@arcis/node 1.4.0 → 1.4.3

package/dist/middleware/index.mjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/core/constants.ts","../../src/middleware/headers.ts","../../src/middleware/rate-limit.ts","../../src/middleware/error-handler.ts","../../src/core/errors.ts","../../src/sanitizers/utils.ts","../../src/sanitizers/xss.ts","../../src/sanitizers/sql.ts","../../src/sanitizers/path.ts","../../src/sanitizers/command.ts","../../src/sanitizers/sanitize.ts","../../src/validation/schema.ts","../../src/validation/file.ts","../../src/logging/redactor.ts","../../src/middleware/main.ts","../../src/utils/duration.ts","../../src/middleware/rate-limit-sliding.ts","../../src/middleware/rate-limit-token.ts","../../src/middleware/cors.ts","../../src/middleware/cookies.ts","../../src/middleware/bot-detection.ts","../../src/middleware/csrf.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA;AAAA,EAEnB,gBAAA,EAAkB,GAAA;AAAA;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,GAAA;AAAA;AAAA,EAEnB,oBAAA,EAAsB,GAAA;AAAA;AAAA,EAEtB,mBAAA,EAAqB,GAAA;AAAA;AAAA,EAErB,eAAA,EAAiB,4CAKnB,CAAA;AAKO,IAAM,OAAA,GAAU;AAAA;AAAA,EAErB,WAAA,EAAa;AAAA,IACX,oBAAA;AAAA,IACA,mBAAA;AAAA,IACA,kCAAA;AAAA,IACA,6BAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF,CAAE,KAAK,IAAI,CAAA;AAAA;AAAA,EAEX,YAAA,EAAc,OAAA;AAAA;AAAA,EAEd,aAAA,EAAe,MAAA;AAAA;AAAA,EAEf,oBAAA,EAAsB,SAAA;AAAA;AAAA,EAEtB,eAAA,EAAiB,iCAAA;AAAA;AAAA,EAEjB,kBAAA,EAAoB,0CAAA;AAAA;AAAA,EAEpB,aAAA,EAAe;AACjB,CAAA;AAuCO,IAAM,mBAAA,GAAsB;AAAA;AAAA,EAEjC,mCAAA;AAAA;AAAA,EAEA,iBAAA;AAAA;AAAA,EAEA,mCAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EAEA,mCAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EAEA,eAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,uCAAA;AAAA;AAAA,EAEA,gCAAA;AAAA;AAAA,EAEA,kBAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,qFAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,wBAAA;AAAA;AAAA,EAEA,8CAAA;AAAA,EACA,oDAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,+CAAA;AAAA,EACA,qDAAA;AAAA;AAAA,EAEA,2BAAA;AAAA;AAAA,EAEA,oBAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,IAAM,aAAA,GAAgB;AAAA;AAAA,EAE3B,SAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,cAAA;AAAA,EACA,cAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU9B,SAAA;AAAA;AAAA,EAEA,OAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAiBO,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA,EAC1C,WAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA;AACF,CAAC,CAAA;AAGM,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA;AAAA,EAE1C,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,MAAA;AAAA;AAAA,EAEnD,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,MAAA;AAAA;AAAA,EAEvB,SAAA;AAAA,EAAW,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,MAAA;AAAA,EAAQ,OAAA;AAAA,EAAS,aAAA;AAAA;AAAA,EAElE,YAAA;AAAA,EAAc,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEtB,WAAA;AAAA,EAAa,cAAA;AAAA;AAAA,EAEb,SAAA;AAAA,EAAW,QAAA;AAAA,EAAU,UAAA;AAAA,EAAY,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,OAAA;AAAA,EAC9D,SAAA;AAAA,EAAW,YAAA;AAAA,EAAc;AAC3B,CAAC,CAAA;AAKM,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMxB,KAAA,EAAO,wDAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMP,GAAA,EAAK,+BAAA;AAAA;AAAA,EAEL,IAAA,EAAM;AACR,CAAA;AAKO,IAAM,MAAA,GAAS;AAAA;AAAA,EAEpB,qBAAA,EAAuB,uBAAA;AAAA,EAEuD;AAAA,EAE9E,UAAA,EAAY;AAAA,IACV,QAAA,EAAU,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,YAAA,CAAA;AAAA,IACrC,cAAc,CAAC,KAAA,EAAe,SAAiB,CAAA,EAAG,KAAK,cAAc,IAAI,CAAA,CAAA;AAAA,IACzE,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC5E,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,CAAA;AAAA,IAC1E,cAAA,EAAgB,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,kBAAA,CAAA;AAAA,IAC3C,aAAA,EAAe,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,sBAAA,CAAA;AAAA,IAC1C,WAAA,EAAa,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,oBAAA,CAAA;AAAA,IACxC,YAAA,EAAc,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,qBAAA,CAAA;AAAA,IACzC,YAAA,EAAc,CAAC,KAAA,EAAe,MAAA,KAAsB,CAAA,EAAG,KAAK,CAAA,iBAAA,EAAoB,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,IACjG,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,uBAAuB,GAAG,CAAA,MAAA,CAAA;AAAA,IAC7E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,sBAAsB,GAAG,CAAA,MAAA;AAAA;AAEhF,CAAA;;;AC/RO,SAAS,aAAA,CAAc,OAAA,GAAyB,EAAC,EAAmB;AACzE,EAAA,MAAM;AAAA,IACJ,qBAAA,GAAwB,IAAA;AAAA,IACxB,SAAA,GAAY,IAAA;AAAA,IACZ,OAAA,GAAU,IAAA;AAAA,IACV,eAAe,OAAA,CAAQ,aAAA;AAAA,IACvB,IAAA,GAAO,IAAA;AAAA,IACP,iBAAiB,OAAA,CAAQ,eAAA;AAAA,IACzB,oBAAoB,OAAA,CAAQ,kBAAA;AAAA,IAC5B,YAAA,GAAe,IAAA;AAAA,IACf,uBAAA,GAA0B,aAAA;AAAA,IAC1B,yBAAA,GAA4B,aAAA;AAAA,IAC5B,yBAAA,GAA4B,cAAA;AAAA,IAC5B,kBAAA,GAAqB,IAAA;AAAA,IACrB,kBAAA,GAAqB;AAAA,GACvB,GAAI,OAAA;AAEJ,EAAA,OAAO,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AAE1D,IAAA,IAAI,qBAAA,EAAuB;AACzB,MAAA,MAAM,GAAA,GAAM,OAAO,qBAAA,KAA0B,QAAA,GACzC,wBACA,OAAA,CAAQ,WAAA;AACZ,MAAA,GAAA,CAAI,SAAA,CAAU,2BAA2B,GAAG,CAAA;AAAA,IAC9C;AAIA,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,GAAA,CAAI,SAAA,CAAU,oBAAoB,GAAG,CAAA;AAAA,IACvC;AAGA,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,GAAA,CAAI,SAAA,CAAU,wBAAA,EAA0B,OAAA,CAAQ,oBAAoB,CAAA;AAAA,IACtE;AAGA,IAAA,IAAI,YAAA,EAAc;AAChB,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAmB,YAAY,CAAA;AAAA,IAC/C;AAOA,IAAA,MAAM,cAAA,GAAkB,GAAA,CAAI,OAAA,CAAQ,mBAAmB,CAAA,EACnD,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,CACb,IAAA,EAAK,CACL,WAAA,EAAY;AACf,IAAA,MAAM,qBAAA,GAAwB,cAAA,KAAmB,OAAA,IAAW,cAAA,KAAmB,SAC3E,cAAA,GACA,MAAA;AACJ,IAAA,MAAM,OAAA,GAAU,GAAA,CAAI,MAAA,IAAU,qBAAA,KAA0B,OAAA;AAExD,IAAA,IAAI,QAAQ,OAAA,EAAS;AACnB,MAAA,MAAM,QAAA,GAAwB,OAAO,IAAA,KAAS,QAAA,GAAW,OAAO,EAAC;AACjE,MAAA,MAAM,MAAA,GAAS,QAAA,CAAS,MAAA,IAAU,OAAA,CAAQ,YAAA;AAC1C,MAAA,MAAM,iBAAA,GAAoB,SAAS,iBAAA,KAAsB,KAAA;AACzD,MAAA,MAAM,OAAA,GAAU,SAAS,OAAA,KAAY,IAAA;AAErC,MAAA,IAAI,SAAA,GAAY,WAAW,MAAM,CAAA,CAAA;AACjC,MAAA,IAAI,mBAAmB,SAAA,IAAa,qBAAA;AACpC,MAAA,IAAI,SAAS,SAAA,IAAa,WAAA;AAE1B,MAAA,GAAA,CAAI,SAAA,CAAU,6BAA6B,SAAS,CAAA;AAAA,IACtD;AAGA,IAAA,IAAI,cAAA,EAAgB;AAClB,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAmB,cAAc,CAAA;AAAA,IACjD;AAGA,IAAA,IAAI,iBAAA,EAAmB;AACrB,MAAA,GAAA,CAAI,SAAA,CAAU,sBAAsB,iBAAiB,CAAA;AAAA,IACvD;AAGA,IAAA,IAAI,uBAAA,EAAyB;AAC3B,MAAA,GAAA,CAAI,SAAA,CAAU,8BAA8B,uBAAuB,CAAA;AAAA,IACrE;AAEA,IAAA,IAAI,yBAAA,EAA2B;AAC7B,MAAA,GAAA,CAAI,SAAA,CAAU,gCAAgC,yBAAyB,CAAA;AAAA,IACzE;AAEA,IAAA,IAAI,yBAAA,EAA2B;AAC7B,MAAA,GAAA,CAAI,SAAA,CAAU,gCAAgC,yBAAyB,CAAA;AAAA,IACzE;AAGA,IAAA,IAAI,kBAAA,EAAoB;AACtB,MAAA,GAAA,CAAI,SAAA,CAAU,wBAAwB,IAAI,CAAA;AAAA,IAC5C;AAGA,IAAA,IAAI,kBAAA,EAAoB;AACtB,MAAA,GAAA,CAAI,SAAA,CAAU,0BAA0B,KAAK,CAAA;AAAA,IAC/C;AAGA,IAAA,GAAA,CAAI,SAAA,CAAU,qCAAqC,MAAM,CAAA;AAGzD,IAAA,IAAI,YAAA,EAAc;AAChB,MAAA,MAAM,iBAAA,GAAoB,OAAO,YAAA,KAAiB,QAAA,GAC9C,eACA,OAAA,CAAQ,aAAA;AACZ,MAAA,GAAA,CAAI,SAAA,CAAU,iBAAiB,iBAAiB,CAAA;AAChD,MAAA,GAAA,CAAI,SAAA,CAAU,UAAU,UAAU,CAAA;AAClC,MAAA,GAAA,CAAI,SAAA,CAAU,WAAW,GAAG,CAAA;AAAA,IAC9B;AAGA,IAAA,GAAA,CAAI,aAAa,cAAc,CAAA;AAE/B,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAMO,IAAM,eAAA,GAAkB;;;ACnHxB,SAAS,iBAAA,CAAkB,OAAA,GAA4B,EAAC,EAA0B;AACvF,EAAA,MAAM;AAAA,IACJ,MAAM,UAAA,CAAW,oBAAA;AAAA,IACjB,WAAW,UAAA,CAAW,iBAAA;AAAA,IACtB,UAAU,UAAA,CAAW,eAAA;AAAA,IACrB,aAAa,UAAA,CAAW,mBAAA;AAAA,IACxB,YAAA,GAAe,CAAC,GAAA,KAAQ;AACtB,MAAA,MAAM,EAAA,GAAK,GAAA,CAAI,EAAA,IAAM,GAAA,CAAI,MAAA,EAAQ,aAAA;AACjC,MAAA,IAAI,CAAC,EAAA,EAAI;AACP,QAAA,OAAA,CAAQ,IAAA;AAAA,UACN;AAAA,SAEF;AACA,QAAA,OAAO,SAAA;AAAA,MACT;AACA,MAAA,OAAO,EAAA;AAAA,IACT,CAAA;AAAA,IACA,IAAA;AAAA,IACA,KAAA,EAAO;AAAA,GACT,GAAI,OAAA;AAIJ,EAAA,MAAM,aAAA,mBAAgB,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA;AAGxC,EAAA,IAAI,eAAA,GAAyD,IAAA;AAE7D,EAAA,IAAI,CAAC,aAAA,EAAe;AAClB,IAAA,eAAA,GAAkB,YAAY,MAAM;AAClC,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,aAAa,CAAA,EAAG;AAC5C,QAAA,IAAI,aAAA,CAAc,GAAG,CAAA,CAAE,SAAA,GAAY,GAAA,EAAK;AACtC,UAAA,OAAO,cAAc,GAAG,CAAA;AAAA,QAC1B;AAAA,MACF;AAAA,IACF,GAAG,QAAQ,CAAA;AAGX,IAAA,IAAI,OAAO,eAAA,CAAgB,KAAA,KAAU,UAAA,EAAY;AAC/C,MAAA,eAAA,CAAgB,KAAA,EAAM;AAAA,IACxB;AAAA,EACF;AAEA,EAAA,MAAM,OAAA,GAA0B,OAAO,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AACzF,IAAA,IAAI;AACF,MAAA,IAAI,IAAA,GAAO,GAAG,CAAA,EAAG;AACf,QAAA,OAAO,IAAA,EAAK;AAAA,MACd;AAEA,MAAA,MAAM,GAAA,GAAM,aAAa,GAAG,CAAA;AAC5B,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,MAAA,IAAI,KAAA;AACJ,MAAA,IAAI,SAAA;AAEJ,MAAA,IAAI,aAAA,EAAe;AAEjB,QAAA,MAAM,KAAA,GAAQ,MAAM,aAAA,CAAc,GAAA,CAAI,GAAG,CAAA;AACzC,QAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,SAAA,GAAY,GAAA,EAAK;AACnC,UAAA,MAAM,aAAA,CAAc,IAAI,GAAA,EAAK,EAAE,OAAO,CAAA,EAAG,SAAA,EAAW,GAAA,GAAM,QAAA,EAAU,CAAA;AACpE,UAAA,KAAA,GAAQ,CAAA;AACR,UAAA,SAAA,GAAY,GAAA,GAAM,QAAA;AAAA,QACpB,CAAA,MAAO;AACL,UAAA,KAAA,GAAQ,MAAM,aAAA,CAAc,SAAA,CAAU,GAAG,CAAA;AACzC,UAAA,SAAA,GAAY,KAAA,CAAM,SAAA;AAAA,QACpB;AAAA,MACF,CAAA,MAAO;AAEL,QAAA,IAAI,CAAC,cAAc,GAAG,CAAA,IAAK,cAAc,GAAG,CAAA,CAAE,YAAY,GAAA,EAAK;AAC7D,UAAA,aAAA,CAAc,GAAG,CAAA,GAAI,EAAE,OAAO,CAAA,EAAG,SAAA,EAAW,MAAM,QAAA,EAAS;AAAA,QAC7D,CAAA,MAAO;AACL,UAAA,aAAA,CAAc,GAAG,CAAA,CAAE,KAAA,EAAA;AAAA,QACrB;AACA,QAAA,KAAA,GAAQ,aAAA,CAAc,GAAG,CAAA,CAAE,KAAA;AAC3B,QAAA,SAAA,GAAY,aAAA,CAAc,GAAG,CAAA,CAAE,SAAA;AAAA,MACjC;AAEA,MAAA,MAAM,SAAA,GAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,MAAM,KAAK,CAAA;AACzC,MAAA,MAAM,YAAA,GAAe,IAAA,CAAK,IAAA,CAAA,CAAM,SAAA,GAAY,OAAO,GAAI,CAAA;AAGvD,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,GAAA,CAAI,QAAA,EAAU,CAAA;AACjD,MAAA,GAAA,CAAI,SAAA,CAAU,uBAAA,EAAyB,SAAA,CAAU,QAAA,EAAU,CAAA;AAC3D,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,YAAA,CAAa,QAAA,EAAU,CAAA;AAE1D,MAAA,IAAI,QAAQ,GAAA,EAAK;AACf,QAAA,GAAA,CAAI,SAAA,CAAU,aAAA,EAAe,YAAA,CAAa,QAAA,EAAU,CAAA;AACpD,QAAA,GAAA,CAAI,MAAA,CAAO,UAAU,CAAA,CAAE,IAAA,CAAK;AAAA,UAC1B,KAAA,EAAO,OAAA;AAAA,UACP,UAAA,EAAY;AAAA,SACb,CAAA;AACD,QAAA;AAAA,MACF;AAEA,MAAA,IAAA,EAAK;AAAA,IACP,SAAS,KAAA,EAAO;AAEd,MAAA,OAAA,CAAQ,KAAA,CAAM,+BAA+B,KAAK,CAAA;AAClD,MAAA,IAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAA;AAGA,EAAA,MAAM,UAAA,GAAa,OAAA;AACnB,EAAA,UAAA,CAAW,QAAQ,MAAM;AACvB,IAAA,IAAI,eAAA,EAAiB;AACnB,MAAA,aAAA,CAAc,eAAe,CAAA;AAC7B,MAAA,eAAA,GAAkB,IAAA;AAAA,IACpB;AAAA,EACF,CAAA;AAEA,EAAA,OAAO,UAAA;AACT;AAMO,IAAM,SAAA,GAAY;;;AC9IzB,IAAM,wBAAA,GAAqC;AAAA;AAAA,EAEzC,qEAAA;AAAA,EACA,2DAAA;AAAA,EACA,+CAAA;AAAA,EACA,qDAAA;AAAA,EACA,4CAAA;AAAA;AAAA,EAEA,yEAAA;AAAA;AAAA,EAEA,0DAAA;AAAA;AAAA,EAEA,oEAAA;AAAA;AAAA,EAEA,oCAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,SAAS,sBAAsB,OAAA,EAA0B;AAC9D,EAAA,OAAO,yBAAyB,IAAA,CAAK,CAAA,OAAA,KAAW,OAAA,CAAQ,IAAA,CAAK,OAAO,CAAC,CAAA;AACvE;AA4BO,SAAS,YAAA,CACd,UAAyC,KAAA,EAC8B;AACvE,EAAA,MAAM,QAAQ,OAAO,OAAA,KAAY,SAAA,GAAY,OAAA,GAAU,QAAQ,KAAA,IAAS,KAAA;AACxE,EAAA,MAAM,YAAY,OAAO,OAAA,KAAY,QAAA,GAAW,OAAA,CAAQ,aAAa,IAAA,GAAO,IAAA;AAC5E,EAAA,MAAM,MAAA,GAAS,OAAO,OAAA,KAAY,QAAA,GAAW,QAAQ,MAAA,GAAS,MAAA;AAC9D,EAAA,MAAM,aAAA,GAAgB,OAAO,OAAA,KAAY,QAAA,GAAW,QAAQ,aAAA,GAAgB,MAAA;AAE5E,EAAA,OAAO,CAAC,GAAA,EAAgB,GAAA,EAAc,GAAA,EAAe,KAAA,KAAwB;AAC3E,IAAA,MAAM,UAAA,GAAa,GAAA,CAAI,UAAA,IAAc,GAAA,CAAI,MAAA,IAAU,GAAA;AAGnD,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,OAAO,aAAA,CAAc,GAAA,EAAK,GAAA,EAAK,GAAG,CAAA;AAAA,IACpC;AAGA,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,MAAM,OAAA,GAAU;AAAA,QACd,OAAO,GAAA,CAAI,OAAA;AAAA,QACX,OAAO,GAAA,CAAI,KAAA;AAAA,QACX,UAAA;AAAA,QACA,MAAM,GAAA,CAAI,IAAA;AAAA,QACV,QAAQ,GAAA,CAAI;AAAA,OACd;AAEA,MAAA,IAAI,MAAA,EAAQ;AACV,QAAA,MAAA,CAAO,KAAA,CAAM,iBAAiB,OAAO,CAAA;AAAA,MACvC,CAAA,MAAO;AACL,QAAA,OAAA,CAAQ,KAAA,CAAM,0BAA0B,OAAO,CAAA;AAAA,MACjD;AAAA,IACF;AAMA,IAAA,MAAM,aAAA,GAAgB,KAAA,IAAS,GAAA,CAAI,MAAA,KAAW,IAAA;AAE9C,IAAA,IAAI,aAAA;AACJ,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,aAAA,GAAgB,MAAA,CAAO,qBAAA;AAAA,IACzB,CAAA,MAAA,IAAW,qBAAA,CAAsB,GAAA,CAAI,OAAO,CAAA,EAAG;AAE7C,MAAA,aAAA,GAAgB,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,MAAA,CAAO,qBAAA;AAAA,IAC/C,CAAA,MAAO;AACL,MAAA,aAAA,GAAgB,GAAA,CAAI,OAAA;AAAA,IACtB;AAEA,IAAA,MAAM,QAAA,GAAoC;AAAA,MACxC,KAAA,EAAO;AAAA,KACT;AAGA,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,QAAA,CAAS,QAAQ,GAAA,CAAI,KAAA;AACrB,MAAA,QAAA,CAAS,UAAU,GAAA,CAAI,OAAA;AAAA,IACzB;AAEA,IAAA,GAAA,CAAI,MAAA,CAAO,UAAU,CAAA,CAAE,IAAA,CAAK,QAAQ,CAAA;AAAA,EACtC,CAAA;AACF;AAMO,IAAM,kBAAA,GAAqB;;;AC5H3B,IAAM,UAAA,GAAN,cAAyB,KAAA,CAAM;AAAA,EAMpC,WAAA,CAAY,OAAA,EAAiB,UAAA,GAAa,GAAA,EAAK,OAAO,aAAA,EAAe;AACnE,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,YAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAGZ,IAAA,IAAA,CAAK,SAAS,UAAA,GAAa,GAAA;AAG3B,IAAA,IAAI,MAAM,iBAAA,EAAmB;AAC3B,MAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAAA,IAChD;AAAA,EACF;AACF,CAAA;AAkCO,IAAM,kBAAA,GAAN,cAAiC,UAAA,CAAW;AAAA,EAIjD,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA,EAAU,GAAA,EAAK,iBAAiB,CAAA;AAC9E,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF,CAAA;AAKO,IAAM,mBAAA,GAAN,cAAkC,UAAA,CAAW;AAAA,EAIlD,WAAA,CAAY,YAAoB,OAAA,EAAiB;AAC/C,IAAA,KAAA,CAAM,sCAAA,EAAwC,KAAK,iBAAiB,CAAA;AACpE,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF,CAAA;;;AC5EO,SAAS,mBAAmB,GAAA,EAAqB;AACtD,EAAA,OAAO,IACJ,OAAA,CAAQ,IAAA,EAAM,OAAO,CAAA,CACrB,OAAA,CAAQ,MAAM,MAAM,CAAA,CACpB,QAAQ,IAAA,EAAM,MAAM,EACpB,OAAA,CAAQ,IAAA,EAAM,QAAQ,CAAA,CACtB,OAAA,CAAQ,MAAM,QAAQ,CAAA;AAC3B;;;ACYO,SAAS,WAAA,CAAY,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAO,aAAa,KAAA,EAAgC;AAC9G,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAInB,EAAA,KAAA,MAAW,WAAW,mBAAA,EAAqB;AACzC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,KAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAEA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,EAAE,CAAA;AACjC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAMA,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,MAAM,OAAA,GAAU,mBAAmB,KAAK,CAAA;AACxC,IAAA,IAAI,YAAY,KAAA,EAAO;AACrB,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AACA,IAAA,KAAA,GAAQ,OAAA;AAAA,EACV;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;;;AC7DO,SAAS,WAAA,CAAY,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAC1F,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,KAAA,MAAW,WAAW,YAAA,EAAc;AAElC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,eAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAIA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,GAAG,CAAA;AAClC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AASO,SAAS,UAAU,KAAA,EAAwB;AAChD,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAEtC,EAAA,KAAA,MAAW,WAAW,YAAA,EAAc;AAClC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;AC/DO,SAAS,YAAA,CAAa,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAC3F,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,KAAA,MAAW,WAAW,aAAA,EAAe;AAEnC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,gBAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAEA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,EAAE,CAAA;AACjC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;;;ACzCO,SAAS,eAAA,CAAgB,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAC9F,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,KAAA,MAAW,WAAW,gBAAA,EAAkB;AAEtC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,mBAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAEA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,GAAG,CAAA;AAClC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AASO,SAAS,uBAAuB,KAAA,EAAwB;AAC7D,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAEtC,EAAA,KAAA,MAAW,WAAW,gBAAA,EAAkB;AACtC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;ACjDO,SAAS,cAAA,CAAe,KAAA,EAAe,OAAA,GAA2B,EAAC,EAAW;AACnF,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAGtC,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,OAAA,IAAW,KAAA,CAAM,gBAAA;AACzC,EAAA,IAAI,KAAA,CAAM,SAAS,OAAA,EAAS;AAC1B,IAAA,MAAM,IAAI,kBAAA,CAAmB,OAAA,EAAS,KAAA,CAAM,MAAM,CAAA;AAAA,EACpD;AAEA,EAAA,MAAM,MAAA,GAAS,QAAQ,IAAA,KAAS,UAAA;AAChC,EAAA,IAAI,MAAA,GAAS,KAAA;AAGb,EAAA,IAAI,OAAA,CAAQ,QAAQ,KAAA,EAAO;AACzB,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAI,SAAA,CAAU,MAAM,CAAA,EAAG;AACrB,QAAA,MAAM,IAAI,mBAAA,CAAoB,eAAA,EAAiB,+BAA+B,CAAA;AAAA,MAChF;AAAA,IACF,CAAA,MAAO;AACL,MAAA,MAAA,GAAS,YAAY,MAAM,CAAA;AAAA,IAC7B;AAAA,EACF;AAGA,EAAA,IAAI,OAAA,CAAQ,SAAS,KAAA,EAAO;AAC1B,IAAA,MAAA,GAAS,aAAa,MAAM,CAAA;AAAA,EAC9B;AAGA,EAAA,IAAI,OAAA,CAAQ,YAAY,KAAA,EAAO;AAC7B,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAI,sBAAA,CAAuB,MAAM,CAAA,EAAG;AAClC,QAAA,MAAM,IAAI,mBAAA,CAAoB,mBAAA,EAAqB,uCAAuC,CAAA;AAAA,MAC5F;AAAA,IACF,CAAA,MAAO;AACL,MAAA,MAAA,GAAS,gBAAgB,MAAM,CAAA;AAAA,IACjC;AAAA,EACF;AAIA,EAAA,IAAI,OAAA,CAAQ,QAAQ,KAAA,EAAO;AACzB,IAAA,MAAA,GAAS,WAAA,CAAY,MAAA,EAAQ,KAAA,EAAO,OAAA,CAAQ,cAAc,KAAK,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,MAAA;AACT;AAUO,SAAS,cAAA,CAAe,GAAA,EAAc,OAAA,GAA2B,EAAC,EAAY;AACnF,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,cAAA,CAAe,KAAK,OAAO,CAAA;AAC/D,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AACpC,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG,OAAO,GAAA,CAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,cAAA,CAAe,IAAA,EAAM,OAAO,CAAC,CAAA;AAE5E,EAAA,MAAM,MAAA,GAAS,mBAAA,CAAoB,GAAA,EAAgC,OAAA,EAAS,CAAC,CAAA;AAC7E,EAAA,OAAO,OAAA,CAAQ,MAAA,GAAS,MAAA,CAAO,MAAA,CAAO,MAAM,CAAA,GAAI,MAAA;AAClD;AAKA,SAAS,mBAAA,CACP,GAAA,EACA,OAAA,EACA,KAAA,EACyB;AACzB,EAAA,IAAI,KAAA,IAAS,KAAA,CAAM,mBAAA,EAAqB,OAAO,GAAA;AAE/C,EAAA,MAAM,SAAkC,EAAC;AAEzC,EAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA,EAAG;AAElC,IAAA,IAAI,OAAA,CAAQ,UAAU,KAAA,IAAS,oBAAA,CAAqB,IAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAC1E,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,QAAQ,KAAA,KAAU,KAAA,IAAS,oBAAA,CAAqB,GAAA,CAAI,GAAG,CAAA,EAAG;AAC5D,MAAA;AAAA,IACF;AAIA,IAAA,MAAM,YAAA,GAAe,cAAA,CAAe,GAAA,EAAK,OAAO,CAAA;AAGhD,IAAA,MAAM,KAAA,GAAQ,IAAI,GAAG,CAAA;AACrB,IAAA,IAAI,KAAA,KAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,EAAW;AACzC,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,KAAA;AAAA,IACzB,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,EAAU;AACpC,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,cAAA,CAAe,KAAA,EAAO,OAAO,CAAA;AAAA,IACtD,CAAA,MAAA,IAAW,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AAC/B,MAAA,MAAA,CAAO,YAAY,IAAI,KAAA,CAAM,GAAA,CAAI,UAAQ,cAAA,CAAe,IAAA,EAAM,OAAO,CAAC,CAAA;AAAA,IACxE,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,EAAU;AACpC,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,mBAAA,CAAoB,KAAA,EAAkC,OAAA,EAAS,QAAQ,CAAC,CAAA;AAAA,IACjG,CAAA,MAAO;AACL,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,KAAA;AAAA,IACzB;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAeO,SAAS,eAAA,CAAgB,OAAA,GAA2B,EAAC,EAAmB;AAC7E,EAAA,OAAO,CAAC,GAAA,EAAc,IAAA,EAAgB,IAAA,KAAuB;AAC3D,IAAA,IAAI;AACF,MAAA,IAAI,GAAA,CAAI,IAAA,IAAQ,OAAO,GAAA,CAAI,SAAS,QAAA,EAAU;AAC5C,QAAA,GAAA,CAAI,IAAA,GAAO,cAAA,CAAe,GAAA,CAAI,IAAA,EAAM,OAAO,CAAA;AAAA,MAC7C;AACA,MAAA,IAAI,GAAA,CAAI,KAAA,IAAS,OAAO,GAAA,CAAI,UAAU,QAAA,EAAU;AAC9C,QAAA,MAAM,cAAA,GAAiB,cAAA,CAAe,GAAA,CAAI,KAAA,EAAO,OAAO,CAAA;AAExD,QAAA,MAAA,CAAO,cAAA,CAAe,GAAA,EAAK,OAAA,EAAS,EAAE,KAAA,EAAO,gBAAgB,QAAA,EAAU,IAAA,EAAM,YAAA,EAAc,IAAA,EAAM,CAAA;AAAA,MACnG;AACA,MAAA,IAAI,GAAA,CAAI,MAAA,IAAU,OAAO,GAAA,CAAI,WAAW,QAAA,EAAU;AAChD,QAAA,MAAM,eAAA,GAAkB,cAAA,CAAe,GAAA,CAAI,MAAA,EAAQ,OAAO,CAAA;AAC1D,QAAA,MAAA,CAAO,cAAA,CAAe,GAAA,EAAK,QAAA,EAAU,EAAE,KAAA,EAAO,iBAAiB,QAAA,EAAU,IAAA,EAAM,YAAA,EAAc,IAAA,EAAM,CAAA;AAAA,MACrG;AACA,MAAA,IAAA,EAAK;AAAA,IACP,SAAS,GAAA,EAAK;AACZ,MAAA,IAAA,CAAK,GAAG,CAAA;AAAA,IACV;AAAA,EACF,CAAA;AACF;;;ACjJO,SAAS,QAAA,CACd,MAAA,EACA,MAAA,GAAsC,MAAA,EACtB;AAChB,EAAA,OAAO,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AAC1D,IAAA,MAAM,IAAA,GAAO,GAAA,CAAI,MAAM,CAAA,IAAK,EAAC;AAC7B,IAAA,MAAM,SAAmB,EAAC;AAC1B,IAAA,MAAM,YAAqC,EAAC;AAE5C,IAAA,KAAA,MAAW,CAAC,KAAA,EAAO,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,MAAM,CAAA,EAAG;AACnD,MAAA,MAAM,KAAA,GAAQ,KAAK,KAAK,CAAA;AACxB,MAAA,MAAM,MAAA,GAAS,aAAA,CAAc,KAAA,EAAO,KAAA,EAAO,KAAK,CAAA;AAEhD,MAAA,IAAI,MAAA,CAAO,MAAA,CAAO,MAAA,GAAS,CAAA,EAAG;AAC5B,QAAA,MAAA,CAAO,IAAA,CAAK,GAAG,MAAA,CAAO,MAAM,CAAA;AAAA,MAC9B,CAAA,MAAA,IAAW,MAAA,CAAO,KAAA,KAAU,MAAA,EAAW;AACrC,QAAA,SAAA,CAAU,KAAK,IAAI,MAAA,CAAO,KAAA;AAAA,MAC5B;AAAA,IACF;AAEA,IAAA,IAAI,MAAA,CAAO,SAAS,CAAA,EAAG;AACrB,MAAA,GAAA,CAAI,OAAO,GAAG,CAAA,CAAE,IAAA,CAAK,EAAE,QAAQ,CAAA;AAC/B,MAAA;AAAA,IACF;AAGA,IAAA,GAAA,CAAI,MAAM,CAAA,GAAI,SAAA;AACd,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAKA,SAAS,aAAA,CACP,KAAA,EACA,KAAA,EACA,KAAA,EACuC;AACvC,EAAA,MAAM,SAAmB,EAAC;AAG1B,EAAA,IAAI,MAAM,QAAA,KAAa,KAAA,KAAU,UAAa,KAAA,KAAU,IAAA,IAAQ,UAAU,EAAA,CAAA,EAAK;AAC7E,IAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,QAAA,CAAS,KAAK,CAAC,CAAA;AAC7C,IAAA,OAAO,EAAE,MAAA,EAAO;AAAA,EAClB;AAGA,EAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,IAAA,EAAM;AACzC,IAAA,OAAO,EAAE,MAAA,EAAQ,EAAC,EAAE;AAAA,EACtB;AAEA,EAAA,IAAI,UAAA,GAAsB,KAAA;AAC1B,EAAA,IAAI,OAAA,GAAU,IAAA;AAGd,EAAA,QAAQ,MAAM,IAAA;AAAM,IAClB,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,QAAQ,CAAC,CAAA;AAC3D,QAAA,OAAA,GAAU,KAAA;AACV,QAAA;AAAA,MACF;AACA,MAAA,IAAI,MAAM,GAAA,KAAQ,MAAA,IAAa,KAAA,CAAM,MAAA,GAAS,MAAM,GAAA,EAAK;AACvD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,WAAW,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AAC1D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,MAAM,GAAA,KAAQ,MAAA,IAAa,KAAA,CAAM,MAAA,GAAS,MAAM,GAAA,EAAK;AACvD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,WAAW,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AAC1D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,MAAM,OAAA,IAAW,CAAC,MAAM,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AAC/C,QAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,cAAA,CAAe,KAAK,CAAC,CAAA;AACnD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AAIA,MAAA,IAAI,OAAA,IAAW,MAAM,IAAA,IAAQ,CAAC,MAAM,IAAA,CAAK,QAAA,CAAS,KAAK,CAAA,EAAG;AACxD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,aAAa,KAAA,EAAO,KAAA,CAAM,IAAI,CAAC,CAAA;AAC7D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,OAAA,IAAW,KAAA,CAAM,QAAA,KAAa,KAAA,EAAO;AACvC,QAAA,UAAA,GAAa,eAAe,KAAK,CAAA;AAAA,MACnC;AACA,MAAA;AAAA,IAEF,KAAK,QAAA;AACH,MAAA,UAAA,GAAa,OAAO,KAAK,CAAA;AACzB,MAAA,IAAI,KAAA,CAAM,UAAoB,CAAA,EAAG;AAC/B,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,QAAQ,CAAC,CAAA;AAC3D,QAAA,OAAA,GAAU,KAAA;AACV,QAAA;AAAA,MACF;AACA,MAAA,IAAI,KAAA,CAAM,GAAA,KAAQ,MAAA,IAAc,UAAA,GAAwB,MAAM,GAAA,EAAK;AACjE,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,UAAU,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AACzD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,KAAA,CAAM,GAAA,KAAQ,MAAA,IAAc,UAAA,GAAwB,MAAM,GAAA,EAAK;AACjE,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,UAAU,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AACzD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA,IAEF,KAAK,SAAA;AACH,MAAA,IAAI,UAAU,MAAA,IAAU,KAAA,KAAU,QAAQ,KAAA,KAAU,CAAA,IAAK,UAAU,GAAA,EAAK;AACtE,QAAA,UAAA,GAAa,IAAA;AAAA,MACf,CAAA,MAAA,IAAW,UAAU,OAAA,IAAW,KAAA,KAAU,SAAS,KAAA,KAAU,CAAA,IAAK,UAAU,GAAA,EAAK;AAC/E,QAAA,UAAA,GAAa,KAAA;AAAA,MACf,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,SAAS,CAAC,CAAA;AAC5D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA,IAEF,KAAK,OAAA;AACH,MAAA,IAAI,CAAC,UAAA,CAAW,KAAA,CAAM,KAAK,MAAA,CAAO,KAAK,CAAC,CAAA,EAAG;AACzC,QAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,aAAA,CAAc,KAAK,CAAC,CAAA;AAClD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,UAAA,GAAa,eAAe,MAAA,CAAO,KAAK,EAAE,WAAA,EAAY,CAAE,MAAM,CAAA;AAAA,MAChE;AACA,MAAA;AAAA,IAEF,KAAK,KAAA;AACH,MAAA,IAAI,CAAC,UAAA,CAAW,GAAA,CAAI,KAAK,MAAA,CAAO,KAAK,CAAC,CAAA,EAAG;AACvC,QAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,WAAA,CAAY,KAAK,CAAC,CAAA;AAChD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,UAAA,GAAa,cAAA,CAAe,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,MAC3C;AACA,MAAA;AAAA,IAEF,KAAK,MAAA;AACH,MAAA,IAAI,CAAC,UAAA,CAAW,IAAA,CAAK,KAAK,MAAA,CAAO,KAAK,CAAC,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAK,CAAC,CAAA;AACjD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA,IAEF,KAAK,OAAA;AACH,MAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACzB,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,OAAO,CAAC,CAAA;AAC1D,QAAA,OAAA,GAAU,KAAA;AACV,QAAA;AAAA,MACF;AACA,MAAA,IAAI,MAAM,GAAA,KAAQ,MAAA,IAAa,KAAA,CAAM,MAAA,GAAS,MAAM,GAAA,EAAK;AACvD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,UAAU,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AACzD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,MAAM,GAAA,KAAQ,MAAA,IAAa,KAAA,CAAM,MAAA,GAAS,MAAM,GAAA,EAAK;AACvD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,UAAU,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AACzD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA,IAEF,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,UAAU,QAAA,IAAY,KAAA,CAAM,QAAQ,KAAK,CAAA,IAAK,UAAU,IAAA,EAAM;AACvE,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,QAAQ,CAAC,CAAA;AAC3D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA;AAIJ,EAAA,IAAI,OAAA,IAAW,KAAA,CAAM,IAAA,IAAQ,KAAA,CAAM,IAAA,KAAS,QAAA,IAAY,CAAC,KAAA,CAAM,IAAA,CAAK,QAAA,CAAS,UAAU,CAAA,EAAG;AACxF,IAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,aAAa,KAAA,EAAO,KAAA,CAAM,IAAI,CAAC,CAAA;AAC7D,IAAA,OAAA,GAAU,KAAA;AAAA,EACZ;AAGA,EAAA,IAAI,OAAA,IAAW,MAAM,MAAA,EAAQ;AAC3B,IAAA,MAAM,YAAA,GAAe,KAAA,CAAM,MAAA,CAAO,UAAU,CAAA;AAC5C,IAAA,IAAI,iBAAiB,MAAA,EAAW;AAC9B,MAAA,MAAM,IAAI,SAAA;AAAA,QACR,+BAA+B,KAAK,CAAA,oFAAA;AAAA,OAEtC;AAAA,IACF;AACA,IAAA,IAAI,iBAAiB,IAAA,EAAM;AACzB,MAAA,MAAA,CAAO,IAAA,CAAK,OAAO,YAAA,KAAiB,QAAA,IAAY,YAAA,CAAa,SAAS,CAAA,GAAI,YAAA,GAAe,CAAA,EAAG,KAAK,CAAA,WAAA,CAAa,CAAA;AAC9G,MAAA,OAAA,GAAU,KAAA;AAAA,IACZ;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,UAAU,UAAA,GAAa,MAAA;AAAA,IAC9B;AAAA,GACF;AACF;;;CCvN8C;AAAA;AAAA,EAE5C,YAAA,EAAc,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,GAAA,EAAM,GAAA,EAAM,GAAI,CAAC,CAAC,CAAA;AAAA,EAC9C,WAAA,EAAa,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,KAAM,EAAA,EAAM,EAAA,EAAM,EAAI,CAAC,CAAC,CAAA;AAAA,EACnD,WAAA,EAAa,CAAC,MAAA,CAAO,IAAA,CAAK,QAAQ,CAAA,EAAG,MAAA,CAAO,IAAA,CAAK,QAAQ,CAAC,CAAA;AAAA,EAC1D,YAAA,EAAc,CAAC,MAAA,CAAO,IAAA,CAAK,MAAM,CAAC,CAAA;AAAA;AAAA,EAClC,WAAA,EAAa,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,EAAA,EAAM,EAAI,CAAC,CAAC,CAAA;AAAA,EACrB;AAAA;AAAA,EAGlB,iBAAA,EAAmB,CAAC,MAAA,CAAO,IAAA,CAAK,MAAM,CAAC,CAAA;AAAA,EACvC,iBAAA,EAAmB,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,IAAM,EAAA,EAAM,CAAA,EAAM,CAAI,CAAC,CAAC,CAAA;AAAA;AAAA,EAGzD,YAAA,EAAc,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,GAAA,EAAM,GAAI,CAAC,CAAA,EAAG,MAAA,CAAO,IAAA,CAAK,CAAC,GAAA,EAAM,GAAI,CAAC,CAAA,EAAG,MAAA,CAAO,IAAA,CAAK,CAAC,EAAA,EAAM,EAAA,EAAM,EAAI,CAAC,CAAC,CAEtG;;;ACjBA,IAAM,UAAA,GAAqC;AAAA,EACzC,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO,CAAA;AAAA,EACP,MAAA,EAAQ;AACV,CAAA;AAiBO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB,EAAC;AAAA,IAClB,OAAO,QAAA,GAAW;AAAA,GACpB,GAAI,OAAA;AAEJ,EAAA,MAAM,WAAA,GAAc,UAAA,CAAW,QAAQ,CAAA,IAAK,CAAA;AAG5C,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AAEjE,IAAA,MAAM,QAAA,GAAW,UAAA,CAAW,KAAK,CAAA,IAAK,CAAA;AACtC,IAAA,IAAI,WAAW,WAAA,EAAa;AAE5B,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;;;AC7EO,SAAS,KAAA,CAAM,OAAA,GAAwB,EAAC,EAAyB;AACtE,EAAA,MAAM,cAAgC,EAAC;AACvC,EAAA,MAAM,aAA6B,EAAC;AAGpC,EAAA,IAAI,OAAA,CAAQ,YAAY,KAAA,EAAO;AAC7B,IAAA,MAAM,aAA4B,OAAO,OAAA,CAAQ,YAAY,QAAA,GACzD,OAAA,CAAQ,UACR,EAAC;AACL,IAAA,WAAA,CAAY,IAAA,CAAK,aAAA,CAAc,UAAU,CAAC,CAAA;AAAA,EAC5C;AAGA,EAAA,IAAI,OAAA,CAAQ,cAAc,KAAA,EAAO;AAC/B,IAAA,MAAM,gBAAkC,OAAO,OAAA,CAAQ,cAAc,QAAA,GACjE,OAAA,CAAQ,YACR,EAAC;AACL,IAAA,MAAM,WAAA,GAAc,kBAAkB,aAAa,CAAA;AACnD,IAAA,WAAA,CAAY,KAAK,WAAW,CAAA;AAC5B,IAAA,UAAA,CAAW,IAAA,CAAK,MAAM,WAAA,CAAY,KAAA,EAAO,CAAA;AAAA,EAC3C;AAGA,EAAA,IAAI,OAAA,CAAQ,aAAa,KAAA,EAAO;AAC9B,IAAA,MAAM,eAAgC,OAAO,OAAA,CAAQ,aAAa,QAAA,GAC9D,OAAA,CAAQ,WACR,EAAC;AACL,IAAA,WAAA,CAAY,IAAA,CAAK,eAAA,CAAgB,YAAY,CAAC,CAAA;AAAA,EAChD;AAGA,EAAA,MAAM,MAAA,GAAS,WAAA;AACf,EAAA,MAAA,CAAO,QAAQ,MAAM;AACnB,IAAA,KAAA,MAAW,MAAM,UAAA,EAAY;AAC3B,MAAA,EAAA,EAAG;AAAA,IACL;AAAA,EACF,CAAA;AAEA,EAAA,OAAO,MAAA;AACT;AAGA,IAAM,gBAAA,GAAmB;AACzB,gBAAA,CAAiB,QAAA,GAAW,eAAA;AAC5B,gBAAA,CAAiB,SAAA,GAAY,iBAAA;AAC7B,gBAAA,CAAiB,OAAA,GAAU,aAAA;AAC3B,gBAAA,CAAiB,QAAA,GAAW,QAAA;AAC5B,gBAAA,CAAiB,MAAA,GAAS,gBAAA;AAC1B,gBAAA,CAAiB,YAAA,GAAe,kBAAA;AAGhC,IAAO,YAAA,GAAQ;;;ACxFf,IAAM,eAAA,GAAkB,UAAA;AAExB,IAAM,cAAA,GAAiB,mCAAA;AAEvB,IAAM,UAAA,GAAqC;AAAA,EACzC,EAAA,EAAI,CAAA;AAAA,EACJ,CAAA,EAAG,GAAA;AAAA,EACH,CAAA,EAAG,GAAA;AAAA,EACH,CAAA,EAAG,IAAA;AAAA,EACH,CAAA,EAAG;AACL,CAAA;AAeO,SAAS,cAAc,KAAA,EAAgC;AAC5D,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,KAAK,CAAA,IAAK,QAAQ,CAAA,EAAG;AACxC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,kBAAA,EAAqB,KAAK,CAAA,uCAAA,CAAyC,CAAA;AAAA,IACrF;AACA,IAAA,OAAO,KAAK,GAAA,CAAI,IAAA,CAAK,KAAA,CAAM,KAAK,GAAG,eAAe,CAAA;AAAA,EACpD;AAEA,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,IAAA,OAAW,EAAA,EAAI;AACpD,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mBAAA,EAAsB,KAAK,CAAA,0DAAA,CAA4D,CAAA;AAAA,EACzG;AAEA,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,IAAA,EAAK,CAAE,MAAM,cAAc,CAAA;AAC/C,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,sBAAsB,KAAK,CAAA,mEAAA;AAAA,KAC7B;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,UAAA,CAAW,KAAA,CAAM,CAAC,CAAC,CAAA;AAClC,EAAA,MAAM,IAAA,GAAO,KAAA,CAAM,CAAC,CAAA,CAAE,WAAA,EAAY;AAClC,EAAA,MAAM,KAAK,IAAA,CAAK,KAAA,CAAM,MAAA,GAAS,UAAA,CAAW,IAAI,CAAC,CAAA;AAE/C,EAAA,IAAI,EAAA,GAAK,CAAA,IAAK,EAAA,GAAK,eAAA,EAAiB;AAClC,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,UAAA,EAAa,KAAK,CAAA,2BAAA,EAA8B,eAAe,CAAA,iBAAA,CAAmB,CAAA;AAAA,EACpG;AAEA,EAAA,OAAO,EAAA;AACT;;;ACZO,SAAS,0BAAA,CAA2B,OAAA,GAAgC,EAAC,EAA4B;AACtG,EAAA,MAAM;AAAA,IACJ,MAAM,UAAA,CAAW,oBAAA;AAAA,IACjB,MAAA,EAAQ,YAAY,UAAA,CAAW,iBAAA;AAAA,IAC/B,UAAU,UAAA,CAAW,eAAA;AAAA,IACrB,aAAa,UAAA,CAAW,mBAAA;AAAA,IACxB,eAAe,CAAC,GAAA,KAAQ,IAAI,EAAA,IAAM,GAAA,CAAI,QAAQ,aAAA,IAAiB,SAAA;AAAA,IAC/D;AAAA,GACF,GAAI,OAAA;AAEJ,EAAA,MAAM,QAAA,GAAW,cAAc,SAAS,CAAA;AAGxC,EAAA,MAAM,cAAA,mBAAiB,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA;AACzC,EAAA,MAAM,eAAA,mBAAkB,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA;AAE1C,EAAA,MAAM,eAAA,GAAkB,YAAY,MAAM;AACxC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,MAAA,GAAS,MAAM,QAAA,GAAW,CAAA;AAChC,IAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,eAAe,CAAA,EAAG;AAC9C,MAAA,IAAI,eAAA,CAAgB,GAAG,CAAA,CAAE,SAAA,GAAY,MAAA,EAAQ;AAC3C,QAAA,OAAO,gBAAgB,GAAG,CAAA;AAAA,MAC5B;AAAA,IACF;AACA,IAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,cAAc,CAAA,EAAG;AAC7C,MAAA,IAAI,cAAA,CAAe,GAAG,CAAA,CAAE,SAAA,GAAY,MAAA,EAAQ;AAC1C,QAAA,OAAO,eAAe,GAAG,CAAA;AAAA,MAC3B;AAAA,IACF;AAAA,EACF,GAAG,QAAQ,CAAA;AAEX,EAAA,IAAI,OAAO,eAAA,CAAgB,KAAA,KAAU,UAAA,EAAY;AAC/C,IAAA,eAAA,CAAgB,KAAA,EAAM;AAAA,EACxB;AAEA,EAAA,MAAM,OAAA,GAA0B,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AACnF,IAAA,IAAI;AACF,MAAA,IAAI,IAAA,GAAO,GAAG,CAAA,EAAG,OAAO,IAAA,EAAK;AAE7B,MAAA,MAAM,GAAA,GAAM,aAAa,GAAG,CAAA;AAC5B,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAGrB,MAAA,MAAM,WAAA,GAAc,IAAA,CAAK,KAAA,CAAM,GAAA,GAAM,QAAQ,CAAA,GAAI,QAAA;AAGjD,MAAA,IAAI,CAAC,eAAe,GAAG,CAAA,IAAK,eAAe,GAAG,CAAA,CAAE,YAAY,WAAA,EAAa;AAEvE,QAAA,IAAI,cAAA,CAAe,GAAG,CAAA,EAAG;AACvB,UAAA,eAAA,CAAgB,GAAG,CAAA,GAAI,cAAA,CAAe,GAAG,CAAA;AAAA,QAC3C;AACA,QAAA,cAAA,CAAe,GAAG,CAAA,GAAI,EAAE,KAAA,EAAO,CAAA,EAAG,WAAW,WAAA,EAAY;AAAA,MAC3D;AAGA,MAAA,MAAM,UAAU,GAAA,GAAM,WAAA;AACtB,MAAA,MAAM,SAAS,IAAA,CAAK,GAAA,CAAI,CAAA,EAAA,CAAI,QAAA,GAAW,WAAW,QAAQ,CAAA;AAC1D,MAAA,MAAM,SAAA,GAAY,eAAA,CAAgB,GAAG,CAAA,EAAG,KAAA,IAAS,CAAA;AACjD,MAAA,MAAM,iBAAkB,SAAA,GAAY,MAAA,GAAU,cAAA,CAAe,GAAG,EAAE,KAAA,GAAQ,CAAA;AAE1E,MAAA,MAAM,SAAA,GAAY,KAAK,GAAA,CAAI,CAAA,EAAG,KAAK,KAAA,CAAM,GAAA,GAAM,cAAc,CAAC,CAAA;AAC9D,MAAA,MAAM,OAAA,GAAU,cAAc,QAAA,GAAW,GAAA;AACzC,MAAA,MAAM,YAAA,GAAe,KAAK,GAAA,CAAI,CAAA,EAAG,KAAK,IAAA,CAAK,OAAA,GAAU,GAAI,CAAC,CAAA;AAG1D,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,GAAA,CAAI,QAAA,EAAU,CAAA;AACjD,MAAA,GAAA,CAAI,SAAA,CAAU,uBAAA,EAAyB,SAAA,CAAU,QAAA,EAAU,CAAA;AAC3D,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,YAAA,CAAa,QAAA,EAAU,CAAA;AAC1D,MAAA,GAAA,CAAI,SAAA,CAAU,oBAAA,EAAsB,CAAA,EAAG,GAAG,CAAA,GAAA,EAAM,KAAK,KAAA,CAAM,QAAA,GAAW,GAAI,CAAC,CAAA,CAAE,CAAA;AAE7E,MAAA,IAAI,iBAAiB,GAAA,EAAK;AAExB,QAAA,GAAA,CAAI,SAAA,CAAU,aAAA,EAAe,YAAA,CAAa,QAAA,EAAU,CAAA;AACpD,QAAA,GAAA,CAAI,MAAA,CAAO,UAAU,CAAA,CAAE,IAAA,CAAK;AAAA,UAC1B,KAAA,EAAO,OAAA;AAAA,UACP,UAAA,EAAY;AAAA,SACb,CAAA;AACD,QAAA;AAAA,MACF;AAGA,MAAA,cAAA,CAAe,GAAG,CAAA,CAAE,KAAA,EAAA;AAEpB,MAAA,IAAA,EAAK;AAAA,IACP,SAAS,KAAA,EAAO;AAEd,MAAA,OAAA,CAAQ,KAAA,CAAM,8CAA8C,KAAK,CAAA;AACjE,MAAA,IAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAA;AAEA,EAAA,MAAM,UAAA,GAAa,OAAA;AACnB,EAAA,UAAA,CAAW,QAAQ,MAAM;AACvB,IAAA,aAAA,CAAc,eAAe,CAAA;AAAA,EAC/B,CAAA;AAEA,EAAA,OAAO,UAAA;AACT;;;AC7FO,SAAS,wBAAA,CAAyB,OAAA,GAA8B,EAAC,EAA0B;AAChG,EAAA,MAAM;AAAA,IACJ,QAAA,GAAW,GAAA;AAAA,IACX,UAAA,GAAa,EAAA;AAAA,IACb,IAAA,GAAO,CAAA;AAAA,IACP,UAAU,UAAA,CAAW,eAAA;AAAA,IACrB,aAAa,UAAA,CAAW,mBAAA;AAAA,IACxB,eAAe,CAAC,GAAA,KAAQ,IAAI,EAAA,IAAM,GAAA,CAAI,QAAQ,aAAA,IAAiB,SAAA;AAAA,IAC/D;AAAA,GACF,GAAI,OAAA;AAEJ,EAAA,IAAI,WAAW,CAAA,EAAG,MAAM,IAAI,UAAA,CAAW,CAAA,wCAAA,EAA2C,QAAQ,CAAA,CAAE,CAAA;AAC5F,EAAA,IAAI,cAAc,CAAA,EAAG,MAAM,IAAI,UAAA,CAAW,CAAA,yCAAA,EAA4C,UAAU,CAAA,CAAE,CAAA;AAClG,EAAA,IAAI,OAAO,CAAA,EAAG,MAAM,IAAI,UAAA,CAAW,CAAA,oCAAA,EAAuC,IAAI,CAAA,CAAE,CAAA;AAChF,EAAA,IAAI,IAAA,GAAO,UAAU,MAAM,IAAI,WAAW,CAAA,mBAAA,EAAsB,IAAI,CAAA,uBAAA,EAA0B,QAAQ,CAAA,gDAAA,CAAkD,CAAA;AAExJ,EAAA,MAAM,OAAA,mBAAU,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA;AAGlC,EAAA,MAAM,eAAA,GAAkB,YAAY,MAAM;AACxC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,cAAA,GAAkB,QAAA,GAAW,UAAA,GAAc,GAAA,GAAO,CAAA;AACxD,IAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,EAAG;AACtC,MAAA,IAAI,GAAA,GAAM,OAAA,CAAQ,GAAG,CAAA,CAAE,aAAa,cAAA,EAAgB;AAClD,QAAA,OAAO,QAAQ,GAAG,CAAA;AAAA,MACpB;AAAA,IACF;AAAA,EACF,GAAG,GAAM,CAAA;AAET,EAAA,IAAI,OAAO,eAAA,CAAgB,KAAA,KAAU,UAAA,EAAY;AAC/C,IAAA,eAAA,CAAgB,KAAA,EAAM;AAAA,EACxB;AAEA,EAAA,SAAS,YAAA,CAAa,QAAgB,GAAA,EAAmB;AACvD,IAAA,MAAM,OAAA,GAAA,CAAW,GAAA,GAAM,MAAA,CAAO,UAAA,IAAc,GAAA;AAC5C,IAAA,MAAM,cAAc,OAAA,GAAU,UAAA;AAC9B,IAAA,MAAA,CAAO,SAAS,IAAA,CAAK,GAAA,CAAI,QAAA,EAAU,MAAA,CAAO,SAAS,WAAW,CAAA;AAC9D,IAAA,MAAA,CAAO,UAAA,GAAa,GAAA;AAAA,EACtB;AAEA,EAAA,MAAM,OAAA,GAA0B,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AACnF,IAAA,IAAI;AACF,MAAA,IAAI,IAAA,GAAO,GAAG,CAAA,EAAG,OAAO,IAAA,EAAK;AAE7B,MAAA,MAAM,GAAA,GAAM,aAAa,GAAG,CAAA;AAC5B,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAGrB,MAAA,IAAI,CAAC,OAAA,CAAQ,GAAG,CAAA,EAAG;AACjB,QAAA,OAAA,CAAQ,GAAG,CAAA,GAAI,EAAE,MAAA,EAAQ,QAAA,EAAU,YAAY,GAAA,EAAI;AAAA,MACrD;AAEA,MAAA,MAAM,MAAA,GAAS,QAAQ,GAAG,CAAA;AAC1B,MAAA,YAAA,CAAa,QAAQ,GAAG,CAAA;AAGxB,MAAA,MAAM,aAAA,GAAgB,MAAA,CAAO,MAAA,GAAS,IAAA,GAClC,IAAA,CAAK,MAAM,IAAA,GAAO,MAAA,CAAO,MAAA,IAAU,UAAU,CAAA,GAC7C,CAAA;AAGJ,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,QAAA,CAAS,QAAA,EAAU,CAAA;AACtD,MAAA,GAAA,CAAI,SAAA,CAAU,uBAAA,EAAyB,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,MAAA,CAAO,MAAA,GAAS,IAAI,CAAC,CAAA,CAAE,UAAU,CAAA;AAC/F,MAAA,GAAA,CAAI,SAAA,CAAU,oBAAA,EAAsB,CAAA,EAAG,QAAQ,CAAA,GAAA,EAAM,IAAA,CAAK,KAAA,CAAM,QAAA,GAAW,UAAU,CAAC,CAAA,OAAA,EAAU,QAAQ,CAAA,CAAE,CAAA;AAE1G,MAAA,IAAI,MAAA,CAAO,SAAS,IAAA,EAAM;AACxB,QAAA,GAAA,CAAI,SAAA,CAAU,aAAA,EAAe,aAAA,CAAc,QAAA,EAAU,CAAA;AACrD,QAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,aAAA,CAAc,QAAA,EAAU,CAAA;AAC3D,QAAA,GAAA,CAAI,MAAA,CAAO,UAAU,CAAA,CAAE,IAAA,CAAK;AAAA,UAC1B,KAAA,EAAO,OAAA;AAAA,UACP,UAAA,EAAY;AAAA,SACb,CAAA;AACD,QAAA;AAAA,MACF;AAGA,MAAA,MAAA,CAAO,MAAA,IAAU,IAAA;AACjB,MAAA,IAAA,EAAK;AAAA,IACP,SAAS,KAAA,EAAO;AAEd,MAAA,OAAA,CAAQ,KAAA,CAAM,4CAA4C,KAAK,CAAA;AAC/D,MAAA,IAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAA;AAEA,EAAA,MAAM,UAAA,GAAa,OAAA;AACnB,EAAA,UAAA,CAAW,QAAQ,MAAM;AACvB,IAAA,aAAA,CAAc,eAAe,CAAA;AAAA,EAC/B,CAAA;AAEA,EAAA,OAAO,UAAA;AACT;;;AC9GA,IAAM,kBAAkB,CAAC,KAAA,EAAO,QAAQ,KAAA,EAAO,OAAA,EAAS,QAAQ,QAAQ,CAAA;AACxE,IAAM,eAAA,GAAkB,CAAC,cAAA,EAAgB,eAAe,CAAA;AACxD,IAAM,eAAA,GAAkB,GAAA;AAKxB,SAAS,eAAA,CACP,eACA,OAAA,EACS;AAET,EAAA,IAAI,aAAA,KAAkB,QAAQ,OAAO,KAAA;AAErC,EAAA,IAAI,OAAA,KAAY,MAAM,OAAO,IAAA;AAE7B,EAAA,IAAI,OAAO,YAAY,QAAA,EAAU;AAC/B,IAAA,OAAO,aAAA,KAAkB,OAAA;AAAA,EAC3B;AAEA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,OAAO,CAAA,EAAG;AAC1B,IAAA,OAAO,OAAA,CAAQ,SAAS,aAAa,CAAA;AAAA,EACvC;AAEA,EAAA,IAAI,mBAAmB,MAAA,EAAQ;AAC7B,IAAA,OAAO,OAAA,CAAQ,KAAK,aAAa,CAAA;AAAA,EACnC;AAEA,EAAA,IAAI,OAAO,YAAY,UAAA,EAAY;AACjC,IAAA,OAAO,QAAQ,aAAa,CAAA;AAAA,EAC9B;AAEA,EAAA,OAAO,KAAA;AACT;AA6BO,SAAS,SAAS,OAAA,EAAsC;AAC7D,EAAA,MAAM;AAAA,IACJ,MAAA;AAAA,IACA,OAAA,GAAU,eAAA;AAAA,IACV,cAAA,GAAiB,eAAA;AAAA,IACjB,iBAAiB,EAAC;AAAA,IAClB,WAAA,GAAc,KAAA;AAAA,IACd,MAAA,GAAS,eAAA;AAAA,IACT,iBAAA,GAAoB;AAAA,GACtB,GAAI,OAAA;AAEJ,EAAA,OAAO,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AAC1D,IAAA,MAAM,aAAA,GAAgB,IAAI,OAAA,CAAQ,MAAA;AAGlC,IAAA,GAAA,CAAI,SAAA,CAAU,QAAQ,QAAQ,CAAA;AAG9B,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAEA,IAAA,MAAM,OAAA,GAAU,eAAA,CAAgB,aAAA,EAAe,MAAM,CAAA;AAErD,IAAA,IAAI,CAAC,OAAA,EAAS;AAEZ,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAGA,IAAA,GAAA,CAAI,SAAA,CAAU,+BAA+B,aAAa,CAAA;AAE1D,IAAA,IAAI,WAAA,EAAa;AACf,MAAA,GAAA,CAAI,SAAA,CAAU,oCAAoC,MAAM,CAAA;AAAA,IAC1D;AAEA,IAAA,IAAI,cAAA,CAAe,SAAS,CAAA,EAAG;AAC7B,MAAA,GAAA,CAAI,SAAA,CAAU,+BAAA,EAAiC,cAAA,CAAe,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,IAC1E;AAGA,IAAA,IAAI,GAAA,CAAI,WAAW,SAAA,EAAW;AAC5B,MAAA,GAAA,CAAI,SAAA,CAAU,8BAAA,EAAgC,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAC,CAAA;AAChE,MAAA,GAAA,CAAI,SAAA,CAAU,8BAAA,EAAgC,cAAA,CAAe,IAAA,CAAK,IAAI,CAAC,CAAA;AACvE,MAAA,GAAA,CAAI,SAAA,CAAU,wBAAA,EAA0B,MAAA,CAAO,MAAM,CAAC,CAAA;AAEtD,MAAA,IAAI,iBAAA,EAAmB;AACrB,QAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,GAAA,EAAI;AACpB,QAAA;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAMO,IAAM,UAAA,GAAa;;;AC/I1B,IAAM,YAAA,GAAe;AAAA,EACnB,SAAA,EAAW,YAAA;AAAA,EACX,MAAA,EAAQ,UAAA;AAAA,EACR,gBAAA,EAAkB,mBAAA;AAAA,EAClB,aAAA,EAAe,gBAAA;AAAA,EACf,cAAA,EAAgB;AAClB,CAAA;AAKO,SAAS,mBAAA,CACd,WACA,OAAA,EACQ;AACR,EAAA,MAAM,KAAA,GAAQ,UAAU,WAAA,EAAY;AACpC,EAAA,IAAI,MAAA,GAAS,SAAA;AAGb,EAAA,IAAI,QAAQ,QAAA,IAAY,CAAC,KAAA,CAAM,QAAA,CAAS,UAAU,CAAA,EAAG;AACnD,IAAA,MAAA,IAAU,YAAA,CAAa,SAAA;AAAA,EACzB;AAGA,EAAA,IAAI,QAAQ,MAAA,IAAU,CAAC,KAAA,CAAM,QAAA,CAAS,UAAU,CAAA,EAAG;AACjD,IAAA,MAAA,IAAU,YAAA,CAAa,MAAA;AAAA,EACzB;AAGA,EAAA,IAAI,QAAQ,QAAA,KAAa,KAAA,IAAS,CAAC,KAAA,CAAM,QAAA,CAAS,UAAU,CAAA,EAAG;AAC7D,IAAA,QAAQ,QAAQ,QAAA;AAAU,MACxB,KAAK,QAAA;AACH,QAAA,MAAA,IAAU,YAAA,CAAa,gBAAA;AACvB,QAAA;AAAA,MACF,KAAK,MAAA;AACH,QAAA,MAAA,IAAU,YAAA,CAAa,cAAA;AAEvB,QAAA,IAAI,CAAC,MAAA,CAAO,WAAA,EAAY,CAAE,QAAA,CAAS,UAAU,CAAA,EAAG;AAC9C,UAAA,MAAA,IAAU,YAAA,CAAa,MAAA;AAAA,QACzB;AACA,QAAA;AAAA,MACF,KAAK,KAAA;AAAA,MACL;AACE,QAAA,MAAA,IAAU,YAAA,CAAa,aAAA;AACvB,QAAA;AAAA;AACJ,EACF;AAGA,EAAA,IAAI,QAAQ,IAAA,EAAM;AAChB,IAAA,IAAI,KAAA,CAAM,QAAA,CAAS,OAAO,CAAA,EAAG;AAC3B,MAAA,MAAA,GAAS,OAAO,OAAA,CAAQ,iBAAA,EAAmB,CAAA,OAAA,EAAU,OAAA,CAAQ,IAAI,CAAA,CAAE,CAAA;AAAA,IACrE,CAAA,MAAO;AACL,MAAA,MAAA,IAAU,CAAA,OAAA,EAAU,QAAQ,IAAI,CAAA,CAAA;AAAA,IAClC;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAqBO,SAAS,oBAAA,CAAqB,OAAA,GAA+B,EAAC,EAAmB;AACtF,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAC9C,EAAA,MAAM,QAAA,GAAW;AAAA,IACf,QAAA,EAAU,QAAQ,QAAA,IAAY,IAAA;AAAA,IAC9B,MAAA,EAAQ,QAAQ,MAAA,IAAU,YAAA;AAAA,IAC1B,QAAA,EAAU,QAAQ,QAAA,IAAY,KAAA;AAAA,IAC9B,MAAM,OAAA,CAAQ;AAAA,GAChB;AAEA,EAAA,OAAO,CAAC,IAAA,EAAe,GAAA,EAAe,IAAA,KAAuB;AAE3D,IAAA,MAAM,iBAAA,GAAoB,GAAA,CAAI,SAAA,CAAU,IAAA,CAAK,GAAG,CAAA;AAEhD,IAAA,GAAA,CAAI,SAAA,GAAY,SAAS,gBAAA,CAAiB,IAAA,EAAc,KAAA,EAA4C;AAClG,MAAA,IAAI,IAAA,CAAK,WAAA,EAAY,KAAM,YAAA,EAAc;AACvC,QAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,UAAA,KAAA,GAAQ,KAAA,CAAM,IAAI,CAAA,CAAA,KAAK,mBAAA,CAAoB,OAAO,CAAC,CAAA,EAAG,QAAQ,CAAC,CAAA;AAAA,QACjE,CAAA,MAAO;AACL,UAAA,KAAA,GAAQ,mBAAA,CAAoB,MAAA,CAAO,KAAK,CAAA,EAAG,QAAQ,CAAA;AAAA,QACrD;AAAA,MACF;AACA,MAAA,OAAO,iBAAA,CAAkB,MAAM,KAAK,CAAA;AAAA,IACtC,CAAA;AAEA,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAMO,IAAM,mBAAA,GAAsB;;;ACpDnC,IAAM,YAAA,GAA6B;AAAA;AAAA,EAEjC,EAAE,OAAA,EAAS,kBAAA,EAAoB,IAAA,EAAM,iBAAA,EAAmB,UAAU,eAAA,EAAgB;AAAA,EAClF,EAAE,OAAA,EAAS,kBAAA,EAAoB,IAAA,EAAM,iBAAA,EAAmB,UAAU,eAAA,EAAgB;AAAA,EAClF,EAAE,OAAA,EAAS,iBAAA,EAAmB,IAAA,EAAM,gBAAA,EAAkB,UAAU,eAAA,EAAgB;AAAA,EAChF,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,eAAA,EAAgB;AAAA,EACtE,EAAE,OAAA,EAAS,gBAAA,EAAkB,IAAA,EAAM,eAAA,EAAiB,UAAU,eAAA,EAAgB;AAAA,EAC9E,EAAE,OAAA,EAAS,uBAAA,EAAyB,IAAA,EAAM,sBAAA,EAAwB,UAAU,eAAA,EAAgB;AAAA,EAC5F,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,eAAA,EAAgB;AAAA,EAClE,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,QAAA,EAAU,UAAU,eAAA,EAAgB;AAAA,EAChE,EAAE,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,aAAA,EAAe,UAAU,eAAA,EAAgB;AAAA,EACpE,EAAE,OAAA,EAAS,cAAA,EAAgB,IAAA,EAAM,aAAA,EAAe,UAAU,eAAA,EAAgB;AAAA,EAC1E,EAAE,OAAA,EAAS,cAAA,EAAgB,IAAA,EAAM,aAAA,EAAe,UAAU,eAAA,EAAgB;AAAA,EAC1E,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,eAAA,EAAgB;AAAA,EACtE,EAAE,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,cAAA,EAAgB,UAAU,eAAA,EAAgB;AAAA,EAC5E,EAAE,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,OAAA,EAAS,UAAU,eAAA,EAAgB;AAAA,EAC9D,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,QAAA,EAAU,UAAU,eAAA,EAAgB;AAAA,EAChE,EAAE,OAAA,EAAS,cAAA,EAAgB,IAAA,EAAM,OAAA,EAAS,UAAU,eAAA,EAAgB;AAAA,EACpE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,eAAA,EAAgB;AAAA,EACpE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,eAAA,EAAgB;AAAA,EACpE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,eAAA,EAAgB;AAAA,EACpE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,eAAA,EAAgB;AAAA;AAAA,EAGtE,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,YAAA,EAAc,UAAU,QAAA,EAAS;AAAA,EACjE,EAAE,OAAA,EAAS,sBAAA,EAAwB,IAAA,EAAM,UAAA,EAAY,UAAU,QAAA,EAAS;AAAA,EACxE,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,QAAA,EAAS;AAAA,EAC3D,EAAE,OAAA,EAAS,cAAA,EAAgB,IAAA,EAAM,aAAA,EAAe,UAAU,QAAA,EAAS;AAAA,EACnE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,QAAA,EAAS;AAAA,EAC/D,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,QAAA,EAAS;AAAA,EAC7D,EAAE,OAAA,EAAS,cAAA,EAAgB,IAAA,EAAM,aAAA,EAAe,UAAU,QAAA,EAAS;AAAA,EACnE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,QAAA,EAAS;AAAA,EAC7D,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,YAAA,EAAc,UAAU,QAAA,EAAS;AAAA,EACjE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,QAAA,EAAS;AAAA,EAC/D,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,QAAA,EAAS;AAAA,EAC3D,EAAE,OAAA,EAAS,qBAAA,EAAuB,IAAA,EAAM,OAAA,EAAS,UAAU,QAAA,EAAS;AAAA,EACpE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,QAAA,EAAS;AAAA;AAAA,EAG7D,EAAE,OAAA,EAAS,cAAA,EAAgB,IAAA,EAAM,aAAA,EAAe,UAAU,YAAA,EAAa;AAAA,EACvE,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,YAAA,EAAa;AAAA,EAC/D,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,YAAA,EAAa;AAAA,EACjE,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,YAAA,EAAc,UAAU,YAAA,EAAa;AAAA,EACrE,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,YAAA,EAAa;AAAA,EAC/D,EAAE,OAAA,EAAS,iBAAA,EAAmB,IAAA,EAAM,WAAA,EAAa,UAAU,YAAA,EAAa;AAAA,EACxE,EAAE,OAAA,EAAS,oBAAA,EAAsB,IAAA,EAAM,eAAA,EAAiB,UAAU,YAAA,EAAa;AAAA,EAC/E,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,YAAA,EAAa;AAAA,EACjE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,oBAAA,EAAsB,UAAU,YAAA,EAAa;AAAA;AAAA,EAG5E,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,QAAA,EAAU,UAAU,YAAA,EAAa;AAAA,EAC7D,EAAE,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,cAAA,EAAgB,UAAU,YAAA,EAAa;AAAA,EACzE,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,YAAA,EAAc,UAAU,YAAA,EAAa;AAAA,EACrE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,YAAA,EAAa;AAAA,EACnE,EAAE,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,WAAA,EAAa,UAAU,YAAA,EAAa;AAAA,EACtE,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,YAAA,EAAc,UAAU,YAAA,EAAa;AAAA,EACrE,EAAE,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,OAAA,EAAS,UAAU,YAAA,EAAa;AAAA,EAC3D,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,QAAA,EAAU,UAAU,YAAA,EAAa;AAAA,EAChE,EAAE,OAAA,EAAS,gBAAA,EAAkB,IAAA,EAAM,eAAA,EAAiB,UAAU,YAAA,EAAa;AAAA,EAC3E,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,QAAA,EAAU,UAAU,YAAA,EAAa;AAAA,EAC7D,EAAE,OAAA,EAAS,kBAAA,EAAoB,IAAA,EAAM,iBAAA,EAAmB,UAAU,YAAA,EAAa;AAAA,EAC/E,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,YAAA,EAAa;AAAA,EAC/D,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,YAAA,EAAa;AAAA,EACnE,EAAE,OAAA,EAAS,qBAAA,EAAuB,IAAA,EAAM,SAAA,EAAW,UAAU,YAAA,EAAa;AAAA;AAAA,EAG1E,EAAE,OAAA,EAAS,iBAAA,EAAmB,IAAA,EAAM,iBAAA,EAAmB,UAAU,WAAA,EAAY;AAAA,EAC7E,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,WAAA,EAAY;AAAA,EAClE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,WAAA,EAAY;AAAA,EAChE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,WAAA,EAAY;AAAA,EAClE,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,YAAA,EAAc,UAAU,WAAA,EAAY;AAAA,EACpE,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,WAAA,EAAY;AAAA,EAC9D,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,WAAA,EAAY;AAAA,EAClE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,UAAA,EAAY,UAAU,WAAA,EAAY;AAAA;AAAA,EAGjE,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,MAAA,EAAQ,UAAU,SAAA,EAAU;AAAA,EACzD,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,MAAA,EAAQ,UAAU,SAAA,EAAU;AAAA,EACzD,EAAE,OAAA,EAAS,qBAAA,EAAuB,IAAA,EAAM,iBAAA,EAAmB,UAAU,SAAA,EAAU;AAAA,EAC/E,EAAE,OAAA,EAAS,kBAAA,EAAoB,IAAA,EAAM,cAAA,EAAgB,UAAU,SAAA,EAAU;AAAA,EACzE,EAAE,OAAA,EAAS,iBAAA,EAAmB,IAAA,EAAM,eAAA,EAAiB,UAAU,SAAA,EAAU;AAAA,EACzE,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,SAAA,EAAW,UAAU,SAAA,EAAU;AAAA,EAC/D,EAAE,OAAA,EAAS,kBAAA,EAAoB,IAAA,EAAM,gBAAA,EAAkB,UAAU,SAAA,EAAU;AAAA,EAC3E,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,iBAAA,EAAmB,UAAU,SAAA,EAAU;AAAA,EACpE,EAAE,OAAA,EAAS,qBAAA,EAAuB,IAAA,EAAM,mBAAA,EAAqB,UAAU,SAAA,EAAU;AAAA,EACjF,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,QAAA,EAAU,UAAU,SAAA,EAAU;AAAA,EAC7D,EAAE,OAAA,EAAS,gBAAA,EAAkB,IAAA,EAAM,YAAA,EAAc,UAAU,SAAA,EAAU;AAAA,EACrE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,OAAA,EAAS,UAAU,SAAA,EAAU;AAAA,EAC3D,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,KAAA,EAAO,UAAU,SAAA,EAAU;AAAA,EACvD,EAAE,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,aAAA,EAAe,UAAU,SAAA,EAAU;AAAA,EACrE,EAAE,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,UAAU,SAAA,EAAU;AAAA,EACvD,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,KAAA,EAAO,UAAU,SAAA,EAAU;AAAA,EACvD,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,QAAA,EAAU,UAAU,SAAA,EAAU;AAAA,EAC1D,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,SAAA,EAAW,UAAU,SAAA,EAAU;AAAA,EAC7D,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,UAAA,EAAY,UAAU,SAAA,EAAU;AAAA,EAC/D,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,QAAA,EAAU,UAAU,SAAA;AACrD,CAAA;AASA,SAAS,wBAAwB,GAAA,EAAwB;AACvD,EAAA,MAAM,UAAoB,EAAC;AAC3B,EAAA,MAAM,UAAU,GAAA,CAAI,OAAA;AAGpB,EAAA,IAAI,CAAC,OAAA,CAAQ,YAAY,CAAA,EAAG;AAC1B,IAAA,OAAA,CAAQ,KAAK,oBAAoB,CAAA;AAAA,EACnC;AAGA,EAAA,IAAI,CAAC,OAAA,CAAQ,QAAQ,CAAA,EAAG;AACtB,IAAA,OAAA,CAAQ,KAAK,gBAAgB,CAAA;AAAA,EAC/B;AAGA,EAAA,IAAI,CAAC,OAAA,CAAQ,iBAAiB,CAAA,EAAG;AAC/B,IAAA,OAAA,CAAQ,KAAK,yBAAyB,CAAA;AAAA,EACxC;AAGA,EAAA,IAAI,CAAC,OAAA,CAAQ,iBAAiB,CAAA,EAAG;AAC/B,IAAA,OAAA,CAAQ,KAAK,yBAAyB,CAAA;AAAA,EACxC;AAGA,EAAA,IAAI,OAAA,CAAQ,YAAY,CAAA,KAAM,OAAA,EAAS;AACrC,IAAA,OAAA,CAAQ,KAAK,kBAAkB,CAAA;AAAA,EACjC;AAEA,EAAA,OAAO,OAAA;AACT;AAcO,SAAS,UAAU,GAAA,EAAkC;AAC1D,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,OAAA,CAAQ,YAAY,CAAA,IAAK,EAAA;AAE3C,EAAA,MAAM,EAAA,GAAK,MAAM,MAAA,GAAS,IAAA,GAAO,MAAM,KAAA,CAAM,CAAA,EAAG,IAAI,CAAA,GAAI,KAAA;AACxD,EAAA,MAAM,OAAA,GAAU,wBAAwB,GAAG,CAAA;AAG3C,EAAA,IAAI,CAAC,EAAA,EAAI;AACP,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,SAAA;AAAA,MACV,IAAA,EAAM,IAAA;AAAA,MACN,UAAA,EAAY,GAAA;AAAA,MACZ;AAAA,KACF;AAAA,EACF;AAGA,EAAA,KAAA,MAAW,OAAO,YAAA,EAAc;AAC9B,IAAA,IAAI,GAAA,CAAI,OAAA,CAAQ,IAAA,CAAK,EAAE,CAAA,EAAG;AACxB,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,IAAA;AAAA,QACP,UAAU,GAAA,CAAI,QAAA;AAAA,QACd,MAAM,GAAA,CAAI,IAAA;AAAA,QACV,UAAA,EAAY,IAAA;AAAA,QACZ;AAAA,OACF;AAAA,IACF;AAAA,EACF;AAGA,EAAA,MAAM,gBAAgB,OAAA,CAAQ,MAAA;AAG9B,EAAA,IAAI,iBAAiB,CAAA,EAAG;AACtB,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,SAAA;AAAA,MACV,IAAA,EAAM,IAAA;AAAA,MACN,YAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAK,GAAA,GAAO,gBAAgB,GAAI,CAAA;AAAA,MACrD;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,KAAA;AAAA,IACP,QAAA,EAAU,OAAA;AAAA,IACV,IAAA,EAAM,IAAA;AAAA,IACN,YAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAK,CAAA,GAAO,gBAAgB,IAAK,CAAA;AAAA,IACtD;AAAA,GACF;AACF;AA6BO,SAAS,aAAA,CAAc,OAAA,GAAgC,EAAC,EAAmB;AAChF,EAAA,MAAM;AAAA,IACJ,KAAA,GAAQ,CAAC,eAAA,EAAiB,QAAA,EAAU,YAAY,CAAA;AAAA,IAChD,IAAA,GAAO,CAAC,WAAW,CAAA;AAAA,IACnB,aAAA,GAAgB,OAAA;AAAA,IAChB,UAAA,GAAa,GAAA;AAAA,IACb,OAAA,GAAU,gBAAA;AAAA,IACV;AAAA,GACF,GAAI,OAAA;AAEJ,EAAA,MAAM,QAAA,GAAW,IAAI,GAAA,CAAI,KAAK,CAAA;AAC9B,EAAA,MAAM,OAAA,GAAU,IAAI,GAAA,CAAI,IAAI,CAAA;AAE5B,EAAA,OAAO,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AAC1D,IAAA,MAAM,MAAA,GAAS,UAAU,GAAG,CAAA;AAG5B,IAAC,IAA2C,YAAA,GAAe,MAAA;AAG3D,IAAA,IAAI,CAAC,OAAO,KAAA,EAAO;AACjB,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAGA,IAAA,IAAI,QAAA,CAAS,GAAA,CAAI,MAAA,CAAO,QAAQ,CAAA,EAAG;AACjC,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAEA,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,QAAQ,CAAA,EAAG;AAChC,MAAA,IAAI,UAAA,EAAY;AACd,QAAA,OAAO,UAAA,CAAW,GAAA,EAAK,GAAA,EAAK,MAAM,CAAA;AAAA,MACpC;AACA,MAAA,GAAA,CAAI,OAAO,UAAU,CAAA,CAAE,KAAK,EAAE,KAAA,EAAO,SAAS,CAAA;AAC9C,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,kBAAkB,MAAA,EAAQ;AAC5B,MAAA,IAAI,UAAA,EAAY;AACd,QAAA,OAAO,UAAA,CAAW,GAAA,EAAK,GAAA,EAAK,MAAM,CAAA;AAAA,MACpC;AACA,MAAA,GAAA,CAAI,OAAO,UAAU,CAAA,CAAE,KAAK,EAAE,KAAA,EAAO,SAAS,CAAA;AAC9C,MAAA;AAAA,IACF;AAEA,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;ACpSA,IAAM,QAAA,GAAW;AAAA,EACf,UAAA,EAAY,OAAA;AAAA,EACZ,UAAA,EAAY,cAAA;AAAA,EACZ,SAAA,EAAW,OAAA;AAAA,EACX,WAAA,EAAa,EAAA;AAAA,EACb,gBAAA,EAAkB,CAAC,MAAA,EAAQ,KAAA,EAAO,SAAS,QAAQ;AACrD,CAAA;AAWO,SAAS,iBAAA,CAAkB,SAAiB,EAAA,EAAY;AAC7D,EAAA,OAAO,WAAA,CAAY,MAAM,CAAA,CAAE,QAAA,CAAS,KAAK,CAAA;AAC3C;AASO,SAAS,iBAAA,CAAkB,aAAqB,YAAA,EAA+B;AACpF,EAAA,IAAI,CAAC,WAAA,IAAe,CAAC,YAAA,EAAc,OAAO,KAAA;AAC1C,EAAA,IAAI,WAAA,CAAY,MAAA,KAAW,YAAA,CAAa,MAAA,EAAQ,OAAO,KAAA;AAGvD,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,WAAA,CAAY,QAAQ,CAAA,EAAA,EAAK;AAC3C,IAAA,MAAA,IAAU,YAAY,UAAA,CAAW,CAAC,CAAA,GAAI,YAAA,CAAa,WAAW,CAAC,CAAA;AAAA,EACjE;AACA,EAAA,OAAO,MAAA,KAAW,CAAA;AACpB;AAKA,SAAS,eAAA,CAAgB,GAAA,EAAc,UAAA,EAAoB,SAAA,EAAuC;AAEhG,EAAA,MAAM,WAAA,GAAc,GAAA,CAAI,OAAA,CAAQ,UAAA,CAAW,aAAa,CAAA;AACxD,EAAA,IAAI,OAAO,WAAA,KAAgB,QAAA,IAAY,WAAA,EAAa,OAAO,WAAA;AAG3D,EAAA,IAAI,GAAA,CAAI,QAAQ,OAAO,GAAA,CAAI,SAAS,QAAA,IAAY,SAAA,IAAa,IAAI,IAAA,EAAM;AACrE,IAAA,MAAM,SAAA,GAAY,GAAA,CAAI,IAAA,CAAK,SAAS,CAAA;AACpC,IAAA,IAAI,OAAO,SAAA,KAAc,QAAA,IAAY,SAAA,EAAW,OAAO,SAAA;AAAA,EACzD;AAGA,EAAA,IAAI,GAAA,CAAI,KAAA,IAAS,SAAA,IAAa,GAAA,CAAI,KAAA,EAAO;AACvC,IAAA,MAAM,UAAA,GAAa,GAAA,CAAI,KAAA,CAAM,SAAS,CAAA;AACtC,IAAA,IAAI,OAAO,UAAA,KAAe,QAAA,IAAY,UAAA,EAAY,OAAO,UAAA;AAAA,EAC3D;AAEA,EAAA,OAAO,MAAA;AACT;AA8BO,SAAS,cAAA,CAAe,OAAA,GAAuB,EAAC,EAAmB;AACxE,EAAA,MAAM,cAAA,GAAiB,OAAA,CAAQ,UAAA,IAAc,QAAA,CAAS,UAAA;AAEtD,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,aAAA,GAAgB,CAAA,OAAA,EAAU,cAAc,CAAA,CAAA,GAAK,cAAA;AACxE,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,UAAA,IAAc,QAAA,CAAS,UAAA;AAClD,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,IAAa,QAAA,CAAS,SAAA;AAChD,EAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,WAAA,IAAe,QAAA,CAAS,WAAA;AACpD,EAAA,MAAM,mBAAmB,OAAA,CAAQ,gBAAA,IAAoB,CAAC,GAAG,SAAS,gBAAgB,CAAA;AAClF,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,YAAA,IAAgB,EAAC;AAC9C,EAAA,MAAM,WAAW,OAAA,CAAQ,QAAA;AAEzB,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAC9C,EAAA,MAAM,UAAA,GAAa;AAAA,IACjB,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,IAAA,IAAQ,GAAA;AAAA,IAC9B,QAAA,EAAU,OAAA,CAAQ,MAAA,EAAQ,QAAA,IAAY,KAAA;AAAA;AAAA,IACtC,MAAA,EAAQ,OAAA,CAAQ,MAAA,EAAQ,MAAA,IAAU,YAAA;AAAA,IAClC,QAAA,EAAU,OAAA,CAAQ,MAAA,EAAQ,QAAA,IAAY,KAAA;AAAA,IACtC,MAAA,EAAQ,QAAQ,MAAA,EAAQ;AAAA,GAC1B;AAEA,EAAA,MAAM,cAAA,GAAiB,CAAC,IAAA,EAAe,GAAA,EAAe,KAAA,KAAwB;AAC5E,IAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,IAAA,CAAK;AAAA,MACnB,KAAA,EAAO,8BAAA;AAAA,MACP,OAAA,EAAS;AAAA,KACV,CAAA;AAAA,EACH,CAAA;AAEA,EAAA,MAAM,OAAA,GAAU,QAAQ,OAAA,IAAW,cAAA;AAGnC,EAAA,MAAM,YAAA,GAAe,IAAI,GAAA,CAAI,gBAAA,CAAiB,IAAI,CAAA,CAAA,KAAK,CAAA,CAAE,WAAA,EAAa,CAAC,CAAA;AAEvE,EAAA,OAAO,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AAC1D,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,MAAA,CAAO,WAAA,EAAY;AAGtC,IAAA,IAAI,QAAA,IAAY,QAAA,CAAS,GAAG,CAAA,EAAG;AAC7B,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAGA,IAAA,MAAM,WAAA,GAAc,GAAA,CAAI,IAAA,IAAQ,GAAA,CAAI,GAAA;AACpC,IAAA,IAAI,YAAA,CAAa,IAAA,CAAK,CAAA,CAAA,KAAK,WAAA,KAAgB,CAAA,IAAK,YAAY,UAAA,CAAW,CAAA,GAAI,GAAG,CAAC,CAAA,EAAG;AAChF,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAGA,IAAC,GAAA,CAA2C,YAAY,MAAM;AAC5D,MAAA,MAAM,QAAA,GAAW,cAAA,CAAe,GAAA,EAAK,UAAU,CAAA;AAC/C,MAAA,IAAI,UAAU,OAAO,QAAA;AAErB,MAAA,MAAM,KAAA,GAAQ,kBAAkB,WAAW,CAAA;AAC3C,MAAA,aAAA,CAAc,GAAA,EAAK,UAAA,EAAY,KAAA,EAAO,UAAU,CAAA;AAChD,MAAA,OAAO,KAAA;AAAA,IACT,CAAA;AAGA,IAAA,IAAI,CAAC,YAAA,CAAa,GAAA,CAAI,MAAM,CAAA,EAAG;AAC7B,MAAA,MAAM,QAAA,GAAW,cAAA,CAAe,GAAA,EAAK,UAAU,CAAA;AAC/C,MAAA,IAAI,CAAC,QAAA,EAAU;AACb,QAAA,MAAM,KAAA,GAAQ,kBAAkB,WAAW,CAAA;AAC3C,QAAA,aAAA,CAAc,GAAA,EAAK,UAAA,EAAY,KAAA,EAAO,UAAU,CAAA;AAAA,MAClD;AACA,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAGA,IAAA,MAAM,WAAA,GAAc,cAAA,CAAe,GAAA,EAAK,UAAU,CAAA;AAClD,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,GAAA,EAAK,IAAI,CAAA;AAAA,IAC/B;AAEA,IAAA,MAAM,YAAA,GAAe,eAAA,CAAgB,GAAA,EAAK,UAAA,EAAY,SAAS,CAAA;AAC/D,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,GAAA,EAAK,IAAI,CAAA;AAAA,IAC/B;AAEA,IAAA,IAAI,CAAC,iBAAA,CAAkB,WAAA,EAAa,YAAY,CAAA,EAAG;AACjD,MAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,GAAA,EAAK,IAAI,CAAA;AAAA,IAC/B;AAEA,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAKA,SAAS,cAAA,CAAe,KAAc,IAAA,EAAkC;AAEtE,EAAA,IAAI,GAAA,CAAI,WAAW,OAAO,GAAA,CAAI,YAAY,QAAA,IAAY,IAAA,IAAQ,IAAI,OAAA,EAAS;AACzE,IAAA,OAAO,GAAA,CAAI,QAAQ,IAAI,CAAA;AAAA,EACzB;AAGA,EAAA,MAAM,YAAA,GAAe,IAAI,OAAA,CAAQ,MAAA;AACjC,EAAA,IAAI,CAAC,cAAc,OAAO,MAAA;AAE1B,EAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,KAAA,CAAM,IAAI,MAAA,CAAO,cAAc,WAAA,CAAY,IAAI,CAAC,CAAA,QAAA,CAAU,CAAC,CAAA;AACtF,EAAA,OAAO,KAAA,GAAQ,kBAAA,CAAmB,KAAA,CAAM,CAAC,CAAC,CAAA,GAAI,MAAA;AAChD;AAKA,SAAS,aAAA,CACP,GAAA,EACA,IAAA,EACA,KAAA,EACA,IAAA,EACM;AACN,EAAA,MAAM,QAAQ,CAAC,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,CAAA;AACjC,EAAA,KAAA,CAAM,IAAA,CAAK,CAAA,KAAA,EAAQ,IAAA,CAAK,IAAI,CAAA,CAAE,CAAA;AAC9B,EAAA,IAAI,IAAA,CAAK,QAAA,EAAU,KAAA,CAAM,IAAA,CAAK,UAAU,CAAA;AACxC,EAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,IAAA,CAAK,QAAQ,CAAA;AACpC,EAAA,KAAA,CAAM,IAAA,CAAK,CAAA,SAAA,EAAY,IAAA,CAAK,QAAQ,CAAA,CAAE,CAAA;AACtC,EAAA,IAAI,KAAK,MAAA,EAAQ,KAAA,CAAM,KAAK,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA,CAAE,CAAA;AAEnD,EAAA,GAAA,CAAI,SAAA,CAAU,YAAA,EAAc,KAAA,CAAM,IAAA,CAAK,IAAI,CAAC,CAAA;AAC9C;AAKA,SAAS,YAAY,GAAA,EAAqB;AACxC,EAAA,OAAO,GAAA,CAAI,OAAA,CAAQ,qBAAA,EAAuB,MAAM,CAAA;AAClD;AAGO,IAAM,UAAA,GAAa","file":"index.mjs","sourcesContent":["/**\n * @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n */\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n  /** Default maximum input size (1MB) */\n  DEFAULT_MAX_SIZE: 1_000_000,\n  /** Maximum recursion depth for nested objects */\n  MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n  /** Default window size (1 minute) */\n  DEFAULT_WINDOW_MS: 60_000,\n  /** Default max requests per window */\n  DEFAULT_MAX_REQUESTS: 100,\n  /** Default HTTP status code for rate limited responses */\n  DEFAULT_STATUS_CODE: 429,\n  /** Default error message */\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n  /** Minimum window size (1 second) */\n  MIN_WINDOW_MS: 1_000,\n  /** Maximum window size (24 hours) */\n  MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n  /** Default Content Security Policy */\n  DEFAULT_CSP: [\n    \"default-src 'self'\",\n    \"script-src 'self'\",\n    \"style-src 'self' 'unsafe-inline'\",\n    \"img-src 'self' data: https:\",\n    \"font-src 'self'\",\n    \"object-src 'none'\",\n    \"frame-ancestors 'none'\",\n  ].join('; '),\n  /** Default HSTS max age (1 year in seconds) */\n  HSTS_MAX_AGE: 31_536_000,\n  /** Default X-Frame-Options value */\n  FRAME_OPTIONS: 'DENY' as const,\n  /** Default X-Content-Type-Options value */\n  CONTENT_TYPE_OPTIONS: 'nosniff',\n  /** Default Referrer-Policy value */\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\n  /** Default Permissions-Policy value */\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n  /** Default Cache-Control value for security */\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/**\n * Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n */\nexport const XSS_PATTERNS = [\n  /** Script tags (ReDoS-safe version) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** javascript: protocol (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /** vbscript: protocol */\n  /vbscript\\s*:/gi,\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\n  /(?:[\\s/])on\\w+\\s*=/gi,\n  /** iframe tags */\n  /<iframe/gi,\n  /** object tags */\n  /<object/gi,\n  /** embed tags */\n  /<embed/gi,\n  /** data: URIs (only dangerous ones, avoid false positives) */\n  /(?:^|[\\s\"'=])data:/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** SVG with onload */\n  /<svg[^>]*onload/gi,\n] as const;\n\n/**\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n */\nexport const XSS_REMOVE_PATTERNS = [\n  /** Full script blocks (content + tags) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** Standalone/unclosed script tags */\n  /<script[^>]*>/gi,\n  /** iframe — full block and partial/unclosed */\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\n  /<iframe[^>]*/gi,\n  /** object — full block and partial/unclosed */\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\n  /<object[^>]*/gi,\n  /** embed tags */\n  /<embed[^>]*/gi,\n  /** SVG with inline event handlers */\n  /<svg[^>]*onload[^>]*>/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\n  /** Event handlers with unquoted values: onload=value */\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /vbscript\\s*:/gi,\n  /** data: URIs with HTML/script content */\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n  /** SQL keywords */\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\n  /(--|\\/\\*|\\*\\/|#)/g,\n  /** SQL statement separators */\n  /(;|\\|\\||&&)/g,\n  /** Boolean injection: OR 1=1 */\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Boolean injection: AND 1=1 */\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Time-based blind: SLEEP() */\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\n  /** Time-based blind: BENCHMARK() */\n  /\\bBENCHMARK\\s*\\(/gi,\n  /** Time-based blind: PostgreSQL pg_sleep() */\n  /\\bpg_sleep\\s*\\(/gi,\n  /** Time-based blind: MSSQL WAITFOR DELAY */\n  /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n  /** Unix path traversal */\n  /\\.\\.\\//g,\n  /** Windows path traversal */\n  /\\.\\.\\\\/g,\n  /** URL-encoded traversal (%2e%2e) */\n  /%2e%2e/gi,\n  /** Double URL-encoded traversal (%252e) */\n  /%252e/gi,\n  /** Mixed encoding: ..%2F */\n  /\\.\\.%2F/gi,\n  /** Mixed encoding: %2e./ and .%2e/ */\n  /%2e\\.[\\\\/]/gi,\n  /\\.%2e[\\\\/]/gi,\n  /** Fully URL-encoded: %2e%2e%2f */\n  /%2e%2e%2f/gi,\n  /** Double URL-encoded forward slash: %252f */\n  /%252f/gi,\n  /** Dotdotslash bypass: ....// or ....\\\\ */\n  /\\.{2,}[/\\\\]{2,}/g,\n  /** Null byte injection in paths */\n  /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n  /**\n   * Shell metacharacters that enable command chaining/substitution.\n   * Bare ( and ) are excluded — they appear in common legitimate values\n   * (function calls in code fields, math expressions, etc.).\n   * Command substitution is caught by the $( combined pattern below.\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\n   * and Markdown; consider disabling command checking (command: false)\n   * for fields that intentionally allow those characters.\n   */\n  /[;&|`]/g,\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\n  /\\$\\(/g,\n  /** URL-encoded newline/carriage-return injection (%0a, %0d) */\n  /%0[ad]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/**\n * Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n *\n * Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n */\nexport const DANGEROUS_PROTO_KEYS = new Set([\n  '__proto__',\n  'constructor',\n  'prototype',\n  '__definegetter__',\n  '__definesetter__',\n  '__lookupgetter__',\n  '__lookupsetter__',\n]);\n\n/** MongoDB operators to block */\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n  // Comparison\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n  // Logical\n  '$and', '$or', '$not', '$nor',\n  // Element / evaluation\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n  // Array\n  '$elemMatch', '$all', '$size',\n  // JavaScript execution (critical)\n  '$function', '$accumulator',\n  // Aggregation pipeline operators (injectable via $lookup etc.)\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n  '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n  /** Replacement text for redacted values */\n  REPLACEMENT: '[REDACTED]',\n  /** Truncation indicator */\n  TRUNCATED: '[TRUNCATED]',\n  /** Max depth indicator */\n  MAX_DEPTH: '[MAX_DEPTH]',\n  /** Default max message length */\n  DEFAULT_MAX_LENGTH: 10_000,\n  /** Default sensitive keys to redact */\n  SENSITIVE_KEYS: new Set([\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n    'credentials', 'x-api-key', 'x-auth-token',\n  ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n  /**\n   * Email regex pattern.\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n   * leading/trailing dots, and other common invalid forms.\n   */\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\n  /**\n   * URL regex pattern.\n   * Only allows http:// and https:// — explicitly rejects javascript:,\n   * data:, vbscript:, and other dangerous URI schemes.\n   */\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\n  /** UUID regex pattern (v4) */\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n  /** Generic error message (production) */\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\n  /** Input too large error */\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n  /** Validation error messages */\n  VALIDATION: {\n    REQUIRED: (field: string) => `${field} is required`,\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n  },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/**\n * @module @arcis/node/middleware/headers\n * Security headers middleware\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport { HEADERS } from '../core/constants';\nimport type { HeaderOptions, HstsOptions } from '../core/types';\n\n/**\n * Create Express middleware for security headers.\n * Sets CSP, HSTS, X-Frame-Options, and other security headers.\n * \n * @param options - Header configuration\n * @returns Express middleware\n * \n * @example\n * app.use(createHeaders());\n * \n * @example\n * app.use(createHeaders({\n *   frameOptions: 'SAMEORIGIN',\n *   contentSecurityPolicy: \"default-src 'self'\"\n * }));\n */\nexport function createHeaders(options: HeaderOptions = {}): RequestHandler {\n  const {\n    contentSecurityPolicy = true,\n    xssFilter = true,\n    noSniff = true,\n    frameOptions = HEADERS.FRAME_OPTIONS,\n    hsts = true,\n    referrerPolicy = HEADERS.REFERRER_POLICY,\n    permissionsPolicy = HEADERS.PERMISSIONS_POLICY,\n    cacheControl = true,\n    crossOriginOpenerPolicy = 'same-origin',\n    crossOriginResourcePolicy = 'same-origin',\n    crossOriginEmbedderPolicy = 'require-corp',\n    originAgentCluster = true,\n    dnsPrefetchControl = true,\n  } = options;\n\n  return (req: Request, res: Response, next: NextFunction) => {\n    // Content Security Policy\n    if (contentSecurityPolicy) {\n      const csp = typeof contentSecurityPolicy === 'string' \n        ? contentSecurityPolicy \n        : HEADERS.DEFAULT_CSP;\n      res.setHeader('Content-Security-Policy', csp);\n    }\n\n    // X-XSS-Protection: 0 disables the legacy XSS auditor which was itself\n    // an attack vector (could be abused to selectively block legitimate scripts)\n    if (xssFilter) {\n      res.setHeader('X-XSS-Protection', '0');\n    }\n\n    // Prevent MIME type sniffing\n    if (noSniff) {\n      res.setHeader('X-Content-Type-Options', HEADERS.CONTENT_TYPE_OPTIONS);\n    }\n\n    // Clickjacking protection\n    if (frameOptions) {\n      res.setHeader('X-Frame-Options', frameOptions);\n    }\n\n    // HTTPS enforcement (HSTS)\n    // Only send HSTS over HTTPS — sending it over HTTP can brick HTTP-only\n    // development servers and confuses browsers that cache the directive.\n    // X-Forwarded-Proto is client-supplied so we validate the extracted value\n    // is exactly 'https' or 'http' before trusting it.\n    const forwardedProto = (req.headers['x-forwarded-proto'] as string | undefined)\n      ?.split(',')[0]\n      .trim()\n      .toLowerCase();\n    const trustedForwardedProto = forwardedProto === 'https' || forwardedProto === 'http'\n      ? forwardedProto\n      : undefined;\n    const isHttps = req.secure || trustedForwardedProto === 'https';\n\n    if (hsts && isHttps) {\n      const hstsOpts: HstsOptions = typeof hsts === 'object' ? hsts : {};\n      const maxAge = hstsOpts.maxAge ?? HEADERS.HSTS_MAX_AGE;\n      const includeSubDomains = hstsOpts.includeSubDomains !== false;\n      const preload = hstsOpts.preload === true;\n\n      let hstsValue = `max-age=${maxAge}`;\n      if (includeSubDomains) hstsValue += '; includeSubDomains';\n      if (preload) hstsValue += '; preload';\n\n      res.setHeader('Strict-Transport-Security', hstsValue);\n    }\n\n    // Referrer Policy\n    if (referrerPolicy) {\n      res.setHeader('Referrer-Policy', referrerPolicy);\n    }\n\n    // Permissions Policy\n    if (permissionsPolicy) {\n      res.setHeader('Permissions-Policy', permissionsPolicy);\n    }\n\n    // Cross-origin isolation headers (Spectre mitigation)\n    if (crossOriginOpenerPolicy) {\n      res.setHeader('Cross-Origin-Opener-Policy', crossOriginOpenerPolicy);\n    }\n\n    if (crossOriginResourcePolicy) {\n      res.setHeader('Cross-Origin-Resource-Policy', crossOriginResourcePolicy);\n    }\n\n    if (crossOriginEmbedderPolicy) {\n      res.setHeader('Cross-Origin-Embedder-Policy', crossOriginEmbedderPolicy);\n    }\n\n    // Request origin-keyed process isolation\n    if (originAgentCluster) {\n      res.setHeader('Origin-Agent-Cluster', '?1');\n    }\n\n    // Prevent DNS prefetching (privacy leak vector)\n    if (dnsPrefetchControl) {\n      res.setHeader('X-DNS-Prefetch-Control', 'off');\n    }\n\n    // Additional security headers\n    res.setHeader('X-Permitted-Cross-Domain-Policies', 'none');\n\n    // Cache-Control headers\n    if (cacheControl) {\n      const cacheControlValue = typeof cacheControl === 'string'\n        ? cacheControl\n        : HEADERS.CACHE_CONTROL;\n      res.setHeader('Cache-Control', cacheControlValue);\n      res.setHeader('Pragma', 'no-cache');\n      res.setHeader('Expires', '0');\n    }\n\n    // Remove fingerprinting headers\n    res.removeHeader('X-Powered-By');\n\n    next();\n  };\n}\n\n/**\n * Alias for createHeaders\n * @see createHeaders\n */\nexport const securityHeaders = createHeaders;\n","/**\n * @module @arcis/node/middleware/rate-limit\n * Rate limiting middleware\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport { RATE_LIMIT } from '../core/constants';\nimport type { RateLimitOptions, RateLimiterMiddleware, RateLimitEntry } from '../core/types';\n\n/** In-memory rate limit store */\ninterface InMemoryRateLimitStore {\n  [key: string]: RateLimitEntry;\n}\n\n/**\n * Create Express middleware for rate limiting.\n * \n * @param options - Rate limit configuration\n * @returns Express middleware with cleanup method\n * \n * @example\n * app.use(createRateLimiter({ max: 100, windowMs: 60000 }));\n * \n * @example\n * // Skip rate limiting for certain routes\n * app.use(createRateLimiter({\n *   max: 50,\n *   skip: (req) => req.path === '/health'\n * }));\n * \n * @example\n * // Cleanup on shutdown\n * const limiter = createRateLimiter();\n * app.use(limiter);\n * process.on('SIGTERM', () => limiter.close());\n */\nexport function createRateLimiter(options: RateLimitOptions = {}): RateLimiterMiddleware {\n  const {\n    max = RATE_LIMIT.DEFAULT_MAX_REQUESTS,\n    windowMs = RATE_LIMIT.DEFAULT_WINDOW_MS,\n    message = RATE_LIMIT.DEFAULT_MESSAGE,\n    statusCode = RATE_LIMIT.DEFAULT_STATUS_CODE,\n    keyGenerator = (req) => {\n      const ip = req.ip ?? req.socket?.remoteAddress;\n      if (!ip) {\n        console.warn(\n          '[arcis] Rate limiter: cannot resolve client IP. All unresolvable clients share ' +\n          'one counter. Set Express trust proxy if behind a reverse proxy.'\n        );\n        return 'unknown';\n      }\n      return ip;\n    },\n    skip,\n    store: externalStore,\n  } = options;\n\n  // Object.create(null) avoids prototype pollution if keyGenerator ever\n  // returns '__proto__', 'constructor', or 'prototype'.\n  const inMemoryStore = Object.create(null) as InMemoryRateLimitStore;\n\n  // Cleanup interval for in-memory store (only create if not using external store)\n  let cleanupInterval: ReturnType<typeof setInterval> | null = null;\n  \n  if (!externalStore) {\n    cleanupInterval = setInterval(() => {\n      const now = Date.now();\n      for (const key of Object.keys(inMemoryStore)) {\n        if (inMemoryStore[key].resetTime < now) {\n          delete inMemoryStore[key];\n        }\n      }\n    }, windowMs);\n\n    // Prevent interval from keeping the process alive (Node.js only)\n    if (typeof cleanupInterval.unref === 'function') {\n      cleanupInterval.unref();\n    }\n  }\n\n  const handler: RequestHandler = async (req: Request, res: Response, next: NextFunction) => {\n    try {\n      if (skip?.(req)) {\n        return next();\n      }\n\n      const key = keyGenerator(req);\n      const now = Date.now();\n\n      let count: number;\n      let resetTime: number;\n\n      if (externalStore) {\n        // Use external store (e.g., Redis)\n        const entry = await externalStore.get(key);\n        if (!entry || entry.resetTime < now) {\n          await externalStore.set(key, { count: 1, resetTime: now + windowMs });\n          count = 1;\n          resetTime = now + windowMs;\n        } else {\n          count = await externalStore.increment(key);\n          resetTime = entry.resetTime;\n        }\n      } else {\n        // Use in-memory store\n        if (!inMemoryStore[key] || inMemoryStore[key].resetTime < now) {\n          inMemoryStore[key] = { count: 1, resetTime: now + windowMs };\n        } else {\n          inMemoryStore[key].count++;\n        }\n        count = inMemoryStore[key].count;\n        resetTime = inMemoryStore[key].resetTime;\n      }\n\n      const remaining = Math.max(0, max - count);\n      const resetSeconds = Math.ceil((resetTime - now) / 1000);\n\n      // Set rate limit headers\n      res.setHeader('X-RateLimit-Limit', max.toString());\n      res.setHeader('X-RateLimit-Remaining', remaining.toString());\n      res.setHeader('X-RateLimit-Reset', resetSeconds.toString());\n\n      if (count > max) {\n        res.setHeader('Retry-After', resetSeconds.toString());\n        res.status(statusCode).json({\n          error: message,\n          retryAfter: resetSeconds,\n        });\n        return;\n      }\n\n      next();\n    } catch (error) {\n      // Log error but fail open (allow request through) to prevent DoS\n      console.error('[arcis] Rate limiter error:', error);\n      next();\n    }\n  };\n\n  // Attach close method for cleanup\n  const middleware = handler as RateLimiterMiddleware;\n  middleware.close = () => {\n    if (cleanupInterval) {\n      clearInterval(cleanupInterval);\n      cleanupInterval = null;\n    }\n  };\n\n  return middleware;\n}\n\n/**\n * Alias for createRateLimiter\n * @see createRateLimiter\n */\nexport const rateLimit = createRateLimiter;\n","/**\n * @module @arcis/node/middleware/error-handler\n * Production-safe error handler middleware\n */\n\nimport type { Request, Response, NextFunction } from 'express';\nimport { ERRORS } from '../core/constants';\nimport type { ErrorHandlerOptions, HttpError } from '../core/types';\n\n/**\n * Patterns that indicate database or infrastructure internals in error messages.\n * When detected, the message is replaced with a generic error to prevent info leakage.\n */\nconst SENSITIVE_ERROR_PATTERNS: RegExp[] = [\n  // SQL database errors\n  /\\b(SQLITE_ERROR|SQLSTATE|ORA-\\d|PG::|mysql_|pg_query|ECONNREFUSED)/i,\n  /\\b(syntax error at or near|relation \".*\" does not exist)/i,\n  /\\b(column \".*\" (does not exist|of relation))/i,\n  /\\b(duplicate key value violates unique constraint)/i,\n  /\\b(table .* doesn't exist|unknown column)/i,\n  // MongoDB errors\n  /\\b(MongoError|MongoServerError|MongoNetworkError|E11000 duplicate key)/i,\n  // Redis errors\n  /\\b(WRONGTYPE|CROSSSLOT|CLUSTERDOWN|READONLY|ReplyError)/i,\n  // Connection strings and DSNs\n  /\\b(mongodb(\\+srv)?:\\/\\/|postgres(ql)?:\\/\\/|mysql:\\/\\/|redis:\\/\\/)/i,\n  // Stack traces with file paths\n  /\\bat\\s+.*\\.(js|ts|py|go|java):\\d+/i,\n  // Internal IP addresses\n  /\\b(127\\.0\\.0\\.\\d+|10\\.\\d+\\.\\d+\\.\\d+|192\\.168\\.\\d+\\.\\d+|172\\.(1[6-9]|2\\d|3[01])\\.\\d+\\.\\d+)\\b/,\n];\n\n/**\n * Check if an error message contains sensitive infrastructure details.\n */\nexport function containsSensitiveInfo(message: string): boolean {\n  return SENSITIVE_ERROR_PATTERNS.some(pattern => pattern.test(message));\n}\n\n/**\n * Create Express error handler that hides sensitive details in production.\n *\n * Prevents information leakage by:\n * - Hiding stack traces in production\n * - Hiding error messages unless explicitly exposed\n * - Scrubbing database errors, connection strings, and internal IPs\n *\n * @param options - Error handler configuration (or boolean for isDev)\n * @returns Express error handling middleware\n *\n * @example\n * // Production mode (default) - hides error details\n * app.use(errorHandler());\n *\n * @example\n * // Development mode - shows error details and stack traces\n * app.use(errorHandler({ isDev: true }));\n *\n * @example\n * // With custom logger\n * app.use(errorHandler({\n *   isDev: false,\n *   logger: arcis.logger()\n * }));\n */\nexport function errorHandler(\n  options: ErrorHandlerOptions | boolean = false\n): (err: Error, req: Request, res: Response, next: NextFunction) => void {\n  const isDev = typeof options === 'boolean' ? options : options.isDev ?? false;\n  const logErrors = typeof options === 'object' ? options.logErrors ?? true : true;\n  const logger = typeof options === 'object' ? options.logger : undefined;\n  const customHandler = typeof options === 'object' ? options.customHandler : undefined;\n\n  return (err: HttpError, req: Request, res: Response, _next: NextFunction) => {\n    const statusCode = err.statusCode || err.status || 500;\n\n    // Custom handler takes precedence\n    if (customHandler) {\n      return customHandler(err, req, res);\n    }\n\n    // Always log full error details server-side\n    if (logErrors) {\n      const logData = {\n        error: err.message,\n        stack: err.stack,\n        statusCode,\n        path: req.path,\n        method: req.method,\n      };\n\n      if (logger) {\n        logger.error('Request error', logData);\n      } else {\n        console.error('[arcis] Request error:', logData);\n      }\n    }\n\n    // Build response\n    // Only expose err.message when err.expose === true (caller opted in) or in dev mode.\n    // This prevents internal details leaking through arbitrary 4xx errors that happen\n    // to contain sensitive info (e.g. \"DB query failed for user admin@corp.com\").\n    const exposeMessage = isDev || err.expose === true;\n\n    let clientMessage: string;\n    if (!exposeMessage) {\n      clientMessage = ERRORS.INTERNAL_SERVER_ERROR;\n    } else if (containsSensitiveInfo(err.message)) {\n      // Even when expose is true, scrub DB errors and infra details\n      clientMessage = isDev ? err.message : ERRORS.INTERNAL_SERVER_ERROR;\n    } else {\n      clientMessage = err.message;\n    }\n\n    const response: Record<string, unknown> = {\n      error: clientMessage,\n    };\n\n    // Only show details in development\n    if (isDev) {\n      response.stack = err.stack;\n      response.details = err.message;\n    }\n\n    res.status(statusCode).json(response);\n  };\n}\n\n/**\n * Alias for errorHandler\n * @see errorHandler\n */\nexport const createErrorHandler = errorHandler;\n","/**\n * @module @arcis/node/core/errors\n * Custom error classes for Arcis\n */\n\n/**\n * Base class for all Arcis errors\n */\nexport class ArcisError extends Error {\n  public readonly statusCode: number;\n  public readonly code: string;\n  /** Whether the error message is safe to expose to API clients. */\n  public readonly expose: boolean;\n\n  constructor(message: string, statusCode = 500, code = 'ARCIS_ERROR') {\n    super(message);\n    this.name = 'ArcisError';\n    this.statusCode = statusCode;\n    this.code = code;\n    // Client errors (4xx) have controlled messages — safe to expose.\n    // Server errors (5xx) may contain internal details — hide by default.\n    this.expose = statusCode < 500;\n\n    // Maintains proper stack trace for where error was thrown (V8 engines)\n    if (Error.captureStackTrace) {\n      Error.captureStackTrace(this, this.constructor);\n    }\n  }\n}\n\n/**\n * Error thrown when input validation fails\n */\nexport class ValidationError extends ArcisError {\n  public readonly errors: string[];\n\n  constructor(errors: string[]) {\n    super('Validation failed', 400, 'VALIDATION_ERROR');\n    this.name = 'ValidationError';\n    this.errors = errors;\n  }\n}\n\n/** Alias for ValidationError (backwards compatibility) */\nexport { ValidationError as ArcisValidationError };\n\n/**\n * Error thrown when rate limit is exceeded\n */\nexport class RateLimitError extends ArcisError {\n  public readonly retryAfter: number;\n\n  constructor(message: string, retryAfter: number) {\n    super(message, 429, 'RATE_LIMIT_EXCEEDED');\n    this.name = 'RateLimitError';\n    this.retryAfter = retryAfter;\n  }\n}\n\n/**\n * Error thrown when input is too large\n */\nexport class InputTooLargeError extends ArcisError {\n  public readonly maxSize: number;\n  public readonly actualSize: number;\n\n  constructor(maxSize: number, actualSize: number) {\n    super(`Input exceeds maximum size of ${maxSize} bytes`, 413, 'INPUT_TOO_LARGE');\n    this.name = 'InputTooLargeError';\n    this.maxSize = maxSize;\n    this.actualSize = actualSize;\n  }\n}\n\n/**\n * Error thrown when security threat is detected\n */\nexport class SecurityThreatError extends ArcisError {\n  public readonly threatType: string;\n  public readonly pattern: string;\n\n  constructor(threatType: string, pattern: string) {\n    super('Request blocked for security reasons', 400, 'SECURITY_THREAT');\n    this.name = 'SecurityThreatError';\n    this.threatType = threatType;\n    this.pattern = pattern;\n  }\n}\n\n/**\n * Error thrown when sanitization fails\n */\nexport class SanitizationError extends ArcisError {\n  constructor(message: string) {\n    super(message, 400, 'SANITIZATION_ERROR');\n    this.name = 'SanitizationError';\n  }\n}\n","/**\n * @module @arcis/node/sanitizers/utils\n * Shared utilities for sanitizers\n */\n\n/**\n * Encodes HTML entities to prevent interpretation as markup.\n * \n * @param str - The string to encode\n * @returns The encoded string\n */\nexport function encodeHtmlEntities(str: string): string {\n  return str\n    .replace(/&/g, '&amp;')\n    .replace(/</g, '&lt;')\n    .replace(/>/g, '&gt;')\n    .replace(/\"/g, '&quot;')\n    .replace(/'/g, '&#x27;');\n}\n\n/**\n * Checks if a value is a plain object (not null, array, Date, etc.)\n * \n * @param value - Value to check\n * @returns True if plain object\n */\nexport function isPlainObject(value: unknown): value is Record<string, unknown> {\n  if (typeof value !== 'object' || value === null || Array.isArray(value)) {\n    return false;\n  }\n  // Check the actual prototype chain rather than toString, which can be spoofed\n  // via Symbol.toStringTag. Accepts both Object.prototype (plain {}) and null\n  // prototype objects (Object.create(null)).\n  const proto = Object.getPrototypeOf(value as object);\n  return proto === Object.prototype || proto === null;\n}\n","/**\n * @module @arcis/node/sanitizers/xss\n * XSS (Cross-Site Scripting) prevention\n */\n\nimport { XSS_PATTERNS, XSS_REMOVE_PATTERNS } from '../core/constants';\nimport { encodeHtmlEntities } from './utils';\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\n\n/**\n * Sanitizes a string to prevent XSS attacks.\n * \n * Strategy:\n * 1. Remove dangerous patterns (script tags, event handlers, etc.)\n * 2. HTML-encode the remaining content\n * \n * @param input - The string to sanitize\n * @param collectThreats - Whether to collect threat information (default: false for performance)\n * @returns Sanitized string or SanitizeResult if collectThreats is true\n * \n * @example\n * sanitizeXss(\"<script>alert('xss')</script>\")\n * // Returns: \"&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;\"\n * \n * @example\n * sanitizeXss(\"<img onerror='alert(1)'>\")\n * // Returns: \"&lt;img&gt;\" (event handler removed)\n */\nexport function sanitizeXss(input: string, collectThreats?: false, htmlEncode?: boolean): string;\nexport function sanitizeXss(input: string, collectThreats: true, htmlEncode?: boolean): SanitizeResult;\nexport function sanitizeXss(input: string, collectThreats = false, htmlEncode = false): string | SanitizeResult {\n  if (typeof input !== 'string') {\n    return collectThreats \n      ? { value: String(input), wasSanitized: false, threats: [] }\n      : String(input);\n  }\n\n  const threats: ThreatInfo[] = [];\n  let value = input;\n  let wasSanitized = false;\n\n  // Remove dangerous patterns FIRST — XSS_REMOVE_PATTERNS is the single\n  // source of truth (defined in constants.ts alongside XSS_PATTERNS).\n  for (const pattern of XSS_REMOVE_PATTERNS) {\n    pattern.lastIndex = 0;\n    if (pattern.test(value)) {\n      pattern.lastIndex = 0;\n      \n      if (collectThreats) {\n        const matches = value.match(pattern);\n        if (matches) {\n          for (const match of matches) {\n            threats.push({\n              type: 'xss',\n              pattern: pattern.source,\n              original: match,\n            });\n          }\n        }\n      }\n      \n      value = value.replace(pattern, '');\n      wasSanitized = true;\n    }\n  }\n\n  // HTML-encode only when explicitly requested (SSR/template context).\n  // Do NOT encode by default — this is a REST API middleware; encoding\n  // here corrupts JSON data with HTML entities (&lt;, &amp;, etc.) that\n  // consumers would receive verbatim.\n  if (htmlEncode) {\n    const encoded = encodeHtmlEntities(value);\n    if (encoded !== value) {\n      wasSanitized = true;\n    }\n    value = encoded;\n  }\n\n  if (collectThreats) {\n    return { value, wasSanitized, threats };\n  }\n  \n  return value;\n}\n\n/**\n * Checks if a string contains potential XSS patterns.\n * Does not sanitize — use sanitizeXss() for that.\n * \n * @param input - The string to check\n * @returns True if XSS patterns detected\n */\nexport function detectXss(input: string): boolean {\n  if (typeof input !== 'string') return false;\n  \n  // Check for event handlers\n  if (/\\s+on\\w+\\s*=/i.test(input)) return true;\n  \n  // Check for dangerous protocols\n  if (/javascript\\s*:/i.test(input)) return true;\n  if (/vbscript\\s*:/i.test(input)) return true;\n  if (/data\\s*:\\s*text\\/html/i.test(input)) return true;\n  \n  // Check for patterns from constants\n  for (const pattern of XSS_PATTERNS) {\n    pattern.lastIndex = 0;\n    if (pattern.test(input)) {\n      return true;\n    }\n  }\n  \n  return false;\n}\n","/**\n * @module @arcis/node/sanitizers/sql\n * SQL injection prevention\n */\n\nimport { SQL_PATTERNS } from '../core/constants';\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\n\n/**\n * Sanitizes a string to prevent SQL injection attacks.\n * Replaces dangerous SQL patterns with [BLOCKED].\n * \n * @param input - The string to sanitize\n * @param collectThreats - Whether to collect threat information (default: false for performance)\n * @returns Sanitized string or SanitizeResult if collectThreats is true\n * \n * @example\n * sanitizeSql(\"'; DROP TABLE users; --\")\n * // Returns: \"';  TABLE users  \"\n */\nexport function sanitizeSql(input: string, collectThreats?: false): string;\nexport function sanitizeSql(input: string, collectThreats: true): SanitizeResult;\nexport function sanitizeSql(input: string, collectThreats = false): string | SanitizeResult {\n  if (typeof input !== 'string') {\n    return collectThreats \n      ? { value: String(input), wasSanitized: false, threats: [] }\n      : String(input);\n  }\n\n  const threats: ThreatInfo[] = [];\n  let value = input;\n  let wasSanitized = false;\n\n  for (const pattern of SQL_PATTERNS) {\n    // Reset regex lastIndex for global patterns\n    pattern.lastIndex = 0;\n    \n    if (pattern.test(value)) {\n      pattern.lastIndex = 0; // Reset again for replace\n      \n      if (collectThreats) {\n        const matches = value.match(pattern);\n        if (matches) {\n          for (const match of matches) {\n            threats.push({\n              type: 'sql_injection',\n              pattern: pattern.source,\n              original: match,\n            });\n          }\n        }\n      }\n      \n      // Replace the matched content with a space to avoid concatenating surrounding\n      // tokens into new dangerous strings (e.g. \"SELECTname\" after stripping \"SELECT\").\n      value = value.replace(pattern, ' ');\n      wasSanitized = true;\n    }\n  }\n\n  if (collectThreats) {\n    return { value, wasSanitized, threats };\n  }\n  \n  return value;\n}\n\n/**\n * Checks if a string contains potential SQL injection patterns.\n * Does not sanitize — use sanitizeSql() for that.\n * \n * @param input - The string to check\n * @returns True if SQL injection patterns detected\n */\nexport function detectSql(input: string): boolean {\n  if (typeof input !== 'string') return false;\n  \n  for (const pattern of SQL_PATTERNS) {\n    pattern.lastIndex = 0;\n    if (pattern.test(input)) {\n      return true;\n    }\n  }\n  \n  return false;\n}\n","/**\n * @module @arcis/node/sanitizers/path\n * Path traversal prevention\n */\n\nimport { PATH_PATTERNS } from '../core/constants';\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\n\n/**\n * Sanitizes a string to prevent path traversal attacks.\n * Removes ../ and ..\\ patterns (including URL-encoded variants).\n * \n * @param input - The string to sanitize\n * @param collectThreats - Whether to collect threat information (default: false for performance)\n * @returns Sanitized string or SanitizeResult if collectThreats is true\n * \n * @example\n * sanitizePath(\"../../etc/passwd\")\n * // Returns: \"etc/passwd\"\n */\nexport function sanitizePath(input: string, collectThreats?: false): string;\nexport function sanitizePath(input: string, collectThreats: true): SanitizeResult;\nexport function sanitizePath(input: string, collectThreats = false): string | SanitizeResult {\n  if (typeof input !== 'string') {\n    return collectThreats \n      ? { value: String(input), wasSanitized: false, threats: [] }\n      : String(input);\n  }\n\n  const threats: ThreatInfo[] = [];\n  let value = input;\n  let wasSanitized = false;\n\n  for (const pattern of PATH_PATTERNS) {\n    // Reset regex lastIndex for global patterns\n    pattern.lastIndex = 0;\n    \n    if (pattern.test(value)) {\n      pattern.lastIndex = 0; // Reset again for replace\n      \n      if (collectThreats) {\n        const matches = value.match(pattern);\n        if (matches) {\n          for (const match of matches) {\n            threats.push({\n              type: 'path_traversal',\n              pattern: pattern.source,\n              original: match,\n            });\n          }\n        }\n      }\n      \n      value = value.replace(pattern, '');\n      wasSanitized = true;\n    }\n  }\n\n  if (collectThreats) {\n    return { value, wasSanitized, threats };\n  }\n  \n  return value;\n}\n\n/**\n * Checks if a string contains path traversal patterns.\n * Does not sanitize — use sanitizePath() for that.\n * \n * @param input - The string to check\n * @returns True if path traversal patterns detected\n */\nexport function detectPathTraversal(input: string): boolean {\n  if (typeof input !== 'string') return false;\n  \n  for (const pattern of PATH_PATTERNS) {\n    pattern.lastIndex = 0;\n    if (pattern.test(input)) {\n      return true;\n    }\n  }\n  \n  return false;\n}\n","/**\n * @module @arcis/node/sanitizers/command\n * Command injection prevention\n */\n\nimport { COMMAND_PATTERNS } from '../core/constants';\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\n\n/**\n * Sanitizes a string to prevent command injection attacks.\n * Replaces shell metacharacters and dangerous commands with [BLOCKED].\n * \n * @param input - The string to sanitize\n * @param collectThreats - Whether to collect threat information (default: false for performance)\n * @returns Sanitized string or SanitizeResult if collectThreats is true\n * \n * @example\n * sanitizeCommand(\"file.txt; rm -rf /\")\n * // Returns: \"file.txt  rm -rf /\"\n */\nexport function sanitizeCommand(input: string, collectThreats?: false): string;\nexport function sanitizeCommand(input: string, collectThreats: true): SanitizeResult;\nexport function sanitizeCommand(input: string, collectThreats = false): string | SanitizeResult {\n  if (typeof input !== 'string') {\n    return collectThreats \n      ? { value: String(input), wasSanitized: false, threats: [] }\n      : String(input);\n  }\n\n  const threats: ThreatInfo[] = [];\n  let value = input;\n  let wasSanitized = false;\n\n  for (const pattern of COMMAND_PATTERNS) {\n    // Reset regex lastIndex for global patterns\n    pattern.lastIndex = 0;\n    \n    if (pattern.test(value)) {\n      pattern.lastIndex = 0; // Reset again for replace\n      \n      if (collectThreats) {\n        const matches = value.match(pattern);\n        if (matches) {\n          for (const match of matches) {\n            threats.push({\n              type: 'command_injection',\n              pattern: pattern.source,\n              original: match,\n            });\n          }\n        }\n      }\n      \n      value = value.replace(pattern, ' ');\n      wasSanitized = true;\n    }\n  }\n\n  if (collectThreats) {\n    return { value, wasSanitized, threats };\n  }\n  \n  return value;\n}\n\n/**\n * Checks if a string contains command injection patterns.\n * Does not sanitize — use sanitizeCommand() for that.\n * \n * @param input - The string to check\n * @returns True if command injection patterns detected\n */\nexport function detectCommandInjection(input: string): boolean {\n  if (typeof input !== 'string') return false;\n  \n  for (const pattern of COMMAND_PATTERNS) {\n    pattern.lastIndex = 0;\n    if (pattern.test(input)) {\n      return true;\n    }\n  }\n  \n  return false;\n}\n","/**\n * @module @arcis/node/sanitizers/sanitize\n * Main sanitization functions that combine all sanitizers\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport { INPUT, DANGEROUS_PROTO_KEYS, NOSQL_DANGEROUS_KEYS } from '../core/constants';\nimport { InputTooLargeError, SecurityThreatError } from '../core/errors';\nimport type { SanitizeOptions } from '../core/types';\nimport { sanitizeXss } from './xss';\nimport { sanitizeSql, detectSql } from './sql';\nimport { sanitizePath } from './path';\nimport { sanitizeCommand, detectCommandInjection } from './command';\n\n/**\n * Sanitize a string value against multiple attack vectors.\n * \n * Order matters: We do XSS encoding LAST because:\n * 1. Other sanitizers need to see the original patterns (e.g., SQL keywords)\n * 2. HTML encoding is the final safe output transformation\n * 3. Encoded entities like &lt; shouldn't be treated as SQL/command threats\n * \n * @param value - The string to sanitize\n * @param options - Sanitization options\n * @returns The sanitized string\n * \n * @example\n * sanitizeString(\"<script>alert('xss')</script>\")\n * // Returns: \"&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;\"\n * \n * @example\n * sanitizeString(\"../../etc/passwd\")\n * // Returns: \"etc/passwd\"\n */\nexport function sanitizeString(value: string, options: SanitizeOptions = {}): string {\n  if (typeof value !== 'string') return value;\n\n  // Input size limit to prevent DoS\n  const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;\n  if (value.length > maxSize) {\n    throw new InputTooLargeError(maxSize, value.length);\n  }\n\n  const reject = options.mode !== 'sanitize'; // default: 'reject'\n  let result = value;\n\n  // 1. SQL injection\n  if (options.sql !== false) {\n    if (reject) {\n      if (detectSql(result)) {\n        throw new SecurityThreatError('sql_injection', 'SQL pattern detected in input');\n      }\n    } else {\n      result = sanitizeSql(result);\n    }\n  }\n\n  // 2. Path traversal prevention\n  if (options.path !== false) {\n    result = sanitizePath(result);\n  }\n\n  // 3. Command injection\n  if (options.command !== false) {\n    if (reject) {\n      if (detectCommandInjection(result)) {\n        throw new SecurityThreatError('command_injection', 'Shell metacharacter detected in input');\n      }\n    } else {\n      result = sanitizeCommand(result);\n    }\n  }\n\n  // 4. XSS stripping — always runs to remove dangerous patterns.\n  // HTML encoding is opt-in via options.htmlEncode (for SSR contexts only).\n  if (options.xss !== false) {\n    result = sanitizeXss(result, false, options.htmlEncode ?? false);\n  }\n\n  return result;\n}\n\n/**\n * Sanitize an object recursively, including nested objects and arrays.\n * Also removes prototype pollution and NoSQL injection keys.\n * \n * @param obj - The object to sanitize\n * @param options - Sanitization options\n * @returns The sanitized object\n */\nexport function sanitizeObject(obj: unknown, options: SanitizeOptions = {}): unknown {\n  if (obj === null || obj === undefined) return obj;\n  if (typeof obj === 'string') return sanitizeString(obj, options);\n  if (typeof obj !== 'object') return obj;\n  if (Array.isArray(obj)) return obj.map(item => sanitizeObject(item, options));\n\n  const result = sanitizeObjectDepth(obj as Record<string, unknown>, options, 0);\n  return options.freeze ? Object.freeze(result) : result;\n}\n\n/**\n * Internal recursive sanitization with depth tracking.\n */\nfunction sanitizeObjectDepth(\n  obj: Record<string, unknown>,\n  options: SanitizeOptions,\n  depth: number\n): Record<string, unknown> {\n  if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;\n\n  const result: Record<string, unknown> = {};\n\n  for (const key of Object.keys(obj)) {\n    // Prototype pollution protection - always block dangerous keys (case-insensitive)\n    if (options.proto !== false && DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {\n      continue;\n    }\n\n    // NoSQL injection - skip dangerous MongoDB operators in keys\n    if (options.nosql !== false && NOSQL_DANGEROUS_KEYS.has(key)) {\n      continue;\n    }\n\n    // Sanitize the key against all active threat vectors (not just XSS).\n    // Keys can carry injection payloads that bubble into query builders or ORMs.\n    const sanitizedKey = sanitizeString(key, options);\n\n    // Recursively sanitize value\n    const value = obj[key];\n    if (value === null || value === undefined) {\n      result[sanitizedKey] = value;\n    } else if (typeof value === 'string') {\n      result[sanitizedKey] = sanitizeString(value, options);\n    } else if (Array.isArray(value)) {\n      result[sanitizedKey] = value.map(item => sanitizeObject(item, options));\n    } else if (typeof value === 'object') {\n      result[sanitizedKey] = sanitizeObjectDepth(value as Record<string, unknown>, options, depth + 1);\n    } else {\n      result[sanitizedKey] = value;\n    }\n  }\n\n  return result;\n}\n\n/**\n * Create Express middleware for request sanitization.\n * Sanitizes req.body, req.query, and req.params.\n * \n * @param options - Sanitization options\n * @returns Express middleware\n * \n * @example\n * app.use(createSanitizer());\n * \n * @example\n * app.use(createSanitizer({ xss: true, sql: true, nosql: true }));\n */\nexport function createSanitizer(options: SanitizeOptions = {}): RequestHandler {\n  return (req: Request, _res: Response, next: NextFunction) => {\n    try {\n      if (req.body && typeof req.body === 'object') {\n        req.body = sanitizeObject(req.body, options);\n      }\n      if (req.query && typeof req.query === 'object') {\n        const sanitizedQuery = sanitizeObject(req.query, options);\n        // Express 5: req.query is a getter with no setter — override on instance\n        Object.defineProperty(req, 'query', { value: sanitizedQuery, writable: true, configurable: true });\n      }\n      if (req.params && typeof req.params === 'object') {\n        const sanitizedParams = sanitizeObject(req.params, options);\n        Object.defineProperty(req, 'params', { value: sanitizedParams, writable: true, configurable: true });\n      }\n      next();\n    } catch (err) {\n      next(err);\n    }\n  };\n}\n","/**\n * @module @arcis/node/validation/schema\n * Request validation middleware\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport { VALIDATION, ERRORS } from '../core/constants';\nimport type { ValidationSchema, FieldValidator } from '../core/types';\nimport { sanitizeString } from '../sanitizers';\n\n/**\n * Create Express middleware for request validation.\n * Prevents mass assignment by only allowing fields defined in the schema.\n * \n * @param schema - Validation schema defining expected fields\n * @param source - Request property to validate ('body', 'query', or 'params')\n * @returns Express middleware\n * \n * @example\n * app.post('/users', validate({\n *   email: { type: 'email', required: true },\n *   name: { type: 'string', min: 2, max: 50 },\n *   age: { type: 'number', min: 0, max: 150 },\n *   role: { type: 'string', enum: ['user', 'admin'] }\n * }), handler);\n * \n * @example\n * // Validate query params\n * app.get('/search', validate({\n *   q: { type: 'string', required: true, min: 1 },\n *   page: { type: 'number', min: 1 }\n * }, 'query'), handler);\n */\nexport function validate(\n  schema: ValidationSchema,\n  source: 'body' | 'query' | 'params' = 'body'\n): RequestHandler {\n  return (req: Request, res: Response, next: NextFunction) => {\n    const data = req[source] || {};\n    const errors: string[] = [];\n    const validated: Record<string, unknown> = {};\n\n    for (const [field, rules] of Object.entries(schema)) {\n      const value = data[field];\n      const result = validateField(field, value, rules);\n      \n      if (result.errors.length > 0) {\n        errors.push(...result.errors);\n      } else if (result.value !== undefined) {\n        validated[field] = result.value;\n      }\n    }\n\n    if (errors.length > 0) {\n      res.status(400).json({ errors });\n      return;\n    }\n\n    // Replace with validated data (prevents mass assignment)\n    req[source] = validated as typeof req[typeof source];\n    next();\n  };\n}\n\n/**\n * Validate a single field against its rules.\n */\nfunction validateField(\n  field: string,\n  value: unknown,\n  rules: FieldValidator\n): { value?: unknown; errors: string[] } {\n  const errors: string[] = [];\n\n  // Required check\n  if (rules.required && (value === undefined || value === null || value === '')) {\n    errors.push(ERRORS.VALIDATION.REQUIRED(field));\n    return { errors };\n  }\n\n  // Skip optional empty fields\n  if (value === undefined || value === null) {\n    return { errors: [] };\n  }\n\n  let typedValue: unknown = value;\n  let isValid = true;\n\n  // Type validation and coercion\n  switch (rules.type) {\n    case 'string':\n      if (typeof value !== 'string') {\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'string'));\n        isValid = false;\n        break;\n      }\n      if (rules.min !== undefined && value.length < rules.min) {\n        errors.push(ERRORS.VALIDATION.MIN_LENGTH(field, rules.min));\n        isValid = false;\n      }\n      if (rules.max !== undefined && value.length > rules.max) {\n        errors.push(ERRORS.VALIDATION.MAX_LENGTH(field, rules.max));\n        isValid = false;\n      }\n      if (rules.pattern && !rules.pattern.test(value)) {\n        errors.push(ERRORS.VALIDATION.INVALID_FORMAT(field));\n        isValid = false;\n      }\n      // Enum check runs before sanitization so the raw value is compared.\n      // Sanitizing first could silently modify the value and cause a mismatch\n      // with enum entries that contain characters the sanitizer would strip.\n      if (isValid && rules.enum && !rules.enum.includes(value)) {\n        errors.push(ERRORS.VALIDATION.INVALID_ENUM(field, rules.enum));\n        isValid = false;\n      }\n      if (isValid && rules.sanitize !== false) {\n        typedValue = sanitizeString(value);\n      }\n      break;\n\n    case 'number':\n      typedValue = Number(value);\n      if (isNaN(typedValue as number)) {\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'number'));\n        isValid = false;\n        break;\n      }\n      if (rules.min !== undefined && (typedValue as number) < rules.min) {\n        errors.push(ERRORS.VALIDATION.MIN_VALUE(field, rules.min));\n        isValid = false;\n      }\n      if (rules.max !== undefined && (typedValue as number) > rules.max) {\n        errors.push(ERRORS.VALIDATION.MAX_VALUE(field, rules.max));\n        isValid = false;\n      }\n      break;\n\n    case 'boolean':\n      if (value === 'true' || value === true || value === 1 || value === '1') {\n        typedValue = true;\n      } else if (value === 'false' || value === false || value === 0 || value === '0') {\n        typedValue = false;\n      } else {\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'boolean'));\n        isValid = false;\n      }\n      break;\n\n    case 'email':\n      if (!VALIDATION.EMAIL.test(String(value))) {\n        errors.push(ERRORS.VALIDATION.INVALID_EMAIL(field));\n        isValid = false;\n      }\n      if (isValid) {\n        typedValue = sanitizeString(String(value).toLowerCase().trim());\n      }\n      break;\n\n    case 'url':\n      if (!VALIDATION.URL.test(String(value))) {\n        errors.push(ERRORS.VALIDATION.INVALID_URL(field));\n        isValid = false;\n      }\n      if (isValid) {\n        typedValue = sanitizeString(String(value));\n      }\n      break;\n\n    case 'uuid':\n      if (!VALIDATION.UUID.test(String(value))) {\n        errors.push(ERRORS.VALIDATION.INVALID_UUID(field));\n        isValid = false;\n      }\n      break;\n\n    case 'array':\n      if (!Array.isArray(value)) {\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'array'));\n        isValid = false;\n        break;\n      }\n      if (rules.min !== undefined && value.length < rules.min) {\n        errors.push(ERRORS.VALIDATION.MIN_ITEMS(field, rules.min));\n        isValid = false;\n      }\n      if (rules.max !== undefined && value.length > rules.max) {\n        errors.push(ERRORS.VALIDATION.MAX_ITEMS(field, rules.max));\n        isValid = false;\n      }\n      break;\n\n    case 'object':\n      if (typeof value !== 'object' || Array.isArray(value) || value === null) {\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'object'));\n        isValid = false;\n      }\n      break;\n  }\n\n  // Enum validation for non-string types (strings check enum before sanitizing above).\n  if (isValid && rules.enum && rules.type !== 'string' && !rules.enum.includes(typedValue)) {\n    errors.push(ERRORS.VALIDATION.INVALID_ENUM(field, rules.enum));\n    isValid = false;\n  }\n\n  // Custom validation\n  if (isValid && rules.custom) {\n    const customResult = rules.custom(typedValue);\n    if (customResult === undefined) {\n      throw new TypeError(\n        `Custom validator for field \"${field}\" returned undefined. ` +\n        'Return true to pass, false to fail, or a string error message.'\n      );\n    }\n    if (customResult !== true) {\n      errors.push(typeof customResult === 'string' && customResult.length > 0 ? customResult : `${field} is invalid`);\n      isValid = false;\n    }\n  }\n\n  return {\n    value: isValid ? typedValue : undefined,\n    errors,\n  };\n}\n\n/**\n * Alias for validate\n * @see validate\n */\nexport const createValidator = validate;\n","/**\n * @module @arcis/node/validation/file\n * File upload validation and filename sanitization\n */\n\n// =============================================================================\n// MAGIC BYTES — first bytes of common file types\n// =============================================================================\n\nconst MAGIC_BYTES: Record<string, Buffer[]> = {\n  // Images\n  'image/jpeg': [Buffer.from([0xFF, 0xD8, 0xFF])],\n  'image/png': [Buffer.from([0x89, 0x50, 0x4E, 0x47])],\n  'image/gif': [Buffer.from('GIF87a'), Buffer.from('GIF89a')],\n  'image/webp': [Buffer.from('RIFF')], // RIFF....WEBP\n  'image/bmp': [Buffer.from([0x42, 0x4D])],\n  'image/svg+xml': [], // text-based, check separately\n\n  // Documents\n  'application/pdf': [Buffer.from('%PDF')],\n  'application/zip': [Buffer.from([0x50, 0x4B, 0x03, 0x04])],\n\n  // Audio/Video\n  'audio/mpeg': [Buffer.from([0xFF, 0xFB]), Buffer.from([0xFF, 0xF3]), Buffer.from([0x49, 0x44, 0x33])],\n  'video/mp4': [], // ftyp at offset 4\n};\n\n// =============================================================================\n// DANGEROUS EXTENSIONS — files that can execute code\n// =============================================================================\n\nconst DANGEROUS_EXTENSIONS = new Set([\n  // Scripts\n  '.exe', '.bat', '.cmd', '.com', '.msi', '.scr', '.pif',\n  '.vbs', '.vbe', '.js', '.jse', '.ws', '.wsf', '.wsc', '.wsh',\n  '.ps1', '.ps1xml', '.ps2', '.ps2xml', '.psc1', '.psc2',\n  '.sh', '.bash', '.csh', '.ksh',\n  // Server-side\n  '.php', '.php3', '.php4', '.php5', '.phtml', '.pht',\n  '.asp', '.aspx', '.ashx', '.asmx', '.cer',\n  '.jsp', '.jspx', '.jsw', '.jsv',\n  '.cgi', '.pl', '.py', '.rb',\n  // Java\n  '.jar', '.war', '.ear', '.class',\n  // Config that can execute\n  '.htaccess', '.htpasswd',\n  // Template engines\n  '.ejs', '.pug', '.hbs', '.handlebars', '.njk', '.twig',\n  // Shortcuts/links\n  '.lnk', '.inf', '.reg', '.url',\n  // Office macros\n  '.docm', '.xlsm', '.pptm', '.dotm',\n]);\n\n// =============================================================================\n// TYPES\n// =============================================================================\n\n/** File upload validation options */\nexport interface ValidateFileOptions {\n  /** Maximum file size in bytes. Default: 5MB */\n  maxSize?: number;\n  /** Allowed MIME types (e.g., ['image/jpeg', 'image/png']) */\n  allowedTypes?: string[];\n  /** Allowed file extensions (e.g., ['.jpg', '.png']). Includes dot. */\n  allowedExtensions?: string[];\n  /** Block dangerous/executable extensions. Default: true */\n  blockExecutables?: boolean;\n  /** Validate magic bytes match the claimed MIME type. Default: true */\n  validateMagicBytes?: boolean;\n  /** Block files with no extension. Default: true */\n  blockNoExtension?: boolean;\n  /** Block double extensions (e.g., file.php.jpg). Default: true */\n  blockDoubleExtensions?: boolean;\n}\n\n/** File metadata for validation */\nexport interface FileInput {\n  /** Original filename */\n  filename: string;\n  /** MIME type (as claimed by client) */\n  mimetype: string;\n  /** File size in bytes */\n  size: number;\n  /** File content buffer (for magic byte validation) */\n  buffer?: Buffer;\n}\n\n/** File validation result */\nexport interface ValidateFileResult {\n  /** Whether the file passed validation */\n  valid: boolean;\n  /** Validation errors (empty if valid) */\n  errors: string[];\n  /** Sanitized filename (safe for storage) */\n  sanitizedFilename: string;\n}\n\n// =============================================================================\n// DEFAULTS\n// =============================================================================\n\nconst DEFAULT_MAX_SIZE = 5 * 1024 * 1024; // 5MB\n\n// =============================================================================\n// FILENAME SANITIZATION\n// =============================================================================\n\n/**\n * Sanitize a filename for safe storage.\n *\n * Strips path traversal, null bytes, control characters, and special characters.\n * Preserves the extension and converts to a filesystem-safe name.\n *\n * @param filename - The original filename\n * @returns A sanitized filename safe for storage\n *\n * @example\n * sanitizeFilename('../../etc/passwd')          // 'etc_passwd'\n * sanitizeFilename('file<name>.jpg')            // 'filename.jpg'\n * sanitizeFilename('photo (1).jpg')             // 'photo_1.jpg'\n * sanitizeFilename('.htaccess')                 // 'htaccess'\n */\nexport function sanitizeFilename(filename: string): string {\n  let name = filename;\n\n  // Strip null bytes\n  name = name.replace(/\\0/g, '');\n\n  // Strip path components (both Unix and Windows)\n  name = name.replace(/^.*[/\\\\]/, '');\n\n  // Strip control characters\n  name = name.replace(/[\\x00-\\x1F\\x7F]/g, '');\n\n  // Strip characters unsafe for filesystems\n  name = name.replace(/[<>:\"/\\\\|?*]/g, '');\n\n  // Replace spaces and parens with underscores\n  name = name.replace(/[\\s()]+/g, '_');\n\n  // Strip leading dots (hidden files / .htaccess)\n  name = name.replace(/^\\.+/, '');\n\n  // Collapse multiple underscores/dots\n  name = name.replace(/_{2,}/g, '_');\n  name = name.replace(/\\.{2,}/g, '.');\n\n  // Trim underscores before dots (e.g., \"photo_1_.jpg\" → \"photo_1.jpg\")\n  name = name.replace(/_+\\./g, '.');\n\n  // Trim underscores from edges\n  name = name.replace(/^_+|_+$/g, '');\n\n  // Fallback for empty name\n  if (!name || name === '.') {\n    name = 'unnamed';\n  }\n\n  return name;\n}\n\n// =============================================================================\n// MAGIC BYTE VALIDATION\n// =============================================================================\n\n/**\n * Check if file content matches the claimed MIME type via magic bytes.\n */\nfunction matchesMagicBytes(buffer: Buffer, mimetype: string): boolean {\n  const signatures = MAGIC_BYTES[mimetype];\n  if (!signatures || signatures.length === 0) return true; // no signature to check\n\n  return signatures.some(sig => {\n    if (buffer.length < sig.length) return false;\n    return buffer.subarray(0, sig.length).equals(sig);\n  });\n}\n\n// =============================================================================\n// EXTENSION HELPERS\n// =============================================================================\n\n/**\n * Get the extension from a filename (lowercase, with dot).\n */\nfunction getExtension(filename: string): string {\n  const lastDot = filename.lastIndexOf('.');\n  if (lastDot < 1) return '';\n  return filename.slice(lastDot).toLowerCase();\n}\n\n/**\n * Check if a filename has double extensions (e.g., file.php.jpg).\n */\nfunction hasDoubleExtension(filename: string): boolean {\n  const parts = filename.split('.');\n  if (parts.length < 3) return false;\n\n  // Check if any non-final extension is dangerous\n  for (let i = 1; i < parts.length - 1; i++) {\n    const ext = '.' + parts[i].toLowerCase();\n    if (DANGEROUS_EXTENSIONS.has(ext)) return true;\n  }\n  return false;\n}\n\n// =============================================================================\n// FILE VALIDATION\n// =============================================================================\n\n/**\n * Validate a file upload for security.\n *\n * Checks file size, MIME type, extension, magic bytes, and dangerous patterns.\n * Returns a result with validation errors and a sanitized filename.\n *\n * @param file - File metadata and optional content\n * @param options - Validation options\n * @returns Validation result\n *\n * @example\n * const result = validateFile(\n *   { filename: 'photo.jpg', mimetype: 'image/jpeg', size: 1024, buffer },\n *   { allowedTypes: ['image/jpeg', 'image/png'], maxSize: 2 * 1024 * 1024 }\n * );\n * if (!result.valid) {\n *   return res.status(400).json({ errors: result.errors });\n * }\n * // Use result.sanitizedFilename for storage\n *\n * @example\n * // Block executables only (no whitelist)\n * const result = validateFile(file, { blockExecutables: true });\n */\nexport function validateFile(\n  file: FileInput,\n  options: ValidateFileOptions = {}\n): ValidateFileResult {\n  const {\n    maxSize = DEFAULT_MAX_SIZE,\n    allowedTypes,\n    allowedExtensions,\n    blockExecutables = true,\n    validateMagicBytes = true,\n    blockNoExtension = true,\n    blockDoubleExtensions = true,\n  } = options;\n\n  const errors: string[] = [];\n  const sanitizedFilename = sanitizeFilename(file.filename);\n  const extension = getExtension(sanitizedFilename);\n\n  // Size check\n  if (file.size > maxSize) {\n    errors.push(`File size ${file.size} exceeds maximum ${maxSize} bytes`);\n  }\n\n  if (file.size === 0) {\n    errors.push('File is empty');\n  }\n\n  // Extension checks\n  if (blockNoExtension && !extension) {\n    errors.push('File has no extension');\n  }\n\n  if (blockExecutables && extension && DANGEROUS_EXTENSIONS.has(extension)) {\n    errors.push(`Executable extension \"${extension}\" is not allowed`);\n  }\n\n  if (blockDoubleExtensions && hasDoubleExtension(sanitizedFilename)) {\n    errors.push('Double extensions with executable types are not allowed');\n  }\n\n  if (allowedExtensions && extension) {\n    const normalizedAllowed = allowedExtensions.map(e => e.toLowerCase());\n    if (!normalizedAllowed.includes(extension)) {\n      errors.push(`Extension \"${extension}\" is not allowed. Allowed: ${normalizedAllowed.join(', ')}`);\n    }\n  }\n\n  // MIME type check\n  if (allowedTypes && !allowedTypes.includes(file.mimetype)) {\n    errors.push(`MIME type \"${file.mimetype}\" is not allowed. Allowed: ${allowedTypes.join(', ')}`);\n  }\n\n  // Magic bytes validation\n  if (validateMagicBytes && file.buffer && file.buffer.length > 0) {\n    if (!matchesMagicBytes(file.buffer, file.mimetype)) {\n      errors.push(`File content does not match claimed MIME type \"${file.mimetype}\"`);\n    }\n  }\n\n  return {\n    valid: errors.length === 0,\n    errors,\n    sanitizedFilename,\n  };\n}\n\n/**\n * Check if a file extension is considered dangerous/executable.\n *\n * @param filename - Filename or extension to check\n * @returns true if the extension is dangerous\n */\nexport function isDangerousExtension(filename: string): boolean {\n  const ext = getExtension(filename);\n  return ext !== '' && DANGEROUS_EXTENSIONS.has(ext);\n}\n","/**\n * @module @arcis/node/logging/redactor\n * Safe logging with PII/secret redaction\n */\n\nimport { REDACTION, INPUT } from '../core/constants';\nimport type { LogOptions, SafeLogger } from '../core/types';\n\nconst LOG_LEVELS: Record<string, number> = {\n  debug: 0,\n  info: 1,\n  warn: 2,\n  error: 3,\n  silent: 4,\n};\n\n/**\n * Create a safe logger that redacts sensitive data and prevents log injection.\n * \n * @param options - Logger configuration\n * @returns SafeLogger instance\n * \n * @example\n * const logger = createSafeLogger();\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\n * \n * @example\n * // With custom redact keys\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\n */\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\n  const {\n    redactKeys = [],\n    maxLength = REDACTION.DEFAULT_MAX_LENGTH,\n    redactPatterns = [],\n    level: minLevel = 'debug',\n  } = options;\n\n  const minLevelNum = LOG_LEVELS[minLevel] ?? 0;\n\n  // Combine default and custom keys (lowercase for case-insensitive matching)\n  const allRedactKeys = new Set([\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\n    ...redactKeys.map(k => k.toLowerCase()),\n  ]);\n\n  /**\n   * Redact sensitive data from an object recursively.\n   */\n  function redact(obj: unknown, depth = 0): unknown {\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n    if (obj === null || obj === undefined) return obj;\n\n    if (typeof obj === 'string') {\n      return redactString(obj, maxLength, redactPatterns);\n    }\n\n    if (typeof obj !== 'object') return obj;\n\n    if (Array.isArray(obj)) {\n      return obj.map(item => redact(item, depth + 1));\n    }\n\n    const result: Record<string, unknown> = {};\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n      if (allRedactKeys.has(key.toLowerCase())) {\n        result[key] = REDACTION.REPLACEMENT;\n      } else {\n        result[key] = redact(value, depth + 1);\n      }\n    }\n    return result;\n  }\n\n  /**\n   * Log a message at the specified level.\n   */\n  function log(level: string, message: string, data?: unknown): void {\n    // Early exit: skip all work if message level is below minimum\n    const levelNum = LOG_LEVELS[level] ?? 0;\n    if (levelNum < minLevelNum) return;\n\n    const entry: Record<string, unknown> = {\n      timestamp: new Date().toISOString(),\n      level,\n      message: redactString(message, maxLength, redactPatterns),\n    };\n\n    if (data !== undefined) {\n      entry.data = redact(data);\n    }\n\n    console.log(JSON.stringify(entry));\n  }\n\n  return {\n    log,\n    info: (msg: string, data?: unknown) => log('info', msg, data),\n    warn: (msg: string, data?: unknown) => log('warn', msg, data),\n    error: (msg: string, data?: unknown) => log('error', msg, data),\n    debug: (msg: string, data?: unknown) => log('debug', msg, data),\n  };\n}\n\n/**\n * Redact a string value.\n * Removes newlines (log injection prevention), applies patterns, and truncates.\n */\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\n  // Remove newlines/tabs (log injection prevention) and genuine control characters.\n  // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\n  // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\n  let safe = str\n    .replace(/[\\r\\n\\t]/g, ' ')\n    .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\n\n  // Apply custom redaction patterns\n  for (const pattern of patterns) {\n    safe = safe.replace(pattern, REDACTION.REPLACEMENT);\n  }\n\n  // Truncate if too long\n  if (safe.length > maxLength) {\n    safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\n  }\n\n  return safe;\n}\n\n/**\n * Create a redactor function for custom use.\n * \n * @param sensitiveKeys - Keys to redact\n * @returns Redactor function\n */\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\n  const allKeys = new Set([\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\n    ...sensitiveKeys.map(k => k.toLowerCase()),\n  ]);\n\n  function redact(obj: unknown, depth = 0): unknown {\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n    if (obj === null || obj === undefined) return obj;\n    if (typeof obj !== 'object') return obj;\n\n    if (Array.isArray(obj)) {\n      return obj.map(item => redact(item, depth + 1));\n    }\n\n    const result: Record<string, unknown> = {};\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n      if (allKeys.has(key.toLowerCase())) {\n        result[key] = REDACTION.REPLACEMENT;\n      } else {\n        result[key] = redact(value, depth + 1);\n      }\n    }\n    return result;\n  }\n\n  return redact;\n}\n\n/**\n * Alias for createSafeLogger\n * @see createSafeLogger\n */\nexport const safeLog = createSafeLogger;\n","/**\n * @module @arcis/node/middleware/main\n * Main arcis() middleware factory\n */\n\nimport type { RequestHandler } from 'express';\nimport type {\n  ArcisOptions,\n  ArcisFunction,\n  ArcisMiddlewareStack,\n  HeaderOptions,\n  RateLimitOptions,\n  SanitizeOptions,\n} from '../core/types';\nimport { createHeaders } from './headers';\nimport { createRateLimiter } from './rate-limit';\nimport { createErrorHandler } from './error-handler';\nimport { createSanitizer } from '../sanitizers';\nimport { validate } from '../validation';\nimport { createSafeLogger } from '../logging';\n\n/**\n * Create Arcis middleware with all protections enabled.\n * \n * @param options - Configuration options\n * @returns Array of Express middleware\n * \n * @example\n * // Full protection (recommended)\n * app.use(arcis());\n * \n * @example\n * // Custom configuration\n * app.use(arcis({\n *   rateLimit: { max: 50 },\n *   headers: { frameOptions: 'SAMEORIGIN' }\n * }));\n * \n * @example\n * // Disable specific features\n * app.use(arcis({\n *   rateLimit: false,\n *   sanitize: { sql: false }\n * }));\n * \n * @example\n * // Cleanup on shutdown\n * const middleware = arcis();\n * app.use(middleware);\n * process.on('SIGTERM', () => middleware.close());\n */\nexport function arcis(options: ArcisOptions = {}): ArcisMiddlewareStack {\n  const middlewares: RequestHandler[] = [];\n  const cleanupFns: (() => void)[] = [];\n\n  // Security headers (first, always)\n  if (options.headers !== false) {\n    const headerOpts: HeaderOptions = typeof options.headers === 'object' \n      ? options.headers \n      : {};\n    middlewares.push(createHeaders(headerOpts));\n  }\n\n  // Rate limiting\n  if (options.rateLimit !== false) {\n    const rateLimitOpts: RateLimitOptions = typeof options.rateLimit === 'object' \n      ? options.rateLimit \n      : {};\n    const rateLimiter = createRateLimiter(rateLimitOpts);\n    middlewares.push(rateLimiter);\n    cleanupFns.push(() => rateLimiter.close());\n  }\n\n  // Input sanitization (last, after body parsing)\n  if (options.sanitize !== false) {\n    const sanitizeOpts: SanitizeOptions = typeof options.sanitize === 'object' \n      ? options.sanitize \n      : {};\n    middlewares.push(createSanitizer(sanitizeOpts));\n  }\n\n  // Attach close() directly on the array so callers can clean up without any-casts.\n  const result = middlewares as ArcisMiddlewareStack;\n  result.close = () => {\n    for (const fn of cleanupFns) {\n      fn();\n    }\n  };\n\n  return result;\n}\n\n// Attach individual functions for granular use\nconst arcisWithMethods = arcis as ArcisFunction;\narcisWithMethods.sanitize = createSanitizer;\narcisWithMethods.rateLimit = createRateLimiter;\narcisWithMethods.headers = createHeaders;\narcisWithMethods.validate = validate;\narcisWithMethods.logger = createSafeLogger;\narcisWithMethods.errorHandler = createErrorHandler;\n\nexport { arcisWithMethods as arcisFunction };\nexport default arcisWithMethods;\n","/**\n * @module @arcis/node/utils/duration\n * Parse human-readable duration strings into milliseconds.\n *\n * Supports: ms, s, m, h, d\n *\n * @example\n * parseDuration('5m')    // 300000\n * parseDuration('2h')    // 7200000\n * parseDuration(60000)   // 60000 (passthrough)\n * parseDuration('500ms') // 500\n */\n\n/** Maximum duration: ~49.7 days (uint32 max in ms) */\nconst MAX_DURATION_MS = 4_294_967_295;\n\nconst DURATION_REGEX = /^(\\d+(?:\\.\\d+)?)\\s*(ms|s|m|h|d)$/i;\n\nconst UNIT_TO_MS: Record<string, number> = {\n  ms: 1,\n  s: 1_000,\n  m: 60_000,\n  h: 3_600_000,\n  d: 86_400_000,\n};\n\n/**\n * Parse a duration string or number into milliseconds.\n *\n * @param value - Duration string (e.g. \"5m\", \"2h\", \"30s\") or number (ms)\n * @returns Duration in milliseconds\n * @throws {Error} If the value is not a valid duration\n *\n * @example\n * parseDuration('15m')   // 900000\n * parseDuration('1d')    // 86400000\n * parseDuration('500ms') // 500\n * parseDuration(60000)   // 60000\n */\nexport function parseDuration(value: string | number): number {\n  if (typeof value === 'number') {\n    if (!Number.isFinite(value) || value < 0) {\n      throw new Error(`Invalid duration: ${value}. Must be a non-negative finite number.`);\n    }\n    return Math.min(Math.floor(value), MAX_DURATION_MS);\n  }\n\n  if (typeof value !== 'string' || value.trim() === '') {\n    throw new Error(`Invalid duration: \"${value}\". Expected a duration string (e.g. \"5m\", \"2h\") or number.`);\n  }\n\n  const match = value.trim().match(DURATION_REGEX);\n  if (!match) {\n    throw new Error(\n      `Invalid duration: \"${value}\". Expected format: <number><unit> where unit is ms, s, m, h, or d.`\n    );\n  }\n\n  const amount = parseFloat(match[1]);\n  const unit = match[2].toLowerCase();\n  const ms = Math.floor(amount * UNIT_TO_MS[unit]);\n\n  if (ms < 0 || ms > MAX_DURATION_MS) {\n    throw new Error(`Duration \"${value}\" exceeds maximum allowed (${MAX_DURATION_MS}ms / ~49.7 days).`);\n  }\n\n  return ms;\n}\n\n/**\n * Format milliseconds into a human-readable duration string.\n *\n * @param ms - Duration in milliseconds\n * @returns Human-readable string (e.g. \"5m\", \"2h 30m\")\n */\nexport function formatDuration(ms: number): string {\n  if (!Number.isFinite(ms) || ms < 0) return '0ms';\n\n  if (ms < 1000) return `${ms}ms`;\n\n  const days = Math.floor(ms / 86_400_000);\n  const hours = Math.floor((ms % 86_400_000) / 3_600_000);\n  const minutes = Math.floor((ms % 3_600_000) / 60_000);\n  const seconds = Math.floor((ms % 60_000) / 1_000);\n\n  const parts: string[] = [];\n  if (days > 0) parts.push(`${days}d`);\n  if (hours > 0) parts.push(`${hours}h`);\n  if (minutes > 0) parts.push(`${minutes}m`);\n  if (seconds > 0) parts.push(`${seconds}s`);\n\n  return parts.join(' ') || '0ms';\n}\n","/**\n * @module @arcis/node/middleware/rate-limit-sliding\n * Sliding window rate limiting middleware.\n *\n * More accurate than fixed window — uses a weighted sum of the previous\n * and current window to approximate a true sliding window.\n *\n * Algorithm:\n *   weight = (windowMs - elapsed) / windowMs\n *   count = (prevWindow * weight) + currentWindow\n *   allow = count < limit\n *\n * @example\n * app.use(createSlidingWindowLimiter({ max: 100, window: '15m' }));\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport { parseDuration } from '../utils/duration';\nimport { RATE_LIMIT } from '../core/constants';\n\nexport interface SlidingWindowOptions {\n  /** Maximum requests per window. Default: 100 */\n  max?: number;\n  /** Window size in ms or duration string. Default: '1m' */\n  window?: string | number;\n  /** Error message when limit exceeded */\n  message?: string;\n  /** HTTP status code for rate limited responses. Default: 429 */\n  statusCode?: number;\n  /** Function to generate rate limit key from request */\n  keyGenerator?: (req: Request) => string;\n  /** Function to skip rate limiting for certain requests */\n  skip?: (req: Request) => boolean;\n}\n\ninterface WindowEntry {\n  count: number;\n  startTime: number;\n}\n\nexport interface SlidingWindowMiddleware extends RequestHandler {\n  close: () => void;\n}\n\n/**\n * Create sliding window rate limiter middleware.\n *\n * @example\n * // 100 requests per 15 minutes\n * app.use(createSlidingWindowLimiter({ max: 100, window: '15m' }));\n *\n * @example\n * // Strict API limit\n * app.use('/api', createSlidingWindowLimiter({ max: 30, window: '1m' }));\n */\nexport function createSlidingWindowLimiter(options: SlidingWindowOptions = {}): SlidingWindowMiddleware {\n  const {\n    max = RATE_LIMIT.DEFAULT_MAX_REQUESTS,\n    window: windowOpt = RATE_LIMIT.DEFAULT_WINDOW_MS,\n    message = RATE_LIMIT.DEFAULT_MESSAGE,\n    statusCode = RATE_LIMIT.DEFAULT_STATUS_CODE,\n    keyGenerator = (req) => req.ip ?? req.socket?.remoteAddress ?? 'unknown',\n    skip,\n  } = options;\n\n  const windowMs = parseDuration(windowOpt);\n\n  // Two windows per key: current and previous\n  const currentWindows = Object.create(null) as Record<string, WindowEntry>;\n  const previousWindows = Object.create(null) as Record<string, WindowEntry>;\n\n  const cleanupInterval = setInterval(() => {\n    const now = Date.now();\n    const cutoff = now - windowMs * 2; // Keep 2 windows worth\n    for (const key of Object.keys(previousWindows)) {\n      if (previousWindows[key].startTime < cutoff) {\n        delete previousWindows[key];\n      }\n    }\n    for (const key of Object.keys(currentWindows)) {\n      if (currentWindows[key].startTime < cutoff) {\n        delete currentWindows[key];\n      }\n    }\n  }, windowMs);\n\n  if (typeof cleanupInterval.unref === 'function') {\n    cleanupInterval.unref();\n  }\n\n  const handler: RequestHandler = (req: Request, res: Response, next: NextFunction) => {\n    try {\n      if (skip?.(req)) return next();\n\n      const key = keyGenerator(req);\n      const now = Date.now();\n\n      // Determine current window boundaries\n      const windowStart = Math.floor(now / windowMs) * windowMs;\n\n      // Rotate windows if needed\n      if (!currentWindows[key] || currentWindows[key].startTime < windowStart) {\n        // Move current to previous\n        if (currentWindows[key]) {\n          previousWindows[key] = currentWindows[key];\n        }\n        currentWindows[key] = { count: 0, startTime: windowStart };\n      }\n\n      // Calculate weighted count BEFORE incrementing\n      const elapsed = now - windowStart;\n      const weight = Math.max(0, (windowMs - elapsed) / windowMs);\n      const prevCount = previousWindows[key]?.count ?? 0;\n      const estimatedCount = (prevCount * weight) + currentWindows[key].count + 1;\n\n      const remaining = Math.max(0, Math.floor(max - estimatedCount));\n      const resetMs = windowStart + windowMs - now;\n      const resetSeconds = Math.max(1, Math.ceil(resetMs / 1000));\n\n      // Set rate limit headers\n      res.setHeader('X-RateLimit-Limit', max.toString());\n      res.setHeader('X-RateLimit-Remaining', remaining.toString());\n      res.setHeader('X-RateLimit-Reset', resetSeconds.toString());\n      res.setHeader('X-RateLimit-Policy', `${max};w=${Math.floor(windowMs / 1000)}`);\n\n      if (estimatedCount > max) {\n        // Don't increment — rejected requests should not consume quota\n        res.setHeader('Retry-After', resetSeconds.toString());\n        res.status(statusCode).json({\n          error: message,\n          retryAfter: resetSeconds,\n        });\n        return;\n      }\n\n      // Only increment on allowed requests\n      currentWindows[key].count++;\n\n      next();\n    } catch (error) {\n      // Fail open\n      console.error('[arcis] Sliding window rate limiter error:', error);\n      next();\n    }\n  };\n\n  const middleware = handler as SlidingWindowMiddleware;\n  middleware.close = () => {\n    clearInterval(cleanupInterval);\n  };\n\n  return middleware;\n}\n","/**\n * @module @arcis/node/middleware/rate-limit-token\n * Token bucket rate limiting middleware.\n *\n * Allows burst traffic while enforcing an average rate.\n * Tokens refill at a steady rate. Each request costs 1 token.\n *\n * Algorithm:\n *   tokens = min(capacity, tokens + elapsed * refillRate)\n *   if tokens >= cost: allow, subtract cost\n *   else: deny\n *\n * @example\n * app.use(createTokenBucketLimiter({ capacity: 50, refillRate: 10 }));\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport { RATE_LIMIT } from '../core/constants';\n\nexport interface TokenBucketOptions {\n  /** Maximum tokens (burst size). Default: 100 */\n  capacity?: number;\n  /** Tokens added per second. Default: 10 */\n  refillRate?: number;\n  /** Tokens consumed per request. Default: 1 */\n  cost?: number;\n  /** Error message when limit exceeded */\n  message?: string;\n  /** HTTP status code for rate limited responses. Default: 429 */\n  statusCode?: number;\n  /** Function to generate rate limit key from request */\n  keyGenerator?: (req: Request) => string;\n  /** Function to skip rate limiting for certain requests */\n  skip?: (req: Request) => boolean;\n}\n\ninterface Bucket {\n  tokens: number;\n  lastRefill: number;\n}\n\nexport interface TokenBucketMiddleware extends RequestHandler {\n  close: () => void;\n}\n\n/**\n * Create token bucket rate limiter middleware.\n *\n * @example\n * // Allow bursts of 50, sustained rate of 10/sec\n * app.use(createTokenBucketLimiter({ capacity: 50, refillRate: 10 }));\n *\n * @example\n * // Strict API: 5 requests burst, 1/sec sustained\n * app.use('/api/expensive', createTokenBucketLimiter({\n *   capacity: 5,\n *   refillRate: 1,\n * }));\n */\nexport function createTokenBucketLimiter(options: TokenBucketOptions = {}): TokenBucketMiddleware {\n  const {\n    capacity = 100,\n    refillRate = 10,\n    cost = 1,\n    message = RATE_LIMIT.DEFAULT_MESSAGE,\n    statusCode = RATE_LIMIT.DEFAULT_STATUS_CODE,\n    keyGenerator = (req) => req.ip ?? req.socket?.remoteAddress ?? 'unknown',\n    skip,\n  } = options;\n\n  if (capacity < 1) throw new RangeError(`Token bucket capacity must be >= 1, got ${capacity}`);\n  if (refillRate <= 0) throw new RangeError(`Token bucket refillRate must be > 0, got ${refillRate}`);\n  if (cost < 1) throw new RangeError(`Token bucket cost must be >= 1, got ${cost}`);\n  if (cost > capacity) throw new RangeError(`Token bucket cost (${cost}) must be <= capacity (${capacity}), otherwise all requests are permanently denied`);\n\n  const buckets = Object.create(null) as Record<string, Bucket>;\n\n  // Cleanup stale buckets (full buckets that haven't been accessed)\n  const cleanupInterval = setInterval(() => {\n    const now = Date.now();\n    const staleThreshold = (capacity / refillRate) * 1000 * 2; // 2x time to refill\n    for (const key of Object.keys(buckets)) {\n      if (now - buckets[key].lastRefill > staleThreshold) {\n        delete buckets[key];\n      }\n    }\n  }, 60_000);\n\n  if (typeof cleanupInterval.unref === 'function') {\n    cleanupInterval.unref();\n  }\n\n  function refillBucket(bucket: Bucket, now: number): void {\n    const elapsed = (now - bucket.lastRefill) / 1000; // seconds\n    const tokensToAdd = elapsed * refillRate;\n    bucket.tokens = Math.min(capacity, bucket.tokens + tokensToAdd);\n    bucket.lastRefill = now;\n  }\n\n  const handler: RequestHandler = (req: Request, res: Response, next: NextFunction) => {\n    try {\n      if (skip?.(req)) return next();\n\n      const key = keyGenerator(req);\n      const now = Date.now();\n\n      // Get or create bucket\n      if (!buckets[key]) {\n        buckets[key] = { tokens: capacity, lastRefill: now };\n      }\n\n      const bucket = buckets[key];\n      refillBucket(bucket, now);\n\n      // Calculate retry-after (time until enough tokens are available)\n      const retryAfterSec = bucket.tokens < cost\n        ? Math.ceil((cost - bucket.tokens) / refillRate)\n        : 0;\n\n      // Set headers\n      res.setHeader('X-RateLimit-Limit', capacity.toString());\n      res.setHeader('X-RateLimit-Remaining', Math.floor(Math.max(0, bucket.tokens - cost)).toString());\n      res.setHeader('X-RateLimit-Policy', `${capacity};w=${Math.floor(capacity / refillRate)};burst=${capacity}`);\n\n      if (bucket.tokens < cost) {\n        res.setHeader('Retry-After', retryAfterSec.toString());\n        res.setHeader('X-RateLimit-Reset', retryAfterSec.toString());\n        res.status(statusCode).json({\n          error: message,\n          retryAfter: retryAfterSec,\n        });\n        return;\n      }\n\n      // Consume token\n      bucket.tokens -= cost;\n      next();\n    } catch (error) {\n      // Fail open\n      console.error('[arcis] Token bucket rate limiter error:', error);\n      next();\n    }\n  };\n\n  const middleware = handler as TokenBucketMiddleware;\n  middleware.close = () => {\n    clearInterval(cleanupInterval);\n  };\n\n  return middleware;\n}\n","/**\n * @module @arcis/node/middleware/cors\n * Safe CORS middleware with secure defaults\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\n\n/** CORS configuration options */\nexport interface CorsOptions {\n  /**\n   * Allowed origins. Can be:\n   * - A string: exact match (e.g., 'https://example.com')\n   * - An array: whitelist of allowed origins\n   * - A RegExp: pattern match (use with care)\n   * - A function: custom validation `(origin) => boolean`\n   * - `true`: reflect the request origin (DANGEROUS — only for dev)\n   *\n   * Default: none (no origin allowed). You must explicitly set this.\n   */\n  origin: string | string[] | RegExp | ((origin: string) => boolean) | true;\n\n  /** Allowed HTTP methods. Default: ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'] */\n  methods?: string[];\n\n  /** Allowed headers. Default: ['Content-Type', 'Authorization'] */\n  allowedHeaders?: string[];\n\n  /** Headers exposed to the browser. Default: [] */\n  exposedHeaders?: string[];\n\n  /** Allow credentials (cookies, authorization headers). Default: false */\n  credentials?: boolean;\n\n  /** Preflight cache duration in seconds. Default: 600 (10 minutes) */\n  maxAge?: number;\n\n  /** Respond to preflight with 204 (no content). Default: true */\n  preflightContinue?: boolean;\n}\n\nconst DEFAULT_METHODS = ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'];\nconst DEFAULT_HEADERS = ['Content-Type', 'Authorization'];\nconst DEFAULT_MAX_AGE = 600;\n\n/**\n * Check if an origin is allowed by the configured policy.\n */\nfunction isOriginAllowed(\n  requestOrigin: string,\n  allowed: CorsOptions['origin']\n): boolean {\n  // 'null' origin is always blocked — sent by sandboxed iframes, data: URIs, etc.\n  if (requestOrigin === 'null') return false;\n\n  if (allowed === true) return true;\n\n  if (typeof allowed === 'string') {\n    return requestOrigin === allowed;\n  }\n\n  if (Array.isArray(allowed)) {\n    return allowed.includes(requestOrigin);\n  }\n\n  if (allowed instanceof RegExp) {\n    return allowed.test(requestOrigin);\n  }\n\n  if (typeof allowed === 'function') {\n    return allowed(requestOrigin);\n  }\n\n  return false;\n}\n\n/**\n * Create safe CORS middleware.\n *\n * Unlike permissive CORS libraries, this enforces secure defaults:\n * - No wildcard `*` when credentials are enabled\n * - `null` origin is always blocked\n * - `Vary: Origin` is always set for proper caching\n * - You must explicitly configure allowed origins\n *\n * @param options - CORS configuration\n * @returns Express middleware\n *\n * @example\n * // Allow a single origin\n * app.use(safeCors({ origin: 'https://myapp.com' }));\n *\n * @example\n * // Allow multiple origins with credentials\n * app.use(safeCors({\n *   origin: ['https://myapp.com', 'https://admin.myapp.com'],\n *   credentials: true,\n * }));\n *\n * @example\n * // Development: allow all (NOT for production)\n * app.use(safeCors({ origin: true }));\n */\nexport function safeCors(options: CorsOptions): RequestHandler {\n  const {\n    origin,\n    methods = DEFAULT_METHODS,\n    allowedHeaders = DEFAULT_HEADERS,\n    exposedHeaders = [],\n    credentials = false,\n    maxAge = DEFAULT_MAX_AGE,\n    preflightContinue = true,\n  } = options;\n\n  return (req: Request, res: Response, next: NextFunction) => {\n    const requestOrigin = req.headers.origin;\n\n    // Always set Vary: Origin for proper caching\n    res.setHeader('Vary', 'Origin');\n\n    // No origin header = same-origin request, skip CORS headers\n    if (!requestOrigin) {\n      return next();\n    }\n\n    const allowed = isOriginAllowed(requestOrigin, origin);\n\n    if (!allowed) {\n      // Don't set any CORS headers — browser will block the request\n      return next();\n    }\n\n    // Set Access-Control-Allow-Origin to the specific origin (not *)\n    res.setHeader('Access-Control-Allow-Origin', requestOrigin);\n\n    if (credentials) {\n      res.setHeader('Access-Control-Allow-Credentials', 'true');\n    }\n\n    if (exposedHeaders.length > 0) {\n      res.setHeader('Access-Control-Expose-Headers', exposedHeaders.join(', '));\n    }\n\n    // Handle preflight requests\n    if (req.method === 'OPTIONS') {\n      res.setHeader('Access-Control-Allow-Methods', methods.join(', '));\n      res.setHeader('Access-Control-Allow-Headers', allowedHeaders.join(', '));\n      res.setHeader('Access-Control-Max-Age', String(maxAge));\n\n      if (preflightContinue) {\n        res.status(204).end();\n        return;\n      }\n    }\n\n    next();\n  };\n}\n\n/**\n * Alias for safeCors\n * @see safeCors\n */\nexport const createCors = safeCors;\n","/**\n * @module @arcis/node/middleware/cookies\n * Secure cookie defaults middleware\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\n\n/** Cookie security configuration */\nexport interface SecureCookieOptions {\n  /** Force HttpOnly on all cookies. Default: true */\n  httpOnly?: boolean;\n  /** Force Secure flag (HTTPS only). Default: true in production, false in dev */\n  secure?: boolean;\n  /** SameSite attribute. Default: 'Lax' */\n  sameSite?: 'Strict' | 'Lax' | 'None' | false;\n  /** Override Path attribute. Default: undefined (keep original) */\n  path?: string;\n}\n\nconst COOKIE_ATTRS = {\n  HTTP_ONLY: '; HttpOnly',\n  SECURE: '; Secure',\n  SAME_SITE_STRICT: '; SameSite=Strict',\n  SAME_SITE_LAX: '; SameSite=Lax',\n  SAME_SITE_NONE: '; SameSite=None',\n} as const;\n\n/**\n * Enforce secure defaults on a Set-Cookie header value.\n */\nexport function enforceSecureCookie(\n  cookieStr: string,\n  options: Required<Omit<SecureCookieOptions, 'path'>> & { path?: string }\n): string {\n  const lower = cookieStr.toLowerCase();\n  let result = cookieStr;\n\n  // HttpOnly — prevent JavaScript access\n  if (options.httpOnly && !lower.includes('httponly')) {\n    result += COOKIE_ATTRS.HTTP_ONLY;\n  }\n\n  // Secure — HTTPS only\n  if (options.secure && !lower.includes('; secure')) {\n    result += COOKIE_ATTRS.SECURE;\n  }\n\n  // SameSite — CSRF protection\n  if (options.sameSite !== false && !lower.includes('samesite')) {\n    switch (options.sameSite) {\n      case 'Strict':\n        result += COOKIE_ATTRS.SAME_SITE_STRICT;\n        break;\n      case 'None':\n        result += COOKIE_ATTRS.SAME_SITE_NONE;\n        // SameSite=None requires Secure\n        if (!result.toLowerCase().includes('; secure')) {\n          result += COOKIE_ATTRS.SECURE;\n        }\n        break;\n      case 'Lax':\n      default:\n        result += COOKIE_ATTRS.SAME_SITE_LAX;\n        break;\n    }\n  }\n\n  // Override path if specified\n  if (options.path) {\n    if (lower.includes('path=')) {\n      result = result.replace(/;\\s*path=[^;]*/i, `; Path=${options.path}`);\n    } else {\n      result += `; Path=${options.path}`;\n    }\n  }\n\n  return result;\n}\n\n/**\n * Create middleware that enforces secure cookie defaults.\n *\n * Intercepts Set-Cookie headers and adds missing security attributes:\n * - HttpOnly: prevents JavaScript access (XSS cookie theft)\n * - Secure: cookies only sent over HTTPS\n * - SameSite: CSRF protection\n *\n * @param options - Cookie security configuration\n * @returns Express middleware\n *\n * @example\n * // Enforce defaults on all cookies\n * app.use(secureCookieDefaults());\n *\n * @example\n * // Strict SameSite for sensitive apps\n * app.use(secureCookieDefaults({ sameSite: 'Strict' }));\n */\nexport function secureCookieDefaults(options: SecureCookieOptions = {}): RequestHandler {\n  const isProduction = process.env.NODE_ENV === 'production';\n  const resolved = {\n    httpOnly: options.httpOnly ?? true,\n    secure: options.secure ?? isProduction,\n    sameSite: options.sameSite ?? 'Lax' as const,\n    path: options.path,\n  };\n\n  return (_req: Request, res: Response, next: NextFunction) => {\n    // Monkey-patch res.setHeader to intercept Set-Cookie\n    const originalSetHeader = res.setHeader.bind(res);\n\n    res.setHeader = function patchedSetHeader(name: string, value: string | number | readonly string[]) {\n      if (name.toLowerCase() === 'set-cookie') {\n        if (Array.isArray(value)) {\n          value = value.map(v => enforceSecureCookie(String(v), resolved));\n        } else {\n          value = enforceSecureCookie(String(value), resolved);\n        }\n      }\n      return originalSetHeader(name, value);\n    } as typeof res.setHeader;\n\n    next();\n  };\n}\n\n/**\n * Alias for secureCookieDefaults\n * @see secureCookieDefaults\n */\nexport const createSecureCookies = secureCookieDefaults;\n","/**\n * @module @arcis/node/middleware/bot-detection\n * Local-only bot detection using User-Agent and behavioral signals.\n *\n * Categorizes requests into bot types and allows/denies based on config.\n * No cloud calls — everything runs locally.\n *\n * @example\n * // Block automated tools, allow search engines\n * app.use(botProtection({\n *   allow: ['SEARCH_ENGINE', 'SOCIAL', 'MONITORING'],\n *   deny: ['AUTOMATED', 'SCRAPER'],\n * }));\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\n\n// =============================================================================\n// BOT CATEGORIES\n// =============================================================================\n\nexport type BotCategory =\n  | 'SEARCH_ENGINE'\n  | 'SOCIAL'\n  | 'MONITORING'\n  | 'AI_CRAWLER'\n  | 'SCRAPER'\n  | 'AUTOMATED'\n  | 'UNKNOWN'\n  | 'HUMAN';\n\nexport interface BotDetectionResult {\n  /** Whether the request appears to be from a bot */\n  isBot: boolean;\n  /** Bot category */\n  category: BotCategory;\n  /** Matched bot name (e.g. 'Googlebot', 'curl') or null */\n  name: string | null;\n  /** Confidence score: 0-1 */\n  confidence: number;\n  /** Behavioral signals detected */\n  signals: string[];\n}\n\nexport interface BotProtectionOptions {\n  /** Categories to explicitly allow. Default: ['SEARCH_ENGINE', 'SOCIAL', 'MONITORING'] */\n  allow?: BotCategory[];\n  /** Categories to explicitly deny. Default: ['AUTOMATED'] */\n  deny?: BotCategory[];\n  /** Action for categories not in allow or deny. Default: 'allow' */\n  defaultAction?: 'allow' | 'deny';\n  /** HTTP status code for denied bots. Default: 403 */\n  statusCode?: number;\n  /** Error message for denied bots */\n  message?: string;\n  /** Enable behavioral signal detection. Default: true */\n  detectBehavior?: boolean;\n  /** Custom handler called on detection (instead of default deny response) */\n  onDetected?: (req: Request, res: Response, result: BotDetectionResult) => void;\n}\n\n// =============================================================================\n// BOT DATABASE\n// =============================================================================\n\ninterface BotPattern {\n  /** Regex pattern to match against User-Agent */\n  pattern: RegExp;\n  /** Bot name */\n  name: string;\n  /** Category */\n  category: BotCategory;\n}\n\n/**\n * Bot patterns ordered by specificity — more specific patterns first.\n * All patterns are case-insensitive and tested against the full UA string.\n */\nconst BOT_PATTERNS: BotPattern[] = [\n  // --- SEARCH ENGINES (specific variants before generic) ---\n  { pattern: /Googlebot-Image/i, name: 'Googlebot-Image', category: 'SEARCH_ENGINE' },\n  { pattern: /Googlebot-Video/i, name: 'Googlebot-Video', category: 'SEARCH_ENGINE' },\n  { pattern: /Googlebot-News/i, name: 'Googlebot-News', category: 'SEARCH_ENGINE' },\n  { pattern: /Googlebot/i, name: 'Googlebot', category: 'SEARCH_ENGINE' },\n  { pattern: /AdsBot-Google/i, name: 'AdsBot-Google', category: 'SEARCH_ENGINE' },\n  { pattern: /Mediapartners-Google/i, name: 'Mediapartners-Google', category: 'SEARCH_ENGINE' },\n  { pattern: /Bingbot/i, name: 'Bingbot', category: 'SEARCH_ENGINE' },\n  { pattern: /msnbot/i, name: 'msnbot', category: 'SEARCH_ENGINE' },\n  { pattern: /Slurp/i, name: 'Yahoo Slurp', category: 'SEARCH_ENGINE' },\n  { pattern: /DuckDuckBot/i, name: 'DuckDuckBot', category: 'SEARCH_ENGINE' },\n  { pattern: /Baiduspider/i, name: 'Baiduspider', category: 'SEARCH_ENGINE' },\n  { pattern: /YandexBot/i, name: 'YandexBot', category: 'SEARCH_ENGINE' },\n  { pattern: /YandexImages/i, name: 'YandexImages', category: 'SEARCH_ENGINE' },\n  { pattern: /Sogou/i, name: 'Sogou', category: 'SEARCH_ENGINE' },\n  { pattern: /Exabot/i, name: 'Exabot', category: 'SEARCH_ENGINE' },\n  { pattern: /ia_archiver/i, name: 'Alexa', category: 'SEARCH_ENGINE' },\n  { pattern: /Applebot/i, name: 'Applebot', category: 'SEARCH_ENGINE' },\n  { pattern: /Qwantify/i, name: 'Qwantify', category: 'SEARCH_ENGINE' },\n  { pattern: /PetalBot/i, name: 'PetalBot', category: 'SEARCH_ENGINE' },\n  { pattern: /SeznamBot/i, name: 'SeznamBot', category: 'SEARCH_ENGINE' },\n\n  // --- SOCIAL ---\n  { pattern: /Twitterbot/i, name: 'Twitterbot', category: 'SOCIAL' },\n  { pattern: /facebookexternalhit/i, name: 'Facebook', category: 'SOCIAL' },\n  { pattern: /Facebot/i, name: 'Facebot', category: 'SOCIAL' },\n  { pattern: /LinkedInBot/i, name: 'LinkedInBot', category: 'SOCIAL' },\n  { pattern: /Pinterest/i, name: 'Pinterest', category: 'SOCIAL' },\n  { pattern: /Slackbot/i, name: 'Slackbot', category: 'SOCIAL' },\n  { pattern: /TelegramBot/i, name: 'TelegramBot', category: 'SOCIAL' },\n  { pattern: /WhatsApp/i, name: 'WhatsApp', category: 'SOCIAL' },\n  { pattern: /Discordbot/i, name: 'Discordbot', category: 'SOCIAL' },\n  { pattern: /Redditbot/i, name: 'Redditbot', category: 'SOCIAL' },\n  { pattern: /Embedly/i, name: 'Embedly', category: 'SOCIAL' },\n  { pattern: /Quora Link Preview/i, name: 'Quora', category: 'SOCIAL' },\n  { pattern: /Mastodon/i, name: 'Mastodon', category: 'SOCIAL' },\n\n  // --- MONITORING ---\n  { pattern: /UptimeRobot/i, name: 'UptimeRobot', category: 'MONITORING' },\n  { pattern: /Pingdom/i, name: 'Pingdom', category: 'MONITORING' },\n  { pattern: /Site24x7/i, name: 'Site24x7', category: 'MONITORING' },\n  { pattern: /StatusCake/i, name: 'StatusCake', category: 'MONITORING' },\n  { pattern: /Datadog/i, name: 'Datadog', category: 'MONITORING' },\n  { pattern: /NewRelicPinger/i, name: 'New Relic', category: 'MONITORING' },\n  { pattern: /Better Uptime Bot/i, name: 'Better Uptime', category: 'MONITORING' },\n  { pattern: /GTmetrix/i, name: 'GTmetrix', category: 'MONITORING' },\n  { pattern: /PageSpeed/i, name: 'PageSpeed Insights', category: 'MONITORING' },\n\n  // --- AI CRAWLERS ---\n  { pattern: /GPTBot/i, name: 'GPTBot', category: 'AI_CRAWLER' },\n  { pattern: /ChatGPT-User/i, name: 'ChatGPT-User', category: 'AI_CRAWLER' },\n  { pattern: /Claude-Web/i, name: 'Claude-Web', category: 'AI_CRAWLER' },\n  { pattern: /ClaudeBot/i, name: 'ClaudeBot', category: 'AI_CRAWLER' },\n  { pattern: /anthropic-ai/i, name: 'Anthropic', category: 'AI_CRAWLER' },\n  { pattern: /Bytespider/i, name: 'Bytespider', category: 'AI_CRAWLER' },\n  { pattern: /CCBot/i, name: 'CCBot', category: 'AI_CRAWLER' },\n  { pattern: /cohere-ai/i, name: 'Cohere', category: 'AI_CRAWLER' },\n  { pattern: /PerplexityBot/i, name: 'PerplexityBot', category: 'AI_CRAWLER' },\n  { pattern: /YouBot/i, name: 'YouBot', category: 'AI_CRAWLER' },\n  { pattern: /Google-Extended/i, name: 'Google-Extended', category: 'AI_CRAWLER' },\n  { pattern: /Diffbot/i, name: 'Diffbot', category: 'AI_CRAWLER' },\n  { pattern: /Amazonbot/i, name: 'Amazonbot', category: 'AI_CRAWLER' },\n  { pattern: /meta-externalagent/i, name: 'Meta AI', category: 'AI_CRAWLER' },\n\n  // --- AUTOMATED TOOLS (headless browsers, testing frameworks) ---\n  { pattern: /HeadlessChrome/i, name: 'Headless Chrome', category: 'AUTOMATED' },\n  { pattern: /PhantomJS/i, name: 'PhantomJS', category: 'AUTOMATED' },\n  { pattern: /Selenium/i, name: 'Selenium', category: 'AUTOMATED' },\n  { pattern: /Puppeteer/i, name: 'Puppeteer', category: 'AUTOMATED' },\n  { pattern: /Playwright/i, name: 'Playwright', category: 'AUTOMATED' },\n  { pattern: /Cypress/i, name: 'Cypress', category: 'AUTOMATED' },\n  { pattern: /webdriver/i, name: 'WebDriver', category: 'AUTOMATED' },\n  { pattern: /MSIE 6\\.0/i, name: 'Fake IE6', category: 'AUTOMATED' },\n\n  // --- SCRAPERS / CLI TOOLS ---\n  { pattern: /^curl\\//i, name: 'curl', category: 'SCRAPER' },\n  { pattern: /^wget\\//i, name: 'wget', category: 'SCRAPER' },\n  { pattern: /^python-requests\\//i, name: 'python-requests', category: 'SCRAPER' },\n  { pattern: /^python-httpx\\//i, name: 'python-httpx', category: 'SCRAPER' },\n  { pattern: /^Python-urllib/i, name: 'Python-urllib', category: 'SCRAPER' },\n  { pattern: /^aiohttp\\//i, name: 'aiohttp', category: 'SCRAPER' },\n  { pattern: /^Go-http-client/i, name: 'Go-http-client', category: 'SCRAPER' },\n  { pattern: /^Java\\//i, name: 'Java HttpClient', category: 'SCRAPER' },\n  { pattern: /^Apache-HttpClient/i, name: 'Apache HttpClient', category: 'SCRAPER' },\n  { pattern: /^okhttp\\//i, name: 'OkHttp', category: 'SCRAPER' },\n  { pattern: /^node-fetch\\//i, name: 'node-fetch', category: 'SCRAPER' },\n  { pattern: /^axios\\//i, name: 'axios', category: 'SCRAPER' },\n  { pattern: /^got\\//i, name: 'got', category: 'SCRAPER' },\n  { pattern: /^libwww-perl/i, name: 'libwww-perl', category: 'SCRAPER' },\n  { pattern: /^Ruby/i, name: 'Ruby', category: 'SCRAPER' },\n  { pattern: /^PHP\\//i, name: 'PHP', category: 'SCRAPER' },\n  { pattern: /Scrapy/i, name: 'Scrapy', category: 'SCRAPER' },\n  { pattern: /^Postman/i, name: 'Postman', category: 'SCRAPER' },\n  { pattern: /^Insomnia/i, name: 'Insomnia', category: 'SCRAPER' },\n  { pattern: /^HTTPie\\//i, name: 'HTTPie', category: 'SCRAPER' },\n];\n\n// =============================================================================\n// DETECTION ENGINE\n// =============================================================================\n\n/**\n * Detect behavioral signals that suggest a bot.\n */\nfunction detectBehavioralSignals(req: Request): string[] {\n  const signals: string[] = [];\n  const headers = req.headers;\n\n  // Missing User-Agent\n  if (!headers['user-agent']) {\n    signals.push('missing_user_agent');\n  }\n\n  // Missing Accept header (browsers always send this)\n  if (!headers['accept']) {\n    signals.push('missing_accept');\n  }\n\n  // Missing Accept-Language (browsers always send this)\n  if (!headers['accept-language']) {\n    signals.push('missing_accept_language');\n  }\n\n  // Missing Accept-Encoding (browsers always send this)\n  if (!headers['accept-encoding']) {\n    signals.push('missing_accept_encoding');\n  }\n\n  // Connection: close (browsers typically use keep-alive)\n  if (headers['connection'] === 'close') {\n    signals.push('connection_close');\n  }\n\n  return signals;\n}\n\n/**\n * Detect what kind of bot (if any) is making the request.\n *\n * @param req - HTTP request object\n * @returns Detection result with category, name, confidence, and signals\n *\n * @example\n * const result = detectBot(req);\n * if (result.isBot && result.category === 'AUTOMATED') {\n *   // Block automated tools\n * }\n */\nexport function detectBot(req: Request): BotDetectionResult {\n  const rawUa = req.headers['user-agent'] ?? '';\n  // Truncate to prevent CPU abuse from very long UA strings\n  const ua = rawUa.length > 2048 ? rawUa.slice(0, 2048) : rawUa;\n  const signals = detectBehavioralSignals(req);\n\n  // No User-Agent at all\n  if (!ua) {\n    return {\n      isBot: true,\n      category: 'UNKNOWN',\n      name: null,\n      confidence: 0.8,\n      signals,\n    };\n  }\n\n  // Match against known bot patterns\n  for (const bot of BOT_PATTERNS) {\n    if (bot.pattern.test(ua)) {\n      return {\n        isBot: true,\n        category: bot.category,\n        name: bot.name,\n        confidence: 0.95,\n        signals,\n      };\n    }\n  }\n\n  // Behavioral analysis for unrecognized UAs\n  const behaviorScore = signals.length;\n\n  // 3+ missing standard headers = likely bot\n  if (behaviorScore >= 3) {\n    return {\n      isBot: true,\n      category: 'UNKNOWN',\n      name: null,\n      confidence: Math.min(1.0, 0.6 + (behaviorScore * 0.1)),\n      signals,\n    };\n  }\n\n  return {\n    isBot: false,\n    category: 'HUMAN',\n    name: null,\n    confidence: Math.max(0.0, 1.0 - (behaviorScore * 0.15)),\n    signals,\n  };\n}\n\n/**\n * Create Express middleware for bot protection.\n *\n * @example\n * // Block automated tools and scrapers\n * app.use(botProtection({\n *   allow: ['SEARCH_ENGINE', 'SOCIAL', 'MONITORING'],\n *   deny: ['AUTOMATED', 'SCRAPER'],\n * }));\n *\n * @example\n * // Block everything except search engines\n * app.use(botProtection({\n *   allow: ['SEARCH_ENGINE'],\n *   defaultAction: 'deny',\n * }));\n *\n * @example\n * // Custom handler\n * app.use(botProtection({\n *   deny: ['AUTOMATED'],\n *   onDetected: (req, res, result) => {\n *     console.log(`Bot blocked: ${result.name} (${result.category})`);\n *     res.status(403).json({ error: 'Bots not allowed' });\n *   },\n * }));\n */\nexport function botProtection(options: BotProtectionOptions = {}): RequestHandler {\n  const {\n    allow = ['SEARCH_ENGINE', 'SOCIAL', 'MONITORING'],\n    deny = ['AUTOMATED'],\n    defaultAction = 'allow',\n    statusCode = 403,\n    message = 'Access denied.',\n    onDetected,\n  } = options;\n\n  const allowSet = new Set(allow);\n  const denySet = new Set(deny);\n\n  return (req: Request, res: Response, next: NextFunction) => {\n    const result = detectBot(req);\n\n    // Attach result to request for downstream use\n    (req as unknown as Record<string, unknown>).botDetection = result;\n\n    // Humans always pass\n    if (!result.isBot) {\n      return next();\n    }\n\n    // Check explicit allow/deny lists\n    if (allowSet.has(result.category)) {\n      return next();\n    }\n\n    if (denySet.has(result.category)) {\n      if (onDetected) {\n        return onDetected(req, res, result);\n      }\n      res.status(statusCode).json({ error: message });\n      return;\n    }\n\n    // Default action for uncategorized bots\n    if (defaultAction === 'deny') {\n      if (onDetected) {\n        return onDetected(req, res, result);\n      }\n      res.status(statusCode).json({ error: message });\n      return;\n    }\n\n    next();\n  };\n}\n","/**\n * @module @arcis/node/middleware/csrf\n * CSRF (Cross-Site Request Forgery) protection middleware\n *\n * Implements the double-submit cookie pattern:\n * 1. Server sets a CSRF token in a cookie\n * 2. Client must send the same token in a header or form field\n * 3. Middleware rejects requests where cookie token !== header/field token\n *\n * This works because an attacker's cross-origin form submission will include\n * the cookie automatically, but cannot read it (same-origin policy) to set\n * the matching header.\n */\n\nimport { randomBytes } from 'crypto';\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\n\n/** CSRF protection configuration */\nexport interface CsrfOptions {\n  /** Cookie name for the CSRF token. Default: '_csrf' */\n  cookieName?: string;\n  /** Header name to check for the token. Default: 'x-csrf-token' */\n  headerName?: string;\n  /** Form field name to check for the token. Default: '_csrf' */\n  fieldName?: string;\n  /** Token byte length (hex-encoded = 2x chars). Default: 32 */\n  tokenLength?: number;\n  /** HTTP methods to protect. Default: ['POST', 'PUT', 'PATCH', 'DELETE'] */\n  protectedMethods?: string[];\n  /** Paths to exclude from CSRF checks (e.g., webhook endpoints) */\n  excludePaths?: string[];\n  /**\n   * Per-request skip function. If it returns true, CSRF check is skipped\n   * for that request. Useful for API key auth or signed webhooks.\n   *\n   * @example\n   * skipCsrf: (req) => Boolean(req.headers['x-api-key'])\n   */\n  skipCsrf?: (req: Request) => boolean;\n  /**\n   * Use the __Host- cookie prefix for stronger cookie security.\n   * When enabled, the browser enforces: Secure=true, no Domain, Path=/.\n   * This prevents CSRF cookie theft across subdomains.\n   * Default: false\n   */\n  useHostPrefix?: boolean;\n  /** Cookie options */\n  cookie?: {\n    /** Cookie path. Default: '/' */\n    path?: string;\n    /** HttpOnly — set false so client JS can read it for headers. Default: false */\n    httpOnly?: boolean;\n    /** Secure flag (HTTPS only). Default: true in production */\n    secure?: boolean;\n    /** SameSite attribute. Default: 'Lax' */\n    sameSite?: 'Strict' | 'Lax' | 'None';\n    /** Cookie domain */\n    domain?: string;\n  };\n  /** Custom error handler when CSRF validation fails */\n  onError?: (req: Request, res: Response, next: NextFunction) => void;\n}\n\nconst DEFAULTS = {\n  cookieName: '_csrf',\n  headerName: 'x-csrf-token',\n  fieldName: '_csrf',\n  tokenLength: 32,\n  protectedMethods: ['POST', 'PUT', 'PATCH', 'DELETE'],\n} as const;\n\n/**\n * Generate a cryptographically random CSRF token.\n *\n * @param length - Byte length (output is hex, so 2x chars). Default: 32\n * @returns Hex-encoded random token\n *\n * @example\n * const token = generateCsrfToken(); // 64 hex chars\n */\nexport function generateCsrfToken(length: number = 32): string {\n  return randomBytes(length).toString('hex');\n}\n\n/**\n * Validate that two CSRF tokens match using constant-time comparison.\n *\n * @param cookieToken - Token from the cookie\n * @param requestToken - Token from the header or form field\n * @returns true if tokens match\n */\nexport function validateCsrfToken(cookieToken: string, requestToken: string): boolean {\n  if (!cookieToken || !requestToken) return false;\n  if (cookieToken.length !== requestToken.length) return false;\n\n  // Constant-time comparison to prevent timing attacks\n  let result = 0;\n  for (let i = 0; i < cookieToken.length; i++) {\n    result |= cookieToken.charCodeAt(i) ^ requestToken.charCodeAt(i);\n  }\n  return result === 0;\n}\n\n/**\n * Extract the CSRF token from a request (checks header, then body field, then query).\n */\nfunction getRequestToken(req: Request, headerName: string, fieldName: string): string | undefined {\n  // 1. Check header (most common for SPAs)\n  const headerToken = req.headers[headerName.toLowerCase()];\n  if (typeof headerToken === 'string' && headerToken) return headerToken;\n\n  // 2. Check body field (form submissions)\n  if (req.body && typeof req.body === 'object' && fieldName in req.body) {\n    const bodyToken = req.body[fieldName];\n    if (typeof bodyToken === 'string' && bodyToken) return bodyToken;\n  }\n\n  // 3. Check query string (fallback)\n  if (req.query && fieldName in req.query) {\n    const queryToken = req.query[fieldName];\n    if (typeof queryToken === 'string' && queryToken) return queryToken;\n  }\n\n  return undefined;\n}\n\n/**\n * Create CSRF protection middleware using double-submit cookie pattern.\n *\n * For safe methods (GET, HEAD, OPTIONS), sets a CSRF token cookie if not present.\n * For unsafe methods (POST, PUT, PATCH, DELETE), validates the token.\n *\n * @param options - CSRF configuration\n * @returns Express middleware\n *\n * @example\n * // Basic usage\n * app.use(csrfProtection());\n *\n * @example\n * // Exclude webhook paths\n * app.use(csrfProtection({\n *   excludePaths: ['/api/webhooks/stripe', '/api/webhooks/github']\n * }));\n *\n * @example\n * // Client-side: read cookie + set header\n * const token = document.cookie.match(/_csrf=([^;]+)/)?.[1];\n * fetch('/api/data', {\n *   method: 'POST',\n *   headers: { 'X-CSRF-Token': token },\n *   credentials: 'same-origin'\n * });\n */\nexport function csrfProtection(options: CsrfOptions = {}): RequestHandler {\n  const baseCookieName = options.cookieName ?? DEFAULTS.cookieName;\n  // __Host- prefix: forces browser to enforce Secure + no Domain + Path=/\n  const cookieName = options.useHostPrefix ? `__Host-${baseCookieName}` : baseCookieName;\n  const headerName = options.headerName ?? DEFAULTS.headerName;\n  const fieldName = options.fieldName ?? DEFAULTS.fieldName;\n  const tokenLength = options.tokenLength ?? DEFAULTS.tokenLength;\n  const protectedMethods = options.protectedMethods ?? [...DEFAULTS.protectedMethods];\n  const excludePaths = options.excludePaths ?? [];\n  const skipCsrf = options.skipCsrf;\n\n  const isProduction = process.env.NODE_ENV === 'production';\n  const cookieOpts = {\n    path: options.cookie?.path ?? '/',\n    httpOnly: options.cookie?.httpOnly ?? false, // Must be readable by client JS\n    secure: options.cookie?.secure ?? isProduction,\n    sameSite: options.cookie?.sameSite ?? 'Lax',\n    domain: options.cookie?.domain,\n  };\n\n  const defaultOnError = (_req: Request, res: Response, _next: NextFunction) => {\n    res.status(403).json({\n      error: 'CSRF token validation failed',\n      message: 'Invalid or missing CSRF token. Include the token from the cookie in the X-CSRF-Token header.',\n    });\n  };\n\n  const onError = options.onError ?? defaultOnError;\n\n  // Normalize protected methods to uppercase\n  const protectedSet = new Set(protectedMethods.map(m => m.toUpperCase()));\n\n  return (req: Request, res: Response, next: NextFunction) => {\n    const method = req.method.toUpperCase();\n\n    // Per-request skip callback (API keys, signed webhooks, etc.)\n    if (skipCsrf && skipCsrf(req)) {\n      return next();\n    }\n\n    // Check if path is excluded\n    const requestPath = req.path || req.url;\n    if (excludePaths.some(p => requestPath === p || requestPath.startsWith(p + '/'))) {\n      return next();\n    }\n\n    // Expose token generation on the request for templates/views\n    (req as unknown as Record<string, unknown>).csrfToken = () => {\n      const existing = getCookieValue(req, cookieName);\n      if (existing) return existing;\n\n      const token = generateCsrfToken(tokenLength);\n      setCsrfCookie(res, cookieName, token, cookieOpts);\n      return token;\n    };\n\n    // For safe methods — ensure a CSRF cookie exists\n    if (!protectedSet.has(method)) {\n      const existing = getCookieValue(req, cookieName);\n      if (!existing) {\n        const token = generateCsrfToken(tokenLength);\n        setCsrfCookie(res, cookieName, token, cookieOpts);\n      }\n      return next();\n    }\n\n    // For protected methods — validate the token\n    const cookieToken = getCookieValue(req, cookieName);\n    if (!cookieToken) {\n      return onError(req, res, next);\n    }\n\n    const requestToken = getRequestToken(req, headerName, fieldName);\n    if (!requestToken) {\n      return onError(req, res, next);\n    }\n\n    if (!validateCsrfToken(cookieToken, requestToken)) {\n      return onError(req, res, next);\n    }\n\n    next();\n  };\n}\n\n/**\n * Read a cookie value from the request.\n */\nfunction getCookieValue(req: Request, name: string): string | undefined {\n  // Express parses cookies if cookie-parser is used\n  if (req.cookies && typeof req.cookies === 'object' && name in req.cookies) {\n    return req.cookies[name];\n  }\n\n  // Fallback: parse from raw Cookie header\n  const cookieHeader = req.headers.cookie;\n  if (!cookieHeader) return undefined;\n\n  const match = cookieHeader.match(new RegExp(`(?:^|;\\\\s*)${escapeRegex(name)}=([^;]*)`));\n  return match ? decodeURIComponent(match[1]) : undefined;\n}\n\n/**\n * Set the CSRF token cookie on the response.\n */\nfunction setCsrfCookie(\n  res: Response,\n  name: string,\n  token: string,\n  opts: { path: string; httpOnly: boolean; secure: boolean; sameSite: string; domain?: string }\n): void {\n  const parts = [`${name}=${token}`];\n  parts.push(`Path=${opts.path}`);\n  if (opts.httpOnly) parts.push('HttpOnly');\n  if (opts.secure) parts.push('Secure');\n  parts.push(`SameSite=${opts.sameSite}`);\n  if (opts.domain) parts.push(`Domain=${opts.domain}`);\n\n  res.setHeader('Set-Cookie', parts.join('; '));\n}\n\n/**\n * Escape special regex characters in a string.\n */\nfunction escapeRegex(str: string): string {\n  return str.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&');\n}\n\n/** Alias for csrfProtection */\nexport const createCsrf = csrfProtection;\n"]}
+{"version":3,"sources":["../../src/core/constants.ts","../../src/middleware/headers.ts","../../src/middleware/rate-limit.ts","../../src/middleware/error-handler.ts","../../src/core/errors.ts","../../src/middleware/telemetry.ts","../../src/sanitizers/utils.ts","../../src/sanitizers/xss.ts","../../src/sanitizers/sql.ts","../../src/sanitizers/path.ts","../../src/sanitizers/command.ts","../../src/sanitizers/sanitize.ts","../../src/validation/schema.ts","../../src/validation/file.ts","../../src/validation/email.ts","../../src/logging/redactor.ts","../../src/telemetry/client.ts","../../src/middleware/main.ts","../../src/utils/duration.ts","../../src/middleware/rate-limit-sliding.ts","../../src/middleware/rate-limit-token.ts","../../src/middleware/cors.ts","../../src/middleware/cookies.ts","../../src/middleware/bot-detection.ts","../../src/middleware/csrf.ts","../../src/middleware/signup-protection.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA;AAAA,EAEnB,gBAAA,EAAkB,GAAA;AAAA;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,GAAA;AAAA;AAAA,EAEnB,oBAAA,EAAsB,GAAA;AAAA;AAAA,EAEtB,mBAAA,EAAqB,GAAA;AAAA;AAAA,EAErB,eAAA,EAAiB,4CAKnB,CAAA;AAKO,IAAM,OAAA,GAAU;AAAA;AAAA,EAErB,WAAA,EAAa;AAAA,IACX,oBAAA;AAAA,IACA,mBAAA;AAAA,IACA,kCAAA;AAAA,IACA,6BAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF,CAAE,KAAK,IAAI,CAAA;AAAA;AAAA,EAEX,YAAA,EAAc,OAAA;AAAA;AAAA,EAEd,aAAA,EAAe,MAAA;AAAA;AAAA,EAEf,oBAAA,EAAsB,SAAA;AAAA;AAAA,EAEtB,eAAA,EAAiB,iCAAA;AAAA;AAAA,EAEjB,kBAAA,EAAoB,0CAAA;AAAA;AAAA,EAEpB,aAAA,EAAe;AACjB,CAAA;AA+CO,IAAM,mBAAA,GAAsB;AAAA;AAAA,EAEjC,mCAAA;AAAA;AAAA,EAEA,iBAAA;AAAA;AAAA,EAEA,iCAAA;AAAA,EACA,eAAA;AAAA;AAAA,EAEA,mCAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EAEA,mCAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EAEA,eAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,uCAAA;AAAA;AAAA,EAEA,gCAAA;AAAA;AAAA,EAEA,kBAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EAEA,gCAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,qFAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,wBAAA;AAAA;AAAA,EAEA,8CAAA;AAAA,EACA,oDAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,+CAAA;AAAA,EACA,qDAAA;AAAA;AAAA,EAEA,2BAAA;AAAA;AAAA,EAEA,oBAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,IAAM,aAAA,GAAgB;AAAA;AAAA,EAE3B,SAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,cAAA;AAAA,EACA,cAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU9B,SAAA;AAAA;AAAA,EAEA,OAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAiBO,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA,EAC1C,WAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA;AACF,CAAC,CAAA;AAGM,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA;AAAA,EAE1C,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,MAAA;AAAA;AAAA,EAEnD,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,MAAA;AAAA;AAAA,EAEvB,SAAA;AAAA,EAAW,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,MAAA;AAAA,EAAQ,OAAA;AAAA,EAAS,aAAA;AAAA;AAAA,EAElE,YAAA;AAAA,EAAc,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEtB,WAAA;AAAA,EAAa,cAAA;AAAA;AAAA,EAEb,SAAA;AAAA,EAAW,QAAA;AAAA,EAAU,UAAA;AAAA,EAAY,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,OAAA;AAAA,EAC9D,SAAA;AAAA,EAAW,YAAA;AAAA,EAAc;AAC3B,CAAC,CAAA;AAKM,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMxB,KAAA,EAAO,wDAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMP,GAAA,EAAK,+BAAA;AAAA;AAAA,EAEL,IAAA,EAAM;AACR,CAAA;AAKO,IAAM,MAAA,GAAS;AAAA;AAAA,EAEpB,qBAAA,EAAuB,uBAAA;AAAA,EAEuD;AAAA,EAE9E,UAAA,EAAY;AAAA,IACV,QAAA,EAAU,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,YAAA,CAAA;AAAA,IACrC,cAAc,CAAC,KAAA,EAAe,SAAiB,CAAA,EAAG,KAAK,cAAc,IAAI,CAAA,CAAA;AAAA,IACzE,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC5E,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,CAAA;AAAA,IAC1E,cAAA,EAAgB,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,kBAAA,CAAA;AAAA,IAC3C,aAAA,EAAe,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,sBAAA,CAAA;AAAA,IAC1C,WAAA,EAAa,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,oBAAA,CAAA;AAAA,IACxC,YAAA,EAAc,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,qBAAA,CAAA;AAAA,IACzC,YAAA,EAAc,CAAC,KAAA,EAAe,MAAA,KAAsB,CAAA,EAAG,KAAK,CAAA,iBAAA,EAAoB,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,IACjG,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,uBAAuB,GAAG,CAAA,MAAA,CAAA;AAAA,IAC7E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,sBAAsB,GAAG,CAAA,MAAA;AAAA;AAEhF,CAAA;;;AClTO,SAAS,aAAA,CAAc,OAAA,GAAyB,EAAC,EAAmB;AACzE,EAAA,MAAM;AAAA,IACJ,qBAAA,GAAwB,IAAA;AAAA,IACxB,SAAA,GAAY,IAAA;AAAA,IACZ,OAAA,GAAU,IAAA;AAAA,IACV,eAAe,OAAA,CAAQ,aAAA;AAAA,IACvB,IAAA,GAAO,IAAA;AAAA,IACP,iBAAiB,OAAA,CAAQ,eAAA;AAAA,IACzB,oBAAoB,OAAA,CAAQ,kBAAA;AAAA,IAC5B,YAAA,GAAe,IAAA;AAAA,IACf,uBAAA,GAA0B,aAAA;AAAA,IAC1B,yBAAA,GAA4B,aAAA;AAAA,IAC5B,yBAAA,GAA4B,cAAA;AAAA,IAC5B,kBAAA,GAAqB,IAAA;AAAA,IACrB,kBAAA,GAAqB;AAAA,GACvB,GAAI,OAAA;AAEJ,EAAA,OAAO,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AAE1D,IAAA,IAAI,qBAAA,EAAuB;AACzB,MAAA,MAAM,GAAA,GAAM,OAAO,qBAAA,KAA0B,QAAA,GACzC,wBACA,OAAA,CAAQ,WAAA;AACZ,MAAA,GAAA,CAAI,SAAA,CAAU,2BAA2B,GAAG,CAAA;AAAA,IAC9C;AAIA,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,GAAA,CAAI,SAAA,CAAU,oBAAoB,GAAG,CAAA;AAAA,IACvC;AAGA,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,GAAA,CAAI,SAAA,CAAU,wBAAA,EAA0B,OAAA,CAAQ,oBAAoB,CAAA;AAAA,IACtE;AAGA,IAAA,IAAI,YAAA,EAAc;AAChB,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAmB,YAAY,CAAA;AAAA,IAC/C;AAOA,IAAA,MAAM,cAAA,GAAkB,GAAA,CAAI,OAAA,CAAQ,mBAAmB,CAAA,EACnD,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,CACb,IAAA,EAAK,CACL,WAAA,EAAY;AACf,IAAA,MAAM,qBAAA,GAAwB,cAAA,KAAmB,OAAA,IAAW,cAAA,KAAmB,SAC3E,cAAA,GACA,MAAA;AACJ,IAAA,MAAM,OAAA,GAAU,GAAA,CAAI,MAAA,IAAU,qBAAA,KAA0B,OAAA;AAExD,IAAA,IAAI,QAAQ,OAAA,EAAS;AACnB,MAAA,MAAM,QAAA,GAAwB,OAAO,IAAA,KAAS,QAAA,GAAW,OAAO,EAAC;AACjE,MAAA,MAAM,MAAA,GAAS,QAAA,CAAS,MAAA,IAAU,OAAA,CAAQ,YAAA;AAC1C,MAAA,MAAM,iBAAA,GAAoB,SAAS,iBAAA,KAAsB,KAAA;AACzD,MAAA,MAAM,OAAA,GAAU,SAAS,OAAA,KAAY,IAAA;AAErC,MAAA,IAAI,SAAA,GAAY,WAAW,MAAM,CAAA,CAAA;AACjC,MAAA,IAAI,mBAAmB,SAAA,IAAa,qBAAA;AACpC,MAAA,IAAI,SAAS,SAAA,IAAa,WAAA;AAE1B,MAAA,GAAA,CAAI,SAAA,CAAU,6BAA6B,SAAS,CAAA;AAAA,IACtD;AAGA,IAAA,IAAI,cAAA,EAAgB;AAClB,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAmB,cAAc,CAAA;AAAA,IACjD;AAGA,IAAA,IAAI,iBAAA,EAAmB;AACrB,MAAA,GAAA,CAAI,SAAA,CAAU,sBAAsB,iBAAiB,CAAA;AAAA,IACvD;AAGA,IAAA,IAAI,uBAAA,EAAyB;AAC3B,MAAA,GAAA,CAAI,SAAA,CAAU,8BAA8B,uBAAuB,CAAA;AAAA,IACrE;AAEA,IAAA,IAAI,yBAAA,EAA2B;AAC7B,MAAA,GAAA,CAAI,SAAA,CAAU,gCAAgC,yBAAyB,CAAA;AAAA,IACzE;AAEA,IAAA,IAAI,yBAAA,EAA2B;AAC7B,MAAA,GAAA,CAAI,SAAA,CAAU,gCAAgC,yBAAyB,CAAA;AAAA,IACzE;AAGA,IAAA,IAAI,kBAAA,EAAoB;AACtB,MAAA,GAAA,CAAI,SAAA,CAAU,wBAAwB,IAAI,CAAA;AAAA,IAC5C;AAGA,IAAA,IAAI,kBAAA,EAAoB;AACtB,MAAA,GAAA,CAAI,SAAA,CAAU,0BAA0B,KAAK,CAAA;AAAA,IAC/C;AAGA,IAAA,GAAA,CAAI,SAAA,CAAU,qCAAqC,MAAM,CAAA;AAGzD,IAAA,IAAI,YAAA,EAAc;AAChB,MAAA,MAAM,iBAAA,GAAoB,OAAO,YAAA,KAAiB,QAAA,GAC9C,eACA,OAAA,CAAQ,aAAA;AACZ,MAAA,GAAA,CAAI,SAAA,CAAU,iBAAiB,iBAAiB,CAAA;AAChD,MAAA,GAAA,CAAI,SAAA,CAAU,UAAU,UAAU,CAAA;AAClC,MAAA,GAAA,CAAI,SAAA,CAAU,WAAW,GAAG,CAAA;AAAA,IAC9B;AAGA,IAAA,GAAA,CAAI,aAAa,cAAc,CAAA;AAE/B,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAMO,IAAM,eAAA,GAAkB;;;ACnHxB,SAAS,iBAAA,CAAkB,OAAA,GAA4B,EAAC,EAA0B;AACvF,EAAA,MAAM;AAAA,IACJ,MAAM,UAAA,CAAW,oBAAA;AAAA,IACjB,WAAW,UAAA,CAAW,iBAAA;AAAA,IACtB,UAAU,UAAA,CAAW,eAAA;AAAA,IACrB,aAAa,UAAA,CAAW,mBAAA;AAAA,IACxB,YAAA,GAAe,CAAC,GAAA,KAAQ;AACtB,MAAA,MAAM,EAAA,GAAK,GAAA,CAAI,EAAA,IAAM,GAAA,CAAI,MAAA,EAAQ,aAAA;AACjC,MAAA,IAAI,IAAI,OAAO,EAAA;AAIf,MAAA,MAAM,EAAA,GAAM,GAAA,CAAI,OAAA,CAAQ,YAAY,CAAA,IAAK,EAAA;AACzC,MAAA,MAAM,IAAA,GAAQ,GAAA,CAAI,OAAA,CAAQ,iBAAiB,CAAA,IAAK,EAAA;AAChD,MAAA,MAAM,EAAA,GAAK,CAAA,EAAG,EAAE,CAAA,CAAA,EAAI,IAAI,CAAA,CAAA;AAExB,MAAA,IAAI,IAAA,GAAO,CAAA;AACX,MAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,EAAA,CAAG,MAAA,EAAQ,CAAA,EAAA,EAAK,IAAA,GAAA,CAAS,IAAA,IAAQ,CAAA,IAAK,IAAA,GAAO,EAAA,CAAG,UAAA,CAAW,CAAC,CAAA,GAAK,CAAA;AACrF,MAAA,OAAO,CAAA,QAAA,EAAW,IAAA,CAAK,QAAA,CAAS,EAAE,CAAC,CAAA,CAAA;AAAA,IACrC,CAAA;AAAA,IACA,IAAA;AAAA,IACA,KAAA,EAAO;AAAA,GACT,GAAI,OAAA;AAIJ,EAAA,MAAM,aAAA,mBAAgB,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA;AAGxC,EAAA,IAAI,eAAA,GAAyD,IAAA;AAE7D,EAAA,IAAI,CAAC,aAAA,EAAe;AAClB,IAAA,eAAA,GAAkB,YAAY,MAAM;AAClC,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,aAAa,CAAA,EAAG;AAC5C,QAAA,IAAI,aAAA,CAAc,GAAG,CAAA,CAAE,SAAA,GAAY,GAAA,EAAK;AACtC,UAAA,OAAO,cAAc,GAAG,CAAA;AAAA,QAC1B;AAAA,MACF;AAAA,IACF,GAAG,QAAQ,CAAA;AAGX,IAAA,IAAI,OAAO,eAAA,CAAgB,KAAA,KAAU,UAAA,EAAY;AAC/C,MAAA,eAAA,CAAgB,KAAA,EAAM;AAAA,IACxB;AAAA,EACF;AAEA,EAAA,MAAM,OAAA,GAA0B,OAAO,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AACzF,IAAA,IAAI;AACF,MAAA,IAAI,IAAA,GAAO,GAAG,CAAA,EAAG;AACf,QAAA,OAAO,IAAA,EAAK;AAAA,MACd;AAEA,MAAA,MAAM,GAAA,GAAM,aAAa,GAAG,CAAA;AAC5B,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,MAAA,IAAI,KAAA;AACJ,MAAA,IAAI,SAAA;AAEJ,MAAA,IAAI,aAAA,EAAe;AAEjB,QAAA,MAAM,KAAA,GAAQ,MAAM,aAAA,CAAc,GAAA,CAAI,GAAG,CAAA;AACzC,QAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,SAAA,GAAY,GAAA,EAAK;AACnC,UAAA,MAAM,aAAA,CAAc,IAAI,GAAA,EAAK,EAAE,OAAO,CAAA,EAAG,SAAA,EAAW,GAAA,GAAM,QAAA,EAAU,CAAA;AACpE,UAAA,KAAA,GAAQ,CAAA;AACR,UAAA,SAAA,GAAY,GAAA,GAAM,QAAA;AAAA,QACpB,CAAA,MAAO;AACL,UAAA,KAAA,GAAQ,MAAM,aAAA,CAAc,SAAA,CAAU,GAAG,CAAA;AACzC,UAAA,SAAA,GAAY,KAAA,CAAM,SAAA;AAAA,QACpB;AAAA,MACF,CAAA,MAAO;AAEL,QAAA,IAAI,CAAC,cAAc,GAAG,CAAA,IAAK,cAAc,GAAG,CAAA,CAAE,YAAY,GAAA,EAAK;AAC7D,UAAA,aAAA,CAAc,GAAG,CAAA,GAAI,EAAE,OAAO,CAAA,EAAG,SAAA,EAAW,MAAM,QAAA,EAAS;AAAA,QAC7D,CAAA,MAAO;AACL,UAAA,aAAA,CAAc,GAAG,CAAA,CAAE,KAAA,EAAA;AAAA,QACrB;AACA,QAAA,KAAA,GAAQ,aAAA,CAAc,GAAG,CAAA,CAAE,KAAA;AAC3B,QAAA,SAAA,GAAY,aAAA,CAAc,GAAG,CAAA,CAAE,SAAA;AAAA,MACjC;AAEA,MAAA,MAAM,SAAA,GAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,MAAM,KAAK,CAAA;AACzC,MAAA,MAAM,YAAA,GAAe,IAAA,CAAK,IAAA,CAAA,CAAM,SAAA,GAAY,OAAO,GAAI,CAAA;AAGvD,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,GAAA,CAAI,QAAA,EAAU,CAAA;AACjD,MAAA,GAAA,CAAI,SAAA,CAAU,uBAAA,EAAyB,SAAA,CAAU,QAAA,EAAU,CAAA;AAC3D,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,YAAA,CAAa,QAAA,EAAU,CAAA;AAE1D,MAAA,IAAI,QAAQ,GAAA,EAAK;AACf,QAAA,GAAA,CAAI,SAAA,CAAU,aAAA,EAAe,YAAA,CAAa,QAAA,EAAU,CAAA;AACpD,QAAA,GAAA,CAAI,MAAA,CAAO,UAAU,CAAA,CAAE,IAAA,CAAK;AAAA,UAC1B,KAAA,EAAO,OAAA;AAAA,UACP,UAAA,EAAY;AAAA,SACb,CAAA;AACD,QAAA;AAAA,MACF;AAEA,MAAA,IAAA,EAAK;AAAA,IACP,SAAS,KAAA,EAAO;AAGd,MAAA,OAAA,CAAQ,KAAA,CAAM,+DAA+D,KAAK,CAAA;AAClF,MAAA,IAAI;AACF,QAAA,MAAM,GAAA,GAAM,aAAa,GAAG,CAAA;AAC5B,QAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,QAAA,IAAI,CAAC,cAAc,GAAG,CAAA,IAAK,cAAc,GAAG,CAAA,CAAE,YAAY,GAAA,EAAK;AAC7D,UAAA,aAAA,CAAc,GAAG,CAAA,GAAI,EAAE,OAAO,CAAA,EAAG,SAAA,EAAW,MAAM,QAAA,EAAS;AAAA,QAC7D,CAAA,MAAO;AACL,UAAA,aAAA,CAAc,GAAG,CAAA,CAAE,KAAA,EAAA;AAAA,QACrB;AACA,QAAA,MAAM,KAAA,GAAQ,aAAA,CAAc,GAAG,CAAA,CAAE,KAAA;AACjC,QAAA,IAAI,QAAQ,GAAA,EAAK;AACf,UAAA,MAAM,YAAA,GAAe,KAAK,IAAA,CAAA,CAAM,aAAA,CAAc,GAAG,CAAA,CAAE,SAAA,GAAY,OAAO,GAAI,CAAA;AAC1E,UAAA,GAAA,CAAI,SAAA,CAAU,aAAA,EAAe,YAAA,CAAa,QAAA,EAAU,CAAA;AACpD,UAAA,GAAA,CAAI,MAAA,CAAO,UAAU,CAAA,CAAE,IAAA,CAAK,EAAE,KAAA,EAAO,OAAA,EAAS,UAAA,EAAY,YAAA,EAAc,CAAA;AACxE,UAAA;AAAA,QACF;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAER;AACA,MAAA,IAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAA;AAGA,EAAA,MAAM,UAAA,GAAa,OAAA;AACnB,EAAA,UAAA,CAAW,QAAQ,MAAM;AACvB,IAAA,IAAI,eAAA,EAAiB;AACnB,MAAA,aAAA,CAAc,eAAe,CAAA;AAC7B,MAAA,eAAA,GAAkB,IAAA;AAAA,IACpB;AAAA,EACF,CAAA;AAEA,EAAA,OAAO,UAAA;AACT;AAMO,IAAM,SAAA,GAAY;;;ACpKzB,IAAM,wBAAA,GAAqC;AAAA;AAAA,EAEzC,qEAAA;AAAA,EACA,2DAAA;AAAA,EACA,+CAAA;AAAA,EACA,qDAAA;AAAA,EACA,4CAAA;AAAA;AAAA,EAEA,yEAAA;AAAA;AAAA,EAEA,0DAAA;AAAA;AAAA,EAEA,oEAAA;AAAA;AAAA,EAEA,oCAAA;AAAA;AAAA,EAEA;AACF,CAAA;AAKO,SAAS,sBAAsB,OAAA,EAA0B;AAC9D,EAAA,OAAO,yBAAyB,IAAA,CAAK,CAAA,OAAA,KAAW,OAAA,CAAQ,IAAA,CAAK,OAAO,CAAC,CAAA;AACvE;AA4BO,SAAS,YAAA,CACd,UAAyC,KAAA,EAC8B;AACvE,EAAA,MAAM,QAAQ,OAAO,OAAA,KAAY,SAAA,GAAY,OAAA,GAAU,QAAQ,KAAA,IAAS,KAAA;AACxE,EAAA,MAAM,YAAY,OAAO,OAAA,KAAY,QAAA,GAAW,OAAA,CAAQ,aAAa,IAAA,GAAO,IAAA;AAC5E,EAAA,MAAM,MAAA,GAAS,OAAO,OAAA,KAAY,QAAA,GAAW,QAAQ,MAAA,GAAS,MAAA;AAC9D,EAAA,MAAM,aAAA,GAAgB,OAAO,OAAA,KAAY,QAAA,GAAW,QAAQ,aAAA,GAAgB,MAAA;AAE5E,EAAA,OAAO,CAAC,GAAA,EAAgB,GAAA,EAAc,GAAA,EAAe,KAAA,KAAwB;AAC3E,IAAA,MAAM,UAAA,GAAa,GAAA,CAAI,UAAA,IAAc,GAAA,CAAI,MAAA,IAAU,GAAA;AAGnD,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,OAAO,aAAA,CAAc,GAAA,EAAK,GAAA,EAAK,GAAG,CAAA;AAAA,IACpC;AAGA,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,MAAM,OAAA,GAAU;AAAA,QACd,OAAO,GAAA,CAAI,OAAA;AAAA,QACX,OAAO,GAAA,CAAI,KAAA;AAAA,QACX,UAAA;AAAA,QACA,MAAM,GAAA,CAAI,IAAA;AAAA,QACV,QAAQ,GAAA,CAAI;AAAA,OACd;AAEA,MAAA,IAAI,MAAA,EAAQ;AACV,QAAA,MAAA,CAAO,KAAA,CAAM,iBAAiB,OAAO,CAAA;AAAA,MACvC,CAAA,MAAO;AACL,QAAA,OAAA,CAAQ,KAAA,CAAM,0BAA0B,OAAO,CAAA;AAAA,MACjD;AAAA,IACF;AAMA,IAAA,MAAM,aAAA,GAAgB,KAAA,IAAS,GAAA,CAAI,MAAA,KAAW,IAAA;AAE9C,IAAA,IAAI,aAAA;AACJ,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,aAAA,GAAgB,MAAA,CAAO,qBAAA;AAAA,IACzB,CAAA,MAAA,IAAW,qBAAA,CAAsB,GAAA,CAAI,OAAO,CAAA,EAAG;AAE7C,MAAA,aAAA,GAAgB,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,MAAA,CAAO,qBAAA;AAAA,IAC/C,CAAA,MAAO;AACL,MAAA,aAAA,GAAgB,GAAA,CAAI,OAAA;AAAA,IACtB;AAEA,IAAA,MAAM,QAAA,GAAoC;AAAA,MACxC,KAAA,EAAO;AAAA,KACT;AAGA,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,QAAA,CAAS,QAAQ,GAAA,CAAI,KAAA;AACrB,MAAA,QAAA,CAAS,UAAU,GAAA,CAAI,OAAA;AAAA,IACzB;AAEA,IAAA,GAAA,CAAI,MAAA,CAAO,UAAU,CAAA,CAAE,IAAA,CAAK,QAAQ,CAAA;AAAA,EACtC,CAAA;AACF;AAMO,IAAM,kBAAA,GAAqB;;;AC5H3B,IAAM,UAAA,GAAN,cAAyB,KAAA,CAAM;AAAA,EAMpC,WAAA,CAAY,OAAA,EAAiB,UAAA,GAAa,GAAA,EAAK,OAAO,aAAA,EAAe;AACnE,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,YAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAGZ,IAAA,IAAA,CAAK,SAAS,UAAA,GAAa,GAAA;AAG3B,IAAA,IAAI,MAAM,iBAAA,EAAmB;AAC3B,MAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAAA,IAChD;AAAA,EACF;AACF,CAAA;AAkCO,IAAM,kBAAA,GAAN,cAAiC,UAAA,CAAW;AAAA,EAIjD,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA,EAAU,GAAA,EAAK,iBAAiB,CAAA;AAC9E,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF,CAAA;AAKO,IAAM,mBAAA,GAAN,cAAkC,UAAA,CAAW;AAAA,EAIlD,WAAA,CAAY,YAAoB,OAAA,EAAiB;AAC/C,IAAA,KAAA,CAAM,sCAAA,EAAwC,KAAK,iBAAiB,CAAA;AACpE,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF,CAAA;;;AC1DA,IAAM,gBAAA,GAA2C;AAAA,EAC/C,GAAA,EAAK,KAAA;AAAA,EACL,aAAA,EAAe,KAAA;AAAA,EACf,eAAA,EAAiB,OAAA;AAAA,EACjB,cAAA,EAAgB,MAAA;AAAA,EAChB,iBAAA,EAAmB,SAAA;AAAA,EACnB,mBAAA,EAAqB,WAAA;AAAA,EACrB,gBAAA,EAAkB,QAAA;AAAA,EAClB,IAAA,EAAM,MAAA;AAAA,EACN,GAAA,EAAK;AACP,CAAA;AAOO,SAAS,uBAAuB,MAAA,EAAyC;AAC9E,EAAA,OAAO,CAAC,GAAA,EAAK,GAAA,EAAK,IAAA,KAAS;AACzB,IAAA,MAAM,KAAA,GAAQ,YAAY,GAAA,EAAI;AAE9B,IAAA,GAAA,CAAI,EAAA,CAAG,UAAU,MAAM;AACrB,MAAA,IAAI;AACF,QAAA,MAAM,KAAA,GAAQ,WAAW,GAAA,EAAK,GAAA,CAAI,YAAY,WAAA,CAAY,GAAA,KAAQ,KAAK,CAAA;AACvE,QAAA,MAAA,CAAO,OAAO,KAAK,CAAA;AAAA,MACrB,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF,CAAC,CAAA;AAED,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAMO,SAAS,oBAAoB,OAAA,EAAyC;AAC3E,EAAA,OAAO,CAAC,GAAA,EAAK,GAAA,EAAK,IAAA,KAAS;AACzB,IAAA,OAAA,CAAQ,GAAA,EAAK,GAAA,EAAK,CAAC,GAAA,KAAkB;AACnC,MAAA,IAAI,eAAe,mBAAA,EAAqB;AACtC,QAAA,MAAM,MAAA,GAAS,gBAAA,CAAiB,GAAA,CAAI,UAAU,KAAK,GAAA,CAAI,UAAA;AACvD,QAAA,GAAA,CAAI,OAAA,GAAU;AAAA,UACZ,MAAA;AAAA,UACA,IAAA,EAAM,GAAG,MAAM,CAAA,MAAA,CAAA;AAAA,UACf,QAAA,EAAU,MAAA;AAAA,UACV,gBAAgB,GAAA,CAAI,OAAA;AAAA,UACpB,QAAQ,GAAA,CAAI,OAAA;AAAA,UACZ,QAAA,EAAU;AAAA,SACZ;AAAA,MACF;AACA,MAAA,IAAA,CAAK,GAAG,CAAA;AAAA,IACV,CAAC,CAAA;AAAA,EACH,CAAA;AACF;AAEA,SAAS,UAAA,CAAW,GAAA,EAAc,MAAA,EAAgB,SAAA,EAAmC;AACnF,EAAA,MAAM,SAAS,GAAA,CAAI,OAAA;AACnB,EAAA,MAAM,QAAA,GAAW,MAAA,EAAQ,QAAA,IAAY,aAAA,CAAc,MAAM,CAAA;AAIzD,EAAA,OAAO;AAAA,IACL,EAAA,EAAA,iBAAI,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,IAC3B,EAAA,EAAI,UAAU,GAAG,CAAA;AAAA,IACjB,MAAA,EAAA,CAAS,GAAA,CAAI,MAAA,IAAU,KAAA,EAAO,WAAA,EAAY;AAAA,IAC1C,IAAA,EAAM,GAAA,CAAI,IAAA,IAAQ,GAAA,CAAI,GAAA,IAAO,GAAA;AAAA,IAC7B,QAAA;AAAA,IACA,MAAA,EAAQ,MAAA,EAAQ,MAAA,KAAW,MAAA,KAAW,MAAM,YAAA,GAAe,MAAA,CAAA;AAAA,IAC3D,IAAA,EAAM,MAAA,EAAQ,IAAA,KAAS,MAAA,KAAW,MAAM,qBAAA,GAAwB,MAAA,CAAA;AAAA,IAChE,QAAA,EAAU,MAAA,EAAQ,QAAA,KAAa,MAAA,KAAW,MAAM,QAAA,GAAW,MAAA,CAAA;AAAA,IAC3D,SAAA,EAAW,OAAO,GAAA,CAAI,OAAA,GAAU,YAAY,MAAM,QAAA,GAAW,GAAA,CAAI,OAAA,CAAQ,YAAY,CAAA,GAAI,EAAA;AAAA,IACzF,QAAQ,MAAA,EAAQ,MAAA;AAAA,IAChB,MAAA;AAAA,IACA,gBAAgB,MAAA,EAAQ,cAAA;AAAA,IACxB,SAAA,EAAW,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,SAAS;AAAA,GAClC;AACF;AAEA,SAAS,cAAc,MAAA,EAAmC;AACxD,EAAA,IAAI,MAAA,KAAW,KAAK,OAAO,MAAA;AAC3B,EAAA,IAAI,MAAA,KAAW,KAAK,OAAO,MAAA;AAC3B,EAAA,IAAI,MAAA,KAAW,KAAK,OAAO,MAAA;AAC3B,EAAA,OAAO,OAAA;AACT;AAEA,SAAS,UAAU,GAAA,EAAsB;AACvC,EAAA,IAAI,OAAO,IAAI,EAAA,KAAO,QAAA,IAAY,IAAI,EAAA,CAAG,MAAA,GAAS,CAAA,EAAG,OAAO,GAAA,CAAI,EAAA;AAChE,EAAA,MAAM,MAAA,GAAS,IAAI,MAAA,EAAQ,aAAA;AAC3B,EAAA,OAAO,OAAO,MAAA,KAAW,QAAA,GAAW,MAAA,GAAS,SAAA;AAC/C;;;AC7GO,SAAS,mBAAmB,GAAA,EAAqB;AACtD,EAAA,OAAO,IACJ,OAAA,CAAQ,IAAA,EAAM,OAAO,CAAA,CACrB,OAAA,CAAQ,MAAM,MAAM,CAAA,CACpB,QAAQ,IAAA,EAAM,MAAM,EACpB,OAAA,CAAQ,IAAA,EAAM,QAAQ,CAAA,CACtB,OAAA,CAAQ,MAAM,QAAQ,CAAA;AAC3B;;;ACYO,SAAS,WAAA,CAAY,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAO,aAAa,KAAA,EAAgC;AAC9G,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAInB,EAAA,KAAA,MAAW,WAAW,mBAAA,EAAqB;AACzC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,KAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAEA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,EAAE,CAAA;AACjC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAMA,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,MAAM,OAAA,GAAU,mBAAmB,KAAK,CAAA;AACxC,IAAA,IAAI,YAAY,KAAA,EAAO;AACrB,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AACA,IAAA,KAAA,GAAQ,OAAA;AAAA,EACV;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;;;AC7DO,SAAS,WAAA,CAAY,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAC1F,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,KAAA,MAAW,WAAW,YAAA,EAAc;AAElC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,eAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAIA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,GAAG,CAAA;AAClC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AASO,SAAS,UAAU,KAAA,EAAwB;AAChD,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAEtC,EAAA,KAAA,MAAW,WAAW,YAAA,EAAc;AAClC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;AC/DO,SAAS,YAAA,CAAa,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAC3F,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAInB,EAAA,KAAA,GAAQ,KAAA,CAAM,UAAU,MAAM,CAAA;AAI9B,EAAA,IAAI,IAAA;AACJ,EAAA,GAAG;AACD,IAAA,IAAA,GAAO,KAAA;AACP,IAAA,KAAA,MAAW,WAAW,aAAA,EAAe;AACnC,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,QAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,QAAA,IAAI,cAAA,EAAgB;AAClB,UAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,UAAA,IAAI,OAAA,EAAS;AACX,YAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,cAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,gBACX,IAAA,EAAM,gBAAA;AAAA,gBACN,SAAS,OAAA,CAAQ,MAAA;AAAA,gBACjB,QAAA,EAAU;AAAA,eACX,CAAA;AAAA,YACH;AAAA,UACF;AAAA,QACF;AAEA,QAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,EAAE,CAAA;AACjC,QAAA,YAAA,GAAe,IAAA;AAAA,MACjB;AAAA,IACF;AAAA,EACF,SAAS,KAAA,KAAU,IAAA;AAEnB,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;;;AClDO,SAAS,eAAA,CAAgB,KAAA,EAAe,cAAA,GAAiB,KAAA,EAAgC;AAC9F,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,OAAO,cAAA,GACH,EAAE,KAAA,EAAO,MAAA,CAAO,KAAK,CAAA,EAAG,YAAA,EAAc,KAAA,EAAO,OAAA,EAAS,EAAC,EAAE,GACzD,OAAO,KAAK,CAAA;AAAA,EAClB;AAEA,EAAA,MAAM,UAAwB,EAAC;AAC/B,EAAA,IAAI,KAAA,GAAQ,KAAA;AACZ,EAAA,IAAI,YAAA,GAAe,KAAA;AAEnB,EAAA,KAAA,MAAW,WAAW,gBAAA,EAAkB;AAEtC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AAEpB,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,MAAM,OAAA,GAAU,KAAA,CAAM,KAAA,CAAM,OAAO,CAAA;AACnC,QAAA,IAAI,OAAA,EAAS;AACX,UAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,YAAA,OAAA,CAAQ,IAAA,CAAK;AAAA,cACX,IAAA,EAAM,mBAAA;AAAA,cACN,SAAS,OAAA,CAAQ,MAAA;AAAA,cACjB,QAAA,EAAU;AAAA,aACX,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAEA,MAAA,KAAA,GAAQ,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,GAAG,CAAA;AAClC,MAAA,YAAA,GAAe,IAAA;AAAA,IACjB;AAAA,EACF;AAEA,EAAA,IAAI,cAAA,EAAgB;AAClB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,EAAc,OAAA,EAAQ;AAAA,EACxC;AAEA,EAAA,OAAO,KAAA;AACT;AASO,SAAS,uBAAuB,KAAA,EAAwB;AAC7D,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAEtC,EAAA,KAAA,MAAW,WAAW,gBAAA,EAAkB;AACtC,IAAA,OAAA,CAAQ,SAAA,GAAY,CAAA;AACpB,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;;;ACjDO,SAAS,cAAA,CAAe,KAAA,EAAe,OAAA,GAA2B,EAAC,EAAW;AACnF,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,EAAU,OAAO,KAAA;AAGtC,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,OAAA,IAAW,KAAA,CAAM,gBAAA;AACzC,EAAA,IAAI,KAAA,CAAM,SAAS,OAAA,EAAS;AAC1B,IAAA,MAAM,IAAI,kBAAA,CAAmB,OAAA,EAAS,KAAA,CAAM,MAAM,CAAA;AAAA,EACpD;AAIA,EAAA,MAAM,MAAA,GAAS,QAAQ,IAAA,KAAS,QAAA;AAChC,EAAA,IAAI,MAAA,GAAS,KAAA;AAGb,EAAA,IAAI,OAAA,CAAQ,QAAQ,KAAA,EAAO;AACzB,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAI,SAAA,CAAU,MAAM,CAAA,EAAG;AACrB,QAAA,MAAM,IAAI,mBAAA,CAAoB,eAAA,EAAiB,+BAA+B,CAAA;AAAA,MAChF;AAAA,IACF,CAAA,MAAO;AACL,MAAA,MAAA,GAAS,YAAY,MAAM,CAAA;AAAA,IAC7B;AAAA,EACF;AAGA,EAAA,IAAI,OAAA,CAAQ,SAAS,KAAA,EAAO;AAC1B,IAAA,MAAA,GAAS,aAAa,MAAM,CAAA;AAAA,EAC9B;AAGA,EAAA,IAAI,OAAA,CAAQ,YAAY,KAAA,EAAO;AAC7B,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAI,sBAAA,CAAuB,MAAM,CAAA,EAAG;AAClC,QAAA,MAAM,IAAI,mBAAA,CAAoB,mBAAA,EAAqB,uCAAuC,CAAA;AAAA,MAC5F;AAAA,IACF,CAAA,MAAO;AACL,MAAA,MAAA,GAAS,gBAAgB,MAAM,CAAA;AAAA,IACjC;AAAA,EACF;AAIA,EAAA,IAAI,OAAA,CAAQ,QAAQ,KAAA,EAAO;AACzB,IAAA,MAAA,GAAS,WAAA,CAAY,MAAA,EAAQ,KAAA,EAAO,OAAA,CAAQ,cAAc,KAAK,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,MAAA;AACT;AAUO,SAAS,cAAA,CAAe,GAAA,EAAc,OAAA,GAA2B,EAAC,EAAY;AACnF,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,cAAA,CAAe,KAAK,OAAO,CAAA;AAC/D,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AACpC,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG,OAAO,GAAA,CAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,cAAA,CAAe,IAAA,EAAM,OAAO,CAAC,CAAA;AAE5E,EAAA,MAAM,MAAA,GAAS,mBAAA,CAAoB,GAAA,EAAgC,OAAA,EAAS,CAAC,CAAA;AAC7E,EAAA,OAAO,OAAA,CAAQ,MAAA,GAAS,MAAA,CAAO,MAAA,CAAO,MAAM,CAAA,GAAI,MAAA;AAClD;AAKA,SAAS,mBAAA,CACP,GAAA,EACA,OAAA,EACA,KAAA,EACyB;AACzB,EAAA,IAAI,KAAA,IAAS,KAAA,CAAM,mBAAA,EAAqB,OAAO,GAAA;AAE/C,EAAA,MAAM,SAAkC,EAAC;AAEzC,EAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA,EAAG;AAElC,IAAA,IAAI,OAAA,CAAQ,UAAU,KAAA,IAAS,oBAAA,CAAqB,IAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAC1E,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,QAAQ,KAAA,KAAU,KAAA,IAAS,oBAAA,CAAqB,GAAA,CAAI,GAAG,CAAA,EAAG;AAC5D,MAAA;AAAA,IACF;AAIA,IAAA,MAAM,YAAA,GAAe,cAAA,CAAe,GAAA,EAAK,OAAO,CAAA;AAGhD,IAAA,MAAM,KAAA,GAAQ,IAAI,GAAG,CAAA;AACrB,IAAA,IAAI,KAAA,KAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,EAAW;AACzC,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,KAAA;AAAA,IACzB,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,EAAU;AACpC,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,cAAA,CAAe,KAAA,EAAO,OAAO,CAAA;AAAA,IACtD,CAAA,MAAA,IAAW,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AAC/B,MAAA,MAAA,CAAO,YAAY,IAAI,KAAA,CAAM,GAAA,CAAI,UAAQ,cAAA,CAAe,IAAA,EAAM,OAAO,CAAC,CAAA;AAAA,IACxE,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,EAAU;AACpC,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,mBAAA,CAAoB,KAAA,EAAkC,OAAA,EAAS,QAAQ,CAAC,CAAA;AAAA,IACjG,CAAA,MAAO;AACL,MAAA,MAAA,CAAO,YAAY,CAAA,GAAI,KAAA;AAAA,IACzB;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAeO,SAAS,eAAA,CAAgB,OAAA,GAA2B,EAAC,EAAmB;AAC7E,EAAA,OAAO,CAAC,GAAA,EAAc,IAAA,EAAgB,IAAA,KAAuB;AAC3D,IAAA,IAAI;AACF,MAAA,IAAI,GAAA,CAAI,IAAA,IAAQ,OAAO,GAAA,CAAI,SAAS,QAAA,EAAU;AAC5C,QAAA,GAAA,CAAI,IAAA,GAAO,cAAA,CAAe,GAAA,CAAI,IAAA,EAAM,OAAO,CAAA;AAAA,MAC7C;AACA,MAAA,IAAI,GAAA,CAAI,KAAA,IAAS,OAAO,GAAA,CAAI,UAAU,QAAA,EAAU;AAC9C,QAAA,MAAM,cAAA,GAAiB,cAAA,CAAe,GAAA,CAAI,KAAA,EAAO,OAAO,CAAA;AAExD,QAAA,MAAA,CAAO,cAAA,CAAe,GAAA,EAAK,OAAA,EAAS,EAAE,KAAA,EAAO,gBAAgB,QAAA,EAAU,IAAA,EAAM,YAAA,EAAc,IAAA,EAAM,CAAA;AAAA,MACnG;AACA,MAAA,IAAI,GAAA,CAAI,MAAA,IAAU,OAAO,GAAA,CAAI,WAAW,QAAA,EAAU;AAChD,QAAA,MAAM,eAAA,GAAkB,cAAA,CAAe,GAAA,CAAI,MAAA,EAAQ,OAAO,CAAA;AAC1D,QAAA,MAAA,CAAO,cAAA,CAAe,GAAA,EAAK,QAAA,EAAU,EAAE,KAAA,EAAO,iBAAiB,QAAA,EAAU,IAAA,EAAM,YAAA,EAAc,IAAA,EAAM,CAAA;AAAA,MACrG;AACA,MAAA,IAAA,EAAK;AAAA,IACP,SAAS,GAAA,EAAK;AACZ,MAAA,IAAA,CAAK,GAAG,CAAA;AAAA,IACV;AAAA,EACF,CAAA;AACF;;;ACnJO,SAAS,QAAA,CACd,MAAA,EACA,MAAA,GAAsC,MAAA,EACtB;AAChB,EAAA,OAAO,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AAC1D,IAAA,MAAM,IAAA,GAAO,GAAA,CAAI,MAAM,CAAA,IAAK,EAAC;AAC7B,IAAA,MAAM,SAAmB,EAAC;AAC1B,IAAA,MAAM,YAAqC,EAAC;AAE5C,IAAA,KAAA,MAAW,CAAC,KAAA,EAAO,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,MAAM,CAAA,EAAG;AACnD,MAAA,MAAM,KAAA,GAAQ,KAAK,KAAK,CAAA;AACxB,MAAA,MAAM,MAAA,GAAS,aAAA,CAAc,KAAA,EAAO,KAAA,EAAO,KAAK,CAAA;AAEhD,MAAA,IAAI,MAAA,CAAO,MAAA,CAAO,MAAA,GAAS,CAAA,EAAG;AAC5B,QAAA,MAAA,CAAO,IAAA,CAAK,GAAG,MAAA,CAAO,MAAM,CAAA;AAAA,MAC9B,CAAA,MAAA,IAAW,MAAA,CAAO,KAAA,KAAU,MAAA,EAAW;AACrC,QAAA,SAAA,CAAU,KAAK,IAAI,MAAA,CAAO,KAAA;AAAA,MAC5B;AAAA,IACF;AAEA,IAAA,IAAI,MAAA,CAAO,SAAS,CAAA,EAAG;AACrB,MAAA,GAAA,CAAI,OAAO,GAAG,CAAA,CAAE,IAAA,CAAK,EAAE,QAAQ,CAAA;AAC/B,MAAA;AAAA,IACF;AAGA,IAAA,GAAA,CAAI,MAAM,CAAA,GAAI,SAAA;AACd,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAKA,SAAS,aAAA,CACP,KAAA,EACA,KAAA,EACA,KAAA,EACuC;AACvC,EAAA,MAAM,SAAmB,EAAC;AAG1B,EAAA,IAAI,MAAM,QAAA,KAAa,KAAA,KAAU,UAAa,KAAA,KAAU,IAAA,IAAQ,UAAU,EAAA,CAAA,EAAK;AAC7E,IAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,QAAA,CAAS,KAAK,CAAC,CAAA;AAC7C,IAAA,OAAO,EAAE,MAAA,EAAO;AAAA,EAClB;AAGA,EAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,IAAA,EAAM;AACzC,IAAA,OAAO,EAAE,MAAA,EAAQ,EAAC,EAAE;AAAA,EACtB;AAEA,EAAA,IAAI,UAAA,GAAsB,KAAA;AAC1B,EAAA,IAAI,OAAA,GAAU,IAAA;AAGd,EAAA,QAAQ,MAAM,IAAA;AAAM,IAClB,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,QAAQ,CAAC,CAAA;AAC3D,QAAA,OAAA,GAAU,KAAA;AACV,QAAA;AAAA,MACF;AACA,MAAA,IAAI,MAAM,GAAA,KAAQ,MAAA,IAAa,KAAA,CAAM,MAAA,GAAS,MAAM,GAAA,EAAK;AACvD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,WAAW,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AAC1D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,MAAM,GAAA,KAAQ,MAAA,IAAa,KAAA,CAAM,MAAA,GAAS,MAAM,GAAA,EAAK;AACvD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,WAAW,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AAC1D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,MAAM,OAAA,IAAW,CAAC,MAAM,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG;AAC/C,QAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,cAAA,CAAe,KAAK,CAAC,CAAA;AACnD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AAIA,MAAA,IAAI,OAAA,IAAW,MAAM,IAAA,IAAQ,CAAC,MAAM,IAAA,CAAK,QAAA,CAAS,KAAK,CAAA,EAAG;AACxD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,aAAa,KAAA,EAAO,KAAA,CAAM,IAAI,CAAC,CAAA;AAC7D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,OAAA,IAAW,KAAA,CAAM,QAAA,KAAa,KAAA,EAAO;AACvC,QAAA,UAAA,GAAa,eAAe,KAAK,CAAA;AAAA,MACnC;AACA,MAAA;AAAA,IAEF,KAAK,QAAA;AACH,MAAA,UAAA,GAAa,OAAO,KAAK,CAAA;AACzB,MAAA,IAAI,KAAA,CAAM,UAAoB,CAAA,EAAG;AAC/B,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,QAAQ,CAAC,CAAA;AAC3D,QAAA,OAAA,GAAU,KAAA;AACV,QAAA;AAAA,MACF;AACA,MAAA,IAAI,KAAA,CAAM,GAAA,KAAQ,MAAA,IAAc,UAAA,GAAwB,MAAM,GAAA,EAAK;AACjE,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,UAAU,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AACzD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,KAAA,CAAM,GAAA,KAAQ,MAAA,IAAc,UAAA,GAAwB,MAAM,GAAA,EAAK;AACjE,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,UAAU,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AACzD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA,IAEF,KAAK,SAAA;AACH,MAAA,IAAI,UAAU,MAAA,IAAU,KAAA,KAAU,QAAQ,KAAA,KAAU,CAAA,IAAK,UAAU,GAAA,EAAK;AACtE,QAAA,UAAA,GAAa,IAAA;AAAA,MACf,CAAA,MAAA,IAAW,UAAU,OAAA,IAAW,KAAA,KAAU,SAAS,KAAA,KAAU,CAAA,IAAK,UAAU,GAAA,EAAK;AAC/E,QAAA,UAAA,GAAa,KAAA;AAAA,MACf,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,SAAS,CAAC,CAAA;AAC5D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA,IAEF,KAAK,OAAA;AACH,MAAA,IAAI,CAAC,UAAA,CAAW,KAAA,CAAM,KAAK,MAAA,CAAO,KAAK,CAAC,CAAA,EAAG;AACzC,QAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,aAAA,CAAc,KAAK,CAAC,CAAA;AAClD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,UAAA,GAAa,eAAe,MAAA,CAAO,KAAK,EAAE,WAAA,EAAY,CAAE,MAAM,CAAA;AAAA,MAChE;AACA,MAAA;AAAA,IAEF,KAAK,KAAA;AACH,MAAA,IAAI,CAAC,UAAA,CAAW,GAAA,CAAI,KAAK,MAAA,CAAO,KAAK,CAAC,CAAA,EAAG;AACvC,QAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,WAAA,CAAY,KAAK,CAAC,CAAA;AAChD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,UAAA,GAAa,cAAA,CAAe,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,MAC3C;AACA,MAAA;AAAA,IAEF,KAAK,MAAA;AACH,MAAA,IAAI,CAAC,UAAA,CAAW,IAAA,CAAK,KAAK,MAAA,CAAO,KAAK,CAAC,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAK,CAAC,CAAA;AACjD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA,IAEF,KAAK,OAAA;AACH,MAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACzB,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,OAAO,CAAC,CAAA;AAC1D,QAAA,OAAA,GAAU,KAAA;AACV,QAAA;AAAA,MACF;AACA,MAAA,IAAI,MAAM,GAAA,KAAQ,MAAA,IAAa,KAAA,CAAM,MAAA,GAAS,MAAM,GAAA,EAAK;AACvD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,UAAU,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AACzD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA,IAAI,MAAM,GAAA,KAAQ,MAAA,IAAa,KAAA,CAAM,MAAA,GAAS,MAAM,GAAA,EAAK;AACvD,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,UAAU,KAAA,EAAO,KAAA,CAAM,GAAG,CAAC,CAAA;AACzD,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA,IAEF,KAAK,QAAA;AACH,MAAA,IAAI,OAAO,UAAU,QAAA,IAAY,KAAA,CAAM,QAAQ,KAAK,CAAA,IAAK,UAAU,IAAA,EAAM;AACvE,QAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,YAAA,CAAa,KAAA,EAAO,QAAQ,CAAC,CAAA;AAC3D,QAAA,OAAA,GAAU,KAAA;AAAA,MACZ;AACA,MAAA;AAAA;AAIJ,EAAA,IAAI,OAAA,IAAW,KAAA,CAAM,IAAA,IAAQ,KAAA,CAAM,IAAA,KAAS,QAAA,IAAY,CAAC,KAAA,CAAM,IAAA,CAAK,QAAA,CAAS,UAAU,CAAA,EAAG;AACxF,IAAA,MAAA,CAAO,KAAK,MAAA,CAAO,UAAA,CAAW,aAAa,KAAA,EAAO,KAAA,CAAM,IAAI,CAAC,CAAA;AAC7D,IAAA,OAAA,GAAU,KAAA;AAAA,EACZ;AAGA,EAAA,IAAI,OAAA,IAAW,MAAM,MAAA,EAAQ;AAC3B,IAAA,MAAM,YAAA,GAAe,KAAA,CAAM,MAAA,CAAO,UAAU,CAAA;AAC5C,IAAA,IAAI,iBAAiB,MAAA,EAAW;AAC9B,MAAA,MAAM,IAAI,SAAA;AAAA,QACR,+BAA+B,KAAK,CAAA,oFAAA;AAAA,OAEtC;AAAA,IACF;AACA,IAAA,IAAI,iBAAiB,IAAA,EAAM;AACzB,MAAA,MAAA,CAAO,IAAA,CAAK,OAAO,YAAA,KAAiB,QAAA,IAAY,YAAA,CAAa,SAAS,CAAA,GAAI,YAAA,GAAe,CAAA,EAAG,KAAK,CAAA,WAAA,CAAa,CAAA;AAC9G,MAAA,OAAA,GAAU,KAAA;AAAA,IACZ;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,UAAU,UAAA,GAAa,MAAA;AAAA,IAC9B;AAAA,GACF;AACF;;;CCvN8C;AAAA;AAAA,EAE5C,YAAA,EAAc,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,GAAA,EAAM,GAAA,EAAM,GAAI,CAAC,CAAC,CAAA;AAAA,EAC9C,WAAA,EAAa,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,KAAM,EAAA,EAAM,EAAA,EAAM,EAAI,CAAC,CAAC,CAAA;AAAA,EACnD,WAAA,EAAa,CAAC,MAAA,CAAO,IAAA,CAAK,QAAQ,CAAA,EAAG,MAAA,CAAO,IAAA,CAAK,QAAQ,CAAC,CAAA;AAAA,EAC1D,YAAA,EAAc,CAAC,MAAA,CAAO,IAAA,CAAK,MAAM,CAAC,CAAA;AAAA;AAAA,EAClC,WAAA,EAAa,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,EAAA,EAAM,EAAI,CAAC,CAAC,CAAA;AAAA,EACrB;AAAA;AAAA,EAGlB,iBAAA,EAAmB,CAAC,MAAA,CAAO,IAAA,CAAK,MAAM,CAAC,CAAA;AAAA,EACvC,iBAAA,EAAmB,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,IAAM,EAAA,EAAM,CAAA,EAAM,CAAI,CAAC,CAAC,CAAA;AAAA;AAAA,EAGzD,YAAA,EAAc,CAAC,MAAA,CAAO,IAAA,CAAK,CAAC,GAAA,EAAM,GAAI,CAAC,CAAA,EAAG,MAAA,CAAO,IAAA,CAAK,CAAC,GAAA,EAAM,GAAI,CAAC,CAAA,EAAG,MAAA,CAAO,IAAA,CAAK,CAAC,EAAA,EAAM,EAAA,EAAM,EAAI,CAAC,CAAC,CAEtG;;;ACuBA,IAAM,gBAAA,GAAmB,GAAA;AACzB,IAAM,gBAAA,GAAmB,EAAA;AACzB,IAAM,iBAAA,GAAoB,GAAA;AAS1B,IAAM,YAAA,GAAe,oJAAA;AAGrB,IAAM,cAAA,uBAAqB,GAAA,CAAI;AAAA,EAC7B,WAAA;AAAA,EAAa,WAAA;AAAA,EAAa,aAAA;AAAA,EAAe,aAAA;AAAA,EAAe,SAAA;AAAA,EACxD,gBAAA;AAAA,EAAkB,WAAA;AAAA,EAAa,YAAA;AAAA,EAAc,UAAA;AAAA,EAAY,UAAA;AAAA,EACzD,YAAA;AAAA,EAAc,SAAA;AAAA,EAAW,SAAA;AAAA,EAAW,UAAA;AAAA,EAAY,SAAA;AAAA,EAChD,QAAA;AAAA,EAAU,SAAA;AAAA,EAAW,cAAA;AAAA,EAAgB,cAAA;AAAA,EAAgB;AACvD,CAAC,CAAA;AAGD,IAAM,kBAAA,uBAAyB,GAAA,CAAI;AAAA;AAAA,EAEjC,mBAAA;AAAA,EAAqB,mBAAA;AAAA,EAAqB,mBAAA;AAAA,EAC1C,cAAA;AAAA,EAAgB,eAAA;AAAA,EAAiB,cAAA;AAAA,EACjC,iBAAA;AAAA,EAAmB,eAAA;AAAA,EACnB,gBAAA;AAAA,EAAkB,gBAAA;AAAA,EAClB,aAAA;AAAA,EAAe,YAAA;AAAA,EAAc,aAAA;AAAA,EAC7B,iBAAA;AAAA,EAAmB,QAAA;AAAA,EAAU,oBAAA;AAAA,EAC7B,mBAAA;AAAA,EAAqB,kBAAA;AAAA,EACrB,eAAA;AAAA,EAAiB,cAAA;AAAA,EAAgB,eAAA;AAAA,EACjC,iBAAA;AAAA,EAAmB,aAAA;AAAA,EACnB,eAAA;AAAA,EAAiB,aAAA;AAAA,EACjB,YAAA;AAAA,EAAc,aAAA;AAAA,EACd,iBAAA;AAAA,EAAmB,eAAA;AAAA,EACnB,eAAA;AAAA,EAAiB,eAAA;AAAA,EACjB,eAAA;AAAA,EAAiB,aAAA;AAAA,EACjB,eAAA;AAAA,EAAiB,eAAA;AAAA,EACjB,aAAA;AAAA,EAAe,kBAAA;AAAA,EACf,eAAA;AAAA,EAAiB,eAAA;AAAA,EACjB,kBAAA;AAAA,EAAoB,aAAA;AAAA,EACpB,YAAA;AAAA,EAAc,YAAA;AAAA,EACd,aAAA;AAAA,EAAe,WAAA;AAAA,EACf,gBAAA;AAAA,EAAkB,WAAA;AAAA,EAClB,eAAA;AAAA,EAAiB,aAAA;AAAA,EACjB,kBAAA;AAAA,EAAoB,kBAAA;AAAA,EACpB,gBAAA;AAAA,EAAkB,aAAA;AAAA,EAClB,iBAAA;AAAA,EAAmB,iBAAA;AAAA,EACnB,gBAAA;AAAA,EAAkB,iBAAA;AAAA,EAClB,cAAA;AAAA,EAAgB,gBAAA;AAAA,EAChB,eAAA;AAAA,EAAiB,aAAA;AAAA,EACjB,cAAA;AAAA,EAAgB,cAAA;AAAA,EAChB,YAAA;AAAA,EAAc,cAAA;AAAA,EACd,gBAAA;AAAA,EAAkB,mBAAA;AAAA,EAClB,cAAA;AAAA,EAAgB,cAAA;AAAA,EAChB,aAAA;AAAA,EAAe,UAAA;AAAA,EACf,cAAA;AAAA,EAAgB,cAAA;AAAA,EAChB,eAAA;AAAA,EAAiB;AACnB,CAAC,CAAA;AAGD,IAAM,YAAA,GAAuC;AAAA,EAC3C,WAAA,EAAa,WAAA;AAAA,EACb,YAAA,EAAc,WAAA;AAAA,EACd,UAAA,EAAY,WAAA;AAAA,EACZ,WAAA,EAAa,WAAA;AAAA,EACb,WAAA,EAAa,WAAA;AAAA,EACb,UAAA,EAAY,WAAA;AAAA,EACZ,UAAA,EAAY,WAAA;AAAA,EACZ,UAAA,EAAY,WAAA;AAAA,EACZ,UAAA,EAAY,WAAA;AAAA,EACZ,UAAA,EAAY,WAAA;AAAA,EACZ,WAAA,EAAa,WAAA;AAAA,EACb,WAAA,EAAa,WAAA;AAAA,EACb,YAAA,EAAc,WAAA;AAAA,EACd,YAAA,EAAc,WAAA;AAAA,EACd,UAAA,EAAY,WAAA;AAAA,EACZ,UAAA,EAAY,WAAA;AAAA,EACZ,UAAA,EAAY,WAAA;AAAA,EACZ,WAAA,EAAa,WAAA;AAAA,EACb,WAAA,EAAa,WAAA;AAAA,EACb,aAAA,EAAe,aAAA;AAAA,EACf,YAAA,EAAc,aAAA;AAAA,EACd,YAAA,EAAc,aAAA;AAAA,EACd,YAAA,EAAc,aAAA;AAAA,EACd,YAAA,EAAc,aAAA;AAAA,EACd,YAAA,EAAc,aAAA;AAAA,EACd,aAAA,EAAe,aAAA;AAAA,EACf,YAAA,EAAc,aAAA;AAAA,EACd,YAAA,EAAc,aAAA;AAAA,EACd,YAAA,EAAc,aAAA;AAAA,EACd,YAAA,EAAc,aAAA;AAAA,EACd,eAAA,EAAiB,gBAAA;AAAA,EACjB,eAAA,EAAiB,gBAAA;AAAA,EACjB,WAAA,EAAa,YAAA;AAAA,EACb,WAAA,EAAa,YAAA;AAAA,EACb,WAAA,EAAa;AACf,CAAA;AAEA,SAAS,aAAA,CAAc,QAAyC,KAAA,EAAsC;AACpG,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,KAAA;AAAA,IACP,MAAA;AAAA,IACA,UAAA,EAAY,IAAA;AAAA,IACZ,MAAA,EAAQ,KAAA;AAAA,IACR,YAAA,EAAc,KAAA;AAAA,IACd,UAAA,EAAY;AAAA,GACd;AACF;AAoBO,SAAS,aAAA,CACd,KAAA,EACA,OAAA,GAAkC,EAAC,EACZ;AACvB,EAAA,MAAM;AAAA,IACJ,eAAA,GAAkB,IAAA;AAAA,IAClB,cAAA,GAAiB,IAAA;AAAA,IACjB,iBAAiB,EAAC;AAAA,IAClB,iBAAiB;AAAC,GACpB,GAAI,OAAA;AAGJ,EAAA,MAAM,UAAA,GAAa,KAAA,CAAM,IAAA,EAAK,CAAE,WAAA,EAAY;AAG5C,EAAA,IAAI,CAAC,UAAA,IAAc,UAAA,CAAW,MAAA,GAAS,gBAAA,EAAkB;AACvD,IAAA,OAAO,aAAA,CAAc,kBAAkB,UAAU,CAAA;AAAA,EACnD;AAEA,EAAA,MAAM,OAAA,GAAU,UAAA,CAAW,WAAA,CAAY,GAAG,CAAA;AAC1C,EAAA,IAAI,YAAY,EAAA,EAAI;AAClB,IAAA,OAAO,aAAA,CAAc,kBAAkB,UAAU,CAAA;AAAA,EACnD;AAEA,EAAA,MAAM,SAAA,GAAY,UAAA,CAAW,KAAA,CAAM,CAAA,EAAG,OAAO,CAAA;AAC7C,EAAA,MAAM,MAAA,GAAS,UAAA,CAAW,KAAA,CAAM,OAAA,GAAU,CAAC,CAAA;AAG3C,EAAA,IAAI,SAAA,CAAU,MAAA,KAAW,CAAA,IAAK,SAAA,CAAU,SAAS,gBAAA,EAAkB;AACjE,IAAA,OAAO,aAAA,CAAc,kBAAkB,UAAU,CAAA;AAAA,EACnD;AACA,EAAA,IAAI,MAAA,CAAO,MAAA,KAAW,CAAA,IAAK,MAAA,CAAO,SAAS,iBAAA,EAAmB;AAC5D,IAAA,OAAO,aAAA,CAAc,kBAAkB,UAAU,CAAA;AAAA,EACnD;AAGA,EAAA,IAAI,SAAA,CAAU,QAAA,CAAS,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,aAAA,CAAc,kBAAkB,UAAU,CAAA;AAAA,EACnD;AAGA,EAAA,IAAI,UAAU,UAAA,CAAW,GAAG,KAAK,SAAA,CAAU,QAAA,CAAS,GAAG,CAAA,EAAG;AACxD,IAAA,OAAO,aAAA,CAAc,kBAAkB,UAAU,CAAA;AAAA,EACnD;AAGA,EAAA,IAAI,CAAC,YAAA,CAAa,IAAA,CAAK,UAAU,CAAA,EAAG;AAClC,IAAA,OAAO,aAAA,CAAc,kBAAkB,UAAU,CAAA;AAAA,EACnD;AAGA,EAAA,MAAM,UAAA,GAAa,IAAI,GAAA,CAAI,cAAA,CAAe,IAAI,CAAA,CAAA,KAAK,CAAA,CAAE,WAAA,EAAa,CAAC,CAAA;AACnE,EAAA,IAAI,UAAA,CAAW,GAAA,CAAI,MAAM,CAAA,EAAG;AAC1B,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,IAAA;AAAA,MACP,MAAA,EAAQ,OAAA;AAAA,MACR,UAAA,EAAY,IAAA;AAAA,MACZ,MAAA,EAAQ,cAAA,CAAe,GAAA,CAAI,MAAM,CAAA;AAAA,MACjC,YAAA,EAAc,KAAA;AAAA,MACd;AAAA,KACF;AAAA,EACF;AAGA,EAAA,MAAM,UAAA,GAAa,IAAI,GAAA,CAAI,cAAA,CAAe,IAAI,CAAA,CAAA,KAAK,CAAA,CAAE,WAAA,EAAa,CAAC,CAAA;AACnE,EAAA,IAAI,UAAA,CAAW,GAAA,CAAI,MAAM,CAAA,EAAG;AAC1B,IAAA,OAAO,aAAA,CAAc,WAAW,UAAU,CAAA;AAAA,EAC5C;AAGA,EAAA,MAAM,YAAA,GAAe,kBAAA,CAAmB,GAAA,CAAI,MAAM,CAAA;AAClD,EAAA,IAAI,mBAAmB,YAAA,EAAc;AACnC,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA;AAAA,MACP,MAAA,EAAQ,YAAA;AAAA,MACR,UAAA,EAAY,IAAA;AAAA,MACZ,MAAA,EAAQ,KAAA;AAAA,MACR,YAAA,EAAc,IAAA;AAAA,MACd;AAAA,KACF;AAAA,EACF;AAGA,EAAA,MAAM,MAAA,GAAS,cAAA,CAAe,GAAA,CAAI,MAAM,CAAA;AACxC,EAAA,IAAI,cAAA,IAAkB,YAAA,CAAa,MAAM,CAAA,EAAG;AAC1C,IAAA,MAAM,YAAY,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,YAAA,CAAa,MAAM,CAAC,CAAA,CAAA;AACtD,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,IAAA;AAAA,MACP,MAAA,EAAQ,MAAA;AAAA,MACR,UAAA,EAAY,SAAA;AAAA,MACZ,MAAA,EAAQ,cAAA,CAAe,GAAA,CAAI,YAAA,CAAa,MAAM,CAAC,CAAA;AAAA,MAC/C,YAAA,EAAc,KAAA;AAAA,MACd;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,IAAA;AAAA,IACP,MAAA,EAAQ,OAAA;AAAA,IACR,UAAA,EAAY,IAAA;AAAA,IACZ,MAAA;AAAA,IACA,YAAA;AAAA,IACA;AAAA,GACF;AACF;;;ACjRA,IAAM,UAAA,GAAqC;AAAA,EACzC,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO,CAAA;AAAA,EACP,MAAA,EAAQ;AACV,CAAA;AAiBO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB,EAAC;AAAA,IAClB,OAAO,QAAA,GAAW;AAAA,GACpB,GAAI,OAAA;AAEJ,EAAA,MAAM,WAAA,GAAc,UAAA,CAAW,QAAQ,CAAA,IAAK,CAAA;AAG5C,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AAEjE,IAAA,MAAM,QAAA,GAAW,UAAA,CAAW,KAAK,CAAA,IAAK,CAAA;AACtC,IAAA,IAAI,WAAW,WAAA,EAAa;AAE5B,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;;;AC9HA,IAAM,kBAAA,GAAqB,EAAA;AAC3B,IAAM,cAAA,GAAiB,GAAA;AACvB,IAAM,yBAAA,GAA4B,GAAA;AAClC,IAAM,qBAAA,GAAwB,GAAA;AAC9B,IAAM,gBAAA,GAAmB,GAAA;AAgBlB,IAAM,kBAAN,MAAsB;AAAA,EAa3B,YAAY,OAAA,EAA2B;AAZvC,IAAA,IAAA,CAAQ,QAA0B,EAAC;AAQnC,IAAA,IAAA,CAAQ,QAAA,GAAW,KAAA;AACnB,IAAA,IAAA,CAAQ,MAAA,GAAS,KAAA;AAIf,IAAA,IAAI,CAAC,OAAA,CAAQ,QAAA,IAAY,OAAO,OAAA,CAAQ,aAAa,QAAA,EAAU;AAC7D,MAAA,MAAM,IAAI,UAAU,yCAAyC,CAAA;AAAA,IAC/D;AAEA,IAAA,IAAA,CAAK,WAAW,OAAA,CAAQ,QAAA;AACxB,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,cAAc,OAAA,CAAQ,WAAA;AAC3B,IAAA,IAAA,CAAK,SAAA,GAAY,KAAA;AAAA,MACf,QAAQ,SAAA,IAAa,kBAAA;AAAA,MACrB,CAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,IAAA,CAAK,kBAAkB,IAAA,CAAK,GAAA;AAAA,MAC1B,QAAQ,eAAA,IAAmB,yBAAA;AAAA,MAC3B;AAAA,KACF;AACA,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA,CAAQ,OAAA,KAAY,MAAM;AAAA,IAEzC,CAAA,CAAA;AAEA,IAAA,IAAA,CAAK,UAAA,EAAW;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,OAAO,KAAA,EAA6B;AAClC,IAAA,IAAI,KAAK,MAAA,EAAQ;AACjB,IAAA,IAAA,CAAK,KAAA,CAAM,KAAK,KAAK,CAAA;AACrB,IAAA,IAAI,IAAA,CAAK,KAAA,CAAM,MAAA,IAAU,IAAA,CAAK,SAAA,EAAW;AAEvC,MAAA,KAAK,KAAK,KAAA,EAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,KAAA,GAAuB;AAC3B,IAAA,IAAI,KAAK,QAAA,EAAU;AACnB,IAAA,IAAI,IAAA,CAAK,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG;AAE7B,IAAA,IAAA,CAAK,QAAA,GAAW,IAAA;AAChB,IAAA,IAAI;AACF,MAAA,MAAM,QAAQ,IAAA,CAAK,KAAA,CAAM,MAAA,CAAO,CAAA,EAAG,KAAK,SAAS,CAAA;AACjD,MAAA,MAAM,IAAA,CAAK,KAAK,KAAK,CAAA;AAAA,IACvB,SAAS,GAAA,EAAK;AACZ,MAAA,IAAA,CAAK,WAAW,GAAG,CAAA;AAAA,IACrB,CAAA,SAAE;AACA,MAAA,IAAA,CAAK,QAAA,GAAW,KAAA;AAAA,IAClB;AAGA,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,KAAA,CAAM,SAAS,CAAA,EAAG;AACzC,MAAA,KAAK,KAAK,KAAA,EAAM;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,KAAA,GAAuB;AAC3B,IAAA,IAAI,KAAK,MAAA,EAAQ;AACjB,IAAA,IAAA,CAAK,MAAA,GAAS,IAAA;AAEd,IAAA,IAAI,IAAA,CAAK,UAAU,MAAA,EAAW;AAC5B,MAAA,aAAA,CAAc,KAAK,KAAK,CAAA;AACxB,MAAA,IAAA,CAAK,KAAA,GAAQ,MAAA;AAAA,IACf;AAEA,IAAA,IAAI,IAAA,CAAK,kBAAkB,MAAA,EAAW;AACpC,MAAA,OAAA,CAAQ,GAAA,CAAI,SAAA,EAAW,IAAA,CAAK,aAAa,CAAA;AACzC,MAAA,OAAA,CAAQ,GAAA,CAAI,QAAA,EAAU,IAAA,CAAK,aAAa,CAAA;AACxC,MAAA,IAAA,CAAK,aAAA,GAAgB,MAAA;AAAA,IACvB;AAGA,IAAA,IAAI;AACF,MAAA,MAAM,KAAK,KAAA,EAAM;AAAA,IACnB,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,oBAAA,GAA6B;AAC3B,IAAA,IAAI,IAAA,CAAK,aAAA,KAAkB,MAAA,IAAa,IAAA,CAAK,MAAA,EAAQ;AACrD,IAAA,MAAM,UAAU,MAAY;AAC1B,MAAA,KAAK,KAAK,KAAA,EAAM;AAAA,IAClB,CAAA;AACA,IAAA,IAAA,CAAK,aAAA,GAAgB,OAAA;AACrB,IAAA,OAAA,CAAQ,IAAA,CAAK,WAAW,OAAO,CAAA;AAC/B,IAAA,OAAA,CAAQ,IAAA,CAAK,UAAU,OAAO,CAAA;AAAA,EAChC;AAAA;AAAA,EAGA,IAAI,YAAA,GAAuB;AACzB,IAAA,OAAO,KAAK,KAAA,CAAM,MAAA;AAAA,EACpB;AAAA;AAAA,EAIA,MAAc,KAAK,KAAA,EAAwC;AACzD,IAAA,MAAM,OAAA,GAAkC;AAAA,MACtC,cAAA,EAAgB;AAAA,KAClB;AACA,IAAA,IAAI,KAAK,MAAA,EAAQ,OAAA,CAAQ,eAAe,CAAA,GAAI,CAAA,OAAA,EAAU,KAAK,MAAM,CAAA,CAAA;AACjE,IAAA,IAAI,IAAA,CAAK,WAAA,EAAa,OAAA,CAAQ,gBAAgB,IAAI,IAAA,CAAK,WAAA;AAEvD,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,aAAa,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,gBAAgB,CAAA;AAExE,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,IAAA,CAAK,QAAA,EAAU;AAAA,QACrC,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA;AAAA,QACA,MAAM,IAAA,CAAK,SAAA,CAAU,EAAE,MAAA,EAAQ,OAAO,CAAA;AAAA,QACtC,QAAQ,UAAA,CAAW;AAAA,OACpB,CAAA;AAED,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,QAAA,MAAM,IAAA,GAAO,MAAM,YAAA,CAAa,GAAG,CAAA;AACnC,QAAA,MAAM,IAAI,kBAAA,CAAmB,GAAA,CAAI,MAAA,EAAQ,IAAI,CAAA;AAAA,MAC/C;AAAA,IACF,CAAA,SAAE;AACA,MAAA,YAAA,CAAa,UAAU,CAAA;AAAA,IACzB;AAAA,EACF;AAAA,EAEQ,UAAA,GAAmB;AACzB,IAAA,IAAA,CAAK,KAAA,GAAQ,YAAY,MAAM;AAC7B,MAAA,KAAK,KAAK,KAAA,EAAM;AAAA,IAClB,CAAA,EAAG,KAAK,eAAe,CAAA;AAGvB,IAAC,IAAA,CAAK,MAAiC,KAAA,IAAQ;AAAA,EACjD;AAAA,EAEQ,WAAW,GAAA,EAAoB;AACrC,IAAA,IAAI;AACF,MAAA,IAAA,CAAK,OAAA,CAAQ,eAAe,KAAA,GAAQ,GAAA,GAAM,IAAI,KAAA,CAAM,MAAA,CAAO,GAAG,CAAC,CAAC,CAAA;AAAA,IAClE,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AACF,CAAA;AAEO,IAAM,kBAAA,GAAN,cAAiC,KAAA,CAAM;AAAA,EAC5C,WAAA,CACkB,QACA,YAAA,EAChB;AACA,IAAA,KAAA,CAAM,CAAA,+BAAA,EAAkC,MAAM,CAAA,CAAE,CAAA;AAHhC,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA;AAGhB,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AAAA,EACd;AACF,CAAA;AAEA,SAAS,KAAA,CAAM,KAAA,EAAe,GAAA,EAAa,GAAA,EAAqB;AAC9D,EAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,KAAK,GAAG,OAAO,GAAA;AACpC,EAAA,OAAO,IAAA,CAAK,GAAA,CAAI,GAAA,EAAK,IAAA,CAAK,GAAA,CAAI,KAAK,IAAA,CAAK,KAAA,CAAM,KAAK,CAAC,CAAC,CAAA;AACvD;AAEA,eAAe,aAAa,GAAA,EAAgC;AAC1D,EAAA,IAAI;AACF,IAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,IAAA,EAAK;AAC5B,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,CAAA,EAAG,GAAG,CAAA;AAAA,EAC1B,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,EAAA;AAAA,EACT;AACF;;;AC9KA,SAAS,qBAAA,GAAsD;AAC7D,EAAA,MAAM,GAAA,GAAM,OAAO,OAAA,KAAY,WAAA,GAAc,QAAQ,GAAA,GAAM,MAAA;AAC3D,EAAA,MAAM,WAAW,GAAA,EAAK,cAAA;AACtB,EAAA,IAAI,CAAC,UAAU,OAAO,MAAA;AACtB,EAAA,MAAM,IAAA,GAAyB,EAAE,QAAA,EAAS;AAC1C,EAAA,IAAI,GAAA,EAAK,kBAAA,EAAoB,IAAA,CAAK,WAAA,GAAc,GAAA,CAAI,kBAAA;AACpD,EAAA,IAAI,GAAA,EAAK,SAAA,EAAW,IAAA,CAAK,MAAA,GAAS,GAAA,CAAI,SAAA;AACtC,EAAA,MAAM,QAAQ,GAAA,EAAK,gBAAA,GAAmB,SAAS,GAAA,CAAI,gBAAA,EAAkB,EAAE,CAAA,GAAI,GAAA;AAC3E,EAAA,IAAI,CAAC,MAAA,CAAO,KAAA,CAAM,KAAK,CAAA,OAAQ,SAAA,GAAY,KAAA;AAC3C,EAAA,MAAM,QAAQ,GAAA,EAAK,uBAAA,GAA0B,SAAS,GAAA,CAAI,uBAAA,EAAyB,EAAE,CAAA,GAAI,GAAA;AACzF,EAAA,IAAI,CAAC,MAAA,CAAO,KAAA,CAAM,KAAK,CAAA,OAAQ,eAAA,GAAkB,KAAA;AACjD,EAAA,OAAO,IAAA;AACT;AAgCO,SAAS,KAAA,CAAM,OAAA,GAAwB,EAAC,EAAyB;AACtE,EAAA,MAAM,cAAgC,EAAC;AACvC,EAAA,MAAM,aAA6B,EAAC;AAKpC,EAAA,IAAI,eAAA;AACJ,EAAA,MAAM,gBAAgB,OAAA,CAAQ,SAAA,EAAW,QAAA,GACrC,OAAA,CAAQ,YACR,qBAAA,EAAsB;AAC1B,EAAA,IAAI,aAAA,EAAe;AACjB,IAAA,MAAM,MAAA,GAAS,IAAI,eAAA,CAAgB,aAAa,CAAA;AAChD,IAAA,eAAA,GAAkB,MAAA;AAClB,IAAA,WAAA,CAAY,IAAA,CAAK,sBAAA,CAAuB,MAAM,CAAC,CAAA;AAC/C,IAAA,UAAA,CAAW,KAAK,MAAM;AACpB,MAAA,KAAK,OAAO,KAAA,EAAM;AAAA,IACpB,CAAC,CAAA;AAAA,EACH;AAGA,EAAA,IAAI,OAAA,CAAQ,YAAY,KAAA,EAAO;AAC7B,IAAA,MAAM,aAA4B,OAAO,OAAA,CAAQ,YAAY,QAAA,GACzD,OAAA,CAAQ,UACR,EAAC;AACL,IAAA,WAAA,CAAY,IAAA,CAAK,aAAA,CAAc,UAAU,CAAC,CAAA;AAAA,EAC5C;AAGA,EAAA,IAAI,OAAA,CAAQ,cAAc,KAAA,EAAO;AAC/B,IAAA,MAAM,gBAAkC,OAAO,OAAA,CAAQ,cAAc,QAAA,GACjE,OAAA,CAAQ,YACR,EAAC;AACL,IAAA,MAAM,WAAA,GAAc,kBAAkB,aAAa,CAAA;AACnD,IAAA,WAAA,CAAY,KAAK,WAAW,CAAA;AAC5B,IAAA,UAAA,CAAW,IAAA,CAAK,MAAM,WAAA,CAAY,KAAA,EAAO,CAAA;AAAA,EAC3C;AAIA,EAAA,IAAI,OAAA,CAAQ,aAAa,KAAA,EAAO;AAC9B,IAAA,MAAM,eAAgC,OAAO,OAAA,CAAQ,aAAa,QAAA,GAC9D,OAAA,CAAQ,WACR,EAAC;AACL,IAAA,MAAM,SAAA,GAAY,gBAAgB,YAAY,CAAA;AAC9C,IAAA,WAAA,CAAY,IAAA,CAAK,eAAA,GAAkB,mBAAA,CAAoB,SAAS,IAAI,SAAS,CAAA;AAAA,EAC/E;AAGA,EAAA,MAAM,MAAA,GAAS,WAAA;AACf,EAAA,MAAA,CAAO,QAAQ,MAAM;AACnB,IAAA,KAAA,MAAW,MAAM,UAAA,EAAY;AAC3B,MAAA,EAAA,EAAG;AAAA,IACL;AAAA,EACF,CAAA;AAEA,EAAA,OAAO,MAAA;AACT;AAGA,IAAM,gBAAA,GAAmB;AACzB,gBAAA,CAAiB,QAAA,GAAW,eAAA;AAC5B,gBAAA,CAAiB,SAAA,GAAY,iBAAA;AAC7B,gBAAA,CAAiB,OAAA,GAAU,aAAA;AAC3B,gBAAA,CAAiB,QAAA,GAAW,QAAA;AAC5B,gBAAA,CAAiB,MAAA,GAAS,gBAAA;AAC1B,gBAAA,CAAiB,YAAA,GAAe,kBAAA;AAGhC,IAAO,YAAA,GAAQ;;;AC1If,IAAM,eAAA,GAAkB,UAAA;AAExB,IAAM,cAAA,GAAiB,mCAAA;AAEvB,IAAM,UAAA,GAAqC;AAAA,EACzC,EAAA,EAAI,CAAA;AAAA,EACJ,CAAA,EAAG,GAAA;AAAA,EACH,CAAA,EAAG,GAAA;AAAA,EACH,CAAA,EAAG,IAAA;AAAA,EACH,CAAA,EAAG;AACL,CAAA;AAeO,SAAS,cAAc,KAAA,EAAgC;AAC5D,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC7B,IAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,KAAK,CAAA,IAAK,QAAQ,CAAA,EAAG;AACxC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,kBAAA,EAAqB,KAAK,CAAA,uCAAA,CAAyC,CAAA;AAAA,IACrF;AACA,IAAA,OAAO,KAAK,GAAA,CAAI,IAAA,CAAK,KAAA,CAAM,KAAK,GAAG,eAAe,CAAA;AAAA,EACpD;AAEA,EAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,IAAA,OAAW,EAAA,EAAI;AACpD,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mBAAA,EAAsB,KAAK,CAAA,0DAAA,CAA4D,CAAA;AAAA,EACzG;AAEA,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,IAAA,EAAK,CAAE,MAAM,cAAc,CAAA;AAC/C,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,sBAAsB,KAAK,CAAA,mEAAA;AAAA,KAC7B;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,UAAA,CAAW,KAAA,CAAM,CAAC,CAAC,CAAA;AAClC,EAAA,MAAM,IAAA,GAAO,KAAA,CAAM,CAAC,CAAA,CAAE,WAAA,EAAY;AAClC,EAAA,MAAM,KAAK,IAAA,CAAK,KAAA,CAAM,MAAA,GAAS,UAAA,CAAW,IAAI,CAAC,CAAA;AAE/C,EAAA,IAAI,EAAA,GAAK,CAAA,IAAK,EAAA,GAAK,eAAA,EAAiB;AAClC,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,UAAA,EAAa,KAAK,CAAA,2BAAA,EAA8B,eAAe,CAAA,iBAAA,CAAmB,CAAA;AAAA,EACpG;AAEA,EAAA,OAAO,EAAA;AACT;;;ACZO,SAAS,0BAAA,CAA2B,OAAA,GAAgC,EAAC,EAA4B;AACtG,EAAA,MAAM;AAAA,IACJ,MAAM,UAAA,CAAW,oBAAA;AAAA,IACjB,MAAA,EAAQ,YAAY,UAAA,CAAW,iBAAA;AAAA,IAC/B,UAAU,UAAA,CAAW,eAAA;AAAA,IACrB,aAAa,UAAA,CAAW,mBAAA;AAAA,IACxB,eAAe,CAAC,GAAA,KAAQ,IAAI,EAAA,IAAM,GAAA,CAAI,QAAQ,aAAA,IAAiB,SAAA;AAAA,IAC/D;AAAA,GACF,GAAI,OAAA;AAEJ,EAAA,MAAM,QAAA,GAAW,cAAc,SAAS,CAAA;AAGxC,EAAA,MAAM,cAAA,mBAAiB,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA;AACzC,EAAA,MAAM,eAAA,mBAAkB,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA;AAE1C,EAAA,MAAM,eAAA,GAAkB,YAAY,MAAM;AACxC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,MAAA,GAAS,MAAM,QAAA,GAAW,CAAA;AAChC,IAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,eAAe,CAAA,EAAG;AAC9C,MAAA,IAAI,eAAA,CAAgB,GAAG,CAAA,CAAE,SAAA,GAAY,MAAA,EAAQ;AAC3C,QAAA,OAAO,gBAAgB,GAAG,CAAA;AAAA,MAC5B;AAAA,IACF;AACA,IAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,cAAc,CAAA,EAAG;AAC7C,MAAA,IAAI,cAAA,CAAe,GAAG,CAAA,CAAE,SAAA,GAAY,MAAA,EAAQ;AAC1C,QAAA,OAAO,eAAe,GAAG,CAAA;AAAA,MAC3B;AAAA,IACF;AAAA,EACF,GAAG,QAAQ,CAAA;AAEX,EAAA,IAAI,OAAO,eAAA,CAAgB,KAAA,KAAU,UAAA,EAAY;AAC/C,IAAA,eAAA,CAAgB,KAAA,EAAM;AAAA,EACxB;AAEA,EAAA,MAAM,OAAA,GAA0B,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AACnF,IAAA,IAAI;AACF,MAAA,IAAI,IAAA,GAAO,GAAG,CAAA,EAAG,OAAO,IAAA,EAAK;AAE7B,MAAA,MAAM,GAAA,GAAM,aAAa,GAAG,CAAA;AAC5B,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAGrB,MAAA,MAAM,WAAA,GAAc,IAAA,CAAK,KAAA,CAAM,GAAA,GAAM,QAAQ,CAAA,GAAI,QAAA;AAGjD,MAAA,IAAI,CAAC,eAAe,GAAG,CAAA,IAAK,eAAe,GAAG,CAAA,CAAE,YAAY,WAAA,EAAa;AAEvE,QAAA,IAAI,cAAA,CAAe,GAAG,CAAA,EAAG;AACvB,UAAA,eAAA,CAAgB,GAAG,CAAA,GAAI,cAAA,CAAe,GAAG,CAAA;AAAA,QAC3C;AACA,QAAA,cAAA,CAAe,GAAG,CAAA,GAAI,EAAE,KAAA,EAAO,CAAA,EAAG,WAAW,WAAA,EAAY;AAAA,MAC3D;AAGA,MAAA,MAAM,UAAU,GAAA,GAAM,WAAA;AACtB,MAAA,MAAM,SAAS,IAAA,CAAK,GAAA,CAAI,CAAA,EAAA,CAAI,QAAA,GAAW,WAAW,QAAQ,CAAA;AAC1D,MAAA,MAAM,SAAA,GAAY,eAAA,CAAgB,GAAG,CAAA,EAAG,KAAA,IAAS,CAAA;AACjD,MAAA,MAAM,iBAAkB,SAAA,GAAY,MAAA,GAAU,cAAA,CAAe,GAAG,EAAE,KAAA,GAAQ,CAAA;AAE1E,MAAA,MAAM,SAAA,GAAY,KAAK,GAAA,CAAI,CAAA,EAAG,KAAK,KAAA,CAAM,GAAA,GAAM,cAAc,CAAC,CAAA;AAC9D,MAAA,MAAM,OAAA,GAAU,cAAc,QAAA,GAAW,GAAA;AACzC,MAAA,MAAM,YAAA,GAAe,KAAK,GAAA,CAAI,CAAA,EAAG,KAAK,IAAA,CAAK,OAAA,GAAU,GAAI,CAAC,CAAA;AAG1D,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,GAAA,CAAI,QAAA,EAAU,CAAA;AACjD,MAAA,GAAA,CAAI,SAAA,CAAU,uBAAA,EAAyB,SAAA,CAAU,QAAA,EAAU,CAAA;AAC3D,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,YAAA,CAAa,QAAA,EAAU,CAAA;AAC1D,MAAA,GAAA,CAAI,SAAA,CAAU,oBAAA,EAAsB,CAAA,EAAG,GAAG,CAAA,GAAA,EAAM,KAAK,KAAA,CAAM,QAAA,GAAW,GAAI,CAAC,CAAA,CAAE,CAAA;AAE7E,MAAA,IAAI,iBAAiB,GAAA,EAAK;AAExB,QAAA,GAAA,CAAI,SAAA,CAAU,aAAA,EAAe,YAAA,CAAa,QAAA,EAAU,CAAA;AACpD,QAAA,GAAA,CAAI,MAAA,CAAO,UAAU,CAAA,CAAE,IAAA,CAAK;AAAA,UAC1B,KAAA,EAAO,OAAA;AAAA,UACP,UAAA,EAAY;AAAA,SACb,CAAA;AACD,QAAA;AAAA,MACF;AAGA,MAAA,cAAA,CAAe,GAAG,CAAA,CAAE,KAAA,EAAA;AAEpB,MAAA,IAAA,EAAK;AAAA,IACP,SAAS,KAAA,EAAO;AAEd,MAAA,OAAA,CAAQ,KAAA,CAAM,8CAA8C,KAAK,CAAA;AACjE,MAAA,IAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAA;AAEA,EAAA,MAAM,UAAA,GAAa,OAAA;AACnB,EAAA,UAAA,CAAW,QAAQ,MAAM;AACvB,IAAA,aAAA,CAAc,eAAe,CAAA;AAAA,EAC/B,CAAA;AAEA,EAAA,OAAO,UAAA;AACT;;;AC7FO,SAAS,wBAAA,CAAyB,OAAA,GAA8B,EAAC,EAA0B;AAChG,EAAA,MAAM;AAAA,IACJ,QAAA,GAAW,GAAA;AAAA,IACX,UAAA,GAAa,EAAA;AAAA,IACb,IAAA,GAAO,CAAA;AAAA,IACP,UAAU,UAAA,CAAW,eAAA;AAAA,IACrB,aAAa,UAAA,CAAW,mBAAA;AAAA,IACxB,eAAe,CAAC,GAAA,KAAQ,IAAI,EAAA,IAAM,GAAA,CAAI,QAAQ,aAAA,IAAiB,SAAA;AAAA,IAC/D;AAAA,GACF,GAAI,OAAA;AAEJ,EAAA,IAAI,WAAW,CAAA,EAAG,MAAM,IAAI,UAAA,CAAW,CAAA,wCAAA,EAA2C,QAAQ,CAAA,CAAE,CAAA;AAC5F,EAAA,IAAI,cAAc,CAAA,EAAG,MAAM,IAAI,UAAA,CAAW,CAAA,yCAAA,EAA4C,UAAU,CAAA,CAAE,CAAA;AAClG,EAAA,IAAI,OAAO,CAAA,EAAG,MAAM,IAAI,UAAA,CAAW,CAAA,oCAAA,EAAuC,IAAI,CAAA,CAAE,CAAA;AAChF,EAAA,IAAI,IAAA,GAAO,UAAU,MAAM,IAAI,WAAW,CAAA,mBAAA,EAAsB,IAAI,CAAA,uBAAA,EAA0B,QAAQ,CAAA,gDAAA,CAAkD,CAAA;AAExJ,EAAA,MAAM,OAAA,mBAAU,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA;AAGlC,EAAA,MAAM,eAAA,GAAkB,YAAY,MAAM;AACxC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,cAAA,GAAkB,QAAA,GAAW,UAAA,GAAc,GAAA,GAAO,CAAA;AACxD,IAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,EAAG;AACtC,MAAA,IAAI,GAAA,GAAM,OAAA,CAAQ,GAAG,CAAA,CAAE,aAAa,cAAA,EAAgB;AAClD,QAAA,OAAO,QAAQ,GAAG,CAAA;AAAA,MACpB;AAAA,IACF;AAAA,EACF,GAAG,GAAM,CAAA;AAET,EAAA,IAAI,OAAO,eAAA,CAAgB,KAAA,KAAU,UAAA,EAAY;AAC/C,IAAA,eAAA,CAAgB,KAAA,EAAM;AAAA,EACxB;AAEA,EAAA,SAAS,YAAA,CAAa,QAAgB,GAAA,EAAmB;AACvD,IAAA,MAAM,OAAA,GAAA,CAAW,GAAA,GAAM,MAAA,CAAO,UAAA,IAAc,GAAA;AAC5C,IAAA,MAAM,cAAc,OAAA,GAAU,UAAA;AAC9B,IAAA,MAAA,CAAO,SAAS,IAAA,CAAK,GAAA,CAAI,QAAA,EAAU,MAAA,CAAO,SAAS,WAAW,CAAA;AAC9D,IAAA,MAAA,CAAO,UAAA,GAAa,GAAA;AAAA,EACtB;AAEA,EAAA,MAAM,OAAA,GAA0B,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AACnF,IAAA,IAAI;AACF,MAAA,IAAI,IAAA,GAAO,GAAG,CAAA,EAAG,OAAO,IAAA,EAAK;AAE7B,MAAA,MAAM,GAAA,GAAM,aAAa,GAAG,CAAA;AAC5B,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAGrB,MAAA,IAAI,CAAC,OAAA,CAAQ,GAAG,CAAA,EAAG;AACjB,QAAA,OAAA,CAAQ,GAAG,CAAA,GAAI,EAAE,MAAA,EAAQ,QAAA,EAAU,YAAY,GAAA,EAAI;AAAA,MACrD;AAEA,MAAA,MAAM,MAAA,GAAS,QAAQ,GAAG,CAAA;AAC1B,MAAA,YAAA,CAAa,QAAQ,GAAG,CAAA;AAGxB,MAAA,MAAM,aAAA,GAAgB,MAAA,CAAO,MAAA,GAAS,IAAA,GAClC,IAAA,CAAK,MAAM,IAAA,GAAO,MAAA,CAAO,MAAA,IAAU,UAAU,CAAA,GAC7C,CAAA;AAGJ,MAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,QAAA,CAAS,QAAA,EAAU,CAAA;AACtD,MAAA,GAAA,CAAI,SAAA,CAAU,uBAAA,EAAyB,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,MAAA,CAAO,MAAA,GAAS,IAAI,CAAC,CAAA,CAAE,UAAU,CAAA;AAC/F,MAAA,GAAA,CAAI,SAAA,CAAU,oBAAA,EAAsB,CAAA,EAAG,QAAQ,CAAA,GAAA,EAAM,IAAA,CAAK,KAAA,CAAM,QAAA,GAAW,UAAU,CAAC,CAAA,OAAA,EAAU,QAAQ,CAAA,CAAE,CAAA;AAE1G,MAAA,IAAI,MAAA,CAAO,SAAS,IAAA,EAAM;AACxB,QAAA,GAAA,CAAI,SAAA,CAAU,aAAA,EAAe,aAAA,CAAc,QAAA,EAAU,CAAA;AACrD,QAAA,GAAA,CAAI,SAAA,CAAU,mBAAA,EAAqB,aAAA,CAAc,QAAA,EAAU,CAAA;AAC3D,QAAA,GAAA,CAAI,MAAA,CAAO,UAAU,CAAA,CAAE,IAAA,CAAK;AAAA,UAC1B,KAAA,EAAO,OAAA;AAAA,UACP,UAAA,EAAY;AAAA,SACb,CAAA;AACD,QAAA;AAAA,MACF;AAGA,MAAA,MAAA,CAAO,MAAA,IAAU,IAAA;AACjB,MAAA,IAAA,EAAK;AAAA,IACP,SAAS,KAAA,EAAO;AAEd,MAAA,OAAA,CAAQ,KAAA,CAAM,4CAA4C,KAAK,CAAA;AAC/D,MAAA,IAAA,EAAK;AAAA,IACP;AAAA,EACF,CAAA;AAEA,EAAA,MAAM,UAAA,GAAa,OAAA;AACnB,EAAA,UAAA,CAAW,QAAQ,MAAM;AACvB,IAAA,aAAA,CAAc,eAAe,CAAA;AAAA,EAC/B,CAAA;AAEA,EAAA,OAAO,UAAA;AACT;;;AC9GA,IAAM,kBAAkB,CAAC,KAAA,EAAO,QAAQ,KAAA,EAAO,OAAA,EAAS,QAAQ,QAAQ,CAAA;AACxE,IAAM,eAAA,GAAkB,CAAC,cAAA,EAAgB,eAAe,CAAA;AACxD,IAAM,eAAA,GAAkB,GAAA;AAKxB,SAAS,eAAA,CACP,eACA,OAAA,EACS;AAET,EAAA,IAAI,aAAA,KAAkB,QAAQ,OAAO,KAAA;AAErC,EAAA,IAAI,OAAA,KAAY,MAAM,OAAO,IAAA;AAE7B,EAAA,IAAI,OAAO,YAAY,QAAA,EAAU;AAC/B,IAAA,OAAO,aAAA,KAAkB,OAAA;AAAA,EAC3B;AAEA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,OAAO,CAAA,EAAG;AAC1B,IAAA,OAAO,OAAA,CAAQ,SAAS,aAAa,CAAA;AAAA,EACvC;AAEA,EAAA,IAAI,mBAAmB,MAAA,EAAQ;AAC7B,IAAA,OAAO,OAAA,CAAQ,KAAK,aAAa,CAAA;AAAA,EACnC;AAEA,EAAA,IAAI,OAAO,YAAY,UAAA,EAAY;AACjC,IAAA,OAAO,QAAQ,aAAa,CAAA;AAAA,EAC9B;AAEA,EAAA,OAAO,KAAA;AACT;AA6BO,SAAS,SAAS,OAAA,EAAsC;AAC7D,EAAA,MAAM;AAAA,IACJ,MAAA;AAAA,IACA,OAAA,GAAU,eAAA;AAAA,IACV,cAAA,GAAiB,eAAA;AAAA,IACjB,iBAAiB,EAAC;AAAA,IAClB,WAAA,GAAc,KAAA;AAAA,IACd,MAAA,GAAS,eAAA;AAAA,IACT,iBAAA,GAAoB;AAAA,GACtB,GAAI,OAAA;AAEJ,EAAA,OAAO,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AAC1D,IAAA,MAAM,aAAA,GAAgB,IAAI,OAAA,CAAQ,MAAA;AAGlC,IAAA,GAAA,CAAI,SAAA,CAAU,QAAQ,QAAQ,CAAA;AAG9B,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAEA,IAAA,MAAM,OAAA,GAAU,eAAA,CAAgB,aAAA,EAAe,MAAM,CAAA;AAErD,IAAA,IAAI,CAAC,OAAA,EAAS;AAEZ,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAGA,IAAA,GAAA,CAAI,SAAA,CAAU,+BAA+B,aAAa,CAAA;AAE1D,IAAA,IAAI,WAAA,EAAa;AACf,MAAA,GAAA,CAAI,SAAA,CAAU,oCAAoC,MAAM,CAAA;AAAA,IAC1D;AAEA,IAAA,IAAI,cAAA,CAAe,SAAS,CAAA,EAAG;AAC7B,MAAA,GAAA,CAAI,SAAA,CAAU,+BAAA,EAAiC,cAAA,CAAe,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,IAC1E;AAGA,IAAA,IAAI,GAAA,CAAI,WAAW,SAAA,EAAW;AAC5B,MAAA,GAAA,CAAI,SAAA,CAAU,8BAAA,EAAgC,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAC,CAAA;AAChE,MAAA,GAAA,CAAI,SAAA,CAAU,8BAAA,EAAgC,cAAA,CAAe,IAAA,CAAK,IAAI,CAAC,CAAA;AACvE,MAAA,GAAA,CAAI,SAAA,CAAU,wBAAA,EAA0B,MAAA,CAAO,MAAM,CAAC,CAAA;AAEtD,MAAA,IAAI,iBAAA,EAAmB;AACrB,QAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,GAAA,EAAI;AACpB,QAAA;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAMO,IAAM,UAAA,GAAa;;;AC/I1B,IAAM,YAAA,GAAe;AAAA,EACnB,SAAA,EAAW,YAAA;AAAA,EACX,MAAA,EAAQ,UAAA;AAAA,EACR,gBAAA,EAAkB,mBAAA;AAAA,EAClB,aAAA,EAAe,gBAAA;AAAA,EACf,cAAA,EAAgB;AAClB,CAAA;AAKO,SAAS,mBAAA,CACd,WACA,OAAA,EACQ;AACR,EAAA,MAAM,KAAA,GAAQ,UAAU,WAAA,EAAY;AACpC,EAAA,IAAI,MAAA,GAAS,SAAA;AAGb,EAAA,IAAI,QAAQ,QAAA,IAAY,CAAC,KAAA,CAAM,QAAA,CAAS,UAAU,CAAA,EAAG;AACnD,IAAA,MAAA,IAAU,YAAA,CAAa,SAAA;AAAA,EACzB;AAGA,EAAA,IAAI,QAAQ,MAAA,IAAU,CAAC,KAAA,CAAM,QAAA,CAAS,UAAU,CAAA,EAAG;AACjD,IAAA,MAAA,IAAU,YAAA,CAAa,MAAA;AAAA,EACzB;AAGA,EAAA,IAAI,QAAQ,QAAA,KAAa,KAAA,IAAS,CAAC,KAAA,CAAM,QAAA,CAAS,UAAU,CAAA,EAAG;AAC7D,IAAA,QAAQ,QAAQ,QAAA;AAAU,MACxB,KAAK,QAAA;AACH,QAAA,MAAA,IAAU,YAAA,CAAa,gBAAA;AACvB,QAAA;AAAA,MACF,KAAK,MAAA;AACH,QAAA,MAAA,IAAU,YAAA,CAAa,cAAA;AAEvB,QAAA,IAAI,CAAC,MAAA,CAAO,WAAA,EAAY,CAAE,QAAA,CAAS,UAAU,CAAA,EAAG;AAC9C,UAAA,MAAA,IAAU,YAAA,CAAa,MAAA;AAAA,QACzB;AACA,QAAA;AAAA,MACF,KAAK,KAAA;AAAA,MACL;AACE,QAAA,MAAA,IAAU,YAAA,CAAa,aAAA;AACvB,QAAA;AAAA;AACJ,EACF;AAGA,EAAA,IAAI,QAAQ,IAAA,EAAM;AAChB,IAAA,IAAI,KAAA,CAAM,QAAA,CAAS,OAAO,CAAA,EAAG;AAC3B,MAAA,MAAA,GAAS,OAAO,OAAA,CAAQ,iBAAA,EAAmB,CAAA,OAAA,EAAU,OAAA,CAAQ,IAAI,CAAA,CAAE,CAAA;AAAA,IACrE,CAAA,MAAO;AACL,MAAA,MAAA,IAAU,CAAA,OAAA,EAAU,QAAQ,IAAI,CAAA,CAAA;AAAA,IAClC;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT;AAqBO,SAAS,oBAAA,CAAqB,OAAA,GAA+B,EAAC,EAAmB;AACtF,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAC9C,EAAA,MAAM,QAAA,GAAW;AAAA,IACf,QAAA,EAAU,QAAQ,QAAA,IAAY,IAAA;AAAA,IAC9B,MAAA,EAAQ,QAAQ,MAAA,IAAU,YAAA;AAAA,IAC1B,QAAA,EAAU,QAAQ,QAAA,IAAY,KAAA;AAAA,IAC9B,MAAM,OAAA,CAAQ;AAAA,GAChB;AAKA,EAAA,IAAI,QAAA,CAAS,QAAA,KAAa,MAAA,IAAU,QAAA,CAAS,WAAW,KAAA,EAAO;AAC7D,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACA,EAAA,IAAI,SAAS,QAAA,KAAa,KAAA,IAAS,QAAA,CAAS,MAAA,KAAW,SAAS,YAAA,EAAc;AAI5E,IAAA,OAAA,CAAQ,IAAA;AAAA,MACN;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO,CAAC,IAAA,EAAe,GAAA,EAAe,IAAA,KAAuB;AAE3D,IAAA,MAAM,iBAAA,GAAoB,GAAA,CAAI,SAAA,CAAU,IAAA,CAAK,GAAG,CAAA;AAEhD,IAAA,GAAA,CAAI,SAAA,GAAY,SAAS,gBAAA,CAAiB,IAAA,EAAc,KAAA,EAA4C;AAClG,MAAA,IAAI,IAAA,CAAK,WAAA,EAAY,KAAM,YAAA,EAAc;AACvC,QAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,UAAA,KAAA,GAAQ,KAAA,CAAM,IAAI,CAAA,CAAA,KAAK,mBAAA,CAAoB,OAAO,CAAC,CAAA,EAAG,QAAQ,CAAC,CAAA;AAAA,QACjE,CAAA,MAAO;AACL,UAAA,KAAA,GAAQ,mBAAA,CAAoB,MAAA,CAAO,KAAK,CAAA,EAAG,QAAQ,CAAA;AAAA,QACrD;AAAA,MACF;AACA,MAAA,OAAO,iBAAA,CAAkB,MAAM,KAAK,CAAA;AAAA,IACtC,CAAA;AAEA,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAMO,IAAM,mBAAA,GAAsB;;;ACrEnC,IAAM,YAAA,GAA6B;AAAA;AAAA,EAEjC,EAAE,OAAA,EAAS,kBAAA,EAAoB,IAAA,EAAM,iBAAA,EAAmB,UAAU,eAAA,EAAgB;AAAA,EAClF,EAAE,OAAA,EAAS,kBAAA,EAAoB,IAAA,EAAM,iBAAA,EAAmB,UAAU,eAAA,EAAgB;AAAA,EAClF,EAAE,OAAA,EAAS,iBAAA,EAAmB,IAAA,EAAM,gBAAA,EAAkB,UAAU,eAAA,EAAgB;AAAA,EAChF,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,eAAA,EAAgB;AAAA,EACtE,EAAE,OAAA,EAAS,gBAAA,EAAkB,IAAA,EAAM,eAAA,EAAiB,UAAU,eAAA,EAAgB;AAAA,EAC9E,EAAE,OAAA,EAAS,uBAAA,EAAyB,IAAA,EAAM,sBAAA,EAAwB,UAAU,eAAA,EAAgB;AAAA,EAC5F,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,eAAA,EAAgB;AAAA,EAClE,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,QAAA,EAAU,UAAU,eAAA,EAAgB;AAAA,EAChE,EAAE,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,aAAA,EAAe,UAAU,eAAA,EAAgB;AAAA,EACpE,EAAE,OAAA,EAAS,cAAA,EAAgB,IAAA,EAAM,aAAA,EAAe,UAAU,eAAA,EAAgB;AAAA,EAC1E,EAAE,OAAA,EAAS,cAAA,EAAgB,IAAA,EAAM,aAAA,EAAe,UAAU,eAAA,EAAgB;AAAA,EAC1E,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,eAAA,EAAgB;AAAA,EACtE,EAAE,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,cAAA,EAAgB,UAAU,eAAA,EAAgB;AAAA,EAC5E,EAAE,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,OAAA,EAAS,UAAU,eAAA,EAAgB;AAAA,EAC9D,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,QAAA,EAAU,UAAU,eAAA,EAAgB;AAAA,EAChE,EAAE,OAAA,EAAS,cAAA,EAAgB,IAAA,EAAM,OAAA,EAAS,UAAU,eAAA,EAAgB;AAAA,EACpE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,eAAA,EAAgB;AAAA,EACpE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,eAAA,EAAgB;AAAA,EACpE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,eAAA,EAAgB;AAAA,EACpE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,eAAA,EAAgB;AAAA;AAAA,EAGtE,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,YAAA,EAAc,UAAU,QAAA,EAAS;AAAA,EACjE,EAAE,OAAA,EAAS,sBAAA,EAAwB,IAAA,EAAM,UAAA,EAAY,UAAU,QAAA,EAAS;AAAA,EACxE,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,QAAA,EAAS;AAAA,EAC3D,EAAE,OAAA,EAAS,cAAA,EAAgB,IAAA,EAAM,aAAA,EAAe,UAAU,QAAA,EAAS;AAAA,EACnE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,QAAA,EAAS;AAAA,EAC/D,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,QAAA,EAAS;AAAA,EAC7D,EAAE,OAAA,EAAS,cAAA,EAAgB,IAAA,EAAM,aAAA,EAAe,UAAU,QAAA,EAAS;AAAA,EACnE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,QAAA,EAAS;AAAA,EAC7D,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,YAAA,EAAc,UAAU,QAAA,EAAS;AAAA,EACjE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,QAAA,EAAS;AAAA,EAC/D,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,QAAA,EAAS;AAAA,EAC3D,EAAE,OAAA,EAAS,qBAAA,EAAuB,IAAA,EAAM,OAAA,EAAS,UAAU,QAAA,EAAS;AAAA,EACpE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,QAAA,EAAS;AAAA;AAAA,EAG7D,EAAE,OAAA,EAAS,cAAA,EAAgB,IAAA,EAAM,aAAA,EAAe,UAAU,YAAA,EAAa;AAAA,EACvE,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,YAAA,EAAa;AAAA,EAC/D,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,YAAA,EAAa;AAAA,EACjE,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,YAAA,EAAc,UAAU,YAAA,EAAa;AAAA,EACrE,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,YAAA,EAAa;AAAA,EAC/D,EAAE,OAAA,EAAS,iBAAA,EAAmB,IAAA,EAAM,WAAA,EAAa,UAAU,YAAA,EAAa;AAAA,EACxE,EAAE,OAAA,EAAS,oBAAA,EAAsB,IAAA,EAAM,eAAA,EAAiB,UAAU,YAAA,EAAa;AAAA,EAC/E,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,YAAA,EAAa;AAAA,EACjE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,oBAAA,EAAsB,UAAU,YAAA,EAAa;AAAA;AAAA,EAG5E,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,QAAA,EAAU,UAAU,YAAA,EAAa;AAAA,EAC7D,EAAE,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,cAAA,EAAgB,UAAU,YAAA,EAAa;AAAA,EACzE,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,YAAA,EAAc,UAAU,YAAA,EAAa;AAAA,EACrE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,YAAA,EAAa;AAAA,EACnE,EAAE,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,WAAA,EAAa,UAAU,YAAA,EAAa;AAAA,EACtE,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,YAAA,EAAc,UAAU,YAAA,EAAa;AAAA,EACrE,EAAE,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,OAAA,EAAS,UAAU,YAAA,EAAa;AAAA,EAC3D,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,QAAA,EAAU,UAAU,YAAA,EAAa;AAAA,EAChE,EAAE,OAAA,EAAS,gBAAA,EAAkB,IAAA,EAAM,eAAA,EAAiB,UAAU,YAAA,EAAa;AAAA,EAC3E,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,QAAA,EAAU,UAAU,YAAA,EAAa;AAAA,EAC7D,EAAE,OAAA,EAAS,kBAAA,EAAoB,IAAA,EAAM,iBAAA,EAAmB,UAAU,YAAA,EAAa;AAAA,EAC/E,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,YAAA,EAAa;AAAA,EAC/D,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,YAAA,EAAa;AAAA,EACnE,EAAE,OAAA,EAAS,qBAAA,EAAuB,IAAA,EAAM,SAAA,EAAW,UAAU,YAAA,EAAa;AAAA;AAAA,EAG1E,EAAE,OAAA,EAAS,iBAAA,EAAmB,IAAA,EAAM,iBAAA,EAAmB,UAAU,WAAA,EAAY;AAAA,EAC7E,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,WAAA,EAAY;AAAA,EAClE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,UAAA,EAAY,UAAU,WAAA,EAAY;AAAA,EAChE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,WAAA,EAAY;AAAA,EAClE,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,YAAA,EAAc,UAAU,WAAA,EAAY;AAAA,EACpE,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,SAAA,EAAW,UAAU,WAAA,EAAY;AAAA,EAC9D,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,WAAA,EAAa,UAAU,WAAA,EAAY;AAAA,EAClE,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,UAAA,EAAY,UAAU,WAAA,EAAY;AAAA;AAAA,EAGjE,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,MAAA,EAAQ,UAAU,SAAA,EAAU;AAAA,EACzD,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,MAAA,EAAQ,UAAU,SAAA,EAAU;AAAA,EACzD,EAAE,OAAA,EAAS,qBAAA,EAAuB,IAAA,EAAM,iBAAA,EAAmB,UAAU,SAAA,EAAU;AAAA,EAC/E,EAAE,OAAA,EAAS,kBAAA,EAAoB,IAAA,EAAM,cAAA,EAAgB,UAAU,SAAA,EAAU;AAAA,EACzE,EAAE,OAAA,EAAS,iBAAA,EAAmB,IAAA,EAAM,eAAA,EAAiB,UAAU,SAAA,EAAU;AAAA,EACzE,EAAE,OAAA,EAAS,aAAA,EAAe,IAAA,EAAM,SAAA,EAAW,UAAU,SAAA,EAAU;AAAA,EAC/D,EAAE,OAAA,EAAS,kBAAA,EAAoB,IAAA,EAAM,gBAAA,EAAkB,UAAU,SAAA,EAAU;AAAA,EAC3E,EAAE,OAAA,EAAS,UAAA,EAAY,IAAA,EAAM,iBAAA,EAAmB,UAAU,SAAA,EAAU;AAAA,EACpE,EAAE,OAAA,EAAS,qBAAA,EAAuB,IAAA,EAAM,mBAAA,EAAqB,UAAU,SAAA,EAAU;AAAA,EACjF,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,QAAA,EAAU,UAAU,SAAA,EAAU;AAAA,EAC7D,EAAE,OAAA,EAAS,gBAAA,EAAkB,IAAA,EAAM,YAAA,EAAc,UAAU,SAAA,EAAU;AAAA,EACrE,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,OAAA,EAAS,UAAU,SAAA,EAAU;AAAA,EAC3D,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,KAAA,EAAO,UAAU,SAAA,EAAU;AAAA,EACvD,EAAE,OAAA,EAAS,eAAA,EAAiB,IAAA,EAAM,aAAA,EAAe,UAAU,SAAA,EAAU;AAAA,EACrE,EAAE,OAAA,EAAS,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,UAAU,SAAA,EAAU;AAAA,EACvD,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,KAAA,EAAO,UAAU,SAAA,EAAU;AAAA,EACvD,EAAE,OAAA,EAAS,SAAA,EAAW,IAAA,EAAM,QAAA,EAAU,UAAU,SAAA,EAAU;AAAA,EAC1D,EAAE,OAAA,EAAS,WAAA,EAAa,IAAA,EAAM,SAAA,EAAW,UAAU,SAAA,EAAU;AAAA,EAC7D,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,UAAA,EAAY,UAAU,SAAA,EAAU;AAAA,EAC/D,EAAE,OAAA,EAAS,YAAA,EAAc,IAAA,EAAM,QAAA,EAAU,UAAU,SAAA;AACrD,CAAA;AASA,SAAS,wBAAwB,GAAA,EAAwB;AACvD,EAAA,MAAM,UAAoB,EAAC;AAC3B,EAAA,MAAM,UAAU,GAAA,CAAI,OAAA;AAGpB,EAAA,IAAI,CAAC,OAAA,CAAQ,YAAY,CAAA,EAAG;AAC1B,IAAA,OAAA,CAAQ,KAAK,oBAAoB,CAAA;AAAA,EACnC;AAGA,EAAA,IAAI,CAAC,OAAA,CAAQ,QAAQ,CAAA,EAAG;AACtB,IAAA,OAAA,CAAQ,KAAK,gBAAgB,CAAA;AAAA,EAC/B;AAGA,EAAA,IAAI,CAAC,OAAA,CAAQ,iBAAiB,CAAA,EAAG;AAC/B,IAAA,OAAA,CAAQ,KAAK,yBAAyB,CAAA;AAAA,EACxC;AAGA,EAAA,IAAI,CAAC,OAAA,CAAQ,iBAAiB,CAAA,EAAG;AAC/B,IAAA,OAAA,CAAQ,KAAK,yBAAyB,CAAA;AAAA,EACxC;AAGA,EAAA,IAAI,OAAA,CAAQ,YAAY,CAAA,KAAM,OAAA,EAAS;AACrC,IAAA,OAAA,CAAQ,KAAK,kBAAkB,CAAA;AAAA,EACjC;AAEA,EAAA,OAAO,OAAA;AACT;AAcO,SAAS,UAAU,GAAA,EAAkC;AAC1D,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,OAAA,CAAQ,YAAY,CAAA,IAAK,EAAA;AAI3C,EAAA,IAAI,KAAA,CAAM,SAAS,IAAA,EAAM;AACvB,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,SAAA;AAAA,MACV,IAAA,EAAM,IAAA;AAAA,MACN,UAAA,EAAY,GAAA;AAAA,MACZ,OAAA,EAAS,wBAAwB,GAAG;AAAA,KACtC;AAAA,EACF;AACA,EAAA,MAAM,EAAA,GAAK,KAAA;AACX,EAAA,MAAM,OAAA,GAAU,wBAAwB,GAAG,CAAA;AAG3C,EAAA,IAAI,CAAC,EAAA,EAAI;AACP,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,SAAA;AAAA,MACV,IAAA,EAAM,IAAA;AAAA,MACN,UAAA,EAAY,GAAA;AAAA,MACZ;AAAA,KACF;AAAA,EACF;AAGA,EAAA,KAAA,MAAW,OAAO,YAAA,EAAc;AAC9B,IAAA,IAAI,GAAA,CAAI,OAAA,CAAQ,IAAA,CAAK,EAAE,CAAA,EAAG;AACxB,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,IAAA;AAAA,QACP,UAAU,GAAA,CAAI,QAAA;AAAA,QACd,MAAM,GAAA,CAAI,IAAA;AAAA,QACV,UAAA,EAAY,IAAA;AAAA,QACZ;AAAA,OACF;AAAA,IACF;AAAA,EACF;AAGA,EAAA,MAAM,gBAAgB,OAAA,CAAQ,MAAA;AAG9B,EAAA,IAAI,iBAAiB,CAAA,EAAG;AACtB,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,IAAA;AAAA,MACP,QAAA,EAAU,SAAA;AAAA,MACV,IAAA,EAAM,IAAA;AAAA,MACN,YAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAK,GAAA,GAAO,gBAAgB,GAAI,CAAA;AAAA,MACrD;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,KAAA;AAAA,IACP,QAAA,EAAU,OAAA;AAAA,IACV,IAAA,EAAM,IAAA;AAAA,IACN,YAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAK,CAAA,GAAO,gBAAgB,IAAK,CAAA;AAAA,IACtD;AAAA,GACF;AACF;AA6BO,SAAS,aAAA,CAAc,OAAA,GAAgC,EAAC,EAAmB;AAChF,EAAA,MAAM;AAAA,IACJ,KAAA,GAAQ,CAAC,eAAA,EAAiB,QAAA,EAAU,YAAY,CAAA;AAAA,IAChD,IAAA,GAAO,CAAC,WAAW,CAAA;AAAA,IACnB,aAAA,GAAgB,OAAA;AAAA,IAChB,UAAA,GAAa,GAAA;AAAA,IACb,OAAA,GAAU,gBAAA;AAAA,IACV;AAAA,GACF,GAAI,OAAA;AAEJ,EAAA,MAAM,QAAA,GAAW,IAAI,GAAA,CAAI,KAAK,CAAA;AAC9B,EAAA,MAAM,OAAA,GAAU,IAAI,GAAA,CAAI,IAAI,CAAA;AAE5B,EAAA,OAAO,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AAC1D,IAAA,MAAM,MAAA,GAAS,UAAU,GAAG,CAAA;AAG5B,IAAC,IAA2C,YAAA,GAAe,MAAA;AAG3D,IAAA,IAAI,CAAC,OAAO,KAAA,EAAO;AACjB,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAGA,IAAA,IAAI,QAAA,CAAS,GAAA,CAAI,MAAA,CAAO,QAAQ,CAAA,EAAG;AACjC,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAEA,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,QAAQ,CAAA,EAAG;AAChC,MAAA,IAAI,UAAA,EAAY;AACd,QAAA,OAAO,UAAA,CAAW,GAAA,EAAK,GAAA,EAAK,MAAM,CAAA;AAAA,MACpC;AACA,MAAA,GAAA,CAAI,OAAO,UAAU,CAAA,CAAE,KAAK,EAAE,KAAA,EAAO,SAAS,CAAA;AAC9C,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,kBAAkB,MAAA,EAAQ;AAC5B,MAAA,IAAI,UAAA,EAAY;AACd,QAAA,OAAO,UAAA,CAAW,GAAA,EAAK,GAAA,EAAK,MAAM,CAAA;AAAA,MACpC;AACA,MAAA,GAAA,CAAI,OAAO,UAAU,CAAA,CAAE,KAAK,EAAE,KAAA,EAAO,SAAS,CAAA;AAC9C,MAAA;AAAA,IACF;AAEA,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;ACrSA,IAAM,QAAA,GAAW;AAAA,EACf,UAAA,EAAY,OAAA;AAAA,EACZ,UAAA,EAAY,cAAA;AAAA,EACZ,SAAA,EAAW,OAAA;AAAA,EACX,WAAA,EAAa,EAAA;AAAA,EACb,gBAAA,EAAkB,CAAC,MAAA,EAAQ,KAAA,EAAO,SAAS,QAAQ;AACrD,CAAA;AAWO,SAAS,iBAAA,CAAkB,SAAiB,EAAA,EAAY;AAC7D,EAAA,OAAO,WAAA,CAAY,MAAM,CAAA,CAAE,QAAA,CAAS,KAAK,CAAA;AAC3C;AASO,SAAS,iBAAA,CAAkB,aAAqB,YAAA,EAA+B;AACpF,EAAA,IAAI,CAAC,WAAA,IAAe,CAAC,YAAA,EAAc,OAAO,KAAA;AAC1C,EAAA,IAAI,WAAA,CAAY,MAAA,KAAW,YAAA,CAAa,MAAA,EAAQ,OAAO,KAAA;AAGvD,EAAA,MAAM,CAAA,GAAI,MAAA,CAAO,IAAA,CAAK,WAAW,CAAA;AACjC,EAAA,MAAM,CAAA,GAAI,MAAA,CAAO,IAAA,CAAK,YAAY,CAAA;AAClC,EAAA,OAAO,eAAA,CAAgB,GAAG,CAAC,CAAA;AAC7B;AAKA,SAAS,eAAA,CAAgB,GAAA,EAAc,UAAA,EAAoB,SAAA,EAAuC;AAEhG,EAAA,MAAM,WAAA,GAAc,GAAA,CAAI,OAAA,CAAQ,UAAA,CAAW,aAAa,CAAA;AACxD,EAAA,IAAI,OAAO,WAAA,KAAgB,QAAA,IAAY,WAAA,EAAa,OAAO,WAAA;AAG3D,EAAA,IAAI,GAAA,CAAI,QAAQ,OAAO,GAAA,CAAI,SAAS,QAAA,IAAY,SAAA,IAAa,IAAI,IAAA,EAAM;AACrE,IAAA,MAAM,SAAA,GAAY,GAAA,CAAI,IAAA,CAAK,SAAS,CAAA;AACpC,IAAA,IAAI,OAAO,SAAA,KAAc,QAAA,IAAY,SAAA,EAAW,OAAO,SAAA;AAAA,EACzD;AAKA,EAAA,OAAO,MAAA;AACT;AA8BO,SAAS,cAAA,CAAe,OAAA,GAAuB,EAAC,EAAmB;AACxE,EAAA,MAAM,cAAA,GAAiB,OAAA,CAAQ,UAAA,IAAc,QAAA,CAAS,UAAA;AAEtD,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,aAAA,GAAgB,CAAA,OAAA,EAAU,cAAc,CAAA,CAAA,GAAK,cAAA;AACxE,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,UAAA,IAAc,QAAA,CAAS,UAAA;AAClD,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,SAAA,IAAa,QAAA,CAAS,SAAA;AAChD,EAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,WAAA,IAAe,QAAA,CAAS,WAAA;AACpD,EAAA,MAAM,mBAAmB,OAAA,CAAQ,gBAAA,IAAoB,CAAC,GAAG,SAAS,gBAAgB,CAAA;AAClF,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,YAAA,IAAgB,EAAC;AAC9C,EAAA,MAAM,WAAW,OAAA,CAAQ,QAAA;AAEzB,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAC9C,EAAA,MAAM,UAAA,GAAa;AAAA,IACjB,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,IAAA,IAAQ,GAAA;AAAA,IAC9B,QAAA,EAAU,OAAA,CAAQ,MAAA,EAAQ,QAAA,IAAY,KAAA;AAAA;AAAA,IACtC,MAAA,EAAQ,OAAA,CAAQ,MAAA,EAAQ,MAAA,IAAU,YAAA;AAAA,IAClC,QAAA,EAAU,OAAA,CAAQ,MAAA,EAAQ,QAAA,IAAY,KAAA;AAAA,IACtC,MAAA,EAAQ,QAAQ,MAAA,EAAQ;AAAA,GAC1B;AAEA,EAAA,MAAM,cAAA,GAAiB,CAAC,IAAA,EAAe,GAAA,EAAe,KAAA,KAAwB;AAC5E,IAAA,GAAA,CAAI,MAAA,CAAO,GAAG,CAAA,CAAE,IAAA,CAAK;AAAA,MACnB,KAAA,EAAO,8BAAA;AAAA,MACP,OAAA,EAAS;AAAA,KACV,CAAA;AAAA,EACH,CAAA;AAEA,EAAA,MAAM,OAAA,GAAU,QAAQ,OAAA,IAAW,cAAA;AAGnC,EAAA,MAAM,YAAA,GAAe,IAAI,GAAA,CAAI,gBAAA,CAAiB,IAAI,CAAA,CAAA,KAAK,CAAA,CAAE,WAAA,EAAa,CAAC,CAAA;AAEvE,EAAA,OAAO,CAAC,GAAA,EAAc,GAAA,EAAe,IAAA,KAAuB;AAC1D,IAAA,MAAM,MAAA,GAAS,GAAA,CAAI,MAAA,CAAO,WAAA,EAAY;AAGtC,IAAA,IAAI,QAAA,IAAY,QAAA,CAAS,GAAG,CAAA,EAAG;AAC7B,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAGA,IAAA,MAAM,WAAA,GAAc,GAAA,CAAI,IAAA,IAAQ,GAAA,CAAI,GAAA;AACpC,IAAA,IAAI,YAAA,CAAa,IAAA,CAAK,CAAA,CAAA,KAAK,WAAA,KAAgB,CAAA,IAAK,YAAY,UAAA,CAAW,CAAA,GAAI,GAAG,CAAC,CAAA,EAAG;AAChF,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAGA,IAAC,GAAA,CAA2C,YAAY,MAAM;AAC5D,MAAA,MAAM,QAAA,GAAW,cAAA,CAAe,GAAA,EAAK,UAAU,CAAA;AAC/C,MAAA,IAAI,UAAU,OAAO,QAAA;AAErB,MAAA,MAAM,KAAA,GAAQ,kBAAkB,WAAW,CAAA;AAC3C,MAAA,aAAA,CAAc,GAAA,EAAK,UAAA,EAAY,KAAA,EAAO,UAAU,CAAA;AAChD,MAAA,OAAO,KAAA;AAAA,IACT,CAAA;AAGA,IAAA,IAAI,CAAC,YAAA,CAAa,GAAA,CAAI,MAAM,CAAA,EAAG;AAC7B,MAAA,MAAM,QAAA,GAAW,cAAA,CAAe,GAAA,EAAK,UAAU,CAAA;AAC/C,MAAA,IAAI,CAAC,QAAA,EAAU;AACb,QAAA,MAAM,KAAA,GAAQ,kBAAkB,WAAW,CAAA;AAC3C,QAAA,aAAA,CAAc,GAAA,EAAK,UAAA,EAAY,KAAA,EAAO,UAAU,CAAA;AAAA,MAClD;AACA,MAAA,OAAO,IAAA,EAAK;AAAA,IACd;AAGA,IAAA,MAAM,WAAA,GAAc,cAAA,CAAe,GAAA,EAAK,UAAU,CAAA;AAClD,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,GAAA,EAAK,IAAI,CAAA;AAAA,IAC/B;AAEA,IAAA,MAAM,YAAA,GAAe,eAAA,CAAgB,GAAA,EAAK,UAAA,EAAY,SAAS,CAAA;AAC/D,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,GAAA,EAAK,IAAI,CAAA;AAAA,IAC/B;AAEA,IAAA,IAAI,CAAC,iBAAA,CAAkB,WAAA,EAAa,YAAY,CAAA,EAAG;AACjD,MAAA,OAAO,OAAA,CAAQ,GAAA,EAAK,GAAA,EAAK,IAAI,CAAA;AAAA,IAC/B;AAGA,IAAA,IAAI,QAAQ,WAAA,EAAa;AACvB,MAAA,MAAM,UAAA,GAAa,kBAAkB,WAAW,CAAA;AAChD,MAAA,aAAA,CAAc,GAAA,EAAK,UAAA,EAAY,UAAA,EAAY,UAAU,CAAA;AAAA,IACvD;AAEA,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AACF;AAKA,SAAS,cAAA,CAAe,KAAc,IAAA,EAAkC;AAEtE,EAAA,IAAI,GAAA,CAAI,WAAW,OAAO,GAAA,CAAI,YAAY,QAAA,IAAY,IAAA,IAAQ,IAAI,OAAA,EAAS;AACzE,IAAA,OAAO,GAAA,CAAI,QAAQ,IAAI,CAAA;AAAA,EACzB;AAGA,EAAA,MAAM,YAAA,GAAe,IAAI,OAAA,CAAQ,MAAA;AACjC,EAAA,IAAI,CAAC,cAAc,OAAO,MAAA;AAE1B,EAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,KAAA,CAAM,IAAI,MAAA,CAAO,cAAc,WAAA,CAAY,IAAI,CAAC,CAAA,QAAA,CAAU,CAAC,CAAA;AACtF,EAAA,OAAO,KAAA,GAAQ,kBAAA,CAAmB,KAAA,CAAM,CAAC,CAAC,CAAA,GAAI,MAAA;AAChD;AAKA,SAAS,aAAA,CACP,GAAA,EACA,IAAA,EACA,KAAA,EACA,IAAA,EACM;AACN,EAAA,MAAM,QAAQ,CAAC,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,CAAA;AACjC,EAAA,KAAA,CAAM,IAAA,CAAK,CAAA,KAAA,EAAQ,IAAA,CAAK,IAAI,CAAA,CAAE,CAAA;AAC9B,EAAA,IAAI,IAAA,CAAK,QAAA,EAAU,KAAA,CAAM,IAAA,CAAK,UAAU,CAAA;AACxC,EAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,IAAA,CAAK,QAAQ,CAAA;AACpC,EAAA,KAAA,CAAM,IAAA,CAAK,CAAA,SAAA,EAAY,IAAA,CAAK,QAAQ,CAAA,CAAE,CAAA;AACtC,EAAA,IAAI,KAAK,MAAA,EAAQ,KAAA,CAAM,KAAK,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA,CAAE,CAAA;AAGnD,EAAA,MAAM,SAAA,GAAY,KAAA,CAAM,IAAA,CAAK,IAAI,CAAA;AACjC,EAAA,MAAM,QAAA,GAAW,GAAA,CAAI,SAAA,CAAU,YAAY,CAAA;AAC3C,EAAA,IAAI,aAAa,MAAA,EAAW;AAC1B,IAAA,GAAA,CAAI,SAAA,CAAU,cAAc,SAAS,CAAA;AAAA,EACvC,CAAA,MAAA,IAAW,KAAA,CAAM,OAAA,CAAQ,QAAQ,CAAA,EAAG;AAClC,IAAA,GAAA,CAAI,UAAU,YAAA,EAAc,CAAC,GAAG,QAAA,EAAU,SAAS,CAAC,CAAA;AAAA,EACtD,CAAA,MAAO;AACL,IAAA,GAAA,CAAI,SAAA,CAAU,YAAA,EAAc,CAAC,QAAA,EAAoB,SAAS,CAAC,CAAA;AAAA,EAC7D;AACF;AAKA,SAAS,YAAY,GAAA,EAAqB;AACxC,EAAA,OAAO,GAAA,CAAI,OAAA,CAAQ,qBAAA,EAAuB,MAAM,CAAA;AAClD;AAGO,IAAM,UAAA,GAAa;;;AC5OnB,SAAS,WAAA,CACd,GAAA,EACA,OAAA,GAAmC,EAAC,EACjB;AACnB,EAAA,MAAM;AAAA,IACJ,UAAA,GAAa,OAAA;AAAA,IACb,UAAA,GAAa,IAAA;AAAA,IACb,eAAA,GAAkB,IAAA;AAAA,IAClB,QAAA,GAAW,IAAA;AAAA,IACX,uBAAuB,EAAC;AAAA,IACxB,sBAAsB,EAAC;AAAA,IACvB,sBAAsB;AAAC,GACzB,GAAI,OAAA;AAEJ,EAAA,IAAI,QAAA,EAAU;AACZ,IAAA,MAAM,GAAA,GAAM,UAAU,GAAG,CAAA;AACzB,IAAA,IAAI,IAAI,KAAA,IAAS,CAAC,qBAAqB,QAAA,CAAS,GAAA,CAAI,QAAQ,CAAA,EAAG;AAC7D,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,EAAE,QAAA,EAAU,GAAA,CAAI,QAAA,EAAU,MAAM,GAAA,CAAI,IAAA,EAAM,UAAA,EAAY,GAAA,CAAI,UAAA;AAAW,OAChF;AAAA,IACF;AAAA,EACF;AAEA,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,MAAM,KAAA,GAAS,GAAA,CAAI,IAAA,GAA+C,UAAU,CAAA;AAC5E,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,CAAM,WAAW,CAAA,EAAG;AACnD,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,MAAA,EAAQ,eAAA,EAAgB;AAAA,IACnD;AACA,IAAA,MAAM,MAAA,GAAS,cAAc,KAAA,EAAO;AAAA,MAClC,eAAA,EAAiB,eAAA;AAAA,MACjB,cAAA,EAAgB,mBAAA;AAAA,MAChB,cAAA,EAAgB;AAAA,KACjB,CAAA;AACD,IAAA,IAAI,CAAC,OAAO,KAAA,EAAO;AACjB,MAAA,MAAM,MAAA,GACJ,MAAA,CAAO,MAAA,KAAW,YAAA,GAAe,kBAAA,GAAqB,eAAA;AACxD,MAAA,OAAO,EAAE,SAAS,KAAA,EAAO,MAAA,EAAQ,SAAS,EAAE,WAAA,EAAa,MAAA,CAAO,MAAA,EAAO,EAAE;AAAA,IAC3E;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAK;AACvC;AAOO,SAAS,gBAAA,CACd,OAAA,GAAmC,EAAC,EACR;AAC5B,EAAA,MAAM,eAAe,OAAA,CAAQ,SAAA;AAC7B,EAAA,MAAM,OAAA,GACJ,YAAA,KAAiB,KAAA,GACb,IAAA,GACA,iBAAA,CAAkB;AAAA,IAChB,GAAA,EAAK,cAAc,GAAA,IAAO,CAAA;AAAA,IAC1B,QAAA,EAAU,cAAc,QAAA,IAAY,GAAA;AAAA,IACpC,OAAA,EAAS;AAAA,GACV,CAAA;AAEP,EAAA,MAAM,OAAA,GAA0B,CAAC,GAAA,EAAK,GAAA,EAAK,IAAA,KAAS;AAClD,IAAA,MAAM,MAAA,GAAS,WAAA,CAAY,GAAA,EAAK,OAAO,CAAA;AACvC,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,MAAA,OAAA,CAAQ,SAAA,GAAY,KAAK,MAAM,CAAA;AAC/B,MAAA,MAAM,MAAA,GAAS,MAAA,CAAO,MAAA,KAAW,KAAA,GAAQ,GAAA,GAAM,GAAA;AAC/C,MAAA,GAAA,CAAI,MAAA,CAAO,MAAM,CAAA,CAAE,IAAA,CAAK,EAAE,OAAO,gBAAA,EAAkB,MAAA,EAAQ,MAAA,CAAO,MAAA,EAAQ,CAAA;AAC1E,MAAA;AAAA,IACF;AACA,IAAA,IAAI,OAAA,EAAS;AAEX,MAAA,IAAI,WAAA,GAAc,KAAA;AAClB,MAAA,MAAM,aAAA,GAA8B,CAAC,GAAA,KAAkB;AACrD,QAAA,IAAI,GAAA,EAAK,OAAO,IAAA,CAAK,GAAG,CAAA;AACxB,QAAA,IAAI,CAAC,aAAa,IAAA,EAAK;AAAA,MACzB,CAAA;AACA,MAAA,MAAM,UAAA,GAAa,IAAI,KAAA,CAAM,GAAA,EAAK;AAAA,QAChC,GAAA,CAAI,QAAQ,IAAA,EAAM;AAChB,UAAA,IAAI,SAAS,QAAA,EAAU;AACrB,YAAA,OAAO,CAAC,IAAA,KAAiB;AACvB,cAAA,IAAI,SAAS,GAAA,EAAK;AAChB,gBAAA,WAAA,GAAc,IAAA;AACd,gBAAA,OAAA,CAAQ,YAAY,GAAA,EAAK,EAAE,SAAS,KAAA,EAAO,MAAA,EAAQ,gBAAgB,CAAA;AAAA,cACrE;AACA,cAAA,OAAQ,MAAA,CAAO,MAAA,CAAmC,IAAA,CAAK,MAAA,EAAQ,IAAI,CAAA;AAAA,YACrE,CAAA;AAAA,UACF;AACA,UAAA,OAAO,OAAA,CAAQ,GAAA,CAAI,MAAA,EAAQ,IAAI,CAAA;AAAA,QACjC;AAAA,OACD,CAAA;AACD,MAAA,OAAA,CAAQ,GAAA,EAAK,YAAwB,aAAa,CAAA;AAClD,MAAA;AAAA,IACF;AACA,IAAA,IAAA,EAAK;AAAA,EACP,CAAA;AAEA,EAAA,MAAM,UAAA,GAAa,OAAA;AACnB,EAAA,UAAA,CAAW,KAAA,GAAQ,MAAM,OAAA,EAAS,KAAA,EAAM;AACxC,EAAA,OAAO,UAAA;AACT","file":"index.mjs","sourcesContent":["/**\n * @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n */\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n  /** Default maximum input size (1MB) */\n  DEFAULT_MAX_SIZE: 1_000_000,\n  /** Maximum recursion depth for nested objects */\n  MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n  /** Default window size (1 minute) */\n  DEFAULT_WINDOW_MS: 60_000,\n  /** Default max requests per window */\n  DEFAULT_MAX_REQUESTS: 100,\n  /** Default HTTP status code for rate limited responses */\n  DEFAULT_STATUS_CODE: 429,\n  /** Default error message */\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n  /** Minimum window size (1 second) */\n  MIN_WINDOW_MS: 1_000,\n  /** Maximum window size (24 hours) */\n  MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n  /** Default Content Security Policy */\n  DEFAULT_CSP: [\n    \"default-src 'self'\",\n    \"script-src 'self'\",\n    \"style-src 'self' 'unsafe-inline'\",\n    \"img-src 'self' data: https:\",\n    \"font-src 'self'\",\n    \"object-src 'none'\",\n    \"frame-ancestors 'none'\",\n  ].join('; '),\n  /** Default HSTS max age (1 year in seconds) */\n  HSTS_MAX_AGE: 31_536_000,\n  /** Default X-Frame-Options value */\n  FRAME_OPTIONS: 'DENY' as const,\n  /** Default X-Content-Type-Options value */\n  CONTENT_TYPE_OPTIONS: 'nosniff',\n  /** Default Referrer-Policy value */\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\n  /** Default Permissions-Policy value */\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n  /** Default Cache-Control value for security */\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/**\n * Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n */\nexport const XSS_PATTERNS = [\n  /** Script tags (ReDoS-safe version) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** javascript: protocol (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /** vbscript: protocol */\n  /vbscript\\s*:/gi,\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\n  /(?:[\\s/])on\\w+\\s*=/gi,\n  /** iframe tags */\n  /<iframe/gi,\n  /** object tags */\n  /<object/gi,\n  /** embed tags */\n  /<embed/gi,\n  /** data: URIs (only dangerous ones, avoid false positives) */\n  /(?:^|[\\s\"'=])data:/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** SVG with onload */\n  /<svg[^>]*onload/gi,\n  /** form tags — phishing/credential harvesting via action= redirection */\n  /<form[\\s>]/gi,\n  /** meta tags — http-equiv refresh redirects or CSP bypass */\n  /<meta[\\s>]/gi,\n  /** base href hijacking — redirects all relative URLs to attacker domain */\n  /<base[\\s>]/gi,\n  /** link tag injection — stylesheet or preload CSRF attacks */\n  /<link[\\s>]/gi,\n] as const;\n\n/**\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n */\nexport const XSS_REMOVE_PATTERNS = [\n  /** Full script blocks (content + tags) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** Standalone/unclosed script tags */\n  /<script[^>]*>/gi,\n  /** style — CSS expression() and behavior: attacks (IE-era but still relevant) */\n  /<style[^>]*>[\\s\\S]*?<\\/style>/gi,\n  /<style[^>]*/gi,\n  /** iframe — full block and partial/unclosed */\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\n  /<iframe[^>]*/gi,\n  /** object — full block and partial/unclosed */\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\n  /<object[^>]*/gi,\n  /** embed tags */\n  /<embed[^>]*/gi,\n  /** SVG with inline event handlers */\n  /<svg[^>]*onload[^>]*>/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\n  /** Event handlers with unquoted values: onload=value */\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /vbscript\\s*:/gi,\n  /** data: URIs with HTML/script content */\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\n  /** form tag injection — phishing via action= redirection */\n  /<form[\\s>][^>]*/gi,\n  /** meta tag injection — http-equiv refresh or CSP bypass */\n  /<meta[\\s>][^>]*/gi,\n  /** base href hijacking */\n  /<base[\\s>][^>]*/gi,\n  /** link tag injection — stylesheet or preload attacks */\n  /<link[\\s>][^>]*/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n  /** SQL keywords */\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\n  /(--|\\/\\*|\\*\\/|#)/g,\n  /** SQL statement separators */\n  /(;|\\|\\||&&)/g,\n  /** Boolean injection: OR 1=1 */\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Boolean injection: AND 1=1 */\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Time-based blind: SLEEP() */\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\n  /** Time-based blind: BENCHMARK() */\n  /\\bBENCHMARK\\s*\\(/gi,\n  /** Time-based blind: PostgreSQL pg_sleep() */\n  /\\bpg_sleep\\s*\\(/gi,\n  /** Time-based blind: MSSQL WAITFOR DELAY */\n  /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n  /** Unix path traversal */\n  /\\.\\.\\//g,\n  /** Windows path traversal */\n  /\\.\\.\\\\/g,\n  /** URL-encoded traversal (%2e%2e) */\n  /%2e%2e/gi,\n  /** Double URL-encoded traversal (%252e) */\n  /%252e/gi,\n  /** Mixed encoding: ..%2F */\n  /\\.\\.%2F/gi,\n  /** Mixed encoding: %2e./ and .%2e/ */\n  /%2e\\.[\\\\/]/gi,\n  /\\.%2e[\\\\/]/gi,\n  /** Fully URL-encoded: %2e%2e%2f */\n  /%2e%2e%2f/gi,\n  /** Double URL-encoded forward slash: %252f */\n  /%252f/gi,\n  /** Dotdotslash bypass: ....// or ....\\\\ */\n  /\\.{2,}[/\\\\]{2,}/g,\n  /** Null byte injection in paths */\n  /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n  /**\n   * Shell metacharacters that enable command chaining/substitution.\n   * Bare ( and ) are excluded — they appear in common legitimate values\n   * (function calls in code fields, math expressions, etc.).\n   * Command substitution is caught by the $( combined pattern below.\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\n   * and Markdown; consider disabling command checking (command: false)\n   * for fields that intentionally allow those characters.\n   */\n  /[;&|`]/g,\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\n  /\\$\\(/g,\n  /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */\n  /%0[0-9a-f]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/**\n * Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n *\n * Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n */\nexport const DANGEROUS_PROTO_KEYS = new Set([\n  '__proto__',\n  'constructor',\n  'prototype',\n  '__definegetter__',\n  '__definesetter__',\n  '__lookupgetter__',\n  '__lookupsetter__',\n]);\n\n/** MongoDB operators to block */\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n  // Comparison\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n  // Logical\n  '$and', '$or', '$not', '$nor',\n  // Element / evaluation\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n  // Array\n  '$elemMatch', '$all', '$size',\n  // JavaScript execution (critical)\n  '$function', '$accumulator',\n  // Aggregation pipeline operators (injectable via $lookup etc.)\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n  '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n  /** Replacement text for redacted values */\n  REPLACEMENT: '[REDACTED]',\n  /** Truncation indicator */\n  TRUNCATED: '[TRUNCATED]',\n  /** Max depth indicator */\n  MAX_DEPTH: '[MAX_DEPTH]',\n  /** Default max message length */\n  DEFAULT_MAX_LENGTH: 10_000,\n  /** Default sensitive keys to redact */\n  SENSITIVE_KEYS: new Set([\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n    'credentials', 'x-api-key', 'x-auth-token',\n  ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n  /**\n   * Email regex pattern.\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n   * leading/trailing dots, and other common invalid forms.\n   */\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\n  /**\n   * URL regex pattern.\n   * Only allows http:// and https:// — explicitly rejects javascript:,\n   * data:, vbscript:, and other dangerous URI schemes.\n   */\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\n  /** UUID regex pattern (v4) */\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n  /** Generic error message (production) */\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\n  /** Input too large error */\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n  /** Validation error messages */\n  VALIDATION: {\n    REQUIRED: (field: string) => `${field} is required`,\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n  },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/**\n * @module @arcis/node/middleware/headers\n * Security headers middleware\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport { HEADERS } from '../core/constants';\nimport type { HeaderOptions, HstsOptions } from '../core/types';\n\n/**\n * Create Express middleware for security headers.\n * Sets CSP, HSTS, X-Frame-Options, and other security headers.\n * \n * @param options - Header configuration\n * @returns Express middleware\n * \n * @example\n * app.use(createHeaders());\n * \n * @example\n * app.use(createHeaders({\n *   frameOptions: 'SAMEORIGIN',\n *   contentSecurityPolicy: \"default-src 'self'\"\n * }));\n */\nexport function createHeaders(options: HeaderOptions = {}): RequestHandler {\n  const {\n    contentSecurityPolicy = true,\n    xssFilter = true,\n    noSniff = true,\n    frameOptions = HEADERS.FRAME_OPTIONS,\n    hsts = true,\n    referrerPolicy = HEADERS.REFERRER_POLICY,\n    permissionsPolicy = HEADERS.PERMISSIONS_POLICY,\n    cacheControl = true,\n    crossOriginOpenerPolicy = 'same-origin',\n    crossOriginResourcePolicy = 'same-origin',\n    crossOriginEmbedderPolicy = 'require-corp',\n    originAgentCluster = true,\n    dnsPrefetchControl = true,\n  } = options;\n\n  return (req: Request, res: Response, next: NextFunction) => {\n    // Content Security Policy\n    if (contentSecurityPolicy) {\n      const csp = typeof contentSecurityPolicy === 'string' \n        ? contentSecurityPolicy \n        : HEADERS.DEFAULT_CSP;\n      res.setHeader('Content-Security-Policy', csp);\n    }\n\n    // X-XSS-Protection: 0 disables the legacy XSS auditor which was itself\n    // an attack vector (could be abused to selectively block legitimate scripts)\n    if (xssFilter) {\n      res.setHeader('X-XSS-Protection', '0');\n    }\n\n    // Prevent MIME type sniffing\n    if (noSniff) {\n      res.setHeader('X-Content-Type-Options', HEADERS.CONTENT_TYPE_OPTIONS);\n    }\n\n    // Clickjacking protection\n    if (frameOptions) {\n      res.setHeader('X-Frame-Options', frameOptions);\n    }\n\n    // HTTPS enforcement (HSTS)\n    // Only send HSTS over HTTPS — sending it over HTTP can brick HTTP-only\n    // development servers and confuses browsers that cache the directive.\n    // X-Forwarded-Proto is client-supplied so we validate the extracted value\n    // is exactly 'https' or 'http' before trusting it.\n    const forwardedProto = (req.headers['x-forwarded-proto'] as string | undefined)\n      ?.split(',')[0]\n      .trim()\n      .toLowerCase();\n    const trustedForwardedProto = forwardedProto === 'https' || forwardedProto === 'http'\n      ? forwardedProto\n      : undefined;\n    const isHttps = req.secure || trustedForwardedProto === 'https';\n\n    if (hsts && isHttps) {\n      const hstsOpts: HstsOptions = typeof hsts === 'object' ? hsts : {};\n      const maxAge = hstsOpts.maxAge ?? HEADERS.HSTS_MAX_AGE;\n      const includeSubDomains = hstsOpts.includeSubDomains !== false;\n      const preload = hstsOpts.preload === true;\n\n      let hstsValue = `max-age=${maxAge}`;\n      if (includeSubDomains) hstsValue += '; includeSubDomains';\n      if (preload) hstsValue += '; preload';\n\n      res.setHeader('Strict-Transport-Security', hstsValue);\n    }\n\n    // Referrer Policy\n    if (referrerPolicy) {\n      res.setHeader('Referrer-Policy', referrerPolicy);\n    }\n\n    // Permissions Policy\n    if (permissionsPolicy) {\n      res.setHeader('Permissions-Policy', permissionsPolicy);\n    }\n\n    // Cross-origin isolation headers (Spectre mitigation)\n    if (crossOriginOpenerPolicy) {\n      res.setHeader('Cross-Origin-Opener-Policy', crossOriginOpenerPolicy);\n    }\n\n    if (crossOriginResourcePolicy) {\n      res.setHeader('Cross-Origin-Resource-Policy', crossOriginResourcePolicy);\n    }\n\n    if (crossOriginEmbedderPolicy) {\n      res.setHeader('Cross-Origin-Embedder-Policy', crossOriginEmbedderPolicy);\n    }\n\n    // Request origin-keyed process isolation\n    if (originAgentCluster) {\n      res.setHeader('Origin-Agent-Cluster', '?1');\n    }\n\n    // Prevent DNS prefetching (privacy leak vector)\n    if (dnsPrefetchControl) {\n      res.setHeader('X-DNS-Prefetch-Control', 'off');\n    }\n\n    // Additional security headers\n    res.setHeader('X-Permitted-Cross-Domain-Policies', 'none');\n\n    // Cache-Control headers\n    if (cacheControl) {\n      const cacheControlValue = typeof cacheControl === 'string'\n        ? cacheControl\n        : HEADERS.CACHE_CONTROL;\n      res.setHeader('Cache-Control', cacheControlValue);\n      res.setHeader('Pragma', 'no-cache');\n      res.setHeader('Expires', '0');\n    }\n\n    // Remove fingerprinting headers\n    res.removeHeader('X-Powered-By');\n\n    next();\n  };\n}\n\n/**\n * Alias for createHeaders\n * @see createHeaders\n */\nexport const securityHeaders = createHeaders;\n","/**\n * @module @arcis/node/middleware/rate-limit\n * Rate limiting middleware\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport { RATE_LIMIT } from '../core/constants';\nimport type { RateLimitOptions, RateLimiterMiddleware, RateLimitEntry } from '../core/types';\n\n/** In-memory rate limit store */\ninterface InMemoryRateLimitStore {\n  [key: string]: RateLimitEntry;\n}\n\n/**\n * Create Express middleware for rate limiting.\n * \n * @param options - Rate limit configuration\n * @returns Express middleware with cleanup method\n * \n * @example\n * app.use(createRateLimiter({ max: 100, windowMs: 60000 }));\n * \n * @example\n * // Skip rate limiting for certain routes\n * app.use(createRateLimiter({\n *   max: 50,\n *   skip: (req) => req.path === '/health'\n * }));\n * \n * @example\n * // Cleanup on shutdown\n * const limiter = createRateLimiter();\n * app.use(limiter);\n * process.on('SIGTERM', () => limiter.close());\n */\nexport function createRateLimiter(options: RateLimitOptions = {}): RateLimiterMiddleware {\n  const {\n    max = RATE_LIMIT.DEFAULT_MAX_REQUESTS,\n    windowMs = RATE_LIMIT.DEFAULT_WINDOW_MS,\n    message = RATE_LIMIT.DEFAULT_MESSAGE,\n    statusCode = RATE_LIMIT.DEFAULT_STATUS_CODE,\n    keyGenerator = (req) => {\n      const ip = req.ip ?? req.socket?.remoteAddress;\n      if (ip) return ip;\n      // SECURITY: When IP is unresolvable, fall back to a fingerprint of UA +\n      // Accept-Language so unresolvable clients don't share a single counter\n      // (one attacker could exhaust the limit and block every other client).\n      const ua = (req.headers['user-agent'] ?? '') as string;\n      const lang = (req.headers['accept-language'] ?? '') as string;\n      const fp = `${ua}|${lang}`;\n      // Small non-crypto hash — just needs to disperse unknown clients\n      let hash = 0;\n      for (let i = 0; i < fp.length; i++) hash = ((hash << 5) - hash + fp.charCodeAt(i)) | 0;\n      return `unknown:${hash.toString(36)}`;\n    },\n    skip,\n    store: externalStore,\n  } = options;\n\n  // Object.create(null) avoids prototype pollution if keyGenerator ever\n  // returns '__proto__', 'constructor', or 'prototype'.\n  const inMemoryStore = Object.create(null) as InMemoryRateLimitStore;\n\n  // Cleanup interval for in-memory store (only create if not using external store)\n  let cleanupInterval: ReturnType<typeof setInterval> | null = null;\n  \n  if (!externalStore) {\n    cleanupInterval = setInterval(() => {\n      const now = Date.now();\n      for (const key of Object.keys(inMemoryStore)) {\n        if (inMemoryStore[key].resetTime < now) {\n          delete inMemoryStore[key];\n        }\n      }\n    }, windowMs);\n\n    // Prevent interval from keeping the process alive (Node.js only)\n    if (typeof cleanupInterval.unref === 'function') {\n      cleanupInterval.unref();\n    }\n  }\n\n  const handler: RequestHandler = async (req: Request, res: Response, next: NextFunction) => {\n    try {\n      if (skip?.(req)) {\n        return next();\n      }\n\n      const key = keyGenerator(req);\n      const now = Date.now();\n\n      let count: number;\n      let resetTime: number;\n\n      if (externalStore) {\n        // Use external store (e.g., Redis)\n        const entry = await externalStore.get(key);\n        if (!entry || entry.resetTime < now) {\n          await externalStore.set(key, { count: 1, resetTime: now + windowMs });\n          count = 1;\n          resetTime = now + windowMs;\n        } else {\n          count = await externalStore.increment(key);\n          resetTime = entry.resetTime;\n        }\n      } else {\n        // Use in-memory store\n        if (!inMemoryStore[key] || inMemoryStore[key].resetTime < now) {\n          inMemoryStore[key] = { count: 1, resetTime: now + windowMs };\n        } else {\n          inMemoryStore[key].count++;\n        }\n        count = inMemoryStore[key].count;\n        resetTime = inMemoryStore[key].resetTime;\n      }\n\n      const remaining = Math.max(0, max - count);\n      const resetSeconds = Math.ceil((resetTime - now) / 1000);\n\n      // Set rate limit headers\n      res.setHeader('X-RateLimit-Limit', max.toString());\n      res.setHeader('X-RateLimit-Remaining', remaining.toString());\n      res.setHeader('X-RateLimit-Reset', resetSeconds.toString());\n\n      if (count > max) {\n        res.setHeader('Retry-After', resetSeconds.toString());\n        res.status(statusCode).json({\n          error: message,\n          retryAfter: resetSeconds,\n        });\n        return;\n      }\n\n      next();\n    } catch (error) {\n      // External store failed — fall back to in-memory rate limiting.\n      // Pure fail-open is a security bypass; in-memory fallback maintains protection.\n      console.error('[arcis] Rate limiter store error, using in-memory fallback:', error);\n      try {\n        const key = keyGenerator(req);\n        const now = Date.now();\n        if (!inMemoryStore[key] || inMemoryStore[key].resetTime < now) {\n          inMemoryStore[key] = { count: 1, resetTime: now + windowMs };\n        } else {\n          inMemoryStore[key].count++;\n        }\n        const count = inMemoryStore[key].count;\n        if (count > max) {\n          const resetSeconds = Math.ceil((inMemoryStore[key].resetTime - now) / 1000);\n          res.setHeader('Retry-After', resetSeconds.toString());\n          res.status(statusCode).json({ error: message, retryAfter: resetSeconds });\n          return;\n        }\n      } catch {\n        // If even fallback fails, allow through to preserve availability\n      }\n      next();\n    }\n  };\n\n  // Attach close method for cleanup\n  const middleware = handler as RateLimiterMiddleware;\n  middleware.close = () => {\n    if (cleanupInterval) {\n      clearInterval(cleanupInterval);\n      cleanupInterval = null;\n    }\n  };\n\n  return middleware;\n}\n\n/**\n * Alias for createRateLimiter\n * @see createRateLimiter\n */\nexport const rateLimit = createRateLimiter;\n","/**\n * @module @arcis/node/middleware/error-handler\n * Production-safe error handler middleware\n */\n\nimport type { Request, Response, NextFunction } from 'express';\nimport { ERRORS } from '../core/constants';\nimport type { ErrorHandlerOptions, HttpError } from '../core/types';\n\n/**\n * Patterns that indicate database or infrastructure internals in error messages.\n * When detected, the message is replaced with a generic error to prevent info leakage.\n */\nconst SENSITIVE_ERROR_PATTERNS: RegExp[] = [\n  // SQL database errors\n  /\\b(SQLITE_ERROR|SQLSTATE|ORA-\\d|PG::|mysql_|pg_query|ECONNREFUSED)/i,\n  /\\b(syntax error at or near|relation \".*\" does not exist)/i,\n  /\\b(column \".*\" (does not exist|of relation))/i,\n  /\\b(duplicate key value violates unique constraint)/i,\n  /\\b(table .* doesn't exist|unknown column)/i,\n  // MongoDB errors\n  /\\b(MongoError|MongoServerError|MongoNetworkError|E11000 duplicate key)/i,\n  // Redis errors\n  /\\b(WRONGTYPE|CROSSSLOT|CLUSTERDOWN|READONLY|ReplyError)/i,\n  // Connection strings and DSNs\n  /\\b(mongodb(\\+srv)?:\\/\\/|postgres(ql)?:\\/\\/|mysql:\\/\\/|redis:\\/\\/)/i,\n  // Stack traces with file paths\n  /\\bat\\s+.*\\.(js|ts|py|go|java):\\d+/i,\n  // Internal IP addresses\n  /\\b(127\\.0\\.0\\.\\d+|10\\.\\d+\\.\\d+\\.\\d+|192\\.168\\.\\d+\\.\\d+|172\\.(1[6-9]|2\\d|3[01])\\.\\d+\\.\\d+)\\b/,\n];\n\n/**\n * Check if an error message contains sensitive infrastructure details.\n */\nexport function containsSensitiveInfo(message: string): boolean {\n  return SENSITIVE_ERROR_PATTERNS.some(pattern => pattern.test(message));\n}\n\n/**\n * Create Express error handler that hides sensitive details in production.\n *\n * Prevents information leakage by:\n * - Hiding stack traces in production\n * - Hiding error messages unless explicitly exposed\n * - Scrubbing database errors, connection strings, and internal IPs\n *\n * @param options - Error handler configuration (or boolean for isDev)\n * @returns Express error handling middleware\n *\n * @example\n * // Production mode (default) - hides error details\n * app.use(errorHandler());\n *\n * @example\n * // Development mode - shows error details and stack traces\n * app.use(errorHandler({ isDev: true }));\n *\n * @example\n * // With custom logger\n * app.use(errorHandler({\n *   isDev: false,\n *   logger: arcis.logger()\n * }));\n */\nexport function errorHandler(\n  options: ErrorHandlerOptions | boolean = false\n): (err: Error, req: Request, res: Response, next: NextFunction) => void {\n  const isDev = typeof options === 'boolean' ? options : options.isDev ?? false;\n  const logErrors = typeof options === 'object' ? options.logErrors ?? true : true;\n  const logger = typeof options === 'object' ? options.logger : undefined;\n  const customHandler = typeof options === 'object' ? options.customHandler : undefined;\n\n  return (err: HttpError, req: Request, res: Response, _next: NextFunction) => {\n    const statusCode = err.statusCode || err.status || 500;\n\n    // Custom handler takes precedence\n    if (customHandler) {\n      return customHandler(err, req, res);\n    }\n\n    // Always log full error details server-side\n    if (logErrors) {\n      const logData = {\n        error: err.message,\n        stack: err.stack,\n        statusCode,\n        path: req.path,\n        method: req.method,\n      };\n\n      if (logger) {\n        logger.error('Request error', logData);\n      } else {\n        console.error('[arcis] Request error:', logData);\n      }\n    }\n\n    // Build response\n    // Only expose err.message when err.expose === true (caller opted in) or in dev mode.\n    // This prevents internal details leaking through arbitrary 4xx errors that happen\n    // to contain sensitive info (e.g. \"DB query failed for user admin@corp.com\").\n    const exposeMessage = isDev || err.expose === true;\n\n    let clientMessage: string;\n    if (!exposeMessage) {\n      clientMessage = ERRORS.INTERNAL_SERVER_ERROR;\n    } else if (containsSensitiveInfo(err.message)) {\n      // Even when expose is true, scrub DB errors and infra details\n      clientMessage = isDev ? err.message : ERRORS.INTERNAL_SERVER_ERROR;\n    } else {\n      clientMessage = err.message;\n    }\n\n    const response: Record<string, unknown> = {\n      error: clientMessage,\n    };\n\n    // Only show details in development\n    if (isDev) {\n      response.stack = err.stack;\n      response.details = err.message;\n    }\n\n    res.status(statusCode).json(response);\n  };\n}\n\n/**\n * Alias for errorHandler\n * @see errorHandler\n */\nexport const createErrorHandler = errorHandler;\n","/**\n * @module @arcis/node/core/errors\n * Custom error classes for Arcis\n */\n\n/**\n * Base class for all Arcis errors\n */\nexport class ArcisError extends Error {\n  public readonly statusCode: number;\n  public readonly code: string;\n  /** Whether the error message is safe to expose to API clients. */\n  public readonly expose: boolean;\n\n  constructor(message: string, statusCode = 500, code = 'ARCIS_ERROR') {\n    super(message);\n    this.name = 'ArcisError';\n    this.statusCode = statusCode;\n    this.code = code;\n    // Client errors (4xx) have controlled messages — safe to expose.\n    // Server errors (5xx) may contain internal details — hide by default.\n    this.expose = statusCode < 500;\n\n    // Maintains proper stack trace for where error was thrown (V8 engines)\n    if (Error.captureStackTrace) {\n      Error.captureStackTrace(this, this.constructor);\n    }\n  }\n}\n\n/**\n * Error thrown when input validation fails\n */\nexport class ValidationError extends ArcisError {\n  public readonly errors: string[];\n\n  constructor(errors: string[]) {\n    super('Validation failed', 400, 'VALIDATION_ERROR');\n    this.name = 'ValidationError';\n    this.errors = errors;\n  }\n}\n\n/** Alias for ValidationError (backwards compatibility) */\nexport { ValidationError as ArcisValidationError };\n\n/**\n * Error thrown when rate limit is exceeded\n */\nexport class RateLimitError extends ArcisError {\n  public readonly retryAfter: number;\n\n  constructor(message: string, retryAfter: number) {\n    super(message, 429, 'RATE_LIMIT_EXCEEDED');\n    this.name = 'RateLimitError';\n    this.retryAfter = retryAfter;\n  }\n}\n\n/**\n * Error thrown when input is too large\n */\nexport class InputTooLargeError extends ArcisError {\n  public readonly maxSize: number;\n  public readonly actualSize: number;\n\n  constructor(maxSize: number, actualSize: number) {\n    super(`Input exceeds maximum size of ${maxSize} bytes`, 413, 'INPUT_TOO_LARGE');\n    this.name = 'InputTooLargeError';\n    this.maxSize = maxSize;\n    this.actualSize = actualSize;\n  }\n}\n\n/**\n * Error thrown when security threat is detected\n */\nexport class SecurityThreatError extends ArcisError {\n  public readonly threatType: string;\n  public readonly pattern: string;\n\n  constructor(threatType: string, pattern: string) {\n    super('Request blocked for security reasons', 400, 'SECURITY_THREAT');\n    this.name = 'SecurityThreatError';\n    this.threatType = threatType;\n    this.pattern = pattern;\n  }\n}\n\n/**\n * Error thrown when sanitization fails\n */\nexport class SanitizationError extends ArcisError {\n  constructor(message: string) {\n    super(message, 400, 'SANITIZATION_ERROR');\n    this.name = 'SanitizationError';\n  }\n}\n","/**\n * @module @arcis/node/middleware/telemetry\n * Bridges Arcis middleware decisions to a TelemetryClient.\n * Pattern 3 (two-layer): the client owns transport; this layer owns Express plumbing.\n */\n\nimport type { Request, RequestHandler } from 'express';\nimport type { TelemetryClient } from '../telemetry/client';\nimport type { TelemetryEvent, TelemetryDecision, TelemetrySeverity } from '../telemetry/types';\nimport { SecurityThreatError } from '../core/errors';\n\n/** Marker that inner middleware writes to and the emitter reads from. */\nexport interface ArcisTelemetryMarker {\n  vector?: string;\n  rule?: string;\n  severity?: TelemetrySeverity;\n  matchedPattern?: string;\n  reason?: string;\n  /** Pre-decided decision. If absent, the emitter infers from response status. */\n  decision?: TelemetryDecision;\n}\n\ndeclare module 'express-serve-static-core' {\n  interface Request {\n    /** Per-request marker populated by Arcis middlewares for telemetry attribution. */\n    __arcis?: ArcisTelemetryMarker;\n  }\n}\n\nconst THREAT_TO_VECTOR: Record<string, string> = {\n  xss: 'xss',\n  sql_injection: 'sql',\n  nosql_injection: 'nosql',\n  path_traversal: 'path',\n  command_injection: 'command',\n  prototype_pollution: 'prototype',\n  header_injection: 'header',\n  ssti: 'ssti',\n  xxe: 'xxe',\n};\n\n/**\n * Express middleware that records a telemetry event for every request.\n * Captures latency from entry, hooks `res.on('finish')`, and infers the\n * final decision from response status + any `req.__arcis` marker.\n */\nexport function createTelemetryEmitter(client: TelemetryClient): RequestHandler {\n  return (req, res, next) => {\n    const start = performance.now();\n\n    res.on('finish', () => {\n      try {\n        const event = buildEvent(req, res.statusCode, performance.now() - start);\n        client.record(event);\n      } catch {\n        // emit must never break the response — fail-open\n      }\n    });\n\n    next();\n  };\n}\n\n/**\n * Wraps the sanitizer middleware so SecurityThreatError → req.__arcis marker.\n * The emitter on `finish` will then have vector/rule/severity attribution.\n */\nexport function tapSanitizerThreats(handler: RequestHandler): RequestHandler {\n  return (req, res, next) => {\n    handler(req, res, (err?: unknown) => {\n      if (err instanceof SecurityThreatError) {\n        const vector = THREAT_TO_VECTOR[err.threatType] ?? err.threatType;\n        req.__arcis = {\n          vector,\n          rule: `${vector}/match`,\n          severity: 'high',\n          matchedPattern: err.pattern,\n          reason: err.message,\n          decision: 'deny',\n        };\n      }\n      next(err);\n    });\n  };\n}\n\nfunction buildEvent(req: Request, status: number, latencyMs: number): TelemetryEvent {\n  const marker = req.__arcis;\n  const decision = marker?.decision ?? inferDecision(status);\n\n  // Skip 5xx — those are server errors, not security decisions.\n  // Still emit so the dashboard shows traffic, but mark as allow with status >=500.\n  return {\n    ts: new Date().toISOString(),\n    ip: extractIp(req),\n    method: (req.method ?? 'GET').toUpperCase(),\n    path: req.path ?? req.url ?? '/',\n    decision,\n    vector: marker?.vector ?? (status === 429 ? 'rate-limit' : undefined),\n    rule: marker?.rule ?? (status === 429 ? 'rate-limit/exceeded' : undefined),\n    severity: marker?.severity ?? (status === 429 ? 'medium' : undefined),\n    userAgent: typeof req.headers?.['user-agent'] === 'string' ? req.headers['user-agent'] : '',\n    reason: marker?.reason,\n    status,\n    matchedPattern: marker?.matchedPattern,\n    latencyMs: Math.max(0, latencyMs),\n  };\n}\n\nfunction inferDecision(status: number): TelemetryDecision {\n  if (status === 429) return 'deny';\n  if (status === 400) return 'deny';\n  if (status === 403) return 'deny';\n  return 'allow';\n}\n\nfunction extractIp(req: Request): string {\n  if (typeof req.ip === 'string' && req.ip.length > 0) return req.ip;\n  const remote = req.socket?.remoteAddress;\n  return typeof remote === 'string' ? remote : '0.0.0.0';\n}\n","/**\n * @module @arcis/node/sanitizers/utils\n * Shared utilities for sanitizers\n */\n\n/**\n * Encodes HTML entities to prevent interpretation as markup.\n * \n * @param str - The string to encode\n * @returns The encoded string\n */\nexport function encodeHtmlEntities(str: string): string {\n  return str\n    .replace(/&/g, '&amp;')\n    .replace(/</g, '&lt;')\n    .replace(/>/g, '&gt;')\n    .replace(/\"/g, '&quot;')\n    .replace(/'/g, '&#x27;');\n}\n\n/**\n * Checks if a value is a plain object (not null, array, Date, etc.)\n * \n * @param value - Value to check\n * @returns True if plain object\n */\nexport function isPlainObject(value: unknown): value is Record<string, unknown> {\n  if (typeof value !== 'object' || value === null || Array.isArray(value)) {\n    return false;\n  }\n  // Check the actual prototype chain rather than toString, which can be spoofed\n  // via Symbol.toStringTag. Accepts both Object.prototype (plain {}) and null\n  // prototype objects (Object.create(null)).\n  const proto = Object.getPrototypeOf(value as object);\n  return proto === Object.prototype || proto === null;\n}\n","/**\n * @module @arcis/node/sanitizers/xss\n * XSS (Cross-Site Scripting) prevention\n */\n\nimport { XSS_PATTERNS, XSS_REMOVE_PATTERNS } from '../core/constants';\nimport { encodeHtmlEntities } from './utils';\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\n\n/**\n * Sanitizes a string to prevent XSS attacks.\n * \n * Strategy:\n * 1. Remove dangerous patterns (script tags, event handlers, etc.)\n * 2. HTML-encode the remaining content\n * \n * @param input - The string to sanitize\n * @param collectThreats - Whether to collect threat information (default: false for performance)\n * @returns Sanitized string or SanitizeResult if collectThreats is true\n * \n * @example\n * sanitizeXss(\"<script>alert('xss')</script>\")\n * // Returns: \"&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;\"\n * \n * @example\n * sanitizeXss(\"<img onerror='alert(1)'>\")\n * // Returns: \"&lt;img&gt;\" (event handler removed)\n */\nexport function sanitizeXss(input: string, collectThreats?: false, htmlEncode?: boolean): string;\nexport function sanitizeXss(input: string, collectThreats: true, htmlEncode?: boolean): SanitizeResult;\nexport function sanitizeXss(input: string, collectThreats = false, htmlEncode = false): string | SanitizeResult {\n  if (typeof input !== 'string') {\n    return collectThreats \n      ? { value: String(input), wasSanitized: false, threats: [] }\n      : String(input);\n  }\n\n  const threats: ThreatInfo[] = [];\n  let value = input;\n  let wasSanitized = false;\n\n  // Remove dangerous patterns FIRST — XSS_REMOVE_PATTERNS is the single\n  // source of truth (defined in constants.ts alongside XSS_PATTERNS).\n  for (const pattern of XSS_REMOVE_PATTERNS) {\n    pattern.lastIndex = 0;\n    if (pattern.test(value)) {\n      pattern.lastIndex = 0;\n      \n      if (collectThreats) {\n        const matches = value.match(pattern);\n        if (matches) {\n          for (const match of matches) {\n            threats.push({\n              type: 'xss',\n              pattern: pattern.source,\n              original: match,\n            });\n          }\n        }\n      }\n      \n      value = value.replace(pattern, '');\n      wasSanitized = true;\n    }\n  }\n\n  // HTML-encode only when explicitly requested (SSR/template context).\n  // Do NOT encode by default — this is a REST API middleware; encoding\n  // here corrupts JSON data with HTML entities (&lt;, &amp;, etc.) that\n  // consumers would receive verbatim.\n  if (htmlEncode) {\n    const encoded = encodeHtmlEntities(value);\n    if (encoded !== value) {\n      wasSanitized = true;\n    }\n    value = encoded;\n  }\n\n  if (collectThreats) {\n    return { value, wasSanitized, threats };\n  }\n  \n  return value;\n}\n\n/**\n * Checks if a string contains potential XSS patterns.\n * Does not sanitize — use sanitizeXss() for that.\n * \n * @param input - The string to check\n * @returns True if XSS patterns detected\n */\nexport function detectXss(input: string): boolean {\n  if (typeof input !== 'string') return false;\n  \n  // Check for event handlers\n  if (/\\s+on\\w+\\s*=/i.test(input)) return true;\n  \n  // Check for dangerous protocols\n  if (/javascript\\s*:/i.test(input)) return true;\n  if (/vbscript\\s*:/i.test(input)) return true;\n  if (/data\\s*:\\s*text\\/html/i.test(input)) return true;\n  \n  // Check for patterns from constants\n  for (const pattern of XSS_PATTERNS) {\n    pattern.lastIndex = 0;\n    if (pattern.test(input)) {\n      return true;\n    }\n  }\n  \n  return false;\n}\n","/**\n * @module @arcis/node/sanitizers/sql\n * SQL injection prevention\n */\n\nimport { SQL_PATTERNS } from '../core/constants';\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\n\n/**\n * Sanitizes a string to prevent SQL injection attacks.\n * Replaces dangerous SQL patterns with [BLOCKED].\n * \n * @param input - The string to sanitize\n * @param collectThreats - Whether to collect threat information (default: false for performance)\n * @returns Sanitized string or SanitizeResult if collectThreats is true\n * \n * @example\n * sanitizeSql(\"'; DROP TABLE users; --\")\n * // Returns: \"';  TABLE users  \"\n */\nexport function sanitizeSql(input: string, collectThreats?: false): string;\nexport function sanitizeSql(input: string, collectThreats: true): SanitizeResult;\nexport function sanitizeSql(input: string, collectThreats = false): string | SanitizeResult {\n  if (typeof input !== 'string') {\n    return collectThreats \n      ? { value: String(input), wasSanitized: false, threats: [] }\n      : String(input);\n  }\n\n  const threats: ThreatInfo[] = [];\n  let value = input;\n  let wasSanitized = false;\n\n  for (const pattern of SQL_PATTERNS) {\n    // Reset regex lastIndex for global patterns\n    pattern.lastIndex = 0;\n    \n    if (pattern.test(value)) {\n      pattern.lastIndex = 0; // Reset again for replace\n      \n      if (collectThreats) {\n        const matches = value.match(pattern);\n        if (matches) {\n          for (const match of matches) {\n            threats.push({\n              type: 'sql_injection',\n              pattern: pattern.source,\n              original: match,\n            });\n          }\n        }\n      }\n      \n      // Replace the matched content with a space to avoid concatenating surrounding\n      // tokens into new dangerous strings (e.g. \"SELECTname\" after stripping \"SELECT\").\n      value = value.replace(pattern, ' ');\n      wasSanitized = true;\n    }\n  }\n\n  if (collectThreats) {\n    return { value, wasSanitized, threats };\n  }\n  \n  return value;\n}\n\n/**\n * Checks if a string contains potential SQL injection patterns.\n * Does not sanitize — use sanitizeSql() for that.\n * \n * @param input - The string to check\n * @returns True if SQL injection patterns detected\n */\nexport function detectSql(input: string): boolean {\n  if (typeof input !== 'string') return false;\n  \n  for (const pattern of SQL_PATTERNS) {\n    pattern.lastIndex = 0;\n    if (pattern.test(input)) {\n      return true;\n    }\n  }\n  \n  return false;\n}\n","/**\n * @module @arcis/node/sanitizers/path\n * Path traversal prevention\n */\n\nimport { PATH_PATTERNS } from '../core/constants';\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\n\n/**\n * Sanitizes a string to prevent path traversal attacks.\n * Removes ../ and ..\\ patterns (including URL-encoded variants).\n * \n * @param input - The string to sanitize\n * @param collectThreats - Whether to collect threat information (default: false for performance)\n * @returns Sanitized string or SanitizeResult if collectThreats is true\n * \n * @example\n * sanitizePath(\"../../etc/passwd\")\n * // Returns: \"etc/passwd\"\n */\nexport function sanitizePath(input: string, collectThreats?: false): string;\nexport function sanitizePath(input: string, collectThreats: true): SanitizeResult;\nexport function sanitizePath(input: string, collectThreats = false): string | SanitizeResult {\n  if (typeof input !== 'string') {\n    return collectThreats \n      ? { value: String(input), wasSanitized: false, threats: [] }\n      : String(input);\n  }\n\n  const threats: ThreatInfo[] = [];\n  let value = input;\n  let wasSanitized = false;\n\n  // SECURITY: Normalize Unicode to NFKC before pattern matching.\n  // Fullwidth dot U+FF0E normalizes to '.', preventing ．．/ bypass of ../ detection.\n  value = value.normalize('NFKC');\n\n  // Apply patterns repeatedly until the string stops changing.\n  // Single-pass stripping is bypassable: \"....//\".replace(\"../\",\"\") → \"../\"\n  let prev: string;\n  do {\n    prev = value;\n    for (const pattern of PATH_PATTERNS) {\n      pattern.lastIndex = 0;\n\n      if (pattern.test(value)) {\n        pattern.lastIndex = 0;\n\n        if (collectThreats) {\n          const matches = value.match(pattern);\n          if (matches) {\n            for (const match of matches) {\n              threats.push({\n                type: 'path_traversal',\n                pattern: pattern.source,\n                original: match,\n              });\n            }\n          }\n        }\n\n        value = value.replace(pattern, '');\n        wasSanitized = true;\n      }\n    }\n  } while (value !== prev);\n\n  if (collectThreats) {\n    return { value, wasSanitized, threats };\n  }\n  \n  return value;\n}\n\n/**\n * Checks if a string contains path traversal patterns.\n * Does not sanitize — use sanitizePath() for that.\n * \n * @param input - The string to check\n * @returns True if path traversal patterns detected\n */\nexport function detectPathTraversal(input: string): boolean {\n  if (typeof input !== 'string') return false;\n\n  // SECURITY: Normalize Unicode to NFKC — same as sanitizePath\n  const normalized = input.normalize('NFKC');\n\n  for (const pattern of PATH_PATTERNS) {\n    pattern.lastIndex = 0;\n    if (pattern.test(normalized)) {\n      return true;\n    }\n  }\n  \n  return false;\n}\n","/**\n * @module @arcis/node/sanitizers/command\n * Command injection prevention\n */\n\nimport { COMMAND_PATTERNS } from '../core/constants';\nimport type { SanitizeResult, ThreatInfo } from '../core/types';\n\n/**\n * Sanitizes a string to prevent command injection attacks.\n * Replaces shell metacharacters and dangerous commands with [BLOCKED].\n * \n * @param input - The string to sanitize\n * @param collectThreats - Whether to collect threat information (default: false for performance)\n * @returns Sanitized string or SanitizeResult if collectThreats is true\n * \n * @example\n * sanitizeCommand(\"file.txt; rm -rf /\")\n * // Returns: \"file.txt  rm -rf /\"\n */\nexport function sanitizeCommand(input: string, collectThreats?: false): string;\nexport function sanitizeCommand(input: string, collectThreats: true): SanitizeResult;\nexport function sanitizeCommand(input: string, collectThreats = false): string | SanitizeResult {\n  if (typeof input !== 'string') {\n    return collectThreats \n      ? { value: String(input), wasSanitized: false, threats: [] }\n      : String(input);\n  }\n\n  const threats: ThreatInfo[] = [];\n  let value = input;\n  let wasSanitized = false;\n\n  for (const pattern of COMMAND_PATTERNS) {\n    // Reset regex lastIndex for global patterns\n    pattern.lastIndex = 0;\n    \n    if (pattern.test(value)) {\n      pattern.lastIndex = 0; // Reset again for replace\n      \n      if (collectThreats) {\n        const matches = value.match(pattern);\n        if (matches) {\n          for (const match of matches) {\n            threats.push({\n              type: 'command_injection',\n              pattern: pattern.source,\n              original: match,\n            });\n          }\n        }\n      }\n      \n      value = value.replace(pattern, ' ');\n      wasSanitized = true;\n    }\n  }\n\n  if (collectThreats) {\n    return { value, wasSanitized, threats };\n  }\n  \n  return value;\n}\n\n/**\n * Checks if a string contains command injection patterns.\n * Does not sanitize — use sanitizeCommand() for that.\n * \n * @param input - The string to check\n * @returns True if command injection patterns detected\n */\nexport function detectCommandInjection(input: string): boolean {\n  if (typeof input !== 'string') return false;\n  \n  for (const pattern of COMMAND_PATTERNS) {\n    pattern.lastIndex = 0;\n    if (pattern.test(input)) {\n      return true;\n    }\n  }\n  \n  return false;\n}\n","/**\n * @module @arcis/node/sanitizers/sanitize\n * Main sanitization functions that combine all sanitizers\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport { INPUT, DANGEROUS_PROTO_KEYS, NOSQL_DANGEROUS_KEYS } from '../core/constants';\nimport { InputTooLargeError, SecurityThreatError } from '../core/errors';\nimport type { SanitizeOptions } from '../core/types';\nimport { sanitizeXss } from './xss';\nimport { sanitizeSql, detectSql } from './sql';\nimport { sanitizePath } from './path';\nimport { sanitizeCommand, detectCommandInjection } from './command';\n\n/**\n * Sanitize a string value against multiple attack vectors.\n * \n * Order matters: We do XSS encoding LAST because:\n * 1. Other sanitizers need to see the original patterns (e.g., SQL keywords)\n * 2. HTML encoding is the final safe output transformation\n * 3. Encoded entities like &lt; shouldn't be treated as SQL/command threats\n * \n * @param value - The string to sanitize\n * @param options - Sanitization options\n * @returns The sanitized string\n * \n * @example\n * sanitizeString(\"<script>alert('xss')</script>\")\n * // Returns: \"&lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;\"\n * \n * @example\n * sanitizeString(\"../../etc/passwd\")\n * // Returns: \"etc/passwd\"\n */\nexport function sanitizeString(value: string, options: SanitizeOptions = {}): string {\n  if (typeof value !== 'string') return value;\n\n  // Input size limit to prevent DoS\n  const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;\n  if (value.length > maxSize) {\n    throw new InputTooLargeError(maxSize, value.length);\n  }\n\n  // Default mode is 'sanitize' (strip threats and return cleaned string).\n  // Pass mode: 'reject' to throw SecurityThreatError instead of stripping.\n  const reject = options.mode === 'reject';\n  let result = value;\n\n  // 1. SQL injection\n  if (options.sql !== false) {\n    if (reject) {\n      if (detectSql(result)) {\n        throw new SecurityThreatError('sql_injection', 'SQL pattern detected in input');\n      }\n    } else {\n      result = sanitizeSql(result);\n    }\n  }\n\n  // 2. Path traversal prevention\n  if (options.path !== false) {\n    result = sanitizePath(result);\n  }\n\n  // 3. Command injection\n  if (options.command !== false) {\n    if (reject) {\n      if (detectCommandInjection(result)) {\n        throw new SecurityThreatError('command_injection', 'Shell metacharacter detected in input');\n      }\n    } else {\n      result = sanitizeCommand(result);\n    }\n  }\n\n  // 4. XSS stripping — always runs to remove dangerous patterns.\n  // HTML encoding is opt-in via options.htmlEncode (for SSR contexts only).\n  if (options.xss !== false) {\n    result = sanitizeXss(result, false, options.htmlEncode ?? false);\n  }\n\n  return result;\n}\n\n/**\n * Sanitize an object recursively, including nested objects and arrays.\n * Also removes prototype pollution and NoSQL injection keys.\n * \n * @param obj - The object to sanitize\n * @param options - Sanitization options\n * @returns The sanitized object\n */\nexport function sanitizeObject(obj: unknown, options: SanitizeOptions = {}): unknown {\n  if (obj === null || obj === undefined) return obj;\n  if (typeof obj === 'string') return sanitizeString(obj, options);\n  if (typeof obj !== 'object') return obj;\n  if (Array.isArray(obj)) return obj.map(item => sanitizeObject(item, options));\n\n  const result = sanitizeObjectDepth(obj as Record<string, unknown>, options, 0);\n  return options.freeze ? Object.freeze(result) : result;\n}\n\n/**\n * Internal recursive sanitization with depth tracking.\n */\nfunction sanitizeObjectDepth(\n  obj: Record<string, unknown>,\n  options: SanitizeOptions,\n  depth: number\n): Record<string, unknown> {\n  if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;\n\n  const result: Record<string, unknown> = {};\n\n  for (const key of Object.keys(obj)) {\n    // Prototype pollution protection - always block dangerous keys (case-insensitive)\n    if (options.proto !== false && DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {\n      continue;\n    }\n\n    // NoSQL injection - skip dangerous MongoDB operators in keys\n    if (options.nosql !== false && NOSQL_DANGEROUS_KEYS.has(key)) {\n      continue;\n    }\n\n    // Sanitize the key against all active threat vectors (not just XSS).\n    // Keys can carry injection payloads that bubble into query builders or ORMs.\n    const sanitizedKey = sanitizeString(key, options);\n\n    // Recursively sanitize value\n    const value = obj[key];\n    if (value === null || value === undefined) {\n      result[sanitizedKey] = value;\n    } else if (typeof value === 'string') {\n      result[sanitizedKey] = sanitizeString(value, options);\n    } else if (Array.isArray(value)) {\n      result[sanitizedKey] = value.map(item => sanitizeObject(item, options));\n    } else if (typeof value === 'object') {\n      result[sanitizedKey] = sanitizeObjectDepth(value as Record<string, unknown>, options, depth + 1);\n    } else {\n      result[sanitizedKey] = value;\n    }\n  }\n\n  return result;\n}\n\n/**\n * Create Express middleware for request sanitization.\n * Sanitizes req.body, req.query, and req.params.\n * \n * @param options - Sanitization options\n * @returns Express middleware\n * \n * @example\n * app.use(createSanitizer());\n * \n * @example\n * app.use(createSanitizer({ xss: true, sql: true, nosql: true }));\n */\nexport function createSanitizer(options: SanitizeOptions = {}): RequestHandler {\n  return (req: Request, _res: Response, next: NextFunction) => {\n    try {\n      if (req.body && typeof req.body === 'object') {\n        req.body = sanitizeObject(req.body, options);\n      }\n      if (req.query && typeof req.query === 'object') {\n        const sanitizedQuery = sanitizeObject(req.query, options);\n        // Express 5: req.query is a getter with no setter — override on instance\n        Object.defineProperty(req, 'query', { value: sanitizedQuery, writable: true, configurable: true });\n      }\n      if (req.params && typeof req.params === 'object') {\n        const sanitizedParams = sanitizeObject(req.params, options);\n        Object.defineProperty(req, 'params', { value: sanitizedParams, writable: true, configurable: true });\n      }\n      next();\n    } catch (err) {\n      next(err);\n    }\n  };\n}\n","/**\n * @module @arcis/node/validation/schema\n * Request validation middleware\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport { VALIDATION, ERRORS } from '../core/constants';\nimport type { ValidationSchema, FieldValidator } from '../core/types';\nimport { sanitizeString } from '../sanitizers';\n\n/**\n * Create Express middleware for request validation.\n * Prevents mass assignment by only allowing fields defined in the schema.\n * \n * @param schema - Validation schema defining expected fields\n * @param source - Request property to validate ('body', 'query', or 'params')\n * @returns Express middleware\n * \n * @example\n * app.post('/users', validate({\n *   email: { type: 'email', required: true },\n *   name: { type: 'string', min: 2, max: 50 },\n *   age: { type: 'number', min: 0, max: 150 },\n *   role: { type: 'string', enum: ['user', 'admin'] }\n * }), handler);\n * \n * @example\n * // Validate query params\n * app.get('/search', validate({\n *   q: { type: 'string', required: true, min: 1 },\n *   page: { type: 'number', min: 1 }\n * }, 'query'), handler);\n */\nexport function validate(\n  schema: ValidationSchema,\n  source: 'body' | 'query' | 'params' = 'body'\n): RequestHandler {\n  return (req: Request, res: Response, next: NextFunction) => {\n    const data = req[source] || {};\n    const errors: string[] = [];\n    const validated: Record<string, unknown> = {};\n\n    for (const [field, rules] of Object.entries(schema)) {\n      const value = data[field];\n      const result = validateField(field, value, rules);\n      \n      if (result.errors.length > 0) {\n        errors.push(...result.errors);\n      } else if (result.value !== undefined) {\n        validated[field] = result.value;\n      }\n    }\n\n    if (errors.length > 0) {\n      res.status(400).json({ errors });\n      return;\n    }\n\n    // Replace with validated data (prevents mass assignment)\n    req[source] = validated as typeof req[typeof source];\n    next();\n  };\n}\n\n/**\n * Validate a single field against its rules.\n */\nfunction validateField(\n  field: string,\n  value: unknown,\n  rules: FieldValidator\n): { value?: unknown; errors: string[] } {\n  const errors: string[] = [];\n\n  // Required check\n  if (rules.required && (value === undefined || value === null || value === '')) {\n    errors.push(ERRORS.VALIDATION.REQUIRED(field));\n    return { errors };\n  }\n\n  // Skip optional empty fields\n  if (value === undefined || value === null) {\n    return { errors: [] };\n  }\n\n  let typedValue: unknown = value;\n  let isValid = true;\n\n  // Type validation and coercion\n  switch (rules.type) {\n    case 'string':\n      if (typeof value !== 'string') {\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'string'));\n        isValid = false;\n        break;\n      }\n      if (rules.min !== undefined && value.length < rules.min) {\n        errors.push(ERRORS.VALIDATION.MIN_LENGTH(field, rules.min));\n        isValid = false;\n      }\n      if (rules.max !== undefined && value.length > rules.max) {\n        errors.push(ERRORS.VALIDATION.MAX_LENGTH(field, rules.max));\n        isValid = false;\n      }\n      if (rules.pattern && !rules.pattern.test(value)) {\n        errors.push(ERRORS.VALIDATION.INVALID_FORMAT(field));\n        isValid = false;\n      }\n      // Enum check runs before sanitization so the raw value is compared.\n      // Sanitizing first could silently modify the value and cause a mismatch\n      // with enum entries that contain characters the sanitizer would strip.\n      if (isValid && rules.enum && !rules.enum.includes(value)) {\n        errors.push(ERRORS.VALIDATION.INVALID_ENUM(field, rules.enum));\n        isValid = false;\n      }\n      if (isValid && rules.sanitize !== false) {\n        typedValue = sanitizeString(value);\n      }\n      break;\n\n    case 'number':\n      typedValue = Number(value);\n      if (isNaN(typedValue as number)) {\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'number'));\n        isValid = false;\n        break;\n      }\n      if (rules.min !== undefined && (typedValue as number) < rules.min) {\n        errors.push(ERRORS.VALIDATION.MIN_VALUE(field, rules.min));\n        isValid = false;\n      }\n      if (rules.max !== undefined && (typedValue as number) > rules.max) {\n        errors.push(ERRORS.VALIDATION.MAX_VALUE(field, rules.max));\n        isValid = false;\n      }\n      break;\n\n    case 'boolean':\n      if (value === 'true' || value === true || value === 1 || value === '1') {\n        typedValue = true;\n      } else if (value === 'false' || value === false || value === 0 || value === '0') {\n        typedValue = false;\n      } else {\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'boolean'));\n        isValid = false;\n      }\n      break;\n\n    case 'email':\n      if (!VALIDATION.EMAIL.test(String(value))) {\n        errors.push(ERRORS.VALIDATION.INVALID_EMAIL(field));\n        isValid = false;\n      }\n      if (isValid) {\n        typedValue = sanitizeString(String(value).toLowerCase().trim());\n      }\n      break;\n\n    case 'url':\n      if (!VALIDATION.URL.test(String(value))) {\n        errors.push(ERRORS.VALIDATION.INVALID_URL(field));\n        isValid = false;\n      }\n      if (isValid) {\n        typedValue = sanitizeString(String(value));\n      }\n      break;\n\n    case 'uuid':\n      if (!VALIDATION.UUID.test(String(value))) {\n        errors.push(ERRORS.VALIDATION.INVALID_UUID(field));\n        isValid = false;\n      }\n      break;\n\n    case 'array':\n      if (!Array.isArray(value)) {\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'array'));\n        isValid = false;\n        break;\n      }\n      if (rules.min !== undefined && value.length < rules.min) {\n        errors.push(ERRORS.VALIDATION.MIN_ITEMS(field, rules.min));\n        isValid = false;\n      }\n      if (rules.max !== undefined && value.length > rules.max) {\n        errors.push(ERRORS.VALIDATION.MAX_ITEMS(field, rules.max));\n        isValid = false;\n      }\n      break;\n\n    case 'object':\n      if (typeof value !== 'object' || Array.isArray(value) || value === null) {\n        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, 'object'));\n        isValid = false;\n      }\n      break;\n  }\n\n  // Enum validation for non-string types (strings check enum before sanitizing above).\n  if (isValid && rules.enum && rules.type !== 'string' && !rules.enum.includes(typedValue)) {\n    errors.push(ERRORS.VALIDATION.INVALID_ENUM(field, rules.enum));\n    isValid = false;\n  }\n\n  // Custom validation\n  if (isValid && rules.custom) {\n    const customResult = rules.custom(typedValue);\n    if (customResult === undefined) {\n      throw new TypeError(\n        `Custom validator for field \"${field}\" returned undefined. ` +\n        'Return true to pass, false to fail, or a string error message.'\n      );\n    }\n    if (customResult !== true) {\n      errors.push(typeof customResult === 'string' && customResult.length > 0 ? customResult : `${field} is invalid`);\n      isValid = false;\n    }\n  }\n\n  return {\n    value: isValid ? typedValue : undefined,\n    errors,\n  };\n}\n\n/**\n * Alias for validate\n * @see validate\n */\nexport const createValidator = validate;\n","/**\n * @module @arcis/node/validation/file\n * File upload validation and filename sanitization\n */\n\n// =============================================================================\n// MAGIC BYTES — first bytes of common file types\n// =============================================================================\n\nconst MAGIC_BYTES: Record<string, Buffer[]> = {\n  // Images\n  'image/jpeg': [Buffer.from([0xFF, 0xD8, 0xFF])],\n  'image/png': [Buffer.from([0x89, 0x50, 0x4E, 0x47])],\n  'image/gif': [Buffer.from('GIF87a'), Buffer.from('GIF89a')],\n  'image/webp': [Buffer.from('RIFF')], // RIFF....WEBP\n  'image/bmp': [Buffer.from([0x42, 0x4D])],\n  'image/svg+xml': [], // text-based, check separately\n\n  // Documents\n  'application/pdf': [Buffer.from('%PDF')],\n  'application/zip': [Buffer.from([0x50, 0x4B, 0x03, 0x04])],\n\n  // Audio/Video\n  'audio/mpeg': [Buffer.from([0xFF, 0xFB]), Buffer.from([0xFF, 0xF3]), Buffer.from([0x49, 0x44, 0x33])],\n  'video/mp4': [], // ftyp at offset 4\n};\n\n// =============================================================================\n// DANGEROUS EXTENSIONS — files that can execute code\n// =============================================================================\n\nconst DANGEROUS_EXTENSIONS = new Set([\n  // Scripts\n  '.exe', '.bat', '.cmd', '.com', '.msi', '.scr', '.pif',\n  '.vbs', '.vbe', '.js', '.jse', '.ws', '.wsf', '.wsc', '.wsh',\n  '.ps1', '.ps1xml', '.ps2', '.ps2xml', '.psc1', '.psc2',\n  '.sh', '.bash', '.csh', '.ksh',\n  // Server-side\n  '.php', '.php3', '.php4', '.php5', '.phtml', '.pht',\n  '.asp', '.aspx', '.ashx', '.asmx', '.cer',\n  '.jsp', '.jspx', '.jsw', '.jsv',\n  '.cgi', '.pl', '.py', '.rb',\n  // Java\n  '.jar', '.war', '.ear', '.class',\n  // Config that can execute\n  '.htaccess', '.htpasswd',\n  // Template engines\n  '.ejs', '.pug', '.hbs', '.handlebars', '.njk', '.twig',\n  // Shortcuts/links\n  '.lnk', '.inf', '.reg', '.url',\n  // Office macros\n  '.docm', '.xlsm', '.pptm', '.dotm',\n]);\n\n// =============================================================================\n// TYPES\n// =============================================================================\n\n/** File upload validation options */\nexport interface ValidateFileOptions {\n  /** Maximum file size in bytes. Default: 5MB */\n  maxSize?: number;\n  /** Allowed MIME types (e.g., ['image/jpeg', 'image/png']) */\n  allowedTypes?: string[];\n  /** Allowed file extensions (e.g., ['.jpg', '.png']). Includes dot. */\n  allowedExtensions?: string[];\n  /** Block dangerous/executable extensions. Default: true */\n  blockExecutables?: boolean;\n  /** Validate magic bytes match the claimed MIME type. Default: true */\n  validateMagicBytes?: boolean;\n  /** Block files with no extension. Default: true */\n  blockNoExtension?: boolean;\n  /** Block double extensions (e.g., file.php.jpg). Default: true */\n  blockDoubleExtensions?: boolean;\n}\n\n/** File metadata for validation */\nexport interface FileInput {\n  /** Original filename */\n  filename: string;\n  /** MIME type (as claimed by client) */\n  mimetype: string;\n  /** File size in bytes */\n  size: number;\n  /** File content buffer (for magic byte validation) */\n  buffer?: Buffer;\n}\n\n/** File validation result */\nexport interface ValidateFileResult {\n  /** Whether the file passed validation */\n  valid: boolean;\n  /** Validation errors (empty if valid) */\n  errors: string[];\n  /** Sanitized filename (safe for storage) */\n  sanitizedFilename: string;\n}\n\n// =============================================================================\n// DEFAULTS\n// =============================================================================\n\nconst DEFAULT_MAX_SIZE = 5 * 1024 * 1024; // 5MB\n\n// =============================================================================\n// FILENAME SANITIZATION\n// =============================================================================\n\n/**\n * Sanitize a filename for safe storage.\n *\n * Strips path traversal, null bytes, control characters, and special characters.\n * Preserves the extension and converts to a filesystem-safe name.\n *\n * @param filename - The original filename\n * @returns A sanitized filename safe for storage\n *\n * @example\n * sanitizeFilename('../../etc/passwd')          // 'etc_passwd'\n * sanitizeFilename('file<name>.jpg')            // 'filename.jpg'\n * sanitizeFilename('photo (1).jpg')             // 'photo_1.jpg'\n * sanitizeFilename('.htaccess')                 // 'htaccess'\n */\nexport function sanitizeFilename(filename: string): string {\n  let name = filename;\n\n  // Strip null bytes\n  name = name.replace(/\\0/g, '');\n\n  // Strip path components (both Unix and Windows)\n  name = name.replace(/^.*[/\\\\]/, '');\n\n  // Strip control characters\n  name = name.replace(/[\\x00-\\x1F\\x7F]/g, '');\n\n  // Strip characters unsafe for filesystems\n  name = name.replace(/[<>:\"/\\\\|?*]/g, '');\n\n  // Replace spaces and parens with underscores\n  name = name.replace(/[\\s()]+/g, '_');\n\n  // Strip leading dots (hidden files / .htaccess)\n  name = name.replace(/^\\.+/, '');\n\n  // Collapse multiple underscores/dots\n  name = name.replace(/_{2,}/g, '_');\n  name = name.replace(/\\.{2,}/g, '.');\n\n  // Trim underscores before dots (e.g., \"photo_1_.jpg\" → \"photo_1.jpg\")\n  name = name.replace(/_+\\./g, '.');\n\n  // Trim underscores from edges\n  name = name.replace(/^_+|_+$/g, '');\n\n  // Fallback for empty name\n  if (!name || name === '.') {\n    name = 'unnamed';\n  }\n\n  return name;\n}\n\n// =============================================================================\n// MAGIC BYTE VALIDATION\n// =============================================================================\n\n/**\n * Check if file content matches the claimed MIME type via magic bytes.\n */\nfunction matchesMagicBytes(buffer: Buffer, mimetype: string): boolean {\n  const signatures = MAGIC_BYTES[mimetype];\n  if (!signatures || signatures.length === 0) return true; // no signature to check\n\n  return signatures.some(sig => {\n    if (buffer.length < sig.length) return false;\n    return buffer.subarray(0, sig.length).equals(sig);\n  });\n}\n\n// =============================================================================\n// EXTENSION HELPERS\n// =============================================================================\n\n/**\n * Get the extension from a filename (lowercase, with dot).\n */\nfunction getExtension(filename: string): string {\n  const lastDot = filename.lastIndexOf('.');\n  if (lastDot < 1) return '';\n  return filename.slice(lastDot).toLowerCase();\n}\n\n/**\n * Check if a filename has double extensions (e.g., file.php.jpg).\n */\nfunction hasDoubleExtension(filename: string): boolean {\n  const parts = filename.split('.');\n  if (parts.length < 3) return false;\n\n  // Check if any non-final extension is dangerous\n  for (let i = 1; i < parts.length - 1; i++) {\n    const ext = '.' + parts[i].toLowerCase();\n    if (DANGEROUS_EXTENSIONS.has(ext)) return true;\n  }\n  return false;\n}\n\n// =============================================================================\n// FILE VALIDATION\n// =============================================================================\n\n/**\n * Validate a file upload for security.\n *\n * Checks file size, MIME type, extension, magic bytes, and dangerous patterns.\n * Returns a result with validation errors and a sanitized filename.\n *\n * @param file - File metadata and optional content\n * @param options - Validation options\n * @returns Validation result\n *\n * @example\n * const result = validateFile(\n *   { filename: 'photo.jpg', mimetype: 'image/jpeg', size: 1024, buffer },\n *   { allowedTypes: ['image/jpeg', 'image/png'], maxSize: 2 * 1024 * 1024 }\n * );\n * if (!result.valid) {\n *   return res.status(400).json({ errors: result.errors });\n * }\n * // Use result.sanitizedFilename for storage\n *\n * @example\n * // Block executables only (no whitelist)\n * const result = validateFile(file, { blockExecutables: true });\n */\nexport function validateFile(\n  file: FileInput,\n  options: ValidateFileOptions = {}\n): ValidateFileResult {\n  const {\n    maxSize = DEFAULT_MAX_SIZE,\n    allowedTypes,\n    allowedExtensions,\n    blockExecutables = true,\n    validateMagicBytes = true,\n    blockNoExtension = true,\n    blockDoubleExtensions = true,\n  } = options;\n\n  const errors: string[] = [];\n  const sanitizedFilename = sanitizeFilename(file.filename);\n  const extension = getExtension(sanitizedFilename);\n\n  // Size check\n  if (file.size > maxSize) {\n    errors.push(`File size ${file.size} exceeds maximum ${maxSize} bytes`);\n  }\n\n  if (file.size === 0) {\n    errors.push('File is empty');\n  }\n\n  // Extension checks\n  if (blockNoExtension && !extension) {\n    errors.push('File has no extension');\n  }\n\n  if (blockExecutables && extension && DANGEROUS_EXTENSIONS.has(extension)) {\n    errors.push(`Executable extension \"${extension}\" is not allowed`);\n  }\n\n  if (blockDoubleExtensions && hasDoubleExtension(sanitizedFilename)) {\n    errors.push('Double extensions with executable types are not allowed');\n  }\n\n  if (allowedExtensions && extension) {\n    const normalizedAllowed = allowedExtensions.map(e => e.toLowerCase());\n    if (!normalizedAllowed.includes(extension)) {\n      errors.push(`Extension \"${extension}\" is not allowed. Allowed: ${normalizedAllowed.join(', ')}`);\n    }\n  }\n\n  // MIME type check\n  if (allowedTypes && !allowedTypes.includes(file.mimetype)) {\n    errors.push(`MIME type \"${file.mimetype}\" is not allowed. Allowed: ${allowedTypes.join(', ')}`);\n  }\n\n  // Magic bytes validation\n  if (validateMagicBytes && file.buffer && file.buffer.length > 0) {\n    if (!matchesMagicBytes(file.buffer, file.mimetype)) {\n      errors.push(`File content does not match claimed MIME type \"${file.mimetype}\"`);\n    }\n  }\n\n  return {\n    valid: errors.length === 0,\n    errors,\n    sanitizedFilename,\n  };\n}\n\n/**\n * Check if a file extension is considered dangerous/executable.\n *\n * @param filename - Filename or extension to check\n * @returns true if the extension is dangerous\n */\nexport function isDangerousExtension(filename: string): boolean {\n  const ext = getExtension(filename);\n  return ext !== '' && DANGEROUS_EXTENSIONS.has(ext);\n}\n","/**\n * @module @arcis/node/validation/email\n * Advanced email validation with disposable detection and typo suggestions.\n *\n * Three levels of validation:\n * 1. Syntax — RFC-compliant format checking\n * 2. Domain intelligence — disposable/free provider detection, typo correction\n * 3. MX verification — DNS MX record lookup (async, optional)\n *\n * @example\n * const result = validateEmail('user@tempmail.com');\n * // { valid: false, reason: 'disposable' }\n *\n * const result = validateEmail('user@gmial.com');\n * // { valid: true, reason: 'typo', suggestion: 'user@gmail.com' }\n */\n\nimport { promises as dns } from 'dns';\n\nexport interface EmailValidationOptions {\n  /** Check for disposable email providers. Default: true */\n  checkDisposable?: boolean;\n  /** Suggest corrections for typos. Default: true */\n  suggestTypoFix?: boolean;\n  /** Verify MX records via DNS. Default: false */\n  checkMx?: boolean;\n  /** Additional blocked domains */\n  blockedDomains?: string[];\n  /** Additional allowed domains (bypasses disposable check) */\n  allowedDomains?: string[];\n}\n\nexport interface EmailValidationResult {\n  /** Whether the email is valid */\n  valid: boolean;\n  /** Reason for the result */\n  reason: 'valid' | 'invalid_syntax' | 'disposable' | 'no_mx' | 'blocked' | 'typo';\n  /** Suggested correction if a typo was detected */\n  suggestion: string | null;\n  /** Whether the domain is a free email provider */\n  isFree: boolean;\n  /** Whether the domain is a disposable email provider */\n  isDisposable: boolean;\n  /** The normalized email address */\n  normalized: string;\n}\n\n// RFC 5321: local part max 64, domain max 255, total max 254\nconst MAX_EMAIL_LENGTH = 254;\nconst MAX_LOCAL_LENGTH = 64;\nconst MAX_DOMAIN_LENGTH = 255;\n\n/**\n * Strict email syntax regex.\n * - No consecutive dots in local part\n * - No leading/trailing dots in local part\n * - Domain must have at least one dot\n * - No spaces anywhere\n */\nconst EMAIL_SYNTAX = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\\.[a-zA-Z]{2,}$/;\n\n/** Common free email providers */\nconst FREE_PROVIDERS = new Set([\n  'gmail.com', 'yahoo.com', 'hotmail.com', 'outlook.com', 'aol.com',\n  'protonmail.com', 'proton.me', 'icloud.com', 'mail.com', 'zoho.com',\n  'yandex.com', 'gmx.com', 'gmx.net', 'live.com', 'msn.com',\n  'me.com', 'mac.com', 'fastmail.com', 'tutanota.com', 'hey.com',\n]);\n\n/** Common disposable email domains */\nconst DISPOSABLE_DOMAINS = new Set([\n  // Popular disposable services\n  'guerrillamail.com', 'guerrillamail.net', 'guerrillamail.org',\n  'tempmail.com', 'temp-mail.org', 'temp-mail.io',\n  'throwaway.email', 'throwaway.com',\n  'mailinator.com', 'mailinator.net',\n  'yopmail.com', 'yopmail.fr', 'yopmail.net',\n  'sharklasers.com', 'grr.la', 'guerrillamail.info',\n  'guerrillamail.biz', 'guerrillamail.de',\n  'trashmail.com', 'trashmail.me', 'trashmail.net',\n  'dispostable.com', 'maildrop.cc',\n  'mailnesia.com', 'tempail.com',\n  'mohmal.com', 'getnada.com',\n  'emailondeck.com', 'discard.email',\n  'fakeinbox.com', 'mailcatch.com',\n  'mintemail.com', 'tempr.email',\n  'tempinbox.com', 'burnermail.io',\n  'mailsac.com', 'harakirimail.com',\n  'tempmailo.com', 'emailfake.com',\n  'crazymailing.com', 'armyspy.com',\n  'dayrep.com', 'einrot.com',\n  'fleckens.hu', 'gustr.com',\n  'jourrapide.com', 'rhyta.com',\n  'superrito.com', 'teleworm.us',\n  '10minutemail.com', '10minutemail.net',\n  'minutemail.com', 'tempsky.com',\n  'spamgourmet.com', 'mytrashmail.com',\n  'mailexpire.com', 'safetymail.info',\n  'filzmail.com', 'trashymail.com',\n  'sharkmail.com', 'jetable.org',\n  'nospam.ze.tc', 'trash-me.com',\n  'dodgit.com', 'mailmoat.com',\n  'spamfree24.org', 'incognitomail.org',\n  'tempomail.fr', 'ephemail.net',\n  'hidemail.de', 'spaml.de',\n  'uggsrock.com', 'binkmail.com',\n  'suremail.info', 'bugmenot.com',\n]);\n\n/** Common typos and their corrections */\nconst DOMAIN_TYPOS: Record<string, string> = {\n  'gmial.com': 'gmail.com',\n  'gmaill.com': 'gmail.com',\n  'gmai.com': 'gmail.com',\n  'gamil.com': 'gmail.com',\n  'gnail.com': 'gmail.com',\n  'gmal.com': 'gmail.com',\n  'gmil.com': 'gmail.com',\n  'gmail.co': 'gmail.com',\n  'gmail.cm': 'gmail.com',\n  'gmail.om': 'gmail.com',\n  'gmail.con': 'gmail.com',\n  'gmail.cim': 'gmail.com',\n  'gmail.comm': 'gmail.com',\n  'yahooo.com': 'yahoo.com',\n  'yaho.com': 'yahoo.com',\n  'yahoo.co': 'yahoo.com',\n  'yahoo.cm': 'yahoo.com',\n  'yahoo.con': 'yahoo.com',\n  'yahho.com': 'yahoo.com',\n  'hotmial.com': 'hotmail.com',\n  'hotmal.com': 'hotmail.com',\n  'hotmai.com': 'hotmail.com',\n  'hotmil.com': 'hotmail.com',\n  'hotmail.co': 'hotmail.com',\n  'hotmail.cm': 'hotmail.com',\n  'hotmail.con': 'hotmail.com',\n  'outlok.com': 'outlook.com',\n  'outloo.com': 'outlook.com',\n  'outlook.co': 'outlook.com',\n  'outlook.cm': 'outlook.com',\n  'protonmal.com': 'protonmail.com',\n  'protonmail.co': 'protonmail.com',\n  'icloud.co': 'icloud.com',\n  'icloud.cm': 'icloud.com',\n  'icoud.com': 'icloud.com',\n};\n\nfunction invalidResult(reason: EmailValidationResult['reason'], email: string): EmailValidationResult {\n  return {\n    valid: false,\n    reason,\n    suggestion: null,\n    isFree: false,\n    isDisposable: false,\n    normalized: email,\n  };\n}\n\n/**\n * Validate an email address with syntax checking, disposable detection,\n * and typo suggestions.\n *\n * @param email - Email address to validate\n * @param options - Validation options\n * @returns Validation result\n *\n * @example\n * validateEmail('user@gmail.com')\n * // { valid: true, reason: 'valid', isFree: true }\n *\n * validateEmail('user@tempmail.com')\n * // { valid: false, reason: 'disposable' }\n *\n * validateEmail('user@gmial.com')\n * // { valid: true, reason: 'typo', suggestion: 'user@gmail.com' }\n */\nexport function validateEmail(\n  email: string,\n  options: EmailValidationOptions = {}\n): EmailValidationResult {\n  const {\n    checkDisposable = true,\n    suggestTypoFix = true,\n    blockedDomains = [],\n    allowedDomains = [],\n  } = options;\n\n  // Normalize\n  const normalized = email.trim().toLowerCase();\n\n  // Basic checks\n  if (!normalized || normalized.length > MAX_EMAIL_LENGTH) {\n    return invalidResult('invalid_syntax', normalized);\n  }\n\n  const atIndex = normalized.lastIndexOf('@');\n  if (atIndex === -1) {\n    return invalidResult('invalid_syntax', normalized);\n  }\n\n  const localPart = normalized.slice(0, atIndex);\n  const domain = normalized.slice(atIndex + 1);\n\n  // Length checks\n  if (localPart.length === 0 || localPart.length > MAX_LOCAL_LENGTH) {\n    return invalidResult('invalid_syntax', normalized);\n  }\n  if (domain.length === 0 || domain.length > MAX_DOMAIN_LENGTH) {\n    return invalidResult('invalid_syntax', normalized);\n  }\n\n  // Consecutive dots in local part\n  if (localPart.includes('..')) {\n    return invalidResult('invalid_syntax', normalized);\n  }\n\n  // Leading/trailing dots in local part\n  if (localPart.startsWith('.') || localPart.endsWith('.')) {\n    return invalidResult('invalid_syntax', normalized);\n  }\n\n  // Full regex validation\n  if (!EMAIL_SYNTAX.test(normalized)) {\n    return invalidResult('invalid_syntax', normalized);\n  }\n\n  // Check if domain is explicitly allowed (bypass other checks)\n  const allowedSet = new Set(allowedDomains.map(d => d.toLowerCase()));\n  if (allowedSet.has(domain)) {\n    return {\n      valid: true,\n      reason: 'valid',\n      suggestion: null,\n      isFree: FREE_PROVIDERS.has(domain),\n      isDisposable: false,\n      normalized,\n    };\n  }\n\n  // Check blocked domains\n  const blockedSet = new Set(blockedDomains.map(d => d.toLowerCase()));\n  if (blockedSet.has(domain)) {\n    return invalidResult('blocked', normalized);\n  }\n\n  // Check disposable\n  const isDisposable = DISPOSABLE_DOMAINS.has(domain);\n  if (checkDisposable && isDisposable) {\n    return {\n      valid: false,\n      reason: 'disposable',\n      suggestion: null,\n      isFree: false,\n      isDisposable: true,\n      normalized,\n    };\n  }\n\n  // Check typos\n  const isFree = FREE_PROVIDERS.has(domain);\n  if (suggestTypoFix && DOMAIN_TYPOS[domain]) {\n    const corrected = `${localPart}@${DOMAIN_TYPOS[domain]}`;\n    return {\n      valid: true,\n      reason: 'typo',\n      suggestion: corrected,\n      isFree: FREE_PROVIDERS.has(DOMAIN_TYPOS[domain]),\n      isDisposable: false,\n      normalized,\n    };\n  }\n\n  return {\n    valid: true,\n    reason: 'valid',\n    suggestion: null,\n    isFree,\n    isDisposable,\n    normalized,\n  };\n}\n\n/**\n * Verify that the email domain has MX records (can receive email).\n *\n * This performs a DNS lookup and requires network access.\n * Use for registration flows where you need high confidence.\n *\n * @param email - Email address to verify\n * @returns True if the domain has MX records\n *\n * @example\n * if (await verifyEmailMx('user@example.com')) {\n *   // Domain can receive email\n * }\n */\nexport async function verifyEmailMx(email: string): Promise<boolean> {\n  if (!isValidEmailSyntax(email)) return false;\n\n  const atIndex = email.lastIndexOf('@');\n  const domain = email.slice(atIndex + 1).trim().toLowerCase();\n  if (!domain) return false;\n\n  try {\n    const records = await dns.resolveMx(domain);\n    return records.length > 0;\n  } catch {\n    return false;\n  }\n}\n\n/**\n * Quick check if an email address has valid syntax.\n * Faster than validateEmail() — just syntax, no domain intelligence.\n */\nexport function isValidEmailSyntax(email: string): boolean {\n  const normalized = email.trim().toLowerCase();\n  if (!normalized || normalized.length > MAX_EMAIL_LENGTH) return false;\n\n  const atIndex = normalized.lastIndexOf('@');\n  if (atIndex === -1) return false;\n\n  const localPart = normalized.slice(0, atIndex);\n  if (localPart.includes('..') || localPart.startsWith('.') || localPart.endsWith('.')) return false;\n\n  return EMAIL_SYNTAX.test(normalized);\n}\n","/**\n * @module @arcis/node/logging/redactor\n * Safe logging with PII/secret redaction\n */\n\nimport { REDACTION, INPUT } from '../core/constants';\nimport type { LogOptions, SafeLogger } from '../core/types';\n\nconst LOG_LEVELS: Record<string, number> = {\n  debug: 0,\n  info: 1,\n  warn: 2,\n  error: 3,\n  silent: 4,\n};\n\n/**\n * Create a safe logger that redacts sensitive data and prevents log injection.\n * \n * @param options - Logger configuration\n * @returns SafeLogger instance\n * \n * @example\n * const logger = createSafeLogger();\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\n * \n * @example\n * // With custom redact keys\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\n */\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\n  const {\n    redactKeys = [],\n    maxLength = REDACTION.DEFAULT_MAX_LENGTH,\n    redactPatterns = [],\n    level: minLevel = 'debug',\n  } = options;\n\n  const minLevelNum = LOG_LEVELS[minLevel] ?? 0;\n\n  // Combine default and custom keys (lowercase for case-insensitive matching)\n  const allRedactKeys = new Set([\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\n    ...redactKeys.map(k => k.toLowerCase()),\n  ]);\n\n  /**\n   * Redact sensitive data from an object recursively.\n   */\n  function redact(obj: unknown, depth = 0): unknown {\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n    if (obj === null || obj === undefined) return obj;\n\n    if (typeof obj === 'string') {\n      return redactString(obj, maxLength, redactPatterns);\n    }\n\n    if (typeof obj !== 'object') return obj;\n\n    if (Array.isArray(obj)) {\n      return obj.map(item => redact(item, depth + 1));\n    }\n\n    const result: Record<string, unknown> = {};\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n      if (allRedactKeys.has(key.toLowerCase())) {\n        result[key] = REDACTION.REPLACEMENT;\n      } else {\n        result[key] = redact(value, depth + 1);\n      }\n    }\n    return result;\n  }\n\n  /**\n   * Log a message at the specified level.\n   */\n  function log(level: string, message: string, data?: unknown): void {\n    // Early exit: skip all work if message level is below minimum\n    const levelNum = LOG_LEVELS[level] ?? 0;\n    if (levelNum < minLevelNum) return;\n\n    const entry: Record<string, unknown> = {\n      timestamp: new Date().toISOString(),\n      level,\n      message: redactString(message, maxLength, redactPatterns),\n    };\n\n    if (data !== undefined) {\n      entry.data = redact(data);\n    }\n\n    console.log(JSON.stringify(entry));\n  }\n\n  return {\n    log,\n    info: (msg: string, data?: unknown) => log('info', msg, data),\n    warn: (msg: string, data?: unknown) => log('warn', msg, data),\n    error: (msg: string, data?: unknown) => log('error', msg, data),\n    debug: (msg: string, data?: unknown) => log('debug', msg, data),\n  };\n}\n\n/**\n * Redact a string value.\n * Removes newlines (log injection prevention), applies patterns, and truncates.\n */\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\n  // Remove newlines/tabs (log injection prevention) and genuine control characters.\n  // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\n  // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\n  let safe = str\n    .replace(/[\\r\\n\\t]/g, ' ')\n    .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\n\n  // Apply custom redaction patterns\n  for (const pattern of patterns) {\n    safe = safe.replace(pattern, REDACTION.REPLACEMENT);\n  }\n\n  // Truncate if too long\n  if (safe.length > maxLength) {\n    safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\n  }\n\n  return safe;\n}\n\n/**\n * Create a redactor function for custom use.\n * \n * @param sensitiveKeys - Keys to redact\n * @returns Redactor function\n */\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\n  const allKeys = new Set([\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\n    ...sensitiveKeys.map(k => k.toLowerCase()),\n  ]);\n\n  function redact(obj: unknown, depth = 0): unknown {\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n    if (obj === null || obj === undefined) return obj;\n    if (typeof obj !== 'object') return obj;\n\n    if (Array.isArray(obj)) {\n      return obj.map(item => redact(item, depth + 1));\n    }\n\n    const result: Record<string, unknown> = {};\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n      if (allKeys.has(key.toLowerCase())) {\n        result[key] = REDACTION.REPLACEMENT;\n      } else {\n        result[key] = redact(value, depth + 1);\n      }\n    }\n    return result;\n  }\n\n  return redact;\n}\n\n/**\n * Alias for createSafeLogger\n * @see createSafeLogger\n */\nexport const safeLog = createSafeLogger;\n","import type { TelemetryEvent, TelemetryOptions } from './types';\n\nconst DEFAULT_BATCH_SIZE = 50;\nconst MAX_BATCH_SIZE = 500; // matches server Zod schema upper bound\nconst DEFAULT_FLUSH_INTERVAL_MS = 5000;\nconst MIN_FLUSH_INTERVAL_MS = 500;\nconst FLUSH_TIMEOUT_MS = 10_000;\n\ntype Listener = (err: Error) => void;\n\n/**\n * In-memory batching client that ships `TelemetryEvent` objects to an\n * Arcis dashboard server.\n *\n * Design rules (spec/API_SPEC.md §9):\n *   1. `record()` is synchronous and never throws — safe to call from hot paths.\n *   2. Flushes trigger on batchSize OR flushIntervalMs, whichever comes first.\n *   3. Network errors are fail-open: they call `onError` (if provided) and\n *      drop the batch. No retry, no disk persistence, no backpressure.\n *   4. `close()` attempts one final flush; safe to call multiple times.\n *   5. Interval timer uses `unref()` so it never holds the process open.\n */\nexport class TelemetryClient {\n  private queue: TelemetryEvent[] = [];\n  private readonly endpoint: string;\n  private readonly apiKey: string | undefined;\n  private readonly workspaceId: string | undefined;\n  private readonly batchSize: number;\n  private readonly flushIntervalMs: number;\n  private readonly onError: Listener;\n  private timer: ReturnType<typeof setInterval> | undefined;\n  private flushing = false;\n  private closed = false;\n  private signalHandler: (() => void) | undefined;\n\n  constructor(options: TelemetryOptions) {\n    if (!options.endpoint || typeof options.endpoint !== 'string') {\n      throw new TypeError('TelemetryClient: `endpoint` is required');\n    }\n\n    this.endpoint = options.endpoint;\n    this.apiKey = options.apiKey;\n    this.workspaceId = options.workspaceId;\n    this.batchSize = clamp(\n      options.batchSize ?? DEFAULT_BATCH_SIZE,\n      1,\n      MAX_BATCH_SIZE,\n    );\n    this.flushIntervalMs = Math.max(\n      options.flushIntervalMs ?? DEFAULT_FLUSH_INTERVAL_MS,\n      MIN_FLUSH_INTERVAL_MS,\n    );\n    this.onError = options.onError ?? (() => {\n      // default: swallow silently (fail-open)\n    });\n\n    this.startTimer();\n  }\n\n  /**\n   * Enqueue an event. Fast, synchronous, cannot throw.\n   * Triggers a flush if the queue has reached `batchSize`.\n   */\n  record(event: TelemetryEvent): void {\n    if (this.closed) return;\n    this.queue.push(event);\n    if (this.queue.length >= this.batchSize) {\n      // fire and forget\n      void this.flush();\n    }\n  }\n\n  /**\n   * Manually flush the queue. Pulls up to `batchSize` events into a batch and\n   * POSTs them. Returns a resolved promise on success OR on handled failure.\n   * Never throws.\n   */\n  async flush(): Promise<void> {\n    if (this.flushing) return;\n    if (this.queue.length === 0) return;\n\n    this.flushing = true;\n    try {\n      const batch = this.queue.splice(0, this.batchSize);\n      await this.send(batch);\n    } catch (err) {\n      this.safeNotify(err);\n    } finally {\n      this.flushing = false;\n    }\n\n    // Drain anything that arrived while we were flushing.\n    if (!this.closed && this.queue.length > 0) {\n      void this.flush();\n    }\n  }\n\n  /**\n   * Shut down: stop the interval timer and attempt one final flush.\n   * Safe to call multiple times.\n   */\n  async close(): Promise<void> {\n    if (this.closed) return;\n    this.closed = true;\n\n    if (this.timer !== undefined) {\n      clearInterval(this.timer);\n      this.timer = undefined;\n    }\n\n    if (this.signalHandler !== undefined) {\n      process.off('SIGTERM', this.signalHandler);\n      process.off('SIGINT', this.signalHandler);\n      this.signalHandler = undefined;\n    }\n\n    // final best-effort flush\n    try {\n      await this.flush();\n    } catch {\n      // fail-open on shutdown\n    }\n  }\n\n  /**\n   * Register `SIGTERM` / `SIGINT` handlers that call `close()` to drain\n   * the queue on graceful shutdown. Opt-in — libraries should not silently\n   * attach global signal handlers. Safe to call multiple times.\n   */\n  installShutdownHooks(): void {\n    if (this.signalHandler !== undefined || this.closed) return;\n    const handler = (): void => {\n      void this.close();\n    };\n    this.signalHandler = handler;\n    process.once('SIGTERM', handler);\n    process.once('SIGINT', handler);\n  }\n\n  /** Count of events currently waiting to be sent. Useful for tests. */\n  get pendingCount(): number {\n    return this.queue.length;\n  }\n\n  // ── internals ─────────────────────────────────────────────────────────\n\n  private async send(batch: TelemetryEvent[]): Promise<void> {\n    const headers: Record<string, string> = {\n      'content-type': 'application/json',\n    };\n    if (this.apiKey) headers['authorization'] = `Bearer ${this.apiKey}`;\n    if (this.workspaceId) headers['x-workspace-id'] = this.workspaceId;\n\n    const controller = new AbortController();\n    const abortTimer = setTimeout(() => controller.abort(), FLUSH_TIMEOUT_MS);\n\n    try {\n      const res = await fetch(this.endpoint, {\n        method: 'POST',\n        headers,\n        body: JSON.stringify({ events: batch }),\n        signal: controller.signal,\n      });\n\n      if (!res.ok) {\n        const text = await safeReadBody(res);\n        throw new TelemetryHttpError(res.status, text);\n      }\n    } finally {\n      clearTimeout(abortTimer);\n    }\n  }\n\n  private startTimer(): void {\n    this.timer = setInterval(() => {\n      void this.flush();\n    }, this.flushIntervalMs);\n\n    // node-only: don't block process exit\n    (this.timer as { unref?: () => void }).unref?.();\n  }\n\n  private safeNotify(err: unknown): void {\n    try {\n      this.onError(err instanceof Error ? err : new Error(String(err)));\n    } catch {\n      // user-provided hook must never bubble up\n    }\n  }\n}\n\nexport class TelemetryHttpError extends Error {\n  constructor(\n    public readonly status: number,\n    public readonly responseBody: string,\n  ) {\n    super(`Telemetry ingest returned HTTP ${status}`);\n    this.name = 'TelemetryHttpError';\n  }\n}\n\nfunction clamp(value: number, min: number, max: number): number {\n  if (!Number.isFinite(value)) return min;\n  return Math.max(min, Math.min(max, Math.trunc(value)));\n}\n\nasync function safeReadBody(res: Response): Promise<string> {\n  try {\n    const text = await res.text();\n    return text.slice(0, 500);\n  } catch {\n    return '';\n  }\n}\n","/**\n * @module @arcis/node/middleware/main\n * Main arcis() middleware factory\n */\n\nimport type { RequestHandler } from 'express';\nimport type {\n  ArcisOptions,\n  ArcisFunction,\n  ArcisMiddlewareStack,\n  HeaderOptions,\n  RateLimitOptions,\n  SanitizeOptions,\n} from '../core/types';\nimport { createHeaders } from './headers';\nimport { createRateLimiter } from './rate-limit';\nimport { createErrorHandler } from './error-handler';\nimport { createTelemetryEmitter, tapSanitizerThreats } from './telemetry';\nimport { createSanitizer } from '../sanitizers';\nimport { validate } from '../validation';\nimport { createSafeLogger } from '../logging';\nimport { TelemetryClient } from '../telemetry/client';\nimport type { TelemetryOptions } from '../telemetry/types';\n\n/**\n * Build TelemetryOptions from `ARCIS_*` environment variables when the user\n * didn't pass `telemetry` in `arcis({...})`. Returns undefined if `ARCIS_ENDPOINT`\n * isn't set — preserving zero-overhead opt-in.\n *\n * Recognized env vars:\n *   - `ARCIS_ENDPOINT`           (required to activate)\n *   - `ARCIS_WORKSPACE_ID`       (optional; sent as x-workspace-id)\n *   - `ARCIS_KEY`                (optional; sent as Authorization: Bearer <key>)\n *   - `ARCIS_BATCH_SIZE`         (optional integer; default 50)\n *   - `ARCIS_FLUSH_INTERVAL_MS`  (optional integer; default 5000)\n *\n * Explicit `options.telemetry` always wins over env. This preserves the\n * existing opt-in contract and lets callers override env in tests.\n */\nfunction buildTelemetryFromEnv(): TelemetryOptions | undefined {\n  const env = typeof process !== 'undefined' ? process.env : undefined;\n  const endpoint = env?.ARCIS_ENDPOINT;\n  if (!endpoint) return undefined;\n  const opts: TelemetryOptions = { endpoint };\n  if (env?.ARCIS_WORKSPACE_ID) opts.workspaceId = env.ARCIS_WORKSPACE_ID;\n  if (env?.ARCIS_KEY) opts.apiKey = env.ARCIS_KEY;\n  const batch = env?.ARCIS_BATCH_SIZE ? parseInt(env.ARCIS_BATCH_SIZE, 10) : NaN;\n  if (!Number.isNaN(batch)) opts.batchSize = batch;\n  const flush = env?.ARCIS_FLUSH_INTERVAL_MS ? parseInt(env.ARCIS_FLUSH_INTERVAL_MS, 10) : NaN;\n  if (!Number.isNaN(flush)) opts.flushIntervalMs = flush;\n  return opts;\n}\n\n/**\n * Create Arcis middleware with all protections enabled.\n * \n * @param options - Configuration options\n * @returns Array of Express middleware\n * \n * @example\n * // Full protection (recommended)\n * app.use(arcis());\n * \n * @example\n * // Custom configuration\n * app.use(arcis({\n *   rateLimit: { max: 50 },\n *   headers: { frameOptions: 'SAMEORIGIN' }\n * }));\n * \n * @example\n * // Disable specific features\n * app.use(arcis({\n *   rateLimit: false,\n *   sanitize: { sql: false }\n * }));\n * \n * @example\n * // Cleanup on shutdown\n * const middleware = arcis();\n * app.use(middleware);\n * process.on('SIGTERM', () => middleware.close());\n */\nexport function arcis(options: ArcisOptions = {}): ArcisMiddlewareStack {\n  const middlewares: RequestHandler[] = [];\n  const cleanupFns: (() => void)[] = [];\n\n  // Telemetry emitter — first, so latency includes the full middleware chain.\n  // Opt-in: zero overhead unless options.telemetry.endpoint is set, OR\n  // ARCIS_ENDPOINT is present in the environment. Explicit options win.\n  let telemetryClient: TelemetryClient | undefined;\n  const telemetryOpts = options.telemetry?.endpoint\n    ? options.telemetry\n    : buildTelemetryFromEnv();\n  if (telemetryOpts) {\n    const client = new TelemetryClient(telemetryOpts);\n    telemetryClient = client;\n    middlewares.push(createTelemetryEmitter(client));\n    cleanupFns.push(() => {\n      void client.close();\n    });\n  }\n\n  // Security headers (always before rate-limit/sanitize)\n  if (options.headers !== false) {\n    const headerOpts: HeaderOptions = typeof options.headers === 'object'\n      ? options.headers\n      : {};\n    middlewares.push(createHeaders(headerOpts));\n  }\n\n  // Rate limiting — emitter detects 429 from response status, no wrap needed.\n  if (options.rateLimit !== false) {\n    const rateLimitOpts: RateLimitOptions = typeof options.rateLimit === 'object'\n      ? options.rateLimit\n      : {};\n    const rateLimiter = createRateLimiter(rateLimitOpts);\n    middlewares.push(rateLimiter);\n    cleanupFns.push(() => rateLimiter.close());\n  }\n\n  // Input sanitization — wrap with telemetry tap so SecurityThreatError\n  // populates req.__arcis with vector/rule/severity for the emitter.\n  if (options.sanitize !== false) {\n    const sanitizeOpts: SanitizeOptions = typeof options.sanitize === 'object'\n      ? options.sanitize\n      : {};\n    const sanitizer = createSanitizer(sanitizeOpts);\n    middlewares.push(telemetryClient ? tapSanitizerThreats(sanitizer) : sanitizer);\n  }\n\n  // Attach close() directly on the array so callers can clean up without any-casts.\n  const result = middlewares as ArcisMiddlewareStack;\n  result.close = () => {\n    for (const fn of cleanupFns) {\n      fn();\n    }\n  };\n\n  return result;\n}\n\n// Attach individual functions for granular use\nconst arcisWithMethods = arcis as ArcisFunction;\narcisWithMethods.sanitize = createSanitizer;\narcisWithMethods.rateLimit = createRateLimiter;\narcisWithMethods.headers = createHeaders;\narcisWithMethods.validate = validate;\narcisWithMethods.logger = createSafeLogger;\narcisWithMethods.errorHandler = createErrorHandler;\n\nexport { arcisWithMethods as arcisFunction };\nexport default arcisWithMethods;\n","/**\n * @module @arcis/node/utils/duration\n * Parse human-readable duration strings into milliseconds.\n *\n * Supports: ms, s, m, h, d\n *\n * @example\n * parseDuration('5m')    // 300000\n * parseDuration('2h')    // 7200000\n * parseDuration(60000)   // 60000 (passthrough)\n * parseDuration('500ms') // 500\n */\n\n/** Maximum duration: ~49.7 days (uint32 max in ms) */\nconst MAX_DURATION_MS = 4_294_967_295;\n\nconst DURATION_REGEX = /^(\\d+(?:\\.\\d+)?)\\s*(ms|s|m|h|d)$/i;\n\nconst UNIT_TO_MS: Record<string, number> = {\n  ms: 1,\n  s: 1_000,\n  m: 60_000,\n  h: 3_600_000,\n  d: 86_400_000,\n};\n\n/**\n * Parse a duration string or number into milliseconds.\n *\n * @param value - Duration string (e.g. \"5m\", \"2h\", \"30s\") or number (ms)\n * @returns Duration in milliseconds\n * @throws {Error} If the value is not a valid duration\n *\n * @example\n * parseDuration('15m')   // 900000\n * parseDuration('1d')    // 86400000\n * parseDuration('500ms') // 500\n * parseDuration(60000)   // 60000\n */\nexport function parseDuration(value: string | number): number {\n  if (typeof value === 'number') {\n    if (!Number.isFinite(value) || value < 0) {\n      throw new Error(`Invalid duration: ${value}. Must be a non-negative finite number.`);\n    }\n    return Math.min(Math.floor(value), MAX_DURATION_MS);\n  }\n\n  if (typeof value !== 'string' || value.trim() === '') {\n    throw new Error(`Invalid duration: \"${value}\". Expected a duration string (e.g. \"5m\", \"2h\") or number.`);\n  }\n\n  const match = value.trim().match(DURATION_REGEX);\n  if (!match) {\n    throw new Error(\n      `Invalid duration: \"${value}\". Expected format: <number><unit> where unit is ms, s, m, h, or d.`\n    );\n  }\n\n  const amount = parseFloat(match[1]);\n  const unit = match[2].toLowerCase();\n  const ms = Math.floor(amount * UNIT_TO_MS[unit]);\n\n  if (ms < 0 || ms > MAX_DURATION_MS) {\n    throw new Error(`Duration \"${value}\" exceeds maximum allowed (${MAX_DURATION_MS}ms / ~49.7 days).`);\n  }\n\n  return ms;\n}\n\n/**\n * Format milliseconds into a human-readable duration string.\n *\n * @param ms - Duration in milliseconds\n * @returns Human-readable string (e.g. \"5m\", \"2h 30m\")\n */\nexport function formatDuration(ms: number): string {\n  if (!Number.isFinite(ms) || ms < 0) return '0ms';\n\n  if (ms < 1000) return `${ms}ms`;\n\n  const days = Math.floor(ms / 86_400_000);\n  const hours = Math.floor((ms % 86_400_000) / 3_600_000);\n  const minutes = Math.floor((ms % 3_600_000) / 60_000);\n  const seconds = Math.floor((ms % 60_000) / 1_000);\n\n  const parts: string[] = [];\n  if (days > 0) parts.push(`${days}d`);\n  if (hours > 0) parts.push(`${hours}h`);\n  if (minutes > 0) parts.push(`${minutes}m`);\n  if (seconds > 0) parts.push(`${seconds}s`);\n\n  return parts.join(' ') || '0ms';\n}\n","/**\n * @module @arcis/node/middleware/rate-limit-sliding\n * Sliding window rate limiting middleware.\n *\n * More accurate than fixed window — uses a weighted sum of the previous\n * and current window to approximate a true sliding window.\n *\n * Algorithm:\n *   weight = (windowMs - elapsed) / windowMs\n *   count = (prevWindow * weight) + currentWindow\n *   allow = count < limit\n *\n * @example\n * app.use(createSlidingWindowLimiter({ max: 100, window: '15m' }));\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport { parseDuration } from '../utils/duration';\nimport { RATE_LIMIT } from '../core/constants';\n\nexport interface SlidingWindowOptions {\n  /** Maximum requests per window. Default: 100 */\n  max?: number;\n  /** Window size in ms or duration string. Default: '1m' */\n  window?: string | number;\n  /** Error message when limit exceeded */\n  message?: string;\n  /** HTTP status code for rate limited responses. Default: 429 */\n  statusCode?: number;\n  /** Function to generate rate limit key from request */\n  keyGenerator?: (req: Request) => string;\n  /** Function to skip rate limiting for certain requests */\n  skip?: (req: Request) => boolean;\n}\n\ninterface WindowEntry {\n  count: number;\n  startTime: number;\n}\n\nexport interface SlidingWindowMiddleware extends RequestHandler {\n  close: () => void;\n}\n\n/**\n * Create sliding window rate limiter middleware.\n *\n * @example\n * // 100 requests per 15 minutes\n * app.use(createSlidingWindowLimiter({ max: 100, window: '15m' }));\n *\n * @example\n * // Strict API limit\n * app.use('/api', createSlidingWindowLimiter({ max: 30, window: '1m' }));\n */\nexport function createSlidingWindowLimiter(options: SlidingWindowOptions = {}): SlidingWindowMiddleware {\n  const {\n    max = RATE_LIMIT.DEFAULT_MAX_REQUESTS,\n    window: windowOpt = RATE_LIMIT.DEFAULT_WINDOW_MS,\n    message = RATE_LIMIT.DEFAULT_MESSAGE,\n    statusCode = RATE_LIMIT.DEFAULT_STATUS_CODE,\n    keyGenerator = (req) => req.ip ?? req.socket?.remoteAddress ?? 'unknown',\n    skip,\n  } = options;\n\n  const windowMs = parseDuration(windowOpt);\n\n  // Two windows per key: current and previous\n  const currentWindows = Object.create(null) as Record<string, WindowEntry>;\n  const previousWindows = Object.create(null) as Record<string, WindowEntry>;\n\n  const cleanupInterval = setInterval(() => {\n    const now = Date.now();\n    const cutoff = now - windowMs * 2; // Keep 2 windows worth\n    for (const key of Object.keys(previousWindows)) {\n      if (previousWindows[key].startTime < cutoff) {\n        delete previousWindows[key];\n      }\n    }\n    for (const key of Object.keys(currentWindows)) {\n      if (currentWindows[key].startTime < cutoff) {\n        delete currentWindows[key];\n      }\n    }\n  }, windowMs);\n\n  if (typeof cleanupInterval.unref === 'function') {\n    cleanupInterval.unref();\n  }\n\n  const handler: RequestHandler = (req: Request, res: Response, next: NextFunction) => {\n    try {\n      if (skip?.(req)) return next();\n\n      const key = keyGenerator(req);\n      const now = Date.now();\n\n      // Determine current window boundaries\n      const windowStart = Math.floor(now / windowMs) * windowMs;\n\n      // Rotate windows if needed\n      if (!currentWindows[key] || currentWindows[key].startTime < windowStart) {\n        // Move current to previous\n        if (currentWindows[key]) {\n          previousWindows[key] = currentWindows[key];\n        }\n        currentWindows[key] = { count: 0, startTime: windowStart };\n      }\n\n      // Calculate weighted count BEFORE incrementing\n      const elapsed = now - windowStart;\n      const weight = Math.max(0, (windowMs - elapsed) / windowMs);\n      const prevCount = previousWindows[key]?.count ?? 0;\n      const estimatedCount = (prevCount * weight) + currentWindows[key].count + 1;\n\n      const remaining = Math.max(0, Math.floor(max - estimatedCount));\n      const resetMs = windowStart + windowMs - now;\n      const resetSeconds = Math.max(1, Math.ceil(resetMs / 1000));\n\n      // Set rate limit headers\n      res.setHeader('X-RateLimit-Limit', max.toString());\n      res.setHeader('X-RateLimit-Remaining', remaining.toString());\n      res.setHeader('X-RateLimit-Reset', resetSeconds.toString());\n      res.setHeader('X-RateLimit-Policy', `${max};w=${Math.floor(windowMs / 1000)}`);\n\n      if (estimatedCount > max) {\n        // Don't increment — rejected requests should not consume quota\n        res.setHeader('Retry-After', resetSeconds.toString());\n        res.status(statusCode).json({\n          error: message,\n          retryAfter: resetSeconds,\n        });\n        return;\n      }\n\n      // Only increment on allowed requests\n      currentWindows[key].count++;\n\n      next();\n    } catch (error) {\n      // Fail open\n      console.error('[arcis] Sliding window rate limiter error:', error);\n      next();\n    }\n  };\n\n  const middleware = handler as SlidingWindowMiddleware;\n  middleware.close = () => {\n    clearInterval(cleanupInterval);\n  };\n\n  return middleware;\n}\n","/**\n * @module @arcis/node/middleware/rate-limit-token\n * Token bucket rate limiting middleware.\n *\n * Allows burst traffic while enforcing an average rate.\n * Tokens refill at a steady rate. Each request costs 1 token.\n *\n * Algorithm:\n *   tokens = min(capacity, tokens + elapsed * refillRate)\n *   if tokens >= cost: allow, subtract cost\n *   else: deny\n *\n * @example\n * app.use(createTokenBucketLimiter({ capacity: 50, refillRate: 10 }));\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport { RATE_LIMIT } from '../core/constants';\n\nexport interface TokenBucketOptions {\n  /** Maximum tokens (burst size). Default: 100 */\n  capacity?: number;\n  /** Tokens added per second. Default: 10 */\n  refillRate?: number;\n  /** Tokens consumed per request. Default: 1 */\n  cost?: number;\n  /** Error message when limit exceeded */\n  message?: string;\n  /** HTTP status code for rate limited responses. Default: 429 */\n  statusCode?: number;\n  /** Function to generate rate limit key from request */\n  keyGenerator?: (req: Request) => string;\n  /** Function to skip rate limiting for certain requests */\n  skip?: (req: Request) => boolean;\n}\n\ninterface Bucket {\n  tokens: number;\n  lastRefill: number;\n}\n\nexport interface TokenBucketMiddleware extends RequestHandler {\n  close: () => void;\n}\n\n/**\n * Create token bucket rate limiter middleware.\n *\n * @example\n * // Allow bursts of 50, sustained rate of 10/sec\n * app.use(createTokenBucketLimiter({ capacity: 50, refillRate: 10 }));\n *\n * @example\n * // Strict API: 5 requests burst, 1/sec sustained\n * app.use('/api/expensive', createTokenBucketLimiter({\n *   capacity: 5,\n *   refillRate: 1,\n * }));\n */\nexport function createTokenBucketLimiter(options: TokenBucketOptions = {}): TokenBucketMiddleware {\n  const {\n    capacity = 100,\n    refillRate = 10,\n    cost = 1,\n    message = RATE_LIMIT.DEFAULT_MESSAGE,\n    statusCode = RATE_LIMIT.DEFAULT_STATUS_CODE,\n    keyGenerator = (req) => req.ip ?? req.socket?.remoteAddress ?? 'unknown',\n    skip,\n  } = options;\n\n  if (capacity < 1) throw new RangeError(`Token bucket capacity must be >= 1, got ${capacity}`);\n  if (refillRate <= 0) throw new RangeError(`Token bucket refillRate must be > 0, got ${refillRate}`);\n  if (cost < 1) throw new RangeError(`Token bucket cost must be >= 1, got ${cost}`);\n  if (cost > capacity) throw new RangeError(`Token bucket cost (${cost}) must be <= capacity (${capacity}), otherwise all requests are permanently denied`);\n\n  const buckets = Object.create(null) as Record<string, Bucket>;\n\n  // Cleanup stale buckets (full buckets that haven't been accessed)\n  const cleanupInterval = setInterval(() => {\n    const now = Date.now();\n    const staleThreshold = (capacity / refillRate) * 1000 * 2; // 2x time to refill\n    for (const key of Object.keys(buckets)) {\n      if (now - buckets[key].lastRefill > staleThreshold) {\n        delete buckets[key];\n      }\n    }\n  }, 60_000);\n\n  if (typeof cleanupInterval.unref === 'function') {\n    cleanupInterval.unref();\n  }\n\n  function refillBucket(bucket: Bucket, now: number): void {\n    const elapsed = (now - bucket.lastRefill) / 1000; // seconds\n    const tokensToAdd = elapsed * refillRate;\n    bucket.tokens = Math.min(capacity, bucket.tokens + tokensToAdd);\n    bucket.lastRefill = now;\n  }\n\n  const handler: RequestHandler = (req: Request, res: Response, next: NextFunction) => {\n    try {\n      if (skip?.(req)) return next();\n\n      const key = keyGenerator(req);\n      const now = Date.now();\n\n      // Get or create bucket\n      if (!buckets[key]) {\n        buckets[key] = { tokens: capacity, lastRefill: now };\n      }\n\n      const bucket = buckets[key];\n      refillBucket(bucket, now);\n\n      // Calculate retry-after (time until enough tokens are available)\n      const retryAfterSec = bucket.tokens < cost\n        ? Math.ceil((cost - bucket.tokens) / refillRate)\n        : 0;\n\n      // Set headers\n      res.setHeader('X-RateLimit-Limit', capacity.toString());\n      res.setHeader('X-RateLimit-Remaining', Math.floor(Math.max(0, bucket.tokens - cost)).toString());\n      res.setHeader('X-RateLimit-Policy', `${capacity};w=${Math.floor(capacity / refillRate)};burst=${capacity}`);\n\n      if (bucket.tokens < cost) {\n        res.setHeader('Retry-After', retryAfterSec.toString());\n        res.setHeader('X-RateLimit-Reset', retryAfterSec.toString());\n        res.status(statusCode).json({\n          error: message,\n          retryAfter: retryAfterSec,\n        });\n        return;\n      }\n\n      // Consume token\n      bucket.tokens -= cost;\n      next();\n    } catch (error) {\n      // Fail open\n      console.error('[arcis] Token bucket rate limiter error:', error);\n      next();\n    }\n  };\n\n  const middleware = handler as TokenBucketMiddleware;\n  middleware.close = () => {\n    clearInterval(cleanupInterval);\n  };\n\n  return middleware;\n}\n","/**\n * @module @arcis/node/middleware/cors\n * Safe CORS middleware with secure defaults\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\n\n/** CORS configuration options */\nexport interface CorsOptions {\n  /**\n   * Allowed origins. Can be:\n   * - A string: exact match (e.g., 'https://example.com')\n   * - An array: whitelist of allowed origins\n   * - A RegExp: pattern match (use with care)\n   * - A function: custom validation `(origin) => boolean`\n   * - `true`: reflect the request origin (DANGEROUS — only for dev)\n   *\n   * Default: none (no origin allowed). You must explicitly set this.\n   */\n  origin: string | string[] | RegExp | ((origin: string) => boolean) | true;\n\n  /** Allowed HTTP methods. Default: ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'] */\n  methods?: string[];\n\n  /** Allowed headers. Default: ['Content-Type', 'Authorization'] */\n  allowedHeaders?: string[];\n\n  /** Headers exposed to the browser. Default: [] */\n  exposedHeaders?: string[];\n\n  /** Allow credentials (cookies, authorization headers). Default: false */\n  credentials?: boolean;\n\n  /** Preflight cache duration in seconds. Default: 600 (10 minutes) */\n  maxAge?: number;\n\n  /** Respond to preflight with 204 (no content). Default: true */\n  preflightContinue?: boolean;\n}\n\nconst DEFAULT_METHODS = ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'];\nconst DEFAULT_HEADERS = ['Content-Type', 'Authorization'];\nconst DEFAULT_MAX_AGE = 600;\n\n/**\n * Check if an origin is allowed by the configured policy.\n */\nfunction isOriginAllowed(\n  requestOrigin: string,\n  allowed: CorsOptions['origin']\n): boolean {\n  // 'null' origin is always blocked — sent by sandboxed iframes, data: URIs, etc.\n  if (requestOrigin === 'null') return false;\n\n  if (allowed === true) return true;\n\n  if (typeof allowed === 'string') {\n    return requestOrigin === allowed;\n  }\n\n  if (Array.isArray(allowed)) {\n    return allowed.includes(requestOrigin);\n  }\n\n  if (allowed instanceof RegExp) {\n    return allowed.test(requestOrigin);\n  }\n\n  if (typeof allowed === 'function') {\n    return allowed(requestOrigin);\n  }\n\n  return false;\n}\n\n/**\n * Create safe CORS middleware.\n *\n * Unlike permissive CORS libraries, this enforces secure defaults:\n * - No wildcard `*` when credentials are enabled\n * - `null` origin is always blocked\n * - `Vary: Origin` is always set for proper caching\n * - You must explicitly configure allowed origins\n *\n * @param options - CORS configuration\n * @returns Express middleware\n *\n * @example\n * // Allow a single origin\n * app.use(safeCors({ origin: 'https://myapp.com' }));\n *\n * @example\n * // Allow multiple origins with credentials\n * app.use(safeCors({\n *   origin: ['https://myapp.com', 'https://admin.myapp.com'],\n *   credentials: true,\n * }));\n *\n * @example\n * // Development: allow all (NOT for production)\n * app.use(safeCors({ origin: true }));\n */\nexport function safeCors(options: CorsOptions): RequestHandler {\n  const {\n    origin,\n    methods = DEFAULT_METHODS,\n    allowedHeaders = DEFAULT_HEADERS,\n    exposedHeaders = [],\n    credentials = false,\n    maxAge = DEFAULT_MAX_AGE,\n    preflightContinue = true,\n  } = options;\n\n  return (req: Request, res: Response, next: NextFunction) => {\n    const requestOrigin = req.headers.origin;\n\n    // Always set Vary: Origin for proper caching\n    res.setHeader('Vary', 'Origin');\n\n    // No origin header = same-origin request, skip CORS headers\n    if (!requestOrigin) {\n      return next();\n    }\n\n    const allowed = isOriginAllowed(requestOrigin, origin);\n\n    if (!allowed) {\n      // Don't set any CORS headers — browser will block the request\n      return next();\n    }\n\n    // Set Access-Control-Allow-Origin to the specific origin (not *)\n    res.setHeader('Access-Control-Allow-Origin', requestOrigin);\n\n    if (credentials) {\n      res.setHeader('Access-Control-Allow-Credentials', 'true');\n    }\n\n    if (exposedHeaders.length > 0) {\n      res.setHeader('Access-Control-Expose-Headers', exposedHeaders.join(', '));\n    }\n\n    // Handle preflight requests\n    if (req.method === 'OPTIONS') {\n      res.setHeader('Access-Control-Allow-Methods', methods.join(', '));\n      res.setHeader('Access-Control-Allow-Headers', allowedHeaders.join(', '));\n      res.setHeader('Access-Control-Max-Age', String(maxAge));\n\n      if (preflightContinue) {\n        res.status(204).end();\n        return;\n      }\n    }\n\n    next();\n  };\n}\n\n/**\n * Alias for safeCors\n * @see safeCors\n */\nexport const createCors = safeCors;\n","/**\n * @module @arcis/node/middleware/cookies\n * Secure cookie defaults middleware\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\n\n/** Cookie security configuration */\nexport interface SecureCookieOptions {\n  /** Force HttpOnly on all cookies. Default: true */\n  httpOnly?: boolean;\n  /** Force Secure flag (HTTPS only). Default: true in production, false in dev */\n  secure?: boolean;\n  /** SameSite attribute. Default: 'Lax' */\n  sameSite?: 'Strict' | 'Lax' | 'None' | false;\n  /** Override Path attribute. Default: undefined (keep original) */\n  path?: string;\n}\n\nconst COOKIE_ATTRS = {\n  HTTP_ONLY: '; HttpOnly',\n  SECURE: '; Secure',\n  SAME_SITE_STRICT: '; SameSite=Strict',\n  SAME_SITE_LAX: '; SameSite=Lax',\n  SAME_SITE_NONE: '; SameSite=None',\n} as const;\n\n/**\n * Enforce secure defaults on a Set-Cookie header value.\n */\nexport function enforceSecureCookie(\n  cookieStr: string,\n  options: Required<Omit<SecureCookieOptions, 'path'>> & { path?: string }\n): string {\n  const lower = cookieStr.toLowerCase();\n  let result = cookieStr;\n\n  // HttpOnly — prevent JavaScript access\n  if (options.httpOnly && !lower.includes('httponly')) {\n    result += COOKIE_ATTRS.HTTP_ONLY;\n  }\n\n  // Secure — HTTPS only\n  if (options.secure && !lower.includes('; secure')) {\n    result += COOKIE_ATTRS.SECURE;\n  }\n\n  // SameSite — CSRF protection\n  if (options.sameSite !== false && !lower.includes('samesite')) {\n    switch (options.sameSite) {\n      case 'Strict':\n        result += COOKIE_ATTRS.SAME_SITE_STRICT;\n        break;\n      case 'None':\n        result += COOKIE_ATTRS.SAME_SITE_NONE;\n        // SameSite=None requires Secure\n        if (!result.toLowerCase().includes('; secure')) {\n          result += COOKIE_ATTRS.SECURE;\n        }\n        break;\n      case 'Lax':\n      default:\n        result += COOKIE_ATTRS.SAME_SITE_LAX;\n        break;\n    }\n  }\n\n  // Override path if specified\n  if (options.path) {\n    if (lower.includes('path=')) {\n      result = result.replace(/;\\s*path=[^;]*/i, `; Path=${options.path}`);\n    } else {\n      result += `; Path=${options.path}`;\n    }\n  }\n\n  return result;\n}\n\n/**\n * Create middleware that enforces secure cookie defaults.\n *\n * Intercepts Set-Cookie headers and adds missing security attributes:\n * - HttpOnly: prevents JavaScript access (XSS cookie theft)\n * - Secure: cookies only sent over HTTPS\n * - SameSite: CSRF protection\n *\n * @param options - Cookie security configuration\n * @returns Express middleware\n *\n * @example\n * // Enforce defaults on all cookies\n * app.use(secureCookieDefaults());\n *\n * @example\n * // Strict SameSite for sensitive apps\n * app.use(secureCookieDefaults({ sameSite: 'Strict' }));\n */\nexport function secureCookieDefaults(options: SecureCookieOptions = {}): RequestHandler {\n  const isProduction = process.env.NODE_ENV === 'production';\n  const resolved = {\n    httpOnly: options.httpOnly ?? true,\n    secure: options.secure ?? isProduction,\n    sameSite: options.sameSite ?? 'Lax' as const,\n    path: options.path,\n  };\n\n  // Fail loudly on incompatible combinations — silent misconfiguration is a\n  // common footgun (e.g. SameSite=None without Secure is rejected by every\n  // modern browser, producing a request that just silently loses cookies).\n  if (resolved.sameSite === 'None' && resolved.secure === false) {\n    throw new Error(\n      '[arcis] secureCookieDefaults: sameSite=None requires secure=true (modern browsers reject the cookie otherwise)'\n    );\n  }\n  if (resolved.httpOnly === false && resolved.secure === false && isProduction) {\n    // Only a warning — some apps legitimately need non-HttpOnly cookies (e.g. CSRF double-submit).\n    // But running both off in production is almost never intentional.\n    // eslint-disable-next-line no-console\n    console.warn(\n      '[arcis] secureCookieDefaults: httpOnly and secure are both disabled in production — cookies will be readable by JS and sent over HTTP'\n    );\n  }\n\n  return (_req: Request, res: Response, next: NextFunction) => {\n    // Monkey-patch res.setHeader to intercept Set-Cookie\n    const originalSetHeader = res.setHeader.bind(res);\n\n    res.setHeader = function patchedSetHeader(name: string, value: string | number | readonly string[]) {\n      if (name.toLowerCase() === 'set-cookie') {\n        if (Array.isArray(value)) {\n          value = value.map(v => enforceSecureCookie(String(v), resolved));\n        } else {\n          value = enforceSecureCookie(String(value), resolved);\n        }\n      }\n      return originalSetHeader(name, value);\n    } as typeof res.setHeader;\n\n    next();\n  };\n}\n\n/**\n * Alias for secureCookieDefaults\n * @see secureCookieDefaults\n */\nexport const createSecureCookies = secureCookieDefaults;\n","/**\n * @module @arcis/node/middleware/bot-detection\n * Local-only bot detection using User-Agent and behavioral signals.\n *\n * Categorizes requests into bot types and allows/denies based on config.\n * No cloud calls — everything runs locally.\n *\n * @example\n * // Block automated tools, allow search engines\n * app.use(botProtection({\n *   allow: ['SEARCH_ENGINE', 'SOCIAL', 'MONITORING'],\n *   deny: ['AUTOMATED', 'SCRAPER'],\n * }));\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\n\n// =============================================================================\n// BOT CATEGORIES\n// =============================================================================\n\nexport type BotCategory =\n  | 'SEARCH_ENGINE'\n  | 'SOCIAL'\n  | 'MONITORING'\n  | 'AI_CRAWLER'\n  | 'SCRAPER'\n  | 'AUTOMATED'\n  | 'UNKNOWN'\n  | 'HUMAN';\n\nexport interface BotDetectionResult {\n  /** Whether the request appears to be from a bot */\n  isBot: boolean;\n  /** Bot category */\n  category: BotCategory;\n  /** Matched bot name (e.g. 'Googlebot', 'curl') or null */\n  name: string | null;\n  /** Confidence score: 0-1 */\n  confidence: number;\n  /** Behavioral signals detected */\n  signals: string[];\n}\n\nexport interface BotProtectionOptions {\n  /** Categories to explicitly allow. Default: ['SEARCH_ENGINE', 'SOCIAL', 'MONITORING'] */\n  allow?: BotCategory[];\n  /** Categories to explicitly deny. Default: ['AUTOMATED'] */\n  deny?: BotCategory[];\n  /** Action for categories not in allow or deny. Default: 'allow' */\n  defaultAction?: 'allow' | 'deny';\n  /** HTTP status code for denied bots. Default: 403 */\n  statusCode?: number;\n  /** Error message for denied bots */\n  message?: string;\n  /** Enable behavioral signal detection. Default: true */\n  detectBehavior?: boolean;\n  /** Custom handler called on detection (instead of default deny response) */\n  onDetected?: (req: Request, res: Response, result: BotDetectionResult) => void;\n}\n\n// =============================================================================\n// BOT DATABASE\n// =============================================================================\n\ninterface BotPattern {\n  /** Regex pattern to match against User-Agent */\n  pattern: RegExp;\n  /** Bot name */\n  name: string;\n  /** Category */\n  category: BotCategory;\n}\n\n/**\n * Bot patterns ordered by specificity — more specific patterns first.\n * All patterns are case-insensitive and tested against the full UA string.\n */\nconst BOT_PATTERNS: BotPattern[] = [\n  // --- SEARCH ENGINES (specific variants before generic) ---\n  { pattern: /Googlebot-Image/i, name: 'Googlebot-Image', category: 'SEARCH_ENGINE' },\n  { pattern: /Googlebot-Video/i, name: 'Googlebot-Video', category: 'SEARCH_ENGINE' },\n  { pattern: /Googlebot-News/i, name: 'Googlebot-News', category: 'SEARCH_ENGINE' },\n  { pattern: /Googlebot/i, name: 'Googlebot', category: 'SEARCH_ENGINE' },\n  { pattern: /AdsBot-Google/i, name: 'AdsBot-Google', category: 'SEARCH_ENGINE' },\n  { pattern: /Mediapartners-Google/i, name: 'Mediapartners-Google', category: 'SEARCH_ENGINE' },\n  { pattern: /Bingbot/i, name: 'Bingbot', category: 'SEARCH_ENGINE' },\n  { pattern: /msnbot/i, name: 'msnbot', category: 'SEARCH_ENGINE' },\n  { pattern: /Slurp/i, name: 'Yahoo Slurp', category: 'SEARCH_ENGINE' },\n  { pattern: /DuckDuckBot/i, name: 'DuckDuckBot', category: 'SEARCH_ENGINE' },\n  { pattern: /Baiduspider/i, name: 'Baiduspider', category: 'SEARCH_ENGINE' },\n  { pattern: /YandexBot/i, name: 'YandexBot', category: 'SEARCH_ENGINE' },\n  { pattern: /YandexImages/i, name: 'YandexImages', category: 'SEARCH_ENGINE' },\n  { pattern: /Sogou/i, name: 'Sogou', category: 'SEARCH_ENGINE' },\n  { pattern: /Exabot/i, name: 'Exabot', category: 'SEARCH_ENGINE' },\n  { pattern: /ia_archiver/i, name: 'Alexa', category: 'SEARCH_ENGINE' },\n  { pattern: /Applebot/i, name: 'Applebot', category: 'SEARCH_ENGINE' },\n  { pattern: /Qwantify/i, name: 'Qwantify', category: 'SEARCH_ENGINE' },\n  { pattern: /PetalBot/i, name: 'PetalBot', category: 'SEARCH_ENGINE' },\n  { pattern: /SeznamBot/i, name: 'SeznamBot', category: 'SEARCH_ENGINE' },\n\n  // --- SOCIAL ---\n  { pattern: /Twitterbot/i, name: 'Twitterbot', category: 'SOCIAL' },\n  { pattern: /facebookexternalhit/i, name: 'Facebook', category: 'SOCIAL' },\n  { pattern: /Facebot/i, name: 'Facebot', category: 'SOCIAL' },\n  { pattern: /LinkedInBot/i, name: 'LinkedInBot', category: 'SOCIAL' },\n  { pattern: /Pinterest/i, name: 'Pinterest', category: 'SOCIAL' },\n  { pattern: /Slackbot/i, name: 'Slackbot', category: 'SOCIAL' },\n  { pattern: /TelegramBot/i, name: 'TelegramBot', category: 'SOCIAL' },\n  { pattern: /WhatsApp/i, name: 'WhatsApp', category: 'SOCIAL' },\n  { pattern: /Discordbot/i, name: 'Discordbot', category: 'SOCIAL' },\n  { pattern: /Redditbot/i, name: 'Redditbot', category: 'SOCIAL' },\n  { pattern: /Embedly/i, name: 'Embedly', category: 'SOCIAL' },\n  { pattern: /Quora Link Preview/i, name: 'Quora', category: 'SOCIAL' },\n  { pattern: /Mastodon/i, name: 'Mastodon', category: 'SOCIAL' },\n\n  // --- MONITORING ---\n  { pattern: /UptimeRobot/i, name: 'UptimeRobot', category: 'MONITORING' },\n  { pattern: /Pingdom/i, name: 'Pingdom', category: 'MONITORING' },\n  { pattern: /Site24x7/i, name: 'Site24x7', category: 'MONITORING' },\n  { pattern: /StatusCake/i, name: 'StatusCake', category: 'MONITORING' },\n  { pattern: /Datadog/i, name: 'Datadog', category: 'MONITORING' },\n  { pattern: /NewRelicPinger/i, name: 'New Relic', category: 'MONITORING' },\n  { pattern: /Better Uptime Bot/i, name: 'Better Uptime', category: 'MONITORING' },\n  { pattern: /GTmetrix/i, name: 'GTmetrix', category: 'MONITORING' },\n  { pattern: /PageSpeed/i, name: 'PageSpeed Insights', category: 'MONITORING' },\n\n  // --- AI CRAWLERS ---\n  { pattern: /GPTBot/i, name: 'GPTBot', category: 'AI_CRAWLER' },\n  { pattern: /ChatGPT-User/i, name: 'ChatGPT-User', category: 'AI_CRAWLER' },\n  { pattern: /Claude-Web/i, name: 'Claude-Web', category: 'AI_CRAWLER' },\n  { pattern: /ClaudeBot/i, name: 'ClaudeBot', category: 'AI_CRAWLER' },\n  { pattern: /anthropic-ai/i, name: 'Anthropic', category: 'AI_CRAWLER' },\n  { pattern: /Bytespider/i, name: 'Bytespider', category: 'AI_CRAWLER' },\n  { pattern: /CCBot/i, name: 'CCBot', category: 'AI_CRAWLER' },\n  { pattern: /cohere-ai/i, name: 'Cohere', category: 'AI_CRAWLER' },\n  { pattern: /PerplexityBot/i, name: 'PerplexityBot', category: 'AI_CRAWLER' },\n  { pattern: /YouBot/i, name: 'YouBot', category: 'AI_CRAWLER' },\n  { pattern: /Google-Extended/i, name: 'Google-Extended', category: 'AI_CRAWLER' },\n  { pattern: /Diffbot/i, name: 'Diffbot', category: 'AI_CRAWLER' },\n  { pattern: /Amazonbot/i, name: 'Amazonbot', category: 'AI_CRAWLER' },\n  { pattern: /meta-externalagent/i, name: 'Meta AI', category: 'AI_CRAWLER' },\n\n  // --- AUTOMATED TOOLS (headless browsers, testing frameworks) ---\n  { pattern: /HeadlessChrome/i, name: 'Headless Chrome', category: 'AUTOMATED' },\n  { pattern: /PhantomJS/i, name: 'PhantomJS', category: 'AUTOMATED' },\n  { pattern: /Selenium/i, name: 'Selenium', category: 'AUTOMATED' },\n  { pattern: /Puppeteer/i, name: 'Puppeteer', category: 'AUTOMATED' },\n  { pattern: /Playwright/i, name: 'Playwright', category: 'AUTOMATED' },\n  { pattern: /Cypress/i, name: 'Cypress', category: 'AUTOMATED' },\n  { pattern: /webdriver/i, name: 'WebDriver', category: 'AUTOMATED' },\n  { pattern: /MSIE 6\\.0/i, name: 'Fake IE6', category: 'AUTOMATED' },\n\n  // --- SCRAPERS / CLI TOOLS ---\n  { pattern: /^curl\\//i, name: 'curl', category: 'SCRAPER' },\n  { pattern: /^wget\\//i, name: 'wget', category: 'SCRAPER' },\n  { pattern: /^python-requests\\//i, name: 'python-requests', category: 'SCRAPER' },\n  { pattern: /^python-httpx\\//i, name: 'python-httpx', category: 'SCRAPER' },\n  { pattern: /^Python-urllib/i, name: 'Python-urllib', category: 'SCRAPER' },\n  { pattern: /^aiohttp\\//i, name: 'aiohttp', category: 'SCRAPER' },\n  { pattern: /^Go-http-client/i, name: 'Go-http-client', category: 'SCRAPER' },\n  { pattern: /^Java\\//i, name: 'Java HttpClient', category: 'SCRAPER' },\n  { pattern: /^Apache-HttpClient/i, name: 'Apache HttpClient', category: 'SCRAPER' },\n  { pattern: /^okhttp\\//i, name: 'OkHttp', category: 'SCRAPER' },\n  { pattern: /^node-fetch\\//i, name: 'node-fetch', category: 'SCRAPER' },\n  { pattern: /^axios\\//i, name: 'axios', category: 'SCRAPER' },\n  { pattern: /^got\\//i, name: 'got', category: 'SCRAPER' },\n  { pattern: /^libwww-perl/i, name: 'libwww-perl', category: 'SCRAPER' },\n  { pattern: /^Ruby/i, name: 'Ruby', category: 'SCRAPER' },\n  { pattern: /^PHP\\//i, name: 'PHP', category: 'SCRAPER' },\n  { pattern: /Scrapy/i, name: 'Scrapy', category: 'SCRAPER' },\n  { pattern: /^Postman/i, name: 'Postman', category: 'SCRAPER' },\n  { pattern: /^Insomnia/i, name: 'Insomnia', category: 'SCRAPER' },\n  { pattern: /^HTTPie\\//i, name: 'HTTPie', category: 'SCRAPER' },\n];\n\n// =============================================================================\n// DETECTION ENGINE\n// =============================================================================\n\n/**\n * Detect behavioral signals that suggest a bot.\n */\nfunction detectBehavioralSignals(req: Request): string[] {\n  const signals: string[] = [];\n  const headers = req.headers;\n\n  // Missing User-Agent\n  if (!headers['user-agent']) {\n    signals.push('missing_user_agent');\n  }\n\n  // Missing Accept header (browsers always send this)\n  if (!headers['accept']) {\n    signals.push('missing_accept');\n  }\n\n  // Missing Accept-Language (browsers always send this)\n  if (!headers['accept-language']) {\n    signals.push('missing_accept_language');\n  }\n\n  // Missing Accept-Encoding (browsers always send this)\n  if (!headers['accept-encoding']) {\n    signals.push('missing_accept_encoding');\n  }\n\n  // Connection: close (browsers typically use keep-alive)\n  if (headers['connection'] === 'close') {\n    signals.push('connection_close');\n  }\n\n  return signals;\n}\n\n/**\n * Detect what kind of bot (if any) is making the request.\n *\n * @param req - HTTP request object\n * @returns Detection result with category, name, confidence, and signals\n *\n * @example\n * const result = detectBot(req);\n * if (result.isBot && result.category === 'AUTOMATED') {\n *   // Block automated tools\n * }\n */\nexport function detectBot(req: Request): BotDetectionResult {\n  const rawUa = req.headers['user-agent'] ?? '';\n  // SECURITY: A UA longer than 2048 chars is either buggy client or attempt to hide\n  // a bot signature past a truncation boundary. Flag as suspicious bot directly —\n  // don't silently truncate and continue.\n  if (rawUa.length > 2048) {\n    return {\n      isBot: true,\n      category: 'UNKNOWN',\n      name: null,\n      confidence: 0.9,\n      signals: detectBehavioralSignals(req),\n    };\n  }\n  const ua = rawUa;\n  const signals = detectBehavioralSignals(req);\n\n  // No User-Agent at all\n  if (!ua) {\n    return {\n      isBot: true,\n      category: 'UNKNOWN',\n      name: null,\n      confidence: 0.8,\n      signals,\n    };\n  }\n\n  // Match against known bot patterns\n  for (const bot of BOT_PATTERNS) {\n    if (bot.pattern.test(ua)) {\n      return {\n        isBot: true,\n        category: bot.category,\n        name: bot.name,\n        confidence: 0.95,\n        signals,\n      };\n    }\n  }\n\n  // Behavioral analysis for unrecognized UAs\n  const behaviorScore = signals.length;\n\n  // 3+ missing standard headers = likely bot\n  if (behaviorScore >= 3) {\n    return {\n      isBot: true,\n      category: 'UNKNOWN',\n      name: null,\n      confidence: Math.min(1.0, 0.6 + (behaviorScore * 0.1)),\n      signals,\n    };\n  }\n\n  return {\n    isBot: false,\n    category: 'HUMAN',\n    name: null,\n    confidence: Math.max(0.0, 1.0 - (behaviorScore * 0.15)),\n    signals,\n  };\n}\n\n/**\n * Create Express middleware for bot protection.\n *\n * @example\n * // Block automated tools and scrapers\n * app.use(botProtection({\n *   allow: ['SEARCH_ENGINE', 'SOCIAL', 'MONITORING'],\n *   deny: ['AUTOMATED', 'SCRAPER'],\n * }));\n *\n * @example\n * // Block everything except search engines\n * app.use(botProtection({\n *   allow: ['SEARCH_ENGINE'],\n *   defaultAction: 'deny',\n * }));\n *\n * @example\n * // Custom handler\n * app.use(botProtection({\n *   deny: ['AUTOMATED'],\n *   onDetected: (req, res, result) => {\n *     console.log(`Bot blocked: ${result.name} (${result.category})`);\n *     res.status(403).json({ error: 'Bots not allowed' });\n *   },\n * }));\n */\nexport function botProtection(options: BotProtectionOptions = {}): RequestHandler {\n  const {\n    allow = ['SEARCH_ENGINE', 'SOCIAL', 'MONITORING'],\n    deny = ['AUTOMATED'],\n    defaultAction = 'allow',\n    statusCode = 403,\n    message = 'Access denied.',\n    onDetected,\n  } = options;\n\n  const allowSet = new Set(allow);\n  const denySet = new Set(deny);\n\n  return (req: Request, res: Response, next: NextFunction) => {\n    const result = detectBot(req);\n\n    // Attach result to request for downstream use\n    (req as unknown as Record<string, unknown>).botDetection = result;\n\n    // Humans always pass\n    if (!result.isBot) {\n      return next();\n    }\n\n    // Check explicit allow/deny lists\n    if (allowSet.has(result.category)) {\n      return next();\n    }\n\n    if (denySet.has(result.category)) {\n      if (onDetected) {\n        return onDetected(req, res, result);\n      }\n      res.status(statusCode).json({ error: message });\n      return;\n    }\n\n    // Default action for uncategorized bots\n    if (defaultAction === 'deny') {\n      if (onDetected) {\n        return onDetected(req, res, result);\n      }\n      res.status(statusCode).json({ error: message });\n      return;\n    }\n\n    next();\n  };\n}\n","/**\n * @module @arcis/node/middleware/csrf\n * CSRF (Cross-Site Request Forgery) protection middleware\n *\n * Implements the double-submit cookie pattern:\n * 1. Server sets a CSRF token in a cookie\n * 2. Client must send the same token in a header or form field\n * 3. Middleware rejects requests where cookie token !== header/field token\n *\n * This works because an attacker's cross-origin form submission will include\n * the cookie automatically, but cannot read it (same-origin policy) to set\n * the matching header.\n */\n\nimport { randomBytes, timingSafeEqual } from 'crypto';\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\n\n/** CSRF protection configuration */\nexport interface CsrfOptions {\n  /** Cookie name for the CSRF token. Default: '_csrf' */\n  cookieName?: string;\n  /** Header name to check for the token. Default: 'x-csrf-token' */\n  headerName?: string;\n  /** Form field name to check for the token. Default: '_csrf' */\n  fieldName?: string;\n  /** Token byte length (hex-encoded = 2x chars). Default: 32 */\n  tokenLength?: number;\n  /** HTTP methods to protect. Default: ['POST', 'PUT', 'PATCH', 'DELETE'] */\n  protectedMethods?: string[];\n  /** Paths to exclude from CSRF checks (e.g., webhook endpoints) */\n  excludePaths?: string[];\n  /**\n   * Per-request skip function. If it returns true, CSRF check is skipped\n   * for that request. Useful for API key auth or signed webhooks.\n   *\n   * @example\n   * skipCsrf: (req) => Boolean(req.headers['x-api-key'])\n   */\n  skipCsrf?: (req: Request) => boolean;\n  /**\n   * Use the __Host- cookie prefix for stronger cookie security.\n   * When enabled, the browser enforces: Secure=true, no Domain, Path=/.\n   * This prevents CSRF cookie theft across subdomains.\n   * Default: false\n   */\n  useHostPrefix?: boolean;\n  /** Cookie options */\n  cookie?: {\n    /** Cookie path. Default: '/' */\n    path?: string;\n    /** HttpOnly — set false so client JS can read it for headers. Default: false */\n    httpOnly?: boolean;\n    /** Secure flag (HTTPS only). Default: true in production */\n    secure?: boolean;\n    /** SameSite attribute. Default: 'Lax' */\n    sameSite?: 'Strict' | 'Lax' | 'None';\n    /** Cookie domain */\n    domain?: string;\n  };\n  /** Custom error handler when CSRF validation fails */\n  onError?: (req: Request, res: Response, next: NextFunction) => void;\n  /**\n   * Rotate the CSRF token after each successful validation on a protected\n   * method. Defends against token-fixation attacks where an attacker plants\n   * a known token before authentication. Default: false.\n   *\n   * When enabled, every successful POST/PUT/PATCH/DELETE causes the server to\n   * issue a fresh token via Set-Cookie — the client must re-read the cookie\n   * before the next mutating request.\n   */\n  rotateOnUse?: boolean;\n}\n\nconst DEFAULTS = {\n  cookieName: '_csrf',\n  headerName: 'x-csrf-token',\n  fieldName: '_csrf',\n  tokenLength: 32,\n  protectedMethods: ['POST', 'PUT', 'PATCH', 'DELETE'],\n} as const;\n\n/**\n * Generate a cryptographically random CSRF token.\n *\n * @param length - Byte length (output is hex, so 2x chars). Default: 32\n * @returns Hex-encoded random token\n *\n * @example\n * const token = generateCsrfToken(); // 64 hex chars\n */\nexport function generateCsrfToken(length: number = 32): string {\n  return randomBytes(length).toString('hex');\n}\n\n/**\n * Validate that two CSRF tokens match using constant-time comparison.\n *\n * @param cookieToken - Token from the cookie\n * @param requestToken - Token from the header or form field\n * @returns true if tokens match\n */\nexport function validateCsrfToken(cookieToken: string, requestToken: string): boolean {\n  if (!cookieToken || !requestToken) return false;\n  if (cookieToken.length !== requestToken.length) return false;\n\n  // SECURITY: Use Node.js built-in constant-time comparison to prevent timing attacks\n  const a = Buffer.from(cookieToken);\n  const b = Buffer.from(requestToken);\n  return timingSafeEqual(a, b);\n}\n\n/**\n * Extract the CSRF token from a request (checks header, then body field, then query).\n */\nfunction getRequestToken(req: Request, headerName: string, fieldName: string): string | undefined {\n  // 1. Check header (most common for SPAs)\n  const headerToken = req.headers[headerName.toLowerCase()];\n  if (typeof headerToken === 'string' && headerToken) return headerToken;\n\n  // 2. Check body field (form submissions)\n  if (req.body && typeof req.body === 'object' && fieldName in req.body) {\n    const bodyToken = req.body[fieldName];\n    if (typeof bodyToken === 'string' && bodyToken) return bodyToken;\n  }\n\n  // SECURITY: Query string intentionally not supported — tokens in URLs leak\n  // to server logs, Referer headers, browser history, and CDN/proxy logs.\n\n  return undefined;\n}\n\n/**\n * Create CSRF protection middleware using double-submit cookie pattern.\n *\n * For safe methods (GET, HEAD, OPTIONS), sets a CSRF token cookie if not present.\n * For unsafe methods (POST, PUT, PATCH, DELETE), validates the token.\n *\n * @param options - CSRF configuration\n * @returns Express middleware\n *\n * @example\n * // Basic usage\n * app.use(csrfProtection());\n *\n * @example\n * // Exclude webhook paths\n * app.use(csrfProtection({\n *   excludePaths: ['/api/webhooks/stripe', '/api/webhooks/github']\n * }));\n *\n * @example\n * // Client-side: read cookie + set header\n * const token = document.cookie.match(/_csrf=([^;]+)/)?.[1];\n * fetch('/api/data', {\n *   method: 'POST',\n *   headers: { 'X-CSRF-Token': token },\n *   credentials: 'same-origin'\n * });\n */\nexport function csrfProtection(options: CsrfOptions = {}): RequestHandler {\n  const baseCookieName = options.cookieName ?? DEFAULTS.cookieName;\n  // __Host- prefix: forces browser to enforce Secure + no Domain + Path=/\n  const cookieName = options.useHostPrefix ? `__Host-${baseCookieName}` : baseCookieName;\n  const headerName = options.headerName ?? DEFAULTS.headerName;\n  const fieldName = options.fieldName ?? DEFAULTS.fieldName;\n  const tokenLength = options.tokenLength ?? DEFAULTS.tokenLength;\n  const protectedMethods = options.protectedMethods ?? [...DEFAULTS.protectedMethods];\n  const excludePaths = options.excludePaths ?? [];\n  const skipCsrf = options.skipCsrf;\n\n  const isProduction = process.env.NODE_ENV === 'production';\n  const cookieOpts = {\n    path: options.cookie?.path ?? '/',\n    httpOnly: options.cookie?.httpOnly ?? false, // Must be readable by client JS\n    secure: options.cookie?.secure ?? isProduction,\n    sameSite: options.cookie?.sameSite ?? 'Lax',\n    domain: options.cookie?.domain,\n  };\n\n  const defaultOnError = (_req: Request, res: Response, _next: NextFunction) => {\n    res.status(403).json({\n      error: 'CSRF token validation failed',\n      message: 'Invalid or missing CSRF token. Include the token from the cookie in the X-CSRF-Token header.',\n    });\n  };\n\n  const onError = options.onError ?? defaultOnError;\n\n  // Normalize protected methods to uppercase\n  const protectedSet = new Set(protectedMethods.map(m => m.toUpperCase()));\n\n  return (req: Request, res: Response, next: NextFunction) => {\n    const method = req.method.toUpperCase();\n\n    // Per-request skip callback (API keys, signed webhooks, etc.)\n    if (skipCsrf && skipCsrf(req)) {\n      return next();\n    }\n\n    // Check if path is excluded\n    const requestPath = req.path || req.url;\n    if (excludePaths.some(p => requestPath === p || requestPath.startsWith(p + '/'))) {\n      return next();\n    }\n\n    // Expose token generation on the request for templates/views\n    (req as unknown as Record<string, unknown>).csrfToken = () => {\n      const existing = getCookieValue(req, cookieName);\n      if (existing) return existing;\n\n      const token = generateCsrfToken(tokenLength);\n      setCsrfCookie(res, cookieName, token, cookieOpts);\n      return token;\n    };\n\n    // For safe methods — ensure a CSRF cookie exists\n    if (!protectedSet.has(method)) {\n      const existing = getCookieValue(req, cookieName);\n      if (!existing) {\n        const token = generateCsrfToken(tokenLength);\n        setCsrfCookie(res, cookieName, token, cookieOpts);\n      }\n      return next();\n    }\n\n    // For protected methods — validate the token\n    const cookieToken = getCookieValue(req, cookieName);\n    if (!cookieToken) {\n      return onError(req, res, next);\n    }\n\n    const requestToken = getRequestToken(req, headerName, fieldName);\n    if (!requestToken) {\n      return onError(req, res, next);\n    }\n\n    if (!validateCsrfToken(cookieToken, requestToken)) {\n      return onError(req, res, next);\n    }\n\n    // Optional token rotation on successful validation\n    if (options.rotateOnUse) {\n      const freshToken = generateCsrfToken(tokenLength);\n      setCsrfCookie(res, cookieName, freshToken, cookieOpts);\n    }\n\n    next();\n  };\n}\n\n/**\n * Read a cookie value from the request.\n */\nfunction getCookieValue(req: Request, name: string): string | undefined {\n  // Express parses cookies if cookie-parser is used\n  if (req.cookies && typeof req.cookies === 'object' && name in req.cookies) {\n    return req.cookies[name];\n  }\n\n  // Fallback: parse from raw Cookie header\n  const cookieHeader = req.headers.cookie;\n  if (!cookieHeader) return undefined;\n\n  const match = cookieHeader.match(new RegExp(`(?:^|;\\\\s*)${escapeRegex(name)}=([^;]*)`));\n  return match ? decodeURIComponent(match[1]) : undefined;\n}\n\n/**\n * Set the CSRF token cookie on the response.\n */\nfunction setCsrfCookie(\n  res: Response,\n  name: string,\n  token: string,\n  opts: { path: string; httpOnly: boolean; secure: boolean; sameSite: string; domain?: string }\n): void {\n  const parts = [`${name}=${token}`];\n  parts.push(`Path=${opts.path}`);\n  if (opts.httpOnly) parts.push('HttpOnly');\n  if (opts.secure) parts.push('Secure');\n  parts.push(`SameSite=${opts.sameSite}`);\n  if (opts.domain) parts.push(`Domain=${opts.domain}`);\n\n  // Accumulate Set-Cookie headers to avoid overwriting cookies set by other middleware\n  const newCookie = parts.join('; ');\n  const existing = res.getHeader('Set-Cookie');\n  if (existing === undefined) {\n    res.setHeader('Set-Cookie', newCookie);\n  } else if (Array.isArray(existing)) {\n    res.setHeader('Set-Cookie', [...existing, newCookie]);\n  } else {\n    res.setHeader('Set-Cookie', [existing as string, newCookie]);\n  }\n}\n\n/**\n * Escape special regex characters in a string.\n */\nfunction escapeRegex(str: string): string {\n  return str.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&');\n}\n\n/** Alias for csrfProtection */\nexport const createCsrf = csrfProtection;\n","/**\n * @module @arcis/node/middleware/signup-protection\n *\n * Composite signup-form protection: one middleware that combines email\n * validation (syntax + disposable), bot detection, and a dedicated\n * per-IP rate limit. Matches the Arcjet `protectSignup` convenience\n * primitive but stays fully local — no cloud lookups.\n *\n * @example\n *   app.post('/signup', signupProtection(), handler);\n *\n * @example\n *   app.post('/signup', signupProtection({\n *     emailField: 'email',\n *     rateLimit: { max: 5, windowMs: 60_000 },\n *     blockDisposable: true,\n *   }), handler);\n */\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport { validateEmail } from '../validation/email';\nimport { detectBot, type BotCategory } from './bot-detection';\nimport { createRateLimiter } from './rate-limit';\n\nexport type SignupBlockReason =\n  | 'missing_email'\n  | 'invalid_email'\n  | 'disposable_email'\n  | 'bot'\n  | 'rate_limited';\n\nexport interface SignupCheckResult {\n  allowed: boolean;\n  reason: SignupBlockReason | 'ok';\n  details?: Record<string, unknown>;\n}\n\nexport interface SignupProtectionOptions {\n  /** Request body field holding the email address. Default: 'email' */\n  emailField?: string;\n  /** Run email validation. Default: true */\n  checkEmail?: boolean;\n  /** Reject disposable email domains. Default: true */\n  blockDisposable?: boolean;\n  /** Run bot detection. Default: true */\n  checkBot?: boolean;\n  /** Bot categories allowed through (e.g. test harnesses). Default: [] — all bots blocked */\n  allowedBotCategories?: BotCategory[];\n  /** Per-IP rate limit on signup endpoint. Set to `false` to disable. Default: 5 requests / 60s */\n  rateLimit?: { max?: number; windowMs?: number } | false;\n  /** Extra email domains to allow (bypasses disposable check) */\n  allowedEmailDomains?: string[];\n  /** Extra email domains to block */\n  blockedEmailDomains?: string[];\n  /** Called when a request is blocked — for telemetry/logging */\n  onBlocked?: (req: Request, result: SignupCheckResult) => void;\n}\n\nexport interface SignupProtectionMiddleware extends RequestHandler {\n  /** Release the rate-limiter cleanup interval */\n  close: () => void;\n}\n\n/**\n * Pure signup check — no rate-limit mutation, no response writes.\n * Useful for framework adapters or custom control flow.\n */\nexport function checkSignup(\n  req: Request,\n  options: SignupProtectionOptions = {}\n): SignupCheckResult {\n  const {\n    emailField = 'email',\n    checkEmail = true,\n    blockDisposable = true,\n    checkBot = true,\n    allowedBotCategories = [],\n    allowedEmailDomains = [],\n    blockedEmailDomains = [],\n  } = options;\n\n  if (checkBot) {\n    const bot = detectBot(req);\n    if (bot.isBot && !allowedBotCategories.includes(bot.category)) {\n      return {\n        allowed: false,\n        reason: 'bot',\n        details: { category: bot.category, name: bot.name, confidence: bot.confidence },\n      };\n    }\n  }\n\n  if (checkEmail) {\n    const email = (req.body as Record<string, unknown> | undefined)?.[emailField];\n    if (typeof email !== 'string' || email.length === 0) {\n      return { allowed: false, reason: 'missing_email' };\n    }\n    const result = validateEmail(email, {\n      checkDisposable: blockDisposable,\n      allowedDomains: allowedEmailDomains,\n      blockedDomains: blockedEmailDomains,\n    });\n    if (!result.valid) {\n      const reason: SignupBlockReason =\n        result.reason === 'disposable' ? 'disposable_email' : 'invalid_email';\n      return { allowed: false, reason, details: { emailReason: result.reason } };\n    }\n  }\n\n  return { allowed: true, reason: 'ok' };\n}\n\n/**\n * Express middleware: applies bot + email + rate-limit checks to a signup\n * endpoint. Responds 400/403/429 with a JSON body on block; otherwise\n * calls `next()`.\n */\nexport function signupProtection(\n  options: SignupProtectionOptions = {}\n): SignupProtectionMiddleware {\n  const rateLimitCfg = options.rateLimit;\n  const limiter =\n    rateLimitCfg === false\n      ? null\n      : createRateLimiter({\n          max: rateLimitCfg?.max ?? 5,\n          windowMs: rateLimitCfg?.windowMs ?? 60_000,\n          message: 'Too many signup attempts',\n        });\n\n  const handler: RequestHandler = (req, res, next) => {\n    const result = checkSignup(req, options);\n    if (!result.allowed) {\n      options.onBlocked?.(req, result);\n      const status = result.reason === 'bot' ? 403 : 400;\n      res.status(status).json({ error: 'signup_blocked', reason: result.reason });\n      return;\n    }\n    if (limiter) {\n      // Delegate to rate limiter — it will respond 429 on breach or call next() otherwise.\n      let rateLimited = false;\n      const rateLimitNext: NextFunction = (err?: unknown) => {\n        if (err) return next(err);\n        if (!rateLimited) next();\n      };\n      const patchedRes = new Proxy(res, {\n        get(target, prop) {\n          if (prop === 'status') {\n            return (code: number) => {\n              if (code === 429) {\n                rateLimited = true;\n                options.onBlocked?.(req, { allowed: false, reason: 'rate_limited' });\n              }\n              return (target.status as (c: number) => Response).call(target, code);\n            };\n          }\n          return Reflect.get(target, prop);\n        },\n      });\n      limiter(req, patchedRes as Response, rateLimitNext);\n      return;\n    }\n    next();\n  };\n\n  const middleware = handler as SignupProtectionMiddleware;\n  middleware.close = () => limiter?.close();\n  return middleware;\n}\n"]}