@amodalai/runtime 0.3.70 → 0.3.71

package/dist/src/auth/strategies/none.d.ts

@@ -0,0 +1,37 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * NoneAuthStrategy — synthesizes an anonymous identity. Always matches
+ * (`valid()` returns true) and always authenticates with the same
+ * synthetic session, so the chain stops at this strategy.
+ *
+ * Place LAST in the chain to act as a default. For public agents (no
+ * end-user auth) or local dev where you want the runtime to accept any
+ * caller.
+ *
+ * Security: NoneAuthStrategy makes the agent reachable without
+ * authentication. Only use when the agent is intentionally public —
+ * ideally combined with cf-worker's `accessMode: 'public'` upstream.
+ */
+import type { Request } from 'express';
+import type { AuthResult, AuthStrategy } from '../types.js';
+export interface NoneAuthStrategyOptions {
+    /** User id to synthesize for anonymous callers. Defaults to `'anonymous'`. */
+    userId?: string;
+    /** Optional `agentId` to attach. */
+    agentId?: string;
+    /** Override `AuthSession.method`. Defaults to `'none'`. */
+    authMethod?: string;
+}
+export declare class NoneAuthStrategy implements AuthStrategy {
+    readonly name = "none";
+    private readonly userId;
+    private readonly agentId?;
+    private readonly authMethod;
+    constructor(options?: NoneAuthStrategyOptions);
+    valid(_req: Request): boolean;
+    authenticate(_req: Request): Promise<AuthResult>;
+}

package/dist/src/auth/strategies/none.js

@@ -0,0 +1,31 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export class NoneAuthStrategy {
+    name = 'none';
+    userId;
+    agentId;
+    authMethod;
+    constructor(options = {}) {
+        this.userId = options.userId ?? 'anonymous';
+        if (options.agentId !== undefined)
+            this.agentId = options.agentId;
+        this.authMethod = options.authMethod ?? 'none';
+    }
+    valid(_req) {
+        return true;
+    }
+    async authenticate(_req) {
+        return {
+            kind: 'authenticated',
+            session: {
+                user: { id: this.userId },
+                method: this.authMethod,
+                ...(this.agentId ? { agentId: this.agentId } : {}),
+            },
+        };
+    }
+}
+//# sourceMappingURL=none.js.map

package/dist/src/auth/strategies/none.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"none.js","sourceRoot":"","sources":["../../../../src/auth/strategies/none.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AA2BH,MAAM,OAAO,gBAAgB;IAClB,IAAI,GAAG,MAAM,CAAC;IACN,MAAM,CAAS;IACf,OAAO,CAAU;IACjB,UAAU,CAAS;IAEpC,YAAY,UAAmC,EAAE;QAC/C,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,WAAW,CAAC;QAC5C,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS;YAAE,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAClE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,MAAM,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,IAAa;QACjB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAa;QAC9B,OAAO;YACL,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE;gBACP,IAAI,EAAE,EAAC,EAAE,EAAE,IAAI,CAAC,MAAM,EAAC;gBACvB,MAAM,EAAE,IAAI,CAAC,UAAU;gBACvB,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAC,OAAO,EAAE,IAAI,CAAC,OAAO,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;aACjD;SACF,CAAC;IACJ,CAAC;CACF"}

package/dist/src/auth/strategies/oidc.d.ts

@@ -0,0 +1,48 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+import type { Request, Router as ExpressRouter } from 'express';
+import type { JWTPayload } from 'jose';
+import type { AuthResult, AuthSession, AuthStrategy } from '../types.js';
+export interface OidcAuthStrategyOptions {
+    issuer: string;
+    clientId: string;
+    clientSecret: string;
+    callbackUrl: string;
+    scopes?: readonly string[];
+    /** HMAC secret used to sign the session JWT cookie. Min 16 chars. */
+    sessionSecret: string;
+    /** Cookie name. Defaults to `'amodal_session'`. */
+    cookieName?: string;
+    /** Session TTL in seconds. Defaults to 24h. */
+    sessionTtlSeconds?: number;
+    /**
+     * Authorize hook — given the verified id_token claims, return the
+     * AuthSession.user fields the runtime should use, or `null` to deny.
+     * Defaults to allowing any authenticated user with `id` from `sub`.
+     */
+    authorize?: (claims: JWTPayload) => Promise<AuthSession['user'] | null> | AuthSession['user'] | null;
+    authMethod?: string;
+    /**
+     * Allow plain-HTTP discovery + token exchange. Off by default —
+     * `openid-client` enforces HTTPS in production. Tests against an
+     * in-process IdP need this; production deploys must not enable it.
+     */
+    allowInsecureRequests?: boolean;
+}
+export declare class OidcAuthStrategy implements AuthStrategy {
+    readonly name = "oidc";
+    private readonly opts;
+    private readonly sessionKey;
+    private discoveryPromise;
+    constructor(options: OidcAuthStrategyOptions);
+    valid(req: Request): boolean;
+    authenticate(req: Request): Promise<AuthResult>;
+    routes(): ExpressRouter;
+    private config;
+    private handleLogin;
+    private handleCallback;
+    private resolveUser;
+}

package/dist/src/auth/strategies/oidc.integration.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+export {};

package/dist/src/auth/strategies/oidc.integration.test.js

@@ -0,0 +1,290 @@
+/**
+ * @license
+ * Copyright 2026 Amodal Labs, Inc.
+ * SPDX-License-Identifier: MIT
+ */
+/**
+ * End-to-end OIDC test driving the full auth-code+PKCE dance against an
+ * in-process `node-oidc-provider`. Boots a real IdP on a random port,
+ * mounts `OidcAuthStrategy` on a real Express app, and walks login →
+ * IdP /auth → interaction (auto-resolved) → callback → session cookie →
+ * protected route hit. Catches integration bugs that unit tests can't:
+ * cookie wiring, redirect handling, state/PKCE round-trip, callback URL
+ * matching.
+ */
+import http from 'node:http';
+import { randomBytes } from 'node:crypto';
+import express from 'express';
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import Provider from 'oidc-provider';
+import { OidcAuthStrategy } from './oidc.js';
+import { authenticate, authRouter, getSession } from '../compose.js';
+const TEST_USER = {
+    sub: 'user-42',
+    email: 'alice@example.com',
+    name: 'Alice Example',
+};
+async function resolveInteraction(provider, req, res) {
+    const details = await provider.interactionDetails(req, res);
+    if (details.prompt.name === 'login') {
+        await provider.interactionFinished(req, res, { login: { accountId: TEST_USER.sub } }, { mergeWithLastSubmission: false });
+        return;
+    }
+    // consent prompt — grant everything requested
+    const grant = new provider.Grant({
+        accountId: TEST_USER.sub,
+        clientId: 'test-client',
+    });
+    const missingScopes = details.prompt.details['missingOIDCScope'];
+    if (Array.isArray(missingScopes)) {
+        for (const scope of missingScopes) {
+            if (typeof scope === 'string')
+                grant.addOIDCScope(scope);
+        }
+    }
+    const grantId = await grant.save();
+    await provider.interactionFinished(req, res, { consent: { grantId } }, { mergeWithLastSubmission: true });
+}
+async function reservePort() {
+    return new Promise((resolve, reject) => {
+        const s = http.createServer();
+        s.on('error', reject);
+        s.listen(0, '127.0.0.1', () => {
+            const addr = s.address();
+            s.close(() => resolve(addr.port));
+        });
+    });
+}
+async function startIdp(issuerUrl, redirectUri) {
+    const provider = new Provider(issuerUrl, {
+        clients: [
+            {
+                client_id: 'test-client',
+                client_secret: 'test-secret',
+                redirect_uris: [redirectUri],
+                grant_types: ['authorization_code'],
+                response_types: ['code'],
+                token_endpoint_auth_method: 'client_secret_basic',
+            },
+        ],
+        pkce: { required: () => true },
+        findAccount: (_ctx, sub) => ({
+            accountId: sub,
+            claims: () => ({
+                sub,
+                email: TEST_USER.email,
+                name: TEST_USER.name,
+            }),
+        }),
+        cookies: {
+            keys: ['integration-test-cookie-key-please-rotate'],
+        },
+        // Most real IdPs (Okta, Auth0, Azure AD with optional claims) put
+        // scoped claims directly on the id_token. Match that behaviour so
+        // the strategy's `claims['email']` / `claims['name']` reads work.
+        conformIdTokenClaims: false,
+        claims: {
+            openid: ['sub'],
+            email: ['email', 'email_verified'],
+            profile: ['name', 'family_name', 'given_name', 'preferred_username'],
+        },
+        features: {
+            // The full IdP UI isn't relevant to us — we drive interactions via
+            // a custom resolver below.
+            devInteractions: { enabled: false },
+        },
+        // node-oidc-provider redirects to this URL when an interaction
+        // (login / consent) is required. The app provides routes there.
+        interactions: {
+            url: (_ctx, interaction) => `/interaction/${interaction.uid}`,
+        },
+    });
+    const app = express();
+    app.set('trust proxy', true);
+    // Auto-resolve every interaction as "this user has logged in and consented."
+    // Saves us from rendering or POSTing a real form.
+    app.get('/interaction/:uid', (req, res, next) => {
+        void resolveInteraction(provider, req, res).catch(next);
+    });
+    const oidcCallback = provider.callback();
+    app.use((req, res, next) => {
+        void oidcCallback(req, res).catch(next);
+    });
+    // Surface internal failures so the test can print them.
+    app.use((err, _req, res, _next) => {
+        const detail = err instanceof Error ? err.stack ?? err.message : String(err);
+        process.stderr.write(`[idp error] ${detail}\n`);
+        res.status(500).json({ error: detail });
+    });
+    const idpUrl = new URL(issuerUrl);
+    return new Promise((resolve, reject) => {
+        const server = http.createServer(app);
+        server.on('error', reject);
+        server.listen(Number(idpUrl.port), idpUrl.hostname, () => {
+            resolve({
+                url: issuerUrl,
+                close: () => new Promise((closeResolve, closeReject) => {
+                    server.close((err) => (err ? closeReject(err) : closeResolve()));
+                }),
+            });
+        });
+    });
+}
+async function startApp(strategy, port) {
+    const app = express();
+    app.use(authRouter(strategy));
+    app.get('/protected', authenticate(strategy), (_req, res) => {
+        const session = getSession(res);
+        res.json({ user: session?.user, method: session?.method });
+    });
+    return new Promise((resolve, reject) => {
+        const server = http.createServer(app);
+        server.on('error', reject);
+        server.listen(port, '127.0.0.1', () => {
+            resolve({
+                url: `http://127.0.0.1:${port}`,
+                close: () => new Promise((closeResolve, closeReject) => {
+                    server.close((err) => (err ? closeReject(err) : closeResolve()));
+                }),
+            });
+        });
+    });
+}
+function makeCookieJar() {
+    const store = new Map();
+    return {
+        store,
+        header: () => [...store.entries()].map(([name, value]) => `${name}=${value}`).join('; '),
+        ingest(setCookie) {
+            if (!setCookie)
+                return;
+            const list = Array.isArray(setCookie) ? setCookie : [setCookie];
+            for (const raw of list) {
+                const [pair] = raw.split(';');
+                if (!pair)
+                    continue;
+                const eq = pair.indexOf('=');
+                if (eq === -1)
+                    continue;
+                const name = pair.slice(0, eq).trim();
+                const value = pair.slice(eq + 1).trim();
+                if (value === '') {
+                    store.delete(name);
+                }
+                else {
+                    store.set(name, value);
+                }
+            }
+        },
+    };
+}
+async function followRedirects(start, jar, maxHops = 12) {
+    let current = start;
+    const trail = [];
+    for (let i = 0; i < maxHops; i++) {
+        const res = await fetch(current, {
+            redirect: 'manual',
+            headers: jar.store.size > 0 ? { cookie: jar.header() } : {},
+        });
+        const setCookie = res.headers.getSetCookie?.() ?? res.headers.get('set-cookie');
+        jar.ingest(setCookie ?? undefined);
+        trail.push(`${res.status} ${current}`);
+        if (res.status >= 300 && res.status < 400) {
+            const location = res.headers.get('location');
+            if (!location) {
+                return {
+                    status: res.status,
+                    url: current,
+                    headers: headerObject(res.headers),
+                    body: '',
+                    trail,
+                };
+            }
+            current = new URL(location, current).toString();
+            continue;
+        }
+        const body = await res.text();
+        return { status: res.status, url: current, headers: headerObject(res.headers), body, trail };
+    }
+    throw new Error(`Too many redirects starting at ${start}\n${trail.join('\n')}`);
+}
+function headerObject(h) {
+    const out = {};
+    h.forEach((value, key) => {
+        out[key] = value;
+    });
+    return out;
+}
+describe('OidcAuthStrategy — integration', () => {
+    let idp;
+    let app;
+    let strategy;
+    const sessionSecret = randomBytes(32).toString('hex');
+    beforeAll(async () => {
+        // Reserve both ports up front so we can pin issuer + callback URLs
+        // into both the IdP config and the strategy config before either
+        // starts listening.
+        const idpPort = await reservePort();
+        const appPort = await reservePort();
+        const issuerUrl = `http://127.0.0.1:${idpPort}`;
+        const callbackUrl = `http://127.0.0.1:${appPort}/auth/callback`;
+        idp = await startIdp(issuerUrl, callbackUrl);
+        strategy = new OidcAuthStrategy({
+            issuer: issuerUrl,
+            clientId: 'test-client',
+            clientSecret: 'test-secret',
+            callbackUrl,
+            sessionSecret,
+            allowInsecureRequests: true,
+        });
+        app = await startApp(strategy, appPort);
+    }, 30_000);
+    afterAll(async () => {
+        if (app)
+            await app.close();
+        if (idp)
+            await idp.close();
+    });
+    it('rejects an unauthenticated request', async () => {
+        const res = await fetch(`${app.url}/protected`);
+        expect(res.status).toBe(401);
+    });
+    it('discovery doc is reachable on the IdP', async () => {
+        const res = await fetch(`${idp.url}/.well-known/openid-configuration`);
+        expect(res.status).toBe(200);
+        const body = (await res.json());
+        expect(body.issuer).toBe(idp.url);
+    });
+    it('walks the full authorization-code + PKCE dance and authenticates', async () => {
+        const jar = makeCookieJar();
+        // /auth/login → IdP /auth → interaction (auto-resolved twice: login + consent)
+        // → IdP /auth/<uid> → our /auth/callback?code=... → 302 to returnTo ('/').
+        // The trail terminates on the app's '/' (404 here only because the test
+        // app didn't register one — that's fine; what matters is we got back to
+        // the app's domain and the session cookie was issued in the callback hop.
+        const final = await followRedirects(`${app.url}/auth/login`, jar, 20);
+        if (final.status >= 500) {
+            process.stderr.write(`[trail]\n${final.trail.join('\n')}\n[final body] ${final.body}\n`);
+            throw new Error(`Unexpected 5xx during OIDC dance: ${final.status}`);
+        }
+        expect(final.url.startsWith(app.url)).toBe(true);
+        // session cookie should now be set
+        expect(jar.store.has('amodal_session')).toBe(true);
+        // protected route should work with the session cookie
+        const res = await fetch(`${app.url}/protected`, {
+            headers: { cookie: jar.header() },
+        });
+        expect(res.status).toBe(200);
+        const body = (await res.json());
+        expect(body.user.id).toBe(TEST_USER.sub);
+        expect(body.user.email).toBe(TEST_USER.email);
+        expect(body.method).toBe('oidc');
+    }, 30_000);
+    it('rejects a request with a tampered session cookie', async () => {
+        const res = await fetch(`${app.url}/protected`, {
+            headers: { cookie: 'amodal_session=garbage.token.here' },
+        });
+        expect(res.status).toBe(401);
+    });
+});
+//# sourceMappingURL=oidc.integration.test.js.map

package/dist/src/auth/strategies/oidc.integration.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.integration.test.js","sourceRoot":"","sources":["../../../../src/auth/strategies/oidc.integration.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;;;GAQG;AACH,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAC,WAAW,EAAC,MAAM,aAAa,CAAC;AACxC,OAAO,OAAO,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAC,MAAM,QAAQ,CAAC;AACjE,OAAO,QAAQ,MAAM,eAAe,CAAC;AAErC,OAAO,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAC,YAAY,EAAE,UAAU,EAAE,UAAU,EAAC,MAAM,eAAe,CAAC;AAOnE,MAAM,SAAS,GAAG;IAChB,GAAG,EAAE,SAAS;IACd,KAAK,EAAE,mBAAmB;IAC1B,IAAI,EAAE,eAAe;CACtB,CAAC;AAEF,KAAK,UAAU,kBAAkB,CAC/B,QAAkB,EAClB,GAAY,EACZ,GAAa;IAEb,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC5D,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACpC,MAAM,QAAQ,CAAC,mBAAmB,CAChC,GAAG,EACH,GAAG,EACH,EAAC,KAAK,EAAE,EAAC,SAAS,EAAE,SAAS,CAAC,GAAG,EAAC,EAAC,EACnC,EAAC,uBAAuB,EAAE,KAAK,EAAC,CACjC,CAAC;QACF,OAAO;IACT,CAAC;IACD,8CAA8C;IAC9C,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC;QAC/B,SAAS,EAAE,SAAS,CAAC,GAAG;QACxB,QAAQ,EAAE,aAAa;KACxB,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACjE,IAAI,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;QACjC,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;YAClC,IAAI,OAAO,KAAK,KAAK,QAAQ;gBAAE,KAAK,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,QAAQ,CAAC,mBAAmB,CAChC,GAAG,EACH,GAAG,EACH,EAAC,OAAO,EAAE,EAAC,OAAO,EAAC,EAAC,EACpB,EAAC,uBAAuB,EAAE,IAAI,EAAC,CAChC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,WAAW;IACxB,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,MAAM,CAAC,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QAC9B,CAAC,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACtB,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YAC5B,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,EAAiB,CAAC;YACxC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,SAAiB,EAAE,WAAmB;IAC5D,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC,SAAS,EAAE;QACvC,OAAO,EAAE;YACP;gBACE,SAAS,EAAE,aAAa;gBACxB,aAAa,EAAE,aAAa;gBAC5B,aAAa,EAAE,CAAC,WAAW,CAAC;gBAC5B,WAAW,EAAE,CAAC,oBAAoB,CAAC;gBACnC,cAAc,EAAE,CAAC,MAAM,CAAC;gBACxB,0BAA0B,EAAE,qBAAqB;aAClD;SACF;QACD,IAAI,EAAE,EAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,IAAI,EAAC;QAC5B,WAAW,EAAE,CAAC,IAAa,EAAE,GAAW,EAAE,EAAE,CAAC,CAAC;YAC5C,SAAS,EAAE,GAAG;YACd,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBACb,GAAG;gBACH,KAAK,EAAE,SAAS,CAAC,KAAK;gBACtB,IAAI,EAAE,SAAS,CAAC,IAAI;aACrB,CAAC;SACH,CAAC;QACF,OAAO,EAAE;YACP,IAAI,EAAE,CAAC,2CAA2C,CAAC;SACpD;QACD,kEAAkE;QAClE,kEAAkE;QAClE,kEAAkE;QAClE,oBAAoB,EAAE,KAAK;QAC3B,MAAM,EAAE;YACN,MAAM,EAAE,CAAC,KAAK,CAAC;YACf,KAAK,EAAE,CAAC,OAAO,EAAE,gBAAgB,CAAC;YAClC,OAAO,EAAE,CAAC,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,oBAAoB,CAAC;SACrE;QACD,QAAQ,EAAE;YACR,mEAAmE;YACnE,2BAA2B;YAC3B,eAAe,EAAE,EAAC,OAAO,EAAE,KAAK,EAAC;SAClC;QACD,+DAA+D;QAC/D,gEAAgE;QAChE,YAAY,EAAE;YACZ,GAAG,EAAE,CAAC,IAAa,EAAE,WAA0B,EAAE,EAAE,CACjD,gBAAgB,WAAW,CAAC,GAAG,EAAE;SACpC;KACF,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IACtB,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IAE7B,6EAA6E;IAC7E,kDAAkD;IAClD,GAAG,CAAC,GAAG,CAAC,mBAAmB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9C,KAAK,kBAAkB,CAAC,QAAQ,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC;IACzC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,KAAK,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,wDAAwD;IACxD,GAAG,CAAC,GAAG,CACL,CAAC,GAAY,EAAE,IAAa,EAAE,GAAa,EAAE,KAAmB,EAAQ,EAAE;QACxE,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7E,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,MAAM,IAAI,CAAC,CAAC;QAChD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,MAAM,EAAC,CAAC,CAAC;IACxC,CAAC,CACF,CAAC;IAEF,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAClC,OAAO,IAAI,OAAO,CAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACpD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,QAAQ,EAAE,GAAG,EAAE;YACvD,OAAO,CAAC;gBACN,GAAG,EAAE,SAAS;gBACd,KAAK,EAAE,GAAG,EAAE,CACV,IAAI,OAAO,CAAO,CAAC,YAAY,EAAE,WAAW,EAAE,EAAE;oBAC9C,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;gBACnE,CAAC,CAAC;aACL,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,QAAQ,CAAC,QAA0B,EAAE,IAAY;IAC9D,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IACtB,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9B,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;QAC7E,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAChC,GAAG,CAAC,IAAI,CAAC,EAAC,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAC,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IACH,OAAO,IAAI,OAAO,CAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACpD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE;YACpC,OAAO,CAAC;gBACN,GAAG,EAAE,oBAAoB,IAAI,EAAE;gBAC/B,KAAK,EAAE,GAAG,EAAE,CACV,IAAI,OAAO,CAAO,CAAC,YAAY,EAAE,WAAW,EAAE,EAAE;oBAC9C,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;gBACnE,CAAC,CAAC;aACL,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAQD,SAAS,aAAa;IACpB,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,OAAO;QACL,KAAK;QACL,MAAM,EAAE,GAAG,EAAE,CACX,CAAC,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,IAAI,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;QAC5E,MAAM,CAAC,SAAS;YACd,IAAI,CAAC,SAAS;gBAAE,OAAO;YACvB,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;YAChE,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC9B,IAAI,CAAC,IAAI;oBAAE,SAAS;gBACpB,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBAC7B,IAAI,EAAE,KAAK,CAAC,CAAC;oBAAE,SAAS;gBACxB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACtC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACxC,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;oBACjB,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBACrB,CAAC;qBAAM,CAAC;oBACN,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,KAAa,EACb,GAAc,EACd,OAAO,GAAG,EAAE;IAQZ,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;QACjC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;YAC/B,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,EAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,EAAC,CAAC,CAAC,CAAC,EAAE;SAC1D,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAChF,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,SAAS,CAAC,CAAC;QACnC,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,MAAM,IAAI,OAAO,EAAE,CAAC,CAAC;QACvC,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YAC1C,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO;oBACL,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,GAAG,EAAE,OAAO;oBACZ,OAAO,EAAE,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC;oBAClC,IAAI,EAAE,EAAE;oBACR,KAAK;iBACN,CAAC;YACJ,CAAC;YACD,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;YAChD,SAAS;QACX,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,OAAO,EAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,KAAK,EAAC,CAAC;IAC7F,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,kCAAkC,KAAK,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAClF,CAAC;AAED,SAAS,YAAY,CAAC,CAAU;IAC9B,MAAM,GAAG,GAAkD,EAAE,CAAC;IAC9D,CAAC,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACvB,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC,CAAC,CAAC;IACH,OAAO,GAAG,CAAC;AACb,CAAC;AAED,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,IAAI,GAAkB,CAAC;IACvB,IAAI,GAAkB,CAAC;IACvB,IAAI,QAA0B,CAAC;IAC/B,MAAM,aAAa,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAEtD,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,mEAAmE;QACnE,iEAAiE;QACjE,oBAAoB;QACpB,MAAM,OAAO,GAAG,MAAM,WAAW,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,MAAM,WAAW,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,oBAAoB,OAAO,EAAE,CAAC;QAChD,MAAM,WAAW,GAAG,oBAAoB,OAAO,gBAAgB,CAAC;QAEhE,GAAG,GAAG,MAAM,QAAQ,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QAC7C,QAAQ,GAAG,IAAI,gBAAgB,CAAC;YAC9B,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE,aAAa;YACvB,YAAY,EAAE,aAAa;YAC3B,WAAW;YACX,aAAa;YACb,qBAAqB,EAAE,IAAI;SAC5B,CAAC,CAAC;QACH,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC,EAAE,MAAM,CAAC,CAAC;IAEX,QAAQ,CAAC,KAAK,IAAI,EAAE;QAClB,IAAI,GAAG;YAAE,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;QAC3B,IAAI,GAAG;YAAE,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,CAAC,CAAC;QAChD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,GAAG,mCAAmC,CAAC,CAAC;QACvE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAqB,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;QAE5B,+EAA+E;QAC/E,2EAA2E;QAC3E,wEAAwE;QACxE,wEAAwE;QACxE,0EAA0E;QAC1E,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,GAAG,GAAG,CAAC,GAAG,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACtE,IAAI,KAAK,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;YACxB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,YAAY,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,KAAK,CAAC,IAAI,IAAI,CACnE,CAAC;YACF,MAAM,IAAI,KAAK,CAAC,qCAAqC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QACvE,CAAC;QACD,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEjD,mCAAmC;QACnC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEnD,sDAAsD;QACtD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,EAAE;YAC9C,OAAO,EAAE,EAAC,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,EAAC;SAChC,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyD,CAAC;QACxF,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC,EAAE,MAAM,CAAC,CAAC;IAEX,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,GAAG,YAAY,EAAE;YAC9C,OAAO,EAAE,EAAC,MAAM,EAAE,mCAAmC,EAAC;SACvD,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}