@arcis/node 1.0.0

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/core/constants.ts","../src/middleware/headers.ts","../src/middleware/rate-limit.ts","../src/middleware/error-handler.ts","../src/core/errors.ts","../src/sanitizers/utils.ts","../src/sanitizers/xss.ts","../src/sanitizers/sql.ts","../src/sanitizers/path.ts","../src/sanitizers/command.ts","../src/sanitizers/sanitize.ts","../src/sanitizers/nosql.ts","../src/sanitizers/prototype.ts","../src/sanitizers/headers.ts","../src/validation/schema.ts","../src/validation/file.ts","../src/logging/redactor.ts","../src/middleware/main.ts","../src/middleware/cors.ts","../src/middleware/cookies.ts","../src/validation/url.ts","../src/validation/redirect.ts","../src/stores/memory.ts","../src/stores/redis.ts"],"names":["host"],"mappings":";AAQO,IAAM,KAAA,GAAQ;AAAA;AAAA,EAEnB,gBAAA,EAAkB,GAAA;AAAA;AAAA,EAElB,mBAAA,EAAqB;AACvB;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,GAAA;AAAA;AAAA,EAEnB,oBAAA,EAAsB,GAAA;AAAA;AAAA,EAEtB,mBAAA,EAAqB,GAAA;AAAA;AAAA,EAErB,eAAA,EAAiB,4CAAA;AAAA;AAAA,EAEjB,aAAA,EAAe,GAAA;AAAA;AAAA,EAEf,aAAA,EAAe;AACjB;AAKO,IAAM,OAAA,GAAU;AAAA;AAAA,EAErB,WAAA,EAAa;AAAA,IACX,oBAAA;AAAA,IACA,mBAAA;AAAA,IACA,kCAAA;AAAA,IACA,6BAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF,CAAE,KAAK,IAAI,CAAA;AAAA;AAAA,EAEX,YAAA,EAAc,OAAA;AAAA;AAAA,EAEd,aAAA,EAAe,MAAA;AAAA;AAAA,EAEf,oBAAA,EAAsB,SAAA;AAAA;AAAA,EAEtB,eAAA,EAAiB,iCAAA;AAAA;AAAA,EAEjB,kBAAA,EAAoB,0CAAA;AAAA;AAAA,EAEpB,aAAA,EAAe;AACjB;AAUO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,mCAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA,gBAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAQO,IAAM,mBAAA,GAAsB;AAAA;AAAA,EAEjC,mCAAA;AAAA;AAAA,EAEA,iBAAA;AAAA;AAAA,EAEA,mCAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EAEA,mCAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EAEA,eAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,uCAAA;AAAA;AAAA,EAEA,gCAAA;AAAA;AAAA,EAEA,kBAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,qFAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,wBAAA;AAAA;AAAA,EAEA,8CAAA;AAAA,EACA,oDAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,+CAAA;AAAA,EACA,qDAAA;AAAA;AAAA,EAEA,2BAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,IAAM,aAAA,GAAgB;AAAA;AAAA,EAE3B,SAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,cAAA;AAAA,EACA,cAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU9B,SAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAiBO,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA,EAC1C,WAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA;AACF,CAAC,CAAA;AAGM,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA;AAAA,EAE1C,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,MAAA;AAAA;AAAA,EAEnD,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,MAAA;AAAA;AAAA,EAEvB,SAAA;AAAA,EAAW,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEzD,YAAA;AAAA,EAAc,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEtB,WAAA;AAAA,EAAa,cAAA;AAAA;AAAA,EAEb,SAAA;AAAA,EAAW,QAAA;AAAA,EAAU,UAAA;AAAA,EAAY,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,OAAA;AAAA,EAC9D,SAAA;AAAA,EAAW,YAAA;AAAA,EAAc;AAC3B,CAAC,CAAA;AAKM,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMxB,KAAA,EAAO,wDAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMP,GAAA,EAAK,+BAAA;AAAA;AAAA,EAEL,IAAA,EAAM;AACR;AAKO,IAAM,MAAA,GAAS;AAAA;AAAA,EAEpB,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,eAAA,EAAiB,CAAC,OAAA,KAAoB,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA;AAAA;AAAA,EAE9E,UAAA,EAAY;AAAA,IACV,QAAA,EAAU,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,YAAA,CAAA;AAAA,IACrC,cAAc,CAAC,KAAA,EAAe,SAAiB,CAAA,EAAG,KAAK,cAAc,IAAI,CAAA,CAAA;AAAA,IACzE,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC5E,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,CAAA;AAAA,IAC1E,cAAA,EAAgB,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,kBAAA,CAAA;AAAA,IAC3C,aAAA,EAAe,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,sBAAA,CAAA;AAAA,IAC1C,WAAA,EAAa,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,oBAAA,CAAA;AAAA,IACxC,YAAA,EAAc,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,qBAAA,CAAA;AAAA,IACzC,YAAA,EAAc,CAAC,KAAA,EAAe,MAAA,KAAsB,CAAA,EAAG,KAAK,CAAA,iBAAA,EAAoB,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,IACjG,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,uBAAuB,GAAG,CAAA,MAAA,CAAA;AAAA,IAC7E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,sBAAsB,GAAG,CAAA,MAAA;AAAA;AAEhF;AAKO,IAAM,OAAA,GAAU;;;AC1RhB,SAAS,aAAA,CAAc,OAAA,GAAyB,EAAC,EAAmB;AACzE,EAAA,MAAM;AAAA,IACJ,qBAAA,GAAwB,IAAA;AAAA,IACxB,SAAA,GAAY,IAAA;AAAA,IACZ,OAAA,GAAU,IAAA;AAAA,IACV,eAAe,OAAA,CAAQ,aAAA;AAAA,IACvB,IAAA,GAAO,IAAA;AAAA,IACP,iBAAiB,OAAA,CAAQ,eAAA;AAAA,IACzB,oBAAoB,OAAA,CAAQ,kBAAA;AAAA,IAC5B,YAAA,GAAe;AAAA,GACjB,GAAI,OAAA;AAEJ,EAAA,OAAO,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AAE1D,IAAA,IAAI,qBAAA,EAAuB;AACzB,MAAA,MAAM,GAAA,GAAM,OAAO,qBAAA,KAA0B,QAAA,GACzC,wBACA,OAAA,CAAQ,WAAA;AACZ,MAAA,GAAA,CAAI,SAAA,CAAU,2BAA2B,GAAG,CAAA;AAAA,IAC9C;AAGA,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,GAAA,CAAI,SAAA,CAAU,oBAAoB,eAAe,CAAA;AAAA,IACnD;AAGA,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,GAAA,CAAI,SAAA,CAAU,wBAAA,EAA0B,OAAA,CAAQ,oBAAoB,CAAA;AAAA,IACtE;AAGA,IAAA,IAAI,YAAA,EAAc;AAChB,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAmB,YAAY,CAAA;AAAA,IAC/C;AAOA,IAAA,MAAM,cAAA,GAAkB,GAAA,CAAI,OAAA,CAAQ,mBAAmB,CAAA,EACnD,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,CACb,IAAA,EAAK,CACL,WAAA,EAAY;AACf,IAAA,MAAM,qBAAA,GAAwB,cAAA,KAAmB,OAAA,IAAW,cAAA,KAAmB,SAC3E,cAAA,GACA,MAAA;AACJ,IAAA,MAAM,OAAA,GAAU,GAAA,CAAI,MAAA,IAAU,qBAAA,KAA0B,OAAA;AAExD,IAAA,IAAI,QAAQ,OAAA,EAAS;AACnB,MAAA,MAAM,QAAA,GAAwB,OAAO,IAAA,KAAS,QAAA,GAAW,OAAO,EAAC;AACjE,MAAA,MAAM,MAAA,GAAS,QAAA,CAAS,MAAA,IAAU,OAAA,CAAQ,YAAA;AAC1C,MAAA,MAAM,iBAAA,GAAoB,SAAS,iBAAA,KAAsB,KAAA;AACzD,MAAA,MAAM,OAAA,GAAU,SAAS,OAAA,KAAY,IAAA;AAErC,MAAA,IAAI,SAAA,GAAY,WAAW,MAAM,CAAA,CAAA;AACjC,MAAA,IAAI,mBAAmB,SAAA,IAAa,qBAAA;AACpC,MAAA,IAAI,SAAS,SAAA,IAAa,WAAA;AAE1B,MAAA,GAAA,CAAI,SAAA,CAAU,6BAA6B,SAAS,CAAA;AAAA,IACtD;AAGA,IAAA,IAAI,cAAA,EAAgB;AAClB,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAmB,cAAc,CAAA;AAAA,IACjD;AAGA,IAAA,IAAI,iBAAA,EAAmB;AACrB,MAAA,GAAA,CAAI,SAAA,CAAU,sBAAsB,iBAAiB,CAAA;AAAA,IACvD;AAGA,IAAA,GAAA,CAAI,SAAA,CAAU,qCAAqC,MAAM,CAAA;AAGzD,IAAA,IAAI,YAAA,EAAc;AAChB,MAAA,MAAM,iBAAA,GAAoB,OAAO,YAAA,KAAiB,QAAA,GAC9C,eACA,OAAA,CAAQ,aAAA;AACZ,MAAA,GAAA,CAAI,SAAA,CAAU,iBAAiB,iBAAiB,CAAA;AAChD,MAAA,GAAA,CAAI,SAAA,CAAU,UAAU,UAAU,CAAA;AAClC,MAAA,GAAA,CAAI,SAAA,CAAU,WAAW,GAAG,CAAA;AAAA,IAC9B;AAGA,IAAA,GAAA,CAAI,aAAa,cAAc,CAAA;AAE/B,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAMO,IAAM,eAAA,GAAkB;;;ACtFxB,SAAS,iBAAA,CAAkB,OAAA,GAA4B,EAAC,EAA0B;AACvF,EAAA,MAAM;AAAA,IACJ,MAAM,UAAA,CAAW,oBAAA;AAAA,IACjB,WAAW,UAAA,CAAW,iBAAA;AAAA,IACtB,UAAU,UAAA,CAAW,eAAA;AAAA,IACrB,aAAa,UAAA,CAAW,mBAAA;AAAA,IACxB,YAAA,GAAe,CAAC,GAAA,KAAQ;AACtB,MAAA,MAAM,EAAA,GAAK,GAAA,CAAI,EAAA,IAAM,GAAA,CAAI,MAAA,EAAQ,aAAA;AACjC,MAAA,IAAI,CAAC,EAAA,EAAI;AACP,QAAA,OAAA,CAAQ,IAAA;AAAA,UACN;AAAA,SAEF;AACA,QAAA,OAAO,SAAA;AAAA,MACT;AACA,MAAA,OAAO,EAAA;AAAA,IACT,CAAA;AAAA,IACA,IAAA;AAAA,IACA,KAAA,EAAO;AAAA,GACT,GAAI,OAAA;AAIJ,EAAA,MAAM,aAAA,mBAAgB,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA;AAGxC,EAAA,IAAI,eAAA,GAAyD,IAAA;AAE7D,EAAA,IAAI,CAAC,aAAA,EAAe;AAClB,IAAA,eAAA,GAAkB,YAAY,MAAM;AAClC,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,aAAa,CAAA,EAAG;AAC5C,QAAA,IAAI,aAAA,CAAc,GAAG,CAAA,CAAE,SAAA,GAAY,GAAA,EAAK;AACtC,UAAA,OAAO,cAAc,GAAG,CAAA;AAAA,QAC1B;AAAA,MACF;AAAA,IACF,GAAG,QAAQ,CAAA;AAGX,IAAA,IAAI,OAAO,eAAA,CAAgB,KAAA,KAAU,UAAA,EAAY;AAC/C,MAAA,eAAA,CAAgB,KAAA,EAAM;AAAA,IACxB;AAAA,EACF;AAEA,EAAA,MAAM,OAAA,GAA0B,OAAO,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AACzF,IAAA,IAAI;AACF,MAAA,IAAI,IAAA,GAAO,GAAG,CAAA,EAAG;AACf,QAAA,OAAO,IAAA,EAAK;AAAA,MACd;AAEA,MAAA,MAAM,GAAA,GAAM,aAAa,GAAG,CAAA;AAC5B,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,MAAA,IAAI,KAAA;AACJ,MAAA,IAAI,SAAA;AAEJ,MAAA,IAAI,aAAA,EAAe;AAEjB,QAAA,MAAM,KAAA,GAAQ,MAAM,aAAA,CAAc,GAAA,CAAI,GAAG,CAAA;AACzC,QAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,SAAA,GAAY,GAAA,EAAK;AACnC,UAAA,MAAM,aAAA,CAAc,IAAI,GAAA,EAAK,EAAE,OAAO,CAAA,EAAG,SAAA,EAAW,GAAA,GAAM,QAAA,EAAU,CAAA;AACpE,UAAA,KAAA,GAAQ,CAAA;AACR,UAAA,SAAA,GAAY,GAAA,GAAM,QAAA;AAAA,QACpB,CAAA,MAAO;AACL,UAAA,KAAA,GAAQ,MAAM,aAAA,CAAc,SAAA,CAAU,GAAG,CAAA;AACzC,UAAA,SAAA,GAAY,KAAA,CAAM,SAAA;AAAA,QACpB;AAAA,MACF,CAAA,MAAO;AAEL,QAAA,IAAI,CAAC,cAAc,GAAG,CAAA,IAAK,cAAc,GAAG,CAAA,CAAE,YAAY,GAAA,EAAK;AAC7D,UAAA,aAAA,CAAc,GAAG,CAAA,GAAI,EAAE,OAAO,CAAA,EAAG,SAAA,EAAW,MAAM,QAAA,EAAS;AAAA,QAC7D,CAAA,MAAO;AACL,UAAA,aAAA,CAAc,GAAG,CAAA,CAAE,KAAA,EAAA;AAAA,QACrB;AACA,QAAA,KAAA,GAAQ,aAAA,CAAc,GAAG,CAAA,CAAE,KAAA;AAC3B,QAAA,SAAA,GAAY,aAAA,CAAc,GAAG,CAAA,CAAE,SAAA;AAAA,MACjC;AAEA,MAAA,MAAM,SAAA,GAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,MAAM,KAAK,CAAA;AACzC,MAAA,MAAM,YAAA,GAAe,IAAA,CAAK,IAAA,CAAA,CAAM,SAAA,GAAY,OAAO,GAAI,CAAA;AAGvD,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,GAAA,CAAI,QAAA,EAAU,CAAA;AACjD,MAAA,GAAA,CAAI,SAAA,CAAU,uBAAA,EAAyB,SAAA,CAAU,QAAA,EAAU,CAAA;AAC3D,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,YAAA,CAAa,QAAA,EAAU,CAAA;AAE1D,MAAA,IAAI,QAAQ,GAAA,EAAK;AACf,QAAA,GAAA,CAAI,SAAA,CAAU,aAAA,EAAe,YAAA,CAAa,QAAA,EAAU,CAAA;AACpD,QAAA,GAAA,CAAI,MAAA,CAAO,UAAU,CAAA,CAAE,IAAA,CAAK;AAAA,UAC1B,KAAA,EAAO,OAAA;AAAA,UACP,UAAA,EAAY;AAAA,SACb,CAAA;AACD,QAAA;AAAA,MACF;AAEA,MAAA,IAAA,EAAK;AAAA,IACP,SAAS,KAAA,EAAO;AAEd,MAAA,OAAA,CAAQ,KAAA,CAAM,+BAA+B,KAAK,CAAA;AAClD,MAAA,IAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAA;AAGA,EAAA,MAAM,UAAA,GAAa,OAAA;AACnB,EAAA,UAAA,CAAW,QAAQ,MAAM;AACvB,IAAA,IAAI,eAAA,EAAiB;AACnB,MAAA,aAAA,CAAc,eAAe,CAAA;AAC7B,MAAA,eAAA,GAAkB,IAAA;AAAA,IACpB;AAAA,EACF,CAAA;AAEA,EAAA,OAAO,UAAA;AACT;AAMO,IAAM,SAAA,GAAY;;;AC9IzB,IAAM,wBAAA,GAAqC;AAAA;AAAA,EAEzC,qEAAA;AAAA,EACA,2DAAA;AAAA,EACA,+CAAA;AAAA,EACA,qDAAA;AAAA,EACA,4CAAA;AAAA;AAAA,EAEA,yEAAA;AAAA;AAAA,EAEA,0DAAA;AAAA;AAAA,EAEA,oEAAA;AAAA;AAAA,EAEA,oCAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,SAAS,sBAAsB,OAAA,EAA0B;AAC9D,EAAA,OAAO,yBAAyB,IAAA,CAAK,CAAA,OAAA,KAAW,OAAA,CAAQ,IAAA,CAAK,OAAO,CAAC,CAAA;AACvE;AA4BO,SAAS,YAAA,CACd,UAAyC,KAAA,EAC8B;AACvE,EAAA,MAAM,QAAQ,OAAO,OAAA,KAAY,SAAA,GAAY,OAAA,GAAU,QAAQ,KAAA,IAAS,KAAA;AACxE,EAAA,MAAM,YAAY,OAAO,OAAA,KAAY,QAAA,GAAW,OAAA,CAAQ,aAAa,IAAA,GAAO,IAAA;AAC5E,EAAA,MAAM,MAAA,GAAS,OAAO,OAAA,KAAY,QAAA,GAAW,QAAQ,MAAA,GAAS,MAAA;AAC9D,EAAA,MAAM,aAAA,GAAgB,OAAO,OAAA,KAAY,QAAA,GAAW,QAAQ,aAAA,GAAgB,MAAA;AAE5E,EAAA,OAAO,CAAC,GAAA,EAAgB,GAAA,EAAc,GAAA,EAAe,KAAA,KAAwB;AAC3E,IAAA,MAAM,UAAA,GAAa,GAAA,CAAI,UAAA,IAAc,GAAA,CAAI,MAAA,IAAU,GAAA;AAGnD,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,OAAO,aAAA,CAAc,GAAA,EAAK,GAAA,EAAK,GAAG,CAAA;AAAA,IACpC;AAGA,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,MAAM,OAAA,GAAU;AAAA,QACd,OAAO,GAAA,CAAI,OAAA;AAAA,QACX,OAAO,GAAA,CAAI,KAAA;AAAA,QACX,UAAA;AAAA,QACA,MAAM,GAAA,CAAI,IAAA;AAAA,QACV,QAAQ,GAAA,CAAI;AAAA,OACd;AAEA,MAAA,IAAI,MAAA,EAAQ;AACV,QAAA,MAAA,CAAO,KAAA,CAAM,iBAAiB,OAAO,CAAA;AAAA,MACvC,CAAA,MAAO;AACL,QAAA,OAAA,CAAQ,KAAA,CAAM,0BAA0B,OAAO,CAAA;AAAA,MACjD;AAAA,IACF;AAMA,IAAA,MAAM,aAAA,GAAgB,KAAA,IAAS,GAAA,CAAI,MAAA,KAAW,IAAA;AAE9C,IAAA,IAAI,aAAA;AACJ,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,aAAA,GAAgB,MAAA,CAAO,qBAAA;AAAA,IACzB,CAAA,MAAA,IAAW,qBAAA,CAAsB,GAAA,CAAI,OAAO,CAAA,EAAG;AAE7C,MAAA,aAAA,GAAgB,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,MAAA,CAAO,qBAAA;AAAA,IAC/C,CAAA,MAAO;AACL,MAAA,aAAA,GAAgB,GAAA,CAAI,OAAA;AAAA,IACtB;AAEA,IAAA,MAAM,QAAA,GAAoC;AAAA,MACxC,KAAA,EAAO;AAAA,KACT;AAGA,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,QAAA,CAAS,QAAQ,GAAA,CAAI,KAAA;AACrB,MAAA,QAAA,CAAS,UAAU,GAAA,CAAI,OAAA;AAAA,IACzB;AAEA,IAAA,GAAA,CAAI,MAAA,CAAO,UAAU,CAAA,CAAE,IAAA,CAAK,QAAQ,CAAA;AAAA,EACtC,CAAA;AACF;AAMO,IAAM,kBAAA,GAAqB;;;AC5H3B,IAAM,UAAA,GAAN,cAAyB,KAAA,CAAM;AAAA,EAMpC,WAAA,CAAY,OAAA,EAAiB,UAAA,GAAa,GAAA,EAAK,OAAO,aAAA,EAAe;AACnE,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,YAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAGZ,IAAA,IAAA,CAAK,SAAS,UAAA,GAAa,GAAA;AAG3B,IAAA,IAAI,MAAM,iBAAA,EAAmB;AAC3B,MAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAAA,IAChD;AAAA,EACF;AACF;AAKO,IAAM,eAAA,GAAN,cAA8B,UAAA,CAAW;AAAA,EAG9C,YAAY,MAAA,EAAkB;AAC5B,IAAA,KAAA,CAAM,mBAAA,EAAqB,KAAK,kBAAkB,CAAA;AAClD,IAAA,IAAA,CAAK,IAAA,GAAO,iBAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AACF;AAQO,IAAM,cAAA,GAAN,cAA6B,UAAA,CAAW;AAAA,EAG7C,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,qBAAqB,CAAA;AACzC,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,kBAAA,GAAN,cAAiC,UAAA,CAAW;AAAA,EAIjD,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA,EAAU,GAAA,EAAK,iBAAiB,CAAA;AAC9E,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,mBAAA,GAAN,cAAkC,UAAA,CAAW;AAAA,EAIlD,WAAA,CAAY,YAAoB,OAAA,EAAiB;AAC/C,IAAA,KAAA,CAAM,sCAAA,EAAwC,KAAK,iBAAiB,CAAA;AACpE,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF;AAKO,IAAM,iBAAA,GAAN,cAAgC,UAAA,CAAW;AAAA,EAChD,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,oBAAoB,CAAA;AACxC,IAAA,IAAA,CAAK,IAAA,GAAO,mBAAA;AAAA,EACd;AACF;;;ACtFO,SAAS,mBAAmB,GAAA,EAAqB;AACtD,EAAA,OAAO,IACJ,OAAA,CAAQ,IAAA,EAAM,OAAO,CAAA,CACrB,OAAA,CAAQ,MAAM,MAAM,CAAA,CACpB,QAAQ,IAAA,EAAM,MAAM,EACpB,OAAA,CAAQ,IAAA,EAAM,QAAQ,CAAA,CACtB,OAAA,CAAQ,MAAM,QAAQ,CAAA;AAC3B;;;ACYO,SAAS,WAAA,CAAY,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAO,aAAa,KAAA,EAAgC;AAC9G,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAInB,EAAA,KAAA,MAAW,WAAW,mBAAA,EAAqB;AACzC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,KAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAEA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,EAAE,CAAA;AACjC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAMA,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,MAAM,OAAA,GAAU,mBAAmB,KAAK,CAAA;AACxC,IAAA,IAAI,YAAY,KAAA,EAAO;AACrB,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AACA,IAAA,KAAA,GAAQ,OAAA;AAAA,EACV;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AASO,SAAS,UAAU,KAAA,EAAwB;AAChD,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAGtC,EAAA,IAAI,eAAA,CAAgB,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAGxC,EAAA,IAAI,iBAAA,CAAkB,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAC1C,EAAA,IAAI,eAAA,CAAgB,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AACxC,EAAA,IAAI,wBAAA,CAAyB,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAGjD,EAAA,KAAA,MAAW,WAAW,YAAA,EAAc;AAClC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;AC1FO,SAAS,WAAA,CAAY,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAC1F,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,KAAA,MAAW,WAAW,YAAA,EAAc;AAElC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,eAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAIA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,GAAG,CAAA;AAClC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AASO,SAAS,UAAU,KAAA,EAAwB;AAChD,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAEtC,EAAA,KAAA,MAAW,WAAW,YAAA,EAAc;AAClC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;AC/DO,SAAS,YAAA,CAAa,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAC3F,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,KAAA,MAAW,WAAW,aAAA,EAAe;AAEnC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,gBAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAEA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,EAAE,CAAA;AACjC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AASO,SAAS,oBAAoB,KAAA,EAAwB;AAC1D,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAEtC,EAAA,KAAA,MAAW,WAAW,aAAA,EAAe;AACnC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;AC7DO,SAAS,eAAA,CAAgB,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAC9F,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,KAAA,MAAW,WAAW,gBAAA,EAAkB;AAEtC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,mBAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAEA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,GAAG,CAAA;AAClC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AASO,SAAS,uBAAuB,KAAA,EAAwB;AAC7D,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAEtC,EAAA,KAAA,MAAW,WAAW,gBAAA,EAAkB;AACtC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;ACjDO,SAAS,cAAA,CAAe,KAAA,EAAe,OAAA,GAA2B,EAAC,EAAW;AACnF,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAGtC,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,OAAA,IAAW,KAAA,CAAM,gBAAA;AACzC,EAAA,IAAI,KAAA,CAAM,SAAS,OAAA,EAAS;AAC1B,IAAA,MAAM,IAAI,kBAAA,CAAmB,OAAA,EAAS,KAAA,CAAM,MAAM,CAAA;AAAA,EACpD;AAEA,EAAA,MAAM,MAAA,GAAS,QAAQ,IAAA,KAAS,UAAA;AAChC,EAAA,IAAI,MAAA,GAAS,KAAA;AAGb,EAAA,IAAI,OAAA,CAAQ,QAAQ,KAAA,EAAO;AACzB,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAI,SAAA,CAAU,MAAM,CAAA,EAAG;AACrB,QAAA,MAAM,IAAI,mBAAA,CAAoB,eAAA,EAAiB,+BAA+B,CAAA;AAAA,MAChF;AAAA,IACF,CAAA,MAAO;AACL,MAAA,MAAA,GAAS,YAAY,MAAM,CAAA;AAAA,IAC7B;AAAA,EACF;AAGA,EAAA,IAAI,OAAA,CAAQ,SAAS,KAAA,EAAO;AAC1B,IAAA,MAAA,GAAS,aAAa,MAAM,CAAA;AAAA,EAC9B;AAGA,EAAA,IAAI,OAAA,CAAQ,YAAY,KAAA,EAAO;AAC7B,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAI,sBAAA,CAAuB,MAAM,CAAA,EAAG;AAClC,QAAA,MAAM,IAAI,mBAAA,CAAoB,mBAAA,EAAqB,uCAAuC,CAAA;AAAA,MAC5F;AAAA,IACF,CAAA,MAAO;AACL,MAAA,MAAA,GAAS,gBAAgB,MAAM,CAAA;AAAA,IACjC;AAAA,EACF;AAIA,EAAA,IAAI,OAAA,CAAQ,QAAQ,KAAA,EAAO;AACzB,IAAA,MAAA,GAAS,WAAA,CAAY,MAAA,EAAQ,KAAA,EAAO,OAAA,CAAQ,cAAc,KAAK,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,MAAA;AACT;AAUO,SAAS,cAAA,CAAe,GAAA,EAAc,OAAA,GAA2B,EAAC,EAAY;AACnF,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,cAAA,CAAe,KAAK,OAAO,CAAA;AAC/D,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AACpC,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG,OAAO,GAAA,CAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,cAAA,CAAe,IAAA,EAAM,OAAO,CAAC,CAAA;AAE5E,EAAA,OAAO,mBAAA,CAAoB,GAAA,EAAgC,OAAA,EAAS,CAAC,CAAA;AACvE;AAKA,SAAS,mBAAA,CACP,GAAA,EACA,OAAA,EACA,KAAA,EACyB;AACzB,EAAA,IAAI,KAAA,IAAS,KAAA,CAAM,mBAAA,EAAqB,OAAO,GAAA;AAE/C,EAAA,MAAM,SAAkC,EAAC;AAEzC,EAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA,EAAG;AAElC,IAAA,IAAI,OAAA,CAAQ,UAAU,KAAA,IAAS,oBAAA,CAAqB,IAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAC1E,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,QAAQ,KAAA,KAAU,KAAA,IAAS,oBAAA,CAAqB,GAAA,CAAI,GAAG,CAAA,EAAG;AAC5D,MAAA;AAAA,IACF;AAIA,IAAA,MAAM,YAAA,GAAe,cAAA,CAAe,GAAA,EAAK,OAAO,CAAA;AAGhD,IAAA,MAAM,KAAA,GAAQ,IAAI,GAAG,CAAA;AACrB,IAAA,IAAI,KAAA,KAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,EAAW;AACzC,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,KAAA;AAAA,IACzB,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,EAAU;AACpC,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,cAAA,CAAe,KAAA,EAAO,OAAO,CAAA;AAAA,IACtD,CAAA,MAAA,IAAW,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AAC/B,MAAA,MAAA,CAAO,YAAY,IAAI,KAAA,CAAM,GAAA,CAAI,UAAQ,cAAA,CAAe,IAAA,EAAM,OAAO,CAAC,CAAA;AAAA,IACxE,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,EAAU;AACpC,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,mBAAA,CAAoB,KAAA,EAAkC,OAAA,EAAS,QAAQ,CAAC,CAAA;AAAA,IACjG,CAAA,MAAO;AACL,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,KAAA;AAAA,IACzB;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAeO,SAAS,eAAA,CAAgB,OAAA,GAA2B,EAAC,EAAmB;AAC7E,EAAA,OAAO,CAAC,GAAA,EAAc,IAAA,EAAgB,IAAA,KAAuB;AAC3D,IAAA,IAAI;AACF,MAAA,IAAI,GAAA,CAAI,IAAA,IAAQ,OAAO,GAAA,CAAI,SAAS,QAAA,EAAU;AAC5C,QAAA,GAAA,CAAI,IAAA,GAAO,cAAA,CAAe,GAAA,CAAI,IAAA,EAAM,OAAO,CAAA;AAAA,MAC7C;AACA,MAAA,IAAI,GAAA,CAAI,KAAA,IAAS,OAAO,GAAA,CAAI,UAAU,QAAA,EAAU;AAC9C,QAAA,MAAM,cAAA,GAAiB,cAAA,CAAe,GAAA,CAAI,KAAA,EAAO,OAAO,CAAA;AAExD,QAAA,MAAA,CAAO,cAAA,CAAe,GAAA,EAAK,OAAA,EAAS,EAAE,KAAA,EAAO,gBAAgB,QAAA,EAAU,IAAA,EAAM,YAAA,EAAc,IAAA,EAAM,CAAA;AAAA,MACnG;AACA,MAAA,IAAI,GAAA,CAAI,MAAA,IAAU,OAAO,GAAA,CAAI,WAAW,QAAA,EAAU;AAChD,QAAA,MAAM,eAAA,GAAkB,cAAA,CAAe,GAAA,CAAI,MAAA,EAAQ,OAAO,CAAA;AAC1D,QAAA,MAAA,CAAO,cAAA,CAAe,GAAA,EAAK,QAAA,EAAU,EAAE,KAAA,EAAO,iBAAiB,QAAA,EAAU,IAAA,EAAM,YAAA,EAAc,IAAA,EAAM,CAAA;AAAA,MACrG;AACA,MAAA,IAAA,EAAK;AAAA,IACP,SAAS,GAAA,EAAK;AACZ,MAAA,IAAA,CAAK,GAAG,CAAA;AAAA,IACV;AAAA,EACF,CAAA;AACF;;;AChKO,SAAS,oBAAoB,GAAA,EAAsB;AACxD,EAAA,OAAO,oBAAA,CAAqB,IAAI,GAAG,CAAA;AACrC;AASO,SAAS,oBAAA,CAAqB,GAAA,EAAc,QAAA,GAAW,EAAA,EAAa;AACzE,EAAA,IAAI,QAAA,IAAY,GAAG,OAAO,KAAA;AAC1B,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,OAAO,GAAA,KAAQ,UAAU,OAAO,KAAA;AAEpD,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,OAAO,IAAI,IAAA,CAAK,CAAA,IAAA,KAAQ,qBAAqB,IAAA,EAAM,QAAA,GAAW,CAAC,CAAC,CAAA;AAAA,EAClE;AAEA,EAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,GAA8B,CAAA,EAAG;AAC7D,IAAA,IAAI,mBAAA,CAAoB,GAAG,CAAA,EAAG;AAC5B,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,KAAA,GAAS,IAAgC,GAAG,CAAA;AAClD,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,KAAU,IAAA,EAAM;AAC/C,MAAA,IAAI,oBAAA,CAAqB,KAAA,EAAO,QAAA,GAAW,CAAC,CAAA,EAAG;AAC7C,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;AC9BO,SAAS,oBAAoB,GAAA,EAAsB;AACxD,EAAA,OAAO,oBAAA,CAAqB,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA;AACnD;AASO,SAAS,wBAAA,CAAyB,GAAA,EAAc,QAAA,GAAW,EAAA,EAAa;AAC7E,EAAA,IAAI,QAAA,IAAY,GAAG,OAAO,KAAA;AAC1B,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,OAAO,GAAA,KAAQ,UAAU,OAAO,KAAA;AAEpD,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,OAAO,IAAI,IAAA,CAAK,CAAA,IAAA,KAAQ,yBAAyB,IAAA,EAAM,QAAA,GAAW,CAAC,CAAC,CAAA;AAAA,EACtE;AAEA,EAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,GAA8B,CAAA,EAAG;AAC7D,IAAA,IAAI,oBAAA,CAAqB,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAC/C,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,KAAA,GAAS,IAAgC,GAAG,CAAA;AAClD,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,KAAU,IAAA,EAAM;AAC/C,MAAA,IAAI,wBAAA,CAAyB,KAAA,EAAO,QAAA,GAAW,CAAC,CAAA,EAAG;AACjD,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;ACpCA,IAAM,wBAAA,GAA2B,gBAAA;AAkB1B,SAAS,mBAAA,CAAoB,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAClG,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,IAAI,wBAAA,CAAyB,IAAA,CAAK,KAAK,CAAA,EAAG;AACxC,IAAA,wBAAA,CAAyB,SAAA,GAAY,CAAA;AACrC,IAAA,YAAA,GAAe,IAAA;AAEf,IAAA,IAAI,cAAA,EAAgB;AAClB,MAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,wBAAwB,CAAA;AACpD,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,UAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,YACX,IAAA,EAAM,kBAAA;AAAA,YACN,SAAS,wBAAA,CAAyB,MAAA;AAAA,YAClC,QAAA,EAAU;AAAA,WACX,CAAA;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,EAAA,wBAAA,CAAyB,SAAA,GAAY,CAAA;AACrC,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,wBAAA,EAA0B,EAAE,CAAA;AAExD,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AAaO,SAAS,gBAAgB,OAAA,EAAyD;AACvF,EAAA,IAAI,CAAC,OAAA,IAAW,OAAO,OAAA,KAAY,QAAA,EAAU;AAC3C,IAAA,OAAO,EAAC;AAAA,EACV;AAEA,EAAA,MAAM,SAAiC,EAAC;AAExC,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,IAAA,MAAM,YAAA,GAAe,mBAAA,CAAoB,MAAA,CAAO,GAAG,CAAC,CAAA;AACpD,IAAA,MAAM,cAAA,GAAiB,mBAAA,CAAoB,MAAA,CAAO,KAAK,CAAC,CAAA;AACxD,IAAA,MAAA,CAAO,YAAY,CAAA,GAAI,cAAA;AAAA,EACzB;AAEA,EAAA,OAAO,MAAA;AACT;AASO,SAAS,sBAAsB,KAAA,EAAwB;AAC5D,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAEtC,EAAA,wBAAA,CAAyB,SAAA,GAAY,CAAA;AACrC,EAAA,OAAO,wBAAA,CAAyB,KAAK,KAAK,CAAA;AAC5C;;;AC/EO,SAAS,QAAA,CACd,MAAA,EACA,MAAA,GAAsC,MAAA,EACtB;AAChB,EAAA,OAAO,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AAC1D,IAAA,MAAM,IAAA,GAAO,GAAA,CAAI,MAAM,CAAA,IAAK,EAAC;AAC7B,IAAA,MAAM,SAAmB,EAAC;AAC1B,IAAA,MAAM,YAAqC,EAAC;AAE5C,IAAA,KAAA,MAAW,CAAC,KAAA,EAAO,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,MAAM,CAAA,EAAG;AACnD,MAAA,MAAM,KAAA,GAAQ,KAAK,KAAK,CAAA;AACxB,MAAA,MAAM,MAAA,GAAS,aAAA,CAAc,KAAA,EAAO,KAAA,EAAO,KAAK,CAAA;AAEhD,MAAA,IAAI,MAAA,CAAO,MAAA,CAAO,MAAA,GAAS,CAAA,EAAG;AAC5B,QAAA,MAAA,CAAO,IAAA,CAAK,GAAG,MAAA,CAAO,MAAM,CAAA;AAAA,MAC9B,CAAA,MAAA,IAAW,MAAA,CAAO,KAAA,KAAU,MAAA,EAAW;AACrC,QAAA,SAAA,CAAU,KAAK,IAAI,MAAA,CAAO,KAAA;AAAA,MAC5B;AAAA,IACF;AAEA,IAAA,IAAI,MAAA,CAAO,SAAS,CAAA,EAAG;AACrB,MAAA,GAAA,CAAI,OAAO,GAAG,CAAA,CAAE,IAAA,CAAK,EAAE,QAAQ,CAAA;AAC/B,MAAA;AAAA,IACF;AAGA,IAAA,GAAA,CAAI,MAAM,CAAA,GAAI,SAAA;AACd,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAKA,SAAS,aAAA,CACP,KAAA,EACA,KAAA,EACA,KAAA,EACuC;AACvC,EAAA,MAAM,SAAmB,EAAC;AAG1B,EAAA,IAAI,MAAM,QAAA,KAAa,KAAA,KAAU,UAAa,KAAA,KAAU,IAAA,IAAQ,UAAU,EAAA,CAAA,EAAK;AAC7E,IAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,QAAA,CAAS,KAAK,CAAC,CAAA;AAC7C,IAAA,OAAO,EAAE,MAAA,EAAO;AAAA,EAClB;AAGA,EAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,IAAA,EAAM;AACzC,IAAA,OAAO,EAAE,MAAA,EAAQ,EAAC,EAAE;AAAA,EACtB;AAEA,EAAA,IAAI,UAAA,GAAsB,KAAA;AAC1B,EAAA,IAAI,OAAA,GAAU,IAAA;AAGd,EAAA,QAAQ,MAAM,IAAA;AAAM,IAClB,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,QAAQ,CAAC,CAAA;AAC3D,QAAA,OAAA,GAAU,KAAA;AACV,QAAA;AAAA,MACF;AACA,MAAA,IAAI,MAAM,GAAA,KAAQ,MAAA,IAAa,KAAA,CAAM,MAAA,GAAS,MAAM,GAAA,EAAK;AACvD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,WAAW,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AAC1D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,MAAM,GAAA,KAAQ,MAAA,IAAa,KAAA,CAAM,MAAA,GAAS,MAAM,GAAA,EAAK;AACvD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,WAAW,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AAC1D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,MAAM,OAAA,IAAW,CAAC,MAAM,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AAC/C,QAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,cAAA,CAAe,KAAK,CAAC,CAAA;AACnD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AAIA,MAAA,IAAI,OAAA,IAAW,MAAM,IAAA,IAAQ,CAAC,MAAM,IAAA,CAAK,QAAA,CAAS,KAAK,CAAA,EAAG;AACxD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,aAAa,KAAA,EAAO,KAAA,CAAM,IAAI,CAAC,CAAA;AAC7D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,OAAA,IAAW,KAAA,CAAM,QAAA,KAAa,KAAA,EAAO;AACvC,QAAA,UAAA,GAAa,eAAe,KAAK,CAAA;AAAA,MACnC;AACA,MAAA;AAAA,IAEF,KAAK,QAAA;AACH,MAAA,UAAA,GAAa,OAAO,KAAK,CAAA;AACzB,MAAA,IAAI,KAAA,CAAM,UAAoB,CAAA,EAAG;AAC/B,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,QAAQ,CAAC,CAAA;AAC3D,QAAA,OAAA,GAAU,KAAA;AACV,QAAA;AAAA,MACF;AACA,MAAA,IAAI,KAAA,CAAM,GAAA,KAAQ,MAAA,IAAc,UAAA,GAAwB,MAAM,GAAA,EAAK;AACjE,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,UAAU,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AACzD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,KAAA,CAAM,GAAA,KAAQ,MAAA,IAAc,UAAA,GAAwB,MAAM,GAAA,EAAK;AACjE,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,UAAU,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AACzD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA,IAEF,KAAK,SAAA;AACH,MAAA,IAAI,UAAU,MAAA,IAAU,KAAA,KAAU,QAAQ,KAAA,KAAU,CAAA,IAAK,UAAU,GAAA,EAAK;AACtE,QAAA,UAAA,GAAa,IAAA;AAAA,MACf,CAAA,MAAA,IAAW,UAAU,OAAA,IAAW,KAAA,KAAU,SAAS,KAAA,KAAU,CAAA,IAAK,UAAU,GAAA,EAAK;AAC/E,QAAA,UAAA,GAAa,KAAA;AAAA,MACf,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,SAAS,CAAC,CAAA;AAC5D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA,IAEF,KAAK,OAAA;AACH,MAAA,IAAI,CAAC,UAAA,CAAW,KAAA,CAAM,KAAK,MAAA,CAAO,KAAK,CAAC,CAAA,EAAG;AACzC,QAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,aAAA,CAAc,KAAK,CAAC,CAAA;AAClD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,UAAA,GAAa,eAAe,MAAA,CAAO,KAAK,EAAE,WAAA,EAAY,CAAE,MAAM,CAAA;AAAA,MAChE;AACA,MAAA;AAAA,IAEF,KAAK,KAAA;AACH,MAAA,IAAI,CAAC,UAAA,CAAW,GAAA,CAAI,KAAK,MAAA,CAAO,KAAK,CAAC,CAAA,EAAG;AACvC,QAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,WAAA,CAAY,KAAK,CAAC,CAAA;AAChD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,UAAA,GAAa,cAAA,CAAe,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,MAC3C;AACA,MAAA;AAAA,IAEF,KAAK,MAAA;AACH,MAAA,IAAI,CAAC,UAAA,CAAW,IAAA,CAAK,KAAK,MAAA,CAAO,KAAK,CAAC,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAK,CAAC,CAAA;AACjD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA,IAEF,KAAK,OAAA;AACH,MAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACzB,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,OAAO,CAAC,CAAA;AAC1D,QAAA,OAAA,GAAU,KAAA;AACV,QAAA;AAAA,MACF;AACA,MAAA,IAAI,MAAM,GAAA,KAAQ,MAAA,IAAa,KAAA,CAAM,MAAA,GAAS,MAAM,GAAA,EAAK;AACvD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,UAAU,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AACzD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,MAAM,GAAA,KAAQ,MAAA,IAAa,KAAA,CAAM,MAAA,GAAS,MAAM,GAAA,EAAK;AACvD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,UAAU,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AACzD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA,IAEF,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,UAAU,QAAA,IAAY,KAAA,CAAM,QAAQ,KAAK,CAAA,IAAK,UAAU,IAAA,EAAM;AACvE,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,QAAQ,CAAC,CAAA;AAC3D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA;AAIJ,EAAA,IAAI,OAAA,IAAW,KAAA,CAAM,IAAA,IAAQ,KAAA,CAAM,IAAA,KAAS,QAAA,IAAY,CAAC,KAAA,CAAM,IAAA,CAAK,QAAA,CAAS,UAAU,CAAA,EAAG;AACxF,IAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,aAAa,KAAA,EAAO,KAAA,CAAM,IAAI,CAAC,CAAA;AAC7D,IAAA,OAAA,GAAU,KAAA;AAAA,EACZ;AAGA,EAAA,IAAI,OAAA,IAAW,MAAM,MAAA,EAAQ;AAC3B,IAAA,MAAM,YAAA,GAAe,KAAA,CAAM,MAAA,CAAO,UAAU,CAAA;AAC5C,IAAA,IAAI,iBAAiB,MAAA,EAAW;AAC9B,MAAA,MAAM,IAAI,SAAA;AAAA,QACR,+BAA+B,KAAK,CAAA,oFAAA;AAAA,OAEtC;AAAA,IACF;AACA,IAAA,IAAI,iBAAiB,IAAA,EAAM;AACzB,MAAA,MAAA,CAAO,IAAA,CAAK,OAAO,YAAA,KAAiB,QAAA,IAAY,YAAA,CAAa,SAAS,CAAA,GAAI,YAAA,GAAe,CAAA,EAAG,KAAK,CAAA,WAAA,CAAa,CAAA;AAC9G,MAAA,OAAA,GAAU,KAAA;AAAA,IACZ;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,UAAU,UAAA,GAAa,MAAA;AAAA,IAC9B;AAAA,GACF;AACF;AAMO,IAAM,eAAA,GAAkB;;;AC7N/B,IAAM,WAAA,GAAwC;AAAA;AAAA,EAE5C,YAAA,EAAc,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,GAAA,EAAM,GAAA,EAAM,GAAI,CAAC,CAAC,CAAA;AAAA,EAC9C,WAAA,EAAa,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,KAAM,EAAA,EAAM,EAAA,EAAM,EAAI,CAAC,CAAC,CAAA;AAAA,EACnD,WAAA,EAAa,CAAC,MAAA,CAAO,IAAA,CAAK,QAAQ,CAAA,EAAG,MAAA,CAAO,IAAA,CAAK,QAAQ,CAAC,CAAA;AAAA,EAC1D,YAAA,EAAc,CAAC,MAAA,CAAO,IAAA,CAAK,MAAM,CAAC,CAAA;AAAA;AAAA,EAClC,WAAA,EAAa,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,EAAA,EAAM,EAAI,CAAC,CAAC,CAAA;AAAA,EACvC,iBAAiB,EAAC;AAAA;AAAA;AAAA,EAGlB,iBAAA,EAAmB,CAAC,MAAA,CAAO,IAAA,CAAK,MAAM,CAAC,CAAA;AAAA,EACvC,iBAAA,EAAmB,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,IAAM,EAAA,EAAM,CAAA,EAAM,CAAI,CAAC,CAAC,CAAA;AAAA;AAAA,EAGzD,YAAA,EAAc,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,GAAA,EAAM,GAAI,CAAC,CAAA,EAAG,MAAA,CAAO,IAAA,CAAK,CAAC,GAAA,EAAM,GAAI,CAAC,CAAA,EAAG,MAAA,CAAO,IAAA,CAAK,CAAC,EAAA,EAAM,EAAA,EAAM,EAAI,CAAC,CAAC,CAAA;AAAA,EACpG,aAAa;AAAC;AAChB,CAAA;AAMA,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA;AAAA,EAEnC,MAAA;AAAA,EAAQ,MAAA;AAAA,EAAQ,MAAA;AAAA,EAAQ,MAAA;AAAA,EAAQ,MAAA;AAAA,EAAQ,MAAA;AAAA,EAAQ,MAAA;AAAA,EAChD,MAAA;AAAA,EAAQ,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,MAAA;AAAA,EAAQ,MAAA;AAAA,EACtD,MAAA;AAAA,EAAQ,SAAA;AAAA,EAAW,MAAA;AAAA,EAAQ,SAAA;AAAA,EAAW,OAAA;AAAA,EAAS,OAAA;AAAA,EAC/C,KAAA;AAAA,EAAO,OAAA;AAAA,EAAS,MAAA;AAAA,EAAQ,MAAA;AAAA;AAAA,EAExB,MAAA;AAAA,EAAQ,OAAA;AAAA,EAAS,OAAA;AAAA,EAAS,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,MAAA;AAAA,EAC7C,MAAA;AAAA,EAAQ,OAAA;AAAA,EAAS,OAAA;AAAA,EAAS,OAAA;AAAA,EAAS,MAAA;AAAA,EACnC,MAAA;AAAA,EAAQ,OAAA;AAAA,EAAS,MAAA;AAAA,EAAQ,MAAA;AAAA,EACzB,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,KAAA;AAAA;AAAA,EAEtB,MAAA;AAAA,EAAQ,MAAA;AAAA,EAAQ,MAAA;AAAA,EAAQ,QAAA;AAAA;AAAA,EAExB,WAAA;AAAA,EAAa,WAAA;AAAA;AAAA,EAEb,MAAA;AAAA,EAAQ,MAAA;AAAA,EAAQ,MAAA;AAAA,EAAQ,aAAA;AAAA,EAAe,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAE/C,MAAA;AAAA,EAAQ,MAAA;AAAA,EAAQ,MAAA;AAAA,EAAQ,MAAA;AAAA;AAAA,EAExB,OAAA;AAAA,EAAS,OAAA;AAAA,EAAS,OAAA;AAAA,EAAS;AAC7B,CAAC,CAAA;AAkDD,IAAM,gBAAA,GAAmB,IAAI,IAAA,GAAO,IAAA;AAqB7B,SAAS,iBAAiB,QAAA,EAA0B;AACzD,EAAA,IAAI,IAAA,GAAO,QAAA;AAGX,EAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AAG7B,EAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,UAAA,EAAY,EAAE,CAAA;AAGlC,EAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,kBAAA,EAAoB,EAAE,CAAA;AAG1C,EAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,eAAA,EAAiB,EAAE,CAAA;AAGvC,EAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,UAAA,EAAY,GAAG,CAAA;AAGnC,EAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,MAAA,EAAQ,EAAE,CAAA;AAG9B,EAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,QAAA,EAAU,GAAG,CAAA;AACjC,EAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,SAAA,EAAW,GAAG,CAAA;AAGlC,EAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,GAAG,CAAA;AAGhC,EAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,UAAA,EAAY,EAAE,CAAA;AAGlC,EAAA,IAAI,CAAC,IAAA,IAAQ,IAAA,KAAS,GAAA,EAAK;AACzB,IAAA,IAAA,GAAO,SAAA;AAAA,EACT;AAEA,EAAA,OAAO,IAAA;AACT;AASA,SAAS,iBAAA,CAAkB,QAAgB,QAAA,EAA2B;AACpE,EAAA,MAAM,UAAA,GAAa,YAAY,QAAQ,CAAA;AACvC,EAAA,IAAI,CAAC,UAAA,IAAc,UAAA,CAAW,MAAA,KAAW,GAAG,OAAO,IAAA;AAEnD,EAAA,OAAO,UAAA,CAAW,KAAK,CAAA,GAAA,KAAO;AAC5B,IAAA,IAAI,MAAA,CAAO,MAAA,GAAS,GAAA,CAAI,MAAA,EAAQ,OAAO,KAAA;AACvC,IAAA,OAAO,OAAO,QAAA,CAAS,CAAA,EAAG,IAAI,MAAM,CAAA,CAAE,OAAO,GAAG,CAAA;AAAA,EAClD,CAAC,CAAA;AACH;AASA,SAAS,aAAa,QAAA,EAA0B;AAC9C,EAAA,MAAM,OAAA,GAAU,QAAA,CAAS,WAAA,CAAY,GAAG,CAAA;AACxC,EAAA,IAAI,OAAA,GAAU,GAAG,OAAO,EAAA;AACxB,EAAA,OAAO,QAAA,CAAS,KAAA,CAAM,OAAO,CAAA,CAAE,WAAA,EAAY;AAC7C;AAKA,SAAS,mBAAmB,QAAA,EAA2B;AACrD,EAAA,MAAM,KAAA,GAAQ,QAAA,CAAS,KAAA,CAAM,GAAG,CAAA;AAChC,EAAA,IAAI,KAAA,CAAM,MAAA,GAAS,CAAA,EAAG,OAAO,KAAA;AAG7B,EAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,MAAA,GAAS,GAAG,CAAA,EAAA,EAAK;AACzC,IAAA,MAAM,GAAA,GAAM,GAAA,GAAM,KAAA,CAAM,CAAC,EAAE,WAAA,EAAY;AACvC,IAAA,IAAI,oBAAA,CAAqB,GAAA,CAAI,GAAG,CAAA,EAAG,OAAO,IAAA;AAAA,EAC5C;AACA,EAAA,OAAO,KAAA;AACT;AA8BO,SAAS,YAAA,CACd,IAAA,EACA,OAAA,GAA+B,EAAC,EACZ;AACpB,EAAA,MAAM;AAAA,IACJ,OAAA,GAAU,gBAAA;AAAA,IACV,YAAA;AAAA,IACA,iBAAA;AAAA,IACA,gBAAA,GAAmB,IAAA;AAAA,IACnB,kBAAA,GAAqB,IAAA;AAAA,IACrB,gBAAA,GAAmB,IAAA;AAAA,IACnB,qBAAA,GAAwB;AAAA,GAC1B,GAAI,OAAA;AAEJ,EAAA,MAAM,SAAmB,EAAC;AAC1B,EAAA,MAAM,iBAAA,GAAoB,gBAAA,CAAiB,IAAA,CAAK,QAAQ,CAAA;AACxD,EAAA,MAAM,SAAA,GAAY,aAAa,iBAAiB,CAAA;AAGhD,EAAA,IAAI,IAAA,CAAK,OAAO,OAAA,EAAS;AACvB,IAAA,MAAA,CAAO,KAAK,CAAA,UAAA,EAAa,IAAA,CAAK,IAAI,CAAA,iBAAA,EAAoB,OAAO,CAAA,MAAA,CAAQ,CAAA;AAAA,EACvE;AAEA,EAAA,IAAI,IAAA,CAAK,SAAS,CAAA,EAAG;AACnB,IAAA,MAAA,CAAO,KAAK,eAAe,CAAA;AAAA,EAC7B;AAGA,EAAA,IAAI,gBAAA,IAAoB,CAAC,SAAA,EAAW;AAClC,IAAA,MAAA,CAAO,KAAK,uBAAuB,CAAA;AAAA,EACrC;AAEA,EAAA,IAAI,gBAAA,IAAoB,SAAA,IAAa,oBAAA,CAAqB,GAAA,CAAI,SAAS,CAAA,EAAG;AACxE,IAAA,MAAA,CAAO,IAAA,CAAK,CAAA,sBAAA,EAAyB,SAAS,CAAA,gBAAA,CAAkB,CAAA;AAAA,EAClE;AAEA,EAAA,IAAI,qBAAA,IAAyB,kBAAA,CAAmB,iBAAiB,CAAA,EAAG;AAClE,IAAA,MAAA,CAAO,KAAK,yDAAyD,CAAA;AAAA,EACvE;AAEA,EAAA,IAAI,qBAAqB,SAAA,EAAW;AAClC,IAAA,MAAM,oBAAoB,iBAAA,CAAkB,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa,CAAA;AACpE,IAAA,IAAI,CAAC,iBAAA,CAAkB,QAAA,CAAS,SAAS,CAAA,EAAG;AAC1C,MAAA,MAAA,CAAO,IAAA,CAAK,cAAc,SAAS,CAAA,2BAAA,EAA8B,kBAAkB,IAAA,CAAK,IAAI,CAAC,CAAA,CAAE,CAAA;AAAA,IACjG;AAAA,EACF;AAGA,EAAA,IAAI,gBAAgB,CAAC,YAAA,CAAa,QAAA,CAAS,IAAA,CAAK,QAAQ,CAAA,EAAG;AACzD,IAAA,MAAA,CAAO,IAAA,CAAK,cAAc,IAAA,CAAK,QAAQ,8BAA8B,YAAA,CAAa,IAAA,CAAK,IAAI,CAAC,CAAA,CAAE,CAAA;AAAA,EAChG;AAGA,EAAA,IAAI,sBAAsB,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,MAAA,CAAO,SAAS,CAAA,EAAG;AAC/D,IAAA,IAAI,CAAC,iBAAA,CAAkB,IAAA,CAAK,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,EAAG;AAClD,MAAA,MAAA,CAAO,IAAA,CAAK,CAAA,+CAAA,EAAkD,IAAA,CAAK,QAAQ,CAAA,CAAA,CAAG,CAAA;AAAA,IAChF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,OAAO,MAAA,KAAW,CAAA;AAAA,IACzB,MAAA;AAAA,IACA;AAAA,GACF;AACF;AAQO,SAAS,qBAAqB,QAAA,EAA2B;AAC9D,EAAA,MAAM,GAAA,GAAM,aAAa,QAAQ,CAAA;AACjC,EAAA,OAAO,GAAA,KAAQ,EAAA,IAAM,oBAAA,CAAqB,GAAA,CAAI,GAAG,CAAA;AACnD;;;AC/RO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB;AAAC,GACpB,GAAI,OAAA;AAGJ,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AACjE,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;AAQO,SAAS,cAAA,CAAe,aAAA,GAA0B,EAAC,EAA8B;AACtF,EAAA,MAAM,OAAA,uBAAc,GAAA,CAAI;AAAA,IACtB,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,aAAA,CAAc,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GAC1C,CAAA;AAED,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAClC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAMO,IAAM,OAAA,GAAU;;;ACvGhB,SAAS,KAAA,CAAM,OAAA,GAAwB,EAAC,EAAyB;AACtE,EAAA,MAAM,cAAgC,EAAC;AACvC,EAAA,MAAM,aAA6B,EAAC;AAGpC,EAAA,IAAI,OAAA,CAAQ,YAAY,KAAA,EAAO;AAC7B,IAAA,MAAM,aAA4B,OAAO,OAAA,CAAQ,YAAY,QAAA,GACzD,OAAA,CAAQ,UACR,EAAC;AACL,IAAA,WAAA,CAAY,IAAA,CAAK,aAAA,CAAc,UAAU,CAAC,CAAA;AAAA,EAC5C;AAGA,EAAA,IAAI,OAAA,CAAQ,cAAc,KAAA,EAAO;AAC/B,IAAA,MAAM,gBAAkC,OAAO,OAAA,CAAQ,cAAc,QAAA,GACjE,OAAA,CAAQ,YACR,EAAC;AACL,IAAA,MAAM,WAAA,GAAc,kBAAkB,aAAa,CAAA;AACnD,IAAA,WAAA,CAAY,KAAK,WAAW,CAAA;AAC5B,IAAA,UAAA,CAAW,IAAA,CAAK,MAAM,WAAA,CAAY,KAAA,EAAO,CAAA;AAAA,EAC3C;AAGA,EAAA,IAAI,OAAA,CAAQ,aAAa,KAAA,EAAO;AAC9B,IAAA,MAAM,eAAgC,OAAO,OAAA,CAAQ,aAAa,QAAA,GAC9D,OAAA,CAAQ,WACR,EAAC;AACL,IAAA,WAAA,CAAY,IAAA,CAAK,eAAA,CAAgB,YAAY,CAAC,CAAA;AAAA,EAChD;AAGA,EAAA,MAAM,MAAA,GAAS,WAAA;AACf,EAAA,MAAA,CAAO,QAAQ,MAAM;AACnB,IAAA,KAAA,MAAW,MAAM,UAAA,EAAY;AAC3B,MAAA,EAAA,EAAG;AAAA,IACL;AAAA,EACF,CAAA;AAEA,EAAA,OAAO,MAAA;AACT;AAGA,IAAM,gBAAA,GAAmB;AACzB,gBAAA,CAAiB,QAAA,GAAW,eAAA;AAC5B,gBAAA,CAAiB,SAAA,GAAY,iBAAA;AAC7B,gBAAA,CAAiB,OAAA,GAAU,aAAA;AAC3B,gBAAA,CAAiB,QAAA,GAAW,QAAA;AAC5B,gBAAA,CAAiB,MAAA,GAAS,gBAAA;AAC1B,gBAAA,CAAiB,YAAA,GAAe,kBAAA;AAGhC,IAAO,YAAA,GAAQ;;;AC9Df,IAAM,kBAAkB,CAAC,KAAA,EAAO,QAAQ,KAAA,EAAO,OAAA,EAAS,QAAQ,QAAQ,CAAA;AACxE,IAAM,eAAA,GAAkB,CAAC,cAAA,EAAgB,eAAe,CAAA;AACxD,IAAM,eAAA,GAAkB,GAAA;AAKxB,SAAS,eAAA,CACP,eACA,OAAA,EACS;AAET,EAAA,IAAI,aAAA,KAAkB,QAAQ,OAAO,KAAA;AAErC,EAAA,IAAI,OAAA,KAAY,MAAM,OAAO,IAAA;AAE7B,EAAA,IAAI,OAAO,YAAY,QAAA,EAAU;AAC/B,IAAA,OAAO,aAAA,KAAkB,OAAA;AAAA,EAC3B;AAEA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,OAAO,CAAA,EAAG;AAC1B,IAAA,OAAO,OAAA,CAAQ,SAAS,aAAa,CAAA;AAAA,EACvC;AAEA,EAAA,IAAI,mBAAmB,MAAA,EAAQ;AAC7B,IAAA,OAAO,OAAA,CAAQ,KAAK,aAAa,CAAA;AAAA,EACnC;AAEA,EAAA,IAAI,OAAO,YAAY,UAAA,EAAY;AACjC,IAAA,OAAO,QAAQ,aAAa,CAAA;AAAA,EAC9B;AAEA,EAAA,OAAO,KAAA;AACT;AA6BO,SAAS,SAAS,OAAA,EAAsC;AAC7D,EAAA,MAAM;AAAA,IACJ,MAAA;AAAA,IACA,OAAA,GAAU,eAAA;AAAA,IACV,cAAA,GAAiB,eAAA;AAAA,IACjB,iBAAiB,EAAC;AAAA,IAClB,WAAA,GAAc,KAAA;AAAA,IACd,MAAA,GAAS,eAAA;AAAA,IACT,iBAAA,GAAoB;AAAA,GACtB,GAAI,OAAA;AAEJ,EAAA,OAAO,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AAC1D,IAAA,MAAM,aAAA,GAAgB,IAAI,OAAA,CAAQ,MAAA;AAGlC,IAAA,GAAA,CAAI,SAAA,CAAU,QAAQ,QAAQ,CAAA;AAG9B,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAEA,IAAA,MAAM,OAAA,GAAU,eAAA,CAAgB,aAAA,EAAe,MAAM,CAAA;AAErD,IAAA,IAAI,CAAC,OAAA,EAAS;AAEZ,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAGA,IAAA,GAAA,CAAI,SAAA,CAAU,+BAA+B,aAAa,CAAA;AAE1D,IAAA,IAAI,WAAA,EAAa;AACf,MAAA,GAAA,CAAI,SAAA,CAAU,oCAAoC,MAAM,CAAA;AAAA,IAC1D;AAEA,IAAA,IAAI,cAAA,CAAe,SAAS,CAAA,EAAG;AAC7B,MAAA,GAAA,CAAI,SAAA,CAAU,+BAAA,EAAiC,cAAA,CAAe,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,IAC1E;AAGA,IAAA,IAAI,GAAA,CAAI,WAAW,SAAA,EAAW;AAC5B,MAAA,GAAA,CAAI,SAAA,CAAU,8BAAA,EAAgC,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAC,CAAA;AAChE,MAAA,GAAA,CAAI,SAAA,CAAU,8BAAA,EAAgC,cAAA,CAAe,IAAA,CAAK,IAAI,CAAC,CAAA;AACvE,MAAA,GAAA,CAAI,SAAA,CAAU,wBAAA,EAA0B,MAAA,CAAO,MAAM,CAAC,CAAA;AAEtD,MAAA,IAAI,iBAAA,EAAmB;AACrB,QAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,GAAA,EAAI;AACpB,QAAA;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAMO,IAAM,UAAA,GAAa;;;AC/I1B,IAAM,YAAA,GAAe;AAAA,EACnB,SAAA,EAAW,YAAA;AAAA,EACX,MAAA,EAAQ,UAAA;AAAA,EACR,gBAAA,EAAkB,mBAAA;AAAA,EAClB,aAAA,EAAe,gBAAA;AAAA,EACf,cAAA,EAAgB;AAClB,CAAA;AAKO,SAAS,mBAAA,CACd,WACA,OAAA,EACQ;AACR,EAAA,MAAM,KAAA,GAAQ,UAAU,WAAA,EAAY;AACpC,EAAA,IAAI,MAAA,GAAS,SAAA;AAGb,EAAA,IAAI,QAAQ,QAAA,IAAY,CAAC,KAAA,CAAM,QAAA,CAAS,UAAU,CAAA,EAAG;AACnD,IAAA,MAAA,IAAU,YAAA,CAAa,SAAA;AAAA,EACzB;AAGA,EAAA,IAAI,QAAQ,MAAA,IAAU,CAAC,KAAA,CAAM,QAAA,CAAS,UAAU,CAAA,EAAG;AACjD,IAAA,MAAA,IAAU,YAAA,CAAa,MAAA;AAAA,EACzB;AAGA,EAAA,IAAI,QAAQ,QAAA,KAAa,KAAA,IAAS,CAAC,KAAA,CAAM,QAAA,CAAS,UAAU,CAAA,EAAG;AAC7D,IAAA,QAAQ,QAAQ,QAAA;AAAU,MACxB,KAAK,QAAA;AACH,QAAA,MAAA,IAAU,YAAA,CAAa,gBAAA;AACvB,QAAA;AAAA,MACF,KAAK,MAAA;AACH,QAAA,MAAA,IAAU,YAAA,CAAa,cAAA;AAEvB,QAAA,IAAI,CAAC,MAAA,CAAO,WAAA,EAAY,CAAE,QAAA,CAAS,UAAU,CAAA,EAAG;AAC9C,UAAA,MAAA,IAAU,YAAA,CAAa,MAAA;AAAA,QACzB;AACA,QAAA;AAAA,MACF,KAAK,KAAA;AAAA,MACL;AACE,QAAA,MAAA,IAAU,YAAA,CAAa,aAAA;AACvB,QAAA;AAAA;AACJ,EACF;AAGA,EAAA,IAAI,QAAQ,IAAA,EAAM;AAChB,IAAA,IAAI,KAAA,CAAM,QAAA,CAAS,OAAO,CAAA,EAAG;AAC3B,MAAA,MAAA,GAAS,OAAO,OAAA,CAAQ,iBAAA,EAAmB,CAAA,OAAA,EAAU,OAAA,CAAQ,IAAI,CAAA,CAAE,CAAA;AAAA,IACrE,CAAA,MAAO;AACL,MAAA,MAAA,IAAU,CAAA,OAAA,EAAU,QAAQ,IAAI,CAAA,CAAA;AAAA,IAClC;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAqBO,SAAS,oBAAA,CAAqB,OAAA,GAA+B,EAAC,EAAmB;AACtF,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAC9C,EAAA,MAAM,QAAA,GAAW;AAAA,IACf,QAAA,EAAU,QAAQ,QAAA,IAAY,IAAA;AAAA,IAC9B,MAAA,EAAQ,QAAQ,MAAA,IAAU,YAAA;AAAA,IAC1B,QAAA,EAAU,QAAQ,QAAA,IAAY,KAAA;AAAA,IAC9B,MAAM,OAAA,CAAQ;AAAA,GAChB;AAEA,EAAA,OAAO,CAAC,IAAA,EAAe,GAAA,EAAe,IAAA,KAAuB;AAE3D,IAAA,MAAM,iBAAA,GAAoB,GAAA,CAAI,SAAA,CAAU,IAAA,CAAK,GAAG,CAAA;AAEhD,IAAA,GAAA,CAAI,SAAA,GAAY,SAAS,gBAAA,CAAiB,IAAA,EAAc,KAAA,EAA4C;AAClG,MAAA,IAAI,IAAA,CAAK,WAAA,EAAY,KAAM,YAAA,EAAc;AACvC,QAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,UAAA,KAAA,GAAQ,KAAA,CAAM,IAAI,CAAA,CAAA,KAAK,mBAAA,CAAoB,OAAO,CAAC,CAAA,EAAG,QAAQ,CAAC,CAAA;AAAA,QACjE,CAAA,MAAO;AACL,UAAA,KAAA,GAAQ,mBAAA,CAAoB,MAAA,CAAO,KAAK,CAAA,EAAG,QAAQ,CAAA;AAAA,QACrD;AAAA,MACF;AACA,MAAA,OAAO,iBAAA,CAAkB,MAAM,KAAK,CAAA;AAAA,IACtC,CAAA;AAEA,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAMO,IAAM,mBAAA,GAAsB;;;ACxE5B,SAAS,WAAA,CAAY,GAAA,EAAa,OAAA,GAA8B,EAAC,EAAsB;AAC5F,EAAA,MAAM;AAAA,IACJ,gBAAA,GAAmB,CAAC,OAAA,EAAS,QAAQ,CAAA;AAAA,IACrC,eAAe,EAAC;AAAA,IAChB,eAAe,EAAC;AAAA,IAChB,cAAA,GAAiB,KAAA;AAAA,IACjB,YAAA,GAAe;AAAA,GACjB,GAAI,OAAA;AAEJ,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,IAAY,GAAA,CAAI,IAAA,OAAW,EAAA,EAAI;AAChD,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,oCAAA,EAAqC;AAAA,EACrE;AAGA,EAAA,IAAI,MAAA;AACJ,EAAA,IAAI;AACF,IAAA,MAAA,GAAS,IAAI,IAAI,GAAG,CAAA;AAAA,EACtB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,8BAAA,EAA+B;AAAA,EAC/D;AAGA,EAAA,IAAI,CAAC,gBAAA,CAAiB,QAAA,CAAS,MAAA,CAAO,QAAQ,CAAA,EAAG;AAC/C,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,QAAQ,CAAA,qBAAA,EAAwB,MAAA,CAAO,QAAQ,CAAA,CAAA,EAAG;AAAA,EAC1E;AAGA,EAAA,IAAI,MAAA,CAAO,QAAA,IAAY,MAAA,CAAO,QAAA,EAAU;AACtC,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,0BAAA,EAA2B;AAAA,EAC3D;AAEA,EAAA,MAAM,QAAA,GAAW,MAAA,CAAO,QAAA,CAAS,WAAA,EAAY;AAG7C,EAAA,IAAI,aAAa,IAAA,CAAK,CAAA,CAAA,KAAK,aAAa,CAAA,CAAE,WAAA,EAAa,CAAA,EAAG;AACxD,IAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AAAA,EACtB;AAGA,EAAA,IAAI,aAAa,IAAA,CAAK,CAAA,CAAA,KAAK,aAAa,CAAA,CAAE,WAAA,EAAa,CAAA,EAAG;AACxD,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,CAAA,cAAA,EAAiB,QAAQ,CAAA,CAAA,EAAG;AAAA,EAC5D;AAGA,EAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,IAAA,IACE,QAAA,KAAa,WAAA,IACb,QAAA,KAAa,WAAA,IACb,QAAA,KAAa,OAAA,IACb,QAAA,KAAa,KAAA,IACb,QAAA,KAAa,SAAA,IACb,QAAA,CAAS,QAAA,CAAS,YAAY,CAAA,EAC9B;AACA,MAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,kBAAA,EAAmB;AAAA,IACnD;AAGA,IAAA,IAAI,kCAAA,CAAmC,IAAA,CAAK,QAAQ,CAAA,EAAG;AACrD,MAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,kBAAA,EAAmB;AAAA,IACnD;AAAA,EACF;AAGA,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,MAAM,YAAA,GAAe,eAAe,QAAQ,CAAA;AAC5C,IAAA,IAAI,YAAA,EAAc;AAChB,MAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,YAAA,EAAa;AAAA,IAC7C;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AACtB;AASO,SAAS,SAAA,CAAU,GAAA,EAAa,OAAA,GAA8B,EAAC,EAAY;AAChF,EAAA,OAAO,WAAA,CAAY,GAAA,EAAK,OAAO,CAAA,CAAE,IAAA;AACnC;AAMA,SAAS,eAAe,QAAA,EAAiC;AAEvD,EAAA,IAAI,iCAAA,CAAkC,IAAA,CAAK,QAAQ,CAAA,EAAG;AACpD,IAAA,OAAO,8BAAA;AAAA,EACT;AAGA,EAAA,MAAM,QAAA,GAAW,QAAA,CAAS,KAAA,CAAM,oCAAoC,CAAA;AACpE,EAAA,IAAI,QAAA,EAAU;AACZ,IAAA,MAAM,MAAA,GAAS,QAAA,CAAS,QAAA,CAAS,CAAC,GAAG,EAAE,CAAA;AACvC,IAAA,IAAI,MAAA,IAAU,EAAA,IAAM,MAAA,IAAU,EAAA,EAAI;AAChC,MAAA,OAAO,iCAAA;AAAA,IACT;AAAA,EACF;AAGA,EAAA,IAAI,8BAAA,CAA+B,IAAA,CAAK,QAAQ,CAAA,EAAG;AACjD,IAAA,OAAO,kCAAA;AAAA,EACT;AAIA,EAAA,IAAI,8BAAA,CAA+B,IAAA,CAAK,QAAQ,CAAA,EAAG;AACjD,IAAA,OAAO,qCAAA;AAAA,EACT;AAGA,EAAA,IAAI,gCAAA,CAAiC,IAAA,CAAK,QAAQ,CAAA,EAAG;AACnD,IAAA,OAAO,qCAAA;AAAA,EACT;AAGA,EAAA,IACE,QAAA,KAAa,0BAAA,IACb,QAAA,KAAa,mBAAA,EACb;AACA,IAAA,OAAO,yBAAA;AAAA,EACT;AAGA,EAAA,MAAM,IAAA,GAAO,QAAA,CAAS,OAAA,CAAQ,UAAA,EAAY,EAAE,CAAA;AAC5C,EAAA,IACE,IAAA,KAAS,KAAA,IACT,IAAA,KAAS,IAAA,IACT,KAAK,UAAA,CAAW,IAAI,CAAA,IACpB,IAAA,CAAK,WAAW,IAAI,CAAA,IACpB,IAAA,CAAK,UAAA,CAAW,MAAM,CAAA,EACtB;AACA,IAAA,OAAO,sBAAA;AAAA,EACT;AAEA,EAAA,OAAO,IAAA;AACT;;;AC9JA,IAAM,mBAAA,GAAsB,oCAAA;AAG5B,IAAM,aAAA,GAAgB,WAAA;AAoBf,SAAS,gBAAA,CACd,GAAA,EACA,OAAA,GAAmC,EAAC,EACZ;AACxB,EAAA,MAAM;AAAA,IACJ,eAAe,EAAC;AAAA,IAChB,qBAAA,GAAwB,KAAA;AAAA,IACxB,gBAAA,GAAmB,CAAC,OAAA,EAAS,QAAQ;AAAA,GACvC,GAAI,OAAA;AAEJ,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,IAAY,GAAA,CAAI,IAAA,OAAW,EAAA,EAAI;AAChD,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,yCAAA,EAA0C;AAAA,EAC1E;AAGA,EAAA,MAAM,OAAA,GAAU,GAAA,CAAI,OAAA,CAAQ,aAAA,EAAe,EAAE,CAAA;AAG7C,EAAA,IAAI,mBAAA,CAAoB,IAAA,CAAK,OAAO,CAAA,EAAG;AACrC,IAAA,MAAM,KAAA,GAAQ,OAAA,CAAQ,KAAA,CAAM,mBAAmB,CAAA;AAC/C,IAAA,OAAO,EAAE,MAAM,KAAA,EAAO,MAAA,EAAQ,uBAAuB,KAAA,CAAO,CAAC,CAAC,CAAA,CAAA,EAAG;AAAA,EACnE;AAIA,EAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,8DAAA,EAA+D;AAAA,EAC/F;AAGA,EAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,EAAG;AAC5B,IAAA,IAAI,CAAC,qBAAA,EAAuB;AAE1B,MAAA,MAAMA,KAAAA,GAAO,YAAY,OAAO,CAAA;AAChC,MAAA,IAAIA,KAAAA,IAAQ,aAAa,IAAA,CAAK,CAAA,CAAA,KAAKA,UAAS,CAAA,CAAE,WAAA,EAAa,CAAA,EAAG;AAC5D,QAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AAAA,MACtB;AACA,MAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,4CAAA,EAA6C;AAAA,IAC7E;AACA,IAAA,MAAM,IAAA,GAAO,YAAY,OAAO,CAAA;AAChC,IAAA,IAAI,IAAA,IAAQ,YAAA,CAAa,MAAA,GAAS,CAAA,IAAK,CAAC,YAAA,CAAa,IAAA,CAAK,CAAA,CAAA,KAAK,IAAA,KAAS,CAAA,CAAE,WAAA,EAAa,CAAA,EAAG;AACxF,MAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,4CAAA,EAA6C;AAAA,IAC7E;AACA,IAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AAAA,EACtB;AAGA,EAAA,IAAI,MAAA;AACJ,EAAA,IAAI;AACF,IAAA,MAAA,GAAS,IAAI,IAAI,OAAO,CAAA;AAAA,EAC1B,CAAA,CAAA,MAAQ;AAEN,IAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AAAA,EACtB;AAIA,EAAA,IAAI,CAAC,gBAAA,CAAiB,QAAA,CAAS,MAAA,CAAO,QAAQ,CAAA,EAAG;AAC/C,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,QAAQ,CAAA,qBAAA,EAAwB,MAAA,CAAO,QAAQ,CAAA,CAAA,EAAG;AAAA,EAC1E;AAGA,EAAA,MAAM,QAAA,GAAW,MAAA,CAAO,QAAA,CAAS,WAAA,EAAY;AAC7C,EAAA,IAAI,YAAA,CAAa,WAAW,CAAA,EAAG;AAC7B,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,mCAAA,EAAoC;AAAA,EACpE;AAEA,EAAA,IAAI,CAAC,aAAa,IAAA,CAAK,CAAA,CAAA,KAAK,aAAa,CAAA,CAAE,WAAA,EAAa,CAAA,EAAG;AACzD,IAAA,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,MAAA,EAAQ,CAAA,kBAAA,EAAqB,QAAQ,CAAA,CAAA,EAAG;AAAA,EAChE;AAEA,EAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AACtB;AASO,SAAS,cAAA,CAAe,GAAA,EAAa,OAAA,GAAmC,EAAC,EAAY;AAC1F,EAAA,OAAO,gBAAA,CAAiB,GAAA,EAAK,OAAO,CAAA,CAAE,IAAA;AACxC;AAKA,SAAS,YAAY,GAAA,EAA4B;AAE/C,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,KAAA,CAAM,iBAAiB,CAAA;AACzC,EAAA,OAAO,KAAA,GAAQ,KAAA,CAAM,CAAC,CAAA,CAAE,aAAY,GAAI,IAAA;AAC1C;;;AC1IO,IAAM,cAAN,MAA4C;AAAA,EAKjD,WAAA,CAAY,QAAA,GAAmB,UAAA,CAAW,iBAAA,EAAmB;AAJ7D,IAAA,IAAA,CAAQ,KAAA,uBAAyC,GAAA,EAAI;AACrD,IAAA,IAAA,CAAQ,eAAA,GAAyD,IAAA;AAI/D,IAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA,IAAK,QAAA,GAAW,WAAW,aAAA,EAAe;AACrE,MAAA,MAAM,IAAI,UAAA;AAAA,QACR,CAAA,iDAAA,EAAoD,UAAA,CAAW,aAAa,CAAA,MAAA,EAAS,QAAQ,CAAA,CAAA;AAAA,OAC/F;AAAA,IACF;AACA,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,YAAA,EAAa;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAA,GAAqB;AAI3B,IAAA,MAAM,cAAA,GAAiB,GAAA;AACvB,IAAA,MAAM,cAAA,GAAiB,GAAA;AACvB,IAAA,MAAM,SAAA,GAAY,KAAK,GAAA,CAAI,IAAA,CAAK,IAAI,IAAA,CAAK,QAAA,EAAU,cAAc,CAAA,EAAG,cAAc,CAAA;AAElF,IAAA,IAAA,CAAK,eAAA,GAAkB,YAAY,MAAM;AACvC,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,IAAA,CAAK,KAAA,CAAM,SAAQ,EAAG;AAC/C,QAAA,IAAI,KAAA,CAAM,YAAY,GAAA,EAAK;AACzB,UAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,QACvB;AAAA,MACF;AAAA,IACF,GAAG,SAAS,CAAA;AAGZ,IAAA,IAAI,OAAO,IAAA,CAAK,eAAA,CAAgB,KAAA,KAAU,UAAA,EAAY;AACpD,MAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAAA,IAC7B;AAAA,EACF;AAAA,EAEA,MAAM,IAAI,GAAA,EAA6C;AACrD,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAChC,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAGnB,IAAA,IAAI,KAAA,CAAM,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,EAAG;AAChC,MAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AACrB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA,EAEA,MAAM,GAAA,CAAI,GAAA,EAAa,KAAA,EAAsC;AAC3D,IAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,EAC3B;AAAA,EAEA,MAAM,UAAU,GAAA,EAA8B;AAC5C,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAEhC,IAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,SAAA,GAAY,GAAA,EAAK;AAEnC,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,EAAE,KAAA,EAAO,GAAG,SAAA,EAAW,GAAA,GAAM,IAAA,CAAK,QAAA,EAAU,CAAA;AAChE,MAAA,OAAO,CAAA;AAAA,IACT;AAEA,IAAA,KAAA,CAAM,KAAA,EAAA;AACN,IAAA,OAAO,KAAA,CAAM,KAAA;AAAA,EACf;AAAA,EAEA,MAAM,UAAU,GAAA,EAA4B;AAC1C,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAChC,IAAA,IAAI,KAAA,IAAS,KAAA,CAAM,KAAA,GAAQ,CAAA,EAAG;AAC5B,MAAA,KAAA,CAAM,KAAA,EAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,MAAM,GAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,EACvB;AAAA,EAEA,MAAM,KAAA,GAAuB;AAC3B,IAAA,IAAI,KAAK,eAAA,EAAiB;AACxB,MAAA,aAAA,CAAc,KAAK,eAAe,CAAA;AAClC,MAAA,IAAA,CAAK,eAAA,GAAkB,IAAA;AAAA,IACzB;AACA,IAAA,IAAA,CAAK,MAAM,KAAA,EAAM;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,IAAA,GAAe;AACjB,IAAA,OAAO,KAAK,KAAA,CAAM,IAAA;AAAA,EACpB;AACF;;;ACjEO,IAAM,aAAN,MAA2C;AAAA,EAMhD,YAAY,OAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,MAAA,GAAS,QAAQ,MAAA,IAAU,WAAA;AAChC,IAAA,IAAA,CAAK,QAAA,GAAW,OAAA,CAAQ,QAAA,IAAY,UAAA,CAAW,iBAAA;AAC/C,IAAA,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,IAAA,CAAK,IAAA,CAAK,WAAW,GAAI,CAAA;AAAA,EACjD;AAAA,EAEQ,OAAO,GAAA,EAAqB;AAClC,IAAA,OAAO,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,EAAG,GAAG,CAAA,CAAA;AAAA,EAC7B;AAAA,EAEA,MAAM,IAAI,GAAA,EAA6C;AACrD,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAEhC,IAAA,MAAM,CAAC,QAAA,EAAU,GAAG,CAAA,GAAI,MAAM,QAAQ,GAAA,CAAI;AAAA,MACxC,IAAA,CAAK,MAAA,CAAO,GAAA,CAAI,QAAQ,CAAA;AAAA,MACxB,IAAA,CAAK,MAAA,CAAO,GAAA,CAAI,QAAQ;AAAA,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,QAAA,IAAY,GAAA,GAAM,CAAA,EAAG;AACxB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,KAAA,GAAQ,QAAA,CAAS,QAAA,EAAU,EAAE,CAAA;AACnC,IAAA,IAAI,KAAA,CAAM,KAAK,CAAA,EAAG;AAEhB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,GAAK,GAAA,GAAM;AAAA,KACjC;AAAA,EACF;AAAA,EAEA,MAAM,GAAA,CAAI,GAAA,EAAa,KAAA,EAAsC;AAC3D,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAGhC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,IAAA,CAAK,IAAA,CAAA,CAAM,KAAA,CAAM,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,IAAK,GAAI,CAAC,CAAA;AAC3E,IAAA,MAAM,IAAA,CAAK,OAAO,KAAA,CAAM,QAAA,EAAU,QAAQ,KAAA,CAAM,KAAA,CAAM,UAAU,CAAA;AAAA,EAClE;AAAA,EAEA,MAAM,UAAU,GAAA,EAA8B;AAC5C,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAGhC,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,MAAA,CAAO,KAAK,QAAQ,CAAA;AAK7C,IAAA,IAAI,UAAU,CAAA,EAAG;AACf,MAAA,MAAM,IAAA,CAAK,MAAA,CAAO,MAAA,CAAO,QAAA,EAAU,KAAK,SAAS,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA,EAEA,MAAM,UAAU,GAAA,EAA4B;AAC1C,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAChC,IAAA,MAAM,IAAA,CAAK,MAAA,CAAO,IAAA,CAAK,QAAQ,CAAA;AAAA,EACjC;AAAA,EAEA,MAAM,MAAM,GAAA,EAA4B;AACtC,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAChC,IAAA,MAAM,IAAA,CAAK,MAAA,CAAO,GAAA,CAAI,QAAQ,CAAA;AAAA,EAChC;AAAA,EAEA,MAAM,KAAA,GAAuB;AAAA,EAG7B;AACF;AASO,SAAS,iBAAiB,OAAA,EAAwC;AACvE,EAAA,OAAO,IAAI,WAAW,OAAO,CAAA;AAC/B","file":"index.mjs","sourcesContent":["/**\r\n * @module @arcis/node/core/constants\r\n * Named constants for Arcis - no magic numbers\r\n */\r\n\r\n// =============================================================================\r\n// INPUT LIMITS\r\n// =============================================================================\r\nexport const INPUT = {\r\n  /** Default maximum input size (1MB) */\r\n  DEFAULT_MAX_SIZE: 1_000_000,\r\n  /** Maximum recursion depth for nested objects */\r\n  MAX_RECURSION_DEPTH: 10,\r\n} as const;\r\n\r\n// =============================================================================\r\n// RATE LIMITING\r\n// =============================================================================\r\nexport const RATE_LIMIT = {\r\n  /** Default window size (1 minute) */\r\n  DEFAULT_WINDOW_MS: 60_000,\r\n  /** Default max requests per window */\r\n  DEFAULT_MAX_REQUESTS: 100,\r\n  /** Default HTTP status code for rate limited responses */\r\n  DEFAULT_STATUS_CODE: 429,\r\n  /** Default error message */\r\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\r\n  /** Minimum window size (1 second) */\r\n  MIN_WINDOW_MS: 1_000,\r\n  /** Maximum window size (24 hours) */\r\n  MAX_WINDOW_MS: 86_400_000,\r\n} as const;\r\n\r\n// =============================================================================\r\n// SECURITY HEADERS\r\n// =============================================================================\r\nexport const HEADERS = {\r\n  /** Default Content Security Policy */\r\n  DEFAULT_CSP: [\r\n    \"default-src 'self'\",\r\n    \"script-src 'self'\",\r\n    \"style-src 'self' 'unsafe-inline'\",\r\n    \"img-src 'self' data: https:\",\r\n    \"font-src 'self'\",\r\n    \"object-src 'none'\",\r\n    \"frame-ancestors 'none'\",\r\n  ].join('; '),\r\n  /** Default HSTS max age (1 year in seconds) */\r\n  HSTS_MAX_AGE: 31_536_000,\r\n  /** Default X-Frame-Options value */\r\n  FRAME_OPTIONS: 'DENY' as const,\r\n  /** Default X-Content-Type-Options value */\r\n  CONTENT_TYPE_OPTIONS: 'nosniff',\r\n  /** Default Referrer-Policy value */\r\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\r\n  /** Default Permissions-Policy value */\r\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\r\n  /** Default Cache-Control value for security */\r\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\r\n} as const;\r\n\r\n// =============================================================================\r\n// XSS PATTERNS (ReDoS-safe)\r\n// =============================================================================\r\n\r\n/**\r\n * Detection patterns — used to flag whether a string contains XSS payloads.\r\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\r\n */\r\nexport const XSS_PATTERNS = [\r\n  /** Script tags (ReDoS-safe version) */\r\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n  /** javascript: protocol (allow optional spaces before colon) */\r\n  /javascript\\s*:/gi,\r\n  /** vbscript: protocol */\r\n  /vbscript\\s*:/gi,\r\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\r\n  /(?:[\\s/])on\\w+\\s*=/gi,\r\n  /** iframe tags */\r\n  /<iframe/gi,\r\n  /** object tags */\r\n  /<object/gi,\r\n  /** embed tags */\r\n  /<embed/gi,\r\n  /** data: URIs (only dangerous ones, avoid false positives) */\r\n  /(?:^|[\\s\"'=])data:/gi,\r\n  /** URL-encoded script tags */\r\n  /%3Cscript/gi,\r\n  /** SVG with onload */\r\n  /<svg[^>]*onload/gi,\r\n] as const;\r\n\r\n/**\r\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\r\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\r\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\r\n * Must stay in sync with XSS_PATTERNS above.\r\n */\r\nexport const XSS_REMOVE_PATTERNS = [\r\n  /** Full script blocks (content + tags) */\r\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n  /** Standalone/unclosed script tags */\r\n  /<script[^>]*>/gi,\r\n  /** iframe — full block and partial/unclosed */\r\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\r\n  /<iframe[^>]*/gi,\r\n  /** object — full block and partial/unclosed */\r\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\r\n  /<object[^>]*/gi,\r\n  /** embed tags */\r\n  /<embed[^>]*/gi,\r\n  /** SVG with inline event handlers */\r\n  /<svg[^>]*onload[^>]*>/gi,\r\n  /** URL-encoded script tags */\r\n  /%3Cscript/gi,\r\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\r\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\r\n  /** Event handlers with unquoted values: onload=value */\r\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\r\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\r\n  /javascript\\s*:/gi,\r\n  /vbscript\\s*:/gi,\r\n  /** data: URIs with HTML/script content */\r\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// SQL INJECTION PATTERNS\r\n// =============================================================================\r\nexport const SQL_PATTERNS = [\r\n  /** SQL keywords */\r\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\r\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\r\n  /(--|\\/\\*|\\*\\/|#)/g,\r\n  /** SQL statement separators */\r\n  /(;|\\|\\||&&)/g,\r\n  /** Boolean injection: OR 1=1 */\r\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\r\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\r\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n  /** Boolean injection: AND 1=1 */\r\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\r\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\r\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n  /** Time-based blind: SLEEP() */\r\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\r\n  /** Time-based blind: BENCHMARK() */\r\n  /\\bBENCHMARK\\s*\\(/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// PATH TRAVERSAL PATTERNS\r\n// =============================================================================\r\nexport const PATH_PATTERNS = [\r\n  /** Unix path traversal */\r\n  /\\.\\.\\//g,\r\n  /** Windows path traversal */\r\n  /\\.\\.\\\\/g,\r\n  /** URL-encoded traversal (%2e%2e) */\r\n  /%2e%2e/gi,\r\n  /** Double URL-encoded traversal (%252e) */\r\n  /%252e/gi,\r\n  /** Mixed encoding: ..%2F */\r\n  /\\.\\.%2F/gi,\r\n  /** Mixed encoding: %2e./ and .%2e/ */\r\n  /%2e\\.[\\\\/]/gi,\r\n  /\\.%2e[\\\\/]/gi,\r\n  /** Fully URL-encoded: %2e%2e%2f */\r\n  /%2e%2e%2f/gi,\r\n  /** Null byte injection in paths */\r\n  /\\0/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// COMMAND INJECTION PATTERNS\r\n// =============================================================================\r\nexport const COMMAND_PATTERNS = [\r\n  /**\r\n   * Shell metacharacters that enable command chaining/substitution.\r\n   * Bare ( and ) are excluded — they appear in common legitimate values\r\n   * (function calls in code fields, math expressions, etc.).\r\n   * Command substitution is caught by the $( combined pattern below.\r\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\r\n   * and Markdown; consider disabling command checking (command: false)\r\n   * for fields that intentionally allow those characters.\r\n   */\r\n  /[;&|`]/g,\r\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\r\n  /\\$\\(/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// DANGEROUS KEYS\r\n// =============================================================================\r\n\r\n/**\r\n * Prototype pollution keys to block.\r\n * Stored lowercase — always compare with key.toLowerCase().\r\n *\r\n * Includes:\r\n * - __proto__: direct prototype assignment\r\n * - constructor: access to constructor.prototype chain\r\n * - prototype: direct prototype property\r\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\r\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\r\n */\r\nexport const DANGEROUS_PROTO_KEYS = new Set([\r\n  '__proto__',\r\n  'constructor',\r\n  'prototype',\r\n  '__definegetter__',\r\n  '__definesetter__',\r\n  '__lookupgetter__',\r\n  '__lookupsetter__',\r\n]);\r\n\r\n/** MongoDB operators to block */\r\nexport const NOSQL_DANGEROUS_KEYS = new Set([\r\n  // Comparison\r\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\r\n  // Logical\r\n  '$and', '$or', '$not', '$nor',\r\n  // Element / evaluation\r\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text',\r\n  // Array\r\n  '$elemMatch', '$all', '$size',\r\n  // JavaScript execution (critical)\r\n  '$function', '$accumulator',\r\n  // Aggregation pipeline operators (injectable via $lookup etc.)\r\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\r\n  '$unwind', '$addFields', '$replaceRoot',\r\n]);\r\n\r\n// =============================================================================\r\n// REDACTION\r\n// =============================================================================\r\nexport const REDACTION = {\r\n  /** Replacement text for redacted values */\r\n  REPLACEMENT: '[REDACTED]',\r\n  /** Truncation indicator */\r\n  TRUNCATED: '[TRUNCATED]',\r\n  /** Max depth indicator */\r\n  MAX_DEPTH: '[MAX_DEPTH]',\r\n  /** Default max message length */\r\n  DEFAULT_MAX_LENGTH: 10_000,\r\n  /** Default sensitive keys to redact */\r\n  SENSITIVE_KEYS: new Set([\r\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\r\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\r\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\r\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\r\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\r\n    'credentials', 'x-api-key', 'x-auth-token',\r\n  ]),\r\n} as const;\r\n\r\n// =============================================================================\r\n// VALIDATION PATTERNS\r\n// =============================================================================\r\nexport const VALIDATION = {\r\n  /**\r\n   * Email regex pattern.\r\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\r\n   * leading/trailing dots, and other common invalid forms.\r\n   */\r\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\r\n  /**\r\n   * URL regex pattern.\r\n   * Only allows http:// and https:// — explicitly rejects javascript:,\r\n   * data:, vbscript:, and other dangerous URI schemes.\r\n   */\r\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\r\n  /** UUID regex pattern (v4) */\r\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\r\n} as const;\r\n\r\n// =============================================================================\r\n// ERROR MESSAGES\r\n// =============================================================================\r\nexport const ERRORS = {\r\n  /** Generic error message (production) */\r\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\r\n  /** Input too large error */\r\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\r\n  /** Validation error messages */\r\n  VALIDATION: {\r\n    REQUIRED: (field: string) => `${field} is required`,\r\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\r\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\r\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\r\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\r\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\r\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\r\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\r\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\r\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\r\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\r\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\r\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\r\n  },\r\n} as const;\r\n\r\n// =============================================================================\r\n// BLOCKED TEXT (for sanitizer replacements)\r\n// =============================================================================\r\nexport const BLOCKED = '[BLOCKED]' as const;\r\n","/**\r\n * @module @arcis/node/middleware/headers\r\n * Security headers middleware\r\n */\r\n\r\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\r\nimport { HEADERS } from '../core/constants';\r\nimport type { HeaderOptions, HstsOptions } from '../core/types';\r\n\r\n/**\r\n * Create Express middleware for security headers.\r\n * Sets CSP, HSTS, X-Frame-Options, and other security headers.\r\n * \r\n * @param options - Header configuration\r\n * @returns Express middleware\r\n * \r\n * @example\r\n * app.use(createHeaders());\r\n * \r\n * @example\r\n * app.use(createHeaders({\r\n *   frameOptions: 'SAMEORIGIN',\r\n *   contentSecurityPolicy: \"default-src 'self'\"\r\n * }));\r\n */\r\nexport function createHeaders(options: HeaderOptions = {}): RequestHandler {\r\n  const {\r\n    contentSecurityPolicy = true,\r\n    xssFilter = true,\r\n    noSniff = true,\r\n    frameOptions = HEADERS.FRAME_OPTIONS,\r\n    hsts = true,\r\n    referrerPolicy = HEADERS.REFERRER_POLICY,\r\n    permissionsPolicy = HEADERS.PERMISSIONS_POLICY,\r\n    cacheControl = true,\r\n  } = options;\r\n\r\n  return (req: Request, res: Response, next: NextFunction) => {\r\n    // Content Security Policy\r\n    if (contentSecurityPolicy) {\r\n      const csp = typeof contentSecurityPolicy === 'string' \r\n        ? contentSecurityPolicy \r\n        : HEADERS.DEFAULT_CSP;\r\n      res.setHeader('Content-Security-Policy', csp);\r\n    }\r\n\r\n    // X-XSS-Protection (legacy but still useful for older browsers)\r\n    if (xssFilter) {\r\n      res.setHeader('X-XSS-Protection', '1; mode=block');\r\n    }\r\n\r\n    // Prevent MIME type sniffing\r\n    if (noSniff) {\r\n      res.setHeader('X-Content-Type-Options', HEADERS.CONTENT_TYPE_OPTIONS);\r\n    }\r\n\r\n    // Clickjacking protection\r\n    if (frameOptions) {\r\n      res.setHeader('X-Frame-Options', frameOptions);\r\n    }\r\n\r\n    // HTTPS enforcement (HSTS)\r\n    // Only send HSTS over HTTPS — sending it over HTTP can brick HTTP-only\r\n    // development servers and confuses browsers that cache the directive.\r\n    // X-Forwarded-Proto is client-supplied so we validate the extracted value\r\n    // is exactly 'https' or 'http' before trusting it.\r\n    const forwardedProto = (req.headers['x-forwarded-proto'] as string | undefined)\r\n      ?.split(',')[0]\r\n      .trim()\r\n      .toLowerCase();\r\n    const trustedForwardedProto = forwardedProto === 'https' || forwardedProto === 'http'\r\n      ? forwardedProto\r\n      : undefined;\r\n    const isHttps = req.secure || trustedForwardedProto === 'https';\r\n\r\n    if (hsts && isHttps) {\r\n      const hstsOpts: HstsOptions = typeof hsts === 'object' ? hsts : {};\r\n      const maxAge = hstsOpts.maxAge ?? HEADERS.HSTS_MAX_AGE;\r\n      const includeSubDomains = hstsOpts.includeSubDomains !== false;\r\n      const preload = hstsOpts.preload === true;\r\n\r\n      let hstsValue = `max-age=${maxAge}`;\r\n      if (includeSubDomains) hstsValue += '; includeSubDomains';\r\n      if (preload) hstsValue += '; preload';\r\n\r\n      res.setHeader('Strict-Transport-Security', hstsValue);\r\n    }\r\n\r\n    // Referrer Policy\r\n    if (referrerPolicy) {\r\n      res.setHeader('Referrer-Policy', referrerPolicy);\r\n    }\r\n\r\n    // Permissions Policy\r\n    if (permissionsPolicy) {\r\n      res.setHeader('Permissions-Policy', permissionsPolicy);\r\n    }\r\n\r\n    // Additional security headers\r\n    res.setHeader('X-Permitted-Cross-Domain-Policies', 'none');\r\n\r\n    // Cache-Control headers\r\n    if (cacheControl) {\r\n      const cacheControlValue = typeof cacheControl === 'string'\r\n        ? cacheControl\r\n        : HEADERS.CACHE_CONTROL;\r\n      res.setHeader('Cache-Control', cacheControlValue);\r\n      res.setHeader('Pragma', 'no-cache');\r\n      res.setHeader('Expires', '0');\r\n    }\r\n\r\n    // Remove fingerprinting headers\r\n    res.removeHeader('X-Powered-By');\r\n\r\n    next();\r\n  };\r\n}\r\n\r\n/**\r\n * Alias for createHeaders\r\n * @see createHeaders\r\n */\r\nexport const securityHeaders = createHeaders;\r\n","/**\r\n * @module @arcis/node/middleware/rate-limit\r\n * Rate limiting middleware\r\n */\r\n\r\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\r\nimport { RATE_LIMIT } from '../core/constants';\r\nimport type { RateLimitOptions, RateLimiterMiddleware, RateLimitEntry } from '../core/types';\r\n\r\n/** In-memory rate limit store */\r\ninterface InMemoryRateLimitStore {\r\n  [key: string]: RateLimitEntry;\r\n}\r\n\r\n/**\r\n * Create Express middleware for rate limiting.\r\n * \r\n * @param options - Rate limit configuration\r\n * @returns Express middleware with cleanup method\r\n * \r\n * @example\r\n * app.use(createRateLimiter({ max: 100, windowMs: 60000 }));\r\n * \r\n * @example\r\n * // Skip rate limiting for certain routes\r\n * app.use(createRateLimiter({\r\n *   max: 50,\r\n *   skip: (req) => req.path === '/health'\r\n * }));\r\n * \r\n * @example\r\n * // Cleanup on shutdown\r\n * const limiter = createRateLimiter();\r\n * app.use(limiter);\r\n * process.on('SIGTERM', () => limiter.close());\r\n */\r\nexport function createRateLimiter(options: RateLimitOptions = {}): RateLimiterMiddleware {\r\n  const {\r\n    max = RATE_LIMIT.DEFAULT_MAX_REQUESTS,\r\n    windowMs = RATE_LIMIT.DEFAULT_WINDOW_MS,\r\n    message = RATE_LIMIT.DEFAULT_MESSAGE,\r\n    statusCode = RATE_LIMIT.DEFAULT_STATUS_CODE,\r\n    keyGenerator = (req) => {\r\n      const ip = req.ip ?? req.socket?.remoteAddress;\r\n      if (!ip) {\r\n        console.warn(\r\n          '[arcis] Rate limiter: cannot resolve client IP. All unresolvable clients share ' +\r\n          'one counter. Set Express trust proxy if behind a reverse proxy.'\r\n        );\r\n        return 'unknown';\r\n      }\r\n      return ip;\r\n    },\r\n    skip,\r\n    store: externalStore,\r\n  } = options;\r\n\r\n  // Object.create(null) avoids prototype pollution if keyGenerator ever\r\n  // returns '__proto__', 'constructor', or 'prototype'.\r\n  const inMemoryStore = Object.create(null) as InMemoryRateLimitStore;\r\n\r\n  // Cleanup interval for in-memory store (only create if not using external store)\r\n  let cleanupInterval: ReturnType<typeof setInterval> | null = null;\r\n  \r\n  if (!externalStore) {\r\n    cleanupInterval = setInterval(() => {\r\n      const now = Date.now();\r\n      for (const key of Object.keys(inMemoryStore)) {\r\n        if (inMemoryStore[key].resetTime < now) {\r\n          delete inMemoryStore[key];\r\n        }\r\n      }\r\n    }, windowMs);\r\n\r\n    // Prevent interval from keeping the process alive (Node.js only)\r\n    if (typeof cleanupInterval.unref === 'function') {\r\n      cleanupInterval.unref();\r\n    }\r\n  }\r\n\r\n  const handler: RequestHandler = async (req: Request, res: Response, next: NextFunction) => {\r\n    try {\r\n      if (skip?.(req)) {\r\n        return next();\r\n      }\r\n\r\n      const key = keyGenerator(req);\r\n      const now = Date.now();\r\n\r\n      let count: number;\r\n      let resetTime: number;\r\n\r\n      if (externalStore) {\r\n        // Use external store (e.g., Redis)\r\n        const entry = await externalStore.get(key);\r\n        if (!entry || entry.resetTime < now) {\r\n          await externalStore.set(key, { count: 1, resetTime: now + windowMs });\r\n          count = 1;\r\n          resetTime = now + windowMs;\r\n        } else {\r\n          count = await externalStore.increment(key);\r\n          resetTime = entry.resetTime;\r\n        }\r\n      } else {\r\n        // Use in-memory store\r\n        if (!inMemoryStore[key] || inMemoryStore[key].resetTime < now) {\r\n          inMemoryStore[key] = { count: 1, resetTime: now + windowMs };\r\n        } else {\r\n          inMemoryStore[key].count++;\r\n        }\r\n        count = inMemoryStore[key].count;\r\n        resetTime = inMemoryStore[key].resetTime;\r\n      }\r\n\r\n      const remaining = Math.max(0, max - count);\r\n      const resetSeconds = Math.ceil((resetTime - now) / 1000);\r\n\r\n      // Set rate limit headers\r\n      res.setHeader('X-RateLimit-Limit', max.toString());\r\n      res.setHeader('X-RateLimit-Remaining', remaining.toString());\r\n      res.setHeader('X-RateLimit-Reset', resetSeconds.toString());\r\n\r\n      if (count > max) {\r\n        res.setHeader('Retry-After', resetSeconds.toString());\r\n        res.status(statusCode).json({\r\n          error: message,\r\n          retryAfter: resetSeconds,\r\n        });\r\n        return;\r\n      }\r\n\r\n      next();\r\n    } catch (error) {\r\n      // Log error but fail open (allow request through) to prevent DoS\r\n      console.error('[arcis] Rate limiter error:', error);\r\n      next();\r\n    }\r\n  };\r\n\r\n  // Attach close method for cleanup\r\n  const middleware = handler as RateLimiterMiddleware;\r\n  middleware.close = () => {\r\n    if (cleanupInterval) {\r\n      clearInterval(cleanupInterval);\r\n      cleanupInterval = null;\r\n    }\r\n  };\r\n\r\n  return middleware;\r\n}\r\n\r\n/**\r\n * Alias for createRateLimiter\r\n * @see createRateLimiter\r\n */\r\nexport const rateLimit = createRateLimiter;\r\n","/**\r\n * @module @arcis/node/middleware/error-handler\r\n * Production-safe error handler middleware\r\n */\r\n\r\nimport type { Request, Response, NextFunction } from 'express';\r\nimport { ERRORS } from '../core/constants';\r\nimport type { ErrorHandlerOptions, HttpError } from '../core/types';\r\n\r\n/**\r\n * Patterns that indicate database or infrastructure internals in error messages.\r\n * When detected, the message is replaced with a generic error to prevent info leakage.\r\n */\r\nconst SENSITIVE_ERROR_PATTERNS: RegExp[] = [\r\n  // SQL database errors\r\n  /\\b(SQLITE_ERROR|SQLSTATE|ORA-\\d|PG::|mysql_|pg_query|ECONNREFUSED)/i,\r\n  /\\b(syntax error at or near|relation \".*\" does not exist)/i,\r\n  /\\b(column \".*\" (does not exist|of relation))/i,\r\n  /\\b(duplicate key value violates unique constraint)/i,\r\n  /\\b(table .* doesn't exist|unknown column)/i,\r\n  // MongoDB errors\r\n  /\\b(MongoError|MongoServerError|MongoNetworkError|E11000 duplicate key)/i,\r\n  // Redis errors\r\n  /\\b(WRONGTYPE|CROSSSLOT|CLUSTERDOWN|READONLY|ReplyError)/i,\r\n  // Connection strings and DSNs\r\n  /\\b(mongodb(\\+srv)?:\\/\\/|postgres(ql)?:\\/\\/|mysql:\\/\\/|redis:\\/\\/)/i,\r\n  // Stack traces with file paths\r\n  /\\bat\\s+.*\\.(js|ts|py|go|java):\\d+/i,\r\n  // Internal IP addresses\r\n  /\\b(127\\.0\\.0\\.\\d+|10\\.\\d+\\.\\d+\\.\\d+|192\\.168\\.\\d+\\.\\d+|172\\.(1[6-9]|2\\d|3[01])\\.\\d+\\.\\d+)\\b/,\r\n];\r\n\r\n/**\r\n * Check if an error message contains sensitive infrastructure details.\r\n */\r\nexport function containsSensitiveInfo(message: string): boolean {\r\n  return SENSITIVE_ERROR_PATTERNS.some(pattern => pattern.test(message));\r\n}\r\n\r\n/**\r\n * Create Express error handler that hides sensitive details in production.\r\n *\r\n * Prevents information leakage by:\r\n * - Hiding stack traces in production\r\n * - Hiding error messages unless explicitly exposed\r\n * - Scrubbing database errors, connection strings, and internal IPs\r\n *\r\n * @param options - Error handler configuration (or boolean for isDev)\r\n * @returns Express error handling middleware\r\n *\r\n * @example\r\n * // Production mode (default) - hides error details\r\n * app.use(errorHandler());\r\n *\r\n * @example\r\n * // Development mode - shows error details and stack traces\r\n * app.use(errorHandler({ isDev: true }));\r\n *\r\n * @example\r\n * // With custom logger\r\n * app.use(errorHandler({\r\n *   isDev: false,\r\n *   logger: arcis.logger()\r\n * }));\r\n */\r\nexport function errorHandler(\r\n  options: ErrorHandlerOptions | boolean = false\r\n): (err: Error, req: Request, res: Response, next: NextFunction) => void {\r\n  const isDev = typeof options === 'boolean' ? options : options.isDev ?? false;\r\n  const logErrors = typeof options === 'object' ? options.logErrors ?? true : true;\r\n  const logger = typeof options === 'object' ? options.logger : undefined;\r\n  const customHandler = typeof options === 'object' ? options.customHandler : undefined;\r\n\r\n  return (err: HttpError, req: Request, res: Response, _next: NextFunction) => {\r\n    const statusCode = err.statusCode || err.status || 500;\r\n\r\n    // Custom handler takes precedence\r\n    if (customHandler) {\r\n      return customHandler(err, req, res);\r\n    }\r\n\r\n    // Always log full error details server-side\r\n    if (logErrors) {\r\n      const logData = {\r\n        error: err.message,\r\n        stack: err.stack,\r\n        statusCode,\r\n        path: req.path,\r\n        method: req.method,\r\n      };\r\n\r\n      if (logger) {\r\n        logger.error('Request error', logData);\r\n      } else {\r\n        console.error('[arcis] Request error:', logData);\r\n      }\r\n    }\r\n\r\n    // Build response\r\n    // Only expose err.message when err.expose === true (caller opted in) or in dev mode.\r\n    // This prevents internal details leaking through arbitrary 4xx errors that happen\r\n    // to contain sensitive info (e.g. \"DB query failed for user admin@corp.com\").\r\n    const exposeMessage = isDev || err.expose === true;\r\n\r\n    let clientMessage: string;\r\n    if (!exposeMessage) {\r\n      clientMessage = ERRORS.INTERNAL_SERVER_ERROR;\r\n    } else if (containsSensitiveInfo(err.message)) {\r\n      // Even when expose is true, scrub DB errors and infra details\r\n      clientMessage = isDev ? err.message : ERRORS.INTERNAL_SERVER_ERROR;\r\n    } else {\r\n      clientMessage = err.message;\r\n    }\r\n\r\n    const response: Record<string, unknown> = {\r\n      error: clientMessage,\r\n    };\r\n\r\n    // Only show details in development\r\n    if (isDev) {\r\n      response.stack = err.stack;\r\n      response.details = err.message;\r\n    }\r\n\r\n    res.status(statusCode).json(response);\r\n  };\r\n}\r\n\r\n/**\r\n * Alias for errorHandler\r\n * @see errorHandler\r\n */\r\nexport const createErrorHandler = errorHandler;\r\n","/**\r\n * @module @arcis/node/core/errors\r\n * Custom error classes for Arcis\r\n */\r\n\r\n/**\r\n * Base class for all Arcis errors\r\n */\r\nexport class ArcisError extends Error {\r\n  public readonly statusCode: number;\r\n  public readonly code: string;\r\n  /** Whether the error message is safe to expose to API clients. */\r\n  public readonly expose: boolean;\r\n\r\n  constructor(message: string, statusCode = 500, code = 'ARCIS_ERROR') {\r\n    super(message);\r\n    this.name = 'ArcisError';\r\n    this.statusCode = statusCode;\r\n    this.code = code;\r\n    // Client errors (4xx) have controlled messages — safe to expose.\r\n    // Server errors (5xx) may contain internal details — hide by default.\r\n    this.expose = statusCode < 500;\r\n\r\n    // Maintains proper stack trace for where error was thrown (V8 engines)\r\n    if (Error.captureStackTrace) {\r\n      Error.captureStackTrace(this, this.constructor);\r\n    }\r\n  }\r\n}\r\n\r\n/**\r\n * Error thrown when input validation fails\r\n */\r\nexport class ValidationError extends ArcisError {\r\n  public readonly errors: string[];\r\n\r\n  constructor(errors: string[]) {\r\n    super('Validation failed', 400, 'VALIDATION_ERROR');\r\n    this.name = 'ValidationError';\r\n    this.errors = errors;\r\n  }\r\n}\r\n\r\n/** Alias for ValidationError (backwards compatibility) */\r\nexport { ValidationError as ArcisValidationError };\r\n\r\n/**\r\n * Error thrown when rate limit is exceeded\r\n */\r\nexport class RateLimitError extends ArcisError {\r\n  public readonly retryAfter: number;\r\n\r\n  constructor(message: string, retryAfter: number) {\r\n    super(message, 429, 'RATE_LIMIT_EXCEEDED');\r\n    this.name = 'RateLimitError';\r\n    this.retryAfter = retryAfter;\r\n  }\r\n}\r\n\r\n/**\r\n * Error thrown when input is too large\r\n */\r\nexport class InputTooLargeError extends ArcisError {\r\n  public readonly maxSize: number;\r\n  public readonly actualSize: number;\r\n\r\n  constructor(maxSize: number, actualSize: number) {\r\n    super(`Input exceeds maximum size of ${maxSize} bytes`, 413, 'INPUT_TOO_LARGE');\r\n    this.name = 'InputTooLargeError';\r\n    this.maxSize = maxSize;\r\n    this.actualSize = actualSize;\r\n  }\r\n}\r\n\r\n/**\r\n * Error thrown when security threat is detected\r\n */\r\nexport class SecurityThreatError extends ArcisError {\r\n  public readonly threatType: string;\r\n  public readonly pattern: string;\r\n\r\n  constructor(threatType: string, pattern: string) {\r\n    super('Request blocked for security reasons', 400, 'SECURITY_THREAT');\r\n    this.name = 'SecurityThreatError';\r\n    this.threatType = threatType;\r\n    this.pattern = pattern;\r\n  }\r\n}\r\n\r\n/**\r\n * Error thrown when sanitization fails\r\n */\r\nexport class SanitizationError extends ArcisError {\r\n  constructor(message: string) {\r\n    super(message, 400, 'SANITIZATION_ERROR');\r\n    this.name = 'SanitizationError';\r\n  }\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/utils\r\n * Shared utilities for sanitizers\r\n */\r\n\r\n/**\r\n * Encodes HTML entities to prevent interpretation as markup.\r\n * \r\n * @param str - The string to encode\r\n * @returns The encoded string\r\n */\r\nexport function encodeHtmlEntities(str: string): string {\r\n  return str\r\n    .replace(/&/g, '&amp;')\r\n    .replace(/</g, '&lt;')\r\n    .replace(/>/g, '&gt;')\r\n    .replace(/\"/g, '&quot;')\r\n    .replace(/'/g, '&#x27;');\r\n}\r\n\r\n/**\r\n * Checks if a value is a plain object (not null, array, Date, etc.)\r\n * \r\n * @param value - Value to check\r\n * @returns True if plain object\r\n */\r\nexport function isPlainObject(value: unknown): value is Record<string, unknown> {\r\n  if (typeof value !== 'object' || value === null || Array.isArray(value)) {\r\n    return false;\r\n  }\r\n  // Check the actual prototype chain rather than toString, which can be spoofed\r\n  // via Symbol.toStringTag. Accepts both Object.prototype (plain {}) and null\r\n  // prototype objects (Object.create(null)).\r\n  const proto = Object.getPrototypeOf(value as object);\r\n  return proto === Object.prototype || proto === null;\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/xss\r\n * XSS (Cross-Site Scripting) prevention\r\n */\r\n\r\nimport { XSS_PATTERNS, XSS_REMOVE_PATTERNS } from '../core/constants';\r\nimport { encodeHtmlEntities } from './utils';\r\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\r\n\r\n/**\r\n * Sanitizes a string to prevent XSS attacks.\r\n * \r\n * Strategy:\r\n * 1. Remove dangerous patterns (script tags, event handlers, etc.)\r\n * 2. HTML-encode the remaining content\r\n * \r\n * @param input - The string to sanitize\r\n * @param collectThreats - Whether to collect threat information (default: false for performance)\r\n * @returns Sanitized string or SanitizeResult if collectThreats is true\r\n * \r\n * @example\r\n * sanitizeXss(\"<script>alert('xss')</script>\")\r\n * // Returns: \"&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;\"\r\n * \r\n * @example\r\n * sanitizeXss(\"<img onerror='alert(1)'>\")\r\n * // Returns: \"&lt;img&gt;\" (event handler removed)\r\n */\r\nexport function sanitizeXss(input: string, collectThreats?: false, htmlEncode?: boolean): string;\r\nexport function sanitizeXss(input: string, collectThreats: true, htmlEncode?: boolean): SanitizeResult;\r\nexport function sanitizeXss(input: string, collectThreats = false, htmlEncode = false): string | SanitizeResult {\r\n  if (typeof input !== 'string') {\r\n    return collectThreats \r\n      ? { value: String(input), wasSanitized: false, threats: [] }\r\n      : String(input);\r\n  }\r\n\r\n  const threats: ThreatInfo[] = [];\r\n  let value = input;\r\n  let wasSanitized = false;\r\n\r\n  // Remove dangerous patterns FIRST — XSS_REMOVE_PATTERNS is the single\r\n  // source of truth (defined in constants.ts alongside XSS_PATTERNS).\r\n  for (const pattern of XSS_REMOVE_PATTERNS) {\r\n    pattern.lastIndex = 0;\r\n    if (pattern.test(value)) {\r\n      pattern.lastIndex = 0;\r\n      \r\n      if (collectThreats) {\r\n        const matches = value.match(pattern);\r\n        if (matches) {\r\n          for (const match of matches) {\r\n            threats.push({\r\n              type: 'xss',\r\n              pattern: pattern.source,\r\n              original: match,\r\n            });\r\n          }\r\n        }\r\n      }\r\n      \r\n      value = value.replace(pattern, '');\r\n      wasSanitized = true;\r\n    }\r\n  }\r\n\r\n  // HTML-encode only when explicitly requested (SSR/template context).\r\n  // Do NOT encode by default — this is a REST API middleware; encoding\r\n  // here corrupts JSON data with HTML entities (&lt;, &amp;, etc.) that\r\n  // consumers would receive verbatim.\r\n  if (htmlEncode) {\r\n    const encoded = encodeHtmlEntities(value);\r\n    if (encoded !== value) {\r\n      wasSanitized = true;\r\n    }\r\n    value = encoded;\r\n  }\r\n\r\n  if (collectThreats) {\r\n    return { value, wasSanitized, threats };\r\n  }\r\n  \r\n  return value;\r\n}\r\n\r\n/**\r\n * Checks if a string contains potential XSS patterns.\r\n * Does not sanitize — use sanitizeXss() for that.\r\n * \r\n * @param input - The string to check\r\n * @returns True if XSS patterns detected\r\n */\r\nexport function detectXss(input: string): boolean {\r\n  if (typeof input !== 'string') return false;\r\n  \r\n  // Check for event handlers\r\n  if (/\\s+on\\w+\\s*=/i.test(input)) return true;\r\n  \r\n  // Check for dangerous protocols\r\n  if (/javascript\\s*:/i.test(input)) return true;\r\n  if (/vbscript\\s*:/i.test(input)) return true;\r\n  if (/data\\s*:\\s*text\\/html/i.test(input)) return true;\r\n  \r\n  // Check for patterns from constants\r\n  for (const pattern of XSS_PATTERNS) {\r\n    pattern.lastIndex = 0;\r\n    if (pattern.test(input)) {\r\n      return true;\r\n    }\r\n  }\r\n  \r\n  return false;\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/sql\r\n * SQL injection prevention\r\n */\r\n\r\nimport { SQL_PATTERNS } from '../core/constants';\r\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\r\n\r\n/**\r\n * Sanitizes a string to prevent SQL injection attacks.\r\n * Replaces dangerous SQL patterns with [BLOCKED].\r\n * \r\n * @param input - The string to sanitize\r\n * @param collectThreats - Whether to collect threat information (default: false for performance)\r\n * @returns Sanitized string or SanitizeResult if collectThreats is true\r\n * \r\n * @example\r\n * sanitizeSql(\"'; DROP TABLE users; --\")\r\n * // Returns: \"';  TABLE users  \"\r\n */\r\nexport function sanitizeSql(input: string, collectThreats?: false): string;\r\nexport function sanitizeSql(input: string, collectThreats: true): SanitizeResult;\r\nexport function sanitizeSql(input: string, collectThreats = false): string | SanitizeResult {\r\n  if (typeof input !== 'string') {\r\n    return collectThreats \r\n      ? { value: String(input), wasSanitized: false, threats: [] }\r\n      : String(input);\r\n  }\r\n\r\n  const threats: ThreatInfo[] = [];\r\n  let value = input;\r\n  let wasSanitized = false;\r\n\r\n  for (const pattern of SQL_PATTERNS) {\r\n    // Reset regex lastIndex for global patterns\r\n    pattern.lastIndex = 0;\r\n    \r\n    if (pattern.test(value)) {\r\n      pattern.lastIndex = 0; // Reset again for replace\r\n      \r\n      if (collectThreats) {\r\n        const matches = value.match(pattern);\r\n        if (matches) {\r\n          for (const match of matches) {\r\n            threats.push({\r\n              type: 'sql_injection',\r\n              pattern: pattern.source,\r\n              original: match,\r\n            });\r\n          }\r\n        }\r\n      }\r\n      \r\n      // Replace the matched content with a space to avoid concatenating surrounding\r\n      // tokens into new dangerous strings (e.g. \"SELECTname\" after stripping \"SELECT\").\r\n      value = value.replace(pattern, ' ');\r\n      wasSanitized = true;\r\n    }\r\n  }\r\n\r\n  if (collectThreats) {\r\n    return { value, wasSanitized, threats };\r\n  }\r\n  \r\n  return value;\r\n}\r\n\r\n/**\r\n * Checks if a string contains potential SQL injection patterns.\r\n * Does not sanitize — use sanitizeSql() for that.\r\n * \r\n * @param input - The string to check\r\n * @returns True if SQL injection patterns detected\r\n */\r\nexport function detectSql(input: string): boolean {\r\n  if (typeof input !== 'string') return false;\r\n  \r\n  for (const pattern of SQL_PATTERNS) {\r\n    pattern.lastIndex = 0;\r\n    if (pattern.test(input)) {\r\n      return true;\r\n    }\r\n  }\r\n  \r\n  return false;\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/path\r\n * Path traversal prevention\r\n */\r\n\r\nimport { PATH_PATTERNS } from '../core/constants';\r\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\r\n\r\n/**\r\n * Sanitizes a string to prevent path traversal attacks.\r\n * Removes ../ and ..\\ patterns (including URL-encoded variants).\r\n * \r\n * @param input - The string to sanitize\r\n * @param collectThreats - Whether to collect threat information (default: false for performance)\r\n * @returns Sanitized string or SanitizeResult if collectThreats is true\r\n * \r\n * @example\r\n * sanitizePath(\"../../etc/passwd\")\r\n * // Returns: \"etc/passwd\"\r\n */\r\nexport function sanitizePath(input: string, collectThreats?: false): string;\r\nexport function sanitizePath(input: string, collectThreats: true): SanitizeResult;\r\nexport function sanitizePath(input: string, collectThreats = false): string | SanitizeResult {\r\n  if (typeof input !== 'string') {\r\n    return collectThreats \r\n      ? { value: String(input), wasSanitized: false, threats: [] }\r\n      : String(input);\r\n  }\r\n\r\n  const threats: ThreatInfo[] = [];\r\n  let value = input;\r\n  let wasSanitized = false;\r\n\r\n  for (const pattern of PATH_PATTERNS) {\r\n    // Reset regex lastIndex for global patterns\r\n    pattern.lastIndex = 0;\r\n    \r\n    if (pattern.test(value)) {\r\n      pattern.lastIndex = 0; // Reset again for replace\r\n      \r\n      if (collectThreats) {\r\n        const matches = value.match(pattern);\r\n        if (matches) {\r\n          for (const match of matches) {\r\n            threats.push({\r\n              type: 'path_traversal',\r\n              pattern: pattern.source,\r\n              original: match,\r\n            });\r\n          }\r\n        }\r\n      }\r\n      \r\n      value = value.replace(pattern, '');\r\n      wasSanitized = true;\r\n    }\r\n  }\r\n\r\n  if (collectThreats) {\r\n    return { value, wasSanitized, threats };\r\n  }\r\n  \r\n  return value;\r\n}\r\n\r\n/**\r\n * Checks if a string contains path traversal patterns.\r\n * Does not sanitize — use sanitizePath() for that.\r\n * \r\n * @param input - The string to check\r\n * @returns True if path traversal patterns detected\r\n */\r\nexport function detectPathTraversal(input: string): boolean {\r\n  if (typeof input !== 'string') return false;\r\n  \r\n  for (const pattern of PATH_PATTERNS) {\r\n    pattern.lastIndex = 0;\r\n    if (pattern.test(input)) {\r\n      return true;\r\n    }\r\n  }\r\n  \r\n  return false;\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/command\r\n * Command injection prevention\r\n */\r\n\r\nimport { COMMAND_PATTERNS } from '../core/constants';\r\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\r\n\r\n/**\r\n * Sanitizes a string to prevent command injection attacks.\r\n * Replaces shell metacharacters and dangerous commands with [BLOCKED].\r\n * \r\n * @param input - The string to sanitize\r\n * @param collectThreats - Whether to collect threat information (default: false for performance)\r\n * @returns Sanitized string or SanitizeResult if collectThreats is true\r\n * \r\n * @example\r\n * sanitizeCommand(\"file.txt; rm -rf /\")\r\n * // Returns: \"file.txt  rm -rf /\"\r\n */\r\nexport function sanitizeCommand(input: string, collectThreats?: false): string;\r\nexport function sanitizeCommand(input: string, collectThreats: true): SanitizeResult;\r\nexport function sanitizeCommand(input: string, collectThreats = false): string | SanitizeResult {\r\n  if (typeof input !== 'string') {\r\n    return collectThreats \r\n      ? { value: String(input), wasSanitized: false, threats: [] }\r\n      : String(input);\r\n  }\r\n\r\n  const threats: ThreatInfo[] = [];\r\n  let value = input;\r\n  let wasSanitized = false;\r\n\r\n  for (const pattern of COMMAND_PATTERNS) {\r\n    // Reset regex lastIndex for global patterns\r\n    pattern.lastIndex = 0;\r\n    \r\n    if (pattern.test(value)) {\r\n      pattern.lastIndex = 0; // Reset again for replace\r\n      \r\n      if (collectThreats) {\r\n        const matches = value.match(pattern);\r\n        if (matches) {\r\n          for (const match of matches) {\r\n            threats.push({\r\n              type: 'command_injection',\r\n              pattern: pattern.source,\r\n              original: match,\r\n            });\r\n          }\r\n        }\r\n      }\r\n      \r\n      value = value.replace(pattern, ' ');\r\n      wasSanitized = true;\r\n    }\r\n  }\r\n\r\n  if (collectThreats) {\r\n    return { value, wasSanitized, threats };\r\n  }\r\n  \r\n  return value;\r\n}\r\n\r\n/**\r\n * Checks if a string contains command injection patterns.\r\n * Does not sanitize — use sanitizeCommand() for that.\r\n * \r\n * @param input - The string to check\r\n * @returns True if command injection patterns detected\r\n */\r\nexport function detectCommandInjection(input: string): boolean {\r\n  if (typeof input !== 'string') return false;\r\n  \r\n  for (const pattern of COMMAND_PATTERNS) {\r\n    pattern.lastIndex = 0;\r\n    if (pattern.test(input)) {\r\n      return true;\r\n    }\r\n  }\r\n  \r\n  return false;\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/sanitize\r\n * Main sanitization functions that combine all sanitizers\r\n */\r\n\r\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\r\nimport { INPUT, DANGEROUS_PROTO_KEYS, NOSQL_DANGEROUS_KEYS } from '../core/constants';\r\nimport { InputTooLargeError, SecurityThreatError } from '../core/errors';\r\nimport type { SanitizeOptions } from '../core/types';\r\nimport { sanitizeXss } from './xss';\r\nimport { sanitizeSql, detectSql } from './sql';\r\nimport { sanitizePath } from './path';\r\nimport { sanitizeCommand, detectCommandInjection } from './command';\r\n\r\n/**\r\n * Sanitize a string value against multiple attack vectors.\r\n * \r\n * Order matters: We do XSS encoding LAST because:\r\n * 1. Other sanitizers need to see the original patterns (e.g., SQL keywords)\r\n * 2. HTML encoding is the final safe output transformation\r\n * 3. Encoded entities like &lt; shouldn't be treated as SQL/command threats\r\n * \r\n * @param value - The string to sanitize\r\n * @param options - Sanitization options\r\n * @returns The sanitized string\r\n * \r\n * @example\r\n * sanitizeString(\"<script>alert('xss')</script>\")\r\n * // Returns: \"&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;\"\r\n * \r\n * @example\r\n * sanitizeString(\"../../etc/passwd\")\r\n * // Returns: \"etc/passwd\"\r\n */\r\nexport function sanitizeString(value: string, options: SanitizeOptions = {}): string {\r\n  if (typeof value !== 'string') return value;\r\n\r\n  // Input size limit to prevent DoS\r\n  const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;\r\n  if (value.length > maxSize) {\r\n    throw new InputTooLargeError(maxSize, value.length);\r\n  }\r\n\r\n  const reject = options.mode !== 'sanitize'; // default: 'reject'\r\n  let result = value;\r\n\r\n  // 1. SQL injection\r\n  if (options.sql !== false) {\r\n    if (reject) {\r\n      if (detectSql(result)) {\r\n        throw new SecurityThreatError('sql_injection', 'SQL pattern detected in input');\r\n      }\r\n    } else {\r\n      result = sanitizeSql(result);\r\n    }\r\n  }\r\n\r\n  // 2. Path traversal prevention\r\n  if (options.path !== false) {\r\n    result = sanitizePath(result);\r\n  }\r\n\r\n  // 3. Command injection\r\n  if (options.command !== false) {\r\n    if (reject) {\r\n      if (detectCommandInjection(result)) {\r\n        throw new SecurityThreatError('command_injection', 'Shell metacharacter detected in input');\r\n      }\r\n    } else {\r\n      result = sanitizeCommand(result);\r\n    }\r\n  }\r\n\r\n  // 4. XSS stripping — always runs to remove dangerous patterns.\r\n  // HTML encoding is opt-in via options.htmlEncode (for SSR contexts only).\r\n  if (options.xss !== false) {\r\n    result = sanitizeXss(result, false, options.htmlEncode ?? false);\r\n  }\r\n\r\n  return result;\r\n}\r\n\r\n/**\r\n * Sanitize an object recursively, including nested objects and arrays.\r\n * Also removes prototype pollution and NoSQL injection keys.\r\n * \r\n * @param obj - The object to sanitize\r\n * @param options - Sanitization options\r\n * @returns The sanitized object\r\n */\r\nexport function sanitizeObject(obj: unknown, options: SanitizeOptions = {}): unknown {\r\n  if (obj === null || obj === undefined) return obj;\r\n  if (typeof obj === 'string') return sanitizeString(obj, options);\r\n  if (typeof obj !== 'object') return obj;\r\n  if (Array.isArray(obj)) return obj.map(item => sanitizeObject(item, options));\r\n\r\n  return sanitizeObjectDepth(obj as Record<string, unknown>, options, 0);\r\n}\r\n\r\n/**\r\n * Internal recursive sanitization with depth tracking.\r\n */\r\nfunction sanitizeObjectDepth(\r\n  obj: Record<string, unknown>,\r\n  options: SanitizeOptions,\r\n  depth: number\r\n): Record<string, unknown> {\r\n  if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;\r\n\r\n  const result: Record<string, unknown> = {};\r\n\r\n  for (const key of Object.keys(obj)) {\r\n    // Prototype pollution protection - always block dangerous keys (case-insensitive)\r\n    if (options.proto !== false && DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {\r\n      continue;\r\n    }\r\n\r\n    // NoSQL injection - skip dangerous MongoDB operators in keys\r\n    if (options.nosql !== false && NOSQL_DANGEROUS_KEYS.has(key)) {\r\n      continue;\r\n    }\r\n\r\n    // Sanitize the key against all active threat vectors (not just XSS).\r\n    // Keys can carry injection payloads that bubble into query builders or ORMs.\r\n    const sanitizedKey = sanitizeString(key, options);\r\n\r\n    // Recursively sanitize value\r\n    const value = obj[key];\r\n    if (value === null || value === undefined) {\r\n      result[sanitizedKey] = value;\r\n    } else if (typeof value === 'string') {\r\n      result[sanitizedKey] = sanitizeString(value, options);\r\n    } else if (Array.isArray(value)) {\r\n      result[sanitizedKey] = value.map(item => sanitizeObject(item, options));\r\n    } else if (typeof value === 'object') {\r\n      result[sanitizedKey] = sanitizeObjectDepth(value as Record<string, unknown>, options, depth + 1);\r\n    } else {\r\n      result[sanitizedKey] = value;\r\n    }\r\n  }\r\n\r\n  return result;\r\n}\r\n\r\n/**\r\n * Create Express middleware for request sanitization.\r\n * Sanitizes req.body, req.query, and req.params.\r\n * \r\n * @param options - Sanitization options\r\n * @returns Express middleware\r\n * \r\n * @example\r\n * app.use(createSanitizer());\r\n * \r\n * @example\r\n * app.use(createSanitizer({ xss: true, sql: true, nosql: true }));\r\n */\r\nexport function createSanitizer(options: SanitizeOptions = {}): RequestHandler {\r\n  return (req: Request, _res: Response, next: NextFunction) => {\r\n    try {\r\n      if (req.body && typeof req.body === 'object') {\r\n        req.body = sanitizeObject(req.body, options);\r\n      }\r\n      if (req.query && typeof req.query === 'object') {\r\n        const sanitizedQuery = sanitizeObject(req.query, options);\r\n        // Express 5: req.query is a getter with no setter — override on instance\r\n        Object.defineProperty(req, 'query', { value: sanitizedQuery, writable: true, configurable: true });\r\n      }\r\n      if (req.params && typeof req.params === 'object') {\r\n        const sanitizedParams = sanitizeObject(req.params, options);\r\n        Object.defineProperty(req, 'params', { value: sanitizedParams, writable: true, configurable: true });\r\n      }\r\n      next();\r\n    } catch (err) {\r\n      next(err);\r\n    }\r\n  };\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/nosql\r\n * NoSQL injection prevention (MongoDB operators)\r\n */\r\n\r\nimport { NOSQL_DANGEROUS_KEYS } from '../core/constants';\r\n\r\n/**\r\n * Checks if a key is a dangerous MongoDB operator.\r\n * \r\n * @param key - The key to check\r\n * @returns True if the key is a MongoDB operator\r\n * \r\n * @example\r\n * isDangerousNoSqlKey('$gt') // true\r\n * isDangerousNoSqlKey('name') // false\r\n */\r\nexport function isDangerousNoSqlKey(key: string): boolean {\r\n  return NOSQL_DANGEROUS_KEYS.has(key);\r\n}\r\n\r\n/**\r\n * Recursively checks if an object contains dangerous MongoDB operators.\r\n * \r\n * @param obj - The object to check\r\n * @param maxDepth - Maximum recursion depth (default: 10)\r\n * @returns True if dangerous operators found\r\n */\r\nexport function detectNoSqlInjection(obj: unknown, maxDepth = 10): boolean {\r\n  if (maxDepth <= 0) return false;\r\n  if (obj === null || typeof obj !== 'object') return false;\r\n  \r\n  if (Array.isArray(obj)) {\r\n    return obj.some(item => detectNoSqlInjection(item, maxDepth - 1));\r\n  }\r\n  \r\n  for (const key of Object.keys(obj as Record<string, unknown>)) {\r\n    if (isDangerousNoSqlKey(key)) {\r\n      return true;\r\n    }\r\n    \r\n    const value = (obj as Record<string, unknown>)[key];\r\n    if (typeof value === 'object' && value !== null) {\r\n      if (detectNoSqlInjection(value, maxDepth - 1)) {\r\n        return true;\r\n      }\r\n    }\r\n  }\r\n  \r\n  return false;\r\n}\r\n\r\n/**\r\n * Get list of all MongoDB operators considered dangerous.\r\n * Useful for documentation or custom validation.\r\n * \r\n * @returns Array of dangerous operator strings\r\n */\r\nexport function getDangerousOperators(): string[] {\r\n  return Array.from(NOSQL_DANGEROUS_KEYS);\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/prototype\r\n * Prototype pollution prevention\r\n */\r\n\r\nimport { DANGEROUS_PROTO_KEYS } from '../core/constants';\r\n\r\n/**\r\n * Checks if a key is dangerous for prototype pollution.\r\n * Case-insensitive — catches __PROTO__, Constructor, etc.\r\n *\r\n * @param key - The key to check\r\n * @returns True if the key could cause prototype pollution\r\n *\r\n * @example\r\n * isDangerousProtoKey('__proto__')   // true\r\n * isDangerousProtoKey('__PROTO__')   // true\r\n * isDangerousProtoKey('Constructor') // true\r\n * isDangerousProtoKey('name')        // false\r\n */\r\nexport function isDangerousProtoKey(key: string): boolean {\r\n  return DANGEROUS_PROTO_KEYS.has(key.toLowerCase());\r\n}\r\n\r\n/**\r\n * Recursively checks if an object contains prototype pollution keys.\r\n * \r\n * @param obj - The object to check\r\n * @param maxDepth - Maximum recursion depth (default: 10)\r\n * @returns True if dangerous keys found\r\n */\r\nexport function detectPrototypePollution(obj: unknown, maxDepth = 10): boolean {\r\n  if (maxDepth <= 0) return false;\r\n  if (obj === null || typeof obj !== 'object') return false;\r\n  \r\n  if (Array.isArray(obj)) {\r\n    return obj.some(item => detectPrototypePollution(item, maxDepth - 1));\r\n  }\r\n  \r\n  for (const key of Object.keys(obj as Record<string, unknown>)) {\r\n    if (DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {\r\n      return true;\r\n    }\r\n    \r\n    const value = (obj as Record<string, unknown>)[key];\r\n    if (typeof value === 'object' && value !== null) {\r\n      if (detectPrototypePollution(value, maxDepth - 1)) {\r\n        return true;\r\n      }\r\n    }\r\n  }\r\n  \r\n  return false;\r\n}\r\n\r\n/**\r\n * Get list of all keys considered dangerous for prototype pollution.\r\n * Useful for documentation or custom validation.\r\n * \r\n * @returns Array of dangerous key strings\r\n */\r\nexport function getDangerousProtoKeys(): string[] {\r\n  return Array.from(DANGEROUS_PROTO_KEYS);\r\n}\r\n","/**\r\n * @module @arcis/node/sanitizers/headers\r\n * HTTP Header Injection & CRLF Injection prevention\r\n *\r\n * Prevents attackers from injecting newline characters (\\r\\n) into HTTP header\r\n * values, which can lead to response splitting, session fixation, XSS via\r\n * injected headers, and cache poisoning.\r\n */\r\n\r\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\r\n\r\n/**\r\n * Characters and sequences that enable header injection.\r\n * - \\r\\n (CRLF) — HTTP header delimiter, enables response splitting\r\n * - \\r, \\n alone — partial line breaks, some servers normalize to CRLF\r\n * - \\0 (null byte) — can truncate header values in some implementations\r\n */\r\nconst HEADER_INJECTION_PATTERN = /\\r\\n|\\r|\\n|\\0/g;\r\n\r\n/**\r\n * Sanitizes a header value by stripping CRLF sequences, bare CR/LF, and null bytes.\r\n *\r\n * @param input - The header value to sanitize\r\n * @param collectThreats - Whether to collect threat information (default: false)\r\n * @returns Sanitized string or SanitizeResult if collectThreats is true\r\n *\r\n * @example\r\n * sanitizeHeaderValue(\"safe-value\")\r\n * // Returns: \"safe-value\"\r\n *\r\n * sanitizeHeaderValue(\"value\\r\\nX-Injected: evil\")\r\n * // Returns: \"valueX-Injected: evil\"\r\n */\r\nexport function sanitizeHeaderValue(input: string, collectThreats?: false): string;\r\nexport function sanitizeHeaderValue(input: string, collectThreats: true): SanitizeResult;\r\nexport function sanitizeHeaderValue(input: string, collectThreats = false): string | SanitizeResult {\r\n  if (typeof input !== 'string') {\r\n    return collectThreats\r\n      ? { value: String(input), wasSanitized: false, threats: [] }\r\n      : String(input);\r\n  }\r\n\r\n  const threats: ThreatInfo[] = [];\r\n  let wasSanitized = false;\r\n\r\n  if (HEADER_INJECTION_PATTERN.test(input)) {\r\n    HEADER_INJECTION_PATTERN.lastIndex = 0;\r\n    wasSanitized = true;\r\n\r\n    if (collectThreats) {\r\n      const matches = input.match(HEADER_INJECTION_PATTERN);\r\n      if (matches) {\r\n        for (const match of matches) {\r\n          threats.push({\r\n            type: 'header_injection',\r\n            pattern: HEADER_INJECTION_PATTERN.source,\r\n            original: match,\r\n          });\r\n        }\r\n      }\r\n    }\r\n  }\r\n\r\n  HEADER_INJECTION_PATTERN.lastIndex = 0;\r\n  const value = input.replace(HEADER_INJECTION_PATTERN, '');\r\n\r\n  if (collectThreats) {\r\n    return { value, wasSanitized, threats };\r\n  }\r\n\r\n  return value;\r\n}\r\n\r\n/**\r\n * Sanitizes an object of header key-value pairs.\r\n * Strips CRLF/null bytes from both keys and values.\r\n *\r\n * @param headers - Object with header names as keys and header values as values\r\n * @returns New object with sanitized header names and values\r\n *\r\n * @example\r\n * sanitizeHeaders({ \"X-Custom\": \"safe\", \"X-Bad\\r\\n\": \"value\\r\\ninjected\" })\r\n * // Returns: { \"X-Custom\": \"safe\", \"X-Bad\": \"valueinjected\" }\r\n */\r\nexport function sanitizeHeaders(headers: Record<string, string>): Record<string, string> {\r\n  if (!headers || typeof headers !== 'object') {\r\n    return {};\r\n  }\r\n\r\n  const result: Record<string, string> = {};\r\n\r\n  for (const [key, value] of Object.entries(headers)) {\r\n    const sanitizedKey = sanitizeHeaderValue(String(key));\r\n    const sanitizedValue = sanitizeHeaderValue(String(value));\r\n    result[sanitizedKey] = sanitizedValue;\r\n  }\r\n\r\n  return result;\r\n}\r\n\r\n/**\r\n * Checks if a string contains HTTP header injection patterns (CRLF, null bytes).\r\n * Does not sanitize — use sanitizeHeaderValue() for that.\r\n *\r\n * @param input - The string to check\r\n * @returns True if header injection patterns detected\r\n */\r\nexport function detectHeaderInjection(input: string): boolean {\r\n  if (typeof input !== 'string') return false;\r\n\r\n  HEADER_INJECTION_PATTERN.lastIndex = 0;\r\n  return HEADER_INJECTION_PATTERN.test(input);\r\n}\r\n","/**\r\n * @module @arcis/node/validation/schema\r\n * Request validation middleware\r\n */\r\n\r\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\r\nimport { VALIDATION, ERRORS } from '../core/constants';\r\nimport type { ValidationSchema, FieldValidator } from '../core/types';\r\nimport { sanitizeString } from '../sanitizers';\r\n\r\n/**\r\n * Create Express middleware for request validation.\r\n * Prevents mass assignment by only allowing fields defined in the schema.\r\n * \r\n * @param schema - Validation schema defining expected fields\r\n * @param source - Request property to validate ('body', 'query', or 'params')\r\n * @returns Express middleware\r\n * \r\n * @example\r\n * app.post('/users', validate({\r\n *   email: { type: 'email', required: true },\r\n *   name: { type: 'string', min: 2, max: 50 },\r\n *   age: { type: 'number', min: 0, max: 150 },\r\n *   role: { type: 'string', enum: ['user', 'admin'] }\r\n * }), handler);\r\n * \r\n * @example\r\n * // Validate query params\r\n * app.get('/search', validate({\r\n *   q: { type: 'string', required: true, min: 1 },\r\n *   page: { type: 'number', min: 1 }\r\n * }, 'query'), handler);\r\n */\r\nexport function validate(\r\n  schema: ValidationSchema,\r\n  source: 'body' | 'query' | 'params' = 'body'\r\n): RequestHandler {\r\n  return (req: Request, res: Response, next: NextFunction) => {\r\n    const data = req[source] || {};\r\n    const errors: string[] = [];\r\n    const validated: Record<string, unknown> = {};\r\n\r\n    for (const [field, rules] of Object.entries(schema)) {\r\n      const value = data[field];\r\n      const result = validateField(field, value, rules);\r\n      \r\n      if (result.errors.length > 0) {\r\n        errors.push(...result.errors);\r\n      } else if (result.value !== undefined) {\r\n        validated[field] = result.value;\r\n      }\r\n    }\r\n\r\n    if (errors.length > 0) {\r\n      res.status(400).json({ errors });\r\n      return;\r\n    }\r\n\r\n    // Replace with validated data (prevents mass assignment)\r\n    req[source] = validated as typeof req[typeof source];\r\n    next();\r\n  };\r\n}\r\n\r\n/**\r\n * Validate a single field against its rules.\r\n */\r\nfunction validateField(\r\n  field: string,\r\n  value: unknown,\r\n  rules: FieldValidator\r\n): { value?: unknown; errors: string[] } {\r\n  const errors: string[] = [];\r\n\r\n  // Required check\r\n  if (rules.required && (value === undefined || value === null || value === '')) {\r\n    errors.push(ERRORS.VALIDATION.REQUIRED(field));\r\n    return { errors };\r\n  }\r\n\r\n  // Skip optional empty fields\r\n  if (value === undefined || value === null) {\r\n    return { errors: [] };\r\n  }\r\n\r\n  let typedValue: unknown = value;\r\n  let isValid = true;\r\n\r\n  // Type validation and coercion\r\n  switch (rules.type) {\r\n    case 'string':\r\n      if (typeof value !== 'string') {\r\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'string'));\r\n        isValid = false;\r\n        break;\r\n      }\r\n      if (rules.min !== undefined && value.length < rules.min) {\r\n        errors.push(ERRORS.VALIDATION.MIN_LENGTH(field, rules.min));\r\n        isValid = false;\r\n      }\r\n      if (rules.max !== undefined && value.length > rules.max) {\r\n        errors.push(ERRORS.VALIDATION.MAX_LENGTH(field, rules.max));\r\n        isValid = false;\r\n      }\r\n      if (rules.pattern && !rules.pattern.test(value)) {\r\n        errors.push(ERRORS.VALIDATION.INVALID_FORMAT(field));\r\n        isValid = false;\r\n      }\r\n      // Enum check runs before sanitization so the raw value is compared.\r\n      // Sanitizing first could silently modify the value and cause a mismatch\r\n      // with enum entries that contain characters the sanitizer would strip.\r\n      if (isValid && rules.enum && !rules.enum.includes(value)) {\r\n        errors.push(ERRORS.VALIDATION.INVALID_ENUM(field, rules.enum));\r\n        isValid = false;\r\n      }\r\n      if (isValid && rules.sanitize !== false) {\r\n        typedValue = sanitizeString(value);\r\n      }\r\n      break;\r\n\r\n    case 'number':\r\n      typedValue = Number(value);\r\n      if (isNaN(typedValue as number)) {\r\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'number'));\r\n        isValid = false;\r\n        break;\r\n      }\r\n      if (rules.min !== undefined && (typedValue as number) < rules.min) {\r\n        errors.push(ERRORS.VALIDATION.MIN_VALUE(field, rules.min));\r\n        isValid = false;\r\n      }\r\n      if (rules.max !== undefined && (typedValue as number) > rules.max) {\r\n        errors.push(ERRORS.VALIDATION.MAX_VALUE(field, rules.max));\r\n        isValid = false;\r\n      }\r\n      break;\r\n\r\n    case 'boolean':\r\n      if (value === 'true' || value === true || value === 1 || value === '1') {\r\n        typedValue = true;\r\n      } else if (value === 'false' || value === false || value === 0 || value === '0') {\r\n        typedValue = false;\r\n      } else {\r\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'boolean'));\r\n        isValid = false;\r\n      }\r\n      break;\r\n\r\n    case 'email':\r\n      if (!VALIDATION.EMAIL.test(String(value))) {\r\n        errors.push(ERRORS.VALIDATION.INVALID_EMAIL(field));\r\n        isValid = false;\r\n      }\r\n      if (isValid) {\r\n        typedValue = sanitizeString(String(value).toLowerCase().trim());\r\n      }\r\n      break;\r\n\r\n    case 'url':\r\n      if (!VALIDATION.URL.test(String(value))) {\r\n        errors.push(ERRORS.VALIDATION.INVALID_URL(field));\r\n        isValid = false;\r\n      }\r\n      if (isValid) {\r\n        typedValue = sanitizeString(String(value));\r\n      }\r\n      break;\r\n\r\n    case 'uuid':\r\n      if (!VALIDATION.UUID.test(String(value))) {\r\n        errors.push(ERRORS.VALIDATION.INVALID_UUID(field));\r\n        isValid = false;\r\n      }\r\n      break;\r\n\r\n    case 'array':\r\n      if (!Array.isArray(value)) {\r\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'array'));\r\n        isValid = false;\r\n        break;\r\n      }\r\n      if (rules.min !== undefined && value.length < rules.min) {\r\n        errors.push(ERRORS.VALIDATION.MIN_ITEMS(field, rules.min));\r\n        isValid = false;\r\n      }\r\n      if (rules.max !== undefined && value.length > rules.max) {\r\n        errors.push(ERRORS.VALIDATION.MAX_ITEMS(field, rules.max));\r\n        isValid = false;\r\n      }\r\n      break;\r\n\r\n    case 'object':\r\n      if (typeof value !== 'object' || Array.isArray(value) || value === null) {\r\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'object'));\r\n        isValid = false;\r\n      }\r\n      break;\r\n  }\r\n\r\n  // Enum validation for non-string types (strings check enum before sanitizing above).\r\n  if (isValid && rules.enum && rules.type !== 'string' && !rules.enum.includes(typedValue)) {\r\n    errors.push(ERRORS.VALIDATION.INVALID_ENUM(field, rules.enum));\r\n    isValid = false;\r\n  }\r\n\r\n  // Custom validation\r\n  if (isValid && rules.custom) {\r\n    const customResult = rules.custom(typedValue);\r\n    if (customResult === undefined) {\r\n      throw new TypeError(\r\n        `Custom validator for field \"${field}\" returned undefined. ` +\r\n        'Return true to pass, false to fail, or a string error message.'\r\n      );\r\n    }\r\n    if (customResult !== true) {\r\n      errors.push(typeof customResult === 'string' && customResult.length > 0 ? customResult : `${field} is invalid`);\r\n      isValid = false;\r\n    }\r\n  }\r\n\r\n  return {\r\n    value: isValid ? typedValue : undefined,\r\n    errors,\r\n  };\r\n}\r\n\r\n/**\r\n * Alias for validate\r\n * @see validate\r\n */\r\nexport const createValidator = validate;\r\n","/**\r\n * @module @arcis/node/validation/file\r\n * File upload validation and filename sanitization\r\n */\r\n\r\n// =============================================================================\r\n// MAGIC BYTES — first bytes of common file types\r\n// =============================================================================\r\n\r\nconst MAGIC_BYTES: Record<string, Buffer[]> = {\r\n  // Images\r\n  'image/jpeg': [Buffer.from([0xFF, 0xD8, 0xFF])],\r\n  'image/png': [Buffer.from([0x89, 0x50, 0x4E, 0x47])],\r\n  'image/gif': [Buffer.from('GIF87a'), Buffer.from('GIF89a')],\r\n  'image/webp': [Buffer.from('RIFF')], // RIFF....WEBP\r\n  'image/bmp': [Buffer.from([0x42, 0x4D])],\r\n  'image/svg+xml': [], // text-based, check separately\r\n\r\n  // Documents\r\n  'application/pdf': [Buffer.from('%PDF')],\r\n  'application/zip': [Buffer.from([0x50, 0x4B, 0x03, 0x04])],\r\n\r\n  // Audio/Video\r\n  'audio/mpeg': [Buffer.from([0xFF, 0xFB]), Buffer.from([0xFF, 0xF3]), Buffer.from([0x49, 0x44, 0x33])],\r\n  'video/mp4': [], // ftyp at offset 4\r\n};\r\n\r\n// =============================================================================\r\n// DANGEROUS EXTENSIONS — files that can execute code\r\n// =============================================================================\r\n\r\nconst DANGEROUS_EXTENSIONS = new Set([\r\n  // Scripts\r\n  '.exe', '.bat', '.cmd', '.com', '.msi', '.scr', '.pif',\r\n  '.vbs', '.vbe', '.js', '.jse', '.ws', '.wsf', '.wsc', '.wsh',\r\n  '.ps1', '.ps1xml', '.ps2', '.ps2xml', '.psc1', '.psc2',\r\n  '.sh', '.bash', '.csh', '.ksh',\r\n  // Server-side\r\n  '.php', '.php3', '.php4', '.php5', '.phtml', '.pht',\r\n  '.asp', '.aspx', '.ashx', '.asmx', '.cer',\r\n  '.jsp', '.jspx', '.jsw', '.jsv',\r\n  '.cgi', '.pl', '.py', '.rb',\r\n  // Java\r\n  '.jar', '.war', '.ear', '.class',\r\n  // Config that can execute\r\n  '.htaccess', '.htpasswd',\r\n  // Template engines\r\n  '.ejs', '.pug', '.hbs', '.handlebars', '.njk', '.twig',\r\n  // Shortcuts/links\r\n  '.lnk', '.inf', '.reg', '.url',\r\n  // Office macros\r\n  '.docm', '.xlsm', '.pptm', '.dotm',\r\n]);\r\n\r\n// =============================================================================\r\n// TYPES\r\n// =============================================================================\r\n\r\n/** File upload validation options */\r\nexport interface ValidateFileOptions {\r\n  /** Maximum file size in bytes. Default: 5MB */\r\n  maxSize?: number;\r\n  /** Allowed MIME types (e.g., ['image/jpeg', 'image/png']) */\r\n  allowedTypes?: string[];\r\n  /** Allowed file extensions (e.g., ['.jpg', '.png']). Includes dot. */\r\n  allowedExtensions?: string[];\r\n  /** Block dangerous/executable extensions. Default: true */\r\n  blockExecutables?: boolean;\r\n  /** Validate magic bytes match the claimed MIME type. Default: true */\r\n  validateMagicBytes?: boolean;\r\n  /** Block files with no extension. Default: true */\r\n  blockNoExtension?: boolean;\r\n  /** Block double extensions (e.g., file.php.jpg). Default: true */\r\n  blockDoubleExtensions?: boolean;\r\n}\r\n\r\n/** File metadata for validation */\r\nexport interface FileInput {\r\n  /** Original filename */\r\n  filename: string;\r\n  /** MIME type (as claimed by client) */\r\n  mimetype: string;\r\n  /** File size in bytes */\r\n  size: number;\r\n  /** File content buffer (for magic byte validation) */\r\n  buffer?: Buffer;\r\n}\r\n\r\n/** File validation result */\r\nexport interface ValidateFileResult {\r\n  /** Whether the file passed validation */\r\n  valid: boolean;\r\n  /** Validation errors (empty if valid) */\r\n  errors: string[];\r\n  /** Sanitized filename (safe for storage) */\r\n  sanitizedFilename: string;\r\n}\r\n\r\n// =============================================================================\r\n// DEFAULTS\r\n// =============================================================================\r\n\r\nconst DEFAULT_MAX_SIZE = 5 * 1024 * 1024; // 5MB\r\n\r\n// =============================================================================\r\n// FILENAME SANITIZATION\r\n// =============================================================================\r\n\r\n/**\r\n * Sanitize a filename for safe storage.\r\n *\r\n * Strips path traversal, null bytes, control characters, and special characters.\r\n * Preserves the extension and converts to a filesystem-safe name.\r\n *\r\n * @param filename - The original filename\r\n * @returns A sanitized filename safe for storage\r\n *\r\n * @example\r\n * sanitizeFilename('../../etc/passwd')          // 'etc_passwd'\r\n * sanitizeFilename('file<name>.jpg')            // 'filename.jpg'\r\n * sanitizeFilename('photo (1).jpg')             // 'photo_1.jpg'\r\n * sanitizeFilename('.htaccess')                 // 'htaccess'\r\n */\r\nexport function sanitizeFilename(filename: string): string {\r\n  let name = filename;\r\n\r\n  // Strip null bytes\r\n  name = name.replace(/\\0/g, '');\r\n\r\n  // Strip path components (both Unix and Windows)\r\n  name = name.replace(/^.*[/\\\\]/, '');\r\n\r\n  // Strip control characters\r\n  name = name.replace(/[\\x00-\\x1F\\x7F]/g, '');\r\n\r\n  // Strip characters unsafe for filesystems\r\n  name = name.replace(/[<>:\"/\\\\|?*]/g, '');\r\n\r\n  // Replace spaces and parens with underscores\r\n  name = name.replace(/[\\s()]+/g, '_');\r\n\r\n  // Strip leading dots (hidden files / .htaccess)\r\n  name = name.replace(/^\\.+/, '');\r\n\r\n  // Collapse multiple underscores/dots\r\n  name = name.replace(/_{2,}/g, '_');\r\n  name = name.replace(/\\.{2,}/g, '.');\r\n\r\n  // Trim underscores before dots (e.g., \"photo_1_.jpg\" → \"photo_1.jpg\")\r\n  name = name.replace(/_+\\./g, '.');\r\n\r\n  // Trim underscores from edges\r\n  name = name.replace(/^_+|_+$/g, '');\r\n\r\n  // Fallback for empty name\r\n  if (!name || name === '.') {\r\n    name = 'unnamed';\r\n  }\r\n\r\n  return name;\r\n}\r\n\r\n// =============================================================================\r\n// MAGIC BYTE VALIDATION\r\n// =============================================================================\r\n\r\n/**\r\n * Check if file content matches the claimed MIME type via magic bytes.\r\n */\r\nfunction matchesMagicBytes(buffer: Buffer, mimetype: string): boolean {\r\n  const signatures = MAGIC_BYTES[mimetype];\r\n  if (!signatures || signatures.length === 0) return true; // no signature to check\r\n\r\n  return signatures.some(sig => {\r\n    if (buffer.length < sig.length) return false;\r\n    return buffer.subarray(0, sig.length).equals(sig);\r\n  });\r\n}\r\n\r\n// =============================================================================\r\n// EXTENSION HELPERS\r\n// =============================================================================\r\n\r\n/**\r\n * Get the extension from a filename (lowercase, with dot).\r\n */\r\nfunction getExtension(filename: string): string {\r\n  const lastDot = filename.lastIndexOf('.');\r\n  if (lastDot < 1) return '';\r\n  return filename.slice(lastDot).toLowerCase();\r\n}\r\n\r\n/**\r\n * Check if a filename has double extensions (e.g., file.php.jpg).\r\n */\r\nfunction hasDoubleExtension(filename: string): boolean {\r\n  const parts = filename.split('.');\r\n  if (parts.length < 3) return false;\r\n\r\n  // Check if any non-final extension is dangerous\r\n  for (let i = 1; i < parts.length - 1; i++) {\r\n    const ext = '.' + parts[i].toLowerCase();\r\n    if (DANGEROUS_EXTENSIONS.has(ext)) return true;\r\n  }\r\n  return false;\r\n}\r\n\r\n// =============================================================================\r\n// FILE VALIDATION\r\n// =============================================================================\r\n\r\n/**\r\n * Validate a file upload for security.\r\n *\r\n * Checks file size, MIME type, extension, magic bytes, and dangerous patterns.\r\n * Returns a result with validation errors and a sanitized filename.\r\n *\r\n * @param file - File metadata and optional content\r\n * @param options - Validation options\r\n * @returns Validation result\r\n *\r\n * @example\r\n * const result = validateFile(\r\n *   { filename: 'photo.jpg', mimetype: 'image/jpeg', size: 1024, buffer },\r\n *   { allowedTypes: ['image/jpeg', 'image/png'], maxSize: 2 * 1024 * 1024 }\r\n * );\r\n * if (!result.valid) {\r\n *   return res.status(400).json({ errors: result.errors });\r\n * }\r\n * // Use result.sanitizedFilename for storage\r\n *\r\n * @example\r\n * // Block executables only (no whitelist)\r\n * const result = validateFile(file, { blockExecutables: true });\r\n */\r\nexport function validateFile(\r\n  file: FileInput,\r\n  options: ValidateFileOptions = {}\r\n): ValidateFileResult {\r\n  const {\r\n    maxSize = DEFAULT_MAX_SIZE,\r\n    allowedTypes,\r\n    allowedExtensions,\r\n    blockExecutables = true,\r\n    validateMagicBytes = true,\r\n    blockNoExtension = true,\r\n    blockDoubleExtensions = true,\r\n  } = options;\r\n\r\n  const errors: string[] = [];\r\n  const sanitizedFilename = sanitizeFilename(file.filename);\r\n  const extension = getExtension(sanitizedFilename);\r\n\r\n  // Size check\r\n  if (file.size > maxSize) {\r\n    errors.push(`File size ${file.size} exceeds maximum ${maxSize} bytes`);\r\n  }\r\n\r\n  if (file.size === 0) {\r\n    errors.push('File is empty');\r\n  }\r\n\r\n  // Extension checks\r\n  if (blockNoExtension && !extension) {\r\n    errors.push('File has no extension');\r\n  }\r\n\r\n  if (blockExecutables && extension && DANGEROUS_EXTENSIONS.has(extension)) {\r\n    errors.push(`Executable extension \"${extension}\" is not allowed`);\r\n  }\r\n\r\n  if (blockDoubleExtensions && hasDoubleExtension(sanitizedFilename)) {\r\n    errors.push('Double extensions with executable types are not allowed');\r\n  }\r\n\r\n  if (allowedExtensions && extension) {\r\n    const normalizedAllowed = allowedExtensions.map(e => e.toLowerCase());\r\n    if (!normalizedAllowed.includes(extension)) {\r\n      errors.push(`Extension \"${extension}\" is not allowed. Allowed: ${normalizedAllowed.join(', ')}`);\r\n    }\r\n  }\r\n\r\n  // MIME type check\r\n  if (allowedTypes && !allowedTypes.includes(file.mimetype)) {\r\n    errors.push(`MIME type \"${file.mimetype}\" is not allowed. Allowed: ${allowedTypes.join(', ')}`);\r\n  }\r\n\r\n  // Magic bytes validation\r\n  if (validateMagicBytes && file.buffer && file.buffer.length > 0) {\r\n    if (!matchesMagicBytes(file.buffer, file.mimetype)) {\r\n      errors.push(`File content does not match claimed MIME type \"${file.mimetype}\"`);\r\n    }\r\n  }\r\n\r\n  return {\r\n    valid: errors.length === 0,\r\n    errors,\r\n    sanitizedFilename,\r\n  };\r\n}\r\n\r\n/**\r\n * Check if a file extension is considered dangerous/executable.\r\n *\r\n * @param filename - Filename or extension to check\r\n * @returns true if the extension is dangerous\r\n */\r\nexport function isDangerousExtension(filename: string): boolean {\r\n  const ext = getExtension(filename);\r\n  return ext !== '' && DANGEROUS_EXTENSIONS.has(ext);\r\n}\r\n","/**\r\n * @module @arcis/node/logging/redactor\r\n * Safe logging with PII/secret redaction\r\n */\r\n\r\nimport { REDACTION, INPUT } from '../core/constants';\r\nimport type { LogOptions, SafeLogger } from '../core/types';\r\n\r\n/**\r\n * Create a safe logger that redacts sensitive data and prevents log injection.\r\n * \r\n * @param options - Logger configuration\r\n * @returns SafeLogger instance\r\n * \r\n * @example\r\n * const logger = createSafeLogger();\r\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\r\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\r\n * \r\n * @example\r\n * // With custom redact keys\r\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\r\n */\r\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\r\n  const { \r\n    redactKeys = [], \r\n    maxLength = REDACTION.DEFAULT_MAX_LENGTH,\r\n    redactPatterns = [],\r\n  } = options;\r\n\r\n  // Combine default and custom keys (lowercase for case-insensitive matching)\r\n  const allRedactKeys = new Set([\r\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\r\n    ...redactKeys.map(k => k.toLowerCase()),\r\n  ]);\r\n\r\n  /**\r\n   * Redact sensitive data from an object recursively.\r\n   */\r\n  function redact(obj: unknown, depth = 0): unknown {\r\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\r\n    if (obj === null || obj === undefined) return obj;\r\n\r\n    if (typeof obj === 'string') {\r\n      return redactString(obj, maxLength, redactPatterns);\r\n    }\r\n\r\n    if (typeof obj !== 'object') return obj;\r\n\r\n    if (Array.isArray(obj)) {\r\n      return obj.map(item => redact(item, depth + 1));\r\n    }\r\n\r\n    const result: Record<string, unknown> = {};\r\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\r\n      if (allRedactKeys.has(key.toLowerCase())) {\r\n        result[key] = REDACTION.REPLACEMENT;\r\n      } else {\r\n        result[key] = redact(value, depth + 1);\r\n      }\r\n    }\r\n    return result;\r\n  }\r\n\r\n  /**\r\n   * Log a message at the specified level.\r\n   */\r\n  function log(level: string, message: string, data?: unknown): void {\r\n    const entry: Record<string, unknown> = {\r\n      timestamp: new Date().toISOString(),\r\n      level,\r\n      message: redactString(message, maxLength, redactPatterns),\r\n    };\r\n    \r\n    if (data !== undefined) {\r\n      entry.data = redact(data);\r\n    }\r\n    \r\n    console.log(JSON.stringify(entry));\r\n  }\r\n\r\n  return {\r\n    log,\r\n    info: (msg: string, data?: unknown) => log('info', msg, data),\r\n    warn: (msg: string, data?: unknown) => log('warn', msg, data),\r\n    error: (msg: string, data?: unknown) => log('error', msg, data),\r\n    debug: (msg: string, data?: unknown) => log('debug', msg, data),\r\n  };\r\n}\r\n\r\n/**\r\n * Redact a string value.\r\n * Removes newlines (log injection prevention), applies patterns, and truncates.\r\n */\r\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\r\n  // Remove newlines/tabs (log injection prevention) and genuine control characters.\r\n  // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\r\n  // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\r\n  let safe = str\r\n    .replace(/[\\r\\n\\t]/g, ' ')\r\n    .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\r\n\r\n  // Apply custom redaction patterns\r\n  for (const pattern of patterns) {\r\n    safe = safe.replace(pattern, REDACTION.REPLACEMENT);\r\n  }\r\n\r\n  // Truncate if too long\r\n  if (safe.length > maxLength) {\r\n    safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\r\n  }\r\n\r\n  return safe;\r\n}\r\n\r\n/**\r\n * Create a redactor function for custom use.\r\n * \r\n * @param sensitiveKeys - Keys to redact\r\n * @returns Redactor function\r\n */\r\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\r\n  const allKeys = new Set([\r\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\r\n    ...sensitiveKeys.map(k => k.toLowerCase()),\r\n  ]);\r\n\r\n  function redact(obj: unknown, depth = 0): unknown {\r\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\r\n    if (obj === null || obj === undefined) return obj;\r\n    if (typeof obj !== 'object') return obj;\r\n\r\n    if (Array.isArray(obj)) {\r\n      return obj.map(item => redact(item, depth + 1));\r\n    }\r\n\r\n    const result: Record<string, unknown> = {};\r\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\r\n      if (allKeys.has(key.toLowerCase())) {\r\n        result[key] = REDACTION.REPLACEMENT;\r\n      } else {\r\n        result[key] = redact(value, depth + 1);\r\n      }\r\n    }\r\n    return result;\r\n  }\r\n\r\n  return redact;\r\n}\r\n\r\n/**\r\n * Alias for createSafeLogger\r\n * @see createSafeLogger\r\n */\r\nexport const safeLog = createSafeLogger;\r\n","/**\r\n * @module @arcis/node/middleware/main\r\n * Main arcis() middleware factory\r\n */\r\n\r\nimport type { RequestHandler } from 'express';\r\nimport type {\r\n  ArcisOptions,\r\n  ArcisFunction,\r\n  ArcisMiddlewareStack,\r\n  HeaderOptions,\r\n  RateLimitOptions,\r\n  SanitizeOptions,\r\n} from '../core/types';\r\nimport { createHeaders } from './headers';\r\nimport { createRateLimiter } from './rate-limit';\r\nimport { createErrorHandler } from './error-handler';\r\nimport { createSanitizer } from '../sanitizers';\r\nimport { validate } from '../validation';\r\nimport { createSafeLogger } from '../logging';\r\n\r\n/**\r\n * Create Arcis middleware with all protections enabled.\r\n * \r\n * @param options - Configuration options\r\n * @returns Array of Express middleware\r\n * \r\n * @example\r\n * // Full protection (recommended)\r\n * app.use(arcis());\r\n * \r\n * @example\r\n * // Custom configuration\r\n * app.use(arcis({\r\n *   rateLimit: { max: 50 },\r\n *   headers: { frameOptions: 'SAMEORIGIN' }\r\n * }));\r\n * \r\n * @example\r\n * // Disable specific features\r\n * app.use(arcis({\r\n *   rateLimit: false,\r\n *   sanitize: { sql: false }\r\n * }));\r\n * \r\n * @example\r\n * // Cleanup on shutdown\r\n * const middleware = arcis();\r\n * app.use(middleware);\r\n * process.on('SIGTERM', () => middleware.close());\r\n */\r\nexport function arcis(options: ArcisOptions = {}): ArcisMiddlewareStack {\r\n  const middlewares: RequestHandler[] = [];\r\n  const cleanupFns: (() => void)[] = [];\r\n\r\n  // Security headers (first, always)\r\n  if (options.headers !== false) {\r\n    const headerOpts: HeaderOptions = typeof options.headers === 'object' \r\n      ? options.headers \r\n      : {};\r\n    middlewares.push(createHeaders(headerOpts));\r\n  }\r\n\r\n  // Rate limiting\r\n  if (options.rateLimit !== false) {\r\n    const rateLimitOpts: RateLimitOptions = typeof options.rateLimit === 'object' \r\n      ? options.rateLimit \r\n      : {};\r\n    const rateLimiter = createRateLimiter(rateLimitOpts);\r\n    middlewares.push(rateLimiter);\r\n    cleanupFns.push(() => rateLimiter.close());\r\n  }\r\n\r\n  // Input sanitization (last, after body parsing)\r\n  if (options.sanitize !== false) {\r\n    const sanitizeOpts: SanitizeOptions = typeof options.sanitize === 'object' \r\n      ? options.sanitize \r\n      : {};\r\n    middlewares.push(createSanitizer(sanitizeOpts));\r\n  }\r\n\r\n  // Attach close() directly on the array so callers can clean up without any-casts.\r\n  const result = middlewares as ArcisMiddlewareStack;\r\n  result.close = () => {\r\n    for (const fn of cleanupFns) {\r\n      fn();\r\n    }\r\n  };\r\n\r\n  return result;\r\n}\r\n\r\n// Attach individual functions for granular use\r\nconst arcisWithMethods = arcis as ArcisFunction;\r\narcisWithMethods.sanitize = createSanitizer;\r\narcisWithMethods.rateLimit = createRateLimiter;\r\narcisWithMethods.headers = createHeaders;\r\narcisWithMethods.validate = validate;\r\narcisWithMethods.logger = createSafeLogger;\r\narcisWithMethods.errorHandler = createErrorHandler;\r\n\r\nexport { arcisWithMethods as arcisFunction };\r\nexport default arcisWithMethods;\r\n","/**\r\n * @module @arcis/node/middleware/cors\r\n * Safe CORS middleware with secure defaults\r\n */\r\n\r\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\r\n\r\n/** CORS configuration options */\r\nexport interface CorsOptions {\r\n  /**\r\n   * Allowed origins. Can be:\r\n   * - A string: exact match (e.g., 'https://example.com')\r\n   * - An array: whitelist of allowed origins\r\n   * - A RegExp: pattern match (use with care)\r\n   * - A function: custom validation `(origin) => boolean`\r\n   * - `true`: reflect the request origin (DANGEROUS — only for dev)\r\n   *\r\n   * Default: none (no origin allowed). You must explicitly set this.\r\n   */\r\n  origin: string | string[] | RegExp | ((origin: string) => boolean) | true;\r\n\r\n  /** Allowed HTTP methods. Default: ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'] */\r\n  methods?: string[];\r\n\r\n  /** Allowed headers. Default: ['Content-Type', 'Authorization'] */\r\n  allowedHeaders?: string[];\r\n\r\n  /** Headers exposed to the browser. Default: [] */\r\n  exposedHeaders?: string[];\r\n\r\n  /** Allow credentials (cookies, authorization headers). Default: false */\r\n  credentials?: boolean;\r\n\r\n  /** Preflight cache duration in seconds. Default: 600 (10 minutes) */\r\n  maxAge?: number;\r\n\r\n  /** Respond to preflight with 204 (no content). Default: true */\r\n  preflightContinue?: boolean;\r\n}\r\n\r\nconst DEFAULT_METHODS = ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'];\r\nconst DEFAULT_HEADERS = ['Content-Type', 'Authorization'];\r\nconst DEFAULT_MAX_AGE = 600;\r\n\r\n/**\r\n * Check if an origin is allowed by the configured policy.\r\n */\r\nfunction isOriginAllowed(\r\n  requestOrigin: string,\r\n  allowed: CorsOptions['origin']\r\n): boolean {\r\n  // 'null' origin is always blocked — sent by sandboxed iframes, data: URIs, etc.\r\n  if (requestOrigin === 'null') return false;\r\n\r\n  if (allowed === true) return true;\r\n\r\n  if (typeof allowed === 'string') {\r\n    return requestOrigin === allowed;\r\n  }\r\n\r\n  if (Array.isArray(allowed)) {\r\n    return allowed.includes(requestOrigin);\r\n  }\r\n\r\n  if (allowed instanceof RegExp) {\r\n    return allowed.test(requestOrigin);\r\n  }\r\n\r\n  if (typeof allowed === 'function') {\r\n    return allowed(requestOrigin);\r\n  }\r\n\r\n  return false;\r\n}\r\n\r\n/**\r\n * Create safe CORS middleware.\r\n *\r\n * Unlike permissive CORS libraries, this enforces secure defaults:\r\n * - No wildcard `*` when credentials are enabled\r\n * - `null` origin is always blocked\r\n * - `Vary: Origin` is always set for proper caching\r\n * - You must explicitly configure allowed origins\r\n *\r\n * @param options - CORS configuration\r\n * @returns Express middleware\r\n *\r\n * @example\r\n * // Allow a single origin\r\n * app.use(safeCors({ origin: 'https://myapp.com' }));\r\n *\r\n * @example\r\n * // Allow multiple origins with credentials\r\n * app.use(safeCors({\r\n *   origin: ['https://myapp.com', 'https://admin.myapp.com'],\r\n *   credentials: true,\r\n * }));\r\n *\r\n * @example\r\n * // Development: allow all (NOT for production)\r\n * app.use(safeCors({ origin: true }));\r\n */\r\nexport function safeCors(options: CorsOptions): RequestHandler {\r\n  const {\r\n    origin,\r\n    methods = DEFAULT_METHODS,\r\n    allowedHeaders = DEFAULT_HEADERS,\r\n    exposedHeaders = [],\r\n    credentials = false,\r\n    maxAge = DEFAULT_MAX_AGE,\r\n    preflightContinue = true,\r\n  } = options;\r\n\r\n  return (req: Request, res: Response, next: NextFunction) => {\r\n    const requestOrigin = req.headers.origin;\r\n\r\n    // Always set Vary: Origin for proper caching\r\n    res.setHeader('Vary', 'Origin');\r\n\r\n    // No origin header = same-origin request, skip CORS headers\r\n    if (!requestOrigin) {\r\n      return next();\r\n    }\r\n\r\n    const allowed = isOriginAllowed(requestOrigin, origin);\r\n\r\n    if (!allowed) {\r\n      // Don't set any CORS headers — browser will block the request\r\n      return next();\r\n    }\r\n\r\n    // Set Access-Control-Allow-Origin to the specific origin (not *)\r\n    res.setHeader('Access-Control-Allow-Origin', requestOrigin);\r\n\r\n    if (credentials) {\r\n      res.setHeader('Access-Control-Allow-Credentials', 'true');\r\n    }\r\n\r\n    if (exposedHeaders.length > 0) {\r\n      res.setHeader('Access-Control-Expose-Headers', exposedHeaders.join(', '));\r\n    }\r\n\r\n    // Handle preflight requests\r\n    if (req.method === 'OPTIONS') {\r\n      res.setHeader('Access-Control-Allow-Methods', methods.join(', '));\r\n      res.setHeader('Access-Control-Allow-Headers', allowedHeaders.join(', '));\r\n      res.setHeader('Access-Control-Max-Age', String(maxAge));\r\n\r\n      if (preflightContinue) {\r\n        res.status(204).end();\r\n        return;\r\n      }\r\n    }\r\n\r\n    next();\r\n  };\r\n}\r\n\r\n/**\r\n * Alias for safeCors\r\n * @see safeCors\r\n */\r\nexport const createCors = safeCors;\r\n","/**\r\n * @module @arcis/node/middleware/cookies\r\n * Secure cookie defaults middleware\r\n */\r\n\r\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\r\n\r\n/** Cookie security configuration */\r\nexport interface SecureCookieOptions {\r\n  /** Force HttpOnly on all cookies. Default: true */\r\n  httpOnly?: boolean;\r\n  /** Force Secure flag (HTTPS only). Default: true in production, false in dev */\r\n  secure?: boolean;\r\n  /** SameSite attribute. Default: 'Lax' */\r\n  sameSite?: 'Strict' | 'Lax' | 'None' | false;\r\n  /** Override Path attribute. Default: undefined (keep original) */\r\n  path?: string;\r\n}\r\n\r\nconst COOKIE_ATTRS = {\r\n  HTTP_ONLY: '; HttpOnly',\r\n  SECURE: '; Secure',\r\n  SAME_SITE_STRICT: '; SameSite=Strict',\r\n  SAME_SITE_LAX: '; SameSite=Lax',\r\n  SAME_SITE_NONE: '; SameSite=None',\r\n} as const;\r\n\r\n/**\r\n * Enforce secure defaults on a Set-Cookie header value.\r\n */\r\nexport function enforceSecureCookie(\r\n  cookieStr: string,\r\n  options: Required<Omit<SecureCookieOptions, 'path'>> & { path?: string }\r\n): string {\r\n  const lower = cookieStr.toLowerCase();\r\n  let result = cookieStr;\r\n\r\n  // HttpOnly — prevent JavaScript access\r\n  if (options.httpOnly && !lower.includes('httponly')) {\r\n    result += COOKIE_ATTRS.HTTP_ONLY;\r\n  }\r\n\r\n  // Secure — HTTPS only\r\n  if (options.secure && !lower.includes('; secure')) {\r\n    result += COOKIE_ATTRS.SECURE;\r\n  }\r\n\r\n  // SameSite — CSRF protection\r\n  if (options.sameSite !== false && !lower.includes('samesite')) {\r\n    switch (options.sameSite) {\r\n      case 'Strict':\r\n        result += COOKIE_ATTRS.SAME_SITE_STRICT;\r\n        break;\r\n      case 'None':\r\n        result += COOKIE_ATTRS.SAME_SITE_NONE;\r\n        // SameSite=None requires Secure\r\n        if (!result.toLowerCase().includes('; secure')) {\r\n          result += COOKIE_ATTRS.SECURE;\r\n        }\r\n        break;\r\n      case 'Lax':\r\n      default:\r\n        result += COOKIE_ATTRS.SAME_SITE_LAX;\r\n        break;\r\n    }\r\n  }\r\n\r\n  // Override path if specified\r\n  if (options.path) {\r\n    if (lower.includes('path=')) {\r\n      result = result.replace(/;\\s*path=[^;]*/i, `; Path=${options.path}`);\r\n    } else {\r\n      result += `; Path=${options.path}`;\r\n    }\r\n  }\r\n\r\n  return result;\r\n}\r\n\r\n/**\r\n * Create middleware that enforces secure cookie defaults.\r\n *\r\n * Intercepts Set-Cookie headers and adds missing security attributes:\r\n * - HttpOnly: prevents JavaScript access (XSS cookie theft)\r\n * - Secure: cookies only sent over HTTPS\r\n * - SameSite: CSRF protection\r\n *\r\n * @param options - Cookie security configuration\r\n * @returns Express middleware\r\n *\r\n * @example\r\n * // Enforce defaults on all cookies\r\n * app.use(secureCookieDefaults());\r\n *\r\n * @example\r\n * // Strict SameSite for sensitive apps\r\n * app.use(secureCookieDefaults({ sameSite: 'Strict' }));\r\n */\r\nexport function secureCookieDefaults(options: SecureCookieOptions = {}): RequestHandler {\r\n  const isProduction = process.env.NODE_ENV === 'production';\r\n  const resolved = {\r\n    httpOnly: options.httpOnly ?? true,\r\n    secure: options.secure ?? isProduction,\r\n    sameSite: options.sameSite ?? 'Lax' as const,\r\n    path: options.path,\r\n  };\r\n\r\n  return (_req: Request, res: Response, next: NextFunction) => {\r\n    // Monkey-patch res.setHeader to intercept Set-Cookie\r\n    const originalSetHeader = res.setHeader.bind(res);\r\n\r\n    res.setHeader = function patchedSetHeader(name: string, value: string | number | readonly string[]) {\r\n      if (name.toLowerCase() === 'set-cookie') {\r\n        if (Array.isArray(value)) {\r\n          value = value.map(v => enforceSecureCookie(String(v), resolved));\r\n        } else {\r\n          value = enforceSecureCookie(String(value), resolved);\r\n        }\r\n      }\r\n      return originalSetHeader(name, value);\r\n    } as typeof res.setHeader;\r\n\r\n    next();\r\n  };\r\n}\r\n\r\n/**\r\n * Alias for secureCookieDefaults\r\n * @see secureCookieDefaults\r\n */\r\nexport const createSecureCookies = secureCookieDefaults;\r\n","/**\r\n * @module @arcis/node/validation/url\r\n * SSRF (Server-Side Request Forgery) prevention\r\n *\r\n * Validates URLs to ensure they don't target private/internal networks,\r\n * localhost, cloud metadata endpoints, or use dangerous protocols.\r\n *\r\n * @example\r\n * import { validateUrl } from '@arcis/node';\r\n *\r\n * // Block SSRF attempts\r\n * validateUrl('http://169.254.169.254/latest/meta-data/')  // { safe: false, reason: 'link-local address' }\r\n * validateUrl('http://10.0.0.1/admin')                     // { safe: false, reason: 'private address (10.0.0.0/8)' }\r\n * validateUrl('http://localhost/secret')                    // { safe: false, reason: 'loopback address' }\r\n * validateUrl('file:///etc/passwd')                         // { safe: false, reason: 'disallowed protocol: file:' }\r\n *\r\n * // Allow safe URLs\r\n * validateUrl('https://api.example.com/data')               // { safe: true }\r\n */\r\n\r\n/** Options for URL validation */\r\nexport interface ValidateUrlOptions {\r\n  /** Allowed protocols. Default: ['http:', 'https:'] */\r\n  allowedProtocols?: string[];\r\n  /** Additional hostnames to block (e.g., internal service names) */\r\n  blockedHosts?: string[];\r\n  /** Additional hostnames to always allow (bypass IP checks) */\r\n  allowedHosts?: string[];\r\n  /** Allow localhost/loopback. Default: false */\r\n  allowLocalhost?: boolean;\r\n  /** Allow private/internal IPs. Default: false */\r\n  allowPrivate?: boolean;\r\n}\r\n\r\n/** Result of URL validation */\r\nexport interface ValidateUrlResult {\r\n  /** Whether the URL is safe to fetch */\r\n  safe: boolean;\r\n  /** Reason the URL was blocked (only set when safe=false) */\r\n  reason?: string;\r\n}\r\n\r\n/**\r\n * Validate a URL for SSRF safety.\r\n *\r\n * Checks:\r\n * 1. Valid URL format\r\n * 2. Allowed protocol (default: http, https only)\r\n * 3. Not localhost/loopback (127.x.x.x, ::1, localhost)\r\n * 4. Not private IP (10.x, 172.16-31.x, 192.168.x)\r\n * 5. Not link-local (169.254.x.x — includes AWS/GCP/Azure metadata)\r\n * 6. Not blocked hostname\r\n * 7. No credentials in URL (user:pass@host)\r\n *\r\n * @param url - The URL string to validate\r\n * @param options - Validation options\r\n * @returns Validation result with safe flag and optional reason\r\n */\r\nexport function validateUrl(url: string, options: ValidateUrlOptions = {}): ValidateUrlResult {\r\n  const {\r\n    allowedProtocols = ['http:', 'https:'],\r\n    blockedHosts = [],\r\n    allowedHosts = [],\r\n    allowLocalhost = false,\r\n    allowPrivate = false,\r\n  } = options;\r\n\r\n  if (typeof url !== 'string' || url.trim() === '') {\r\n    return { safe: false, reason: 'invalid URL: empty or not a string' };\r\n  }\r\n\r\n  // Parse URL\r\n  let parsed: URL;\r\n  try {\r\n    parsed = new URL(url);\r\n  } catch {\r\n    return { safe: false, reason: 'invalid URL: failed to parse' };\r\n  }\r\n\r\n  // Check protocol\r\n  if (!allowedProtocols.includes(parsed.protocol)) {\r\n    return { safe: false, reason: `disallowed protocol: ${parsed.protocol}` };\r\n  }\r\n\r\n  // Check for credentials in URL (user:pass@host)\r\n  if (parsed.username || parsed.password) {\r\n    return { safe: false, reason: 'URL contains credentials' };\r\n  }\r\n\r\n  const hostname = parsed.hostname.toLowerCase();\r\n\r\n  // Check explicit allowlist first (bypass IP checks)\r\n  if (allowedHosts.some(h => hostname === h.toLowerCase())) {\r\n    return { safe: true };\r\n  }\r\n\r\n  // Check explicit blocklist\r\n  if (blockedHosts.some(h => hostname === h.toLowerCase())) {\r\n    return { safe: false, reason: `blocked host: ${hostname}` };\r\n  }\r\n\r\n  // Check localhost/loopback\r\n  if (!allowLocalhost) {\r\n    if (\r\n      hostname === 'localhost' ||\r\n      hostname === '127.0.0.1' ||\r\n      hostname === '[::1]' ||\r\n      hostname === '::1' ||\r\n      hostname === '0.0.0.0' ||\r\n      hostname.endsWith('.localhost')\r\n    ) {\r\n      return { safe: false, reason: 'loopback address' };\r\n    }\r\n\r\n    // Check 127.x.x.x range\r\n    if (/^127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$/.test(hostname)) {\r\n      return { safe: false, reason: 'loopback address' };\r\n    }\r\n  }\r\n\r\n  // Check private/internal IPs\r\n  if (!allowPrivate) {\r\n    const privateCheck = checkPrivateIp(hostname);\r\n    if (privateCheck) {\r\n      return { safe: false, reason: privateCheck };\r\n    }\r\n  }\r\n\r\n  return { safe: true };\r\n}\r\n\r\n/**\r\n * Convenience wrapper that returns true/false.\r\n *\r\n * @param url - The URL to check\r\n * @param options - Validation options\r\n * @returns true if the URL is safe to fetch\r\n */\r\nexport function isUrlSafe(url: string, options: ValidateUrlOptions = {}): boolean {\r\n  return validateUrl(url, options).safe;\r\n}\r\n\r\n/**\r\n * Check if a hostname is a private/internal IP address.\r\n * Returns the reason string if private, or null if not.\r\n */\r\nfunction checkPrivateIp(hostname: string): string | null {\r\n  // 10.0.0.0/8\r\n  if (/^10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$/.test(hostname)) {\r\n    return 'private address (10.0.0.0/8)';\r\n  }\r\n\r\n  // 172.16.0.0/12 (172.16.x.x - 172.31.x.x)\r\n  const match172 = hostname.match(/^172\\.(\\d{1,3})\\.\\d{1,3}\\.\\d{1,3}$/);\r\n  if (match172) {\r\n    const second = parseInt(match172[1], 10);\r\n    if (second >= 16 && second <= 31) {\r\n      return 'private address (172.16.0.0/12)';\r\n    }\r\n  }\r\n\r\n  // 192.168.0.0/16\r\n  if (/^192\\.168\\.\\d{1,3}\\.\\d{1,3}$/.test(hostname)) {\r\n    return 'private address (192.168.0.0/16)';\r\n  }\r\n\r\n  // 169.254.0.0/16 — link-local, includes cloud metadata endpoints\r\n  // AWS: 169.254.169.254, GCP: metadata.google.internal, Azure: 169.254.169.254\r\n  if (/^169\\.254\\.\\d{1,3}\\.\\d{1,3}$/.test(hostname)) {\r\n    return 'link-local address (169.254.0.0/16)';\r\n  }\r\n\r\n  // 0.0.0.0/8 (current network)\r\n  if (/^0\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$/.test(hostname)) {\r\n    return 'current network address (0.0.0.0/8)';\r\n  }\r\n\r\n  // Cloud metadata hostnames\r\n  if (\r\n    hostname === 'metadata.google.internal' ||\r\n    hostname === 'metadata.internal'\r\n  ) {\r\n    return 'cloud metadata endpoint';\r\n  }\r\n\r\n  // IPv6 private ranges (simplified — bracket-wrapped in URLs)\r\n  const ipv6 = hostname.replace(/^\\[|\\]$/g, '');\r\n  if (\r\n    ipv6 === '::1' ||\r\n    ipv6 === '::' ||\r\n    ipv6.startsWith('fc') ||\r\n    ipv6.startsWith('fd') ||\r\n    ipv6.startsWith('fe80')\r\n  ) {\r\n    return 'private IPv6 address';\r\n  }\r\n\r\n  return null;\r\n}\r\n","/**\r\n * @module @arcis/node/validation/redirect\r\n * Open Redirect prevention\r\n *\r\n * Prevents attackers from using your app to redirect users to malicious sites\r\n * via manipulated query parameters like ?returnUrl=http://evil.com\r\n *\r\n * @example\r\n * import { validateRedirect, isRedirectSafe } from '@arcis/node';\r\n *\r\n * // Block open redirects\r\n * validateRedirect('http://evil.com')                    // { safe: false, reason: 'absolute URL not in allowed hosts' }\r\n * validateRedirect('//evil.com')                         // { safe: false, reason: 'protocol-relative URL not in allowed hosts' }\r\n * validateRedirect('javascript:alert(1)')                // { safe: false, reason: 'dangerous protocol: javascript:' }\r\n *\r\n * // Allow safe redirects\r\n * validateRedirect('/dashboard')                         // { safe: true }\r\n * validateRedirect('/users?page=2')                      // { safe: true }\r\n * validateRedirect('https://myapp.com/home', { allowedHosts: ['myapp.com'] })  // { safe: true }\r\n */\r\n\r\n/** Options for redirect validation */\r\nexport interface ValidateRedirectOptions {\r\n  /** Hostnames that are allowed for absolute URL redirects */\r\n  allowedHosts?: string[];\r\n  /** Allow protocol-relative URLs (//example.com). Default: false */\r\n  allowProtocolRelative?: boolean;\r\n  /** Allowed protocols for absolute URLs. Default: ['http:', 'https:'] */\r\n  allowedProtocols?: string[];\r\n}\r\n\r\n/** Result of redirect validation */\r\nexport interface ValidateRedirectResult {\r\n  /** Whether the redirect URL is safe */\r\n  safe: boolean;\r\n  /** Reason the redirect was blocked (only set when safe=false) */\r\n  reason?: string;\r\n}\r\n\r\n/** Protocols that can execute code or exfiltrate data */\r\nconst DANGEROUS_PROTOCOLS = /^(javascript|data|vbscript|blob):/i;\r\n\r\n/** Characters used to disguise URLs (tabs, newlines inside scheme) */\r\nconst CONTROL_CHARS = /[\\t\\n\\r]/g;\r\n\r\n/**\r\n * Validate a redirect URL to prevent open redirect attacks.\r\n *\r\n * Safe redirects:\r\n * - Relative paths: /dashboard, /users?page=2, ../settings\r\n * - Absolute URLs to allowed hosts (when configured)\r\n *\r\n * Blocked redirects:\r\n * - Absolute URLs to unknown hosts\r\n * - Protocol-relative URLs (//evil.com)\r\n * - javascript:, data:, vbscript:, blob: protocols\r\n * - Backslash-prefixed paths (\\\\evil.com — browser treats as //)\r\n * - URLs with control characters that could disguise the target\r\n *\r\n * @param url - The redirect target URL to validate\r\n * @param options - Validation options\r\n * @returns Validation result with safe flag and optional reason\r\n */\r\nexport function validateRedirect(\r\n  url: string,\r\n  options: ValidateRedirectOptions = {},\r\n): ValidateRedirectResult {\r\n  const {\r\n    allowedHosts = [],\r\n    allowProtocolRelative = false,\r\n    allowedProtocols = ['http:', 'https:'],\r\n  } = options;\r\n\r\n  if (typeof url !== 'string' || url.trim() === '') {\r\n    return { safe: false, reason: 'invalid redirect: empty or not a string' };\r\n  }\r\n\r\n  // Strip control characters that could disguise the URL\r\n  const cleaned = url.replace(CONTROL_CHARS, '');\r\n\r\n  // Block dangerous protocols (javascript:, data:, etc.)\r\n  if (DANGEROUS_PROTOCOLS.test(cleaned)) {\r\n    const proto = cleaned.match(DANGEROUS_PROTOCOLS);\r\n    return { safe: false, reason: `dangerous protocol: ${proto![0]}` };\r\n  }\r\n\r\n  // Block backslash-prefixed paths — browsers treat \\ as / in URLs\r\n  // so \\evil.com or \\/evil.com could redirect to //evil.com\r\n  if (cleaned.startsWith('\\\\')) {\r\n    return { safe: false, reason: 'backslash-prefixed URL (browser treats as protocol-relative)' };\r\n  }\r\n\r\n  // Check protocol-relative URLs (//evil.com)\r\n  if (cleaned.startsWith('//')) {\r\n    if (!allowProtocolRelative) {\r\n      // Still check allowedHosts\r\n      const host = extractHost(cleaned);\r\n      if (host && allowedHosts.some(h => host === h.toLowerCase())) {\r\n        return { safe: true };\r\n      }\r\n      return { safe: false, reason: 'protocol-relative URL not in allowed hosts' };\r\n    }\r\n    const host = extractHost(cleaned);\r\n    if (host && allowedHosts.length > 0 && !allowedHosts.some(h => host === h.toLowerCase())) {\r\n      return { safe: false, reason: 'protocol-relative URL not in allowed hosts' };\r\n    }\r\n    return { safe: true };\r\n  }\r\n\r\n  // Check if it's an absolute URL (has scheme)\r\n  let parsed: URL;\r\n  try {\r\n    parsed = new URL(cleaned);\r\n  } catch {\r\n    // Not a valid absolute URL — treat as relative path (safe)\r\n    return { safe: true };\r\n  }\r\n\r\n  // If we got here, it parsed as an absolute URL\r\n  // Check protocol\r\n  if (!allowedProtocols.includes(parsed.protocol)) {\r\n    return { safe: false, reason: `disallowed protocol: ${parsed.protocol}` };\r\n  }\r\n\r\n  // Check if host is in allowed list\r\n  const hostname = parsed.hostname.toLowerCase();\r\n  if (allowedHosts.length === 0) {\r\n    return { safe: false, reason: 'absolute URL not in allowed hosts' };\r\n  }\r\n\r\n  if (!allowedHosts.some(h => hostname === h.toLowerCase())) {\r\n    return { safe: false, reason: `host not allowed: ${hostname}` };\r\n  }\r\n\r\n  return { safe: true };\r\n}\r\n\r\n/**\r\n * Convenience wrapper that returns true/false.\r\n *\r\n * @param url - The redirect URL to check\r\n * @param options - Validation options\r\n * @returns true if the redirect is safe\r\n */\r\nexport function isRedirectSafe(url: string, options: ValidateRedirectOptions = {}): boolean {\r\n  return validateRedirect(url, options).safe;\r\n}\r\n\r\n/**\r\n * Extract hostname from a protocol-relative URL.\r\n */\r\nfunction extractHost(url: string): string | null {\r\n  // //hostname/path or //hostname:port/path\r\n  const match = url.match(/^\\/\\/([^/:?#]+)/);\r\n  return match ? match[1].toLowerCase() : null;\r\n}\r\n","/**\r\n * @module @arcis/node/stores/memory\r\n * In-memory rate limit store\r\n */\r\n\r\nimport type { RateLimitStore, RateLimitEntry } from '../core/types';\r\nimport { RATE_LIMIT } from '../core/constants';\r\n\r\n/**\r\n * In-memory rate limit store.\r\n * Suitable for single-instance deployments.\r\n * For distributed systems, use RedisStore or a custom store.\r\n * \r\n * @example\r\n * const store = new MemoryStore(60000); // 1 minute window\r\n * const limiter = createRateLimiter({ store });\r\n */\r\nexport class MemoryStore implements RateLimitStore {\r\n  private store: Map<string, RateLimitEntry> = new Map();\r\n  private cleanupInterval: ReturnType<typeof setInterval> | null = null;\r\n  private windowMs: number;\r\n\r\n  constructor(windowMs: number = RATE_LIMIT.DEFAULT_WINDOW_MS) {\r\n    if (!Number.isFinite(windowMs) || windowMs < RATE_LIMIT.MIN_WINDOW_MS) {\r\n      throw new RangeError(\r\n        `MemoryStore: windowMs must be a finite number >= ${RATE_LIMIT.MIN_WINDOW_MS} (got ${windowMs})`\r\n      );\r\n    }\r\n    this.windowMs = windowMs;\r\n    this.startCleanup();\r\n  }\r\n\r\n  /**\r\n   * Start the cleanup interval to remove expired entries.\r\n   */\r\n  private startCleanup(): void {\r\n    // Clamp the cleanup interval between 30 s and 5 min regardless of windowMs.\r\n    // Running it every windowMs is fine for typical windows but would fire every\r\n    // second for short windows (e.g. windowMs: 1000), causing O(n) GC pressure.\r\n    const CLEANUP_MIN_MS = 30_000;\r\n    const CLEANUP_MAX_MS = 300_000;\r\n    const cleanupMs = Math.min(Math.max(this.windowMs, CLEANUP_MIN_MS), CLEANUP_MAX_MS);\r\n\r\n    this.cleanupInterval = setInterval(() => {\r\n      const now = Date.now();\r\n      for (const [key, entry] of this.store.entries()) {\r\n        if (entry.resetTime < now) {\r\n          this.store.delete(key);\r\n        }\r\n      }\r\n    }, cleanupMs);\r\n\r\n    // Prevent interval from keeping the process alive\r\n    if (typeof this.cleanupInterval.unref === 'function') {\r\n      this.cleanupInterval.unref();\r\n    }\r\n  }\r\n\r\n  async get(key: string): Promise<RateLimitEntry | null> {\r\n    const entry = this.store.get(key);\r\n    if (!entry) return null;\r\n    \r\n    // Check if expired\r\n    if (entry.resetTime < Date.now()) {\r\n      this.store.delete(key);\r\n      return null;\r\n    }\r\n    \r\n    return entry;\r\n  }\r\n\r\n  async set(key: string, entry: RateLimitEntry): Promise<void> {\r\n    this.store.set(key, entry);\r\n  }\r\n\r\n  async increment(key: string): Promise<number> {\r\n    const now = Date.now();\r\n    const entry = this.store.get(key);\r\n    \r\n    if (!entry || entry.resetTime < now) {\r\n      // Start new window\r\n      this.store.set(key, { count: 1, resetTime: now + this.windowMs });\r\n      return 1;\r\n    }\r\n    \r\n    entry.count++;\r\n    return entry.count;\r\n  }\r\n\r\n  async decrement(key: string): Promise<void> {\r\n    const entry = this.store.get(key);\r\n    if (entry && entry.count > 0) {\r\n      entry.count--;\r\n    }\r\n  }\r\n\r\n  async reset(key: string): Promise<void> {\r\n    this.store.delete(key);\r\n  }\r\n\r\n  async close(): Promise<void> {\r\n    if (this.cleanupInterval) {\r\n      clearInterval(this.cleanupInterval);\r\n      this.cleanupInterval = null;\r\n    }\r\n    this.store.clear();\r\n  }\r\n\r\n  /**\r\n   * Get current store size (for monitoring).\r\n   */\r\n  get size(): number {\r\n    return this.store.size;\r\n  }\r\n}\r\n","/**\r\n * @module @arcis/node/stores/redis\r\n * Redis rate limit store\r\n * \r\n * Note: This is a reference implementation. You'll need to install\r\n * the 'ioredis' or 'redis' package and pass your client instance.\r\n */\r\n\r\nimport type { RateLimitStore, RateLimitEntry } from '../core/types';\r\nimport { RATE_LIMIT } from '../core/constants';\r\n\r\n/** Generic Redis client interface (works with ioredis, redis, etc.) */\r\nexport interface RedisClientLike {\r\n  get(key: string): Promise<string | null>;\r\n  set(key: string, value: string, mode?: string, duration?: number): Promise<unknown>;\r\n  setex(key: string, seconds: number, value: string): Promise<unknown>;\r\n  expire(key: string, seconds: number): Promise<unknown>;\r\n  incr(key: string): Promise<number>;\r\n  decr(key: string): Promise<number>;\r\n  del(key: string): Promise<number>;\r\n  ttl(key: string): Promise<number>;\r\n  quit?(): Promise<unknown>;\r\n  disconnect?(): Promise<unknown>;\r\n}\r\n\r\nexport interface RedisStoreOptions {\r\n  /** Redis client instance */\r\n  client: RedisClientLike;\r\n  /** Key prefix. Default: 'arcis:rl:' */\r\n  prefix?: string;\r\n  /** Window size in milliseconds. Default: 60000 */\r\n  windowMs?: number;\r\n}\r\n\r\n/**\r\n * Redis rate limit store for distributed deployments.\r\n * \r\n * @example\r\n * import Redis from 'ioredis';\r\n * \r\n * const redis = new Redis();\r\n * const store = new RedisStore({ client: redis });\r\n * const limiter = createRateLimiter({ store });\r\n * \r\n * // Cleanup on shutdown\r\n * process.on('SIGTERM', async () => {\r\n *   await store.close();\r\n * });\r\n */\r\nexport class RedisStore implements RateLimitStore {\r\n  private client: RedisClientLike;\r\n  private prefix: string;\r\n  private windowMs: number;\r\n  private windowSec: number;\r\n\r\n  constructor(options: RedisStoreOptions) {\r\n    this.client = options.client;\r\n    this.prefix = options.prefix ?? 'arcis:rl:';\r\n    this.windowMs = options.windowMs ?? RATE_LIMIT.DEFAULT_WINDOW_MS;\r\n    this.windowSec = Math.ceil(this.windowMs / 1000);\r\n  }\r\n\r\n  private getKey(key: string): string {\r\n    return `${this.prefix}${key}`;\r\n  }\r\n\r\n  async get(key: string): Promise<RateLimitEntry | null> {\r\n    const redisKey = this.getKey(key);\r\n    \r\n    const [countStr, ttl] = await Promise.all([\r\n      this.client.get(redisKey),\r\n      this.client.ttl(redisKey),\r\n    ]);\r\n    \r\n    if (!countStr || ttl < 0) {\r\n      return null;\r\n    }\r\n    \r\n    const count = parseInt(countStr, 10);\r\n    if (isNaN(count)) {\r\n      // Corrupt value in Redis — treat as if key doesn't exist\r\n      return null;\r\n    }\r\n\r\n    return {\r\n      count,\r\n      resetTime: Date.now() + (ttl * 1000),\r\n    };\r\n  }\r\n\r\n  async set(key: string, entry: RateLimitEntry): Promise<void> {\r\n    const redisKey = this.getKey(key);\r\n    // Clamp to at least 1 second — Math.ceil can produce 0 or negative values\r\n    // when entry.resetTime is in the past due to Redis latency or clock skew.\r\n    const ttlSec = Math.max(1, Math.ceil((entry.resetTime - Date.now()) / 1000));\r\n    await this.client.setex(redisKey, ttlSec, entry.count.toString());\r\n  }\r\n\r\n  async increment(key: string): Promise<number> {\r\n    const redisKey = this.getKey(key);\r\n    \r\n    // INCR creates key with value 1 if it doesn't exist\r\n    const count = await this.client.incr(redisKey);\r\n\r\n    // Set expiry only on first increment using EXPIRE, which sets the TTL\r\n    // without overwriting the value (unlike SET ... EX which would reset the\r\n    // counter if two requests increment concurrently before expiry is set).\r\n    if (count === 1) {\r\n      await this.client.expire(redisKey, this.windowSec);\r\n    }\r\n\r\n    return count;\r\n  }\r\n\r\n  async decrement(key: string): Promise<void> {\r\n    const redisKey = this.getKey(key);\r\n    await this.client.decr(redisKey);\r\n  }\r\n\r\n  async reset(key: string): Promise<void> {\r\n    const redisKey = this.getKey(key);\r\n    await this.client.del(redisKey);\r\n  }\r\n\r\n  async close(): Promise<void> {\r\n    // Don't close the client - it may be shared\r\n    // The caller should manage the client lifecycle\r\n  }\r\n}\r\n\r\n/**\r\n * Create a Redis store with the given options.\r\n * Convenience function for functional programming style.\r\n * \r\n * @example\r\n * const store = createRedisStore({ client: redisClient });\r\n */\r\nexport function createRedisStore(options: RedisStoreOptions): RedisStore {\r\n  return new RedisStore(options);\r\n}\r\n"]}

package/dist/logging/index.d.mts

@@ -0,0 +1,38 @@
+import { L as LogOptions, S as SafeLogger } from '../types-BOdL3ZWo.mjs';
+import 'express';
+
+/**
+ * @module @arcis/node/logging/redactor
+ * Safe logging with PII/secret redaction
+ */
+
+/**
+ * Create a safe logger that redacts sensitive data and prevents log injection.
+ *
+ * @param options - Logger configuration
+ * @returns SafeLogger instance
+ *
+ * @example
+ * const logger = createSafeLogger();
+ * logger.info('User login', { email: 'user@test.com', password: 'secret' });
+ * // Logs: { "email": "user@test.com", "password": "[REDACTED]" }
+ *
+ * @example
+ * // With custom redact keys
+ * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });
+ */
+declare function createSafeLogger(options?: LogOptions): SafeLogger;
+/**
+ * Create a redactor function for custom use.
+ *
+ * @param sensitiveKeys - Keys to redact
+ * @returns Redactor function
+ */
+declare function createRedactor(sensitiveKeys?: string[]): (obj: unknown) => unknown;
+/**
+ * Alias for createSafeLogger
+ * @see createSafeLogger
+ */
+declare const safeLog: typeof createSafeLogger;
+
+export { createRedactor, createSafeLogger, safeLog };

package/dist/logging/index.d.ts

@@ -0,0 +1,38 @@
+import { L as LogOptions, S as SafeLogger } from '../types-BOdL3ZWo.js';
+import 'express';
+
+/**
+ * @module @arcis/node/logging/redactor
+ * Safe logging with PII/secret redaction
+ */
+
+/**
+ * Create a safe logger that redacts sensitive data and prevents log injection.
+ *
+ * @param options - Logger configuration
+ * @returns SafeLogger instance
+ *
+ * @example
+ * const logger = createSafeLogger();
+ * logger.info('User login', { email: 'user@test.com', password: 'secret' });
+ * // Logs: { "email": "user@test.com", "password": "[REDACTED]" }
+ *
+ * @example
+ * // With custom redact keys
+ * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });
+ */
+declare function createSafeLogger(options?: LogOptions): SafeLogger;
+/**
+ * Create a redactor function for custom use.
+ *
+ * @param sensitiveKeys - Keys to redact
+ * @returns Redactor function
+ */
+declare function createRedactor(sensitiveKeys?: string[]): (obj: unknown) => unknown;
+/**
+ * Alias for createSafeLogger
+ * @see createSafeLogger
+ */
+declare const safeLog: typeof createSafeLogger;
+
+export { createRedactor, createSafeLogger, safeLog };