtE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2CAA2C,EAAE,EAAE,GAAG,CAAC,CAAC;gBAC5E,CAAC;YACF,CAAC;YAED,MAAM,IAAI,EAAE,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,KAAK,CAAC,CAAC;YAEpE,IAAI,EAAE,eAAe,CAAC,KAAc,CAAC,CAAC;YACtC,IAAI,EAAE,SAAS,CAAC,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC,CAAC;YAEnF,IAAI,QAAQ,EAAE,CAAC;gBACd,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;gBACpB,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;gBAC3B,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;gBACnB,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBACpC,MAAM,IAAI,EAAE,CAAC;gBACb,OAAO;YACR,CAAC;YACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,GAAG,CAAC,CAAC;QAC/C,CAAC;IACF,CAAC,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,MAAM,UAAU,sBAAsB,CACrC,IAAc,EACd,UAAmC,EAAE;IAErC,MAAM,EAAE,QAAQ,GAAG,KAAK,EAAE,SAAS,GAAG,EAAE,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC;IACpE,MAAM,YAAY,GAAG,SAAS,CAAC,KAAK,KAAK,KAAK,CAAC;IAE/C,OAAO,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QACxB,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAC;QAE5C,IAAI,CAAC,WAAW,EAAE,CAAC;YAClB,IAAI,QAAQ,EAAE,CAAC;gBACd,MAAM,IAAI,EAAE,CAAC;gBACb,OAAO;YACR,CAAC;YAED,IAAI,EAAE,QAAQ,CAAC,mBAAmB,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;YAC9D,IAAI,EAAE,SAAS,CAAC,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC,CAAC;YACzE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gCAAgC,EAAE,EAAE,GAAG,CAAC,CAAC;QACjE,CAAC;QAED,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC;gBAC1C,IAAI,EAAE,EAAE,GAAG,EAAE,WAAW,EAAE;aAC1B,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;gBAClC,IAAI,QAAQ,EAAE,CAAC;oBACd,MAAM,IAAI,EAAE,CAAC;oBACb,OAAO;gBACR,CAAC;gBAED,IAAI,EAAE,QAAQ,CAAC,mBAAmB,EAAE,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC,CAAC;gBACnE,IAAI,EAAE,SAAS,CAAC,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC,CAAC;gBACzE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+BAA+B,EAAE,EAAE,GAAG,CAAC,CAAC;YAChE,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC;YAC3B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YAE9B,MAAM,aAAa,GAAsB;gBACxC,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,IAAI;gBAC1B,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,EAAE;gBACtC,MAAM,EAAE,MAAM,IAAI,IAAI;aACtB,CAAC;YAEF,IAAI,IAAI,GAAoB,IAAI,CAAC;YACjC,IAAI,MAAM,EAAE,CAAC;gBACZ,IAAI,CAAC;oBACJ,wEAAwE;oBACxE,4EAA4E;oBAC5E,qEAAqE;oBACrE,4EAA4E;oBAC5E,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;wBAC/C,OAAO,EAAE,IAAI,OAAO,CAAC,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC;qBAC7C,CAAC,CAAC;oBACH,IAAI,aAAa,EAAE,IAAI,EAAE,CAAC;wBACzB,qEAAqE;wBACrE,IAAI,GAAG,aAAa,CAAC,IAAgB,CAAC;oBACvC,CAAC;gBACF,CAAC;gBAAC,MAAM,CAAC;oBACR,6CAA6C;gBAC9C,CAAC;YACF,CAAC;YAED,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YACpB,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;YAC3B,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAEnB,IAAI,IAAI,EAAE,CAAC;gBACV,IAAI,CAAC,aAAa,CAAC;oBAClB,aAAa,EAAE,SAAS;oBACxB,eAAe,EAAE,eAAe;oBAChC,iBAAiB,EAAE,aAAa,CAAC,EAAE;iBACnC,CAAC,CAAC;gBAEH,IAAI,IAAI,EAAE,EAAE,EAAE,CAAC;oBACd,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC5C,CAAC;gBAED,IAAI,YAAY,IAAI,IAAI,EAAE,KAAK,EAAE,CAAC;oBACjC,IAAI,CAAC,YAAY,CAAC,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;gBAClD,CAAC;YACF,CAAC;YAED,IAAI,IAAI,EAAE,CAAC;gBACV,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC,CAAC;YACxF,CAAC;iBAAM,CAAC;gBACP,MAAM,QAAQ,GAAG,kBAAkB,EAAE,CAAC;gBACtC,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE;oBACb,GAAG,QAAQ;oBACX,UAAU,EAAE,SAAS;oBACrB,MAAM,EAAE,aAAa;oBACrB,aAAa,CAAC,QAAgB,EAAE,GAAG,OAAiB;wBACnD,MAAM,KAAK,GAAG,aAAa,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;wBACxD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;4BAAE,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;wBAClD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;oBACvE,CAAC;iBACD,CAAC,CAAC;YACJ,CAAC;YAED,mCAAmC;YACnC,IAAI,aAAa,EAAE,CAAC;gBACnB,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;oBACjE,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;oBAChE,MAAM,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,GAAG,UAAU,CAAC,CAAC;oBAElE,IAAI,CAAC,OAAO,EAAE,CAAC;wBACd,IAAI,EAAE,QAAQ,CAAC,gBAAgB,EAAE;4BAChC,MAAM,EAAE,oBAAoB;4BAC5B,QAAQ;4BACR,OAAO,EAAE,UAAU;yBACnB,CAAC,CAAC;wBACH,IAAI,EAAE,SAAS,CAAC,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC;wBACtE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,6CAA6C,EAAE,EAAE,GAAG,CAAC,CAAC;oBAC9E,CAAC;gBACF,CAAC;YACF,CAAC;YAED,MAAM,IAAI,EAAE,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,KAAK,CAAC,CAAC;YAEpE,IAAI,EAAE,eAAe,CAAC,KAAc,CAAC,CAAC;YACtC,IAAI,EAAE,SAAS,CAAC,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC,CAAC;YAEtF,IAAI,QAAQ,EAAE,CAAC;gBACd,MAAM,IAAI,EAAE,CAAC;gBACb,OAAO;YACR,CAAC;YACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,EAAE,GAAG,CAAC,CAAC;QAC1E,CAAC;IACF,CAAC,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,eAAe;AACf,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,yBAAyB,GAAG;IACjC,YAAY;IACZ,cAAc;IACd,UAAU;IACV,eAAe;IACf,QAAQ;IACR,SAAS;IACT,MAAM;IACN,MAAM;IACN,eAAe;CACf,CAAC;AAgBF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,eAAe,CAC9B,IAAc,EACd,UAAkC,EAAE;IAEpC,MAAM,SAAS,GAAG,IAAI,GAAG,CACxB,CAAC,OAAO,CAAC,SAAS,IAAI,yBAAyB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAC5E,CAAC;IACF,+CAA+C;IAC/C,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAE5B,OAAO,KAAK,EAAE,CAAU,EAAqB,EAAE;QAC9C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAE/C,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAa,EAAE,GAAW,EAAE,EAAE;YACvD,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAEhC,wCAAwC;YACxC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3B,OAAO;YACR,CAAC;YAED,IAAI,KAAK,KAAK,YAAY,EAAE,CAAC;gBAC5B,6DAA6D;gBAC7D,CAAC,CAAC,MAAM,CAAC,YAAY,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACP,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACtB,CAAC;QACF,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACzB,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,OAAO;SACtB,CAAC,CAAC;IACJ,CAAC,CAAC;AACH,CAAC"}