@agentuity/cli 0.0.51 → 0.0.53

package/dist/crypto/box.js

@@ -0,0 +1,382 @@
+/**
+ * Package crypto implements a **FIPS 140-3 compliant KEM-DEM envelope encryption scheme**
+ * suitable for multi-gigabyte streams using ECDH P-256 and AES-256-GCM.
+ * This design is compatible with the Go implementation and depends only on standard
+ * Node.js crypto packages.
+ *
+ * ──────────────────────────  Design summary  ─────────────────────────────
+ *
+ *  ⚙  KEM  (Key-Encapsulation Mechanism)
+ *      • ECDH P-256 + AES-256-GCM for DEK wrapping
+ *      • Output: variable-size encrypted DEK (48-byte DEK + 16-byte GCM tag + ephemeral pubkey)
+ *      • Provides forward secrecy for each blob
+ *
+ *  ⚙  DEM  (Data-Encapsulation Mechanism)
+ *      • AES-256-GCM in ~64 KiB framed chunks (65519 bytes max)
+ *      • Nonce = 4-byte random prefix ∥ 8-byte little-endian counter
+ *      • First frame authenticates header via associated data (prevents tampering)
+ *      • Constant ~64 KiB RAM, O(1) header re-wrap for key rotation
+ *
+ *  ⚙  Fleet key
+ *      • Single ECDSA P-256 key-pair per customer
+ *      • Public key used directly for ECDH operations
+ *      • Private key stored in cloud secret store and fetched at boot
+ *
+ *  File layout
+ *   ┌─────────────────────────────────────────────────────────────────────────┐
+ *   │ uint16 wrappedLen │ 125B wrapped DEK │ 12B base nonce │ frames... │
+ *   └─────────────────────────────────────────────────────────────────────────┘
+ *                               ▲                    ▲
+ *                               │                    └─ AES-256-GCM frames
+ *                               └─ ECDH + AES-GCM wrapped DEK
+ *
+ *  Security properties
+ *  • Confidentiality & integrity: AES-256-GCM per frame
+ *  • Header authentication: first frame includes header as associated data
+ *  • Forward-secrecy per object: new ephemeral ECDH key each encryption
+ *  • Key rotation: requires re-wrapping only the ~139-byte header
+ *  • FIPS 140-3 compliant: uses only approved algorithms
+ *
+ *  Typical workflow
+ *  ────────────────
+ *    Publisher:
+ *      1) generate DEK, encrypt stream → dst
+ *      2) ephemeral ECDH + AES-GCM wrap DEK with fleet public key
+ *      3) write header {len, wrapped DEK, nonce} - ~139 bytes total
+ *      4) first frame includes header as associated data for authentication
+ *
+ *    Machine node:
+ *      1) read header, unwrap DEK with fleet private key via ECDH
+ *      2) stream-decrypt frames on the fly (first frame verifies header)
+ *
+ * Public API
+ * ──────────
+ *
+ *  encryptFIPSKEMDEMStream(publicKey: KeyObject, src: Readable, dst: Writable): Promise<number>
+ *  decryptFIPSKEMDEMStream(privateKey: KeyObject, src: Readable, dst: Writable): Promise<number>
+ *
+ * Both return the number of plaintext bytes processed and ensure that
+ * every error path is authenticated-failure-safe.
+ */
+import { createCipheriv, createDecipheriv, createECDH, randomBytes } from 'node:crypto';
+import { createHash } from 'node:crypto';
+const FRAME = 65519;
+const DEK_SIZE = 32;
+const GCM_TAG = 16;
+const PUBKEY_LEN = 65;
+function concatKDFSHA256(z, keyDataLen, ...otherInfo) {
+    const h = createHash('sha256');
+    h.update(Buffer.from([0x00, 0x00, 0x00, 0x01]));
+    h.update(z);
+    for (const info of otherInfo) {
+        h.update(info);
+    }
+    const keyDataLenBits = keyDataLen * 8;
+    h.update(Buffer.from([
+        (keyDataLenBits >> 24) & 0xff,
+        (keyDataLenBits >> 16) & 0xff,
+        (keyDataLenBits >> 8) & 0xff,
+        keyDataLenBits & 0xff,
+    ]));
+    return h.digest();
+}
+function wrapDEKWithECDH(dek, recipientPub) {
+    const ephemeral = createECDH('prime256v1');
+    ephemeral.generateKeys();
+    const jwk = recipientPub.export({ format: 'jwk' });
+    if (!jwk.x || !jwk.y) {
+        throw new Error('Invalid EC public key');
+    }
+    const xBuf = Buffer.from(jwk.x, 'base64url');
+    const yBuf = Buffer.from(jwk.y, 'base64url');
+    const pubKeyPoint = Buffer.concat([Buffer.from([0x04]), xBuf, yBuf]);
+    const sharedSecret = ephemeral.computeSecret(pubKeyPoint);
+    const kek = concatKDFSHA256(sharedSecret, 32, Buffer.from('AES-256-GCM'));
+    sharedSecret.fill(0);
+    const nonce = randomBytes(12);
+    const cipher = createCipheriv('aes-256-gcm', kek, nonce);
+    const ciphertext = Buffer.concat([cipher.update(dek), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    kek.fill(0);
+    const ephemeralPubBytes = ephemeral.getPublicKey(undefined, 'uncompressed');
+    return Buffer.concat([ephemeralPubBytes, nonce, ciphertext, tag]);
+}
+function unwrapDEKWithECDH(wrapped, recipientPriv) {
+    if (wrapped.length < PUBKEY_LEN + 12 + DEK_SIZE + GCM_TAG) {
+        throw new Error('wrapped DEK too short');
+    }
+    const ephemeralPubBytes = wrapped.subarray(0, PUBKEY_LEN);
+    const remaining = wrapped.subarray(PUBKEY_LEN);
+    const jwk = recipientPriv.export({ format: 'jwk' });
+    if (!jwk.d) {
+        throw new Error('Invalid EC private key');
+    }
+    const ecdh = createECDH('prime256v1');
+    const dBuf = Buffer.from(jwk.d, 'base64url');
+    try {
+        ecdh.setPrivateKey(dBuf);
+        const sharedSecret = ecdh.computeSecret(ephemeralPubBytes);
+        const kek = concatKDFSHA256(sharedSecret, 32, Buffer.from('AES-256-GCM'));
+        sharedSecret.fill(0);
+        const nonceSize = 12;
+        if (remaining.length < nonceSize) {
+            throw new Error('invalid wrapped DEK format');
+        }
+        const nonce = remaining.subarray(0, nonceSize);
+        const ciphertextAndTag = remaining.subarray(nonceSize);
+        if (ciphertextAndTag.length < GCM_TAG) {
+            throw new Error('invalid wrapped DEK format');
+        }
+        const ciphertext = ciphertextAndTag.subarray(0, ciphertextAndTag.length - GCM_TAG);
+        const tag = ciphertextAndTag.subarray(ciphertextAndTag.length - GCM_TAG);
+        const decipher = createDecipheriv('aes-256-gcm', kek, nonce);
+        decipher.setAuthTag(tag);
+        let plaintext;
+        try {
+            plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+        }
+        catch (_err) {
+            throw new Error('DEK unwrap failed');
+        }
+        kek.fill(0);
+        return plaintext;
+    }
+    finally {
+        dBuf.fill(0);
+    }
+}
+function makeNonce(prefix, counter) {
+    const nonce = Buffer.alloc(12);
+    prefix.copy(nonce, 0, 0, 4);
+    nonce.writeBigUInt64LE(counter, 4);
+    return nonce;
+}
+export async function encryptFIPSKEMDEMStream(pub, src, dst) {
+    if (pub.asymmetricKeyType !== 'ec') {
+        throw new Error('only EC keys supported');
+    }
+    const keyDetails = pub.asymmetricKeyDetails;
+    if (!keyDetails || keyDetails.namedCurve !== 'prime256v1') {
+        throw new Error('only P-256 keys supported');
+    }
+    const dek = randomBytes(DEK_SIZE);
+    let buf;
+    const it = src[Symbol.asyncIterator]();
+    try {
+        const wrapped = wrapDEKWithECDH(dek, pub);
+        const baseNonce = Buffer.alloc(12);
+        randomBytes(4).copy(baseNonce, 0);
+        const lenBuf = Buffer.alloc(2);
+        lenBuf.writeUInt16BE(wrapped.length, 0);
+        await writeAsync(dst, lenBuf);
+        await writeAsync(dst, wrapped);
+        await writeAsync(dst, baseNonce);
+        let counter = 0n;
+        let total = 0;
+        const headerAD = Buffer.alloc(2 + 12);
+        headerAD.writeUInt16BE(wrapped.length, 0);
+        baseNonce.copy(headerAD, 2);
+        buf = Buffer.alloc(FRAME);
+        while (true) {
+            const bytesRead = await readFull(it, src, buf);
+            if (bytesRead === 0) {
+                break;
+            }
+            const plaintext = buf.subarray(0, bytesRead);
+            const nonce = makeNonce(baseNonce, counter);
+            const cipher = createCipheriv('aes-256-gcm', dek, nonce);
+            if (counter === 0n) {
+                cipher.setAAD(headerAD);
+            }
+            const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+            const tag = cipher.getAuthTag();
+            const ct = Buffer.concat([ciphertext, tag]);
+            if (ct.length > 0xffff) {
+                throw new Error('ciphertext length exceeds uint16 limit');
+            }
+            const ctLenBuf = Buffer.alloc(2);
+            ctLenBuf.writeUInt16BE(ct.length, 0);
+            await writeAsync(dst, ctLenBuf);
+            await writeAsync(dst, ct);
+            counter++;
+            total += bytesRead;
+            if (bytesRead < FRAME) {
+                break;
+            }
+        }
+        return total;
+    }
+    finally {
+        dek.fill(0);
+        if (buf)
+            buf.fill(0);
+        await it.return?.().catch(() => { });
+    }
+}
+export async function decryptFIPSKEMDEMStream(priv, src, dst) {
+    if (priv.asymmetricKeyType !== 'ec') {
+        throw new Error('only EC keys supported');
+    }
+    const keyDetails = priv.asymmetricKeyDetails;
+    if (!keyDetails || keyDetails.namedCurve !== 'prime256v1') {
+        throw new Error('only P-256 keys supported');
+    }
+    const it = src[Symbol.asyncIterator]();
+    try {
+        const lenBuf = Buffer.alloc(2);
+        await readExact(it, src, lenBuf);
+        const wrappedLen = lenBuf.readUInt16BE(0);
+        if (wrappedLen === 0 || wrappedLen > 200) {
+            throw new Error('invalid wrapped DEK length');
+        }
+        const wrapped = Buffer.alloc(wrappedLen);
+        await readExact(it, src, wrapped);
+        const baseNonce = Buffer.alloc(12);
+        await readExact(it, src, baseNonce);
+        const dek = unwrapDEKWithECDH(wrapped, priv);
+        try {
+            let counter = 0n;
+            let total = 0;
+            const headerAD = Buffer.alloc(2 + 12);
+            headerAD.writeUInt16BE(wrappedLen, 0);
+            baseNonce.copy(headerAD, 2);
+            while (true) {
+                const chunkLenBuf = Buffer.alloc(2);
+                const chunkLenRead = await readUpTo(it, src, chunkLenBuf);
+                if (chunkLenRead === 0) {
+                    break;
+                }
+                if (chunkLenRead < 2) {
+                    throw new Error('unexpected EOF reading chunk length');
+                }
+                const chunkLen = chunkLenBuf.readUInt16BE(0);
+                if (chunkLen > FRAME + GCM_TAG) {
+                    throw new Error('chunk too large');
+                }
+                const cipherBuf = Buffer.alloc(chunkLen);
+                await readExact(it, src, cipherBuf);
+                if (cipherBuf.length < GCM_TAG) {
+                    throw new Error('chunk too short for auth tag');
+                }
+                const ciphertext = cipherBuf.subarray(0, cipherBuf.length - GCM_TAG);
+                const tag = cipherBuf.subarray(cipherBuf.length - GCM_TAG);
+                const nonce = makeNonce(baseNonce, counter);
+                const decipher = createDecipheriv('aes-256-gcm', dek, nonce);
+                decipher.setAuthTag(tag);
+                if (counter === 0n) {
+                    decipher.setAAD(headerAD);
+                }
+                let plain;
+                try {
+                    plain = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+                }
+                catch (err) {
+                    cipherBuf.fill(0);
+                    throw err;
+                }
+                cipherBuf.fill(0);
+                await writeAsync(dst, plain);
+                counter++;
+                total += plain.length;
+            }
+            return total;
+        }
+        finally {
+            dek.fill(0);
+        }
+    }
+    finally {
+        await it.return?.().catch(() => { });
+    }
+}
+async function writeAsync(stream, chunk) {
+    return new Promise((resolve, reject) => {
+        let callbackCompleted = false;
+        let drainOccurred = false;
+        const cleanup = () => {
+            stream.off('drain', onDrain);
+            stream.off('error', onError);
+        };
+        const tryResolve = () => {
+            if (callbackCompleted && (canContinue || drainOccurred)) {
+                cleanup();
+                resolve();
+            }
+        };
+        const onDrain = () => {
+            drainOccurred = true;
+            tryResolve();
+        };
+        const onError = (err) => {
+            cleanup();
+            reject(err);
+        };
+        const canContinue = stream.write(chunk, (err) => {
+            callbackCompleted = true;
+            if (err) {
+                cleanup();
+                reject(err);
+            }
+            else {
+                tryResolve();
+            }
+        });
+        if (!canContinue) {
+            // Need to wait for drain - attach listeners
+            stream.once('drain', onDrain);
+            stream.once('error', onError);
+        }
+    });
+}
+async function readFull(iterator, stream, buf) {
+    let offset = 0;
+    while (offset < buf.length) {
+        const result = await iterator.next();
+        if (result.done) {
+            break;
+        }
+        const chunk = result.value;
+        const chunkBuf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+        const toCopy = Math.min(chunkBuf.length, buf.length - offset);
+        chunkBuf.copy(buf, offset, 0, toCopy);
+        offset += toCopy;
+        if (offset >= buf.length && toCopy < chunkBuf.length) {
+            stream.unshift(chunkBuf.subarray(toCopy));
+            break;
+        }
+    }
+    return offset;
+}
+async function readExact(iterator, stream, buf) {
+    let offset = 0;
+    while (offset < buf.length) {
+        const result = await iterator.next();
+        if (result.done) {
+            throw new Error('unexpected EOF');
+        }
+        const chunk = result.value;
+        const chunkBuf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+        const toCopy = Math.min(chunkBuf.length, buf.length - offset);
+        chunkBuf.copy(buf, offset, 0, toCopy);
+        offset += toCopy;
+        if (offset >= buf.length && toCopy < chunkBuf.length) {
+            stream.unshift(chunkBuf.subarray(toCopy));
+            break;
+        }
+    }
+}
+async function readUpTo(iterator, stream, buf) {
+    const result = await iterator.next();
+    if (result.done) {
+        return 0;
+    }
+    const chunk = result.value;
+    const chunkBuf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+    const toCopy = Math.min(chunkBuf.length, buf.length);
+    chunkBuf.copy(buf, 0, 0, toCopy);
+    if (toCopy < chunkBuf.length) {
+        stream.unshift(chunkBuf.subarray(toCopy));
+    }
+    return toCopy;
+}
+//# sourceMappingURL=box.js.map

package/dist/crypto/box.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"box.js","sourceRoot":"","sources":["../../src/crypto/box.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2DG;AAEH,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,UAAU,EAAE,WAAW,EAAa,MAAM,aAAa,CAAC;AAEnG,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,KAAK,GAAG,KAAK,CAAC;AACpB,MAAM,QAAQ,GAAG,EAAE,CAAC;AACpB,MAAM,OAAO,GAAG,EAAE,CAAC;AACnB,MAAM,UAAU,GAAG,EAAE,CAAC;AAEtB,SAAS,eAAe,CAAC,CAAS,EAAE,UAAkB,EAAE,GAAG,SAAmB;IAC7E,MAAM,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;IAChD,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACZ,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC9B,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC;IACD,MAAM,cAAc,GAAG,UAAU,GAAG,CAAC,CAAC;IACtC,CAAC,CAAC,MAAM,CACP,MAAM,CAAC,IAAI,CAAC;QACX,CAAC,cAAc,IAAI,EAAE,CAAC,GAAG,IAAI;QAC7B,CAAC,cAAc,IAAI,EAAE,CAAC,GAAG,IAAI;QAC7B,CAAC,cAAc,IAAI,CAAC,CAAC,GAAG,IAAI;QAC5B,cAAc,GAAG,IAAI;KACrB,CAAC,CACF,CAAC;IACF,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;AACnB,CAAC;AAED,SAAS,eAAe,CAAC,GAAW,EAAE,YAAuB;IAC5D,MAAM,SAAS,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IAC3C,SAAS,CAAC,YAAY,EAAE,CAAC;IAEzB,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACnD,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;IAErE,MAAM,YAAY,GAAG,SAAS,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;IAC1D,MAAM,GAAG,GAAG,eAAe,CAAC,YAAY,EAAE,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC;IAC1E,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAErB,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IACzD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACvE,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEZ,MAAM,iBAAiB,GAAG,SAAS,CAAC,YAAY,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;IAC5E,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,iBAAiB,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC;AACnE,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAe,EAAE,aAAwB;IACnE,IAAI,OAAO,CAAC,MAAM,GAAG,UAAU,GAAG,EAAE,GAAG,QAAQ,GAAG,OAAO,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IAC1D,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAE/C,MAAM,GAAG,GAAG,aAAa,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACpD,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;IAE7C,IAAI,CAAC;QACJ,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;QAEzB,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC,iBAAiB,CAAC,CAAC;QAC3D,MAAM,GAAG,GAAG,eAAe,CAAC,YAAY,EAAE,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC;QAC1E,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAErB,MAAM,SAAS,GAAG,EAAE,CAAC;QACrB,IAAI,SAAS,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,KAAK,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QAC/C,MAAM,gBAAgB,GAAG,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAEvD,IAAI,gBAAgB,CAAC,MAAM,GAAG,OAAO,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC,EAAE,gBAAgB,CAAC,MAAM,GAAG,OAAO,CAAC,CAAC;QACnF,MAAM,GAAG,GAAG,gBAAgB,CAAC,QAAQ,CAAC,gBAAgB,CAAC,MAAM,GAAG,OAAO,CAAC,CAAC;QAEzE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QAC7D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QAEzB,IAAI,SAAiB,CAAC;QACtB,IAAI,CAAC;YACJ,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC5E,CAAC;QAAC,OAAO,IAAI,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACtC,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACZ,OAAO,SAAS,CAAC;IAClB,CAAC;YAAS,CAAC;QACV,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACd,CAAC;AACF,CAAC;AAED,SAAS,SAAS,CAAC,MAAc,EAAE,OAAe;IACjD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC/B,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;IAC5B,KAAK,CAAC,gBAAgB,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IACnC,OAAO,KAAK,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC5C,GAAc,EACd,GAAa,EACb,GAAa;IAEb,IAAI,GAAG,CAAC,iBAAiB,KAAK,IAAI,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC3C,CAAC;IACD,MAAM,UAAU,GAAG,GAAG,CAAC,oBAAoB,CAAC;IAC5C,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,UAAU,KAAK,YAAY,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,GAAG,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;IAClC,IAAI,GAAuB,CAAC;IAC5B,MAAM,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;IAEvC,IAAI,CAAC;QACJ,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAE1C,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACnC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QAElC,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACxC,MAAM,UAAU,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAC9B,MAAM,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC/B,MAAM,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAEjC,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,KAAK,GAAG,CAAC,CAAC;QAEd,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;QACtC,QAAQ,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAC1C,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QAE5B,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAE1B,OAAO,IAAI,EAAE,CAAC;YACb,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;YAC/C,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;gBACrB,MAAM;YACP,CAAC;YAED,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;YAC7C,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YAE5C,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAEzD,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;gBACpB,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;YAED,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAC7E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YAChC,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC;YAE5C,IAAI,EAAE,CAAC,MAAM,GAAG,MAAM,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAC3D,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACjC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YACrC,MAAM,UAAU,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YAChC,MAAM,UAAU,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YAE1B,OAAO,EAAE,CAAC;YACV,KAAK,IAAI,SAAS,CAAC;YAEnB,IAAI,SAAS,GAAG,KAAK,EAAE,CAAC;gBACvB,MAAM;YACP,CAAC;QACF,CAAC;QAED,OAAO,KAAK,CAAC;IACd,CAAC;YAAS,CAAC;QACV,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACZ,IAAI,GAAG;YAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrB,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IACrC,CAAC;AACF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC5C,IAAe,EACf,GAAa,EACb,GAAa;IAEb,IAAI,IAAI,CAAC,iBAAiB,KAAK,IAAI,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC3C,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,CAAC,oBAAoB,CAAC;IAC7C,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,UAAU,KAAK,YAAY,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC;IAEvC,IAAI,CAAC;QACJ,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,SAAS,CAAC,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;QACjC,MAAM,UAAU,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAE1C,IAAI,UAAU,KAAK,CAAC,IAAI,UAAU,GAAG,GAAG,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACzC,MAAM,SAAS,CAAC,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAElC,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACnC,MAAM,SAAS,CAAC,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;QAEpC,MAAM,GAAG,GAAG,iBAAiB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAE7C,IAAI,CAAC;YACJ,IAAI,OAAO,GAAG,EAAE,CAAC;YACjB,IAAI,KAAK,GAAG,CAAC,CAAC;YAEd,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;YACtC,QAAQ,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;YACtC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;YAE5B,OAAO,IAAI,EAAE,CAAC;gBACb,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACpC,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,EAAE,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;gBAC1D,IAAI,YAAY,KAAK,CAAC,EAAE,CAAC;oBACxB,MAAM;gBACP,CAAC;gBACD,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;oBACtB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;gBACxD,CAAC;gBAED,MAAM,QAAQ,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;gBAC7C,IAAI,QAAQ,GAAG,KAAK,GAAG,OAAO,EAAE,CAAC;oBAChC,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;gBACpC,CAAC;gBAED,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;gBACzC,MAAM,SAAS,CAAC,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;gBAEpC,IAAI,SAAS,CAAC,MAAM,GAAG,OAAO,EAAE,CAAC;oBAChC,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;gBACjD,CAAC;gBAED,MAAM,UAAU,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,MAAM,GAAG,OAAO,CAAC,CAAC;gBACrE,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,GAAG,OAAO,CAAC,CAAC;gBAE3D,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;gBAC5C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;gBAC7D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;gBAEzB,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;oBACpB,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;gBAC3B,CAAC;gBAED,IAAI,KAAa,CAAC;gBAClB,IAAI,CAAC;oBACJ,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;gBACxE,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACd,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;oBAClB,MAAM,GAAG,CAAC;gBACX,CAAC;gBAED,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAElB,MAAM,UAAU,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;gBAC7B,OAAO,EAAE,CAAC;gBACV,KAAK,IAAI,KAAK,CAAC,MAAM,CAAC;YACvB,CAAC;YAED,OAAO,KAAK,CAAC;QACd,CAAC;gBAAS,CAAC;YACV,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACb,CAAC;IACF,CAAC;YAAS,CAAC;QACV,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IACrC,CAAC;AACF,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,MAAgB,EAAE,KAAa;IACxD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACtC,IAAI,iBAAiB,GAAG,KAAK,CAAC;QAC9B,IAAI,aAAa,GAAG,KAAK,CAAC;QAE1B,MAAM,OAAO,GAAG,GAAG,EAAE;YACpB,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAC7B,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC9B,CAAC,CAAC;QAEF,MAAM,UAAU,GAAG,GAAG,EAAE;YACvB,IAAI,iBAAiB,IAAI,CAAC,WAAW,IAAI,aAAa,CAAC,EAAE,CAAC;gBACzD,OAAO,EAAE,CAAC;gBACV,OAAO,EAAE,CAAC;YACX,CAAC;QACF,CAAC,CAAC;QAEF,MAAM,OAAO,GAAG,GAAG,EAAE;YACpB,aAAa,GAAG,IAAI,CAAC;YACrB,UAAU,EAAE,CAAC;QACd,CAAC,CAAC;QAEF,MAAM,OAAO,GAAG,CAAC,GAAU,EAAE,EAAE;YAC9B,OAAO,EAAE,CAAC;YACV,MAAM,CAAC,GAAG,CAAC,CAAC;QACb,CAAC,CAAC;QAEF,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,GAAG,EAAE,EAAE;YAC/C,iBAAiB,GAAG,IAAI,CAAC;YACzB,IAAI,GAAG,EAAE,CAAC;gBACT,OAAO,EAAE,CAAC;gBACV,MAAM,CAAC,GAAG,CAAC,CAAC;YACb,CAAC;iBAAM,CAAC;gBACP,UAAU,EAAE,CAAC;YACd,CAAC;QACF,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,WAAW,EAAE,CAAC;YAClB,4CAA4C;YAC5C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC/B,CAAC;IACF,CAAC,CAAC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,QAAQ,CACtB,QAAwC,EACxC,MAAgB,EAChB,GAAW;IAEX,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,OAAO,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACrC,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,MAAM;QACP,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;QAC9D,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC;QAEjB,IAAI,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,MAAM,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC;YACtD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YAC1C,MAAM;QACP,CAAC;IACF,CAAC;IAED,OAAO,MAAM,CAAC;AACf,CAAC;AAED,KAAK,UAAU,SAAS,CACvB,QAAwC,EACxC,MAAgB,EAChB,GAAW;IAEX,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,OAAO,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACrC,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;QACnC,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;QAC9D,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC;QAEjB,IAAI,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,MAAM,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC;YACtD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YAC1C,MAAM;QACP,CAAC;IACF,CAAC;AACF,CAAC;AAED,KAAK,UAAU,QAAQ,CACtB,QAAwC,EACxC,MAAgB,EAChB,GAAW;IAEX,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACrC,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QACjB,OAAO,CAAC,CAAC;IACV,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;IAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACrE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACrD,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;IAEjC,IAAI,MAAM,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IAC3C,CAAC;IAED,OAAO,MAAM,CAAC;AACf,CAAC"}