@agirails/sdk 4.4.9 → 4.5.2

package/dist/delivery/nonce-keys.js

@@ -0,0 +1,88 @@
+"use strict";
+/**
+ * AIP-16 Delivery — Per-Builder Nonce Key Constants
+ * ===================================================
+ *
+ * The AGIRAILS delivery surface (AIP-16 Rev 5) uses two SEPARATE nonce
+ * spaces, one for the buyer-signed *setup* message and one for the
+ * provider-signed *envelope* message. These are deliberately distinct
+ * from the AIP-4 delivery-proof nonce key (`agirails.delivery.v1`) and
+ * from each other, so that:
+ *
+ *   1. A nonce burned for a setup message cannot be replayed as an
+ *      envelope message (per-builder replay separation).
+ *   2. A nonce burned for an AIP-4 delivery proof cannot collide with
+ *      the AIP-16 setup/envelope nonce spaces (cross-feature isolation).
+ *   3. The on-disk persistence file (`.actp/nonces.json`) keeps a
+ *      clean, auditable per-key monotonic counter.
+ *
+ * Why per-builder separation matters (audit context):
+ * ----------------------------------------------------
+ * The existing `NonceManager` (`src/utils/NonceManager.ts`) keys nonces
+ * by *message-type string*. There is no central registry of known keys
+ * — any string is accepted. This file therefore acts as the canonical,
+ * type-safe constant source for AIP-16's two delivery nonce keys, so
+ * call sites (setup builder, envelope builder, future replay-cache
+ * server) all reach for the SAME literal and the TypeScript `as const`
+ * narrowing prevents silent drift.
+ *
+ * Reuse, NOT replace:
+ * -------------------
+ * These constants are intended to be passed straight into the existing
+ * `NonceManager` API (`getNextNonce`, `getAndIncrementNonce`,
+ * `recordNonce`, etc.) — they introduce no new manager, no new storage
+ * layer, and no behavioural change. They simply give the delivery layer
+ * a single authoritative spelling of its two nonce-key strings.
+ *
+ * @example Use with the existing nonce manager
+ * ```typescript
+ * import { createNonceManager } from '../utils/NonceManager';
+ * import {
+ *   DELIVERY_NONCE_KEY_SETUP,
+ *   DELIVERY_NONCE_KEY_ENVELOPE,
+ * } from './nonce-keys';
+ *
+ * const nonces = createNonceManager({ stateDirectory: process.cwd() });
+ *
+ * // Buyer setup signing path:
+ * const setupNonce = await (nonces as any).getAndIncrementNonce(
+ *   DELIVERY_NONCE_KEY_SETUP,
+ * );
+ *
+ * // Provider envelope signing path (independent counter):
+ * const envelopeNonce = await (nonces as any).getAndIncrementNonce(
+ *   DELIVERY_NONCE_KEY_ENVELOPE,
+ * );
+ * ```
+ *
+ * Reference: AIP-16 Rev 5 §replay-protection, §nonce-spaces
+ *
+ * @module delivery/nonce-keys
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DELIVERY_NONCE_KEY_ENVELOPE = exports.DELIVERY_NONCE_KEY_SETUP = void 0;
+/**
+ * Nonce key for buyer-signed AIP-16 delivery *setup* messages.
+ *
+ * Distinct from {@link DELIVERY_NONCE_KEY_ENVELOPE} (per-builder
+ * separation) and from the AIP-4 delivery-proof key
+ * `agirails.delivery.v1` (cross-feature separation).
+ *
+ * The `.v1` suffix matches the EIP-712 domain version for the v1
+ * delivery surface; a future v2 would introduce a new key string
+ * rather than incrementing in place.
+ */
+exports.DELIVERY_NONCE_KEY_SETUP = 'agirails.delivery.setup.v1';
+/**
+ * Nonce key for provider-signed AIP-16 delivery *envelope* messages.
+ *
+ * Distinct from {@link DELIVERY_NONCE_KEY_SETUP} (per-builder
+ * separation) and from the AIP-4 delivery-proof key
+ * `agirails.delivery.v1` (cross-feature separation).
+ *
+ * The `.v1` suffix matches the EIP-712 domain version for the v1
+ * delivery surface; a future v2 would introduce a new key string
+ * rather than incrementing in place.
+ */
+exports.DELIVERY_NONCE_KEY_ENVELOPE = 'agirails.delivery.envelope.v1';
+//# sourceMappingURL=nonce-keys.js.map

package/dist/delivery/nonce-keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nonce-keys.js","sourceRoot":"","sources":["../../src/delivery/nonce-keys.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2DG;;;AAEH;;;;;;;;;;GAUG;AACU,QAAA,wBAAwB,GAAG,4BAAqC,CAAC;AAE9E;;;;;;;;;;GAUG;AACU,QAAA,2BAA2B,GAAG,+BAAwC,CAAC"}

package/dist/delivery/setupBuilder.d.ts

@@ -0,0 +1,403 @@
+/**
+ * AIP-16 Delivery Surface — Buyer Setup Builder + Verifier (Phase 2b)
+ * =====================================================================
+ *
+ * Constructs and verifies the buyer-signed `DeliverySetupV1` payload —
+ * the first artifact of the AIP-16 Rev 5 delivery surface. The buyer
+ * (requester) posts this signed object to the delivery channel after
+ * the on-chain transaction reaches `COMMITTED`, declaring:
+ *
+ *  - which kernel + chain the delivery is bound to,
+ *  - which on-chain identity is acting as the requester,
+ *  - which EOA produced the signature (smart-wallet two-step auth),
+ *  - the buyer's ephemeral X25519 pubkey (or canonical-empty for `public`),
+ *  - which channels the buyer accepts the envelope on,
+ *  - the privacy posture the buyer expects,
+ *  - and a creation timestamp + expiry for replay / staleness bounds.
+ *
+ * ## Builder shape
+ *
+ * Per the AIP-16 builder convention (and consistent with `QuoteBuilder`,
+ * `CounterOfferBuilder`, etc.):
+ *
+ *  - `constructor(signer?, nonceManager?)` — both optional. A signer is
+ *    REQUIRED for `build()`; `verify()` and `computeHash()` need
+ *    neither, so verifying SDKs (relays, peer endpoints, dispute
+ *    workers) can instantiate a no-arg builder.
+ *
+ *  - `build()` is `async` because EIP-712 signing is async on real
+ *    wallets (`Wallet.signTypedData` returns a `Promise`).
+ *
+ *  - `verify()` and `computeHash()` are `static` — they take a wire
+ *    object and need no builder state. This mirrors the existing
+ *    `DeliveryProofBuilder` static-verify pattern.
+ *
+ * ## Smart-wallet two-step auth (DEC-10 / V2 receipts pattern)
+ *
+ * `requesterAddress` (the on-chain participant) and `signerAddress`
+ * (the EOA that produced the signature) are accepted SEPARATELY and
+ * are NOT derived from each other in this layer. When AutoWallet
+ * (AIP-12 Tier 1) is active, `requesterAddress` is the Smart Wallet
+ * contract and `signerAddress` is the controlling EOA; the SMART-WALLET
+ * DERIVATION (`computeSmartWalletFromSigner(signerAddress) ===
+ * requesterAddress`) is the SERVER'S responsibility, not the SDK's.
+ * Doing it here would silently couple the SDK to the Coinbase Smart
+ * Wallet factory ABI and break in cross-vendor flows.
+ *
+ * What the SDK DOES enforce in `build()` is the cheaper invariant:
+ * `signerAddress` MUST equal the address of the supplied `signer`.
+ * That catches the most common bug (caller passes the wrong
+ * `signerAddress`) without making assumptions about the participant.
+ *
+ * ## Nonce manager use
+ *
+ * The signed `DeliverySetupV1` schema has NO `nonce` field — replay
+ * binding is provided by `txId` (one tx per setup) and timestamps
+ * (`createdAt` / `expiresAt`). The `NonceManager` is still touched
+ * here so we have one place to hook future per-builder counters if
+ * the spec evolves; we use {@link DELIVERY_NONCE_KEY_SETUP} (distinct
+ * from the envelope key and the AIP-4 delivery-proof key) and the
+ * returned counter is reported back to the caller via
+ * {@link BuildSetupResult.nonceManagerKey} so the caller can audit
+ * the path was reached. Because the value is not signed, we tolerate
+ * a missing `NonceManager` gracefully — `build()` does NOT throw on
+ * undefined `nonceManager`, it simply skips the counter bump.
+ *
+ * ## Verification order
+ *
+ * `verify()` is `static` and runs checks in a fixed coarse → fine
+ * order, short-circuiting at the first failure with a stable
+ * structured code. The order is chosen so that cheap, unambiguous
+ * defects are reported BEFORE the more expensive signature recovery,
+ * but also so that signature failures are reported before policy
+ * failures (timestamp skew, expiry) — a forged signature is a more
+ * severe class of error and we want the caller to see it first.
+ *
+ * @module delivery/setupBuilder
+ * @see ./types — signed/wire interfaces and `BuildSetupResult`.
+ * @see ./eip712 — domain, types, and `recoverSetupSigner`.
+ * @see ./validate — `validateSetupWire` (structural validation).
+ * @see ./nonce-keys — `DELIVERY_NONCE_KEY_SETUP`.
+ */
+import { type Signer } from 'ethers';
+import type { NonceManager } from '../utils/NonceManager';
+import { type BuildSetupResult, type DeliveryPrivacy, type DeliverySetupSignedV1, type DeliverySetupWireV1 } from './types';
+/**
+ * Default expiry, in seconds, applied when callers omit `expiresInSec`.
+ *
+ * 3600 (1 hour) matches the negotiation-layer default and is bounded
+ * by the relay's accepted-setup TTL. Callers facing high-latency
+ * counterparties may pass an explicit larger value, but the relay
+ * SHOULD cap at its own policy ceiling.
+ */
+export declare const DEFAULT_SETUP_EXPIRY_SEC = 3600;
+/**
+ * Maximum tolerated clock-skew, in seconds, between the signed
+ * `createdAt` and the verifier's wall clock. Symmetric (past + future).
+ *
+ * 900s (15 min) matches the receipts-V2 freshness window and the
+ * AIP-3 anchor-receipt skew bound. Tighter would penalize NTP-skewed
+ * client machines; looser would meaningfully extend the replay
+ * window an attacker has to work with a leaked setup.
+ */
+export declare const SETUP_TIMESTAMP_SKEW_SEC = 900;
+/**
+ * Default v1 channel list applied when callers omit `acceptedChannels`.
+ *
+ * The v1 channel registry has exactly one entry; future channels MUST
+ * be added by callers explicitly so that channel-selection is always
+ * an intentional choice, not a hidden default.
+ */
+export declare const DEFAULT_ACCEPTED_CHANNELS: readonly string[];
+/**
+ * Replace the wall-clock implementation used inside this module.
+ *
+ * **TEST-ONLY.** Production code MUST NOT call this. The function is
+ * exported because Jest spies cannot intercept top-level `let`
+ * assignments cleanly across ESM/CJS boundaries; an explicit setter
+ * keeps the seam visible and grep-able.
+ *
+ * Pass `null` (or call {@link resetSecondsNowForTests}) to restore
+ * the real wall-clock implementation.
+ *
+ * @param impl - Replacement function returning Unix seconds, or `null`
+ *   to restore the default real-clock implementation.
+ *
+ * @example
+ * ```typescript
+ * setSecondsNowForTests(() => 1_750_000_000);
+ * try {
+ *   const { wire } = await new DeliverySetupBuilder(wallet).build(params);
+ *   expect(wire.signed.createdAt).toBe(1_750_000_000);
+ * } finally {
+ *   resetSecondsNowForTests();
+ * }
+ * ```
+ */
+export declare function setSecondsNowForTests(impl: (() => number) | null): void;
+/**
+ * Restore {@link secondsNow} to its default real-clock implementation.
+ *
+ * **TEST-ONLY.** Called from `afterEach` blocks; safe to call when no
+ * override is active.
+ */
+export declare function resetSecondsNowForTests(): void;
+/**
+ * Parameters accepted by {@link DeliverySetupBuilder.build}.
+ *
+ * Every field is explicit — no implicit derivation of one address
+ * from another. In particular, `requesterAddress` and `signerAddress`
+ * are passed SEPARATELY so the SDK is agnostic to which Smart Wallet
+ * factory the caller is using (see DEC-10 / V2 receipts pattern).
+ */
+export interface BuildSetupParams {
+    /**
+     * On-chain transaction id this setup is bound to.
+     * 32-byte hex-encoded value (`0x` + 64 hex chars).
+     */
+    txId: `0x${string}`;
+    /**
+     * EVM chain id (e.g. `8453` for Base mainnet, `84532` for Base Sepolia).
+     * Encoded into BOTH the EIP-712 domain and the signed payload.
+     */
+    chainId: number;
+    /**
+     * Address of the ACTP kernel contract on `chainId`. Becomes the
+     * EIP-712 `verifyingContract`.
+     */
+    kernelAddress: `0x${string}`;
+    /**
+     * On-chain identity acting as the requester. Smart-wallet flows pass
+     * the Smart Wallet address here; non-smart-wallet flows pass the EOA.
+     * The SDK does NOT derive this from `signer` — callers must supply it.
+     */
+    requesterAddress: `0x${string}`;
+    /**
+     * EOA address that will produce the signature. MUST equal
+     * `await signer.getAddress()` — `build()` enforces this and throws
+     * a {@link DeliveryEip712Error} on mismatch.
+     */
+    signerAddress: `0x${string}`;
+    /**
+     * Buyer-side ephemeral X25519 public key as 32-byte hex.
+     *
+     * For `expectedPrivacy: "encrypted"`: a freshly generated X25519
+     * pubkey whose private key is held in memory by the requester
+     * (forward secrecy w.r.t. requester long-term keys).
+     *
+     * For `expectedPrivacy: "public"`: MUST be {@link CANONICAL_EMPTY_BYTES32}.
+     * `build()` enforces the canonical-empty rule on this field.
+     */
+    buyerEphemeralPubkey: `0x${string}`;
+    /**
+     * Ordered list of delivery channels the buyer is willing to accept
+     * the envelope on. Defaults to {@link DEFAULT_ACCEPTED_CHANNELS}
+     * (`["agirails-relay-v1"]`) when omitted.
+     */
+    acceptedChannels?: string[];
+    /**
+     * Privacy posture the buyer expects. The provider MUST select a
+     * `DeliveryScheme` consistent with this value.
+     */
+    expectedPrivacy: DeliveryPrivacy;
+    /**
+     * Validity window for this setup, in seconds. Default
+     * {@link DEFAULT_SETUP_EXPIRY_SEC} (3600 = 1 hour).
+     * `expiresAt` is computed as `createdAt + expiresInSec`.
+     */
+    expiresInSec?: number;
+    /**
+     * Override the `createdAt` timestamp. Defaults to {@link secondsNow}.
+     * Tests SHOULD pass an explicit value here for determinism rather
+     * than relying on {@link setSecondsNowForTests}; the test-clock
+     * setter is for callers that cannot reach into the params object
+     * (e.g. higher-level helpers that wrap the builder).
+     */
+    createdAt?: number;
+    /**
+     * CoinbaseSmartWallet factory nonce used to derive `requesterAddress`
+     * from `signerAddress`. Defaults to `0` (the first wallet per owner).
+     *
+     * H4 fix (AIP-16 Phase 3 HIGH): callers whose Smart Wallet was
+     * deployed at a non-zero factory nonce MUST pass that nonce here so
+     * the server's smart-wallet derivation lands on the correct address.
+     * Omitting it (or passing `0`) reproduces the legacy behavior, which
+     * is correct for the vast majority of callers (auto-wallet always
+     * deploys at nonce=0).
+     *
+     * Must be a non-negative integer in the `uint256` range; `build()`
+     * rejects negative or non-integer values with `BUILDER_INVALID_SMART_WALLET_NONCE`.
+     */
+    smartWalletNonce?: number;
+}
+/**
+ * Builder + verifier for AIP-16 delivery setup messages.
+ *
+ * Instances are cheap to construct and have no I/O side effects.
+ * `verify()` and `computeHash()` are static — call them without
+ * constructing an instance.
+ *
+ * @example Buyer signing flow
+ * ```typescript
+ * const builder = new DeliverySetupBuilder(wallet, nonceManager);
+ * const { wire } = await builder.build({
+ *   txId,
+ *   chainId: 84532,
+ *   kernelAddress: KERNEL,
+ *   requesterAddress: SMART_WALLET,
+ *   signerAddress: EOA,
+ *   buyerEphemeralPubkey: '0x' + 'aa'.repeat(32),
+ *   expectedPrivacy: 'encrypted',
+ * });
+ * await postToRelay(wire);
+ * ```
+ *
+ * @example Provider verification flow
+ * ```typescript
+ * const result = DeliverySetupBuilder.verify(wire, {
+ *   expectedKernelAddress: KERNEL,
+ *   expectedChainId: 84532,
+ * });
+ * if (!result.ok) {
+ *   throw new Error(`Setup verification failed: ${result.code}`);
+ * }
+ * const setup = result.signed;
+ * ```
+ */
+export declare class DeliverySetupBuilder {
+    private readonly signer?;
+    private readonly nonceManager?;
+    /**
+     * Construct a new builder.
+     *
+     * @param signer - EOA signer required for {@link build}. Pass `undefined`
+     *   to construct a verify-only instance; `verify()` and `computeHash()`
+     *   are static and do not need a builder instance at all, but a
+     *   no-arg constructor is supported for symmetry with peer builders.
+     * @param nonceManager - Optional nonce manager. The v1 setup schema
+     *   has no `nonce` field, so this is purely an audit hook today;
+     *   when supplied, `build()` calls `getNextNonce(DELIVERY_NONCE_KEY_SETUP)`
+     *   to advance the counter. Missing manager is tolerated.
+     */
+    constructor(signer?: Signer, nonceManager?: NonceManager);
+    /**
+     * Construct, sign, and return a {@link DeliverySetupWireV1}.
+     *
+     * Pre-checks:
+     *  - signer MUST be present (throws `BUILDER_NO_SIGNER` otherwise).
+     *  - `signerAddress` MUST equal `await signer.getAddress()`
+     *    (throws `BUILDER_SIGNER_ADDRESS_MISMATCH` otherwise).
+     *  - For `expectedPrivacy: "public"`, `buyerEphemeralPubkey` MUST equal
+     *    {@link CANONICAL_EMPTY_BYTES32}.
+     *  - For `expectedPrivacy: "encrypted"`, `buyerEphemeralPubkey` MUST NOT
+     *    be {@link CANONICAL_EMPTY_BYTES32} (a zero X25519 public key is
+     *    rejected by RFC 7748 §6.1 anyway, but we surface a clearer error).
+     *  - `expiresInSec` (when supplied) must be a positive integer.
+     *
+     * Signing:
+     *  - Uses `signer.signTypedData(domain, types, signed)` with the
+     *    canonical delivery EIP-712 domain anchored to `kernelAddress`.
+     *
+     * Nonce manager:
+     *  - When supplied, `getNextNonce(DELIVERY_NONCE_KEY_SETUP)` is called
+     *    purely for audit / future-compat. The returned counter is NOT
+     *    encoded into the signed payload (the v1 schema has no nonce
+     *    field) and the caller MAY ignore `nonceManagerKey` in the result.
+     *
+     * @param params - {@link BuildSetupParams}.
+     * @returns A {@link BuildSetupResult} carrying the signed wire object
+     *   and the nonce-manager key that was touched (always
+     *   {@link DELIVERY_NONCE_KEY_SETUP} for v1).
+     * @throws {DeliveryEip712Error} on signer absence, signer/address
+     *   mismatch, or canonical-empty rule violation.
+     */
+    build(params: BuildSetupParams): Promise<BuildSetupResult>;
+    /**
+     * Verify a {@link DeliverySetupWireV1} received from the relay.
+     *
+     * Check order (first failure short-circuits, with a stable code):
+     *
+     *  1. `validateSetupWire(wire)` — top-level shape + all field-level
+     *     invariants (positive chainId, valid addresses, bytes32 shape on
+     *     `buyerEphemeralPubkey`, non-empty acceptedChannels, valid
+     *     `expectedPrivacy`, positive timestamps, `expiresAt > createdAt`,
+     *     valid signature shape). On failure: code = `setup_signature_invalid`,
+     *     error = the validator's identifier.
+     *
+     *  2. `signed.chainId === expectedChainId` — else `setup_chain_mismatch`.
+     *
+     *  3. `signed.kernelAddress` (lowercased) === `expectedKernelAddress`
+     *     (lowercased) — else `setup_kernel_mismatch`. This is the
+     *     allowlist anchor: callers MUST pass the kernel address they
+     *     trust on the target chain; passing the payload's own kernel
+     *     would defeat the allowlist (an attacker could sign under any
+     *     kernel).
+     *
+     *  4. `recoverSetupSigner(signed, requesterSig, expectedKernelAddress)`
+     *     (lowercased) === `signed.signerAddress` (lowercased). NOTE:
+     *     recovery uses `expectedKernelAddress`, NOT `signed.kernelAddress`
+     *     — at this point we've already enforced they match in step 3,
+     *     but using the trusted value defends against future code
+     *     refactors that might accidentally drop step 3. On failure:
+     *     `setup_signature_invalid`.
+     *
+     *  5. Timestamp skew: `|now - createdAt| <= SETUP_TIMESTAMP_SKEW_SEC`
+     *     — else `setup_timestamp_skew`. Symmetric to catch both
+     *     past-replays and forward-dated forgeries.
+     *
+     *  6. Expiry: `expiresAt > now` — else `setup_expired`. Strict `>`
+     *     (not `>=`) so a setup exactly at its expiry second is
+     *     considered expired.
+     *
+     * Smart-wallet equality between `signerAddress` and `requesterAddress`
+     * is intentionally NOT performed here — that's the verifier's
+     * responsibility (server side, V2 receipts pattern, DEC-10).
+     *
+     * @param wire - The wire object received from the relay.
+     * @param opts.expectedKernelAddress - Trusted kernel address for the
+     *   target chain (from the verifier's allowlist).
+     * @param opts.expectedChainId - Trusted chainId for the target chain.
+     * @param opts.now - Override for the verifier's wall clock (Unix
+     *   seconds). Tests use this to drive timestamp-skew and expiry paths
+     *   deterministically; production callers SHOULD omit it.
+     * @returns `{ ok: true, signed }` on success, `{ ok: false, code, error }`
+     *   on failure.
+     */
+    static verify(wire: DeliverySetupWireV1, opts: {
+        expectedKernelAddress: string;
+        expectedChainId: number;
+        now?: number;
+    }): {
+        ok: true;
+        signed: DeliverySetupSignedV1;
+    } | {
+        ok: false;
+        code: string;
+        error: string;
+    };
+    /**
+     * Compute a stable, cross-SDK identifier for a setup wire object.
+     *
+     * The hash is `keccak256(utf8Bytes(canonicalJsonStringify(wire.signed)))`:
+     *
+     *  - canonical JSON (sorted keys, no whitespace) guarantees
+     *    byte-for-byte identical input across SDK languages,
+     *  - `keccak256` matches the on-chain hashing convention,
+     *  - hashing the SIGNED projection (not the full wire) excludes the
+     *    signature and any `serverMeta` so the hash is stable across
+     *    relay-side decoration. The signature is recoverable from the
+     *    signed bytes; including it in the hash would make the hash
+     *    depend on signature malleability.
+     *
+     * This is not part of the EIP-712 signature path — it is purely a
+     * content-addressing helper for logs, dedup sets, and cross-SDK
+     * test fixtures. The EIP-712 hash (the one the wallet signs) is
+     * computed by ethers internally and is NOT exposed here.
+     *
+     * @param wire - The wire object to hash.
+     * @returns 32-byte hex-encoded keccak256 hash (`0x` + 64 hex chars).
+     */
+    static computeHash(wire: DeliverySetupWireV1): string;
+}
+export type { BuildSetupResult } from './types';
+//# sourceMappingURL=setupBuilder.d.ts.map

package/dist/delivery/setupBuilder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"setupBuilder.d.ts","sourceRoot":"","sources":["../../src/delivery/setupBuilder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgFG;AAEH,OAAO,EAIL,KAAK,MAAM,EACZ,MAAM,QAAQ,CAAC;AAGhB,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAS1D,OAAO,EAEL,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACzB,MAAM,SAAS,CAAC;AAOjB;;;;;;;GAOG;AACH,eAAO,MAAM,wBAAwB,OAAO,CAAC;AAE7C;;;;;;;;GAQG;AACH,eAAO,MAAM,wBAAwB,MAAM,CAAC;AAE5C;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,EAAE,SAAS,MAAM,EAE7C,CAAC;AA2CX;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,CAAC,MAAM,MAAM,CAAC,GAAG,IAAI,GAAG,IAAI,CAMvE;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,IAAI,IAAI,CAE9C;AAMD;;;;;;;GAOG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,IAAI,EAAE,KAAK,MAAM,EAAE,CAAC;IAEpB;;;OAGG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,aAAa,EAAE,KAAK,MAAM,EAAE,CAAC;IAE7B;;;;OAIG;IACH,gBAAgB,EAAE,KAAK,MAAM,EAAE,CAAC;IAEhC;;;;OAIG;IACH,aAAa,EAAE,KAAK,MAAM,EAAE,CAAC;IAE7B;;;;;;;;;OASG;IACH,oBAAoB,EAAE,KAAK,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAE5B;;;OAGG;IACH,eAAe,EAAE,eAAe,CAAC;IAEjC;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;;;;;;;;;;;OAaG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAe;IAE7C;;;;;;;;;;;OAWG;gBACS,MAAM,CAAC,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,YAAY;IASxD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8BG;IACG,KAAK,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAkJhE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkDG;IACH,MAAM,CAAC,MAAM,CACX,IAAI,EAAE,mBAAmB,EACzB,IAAI,EAAE;QACJ,qBAAqB,EAAE,MAAM,CAAC;QAC9B,eAAe,EAAE,MAAM,CAAC;QACxB,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,GAEC;QAAE,EAAE,EAAE,IAAI,CAAC;QAAC,MAAM,EAAE,qBAAqB,CAAA;KAAE,GAC3C;QAAE,EAAE,EAAE,KAAK,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE;IA4F9C;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,mBAAmB,GAAG,MAAM;CAGtD;AAWD,YAAY,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC"}