npm - @astrasyncai/verification-gateway - Versions diffs - 2.4.9 → 2.4.10 - Mend

@astrasyncai/verification-gateway 2.4.9 → 2.4.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

package/dist/adapters/express.js +53 -17
package/dist/adapters/express.js.map +1 -1
package/dist/adapters/express.mjs +53 -17
package/dist/adapters/express.mjs.map +1 -1
package/dist/adapters/mcp.js +35 -13
package/dist/adapters/mcp.js.map +1 -1
package/dist/adapters/mcp.mjs +35 -13
package/dist/adapters/mcp.mjs.map +1 -1
package/dist/adapters/nextjs.js +53 -17
package/dist/adapters/nextjs.js.map +1 -1
package/dist/adapters/nextjs.mjs +53 -17
package/dist/adapters/nextjs.mjs.map +1 -1
package/dist/adapters/sdk.js +35 -13
package/dist/adapters/sdk.js.map +1 -1
package/dist/adapters/sdk.mjs +35 -13
package/dist/adapters/sdk.mjs.map +1 -1
package/dist/browser/background.js +36 -14
package/dist/browser/background.js.map +1 -1
package/dist/browser/background.mjs +36 -14
package/dist/browser/background.mjs.map +1 -1
package/dist/cursor/extension.js +36 -14
package/dist/cursor/extension.js.map +1 -1
package/dist/cursor/extension.mjs +36 -14
package/dist/cursor/extension.mjs.map +1 -1
package/dist/gateway/gateway.js +36 -14
package/dist/gateway/gateway.js.map +1 -1
package/dist/gateway/gateway.mjs +36 -14
package/dist/gateway/gateway.mjs.map +1 -1
package/dist/index.js +54 -18
package/dist/index.js.map +1 -1
package/dist/index.mjs +54 -18
package/dist/index.mjs.map +1 -1
package/package.json +1 -1

package/dist/cursor/extension.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../src/cursor/extension.ts","../../src/adapter-interface/interface.ts","../../src/adapter-interface/purpose-mapping.ts","../../src/cursor/cursor-adapter.ts","../../src/gateway/types.ts","../../src/local-evaluator/evaluator.ts","../../../../node_modules/js-yaml/dist/js-yaml.mjs","../../src/local-evaluator/pdlss-parser.ts","../../src/local-evaluator/schema.ts","../../src/gateway/modes/local.ts","../../src/access-levels.ts","../../src/version.ts","../../src/verify.ts","../../src/adapters/express.ts","../../src/adapters/nextjs.ts","../../src/transport/rfc9421.ts","../../src/transport/rfc9421-verify.ts","../../src/transport/vi.ts","../../src/transport/stripe-webhook.ts","../../src/transport/ap2.ts","../../src/transport/mpp.ts","../../src/transport/mpp-verify.ts","../../src/transport/x402.ts","../../src/transport/vi-verify.ts","../../src/transport/registry/visa.ts","../../src/gateway/modes/online.ts","../../src/gateway/modes/hybrid.ts","../../src/gateway/trace-logger.ts","../../src/gateway/gateway.ts"],"sourcesContent":["/*\n VS Code Extension entry point for AstraSync Local Guard (Cursor/VS Code).\n \n This file is the `main` referenced in the extension's package.json.\n * It creates a CursorAdapter, wires it to the real `vscode` API,\n * and manages its lifecycle through activate/deactivate.\n \n Build: bundled separately via tsup/esbuild with `vscode` marked as external.\n /\n\nimport { CursorAdapter } from './cursor-adapter';\nimport { AstraSyncGateway } from '../gateway/gateway';\nimport type { VSCodeAPI } from './cursor-adapter';\n\n// Extension state\nlet adapter: CursorAdapter \| null = null;\nlet gateway: AstraSyncGateway \| null = null;\n\n/\n Called by VS Code when the extension activates.\n * The `vscode` module is passed in at runtime — never bundled.\n /\nexport async function activate(vscodeApi: VSCodeAPI): Promise<void> {\n const config = loadConfiguration();\n\n gateway = new AstraSyncGateway(config.gatewayConfig);\n\n adapter = new CursorAdapter({\n vscode: vscodeApi,\n onApprovalRequired: async (context, decision) => {\n const choice = await vscodeApi.window.showWarningMessage(\n `AstraSync: ${decision.reason}\\n\\nAction: ${context.action} → ${context.target}`,\n 'Allow',\n 'Deny',\n );\n return choice === 'Allow';\n },\n });\n\n await adapter.initialize({\n gateway,\n adapterOptions: { vscode: vscodeApi },\n });\n\n // Register commands\n vscodeApi.commands.registerCommand('astrasync.showPolicy', () => {\n const channel = vscodeApi.window.createOutputChannel('AstraSync Policy');\n channel.appendLine(`Mode: ${gateway!.mode}`);\n channel.appendLine(`Posture: ${gateway!.posture}`);\n channel.appendLine(`Policy file: ${config.gatewayConfig.policyFile \|\| '(inline/none)'}`);\n channel.show();\n });\n\n vscodeApi.commands.registerCommand('astrasync.switchMode', async () => {\n // Mode switching only available if API key is set\n if (!config.gatewayConfig.apiKey) {\n vscodeApi.window.showInformationMessage(\n 'AstraSync: Set astrasync.apiKey in settings to enable online/hybrid mode.',\n );\n return;\n }\n\n const choice = await vscodeApi.window.showWarningMessage(\n 'Switch AstraSync mode?',\n 'Local',\n 'Online',\n 'Hybrid',\n );\n\n if (choice) {\n const mode = choice.toLowerCase() as 'local' \| 'online' \| 'hybrid';\n await gateway!.switchMode(mode);\n vscodeApi.window.showInformationMessage(`AstraSync: Switched to ${mode} mode`);\n }\n });\n}\n\n/\n Called by VS Code when the extension deactivates.\n /\nexport async function deactivate(): Promise<void> {\n if (adapter) {\n await adapter.shutdown();\n adapter = null;\n }\n if (gateway) {\n await gateway.shutdown();\n gateway = null;\n }\n}\n\n// -----------------------------------------------------------------------\n// Configuration\n// -----------------------------------------------------------------------\n\ninterface ExtensionConfig {\n gatewayConfig: {\n mode: 'local' \| 'online' \| 'hybrid';\n policyFile?: string;\n apiKey?: string;\n apiBaseUrl?: string;\n debug?: boolean;\n traceEnabled?: boolean;\n posture?: 'active' \| 'passive';\n policy?: {\n version: string;\n name: string;\n purposes: Array<{ id: string; allowed: boolean }>;\n };\n };\n}\n\nfunction loadConfiguration(): ExtensionConfig {\n // In a real VS Code extension, this reads from vscode.workspace.getConfiguration('astrasync').\n // Since VSCodeAPI is minimal (no workspace.getConfiguration), we use sensible defaults.\n // Users configure via a .astrasync/policy.yaml file in their workspace root.\n\n return {\n gatewayConfig: {\n mode: 'local',\n policyFile: '.astrasync/policy.yaml',\n debug: false,\n traceEnabled: true,\n posture: 'active',\n // Fallback inline policy if no YAML file exists\n policy: {\n version: '1.0',\n name: 'default-cursor-policy',\n purposes: [\n { id: 'file.read', allowed: true },\n { id: 'file.write', allowed: true },\n { id: 'file.delete', allowed: false },\n { id: 'shell.exec', allowed: true },\n { id: 'network.fetch', allowed: true },\n { id: 'payment.execute', allowed: false },\n { id: 'email.send', allowed: false },\n ],\n },\n },\n };\n}\n","/\n PlatformAdapter Interface\n \n The contract that Layer 4 platform adapters implement.\n * Agent-side interception: governs what agents are allowed to do before they do it.\n \n Each adapter is 200-500 lines of platform-specific code.\n * All verification logic lives in the gateway — adapters just translate\n * between the platform's world and AstraSync's world.\n /\n\nimport type { AstraSyncGateway } from '../gateway/gateway';\nimport type { PDLSSContext, VerificationDecision, AgentAction, InterceptResult } from '../gateway/types';\n\nexport interface AdapterConfig {\n /* The AstraSyncGateway instance (handles mode routing) /\n gateway: AstraSyncGateway;\n /* Platform-specific configuration /\n adapterOptions: Record<string, unknown>;\n}\n\nexport interface PlatformAdapter {\n /\n Interface version for compatibility checking.\n * Current version: 1.\n /\n readonly interfaceVersion: number;\n\n /\n Platform-specific initialization.\n * Load config, register hooks, establish connections.\n /\n initialize(config: AdapterConfig): Promise<void>;\n\n /\n Graceful shutdown.\n * Drain in-flight verifications, deregister hooks, close connections.\n /\n shutdown(): Promise<void>;\n\n /\n Intercept an agent action before execution.\n \n How this works depends on the platform:\n * - CLI adapter: proxy server captures outbound request\n * - Browser adapter: content script intercepts DOM interaction\n * - Express: middleware captures inbound request\n /\n interceptAction(action: AgentAction): Promise<InterceptResult>;\n\n /\n Extract PDLSS-compatible context from a platform-specific action.\n * Maps platform-native action format to the universal PDLSSContext.\n /\n extractContext(action: AgentAction): PDLSSContext;\n\n /\n Enforce the verification decision in a platform-specific way.\n \n How this works depends on the platform:\n * - CLI: block command / allow command / prompt for approval\n * - Browser: block navigation / show confirmation dialog\n * - Express: return 403 / pass through / inject headers\n /\n enforceDecision(decision: VerificationDecision): Promise<void>;\n}\n\n/\n Current adapter interface version.\n /\nexport const ADAPTER_INTERFACE_VERSION = 1;\n\n/\n Check if an adapter is compatible with the current interface version.\n /\nexport function isCompatibleAdapter(adapter: PlatformAdapter): boolean {\n return adapter.interfaceVersion === ADAPTER_INTERFACE_VERSION;\n}\n","/\n Shared purpose mapping utilities for Layer 4 platform adapters.\n \n Maps platform-native action names to PDLSS purpose categories.\n * Used by OpenClaw CLI, Cursor, browser, and future adapters.\n /\n\n// -----------------------------------------------------------------------\n// Tool → Purpose mapping\n// -----------------------------------------------------------------------\n\n/* Standard tool name → PDLSS purpose mapping used by all adapters /\nconst TOOL_PURPOSE_MAP: Record<string, string> = {\n // Shell\n shell_exec: 'shell.exec',\n run_command: 'shell.exec',\n execute: 'shell.exec',\n terminal_exec: 'shell.exec',\n run_terminal_command: 'shell.exec',\n\n // File read\n file_read: 'file.read',\n read_file: 'file.read',\n\n // File write\n file_write: 'file.write',\n write_file: 'file.write',\n create_file: 'file.write',\n edit_file: 'file.write',\n\n // File delete\n file_delete: 'file.delete',\n delete_file: 'file.delete',\n\n // Network\n http_request: 'network.request',\n fetch: 'network.request',\n web_request: 'network.request',\n\n // Email\n send_email: 'email.send',\n read_email: 'email.read',\n\n // Calendar\n create_event: 'calendar.create',\n\n // Database\n query_database: 'database.query',\n write_database: 'database.write',\n\n // Payment\n payment_execute: 'payment.execute',\n};\n\n/\n Map a tool/action name to a PDLSS purpose category.\n * Returns `tool.<name>` for unmapped tools (denied by default).\n /\nexport function mapToolToPurpose(toolName: string): string {\n return TOOL_PURPOSE_MAP[toolName] \|\| `tool.${toolName}`;\n}\n\n/\n Register additional tool → purpose mappings (e.g. from a platform adapter).\n * Does not overwrite existing mappings.\n /\nexport function registerToolMappings(mappings: Record<string, string>): void {\n for (const [tool, purpose] of Object.entries(mappings)) {\n if (!(tool in TOOL_PURPOSE_MAP)) {\n TOOL_PURPOSE_MAP[tool] = purpose;\n }\n }\n}\n\n// -----------------------------------------------------------------------\n// Target extraction\n// -----------------------------------------------------------------------\n\n/\n Extract the meaningful target string from tool arguments.\n * Uses the purpose category to determine which argument field is relevant.\n /\nexport function extractTarget(toolName: string, args: Record<string, unknown>): string {\n const purpose = mapToolToPurpose(toolName);\n\n if (purpose.startsWith('shell.')) {\n return String(args.command \|\| args.cmd \|\| args.script \|\| '');\n }\n\n if (purpose.startsWith('file.')) {\n return String(args.path \|\| args.file \|\| args.filename \|\| args.file_path \|\| '');\n }\n\n if (purpose.startsWith('network.')) {\n return String(args.url \|\| args.endpoint \|\| args.uri \|\| '');\n }\n\n if (purpose.startsWith('email.')) {\n return String(args.to \|\| args.recipient \|\| args.address \|\| '');\n }\n\n if (purpose.startsWith('database.')) {\n return String(args.query \|\| args.table \|\| '');\n }\n\n if (purpose.startsWith('payment.')) {\n return String(args.description \|\| args.merchant \|\| args.amount \|\| '');\n }\n\n // Fallback: try common field names\n if (args.command) return String(args.command);\n if (args.path) return String(args.path);\n if (args.url) return String(args.url);\n\n // Default: use first non-empty string argument or tool name\n for (const val of Object.values(args)) {\n if (typeof val === 'string' && val.length > 0) return val;\n }\n return toolName;\n}\n\n// -----------------------------------------------------------------------\n// Network domain extraction\n// -----------------------------------------------------------------------\n\n/\n Extract network domains from a URL target.\n * Returns undefined if the target is not a URL.\n /\nexport function extractNetworkDomains(target: string): string[] \| undefined {\n try {\n if (target.startsWith('http://') \|\| target.startsWith('https://')) {\n const url = new URL(target);\n return [url.hostname];\n }\n } catch {\n // Not a URL\n }\n return undefined;\n}\n","/\n @astrasyncai/adapter-cursor\n \n Layer 4 adapter for Cursor / VS Code AI agents.\n * Intercepts file operations, terminal commands, and network requests\n * made by the AI agent within the editor.\n \n The adapter does NOT depend on @types/vscode. Instead, the VS Code\n * extension passes the real `vscode` module via a minimal interface\n * at initialize() time. This keeps the library free of extension host deps.\n \n ~250 lines — thin, disposable, platform-specific.\n /\n\nimport type { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface';\nimport type { PDLSSContext, VerificationDecision, AgentAction, InterceptResult } from '../gateway/types';\nimport type { AstraSyncGateway } from '../gateway/gateway';\nimport { ADAPTER_INTERFACE_VERSION } from '../adapter-interface/interface';\nimport { mapToolToPurpose, extractTarget, extractNetworkDomains } from '../adapter-interface/purpose-mapping';\n\n// -----------------------------------------------------------------------\n// Minimal VS Code type stubs (injected at runtime by the extension)\n// -----------------------------------------------------------------------\n\nexport interface Disposable {\n dispose(): void;\n}\n\nexport interface VSCodeAPI {\n workspace: {\n onDidCreateFiles: (listener: (e: FileEvent) => void) => Disposable;\n onDidDeleteFiles: (listener: (e: FileEvent) => void) => Disposable;\n onDidSaveTextDocument: (listener: (doc: TextDocumentLike) => void) => Disposable;\n };\n window: {\n onDidOpenTerminal: (listener: (terminal: TerminalLike) => void) => Disposable;\n showWarningMessage(message: string, ...items: string[]): Thenable<string \| undefined>;\n showInformationMessage(message: string, ...items: string[]): Thenable<string \| undefined>;\n showErrorMessage(message: string, ...items: string[]): Thenable<string \| undefined>;\n createOutputChannel(name: string): OutputChannelLike;\n };\n commands: {\n registerCommand(command: string, callback: (...args: unknown[]) => unknown): Disposable;\n };\n}\n\ninterface FileEvent {\n files: ReadonlyArray<{ fsPath: string; path: string }>;\n}\n\ninterface TextDocumentLike {\n uri: { fsPath: string; path: string };\n languageId: string;\n fileName: string;\n}\n\ninterface TerminalLike {\n name: string;\n processId: Thenable<number \| undefined>;\n sendText(text: string, addNewLine?: boolean): void;\n}\n\ntype Thenable<T> = PromiseLike<T>;\n\ninterface OutputChannelLike {\n appendLine(value: string): void;\n show(): void;\n dispose(): void;\n}\n\n// -----------------------------------------------------------------------\n// Configuration\n// -----------------------------------------------------------------------\n\nexport interface CursorAdapterOptions {\n /* The VS Code API object (passed by the extension at runtime) /\n vscode: VSCodeAPI;\n /* Callback for MANUAL_REVIEW decisions /\n onApprovalRequired?: (context: PDLSSContext, decision: VerificationDecision) => Promise<boolean>;\n}\n\n// -----------------------------------------------------------------------\n// Adapter implementation\n// -----------------------------------------------------------------------\n\nexport class CursorAdapter implements PlatformAdapter {\n readonly interfaceVersion = ADAPTER_INTERFACE_VERSION;\n\n private gateway!: AstraSyncGateway;\n private vscode!: VSCodeAPI;\n private disposables: Disposable[] = [];\n private outputChannel: OutputChannelLike \| null = null;\n private onApprovalRequired: (context: PDLSSContext, decision: VerificationDecision) => Promise<boolean>;\n private _isRunning = false;\n\n constructor(options?: Partial<CursorAdapterOptions>) {\n this.onApprovalRequired = options?.onApprovalRequired ?? (async () => false);\n if (options?.vscode) {\n this.vscode = options.vscode;\n }\n }\n\n get isRunning(): boolean {\n return this._isRunning;\n }\n\n async initialize(config: AdapterConfig): Promise<void> {\n this.gateway = config.gateway as AstraSyncGateway;\n\n if (config.adapterOptions.vscode) {\n this.vscode = config.adapterOptions.vscode as VSCodeAPI;\n }\n\n if (!this.vscode) {\n throw new Error('CursorAdapter requires vscode API — pass it via adapterOptions.vscode');\n }\n\n // Output channel for logging decisions\n this.outputChannel = this.vscode.window.createOutputChannel('AstraSync Local Guard');\n\n // Register file watchers\n this.disposables.push(\n this.vscode.workspace.onDidCreateFiles((e) => {\n for (const file of e.files) {\n this.evaluateFileAction('file_write', file.fsPath);\n }\n }),\n );\n\n this.disposables.push(\n this.vscode.workspace.onDidDeleteFiles((e) => {\n for (const file of e.files) {\n this.evaluateFileAction('file_delete', file.fsPath);\n }\n }),\n );\n\n this.disposables.push(\n this.vscode.workspace.onDidSaveTextDocument((doc) => {\n this.evaluateFileAction('file_write', doc.fileName);\n }),\n );\n\n // Register status command\n this.disposables.push(\n this.vscode.commands.registerCommand('astrasync.status', () => {\n this.outputChannel?.show();\n this.vscode.window.showInformationMessage('AstraSync Local Guard is active');\n }),\n );\n\n this._isRunning = true;\n this.log('AstraSync Local Guard for Cursor — initialized');\n }\n\n async shutdown(): Promise<void> {\n for (const d of this.disposables) {\n d.dispose();\n }\n this.disposables = [];\n this.outputChannel?.dispose();\n this.outputChannel = null;\n this._isRunning = false;\n }\n\n async interceptAction(action: AgentAction): Promise<InterceptResult> {\n const raw = action.raw as { type: string; path?: string; command?: string };\n\n if (!raw.type) {\n return { intercepted: false, skipReason: 'No action type' };\n }\n\n const context = this.extractContext(action);\n return { intercepted: true, context };\n }\n\n extractContext(action: AgentAction): PDLSSContext {\n const raw = action.raw as { type: string; path?: string; command?: string; url?: string };\n\n let toolName: string;\n const args: Record<string, unknown> = {};\n\n switch (raw.type) {\n case 'file.create':\n case 'file.save':\n toolName = 'file_write';\n args.path = raw.path \|\| '';\n break;\n case 'file.delete':\n toolName = 'file_delete';\n args.path = raw.path \|\| '';\n break;\n case 'file.read':\n toolName = 'file_read';\n args.path = raw.path \|\| '';\n break;\n case 'terminal.exec':\n toolName = 'shell_exec';\n args.command = raw.command \|\| '';\n break;\n case 'network.request':\n toolName = 'http_request';\n args.url = raw.url \|\| '';\n break;\n default:\n toolName = raw.type;\n }\n\n const purpose = mapToolToPurpose(toolName);\n const target = extractTarget(toolName, args);\n const networkAccess = extractNetworkDomains(target);\n\n return {\n purpose,\n action: toolName,\n target,\n ...(networkAccess && { networkAccess }),\n };\n }\n\n async enforceDecision(decision: VerificationDecision): Promise<void> {\n switch (decision.recommendation) {\n case 'DENY':\n this.log(`BLOCKED: ${decision.reason}`);\n this.vscode.window.showErrorMessage(\n `AstraSync blocked action: ${decision.reason}`,\n );\n break;\n case 'MANUAL_REVIEW':\n this.log(`REVIEW: ${decision.reason}`);\n break;\n case 'ALLOW':\n // No action needed\n break;\n }\n }\n\n // =====================================================================\n // Internal helpers\n // =====================================================================\n\n private async evaluateFileAction(toolName: string, filePath: string): Promise<void> {\n const action: AgentAction = {\n raw: {\n type: toolName === 'file_delete' ? 'file.delete' : 'file.save',\n path: filePath,\n },\n platform: 'cursor',\n timestamp: new Date(),\n };\n\n const interception = await this.interceptAction(action);\n if (!interception.intercepted \|\| !interception.context) return;\n\n const decision = await this.gateway.evaluate(interception.context);\n\n if (decision.recommendation === 'DENY') {\n await this.enforceDecision(decision);\n } else if (decision.recommendation === 'MANUAL_REVIEW') {\n const approved = await this.handleApproval(interception.context, decision);\n if (!approved) {\n await this.enforceDecision({ ...decision, recommendation: 'DENY' });\n }\n }\n\n this.log(`${decision.recommendation}: ${interception.context.purpose} -> ${interception.context.target}`);\n }\n\n private async handleApproval(context: PDLSSContext, decision: VerificationDecision): Promise<boolean> {\n if (this.onApprovalRequired) {\n return this.onApprovalRequired(context, decision);\n }\n\n // Default: VS Code prompt\n const choice = await this.vscode.window.showWarningMessage(\n `AstraSync: ${decision.reason}. Allow?`,\n 'Allow',\n 'Deny',\n );\n return choice === 'Allow';\n }\n\n private log(message: string): void {\n this.outputChannel?.appendLine(`[${new Date().toISOString()}] ${message}`);\n }\n}\n","/\n AstraSync Gateway - Types for gateway modes, local evaluation, and adapter interface.\n /\n\n// ========================================================================\n// Gateway Configuration\n// ========================================================================\n\nexport type GatewayMode = 'online' \| 'local' \| 'hybrid';\n\n/\n Posture controls whether the gateway actively blocks or just monitors.\n * - active: Evaluate and enforce decisions (block/allow/review)\n * - passive: Evaluate and log but never block (telemetry-only mode)\n /\nexport type GatewayPosture = 'active' \| 'passive';\n\nexport interface AstraSyncGatewayConfig {\n mode: GatewayMode;\n /* Enforcement posture: 'active' blocks actions, 'passive' logs only (default: 'active') /\n posture?: GatewayPosture;\n /* AstraSync API base URL (required for online/hybrid modes) /\n apiBaseUrl?: string;\n /* API key for authenticating with AstraSync (required for online/hybrid modes) /\n apiKey?: string;\n /* Path to local PDLSS policy YAML file (required for local/hybrid modes) /\n policyFile?: string;\n /* Inline policy object (alternative to policyFile) /\n policy?: LocalPolicy;\n /* Sync interval in seconds for hybrid mode (default: 3600) /\n syncInterval?: number;\n /* Cache verification results TTL in seconds (default: 300) /\n cacheTtl?: number;\n /* Enable debug logging /\n debug?: boolean;\n /* Enable trace logging to .astrasync/traces/ (default: false) /\n traceEnabled?: boolean;\n /* Trace log directory (default: .astrasync/traces/) /\n tracePath?: string;\n /* Default access level for unverified requests /\n defaultAccessLevel?: import('../types').AccessLevel;\n /* Minimum trust score for standard access (online/hybrid) /\n minTrustScore?: number;\n /* Minimum trust score for full access (online/hybrid) /\n minTrustScoreForFull?: number;\n /* Custom headers to send with API requests /\n customHeaders?: Record<string, string>;\n /* Counterparty URL for analytics /\n counterpartyUrl?: string;\n /* Counterparty type for analytics /\n counterpartyType?: import('../types').CounterpartyType;\n}\n\n// ========================================================================\n// PDLSS Context (Agent-side action context)\n// ========================================================================\n\nexport interface PDLSSContext {\n /* Purpose category (e.g. email.send, shell.exec, file.read) /\n purpose: string;\n /* Specific action within purpose /\n action: string;\n /* Target resource, recipient, or counterparty /\n target: string;\n /* Types of data access (read, write, delete) /\n dataAccess?: string[];\n /* Network domains/IPs being accessed /\n networkAccess?: string[];\n /* Resource type (customer, order, file, directory, process) /\n resourceType?: string;\n /* Risk factors for this action /\n riskFactors?: RiskFactor[];\n /* Transaction value (if financial) /\n transactionValue?: number;\n /* Currency for transaction /\n currency?: string;\n /* Additional metadata /\n metadata?: Record<string, unknown>;\n}\n\nexport interface RiskFactor {\n type: 'financial' \| 'data_sensitivity' \| 'privilege_escalation' \| 'network_scope' \| 'destructive';\n severity: 'low' \| 'medium' \| 'high' \| 'critical';\n detail: string;\n}\n\n// ========================================================================\n// Verification Decision\n// ========================================================================\n\nexport interface VerificationDecision {\n recommendation: 'ALLOW' \| 'DENY' \| 'MANUAL_REVIEW';\n reason: string;\n trustScore?: number;\n tokenGuidance?: import('../types').TokenGuidance;\n sessionId?: string;\n /* PDLSS dimensions that were evaluated /\n evaluatedDimensions?: {\n purpose: boolean;\n scope: boolean;\n limits: boolean;\n riskThresholds: boolean;\n };\n}\n\n// ========================================================================\n// Local Policy Types (YAML format)\n// ========================================================================\n\nexport interface LocalPolicy {\n version: string;\n name: string;\n description?: string;\n purposes: LocalPurposeRule[];\n scope?: LocalScope;\n limits?: LocalLimits;\n riskThresholds?: LocalRiskThresholds;\n selfInstantiation?: LocalSelfInstantiation;\n}\n\nexport interface LocalPurposeRule {\n id: string;\n allowed: boolean;\n targets?: string[];\n blockedPatterns?: string[];\n requiresApproval?: boolean;\n}\n\nexport interface LocalScope {\n allowedDomains?: string[];\n blockedDomains?: string[];\n blockedResources?: string[];\n}\n\nexport interface LocalLimits {\n maxTransactionAmount?: number;\n maxRequestsPerHour?: number;\n currency?: string;\n}\n\nexport interface LocalRiskThresholds {\n autoAllow: { min: number; max: number };\n requireApproval: { min: number; max: number };\n autoBlock: { min: number; max: number };\n}\n\nexport interface LocalSelfInstantiation {\n /* Whether sub-agent spawning is allowed /\n allowed: boolean;\n /* Maximum depth of sub-agent chain /\n maxDepth?: number;\n}\n\n// ========================================================================\n// Risk Scoring Defaults (cherry-picked from trust-harness-core)\n// ========================================================================\n\n/* Base risk scores per action category /\nexport const BASE_RISK_SCORES: Record<string, number> = {\n 'file.read': 10,\n 'file.write': 40,\n 'file.delete': 70,\n 'shell.exec': 50,\n 'network.fetch': 60,\n 'network.request': 60,\n 'email.send': 45,\n 'email.read': 15,\n 'calendar.create': 20,\n 'calendar.modify': 30,\n 'database.query': 25,\n 'database.write': 55,\n 'payment.execute': 80,\n 'sub_agent.spawn': 65,\n 'code.execute': 45,\n};\n\n/* Shell commands that significantly increase risk score /\nexport const HIGH_RISK_COMMANDS = [\n 'rm', 'rmdir', 'dd', 'mkfs', 'chmod', 'chown',\n 'sudo', 'su', 'curl', 'wget', 'nc', 'netcat',\n 'ssh', 'scp', 'rsync', 'git push', 'npm publish',\n 'docker', 'kubectl',\n];\n\n/* File paths that indicate sensitive data access /\nexport const SENSITIVE_PATHS = [\n '.ssh', '.aws', '.gnupg', '.env', 'credentials',\n 'secrets', 'password', '.git/config', '/etc', '/var', '/root',\n 'id_rsa', '.npmrc', '.pypirc',\n];\n\n// ========================================================================\n// Trace Event Types\n// ========================================================================\n\nexport interface TraceEvent {\n id: string;\n timestamp: Date;\n type: 'evaluation' \| 'decision' \| 'error' \| 'mode_switch';\n context?: PDLSSContext;\n decision?: VerificationDecision;\n metadata?: Record<string, unknown>;\n}\n\n// ========================================================================\n// Adapter Interface Types\n// ========================================================================\n\nexport interface AdapterConfig {\n /* The gateway instance (handles mode routing) /\n gateway: unknown; // Typed as AstraSyncGateway at usage site to avoid circular deps\n /* Platform-specific configuration /\n adapterOptions: Record<string, unknown>;\n}\n\nexport interface AgentAction {\n /* Raw action data from the platform /\n raw: unknown;\n /* Platform identifier (e.g. 'openclaw-cli', 'cursor', 'browser') /\n platform: string;\n /* Timestamp of the action /\n timestamp: Date;\n}\n\nexport interface InterceptResult {\n /* Whether the action was intercepted /\n intercepted: boolean;\n /* Extracted PDLSS context (if intercepted) /\n context?: PDLSSContext;\n /* Reason for not intercepting (if not intercepted) /\n skipReason?: string;\n}\n\n// ========================================================================\n// Sync Queue Types (Hybrid mode)\n// ========================================================================\n\nexport interface SyncQueueEntry {\n id: string;\n context: PDLSSContext;\n decision: VerificationDecision;\n timestamp: Date;\n retryCount: number;\n status: 'pending' \| 'synced' \| 'failed';\n}\n","/\n Local PDLSS Evaluator\n \n Evaluates agent actions against a local PDLSS policy.\n * Same logic as the cloud evaluator but runs in-process with no I/O.\n \n Evaluation order:\n * 1. Purpose: find matching rule, check if allowed\n * 2. Purpose: check allowed targets (if specified)\n * 3. Purpose: check blocked patterns (if specified)\n * 4. Scope: check global blocked resources/domains\n * 5. Limits: check transaction/rate limits\n * 6. Risk thresholds + approval requirements\n /\n\nimport type { LocalPolicy, PDLSSContext, VerificationDecision, LocalPurposeRule } from '../gateway/types';\nimport { HIGH_RISK_COMMANDS, SENSITIVE_PATHS } from '../gateway/types';\n\nexport class LocalEvaluator {\n private policy: LocalPolicy;\n private requestCounts: Map<string, { count: number; windowStart: number }> = new Map();\n\n constructor(policy: LocalPolicy) {\n this.policy = policy;\n }\n\n /\n Update the policy (e.g. after hot-reload or sync).\n /\n updatePolicy(policy: LocalPolicy): void {\n this.policy = policy;\n }\n\n /\n Evaluate an action context against the loaded policy.\n /\n evaluate(context: PDLSSContext): VerificationDecision {\n // 1. Purpose: find matching rule\n const purposeRule = this.policy.purposes.find((p) => p.id === context.purpose);\n if (!purposeRule) {\n return { recommendation: 'DENY', reason: 'Purpose not in policy' };\n }\n if (!purposeRule.allowed) {\n return { recommendation: 'DENY', reason: 'Purpose explicitly blocked' };\n }\n\n // 2. Purpose: check allowed targets\n if (purposeRule.targets && !this.matchesAnyPattern(context.target, purposeRule.targets)) {\n return { recommendation: 'DENY', reason: 'Target not in allowed list' };\n }\n\n // 3. Purpose: check blocked patterns\n if (purposeRule.blockedPatterns && this.matchesAnyPattern(context.target, purposeRule.blockedPatterns)) {\n return { recommendation: 'DENY', reason: 'Target matches blocked pattern' };\n }\n\n // 4. Scope: check global blocked resources/domains\n const scopeBlock = this.checkScopeBlock(context);\n if (scopeBlock) {\n return { recommendation: 'DENY', reason: scopeBlock };\n }\n\n // 5. Limits: check transaction and rate limits\n const limitViolation = this.checkLimits(context);\n if (limitViolation) {\n return { recommendation: 'DENY', reason: limitViolation };\n }\n\n // 6. Self-instantiation: check sub-agent spawning rules\n if (context.purpose === 'sub_agent.spawn' && this.policy.selfInstantiation) {\n if (!this.policy.selfInstantiation.allowed) {\n return { recommendation: 'DENY', reason: 'Sub-agent spawning is not allowed' };\n }\n const depth = (context.metadata?.subAgentDepth as number) \|\| 0;\n if (this.policy.selfInstantiation.maxDepth !== undefined && depth >= this.policy.selfInstantiation.maxDepth) {\n return { recommendation: 'DENY', reason: `Sub-agent depth ${depth} exceeds max depth ${this.policy.selfInstantiation.maxDepth}` };\n }\n }\n\n // 7. Risk thresholds + approval requirements\n if (purposeRule.requiresApproval) {\n return { recommendation: 'MANUAL_REVIEW', reason: 'Purpose requires approval' };\n }\n\n const riskDecision = this.checkRiskThresholds(context);\n if (riskDecision) {\n return riskDecision;\n }\n\n return {\n recommendation: 'ALLOW',\n reason: 'All PDLSS checks passed',\n evaluatedDimensions: {\n purpose: true,\n scope: !!this.policy.scope,\n limits: !!this.policy.limits,\n riskThresholds: !!this.policy.riskThresholds,\n },\n };\n }\n\n private checkScopeBlock(context: PDLSSContext): string \| null {\n const scope = this.policy.scope;\n if (!scope) return null;\n\n // Check blocked domains against target and network access\n if (scope.blockedDomains) {\n const targetDomain = this.extractDomain(context.target);\n if (this.matchesAnyPattern(targetDomain, scope.blockedDomains)) {\n return `Target blocked by scope: ${context.target}`;\n }\n if (context.networkAccess) {\n for (const domain of context.networkAccess) {\n if (this.matchesAnyPattern(this.extractDomain(domain), scope.blockedDomains)) {\n return `Domain blocked by scope: ${domain}`;\n }\n }\n }\n }\n\n // Check blocked resources against target\n if (scope.blockedResources && this.matchesAnyPattern(context.target, scope.blockedResources)) {\n return `Resource blocked by scope: ${context.target}`;\n }\n\n // Check allowed domains (if specified, target must match)\n if (scope.allowedDomains && context.networkAccess) {\n for (const domain of context.networkAccess) {\n if (!this.matchesAnyPattern(this.extractDomain(domain), scope.allowedDomains)) {\n return `Domain not in allowed list: ${domain}`;\n }\n }\n }\n\n return null;\n }\n\n private checkLimits(context: PDLSSContext): string \| null {\n const limits = this.policy.limits;\n if (!limits) return null;\n\n // Transaction amount check\n if (limits.maxTransactionAmount !== undefined && context.transactionValue !== undefined) {\n if (context.transactionValue > limits.maxTransactionAmount) {\n return `Transaction value ${context.transactionValue} exceeds limit ${limits.maxTransactionAmount}`;\n }\n }\n\n // Rate limit check\n if (limits.maxRequestsPerHour !== undefined) {\n const key = context.purpose;\n const now = Date.now();\n const entry = this.requestCounts.get(key);\n const hourMs = 3600000;\n\n if (!entry \|\| now - entry.windowStart > hourMs) {\n this.requestCounts.set(key, { count: 1, windowStart: now });\n } else {\n entry.count++;\n if (entry.count > limits.maxRequestsPerHour) {\n return `Rate limit exceeded: ${entry.count}/${limits.maxRequestsPerHour} requests per hour`;\n }\n }\n }\n\n return null;\n }\n\n private checkRiskThresholds(context: PDLSSContext): VerificationDecision \| null {\n if (!this.policy.riskThresholds) return null;\n\n const riskScore = this.calculateRiskScore(context);\n const thresholds = this.policy.riskThresholds;\n\n if (riskScore >= thresholds.autoBlock.min) {\n return { recommendation: 'DENY', reason: `Risk score ${riskScore} exceeds block threshold` };\n }\n\n if (riskScore >= thresholds.requireApproval.min) {\n return { recommendation: 'MANUAL_REVIEW', reason: `Risk score ${riskScore} requires approval` };\n }\n\n return null;\n }\n\n private calculateRiskScore(context: PDLSSContext): number {\n let score = 0;\n\n // Explicit risk factors take priority (highest severity wins)\n if (context.riskFactors?.length) {\n const severityScores: Record<string, number> = {\n low: 10,\n medium: 40,\n high: 70,\n critical: 90,\n };\n\n for (const factor of context.riskFactors) {\n const factorScore = severityScores[factor.severity] \|\| 0;\n if (factorScore > score) score = factorScore;\n }\n return score;\n }\n\n // Auto-detect risk from high-risk shell commands\n if (context.purpose === 'shell.exec' && context.target) {\n const targetLower = context.target.toLowerCase();\n for (const cmd of HIGH_RISK_COMMANDS) {\n if (targetLower.startsWith(cmd) \|\| targetLower.includes(` ${cmd} `) \|\| targetLower.includes(` ${cmd}`)) {\n score = Math.max(score, 80);\n break;\n }\n }\n }\n\n // Auto-detect risk from sensitive file paths (score 50 = review range)\n if ((context.purpose === 'file.read' \|\| context.purpose === 'file.write' \|\| context.purpose === 'file.delete') && context.target) {\n const targetLower = context.target.toLowerCase();\n for (const sensitivePath of SENSITIVE_PATHS) {\n if (targetLower.includes(sensitivePath.toLowerCase())) {\n score = Math.max(score, 50);\n break;\n }\n }\n }\n\n return score;\n }\n\n /\n Extract domain from a URL-like string (strips protocol and path).\n /\n private extractDomain(value: string): string {\n let domain = value;\n // Strip protocol\n const protoIndex = domain.indexOf('://');\n if (protoIndex !== -1) domain = domain.slice(protoIndex + 3);\n // Strip path\n const slashIndex = domain.indexOf('/');\n if (slashIndex !== -1) domain = domain.slice(0, slashIndex);\n // Strip port\n const colonIndex = domain.indexOf(':');\n if (colonIndex !== -1) domain = domain.slice(0, colonIndex);\n return domain;\n }\n\n /\n Check if a value matches any of the given glob patterns.\n /\n private matchesAnyPattern(value: string, patterns: string[]): boolean {\n return patterns.some((pattern) => this.matchGlob(value, pattern));\n }\n\n /\n Simple glob pattern matching.\n * Supports * (matches any characters including / and spaces) and ? (single char).\n * Uses the same approach as the backend's matchGlobPattern.\n /\n private matchGlob(value: string, pattern: string): boolean {\n // Exact match\n if (pattern === value) return true;\n\n // Convert glob to regex\n const regexStr = pattern\n .replace(/[.+^${}()\|[\\]\\\\]/g, '\\\\$&') // Escape special regex chars (except and ?)\n .replace(/\\/g, '.') // * matches anything\n .replace(/\\?/g, '.'); // ? matches single char\n\n try {\n return new RegExp(`^${regexStr}$`, 'i').test(value);\n } catch {\n return false;\n }\n }\n}\n\n/*\n Convenience: find a matching purpose rule.\n /\nexport function findPurposeRule(policy: LocalPolicy, purposeId: string): LocalPurposeRule \| undefined {\n return policy.purposes.find((p) => p.id === purposeId);\n}\n","\n/! js-yaml 4.1.1 https://github.com/nodeca/js-yaml @license MIT /\nfunction isNothing(subject) {\n return (typeof subject === 'undefined') \|\| (subject === null);\n}\n\n\nfunction isObject(subject) {\n return (typeof subject === 'object') && (subject !== null);\n}\n\n\nfunction toArray(sequence) {\n if (Array.isArray(sequence)) return sequence;\n else if (isNothing(sequence)) return [];\n\n return [ sequence ];\n}\n\n\nfunction extend(target, source) {\n var index, length, key, sourceKeys;\n\n if (source) {\n sourceKeys = Object.keys(source);\n\n for (index = 0, length = sourceKeys.length; index < length; index += 1) {\n key = sourceKeys[index];\n target[key] = source[key];\n }\n }\n\n return target;\n}\n\n\nfunction repeat(string, count) {\n var result = '', cycle;\n\n for (cycle = 0; cycle < count; cycle += 1) {\n result += string;\n }\n\n return result;\n}\n\n\nfunction isNegativeZero(number) {\n return (number === 0) && (Number.NEGATIVE_INFINITY === 1 / number);\n}\n\n\nvar isNothing_1 = isNothing;\nvar isObject_1 = isObject;\nvar toArray_1 = toArray;\nvar repeat_1 = repeat;\nvar isNegativeZero_1 = isNegativeZero;\nvar extend_1 = extend;\n\nvar common = {\n\tisNothing: isNothing_1,\n\tisObject: isObject_1,\n\ttoArray: toArray_1,\n\trepeat: repeat_1,\n\tisNegativeZero: isNegativeZero_1,\n\textend: extend_1\n};\n\n// YAML error class. http://stackoverflow.com/questions/8458984\n\n\nfunction formatError(exception, compact) {\n var where = '', message = exception.reason \|\| '(unknown reason)';\n\n if (!exception.mark) return message;\n\n if (exception.mark.name) {\n where += 'in \"' + exception.mark.name + '\" ';\n }\n\n where += '(' + (exception.mark.line + 1) + ':' + (exception.mark.column + 1) + ')';\n\n if (!compact && exception.mark.snippet) {\n where += '\\n\\n' + exception.mark.snippet;\n }\n\n return message + ' ' + where;\n}\n\n\nfunction YAMLException$1(reason, mark) {\n // Super constructor\n Error.call(this);\n\n this.name = 'YAMLException';\n this.reason = reason;\n this.mark = mark;\n this.message = formatError(this, false);\n\n // Include stack trace in error object\n if (Error.captureStackTrace) {\n // Chrome and NodeJS\n Error.captureStackTrace(this, this.constructor);\n } else {\n // FF, IE 10+ and Safari 6+. Fallback for others\n this.stack = (new Error()).stack \|\| '';\n }\n}\n\n\n// Inherit from Error\nYAMLException$1.prototype = Object.create(Error.prototype);\nYAMLException$1.prototype.constructor = YAMLException$1;\n\n\nYAMLException$1.prototype.toString = function toString(compact) {\n return this.name + ': ' + formatError(this, compact);\n};\n\n\nvar exception = YAMLException$1;\n\n// get snippet for a single line, respecting maxLength\nfunction getLine(buffer, lineStart, lineEnd, position, maxLineLength) {\n var head = '';\n var tail = '';\n var maxHalfLength = Math.floor(maxLineLength / 2) - 1;\n\n if (position - lineStart > maxHalfLength) {\n head = ' ... ';\n lineStart = position - maxHalfLength + head.length;\n }\n\n if (lineEnd - position > maxHalfLength) {\n tail = ' ...';\n lineEnd = position + maxHalfLength - tail.length;\n }\n\n return {\n str: head + buffer.slice(lineStart, lineEnd).replace(/\\t/g, '→') + tail,\n pos: position - lineStart + head.length // relative position\n };\n}\n\n\nfunction padStart(string, max) {\n return common.repeat(' ', max - string.length) + string;\n}\n\n\nfunction makeSnippet(mark, options) {\n options = Object.create(options \|\| null);\n\n if (!mark.buffer) return null;\n\n if (!options.maxLength) options.maxLength = 79;\n if (typeof options.indent !== 'number') options.indent = 1;\n if (typeof options.linesBefore !== 'number') options.linesBefore = 3;\n if (typeof options.linesAfter !== 'number') options.linesAfter = 2;\n\n var re = /\\r?\\n\|\\r\|\\0/g;\n var lineStarts = [ 0 ];\n var lineEnds = [];\n var match;\n var foundLineNo = -1;\n\n while ((match = re.exec(mark.buffer))) {\n lineEnds.push(match.index);\n lineStarts.push(match.index + match[0].length);\n\n if (mark.position <= match.index && foundLineNo < 0) {\n foundLineNo = lineStarts.length - 2;\n }\n }\n\n if (foundLineNo < 0) foundLineNo = lineStarts.length - 1;\n\n var result = '', i, line;\n var lineNoLength = Math.min(mark.line + options.linesAfter, lineEnds.length).toString().length;\n var maxLineLength = options.maxLength - (options.indent + lineNoLength + 3);\n\n for (i = 1; i <= options.linesBefore; i++) {\n if (foundLineNo - i < 0) break;\n line = getLine(\n mark.buffer,\n lineStarts[foundLineNo - i],\n lineEnds[foundLineNo - i],\n mark.position - (lineStarts[foundLineNo] - lineStarts[foundLineNo - i]),\n maxLineLength\n );\n result = common.repeat(' ', options.indent) + padStart((mark.line - i + 1).toString(), lineNoLength) +\n ' \| ' + line.str + '\\n' + result;\n }\n\n line = getLine(mark.buffer, lineStarts[foundLineNo], lineEnds[foundLineNo], mark.position, maxLineLength);\n result += common.repeat(' ', options.indent) + padStart((mark.line + 1).toString(), lineNoLength) +\n ' \| ' + line.str + '\\n';\n result += common.repeat('-', options.indent + lineNoLength + 3 + line.pos) + '^' + '\\n';\n\n for (i = 1; i <= options.linesAfter; i++) {\n if (foundLineNo + i >= lineEnds.length) break;\n line = getLine(\n mark.buffer,\n lineStarts[foundLineNo + i],\n lineEnds[foundLineNo + i],\n mark.position - (lineStarts[foundLineNo] - lineStarts[foundLineNo + i]),\n maxLineLength\n );\n result += common.repeat(' ', options.indent) + padStart((mark.line + i + 1).toString(), lineNoLength) +\n ' \| ' + line.str + '\\n';\n }\n\n return result.replace(/\\n$/, '');\n}\n\n\nvar snippet = makeSnippet;\n\nvar TYPE_CONSTRUCTOR_OPTIONS = [\n 'kind',\n 'multi',\n 'resolve',\n 'construct',\n 'instanceOf',\n 'predicate',\n 'represent',\n 'representName',\n 'defaultStyle',\n 'styleAliases'\n];\n\nvar YAML_NODE_KINDS = [\n 'scalar',\n 'sequence',\n 'mapping'\n];\n\nfunction compileStyleAliases(map) {\n var result = {};\n\n if (map !== null) {\n Object.keys(map).forEach(function (style) {\n map[style].forEach(function (alias) {\n result[String(alias)] = style;\n });\n });\n }\n\n return result;\n}\n\nfunction Type$1(tag, options) {\n options = options \|\| {};\n\n Object.keys(options).forEach(function (name) {\n if (TYPE_CONSTRUCTOR_OPTIONS.indexOf(name) === -1) {\n throw new exception('Unknown option \"' + name + '\" is met in definition of \"' + tag + '\" YAML type.');\n }\n });\n\n // TODO: Add tag format check.\n this.options = options; // keep original options in case user wants to extend this type later\n this.tag = tag;\n this.kind = options['kind'] \|\| null;\n this.resolve = options['resolve'] \|\| function () { return true; };\n this.construct = options['construct'] \|\| function (data) { return data; };\n this.instanceOf = options['instanceOf'] \|\| null;\n this.predicate = options['predicate'] \|\| null;\n this.represent = options['represent'] \|\| null;\n this.representName = options['representName'] \|\| null;\n this.defaultStyle = options['defaultStyle'] \|\| null;\n this.multi = options['multi'] \|\| false;\n this.styleAliases = compileStyleAliases(options['styleAliases'] \|\| null);\n\n if (YAML_NODE_KINDS.indexOf(this.kind) === -1) {\n throw new exception('Unknown kind \"' + this.kind + '\" is specified for \"' + tag + '\" YAML type.');\n }\n}\n\nvar type = Type$1;\n\n/eslint-disable max-len/\n\n\n\n\n\nfunction compileList(schema, name) {\n var result = [];\n\n schema[name].forEach(function (currentType) {\n var newIndex = result.length;\n\n result.forEach(function (previousType, previousIndex) {\n if (previousType.tag === currentType.tag &&\n previousType.kind === currentType.kind &&\n previousType.multi === currentType.multi) {\n\n newIndex = previousIndex;\n }\n });\n\n result[newIndex] = currentType;\n });\n\n return result;\n}\n\n\nfunction compileMap(/ lists... /) {\n var result = {\n scalar: {},\n sequence: {},\n mapping: {},\n fallback: {},\n multi: {\n scalar: [],\n sequence: [],\n mapping: [],\n fallback: []\n }\n }, index, length;\n\n function collectType(type) {\n if (type.multi) {\n result.multi[type.kind].push(type);\n result.multi['fallback'].push(type);\n } else {\n result[type.kind][type.tag] = result['fallback'][type.tag] = type;\n }\n }\n\n for (index = 0, length = arguments.length; index < length; index += 1) {\n arguments[index].forEach(collectType);\n }\n return result;\n}\n\n\nfunction Schema$1(definition) {\n return this.extend(definition);\n}\n\n\nSchema$1.prototype.extend = function extend(definition) {\n var implicit = [];\n var explicit = [];\n\n if (definition instanceof type) {\n // Schema.extend(type)\n explicit.push(definition);\n\n } else if (Array.isArray(definition)) {\n // Schema.extend([ type1, type2, ... ])\n explicit = explicit.concat(definition);\n\n } else if (definition && (Array.isArray(definition.implicit) \|\| Array.isArray(definition.explicit))) {\n // Schema.extend({ explicit: [ type1, type2, ... ], implicit: [ type1, type2, ... ] })\n if (definition.implicit) implicit = implicit.concat(definition.implicit);\n if (definition.explicit) explicit = explicit.concat(definition.explicit);\n\n } else {\n throw new exception('Schema.extend argument should be a Type, [ Type ], ' +\n 'or a schema definition ({ implicit: [...], explicit: [...] })');\n }\n\n implicit.forEach(function (type$1) {\n if (!(type$1 instanceof type)) {\n throw new exception('Specified list of YAML types (or a single Type object) contains a non-Type object.');\n }\n\n if (type$1.loadKind && type$1.loadKind !== 'scalar') {\n throw new exception('There is a non-scalar type in the implicit list of a schema. Implicit resolving of such types is not supported.');\n }\n\n if (type$1.multi) {\n throw new exception('There is a multi type in the implicit list of a schema. Multi tags can only be listed as explicit.');\n }\n });\n\n explicit.forEach(function (type$1) {\n if (!(type$1 instanceof type)) {\n throw new exception('Specified list of YAML types (or a single Type object) contains a non-Type object.');\n }\n });\n\n var result = Object.create(Schema$1.prototype);\n\n result.implicit = (this.implicit \|\| []).concat(implicit);\n result.explicit = (this.explicit \|\| []).concat(explicit);\n\n result.compiledImplicit = compileList(result, 'implicit');\n result.compiledExplicit = compileList(result, 'explicit');\n result.compiledTypeMap = compileMap(result.compiledImplicit, result.compiledExplicit);\n\n return result;\n};\n\n\nvar schema = Schema$1;\n\nvar str = new type('tag:yaml.org,2002:str', {\n kind: 'scalar',\n construct: function (data) { return data !== null ? data : ''; }\n});\n\nvar seq = new type('tag:yaml.org,2002:seq', {\n kind: 'sequence',\n construct: function (data) { return data !== null ? data : []; }\n});\n\nvar map = new type('tag:yaml.org,2002:map', {\n kind: 'mapping',\n construct: function (data) { return data !== null ? data : {}; }\n});\n\nvar failsafe = new schema({\n explicit: [\n str,\n seq,\n map\n ]\n});\n\nfunction resolveYamlNull(data) {\n if (data === null) return true;\n\n var max = data.length;\n\n return (max === 1 && data === '~') \|\|\n (max === 4 && (data === 'null' \|\| data === 'Null' \|\| data === 'NULL'));\n}\n\nfunction constructYamlNull() {\n return null;\n}\n\nfunction isNull(object) {\n return object === null;\n}\n\nvar _null = new type('tag:yaml.org,2002:null', {\n kind: 'scalar',\n resolve: resolveYamlNull,\n construct: constructYamlNull,\n predicate: isNull,\n represent: {\n canonical: function () { return '~'; },\n lowercase: function () { return 'null'; },\n uppercase: function () { return 'NULL'; },\n camelcase: function () { return 'Null'; },\n empty: function () { return ''; }\n },\n defaultStyle: 'lowercase'\n});\n\nfunction resolveYamlBoolean(data) {\n if (data === null) return false;\n\n var max = data.length;\n\n return (max === 4 && (data === 'true' \|\| data === 'True' \|\| data === 'TRUE')) \|\|\n (max === 5 && (data === 'false' \|\| data === 'False' \|\| data === 'FALSE'));\n}\n\nfunction constructYamlBoolean(data) {\n return data === 'true' \|\|\n data === 'True' \|\|\n data === 'TRUE';\n}\n\nfunction isBoolean(object) {\n return Object.prototype.toString.call(object) === '[object Boolean]';\n}\n\nvar bool = new type('tag:yaml.org,2002:bool', {\n kind: 'scalar',\n resolve: resolveYamlBoolean,\n construct: constructYamlBoolean,\n predicate: isBoolean,\n represent: {\n lowercase: function (object) { return object ? 'true' : 'false'; },\n uppercase: function (object) { return object ? 'TRUE' : 'FALSE'; },\n camelcase: function (object) { return object ? 'True' : 'False'; }\n },\n defaultStyle: 'lowercase'\n});\n\nfunction isHexCode(c) {\n return ((0x30/ 0 / <= c) && (c <= 0x39/ 9 /)) \|\|\n ((0x41/ A / <= c) && (c <= 0x46/ F /)) \|\|\n ((0x61/ a / <= c) && (c <= 0x66/ f /));\n}\n\nfunction isOctCode(c) {\n return ((0x30/ 0 / <= c) && (c <= 0x37/ 7 /));\n}\n\nfunction isDecCode(c) {\n return ((0x30/ 0 / <= c) && (c <= 0x39/ 9 /));\n}\n\nfunction resolveYamlInteger(data) {\n if (data === null) return false;\n\n var max = data.length,\n index = 0,\n hasDigits = false,\n ch;\n\n if (!max) return false;\n\n ch = data[index];\n\n // sign\n if (ch === '-' \|\| ch === '+') {\n ch = data[++index];\n }\n\n if (ch === '0') {\n // 0\n if (index + 1 === max) return true;\n ch = data[++index];\n\n // base 2, base 8, base 16\n\n if (ch === 'b') {\n // base 2\n index++;\n\n for (; index < max; index++) {\n ch = data[index];\n if (ch === '_') continue;\n if (ch !== '0' && ch !== '1') return false;\n hasDigits = true;\n }\n return hasDigits && ch !== '_';\n }\n\n\n if (ch === 'x') {\n // base 16\n index++;\n\n for (; index < max; index++) {\n ch = data[index];\n if (ch === '_') continue;\n if (!isHexCode(data.charCodeAt(index))) return false;\n hasDigits = true;\n }\n return hasDigits && ch !== '_';\n }\n\n\n if (ch === 'o') {\n // base 8\n index++;\n\n for (; index < max; index++) {\n ch = data[index];\n if (ch === '_') continue;\n if (!isOctCode(data.charCodeAt(index))) return false;\n hasDigits = true;\n }\n return hasDigits && ch !== '_';\n }\n }\n\n // base 10 (except 0)\n\n // value should not start with `_`;\n if (ch === '_') return false;\n\n for (; index < max; index++) {\n ch = data[index];\n if (ch === '_') continue;\n if (!isDecCode(data.charCodeAt(index))) {\n return false;\n }\n hasDigits = true;\n }\n\n // Should have digits and should not end with `_`\n if (!hasDigits \|\| ch === '_') return false;\n\n return true;\n}\n\nfunction constructYamlInteger(data) {\n var value = data, sign = 1, ch;\n\n if (value.indexOf('_') !== -1) {\n value = value.replace(/_/g, '');\n }\n\n ch = value[0];\n\n if (ch === '-' \|\| ch === '+') {\n if (ch === '-') sign = -1;\n value = value.slice(1);\n ch = value[0];\n }\n\n if (value === '0') return 0;\n\n if (ch === '0') {\n if (value[1] === 'b') return sign parseInt(value.slice(2), 2);\n if (value[1] === 'x') return sign * parseInt(value.slice(2), 16);\n if (value[1] === 'o') return sign * parseInt(value.slice(2), 8);\n }\n\n return sign * parseInt(value, 10);\n}\n\nfunction isInteger(object) {\n return (Object.prototype.toString.call(object)) === '[object Number]' &&\n (object % 1 === 0 && !common.isNegativeZero(object));\n}\n\nvar int = new type('tag:yaml.org,2002:int', {\n kind: 'scalar',\n resolve: resolveYamlInteger,\n construct: constructYamlInteger,\n predicate: isInteger,\n represent: {\n binary: function (obj) { return obj >= 0 ? '0b' + obj.toString(2) : '-0b' + obj.toString(2).slice(1); },\n octal: function (obj) { return obj >= 0 ? '0o' + obj.toString(8) : '-0o' + obj.toString(8).slice(1); },\n decimal: function (obj) { return obj.toString(10); },\n /* eslint-disable max-len /\n hexadecimal: function (obj) { return obj >= 0 ? '0x' + obj.toString(16).toUpperCase() : '-0x' + obj.toString(16).toUpperCase().slice(1); }\n },\n defaultStyle: 'decimal',\n styleAliases: {\n binary: [ 2, 'bin' ],\n octal: [ 8, 'oct' ],\n decimal: [ 10, 'dec' ],\n hexadecimal: [ 16, 'hex' ]\n }\n});\n\nvar YAML_FLOAT_PATTERN = new RegExp(\n // 2.5e4, 2.5 and integers\n '^(?:[-+]?(?:[0-9][0-9_])(?:\\\\.[0-9_])?(?:[eE][-+]?[0-9]+)?' +\n // .2e4, .2\n // special case, seems not from spec\n '\|\\\\.[0-9_]+(?:[eE][-+]?[0-9]+)?' +\n // .inf\n '\|[-+]?\\\\.(?:inf\|Inf\|INF)' +\n // .nan\n '\|\\\\.(?:nan\|NaN\|NAN))$');\n\nfunction resolveYamlFloat(data) {\n if (data === null) return false;\n\n if (!YAML_FLOAT_PATTERN.test(data) \|\|\n // Quick hack to not allow integers end with `_`\n // Probably should update regexp & check speed\n data[data.length - 1] === '_') {\n return false;\n }\n\n return true;\n}\n\nfunction constructYamlFloat(data) {\n var value, sign;\n\n value = data.replace(/_/g, '').toLowerCase();\n sign = value[0] === '-' ? -1 : 1;\n\n if ('+-'.indexOf(value[0]) >= 0) {\n value = value.slice(1);\n }\n\n if (value === '.inf') {\n return (sign === 1) ? Number.POSITIVE_INFINITY : Number.NEGATIVE_INFINITY;\n\n } else if (value === '.nan') {\n return NaN;\n }\n return sign parseFloat(value, 10);\n}\n\n\nvar SCIENTIFIC_WITHOUT_DOT = /^[-+]?[0-9]+e/;\n\nfunction representYamlFloat(object, style) {\n var res;\n\n if (isNaN(object)) {\n switch (style) {\n case 'lowercase': return '.nan';\n case 'uppercase': return '.NAN';\n case 'camelcase': return '.NaN';\n }\n } else if (Number.POSITIVE_INFINITY === object) {\n switch (style) {\n case 'lowercase': return '.inf';\n case 'uppercase': return '.INF';\n case 'camelcase': return '.Inf';\n }\n } else if (Number.NEGATIVE_INFINITY === object) {\n switch (style) {\n case 'lowercase': return '-.inf';\n case 'uppercase': return '-.INF';\n case 'camelcase': return '-.Inf';\n }\n } else if (common.isNegativeZero(object)) {\n return '-0.0';\n }\n\n res = object.toString(10);\n\n // JS stringifier can build scientific format without dots: 5e-100,\n // while YAML requres dot: 5.e-100. Fix it with simple hack\n\n return SCIENTIFIC_WITHOUT_DOT.test(res) ? res.replace('e', '.e') : res;\n}\n\nfunction isFloat(object) {\n return (Object.prototype.toString.call(object) === '[object Number]') &&\n (object % 1 !== 0 \|\| common.isNegativeZero(object));\n}\n\nvar float = new type('tag:yaml.org,2002:float', {\n kind: 'scalar',\n resolve: resolveYamlFloat,\n construct: constructYamlFloat,\n predicate: isFloat,\n represent: representYamlFloat,\n defaultStyle: 'lowercase'\n});\n\nvar json = failsafe.extend({\n implicit: [\n _null,\n bool,\n int,\n float\n ]\n});\n\nvar core = json;\n\nvar YAML_DATE_REGEXP = new RegExp(\n '^([0-9][0-9][0-9][0-9])' + // [1] year\n '-([0-9][0-9])' + // [2] month\n '-([0-9][0-9])$'); // [3] day\n\nvar YAML_TIMESTAMP_REGEXP = new RegExp(\n '^([0-9][0-9][0-9][0-9])' + // [1] year\n '-([0-9][0-9]?)' + // [2] month\n '-([0-9][0-9]?)' + // [3] day\n '(?:[Tt]\|[ \\\\t]+)' + // ...\n '([0-9][0-9]?)' + // [4] hour\n ':([0-9][0-9])' + // [5] minute\n ':([0-9][0-9])' + // [6] second\n '(?:\\\\.([0-9]))?' + // [7] fraction\n '(?:[ \\\\t](Z\|([-+])([0-9][0-9]?)' + // [8] tz [9] tz_sign [10] tz_hour\n '(?::([0-9][0-9]))?))?$'); // [11] tz_minute\n\nfunction resolveYamlTimestamp(data) {\n if (data === null) return false;\n if (YAML_DATE_REGEXP.exec(data) !== null) return true;\n if (YAML_TIMESTAMP_REGEXP.exec(data) !== null) return true;\n return false;\n}\n\nfunction constructYamlTimestamp(data) {\n var match, year, month, day, hour, minute, second, fraction = 0,\n delta = null, tz_hour, tz_minute, date;\n\n match = YAML_DATE_REGEXP.exec(data);\n if (match === null) match = YAML_TIMESTAMP_REGEXP.exec(data);\n\n if (match === null) throw new Error('Date resolve error');\n\n // match: [1] year [2] month [3] day\n\n year = +(match[1]);\n month = +(match[2]) - 1; // JS month starts with 0\n day = +(match[3]);\n\n if (!match[4]) { // no hour\n return new Date(Date.UTC(year, month, day));\n }\n\n // match: [4] hour [5] minute [6] second [7] fraction\n\n hour = +(match[4]);\n minute = +(match[5]);\n second = +(match[6]);\n\n if (match[7]) {\n fraction = match[7].slice(0, 3);\n while (fraction.length < 3) { // milli-seconds\n fraction += '0';\n }\n fraction = +fraction;\n }\n\n // match: [8] tz [9] tz_sign [10] tz_hour [11] tz_minute\n\n if (match[9]) {\n tz_hour = +(match[10]);\n tz_minute = +(match[11] \|\| 0);\n delta = (tz_hour * 60 + tz_minute) * 60000; // delta in mili-seconds\n if (match[9] === '-') delta = -delta;\n }\n\n date = new Date(Date.UTC(year, month, day, hour, minute, second, fraction));\n\n if (delta) date.setTime(date.getTime() - delta);\n\n return date;\n}\n\nfunction representYamlTimestamp(object /, style/) {\n return object.toISOString();\n}\n\nvar timestamp = new type('tag:yaml.org,2002:timestamp', {\n kind: 'scalar',\n resolve: resolveYamlTimestamp,\n construct: constructYamlTimestamp,\n instanceOf: Date,\n represent: representYamlTimestamp\n});\n\nfunction resolveYamlMerge(data) {\n return data === '<<' \|\| data === null;\n}\n\nvar merge = new type('tag:yaml.org,2002:merge', {\n kind: 'scalar',\n resolve: resolveYamlMerge\n});\n\n/eslint-disable no-bitwise/\n\n\n\n\n\n// [ 64, 65, 66 ] -> [ padding, CR, LF ]\nvar BASE64_MAP = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\\n\\r';\n\n\nfunction resolveYamlBinary(data) {\n if (data === null) return false;\n\n var code, idx, bitlen = 0, max = data.length, map = BASE64_MAP;\n\n // Convert one by one.\n for (idx = 0; idx < max; idx++) {\n code = map.indexOf(data.charAt(idx));\n\n // Skip CR/LF\n if (code > 64) continue;\n\n // Fail on illegal characters\n if (code < 0) return false;\n\n bitlen += 6;\n }\n\n // If there are any bits left, source was corrupted\n return (bitlen % 8) === 0;\n}\n\nfunction constructYamlBinary(data) {\n var idx, tailbits,\n input = data.replace(/[\\r\\n=]/g, ''), // remove CR/LF & padding to simplify scan\n max = input.length,\n map = BASE64_MAP,\n bits = 0,\n result = [];\n\n // Collect by 64 bits (3 bytes)\n\n for (idx = 0; idx < max; idx++) {\n if ((idx % 4 === 0) && idx) {\n result.push((bits >> 16) & 0xFF);\n result.push((bits >> 8) & 0xFF);\n result.push(bits & 0xFF);\n }\n\n bits = (bits << 6) \| map.indexOf(input.charAt(idx));\n }\n\n // Dump tail\n\n tailbits = (max % 4) 6;\n\n if (tailbits === 0) {\n result.push((bits >> 16) & 0xFF);\n result.push((bits >> 8) & 0xFF);\n result.push(bits & 0xFF);\n } else if (tailbits === 18) {\n result.push((bits >> 10) & 0xFF);\n result.push((bits >> 2) & 0xFF);\n } else if (tailbits === 12) {\n result.push((bits >> 4) & 0xFF);\n }\n\n return new Uint8Array(result);\n}\n\nfunction representYamlBinary(object /, style/) {\n var result = '', bits = 0, idx, tail,\n max = object.length,\n map = BASE64_MAP;\n\n // Convert every three bytes to 4 ASCII characters.\n\n for (idx = 0; idx < max; idx++) {\n if ((idx % 3 === 0) && idx) {\n result += map[(bits >> 18) & 0x3F];\n result += map[(bits >> 12) & 0x3F];\n result += map[(bits >> 6) & 0x3F];\n result += map[bits & 0x3F];\n }\n\n bits = (bits << 8) + object[idx];\n }\n\n // Dump tail\n\n tail = max % 3;\n\n if (tail === 0) {\n result += map[(bits >> 18) & 0x3F];\n result += map[(bits >> 12) & 0x3F];\n result += map[(bits >> 6) & 0x3F];\n result += map[bits & 0x3F];\n } else if (tail === 2) {\n result += map[(bits >> 10) & 0x3F];\n result += map[(bits >> 4) & 0x3F];\n result += map[(bits << 2) & 0x3F];\n result += map[64];\n } else if (tail === 1) {\n result += map[(bits >> 2) & 0x3F];\n result += map[(bits << 4) & 0x3F];\n result += map[64];\n result += map[64];\n }\n\n return result;\n}\n\nfunction isBinary(obj) {\n return Object.prototype.toString.call(obj) === '[object Uint8Array]';\n}\n\nvar binary = new type('tag:yaml.org,2002:binary', {\n kind: 'scalar',\n resolve: resolveYamlBinary,\n construct: constructYamlBinary,\n predicate: isBinary,\n represent: representYamlBinary\n});\n\nvar _hasOwnProperty$3 = Object.prototype.hasOwnProperty;\nvar _toString$2 = Object.prototype.toString;\n\nfunction resolveYamlOmap(data) {\n if (data === null) return true;\n\n var objectKeys = [], index, length, pair, pairKey, pairHasKey,\n object = data;\n\n for (index = 0, length = object.length; index < length; index += 1) {\n pair = object[index];\n pairHasKey = false;\n\n if (_toString$2.call(pair) !== '[object Object]') return false;\n\n for (pairKey in pair) {\n if (_hasOwnProperty$3.call(pair, pairKey)) {\n if (!pairHasKey) pairHasKey = true;\n else return false;\n }\n }\n\n if (!pairHasKey) return false;\n\n if (objectKeys.indexOf(pairKey) === -1) objectKeys.push(pairKey);\n else return false;\n }\n\n return true;\n}\n\nfunction constructYamlOmap(data) {\n return data !== null ? data : [];\n}\n\nvar omap = new type('tag:yaml.org,2002:omap', {\n kind: 'sequence',\n resolve: resolveYamlOmap,\n construct: constructYamlOmap\n});\n\nvar _toString$1 = Object.prototype.toString;\n\nfunction resolveYamlPairs(data) {\n if (data === null) return true;\n\n var index, length, pair, keys, result,\n object = data;\n\n result = new Array(object.length);\n\n for (index = 0, length = object.length; index < length; index += 1) {\n pair = object[index];\n\n if (_toString$1.call(pair) !== '[object Object]') return false;\n\n keys = Object.keys(pair);\n\n if (keys.length !== 1) return false;\n\n result[index] = [ keys[0], pair[keys[0]] ];\n }\n\n return true;\n}\n\nfunction constructYamlPairs(data) {\n if (data === null) return [];\n\n var index, length, pair, keys, result,\n object = data;\n\n result = new Array(object.length);\n\n for (index = 0, length = object.length; index < length; index += 1) {\n pair = object[index];\n\n keys = Object.keys(pair);\n\n result[index] = [ keys[0], pair[keys[0]] ];\n }\n\n return result;\n}\n\nvar pairs = new type('tag:yaml.org,2002:pairs', {\n kind: 'sequence',\n resolve: resolveYamlPairs,\n construct: constructYamlPairs\n});\n\nvar _hasOwnProperty$2 = Object.prototype.hasOwnProperty;\n\nfunction resolveYamlSet(data) {\n if (data === null) return true;\n\n var key, object = data;\n\n for (key in object) {\n if (_hasOwnProperty$2.call(object, key)) {\n if (object[key] !== null) return false;\n }\n }\n\n return true;\n}\n\nfunction constructYamlSet(data) {\n return data !== null ? data : {};\n}\n\nvar set = new type('tag:yaml.org,2002:set', {\n kind: 'mapping',\n resolve: resolveYamlSet,\n construct: constructYamlSet\n});\n\nvar _default = core.extend({\n implicit: [\n timestamp,\n merge\n ],\n explicit: [\n binary,\n omap,\n pairs,\n set\n ]\n});\n\n/eslint-disable max-len,no-use-before-define/\n\n\n\n\n\n\n\nvar _hasOwnProperty$1 = Object.prototype.hasOwnProperty;\n\n\nvar CONTEXT_FLOW_IN = 1;\nvar CONTEXT_FLOW_OUT = 2;\nvar CONTEXT_BLOCK_IN = 3;\nvar CONTEXT_BLOCK_OUT = 4;\n\n\nvar CHOMPING_CLIP = 1;\nvar CHOMPING_STRIP = 2;\nvar CHOMPING_KEEP = 3;\n\n\nvar PATTERN_NON_PRINTABLE = /[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F-\\x84\\x86-\\x9F\\uFFFE\\uFFFF]\|[\\uD800-\\uDBFF](?![\\uDC00-\\uDFFF])\|(?:[^\\uD800-\\uDBFF]\|^)[\\uDC00-\\uDFFF]/;\nvar PATTERN_NON_ASCII_LINE_BREAKS = /[\\x85\\u2028\\u2029]/;\nvar PATTERN_FLOW_INDICATORS = /[,\\[\\]\\{\\}]/;\nvar PATTERN_TAG_HANDLE = /^(?:!\|!!\|![a-z\\-]+!)$/i;\nvar PATTERN_TAG_URI = /^(?:!\|[^,\\[\\]\\{\\}])(?:%[0-9a-f]{2}\|[0-9a-z\\-#;\\/\\?:@&=\\+\\$,_\\.!~\\'\$\$\\[\\]])$/i;\n\n\nfunction _class(obj) { return Object.prototype.toString.call(obj); }\n\nfunction is_EOL(c) {\n return (c === 0x0A/* LF /) \|\| (c === 0x0D/ CR /);\n}\n\nfunction is_WHITE_SPACE(c) {\n return (c === 0x09/ Tab /) \|\| (c === 0x20/ Space /);\n}\n\nfunction is_WS_OR_EOL(c) {\n return (c === 0x09/ Tab /) \|\|\n (c === 0x20/ Space /) \|\|\n (c === 0x0A/ LF /) \|\|\n (c === 0x0D/ CR /);\n}\n\nfunction is_FLOW_INDICATOR(c) {\n return c === 0x2C/ , / \|\|\n c === 0x5B/ [ / \|\|\n c === 0x5D/ ] / \|\|\n c === 0x7B/ { / \|\|\n c === 0x7D/ } /;\n}\n\nfunction fromHexCode(c) {\n var lc;\n\n if ((0x30/ 0 / <= c) && (c <= 0x39/ 9 /)) {\n return c - 0x30;\n }\n\n /eslint-disable no-bitwise/\n lc = c \| 0x20;\n\n if ((0x61/ a / <= lc) && (lc <= 0x66/ f /)) {\n return lc - 0x61 + 10;\n }\n\n return -1;\n}\n\nfunction escapedHexLen(c) {\n if (c === 0x78/ x /) { return 2; }\n if (c === 0x75/ u /) { return 4; }\n if (c === 0x55/ U /) { return 8; }\n return 0;\n}\n\nfunction fromDecimalCode(c) {\n if ((0x30/ 0 / <= c) && (c <= 0x39/ 9 /)) {\n return c - 0x30;\n }\n\n return -1;\n}\n\nfunction simpleEscapeSequence(c) {\n / eslint-disable indent /\n return (c === 0x30/ 0 /) ? '\\x00' :\n (c === 0x61/ a /) ? '\\x07' :\n (c === 0x62/ b /) ? '\\x08' :\n (c === 0x74/ t /) ? '\\x09' :\n (c === 0x09/ Tab /) ? '\\x09' :\n (c === 0x6E/ n /) ? '\\x0A' :\n (c === 0x76/ v /) ? '\\x0B' :\n (c === 0x66/ f /) ? '\\x0C' :\n (c === 0x72/ r /) ? '\\x0D' :\n (c === 0x65/ e /) ? '\\x1B' :\n (c === 0x20/ Space /) ? ' ' :\n (c === 0x22/ \" /) ? '\\x22' :\n (c === 0x2F/ / /) ? '/' :\n (c === 0x5C/ \\ /) ? '\\x5C' :\n (c === 0x4E/ N /) ? '\\x85' :\n (c === 0x5F/ _ /) ? '\\xA0' :\n (c === 0x4C/ L /) ? '\\u2028' :\n (c === 0x50/ P /) ? '\\u2029' : '';\n}\n\nfunction charFromCodepoint(c) {\n if (c <= 0xFFFF) {\n return String.fromCharCode(c);\n }\n // Encode UTF-16 surrogate pair\n // https://en.wikipedia.org/wiki/UTF-16#Code_points_U.2B010000_to_U.2B10FFFF\n return String.fromCharCode(\n ((c - 0x010000) >> 10) + 0xD800,\n ((c - 0x010000) & 0x03FF) + 0xDC00\n );\n}\n\n// set a property of a literal object, while protecting against prototype pollution,\n// see https://github.com/nodeca/js-yaml/issues/164 for more details\nfunction setProperty(object, key, value) {\n // used for this specific key only because Object.defineProperty is slow\n if (key === '__proto__') {\n Object.defineProperty(object, key, {\n configurable: true,\n enumerable: true,\n writable: true,\n value: value\n });\n } else {\n object[key] = value;\n }\n}\n\nvar simpleEscapeCheck = new Array(256); // integer, for fast access\nvar simpleEscapeMap = new Array(256);\nfor (var i = 0; i < 256; i++) {\n simpleEscapeCheck[i] = simpleEscapeSequence(i) ? 1 : 0;\n simpleEscapeMap[i] = simpleEscapeSequence(i);\n}\n\n\nfunction State$1(input, options) {\n this.input = input;\n\n this.filename = options['filename'] \|\| null;\n this.schema = options['schema'] \|\| _default;\n this.onWarning = options['onWarning'] \|\| null;\n // (Hidden) Remove? makes the loader to expect YAML 1.1 documents\n // if such documents have no explicit %YAML directive\n this.legacy = options['legacy'] \|\| false;\n\n this.json = options['json'] \|\| false;\n this.listener = options['listener'] \|\| null;\n\n this.implicitTypes = this.schema.compiledImplicit;\n this.typeMap = this.schema.compiledTypeMap;\n\n this.length = input.length;\n this.position = 0;\n this.line = 0;\n this.lineStart = 0;\n this.lineIndent = 0;\n\n // position of first leading tab in the current line,\n // used to make sure there are no tabs in the indentation\n this.firstTabInLine = -1;\n\n this.documents = [];\n\n /\n this.version;\n this.checkLineBreaks;\n this.tagMap;\n this.anchorMap;\n this.tag;\n this.anchor;\n this.kind;\n this.result;/\n\n}\n\n\nfunction generateError(state, message) {\n var mark = {\n name: state.filename,\n buffer: state.input.slice(0, -1), // omit trailing \\0\n position: state.position,\n line: state.line,\n column: state.position - state.lineStart\n };\n\n mark.snippet = snippet(mark);\n\n return new exception(message, mark);\n}\n\nfunction throwError(state, message) {\n throw generateError(state, message);\n}\n\nfunction throwWarning(state, message) {\n if (state.onWarning) {\n state.onWarning.call(null, generateError(state, message));\n }\n}\n\n\nvar directiveHandlers = {\n\n YAML: function handleYamlDirective(state, name, args) {\n\n var match, major, minor;\n\n if (state.version !== null) {\n throwError(state, 'duplication of %YAML directive');\n }\n\n if (args.length !== 1) {\n throwError(state, 'YAML directive accepts exactly one argument');\n }\n\n match = /^([0-9]+)\\.([0-9]+)$/.exec(args[0]);\n\n if (match === null) {\n throwError(state, 'ill-formed argument of the YAML directive');\n }\n\n major = parseInt(match[1], 10);\n minor = parseInt(match[2], 10);\n\n if (major !== 1) {\n throwError(state, 'unacceptable YAML version of the document');\n }\n\n state.version = args[0];\n state.checkLineBreaks = (minor < 2);\n\n if (minor !== 1 && minor !== 2) {\n throwWarning(state, 'unsupported YAML version of the document');\n }\n },\n\n TAG: function handleTagDirective(state, name, args) {\n\n var handle, prefix;\n\n if (args.length !== 2) {\n throwError(state, 'TAG directive accepts exactly two arguments');\n }\n\n handle = args[0];\n prefix = args[1];\n\n if (!PATTERN_TAG_HANDLE.test(handle)) {\n throwError(state, 'ill-formed tag handle (first argument) of the TAG directive');\n }\n\n if (_hasOwnProperty$1.call(state.tagMap, handle)) {\n throwError(state, 'there is a previously declared suffix for \"' + handle + '\" tag handle');\n }\n\n if (!PATTERN_TAG_URI.test(prefix)) {\n throwError(state, 'ill-formed tag prefix (second argument) of the TAG directive');\n }\n\n try {\n prefix = decodeURIComponent(prefix);\n } catch (err) {\n throwError(state, 'tag prefix is malformed: ' + prefix);\n }\n\n state.tagMap[handle] = prefix;\n }\n};\n\n\nfunction captureSegment(state, start, end, checkJson) {\n var _position, _length, _character, _result;\n\n if (start < end) {\n _result = state.input.slice(start, end);\n\n if (checkJson) {\n for (_position = 0, _length = _result.length; _position < _length; _position += 1) {\n _character = _result.charCodeAt(_position);\n if (!(_character === 0x09 \|\|\n (0x20 <= _character && _character <= 0x10FFFF))) {\n throwError(state, 'expected valid JSON character');\n }\n }\n } else if (PATTERN_NON_PRINTABLE.test(_result)) {\n throwError(state, 'the stream contains non-printable characters');\n }\n\n state.result += _result;\n }\n}\n\nfunction mergeMappings(state, destination, source, overridableKeys) {\n var sourceKeys, key, index, quantity;\n\n if (!common.isObject(source)) {\n throwError(state, 'cannot merge mappings; the provided source object is unacceptable');\n }\n\n sourceKeys = Object.keys(source);\n\n for (index = 0, quantity = sourceKeys.length; index < quantity; index += 1) {\n key = sourceKeys[index];\n\n if (!_hasOwnProperty$1.call(destination, key)) {\n setProperty(destination, key, source[key]);\n overridableKeys[key] = true;\n }\n }\n}\n\nfunction storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valueNode,\n startLine, startLineStart, startPos) {\n\n var index, quantity;\n\n // The output is a plain object here, so keys can only be strings.\n // We need to convert keyNode to a string, but doing so can hang the process\n // (deeply nested arrays that explode exponentially using aliases).\n if (Array.isArray(keyNode)) {\n keyNode = Array.prototype.slice.call(keyNode);\n\n for (index = 0, quantity = keyNode.length; index < quantity; index += 1) {\n if (Array.isArray(keyNode[index])) {\n throwError(state, 'nested arrays are not supported inside keys');\n }\n\n if (typeof keyNode === 'object' && _class(keyNode[index]) === '[object Object]') {\n keyNode[index] = '[object Object]';\n }\n }\n }\n\n // Avoid code execution in load() via toString property\n // (still use its own toString for arrays, timestamps,\n // and whatever user schema extensions happen to have @@toStringTag)\n if (typeof keyNode === 'object' && _class(keyNode) === '[object Object]') {\n keyNode = '[object Object]';\n }\n\n\n keyNode = String(keyNode);\n\n if (_result === null) {\n _result = {};\n }\n\n if (keyTag === 'tag:yaml.org,2002:merge') {\n if (Array.isArray(valueNode)) {\n for (index = 0, quantity = valueNode.length; index < quantity; index += 1) {\n mergeMappings(state, _result, valueNode[index], overridableKeys);\n }\n } else {\n mergeMappings(state, _result, valueNode, overridableKeys);\n }\n } else {\n if (!state.json &&\n !_hasOwnProperty$1.call(overridableKeys, keyNode) &&\n _hasOwnProperty$1.call(_result, keyNode)) {\n state.line = startLine \|\| state.line;\n state.lineStart = startLineStart \|\| state.lineStart;\n state.position = startPos \|\| state.position;\n throwError(state, 'duplicated mapping key');\n }\n\n setProperty(_result, keyNode, valueNode);\n delete overridableKeys[keyNode];\n }\n\n return _result;\n}\n\nfunction readLineBreak(state) {\n var ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch === 0x0A/ LF /) {\n state.position++;\n } else if (ch === 0x0D/ CR /) {\n state.position++;\n if (state.input.charCodeAt(state.position) === 0x0A/ LF /) {\n state.position++;\n }\n } else {\n throwError(state, 'a line break is expected');\n }\n\n state.line += 1;\n state.lineStart = state.position;\n state.firstTabInLine = -1;\n}\n\nfunction skipSeparationSpace(state, allowComments, checkIndent) {\n var lineBreaks = 0,\n ch = state.input.charCodeAt(state.position);\n\n while (ch !== 0) {\n while (is_WHITE_SPACE(ch)) {\n if (ch === 0x09/ Tab / && state.firstTabInLine === -1) {\n state.firstTabInLine = state.position;\n }\n ch = state.input.charCodeAt(++state.position);\n }\n\n if (allowComments && ch === 0x23/ # /) {\n do {\n ch = state.input.charCodeAt(++state.position);\n } while (ch !== 0x0A/ LF / && ch !== 0x0D/ CR / && ch !== 0);\n }\n\n if (is_EOL(ch)) {\n readLineBreak(state);\n\n ch = state.input.charCodeAt(state.position);\n lineBreaks++;\n state.lineIndent = 0;\n\n while (ch === 0x20/ Space /) {\n state.lineIndent++;\n ch = state.input.charCodeAt(++state.position);\n }\n } else {\n break;\n }\n }\n\n if (checkIndent !== -1 && lineBreaks !== 0 && state.lineIndent < checkIndent) {\n throwWarning(state, 'deficient indentation');\n }\n\n return lineBreaks;\n}\n\nfunction testDocumentSeparator(state) {\n var _position = state.position,\n ch;\n\n ch = state.input.charCodeAt(_position);\n\n // Condition state.position === state.lineStart is tested\n // in parent on each call, for efficiency. No needs to test here again.\n if ((ch === 0x2D/ - / \|\| ch === 0x2E/ . /) &&\n ch === state.input.charCodeAt(_position + 1) &&\n ch === state.input.charCodeAt(_position + 2)) {\n\n _position += 3;\n\n ch = state.input.charCodeAt(_position);\n\n if (ch === 0 \|\| is_WS_OR_EOL(ch)) {\n return true;\n }\n }\n\n return false;\n}\n\nfunction writeFoldedLines(state, count) {\n if (count === 1) {\n state.result += ' ';\n } else if (count > 1) {\n state.result += common.repeat('\\n', count - 1);\n }\n}\n\n\nfunction readPlainScalar(state, nodeIndent, withinFlowCollection) {\n var preceding,\n following,\n captureStart,\n captureEnd,\n hasPendingContent,\n _line,\n _lineStart,\n _lineIndent,\n _kind = state.kind,\n _result = state.result,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (is_WS_OR_EOL(ch) \|\|\n is_FLOW_INDICATOR(ch) \|\|\n ch === 0x23/ # / \|\|\n ch === 0x26/ & / \|\|\n ch === 0x2A/ * / \|\|\n ch === 0x21/ ! / \|\|\n ch === 0x7C/ \| / \|\|\n ch === 0x3E/ > / \|\|\n ch === 0x27/ ' / \|\|\n ch === 0x22/ \" / \|\|\n ch === 0x25/ % / \|\|\n ch === 0x40/ @ / \|\|\n ch === 0x60/ ` /) {\n return false;\n }\n\n if (ch === 0x3F/ ? / \|\| ch === 0x2D/ - /) {\n following = state.input.charCodeAt(state.position + 1);\n\n if (is_WS_OR_EOL(following) \|\|\n withinFlowCollection && is_FLOW_INDICATOR(following)) {\n return false;\n }\n }\n\n state.kind = 'scalar';\n state.result = '';\n captureStart = captureEnd = state.position;\n hasPendingContent = false;\n\n while (ch !== 0) {\n if (ch === 0x3A/ : /) {\n following = state.input.charCodeAt(state.position + 1);\n\n if (is_WS_OR_EOL(following) \|\|\n withinFlowCollection && is_FLOW_INDICATOR(following)) {\n break;\n }\n\n } else if (ch === 0x23/ # /) {\n preceding = state.input.charCodeAt(state.position - 1);\n\n if (is_WS_OR_EOL(preceding)) {\n break;\n }\n\n } else if ((state.position === state.lineStart && testDocumentSeparator(state)) \|\|\n withinFlowCollection && is_FLOW_INDICATOR(ch)) {\n break;\n\n } else if (is_EOL(ch)) {\n _line = state.line;\n _lineStart = state.lineStart;\n _lineIndent = state.lineIndent;\n skipSeparationSpace(state, false, -1);\n\n if (state.lineIndent >= nodeIndent) {\n hasPendingContent = true;\n ch = state.input.charCodeAt(state.position);\n continue;\n } else {\n state.position = captureEnd;\n state.line = _line;\n state.lineStart = _lineStart;\n state.lineIndent = _lineIndent;\n break;\n }\n }\n\n if (hasPendingContent) {\n captureSegment(state, captureStart, captureEnd, false);\n writeFoldedLines(state, state.line - _line);\n captureStart = captureEnd = state.position;\n hasPendingContent = false;\n }\n\n if (!is_WHITE_SPACE(ch)) {\n captureEnd = state.position + 1;\n }\n\n ch = state.input.charCodeAt(++state.position);\n }\n\n captureSegment(state, captureStart, captureEnd, false);\n\n if (state.result) {\n return true;\n }\n\n state.kind = _kind;\n state.result = _result;\n return false;\n}\n\nfunction readSingleQuotedScalar(state, nodeIndent) {\n var ch,\n captureStart, captureEnd;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch !== 0x27/ ' /) {\n return false;\n }\n\n state.kind = 'scalar';\n state.result = '';\n state.position++;\n captureStart = captureEnd = state.position;\n\n while ((ch = state.input.charCodeAt(state.position)) !== 0) {\n if (ch === 0x27/ ' /) {\n captureSegment(state, captureStart, state.position, true);\n ch = state.input.charCodeAt(++state.position);\n\n if (ch === 0x27/ ' /) {\n captureStart = state.position;\n state.position++;\n captureEnd = state.position;\n } else {\n return true;\n }\n\n } else if (is_EOL(ch)) {\n captureSegment(state, captureStart, captureEnd, true);\n writeFoldedLines(state, skipSeparationSpace(state, false, nodeIndent));\n captureStart = captureEnd = state.position;\n\n } else if (state.position === state.lineStart && testDocumentSeparator(state)) {\n throwError(state, 'unexpected end of the document within a single quoted scalar');\n\n } else {\n state.position++;\n captureEnd = state.position;\n }\n }\n\n throwError(state, 'unexpected end of the stream within a single quoted scalar');\n}\n\nfunction readDoubleQuotedScalar(state, nodeIndent) {\n var captureStart,\n captureEnd,\n hexLength,\n hexResult,\n tmp,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch !== 0x22/ \" /) {\n return false;\n }\n\n state.kind = 'scalar';\n state.result = '';\n state.position++;\n captureStart = captureEnd = state.position;\n\n while ((ch = state.input.charCodeAt(state.position)) !== 0) {\n if (ch === 0x22/ \" /) {\n captureSegment(state, captureStart, state.position, true);\n state.position++;\n return true;\n\n } else if (ch === 0x5C/ \\ /) {\n captureSegment(state, captureStart, state.position, true);\n ch = state.input.charCodeAt(++state.position);\n\n if (is_EOL(ch)) {\n skipSeparationSpace(state, false, nodeIndent);\n\n // TODO: rework to inline fn with no type cast?\n } else if (ch < 256 && simpleEscapeCheck[ch]) {\n state.result += simpleEscapeMap[ch];\n state.position++;\n\n } else if ((tmp = escapedHexLen(ch)) > 0) {\n hexLength = tmp;\n hexResult = 0;\n\n for (; hexLength > 0; hexLength--) {\n ch = state.input.charCodeAt(++state.position);\n\n if ((tmp = fromHexCode(ch)) >= 0) {\n hexResult = (hexResult << 4) + tmp;\n\n } else {\n throwError(state, 'expected hexadecimal character');\n }\n }\n\n state.result += charFromCodepoint(hexResult);\n\n state.position++;\n\n } else {\n throwError(state, 'unknown escape sequence');\n }\n\n captureStart = captureEnd = state.position;\n\n } else if (is_EOL(ch)) {\n captureSegment(state, captureStart, captureEnd, true);\n writeFoldedLines(state, skipSeparationSpace(state, false, nodeIndent));\n captureStart = captureEnd = state.position;\n\n } else if (state.position === state.lineStart && testDocumentSeparator(state)) {\n throwError(state, 'unexpected end of the document within a double quoted scalar');\n\n } else {\n state.position++;\n captureEnd = state.position;\n }\n }\n\n throwError(state, 'unexpected end of the stream within a double quoted scalar');\n}\n\nfunction readFlowCollection(state, nodeIndent) {\n var readNext = true,\n _line,\n _lineStart,\n _pos,\n _tag = state.tag,\n _result,\n _anchor = state.anchor,\n following,\n terminator,\n isPair,\n isExplicitPair,\n isMapping,\n overridableKeys = Object.create(null),\n keyNode,\n keyTag,\n valueNode,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch === 0x5B/ [ /) {\n terminator = 0x5D;/ ] /\n isMapping = false;\n _result = [];\n } else if (ch === 0x7B/ { /) {\n terminator = 0x7D;/ } /\n isMapping = true;\n _result = {};\n } else {\n return false;\n }\n\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = _result;\n }\n\n ch = state.input.charCodeAt(++state.position);\n\n while (ch !== 0) {\n skipSeparationSpace(state, true, nodeIndent);\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch === terminator) {\n state.position++;\n state.tag = _tag;\n state.anchor = _anchor;\n state.kind = isMapping ? 'mapping' : 'sequence';\n state.result = _result;\n return true;\n } else if (!readNext) {\n throwError(state, 'missed comma between flow collection entries');\n } else if (ch === 0x2C/ , /) {\n // \"flow collection entries can never be completely empty\", as per YAML 1.2, section 7.4\n throwError(state, \"expected the node content, but found ','\");\n }\n\n keyTag = keyNode = valueNode = null;\n isPair = isExplicitPair = false;\n\n if (ch === 0x3F/ ? /) {\n following = state.input.charCodeAt(state.position + 1);\n\n if (is_WS_OR_EOL(following)) {\n isPair = isExplicitPair = true;\n state.position++;\n skipSeparationSpace(state, true, nodeIndent);\n }\n }\n\n _line = state.line; // Save the current line.\n _lineStart = state.lineStart;\n _pos = state.position;\n composeNode(state, nodeIndent, CONTEXT_FLOW_IN, false, true);\n keyTag = state.tag;\n keyNode = state.result;\n skipSeparationSpace(state, true, nodeIndent);\n\n ch = state.input.charCodeAt(state.position);\n\n if ((isExplicitPair \|\| state.line === _line) && ch === 0x3A/ : /) {\n isPair = true;\n ch = state.input.charCodeAt(++state.position);\n skipSeparationSpace(state, true, nodeIndent);\n composeNode(state, nodeIndent, CONTEXT_FLOW_IN, false, true);\n valueNode = state.result;\n }\n\n if (isMapping) {\n storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valueNode, _line, _lineStart, _pos);\n } else if (isPair) {\n _result.push(storeMappingPair(state, null, overridableKeys, keyTag, keyNode, valueNode, _line, _lineStart, _pos));\n } else {\n _result.push(keyNode);\n }\n\n skipSeparationSpace(state, true, nodeIndent);\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch === 0x2C/ , /) {\n readNext = true;\n ch = state.input.charCodeAt(++state.position);\n } else {\n readNext = false;\n }\n }\n\n throwError(state, 'unexpected end of the stream within a flow collection');\n}\n\nfunction readBlockScalar(state, nodeIndent) {\n var captureStart,\n folding,\n chomping = CHOMPING_CLIP,\n didReadContent = false,\n detectedIndent = false,\n textIndent = nodeIndent,\n emptyLines = 0,\n atMoreIndented = false,\n tmp,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch === 0x7C/ \| /) {\n folding = false;\n } else if (ch === 0x3E/ > /) {\n folding = true;\n } else {\n return false;\n }\n\n state.kind = 'scalar';\n state.result = '';\n\n while (ch !== 0) {\n ch = state.input.charCodeAt(++state.position);\n\n if (ch === 0x2B/ + / \|\| ch === 0x2D/ - /) {\n if (CHOMPING_CLIP === chomping) {\n chomping = (ch === 0x2B/ + /) ? CHOMPING_KEEP : CHOMPING_STRIP;\n } else {\n throwError(state, 'repeat of a chomping mode identifier');\n }\n\n } else if ((tmp = fromDecimalCode(ch)) >= 0) {\n if (tmp === 0) {\n throwError(state, 'bad explicit indentation width of a block scalar; it cannot be less than one');\n } else if (!detectedIndent) {\n textIndent = nodeIndent + tmp - 1;\n detectedIndent = true;\n } else {\n throwError(state, 'repeat of an indentation width identifier');\n }\n\n } else {\n break;\n }\n }\n\n if (is_WHITE_SPACE(ch)) {\n do { ch = state.input.charCodeAt(++state.position); }\n while (is_WHITE_SPACE(ch));\n\n if (ch === 0x23/ # /) {\n do { ch = state.input.charCodeAt(++state.position); }\n while (!is_EOL(ch) && (ch !== 0));\n }\n }\n\n while (ch !== 0) {\n readLineBreak(state);\n state.lineIndent = 0;\n\n ch = state.input.charCodeAt(state.position);\n\n while ((!detectedIndent \|\| state.lineIndent < textIndent) &&\n (ch === 0x20/ Space /)) {\n state.lineIndent++;\n ch = state.input.charCodeAt(++state.position);\n }\n\n if (!detectedIndent && state.lineIndent > textIndent) {\n textIndent = state.lineIndent;\n }\n\n if (is_EOL(ch)) {\n emptyLines++;\n continue;\n }\n\n // End of the scalar.\n if (state.lineIndent < textIndent) {\n\n // Perform the chomping.\n if (chomping === CHOMPING_KEEP) {\n state.result += common.repeat('\\n', didReadContent ? 1 + emptyLines : emptyLines);\n } else if (chomping === CHOMPING_CLIP) {\n if (didReadContent) { // i.e. only if the scalar is not empty.\n state.result += '\\n';\n }\n }\n\n // Break this `while` cycle and go to the funciton's epilogue.\n break;\n }\n\n // Folded style: use fancy rules to handle line breaks.\n if (folding) {\n\n // Lines starting with white space characters (more-indented lines) are not folded.\n if (is_WHITE_SPACE(ch)) {\n atMoreIndented = true;\n // except for the first content line (cf. Example 8.1)\n state.result += common.repeat('\\n', didReadContent ? 1 + emptyLines : emptyLines);\n\n // End of more-indented block.\n } else if (atMoreIndented) {\n atMoreIndented = false;\n state.result += common.repeat('\\n', emptyLines + 1);\n\n // Just one line break - perceive as the same line.\n } else if (emptyLines === 0) {\n if (didReadContent) { // i.e. only if we have already read some scalar content.\n state.result += ' ';\n }\n\n // Several line breaks - perceive as different lines.\n } else {\n state.result += common.repeat('\\n', emptyLines);\n }\n\n // Literal style: just add exact number of line breaks between content lines.\n } else {\n // Keep all line breaks except the header line break.\n state.result += common.repeat('\\n', didReadContent ? 1 + emptyLines : emptyLines);\n }\n\n didReadContent = true;\n detectedIndent = true;\n emptyLines = 0;\n captureStart = state.position;\n\n while (!is_EOL(ch) && (ch !== 0)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n captureSegment(state, captureStart, state.position, false);\n }\n\n return true;\n}\n\nfunction readBlockSequence(state, nodeIndent) {\n var _line,\n _tag = state.tag,\n _anchor = state.anchor,\n _result = [],\n following,\n detected = false,\n ch;\n\n // there is a leading tab before this token, so it can't be a block sequence/mapping;\n // it can still be flow sequence/mapping or a scalar\n if (state.firstTabInLine !== -1) return false;\n\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = _result;\n }\n\n ch = state.input.charCodeAt(state.position);\n\n while (ch !== 0) {\n if (state.firstTabInLine !== -1) {\n state.position = state.firstTabInLine;\n throwError(state, 'tab characters must not be used in indentation');\n }\n\n if (ch !== 0x2D/ - /) {\n break;\n }\n\n following = state.input.charCodeAt(state.position + 1);\n\n if (!is_WS_OR_EOL(following)) {\n break;\n }\n\n detected = true;\n state.position++;\n\n if (skipSeparationSpace(state, true, -1)) {\n if (state.lineIndent <= nodeIndent) {\n _result.push(null);\n ch = state.input.charCodeAt(state.position);\n continue;\n }\n }\n\n _line = state.line;\n composeNode(state, nodeIndent, CONTEXT_BLOCK_IN, false, true);\n _result.push(state.result);\n skipSeparationSpace(state, true, -1);\n\n ch = state.input.charCodeAt(state.position);\n\n if ((state.line === _line \|\| state.lineIndent > nodeIndent) && (ch !== 0)) {\n throwError(state, 'bad indentation of a sequence entry');\n } else if (state.lineIndent < nodeIndent) {\n break;\n }\n }\n\n if (detected) {\n state.tag = _tag;\n state.anchor = _anchor;\n state.kind = 'sequence';\n state.result = _result;\n return true;\n }\n return false;\n}\n\nfunction readBlockMapping(state, nodeIndent, flowIndent) {\n var following,\n allowCompact,\n _line,\n _keyLine,\n _keyLineStart,\n _keyPos,\n _tag = state.tag,\n _anchor = state.anchor,\n _result = {},\n overridableKeys = Object.create(null),\n keyTag = null,\n keyNode = null,\n valueNode = null,\n atExplicitKey = false,\n detected = false,\n ch;\n\n // there is a leading tab before this token, so it can't be a block sequence/mapping;\n // it can still be flow sequence/mapping or a scalar\n if (state.firstTabInLine !== -1) return false;\n\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = _result;\n }\n\n ch = state.input.charCodeAt(state.position);\n\n while (ch !== 0) {\n if (!atExplicitKey && state.firstTabInLine !== -1) {\n state.position = state.firstTabInLine;\n throwError(state, 'tab characters must not be used in indentation');\n }\n\n following = state.input.charCodeAt(state.position + 1);\n _line = state.line; // Save the current line.\n\n //\n // Explicit notation case. There are two separate blocks:\n // first for the key (denoted by \"?\") and second for the value (denoted by \":\")\n //\n if ((ch === 0x3F/ ? / \|\| ch === 0x3A/ : /) && is_WS_OR_EOL(following)) {\n\n if (ch === 0x3F/ ? /) {\n if (atExplicitKey) {\n storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, null, _keyLine, _keyLineStart, _keyPos);\n keyTag = keyNode = valueNode = null;\n }\n\n detected = true;\n atExplicitKey = true;\n allowCompact = true;\n\n } else if (atExplicitKey) {\n // i.e. 0x3A/ : / === character after the explicit key.\n atExplicitKey = false;\n allowCompact = true;\n\n } else {\n throwError(state, 'incomplete explicit mapping pair; a key node is missed; or followed by a non-tabulated empty line');\n }\n\n state.position += 1;\n ch = following;\n\n //\n // Implicit notation case. Flow-style node as the key first, then \":\", and the value.\n //\n } else {\n _keyLine = state.line;\n _keyLineStart = state.lineStart;\n _keyPos = state.position;\n\n if (!composeNode(state, flowIndent, CONTEXT_FLOW_OUT, false, true)) {\n // Neither implicit nor explicit notation.\n // Reading is done. Go to the epilogue.\n break;\n }\n\n if (state.line === _line) {\n ch = state.input.charCodeAt(state.position);\n\n while (is_WHITE_SPACE(ch)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n if (ch === 0x3A/ : /) {\n ch = state.input.charCodeAt(++state.position);\n\n if (!is_WS_OR_EOL(ch)) {\n throwError(state, 'a whitespace character is expected after the key-value separator within a block mapping');\n }\n\n if (atExplicitKey) {\n storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, null, _keyLine, _keyLineStart, _keyPos);\n keyTag = keyNode = valueNode = null;\n }\n\n detected = true;\n atExplicitKey = false;\n allowCompact = false;\n keyTag = state.tag;\n keyNode = state.result;\n\n } else if (detected) {\n throwError(state, 'can not read an implicit mapping pair; a colon is missed');\n\n } else {\n state.tag = _tag;\n state.anchor = _anchor;\n return true; // Keep the result of `composeNode`.\n }\n\n } else if (detected) {\n throwError(state, 'can not read a block mapping entry; a multiline key may not be an implicit key');\n\n } else {\n state.tag = _tag;\n state.anchor = _anchor;\n return true; // Keep the result of `composeNode`.\n }\n }\n\n //\n // Common reading code for both explicit and implicit notations.\n //\n if (state.line === _line \|\| state.lineIndent > nodeIndent) {\n if (atExplicitKey) {\n _keyLine = state.line;\n _keyLineStart = state.lineStart;\n _keyPos = state.position;\n }\n\n if (composeNode(state, nodeIndent, CONTEXT_BLOCK_OUT, true, allowCompact)) {\n if (atExplicitKey) {\n keyNode = state.result;\n } else {\n valueNode = state.result;\n }\n }\n\n if (!atExplicitKey) {\n storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valueNode, _keyLine, _keyLineStart, _keyPos);\n keyTag = keyNode = valueNode = null;\n }\n\n skipSeparationSpace(state, true, -1);\n ch = state.input.charCodeAt(state.position);\n }\n\n if ((state.line === _line \|\| state.lineIndent > nodeIndent) && (ch !== 0)) {\n throwError(state, 'bad indentation of a mapping entry');\n } else if (state.lineIndent < nodeIndent) {\n break;\n }\n }\n\n //\n // Epilogue.\n //\n\n // Special case: last mapping's node contains only the key in explicit notation.\n if (atExplicitKey) {\n storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, null, _keyLine, _keyLineStart, _keyPos);\n }\n\n // Expose the resulting mapping.\n if (detected) {\n state.tag = _tag;\n state.anchor = _anchor;\n state.kind = 'mapping';\n state.result = _result;\n }\n\n return detected;\n}\n\nfunction readTagProperty(state) {\n var _position,\n isVerbatim = false,\n isNamed = false,\n tagHandle,\n tagName,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch !== 0x21/ ! /) return false;\n\n if (state.tag !== null) {\n throwError(state, 'duplication of a tag property');\n }\n\n ch = state.input.charCodeAt(++state.position);\n\n if (ch === 0x3C/ < /) {\n isVerbatim = true;\n ch = state.input.charCodeAt(++state.position);\n\n } else if (ch === 0x21/ ! /) {\n isNamed = true;\n tagHandle = '!!';\n ch = state.input.charCodeAt(++state.position);\n\n } else {\n tagHandle = '!';\n }\n\n _position = state.position;\n\n if (isVerbatim) {\n do { ch = state.input.charCodeAt(++state.position); }\n while (ch !== 0 && ch !== 0x3E/ > /);\n\n if (state.position < state.length) {\n tagName = state.input.slice(_position, state.position);\n ch = state.input.charCodeAt(++state.position);\n } else {\n throwError(state, 'unexpected end of the stream within a verbatim tag');\n }\n } else {\n while (ch !== 0 && !is_WS_OR_EOL(ch)) {\n\n if (ch === 0x21/ ! /) {\n if (!isNamed) {\n tagHandle = state.input.slice(_position - 1, state.position + 1);\n\n if (!PATTERN_TAG_HANDLE.test(tagHandle)) {\n throwError(state, 'named tag handle cannot contain such characters');\n }\n\n isNamed = true;\n _position = state.position + 1;\n } else {\n throwError(state, 'tag suffix cannot contain exclamation marks');\n }\n }\n\n ch = state.input.charCodeAt(++state.position);\n }\n\n tagName = state.input.slice(_position, state.position);\n\n if (PATTERN_FLOW_INDICATORS.test(tagName)) {\n throwError(state, 'tag suffix cannot contain flow indicator characters');\n }\n }\n\n if (tagName && !PATTERN_TAG_URI.test(tagName)) {\n throwError(state, 'tag name cannot contain such characters: ' + tagName);\n }\n\n try {\n tagName = decodeURIComponent(tagName);\n } catch (err) {\n throwError(state, 'tag name is malformed: ' + tagName);\n }\n\n if (isVerbatim) {\n state.tag = tagName;\n\n } else if (_hasOwnProperty$1.call(state.tagMap, tagHandle)) {\n state.tag = state.tagMap[tagHandle] + tagName;\n\n } else if (tagHandle === '!') {\n state.tag = '!' + tagName;\n\n } else if (tagHandle === '!!') {\n state.tag = 'tag:yaml.org,2002:' + tagName;\n\n } else {\n throwError(state, 'undeclared tag handle \"' + tagHandle + '\"');\n }\n\n return true;\n}\n\nfunction readAnchorProperty(state) {\n var _position,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch !== 0x26/ & /) return false;\n\n if (state.anchor !== null) {\n throwError(state, 'duplication of an anchor property');\n }\n\n ch = state.input.charCodeAt(++state.position);\n _position = state.position;\n\n while (ch !== 0 && !is_WS_OR_EOL(ch) && !is_FLOW_INDICATOR(ch)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n if (state.position === _position) {\n throwError(state, 'name of an anchor node must contain at least one character');\n }\n\n state.anchor = state.input.slice(_position, state.position);\n return true;\n}\n\nfunction readAlias(state) {\n var _position, alias,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch !== 0x2A/ * /) return false;\n\n ch = state.input.charCodeAt(++state.position);\n _position = state.position;\n\n while (ch !== 0 && !is_WS_OR_EOL(ch) && !is_FLOW_INDICATOR(ch)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n if (state.position === _position) {\n throwError(state, 'name of an alias node must contain at least one character');\n }\n\n alias = state.input.slice(_position, state.position);\n\n if (!_hasOwnProperty$1.call(state.anchorMap, alias)) {\n throwError(state, 'unidentified alias \"' + alias + '\"');\n }\n\n state.result = state.anchorMap[alias];\n skipSeparationSpace(state, true, -1);\n return true;\n}\n\nfunction composeNode(state, parentIndent, nodeContext, allowToSeek, allowCompact) {\n var allowBlockStyles,\n allowBlockScalars,\n allowBlockCollections,\n indentStatus = 1, // 1: this>parent, 0: this=parent, -1: this<parent\n atNewLine = false,\n hasContent = false,\n typeIndex,\n typeQuantity,\n typeList,\n type,\n flowIndent,\n blockIndent;\n\n if (state.listener !== null) {\n state.listener('open', state);\n }\n\n state.tag = null;\n state.anchor = null;\n state.kind = null;\n state.result = null;\n\n allowBlockStyles = allowBlockScalars = allowBlockCollections =\n CONTEXT_BLOCK_OUT === nodeContext \|\|\n CONTEXT_BLOCK_IN === nodeContext;\n\n if (allowToSeek) {\n if (skipSeparationSpace(state, true, -1)) {\n atNewLine = true;\n\n if (state.lineIndent > parentIndent) {\n indentStatus = 1;\n } else if (state.lineIndent === parentIndent) {\n indentStatus = 0;\n } else if (state.lineIndent < parentIndent) {\n indentStatus = -1;\n }\n }\n }\n\n if (indentStatus === 1) {\n while (readTagProperty(state) \|\| readAnchorProperty(state)) {\n if (skipSeparationSpace(state, true, -1)) {\n atNewLine = true;\n allowBlockCollections = allowBlockStyles;\n\n if (state.lineIndent > parentIndent) {\n indentStatus = 1;\n } else if (state.lineIndent === parentIndent) {\n indentStatus = 0;\n } else if (state.lineIndent < parentIndent) {\n indentStatus = -1;\n }\n } else {\n allowBlockCollections = false;\n }\n }\n }\n\n if (allowBlockCollections) {\n allowBlockCollections = atNewLine \|\| allowCompact;\n }\n\n if (indentStatus === 1 \|\| CONTEXT_BLOCK_OUT === nodeContext) {\n if (CONTEXT_FLOW_IN === nodeContext \|\| CONTEXT_FLOW_OUT === nodeContext) {\n flowIndent = parentIndent;\n } else {\n flowIndent = parentIndent + 1;\n }\n\n blockIndent = state.position - state.lineStart;\n\n if (indentStatus === 1) {\n if (allowBlockCollections &&\n (readBlockSequence(state, blockIndent) \|\|\n readBlockMapping(state, blockIndent, flowIndent)) \|\|\n readFlowCollection(state, flowIndent)) {\n hasContent = true;\n } else {\n if ((allowBlockScalars && readBlockScalar(state, flowIndent)) \|\|\n readSingleQuotedScalar(state, flowIndent) \|\|\n readDoubleQuotedScalar(state, flowIndent)) {\n hasContent = true;\n\n } else if (readAlias(state)) {\n hasContent = true;\n\n if (state.tag !== null \|\| state.anchor !== null) {\n throwError(state, 'alias node should not have any properties');\n }\n\n } else if (readPlainScalar(state, flowIndent, CONTEXT_FLOW_IN === nodeContext)) {\n hasContent = true;\n\n if (state.tag === null) {\n state.tag = '?';\n }\n }\n\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = state.result;\n }\n }\n } else if (indentStatus === 0) {\n // Special case: block sequences are allowed to have same indentation level as the parent.\n // http://www.yaml.org/spec/1.2/spec.html#id2799784\n hasContent = allowBlockCollections && readBlockSequence(state, blockIndent);\n }\n }\n\n if (state.tag === null) {\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = state.result;\n }\n\n } else if (state.tag === '?') {\n // Implicit resolving is not allowed for non-scalar types, and '?'\n // non-specific tag is only automatically assigned to plain scalars.\n //\n // We only need to check kind conformity in case user explicitly assigns '?'\n // tag, for example like this: \"!<?> [0]\"\n //\n if (state.result !== null && state.kind !== 'scalar') {\n throwError(state, 'unacceptable node kind for !<?> tag; it should be \"scalar\", not \"' + state.kind + '\"');\n }\n\n for (typeIndex = 0, typeQuantity = state.implicitTypes.length; typeIndex < typeQuantity; typeIndex += 1) {\n type = state.implicitTypes[typeIndex];\n\n if (type.resolve(state.result)) { // `state.result` updated in resolver if matched\n state.result = type.construct(state.result);\n state.tag = type.tag;\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = state.result;\n }\n break;\n }\n }\n } else if (state.tag !== '!') {\n if (_hasOwnProperty$1.call(state.typeMap[state.kind \|\| 'fallback'], state.tag)) {\n type = state.typeMap[state.kind \|\| 'fallback'][state.tag];\n } else {\n // looking for multi type\n type = null;\n typeList = state.typeMap.multi[state.kind \|\| 'fallback'];\n\n for (typeIndex = 0, typeQuantity = typeList.length; typeIndex < typeQuantity; typeIndex += 1) {\n if (state.tag.slice(0, typeList[typeIndex].tag.length) === typeList[typeIndex].tag) {\n type = typeList[typeIndex];\n break;\n }\n }\n }\n\n if (!type) {\n throwError(state, 'unknown tag !<' + state.tag + '>');\n }\n\n if (state.result !== null && type.kind !== state.kind) {\n throwError(state, 'unacceptable node kind for !<' + state.tag + '> tag; it should be \"' + type.kind + '\", not \"' + state.kind + '\"');\n }\n\n if (!type.resolve(state.result, state.tag)) { // `state.result` updated in resolver if matched\n throwError(state, 'cannot resolve a node with !<' + state.tag + '> explicit tag');\n } else {\n state.result = type.construct(state.result, state.tag);\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = state.result;\n }\n }\n }\n\n if (state.listener !== null) {\n state.listener('close', state);\n }\n return state.tag !== null \|\| state.anchor !== null \|\| hasContent;\n}\n\nfunction readDocument(state) {\n var documentStart = state.position,\n _position,\n directiveName,\n directiveArgs,\n hasDirectives = false,\n ch;\n\n state.version = null;\n state.checkLineBreaks = state.legacy;\n state.tagMap = Object.create(null);\n state.anchorMap = Object.create(null);\n\n while ((ch = state.input.charCodeAt(state.position)) !== 0) {\n skipSeparationSpace(state, true, -1);\n\n ch = state.input.charCodeAt(state.position);\n\n if (state.lineIndent > 0 \|\| ch !== 0x25/ % /) {\n break;\n }\n\n hasDirectives = true;\n ch = state.input.charCodeAt(++state.position);\n _position = state.position;\n\n while (ch !== 0 && !is_WS_OR_EOL(ch)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n directiveName = state.input.slice(_position, state.position);\n directiveArgs = [];\n\n if (directiveName.length < 1) {\n throwError(state, 'directive name must not be less than one character in length');\n }\n\n while (ch !== 0) {\n while (is_WHITE_SPACE(ch)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n if (ch === 0x23/ # /) {\n do { ch = state.input.charCodeAt(++state.position); }\n while (ch !== 0 && !is_EOL(ch));\n break;\n }\n\n if (is_EOL(ch)) break;\n\n _position = state.position;\n\n while (ch !== 0 && !is_WS_OR_EOL(ch)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n directiveArgs.push(state.input.slice(_position, state.position));\n }\n\n if (ch !== 0) readLineBreak(state);\n\n if (_hasOwnProperty$1.call(directiveHandlers, directiveName)) {\n directiveHandlers[directiveName](state, directiveName, directiveArgs);\n } else {\n throwWarning(state, 'unknown document directive \"' + directiveName + '\"');\n }\n }\n\n skipSeparationSpace(state, true, -1);\n\n if (state.lineIndent === 0 &&\n state.input.charCodeAt(state.position) === 0x2D/ - / &&\n state.input.charCodeAt(state.position + 1) === 0x2D/ - / &&\n state.input.charCodeAt(state.position + 2) === 0x2D/ - /) {\n state.position += 3;\n skipSeparationSpace(state, true, -1);\n\n } else if (hasDirectives) {\n throwError(state, 'directives end mark is expected');\n }\n\n composeNode(state, state.lineIndent - 1, CONTEXT_BLOCK_OUT, false, true);\n skipSeparationSpace(state, true, -1);\n\n if (state.checkLineBreaks &&\n PATTERN_NON_ASCII_LINE_BREAKS.test(state.input.slice(documentStart, state.position))) {\n throwWarning(state, 'non-ASCII line breaks are interpreted as content');\n }\n\n state.documents.push(state.result);\n\n if (state.position === state.lineStart && testDocumentSeparator(state)) {\n\n if (state.input.charCodeAt(state.position) === 0x2E/ . /) {\n state.position += 3;\n skipSeparationSpace(state, true, -1);\n }\n return;\n }\n\n if (state.position < (state.length - 1)) {\n throwError(state, 'end of the stream or a document separator is expected');\n } else {\n return;\n }\n}\n\n\nfunction loadDocuments(input, options) {\n input = String(input);\n options = options \|\| {};\n\n if (input.length !== 0) {\n\n // Add tailing `\\n` if not exists\n if (input.charCodeAt(input.length - 1) !== 0x0A/ LF / &&\n input.charCodeAt(input.length - 1) !== 0x0D/ CR /) {\n input += '\\n';\n }\n\n // Strip BOM\n if (input.charCodeAt(0) === 0xFEFF) {\n input = input.slice(1);\n }\n }\n\n var state = new State$1(input, options);\n\n var nullpos = input.indexOf('\\0');\n\n if (nullpos !== -1) {\n state.position = nullpos;\n throwError(state, 'null byte is not allowed in input');\n }\n\n // Use 0 as string terminator. That significantly simplifies bounds check.\n state.input += '\\0';\n\n while (state.input.charCodeAt(state.position) === 0x20/ Space /) {\n state.lineIndent += 1;\n state.position += 1;\n }\n\n while (state.position < (state.length - 1)) {\n readDocument(state);\n }\n\n return state.documents;\n}\n\n\nfunction loadAll$1(input, iterator, options) {\n if (iterator !== null && typeof iterator === 'object' && typeof options === 'undefined') {\n options = iterator;\n iterator = null;\n }\n\n var documents = loadDocuments(input, options);\n\n if (typeof iterator !== 'function') {\n return documents;\n }\n\n for (var index = 0, length = documents.length; index < length; index += 1) {\n iterator(documents[index]);\n }\n}\n\n\nfunction load$1(input, options) {\n var documents = loadDocuments(input, options);\n\n if (documents.length === 0) {\n /eslint-disable no-undefined/\n return undefined;\n } else if (documents.length === 1) {\n return documents[0];\n }\n throw new exception('expected a single document in the stream, but found more');\n}\n\n\nvar loadAll_1 = loadAll$1;\nvar load_1 = load$1;\n\nvar loader = {\n\tloadAll: loadAll_1,\n\tload: load_1\n};\n\n/eslint-disable no-use-before-define/\n\n\n\n\n\nvar _toString = Object.prototype.toString;\nvar _hasOwnProperty = Object.prototype.hasOwnProperty;\n\nvar CHAR_BOM = 0xFEFF;\nvar CHAR_TAB = 0x09; / Tab /\nvar CHAR_LINE_FEED = 0x0A; / LF /\nvar CHAR_CARRIAGE_RETURN = 0x0D; / CR /\nvar CHAR_SPACE = 0x20; / Space /\nvar CHAR_EXCLAMATION = 0x21; / ! /\nvar CHAR_DOUBLE_QUOTE = 0x22; / \" /\nvar CHAR_SHARP = 0x23; / # /\nvar CHAR_PERCENT = 0x25; / % /\nvar CHAR_AMPERSAND = 0x26; / & /\nvar CHAR_SINGLE_QUOTE = 0x27; / ' /\nvar CHAR_ASTERISK = 0x2A; / * /\nvar CHAR_COMMA = 0x2C; / , /\nvar CHAR_MINUS = 0x2D; / - /\nvar CHAR_COLON = 0x3A; / : /\nvar CHAR_EQUALS = 0x3D; / = /\nvar CHAR_GREATER_THAN = 0x3E; / > /\nvar CHAR_QUESTION = 0x3F; / ? /\nvar CHAR_COMMERCIAL_AT = 0x40; / @ /\nvar CHAR_LEFT_SQUARE_BRACKET = 0x5B; / [ /\nvar CHAR_RIGHT_SQUARE_BRACKET = 0x5D; / ] /\nvar CHAR_GRAVE_ACCENT = 0x60; / ` /\nvar CHAR_LEFT_CURLY_BRACKET = 0x7B; / { /\nvar CHAR_VERTICAL_LINE = 0x7C; / \| /\nvar CHAR_RIGHT_CURLY_BRACKET = 0x7D; / } /\n\nvar ESCAPE_SEQUENCES = {};\n\nESCAPE_SEQUENCES[0x00] = '\\\\0';\nESCAPE_SEQUENCES[0x07] = '\\\\a';\nESCAPE_SEQUENCES[0x08] = '\\\\b';\nESCAPE_SEQUENCES[0x09] = '\\\\t';\nESCAPE_SEQUENCES[0x0A] = '\\\\n';\nESCAPE_SEQUENCES[0x0B] = '\\\\v';\nESCAPE_SEQUENCES[0x0C] = '\\\\f';\nESCAPE_SEQUENCES[0x0D] = '\\\\r';\nESCAPE_SEQUENCES[0x1B] = '\\\\e';\nESCAPE_SEQUENCES[0x22] = '\\\\\"';\nESCAPE_SEQUENCES[0x5C] = '\\\\\\\\';\nESCAPE_SEQUENCES[0x85] = '\\\\N';\nESCAPE_SEQUENCES[0xA0] = '\\\\_';\nESCAPE_SEQUENCES[0x2028] = '\\\\L';\nESCAPE_SEQUENCES[0x2029] = '\\\\P';\n\nvar DEPRECATED_BOOLEANS_SYNTAX = [\n 'y', 'Y', 'yes', 'Yes', 'YES', 'on', 'On', 'ON',\n 'n', 'N', 'no', 'No', 'NO', 'off', 'Off', 'OFF'\n];\n\nvar DEPRECATED_BASE60_SYNTAX = /^[-+]?[0-9_]+(?::[0-9_]+)+(?:\\.[0-9_])?$/;\n\nfunction compileStyleMap(schema, map) {\n var result, keys, index, length, tag, style, type;\n\n if (map === null) return {};\n\n result = {};\n keys = Object.keys(map);\n\n for (index = 0, length = keys.length; index < length; index += 1) {\n tag = keys[index];\n style = String(map[tag]);\n\n if (tag.slice(0, 2) === '!!') {\n tag = 'tag:yaml.org,2002:' + tag.slice(2);\n }\n type = schema.compiledTypeMap['fallback'][tag];\n\n if (type && _hasOwnProperty.call(type.styleAliases, style)) {\n style = type.styleAliases[style];\n }\n\n result[tag] = style;\n }\n\n return result;\n}\n\nfunction encodeHex(character) {\n var string, handle, length;\n\n string = character.toString(16).toUpperCase();\n\n if (character <= 0xFF) {\n handle = 'x';\n length = 2;\n } else if (character <= 0xFFFF) {\n handle = 'u';\n length = 4;\n } else if (character <= 0xFFFFFFFF) {\n handle = 'U';\n length = 8;\n } else {\n throw new exception('code point within a string may not be greater than 0xFFFFFFFF');\n }\n\n return '\\\\' + handle + common.repeat('0', length - string.length) + string;\n}\n\n\nvar QUOTING_TYPE_SINGLE = 1,\n QUOTING_TYPE_DOUBLE = 2;\n\nfunction State(options) {\n this.schema = options['schema'] \|\| _default;\n this.indent = Math.max(1, (options['indent'] \|\| 2));\n this.noArrayIndent = options['noArrayIndent'] \|\| false;\n this.skipInvalid = options['skipInvalid'] \|\| false;\n this.flowLevel = (common.isNothing(options['flowLevel']) ? -1 : options['flowLevel']);\n this.styleMap = compileStyleMap(this.schema, options['styles'] \|\| null);\n this.sortKeys = options['sortKeys'] \|\| false;\n this.lineWidth = options['lineWidth'] \|\| 80;\n this.noRefs = options['noRefs'] \|\| false;\n this.noCompatMode = options['noCompatMode'] \|\| false;\n this.condenseFlow = options['condenseFlow'] \|\| false;\n this.quotingType = options['quotingType'] === '\"' ? QUOTING_TYPE_DOUBLE : QUOTING_TYPE_SINGLE;\n this.forceQuotes = options['forceQuotes'] \|\| false;\n this.replacer = typeof options['replacer'] === 'function' ? options['replacer'] : null;\n\n this.implicitTypes = this.schema.compiledImplicit;\n this.explicitTypes = this.schema.compiledExplicit;\n\n this.tag = null;\n this.result = '';\n\n this.duplicates = [];\n this.usedDuplicates = null;\n}\n\n// Indents every line in a string. Empty lines (\\n only) are not indented.\nfunction indentString(string, spaces) {\n var ind = common.repeat(' ', spaces),\n position = 0,\n next = -1,\n result = '',\n line,\n length = string.length;\n\n while (position < length) {\n next = string.indexOf('\\n', position);\n if (next === -1) {\n line = string.slice(position);\n position = length;\n } else {\n line = string.slice(position, next + 1);\n position = next + 1;\n }\n\n if (line.length && line !== '\\n') result += ind;\n\n result += line;\n }\n\n return result;\n}\n\nfunction generateNextLine(state, level) {\n return '\\n' + common.repeat(' ', state.indent * level);\n}\n\nfunction testImplicitResolving(state, str) {\n var index, length, type;\n\n for (index = 0, length = state.implicitTypes.length; index < length; index += 1) {\n type = state.implicitTypes[index];\n\n if (type.resolve(str)) {\n return true;\n }\n }\n\n return false;\n}\n\n// [33] s-white ::= s-space \| s-tab\nfunction isWhitespace(c) {\n return c === CHAR_SPACE \|\| c === CHAR_TAB;\n}\n\n// Returns true if the character can be printed without escaping.\n// From YAML 1.2: \"any allowed characters known to be non-printable\n// should also be escaped. [However,] This isn’t mandatory\"\n// Derived from nb-char - \\t - #x85 - #xA0 - #x2028 - #x2029.\nfunction isPrintable(c) {\n return (0x00020 <= c && c <= 0x00007E)\n \|\| ((0x000A1 <= c && c <= 0x00D7FF) && c !== 0x2028 && c !== 0x2029)\n \|\| ((0x0E000 <= c && c <= 0x00FFFD) && c !== CHAR_BOM)\n \|\| (0x10000 <= c && c <= 0x10FFFF);\n}\n\n// [34] ns-char ::= nb-char - s-white\n// [27] nb-char ::= c-printable - b-char - c-byte-order-mark\n// [26] b-char ::= b-line-feed \| b-carriage-return\n// Including s-white (for some reason, examples doesn't match specs in this aspect)\n// ns-char ::= c-printable - b-line-feed - b-carriage-return - c-byte-order-mark\nfunction isNsCharOrWhitespace(c) {\n return isPrintable(c)\n && c !== CHAR_BOM\n // - b-char\n && c !== CHAR_CARRIAGE_RETURN\n && c !== CHAR_LINE_FEED;\n}\n\n// [127] ns-plain-safe(c) ::= c = flow-out ⇒ ns-plain-safe-out\n// c = flow-in ⇒ ns-plain-safe-in\n// c = block-key ⇒ ns-plain-safe-out\n// c = flow-key ⇒ ns-plain-safe-in\n// [128] ns-plain-safe-out ::= ns-char\n// [129] ns-plain-safe-in ::= ns-char - c-flow-indicator\n// [130] ns-plain-char(c) ::= ( ns-plain-safe(c) - “:” - “#” )\n// \| ( /* An ns-char preceding / “#” )\n// \| ( “:” / Followed by an ns-plain-safe(c) / )\nfunction isPlainSafe(c, prev, inblock) {\n var cIsNsCharOrWhitespace = isNsCharOrWhitespace(c);\n var cIsNsChar = cIsNsCharOrWhitespace && !isWhitespace(c);\n return (\n // ns-plain-safe\n inblock ? // c = flow-in\n cIsNsCharOrWhitespace\n : cIsNsCharOrWhitespace\n // - c-flow-indicator\n && c !== CHAR_COMMA\n && c !== CHAR_LEFT_SQUARE_BRACKET\n && c !== CHAR_RIGHT_SQUARE_BRACKET\n && c !== CHAR_LEFT_CURLY_BRACKET\n && c !== CHAR_RIGHT_CURLY_BRACKET\n )\n // ns-plain-char\n && c !== CHAR_SHARP // false on '#'\n && !(prev === CHAR_COLON && !cIsNsChar) // false on ': '\n \|\| (isNsCharOrWhitespace(prev) && !isWhitespace(prev) && c === CHAR_SHARP) // change to true on '[^ ]#'\n \|\| (prev === CHAR_COLON && cIsNsChar); // change to true on ':[^ ]'\n}\n\n// Simplified test for values allowed as the first character in plain style.\nfunction isPlainSafeFirst(c) {\n // Uses a subset of ns-char - c-indicator\n // where ns-char = nb-char - s-white.\n // No support of ( ( “?” \| “:” \| “-” ) / Followed by an ns-plain-safe(c)) / ) part\n return isPrintable(c) && c !== CHAR_BOM\n && !isWhitespace(c) // - s-white\n // - (c-indicator ::=\n // “-” \| “?” \| “:” \| “,” \| “[” \| “]” \| “{” \| “}”\n && c !== CHAR_MINUS\n && c !== CHAR_QUESTION\n && c !== CHAR_COLON\n && c !== CHAR_COMMA\n && c !== CHAR_LEFT_SQUARE_BRACKET\n && c !== CHAR_RIGHT_SQUARE_BRACKET\n && c !== CHAR_LEFT_CURLY_BRACKET\n && c !== CHAR_RIGHT_CURLY_BRACKET\n // \| “#” \| “&” \| “” \| “!” \| “\|” \| “=” \| “>” \| “'” \| “\"”\n && c !== CHAR_SHARP\n && c !== CHAR_AMPERSAND\n && c !== CHAR_ASTERISK\n && c !== CHAR_EXCLAMATION\n && c !== CHAR_VERTICAL_LINE\n && c !== CHAR_EQUALS\n && c !== CHAR_GREATER_THAN\n && c !== CHAR_SINGLE_QUOTE\n && c !== CHAR_DOUBLE_QUOTE\n // \| “%” \| “@” \| “`”)\n && c !== CHAR_PERCENT\n && c !== CHAR_COMMERCIAL_AT\n && c !== CHAR_GRAVE_ACCENT;\n}\n\n// Simplified test for values allowed as the last character in plain style.\nfunction isPlainSafeLast(c) {\n // just not whitespace or colon, it will be checked to be plain character later\n return !isWhitespace(c) && c !== CHAR_COLON;\n}\n\n// Same as 'string'.codePointAt(pos), but works in older browsers.\nfunction codePointAt(string, pos) {\n var first = string.charCodeAt(pos), second;\n if (first >= 0xD800 && first <= 0xDBFF && pos + 1 < string.length) {\n second = string.charCodeAt(pos + 1);\n if (second >= 0xDC00 && second <= 0xDFFF) {\n // https://mathiasbynens.be/notes/javascript-encoding#surrogate-formulae\n return (first - 0xD800) * 0x400 + second - 0xDC00 + 0x10000;\n }\n }\n return first;\n}\n\n// Determines whether block indentation indicator is required.\nfunction needIndentIndicator(string) {\n var leadingSpaceRe = /^\\n* /;\n return leadingSpaceRe.test(string);\n}\n\nvar STYLE_PLAIN = 1,\n STYLE_SINGLE = 2,\n STYLE_LITERAL = 3,\n STYLE_FOLDED = 4,\n STYLE_DOUBLE = 5;\n\n// Determines which scalar styles are possible and returns the preferred style.\n// lineWidth = -1 => no limit.\n// Pre-conditions: str.length > 0.\n// Post-conditions:\n// STYLE_PLAIN or STYLE_SINGLE => no \\n are in the string.\n// STYLE_LITERAL => no lines are suitable for folding (or lineWidth is -1).\n// STYLE_FOLDED => a line > lineWidth and can be folded (and lineWidth != -1).\nfunction chooseScalarStyle(string, singleLineOnly, indentPerLevel, lineWidth,\n testAmbiguousType, quotingType, forceQuotes, inblock) {\n\n var i;\n var char = 0;\n var prevChar = null;\n var hasLineBreak = false;\n var hasFoldableLine = false; // only checked if shouldTrackWidth\n var shouldTrackWidth = lineWidth !== -1;\n var previousLineBreak = -1; // count the first line correctly\n var plain = isPlainSafeFirst(codePointAt(string, 0))\n && isPlainSafeLast(codePointAt(string, string.length - 1));\n\n if (singleLineOnly \|\| forceQuotes) {\n // Case: no block styles.\n // Check for disallowed characters to rule out plain and single.\n for (i = 0; i < string.length; char >= 0x10000 ? i += 2 : i++) {\n char = codePointAt(string, i);\n if (!isPrintable(char)) {\n return STYLE_DOUBLE;\n }\n plain = plain && isPlainSafe(char, prevChar, inblock);\n prevChar = char;\n }\n } else {\n // Case: block styles permitted.\n for (i = 0; i < string.length; char >= 0x10000 ? i += 2 : i++) {\n char = codePointAt(string, i);\n if (char === CHAR_LINE_FEED) {\n hasLineBreak = true;\n // Check if any line can be folded.\n if (shouldTrackWidth) {\n hasFoldableLine = hasFoldableLine \|\|\n // Foldable line = too long, and not more-indented.\n (i - previousLineBreak - 1 > lineWidth &&\n string[previousLineBreak + 1] !== ' ');\n previousLineBreak = i;\n }\n } else if (!isPrintable(char)) {\n return STYLE_DOUBLE;\n }\n plain = plain && isPlainSafe(char, prevChar, inblock);\n prevChar = char;\n }\n // in case the end is missing a \\n\n hasFoldableLine = hasFoldableLine \|\| (shouldTrackWidth &&\n (i - previousLineBreak - 1 > lineWidth &&\n string[previousLineBreak + 1] !== ' '));\n }\n // Although every style can represent \\n without escaping, prefer block styles\n // for multiline, since they're more readable and they don't add empty lines.\n // Also prefer folding a super-long line.\n if (!hasLineBreak && !hasFoldableLine) {\n // Strings interpretable as another type have to be quoted;\n // e.g. the string 'true' vs. the boolean true.\n if (plain && !forceQuotes && !testAmbiguousType(string)) {\n return STYLE_PLAIN;\n }\n return quotingType === QUOTING_TYPE_DOUBLE ? STYLE_DOUBLE : STYLE_SINGLE;\n }\n // Edge case: block indentation indicator can only have one digit.\n if (indentPerLevel > 9 && needIndentIndicator(string)) {\n return STYLE_DOUBLE;\n }\n // At this point we know block styles are valid.\n // Prefer literal style unless we want to fold.\n if (!forceQuotes) {\n return hasFoldableLine ? STYLE_FOLDED : STYLE_LITERAL;\n }\n return quotingType === QUOTING_TYPE_DOUBLE ? STYLE_DOUBLE : STYLE_SINGLE;\n}\n\n// Note: line breaking/folding is implemented for only the folded style.\n// NB. We drop the last trailing newline (if any) of a returned block scalar\n// since the dumper adds its own newline. This always works:\n// • No ending newline => unaffected; already using strip \"-\" chomping.\n// • Ending newline => removed then restored.\n// Importantly, this keeps the \"+\" chomp indicator from gaining an extra line.\nfunction writeScalar(state, string, level, iskey, inblock) {\n state.dump = (function () {\n if (string.length === 0) {\n return state.quotingType === QUOTING_TYPE_DOUBLE ? '\"\"' : \"''\";\n }\n if (!state.noCompatMode) {\n if (DEPRECATED_BOOLEANS_SYNTAX.indexOf(string) !== -1 \|\| DEPRECATED_BASE60_SYNTAX.test(string)) {\n return state.quotingType === QUOTING_TYPE_DOUBLE ? ('\"' + string + '\"') : (\"'\" + string + \"'\");\n }\n }\n\n var indent = state.indent * Math.max(1, level); // no 0-indent scalars\n // As indentation gets deeper, let the width decrease monotonically\n // to the lower bound min(state.lineWidth, 40).\n // Note that this implies\n // state.lineWidth ≤ 40 + state.indent: width is fixed at the lower bound.\n // state.lineWidth > 40 + state.indent: width decreases until the lower bound.\n // This behaves better than a constant minimum width which disallows narrower options,\n // or an indent threshold which causes the width to suddenly increase.\n var lineWidth = state.lineWidth === -1\n ? -1 : Math.max(Math.min(state.lineWidth, 40), state.lineWidth - indent);\n\n // Without knowing if keys are implicit/explicit, assume implicit for safety.\n var singleLineOnly = iskey\n // No block styles in flow mode.\n \|\| (state.flowLevel > -1 && level >= state.flowLevel);\n function testAmbiguity(string) {\n return testImplicitResolving(state, string);\n }\n\n switch (chooseScalarStyle(string, singleLineOnly, state.indent, lineWidth,\n testAmbiguity, state.quotingType, state.forceQuotes && !iskey, inblock)) {\n\n case STYLE_PLAIN:\n return string;\n case STYLE_SINGLE:\n return \"'\" + string.replace(/'/g, \"''\") + \"'\";\n case STYLE_LITERAL:\n return '\|' + blockHeader(string, state.indent)\n + dropEndingNewline(indentString(string, indent));\n case STYLE_FOLDED:\n return '>' + blockHeader(string, state.indent)\n + dropEndingNewline(indentString(foldString(string, lineWidth), indent));\n case STYLE_DOUBLE:\n return '\"' + escapeString(string) + '\"';\n default:\n throw new exception('impossible error: invalid scalar style');\n }\n }());\n}\n\n// Pre-conditions: string is valid for a block scalar, 1 <= indentPerLevel <= 9.\nfunction blockHeader(string, indentPerLevel) {\n var indentIndicator = needIndentIndicator(string) ? String(indentPerLevel) : '';\n\n // note the special case: the string '\\n' counts as a \"trailing\" empty line.\n var clip = string[string.length - 1] === '\\n';\n var keep = clip && (string[string.length - 2] === '\\n' \|\| string === '\\n');\n var chomp = keep ? '+' : (clip ? '' : '-');\n\n return indentIndicator + chomp + '\\n';\n}\n\n// (See the note for writeScalar.)\nfunction dropEndingNewline(string) {\n return string[string.length - 1] === '\\n' ? string.slice(0, -1) : string;\n}\n\n// Note: a long line without a suitable break point will exceed the width limit.\n// Pre-conditions: every char in str isPrintable, str.length > 0, width > 0.\nfunction foldString(string, width) {\n // In folded style, $k$ consecutive newlines output as $k+1$ newlines—\n // unless they're before or after a more-indented line, or at the very\n // beginning or end, in which case $k$ maps to $k$.\n // Therefore, parse each chunk as newline(s) followed by a content line.\n var lineRe = /(\\n+)([^\\n])/g;\n\n // first line (possibly an empty line)\n var result = (function () {\n var nextLF = string.indexOf('\\n');\n nextLF = nextLF !== -1 ? nextLF : string.length;\n lineRe.lastIndex = nextLF;\n return foldLine(string.slice(0, nextLF), width);\n }());\n // If we haven't reached the first content line yet, don't add an extra \\n.\n var prevMoreIndented = string[0] === '\\n' \|\| string[0] === ' ';\n var moreIndented;\n\n // rest of the lines\n var match;\n while ((match = lineRe.exec(string))) {\n var prefix = match[1], line = match[2];\n moreIndented = (line[0] === ' ');\n result += prefix\n + (!prevMoreIndented && !moreIndented && line !== ''\n ? '\\n' : '')\n + foldLine(line, width);\n prevMoreIndented = moreIndented;\n }\n\n return result;\n}\n\n// Greedy line breaking.\n// Picks the longest line under the limit each time,\n// otherwise settles for the shortest line over the limit.\n// NB. More-indented lines cannot* be folded, as that would add an extra \\n.\nfunction foldLine(line, width) {\n if (line === '' \|\| line[0] === ' ') return line;\n\n // Since a more-indented line adds a \\n, breaks can't be followed by a space.\n var breakRe = / [^ ]/g; // note: the match index will always be <= length-2.\n var match;\n // start is an inclusive index. end, curr, and next are exclusive.\n var start = 0, end, curr = 0, next = 0;\n var result = '';\n\n // Invariants: 0 <= start <= length-1.\n // 0 <= curr <= next <= max(0, length-2). curr - start <= width.\n // Inside the loop:\n // A match implies length >= 2, so curr and next are <= length-2.\n while ((match = breakRe.exec(line))) {\n next = match.index;\n // maintain invariant: curr - start <= width\n if (next - start > width) {\n end = (curr > start) ? curr : next; // derive end <= length-2\n result += '\\n' + line.slice(start, end);\n // skip the space that was output as \\n\n start = end + 1; // derive start <= length-1\n }\n curr = next;\n }\n\n // By the invariants, start <= length-1, so there is something left over.\n // It is either the whole string or a part starting from non-whitespace.\n result += '\\n';\n // Insert a break if the remainder is too long and there is a break available.\n if (line.length - start > width && curr > start) {\n result += line.slice(start, curr) + '\\n' + line.slice(curr + 1);\n } else {\n result += line.slice(start);\n }\n\n return result.slice(1); // drop extra \\n joiner\n}\n\n// Escapes a double-quoted string.\nfunction escapeString(string) {\n var result = '';\n var char = 0;\n var escapeSeq;\n\n for (var i = 0; i < string.length; char >= 0x10000 ? i += 2 : i++) {\n char = codePointAt(string, i);\n escapeSeq = ESCAPE_SEQUENCES[char];\n\n if (!escapeSeq && isPrintable(char)) {\n result += string[i];\n if (char >= 0x10000) result += string[i + 1];\n } else {\n result += escapeSeq \|\| encodeHex(char);\n }\n }\n\n return result;\n}\n\nfunction writeFlowSequence(state, level, object) {\n var _result = '',\n _tag = state.tag,\n index,\n length,\n value;\n\n for (index = 0, length = object.length; index < length; index += 1) {\n value = object[index];\n\n if (state.replacer) {\n value = state.replacer.call(object, String(index), value);\n }\n\n // Write only valid elements, put null instead of invalid elements.\n if (writeNode(state, level, value, false, false) \|\|\n (typeof value === 'undefined' &&\n writeNode(state, level, null, false, false))) {\n\n if (_result !== '') _result += ',' + (!state.condenseFlow ? ' ' : '');\n _result += state.dump;\n }\n }\n\n state.tag = _tag;\n state.dump = '[' + _result + ']';\n}\n\nfunction writeBlockSequence(state, level, object, compact) {\n var _result = '',\n _tag = state.tag,\n index,\n length,\n value;\n\n for (index = 0, length = object.length; index < length; index += 1) {\n value = object[index];\n\n if (state.replacer) {\n value = state.replacer.call(object, String(index), value);\n }\n\n // Write only valid elements, put null instead of invalid elements.\n if (writeNode(state, level + 1, value, true, true, false, true) \|\|\n (typeof value === 'undefined' &&\n writeNode(state, level + 1, null, true, true, false, true))) {\n\n if (!compact \|\| _result !== '') {\n _result += generateNextLine(state, level);\n }\n\n if (state.dump && CHAR_LINE_FEED === state.dump.charCodeAt(0)) {\n _result += '-';\n } else {\n _result += '- ';\n }\n\n _result += state.dump;\n }\n }\n\n state.tag = _tag;\n state.dump = _result \|\| '[]'; // Empty sequence if no valid values.\n}\n\nfunction writeFlowMapping(state, level, object) {\n var _result = '',\n _tag = state.tag,\n objectKeyList = Object.keys(object),\n index,\n length,\n objectKey,\n objectValue,\n pairBuffer;\n\n for (index = 0, length = objectKeyList.length; index < length; index += 1) {\n\n pairBuffer = '';\n if (_result !== '') pairBuffer += ', ';\n\n if (state.condenseFlow) pairBuffer += '\"';\n\n objectKey = objectKeyList[index];\n objectValue = object[objectKey];\n\n if (state.replacer) {\n objectValue = state.replacer.call(object, objectKey, objectValue);\n }\n\n if (!writeNode(state, level, objectKey, false, false)) {\n continue; // Skip this pair because of invalid key;\n }\n\n if (state.dump.length > 1024) pairBuffer += '? ';\n\n pairBuffer += state.dump + (state.condenseFlow ? '\"' : '') + ':' + (state.condenseFlow ? '' : ' ');\n\n if (!writeNode(state, level, objectValue, false, false)) {\n continue; // Skip this pair because of invalid value.\n }\n\n pairBuffer += state.dump;\n\n // Both key and value are valid.\n _result += pairBuffer;\n }\n\n state.tag = _tag;\n state.dump = '{' + _result + '}';\n}\n\nfunction writeBlockMapping(state, level, object, compact) {\n var _result = '',\n _tag = state.tag,\n objectKeyList = Object.keys(object),\n index,\n length,\n objectKey,\n objectValue,\n explicitPair,\n pairBuffer;\n\n // Allow sorting keys so that the output file is deterministic\n if (state.sortKeys === true) {\n // Default sorting\n objectKeyList.sort();\n } else if (typeof state.sortKeys === 'function') {\n // Custom sort function\n objectKeyList.sort(state.sortKeys);\n } else if (state.sortKeys) {\n // Something is wrong\n throw new exception('sortKeys must be a boolean or a function');\n }\n\n for (index = 0, length = objectKeyList.length; index < length; index += 1) {\n pairBuffer = '';\n\n if (!compact \|\| _result !== '') {\n pairBuffer += generateNextLine(state, level);\n }\n\n objectKey = objectKeyList[index];\n objectValue = object[objectKey];\n\n if (state.replacer) {\n objectValue = state.replacer.call(object, objectKey, objectValue);\n }\n\n if (!writeNode(state, level + 1, objectKey, true, true, true)) {\n continue; // Skip this pair because of invalid key.\n }\n\n explicitPair = (state.tag !== null && state.tag !== '?') \|\|\n (state.dump && state.dump.length > 1024);\n\n if (explicitPair) {\n if (state.dump && CHAR_LINE_FEED === state.dump.charCodeAt(0)) {\n pairBuffer += '?';\n } else {\n pairBuffer += '? ';\n }\n }\n\n pairBuffer += state.dump;\n\n if (explicitPair) {\n pairBuffer += generateNextLine(state, level);\n }\n\n if (!writeNode(state, level + 1, objectValue, true, explicitPair)) {\n continue; // Skip this pair because of invalid value.\n }\n\n if (state.dump && CHAR_LINE_FEED === state.dump.charCodeAt(0)) {\n pairBuffer += ':';\n } else {\n pairBuffer += ': ';\n }\n\n pairBuffer += state.dump;\n\n // Both key and value are valid.\n _result += pairBuffer;\n }\n\n state.tag = _tag;\n state.dump = _result \|\| '{}'; // Empty mapping if no valid pairs.\n}\n\nfunction detectType(state, object, explicit) {\n var _result, typeList, index, length, type, style;\n\n typeList = explicit ? state.explicitTypes : state.implicitTypes;\n\n for (index = 0, length = typeList.length; index < length; index += 1) {\n type = typeList[index];\n\n if ((type.instanceOf \|\| type.predicate) &&\n (!type.instanceOf \|\| ((typeof object === 'object') && (object instanceof type.instanceOf))) &&\n (!type.predicate \|\| type.predicate(object))) {\n\n if (explicit) {\n if (type.multi && type.representName) {\n state.tag = type.representName(object);\n } else {\n state.tag = type.tag;\n }\n } else {\n state.tag = '?';\n }\n\n if (type.represent) {\n style = state.styleMap[type.tag] \|\| type.defaultStyle;\n\n if (_toString.call(type.represent) === '[object Function]') {\n _result = type.represent(object, style);\n } else if (_hasOwnProperty.call(type.represent, style)) {\n _result = type.represent[style](object, style);\n } else {\n throw new exception('!<' + type.tag + '> tag resolver accepts not \"' + style + '\" style');\n }\n\n state.dump = _result;\n }\n\n return true;\n }\n }\n\n return false;\n}\n\n// Serializes `object` and writes it to global `result`.\n// Returns true on success, or false on invalid object.\n//\nfunction writeNode(state, level, object, block, compact, iskey, isblockseq) {\n state.tag = null;\n state.dump = object;\n\n if (!detectType(state, object, false)) {\n detectType(state, object, true);\n }\n\n var type = _toString.call(state.dump);\n var inblock = block;\n var tagStr;\n\n if (block) {\n block = (state.flowLevel < 0 \|\| state.flowLevel > level);\n }\n\n var objectOrArray = type === '[object Object]' \|\| type === '[object Array]',\n duplicateIndex,\n duplicate;\n\n if (objectOrArray) {\n duplicateIndex = state.duplicates.indexOf(object);\n duplicate = duplicateIndex !== -1;\n }\n\n if ((state.tag !== null && state.tag !== '?') \|\| duplicate \|\| (state.indent !== 2 && level > 0)) {\n compact = false;\n }\n\n if (duplicate && state.usedDuplicates[duplicateIndex]) {\n state.dump = 'ref_' + duplicateIndex;\n } else {\n if (objectOrArray && duplicate && !state.usedDuplicates[duplicateIndex]) {\n state.usedDuplicates[duplicateIndex] = true;\n }\n if (type === '[object Object]') {\n if (block && (Object.keys(state.dump).length !== 0)) {\n writeBlockMapping(state, level, state.dump, compact);\n if (duplicate) {\n state.dump = '&ref_' + duplicateIndex + state.dump;\n }\n } else {\n writeFlowMapping(state, level, state.dump);\n if (duplicate) {\n state.dump = '&ref_' + duplicateIndex + ' ' + state.dump;\n }\n }\n } else if (type === '[object Array]') {\n if (block && (state.dump.length !== 0)) {\n if (state.noArrayIndent && !isblockseq && level > 0) {\n writeBlockSequence(state, level - 1, state.dump, compact);\n } else {\n writeBlockSequence(state, level, state.dump, compact);\n }\n if (duplicate) {\n state.dump = '&ref_' + duplicateIndex + state.dump;\n }\n } else {\n writeFlowSequence(state, level, state.dump);\n if (duplicate) {\n state.dump = '&ref_' + duplicateIndex + ' ' + state.dump;\n }\n }\n } else if (type === '[object String]') {\n if (state.tag !== '?') {\n writeScalar(state, state.dump, level, iskey, inblock);\n }\n } else if (type === '[object Undefined]') {\n return false;\n } else {\n if (state.skipInvalid) return false;\n throw new exception('unacceptable kind of an object to dump ' + type);\n }\n\n if (state.tag !== null && state.tag !== '?') {\n // Need to encode all characters except those allowed by the spec:\n //\n // [35] ns-dec-digit ::= [#x30-#x39] / 0-9 /\n // [36] ns-hex-digit ::= ns-dec-digit\n // \| [#x41-#x46] / A-F / \| [#x61-#x66] / a-f /\n // [37] ns-ascii-letter ::= [#x41-#x5A] / A-Z / \| [#x61-#x7A] / a-z /\n // [38] ns-word-char ::= ns-dec-digit \| ns-ascii-letter \| “-”\n // [39] ns-uri-char ::= “%” ns-hex-digit ns-hex-digit \| ns-word-char \| “#”\n // \| “;” \| “/” \| “?” \| “:” \| “@” \| “&” \| “=” \| “+” \| “$” \| “,”\n // \| “_” \| “.” \| “!” \| “~” \| “” \| “'” \| “(” \| “)” \| “[” \| “]”\n //\n // Also need to encode '!' because it has special meaning (end of tag prefix).\n //\n tagStr = encodeURI(\n state.tag[0] === '!' ? state.tag.slice(1) : state.tag\n ).replace(/!/g, '%21');\n\n if (state.tag[0] === '!') {\n tagStr = '!' + tagStr;\n } else if (tagStr.slice(0, 18) === 'tag:yaml.org,2002:') {\n tagStr = '!!' + tagStr.slice(18);\n } else {\n tagStr = '!<' + tagStr + '>';\n }\n\n state.dump = tagStr + ' ' + state.dump;\n }\n }\n\n return true;\n}\n\nfunction getDuplicateReferences(object, state) {\n var objects = [],\n duplicatesIndexes = [],\n index,\n length;\n\n inspectNode(object, objects, duplicatesIndexes);\n\n for (index = 0, length = duplicatesIndexes.length; index < length; index += 1) {\n state.duplicates.push(objects[duplicatesIndexes[index]]);\n }\n state.usedDuplicates = new Array(length);\n}\n\nfunction inspectNode(object, objects, duplicatesIndexes) {\n var objectKeyList,\n index,\n length;\n\n if (object !== null && typeof object === 'object') {\n index = objects.indexOf(object);\n if (index !== -1) {\n if (duplicatesIndexes.indexOf(index) === -1) {\n duplicatesIndexes.push(index);\n }\n } else {\n objects.push(object);\n\n if (Array.isArray(object)) {\n for (index = 0, length = object.length; index < length; index += 1) {\n inspectNode(object[index], objects, duplicatesIndexes);\n }\n } else {\n objectKeyList = Object.keys(object);\n\n for (index = 0, length = objectKeyList.length; index < length; index += 1) {\n inspectNode(object[objectKeyList[index]], objects, duplicatesIndexes);\n }\n }\n }\n }\n}\n\nfunction dump$1(input, options) {\n options = options \|\| {};\n\n var state = new State(options);\n\n if (!state.noRefs) getDuplicateReferences(input, state);\n\n var value = input;\n\n if (state.replacer) {\n value = state.replacer.call({ '': value }, '', value);\n }\n\n if (writeNode(state, 0, value, true, true)) return state.dump + '\\n';\n\n return '';\n}\n\nvar dump_1 = dump$1;\n\nvar dumper = {\n\tdump: dump_1\n};\n\nfunction renamed(from, to) {\n return function () {\n throw new Error('Function yaml.' + from + ' is removed in js-yaml 4. ' +\n 'Use yaml.' + to + ' instead, which is now safe by default.');\n };\n}\n\n\nvar Type = type;\nvar Schema = schema;\nvar FAILSAFE_SCHEMA = failsafe;\nvar JSON_SCHEMA = json;\nvar CORE_SCHEMA = core;\nvar DEFAULT_SCHEMA = _default;\nvar load = loader.load;\nvar loadAll = loader.loadAll;\nvar dump = dumper.dump;\nvar YAMLException = exception;\n\n// Re-export all types in case user wants to create custom schema\nvar types = {\n binary: binary,\n float: float,\n map: map,\n null: _null,\n pairs: pairs,\n set: set,\n timestamp: timestamp,\n bool: bool,\n int: int,\n merge: merge,\n omap: omap,\n seq: seq,\n str: str\n};\n\n// Removed functions from JS-YAML 3.0.x\nvar safeLoad = renamed('safeLoad', 'load');\nvar safeLoadAll = renamed('safeLoadAll', 'loadAll');\nvar safeDump = renamed('safeDump', 'dump');\n\nvar jsYaml = {\n\tType: Type,\n\tSchema: Schema,\n\tFAILSAFE_SCHEMA: FAILSAFE_SCHEMA,\n\tJSON_SCHEMA: JSON_SCHEMA,\n\tCORE_SCHEMA: CORE_SCHEMA,\n\tDEFAULT_SCHEMA: DEFAULT_SCHEMA,\n\tload: load,\n\tloadAll: loadAll,\n\tdump: dump,\n\tYAMLException: YAMLException,\n\ttypes: types,\n\tsafeLoad: safeLoad,\n\tsafeLoadAll: safeLoadAll,\n\tsafeDump: safeDump\n};\n\nexport { CORE_SCHEMA, DEFAULT_SCHEMA, FAILSAFE_SCHEMA, JSON_SCHEMA, Schema, Type, YAMLException, jsYaml as default, dump, load, loadAll, safeDump, safeLoad, safeLoadAll, types };\n","/*\n PDLSS Policy Parser\n \n Parses local YAML policy files into typed LocalPolicy objects.\n * Validates against the PDLSS schema to ensure cloud compatibility.\n /\n\nimport as yaml from 'js-yaml';\nimport { readFileSync } from 'fs';\nimport type { LocalPolicy } from '../gateway/types';\nimport { validatePolicy, type ValidationResult } from './schema';\n\nexport interface ParseResult {\n policy: LocalPolicy \| null;\n validation: ValidationResult;\n rawYaml?: string;\n}\n\n/*\n Parse a YAML string into a LocalPolicy.\n /\nexport function parseYaml(yamlContent: string): ParseResult {\n let parsed: unknown;\n\n try {\n parsed = yaml.load(yamlContent);\n } catch (err) {\n const message = err instanceof Error ? err.message : 'Invalid YAML';\n return {\n policy: null,\n validation: { valid: false, errors: [{ path: '', message: `YAML parse error: ${message}` }] },\n rawYaml: yamlContent,\n };\n }\n\n const validation = validatePolicy(parsed);\n\n if (!validation.valid) {\n return { policy: null, validation, rawYaml: yamlContent };\n }\n\n return {\n policy: parsed as LocalPolicy,\n validation,\n rawYaml: yamlContent,\n };\n}\n\n/\n Parse a YAML file from disk into a LocalPolicy.\n /\nexport function parseFile(filePath: string): ParseResult {\n let content: string;\n\n try {\n content = readFileSync(filePath, 'utf-8');\n } catch (err) {\n const message = err instanceof Error ? err.message : 'File read error';\n return {\n policy: null,\n validation: { valid: false, errors: [{ path: '', message: `Failed to read policy file: ${message}` }] },\n };\n }\n\n return parseYaml(content);\n}\n\n/\n Convert a LocalPolicy back to YAML string (for upload to cloud).\n /\nexport function toYaml(policy: LocalPolicy): string {\n return yaml.dump(policy, { lineWidth: 120, noRefs: true });\n}\n","/\n PDLSS Policy Schema Validation\n \n Validates local YAML policy files against the PDLSS schema.\n * Ensures local policies can be uploaded to cloud without lossy transformation.\n /\n\nimport type { LocalRiskThresholds } from '../gateway/types';\n\nexport interface ValidationError {\n path: string;\n message: string;\n}\n\nexport interface ValidationResult {\n valid: boolean;\n errors: ValidationError[];\n}\n\n/\n Validate a parsed local policy object against the PDLSS schema.\n /\nexport function validatePolicy(policy: unknown): ValidationResult {\n const errors: ValidationError[] = [];\n\n if (!policy \|\| typeof policy !== 'object') {\n return { valid: false, errors: [{ path: '', message: 'Policy must be an object' }] };\n }\n\n const p = policy as Record<string, unknown>;\n\n // Required fields\n if (typeof p.version !== 'string') {\n errors.push({ path: 'version', message: 'version is required and must be a string' });\n }\n if (typeof p.name !== 'string') {\n errors.push({ path: 'name', message: 'name is required and must be a string' });\n }\n\n // Purposes\n if (!Array.isArray(p.purposes)) {\n errors.push({ path: 'purposes', message: 'purposes is required and must be an array' });\n } else {\n p.purposes.forEach((purpose: unknown, i: number) => {\n errors.push(...validatePurpose(purpose, `purposes[${i}]`));\n });\n }\n\n // Scope (optional)\n if (p.scope !== undefined) {\n errors.push(...validateScope(p.scope, 'scope'));\n }\n\n // Limits (optional)\n if (p.limits !== undefined) {\n errors.push(...validateLimits(p.limits, 'limits'));\n }\n\n // Risk thresholds (optional)\n if (p.riskThresholds !== undefined) {\n errors.push(...validateRiskThresholds(p.riskThresholds, 'riskThresholds'));\n }\n\n return { valid: errors.length === 0, errors };\n}\n\nfunction validatePurpose(purpose: unknown, path: string): ValidationError[] {\n const errors: ValidationError[] = [];\n\n if (!purpose \|\| typeof purpose !== 'object') {\n return [{ path, message: 'purpose must be an object' }];\n }\n\n const p = purpose as Record<string, unknown>;\n\n if (typeof p.id !== 'string' \|\| !p.id) {\n errors.push({ path: `${path}.id`, message: 'id is required and must be a non-empty string' });\n }\n\n if (typeof p.allowed !== 'boolean') {\n errors.push({ path: `${path}.allowed`, message: 'allowed is required and must be a boolean' });\n }\n\n if (p.targets !== undefined && !isStringArray(p.targets)) {\n errors.push({ path: `${path}.targets`, message: 'targets must be an array of strings' });\n }\n\n if (p.blockedPatterns !== undefined && !isStringArray(p.blockedPatterns)) {\n errors.push({ path: `${path}.blockedPatterns`, message: 'blockedPatterns must be an array of strings' });\n }\n\n if (p.requiresApproval !== undefined && typeof p.requiresApproval !== 'boolean') {\n errors.push({ path: `${path}.requiresApproval`, message: 'requiresApproval must be a boolean' });\n }\n\n return errors;\n}\n\nfunction validateScope(scope: unknown, path: string): ValidationError[] {\n const errors: ValidationError[] = [];\n\n if (typeof scope !== 'object' \|\| scope === null) {\n return [{ path, message: 'scope must be an object' }];\n }\n\n const s = scope as Record<string, unknown>;\n\n for (const field of ['allowedDomains', 'blockedDomains', 'blockedResources']) {\n if (s[field] !== undefined && !isStringArray(s[field])) {\n errors.push({ path: `${path}.${field}`, message: `${field} must be an array of strings` });\n }\n }\n\n return errors;\n}\n\nfunction validateLimits(limits: unknown, path: string): ValidationError[] {\n const errors: ValidationError[] = [];\n\n if (typeof limits !== 'object' \|\| limits === null) {\n return [{ path, message: 'limits must be an object' }];\n }\n\n const l = limits as Record<string, unknown>;\n\n if (l.maxTransactionAmount !== undefined && typeof l.maxTransactionAmount !== 'number') {\n errors.push({ path: `${path}.maxTransactionAmount`, message: 'maxTransactionAmount must be a number' });\n }\n\n if (l.maxRequestsPerHour !== undefined && typeof l.maxRequestsPerHour !== 'number') {\n errors.push({ path: `${path}.maxRequestsPerHour`, message: 'maxRequestsPerHour must be a number' });\n }\n\n if (l.currency !== undefined && typeof l.currency !== 'string') {\n errors.push({ path: `${path}.currency`, message: 'currency must be a string' });\n }\n\n return errors;\n}\n\nfunction validateRiskThresholds(thresholds: unknown, path: string): ValidationError[] {\n const errors: ValidationError[] = [];\n\n if (typeof thresholds !== 'object' \|\| thresholds === null) {\n return [{ path, message: 'riskThresholds must be an object' }];\n }\n\n const t = thresholds as Record<string, unknown>;\n\n for (const range of ['autoAllow', 'requireApproval', 'autoBlock'] as const) {\n if (!t[range] \|\| typeof t[range] !== 'object') {\n errors.push({ path: `${path}.${range}`, message: `${range} is required and must be an object with min and max` });\n continue;\n }\n\n const r = t[range] as Record<string, unknown>;\n if (typeof r.min !== 'number' \|\| typeof r.max !== 'number') {\n errors.push({ path: `${path}.${range}`, message: `${range} must have numeric min and max` });\n } else if (r.min > r.max) {\n errors.push({ path: `${path}.${range}`, message: `${range}.min must be <= ${range}.max` });\n }\n }\n\n // Validate contiguous ranges (no gaps)\n if (isValidThresholdShape(t)) {\n const thresholdObj = t as unknown as LocalRiskThresholds;\n if (thresholdObj.autoAllow.max + 1 !== thresholdObj.requireApproval.min) {\n errors.push({\n path: `${path}`,\n message: `Gap between autoAllow.max (${thresholdObj.autoAllow.max}) and requireApproval.min (${thresholdObj.requireApproval.min}). Ranges must be contiguous.`,\n });\n }\n if (thresholdObj.requireApproval.max + 1 !== thresholdObj.autoBlock.min) {\n errors.push({\n path: `${path}`,\n message: `Gap between requireApproval.max (${thresholdObj.requireApproval.max}) and autoBlock.min (${thresholdObj.autoBlock.min}). Ranges must be contiguous.`,\n });\n }\n }\n\n return errors;\n}\n\nfunction isStringArray(val: unknown): val is string[] {\n return Array.isArray(val) && val.every((v) => typeof v === 'string');\n}\n\nfunction isValidThresholdShape(t: Record<string, unknown>): boolean {\n for (const key of ['autoAllow', 'requireApproval', 'autoBlock']) {\n const r = t[key];\n if (!r \|\| typeof r !== 'object') return false;\n const range = r as Record<string, unknown>;\n if (typeof range.min !== 'number' \|\| typeof range.max !== 'number') return false;\n }\n return true;\n}\n","/\n Local Mode — Evaluates actions against a local PDLSS policy file.\n * No network calls, no account required, runs entirely in-process.\n /\n\nimport type { AstraSyncGatewayConfig, PDLSSContext, VerificationDecision } from '../types';\nimport { LocalEvaluator } from '../../local-evaluator/evaluator';\nimport { parseFile } from '../../local-evaluator/pdlss-parser';\n\n/\n Load a local evaluator from config.\n /\nexport function loadEvaluator(config: AstraSyncGatewayConfig): LocalEvaluator {\n if (config.policy) {\n return new LocalEvaluator(config.policy);\n }\n\n if (config.policyFile) {\n const result = parseFile(config.policyFile);\n if (!result.policy) {\n const errors = result.validation.errors.map((e) => `${e.path}: ${e.message}`).join('; ');\n throw new Error(`Invalid policy file ${config.policyFile}: ${errors}`);\n }\n return new LocalEvaluator(result.policy);\n }\n\n throw new Error('Local mode requires either policyFile or policy in config');\n}\n\n/\n Verify locally against the loaded PDLSS policy.\n /\nexport function verifyLocal(evaluator: LocalEvaluator, context: PDLSSContext): VerificationDecision {\n return evaluator.evaluate(context);\n}\n","/\n AstraSync Universal Verification Gateway - Access Level Definitions\n \n Defines the hierarchy and capabilities of each access level.\n \n v2.3.9 (defect #30): renamed `'guidance'` band → `'restricted'`. See\n * `types.ts` AccessLevel for the rationale (value-name collision with the\n * `guidance: {...}` help-payload object on VerificationResult).\n /\n\nimport type { AccessLevel, TrustLevel } from './types';\n\n/\n Access level hierarchy (higher number = more access)\n /\nexport const ACCESS_LEVEL_HIERARCHY: Record<AccessLevel, number> = {\n none: 0,\n restricted: 1,\n 'read-only': 2,\n standard: 3,\n full: 4,\n internal: 5,\n};\n\n/\n Access level descriptions for UI\n /\nexport const ACCESS_LEVEL_DESCRIPTIONS: Record<AccessLevel, string> = {\n none: 'No access - credentials required',\n restricted: 'Restricted access - registration prompt only',\n 'read-only': 'Read-only access - can browse but not modify',\n standard: 'Standard access - normal operations per PDLSS policy',\n full: 'Full access - all operations for high-trust agents',\n internal: 'Internal access - organization member privileges',\n};\n\n/\n Default trust score thresholds for access levels\n /\nexport const DEFAULT_TRUST_THRESHOLDS: Record<AccessLevel, number> = {\n none: 0,\n restricted: 0,\n 'read-only': 20,\n standard: 40,\n full: 70,\n internal: 0, // Internal is based on org membership, not score\n};\n\n/\n Trust level score ranges\n /\nexport const TRUST_LEVEL_RANGES: Record<TrustLevel, { min: number; max: number }> = {\n BRONZE: { min: 0, max: 39 },\n SILVER: { min: 40, max: 59 },\n GOLD: { min: 60, max: 79 },\n PLATINUM: { min: 80, max: 100 },\n};\n\n/\n Determine trust level from score\n /\nexport function getTrustLevel(score: number): TrustLevel {\n if (score >= 80) return 'PLATINUM';\n if (score >= 60) return 'GOLD';\n if (score >= 40) return 'SILVER';\n return 'BRONZE';\n}\n\n/\n Check if access level A is greater than or equal to access level B\n /\nexport function hasMinimumAccess(actual: AccessLevel, required: AccessLevel): boolean {\n return ACCESS_LEVEL_HIERARCHY[actual] >= ACCESS_LEVEL_HIERARCHY[required];\n}\n\n/\n Get the highest access level for a given trust score\n /\nexport function getAccessLevelForScore(\n trustScore: number,\n thresholds: Record<AccessLevel, number> = DEFAULT_TRUST_THRESHOLDS\n): AccessLevel {\n if (trustScore >= thresholds.full) return 'full';\n if (trustScore >= thresholds.standard) return 'standard';\n if (trustScore >= thresholds['read-only']) return 'read-only';\n return 'restricted';\n}\n\n/\n Determine access level from verification result.\n \n v2.3.9 (defect #30): unverified callers now return `'none'` (was\n * `'guidance'`). Denials grant zero — never a positive band.\n /\nexport function determineAccessLevel(\n verified: boolean,\n trustScore: number,\n isOrgMember: boolean,\n customThresholds?: Partial<Record<AccessLevel, number>>\n): AccessLevel {\n if (!verified) {\n return 'none';\n }\n\n if (isOrgMember) {\n return 'internal';\n }\n\n const thresholds = {\n ...DEFAULT_TRUST_THRESHOLDS,\n ...customThresholds,\n };\n\n return getAccessLevelForScore(trustScore, thresholds);\n}\n\n/\n Access capabilities per level\n /\nexport interface AccessCapabilities {\n canRead: boolean;\n canWrite: boolean;\n canDelete: boolean;\n canAdmin: boolean;\n canAccessInternal: boolean;\n maxTransactionValue?: number;\n allowedPurposes?: string[];\n}\n\n/\n Get capabilities for an access level\n /\nexport function getCapabilities(accessLevel: AccessLevel): AccessCapabilities {\n switch (accessLevel) {\n case 'none':\n return {\n canRead: false,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'restricted':\n return {\n canRead: false,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'read-only':\n return {\n canRead: true,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'standard':\n return {\n canRead: true,\n canWrite: true,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'full':\n return {\n canRead: true,\n canWrite: true,\n canDelete: true,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'internal':\n return {\n canRead: true,\n canWrite: true,\n canDelete: true,\n canAdmin: true,\n canAccessInternal: true,\n };\n default:\n return {\n canRead: false,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n }\n}\n","/\n Round-13 (F14 closure / R13-7): single source-of-truth for the SDK's\n * package version emitted on verify-access bodies (and any future\n * telemetry). Bumped alongside `package.json#version` on every release.\n \n Why a constant rather than `import pkg from '../package.json'`:\n * - `tsconfig.json` sets `rootDir: ./src`; importing the sibling\n * package.json fails the build with \"outside rootDir\".\n * - Build-time string replacement (tsup `define`, esbuild banner, etc.)\n * adds toolchain coupling for a trivial gain.\n * - Embedded readonly constant works in every environment (Node, browser,\n * bundlers, Deno) without runtime fs / network access.\n \n Release discipline: a CI lint can grep `package.json#version` against\n * this constant if the two ever diverge in the wild. Round-13 manual bump\n * is fine — bumping both in the release-ceremony commit keeps them\n * lockstep.\n /\nexport const SDK_VERSION = '2.4.9';\n","/\n AstraSync Universal Verification Gateway - Core Verification Logic\n \n This module handles the core verification logic, calling the AstraSync API\n * and processing the response into a standardized VerificationResult.\n /\n\nimport type {\n GatewayConfig,\n AgentCredentials,\n VerificationRequest,\n VerificationResult,\n VerifiedAgent,\n VerifiedDeveloper,\n VerifiedOrganization,\n GuidanceInfo,\n AccessLevel,\n EnhancedVerificationResult,\n TokenGuidance,\n RuntimeChallengeResult,\n} from './types';\nimport { getTrustLevel, ACCESS_LEVEL_HIERARCHY } from './access-levels';\nimport { SDK_VERSION } from './version';\n\n/\n Default configuration values\n \n apiBaseUrl matches the OpenAPI authoritative server (https://astrasync.ai/api\n * for prod, https://staging.astrasync.ai/api for staging). Always include the\n * /api path prefix when overriding — registration / docs URLs are derived by\n * stripping it.\n /\nconst DEFAULT_CONFIG: Partial<GatewayConfig> = {\n apiBaseUrl: 'https://astrasync.ai/api',\n // v2.3.9 (defect #30): default for unconfigured callers is `'none'` (no\n // access). Pre-rename this defaulted to `'guidance'`, which combined with\n // a route gated at `'guidance'` to silently let unverified traffic\n // through (`hasMinimumAccess('guidance', 'guidance') === true`).\n defaultAccessLevel: 'none',\n // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.\n cacheTtl: 300, // 5 minutes\n debug: false,\n};\n\n/\n Init self-test state. Fires once per process on first verify() call to warn\n * if apiBaseUrl is pointing at the wrong host (e.g. a marketing site that\n * 200s with text/html instead of the API).\n /\nlet initCheckPerformed = false;\n\n/* One-shot guard for v2.3.0 deprecation warning. /\nlet deprecationWarningShown = false;\n\nasync function performInitCheck(apiBaseUrl: string, debug?: boolean): Promise<void> {\n initCheckPerformed = true;\n try {\n const probeUrl = `${apiBaseUrl}/agents/verify-access`;\n // HEAD mirrors GET semantics (running the full request pipeline without a\n // body) so the response carries the same content-type the marketing 404\n // would return. OPTIONS often gets short-circuited by CORS-preflight\n // handlers and returns no content-type, defeating the check.\n const response = await fetch(probeUrl, { method: 'HEAD' });\n const contentType = response.headers.get('content-type') ?? '';\n if (contentType.startsWith('text/html')) {\n console.warn(\n `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). ` +\n `This usually means apiBaseUrl is pointing at a marketing site instead of the API. ` +\n `Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). ` +\n `Set disableInitChecks: true on GatewayConfig to silence this warning.`\n );\n } else if (debug) {\n console.log(\n `[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`\n );\n }\n } catch (err) {\n if (debug) {\n console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);\n }\n }\n}\n\n/\n Simple in-memory cache for verification results\n /\nconst verificationCache = new Map<string, { result: VerificationResult; expiresAt: number }>();\n\n/\n Generate cache key from credentials\n /\nfunction getCacheKey(credentials: AgentCredentials): string {\n return `${credentials.astraId \|\| ''}-${credentials.apiKey \|\| ''}-${credentials.jwt \|\| ''}`;\n}\n\n/\n Check if cached result is still valid\n /\nfunction getCachedResult(credentials: AgentCredentials): VerificationResult \| null {\n const key = getCacheKey(credentials);\n const cached = verificationCache.get(key);\n\n if (cached && cached.expiresAt > Date.now()) {\n return cached.result;\n }\n\n if (cached) {\n verificationCache.delete(key);\n }\n\n return null;\n}\n\n/\n Cache a verification result\n /\nfunction cacheResult(\n credentials: AgentCredentials,\n result: VerificationResult,\n ttlSeconds: number\n): void {\n const key = getCacheKey(credentials);\n verificationCache.set(key, {\n result,\n expiresAt: Date.now() + ttlSeconds 1000,\n });\n}\n\n/*\n Clear the verification cache\n /\nexport function clearCache(): void {\n verificationCache.clear();\n}\n\n/\n Extract agent credentials from various sources\n /\nexport function extractCredentials(\n headers: Record<string, string \| string[] \| undefined>,\n query?: Record<string, string \| undefined>\n): AgentCredentials {\n const credentials: AgentCredentials = {};\n\n // Check for ASTRA-ID in headers (case-insensitive). Accepts the historical\n // X-Astra-Id name plus the X-Astra-AgentId / x-astra-agent-id alias the\n // partner asked for in #9a — both surface the same field.\n const astraIdHeader =\n headers['x-astra-id'] \|\|\n headers['X-Astra-Id'] \|\|\n headers['X-ASTRA-ID'] \|\|\n headers['x-astra-agentid'] \|\|\n headers['X-Astra-AgentId'] \|\|\n headers['x-astra-agent-id'] \|\|\n headers['X-Astra-Agent-Id'] \|\|\n headers['X-ASTRA-AGENT-ID'];\n if (astraIdHeader) {\n credentials.astraId = Array.isArray(astraIdHeader) ? astraIdHeader[0] : astraIdHeader;\n }\n\n // Check for API key in headers\n const apiKeyHeader = headers['x-api-key'] \|\| headers['X-Api-Key'] \|\| headers['X-API-KEY'];\n if (apiKeyHeader) {\n credentials.apiKey = Array.isArray(apiKeyHeader) ? apiKeyHeader[0] : apiKeyHeader;\n }\n\n // Check Authorization header for Bearer token\n const authHeader = headers['authorization'] \|\| headers['Authorization'];\n if (authHeader) {\n const authValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;\n credentials.authorizationHeader = authValue;\n\n if (authValue.startsWith('Bearer ')) {\n credentials.jwt = authValue.slice(7);\n }\n }\n\n // Check query parameters as fallback\n if (query) {\n if (query.astraId && !credentials.astraId) {\n credentials.astraId = query.astraId;\n }\n if (query.apiKey && !credentials.apiKey) {\n credentials.apiKey = query.apiKey;\n }\n }\n\n return credentials;\n}\n\n/\n Check if credentials are present\n /\nexport function hasCredentials(credentials: AgentCredentials): boolean {\n return !!(credentials.astraId \|\| credentials.apiKey \|\| credentials.jwt);\n}\n\n/\n Source of a synthesised guidance response. Round-10 split — the\n * `'no_credentials'` shape is the original (caller has no AstraSync\n * credentials, suggest registration). The `'api_error'` shape is for when\n * the verify-access HTTP call itself failed (5xx, network, etc.) — DON'T\n * tell a verified-but-currently-blocked partner to \"register your agent\".\n /\ntype GuidanceSource = 'no_credentials' \| 'api_error';\n\n/\n Create guidance response for unverified agents or for API-error fallback.\n \n Round-10 (#47, O5): split source so the `register your agent` template\n * doesn't fire on transient backend failures. Also threads `correlationId`\n * through so adapter `onDenied` handlers can surface it on the merchant's\n * response body for log correlation.\n /\nfunction createGuidanceResponse(\n config: GatewayConfig,\n reason?: string,\n options: { source?: GuidanceSource; correlationId?: string } = {}\n): VerificationResult {\n const source = options.source ?? 'no_credentials';\n const isApiError = source === 'api_error';\n\n const guidance: GuidanceInfo = isApiError\n ? {\n message:\n 'Verification is temporarily unavailable. Retry with exponential backoff; if the issue persists, contact support with the correlationId.',\n registrationUrl: `${config.apiBaseUrl.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl.replace('/api', '')}/docs/agent-access`,\n steps: [\n 'Retry the request with exponential backoff',\n 'If failures persist, share the correlationId with support',\n ],\n }\n : {\n message:\n 'This service verifies AI agents before granting access. Please register your agent with AstraSync.',\n registrationUrl: `${config.apiBaseUrl.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl.replace('/api', '')}/docs/agent-access`,\n steps: [\n 'Register for an AstraSync account',\n 'Create and register your agent',\n 'Add your ASTRA-ID to request headers',\n 'Retry your request',\n ],\n };\n\n return {\n // Round-18 G4: createGuidanceResponse fires for unverified-agent path or\n // API-error fallback. Identity is not verified (no agent resolved);\n // policy is not evaluated (we never reached the gate).\n identityVerified: false,\n policyAllowed: false,\n // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.\n // Adapters additionally short-circuit on `!identityVerified \|\|\n // !policyAllowed` before the gate check, but the access level still has\n // to be honest at the data layer so downstream consumers (SDK adapters\n // in other languages, custom integrations) inherit the correct\n // semantics.\n accessLevel: 'none',\n guidance,\n denialReasons: reason ? [reason] : ['No valid agent credentials provided'],\n // Round-10 (#47, O5): on API-error fallback, surface a typed failure so\n // partners (and their custom onDenied handlers) can branch on\n // dimension. Without this, the synthesised stub was indistinguishable\n // from a real policy deny.\n failures: isApiError\n ? [\n {\n dimension: 'verify_access.api_error',\n message: reason ?? 'Verification temporarily unavailable',\n guidance: guidance.message,\n },\n ]\n : undefined,\n correlationId: options.correlationId,\n verifiedAt: new Date(),\n };\n}\n\n/\n Call the AstraSync verify-access API\n /\nasync function callVerifyAccessAPI(\n config: GatewayConfig,\n request: VerificationRequest\n): Promise<{\n success: boolean;\n access?: {\n allowed: boolean;\n /\n Server-decided access level. Read verbatim — do NOT remap client-side.\n * The server resolves this from endpoint policy + agent trust score using\n * the canonical thresholds (see backend `apps/backend/src/utils/access-levels.ts`).\n /\n accessLevel?: AccessLevel;\n reason?: string;\n /\n Aggregated denial failures (v2.9.8+). Empty / absent when allowed.\n * Each entry is `{ dimension, message, guidance? }` — see\n * `AccessFailure` for the contract.\n /\n failures?: Array<{ dimension: string; message: string; guidance?: string }>;\n requiresStepUp?: boolean;\n requiresApproval?: boolean;\n appliedPolicy?: {\n boundaryName: string;\n policyVersion: string;\n };\n counterparty?: {\n id: string;\n name: string;\n trustScoreRequirement: number;\n };\n };\n agent?: {\n kyaAgentId: string;\n astraId: string;\n name: string;\n trustScore: number;\n trustLevel: string;\n agentStatus: string;\n blockchainStatus: string;\n };\n developer?: {\n kyaOwnerId: string;\n fullName: string;\n email: string;\n identityVerified: boolean;\n trustScore: number;\n };\n organization?: {\n name: string;\n verified: boolean;\n trustScore: number;\n };\n /\n Structured explanation of the verification decision. Tells the merchant\n * WHY (id verified? challenge passed? request within PDLSS? trust score?)\n * without exposing thresholds, scope lists, or other-tenant counterparty\n * membership. Empty `attestations` unless the endpoint's access policy\n * declared `required_attestations`.\n /\n verificationContext?: {\n idVerified: boolean;\n runtimeChallenge: {\n status: 'passed' \| 'skipped' \| 'failed' \| 'timeout' \| 'not_supported';\n checkedAt: string \| null;\n };\n pdlssCheck: {\n result: 'within' \| 'exceeded' \| 'denied' \| 'not_evaluated';\n purpose: 'approved' \| 'denied';\n scope: 'approved' \| 'denied';\n };\n dynamicTrustScore: number;\n attestations: Array<{\n type: string;\n status: 'passed' \| 'failed';\n validUntil?: string;\n proofType: 'reference' \| 'zkp';\n proof: string;\n }>;\n };\n error?: string;\n /\n Round-10 (#47, O5): when the verify-access server response carries a\n * correlationId on an error envelope, propagate it so the SDK can thread\n * it through createGuidanceResponse → adapter onDenied → merchant body.\n /\n correlationId?: string;\n}> {\n const { credentials, ...requestData } = request;\n\n // Build the request body. agentId is omitted when not provided so the\n // server treats it as an anonymous canonical-flow call (Branch A/B/C).\n const body: Record<string, unknown> = {\n ...(credentials.astraId && { agentId: credentials.astraId }),\n purpose: requestData.purpose \|\| 'general',\n };\n\n // Add optional fields\n if (requestData.action) body.action = requestData.action;\n if (requestData.resourceType) body.resourceType = requestData.resourceType;\n if (requestData.resource) body.resource = requestData.resource;\n if (requestData.jurisdiction) body.jurisdiction = requestData.jurisdiction;\n if (requestData.transactionValue) body.transactionValue = requestData.transactionValue;\n if (requestData.currency) body.currency = requestData.currency;\n if (requestData.isSubAgentRequest) body.isSubAgentRequest = requestData.isSubAgentRequest;\n if (requestData.parentAgentId) body.parentAgentId = requestData.parentAgentId;\n if (requestData.subAgentDepth !== undefined) body.subAgentDepth = requestData.subAgentDepth;\n // Handshake Protocol v10 additions\n if (requestData.enableRuntimeChallenge)\n body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;\n if (requestData.createSession) body.createSession = requestData.createSession;\n if (requestData.durationRequired) body.durationRequired = requestData.durationRequired;\n if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;\n if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;\n if (config.counterpartyId) body.counterpartyId = config.counterpartyId;\n if (requestData.runtimeChallengeOptions)\n body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;\n // Round-12 (F19): transport-vs-intent separation. MCP middleware sets\n // this to 'mcp'; non-MCP callers leave it unset.\n if (requestData.invocationProtocol) body.invocationProtocol = requestData.invocationProtocol;\n\n // Round-13 (F14 closure / R13-7): emit the SDK package version on every\n // verify-access body so the backend can auto-populate `kya_counterparty.\n // sdk_version` for the calling endpoint. Body field (not User-Agent\n // header) is the canonical channel — works in Node, browser, behind\n // Cloudflare, and across SDK bundlers without environment-specific\n // header gymnastics. Backend's `validation.ts:verifyAccessSchema`\n // accepts the semver regex; the auto-pop logic is forward-only.\n body.sdkVersion = SDK_VERSION;\n\n // Forward caller metadata when present. Merges the legacy top-level\n // clientIp/userAgent into the nested block for backward compatibility.\n if (requestData.callerMetadata \|\| requestData.clientIp \|\| requestData.userAgent) {\n const meta = {\n ...(requestData.clientIp && { sourceIp: requestData.clientIp }),\n ...(requestData.userAgent && { userAgent: requestData.userAgent }),\n ...requestData.callerMetadata,\n };\n if (Object.keys(meta).length > 0) body.callerMetadata = meta;\n }\n\n // Build headers\n const headers: Record<string, string> = {\n 'Content-Type': 'application/json',\n ...config.customHeaders,\n };\n\n // verify-access requires authentication. The backend's authenticate middleware\n // accepts either a JWT or an API key (starts with kya_) via `Authorization: Bearer <token>`.\n // Credential-supplied auth header (e.g. the agent's own token) takes priority.\n if (credentials.authorizationHeader) {\n headers['Authorization'] = credentials.authorizationHeader;\n } else if (config.apiKey) {\n headers['Authorization'] = `Bearer ${config.apiKey}`;\n }\n // Legacy header kept for compatibility with any middleware that reads it directly.\n if (config.apiKey) {\n headers['X-API-Key'] = config.apiKey;\n }\n\n try {\n const response = await fetch(`${config.apiBaseUrl}/agents/verify-access`, {\n method: 'POST',\n headers,\n body: JSON.stringify(body),\n });\n\n const data = await response.json();\n\n // v2.3.8 (defect #29): treat 410 Gone as a deterministic deactivated-endpoint\n // signal. Older SDKs may treat any non-2xx as transient and retry; v2.3.8+\n // surfaces it as a structured denial with `reason: 'endpoint_deactivated'`\n // so callers can distinguish \"endpoint gone\" from \"endpoint denied this\".\n if (response.status === 410) {\n return {\n success: true,\n access: {\n allowed: false,\n accessLevel: 'none',\n reason: 'endpoint_deactivated',\n failures: [\n {\n dimension: 'endpoint.deactivated',\n message:\n typeof data?.message === 'string' ? data.message : 'Endpoint has been deactivated',\n guidance:\n typeof data?.guidance === 'string'\n ? data.guidance\n : 'Reactivate via POST /api/endpoints/{id}/reactivate, or update the URL on the calling agent.',\n },\n ],\n },\n };\n }\n\n if (!response.ok) {\n // Round-10 (#47, O5): propagate correlationId on the error path too if\n // the server happened to include one (some 5xx error envelopes carry\n // it). Lets the SDK pass it through to the adapter onDenied handler.\n return {\n success: false,\n error: data.message \|\| data.error \|\| `API returned ${response.status}`,\n correlationId: typeof data?.correlationId === 'string' ? data.correlationId : undefined,\n };\n }\n\n return data;\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n success: false,\n error: `Failed to call verify-access API: ${message}`,\n };\n }\n}\n\n/\n Main verification function\n /\nexport async function verify(\n config: GatewayConfig,\n request: VerificationRequest\n): Promise<VerificationResult> {\n const mergedConfig = { ...DEFAULT_CONFIG, ...config };\n\n // One-time init self-test — fire-and-forget, never blocks verify().\n if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {\n void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);\n }\n\n // Deprecation warning for v2.3.0 removed config fields. Fires once per process.\n if (\n !deprecationWarningShown &&\n (config.minTrustScore !== undefined \|\| config.minTrustScoreForFull !== undefined)\n ) {\n deprecationWarningShown = true;\n console.warn(\n '[VerificationGateway] minTrustScore / minTrustScoreForFull are deprecated in v2.3.0 ' +\n 'and have no effect. Server is now the single source of truth for access-level decisions ' +\n '(the SDK reads access.accessLevel from the verify-access response). To gate access ' +\n \"to an endpoint, configure the endpoint's trust_score_requirement server-side.\"\n );\n }\n\n // v2.3.0: anonymous traffic no longer short-circuits here. We forward the\n // request to the server with no agentId; the server applies the endpoint's\n // unverifiedAgentPolicy and returns advisory. createGuidanceResponse remains\n // as the offline fallback if the API itself fails (handled below).\n\n // Check cache first\n if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {\n const cached = getCachedResult(request.credentials);\n if (cached) {\n if (mergedConfig.debug) {\n console.log('[VerificationGateway] Returning cached result');\n }\n return cached;\n }\n }\n\n // Inject counterparty info from config if not already set in request\n const enrichedRequest = { ...request };\n if (!enrichedRequest.counterpartyUrl && mergedConfig.counterpartyUrl) {\n enrichedRequest.counterpartyUrl = mergedConfig.counterpartyUrl;\n }\n if (!enrichedRequest.counterpartyType && mergedConfig.counterpartyType) {\n enrichedRequest.counterpartyType = mergedConfig.counterpartyType;\n }\n\n // Call the API\n if (mergedConfig.debug) {\n console.log('[VerificationGateway] Calling verify-access API');\n }\n\n const apiResponse = await callVerifyAccessAPI(mergedConfig, enrichedRequest);\n\n // Handle API errors\n if (!apiResponse.success) {\n // Round-10 (#47, O5): distinguish API errors from missing-credentials.\n // The previous default tagged any failure with the \"register your\n // agent\" template, which is misleading to a verified partner whose\n // verify-access call hit a 500. The `api_error` source surfaces a\n // typed `verify_access.api_error` failure entry instead.\n return createGuidanceResponse(mergedConfig, apiResponse.error, {\n source: 'api_error',\n correlationId: (apiResponse as { correlationId?: string }).correlationId,\n });\n }\n\n // Check access result\n if (!apiResponse.access?.allowed) {\n // v2.9.8 (defect M1): aggregated failures across every gate that\n // denied. Surface them on the result so the integrator can see every\n // blocker in one go instead of the previous fail-fast cascade.\n const aggregatedFailures = (apiResponse.access as Record<string, unknown> \| undefined)\n ?.failures as Array<{ dimension: string; message: string; guidance?: string }> \| undefined;\n // Round-18 G4: backend denied access (PDLSS or other gate); identity status\n // depends on whether the backend resolved the caller. Read from\n // verificationContext.idVerified; default false if absent (anonymous or\n // identity-fail paths land here too). policyAllowed is false by definition\n // in this branch (apiResponse.access.allowed === false).\n const idVerifiedFromBackend =\n (apiResponse.verificationContext as { idVerified?: boolean } \| undefined)?.idVerified ===\n true;\n const result: EnhancedVerificationResult = {\n identityVerified: idVerifiedFromBackend,\n policyAllowed: false,\n // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.\n // Pre-rename this hardcoded `'guidance'`, which conflated with the\n // colocated `guidance: {...}` help-payload object below and let\n // denied requests pass any route gated at `'guidance'` because\n // `hasMinimumAccess('guidance', 'guidance') === true`. Adapters now\n // ALSO short-circuit on `!identityVerified \|\| !policyAllowed` before\n // the gate check — belt-and-braces.\n accessLevel: 'none',\n denialReasons:\n aggregatedFailures && aggregatedFailures.length > 0\n ? aggregatedFailures.map((f) => f.message)\n : apiResponse.access?.reason\n ? [apiResponse.access.reason]\n : ['Access denied'],\n failures: aggregatedFailures,\n requiresStepUp: apiResponse.access?.requiresStepUp,\n requiresApproval: apiResponse.access?.requiresApproval,\n guidance: {\n message: apiResponse.access?.reason \|\| 'Access denied by PDLSS policy',\n registrationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/docs/pdlss`,\n },\n verifiedAt: new Date(),\n // Extract sessionId so decisions can be recorded for denials too\n sessionId: (apiResponse as Record<string, unknown>).sessionId as string \| undefined,\n // v2.3.10 (defect #34, round-4): anonymous traffic has no session →\n // correlationId is the linking key for paired local_override events.\n correlationId: (apiResponse as Record<string, unknown>).correlationId as string \| undefined,\n recommendation: (apiResponse as Record<string, unknown>)\n .recommendation as EnhancedVerificationResult['recommendation'],\n recommendationReasons: (apiResponse as Record<string, unknown>).recommendationReasons as\n \| string[]\n \| undefined,\n };\n\n return result;\n }\n\n // Build successful result\n const agent: VerifiedAgent \| undefined = apiResponse.agent\n ? {\n astraId: apiResponse.agent.astraId,\n name: apiResponse.agent.name,\n trustScore: apiResponse.agent.trustScore,\n trustLevel: getTrustLevel(apiResponse.agent.trustScore),\n blockchainVerified: apiResponse.agent.blockchainStatus === 'verified',\n status: apiResponse.agent.agentStatus as VerifiedAgent['status'],\n }\n : undefined;\n\n const developer: VerifiedDeveloper \| undefined = apiResponse.developer\n ? {\n astradId: apiResponse.developer.kyaOwnerId,\n name: apiResponse.developer.fullName,\n trustScore: apiResponse.developer.trustScore \|\| 0,\n verified: apiResponse.developer.identityVerified,\n }\n : undefined;\n\n const organization: VerifiedOrganization \| undefined = apiResponse.organization\n ? {\n name: apiResponse.organization.name,\n verified: apiResponse.organization.verified,\n trustScore: apiResponse.organization.trustScore,\n }\n : undefined;\n\n // Verification context — structured \"why\" the merchant gets in v2.2.4+.\n // Carries appliedPolicy (no UUIDs), pdlssCheck summary, dynamic trust score,\n // and policy-driven attestations. Replaces the old over-sharing `pdlss` block.\n const verificationContext = apiResponse.verificationContext;\n\n // Server is the single source of truth for access level. SDK reads\n // apiResponse.access.accessLevel verbatim — no client-side trust-score remap.\n // Fallback to 'standard' if the server response is missing the field (older\n // backend without the v2.3.0 contract); it covers the verified-access case.\n const accessLevel: AccessLevel = apiResponse.access?.accessLevel ?? 'standard';\n\n const result: EnhancedVerificationResult = {\n // Round-18 G4: backend allowed access. Identity is verified (we resolved\n // the caller to an agent) and policy passed all gates. Read idVerified\n // from verificationContext for symmetry with the deny branch; default true\n // on success path since `access.allowed === true` implies identity was\n // resolvable (anonymous-allow paths flow through createGuidanceResponse).\n identityVerified:\n (apiResponse.verificationContext as { idVerified?: boolean } \| undefined)?.idVerified !==\n false,\n policyAllowed: true,\n accessLevel,\n agent,\n developer,\n organization,\n appliedPolicy: apiResponse.access?.appliedPolicy,\n verificationContext,\n requiresStepUp: apiResponse.access?.requiresStepUp,\n requiresApproval: apiResponse.access?.requiresApproval,\n verifiedAt: new Date(),\n cacheTtl: mergedConfig.cacheTtl,\n // Handshake Protocol v10 enhanced fields (present when backend returns them)\n sessionId: (apiResponse as Record<string, unknown>).sessionId as string \| undefined,\n // v2.3.10 (defect #34, round-4): anonymous responses surface correlationId\n // (no session row exists for unverified callers).\n correlationId: (apiResponse as Record<string, unknown>).correlationId as string \| undefined,\n runtimeChallenge: (apiResponse as Record<string, unknown>).runtimeChallenge as\n \| RuntimeChallengeResult\n \| undefined,\n tokenGuidance: (apiResponse as Record<string, unknown>).tokenGuidance as\n \| TokenGuidance\n \| undefined,\n recommendation: (apiResponse as Record<string, unknown>)\n .recommendation as EnhancedVerificationResult['recommendation'],\n recommendationReasons: (apiResponse as Record<string, unknown>).recommendationReasons as\n \| string[]\n \| undefined,\n warningHeader: (apiResponse as Record<string, unknown>).warningHeader as\n \| { name: string; value: string }\n \| undefined,\n };\n\n // Enforce AstraSync recommendation\n if (result.recommendation === 'deny') {\n // Round-18 G4: recommendation-driven deny lands on the success-path\n // construction (identity was resolved). Flip policy only — identity stays\n // verified — so adapters return 403 (re-auth won't help; the policy\n // decision is the blocker).\n result.policyAllowed = false;\n result.accessLevel = 'none';\n result.denialReasons = result.recommendationReasons \|\| [\n 'Access denied by AstraSync recommendation',\n ];\n if (result.runtimeChallenge) {\n result.guidance = {\n message: `Verification failed: ${result.runtimeChallenge.reason \|\| 'runtime challenge failed'}`,\n registrationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/docs/runtime-challenge`,\n };\n }\n } else if (result.recommendation === 'step_up_required') {\n result.requiresStepUp = true;\n if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY['read-only']) {\n result.accessLevel = 'read-only';\n }\n result.denialReasons = result.recommendationReasons \|\| ['Step-up verification required'];\n }\n\n // Cache the result (skip caching denials — agent may fix challenge endpoint and retry)\n if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0 && result.recommendation !== 'deny') {\n cacheResult(request.credentials, result, mergedConfig.cacheTtl);\n }\n\n return result;\n}\n\n/\n Record a counterparty's grant/deny decision for a verification session.\n * Fire-and-forget — errors are silently swallowed.\n /\n/\n v2.3.9 (defect #34): optional override metadata. Set when the SDK's\n * local enforcement (toolGate / methodGate / trustScore floor) rejected\n * a request the SERVER had granted. Backend emits a distinct\n * `verification.local_override` event so the activity feed surfaces the\n * divergence as a separate row.\n /\nexport interface DecisionOverride {\n overriddenBy: 'toolGate' \| 'methodGate' \| 'trustScore' \| 'other';\n toolName?: string;\n requestedLevel?: AccessLevel;\n grantedLevel?: AccessLevel;\n}\n\nexport async function recordDecision(\n config: GatewayConfig,\n sessionId: string,\n decision: 'granted' \| 'denied',\n reason?: string,\n override?: DecisionOverride\n): Promise<void> {\n const headers: Record<string, string> = { 'Content-Type': 'application/json' };\n if (config.apiKey) {\n headers['Authorization'] = `Bearer ${config.apiKey}`;\n headers['X-API-Key'] = config.apiKey;\n }\n\n await fetch(`${config.apiBaseUrl}/agents/verify-access/${sessionId}/decision`, {\n method: 'POST',\n headers,\n body: JSON.stringify({\n decision,\n reason,\n ...(override && {\n overriddenBy: override.overriddenBy,\n toolName: override.toolName,\n requestedLevel: override.requestedLevel,\n grantedLevel: override.grantedLevel,\n }),\n }),\n }).catch(() => {\n / fire-and-forget /\n });\n}\n\n/\n v2.3.10 (defect #34, round-4): record a SDK-side local override for an\n * anonymous verify-access response. Anonymous traffic has no session row, so\n * `recordDecision` (above) doesn't apply — but we still need to surface the\n * dashboard-vs-runtime divergence (e.g. server granted with audit warning\n * but local toolGate floor denied) on the activity feed.\n \n Backend ties the resulting `verification.local_override` event back to the\n * original `verification.unverified_audit` event via `correlationId`. The\n * endpoint is sessionless — see the docstring on the backend route for the\n * abuse-mitigation rationale (rate-limited per IP).\n \n Fire-and-forget — errors are silently swallowed.\n /\nexport async function recordAnonymousLocalOverride(\n config: GatewayConfig,\n correlationId: string,\n override: DecisionOverride,\n reason?: string\n): Promise<void> {\n const headers: Record<string, string> = { 'Content-Type': 'application/json' };\n if (config.apiKey) {\n headers['Authorization'] = `Bearer ${config.apiKey}`;\n headers['X-API-Key'] = config.apiKey;\n }\n\n await fetch(`${config.apiBaseUrl}/agents/verify-access/local-override`, {\n method: 'POST',\n headers,\n body: JSON.stringify({\n correlationId,\n reason,\n overriddenBy: override.overriddenBy,\n toolName: override.toolName,\n requestedLevel: override.requestedLevel,\n grantedLevel: override.grantedLevel,\n }),\n }).catch(() => {\n / fire-and-forget /\n });\n}\n\n/\n Fetch the per-route policy for an endpoint from the AstraSync backend.\n * v2.9.7 moved policy authority into the dashboard — the SDK no longer\n * accepts `routes` from merchant-side source code, it fetches them from\n * here on init (and refreshes periodically).\n \n Returns `null` when the request fails for any reason — the caller decides\n * how to fall back (the middleware allows-all when no policy is loaded so\n * a misconfigured init doesn't take down the merchant's API).\n /\nexport async function fetchRoutes(\n config: GatewayConfig,\n counterpartyId: string\n): Promise<RouteAccessConfigShape[] \| null> {\n if (!counterpartyId) return null;\n const headers: Record<string, string> = { 'Content-Type': 'application/json' };\n if (config.apiKey) {\n headers['Authorization'] = `Bearer ${config.apiKey}`;\n headers['X-API-Key'] = config.apiKey;\n }\n try {\n const response = await fetch(\n `${config.apiBaseUrl}/endpoints/${encodeURIComponent(counterpartyId)}/routes`,\n { method: 'GET', headers }\n );\n if (!response.ok) return null;\n const body = (await response.json()) as { data?: { routes?: RouteAccessConfigShape[] } };\n return body.data?.routes ?? [];\n } catch {\n return null;\n }\n}\n\n/\n Minimal shape of an EndpointRoute as the SDK consumes it. Mirrors the\n * server's `EndpointRoute` type and the SDK's `RouteAccessConfig` — same\n * JSON moves between server and SDK unchanged.\n /\nexport interface RouteAccessConfigShape {\n pattern: string;\n method: string;\n minAccessLevel: 'none' \| 'restricted' \| 'read-only' \| 'standard' \| 'full' \| 'internal';\n minTrustScore?: number;\n requiredPurposes?: string[];\n allowedPurposes?: string[];\n allowedJurisdictions?: string[];\n maxDuration?: number;\n maxTransactionValue?: number;\n}\n\n/\n Verify an agent AND automatically record the grant/deny decision.\n \n This is the recommended entry point for counterparties that call verify()\n * directly (e.g. MCP servers) rather than using createMiddleware().\n * It adds createSession: true, then fire-and-forgets the decision.\n /\nexport async function verifyAndRecord(\n config: GatewayConfig,\n request: VerificationRequest\n): Promise<VerificationResult> {\n const mergedConfig = { ...DEFAULT_CONFIG, ...config };\n const result = await verify(mergedConfig, { ...request, createSession: true });\n const sessionId = (result as EnhancedVerificationResult).sessionId;\n\n if (sessionId) {\n // Round-18 G4: a session is \"granted\" only if identity verified AND\n // policy allowed; either failing is a deny.\n if (result.identityVerified && result.policyAllowed) {\n recordDecision(mergedConfig, sessionId, 'granted').catch(() => {});\n } else {\n recordDecision(mergedConfig, sessionId, 'denied', result.denialReasons?.[0]).catch(() => {});\n }\n }\n\n return result;\n}\n\n/\n Report an unregistered agent attempt (no AstraSync credentials).\n * Called by SDK adapters when an agent is redirected to /docs/agent-access.\n * Fire-and-forget — errors are silently swallowed.\n /\nexport async function reportUnregisteredAttempt(\n config: GatewayConfig,\n data: {\n counterpartyUrl: string;\n counterpartyType?: string;\n sourceIp?: string;\n userAgent?: string;\n requestPath?: string;\n requestMethod?: string;\n }\n): Promise<void> {\n const apiBaseUrl = config.apiBaseUrl \|\| DEFAULT_CONFIG.apiBaseUrl!;\n\n await fetch(`${apiBaseUrl}/verification-activity/unregistered-attempt`, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify(data),\n }).catch(() => {\n / fire-and-forget /\n });\n}\n\n/\n Report a counterparty-side PDLSS pre-check failure.\n * Called by SDK adapters when the agent's requested PDLSS exceeds\n * counterparty-defined maximums BEFORE calling verify-access.\n * Fire-and-forget — errors are silently swallowed.\n /\nexport async function reportCounterpartyPreCheckFailure(\n config: GatewayConfig,\n data: {\n agentId: string;\n counterpartyUrl: string;\n counterpartyType?: string;\n failures: Array<{\n field: string;\n requested: string \| number;\n limit: string \| number \| string[];\n message: string;\n }>;\n requestPath?: string;\n requestMethod?: string;\n }\n): Promise<void> {\n const apiBaseUrl = config.apiBaseUrl \|\| DEFAULT_CONFIG.apiBaseUrl!;\n\n await fetch(`${apiBaseUrl}/verification-activity/counterparty-pre-check-failure`, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify(data),\n }).catch(() => {\n / fire-and-forget /\n });\n}\n\n/\n Quick verification — checks credentials and policy in one call.\n \n Round-18 G4: return shape mirrors `VerificationResult`'s split — partners\n * writing custom handlers around `quickVerify` get the same identity/policy\n * distinction as those calling `verify()` directly. Map to HTTP status the\n * same way: `!identityVerified` → 401; `identityVerified && !policyAllowed`\n * → 403.\n /\nexport async function quickVerify(\n config: GatewayConfig,\n credentials: AgentCredentials\n): Promise<{\n identityVerified: boolean;\n policyAllowed: boolean;\n accessLevel: AccessLevel;\n reason?: string;\n}> {\n const result = await verify(config, {\n credentials,\n purpose: 'verification',\n });\n\n return {\n identityVerified: result.identityVerified,\n policyAllowed: result.policyAllowed,\n accessLevel: result.accessLevel,\n reason: result.denialReasons?.[0],\n };\n}\n","/\n AstraSync Universal Verification Gateway - Express Middleware\n \n Express.js middleware for verifying AI agents on API endpoints.\n \n @example\n * ```typescript\n * import express from 'express';\n * import { createMiddleware } from '@astrasyncai/verification-gateway/express';\n \n const app = express();\n \n app.use(createMiddleware({\n * apiBaseUrl: 'https://astrasync.ai/api',\n * routes: [\n * { pattern: '/api/public/', method: '', minAccessLevel: 'none' },\n * { pattern: '/api/data/', method: 'GET', minAccessLevel: 'read-only' },\n { pattern: '/api/data/', method: '', minAccessLevel: 'standard' },\n * { pattern: '/api/admin/', method: '', minAccessLevel: 'internal' },\n * ],\n * }));\n * ```\n /\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport type {\n ExpressMiddlewareOptions,\n AgentCredentials,\n VerificationResult,\n EnhancedVerificationResult,\n RouteAccessConfig,\n AstraSyncCredentials,\n} from '../types';\nimport {\n verify,\n extractCredentials,\n recordDecision,\n reportCounterpartyPreCheckFailure,\n fetchRoutes,\n} from '../verify';\nimport { hasMinimumAccess } from '../access-levels';\nimport { extractHttpCredentials } from '../transport/http';\nimport { performCounterpartyPreCheck } from '../pdlss-pre-check';\n\n/\n Extend Express Request with verification result\n /\ndeclare global {\n // eslint-disable-next-line @typescript-eslint/no-namespace\n namespace Express {\n interface Request {\n agentVerification?: VerificationResult;\n }\n }\n}\n\n/\n Default credential extractor\n /\nfunction defaultExtractCredentials(req: Request): AgentCredentials {\n return extractCredentials(\n req.headers as Record<string, string \| string[] \| undefined>,\n req.query as Record<string, string \| undefined>\n );\n}\n\n/\n Extract extended AstraSync credentials (X-Astra-* headers) from Express request.\n * Returns null if no AstraSync headers are present.\n /\nexport function extractAstraSyncCredentials(req: Request): AstraSyncCredentials \| null {\n return extractHttpCredentials(req.headers as Record<string, string \| string[] \| undefined>);\n}\n\n/\n Default purpose extractor.\n \n Priority:\n * 1. Agent's declared PDLSS purpose from X-Astra-Purpose header (e.g. \"read_data:search\")\n * 2. Explicit x-purpose header\n * 3. Query parameter ?purpose=\n * 4. HTTP method → PDLSS category fallback\n /\nfunction defaultExtractPurpose(req: Request): string \| undefined {\n // 1. Check agent's declared PDLSS purpose (X-Astra-Purpose header)\n const astraPurpose = req.headers['x-astra-purpose'];\n if (astraPurpose) {\n const value = Array.isArray(astraPurpose) ? astraPurpose[0] : astraPurpose;\n // Extract category from \"category:action\" format — the verify API expects the category\n const category = value.split(':')[0];\n return category;\n }\n\n // 2. Try explicit purpose header\n const purposeHeader = req.headers['x-purpose'] \|\| req.headers['X-Purpose'];\n if (purposeHeader) {\n return Array.isArray(purposeHeader) ? purposeHeader[0] : purposeHeader;\n }\n\n // 3. Try query parameter\n if (req.query.purpose && typeof req.query.purpose === 'string') {\n return req.query.purpose;\n }\n\n // 4. Infer from HTTP method using PDLSS-compatible categories\n switch (req.method) {\n case 'GET':\n return 'read_data';\n case 'POST':\n return 'write_data';\n case 'PUT':\n case 'PATCH':\n return 'write_data';\n case 'DELETE':\n return 'delete_data';\n default:\n return 'general';\n }\n}\n\n/\n Match a route pattern against a path\n /\nfunction matchRoute(pattern: string, path: string): boolean {\n // Convert pattern to regex\n const regexPattern = pattern.replace(/\\/g, '.').replace(/\\//g, '\\\\/');\n\n const regex = new RegExp(`^${regexPattern}$`);\n return regex.test(path);\n}\n\n/\n Find the route configuration for a request\n /\nfunction findRouteConfig(\n routes: RouteAccessConfig[],\n path: string,\n method: string\n): RouteAccessConfig \| undefined {\n return routes.find((route) => {\n const methodMatches =\n route.method === '' \|\| route.method.toUpperCase() === method.toUpperCase();\n const pathMatches = matchRoute(route.pattern, path);\n return methodMatches && pathMatches;\n });\n}\n\n/*\n Default denied handler\n \n Round-10 (#47, O5): the response body now carries the full `failures[]`\n * array and the `correlationId` so partners can render per-dimension UX\n * and tie a denial back to a server log line. Previously the merchant only\n * got the first denialReason — meaningful detail was thrown away before\n * the response left the SDK. Also stamps `X-Astra-Gateway-Mode: enforced`\n * so partners can tell a gate-evaluated denial apart from a gate-skipped\n * pass-through (#49/O10 — the `unenforced` complement).\n /\nfunction defaultOnDenied(result: VerificationResult, _req: Request, res: Response): void {\n // Round-18 G4: identity-verification failures → 401 (re-authenticate);\n // identity-verified-but-policy-denied → 403 (re-auth won't help; update\n // PDLSS scope or escalate to step-up). Maps to the two distinct recovery\n // actions that HTTP middleware acts on without parsing bodies. The\n // impossible state `!identityVerified && policyAllowed` falls into the\n // `!identityVerified` branch — identity is the more-fundamental missing\n // precondition.\n const statusCode = !result.identityVerified ? 401 : 403;\n\n res.setHeader('X-Astra-Gateway-Mode', 'enforced');\n\n res.status(statusCode).json({\n success: false,\n error: {\n code: !result.identityVerified ? 'UNAUTHORIZED' : 'INSUFFICIENT_ACCESS',\n message: result.denialReasons?.[0] \|\| 'Access denied',\n accessLevel: result.accessLevel,\n guidance: result.guidance,\n // Round-10: aggregated per-dimension detail + correlation handle.\n failures: result.failures,\n correlationId: result.correlationId,\n },\n });\n}\n\n/\n Refresh interval for the remote-fetched route policy. Default: every 5\n * minutes. Override via `routesRefreshMs` on the middleware options. Each\n * middleware instance keeps its own cache; multiple instances pointing at the\n * same endpoint will each fetch independently.\n /\nconst DEFAULT_ROUTES_REFRESH_MS = 5 60 * 1000;\n\n/*\n Create Express middleware for agent verification.\n \n v2.9.7 moved per-route policy authority out of merchant-side source code\n * into the AstraSync dashboard. `createMiddleware` no longer accepts a\n * `routes` array — it fetches the endpoint's stored policy via\n * `GET /endpoints/:counterpartyId/routes` on init and refreshes\n * periodically. Policy edits in the dashboard take effect on the next\n * refresh (or sooner if the operator manually restarts the SDK).\n \n `counterpartyId` is required: the SDK can't know which endpoint's policy\n * to fetch without it. Local-development workflows that don't have an\n * AstraSync endpoint registered can omit it — the middleware logs a\n * one-time warning and falls through (allows all) until a policy is\n * fetchable.\n /\nexport function createMiddleware(options: ExpressMiddlewareOptions): RequestHandler {\n const {\n extractCredentials: customExtractCredentials,\n extractPurpose: customExtractPurpose,\n skipPaths = [],\n onDenied = defaultOnDenied,\n recordDecisions,\n enableRuntimeChallenge = true,\n routesRefreshMs = DEFAULT_ROUTES_REFRESH_MS,\n ...config\n } = options;\n\n // Per-middleware-instance route cache. Populated on first fetch; refreshed\n // every `routesRefreshMs`. Until first successful fetch we hold an empty\n // array which means \"no per-route gating active\" — the middleware falls\n // through. Pre-fix the array came from merchant source, which both broke\n // the auth-boundary story (defect 24) and silently disagreed with the\n // dashboard.\n let cachedRoutes: RouteAccessConfig[] = [];\n let lastFetchAt = 0;\n let refreshing: Promise<void> \| null = null;\n let warnedNoCounterparty = false;\n let warnedEmptyRoutes = false;\n\n async function refreshRoutes(): Promise<void> {\n if (!config.counterpartyId) {\n if (!warnedNoCounterparty) {\n // eslint-disable-next-line no-console\n console.warn(\n '[VerificationGateway] No counterpartyId configured — falling through (allow all). ' +\n 'Per-route policy lives in the AstraSync dashboard now; register the endpoint and ' +\n 'set counterpartyId in your middleware config to enforce policy.'\n );\n warnedNoCounterparty = true;\n }\n return;\n }\n const fetched = await fetchRoutes(config, config.counterpartyId);\n if (fetched) {\n cachedRoutes = fetched;\n lastFetchAt = Date.now();\n // v2.3.8 (defect #25): if the fetch succeeded but returned an empty\n // policy, the endpoint is registered correctly but the operator hasn't\n // configured any routes yet — every request will fall through ungated.\n // Surface this loudly once so silent pass-through can't go unnoticed.\n if (cachedRoutes.length === 0 && !warnedEmptyRoutes) {\n const dashboard = config.dashboardUrl ?? 'https://app.astrasync.ai';\n // eslint-disable-next-line no-console\n console.warn(\n `[VerificationGateway] No route policy configured for ${config.counterpartyId}. ` +\n `Gateway is in pass-through mode for ALL traffic until you add at least one route. ` +\n `Configure at ${dashboard}/dashboard/endpoints/${config.counterpartyId}/routes`\n );\n warnedEmptyRoutes = true;\n }\n }\n }\n\n // Eager first fetch so the first request after init has policy loaded.\n // Errors are swallowed (handled by fetchRoutes returning null).\n refreshing = refreshRoutes().finally(() => {\n refreshing = null;\n });\n\n return async (req: Request, res: Response, next: NextFunction): Promise<void> => {\n try {\n // Check if path should be skipped\n const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, req.path));\n if (shouldSkip) {\n return next();\n }\n\n // Wait for in-flight init fetch (only on the very first request) so we\n // don't admit traffic with no policy loaded.\n if (refreshing) {\n await refreshing.catch(() => {});\n }\n // Time-based refresh: kick off a background refresh if the cache is\n // stale. Doesn't block the current request — readers see whatever is\n // cached at this moment; the next request will see the refreshed copy.\n if (config.counterpartyId && Date.now() - lastFetchAt > routesRefreshMs) {\n refreshing = refreshRoutes().finally(() => {\n refreshing = null;\n });\n }\n\n // Find route configuration\n const routeConfig = findRouteConfig(cachedRoutes, req.path, req.method);\n\n // If no route config, skip verification (allow through)\n if (!routeConfig) {\n if (config.setPassThroughHeader) {\n // Round-10 (#49, O10): `unenforced` replaces the previous\n // `pass-through` label. The previous name conflated \"gateway\n // didn't evaluate policy\" with \"request succeeded end-to-end\" —\n // the downstream handler may still return any status. The new\n // semantic describes the GATE state only.\n res.setHeader('X-Astra-Gateway-Mode', 'unenforced');\n res.setHeader(\n 'X-Astra-Gateway-Reason',\n cachedRoutes.length === 0 ? 'no-policy' : 'no-match'\n );\n }\n return next();\n }\n\n // Extract credentials (hoisted from below the route-none check so the\n // round-12 F9 evaluateAlwaysIfCredentialed flag can decide whether to\n // evaluate vs short-circuit).\n const credentials = customExtractCredentials\n ? customExtractCredentials(req)\n : defaultExtractCredentials(req);\n\n // Round-12 (F9): route-none short-circuit unless the caller wants\n // evaluation-without-enforcement. With evaluateAlwaysIfCredentialed\n // set to true AND credentials present, the middleware calls\n // verify-access for audit + req.agentVerification population, then\n // proceeds without gating. Default behaviour (flag off) preserves\n // pre-F9 short-circuit semantics.\n const shouldEnforce = routeConfig.minAccessLevel !== 'none';\n if (\n routeConfig.minAccessLevel === 'none' &&\n (!config.evaluateAlwaysIfCredentialed \|\| !credentials.astraId)\n ) {\n if (config.setPassThroughHeader) {\n res.setHeader('X-Astra-Gateway-Mode', 'unenforced');\n res.setHeader('X-Astra-Gateway-Reason', 'route-none');\n }\n return next();\n }\n\n // v2.3.0: anonymous traffic no longer short-circuits client-side.\n // The server applies the endpoint's `unverifiedAgentPolicy` (deny /\n // allow_partial / allow_full) and emits the verification event +\n // blockchain record per the canonical flow. SDK forwards verbatim.\n\n // Extract purpose\n const purpose = customExtractPurpose ? customExtractPurpose(req) : defaultExtractPurpose(req);\n\n // Extract full AstraSync credentials (includes PDLSS from X-Astra- headers)\n const astraCreds = extractAstraSyncCredentials(req);\n\n // Auto-detect counterparty URL from the request if not explicitly configured.\n // Since the SDK is installed at this endpoint, we always know the origin.\n const counterpartyUrl = config.counterpartyUrl \|\| `${req.protocol}://${req.get('host')}`;\n\n // Step 2: Counterparty-side PDLSS pre-check — compare agent's requested PDLSS\n // against counterparty-defined maximums on the route config.\n // Rejects immediately if outside limits, BEFORE calling verify-access.\n const preCheckFailures = performCounterpartyPreCheck(routeConfig, astraCreds, purpose);\n if (preCheckFailures.length > 0) {\n // Round-18 G4: counterparty pre-check failure — request rejected\n // before reaching verify-access. Neither identity nor policy was\n // remotely verified; both axes truthfully false.\n const result: VerificationResult = {\n identityVerified: false,\n policyAllowed: false,\n accessLevel: 'none',\n denialReasons: preCheckFailures.map((f) => f.message),\n guidance: {\n message: 'Request exceeds counterparty-defined PDLSS limits.',\n registrationUrl: `${config.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl?.replace('/api', '')}/docs/pdlss`,\n },\n verifiedAt: new Date(),\n };\n\n req.agentVerification = result;\n\n // Fire-and-forget: notify AstraSync of the pre-check failure\n reportCounterpartyPreCheckFailure(config, {\n agentId: astraCreds?.agentId \|\| credentials.astraId \|\| 'unknown',\n counterpartyUrl,\n counterpartyType: config.counterpartyType \|\| 'api',\n failures: preCheckFailures,\n requestPath: req.path,\n requestMethod: req.method,\n }).catch(() => {});\n\n onDenied(result, req, res);\n return;\n }\n\n // Step 3: Call AstraSync verify-access with runtime challenge enabled\n const shouldRecordDecisions = recordDecisions !== false;\n const forwardedFor = req.headers['x-forwarded-for'];\n const forwardedForStr = Array.isArray(forwardedFor) ? forwardedFor.join(', ') : forwardedFor;\n // X-Forwarded-For's first entry is the original client. Fall back to req.ip\n // (which Express already resolves via trust proxy settings when configured).\n const originalClientIp = forwardedForStr ? forwardedForStr.split(',')[0].trim() : req.ip;\n const agentCardUrl =\n typeof req.headers['x-astrasync-agent-card'] === 'string'\n ? (req.headers['x-astrasync-agent-card'] as string)\n : undefined;\n\n const result = await verify(config, {\n credentials,\n purpose,\n action: req.method.toLowerCase(),\n resource: req.path,\n createSession: shouldRecordDecisions,\n counterpartyUrl,\n counterpartyType: config.counterpartyType \|\| 'api',\n enableRuntimeChallenge,\n durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration,\n callerMetadata: {\n sourceIp: originalClientIp,\n userAgent: req.headers['user-agent'] as string \| undefined,\n referer: req.headers.referer as string \| undefined,\n host: req.headers.host as string \| undefined,\n forwardedFor: forwardedForStr,\n agentCardUrl,\n },\n });\n\n // Attach result to request\n req.agentVerification = result;\n const sessionId = (result as EnhancedVerificationResult).sessionId;\n\n // v2.3.9 (defect #30): denied verifications short-circuit BEFORE the\n // gate-level comparison. Pre-rename, denials returned\n // `accessLevel: 'guidance'` and routes gated at `'guidance'` passed\n // `hasMinimumAccess('guidance', 'guidance') === true` — letting\n // unverified anonymous traffic through to the merchant handler. The\n // verify.ts denial branches now return `'none'` (so the gate check\n // alone would correctly deny), but trusting access-level math for a\n // denial is a category error: failing either identity OR policy already\n // means \"deny.\" We check that first.\n // Round-18 G4: short-circuit on either axis failing — identity-fail\n // (no resolved caller) or policy-fail (PDLSS or recommendation deny).\n if (!result.identityVerified \|\| !result.policyAllowed) {\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'denied', result.denialReasons?.[0]).catch(() => {});\n }\n onDenied(result, req, res);\n return;\n }\n\n // Round-12 (F9): evaluation-without-enforcement. When the route is\n // 'none' but we ran verify-access for audit, skip the gates and call\n // next() — the result is on req.agentVerification for the handler\n // to render tier-aware responses (e.g. anonymous vs verified\n // catalog view on the same path).\n if (!shouldEnforce) {\n if (config.setPassThroughHeader) {\n res.setHeader('X-Astra-Gateway-Mode', 'enforced');\n res.setHeader('X-Astra-Gateway-Reason', 'evaluated-not-enforced');\n }\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'granted').catch(() => {});\n }\n return next();\n }\n\n // Check if access level is sufficient (verified caller path only —\n // denials handled above)\n if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {\n // Round-12 (F12): synthesise the structured failure entry so the\n // partner-facing response carries the same shape as every other\n // denial dimension. Guidance positions step-up only — increasing\n // trust score or lowering the route floor both read as gaming the\n // gate. Step-up flow ships separately this month.\n const insufficientFailure = {\n dimension: 'access_level.insufficient',\n message: `Endpoint requires accessLevel '${routeConfig.minAccessLevel}'; agent has '${result.accessLevel}'.`,\n guidance:\n \"Request elevated access via step-up verification (coming soon — ships this month). Step-up lets the agent owner approve a one-time elevation for this specific counterparty + purpose without changing the agent's baseline trust score.\",\n };\n result.failures = [...(result.failures ?? []), insufficientFailure];\n result.denialReasons = [...(result.denialReasons ?? []), insufficientFailure.message];\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'denied', insufficientFailure.message).catch(() => {});\n }\n onDenied(result, req, res);\n return;\n }\n\n // Check trust score requirement if specified\n if (routeConfig.minTrustScore && result.agent) {\n if (result.agent.trustScore < routeConfig.minTrustScore) {\n // Round-12 (F12): structured failure entry + step-up framing.\n const trustFailure = {\n dimension: 'access_level.insufficient',\n message: `Trust score ${result.agent.trustScore} is below required ${routeConfig.minTrustScore} for this route.`,\n guidance:\n \"Request elevated access via step-up verification (coming soon — ships this month). Step-up lets the agent owner approve a one-time elevation for this specific counterparty + purpose without changing the agent's baseline trust score.\",\n };\n result.failures = [...(result.failures ?? []), trustFailure];\n result.denialReasons = [trustFailure.message];\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'denied', trustFailure.message).catch(() => {});\n }\n onDenied(result, req, res);\n return;\n }\n }\n\n // All checks passed — record grant decision\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'granted').catch(() => {});\n }\n // v2.3.8 (defect #26): if the endpoint's `unverifiedAgentPolicy` is\n // `'audit'` (allow + soft-launch warning), the server returns the\n // header to relay. Lift it onto the merchant's response BEFORE\n // calling next() so downstream handlers and the eventual response\n // back to the agent both carry it.\n const enhancedResult = result as EnhancedVerificationResult;\n if (enhancedResult.warningHeader) {\n res.setHeader(enhancedResult.warningHeader.name, enhancedResult.warningHeader.value);\n }\n next();\n } catch (error) {\n // Log error and continue (fail open by default)\n console.error('[VerificationGateway] Middleware error:', error);\n next();\n }\n };\n}\n\n// `requireAccess` and `verifyOnly` were removed in v2.9.7. Both injected a\n// local `routes` array into the merchant's source code, which is the exact\n// dual-config attack vector defect 24 closed. Per-route policy now lives in\n// the AstraSync dashboard (gated by team.role admin auth + audit + alerts).\n// To enforce a minimum tier, set the route's `minAccessLevel` in the\n// dashboard. For \"verify but don't block,\" set every route to `none` there.\n","/*\n AstraSync Universal Verification Gateway - Next.js Middleware\n \n Next.js middleware for verifying AI agents on web applications.\n * Supports Commerce Shield overlay for unverified agents.\n \n @example\n * ```typescript\n * // middleware.ts\n * import { createMiddleware } from '@astrasyncai/verification-gateway/nextjs';\n \n export const middleware = createMiddleware({\n * apiBaseUrl: 'https://api.astrasync.ai',\n * showCommerceShield: true,\n * routes: [\n * { pattern: '/api/public/', method: '', minAccessLevel: 'none' },\n * { pattern: '/api/', method: '', minAccessLevel: 'standard' },\n * { pattern: '/dashboard/', method: '', minAccessLevel: 'read-only' },\n * ],\n * });\n \n export const config = {\n * matcher: ['/api/:path', '/dashboard/:path'],\n * };\n * ```\n /\n\nimport type { NextRequest } from 'next/server';\nimport type {\n NextJsMiddlewareOptions,\n AgentCredentials,\n VerificationResult,\n RouteAccessConfig,\n AstraSyncCredentials,\n} from '../types';\nimport { verify, reportCounterpartyPreCheckFailure, fetchRoutes } from '../verify';\nimport { hasMinimumAccess } from '../access-levels';\nimport { extractHttpCredentials } from '../transport/http';\nimport { performCounterpartyPreCheck } from '../pdlss-pre-check';\n\n/\n Extract credentials from Next.js request\n /\nfunction extractCredentialsFromNextRequest(request: NextRequest): AgentCredentials {\n const credentials: AgentCredentials = {};\n\n // Check for ASTRA-ID in headers\n const astraId = request.headers.get('x-astra-id') \|\| request.headers.get('X-Astra-Id');\n if (astraId) {\n credentials.astraId = astraId;\n }\n\n // Check for API key\n const apiKey = request.headers.get('x-api-key') \|\| request.headers.get('X-Api-Key');\n if (apiKey) {\n credentials.apiKey = apiKey;\n }\n\n // Check Authorization header\n const authHeader = request.headers.get('authorization');\n if (authHeader) {\n credentials.authorizationHeader = authHeader;\n if (authHeader.startsWith('Bearer ')) {\n credentials.jwt = authHeader.slice(7);\n }\n }\n\n // Check query parameters\n const url = new URL(request.url);\n const astraIdParam = url.searchParams.get('astraId');\n const apiKeyParam = url.searchParams.get('apiKey');\n\n if (astraIdParam && !credentials.astraId) {\n credentials.astraId = astraIdParam;\n }\n if (apiKeyParam && !credentials.apiKey) {\n credentials.apiKey = apiKeyParam;\n }\n\n return credentials;\n}\n\n/\n Match a route pattern against a path\n /\nfunction matchRoute(pattern: string, path: string): boolean {\n const regexPattern = pattern.replace(/\\/g, '.').replace(/\\//g, '\\\\/');\n\n const regex = new RegExp(`^${regexPattern}$`);\n return regex.test(path);\n}\n\n/\n Find the route configuration for a request\n /\nfunction findRouteConfig(\n routes: RouteAccessConfig[],\n path: string,\n method: string\n): RouteAccessConfig \| undefined {\n return routes.find((route) => {\n const methodMatches =\n route.method === '' \|\| route.method.toUpperCase() === method.toUpperCase();\n const pathMatches = matchRoute(route.pattern, path);\n return methodMatches && pathMatches;\n });\n}\n\n/*\n Extract AstraSyncCredentials from Next.js request headers.\n * Returns null if no AstraSync headers are present.\n /\nfunction extractAstraSyncCredentialsFromNextRequest(\n request: NextRequest\n): AstraSyncCredentials \| null {\n const headers: Record<string, string> = {};\n request.headers.forEach((value, key) => {\n headers[key] = value;\n });\n return extractHttpCredentials(headers);\n}\n\n/\n Extract purpose from request.\n \n Priority:\n * 1. Agent's declared PDLSS purpose from X-Astra-Purpose header (e.g. \"read_data:search\")\n * 2. Explicit x-purpose header\n * 3. HTTP method → PDLSS category fallback\n /\nfunction extractPurpose(request: NextRequest): string {\n // 1. Check agent's declared PDLSS purpose (X-Astra-Purpose header)\n const astraPurpose = request.headers.get('x-astra-purpose');\n if (astraPurpose) {\n // Extract category from \"category:action\" format\n return astraPurpose.split(':')[0];\n }\n\n // 2. Try explicit purpose header\n const purposeHeader = request.headers.get('x-purpose');\n if (purposeHeader) {\n return purposeHeader;\n }\n\n // 3. Infer from HTTP method using PDLSS-compatible categories\n switch (request.method.toUpperCase()) {\n case 'GET':\n return 'read_data';\n case 'POST':\n return 'write_data';\n case 'PUT':\n case 'PATCH':\n return 'write_data';\n case 'DELETE':\n return 'delete_data';\n default:\n return 'general';\n }\n}\n\n/\n Generate Commerce Shield HTML response\n /\nfunction generateCommerceShieldHtml(\n result: VerificationResult,\n options: NextJsMiddlewareOptions\n): string {\n const title = options.commerceShield?.title \|\| 'AstraSync Agent Verification';\n const message =\n options.commerceShield?.message \|\|\n result.guidance?.message \|\|\n \"This site verifies AI agents before granting access. We noticed you're visiting without AstraSync credentials.\";\n const registrationUrl = result.guidance?.registrationUrl \|\| 'https://astrasync.ai/register';\n const docsUrl = result.guidance?.documentationUrl \|\| 'https://astrasync.ai/docs/agent-access';\n const allowGuest = options.commerceShield?.allowGuestAccess ?? true;\n\n return `\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n <title>${title}</title>\n <style>\n {\n box-sizing: border-box;\n margin: 0;\n padding: 0;\n }\n body {\n font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;\n background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);\n min-height: 100vh;\n display: flex;\n align-items: center;\n justify-content: center;\n padding: 20px;\n }\n .shield-container {\n background: rgba(255, 255, 255, 0.95);\n border-radius: 16px;\n box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.5);\n max-width: 480px;\n width: 100%;\n padding: 40px;\n text-align: center;\n }\n .shield-icon {\n font-size: 48px;\n margin-bottom: 20px;\n }\n .shield-title {\n font-size: 24px;\n font-weight: 700;\n color: #1a1a2e;\n margin-bottom: 16px;\n }\n .shield-message {\n color: #4a5568;\n line-height: 1.6;\n margin-bottom: 24px;\n }\n .shield-steps {\n text-align: left;\n background: #f7fafc;\n border-radius: 8px;\n padding: 20px;\n margin-bottom: 24px;\n }\n .shield-steps h3 {\n font-size: 14px;\n font-weight: 600;\n color: #2d3748;\n margin-bottom: 12px;\n }\n .shield-steps ol {\n padding-left: 20px;\n color: #4a5568;\n }\n .shield-steps li {\n margin-bottom: 8px;\n }\n .shield-buttons {\n display: flex;\n flex-direction: column;\n gap: 12px;\n }\n .btn {\n display: inline-block;\n padding: 14px 24px;\n border-radius: 8px;\n font-weight: 600;\n text-decoration: none;\n transition: all 0.2s;\n cursor: pointer;\n border: none;\n font-size: 16px;\n }\n .btn-primary {\n background: linear-gradient(135deg, #6366f1 0%, #4f46e5 100%);\n color: white;\n }\n .btn-primary:hover {\n transform: translateY(-2px);\n box-shadow: 0 4px 12px rgba(99, 102, 241, 0.4);\n }\n .btn-secondary {\n background: #e2e8f0;\n color: #4a5568;\n }\n .btn-secondary:hover {\n background: #cbd5e0;\n }\n .shield-footer {\n margin-top: 24px;\n font-size: 14px;\n color: #718096;\n }\n .shield-footer a {\n color: #6366f1;\n text-decoration: none;\n }\n .shield-footer a:hover {\n text-decoration: underline;\n }\n </style>\n</head>\n<body>\n <div class=\"shield-container\">\n <div class=\"shield-icon\">🛡️</div>\n <h1 class=\"shield-title\">${title}</h1>\n <p class=\"shield-message\">${message}</p>\n\n <div class=\"shield-steps\">\n <h3>To get verified access:</h3>\n <ol>\n <li>Register at <a href=\"${registrationUrl}\">astrasync.ai/register</a></li>\n <li>Create and register your agent</li>\n <li>Add your ASTRA-ID to request headers</li>\n <li>Refresh this page</li>\n </ol>\n </div>\n\n <div class=\"shield-buttons\">\n <a href=\"${registrationUrl}\" class=\"btn btn-primary\">Register Now</a>\n ${allowGuest ? '<button onclick=\"window.location.reload()\" class=\"btn btn-secondary\">Continue as Guest (Limited)</button>' : ''}\n </div>\n\n <p class=\"shield-footer\">\n Learn more: <a href=\"${docsUrl}\">Agent Access Documentation</a>\n </p>\n </div>\n</body>\n</html>\n `.trim();\n}\n\nconst DEFAULT_ROUTES_REFRESH_MS = 5 * 60 * 1000;\n\n/*\n Create Next.js middleware for agent verification.\n \n v2.9.7 moved per-route policy out of merchant-side source code into the\n * AstraSync dashboard. The middleware fetches its routes from the backend\n * via `GET /endpoints/:counterpartyId/routes` on init and refreshes\n * periodically — see `ExpressMiddlewareOptions` for the rationale (defect\n * 24, dual-config silent-conflict).\n /\nexport function createMiddleware(options: NextJsMiddlewareOptions) {\n const {\n skipPaths = [],\n showCommerceShield = true,\n enableRuntimeChallenge = true,\n routesRefreshMs = DEFAULT_ROUTES_REFRESH_MS,\n ...config\n } = options;\n\n let cachedRoutes: RouteAccessConfig[] = [];\n let lastFetchAt = 0;\n let refreshing: Promise<void> \| null = null;\n let warnedNoCounterparty = false;\n\n async function refreshRoutes(): Promise<void> {\n if (!config.counterpartyId) {\n if (!warnedNoCounterparty) {\n // eslint-disable-next-line no-console\n console.warn(\n '[VerificationGateway/Next.js] No counterpartyId configured — falling through (allow all). ' +\n 'Per-route policy lives in the AstraSync dashboard now; register the endpoint and ' +\n 'set counterpartyId in your middleware config to enforce policy.'\n );\n warnedNoCounterparty = true;\n }\n return;\n }\n const fetched = await fetchRoutes(config, config.counterpartyId);\n if (fetched) {\n cachedRoutes = fetched;\n lastFetchAt = Date.now();\n }\n }\n\n refreshing = refreshRoutes().finally(() => {\n refreshing = null;\n });\n\n return async function middleware(request: NextRequest) {\n // Dynamic import NextResponse to avoid build issues\n const { NextResponse } = await import('next/server');\n\n const pathname = request.nextUrl.pathname;\n\n // Check if path should be skipped\n const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, pathname));\n if (shouldSkip) {\n return NextResponse.next();\n }\n\n if (refreshing) {\n await refreshing.catch(() => {});\n }\n if (config.counterpartyId && Date.now() - lastFetchAt > routesRefreshMs) {\n refreshing = refreshRoutes().finally(() => {\n refreshing = null;\n });\n }\n\n // Find route configuration (from remote-fetched cache)\n const routeConfig = findRouteConfig(cachedRoutes, pathname, request.method);\n\n // If no route config, allow through\n if (!routeConfig) {\n return NextResponse.next();\n }\n\n // If route requires 'none' access, allow through\n if (routeConfig.minAccessLevel === 'none') {\n return NextResponse.next();\n }\n\n // Extract credentials\n const credentials = extractCredentialsFromNextRequest(request);\n\n // v2.3.0: anonymous traffic no longer short-circuits client-side.\n // The server applies the endpoint's `unverifiedAgentPolicy` (deny /\n // allow_partial / allow_full) and emits the verification event +\n // blockchain record per the canonical flow. SDK forwards verbatim.\n\n // Auto-detect counterparty URL from the request if not explicitly configured.\n // Since the SDK is installed at this endpoint, we always know the origin.\n const counterpartyUrl = config.counterpartyUrl \|\| request.nextUrl.origin;\n\n // Extract purpose and full AstraSync credentials (includes PDLSS from X-Astra- headers)\n const purpose = extractPurpose(request);\n const astraCreds = extractAstraSyncCredentialsFromNextRequest(request);\n\n // Step 2: Counterparty-side PDLSS pre-check — compare agent's requested PDLSS\n // against counterparty-defined maximums on the route config.\n // Rejects immediately if outside limits, BEFORE calling verify-access.\n const preCheckFailures = performCounterpartyPreCheck(routeConfig, astraCreds, purpose);\n if (preCheckFailures.length > 0) {\n // Round-18 G4: counterparty pre-check failure — see express.ts for the\n // rationale. Neither axis verified remotely → both false.\n const preCheckResult: VerificationResult = {\n identityVerified: false,\n policyAllowed: false,\n accessLevel: 'none',\n denialReasons: preCheckFailures.map((f) => f.message),\n guidance: {\n message: 'Request exceeds counterparty-defined PDLSS limits.',\n registrationUrl: `${config.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl?.replace('/api', '')}/docs/pdlss`,\n },\n verifiedAt: new Date(),\n };\n\n // Fire-and-forget: notify AstraSync of the pre-check failure\n reportCounterpartyPreCheckFailure(config, {\n agentId: astraCreds?.agentId \|\| credentials.astraId \|\| 'unknown',\n counterpartyUrl,\n counterpartyType: config.counterpartyType \|\| 'website',\n failures: preCheckFailures,\n requestPath: pathname,\n requestMethod: request.method,\n }).catch(() => {});\n\n // For API routes, return JSON\n if (pathname.startsWith('/api/')) {\n return NextResponse.json(\n {\n success: false,\n error: {\n code: 'PDLSS_PRE_CHECK_FAILED',\n message: preCheckResult.denialReasons?.[0] \|\| 'PDLSS pre-check failed',\n guidance: preCheckResult.guidance,\n },\n },\n { status: 403 }\n );\n }\n\n // For web pages, show Commerce Shield\n if (showCommerceShield) {\n return new NextResponse(generateCommerceShieldHtml(preCheckResult, options), {\n status: 200,\n headers: {\n 'Content-Type': 'text/html',\n 'X-AstraSync-Verification': 'commerce-shield',\n },\n });\n }\n\n return NextResponse.redirect(new URL('/unauthorized', request.url));\n }\n\n // Step 3: Call AstraSync verify-access with runtime challenge enabled\n const forwardedFor = request.headers.get('x-forwarded-for') \|\| undefined;\n const originalClientIp = forwardedFor?.split(',')[0]?.trim();\n const result = await verify(config, {\n credentials,\n purpose,\n action: request.method.toLowerCase(),\n resource: pathname,\n counterpartyUrl,\n counterpartyType: config.counterpartyType \|\| 'website',\n enableRuntimeChallenge,\n durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration,\n callerMetadata: {\n sourceIp: originalClientIp,\n userAgent: request.headers.get('user-agent') \|\| undefined,\n referer: request.headers.get('referer') \|\| undefined,\n host: request.headers.get('host') \|\| undefined,\n forwardedFor,\n agentCardUrl: request.headers.get('x-astrasync-agent-card') \|\| undefined,\n },\n });\n\n // v2.3.9 (defect #30): denied verifications short-circuit BEFORE the\n // gate-level comparison. The OR-prefix shape here keeps the\n // single-expression branch this adapter uses, but ensures any axis of\n // failure triggers the denial path even if the access level math would\n // otherwise let it through (the historical bug). See express.ts for the\n // full rationale.\n // Round-18 G4: short-circuit on either axis failing (identity-fail or\n // policy-fail). The OR with hasMinimumAccess() preserves access-level\n // gating for over-tier requests.\n if (\n !result.identityVerified \|\|\n !result.policyAllowed \|\|\n !hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)\n ) {\n // For API routes, return JSON\n if (pathname.startsWith('/api/')) {\n return NextResponse.json(\n {\n success: false,\n error: {\n // Round-18 G4: 401 → identity missing (re-auth); 403 → identity\n // OK, policy denied (update PDLSS / step up).\n code: !result.identityVerified ? 'UNAUTHORIZED' : 'INSUFFICIENT_ACCESS',\n message: result.denialReasons?.[0] \|\| 'Access denied',\n accessLevel: result.accessLevel,\n required: routeConfig.minAccessLevel,\n guidance: result.guidance,\n },\n },\n { status: !result.identityVerified ? 401 : 403 }\n );\n }\n\n // For web pages, show Commerce Shield\n if (showCommerceShield) {\n return new NextResponse(generateCommerceShieldHtml(result, options), {\n status: 200,\n headers: {\n 'Content-Type': 'text/html',\n 'X-AstraSync-Verification': 'commerce-shield',\n },\n });\n }\n\n // Redirect to unauthorized page\n return NextResponse.redirect(new URL('/unauthorized', request.url));\n }\n\n // All checks passed - continue with verification info in headers\n const response = NextResponse.next();\n\n // Add verification info to response headers\n // Round-18 G4: composite `verified` (identity AND policy) for legacy\n // header consumers; new headers expose each axis separately so middleware\n // chains can branch without re-running verify-access.\n response.headers.set(\n 'X-AstraSync-Verified',\n (result.identityVerified && result.policyAllowed).toString()\n );\n response.headers.set('X-AstraSync-Identity-Verified', result.identityVerified.toString());\n response.headers.set('X-AstraSync-Policy-Allowed', result.policyAllowed.toString());\n response.headers.set('X-AstraSync-Access-Level', result.accessLevel);\n\n if (result.agent) {\n response.headers.set('X-AstraSync-Agent-Id', result.agent.astraId);\n response.headers.set('X-AstraSync-Trust-Score', result.agent.trustScore.toString());\n }\n\n return response;\n };\n}\n\n/*\n Helper to create matcher config\n /\nexport function createMatcherConfig(paths: string[]): { matcher: string[] } {\n return { matcher: paths };\n}\n","/\n RFC 9421 HTTP Message Signatures parser.\n \n Wraps `structured-headers` (transitive dep of http-message-signatures) to\n * parse the Signature-Input and Signature Dictionary headers per RFC 9421 §2.\n \n Produces structured metadata (kid, algorithm, covered components, tag,\n * created/expires/nonce, signature bytes) without verifying the signature —\n * verification lives in rfc9421-verify.ts.\n \n Shared by:\n * - Agent Pay (Mastercard) — kid resolves via Mastercard Agent Registry\n * - TAP (Visa) — kid resolves via Visa JWKS\n * - Web Bot Auth (generic transport substrate) — kid resolves via\n * /.well-known/http-message-signatures-directory\n /\n\nimport { parseDictionary } from 'structured-headers';\n\nexport interface RFC9421SignatureParams {\n /* The label identifying the signature in the Dictionary header (e.g. \"sig1\"). /\n label: string;\n /* Key ID used to look up the verifying key in the relevant registry. /\n kid: string;\n /* Algorithm declared in the Signature-Input params (e.g. \"ecdsa-p256-sha256\", \"ed25519\"). /\n alg?: string;\n /* Covered components, in order, per RFC 9421 §2.1. /\n covered: string[];\n /* Base64url-encoded signature bytes extracted from the paired Signature header. /\n signatureBase64: string;\n /* Unix seconds when the signature was created. /\n created?: number;\n /* Unix seconds when the signature expires. /\n expires?: number;\n /* Nonce (opaque string) for replay protection. /\n nonce?: string;\n /* Tag parameter. For Agent Pay/TAP this is \"browse\" or \"purchase\"; undefined otherwise. /\n tag?: 'browse' \| 'purchase' \| string;\n}\n\nexport interface ParsedRFC9421 {\n signatures: RFC9421SignatureParams[];\n}\n\n/\n Parse the RFC 9421 Signature-Input and Signature headers from a request or response.\n * Returns all signatures present (a single message may carry multiple labelled signatures).\n \n Returns null if either header is missing or malformed.\n /\nexport function parseRFC9421(\n headers: Record<string, string \| string[] \| undefined>\n): ParsedRFC9421 \| null {\n const sigInput = readHeader(headers, 'signature-input');\n const sig = readHeader(headers, 'signature');\n if (!sigInput \|\| !sig) return null;\n\n let inputDict;\n let sigDict;\n try {\n inputDict = parseDictionary(sigInput);\n sigDict = parseDictionary(sig);\n } catch {\n return null;\n }\n\n const signatures: RFC9421SignatureParams[] = [];\n\n for (const [label, entry] of inputDict) {\n // entry.value is the inner list of covered components; entry[1] is the params Map.\n const innerList = Array.isArray(entry)\n ? entry[0]\n : (entry as { value?: unknown; params?: unknown }).value;\n const params = Array.isArray(entry)\n ? entry[1]\n : (entry as { value?: unknown; params?: unknown }).params;\n if (!Array.isArray(innerList) \|\| !params) continue;\n\n const covered: string[] = [];\n for (const item of innerList as Array<[unknown, Map<string, unknown>]>) {\n const [bare] = Array.isArray(item) ? item : [item];\n if (typeof bare === 'string') covered.push(bare);\n else if (bare && typeof bare === 'object' && 'toString' in bare) covered.push(String(bare));\n }\n\n const paramsMap = params as Map<string, unknown>;\n const kid = coerceString(paramsMap.get('keyid'));\n if (!kid) continue;\n\n const sigEntry = sigDict.get(label);\n if (!sigEntry) continue;\n\n const sigBare = Array.isArray(sigEntry) ? sigEntry[0] : (sigEntry as { value?: unknown }).value;\n const signatureBase64 = extractBase64(sigBare);\n if (!signatureBase64) continue;\n\n signatures.push({\n label,\n kid,\n alg: coerceString(paramsMap.get('alg')),\n covered,\n signatureBase64,\n created: coerceNumber(paramsMap.get('created')),\n expires: coerceNumber(paramsMap.get('expires')),\n nonce: coerceString(paramsMap.get('nonce')),\n tag: coerceString(paramsMap.get('tag')),\n });\n }\n\n if (signatures.length === 0) return null;\n return { signatures };\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined>,\n name: string\n): string \| null {\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw.join(', ');\n return null;\n }\n }\n return null;\n}\n\nfunction coerceString(value: unknown): string \| undefined {\n if (typeof value === 'string') return value;\n if (value == null) return undefined;\n if (typeof value === 'object' && 'toString' in (value as object)) {\n const s = String(value);\n return s.length > 0 ? s : undefined;\n }\n return undefined;\n}\n\nfunction coerceNumber(value: unknown): number \| undefined {\n if (typeof value === 'number' && Number.isFinite(value)) return value;\n if (typeof value === 'bigint') return Number(value);\n return undefined;\n}\n\nfunction extractBase64(value: unknown): string \| null {\n if (value instanceof Uint8Array) return bufferToBase64(value);\n if (value instanceof ArrayBuffer) return bufferToBase64(new Uint8Array(value));\n if (ArrayBuffer.isView(value)) {\n const v = value as ArrayBufferView;\n return bufferToBase64(new Uint8Array(v.buffer, v.byteOffset, v.byteLength));\n }\n if (typeof value === 'string') {\n if (value.startsWith(':') && value.endsWith(':')) return value.slice(1, -1);\n return value;\n }\n return null;\n}\n\nfunction bufferToBase64(bytes: Uint8Array): string {\n return Buffer.from(bytes).toString('base64');\n}\n","/\n RFC 9421 HTTP Message Signatures verification.\n \n Wraps http-message-signatures (dhensby) verifyMessage() with a RegistryResolver\n * hook for kid → JWK lookup. Library handles canonicalization + ES256/EdDSA/\n * HMAC/RSA verification; we supply the key-finding callback and policy around\n * clock skew.\n \n Shared by:\n * - Agent Pay (Mastercard) — resolver = createMastercardRegistry\n * - TAP (Visa) — resolver = createVisaRegistry\n * - Web Bot Auth (generic) — resolver = createWebBotAuthRegistry\n /\n\nimport { httpbis, type VerifierFinder, type VerifyingKey } from 'http-message-signatures';\nimport type { JWK } from 'jose';\nimport type { RegistryResolver } from './registry/types';\n\nexport interface RFC9421VerifyRequest {\n method: string;\n url: string;\n headers: Record<string, string \| string[]>;\n body?: string;\n}\n\nexport interface RFC9421VerifyOptions {\n resolver: RegistryResolver;\n /* Seconds of tolerance around created/expires. Default 300. /\n clockSkewSec?: number;\n /* Injectable for deterministic tests. /\n now?: () => number;\n}\n\nexport interface RFC9421VerifyResult {\n ok: boolean;\n kid?: string;\n registry?: RegistryResolver['name'];\n algorithm?: string;\n error?: string;\n}\n\nexport async function verifyRFC9421(\n request: RFC9421VerifyRequest,\n options: RFC9421VerifyOptions\n): Promise<RFC9421VerifyResult> {\n const { resolver } = options;\n const tolerance = options.clockSkewSec ?? 300;\n const nowSec = options.now ? options.now() : Math.floor(Date.now() / 1000);\n\n let resolvedKid: string \| undefined;\n let resolvedAlg: string \| undefined;\n\n const keyLookup: VerifierFinder = async (parameters) => {\n const kid = typeof parameters.keyid === 'string' ? parameters.keyid : undefined;\n if (!kid) return null;\n resolvedKid = kid;\n const alg = typeof parameters.alg === 'string' ? parameters.alg : undefined;\n if (alg) resolvedAlg = alg;\n\n const origin = safeOrigin(request.url);\n const jwk = await resolver.resolve(kid, { origin, algorithm: alg });\n if (!jwk) return null;\n\n // Check clock-skew on this specific signature's created/expires.\n // SignatureParameters may carry Date, number, or ISO string per library.\n const created = toUnixSeconds(parameters.created);\n const expires = toUnixSeconds(parameters.expires);\n if (created !== undefined && Math.abs(nowSec - created) > tolerance) return null;\n if (expires !== undefined && nowSec > expires + tolerance) return null;\n\n return jwkToVerifyingKey(kid, jwk, alg);\n };\n\n try {\n const result = await httpbis.verifyMessage(\n {\n keyLookup,\n },\n normalizeRequest(request)\n );\n if (result === true) {\n return {\n ok: true,\n kid: resolvedKid,\n registry: resolver.name,\n algorithm: resolvedAlg,\n };\n }\n return {\n ok: false,\n kid: resolvedKid,\n registry: resolver.name,\n algorithm: resolvedAlg,\n error: result === false ? 'signature invalid' : 'no signature found',\n };\n } catch (err) {\n return {\n ok: false,\n kid: resolvedKid,\n registry: resolver.name,\n algorithm: resolvedAlg,\n error: err instanceof Error ? err.message : 'verification error',\n };\n }\n}\n\nfunction normalizeRequest(request: RFC9421VerifyRequest): {\n method: string;\n url: string;\n headers: Record<string, string \| string[]>;\n} {\n return {\n method: request.method.toUpperCase(),\n url: request.url,\n headers: request.headers,\n };\n}\n\nfunction safeOrigin(url: string): string \| undefined {\n try {\n return new URL(url).origin;\n } catch {\n return undefined;\n }\n}\n\nasync function jwkToVerifyingKey(\n id: string,\n jwk: JWK,\n alg: string \| undefined\n): Promise<VerifyingKey> {\n const algorithm = alg ?? inferAlgFromJwk(jwk);\n const { subtle } = await getCrypto();\n const importAlg = webCryptoImportAlgFor(algorithm);\n const verifyAlg = webCryptoAlgFor(algorithm);\n if (!importAlg \|\| !verifyAlg) {\n return {\n id,\n algs: alg ? [alg] : undefined,\n verify: async () => false,\n };\n }\n const key = await subtle.importKey('jwk', jwk as JsonWebKey, importAlg, false, ['verify']);\n\n return {\n id,\n algs: alg ? [alg] : undefined,\n verify: async (data: Buffer, signature: Buffer): Promise<boolean> => {\n try {\n return await subtle.verify(verifyAlg, key, toArrayBuffer(signature), toArrayBuffer(data));\n } catch {\n return false;\n }\n },\n };\n}\n\nfunction inferAlgFromJwk(jwk: JWK): string {\n if (jwk.kty === 'OKP' && jwk.crv === 'Ed25519') return 'ed25519';\n if (jwk.kty === 'EC' && jwk.crv === 'P-256') return 'ecdsa-p256-sha256';\n if (jwk.kty === 'EC' && jwk.crv === 'P-384') return 'ecdsa-p384-sha384';\n if (jwk.kty === 'RSA') return 'rsa-v1_5-sha256';\n return 'ecdsa-p256-sha256';\n}\n\nfunction webCryptoAlgFor(\n rfc9421Alg: string\n): AlgorithmIdentifier \| EcdsaParams \| RsaPssParams \| null {\n switch (rfc9421Alg) {\n case 'ed25519':\n return { name: 'Ed25519' };\n case 'ecdsa-p256-sha256':\n return { name: 'ECDSA', hash: 'SHA-256' };\n case 'ecdsa-p384-sha384':\n return { name: 'ECDSA', hash: 'SHA-384' };\n case 'rsa-v1_5-sha256':\n return { name: 'RSASSA-PKCS1-v1_5' };\n case 'rsa-pss-sha512':\n return { name: 'RSA-PSS', saltLength: 64 };\n default:\n return null;\n }\n}\n\nfunction webCryptoImportAlgFor(\n rfc9421Alg: string\n): AlgorithmIdentifier \| EcKeyImportParams \| RsaHashedImportParams \| null {\n switch (rfc9421Alg) {\n case 'ed25519':\n return { name: 'Ed25519' };\n case 'ecdsa-p256-sha256':\n return { name: 'ECDSA', namedCurve: 'P-256' };\n case 'ecdsa-p384-sha384':\n return { name: 'ECDSA', namedCurve: 'P-384' };\n case 'rsa-v1_5-sha256':\n return { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };\n case 'rsa-pss-sha512':\n return { name: 'RSA-PSS', hash: 'SHA-512' };\n default:\n return null;\n }\n}\n\nfunction toArrayBuffer(buf: Buffer): ArrayBuffer {\n const out = new ArrayBuffer(buf.byteLength);\n new Uint8Array(out).set(buf);\n return out;\n}\n\nfunction toUnixSeconds(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (v instanceof Date) return Math.floor(v.getTime() / 1000);\n if (typeof v === 'string') {\n const parsed = Date.parse(v);\n if (Number.isFinite(parsed)) return Math.floor(parsed / 1000);\n }\n return undefined;\n}\n\nasync function getCrypto(): Promise<{ subtle: SubtleCrypto }> {\n if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto.subtle) {\n return { subtle: globalThis.crypto.subtle };\n }\n // Node fallback\n const nodeCrypto = await import('node:crypto');\n return { subtle: nodeCrypto.webcrypto.subtle as SubtleCrypto };\n}\n","/\n VI (Verifiable Intent) SD-JWT extraction.\n \n Open-sourced 5 March 2026 by Mastercard + Google (v0.1-draft).\n * VI is a 3-layer SD-JWT chain:\n * L1 — issuer → wallet (credential provider)\n * L2 — user → agent (cnf.jwk binding to L3 agent key)\n * L3 — agent → merchant (payment or checkout mandate, split into L3a / L3b\n * cross-referenced via transaction_id)\n \n This module does EXTRACTION ONLY — it decodes SD-JWT structure and pulls\n * out the mandate type, kid, executionMode, 8 constraint types, checkoutHash\n * (constraint type 8), transactionId, and raw layers for later verification.\n \n Signature verification lives in vi-verify.ts; this module uses @sd-jwt's\n * sync decoder with a SHA-256 hasher for structural parsing only.\n /\n\nimport { splitSdJwt, decodeSdJwtSync } from '@sd-jwt/decode';\nimport { createHash } from 'node:crypto';\nimport type { VIMandateType } from './purpose-mapping';\n\nexport type { VIMandateType };\nexport type VIExecutionMode = 'Immediate' \| 'Autonomous' \| 'Both';\n\nexport interface VIAllowedParty {\n id?: string;\n name?: string;\n website?: string;\n}\n\nexport interface VILineItem {\n id?: string;\n acceptableItems?: string[];\n quantity?: number;\n}\n\nexport interface VIPaymentAmount {\n currency?: string;\n min?: number;\n max?: number;\n}\n\nexport interface VIBudgetLimit {\n currency?: string;\n max?: number;\n}\n\nexport interface VIRecurrence {\n frequency?: string;\n startDate?: string;\n endDate?: string;\n maxOccurrences?: number;\n}\n\nexport interface VIConstraints {\n allowedMerchants?: VIAllowedParty[];\n allowedPayees?: VIAllowedParty[];\n lineItems?: VILineItem[];\n paymentAmount?: VIPaymentAmount;\n budgetLimit?: VIBudgetLimit;\n recurrence?: VIRecurrence;\n agentRecurrence?: VIRecurrence;\n}\n\nexport interface VIExtractedClaims {\n mandateType: VIMandateType;\n kid?: string;\n executionMode?: VIExecutionMode;\n credentialProvider?: string;\n constraints: VIConstraints;\n /* VI constraint type 8 — SHA-256 of the paired L2 checkout disclosure. /\n checkoutHash?: string;\n transactionId?: string;\n rawLayers: { l1?: string; l2?: string; l3?: string };\n}\n\n/\n Extract VI claims from a compact SD-JWT string.\n \n Input shape:\n * <jwt>~<disclosure1>~<disclosure2>~...~<kbJwt?>\n \n Returns null if parsing fails at any layer. Does not verify signatures.\n /\nexport function extractVIClaims(sdJwtCompact: string): VIExtractedClaims \| null {\n if (!sdJwtCompact \|\| typeof sdJwtCompact !== 'string') return null;\n\n let decoded;\n try {\n decoded = decodeSdJwtSync(sdJwtCompact, sha256Sync);\n } catch {\n return null;\n }\n\n const split = safeSplit(sdJwtCompact);\n\n const payload = (decoded.jwt?.payload ?? {}) as Record<string, unknown>;\n const disclosures = decoded.disclosures ?? [];\n\n // Apply disclosures onto payload to resolve _sd references.\n // Disclosure from @sd-jwt/utils has { key, value, digest() } where digest is\n // a function — we only need key+value here, so narrow via a structural cast.\n const claims = applyDisclosures(\n payload,\n disclosures as unknown as Array<{ key?: string; value?: unknown }>\n );\n\n const mandateType = coerceMandateType(\n claims.mandate_type ?? claims.mandateType ?? payload.mandate_type ?? payload.mandateType\n );\n if (!mandateType) return null;\n\n const kid = coerceString(\n (decoded.jwt?.header as Record<string, unknown> \| undefined)?.kid ?? claims.kid ?? payload.kid\n );\n\n const executionMode = coerceExecutionMode(claims.execution_mode ?? claims.executionMode);\n const credentialProvider = coerceString(claims.iss ?? payload.iss);\n\n const constraints = extractConstraints(\n (claims.constraints ?? claims.default_constraints ?? {}) as Record<string, unknown>\n );\n\n const transactionId = coerceString(claims.transaction_id ?? claims.transactionId);\n const checkoutHash = coerceString(\n claims.checkout_hash ??\n claims.conditional_transaction_id ??\n (claims.payment_reference as Record<string, unknown> \| undefined)?.checkout_hash\n );\n\n return {\n mandateType,\n kid,\n executionMode,\n credentialProvider,\n constraints,\n checkoutHash,\n transactionId,\n rawLayers: split,\n };\n}\n\nfunction safeSplit(compact: string): { l1?: string; l2?: string; l3?: string } {\n try {\n const { jwt, kbJwt } = splitSdJwt(compact);\n // VI layering maps loosely: the outer JWT is L3 (agent mandate), KB-JWT\n // (if present) is the key-binding proof, and disclosures carry L2/L1 fragments.\n return { l3: jwt, l2: kbJwt };\n } catch {\n return {};\n }\n}\n\nfunction applyDisclosures(\n payload: Record<string, unknown>,\n disclosures: Array<{ key?: string; value?: unknown }>\n): Record<string, unknown> {\n const result: Record<string, unknown> = { ...payload };\n for (const d of disclosures) {\n if (d.key && d.value !== undefined && !(d.key in result)) {\n result[d.key] = d.value;\n }\n }\n return result;\n}\n\nfunction extractConstraints(raw: Record<string, unknown>): VIConstraints {\n return {\n allowedMerchants: toAllowedPartyArray(raw.allowed_merchants ?? raw.allowedMerchants),\n allowedPayees: toAllowedPartyArray(raw.allowed_payees ?? raw.allowedPayees),\n lineItems: toLineItemArray(raw.line_items ?? raw.lineItems),\n paymentAmount: toPaymentAmount(raw.payment_amount ?? raw.paymentAmount),\n budgetLimit: toBudgetLimit(raw.budget_limit ?? raw.budgetLimit ?? raw.budget),\n recurrence: toRecurrence(raw.recurrence),\n agentRecurrence: toRecurrence(raw.agent_recurrence ?? raw.agentRecurrence),\n };\n}\n\nfunction toAllowedPartyArray(v: unknown): VIAllowedParty[] \| undefined {\n if (!Array.isArray(v)) return undefined;\n const out: VIAllowedParty[] = [];\n for (const item of v) {\n if (item && typeof item === 'object') {\n const r = item as Record<string, unknown>;\n out.push({\n id: coerceString(r.id),\n name: coerceString(r.name),\n website: coerceString(r.website),\n });\n }\n }\n return out.length > 0 ? out : undefined;\n}\n\nfunction toLineItemArray(v: unknown): VILineItem[] \| undefined {\n if (!Array.isArray(v)) return undefined;\n const out: VILineItem[] = [];\n for (const item of v) {\n if (item && typeof item === 'object') {\n const r = item as Record<string, unknown>;\n const acc = r.acceptable_items ?? r.acceptableItems;\n out.push({\n id: coerceString(r.id),\n acceptableItems: Array.isArray(acc)\n ? (acc.filter((a) => typeof a === 'string') as string[])\n : undefined,\n quantity: coerceNumber(r.quantity),\n });\n }\n }\n return out.length > 0 ? out : undefined;\n}\n\nfunction toPaymentAmount(v: unknown): VIPaymentAmount \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n return {\n currency: coerceString(r.currency),\n min: coerceNumber(r.min),\n max: coerceNumber(r.max),\n };\n}\n\nfunction toBudgetLimit(v: unknown): VIBudgetLimit \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n return {\n currency: coerceString(r.currency),\n max: coerceNumber(r.max),\n };\n}\n\nfunction toRecurrence(v: unknown): VIRecurrence \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n return {\n frequency: coerceString(r.frequency),\n startDate: coerceString(r.start_date ?? r.startDate),\n endDate: coerceString(r.end_date ?? r.endDate),\n maxOccurrences: coerceNumber(r.max_occurrences ?? r.maxOccurrences),\n };\n}\n\nfunction coerceMandateType(v: unknown): VIMandateType \| null {\n if (v === 'checkout' \|\| v === 'payment' \|\| v === 'checkout.open' \|\| v === 'payment.open') {\n return v;\n }\n return null;\n}\n\nfunction coerceExecutionMode(v: unknown): VIExecutionMode \| undefined {\n return v === 'Immediate' \|\| v === 'Autonomous' \|\| v === 'Both' ? v : undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n\nfunction coerceNumber(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string') {\n const n = Number(v);\n return Number.isFinite(n) ? n : undefined;\n }\n return undefined;\n}\n\nfunction sha256Sync(data: string \| ArrayBuffer): Uint8Array {\n const buf =\n typeof data === 'string' ? Buffer.from(data, 'utf-8') : Buffer.from(new Uint8Array(data));\n const hash = createHash('sha256').update(buf).digest();\n return new Uint8Array(hash.buffer, hash.byteOffset, hash.byteLength);\n}\n","/\n Stripe webhook HMAC-SHA256 verifier (inline).\n \n Stripe-Signature header format: \"t=TIMESTAMP,v1=HEX_SIGNATURE\"\n * - t: unix seconds when Stripe signed the webhook\n * - v1: HMAC-SHA256(webhook_secret, `${t}.${payload}`) as hex\n \n Multiple v1 signatures can coexist during secret rotation; any match wins.\n * Default tolerance on timestamp age: 300s (matches Stripe's own default).\n \n Documented at docs.stripe.com — we intentionally inline ~25 LOC rather\n * than pull in the full stripe npm package (MIT but 600KB+ with deps).\n /\n\nimport { createHmac, timingSafeEqual } from 'node:crypto';\n\nexport interface VerifyStripeWebhookResult {\n ok: boolean;\n timestamp?: number;\n error?: string;\n}\n\nexport interface VerifyStripeWebhookOptions {\n toleranceSec?: number;\n /* Injectable for deterministic tests. /\n now?: () => number;\n}\n\nexport function verifyStripeWebhook(\n payload: string,\n signatureHeader: string \| undefined,\n secret: string,\n options: VerifyStripeWebhookOptions = {}\n): VerifyStripeWebhookResult {\n if (!signatureHeader) return { ok: false, error: 'missing Stripe-Signature header' };\n if (!secret) return { ok: false, error: 'missing webhook secret' };\n\n const parsed = parseStripeSignature(signatureHeader);\n if (!parsed.timestamp) return { ok: false, error: 'malformed Stripe-Signature (missing t=)' };\n if (parsed.v1Signatures.length === 0) {\n return { ok: false, error: 'malformed Stripe-Signature (no v1=)' };\n }\n\n const tolerance = options.toleranceSec ?? 300;\n const now = options.now ? options.now() : Math.floor(Date.now() / 1000);\n if (Math.abs(now - parsed.timestamp) > tolerance) {\n return {\n ok: false,\n timestamp: parsed.timestamp,\n error: `timestamp outside tolerance (${tolerance}s)`,\n };\n }\n\n const signedPayload = `${parsed.timestamp}.${payload}`;\n const expected = createHmac('sha256', secret).update(signedPayload).digest();\n\n for (const candidateHex of parsed.v1Signatures) {\n const candidate = hexToBuffer(candidateHex);\n if (!candidate) continue;\n if (candidate.length !== expected.length) continue;\n if (timingSafeEqual(candidate, expected)) {\n return { ok: true, timestamp: parsed.timestamp };\n }\n }\n\n return { ok: false, timestamp: parsed.timestamp, error: 'signature mismatch' };\n}\n\ninterface ParsedStripeSignature {\n timestamp: number \| null;\n v1Signatures: string[];\n}\n\nfunction parseStripeSignature(header: string): ParsedStripeSignature {\n let timestamp: number \| null = null;\n const v1Signatures: string[] = [];\n for (const part of header.split(',')) {\n const [rawKey, rawValue] = part.split('=');\n if (!rawKey \|\| !rawValue) continue;\n const key = rawKey.trim();\n const value = rawValue.trim();\n if (key === 't') {\n const n = Number(value);\n if (Number.isFinite(n)) timestamp = n;\n } else if (key === 'v1') {\n v1Signatures.push(value);\n }\n }\n return { timestamp, v1Signatures };\n}\n\nfunction hexToBuffer(hex: string): Buffer \| null {\n if (!/^[0-9a-fA-F]+$/.test(hex) \|\| hex.length % 2 !== 0) return null;\n return Buffer.from(hex, 'hex');\n}\n","/\n AP2 (Agent Payments Protocol) mandate extraction.\n \n Google-led, launched 3 April 2026 with 60+ partners (Mastercard, PayPal,\n * Coinbase, AmEx, Revolut, UnionPay, ...). AP2 ships three mandate types as\n * SD-JWTs in series:\n * - intent_mandate — user declares intent (amount, merchant category, etc.)\n * - cart_mandate — user approves a cart (specific items, totals)\n * - payment_mandate — authorizes the actual payment rail\n \n Mandates are cross-referenced via ids; each is an SD-JWT over ES256 (or\n * equivalent). We decode via @sd-jwt/decode and extract the AP2-specific\n * shape — verification lives in ap2-verify.ts.\n /\n\nimport { decodeSdJwtSync } from '@sd-jwt/decode';\nimport { createHash } from 'node:crypto';\nimport type { AP2MandateType } from './purpose-mapping';\n\nexport type { AP2MandateType };\n\nexport interface AP2PaymentDetailsTotal {\n amount?: { value?: string \| number; currency?: string };\n label?: string;\n}\n\nexport interface AP2IntentMandateClaims {\n type: 'intent_mandate';\n agent_id?: string;\n user_id?: string;\n merchant_category?: string;\n allowedMerchantDomains?: string[];\n paymentMethods?: string[];\n expires?: string;\n payment_details_total?: AP2PaymentDetailsTotal;\n raw: Record<string, unknown>;\n}\n\nexport interface AP2CartMandateClaims {\n type: 'cart_mandate';\n agent_id?: string;\n intent_mandate_id?: string;\n merchant_id?: string;\n line_items?: Array<{\n id?: string;\n quantity?: number;\n price?: { value?: string \| number; currency?: string };\n }>;\n payment_details_total?: AP2PaymentDetailsTotal;\n expires?: string;\n raw: Record<string, unknown>;\n}\n\nexport interface AP2PaymentMandateClaims {\n type: 'payment_mandate';\n agent_id?: string;\n cart_mandate_id?: string;\n payment_method?: string;\n payment_details_total?: AP2PaymentDetailsTotal;\n credential_provider?: string;\n raw: Record<string, unknown>;\n}\n\nexport type AP2MandateClaims =\n \| AP2IntentMandateClaims\n \| AP2CartMandateClaims\n \| AP2PaymentMandateClaims;\n\nexport interface AP2MandateTriple {\n intent?: AP2IntentMandateClaims;\n cart?: AP2CartMandateClaims;\n payment?: AP2PaymentMandateClaims;\n rawLayers: { intentJwt?: string; cartJwt?: string; paymentJwt?: string };\n}\n\n/\n Extract a single AP2 mandate from a compact SD-JWT.\n * Returns null if the SD-JWT is malformed or lacks a recognized type field.\n /\nexport function extractAP2Mandate(sdJwtCompact: string): AP2MandateClaims \| null {\n if (!sdJwtCompact \|\| typeof sdJwtCompact !== 'string') return null;\n\n let decoded;\n try {\n decoded = decodeSdJwtSync(sdJwtCompact, sha256Sync);\n } catch {\n return null;\n }\n\n const payload = (decoded.jwt?.payload ?? {}) as Record<string, unknown>;\n const disclosures = decoded.disclosures ?? [];\n const claims = applyDisclosures(\n payload,\n disclosures as unknown as Array<{ key?: string; value?: unknown }>\n );\n\n const type = coerceMandateType(claims.type ?? claims.mandate_type ?? claims.mandateType);\n if (!type) return null;\n\n if (type === 'intent_mandate') return buildIntent(claims);\n if (type === 'cart_mandate') return buildCart(claims);\n return buildPayment(claims);\n}\n\nexport interface AP2MandateTripleInput {\n intent?: string;\n cart?: string;\n payment?: string;\n}\n\n/\n Extract an intent / cart / payment triple, returning whichever are present.\n * Does NOT enforce cross-reference consistency — that's ap2-verify.ts's job.\n /\nexport function extractAP2Mandates(input: AP2MandateTripleInput): AP2MandateTriple {\n const intent = input.intent\n ? (extractAP2Mandate(input.intent) as AP2IntentMandateClaims \| null)\n : null;\n const cart = input.cart ? (extractAP2Mandate(input.cart) as AP2CartMandateClaims \| null) : null;\n const payment = input.payment\n ? (extractAP2Mandate(input.payment) as AP2PaymentMandateClaims \| null)\n : null;\n return {\n intent: intent ?? undefined,\n cart: cart ?? undefined,\n payment: payment ?? undefined,\n rawLayers: {\n intentJwt: input.intent,\n cartJwt: input.cart,\n paymentJwt: input.payment,\n },\n };\n}\n\nfunction buildIntent(claims: Record<string, unknown>): AP2IntentMandateClaims {\n return {\n type: 'intent_mandate',\n agent_id: coerceString(claims.agent_id ?? claims.agentId),\n user_id: coerceString(claims.user_id ?? claims.userId ?? claims.sub),\n merchant_category: coerceString(claims.merchant_category ?? claims.merchantCategory),\n allowedMerchantDomains: toStringArray(\n claims.allowed_merchant_domains ?? claims.allowedMerchantDomains\n ),\n paymentMethods: toStringArray(claims.payment_methods ?? claims.paymentMethods),\n expires: coerceString(claims.expires ?? claims.exp),\n payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),\n raw: claims,\n };\n}\n\nfunction buildCart(claims: Record<string, unknown>): AP2CartMandateClaims {\n return {\n type: 'cart_mandate',\n agent_id: coerceString(claims.agent_id ?? claims.agentId),\n intent_mandate_id: coerceString(claims.intent_mandate_id ?? claims.intentMandateId),\n merchant_id: coerceString(claims.merchant_id ?? claims.merchantId),\n line_items: toLineItems(claims.line_items ?? claims.lineItems),\n payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),\n expires: coerceString(claims.expires ?? claims.exp),\n raw: claims,\n };\n}\n\nfunction buildPayment(claims: Record<string, unknown>): AP2PaymentMandateClaims {\n return {\n type: 'payment_mandate',\n agent_id: coerceString(claims.agent_id ?? claims.agentId),\n cart_mandate_id: coerceString(claims.cart_mandate_id ?? claims.cartMandateId),\n payment_method: coerceString(claims.payment_method ?? claims.paymentMethod),\n payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),\n credential_provider: coerceString(claims.credential_provider ?? claims.credentialProvider),\n raw: claims,\n };\n}\n\nfunction toPaymentDetails(v: unknown): AP2PaymentDetailsTotal \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n const amount = r.amount as Record<string, unknown> \| undefined;\n return {\n amount: amount\n ? {\n value: coerceStringOrNumber(amount.value),\n currency: coerceString(amount.currency),\n }\n : undefined,\n label: coerceString(r.label),\n };\n}\n\nfunction toLineItems(v: unknown): AP2CartMandateClaims['line_items'] {\n if (!Array.isArray(v)) return undefined;\n const items: NonNullable<AP2CartMandateClaims['line_items']> = [];\n for (const item of v) {\n if (!item \|\| typeof item !== 'object') continue;\n const r = item as Record<string, unknown>;\n const price = r.price as Record<string, unknown> \| undefined;\n items.push({\n id: coerceString(r.id),\n quantity: coerceNumber(r.quantity),\n price: price\n ? {\n value: coerceStringOrNumber(price.value),\n currency: coerceString(price.currency),\n }\n : undefined,\n });\n }\n return items.length > 0 ? items : undefined;\n}\n\nfunction toStringArray(v: unknown): string[] \| undefined {\n if (!Array.isArray(v)) return undefined;\n const out = v.filter((i): i is string => typeof i === 'string' && i.length > 0);\n return out.length > 0 ? out : undefined;\n}\n\nfunction applyDisclosures(\n payload: Record<string, unknown>,\n disclosures: Array<{ key?: string; value?: unknown }>\n): Record<string, unknown> {\n const result: Record<string, unknown> = { ...payload };\n for (const d of disclosures) {\n if (d.key && d.value !== undefined && !(d.key in result)) {\n result[d.key] = d.value;\n }\n }\n return result;\n}\n\nfunction coerceMandateType(v: unknown): AP2MandateType \| null {\n if (v === 'intent_mandate' \|\| v === 'cart_mandate' \|\| v === 'payment_mandate') return v;\n return null;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n\nfunction coerceNumber(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string') {\n const n = Number(v);\n return Number.isFinite(n) ? n : undefined;\n }\n return undefined;\n}\n\nfunction coerceStringOrNumber(v: unknown): string \| number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string' && v.length > 0) return v;\n return undefined;\n}\n\nfunction sha256Sync(data: string \| ArrayBuffer): Uint8Array {\n const buf =\n typeof data === 'string' ? Buffer.from(data, 'utf-8') : Buffer.from(new Uint8Array(data));\n const hash = createHash('sha256').update(buf).digest();\n return new Uint8Array(hash.buffer, hash.byteOffset, hash.byteLength);\n}\n","/\n MPP (Machine Payments Protocol) extractor.\n \n Wraps mppx (wevm) — pinned to 0.5.13, wrapped behind this adapter so\n * upgrades localise here. MPP launched March 18 2026 (Stripe + Tempo +\n * Paradigm), IETF draft-ryan-httpauth-payment-01.\n \n Flow:\n * Client → GET /resource\n * Server → 402 + WWW-Authenticate: Payment id=..., realm=..., method=tempo\|stripe\|...\n * Client → GET /resource with Authorization: Payment <base64url-json credential>\n * Server → 200 + Payment-Receipt: <base64url-json receipt>\n \n What we extract:\n * - Challenge: id, realm, method, intent, request{amount,currency,...}, expires, digest\n * - Credential: challenge + source (DID/chain-key) + payload (method-specific)\n * - Receipt: challengeId, method, reference (tx hash / pi_... ID), settlement\n * - Multi-method 402 offers (may be multiple WWW-Authenticate headers)\n \n What we do NOT verify here (pass-through):\n * - HMAC challenge binding (requires merchant's MPP_SECRET_KEY)\n * - Payment proof cryptography (Tempo tx sig, Stripe SPT, Lightning preimage)\n * — each requires upstream connectivity\n \n Verification (expiry + BodyDigest + source extraction) in mpp-verify.ts.\n /\n\nimport { Challenge, Credential, Receipt } from 'mppx';\n\nexport interface MPPChallengeSummary {\n id: string;\n realm: string;\n method: string;\n intent: string;\n /* Method-specific request data (amount, currency, recipient, etc.) /\n request: Record<string, unknown>;\n expires?: string;\n digest?: string;\n description?: string;\n opaque?: Record<string, string>;\n}\n\nexport interface MPPCredentialSummary {\n challenge: MPPChallengeSummary;\n /* DID or chain-native key identifying the payer. /\n source?: string;\n /* Method-specific payment proof (Tempo tx, SPT, Lightning preimage, etc.). /\n payload: unknown;\n}\n\nexport interface MPPReceiptSummary {\n method?: string;\n reference?: string;\n externalId?: string;\n status?: string;\n timestamp?: string;\n raw: Record<string, unknown>;\n}\n\nexport type MPPKind = 'challenge' \| 'credential' \| 'receipt' \| 'error' \| 'unknown';\n\nexport interface MPPRequestContext {\n kind: MPPKind;\n /* For 402 responses: one or more challenge offers. /\n challenges?: MPPChallengeSummary[];\n /* For requests with Authorization: Payment header. /\n credential?: MPPCredentialSummary;\n /* For 200 responses with Payment-Receipt header. /\n receipt?: MPPReceiptSummary;\n /* For problem+json error responses. /\n error?: { type?: string; title?: string; detail?: string };\n /* Detected payment methods offered (for multi-method 402). /\n offeredMethods?: string[];\n /* Raw body captured for BodyDigest verification in mpp-verify.ts. /\n rawBody?: string;\n}\n\nexport interface MPPRequestLike {\n method: string;\n url: string;\n headers: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n rawBody?: string;\n}\n\nexport interface MPPResponseLike {\n status: number;\n headers: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n rawBody?: string;\n}\n\n/\n Extract MPP context from an agent → merchant request.\n * Looks for `Authorization: Payment <credential>` header.\n /\nexport function extractMPPFromRequest(request: MPPRequestLike): MPPRequestContext \| null {\n const auth = readHeader(request.headers, 'authorization');\n if (!auth \|\| !/^\\sPayment\\s+/i.test(auth)) return null;\n\n try {\n const credential = Credential.deserialize(auth);\n return {\n kind: 'credential',\n credential: {\n challenge: summarizeChallenge(credential.challenge),\n source: credential.source,\n payload: credential.payload,\n },\n rawBody: request.rawBody,\n };\n } catch {\n return { kind: 'error', error: { type: 'invalid-credential-encoding' } };\n }\n}\n\n/*\n Extract MPP context from a merchant → agent response.\n * Handles 402 (challenge offers), 200 (receipt), 4xx (problem+json errors).\n /\nexport function extractMPPFromResponse(response: MPPResponseLike): MPPRequestContext \| null {\n if (response.status === 402) {\n const challenges = collectChallenges(response);\n if (challenges.length === 0) return null;\n const methods = Array.from(new Set(challenges.map((c) => c.method)));\n return {\n kind: 'challenge',\n challenges,\n offeredMethods: methods,\n };\n }\n\n const receiptHeader = readHeader(response.headers, 'payment-receipt');\n if (receiptHeader) {\n try {\n const parsed = Receipt.deserialize(receiptHeader);\n const r = parsed as unknown as Record<string, unknown>;\n return {\n kind: 'receipt',\n receipt: {\n method: coerceString(r.method),\n reference: coerceString(r.reference),\n externalId: coerceString(r.externalId ?? r.external_id),\n status: coerceString(r.status),\n timestamp: coerceString(r.timestamp),\n raw: r,\n },\n };\n } catch {\n return { kind: 'error', error: { type: 'invalid-receipt-encoding' } };\n }\n }\n\n const contentType = readHeader(response.headers, 'content-type');\n if (contentType && /application\\/problem\\+json/i.test(contentType)) {\n const body =\n typeof response.body === 'object' && response.body !== null\n ? (response.body as Record<string, unknown>)\n : {};\n return {\n kind: 'error',\n error: {\n type: coerceString(body.type),\n title: coerceString(body.title),\n detail: coerceString(body.detail),\n },\n };\n }\n\n return null;\n}\n\n/\n Extract from either a request OR a response, auto-detecting which has MPP\n * artifacts. Convenience for pipeline callers.\n /\nexport function extractMPPContext(\n message:\n \| { request: MPPRequestLike }\n \| { response: MPPResponseLike }\n \| (MPPRequestLike & Partial<MPPResponseLike>)\n): MPPRequestContext \| null {\n if ('request' in message) return extractMPPFromRequest(message.request);\n if ('response' in message) return extractMPPFromResponse(message.response);\n if (typeof (message as MPPResponseLike).status === 'number') {\n return extractMPPFromResponse(message as MPPResponseLike);\n }\n return extractMPPFromRequest(message as MPPRequestLike);\n}\n\nfunction collectChallenges(response: MPPResponseLike): MPPChallengeSummary[] {\n const wwwAuth = readHeader(response.headers, 'www-authenticate');\n if (!wwwAuth) return [];\n const headers = new Headers();\n headers.set('www-authenticate', wwwAuth);\n\n const out: MPPChallengeSummary[] = [];\n try {\n const list = Challenge.fromHeadersList(headers);\n for (const ch of list) {\n out.push(summarizeChallenge(ch as unknown as Challenge.Challenge));\n }\n } catch {\n // fall through with empty list\n }\n return out;\n}\n\nfunction summarizeChallenge(\n ch: Challenge.Challenge \| Record<string, unknown>\n): MPPChallengeSummary {\n const raw = ch as Record<string, unknown>;\n return {\n id: coerceString(raw.id) ?? '',\n realm: coerceString(raw.realm) ?? '',\n method: coerceString(raw.method) ?? '',\n intent: coerceString(raw.intent) ?? '',\n request: (raw.request as Record<string, unknown>) ?? {},\n expires: coerceString(raw.expires),\n digest: coerceString(raw.digest),\n description: coerceString(raw.description),\n opaque: raw.opaque as Record<string, string> \| undefined,\n };\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined>,\n name: string\n): string \| undefined {\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw.join(', ');\n }\n }\n return undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n","/\n MPP verification — expiry + optional BodyDigest + source extraction.\n \n We do NOT verify the challenge's HMAC binding (needs merchant's secret)\n * or the cryptographic payment proof (per-method, requires upstream\n * connectivity). Those are the merchant's / settlement layer's job.\n \n Our job: structural correctness, expiry policy, tamper detection via\n * optional BodyDigest, and identity extraction for PDLSS binding.\n /\n\nimport { BodyDigest } from 'mppx';\nimport type { MPPRequestContext } from './mpp';\n\nexport interface MPPVerifyInput {\n context: MPPRequestContext;\n /* Raw request body to validate BodyDigest against, if the challenge declares one. /\n rawBody?: string;\n /* Seconds of clock-skew tolerance on challenge.expires. Default 300. /\n clockSkewSec?: number;\n /* Injectable for deterministic tests. /\n now?: () => number;\n}\n\nexport interface MPPVerifyResult {\n ok: boolean;\n expiryOk: boolean;\n bodyDigestOk: boolean \| null;\n source?: string;\n method?: string;\n error?: string;\n}\n\nexport function verifyMPP(input: MPPVerifyInput): MPPVerifyResult {\n const { context } = input;\n const tolerance = input.clockSkewSec ?? 300;\n const nowSec = input.now ? input.now() : Math.floor(Date.now() / 1000);\n\n // Extract the challenge under test — for credential flow, from inside the\n // wrapped challenge; for bare challenge flow, from context.challenges[0].\n const challenge = context.credential?.challenge ?? (context.challenges && context.challenges[0]);\n const source = context.credential?.source;\n const method = challenge?.method;\n\n let expiryOk = true;\n if (challenge?.expires) {\n const parsedExpiry = Date.parse(challenge.expires);\n if (!Number.isFinite(parsedExpiry)) {\n return {\n ok: false,\n expiryOk: false,\n bodyDigestOk: null,\n source,\n method,\n error: 'unparseable challenge.expires',\n };\n }\n const expiresSec = Math.floor(parsedExpiry / 1000);\n if (nowSec > expiresSec + tolerance) {\n expiryOk = false;\n }\n }\n\n let bodyDigestOk: boolean \| null = null;\n if (challenge?.digest && input.rawBody !== undefined) {\n try {\n if (!/^sha-256=/.test(challenge.digest)) {\n bodyDigestOk = false;\n } else {\n bodyDigestOk = BodyDigest.verify(challenge.digest as `sha-256=${string}`, input.rawBody);\n }\n } catch {\n bodyDigestOk = false;\n }\n }\n\n const ok = expiryOk && (bodyDigestOk === null \|\| bodyDigestOk === true);\n const errors: string[] = [];\n if (!expiryOk) errors.push('challenge expired');\n if (bodyDigestOk === false) errors.push('body digest mismatch');\n\n return {\n ok,\n expiryOk,\n bodyDigestOk,\n source,\n method,\n error: errors.length > 0 ? errors.join('; ') : undefined,\n };\n}\n","/\n x402 (Coinbase / Linux Foundation x402 Foundation) extractor.\n \n Wraps @x402/core's schema parsers. x402 Foundation launched April 2 2026\n * with v2 adding network-agnostic identifiers + multiple facilitators +\n * Bazaar discovery. MPP (Machine Payments Protocol) is the IETF-formalised\n * superset of x402; this module normalizes x402 output to MPP-shape so\n * downstream pipeline code is uniform.\n \n Where x402 lives on the wire:\n * - 402 response body (v2) OR `X-PAYMENT-REQUIRED` header (v1) — PaymentRequired\n * - Request body (v2) OR `X-PAYMENT` header (v1, base64) — PaymentPayload\n /\n\nimport {\n validatePaymentRequired,\n validatePaymentPayload,\n type PaymentRequired,\n type PaymentPayload,\n type PaymentRequirements,\n} from '@x402/core/schemas';\nimport { safeBase64Decode } from '@x402/core/utils';\n\nexport type X402Kind = 'required' \| 'payload' \| 'error' \| 'unknown';\n\nexport interface X402RequirementsSummary {\n scheme: string;\n network: string;\n asset: string;\n /* Normalized to string for v1/v2 compat — v1 uses maxAmountRequired, v2 uses amount. /\n amount: string;\n payTo: string;\n maxTimeoutSeconds?: number;\n resource?: string;\n description?: string;\n}\n\nexport interface X402RequestContext {\n kind: X402Kind;\n version: 1 \| 2 \| null;\n /* For 402 responses: the PaymentRequired body. /\n paymentRequired?: {\n resource: string;\n accepts: X402RequirementsSummary[];\n extensions?: Record<string, unknown>;\n error?: string;\n };\n /* For request body (v2) or X-PAYMENT header (v1 base64): the PaymentPayload. /\n paymentPayload?: {\n scheme: string;\n network: string;\n /* Free-form per-scheme payload (e.g. EIP-3009 authorization, Solana tx). /\n payload: Record<string, unknown>;\n extensions?: Record<string, unknown>;\n };\n error?: { type: string; detail?: string };\n /* Whether this was parsed from a header (v1 back-compat) or body (v2). /\n source: 'header' \| 'body' \| null;\n}\n\nexport interface X402RequestLike {\n method?: string;\n url?: string;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n}\n\nexport interface X402ResponseLike {\n status?: number;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n}\n\n/\n Extract x402 PaymentPayload from an agent → merchant request.\n * Checks v2 body (if it parses as PaymentPayload) and v1 X-PAYMENT header.\n /\nexport function extractX402FromRequest(request: X402RequestLike): X402RequestContext \| null {\n const headerValue = readHeader(request.headers, 'x-payment');\n\n // v2 body path first\n if (request.body && typeof request.body === 'object') {\n const parsed = tryParsePayload(request.body);\n if (parsed) return buildPayloadContext(parsed, 'body');\n }\n\n // v1 header path\n if (headerValue) {\n try {\n const decoded = safeBase64Decode(headerValue);\n if (decoded) {\n const json = JSON.parse(decoded);\n const parsed = tryParsePayload(json);\n if (parsed) return buildPayloadContext(parsed, 'header');\n }\n } catch {\n return {\n kind: 'error',\n version: 1,\n source: 'header',\n error: { type: 'invalid-x402-payload' },\n };\n }\n }\n\n return null;\n}\n\n/\n Extract x402 PaymentRequired from a merchant → agent 402 response.\n /\nexport function extractX402FromResponse(response: X402ResponseLike): X402RequestContext \| null {\n if (response.status !== 402) return null;\n\n // v2 body path\n if (response.body && typeof response.body === 'object') {\n const parsed = tryParseRequired(response.body);\n if (parsed) return buildRequiredContext(parsed, 'body');\n }\n\n // v1 header path\n const headerValue = readHeader(response.headers, 'x-payment-required');\n if (headerValue) {\n try {\n const decoded = safeBase64Decode(headerValue);\n if (decoded) {\n const json = JSON.parse(decoded);\n const parsed = tryParseRequired(json);\n if (parsed) return buildRequiredContext(parsed, 'header');\n }\n } catch {\n return {\n kind: 'error',\n version: 1,\n source: 'header',\n error: { type: 'invalid-x402-required' },\n };\n }\n }\n\n return null;\n}\n\nexport function extractX402Context(\n message:\n \| { request: X402RequestLike }\n \| { response: X402ResponseLike }\n \| (X402RequestLike & Partial<X402ResponseLike>)\n): X402RequestContext \| null {\n if ('request' in message) return extractX402FromRequest(message.request);\n if ('response' in message) return extractX402FromResponse(message.response);\n if (typeof (message as X402ResponseLike).status === 'number') {\n return extractX402FromResponse(message as X402ResponseLike);\n }\n return extractX402FromRequest(message as X402RequestLike);\n}\n\nfunction tryParseRequired(data: unknown): PaymentRequired \| null {\n try {\n return validatePaymentRequired(data);\n } catch {\n return null;\n }\n}\n\nfunction tryParsePayload(data: unknown): PaymentPayload \| null {\n try {\n return validatePaymentPayload(data);\n } catch {\n return null;\n }\n}\n\nfunction buildRequiredContext(\n parsed: PaymentRequired,\n source: 'header' \| 'body'\n): X402RequestContext {\n const asRecord = parsed as unknown as Record<string, unknown>;\n const version = coerceVersion(asRecord.x402Version);\n const accepts = (asRecord.accepts as PaymentRequirements[] \| undefined) ?? [];\n return {\n kind: 'required',\n version,\n source,\n paymentRequired: {\n resource: resolveResource(asRecord.resource),\n accepts: accepts.map(summarizeRequirement),\n extensions: asRecord.extensions as Record<string, unknown> \| undefined,\n error: typeof asRecord.error === 'string' ? asRecord.error : undefined,\n },\n };\n}\n\nfunction buildPayloadContext(\n parsed: PaymentPayload,\n source: 'header' \| 'body'\n): X402RequestContext {\n const asRecord = parsed as unknown as Record<string, unknown>;\n const version = coerceVersion(asRecord.x402Version);\n const accepted = asRecord.accepted as PaymentRequirements \| undefined;\n const payload = (asRecord.payload as Record<string, unknown>) ?? {};\n return {\n kind: 'payload',\n version,\n source,\n paymentPayload: {\n scheme: accepted?.scheme ?? (typeof asRecord.scheme === 'string' ? asRecord.scheme : ''),\n network: accepted?.network ?? (typeof asRecord.network === 'string' ? asRecord.network : ''),\n payload,\n extensions: asRecord.extensions as Record<string, unknown> \| undefined,\n },\n };\n}\n\nfunction summarizeRequirement(req: PaymentRequirements): X402RequirementsSummary {\n const r = req as unknown as Record<string, unknown>;\n const amount = (r.amount ?? r.maxAmountRequired ?? '0') as string;\n return {\n scheme: (r.scheme as string) ?? '',\n network: (r.network as string) ?? '',\n asset: (r.asset as string) ?? '',\n amount: String(amount),\n payTo: (r.payTo as string) ?? '',\n maxTimeoutSeconds: typeof r.maxTimeoutSeconds === 'number' ? r.maxTimeoutSeconds : undefined,\n resource: typeof r.resource === 'string' ? r.resource : undefined,\n description: typeof r.description === 'string' ? r.description : undefined,\n };\n}\n\nfunction resolveResource(v: unknown): string {\n if (typeof v === 'string') return v;\n if (v && typeof v === 'object' && 'url' in v && typeof (v as { url: unknown }).url === 'string') {\n return (v as { url: string }).url;\n }\n return '';\n}\n\nfunction coerceVersion(v: unknown): 1 \| 2 \| null {\n if (v === 1 \|\| v === 2) return v;\n return null;\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined> \| undefined,\n name: string\n): string \| undefined {\n if (!headers) return undefined;\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw[0];\n }\n }\n return undefined;\n}\n","/\n VI (Verifiable Intent) 3-layer SD-JWT chain verification.\n \n VI chains: L1 (credential provider → wallet) → L2 (user → agent) → L3\n * (agent → merchant). L3 itself can split into L3a (payment mandate) + L3b\n * (checkout mandate) cross-referenced via transaction_id, with L3b carrying\n * a checkout_hash (VI constraint type 8) that must match SHA-256 of the L2\n * checkout disclosure.\n \n Signature primitives are delegated to @sd-jwt/core (via our extractor);\n * cnf.jwk chain-walking + cross-references + checkout_hash binding is\n * AstraSync-specific composition logic — that's the whitespace here.\n \n This module does NOT re-verify selective-disclosure hashes (the extractor\n * already applied them via @sd-jwt/decode). It DOES verify:\n * - cnf.jwk in L1 payload points to L2's signing key (thumbprint match)\n * - cnf.jwk in L2 payload points to L3's signing key\n * - L3a.transaction_id === L3b.transaction_id (when both present)\n * - L3b.checkout_hash === SHA-256(L2 canonical checkout disclosure) — type 8\n * - mandate-level `exp` is not in the past (beyond clock skew)\n \n Cryptographic signature verification on each layer uses the verifier\n * callback the caller supplies (e.g. resolves via @sd-jwt/core with the\n * right JWK from the L1 issuer's JWKS).\n /\n\nimport { createHash, webcrypto } from 'node:crypto';\nimport type { JWK } from 'jose';\n\nexport interface VILayer {\n /* Compact SD-JWT / JWS for this layer. /\n compact: string;\n /* Decoded JWT payload (already disclosure-merged). /\n payload: Record<string, unknown>;\n /* Decoded JWT header. /\n header: Record<string, unknown>;\n}\n\nexport interface VIVerifyInput {\n /\n Layers in chain order. L1 may be omitted when the caller has already\n * resolved the chain via a trusted wallet binding.\n /\n layers: {\n l1?: VILayer;\n l2: VILayer;\n l3a?: VILayer;\n l3b?: VILayer;\n };\n /\n Verifier callback invoked per layer. Should return true iff the layer's\n * JWS signature verifies against the resolved public key (for L2 this is\n * L1's cnf.jwk; for L3 this is L2's cnf.jwk; for L1 this is the issuer's\n * JWKS per `iss` claim).\n /\n verifySignature: (layer: VILayer, expectedKey: JWK \| null) => Promise<boolean>;\n clockSkewSec?: number;\n now?: () => number;\n}\n\nexport interface VIVerifyResult {\n ok: boolean;\n checks: {\n l1SigOk: boolean \| null;\n l2SigOk: boolean;\n l3aSigOk: boolean \| null;\n l3bSigOk: boolean \| null;\n l1BindsL2: boolean;\n l2BindsL3: boolean;\n l3aL3bTxnIdMatch: boolean \| null;\n checkoutHashOk: boolean \| null;\n expiryOk: boolean;\n };\n errors: string[];\n}\n\nexport async function verifyVIChain(input: VIVerifyInput): Promise<VIVerifyResult> {\n const errors: string[] = [];\n const tolerance = input.clockSkewSec ?? 300;\n const now = input.now ? input.now() : Math.floor(Date.now() / 1000);\n const { l1, l2, l3a, l3b } = input.layers;\n\n // Signature verification ---------------------------------\n const l1SigOk = l1 ? await input.verifySignature(l1, null) : null;\n if (l1 && !l1SigOk) errors.push('L1 signature invalid');\n\n const l1Cnf = extractCnfJwk(l1?.payload);\n const l2SigOk = await input.verifySignature(l2, l1Cnf ?? null);\n if (!l2SigOk) errors.push('L2 signature invalid');\n\n const l2Cnf = extractCnfJwk(l2.payload);\n const l3aSigOk = l3a ? await input.verifySignature(l3a, l2Cnf ?? null) : null;\n if (l3a && !l3aSigOk) errors.push('L3a signature invalid');\n const l3bSigOk = l3b ? await input.verifySignature(l3b, l2Cnf ?? null) : null;\n if (l3b && !l3bSigOk) errors.push('L3b signature invalid');\n\n // cnf.jwk binding ----------------------------------------\n let l1BindsL2 = true;\n if (l1Cnf) {\n const l2KeyFromHeader = await jwkForLayer(l2);\n l1BindsL2 = l2KeyFromHeader ? await thumbprintsMatch(l1Cnf, l2KeyFromHeader) : false;\n if (!l1BindsL2) errors.push('L1.cnf.jwk does not bind L2 signing key');\n }\n\n let l2BindsL3 = true;\n if (l2Cnf && (l3a \|\| l3b)) {\n const l3Layer = l3a ?? l3b!;\n const l3KeyFromHeader = await jwkForLayer(l3Layer);\n l2BindsL3 = l3KeyFromHeader ? await thumbprintsMatch(l2Cnf, l3KeyFromHeader) : false;\n if (!l2BindsL3) errors.push('L2.cnf.jwk does not bind L3 signing key');\n }\n\n // L3a/L3b cross-reference --------------------------------\n let l3aL3bTxnIdMatch: boolean \| null = null;\n if (l3a && l3b) {\n const a = coerceString(l3a.payload.transaction_id ?? l3a.payload.transactionId);\n const b = coerceString(l3b.payload.transaction_id ?? l3b.payload.transactionId);\n if (a && b) {\n l3aL3bTxnIdMatch = a === b;\n if (!l3aL3bTxnIdMatch) {\n errors.push(`L3a.transaction_id (${a}) does not match L3b.transaction_id (${b})`);\n }\n }\n }\n\n // checkout_hash (VI constraint type 8) -------------------\n let checkoutHashOk: boolean \| null = null;\n if (l3b) {\n const declaredHash = coerceString(\n l3b.payload.checkout_hash ??\n l3b.payload.conditional_transaction_id ??\n (l3b.payload.payment_reference as Record<string, unknown> \| undefined)?.checkout_hash\n );\n if (declaredHash) {\n const computed = computeCheckoutHashFromL2(l2);\n checkoutHashOk = computed ? declaredHash === computed : false;\n if (!checkoutHashOk) {\n errors.push('L3b.checkout_hash does not match SHA-256 of L2 checkout disclosure');\n }\n }\n }\n\n // Expiry policy ------------------------------------------\n const expiryOk = checkExpiryAcross([l1, l2, l3a, l3b], tolerance, now, errors);\n\n const ok =\n l1SigOk !== false &&\n l2SigOk &&\n l3aSigOk !== false &&\n l3bSigOk !== false &&\n l1BindsL2 &&\n l2BindsL3 &&\n l3aL3bTxnIdMatch !== false &&\n checkoutHashOk !== false &&\n expiryOk;\n\n return {\n ok,\n checks: {\n l1SigOk,\n l2SigOk,\n l3aSigOk,\n l3bSigOk,\n l1BindsL2,\n l2BindsL3,\n l3aL3bTxnIdMatch,\n checkoutHashOk,\n expiryOk,\n },\n errors,\n };\n}\n\nfunction extractCnfJwk(payload: Record<string, unknown> \| undefined): JWK \| null {\n if (!payload) return null;\n const cnf = payload.cnf as Record<string, unknown> \| undefined;\n if (!cnf) return null;\n const jwk = cnf.jwk as JWK \| undefined;\n return jwk ?? null;\n}\n\nasync function jwkForLayer(layer: VILayer): Promise<JWK \| null> {\n // Prefer explicit cnf.jwk in the header, then payload; fallback to null.\n const fromHeader = extractCnfJwk(layer.header);\n if (fromHeader) return fromHeader;\n const fromPayload = extractCnfJwk(layer.payload);\n return fromPayload;\n}\n\nasync function thumbprintsMatch(a: JWK, b: JWK): Promise<boolean> {\n try {\n const ta = await jwkThumbprint(a);\n const tb = await jwkThumbprint(b);\n return ta === tb;\n } catch {\n return false;\n }\n}\n\n// RFC 7638 thumbprint: SHA-256 over the canonical JSON of required JWK members.\nasync function jwkThumbprint(jwk: JWK): Promise<string> {\n const canonical = canonicalJwk(jwk);\n const bytes = new TextEncoder().encode(JSON.stringify(canonical));\n const subtle = webcrypto.subtle as SubtleCrypto;\n const buffer = await new Promise<ArrayBuffer>((resolve, reject) => {\n const source = new ArrayBuffer(bytes.byteLength);\n new Uint8Array(source).set(bytes);\n subtle.digest('SHA-256', source).then(resolve).catch(reject);\n });\n return Buffer.from(new Uint8Array(buffer)).toString('base64url').replace(/=+$/, '');\n}\n\nfunction canonicalJwk(jwk: JWK): Record<string, string> {\n // Per RFC 7638: members must appear in lexicographic order; only required\n // fields per kty are included.\n if (jwk.kty === 'EC') {\n return { crv: jwk.crv ?? '', kty: 'EC', x: jwk.x ?? '', y: jwk.y ?? '' };\n }\n if (jwk.kty === 'OKP') {\n return { crv: jwk.crv ?? '', kty: 'OKP', x: jwk.x ?? '' };\n }\n if (jwk.kty === 'RSA') {\n return { e: jwk.e ?? '', kty: 'RSA', n: jwk.n ?? '' };\n }\n return { kty: jwk.kty ?? '' };\n}\n\nfunction computeCheckoutHashFromL2(l2: VILayer): string \| null {\n const checkoutDisclosure = (l2.payload.checkout ?? l2.payload.checkout_mandate) as unknown;\n if (!checkoutDisclosure) return null;\n const canonical = canonicalStringify(checkoutDisclosure);\n const hash = createHash('sha256').update(canonical).digest('base64url').replace(/=+$/, '');\n return hash;\n}\n\nfunction canonicalStringify(value: unknown): string {\n if (value === null \|\| typeof value !== 'object') return JSON.stringify(value);\n if (Array.isArray(value)) return '[' + value.map(canonicalStringify).join(',') + ']';\n const entries = Object.entries(value as Record<string, unknown>).sort(([a], [b]) =>\n a < b ? -1 : a > b ? 1 : 0\n );\n return (\n '{' + entries.map(([k, v]) => JSON.stringify(k) + ':' + canonicalStringify(v)).join(',') + '}'\n );\n}\n\nfunction checkExpiryAcross(\n layers: Array<VILayer \| undefined>,\n toleranceSec: number,\n nowSec: number,\n errors: string[]\n): boolean {\n let ok = true;\n const names = ['L1', 'L2', 'L3a', 'L3b'];\n layers.forEach((layer, idx) => {\n if (!layer) return;\n const exp = toUnixSeconds(layer.payload.exp ?? layer.payload.expires);\n if (exp === undefined) return;\n if (nowSec > exp + toleranceSec) {\n errors.push(`${names[idx]} mandate expired at ${exp}`);\n ok = false;\n }\n });\n return ok;\n}\n\nfunction toUnixSeconds(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string') {\n const asInt = Number(v);\n if (Number.isFinite(asInt) && asInt > 0) {\n return asInt >= 1e12 ? Math.floor(asInt / 1000) : Math.floor(asInt);\n }\n const parsed = Date.parse(v);\n if (Number.isFinite(parsed)) return Math.floor(parsed / 1000);\n }\n return undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n","/\n Visa JWKS registry resolver.\n \n Default endpoint: https://mcp.visa.com/.well-known/jwks (per Visa TAP spec).\n * Wraps jose.createRemoteJWKSet which handles caching + rotation natively.\n /\n\nimport { createRemoteJWKSet, type JWK } from 'jose';\nimport type { RegistryResolver, ResolveContext } from './types';\n\nconst DEFAULT_VISA_JWKS_URL = 'https://mcp.visa.com/.well-known/jwks';\n\nexport interface VisaRegistryOptions {\n jwksUrl?: string;\n cacheMaxAge?: number;\n cooldownDuration?: number;\n}\n\nexport function createVisaRegistry(options: VisaRegistryOptions = {}): RegistryResolver {\n const url = new URL(options.jwksUrl ?? DEFAULT_VISA_JWKS_URL);\n const jwks = createRemoteJWKSet(url, {\n cacheMaxAge: options.cacheMaxAge,\n cooldownDuration: options.cooldownDuration,\n });\n\n return {\n name: 'visa',\n async resolve(kid: string, context?: ResolveContext): Promise<JWK \| null> {\n if (!kid) return null;\n try {\n const key = await jwks({\n kid,\n alg: context?.algorithm ?? 'ES256',\n typ: 'JWT',\n });\n return exportJwkFromKeyLike(key);\n } catch {\n return null;\n }\n },\n };\n}\n\nasync function exportJwkFromKeyLike(keyLike: unknown): Promise<JWK \| null> {\n if (!keyLike) return null;\n // jose returns KeyObject or CryptoKey — both export via exportJWK at caller side.\n // Runtime shape check: if it already looks like a JWK, pass through.\n if (typeof keyLike === 'object' && 'kty' in (keyLike as object)) {\n return keyLike as JWK;\n }\n const { exportJWK } = await import('jose');\n try {\n return await exportJWK(keyLike as Parameters<typeof exportJWK>[0]);\n } catch {\n return null;\n }\n}\n","/\n Online Mode — Delegates to the existing verify() function.\n * Full trust scoring, blockchain verification, audit trail, PDLSS evaluation via API.\n /\n\nimport type { AstraSyncGatewayConfig, PDLSSContext, VerificationDecision } from '../types';\nimport {\n verify,\n type VerificationResult,\n type VerificationRequest,\n type GatewayConfig,\n} from '../../index';\n\n/\n Convert gateway config to the existing GatewayConfig format.\n /\nfunction toGatewayConfig(config: AstraSyncGatewayConfig): GatewayConfig {\n return {\n apiBaseUrl: config.apiBaseUrl \|\| 'https://api.astrasync.ai',\n apiKey: config.apiKey,\n defaultAccessLevel: config.defaultAccessLevel,\n minTrustScore: config.minTrustScore,\n minTrustScoreForFull: config.minTrustScoreForFull,\n cacheTtl: config.cacheTtl,\n debug: config.debug,\n customHeaders: config.customHeaders,\n counterpartyUrl: config.counterpartyUrl,\n counterpartyType: config.counterpartyType,\n };\n}\n\n/\n Convert PDLSS context to a verification request.\n /\nfunction toVerificationRequest(context: PDLSSContext, astraId?: string): VerificationRequest {\n return {\n credentials: { astraId },\n purpose: context.purpose,\n action: context.action,\n resourceType: context.resourceType,\n resource: context.target,\n transactionValue: context.transactionValue,\n currency: context.currency,\n createSession: true,\n };\n}\n\n/\n Convert verification result to a VerificationDecision.\n /\nfunction toDecision(result: VerificationResult): VerificationDecision {\n // Round-18 G4: ALLOW only when both identity AND policy pass.\n if (result.identityVerified && result.policyAllowed) {\n return {\n recommendation: 'ALLOW',\n reason: `Verified with access level: ${result.accessLevel}`,\n trustScore: result.agent?.trustScore,\n sessionId:\n 'sessionId' in result\n ? ((result as Record<string, unknown>).sessionId as string)\n : undefined,\n };\n }\n\n if (result.requiresStepUp \|\| result.requiresApproval) {\n return {\n recommendation: 'MANUAL_REVIEW',\n reason: result.denialReasons?.[0] \|\| 'Step-up or approval required',\n trustScore: result.agent?.trustScore,\n };\n }\n\n return {\n recommendation: 'DENY',\n reason: result.denialReasons?.[0] \|\| 'Access denied',\n trustScore: result.agent?.trustScore,\n };\n}\n\n/\n Verify via the AstraSync API (online mode).\n /\nexport async function verifyOnline(\n config: AstraSyncGatewayConfig,\n context: PDLSSContext,\n astraId?: string\n): Promise<VerificationDecision> {\n const gatewayConfig = toGatewayConfig(config);\n const request = toVerificationRequest(context, astraId);\n const result = await verify(gatewayConfig, request);\n return toDecision(result);\n}\n","/\n Hybrid Mode — Local evaluation for speed, async API sync for trust scoring.\n \n Immediate: local PDLSS evaluation (< 1ms)\n * Async: queued API verification for audit trail and trust score updates\n \n Queue entries are persisted to disk so they survive process restarts.\n /\n\nimport { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';\nimport { dirname } from 'path';\nimport type { AstraSyncGatewayConfig, PDLSSContext, VerificationDecision, SyncQueueEntry } from '../types';\nimport type { LocalEvaluator } from '../../local-evaluator/evaluator';\nimport { verifyOnline } from './online';\n\nconst MAX_QUEUE_SIZE = 1000;\nconst MAX_RETRIES = 3;\n\nexport class HybridSyncQueue {\n private queue: SyncQueueEntry[] = [];\n private timer: ReturnType<typeof setInterval> \| null = null;\n private config: AstraSyncGatewayConfig;\n private processing = false;\n private persistPath: string \| null = null;\n\n constructor(config: AstraSyncGatewayConfig, persistPath?: string) {\n this.config = config;\n this.persistPath = persistPath ?? null;\n this.loadFromDisk();\n }\n\n /\n Start periodic sync.\n /\n start(intervalMs: number): void {\n if (this.timer) return;\n this.timer = setInterval(() => this.flush(), intervalMs);\n }\n\n /\n Stop periodic sync and flush remaining entries.\n /\n async stop(): Promise<void> {\n if (this.timer) {\n clearInterval(this.timer);\n this.timer = null;\n }\n await this.flush();\n this.saveToDisk();\n }\n\n /\n Add a decision to the sync queue.\n /\n enqueue(context: PDLSSContext, decision: VerificationDecision): void {\n if (this.queue.length >= MAX_QUEUE_SIZE) {\n // Drop oldest entry\n this.queue.shift();\n }\n\n this.queue.push({\n id: `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,\n context,\n decision,\n timestamp: new Date(),\n retryCount: 0,\n status: 'pending',\n });\n\n this.saveToDisk();\n }\n\n /\n Flush pending entries to the API.\n /\n async flush(): Promise<void> {\n if (this.processing) return;\n this.processing = true;\n\n try {\n const pending = this.queue.filter((e) => e.status === 'pending');\n\n for (const entry of pending) {\n try {\n await verifyOnline(this.config, entry.context);\n entry.status = 'synced';\n } catch {\n entry.retryCount++;\n if (entry.retryCount >= MAX_RETRIES) {\n entry.status = 'failed';\n }\n }\n }\n\n // Remove synced and permanently failed entries\n this.queue = this.queue.filter((e) => e.status === 'pending');\n this.saveToDisk();\n } finally {\n this.processing = false;\n }\n }\n\n /\n Get queue status.\n /\n getStatus(): { pending: number; total: number } {\n return {\n pending: this.queue.filter((e) => e.status === 'pending').length,\n total: this.queue.length,\n };\n }\n\n /\n Load persisted queue entries from disk.\n /\n private loadFromDisk(): void {\n if (!this.persistPath) return;\n\n try {\n if (!existsSync(this.persistPath)) return;\n const data = readFileSync(this.persistPath, 'utf-8');\n const entries = JSON.parse(data) as SyncQueueEntry[];\n // Only restore pending entries\n this.queue = entries\n .filter((e) => e.status === 'pending')\n .map((e) => ({ ...e, timestamp: new Date(e.timestamp) }));\n } catch {\n // Corrupted file or read error — start with empty queue\n this.queue = [];\n }\n }\n\n /\n Persist queue entries to disk.\n /\n private saveToDisk(): void {\n if (!this.persistPath) return;\n\n try {\n const dir = dirname(this.persistPath);\n if (!existsSync(dir)) mkdirSync(dir, { recursive: true });\n writeFileSync(this.persistPath, JSON.stringify(this.queue, null, 2), 'utf-8');\n } catch {\n // Best-effort — don't crash if disk write fails\n }\n }\n}\n\n/\n Verify in hybrid mode: local eval + queued sync.\n /\nexport function verifyHybrid(\n evaluator: LocalEvaluator,\n syncQueue: HybridSyncQueue,\n context: PDLSSContext,\n): VerificationDecision {\n // Local evaluation is the immediate response\n const decision = evaluator.evaluate(context);\n\n // Queue for async API sync (fire-and-forget)\n syncQueue.enqueue(context, decision);\n\n return decision;\n}\n","/\n Trace Logger — append-only JSONL audit trail.\n \n Cherry-picked from trust-harness-core and simplified.\n * Writes evaluation events to .astrasync/traces/ as JSONL files,\n * one file per day, with rotation.\n /\n\nimport { appendFileSync, mkdirSync, existsSync, statSync, readdirSync, unlinkSync } from 'fs';\nimport { join } from 'path';\nimport type { TraceEvent, PDLSSContext, VerificationDecision } from './types';\n\nconst MAX_FILE_SIZE = 10 1024 * 1024; // 10MB\nconst MAX_FILES = 10;\n\nexport class TraceLogger {\n private tracePath: string;\n private enabled: boolean;\n\n constructor(tracePath: string, enabled: boolean) {\n this.tracePath = tracePath;\n this.enabled = enabled;\n\n if (enabled) {\n mkdirSync(tracePath, { recursive: true });\n }\n }\n\n /*\n Log an evaluation event.\n /\n logEvaluation(context: PDLSSContext, decision: VerificationDecision): void {\n if (!this.enabled) return;\n\n this.write({\n id: this.generateId(),\n timestamp: new Date(),\n type: 'evaluation',\n context,\n decision,\n });\n }\n\n /\n Log a mode switch event.\n /\n logModeSwitch(from: string, to: string): void {\n if (!this.enabled) return;\n\n this.write({\n id: this.generateId(),\n timestamp: new Date(),\n type: 'mode_switch',\n metadata: { from, to },\n });\n }\n\n /\n Log an error event.\n /\n logError(error: string, context?: PDLSSContext): void {\n if (!this.enabled) return;\n\n this.write({\n id: this.generateId(),\n timestamp: new Date(),\n type: 'error',\n context,\n metadata: { error },\n });\n }\n\n private write(event: TraceEvent): void {\n try {\n const filePath = this.getCurrentFilePath();\n const line = JSON.stringify(event) + '\\n';\n\n // Rotate if needed\n if (existsSync(filePath)) {\n const stats = statSync(filePath);\n if (stats.size > MAX_FILE_SIZE) {\n this.rotate();\n }\n }\n\n appendFileSync(filePath, line);\n } catch {\n // Trace logging should never crash the gateway\n }\n }\n\n private getCurrentFilePath(): string {\n const date = new Date().toISOString().split('T')[0];\n return join(this.tracePath, `trace-${date}.jsonl`);\n }\n\n private rotate(): void {\n try {\n const files = readdirSync(this.tracePath)\n .filter((f) => f.startsWith('trace-') && f.endsWith('.jsonl'))\n .sort();\n\n while (files.length >= MAX_FILES) {\n const oldest = files.shift()!;\n unlinkSync(join(this.tracePath, oldest));\n }\n } catch {\n // Best effort rotation\n }\n }\n\n private generateId(): string {\n return `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;\n }\n}\n","/\n AstraSyncGateway — Primary API surface for agent verification.\n \n Supports three operational modes:\n * - online: Full API-based verification with trust scoring and audit trail\n * - local: Offline PDLSS evaluation using a local policy file (no account required)\n * - hybrid: Local eval for speed + async API sync for trust scoring\n \n @example\n * ```typescript\n * // Local mode (free, no account)\n * const gateway = new AstraSyncGateway({ mode: 'local', policyFile: './policy.yaml' });\n * const decision = await gateway.evaluate(context);\n \n // Online mode (paid, full features)\n * const gateway = new AstraSyncGateway({ mode: 'online', apiKey: 'key' });\n * const decision = await gateway.evaluate(context);\n * ```\n /\n\nimport type { AstraSyncGatewayConfig, PDLSSContext, VerificationDecision } from './types';\nimport type { LocalEvaluator } from '../local-evaluator/evaluator';\nimport { loadEvaluator } from './modes/local';\nimport { verifyLocal } from './modes/local';\nimport { verifyOnline } from './modes/online';\nimport { verifyHybrid, HybridSyncQueue } from './modes/hybrid';\nimport { TraceLogger } from './trace-logger';\n\nexport class AstraSyncGateway {\n private config: AstraSyncGatewayConfig;\n private evaluator: LocalEvaluator \| null = null;\n private syncQueue: HybridSyncQueue \| null = null;\n private traceLogger: TraceLogger \| null = null;\n private initialized = false;\n\n constructor(config: AstraSyncGatewayConfig) {\n this.config = config;\n this.validateConfig();\n }\n\n private validateConfig(): void {\n const { mode } = this.config;\n\n if (mode === 'online') {\n if (!this.config.apiBaseUrl && !this.config.apiKey) {\n throw new Error('Online mode requires apiBaseUrl or apiKey');\n }\n }\n\n if (mode === 'local') {\n if (!this.config.policyFile && !this.config.policy) {\n throw new Error('Local mode requires policyFile or policy');\n }\n }\n\n if (mode === 'hybrid') {\n if (!this.config.policyFile && !this.config.policy) {\n throw new Error('Hybrid mode requires policyFile or policy');\n }\n }\n }\n\n /\n Initialize the gateway (loads policy files, starts sync queues).\n * Called automatically on first evaluate() if not called manually.\n /\n async initialize(): Promise<void> {\n if (this.initialized) return;\n\n const { mode } = this.config;\n\n if (mode === 'local' \|\| mode === 'hybrid') {\n this.evaluator = loadEvaluator(this.config);\n }\n\n if (mode === 'hybrid') {\n const persistPath = this.config.tracePath\n ? `${this.config.tracePath}/../sync-queue.json`\n : '.astrasync/sync-queue.json';\n this.syncQueue = new HybridSyncQueue(this.config, persistPath);\n const intervalMs = (this.config.syncInterval \|\| 3600) 1000;\n this.syncQueue.start(intervalMs);\n }\n\n // Initialize trace logger\n if (this.config.traceEnabled) {\n const tracePath = this.config.tracePath \|\| '.astrasync/traces';\n this.traceLogger = new TraceLogger(tracePath, true);\n }\n\n this.initialized = true;\n\n if (this.config.debug) {\n const posture = this.config.posture \|\| 'active';\n console.log(`[AstraSyncGateway] Initialized in ${mode} mode (${posture})`);\n }\n }\n\n /*\n Graceful shutdown. Flushes sync queue and cleans up resources.\n /\n async shutdown(): Promise<void> {\n if (this.syncQueue) {\n await this.syncQueue.stop();\n this.syncQueue = null;\n }\n\n this.evaluator = null;\n this.initialized = false;\n\n if (this.config.debug) {\n console.log('[AstraSyncGateway] Shut down');\n }\n }\n\n /\n Evaluate an action against the verification policy.\n * Routes to the appropriate mode handler.\n \n In passive posture, evaluation runs but always returns ALLOW\n * (the real decision is logged for telemetry).\n /\n async evaluate(context: PDLSSContext, astraId?: string): Promise<VerificationDecision> {\n if (!this.initialized) {\n await this.initialize();\n }\n\n let decision: VerificationDecision;\n\n switch (this.config.mode) {\n case 'online':\n decision = await verifyOnline(this.config, context, astraId);\n break;\n\n case 'local':\n if (!this.evaluator) throw new Error('Local evaluator not initialized');\n decision = verifyLocal(this.evaluator, context);\n break;\n\n case 'hybrid':\n if (!this.evaluator \|\| !this.syncQueue) throw new Error('Hybrid mode not initialized');\n decision = verifyHybrid(this.evaluator, this.syncQueue, context);\n break;\n\n default:\n throw new Error(`Unknown mode: ${this.config.mode}`);\n }\n\n // In passive posture, log but don't block\n if (this.config.posture === 'passive' && decision.recommendation !== 'ALLOW') {\n decision = {\n ...decision,\n recommendation: 'ALLOW',\n reason: `[PASSIVE] Would have been ${decision.recommendation}: ${decision.reason}`,\n };\n }\n\n // Trace logging — captures the final decision (including passive override)\n this.traceLogger?.logEvaluation(context, decision);\n\n return decision;\n }\n\n /\n Get the current mode.\n /\n get mode(): AstraSyncGatewayConfig['mode'] {\n return this.config.mode;\n }\n\n /\n Get the current posture (active or passive).\n /\n get posture(): 'active' \| 'passive' {\n return this.config.posture \|\| 'active';\n }\n\n /\n Switch modes at runtime (e.g. after upgrade from free to paid).\n /\n async switchMode(newMode: AstraSyncGatewayConfig['mode'], additionalConfig?: Partial<AstraSyncGatewayConfig>): Promise<void> {\n const oldMode = this.config.mode;\n await this.shutdown();\n\n this.config = { ...this.config, ...additionalConfig, mode: newMode };\n this.validateConfig();\n await this.initialize();\n\n this.traceLogger?.logModeSwitch(oldMode, newMode);\n\n if (this.config.debug) {\n console.log(`[AstraSyncGateway] Switched to ${newMode} mode`);\n }\n }\n\n /\n Get sync queue status (hybrid mode only).\n */\n getSyncStatus(): { pending: number; total: number } \| null {\n return this.syncQueue?.getStatus() \|\| null;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACsEO,IAAM,4BAA4B;;;AC1DzC,IAAM,mBAA2C;AAAA;AAAA,EAE/C,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,SAAS;AAAA,EACT,eAAe;AAAA,EACf,sBAAsB;AAAA;AAAA,EAGtB,WAAW;AAAA,EACX,WAAW;AAAA;AAAA,EAGX,YAAY;AAAA,EACZ,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,WAAW;AAAA;AAAA,EAGX,aAAa;AAAA,EACb,aAAa;AAAA;AAAA,EAGb,cAAc;AAAA,EACd,OAAO;AAAA,EACP,aAAa;AAAA;AAAA,EAGb,YAAY;AAAA,EACZ,YAAY;AAAA;AAAA,EAGZ,cAAc;AAAA;AAAA,EAGd,gBAAgB;AAAA,EAChB,gBAAgB;AAAA;AAAA,EAGhB,iBAAiB;AACnB;AAMO,SAAS,iBAAiB,UAA0B;AACzD,SAAO,iBAAiB,QAAQ,KAAK,QAAQ,QAAQ;AACvD;AAsBO,SAAS,cAAc,UAAkB,MAAuC;AACrF,QAAM,UAAU,iBAAiB,QAAQ;AAEzC,MAAI,QAAQ,WAAW,QAAQ,GAAG;AAChC,WAAO,OAAO,KAAK,WAAW,KAAK,OAAO,KAAK,UAAU,EAAE;AAAA,EAC7D;AAEA,MAAI,QAAQ,WAAW,OAAO,GAAG;AAC/B,WAAO,OAAO,KAAK,QAAQ,KAAK,QAAQ,KAAK,YAAY,KAAK,aAAa,EAAE;AAAA,EAC/E;AAEA,MAAI,QAAQ,WAAW,UAAU,GAAG;AAClC,WAAO,OAAO,KAAK,OAAO,KAAK,YAAY,KAAK,OAAO,EAAE;AAAA,EAC3D;AAEA,MAAI,QAAQ,WAAW,QAAQ,GAAG;AAChC,WAAO,OAAO,KAAK,MAAM,KAAK,aAAa,KAAK,WAAW,EAAE;AAAA,EAC/D;AAEA,MAAI,QAAQ,WAAW,WAAW,GAAG;AACnC,WAAO,OAAO,KAAK,SAAS,KAAK,SAAS,EAAE;AAAA,EAC9C;AAEA,MAAI,QAAQ,WAAW,UAAU,GAAG;AAClC,WAAO,OAAO,KAAK,eAAe,KAAK,YAAY,KAAK,UAAU,EAAE;AAAA,EACtE;AAGA,MAAI,KAAK,QAAS,QAAO,OAAO,KAAK,OAAO;AAC5C,MAAI,KAAK,KAAM,QAAO,OAAO,KAAK,IAAI;AACtC,MAAI,KAAK,IAAK,QAAO,OAAO,KAAK,GAAG;AAGpC,aAAW,OAAO,OAAO,OAAO,IAAI,GAAG;AACrC,QAAI,OAAO,QAAQ,YAAY,IAAI,SAAS,EAAG,QAAO;AAAA,EACxD;AACA,SAAO;AACT;AAUO,SAAS,sBAAsB,QAAsC;AAC1E,MAAI;AACF,QAAI,OAAO,WAAW,SAAS,KAAK,OAAO,WAAW,UAAU,GAAG;AACjE,YAAM,MAAM,IAAI,IAAI,MAAM;AAC1B,aAAO,CAAC,IAAI,QAAQ;AAAA,IACtB;AAAA,EACF,QAAQ;AAAA,EAER;AACA,SAAO;AACT;;;ACtDO,IAAM,gBAAN,MAA+C;AAAA,EAUpD,YAAY,SAAyC;AATrD,SAAS,mBAAmB;AAI5B,SAAQ,cAA4B,CAAC;AACrC,SAAQ,gBAA0C;AAElD,SAAQ,aAAa;AAGnB,SAAK,qBAAqB,SAAS,uBAAuB,YAAY;AACtE,QAAI,SAAS,QAAQ;AACnB,WAAK,SAAS,QAAQ;AAAA,IACxB;AAAA,EACF;AAAA,EAEA,IAAI,YAAqB;AACvB,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,MAAM,WAAW,QAAsC;AACrD,SAAK,UAAU,OAAO;AAEtB,QAAI,OAAO,eAAe,QAAQ;AAChC,WAAK,SAAS,OAAO,eAAe;AAAA,IACtC;AAEA,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI,MAAM,4EAAuE;AAAA,IACzF;AAGA,SAAK,gBAAgB,KAAK,OAAO,OAAO,oBAAoB,uBAAuB;AAGnF,SAAK,YAAY;AAAA,MACf,KAAK,OAAO,UAAU,iBAAiB,CAAC,MAAM;AAC5C,mBAAW,QAAQ,EAAE,OAAO;AAC1B,eAAK,mBAAmB,cAAc,KAAK,MAAM;AAAA,QACnD;AAAA,MACF,CAAC;AAAA,IACH;AAEA,SAAK,YAAY;AAAA,MACf,KAAK,OAAO,UAAU,iBAAiB,CAAC,MAAM;AAC5C,mBAAW,QAAQ,EAAE,OAAO;AAC1B,eAAK,mBAAmB,eAAe,KAAK,MAAM;AAAA,QACpD;AAAA,MACF,CAAC;AAAA,IACH;AAEA,SAAK,YAAY;AAAA,MACf,KAAK,OAAO,UAAU,sBAAsB,CAAC,QAAQ;AACnD,aAAK,mBAAmB,cAAc,IAAI,QAAQ;AAAA,MACpD,CAAC;AAAA,IACH;AAGA,SAAK,YAAY;AAAA,MACf,KAAK,OAAO,SAAS,gBAAgB,oBAAoB,MAAM;AAC7D,aAAK,eAAe,KAAK;AACzB,aAAK,OAAO,OAAO,uBAAuB,iCAAiC;AAAA,MAC7E,CAAC;AAAA,IACH;AAEA,SAAK,aAAa;AAClB,SAAK,IAAI,qDAAgD;AAAA,EAC3D;AAAA,EAEA,MAAM,WAA0B;AAC9B,eAAW,KAAK,KAAK,aAAa;AAChC,QAAE,QAAQ;AAAA,IACZ;AACA,SAAK,cAAc,CAAC;AACpB,SAAK,eAAe,QAAQ;AAC5B,SAAK,gBAAgB;AACrB,SAAK,aAAa;AAAA,EACpB;AAAA,EAEA,MAAM,gBAAgB,QAA+C;AACnE,UAAM,MAAM,OAAO;AAEnB,QAAI,CAAC,IAAI,MAAM;AACb,aAAO,EAAE,aAAa,OAAO,YAAY,iBAAiB;AAAA,IAC5D;AAEA,UAAM,UAAU,KAAK,eAAe,MAAM;AAC1C,WAAO,EAAE,aAAa,MAAM,QAAQ;AAAA,EACtC;AAAA,EAEA,eAAe,QAAmC;AAChD,UAAM,MAAM,OAAO;AAEnB,QAAI;AACJ,UAAM,OAAgC,CAAC;AAEvC,YAAQ,IAAI,MAAM;AAAA,MAChB,KAAK;AAAA,MACL,KAAK;AACH,mBAAW;AACX,aAAK,OAAO,IAAI,QAAQ;AACxB;AAAA,MACF,KAAK;AACH,mBAAW;AACX,aAAK,OAAO,IAAI,QAAQ;AACxB;AAAA,MACF,KAAK;AACH,mBAAW;AACX,aAAK,OAAO,IAAI,QAAQ;AACxB;AAAA,MACF,KAAK;AACH,mBAAW;AACX,aAAK,UAAU,IAAI,WAAW;AAC9B;AAAA,MACF,KAAK;AACH,mBAAW;AACX,aAAK,MAAM,IAAI,OAAO;AACtB;AAAA,MACF;AACE,mBAAW,IAAI;AAAA,IACnB;AAEA,UAAM,UAAU,iBAAiB,QAAQ;AACzC,UAAM,SAAS,cAAc,UAAU,IAAI;AAC3C,UAAM,gBAAgB,sBAAsB,MAAM;AAElD,WAAO;AAAA,MACL;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,MACA,GAAI,iBAAiB,EAAE,cAAc;AAAA,IACvC;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,UAA+C;AACnE,YAAQ,SAAS,gBAAgB;AAAA,MAC/B,KAAK;AACH,aAAK,IAAI,YAAY,SAAS,MAAM,EAAE;AACtC,aAAK,OAAO,OAAO;AAAA,UACjB,6BAA6B,SAAS,MAAM;AAAA,QAC9C;AACA;AAAA,MACF,KAAK;AACH,aAAK,IAAI,WAAW,SAAS,MAAM,EAAE;AACrC;AAAA,MACF,KAAK;AAEH;AAAA,IACJ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,mBAAmB,UAAkB,UAAiC;AAClF,UAAM,SAAsB;AAAA,MAC1B,KAAK;AAAA,QACH,MAAM,aAAa,gBAAgB,gBAAgB;AAAA,QACnD,MAAM;AAAA,MACR;AAAA,MACA,UAAU;AAAA,MACV,WAAW,oBAAI,KAAK;AAAA,IACtB;AAEA,UAAM,eAAe,MAAM,KAAK,gBAAgB,MAAM;AACtD,QAAI,CAAC,aAAa,eAAe,CAAC,aAAa,QAAS;AAExD,UAAM,WAAW,MAAM,KAAK,QAAQ,SAAS,aAAa,OAAO;AAEjE,QAAI,SAAS,mBAAmB,QAAQ;AACtC,YAAM,KAAK,gBAAgB,QAAQ;AAAA,IACrC,WAAW,SAAS,mBAAmB,iBAAiB;AACtD,YAAM,WAAW,MAAM,KAAK,eAAe,aAAa,SAAS,QAAQ;AACzE,UAAI,CAAC,UAAU;AACb,cAAM,KAAK,gBAAgB,EAAE,GAAG,UAAU,gBAAgB,OAAO,CAAC;AAAA,MACpE;AAAA,IACF;AAEA,SAAK,IAAI,GAAG,SAAS,cAAc,KAAK,aAAa,QAAQ,OAAO,OAAO,aAAa,QAAQ,MAAM,EAAE;AAAA,EAC1G;AAAA,EAEA,MAAc,eAAe,SAAuB,UAAkD;AACpG,QAAI,KAAK,oBAAoB;AAC3B,aAAO,KAAK,mBAAmB,SAAS,QAAQ;AAAA,IAClD;AAGA,UAAM,SAAS,MAAM,KAAK,OAAO,OAAO;AAAA,MACtC,cAAc,SAAS,MAAM;AAAA,MAC7B;AAAA,MACA;AAAA,IACF;AACA,WAAO,WAAW;AAAA,EACpB;AAAA,EAEQ,IAAI,SAAuB;AACjC,SAAK,eAAe,WAAW,KAAI,oBAAI,KAAK,GAAE,YAAY,CAAC,KAAK,OAAO,EAAE;AAAA,EAC3E;AACF;;;AC5GO,IAAM,qBAAqB;AAAA,EAChC;AAAA,EAAM;AAAA,EAAS;AAAA,EAAM;AAAA,EAAQ;AAAA,EAAS;AAAA,EACtC;AAAA,EAAQ;AAAA,EAAM;AAAA,EAAQ;AAAA,EAAQ;AAAA,EAAM;AAAA,EACpC;AAAA,EAAO;AAAA,EAAO;AAAA,EAAS;AAAA,EAAY;AAAA,EACnC;AAAA,EAAU;AACZ;AAGO,IAAM,kBAAkB;AAAA,EAC7B;AAAA,EAAQ;AAAA,EAAQ;AAAA,EAAU;AAAA,EAAQ;AAAA,EAClC;AAAA,EAAW;AAAA,EAAY;AAAA,EAAe;AAAA,EAAQ;AAAA,EAAQ;AAAA,EACtD;AAAA,EAAU;AAAA,EAAU;AACtB;;;AC3KO,IAAM,iBAAN,MAAqB;AAAA,EAI1B,YAAY,QAAqB;AAFjC,SAAQ,gBAAqE,oBAAI,IAAI;AAGnF,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,QAA2B;AACtC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA,EAKA,SAAS,SAA6C;AAEpD,UAAM,cAAc,KAAK,OAAO,SAAS,KAAK,CAAC,MAAM,EAAE,OAAO,QAAQ,OAAO;AAC7E,QAAI,CAAC,aAAa;AAChB,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,wBAAwB;AAAA,IACnE;AACA,QAAI,CAAC,YAAY,SAAS;AACxB,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,6BAA6B;AAAA,IACxE;AAGA,QAAI,YAAY,WAAW,CAAC,KAAK,kBAAkB,QAAQ,QAAQ,YAAY,OAAO,GAAG;AACvF,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,6BAA6B;AAAA,IACxE;AAGA,QAAI,YAAY,mBAAmB,KAAK,kBAAkB,QAAQ,QAAQ,YAAY,eAAe,GAAG;AACtG,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,iCAAiC;AAAA,IAC5E;AAGA,UAAM,aAAa,KAAK,gBAAgB,OAAO;AAC/C,QAAI,YAAY;AACd,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,WAAW;AAAA,IACtD;AAGA,UAAM,iBAAiB,KAAK,YAAY,OAAO;AAC/C,QAAI,gBAAgB;AAClB,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,eAAe;AAAA,IAC1D;AAGA,QAAI,QAAQ,YAAY,qBAAqB,KAAK,OAAO,mBAAmB;AAC1E,UAAI,CAAC,KAAK,OAAO,kBAAkB,SAAS;AAC1C,eAAO,EAAE,gBAAgB,QAAQ,QAAQ,oCAAoC;AAAA,MAC/E;AACA,YAAM,QAAS,QAAQ,UAAU,iBAA4B;AAC7D,UAAI,KAAK,OAAO,kBAAkB,aAAa,UAAa,SAAS,KAAK,OAAO,kBAAkB,UAAU;AAC3G,eAAO,EAAE,gBAAgB,QAAQ,QAAQ,mBAAmB,KAAK,sBAAsB,KAAK,OAAO,kBAAkB,QAAQ,GAAG;AAAA,MAClI;AAAA,IACF;AAGA,QAAI,YAAY,kBAAkB;AAChC,aAAO,EAAE,gBAAgB,iBAAiB,QAAQ,4BAA4B;AAAA,IAChF;AAEA,UAAM,eAAe,KAAK,oBAAoB,OAAO;AACrD,QAAI,cAAc;AAChB,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,MACL,gBAAgB;AAAA,MAChB,QAAQ;AAAA,MACR,qBAAqB;AAAA,QACnB,SAAS;AAAA,QACT,OAAO,CAAC,CAAC,KAAK,OAAO;AAAA,QACrB,QAAQ,CAAC,CAAC,KAAK,OAAO;AAAA,QACtB,gBAAgB,CAAC,CAAC,KAAK,OAAO;AAAA,MAChC;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,gBAAgB,SAAsC;AAC5D,UAAM,QAAQ,KAAK,OAAO;AAC1B,QAAI,CAAC,MAAO,QAAO;AAGnB,QAAI,MAAM,gBAAgB;AACxB,YAAM,eAAe,KAAK,cAAc,QAAQ,MAAM;AACtD,UAAI,KAAK,kBAAkB,cAAc,MAAM,cAAc,GAAG;AAC9D,eAAO,4BAA4B,QAAQ,MAAM;AAAA,MACnD;AACA,UAAI,QAAQ,eAAe;AACzB,mBAAW,UAAU,QAAQ,eAAe;AAC1C,cAAI,KAAK,kBAAkB,KAAK,cAAc,MAAM,GAAG,MAAM,cAAc,GAAG;AAC5E,mBAAO,4BAA4B,MAAM;AAAA,UAC3C;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,MAAM,oBAAoB,KAAK,kBAAkB,QAAQ,QAAQ,MAAM,gBAAgB,GAAG;AAC5F,aAAO,8BAA8B,QAAQ,MAAM;AAAA,IACrD;AAGA,QAAI,MAAM,kBAAkB,QAAQ,eAAe;AACjD,iBAAW,UAAU,QAAQ,eAAe;AAC1C,YAAI,CAAC,KAAK,kBAAkB,KAAK,cAAc,MAAM,GAAG,MAAM,cAAc,GAAG;AAC7E,iBAAO,+BAA+B,MAAM;AAAA,QAC9C;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,YAAY,SAAsC;AACxD,UAAM,SAAS,KAAK,OAAO;AAC3B,QAAI,CAAC,OAAQ,QAAO;AAGpB,QAAI,OAAO,yBAAyB,UAAa,QAAQ,qBAAqB,QAAW;AACvF,UAAI,QAAQ,mBAAmB,OAAO,sBAAsB;AAC1D,eAAO,qBAAqB,QAAQ,gBAAgB,kBAAkB,OAAO,oBAAoB;AAAA,MACnG;AAAA,IACF;AAGA,QAAI,OAAO,uBAAuB,QAAW;AAC3C,YAAM,MAAM,QAAQ;AACpB,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,QAAQ,KAAK,cAAc,IAAI,GAAG;AACxC,YAAM,SAAS;AAEf,UAAI,CAAC,SAAS,MAAM,MAAM,cAAc,QAAQ;AAC9C,aAAK,cAAc,IAAI,KAAK,EAAE,OAAO,GAAG,aAAa,IAAI,CAAC;AAAA,MAC5D,OAAO;AACL,cAAM;AACN,YAAI,MAAM,QAAQ,OAAO,oBAAoB;AAC3C,iBAAO,wBAAwB,MAAM,KAAK,IAAI,OAAO,kBAAkB;AAAA,QACzE;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,oBAAoB,SAAoD;AAC9E,QAAI,CAAC,KAAK,OAAO,eAAgB,QAAO;AAExC,UAAM,YAAY,KAAK,mBAAmB,OAAO;AACjD,UAAM,aAAa,KAAK,OAAO;AAE/B,QAAI,aAAa,WAAW,UAAU,KAAK;AACzC,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,cAAc,SAAS,2BAA2B;AAAA,IAC7F;AAEA,QAAI,aAAa,WAAW,gBAAgB,KAAK;AAC/C,aAAO,EAAE,gBAAgB,iBAAiB,QAAQ,cAAc,SAAS,qBAAqB;AAAA,IAChG;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,mBAAmB,SAA+B;AACxD,QAAI,QAAQ;AAGZ,QAAI,QAAQ,aAAa,QAAQ;AAC/B,YAAM,iBAAyC;AAAA,QAC7C,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,UAAU;AAAA,MACZ;AAEA,iBAAW,UAAU,QAAQ,aAAa;AACxC,cAAM,cAAc,eAAe,OAAO,QAAQ,KAAK;AACvD,YAAI,cAAc,MAAO,SAAQ;AAAA,MACnC;AACA,aAAO;AAAA,IACT;AAGA,QAAI,QAAQ,YAAY,gBAAgB,QAAQ,QAAQ;AACtD,YAAM,cAAc,QAAQ,OAAO,YAAY;AAC/C,iBAAW,OAAO,oBAAoB;AACpC,YAAI,YAAY,WAAW,GAAG,KAAK,YAAY,SAAS,IAAI,GAAG,GAAG,KAAK,YAAY,SAAS,IAAI,GAAG,EAAE,GAAG;AACtG,kBAAQ,KAAK,IAAI,OAAO,EAAE;AAC1B;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,SAAK,QAAQ,YAAY,eAAe,QAAQ,YAAY,gBAAgB,QAAQ,YAAY,kBAAkB,QAAQ,QAAQ;AAChI,YAAM,cAAc,QAAQ,OAAO,YAAY;AAC/C,iBAAW,iBAAiB,iBAAiB;AAC3C,YAAI,YAAY,SAAS,cAAc,YAAY,CAAC,GAAG;AACrD,kBAAQ,KAAK,IAAI,OAAO,EAAE;AAC1B;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,cAAc,OAAuB;AAC3C,QAAI,SAAS;AAEb,UAAM,aAAa,OAAO,QAAQ,KAAK;AACvC,QAAI,eAAe,GAAI,UAAS,OAAO,MAAM,aAAa,CAAC;AAE3D,UAAM,aAAa,OAAO,QAAQ,GAAG;AACrC,QAAI,eAAe,GAAI,UAAS,OAAO,MAAM,GAAG,UAAU;AAE1D,UAAM,aAAa,OAAO,QAAQ,GAAG;AACrC,QAAI,eAAe,GAAI,UAAS,OAAO,MAAM,GAAG,UAAU;AAC1D,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAkB,OAAe,UAA6B;AACpE,WAAO,SAAS,KAAK,CAAC,YAAY,KAAK,UAAU,OAAO,OAAO,CAAC;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,UAAU,OAAe,SAA0B;AAEzD,QAAI,YAAY,MAAO,QAAO;AAG9B,UAAM,WAAW,QACd,QAAQ,qBAAqB,MAAM,EACnC,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,GAAG;AAErB,QAAI;AACF,aAAO,IAAI,OAAO,IAAI,QAAQ,KAAK,GAAG,EAAE,KAAK,KAAK;AAAA,IACpD,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACF;;;AChRA,SAAS,UAAU,SAAS;AAC1B,SAAQ,OAAO,YAAY,eAAiB,YAAY;AAC1D;AAGA,SAAS,SAAS,SAAS;AACzB,SAAQ,OAAO,YAAY,YAAc,YAAY;AACvD;AAGA,SAAS,QAAQ,UAAU;AACzB,MAAI,MAAM,QAAQ,QAAQ,EAAG,QAAO;AAAA,WAC3B,UAAU,QAAQ,EAAG,QAAO,CAAC;AAEtC,SAAO,CAAE,QAAS;AACpB;AAGA,SAAS,OAAO,QAAQ,QAAQ;AAC9B,MAAI,OAAO,QAAQ,KAAK;AAExB,MAAI,QAAQ;AACV,iBAAa,OAAO,KAAK,MAAM;AAE/B,SAAK,QAAQ,GAAG,SAAS,WAAW,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AACtE,YAAM,WAAW,KAAK;AACtB,aAAO,GAAG,IAAI,OAAO,GAAG;AAAA,IAC1B;AAAA,EACF;AAEA,SAAO;AACT;AAGA,SAAS,OAAO,QAAQ,OAAO;AAC7B,MAAI,SAAS,IAAI;AAEjB,OAAK,QAAQ,GAAG,QAAQ,OAAO,SAAS,GAAG;AACzC,cAAU;AAAA,EACZ;AAEA,SAAO;AACT;AAGA,SAAS,eAAe,QAAQ;AAC9B,SAAQ,WAAW,KAAO,OAAO,sBAAsB,IAAI;AAC7D;AAGA,IAAI,cAAmB;AACvB,IAAI,aAAmB;AACvB,IAAI,YAAmB;AACvB,IAAI,WAAmB;AACvB,IAAI,mBAAmB;AACvB,IAAI,WAAmB;AAEvB,IAAI,SAAS;AAAA,EACZ,WAAW;AAAA,EACX,UAAU;AAAA,EACV,SAAS;AAAA,EACT,QAAQ;AAAA,EACR,gBAAgB;AAAA,EAChB,QAAQ;AACT;AAKA,SAAS,YAAYA,YAAW,SAAS;AACvC,MAAI,QAAQ,IAAI,UAAUA,WAAU,UAAU;AAE9C,MAAI,CAACA,WAAU,KAAM,QAAO;AAE5B,MAAIA,WAAU,KAAK,MAAM;AACvB,aAAS,SAASA,WAAU,KAAK,OAAO;AAAA,EAC1C;AAEA,WAAS,OAAOA,WAAU,KAAK,OAAO,KAAK,OAAOA,WAAU,KAAK,SAAS,KAAK;AAE/E,MAAI,CAAC,WAAWA,WAAU,KAAK,SAAS;AACtC,aAAS,SAASA,WAAU,KAAK;AAAA,EACnC;AAEA,SAAO,UAAU,MAAM;AACzB;AAGA,SAAS,gBAAgB,QAAQ,MAAM;AAErC,QAAM,KAAK,IAAI;AAEf,OAAK,OAAO;AACZ,OAAK,SAAS;AACd,OAAK,OAAO;AACZ,OAAK,UAAU,YAAY,MAAM,KAAK;AAGtC,MAAI,MAAM,mBAAmB;AAE3B,UAAM,kBAAkB,MAAM,KAAK,WAAW;AAAA,EAChD,OAAO;AAEL,SAAK,QAAS,IAAI,MAAM,EAAG,SAAS;AAAA,EACtC;AACF;AAIA,gBAAgB,YAAY,OAAO,OAAO,MAAM,SAAS;AACzD,gBAAgB,UAAU,cAAc;AAGxC,gBAAgB,UAAU,WAAW,SAAS,SAAS,SAAS;AAC9D,SAAO,KAAK,OAAO,OAAO,YAAY,MAAM,OAAO;AACrD;AAGA,IAAI,YAAY;AAGhB,SAAS,QAAQ,QAAQ,WAAW,SAAS,UAAU,eAAe;AACpE,MAAI,OAAO;AACX,MAAI,OAAO;AACX,MAAI,gBAAgB,KAAK,MAAM,gBAAgB,CAAC,IAAI;AAEpD,MAAI,WAAW,YAAY,eAAe;AACxC,WAAO;AACP,gBAAY,WAAW,gBAAgB,KAAK;AAAA,EAC9C;AAEA,MAAI,UAAU,WAAW,eAAe;AACtC,WAAO;AACP,cAAU,WAAW,gBAAgB,KAAK;AAAA,EAC5C;AAEA,SAAO;AAAA,IACL,KAAK,OAAO,OAAO,MAAM,WAAW,OAAO,EAAE,QAAQ,OAAO,QAAG,IAAI;AAAA,IACnE,KAAK,WAAW,YAAY,KAAK;AAAA;AAAA,EACnC;AACF;AAGA,SAAS,SAAS,QAAQ,KAAK;AAC7B,SAAO,OAAO,OAAO,KAAK,MAAM,OAAO,MAAM,IAAI;AACnD;AAGA,SAAS,YAAY,MAAM,SAAS;AAClC,YAAU,OAAO,OAAO,WAAW,IAAI;AAEvC,MAAI,CAAC,KAAK,OAAQ,QAAO;AAEzB,MAAI,CAAC,QAAQ,UAAW,SAAQ,YAAY;AAC5C,MAAI,OAAO,QAAQ,WAAgB,SAAU,SAAQ,SAAc;AACnE,MAAI,OAAO,QAAQ,gBAAgB,SAAU,SAAQ,cAAc;AACnE,MAAI,OAAO,QAAQ,eAAgB,SAAU,SAAQ,aAAc;AAEnE,MAAI,KAAK;AACT,MAAI,aAAa,CAAE,CAAE;AACrB,MAAI,WAAW,CAAC;AAChB,MAAI;AACJ,MAAI,cAAc;AAElB,SAAQ,QAAQ,GAAG,KAAK,KAAK,MAAM,GAAI;AACrC,aAAS,KAAK,MAAM,KAAK;AACzB,eAAW,KAAK,MAAM,QAAQ,MAAM,CAAC,EAAE,MAAM;AAE7C,QAAI,KAAK,YAAY,MAAM,SAAS,cAAc,GAAG;AACnD,oBAAc,WAAW,SAAS;AAAA,IACpC;AAAA,EACF;AAEA,MAAI,cAAc,EAAG,eAAc,WAAW,SAAS;AAEvD,MAAI,SAAS,IAAI,GAAG;AACpB,MAAI,eAAe,KAAK,IAAI,KAAK,OAAO,QAAQ,YAAY,SAAS,MAAM,EAAE,SAAS,EAAE;AACxF,MAAI,gBAAgB,QAAQ,aAAa,QAAQ,SAAS,eAAe;AAEzE,OAAK,IAAI,GAAG,KAAK,QAAQ,aAAa,KAAK;AACzC,QAAI,cAAc,IAAI,EAAG;AACzB,WAAO;AAAA,MACL,KAAK;AAAA,MACL,WAAW,cAAc,CAAC;AAAA,MAC1B,SAAS,cAAc,CAAC;AAAA,MACxB,KAAK,YAAY,WAAW,WAAW,IAAI,WAAW,cAAc,CAAC;AAAA,MACrE;AAAA,IACF;AACA,aAAS,OAAO,OAAO,KAAK,QAAQ,MAAM,IAAI,UAAU,KAAK,OAAO,IAAI,GAAG,SAAS,GAAG,YAAY,IACjG,QAAQ,KAAK,MAAM,OAAO;AAAA,EAC9B;AAEA,SAAO,QAAQ,KAAK,QAAQ,WAAW,WAAW,GAAG,SAAS,WAAW,GAAG,KAAK,UAAU,aAAa;AACxG,YAAU,OAAO,OAAO,KAAK,QAAQ,MAAM,IAAI,UAAU,KAAK,OAAO,GAAG,SAAS,GAAG,YAAY,IAC9F,QAAQ,KAAK,MAAM;AACrB,YAAU,OAAO,OAAO,KAAK,QAAQ,SAAS,eAAe,IAAI,KAAK,GAAG,IAAI;AAE7E,OAAK,IAAI,GAAG,KAAK,QAAQ,YAAY,KAAK;AACxC,QAAI,cAAc,KAAK,SAAS,OAAQ;AACxC,WAAO;AAAA,MACL,KAAK;AAAA,MACL,WAAW,cAAc,CAAC;AAAA,MAC1B,SAAS,cAAc,CAAC;AAAA,MACxB,KAAK,YAAY,WAAW,WAAW,IAAI,WAAW,cAAc,CAAC;AAAA,MACrE;AAAA,IACF;AACA,cAAU,OAAO,OAAO,KAAK,QAAQ,MAAM,IAAI,UAAU,KAAK,OAAO,IAAI,GAAG,SAAS,GAAG,YAAY,IAClG,QAAQ,KAAK,MAAM;AAAA,EACvB;AAEA,SAAO,OAAO,QAAQ,OAAO,EAAE;AACjC;AAGA,IAAI,UAAU;AAEd,IAAI,2BAA2B;AAAA,EAC7B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,IAAI,kBAAkB;AAAA,EACpB;AAAA,EACA;AAAA,EACA;AACF;AAEA,SAAS,oBAAoBC,MAAK;AAChC,MAAI,SAAS,CAAC;AAEd,MAAIA,SAAQ,MAAM;AAChB,WAAO,KAAKA,IAAG,EAAE,QAAQ,SAAU,OAAO;AACxC,MAAAA,KAAI,KAAK,EAAE,QAAQ,SAAU,OAAO;AAClC,eAAO,OAAO,KAAK,CAAC,IAAI;AAAA,MAC1B,CAAC;AAAA,IACH,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAU,WAAW,CAAC;AAEtB,SAAO,KAAK,OAAO,EAAE,QAAQ,SAAU,MAAM;AAC3C,QAAI,yBAAyB,QAAQ,IAAI,MAAM,IAAI;AACjD,YAAM,IAAI,UAAU,qBAAqB,OAAO,gCAAgC,MAAM,cAAc;AAAA,IACtG;AAAA,EACF,CAAC;AAGD,OAAK,UAAgB;AACrB,OAAK,MAAgB;AACrB,OAAK,OAAgB,QAAQ,MAAM,KAAc;AACjD,OAAK,UAAgB,QAAQ,SAAS,KAAW,WAAY;AAAE,WAAO;AAAA,EAAM;AAC5E,OAAK,YAAgB,QAAQ,WAAW,KAAS,SAAU,MAAM;AAAE,WAAO;AAAA,EAAM;AAChF,OAAK,aAAgB,QAAQ,YAAY,KAAQ;AACjD,OAAK,YAAgB,QAAQ,WAAW,KAAS;AACjD,OAAK,YAAgB,QAAQ,WAAW,KAAS;AACjD,OAAK,gBAAgB,QAAQ,eAAe,KAAK;AACjD,OAAK,eAAgB,QAAQ,cAAc,KAAM;AACjD,OAAK,QAAgB,QAAQ,OAAO,KAAa;AACjD,OAAK,eAAgB,oBAAoB,QAAQ,cAAc,KAAK,IAAI;AAExE,MAAI,gBAAgB,QAAQ,KAAK,IAAI,MAAM,IAAI;AAC7C,UAAM,IAAI,UAAU,mBAAmB,KAAK,OAAO,yBAAyB,MAAM,cAAc;AAAA,EAClG;AACF;AAEA,IAAI,OAAO;AAQX,SAAS,YAAYC,SAAQ,MAAM;AACjC,MAAI,SAAS,CAAC;AAEd,EAAAA,QAAO,IAAI,EAAE,QAAQ,SAAU,aAAa;AAC1C,QAAI,WAAW,OAAO;AAEtB,WAAO,QAAQ,SAAU,cAAc,eAAe;AACpD,UAAI,aAAa,QAAQ,YAAY,OACjC,aAAa,SAAS,YAAY,QAClC,aAAa,UAAU,YAAY,OAAO;AAE5C,mBAAW;AAAA,MACb;AAAA,IACF,CAAC;AAED,WAAO,QAAQ,IAAI;AAAA,EACrB,CAAC;AAED,SAAO;AACT;AAGA,SAAS,aAA2B;AAClC,MAAI,SAAS;AAAA,IACP,QAAQ,CAAC;AAAA,IACT,UAAU,CAAC;AAAA,IACX,SAAS,CAAC;AAAA,IACV,UAAU,CAAC;AAAA,IACX,OAAO;AAAA,MACL,QAAQ,CAAC;AAAA,MACT,UAAU,CAAC;AAAA,MACX,SAAS,CAAC;AAAA,MACV,UAAU,CAAC;AAAA,IACb;AAAA,EACF,GAAG,OAAO;AAEd,WAAS,YAAYC,OAAM;AACzB,QAAIA,MAAK,OAAO;AACd,aAAO,MAAMA,MAAK,IAAI,EAAE,KAAKA,KAAI;AACjC,aAAO,MAAM,UAAU,EAAE,KAAKA,KAAI;AAAA,IACpC,OAAO;AACL,aAAOA,MAAK,IAAI,EAAEA,MAAK,GAAG,IAAI,OAAO,UAAU,EAAEA,MAAK,GAAG,IAAIA;AAAA,IAC/D;AAAA,EACF;AAEA,OAAK,QAAQ,GAAG,SAAS,UAAU,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AACrE,cAAU,KAAK,EAAE,QAAQ,WAAW;AAAA,EACtC;AACA,SAAO;AACT;AAGA,SAAS,SAAS,YAAY;AAC5B,SAAO,KAAK,OAAO,UAAU;AAC/B;AAGA,SAAS,UAAU,SAAS,SAASC,QAAO,YAAY;AACtD,MAAI,WAAW,CAAC;AAChB,MAAI,WAAW,CAAC;AAEhB,MAAI,sBAAsB,MAAM;AAE9B,aAAS,KAAK,UAAU;AAAA,EAE1B,WAAW,MAAM,QAAQ,UAAU,GAAG;AAEpC,eAAW,SAAS,OAAO,UAAU;AAAA,EAEvC,WAAW,eAAe,MAAM,QAAQ,WAAW,QAAQ,KAAK,MAAM,QAAQ,WAAW,QAAQ,IAAI;AAEnG,QAAI,WAAW,SAAU,YAAW,SAAS,OAAO,WAAW,QAAQ;AACvE,QAAI,WAAW,SAAU,YAAW,SAAS,OAAO,WAAW,QAAQ;AAAA,EAEzE,OAAO;AACL,UAAM,IAAI,UAAU,kHAC6C;AAAA,EACnE;AAEA,WAAS,QAAQ,SAAU,QAAQ;AACjC,QAAI,EAAE,kBAAkB,OAAO;AAC7B,YAAM,IAAI,UAAU,oFAAoF;AAAA,IAC1G;AAEA,QAAI,OAAO,YAAY,OAAO,aAAa,UAAU;AACnD,YAAM,IAAI,UAAU,iHAAiH;AAAA,IACvI;AAEA,QAAI,OAAO,OAAO;AAChB,YAAM,IAAI,UAAU,oGAAoG;AAAA,IAC1H;AAAA,EACF,CAAC;AAED,WAAS,QAAQ,SAAU,QAAQ;AACjC,QAAI,EAAE,kBAAkB,OAAO;AAC7B,YAAM,IAAI,UAAU,oFAAoF;AAAA,IAC1G;AAAA,EACF,CAAC;AAED,MAAI,SAAS,OAAO,OAAO,SAAS,SAAS;AAE7C,SAAO,YAAY,KAAK,YAAY,CAAC,GAAG,OAAO,QAAQ;AACvD,SAAO,YAAY,KAAK,YAAY,CAAC,GAAG,OAAO,QAAQ;AAEvD,SAAO,mBAAmB,YAAY,QAAQ,UAAU;AACxD,SAAO,mBAAmB,YAAY,QAAQ,UAAU;AACxD,SAAO,kBAAmB,WAAW,OAAO,kBAAkB,OAAO,gBAAgB;AAErF,SAAO;AACT;AAGA,IAAI,SAAS;AAEb,IAAI,MAAM,IAAI,KAAK,yBAAyB;AAAA,EAC1C,MAAM;AAAA,EACN,WAAW,SAAU,MAAM;AAAE,WAAO,SAAS,OAAO,OAAO;AAAA,EAAI;AACjE,CAAC;AAED,IAAI,MAAM,IAAI,KAAK,yBAAyB;AAAA,EAC1C,MAAM;AAAA,EACN,WAAW,SAAU,MAAM;AAAE,WAAO,SAAS,OAAO,OAAO,CAAC;AAAA,EAAG;AACjE,CAAC;AAED,IAAI,MAAM,IAAI,KAAK,yBAAyB;AAAA,EAC1C,MAAM;AAAA,EACN,WAAW,SAAU,MAAM;AAAE,WAAO,SAAS,OAAO,OAAO,CAAC;AAAA,EAAG;AACjE,CAAC;AAED,IAAI,WAAW,IAAI,OAAO;AAAA,EACxB,UAAU;AAAA,IACR;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF,CAAC;AAED,SAAS,gBAAgB,MAAM;AAC7B,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,MAAM,KAAK;AAEf,SAAQ,QAAQ,KAAK,SAAS,OACtB,QAAQ,MAAM,SAAS,UAAU,SAAS,UAAU,SAAS;AACvE;AAEA,SAAS,oBAAoB;AAC3B,SAAO;AACT;AAEA,SAAS,OAAO,QAAQ;AACtB,SAAO,WAAW;AACpB;AAEA,IAAI,QAAQ,IAAI,KAAK,0BAA0B;AAAA,EAC7C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,WAAW;AAAA,EACX,WAAW;AAAA,IACT,WAAW,WAAY;AAAE,aAAO;AAAA,IAAQ;AAAA,IACxC,WAAW,WAAY;AAAE,aAAO;AAAA,IAAQ;AAAA,IACxC,WAAW,WAAY;AAAE,aAAO;AAAA,IAAQ;AAAA,IACxC,WAAW,WAAY;AAAE,aAAO;AAAA,IAAQ;AAAA,IACxC,OAAW,WAAY;AAAE,aAAO;AAAA,IAAQ;AAAA,EAC1C;AAAA,EACA,cAAc;AAChB,CAAC;AAED,SAAS,mBAAmB,MAAM;AAChC,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,MAAM,KAAK;AAEf,SAAQ,QAAQ,MAAM,SAAS,UAAU,SAAS,UAAU,SAAS,WAC7D,QAAQ,MAAM,SAAS,WAAW,SAAS,WAAW,SAAS;AACzE;AAEA,SAAS,qBAAqB,MAAM;AAClC,SAAO,SAAS,UACT,SAAS,UACT,SAAS;AAClB;AAEA,SAAS,UAAU,QAAQ;AACzB,SAAO,OAAO,UAAU,SAAS,KAAK,MAAM,MAAM;AACpD;AAEA,IAAI,OAAO,IAAI,KAAK,0BAA0B;AAAA,EAC5C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,WAAW;AAAA,EACX,WAAW;AAAA,IACT,WAAW,SAAU,QAAQ;AAAE,aAAO,SAAS,SAAS;AAAA,IAAS;AAAA,IACjE,WAAW,SAAU,QAAQ;AAAE,aAAO,SAAS,SAAS;AAAA,IAAS;AAAA,IACjE,WAAW,SAAU,QAAQ;AAAE,aAAO,SAAS,SAAS;AAAA,IAAS;AAAA,EACnE;AAAA,EACA,cAAc;AAChB,CAAC;AAED,SAAS,UAAU,GAAG;AACpB,SAAS,MAAe,KAAO,KAAK,MAC3B,MAAe,KAAO,KAAK,MAC3B,MAAe,KAAO,KAAK;AACtC;AAEA,SAAS,UAAU,GAAG;AACpB,SAAS,MAAe,KAAO,KAAK;AACtC;AAEA,SAAS,UAAU,GAAG;AACpB,SAAS,MAAe,KAAO,KAAK;AACtC;AAEA,SAAS,mBAAmB,MAAM;AAChC,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,MAAM,KAAK,QACX,QAAQ,GACR,YAAY,OACZ;AAEJ,MAAI,CAAC,IAAK,QAAO;AAEjB,OAAK,KAAK,KAAK;AAGf,MAAI,OAAO,OAAO,OAAO,KAAK;AAC5B,SAAK,KAAK,EAAE,KAAK;AAAA,EACnB;AAEA,MAAI,OAAO,KAAK;AAEd,QAAI,QAAQ,MAAM,IAAK,QAAO;AAC9B,SAAK,KAAK,EAAE,KAAK;AAIjB,QAAI,OAAO,KAAK;AAEd;AAEA,aAAO,QAAQ,KAAK,SAAS;AAC3B,aAAK,KAAK,KAAK;AACf,YAAI,OAAO,IAAK;AAChB,YAAI,OAAO,OAAO,OAAO,IAAK,QAAO;AACrC,oBAAY;AAAA,MACd;AACA,aAAO,aAAa,OAAO;AAAA,IAC7B;AAGA,QAAI,OAAO,KAAK;AAEd;AAEA,aAAO,QAAQ,KAAK,SAAS;AAC3B,aAAK,KAAK,KAAK;AACf,YAAI,OAAO,IAAK;AAChB,YAAI,CAAC,UAAU,KAAK,WAAW,KAAK,CAAC,EAAG,QAAO;AAC/C,oBAAY;AAAA,MACd;AACA,aAAO,aAAa,OAAO;AAAA,IAC7B;AAGA,QAAI,OAAO,KAAK;AAEd;AAEA,aAAO,QAAQ,KAAK,SAAS;AAC3B,aAAK,KAAK,KAAK;AACf,YAAI,OAAO,IAAK;AAChB,YAAI,CAAC,UAAU,KAAK,WAAW,KAAK,CAAC,EAAG,QAAO;AAC/C,oBAAY;AAAA,MACd;AACA,aAAO,aAAa,OAAO;AAAA,IAC7B;AAAA,EACF;AAKA,MAAI,OAAO,IAAK,QAAO;AAEvB,SAAO,QAAQ,KAAK,SAAS;AAC3B,SAAK,KAAK,KAAK;AACf,QAAI,OAAO,IAAK;AAChB,QAAI,CAAC,UAAU,KAAK,WAAW,KAAK,CAAC,GAAG;AACtC,aAAO;AAAA,IACT;AACA,gBAAY;AAAA,EACd;AAGA,MAAI,CAAC,aAAa,OAAO,IAAK,QAAO;AAErC,SAAO;AACT;AAEA,SAAS,qBAAqB,MAAM;AAClC,MAAI,QAAQ,MAAM,OAAO,GAAG;AAE5B,MAAI,MAAM,QAAQ,GAAG,MAAM,IAAI;AAC7B,YAAQ,MAAM,QAAQ,MAAM,EAAE;AAAA,EAChC;AAEA,OAAK,MAAM,CAAC;AAEZ,MAAI,OAAO,OAAO,OAAO,KAAK;AAC5B,QAAI,OAAO,IAAK,QAAO;AACvB,YAAQ,MAAM,MAAM,CAAC;AACrB,SAAK,MAAM,CAAC;AAAA,EACd;AAEA,MAAI,UAAU,IAAK,QAAO;AAE1B,MAAI,OAAO,KAAK;AACd,QAAI,MAAM,CAAC,MAAM,IAAK,QAAO,OAAO,SAAS,MAAM,MAAM,CAAC,GAAG,CAAC;AAC9D,QAAI,MAAM,CAAC,MAAM,IAAK,QAAO,OAAO,SAAS,MAAM,MAAM,CAAC,GAAG,EAAE;AAC/D,QAAI,MAAM,CAAC,MAAM,IAAK,QAAO,OAAO,SAAS,MAAM,MAAM,CAAC,GAAG,CAAC;AAAA,EAChE;AAEA,SAAO,OAAO,SAAS,OAAO,EAAE;AAClC;AAEA,SAAS,UAAU,QAAQ;AACzB,SAAQ,OAAO,UAAU,SAAS,KAAK,MAAM,MAAO,sBAC5C,SAAS,MAAM,KAAK,CAAC,OAAO,eAAe,MAAM;AAC3D;AAEA,IAAI,MAAM,IAAI,KAAK,yBAAyB;AAAA,EAC1C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,WAAW;AAAA,EACX,WAAW;AAAA,IACT,QAAa,SAAU,KAAK;AAAE,aAAO,OAAO,IAAI,OAAO,IAAI,SAAS,CAAC,IAAI,QAAQ,IAAI,SAAS,CAAC,EAAE,MAAM,CAAC;AAAA,IAAG;AAAA,IAC3G,OAAa,SAAU,KAAK;AAAE,aAAO,OAAO,IAAI,OAAQ,IAAI,SAAS,CAAC,IAAI,QAAS,IAAI,SAAS,CAAC,EAAE,MAAM,CAAC;AAAA,IAAG;AAAA,IAC7G,SAAa,SAAU,KAAK;AAAE,aAAO,IAAI,SAAS,EAAE;AAAA,IAAG;AAAA;AAAA,IAEvD,aAAa,SAAU,KAAK;AAAE,aAAO,OAAO,IAAI,OAAO,IAAI,SAAS,EAAE,EAAE,YAAY,IAAK,QAAQ,IAAI,SAAS,EAAE,EAAE,YAAY,EAAE,MAAM,CAAC;AAAA,IAAG;AAAA,EAC5I;AAAA,EACA,cAAc;AAAA,EACd,cAAc;AAAA,IACZ,QAAa,CAAE,GAAI,KAAM;AAAA,IACzB,OAAa,CAAE,GAAI,KAAM;AAAA,IACzB,SAAa,CAAE,IAAI,KAAM;AAAA,IACzB,aAAa,CAAE,IAAI,KAAM;AAAA,EAC3B;AACF,CAAC;AAED,IAAI,qBAAqB,IAAI;AAAA;AAAA,EAE3B;AAOuB;AAEzB,SAAS,iBAAiB,MAAM;AAC9B,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,CAAC,mBAAmB,KAAK,IAAI;AAAA;AAAA,EAG7B,KAAK,KAAK,SAAS,CAAC,MAAM,KAAK;AACjC,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEA,SAAS,mBAAmB,MAAM;AAChC,MAAI,OAAO;AAEX,UAAS,KAAK,QAAQ,MAAM,EAAE,EAAE,YAAY;AAC5C,SAAS,MAAM,CAAC,MAAM,MAAM,KAAK;AAEjC,MAAI,KAAK,QAAQ,MAAM,CAAC,CAAC,KAAK,GAAG;AAC/B,YAAQ,MAAM,MAAM,CAAC;AAAA,EACvB;AAEA,MAAI,UAAU,QAAQ;AACpB,WAAQ,SAAS,IAAK,OAAO,oBAAoB,OAAO;AAAA,EAE1D,WAAW,UAAU,QAAQ;AAC3B,WAAO;AAAA,EACT;AACA,SAAO,OAAO,WAAW,OAAO,EAAE;AACpC;AAGA,IAAI,yBAAyB;AAE7B,SAAS,mBAAmB,QAAQ,OAAO;AACzC,MAAI;AAEJ,MAAI,MAAM,MAAM,GAAG;AACjB,YAAQ,OAAO;AAAA,MACb,KAAK;AAAa,eAAO;AAAA,MACzB,KAAK;AAAa,eAAO;AAAA,MACzB,KAAK;AAAa,eAAO;AAAA,IAC3B;AAAA,EACF,WAAW,OAAO,sBAAsB,QAAQ;AAC9C,YAAQ,OAAO;AAAA,MACb,KAAK;AAAa,eAAO;AAAA,MACzB,KAAK;AAAa,eAAO;AAAA,MACzB,KAAK;AAAa,eAAO;AAAA,IAC3B;AAAA,EACF,WAAW,OAAO,sBAAsB,QAAQ;AAC9C,YAAQ,OAAO;AAAA,MACb,KAAK;AAAa,eAAO;AAAA,MACzB,KAAK;AAAa,eAAO;AAAA,MACzB,KAAK;AAAa,eAAO;AAAA,IAC3B;AAAA,EACF,WAAW,OAAO,eAAe,MAAM,GAAG;AACxC,WAAO;AAAA,EACT;AAEA,QAAM,OAAO,SAAS,EAAE;AAKxB,SAAO,uBAAuB,KAAK,GAAG,IAAI,IAAI,QAAQ,KAAK,IAAI,IAAI;AACrE;AAEA,SAAS,QAAQ,QAAQ;AACvB,SAAQ,OAAO,UAAU,SAAS,KAAK,MAAM,MAAM,sBAC3C,SAAS,MAAM,KAAK,OAAO,eAAe,MAAM;AAC1D;AAEA,IAAI,QAAQ,IAAI,KAAK,2BAA2B;AAAA,EAC9C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,WAAW;AAAA,EACX,WAAW;AAAA,EACX,cAAc;AAChB,CAAC;AAED,IAAI,OAAO,SAAS,OAAO;AAAA,EACzB,UAAU;AAAA,IACR;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF,CAAC;AAED,IAAI,OAAO;AAEX,IAAI,mBAAmB,IAAI;AAAA,EACzB;AAEgB;AAElB,IAAI,wBAAwB,IAAI;AAAA,EAC9B;AASwB;AAE1B,SAAS,qBAAqB,MAAM;AAClC,MAAI,SAAS,KAAM,QAAO;AAC1B,MAAI,iBAAiB,KAAK,IAAI,MAAM,KAAM,QAAO;AACjD,MAAI,sBAAsB,KAAK,IAAI,MAAM,KAAM,QAAO;AACtD,SAAO;AACT;AAEA,SAAS,uBAAuB,MAAM;AACpC,MAAI,OAAO,MAAM,OAAO,KAAK,MAAM,QAAQ,QAAQ,WAAW,GAC1D,QAAQ,MAAM,SAAS,WAAW;AAEtC,UAAQ,iBAAiB,KAAK,IAAI;AAClC,MAAI,UAAU,KAAM,SAAQ,sBAAsB,KAAK,IAAI;AAE3D,MAAI,UAAU,KAAM,OAAM,IAAI,MAAM,oBAAoB;AAIxD,SAAO,CAAE,MAAM,CAAC;AAChB,UAAQ,CAAE,MAAM,CAAC,IAAK;AACtB,QAAM,CAAE,MAAM,CAAC;AAEf,MAAI,CAAC,MAAM,CAAC,GAAG;AACb,WAAO,IAAI,KAAK,KAAK,IAAI,MAAM,OAAO,GAAG,CAAC;AAAA,EAC5C;AAIA,SAAO,CAAE,MAAM,CAAC;AAChB,WAAS,CAAE,MAAM,CAAC;AAClB,WAAS,CAAE,MAAM,CAAC;AAElB,MAAI,MAAM,CAAC,GAAG;AACZ,eAAW,MAAM,CAAC,EAAE,MAAM,GAAG,CAAC;AAC9B,WAAO,SAAS,SAAS,GAAG;AAC1B,kBAAY;AAAA,IACd;AACA,eAAW,CAAC;AAAA,EACd;AAIA,MAAI,MAAM,CAAC,GAAG;AACZ,cAAU,CAAE,MAAM,EAAE;AACpB,gBAAY,EAAE,MAAM,EAAE,KAAK;AAC3B,aAAS,UAAU,KAAK,aAAa;AACrC,QAAI,MAAM,CAAC,MAAM,IAAK,SAAQ,CAAC;AAAA,EACjC;AAEA,SAAO,IAAI,KAAK,KAAK,IAAI,MAAM,OAAO,KAAK,MAAM,QAAQ,QAAQ,QAAQ,CAAC;AAE1E,MAAI,MAAO,MAAK,QAAQ,KAAK,QAAQ,IAAI,KAAK;AAE9C,SAAO;AACT;AAEA,SAAS,uBAAuB,QAAoB;AAClD,SAAO,OAAO,YAAY;AAC5B;AAEA,IAAI,YAAY,IAAI,KAAK,+BAA+B;AAAA,EACtD,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,YAAY;AAAA,EACZ,WAAW;AACb,CAAC;AAED,SAAS,iBAAiB,MAAM;AAC9B,SAAO,SAAS,QAAQ,SAAS;AACnC;AAEA,IAAI,QAAQ,IAAI,KAAK,2BAA2B;AAAA,EAC9C,MAAM;AAAA,EACN,SAAS;AACX,CAAC;AASD,IAAI,aAAa;AAGjB,SAAS,kBAAkB,MAAM;AAC/B,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,MAAM,KAAK,SAAS,GAAG,MAAM,KAAK,QAAQH,OAAM;AAGpD,OAAK,MAAM,GAAG,MAAM,KAAK,OAAO;AAC9B,WAAOA,KAAI,QAAQ,KAAK,OAAO,GAAG,CAAC;AAGnC,QAAI,OAAO,GAAI;AAGf,QAAI,OAAO,EAAG,QAAO;AAErB,cAAU;AAAA,EACZ;AAGA,SAAQ,SAAS,MAAO;AAC1B;AAEA,SAAS,oBAAoB,MAAM;AACjC,MAAI,KAAK,UACL,QAAQ,KAAK,QAAQ,YAAY,EAAE,GACnC,MAAM,MAAM,QACZA,OAAM,YACN,OAAO,GACP,SAAS,CAAC;AAId,OAAK,MAAM,GAAG,MAAM,KAAK,OAAO;AAC9B,QAAK,MAAM,MAAM,KAAM,KAAK;AAC1B,aAAO,KAAM,QAAQ,KAAM,GAAI;AAC/B,aAAO,KAAM,QAAQ,IAAK,GAAI;AAC9B,aAAO,KAAK,OAAO,GAAI;AAAA,IACzB;AAEA,WAAQ,QAAQ,IAAKA,KAAI,QAAQ,MAAM,OAAO,GAAG,CAAC;AAAA,EACpD;AAIA,aAAY,MAAM,IAAK;AAEvB,MAAI,aAAa,GAAG;AAClB,WAAO,KAAM,QAAQ,KAAM,GAAI;AAC/B,WAAO,KAAM,QAAQ,IAAK,GAAI;AAC9B,WAAO,KAAK,OAAO,GAAI;AAAA,EACzB,WAAW,aAAa,IAAI;AAC1B,WAAO,KAAM,QAAQ,KAAM,GAAI;AAC/B,WAAO,KAAM,QAAQ,IAAK,GAAI;AAAA,EAChC,WAAW,aAAa,IAAI;AAC1B,WAAO,KAAM,QAAQ,IAAK,GAAI;AAAA,EAChC;AAEA,SAAO,IAAI,WAAW,MAAM;AAC9B;AAEA,SAAS,oBAAoB,QAAoB;AAC/C,MAAI,SAAS,IAAI,OAAO,GAAG,KAAK,MAC5B,MAAM,OAAO,QACbA,OAAM;AAIV,OAAK,MAAM,GAAG,MAAM,KAAK,OAAO;AAC9B,QAAK,MAAM,MAAM,KAAM,KAAK;AAC1B,gBAAUA,KAAK,QAAQ,KAAM,EAAI;AACjC,gBAAUA,KAAK,QAAQ,KAAM,EAAI;AACjC,gBAAUA,KAAK,QAAQ,IAAK,EAAI;AAChC,gBAAUA,KAAI,OAAO,EAAI;AAAA,IAC3B;AAEA,YAAQ,QAAQ,KAAK,OAAO,GAAG;AAAA,EACjC;AAIA,SAAO,MAAM;AAEb,MAAI,SAAS,GAAG;AACd,cAAUA,KAAK,QAAQ,KAAM,EAAI;AACjC,cAAUA,KAAK,QAAQ,KAAM,EAAI;AACjC,cAAUA,KAAK,QAAQ,IAAK,EAAI;AAChC,cAAUA,KAAI,OAAO,EAAI;AAAA,EAC3B,WAAW,SAAS,GAAG;AACrB,cAAUA,KAAK,QAAQ,KAAM,EAAI;AACjC,cAAUA,KAAK,QAAQ,IAAK,EAAI;AAChC,cAAUA,KAAK,QAAQ,IAAK,EAAI;AAChC,cAAUA,KAAI,EAAE;AAAA,EAClB,WAAW,SAAS,GAAG;AACrB,cAAUA,KAAK,QAAQ,IAAK,EAAI;AAChC,cAAUA,KAAK,QAAQ,IAAK,EAAI;AAChC,cAAUA,KAAI,EAAE;AAChB,cAAUA,KAAI,EAAE;AAAA,EAClB;AAEA,SAAO;AACT;AAEA,SAAS,SAAS,KAAK;AACrB,SAAO,OAAO,UAAU,SAAS,KAAK,GAAG,MAAO;AAClD;AAEA,IAAI,SAAS,IAAI,KAAK,4BAA4B;AAAA,EAChD,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,WAAW;AAAA,EACX,WAAW;AACb,CAAC;AAED,IAAI,oBAAoB,OAAO,UAAU;AACzC,IAAI,cAAoB,OAAO,UAAU;AAEzC,SAAS,gBAAgB,MAAM;AAC7B,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,aAAa,CAAC,GAAG,OAAO,QAAQ,MAAM,SAAS,YAC/C,SAAS;AAEb,OAAK,QAAQ,GAAG,SAAS,OAAO,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAClE,WAAO,OAAO,KAAK;AACnB,iBAAa;AAEb,QAAI,YAAY,KAAK,IAAI,MAAM,kBAAmB,QAAO;AAEzD,SAAK,WAAW,MAAM;AACpB,UAAI,kBAAkB,KAAK,MAAM,OAAO,GAAG;AACzC,YAAI,CAAC,WAAY,cAAa;AAAA,YACzB,QAAO;AAAA,MACd;AAAA,IACF;AAEA,QAAI,CAAC,WAAY,QAAO;AAExB,QAAI,WAAW,QAAQ,OAAO,MAAM,GAAI,YAAW,KAAK,OAAO;AAAA,QAC1D,QAAO;AAAA,EACd;AAEA,SAAO;AACT;AAEA,SAAS,kBAAkB,MAAM;AAC/B,SAAO,SAAS,OAAO,OAAO,CAAC;AACjC;AAEA,IAAI,OAAO,IAAI,KAAK,0BAA0B;AAAA,EAC5C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AACb,CAAC;AAED,IAAI,cAAc,OAAO,UAAU;AAEnC,SAAS,iBAAiB,MAAM;AAC9B,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,OAAO,QAAQ,MAAM,MAAM,QAC3B,SAAS;AAEb,WAAS,IAAI,MAAM,OAAO,MAAM;AAEhC,OAAK,QAAQ,GAAG,SAAS,OAAO,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAClE,WAAO,OAAO,KAAK;AAEnB,QAAI,YAAY,KAAK,IAAI,MAAM,kBAAmB,QAAO;AAEzD,WAAO,OAAO,KAAK,IAAI;AAEvB,QAAI,KAAK,WAAW,EAAG,QAAO;AAE9B,WAAO,KAAK,IAAI,CAAE,KAAK,CAAC,GAAG,KAAK,KAAK,CAAC,CAAC,CAAE;AAAA,EAC3C;AAEA,SAAO;AACT;AAEA,SAAS,mBAAmB,MAAM;AAChC,MAAI,SAAS,KAAM,QAAO,CAAC;AAE3B,MAAI,OAAO,QAAQ,MAAM,MAAM,QAC3B,SAAS;AAEb,WAAS,IAAI,MAAM,OAAO,MAAM;AAEhC,OAAK,QAAQ,GAAG,SAAS,OAAO,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAClE,WAAO,OAAO,KAAK;AAEnB,WAAO,OAAO,KAAK,IAAI;AAEvB,WAAO,KAAK,IAAI,CAAE,KAAK,CAAC,GAAG,KAAK,KAAK,CAAC,CAAC,CAAE;AAAA,EAC3C;AAEA,SAAO;AACT;AAEA,IAAI,QAAQ,IAAI,KAAK,2BAA2B;AAAA,EAC9C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AACb,CAAC;AAED,IAAI,oBAAoB,OAAO,UAAU;AAEzC,SAAS,eAAe,MAAM;AAC5B,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,KAAK,SAAS;AAElB,OAAK,OAAO,QAAQ;AAClB,QAAI,kBAAkB,KAAK,QAAQ,GAAG,GAAG;AACvC,UAAI,OAAO,GAAG,MAAM,KAAM,QAAO;AAAA,IACnC;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,iBAAiB,MAAM;AAC9B,SAAO,SAAS,OAAO,OAAO,CAAC;AACjC;AAEA,IAAI,MAAM,IAAI,KAAK,yBAAyB;AAAA,EAC1C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AACb,CAAC;AAED,IAAI,WAAW,KAAK,OAAO;AAAA,EACzB,UAAU;AAAA,IACR;AAAA,IACA;AAAA,EACF;AAAA,EACA,UAAU;AAAA,IACR;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF,CAAC;AAUD,IAAI,oBAAoB,OAAO,UAAU;AAGzC,IAAI,kBAAoB;AACxB,IAAI,mBAAoB;AACxB,IAAI,mBAAoB;AACxB,IAAI,oBAAoB;AAGxB,IAAI,gBAAiB;AACrB,IAAI,iBAAiB;AACrB,IAAI,gBAAiB;AAGrB,IAAI,wBAAgC;AACpC,IAAI,gCAAgC;AACpC,IAAI,0BAAgC;AACpC,IAAI,qBAAgC;AACpC,IAAI,kBAAgC;AAGpC,SAAS,OAAO,KAAK;AAAE,SAAO,OAAO,UAAU,SAAS,KAAK,GAAG;AAAG;AAEnE,SAAS,OAAO,GAAG;AACjB,SAAQ,MAAM,MAAkB,MAAM;AACxC;AAEA,SAAS,eAAe,GAAG;AACzB,SAAQ,MAAM,KAAmB,MAAM;AACzC;AAEA,SAAS,aAAa,GAAG;AACvB,SAAQ,MAAM,KACN,MAAM,MACN,MAAM,MACN,MAAM;AAChB;AAEA,SAAS,kBAAkB,GAAG;AAC5B,SAAO,MAAM,MACN,MAAM,MACN,MAAM,MACN,MAAM,OACN,MAAM;AACf;AAEA,SAAS,YAAY,GAAG;AACtB,MAAI;AAEJ,MAAK,MAAe,KAAO,KAAK,IAAc;AAC5C,WAAO,IAAI;AAAA,EACb;AAGA,OAAK,IAAI;AAET,MAAK,MAAe,MAAQ,MAAM,KAAc;AAC9C,WAAO,KAAK,KAAO;AAAA,EACrB;AAEA,SAAO;AACT;AAEA,SAAS,cAAc,GAAG;AACxB,MAAI,MAAM,KAAa;AAAE,WAAO;AAAA,EAAG;AACnC,MAAI,MAAM,KAAa;AAAE,WAAO;AAAA,EAAG;AACnC,MAAI,MAAM,IAAa;AAAE,WAAO;AAAA,EAAG;AACnC,SAAO;AACT;AAEA,SAAS,gBAAgB,GAAG;AAC1B,MAAK,MAAe,KAAO,KAAK,IAAc;AAC5C,WAAO,IAAI;AAAA,EACb;AAEA,SAAO;AACT;AAEA,SAAS,qBAAqB,GAAG;AAE/B,SAAQ,MAAM,KAAe,OACtB,MAAM,KAAe,SACrB,MAAM,KAAe,OACrB,MAAM,MAAe,MACrB,MAAM,IAAiB,MACvB,MAAM,MAAe,OACrB,MAAM,MAAe,OACrB,MAAM,MAAe,OACrB,MAAM,MAAe,OACrB,MAAM,MAAe,SACrB,MAAM,KAAmB,MACzB,MAAM,KAAe,MACrB,MAAM,KAAe,MACrB,MAAM,KAAe,OACrB,MAAM,KAAe,SACrB,MAAM,KAAe,SACrB,MAAM,KAAe,WACrB,MAAM,KAAe,WAAW;AACzC;AAEA,SAAS,kBAAkB,GAAG;AAC5B,MAAI,KAAK,OAAQ;AACf,WAAO,OAAO,aAAa,CAAC;AAAA,EAC9B;AAGA,SAAO,OAAO;AAAA,KACV,IAAI,SAAa,MAAM;AAAA,KACvB,IAAI,QAAY,QAAU;AAAA,EAC9B;AACF;AAIA,SAAS,YAAY,QAAQ,KAAK,OAAO;AAEvC,MAAI,QAAQ,aAAa;AACvB,WAAO,eAAe,QAAQ,KAAK;AAAA,MACjC,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,UAAU;AAAA,MACV;AAAA,IACF,CAAC;AAAA,EACH,OAAO;AACL,WAAO,GAAG,IAAI;AAAA,EAChB;AACF;AAEA,IAAI,oBAAoB,IAAI,MAAM,GAAG;AACrC,IAAI,kBAAkB,IAAI,MAAM,GAAG;AACnC,KAAS,IAAI,GAAG,IAAI,KAAK,KAAK;AAC5B,oBAAkB,CAAC,IAAI,qBAAqB,CAAC,IAAI,IAAI;AACrD,kBAAgB,CAAC,IAAI,qBAAqB,CAAC;AAC7C;AAHS;AAMT,SAAS,QAAQ,OAAO,SAAS;AAC/B,OAAK,QAAQ;AAEb,OAAK,WAAY,QAAQ,UAAU,KAAM;AACzC,OAAK,SAAY,QAAQ,QAAQ,KAAQ;AACzC,OAAK,YAAY,QAAQ,WAAW,KAAK;AAGzC,OAAK,SAAY,QAAQ,QAAQ,KAAQ;AAEzC,OAAK,OAAY,QAAQ,MAAM,KAAU;AACzC,OAAK,WAAY,QAAQ,UAAU,KAAM;AAEzC,OAAK,gBAAgB,KAAK,OAAO;AACjC,OAAK,UAAgB,KAAK,OAAO;AAEjC,OAAK,SAAa,MAAM;AACxB,OAAK,WAAa;AAClB,OAAK,OAAa;AAClB,OAAK,YAAa;AAClB,OAAK,aAAa;AAIlB,OAAK,iBAAiB;AAEtB,OAAK,YAAY,CAAC;AAYpB;AAGA,SAAS,cAAc,OAAO,SAAS;AACrC,MAAI,OAAO;AAAA,IACT,MAAU,MAAM;AAAA,IAChB,QAAU,MAAM,MAAM,MAAM,GAAG,EAAE;AAAA;AAAA,IACjC,UAAU,MAAM;AAAA,IAChB,MAAU,MAAM;AAAA,IAChB,QAAU,MAAM,WAAW,MAAM;AAAA,EACnC;AAEA,OAAK,UAAU,QAAQ,IAAI;AAE3B,SAAO,IAAI,UAAU,SAAS,IAAI;AACpC;AAEA,SAAS,WAAW,OAAO,SAAS;AAClC,QAAM,cAAc,OAAO,OAAO;AACpC;AAEA,SAAS,aAAa,OAAO,SAAS;AACpC,MAAI,MAAM,WAAW;AACnB,UAAM,UAAU,KAAK,MAAM,cAAc,OAAO,OAAO,CAAC;AAAA,EAC1D;AACF;AAGA,IAAI,oBAAoB;AAAA,EAEtB,MAAM,SAAS,oBAAoB,OAAO,MAAM,MAAM;AAEpD,QAAI,OAAO,OAAO;AAElB,QAAI,MAAM,YAAY,MAAM;AAC1B,iBAAW,OAAO,gCAAgC;AAAA,IACpD;AAEA,QAAI,KAAK,WAAW,GAAG;AACrB,iBAAW,OAAO,6CAA6C;AAAA,IACjE;AAEA,YAAQ,uBAAuB,KAAK,KAAK,CAAC,CAAC;AAE3C,QAAI,UAAU,MAAM;AAClB,iBAAW,OAAO,2CAA2C;AAAA,IAC/D;AAEA,YAAQ,SAAS,MAAM,CAAC,GAAG,EAAE;AAC7B,YAAQ,SAAS,MAAM,CAAC,GAAG,EAAE;AAE7B,QAAI,UAAU,GAAG;AACf,iBAAW,OAAO,2CAA2C;AAAA,IAC/D;AAEA,UAAM,UAAU,KAAK,CAAC;AACtB,UAAM,kBAAmB,QAAQ;AAEjC,QAAI,UAAU,KAAK,UAAU,GAAG;AAC9B,mBAAa,OAAO,0CAA0C;AAAA,IAChE;AAAA,EACF;AAAA,EAEA,KAAK,SAAS,mBAAmB,OAAO,MAAM,MAAM;AAElD,QAAI,QAAQ;AAEZ,QAAI,KAAK,WAAW,GAAG;AACrB,iBAAW,OAAO,6CAA6C;AAAA,IACjE;AAEA,aAAS,KAAK,CAAC;AACf,aAAS,KAAK,CAAC;AAEf,QAAI,CAAC,mBAAmB,KAAK,MAAM,GAAG;AACpC,iBAAW,OAAO,6DAA6D;AAAA,IACjF;AAEA,QAAI,kBAAkB,KAAK,MAAM,QAAQ,MAAM,GAAG;AAChD,iBAAW,OAAO,gDAAgD,SAAS,cAAc;AAAA,IAC3F;AAEA,QAAI,CAAC,gBAAgB,KAAK,MAAM,GAAG;AACjC,iBAAW,OAAO,8DAA8D;AAAA,IAClF;AAEA,QAAI;AACF,eAAS,mBAAmB,MAAM;AAAA,IACpC,SAAS,KAAK;AACZ,iBAAW,OAAO,8BAA8B,MAAM;AAAA,IACxD;AAEA,UAAM,OAAO,MAAM,IAAI;AAAA,EACzB;AACF;AAGA,SAAS,eAAe,OAAO,OAAO,KAAK,WAAW;AACpD,MAAI,WAAW,SAAS,YAAY;AAEpC,MAAI,QAAQ,KAAK;AACf,cAAU,MAAM,MAAM,MAAM,OAAO,GAAG;AAEtC,QAAI,WAAW;AACb,WAAK,YAAY,GAAG,UAAU,QAAQ,QAAQ,YAAY,SAAS,aAAa,GAAG;AACjF,qBAAa,QAAQ,WAAW,SAAS;AACzC,YAAI,EAAE,eAAe,KACd,MAAQ,cAAc,cAAc,UAAY;AACrD,qBAAW,OAAO,+BAA+B;AAAA,QACnD;AAAA,MACF;AAAA,IACF,WAAW,sBAAsB,KAAK,OAAO,GAAG;AAC9C,iBAAW,OAAO,8CAA8C;AAAA,IAClE;AAEA,UAAM,UAAU;AAAA,EAClB;AACF;AAEA,SAAS,cAAc,OAAO,aAAa,QAAQ,iBAAiB;AAClE,MAAI,YAAY,KAAK,OAAO;AAE5B,MAAI,CAAC,OAAO,SAAS,MAAM,GAAG;AAC5B,eAAW,OAAO,mEAAmE;AAAA,EACvF;AAEA,eAAa,OAAO,KAAK,MAAM;AAE/B,OAAK,QAAQ,GAAG,WAAW,WAAW,QAAQ,QAAQ,UAAU,SAAS,GAAG;AAC1E,UAAM,WAAW,KAAK;AAEtB,QAAI,CAAC,kBAAkB,KAAK,aAAa,GAAG,GAAG;AAC7C,kBAAY,aAAa,KAAK,OAAO,GAAG,CAAC;AACzC,sBAAgB,GAAG,IAAI;AAAA,IACzB;AAAA,EACF;AACF;AAEA,SAAS,iBAAiB,OAAO,SAAS,iBAAiB,QAAQ,SAAS,WAC1E,WAAW,gBAAgB,UAAU;AAErC,MAAI,OAAO;AAKX,MAAI,MAAM,QAAQ,OAAO,GAAG;AAC1B,cAAU,MAAM,UAAU,MAAM,KAAK,OAAO;AAE5C,SAAK,QAAQ,GAAG,WAAW,QAAQ,QAAQ,QAAQ,UAAU,SAAS,GAAG;AACvE,UAAI,MAAM,QAAQ,QAAQ,KAAK,CAAC,GAAG;AACjC,mBAAW,OAAO,6CAA6C;AAAA,MACjE;AAEA,UAAI,OAAO,YAAY,YAAY,OAAO,QAAQ,KAAK,CAAC,MAAM,mBAAmB;AAC/E,gBAAQ,KAAK,IAAI;AAAA,MACnB;AAAA,IACF;AAAA,EACF;AAKA,MAAI,OAAO,YAAY,YAAY,OAAO,OAAO,MAAM,mBAAmB;AACxE,cAAU;AAAA,EACZ;AAGA,YAAU,OAAO,OAAO;AAExB,MAAI,YAAY,MAAM;AACpB,cAAU,CAAC;AAAA,EACb;AAEA,MAAI,WAAW,2BAA2B;AACxC,QAAI,MAAM,QAAQ,SAAS,GAAG;AAC5B,WAAK,QAAQ,GAAG,WAAW,UAAU,QAAQ,QAAQ,UAAU,SAAS,GAAG;AACzE,sBAAc,OAAO,SAAS,UAAU,KAAK,GAAG,eAAe;AAAA,MACjE;AAAA,IACF,OAAO;AACL,oBAAc,OAAO,SAAS,WAAW,eAAe;AAAA,IAC1D;AAAA,EACF,OAAO;AACL,QAAI,CAAC,MAAM,QACP,CAAC,kBAAkB,KAAK,iBAAiB,OAAO,KAChD,kBAAkB,KAAK,SAAS,OAAO,GAAG;AAC5C,YAAM,OAAO,aAAa,MAAM;AAChC,YAAM,YAAY,kBAAkB,MAAM;AAC1C,YAAM,WAAW,YAAY,MAAM;AACnC,iBAAW,OAAO,wBAAwB;AAAA,IAC5C;AAEA,gBAAY,SAAS,SAAS,SAAS;AACvC,WAAO,gBAAgB,OAAO;AAAA,EAChC;AAEA,SAAO;AACT;AAEA,SAAS,cAAc,OAAO;AAC5B,MAAI;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,IAAc;AACvB,UAAM;AAAA,EACR,WAAW,OAAO,IAAc;AAC9B,UAAM;AACN,QAAI,MAAM,MAAM,WAAW,MAAM,QAAQ,MAAM,IAAc;AAC3D,YAAM;AAAA,IACR;AAAA,EACF,OAAO;AACL,eAAW,OAAO,0BAA0B;AAAA,EAC9C;AAEA,QAAM,QAAQ;AACd,QAAM,YAAY,MAAM;AACxB,QAAM,iBAAiB;AACzB;AAEA,SAAS,oBAAoB,OAAO,eAAe,aAAa;AAC9D,MAAI,aAAa,GACb,KAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE9C,SAAO,OAAO,GAAG;AACf,WAAO,eAAe,EAAE,GAAG;AACzB,UAAI,OAAO,KAAiB,MAAM,mBAAmB,IAAI;AACvD,cAAM,iBAAiB,MAAM;AAAA,MAC/B;AACA,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C;AAEA,QAAI,iBAAiB,OAAO,IAAa;AACvC,SAAG;AACD,aAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,MAC9C,SAAS,OAAO,MAAgB,OAAO,MAAgB,OAAO;AAAA,IAChE;AAEA,QAAI,OAAO,EAAE,GAAG;AACd,oBAAc,KAAK;AAEnB,WAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAC1C;AACA,YAAM,aAAa;AAEnB,aAAO,OAAO,IAAiB;AAC7B,cAAM;AACN,aAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,MAC9C;AAAA,IACF,OAAO;AACL;AAAA,IACF;AAAA,EACF;AAEA,MAAI,gBAAgB,MAAM,eAAe,KAAK,MAAM,aAAa,aAAa;AAC5E,iBAAa,OAAO,uBAAuB;AAAA,EAC7C;AAEA,SAAO;AACT;AAEA,SAAS,sBAAsB,OAAO;AACpC,MAAI,YAAY,MAAM,UAClB;AAEJ,OAAK,MAAM,MAAM,WAAW,SAAS;AAIrC,OAAK,OAAO,MAAe,OAAO,OAC9B,OAAO,MAAM,MAAM,WAAW,YAAY,CAAC,KAC3C,OAAO,MAAM,MAAM,WAAW,YAAY,CAAC,GAAG;AAEhD,iBAAa;AAEb,SAAK,MAAM,MAAM,WAAW,SAAS;AAErC,QAAI,OAAO,KAAK,aAAa,EAAE,GAAG;AAChC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,iBAAiB,OAAO,OAAO;AACtC,MAAI,UAAU,GAAG;AACf,UAAM,UAAU;AAAA,EAClB,WAAW,QAAQ,GAAG;AACpB,UAAM,UAAU,OAAO,OAAO,MAAM,QAAQ,CAAC;AAAA,EAC/C;AACF;AAGA,SAAS,gBAAgB,OAAO,YAAY,sBAAsB;AAChE,MAAI,WACA,WACA,cACA,YACA,mBACA,OACA,YACA,aACA,QAAQ,MAAM,MACd,UAAU,MAAM,QAChB;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,aAAa,EAAE,KACf,kBAAkB,EAAE,KACpB,OAAO,MACP,OAAO,MACP,OAAO,MACP,OAAO,MACP,OAAO,OACP,OAAO,MACP,OAAO,MACP,OAAO,MACP,OAAO,MACP,OAAO,MACP,OAAO,IAAa;AACtB,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAe,OAAO,IAAa;AAC5C,gBAAY,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC;AAErD,QAAI,aAAa,SAAS,KACtB,wBAAwB,kBAAkB,SAAS,GAAG;AACxD,aAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,OAAO;AACb,QAAM,SAAS;AACf,iBAAe,aAAa,MAAM;AAClC,sBAAoB;AAEpB,SAAO,OAAO,GAAG;AACf,QAAI,OAAO,IAAa;AACtB,kBAAY,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC;AAErD,UAAI,aAAa,SAAS,KACtB,wBAAwB,kBAAkB,SAAS,GAAG;AACxD;AAAA,MACF;AAAA,IAEF,WAAW,OAAO,IAAa;AAC7B,kBAAY,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC;AAErD,UAAI,aAAa,SAAS,GAAG;AAC3B;AAAA,MACF;AAAA,IAEF,WAAY,MAAM,aAAa,MAAM,aAAa,sBAAsB,KAAK,KAClE,wBAAwB,kBAAkB,EAAE,GAAG;AACxD;AAAA,IAEF,WAAW,OAAO,EAAE,GAAG;AACrB,cAAQ,MAAM;AACd,mBAAa,MAAM;AACnB,oBAAc,MAAM;AACpB,0BAAoB,OAAO,OAAO,EAAE;AAEpC,UAAI,MAAM,cAAc,YAAY;AAClC,4BAAoB;AACpB,aAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAC1C;AAAA,MACF,OAAO;AACL,cAAM,WAAW;AACjB,cAAM,OAAO;AACb,cAAM,YAAY;AAClB,cAAM,aAAa;AACnB;AAAA,MACF;AAAA,IACF;AAEA,QAAI,mBAAmB;AACrB,qBAAe,OAAO,cAAc,YAAY,KAAK;AACrD,uBAAiB,OAAO,MAAM,OAAO,KAAK;AAC1C,qBAAe,aAAa,MAAM;AAClC,0BAAoB;AAAA,IACtB;AAEA,QAAI,CAAC,eAAe,EAAE,GAAG;AACvB,mBAAa,MAAM,WAAW;AAAA,IAChC;AAEA,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,EAC9C;AAEA,iBAAe,OAAO,cAAc,YAAY,KAAK;AAErD,MAAI,MAAM,QAAQ;AAChB,WAAO;AAAA,EACT;AAEA,QAAM,OAAO;AACb,QAAM,SAAS;AACf,SAAO;AACT;AAEA,SAAS,uBAAuB,OAAO,YAAY;AACjD,MAAI,IACA,cAAc;AAElB,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,IAAa;AACtB,WAAO;AAAA,EACT;AAEA,QAAM,OAAO;AACb,QAAM,SAAS;AACf,QAAM;AACN,iBAAe,aAAa,MAAM;AAElC,UAAQ,KAAK,MAAM,MAAM,WAAW,MAAM,QAAQ,OAAO,GAAG;AAC1D,QAAI,OAAO,IAAa;AACtB,qBAAe,OAAO,cAAc,MAAM,UAAU,IAAI;AACxD,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,UAAI,OAAO,IAAa;AACtB,uBAAe,MAAM;AACrB,cAAM;AACN,qBAAa,MAAM;AAAA,MACrB,OAAO;AACL,eAAO;AAAA,MACT;AAAA,IAEF,WAAW,OAAO,EAAE,GAAG;AACrB,qBAAe,OAAO,cAAc,YAAY,IAAI;AACpD,uBAAiB,OAAO,oBAAoB,OAAO,OAAO,UAAU,CAAC;AACrE,qBAAe,aAAa,MAAM;AAAA,IAEpC,WAAW,MAAM,aAAa,MAAM,aAAa,sBAAsB,KAAK,GAAG;AAC7E,iBAAW,OAAO,8DAA8D;AAAA,IAElF,OAAO;AACL,YAAM;AACN,mBAAa,MAAM;AAAA,IACrB;AAAA,EACF;AAEA,aAAW,OAAO,4DAA4D;AAChF;AAEA,SAAS,uBAAuB,OAAO,YAAY;AACjD,MAAI,cACA,YACA,WACA,WACA,KACA;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,IAAa;AACtB,WAAO;AAAA,EACT;AAEA,QAAM,OAAO;AACb,QAAM,SAAS;AACf,QAAM;AACN,iBAAe,aAAa,MAAM;AAElC,UAAQ,KAAK,MAAM,MAAM,WAAW,MAAM,QAAQ,OAAO,GAAG;AAC1D,QAAI,OAAO,IAAa;AACtB,qBAAe,OAAO,cAAc,MAAM,UAAU,IAAI;AACxD,YAAM;AACN,aAAO;AAAA,IAET,WAAW,OAAO,IAAa;AAC7B,qBAAe,OAAO,cAAc,MAAM,UAAU,IAAI;AACxD,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,UAAI,OAAO,EAAE,GAAG;AACd,4BAAoB,OAAO,OAAO,UAAU;AAAA,MAG9C,WAAW,KAAK,OAAO,kBAAkB,EAAE,GAAG;AAC5C,cAAM,UAAU,gBAAgB,EAAE;AAClC,cAAM;AAAA,MAER,YAAY,MAAM,cAAc,EAAE,KAAK,GAAG;AACxC,oBAAY;AACZ,oBAAY;AAEZ,eAAO,YAAY,GAAG,aAAa;AACjC,eAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,eAAK,MAAM,YAAY,EAAE,MAAM,GAAG;AAChC,yBAAa,aAAa,KAAK;AAAA,UAEjC,OAAO;AACL,uBAAW,OAAO,gCAAgC;AAAA,UACpD;AAAA,QACF;AAEA,cAAM,UAAU,kBAAkB,SAAS;AAE3C,cAAM;AAAA,MAER,OAAO;AACL,mBAAW,OAAO,yBAAyB;AAAA,MAC7C;AAEA,qBAAe,aAAa,MAAM;AAAA,IAEpC,WAAW,OAAO,EAAE,GAAG;AACrB,qBAAe,OAAO,cAAc,YAAY,IAAI;AACpD,uBAAiB,OAAO,oBAAoB,OAAO,OAAO,UAAU,CAAC;AACrE,qBAAe,aAAa,MAAM;AAAA,IAEpC,WAAW,MAAM,aAAa,MAAM,aAAa,sBAAsB,KAAK,GAAG;AAC7E,iBAAW,OAAO,8DAA8D;AAAA,IAElF,OAAO;AACL,YAAM;AACN,mBAAa,MAAM;AAAA,IACrB;AAAA,EACF;AAEA,aAAW,OAAO,4DAA4D;AAChF;AAEA,SAAS,mBAAmB,OAAO,YAAY;AAC7C,MAAI,WAAW,MACX,OACA,YACA,MACA,OAAW,MAAM,KACjB,SACA,UAAW,MAAM,QACjB,WACA,YACA,QACA,gBACA,WACA,kBAAkB,uBAAO,OAAO,IAAI,GACpC,SACA,QACA,WACA;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,IAAa;AACtB,iBAAa;AACb,gBAAY;AACZ,cAAU,CAAC;AAAA,EACb,WAAW,OAAO,KAAa;AAC7B,iBAAa;AACb,gBAAY;AACZ,cAAU,CAAC;AAAA,EACb,OAAO;AACL,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,WAAW,MAAM;AACzB,UAAM,UAAU,MAAM,MAAM,IAAI;AAAA,EAClC;AAEA,OAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,SAAO,OAAO,GAAG;AACf,wBAAoB,OAAO,MAAM,UAAU;AAE3C,SAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,QAAI,OAAO,YAAY;AACrB,YAAM;AACN,YAAM,MAAM;AACZ,YAAM,SAAS;AACf,YAAM,OAAO,YAAY,YAAY;AACrC,YAAM,SAAS;AACf,aAAO;AAAA,IACT,WAAW,CAAC,UAAU;AACpB,iBAAW,OAAO,8CAA8C;AAAA,IAClE,WAAW,OAAO,IAAa;AAE7B,iBAAW,OAAO,0CAA0C;AAAA,IAC9D;AAEA,aAAS,UAAU,YAAY;AAC/B,aAAS,iBAAiB;AAE1B,QAAI,OAAO,IAAa;AACtB,kBAAY,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC;AAErD,UAAI,aAAa,SAAS,GAAG;AAC3B,iBAAS,iBAAiB;AAC1B,cAAM;AACN,4BAAoB,OAAO,MAAM,UAAU;AAAA,MAC7C;AAAA,IACF;AAEA,YAAQ,MAAM;AACd,iBAAa,MAAM;AACnB,WAAO,MAAM;AACb,gBAAY,OAAO,YAAY,iBAAiB,OAAO,IAAI;AAC3D,aAAS,MAAM;AACf,cAAU,MAAM;AAChB,wBAAoB,OAAO,MAAM,UAAU;AAE3C,SAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,SAAK,kBAAkB,MAAM,SAAS,UAAU,OAAO,IAAa;AAClE,eAAS;AACT,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAC5C,0BAAoB,OAAO,MAAM,UAAU;AAC3C,kBAAY,OAAO,YAAY,iBAAiB,OAAO,IAAI;AAC3D,kBAAY,MAAM;AAAA,IACpB;AAEA,QAAI,WAAW;AACb,uBAAiB,OAAO,SAAS,iBAAiB,QAAQ,SAAS,WAAW,OAAO,YAAY,IAAI;AAAA,IACvG,WAAW,QAAQ;AACjB,cAAQ,KAAK,iBAAiB,OAAO,MAAM,iBAAiB,QAAQ,SAAS,WAAW,OAAO,YAAY,IAAI,CAAC;AAAA,IAClH,OAAO;AACL,cAAQ,KAAK,OAAO;AAAA,IACtB;AAEA,wBAAoB,OAAO,MAAM,UAAU;AAE3C,SAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,QAAI,OAAO,IAAa;AACtB,iBAAW;AACX,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C,OAAO;AACL,iBAAW;AAAA,IACb;AAAA,EACF;AAEA,aAAW,OAAO,uDAAuD;AAC3E;AAEA,SAAS,gBAAgB,OAAO,YAAY;AAC1C,MAAI,cACA,SACA,WAAiB,eACjB,iBAAiB,OACjB,iBAAiB,OACjB,aAAiB,YACjB,aAAiB,GACjB,iBAAiB,OACjB,KACA;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,KAAa;AACtB,cAAU;AAAA,EACZ,WAAW,OAAO,IAAa;AAC7B,cAAU;AAAA,EACZ,OAAO;AACL,WAAO;AAAA,EACT;AAEA,QAAM,OAAO;AACb,QAAM,SAAS;AAEf,SAAO,OAAO,GAAG;AACf,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,QAAI,OAAO,MAAe,OAAO,IAAa;AAC5C,UAAI,kBAAkB,UAAU;AAC9B,mBAAY,OAAO,KAAe,gBAAgB;AAAA,MACpD,OAAO;AACL,mBAAW,OAAO,sCAAsC;AAAA,MAC1D;AAAA,IAEF,YAAY,MAAM,gBAAgB,EAAE,MAAM,GAAG;AAC3C,UAAI,QAAQ,GAAG;AACb,mBAAW,OAAO,8EAA8E;AAAA,MAClG,WAAW,CAAC,gBAAgB;AAC1B,qBAAa,aAAa,MAAM;AAChC,yBAAiB;AAAA,MACnB,OAAO;AACL,mBAAW,OAAO,2CAA2C;AAAA,MAC/D;AAAA,IAEF,OAAO;AACL;AAAA,IACF;AAAA,EACF;AAEA,MAAI,eAAe,EAAE,GAAG;AACtB,OAAG;AAAE,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAAG,SAC7C,eAAe,EAAE;AAExB,QAAI,OAAO,IAAa;AACtB,SAAG;AAAE,aAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,MAAG,SAC7C,CAAC,OAAO,EAAE,KAAM,OAAO;AAAA,IAChC;AAAA,EACF;AAEA,SAAO,OAAO,GAAG;AACf,kBAAc,KAAK;AACnB,UAAM,aAAa;AAEnB,SAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,YAAQ,CAAC,kBAAkB,MAAM,aAAa,eACtC,OAAO,IAAkB;AAC/B,YAAM;AACN,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C;AAEA,QAAI,CAAC,kBAAkB,MAAM,aAAa,YAAY;AACpD,mBAAa,MAAM;AAAA,IACrB;AAEA,QAAI,OAAO,EAAE,GAAG;AACd;AACA;AAAA,IACF;AAGA,QAAI,MAAM,aAAa,YAAY;AAGjC,UAAI,aAAa,eAAe;AAC9B,cAAM,UAAU,OAAO,OAAO,MAAM,iBAAiB,IAAI,aAAa,UAAU;AAAA,MAClF,WAAW,aAAa,eAAe;AACrC,YAAI,gBAAgB;AAClB,gBAAM,UAAU;AAAA,QAClB;AAAA,MACF;AAGA;AAAA,IACF;AAGA,QAAI,SAAS;AAGX,UAAI,eAAe,EAAE,GAAG;AACtB,yBAAiB;AAEjB,cAAM,UAAU,OAAO,OAAO,MAAM,iBAAiB,IAAI,aAAa,UAAU;AAAA,MAGlF,WAAW,gBAAgB;AACzB,yBAAiB;AACjB,cAAM,UAAU,OAAO,OAAO,MAAM,aAAa,CAAC;AAAA,MAGpD,WAAW,eAAe,GAAG;AAC3B,YAAI,gBAAgB;AAClB,gBAAM,UAAU;AAAA,QAClB;AAAA,MAGF,OAAO;AACL,cAAM,UAAU,OAAO,OAAO,MAAM,UAAU;AAAA,MAChD;AAAA,IAGF,OAAO;AAEL,YAAM,UAAU,OAAO,OAAO,MAAM,iBAAiB,IAAI,aAAa,UAAU;AAAA,IAClF;AAEA,qBAAiB;AACjB,qBAAiB;AACjB,iBAAa;AACb,mBAAe,MAAM;AAErB,WAAO,CAAC,OAAO,EAAE,KAAM,OAAO,GAAI;AAChC,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C;AAEA,mBAAe,OAAO,cAAc,MAAM,UAAU,KAAK;AAAA,EAC3D;AAEA,SAAO;AACT;AAEA,SAAS,kBAAkB,OAAO,YAAY;AAC5C,MAAI,OACA,OAAY,MAAM,KAClB,UAAY,MAAM,QAClB,UAAY,CAAC,GACb,WACA,WAAY,OACZ;AAIJ,MAAI,MAAM,mBAAmB,GAAI,QAAO;AAExC,MAAI,MAAM,WAAW,MAAM;AACzB,UAAM,UAAU,MAAM,MAAM,IAAI;AAAA,EAClC;AAEA,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,SAAO,OAAO,GAAG;AACf,QAAI,MAAM,mBAAmB,IAAI;AAC/B,YAAM,WAAW,MAAM;AACvB,iBAAW,OAAO,gDAAgD;AAAA,IACpE;AAEA,QAAI,OAAO,IAAa;AACtB;AAAA,IACF;AAEA,gBAAY,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC;AAErD,QAAI,CAAC,aAAa,SAAS,GAAG;AAC5B;AAAA,IACF;AAEA,eAAW;AACX,UAAM;AAEN,QAAI,oBAAoB,OAAO,MAAM,EAAE,GAAG;AACxC,UAAI,MAAM,cAAc,YAAY;AAClC,gBAAQ,KAAK,IAAI;AACjB,aAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAC1C;AAAA,MACF;AAAA,IACF;AAEA,YAAQ,MAAM;AACd,gBAAY,OAAO,YAAY,kBAAkB,OAAO,IAAI;AAC5D,YAAQ,KAAK,MAAM,MAAM;AACzB,wBAAoB,OAAO,MAAM,EAAE;AAEnC,SAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,SAAK,MAAM,SAAS,SAAS,MAAM,aAAa,eAAgB,OAAO,GAAI;AACzE,iBAAW,OAAO,qCAAqC;AAAA,IACzD,WAAW,MAAM,aAAa,YAAY;AACxC;AAAA,IACF;AAAA,EACF;AAEA,MAAI,UAAU;AACZ,UAAM,MAAM;AACZ,UAAM,SAAS;AACf,UAAM,OAAO;AACb,UAAM,SAAS;AACf,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,iBAAiB,OAAO,YAAY,YAAY;AACvD,MAAI,WACA,cACA,OACA,UACA,eACA,SACA,OAAgB,MAAM,KACtB,UAAgB,MAAM,QACtB,UAAgB,CAAC,GACjB,kBAAkB,uBAAO,OAAO,IAAI,GACpC,SAAgB,MAChB,UAAgB,MAChB,YAAgB,MAChB,gBAAgB,OAChB,WAAgB,OAChB;AAIJ,MAAI,MAAM,mBAAmB,GAAI,QAAO;AAExC,MAAI,MAAM,WAAW,MAAM;AACzB,UAAM,UAAU,MAAM,MAAM,IAAI;AAAA,EAClC;AAEA,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,SAAO,OAAO,GAAG;AACf,QAAI,CAAC,iBAAiB,MAAM,mBAAmB,IAAI;AACjD,YAAM,WAAW,MAAM;AACvB,iBAAW,OAAO,gDAAgD;AAAA,IACpE;AAEA,gBAAY,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC;AACrD,YAAQ,MAAM;AAMd,SAAK,OAAO,MAAe,OAAO,OAAgB,aAAa,SAAS,GAAG;AAEzE,UAAI,OAAO,IAAa;AACtB,YAAI,eAAe;AACjB,2BAAiB,OAAO,SAAS,iBAAiB,QAAQ,SAAS,MAAM,UAAU,eAAe,OAAO;AACzG,mBAAS,UAAU,YAAY;AAAA,QACjC;AAEA,mBAAW;AACX,wBAAgB;AAChB,uBAAe;AAAA,MAEjB,WAAW,eAAe;AAExB,wBAAgB;AAChB,uBAAe;AAAA,MAEjB,OAAO;AACL,mBAAW,OAAO,mGAAmG;AAAA,MACvH;AAEA,YAAM,YAAY;AAClB,WAAK;AAAA,IAKP,OAAO;AACL,iBAAW,MAAM;AACjB,sBAAgB,MAAM;AACtB,gBAAU,MAAM;AAEhB,UAAI,CAAC,YAAY,OAAO,YAAY,kBAAkB,OAAO,IAAI,GAAG;AAGlE;AAAA,MACF;AAEA,UAAI,MAAM,SAAS,OAAO;AACxB,aAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,eAAO,eAAe,EAAE,GAAG;AACzB,eAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,QAC9C;AAEA,YAAI,OAAO,IAAa;AACtB,eAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,cAAI,CAAC,aAAa,EAAE,GAAG;AACrB,uBAAW,OAAO,yFAAyF;AAAA,UAC7G;AAEA,cAAI,eAAe;AACjB,6BAAiB,OAAO,SAAS,iBAAiB,QAAQ,SAAS,MAAM,UAAU,eAAe,OAAO;AACzG,qBAAS,UAAU,YAAY;AAAA,UACjC;AAEA,qBAAW;AACX,0BAAgB;AAChB,yBAAe;AACf,mBAAS,MAAM;AACf,oBAAU,MAAM;AAAA,QAElB,WAAW,UAAU;AACnB,qBAAW,OAAO,0DAA0D;AAAA,QAE9E,OAAO;AACL,gBAAM,MAAM;AACZ,gBAAM,SAAS;AACf,iBAAO;AAAA,QACT;AAAA,MAEF,WAAW,UAAU;AACnB,mBAAW,OAAO,gFAAgF;AAAA,MAEpG,OAAO;AACL,cAAM,MAAM;AACZ,cAAM,SAAS;AACf,eAAO;AAAA,MACT;AAAA,IACF;AAKA,QAAI,MAAM,SAAS,SAAS,MAAM,aAAa,YAAY;AACzD,UAAI,eAAe;AACjB,mBAAW,MAAM;AACjB,wBAAgB,MAAM;AACtB,kBAAU,MAAM;AAAA,MAClB;AAEA,UAAI,YAAY,OAAO,YAAY,mBAAmB,MAAM,YAAY,GAAG;AACzE,YAAI,eAAe;AACjB,oBAAU,MAAM;AAAA,QAClB,OAAO;AACL,sBAAY,MAAM;AAAA,QACpB;AAAA,MACF;AAEA,UAAI,CAAC,eAAe;AAClB,yBAAiB,OAAO,SAAS,iBAAiB,QAAQ,SAAS,WAAW,UAAU,eAAe,OAAO;AAC9G,iBAAS,UAAU,YAAY;AAAA,MACjC;AAEA,0BAAoB,OAAO,MAAM,EAAE;AACnC,WAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAAA,IAC5C;AAEA,SAAK,MAAM,SAAS,SAAS,MAAM,aAAa,eAAgB,OAAO,GAAI;AACzE,iBAAW,OAAO,oCAAoC;AAAA,IACxD,WAAW,MAAM,aAAa,YAAY;AACxC;AAAA,IACF;AAAA,EACF;AAOA,MAAI,eAAe;AACjB,qBAAiB,OAAO,SAAS,iBAAiB,QAAQ,SAAS,MAAM,UAAU,eAAe,OAAO;AAAA,EAC3G;AAGA,MAAI,UAAU;AACZ,UAAM,MAAM;AACZ,UAAM,SAAS;AACf,UAAM,OAAO;AACb,UAAM,SAAS;AAAA,EACjB;AAEA,SAAO;AACT;AAEA,SAAS,gBAAgB,OAAO;AAC9B,MAAI,WACA,aAAa,OACb,UAAa,OACb,WACA,SACA;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,GAAa,QAAO;AAE/B,MAAI,MAAM,QAAQ,MAAM;AACtB,eAAW,OAAO,+BAA+B;AAAA,EACnD;AAEA,OAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,MAAI,OAAO,IAAa;AACtB,iBAAa;AACb,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,EAE9C,WAAW,OAAO,IAAa;AAC7B,cAAU;AACV,gBAAY;AACZ,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,EAE9C,OAAO;AACL,gBAAY;AAAA,EACd;AAEA,cAAY,MAAM;AAElB,MAAI,YAAY;AACd,OAAG;AAAE,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAAG,SAC7C,OAAO,KAAK,OAAO;AAE1B,QAAI,MAAM,WAAW,MAAM,QAAQ;AACjC,gBAAU,MAAM,MAAM,MAAM,WAAW,MAAM,QAAQ;AACrD,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C,OAAO;AACL,iBAAW,OAAO,oDAAoD;AAAA,IACxE;AAAA,EACF,OAAO;AACL,WAAO,OAAO,KAAK,CAAC,aAAa,EAAE,GAAG;AAEpC,UAAI,OAAO,IAAa;AACtB,YAAI,CAAC,SAAS;AACZ,sBAAY,MAAM,MAAM,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC;AAE/D,cAAI,CAAC,mBAAmB,KAAK,SAAS,GAAG;AACvC,uBAAW,OAAO,iDAAiD;AAAA,UACrE;AAEA,oBAAU;AACV,sBAAY,MAAM,WAAW;AAAA,QAC/B,OAAO;AACL,qBAAW,OAAO,6CAA6C;AAAA,QACjE;AAAA,MACF;AAEA,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C;AAEA,cAAU,MAAM,MAAM,MAAM,WAAW,MAAM,QAAQ;AAErD,QAAI,wBAAwB,KAAK,OAAO,GAAG;AACzC,iBAAW,OAAO,qDAAqD;AAAA,IACzE;AAAA,EACF;AAEA,MAAI,WAAW,CAAC,gBAAgB,KAAK,OAAO,GAAG;AAC7C,eAAW,OAAO,8CAA8C,OAAO;AAAA,EACzE;AAEA,MAAI;AACF,cAAU,mBAAmB,OAAO;AAAA,EACtC,SAAS,KAAK;AACZ,eAAW,OAAO,4BAA4B,OAAO;AAAA,EACvD;AAEA,MAAI,YAAY;AACd,UAAM,MAAM;AAAA,EAEd,WAAW,kBAAkB,KAAK,MAAM,QAAQ,SAAS,GAAG;AAC1D,UAAM,MAAM,MAAM,OAAO,SAAS,IAAI;AAAA,EAExC,WAAW,cAAc,KAAK;AAC5B,UAAM,MAAM,MAAM;AAAA,EAEpB,WAAW,cAAc,MAAM;AAC7B,UAAM,MAAM,uBAAuB;AAAA,EAErC,OAAO;AACL,eAAW,OAAO,4BAA4B,YAAY,GAAG;AAAA,EAC/D;AAEA,SAAO;AACT;AAEA,SAAS,mBAAmB,OAAO;AACjC,MAAI,WACA;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,GAAa,QAAO;AAE/B,MAAI,MAAM,WAAW,MAAM;AACzB,eAAW,OAAO,mCAAmC;AAAA,EACvD;AAEA,OAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAC5C,cAAY,MAAM;AAElB,SAAO,OAAO,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,kBAAkB,EAAE,GAAG;AAC9D,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,EAC9C;AAEA,MAAI,MAAM,aAAa,WAAW;AAChC,eAAW,OAAO,4DAA4D;AAAA,EAChF;AAEA,QAAM,SAAS,MAAM,MAAM,MAAM,WAAW,MAAM,QAAQ;AAC1D,SAAO;AACT;AAEA,SAAS,UAAU,OAAO;AACxB,MAAI,WAAW,OACX;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,GAAa,QAAO;AAE/B,OAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAC5C,cAAY,MAAM;AAElB,SAAO,OAAO,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,kBAAkB,EAAE,GAAG;AAC9D,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,EAC9C;AAEA,MAAI,MAAM,aAAa,WAAW;AAChC,eAAW,OAAO,2DAA2D;AAAA,EAC/E;AAEA,UAAQ,MAAM,MAAM,MAAM,WAAW,MAAM,QAAQ;AAEnD,MAAI,CAAC,kBAAkB,KAAK,MAAM,WAAW,KAAK,GAAG;AACnD,eAAW,OAAO,yBAAyB,QAAQ,GAAG;AAAA,EACxD;AAEA,QAAM,SAAS,MAAM,UAAU,KAAK;AACpC,sBAAoB,OAAO,MAAM,EAAE;AACnC,SAAO;AACT;AAEA,SAAS,YAAY,OAAO,cAAc,aAAa,aAAa,cAAc;AAChF,MAAI,kBACA,mBACA,uBACA,eAAe,GACf,YAAa,OACb,aAAa,OACb,WACA,cACA,UACAE,OACA,YACA;AAEJ,MAAI,MAAM,aAAa,MAAM;AAC3B,UAAM,SAAS,QAAQ,KAAK;AAAA,EAC9B;AAEA,QAAM,MAAS;AACf,QAAM,SAAS;AACf,QAAM,OAAS;AACf,QAAM,SAAS;AAEf,qBAAmB,oBAAoB,wBACrC,sBAAsB,eACtB,qBAAsB;AAExB,MAAI,aAAa;AACf,QAAI,oBAAoB,OAAO,MAAM,EAAE,GAAG;AACxC,kBAAY;AAEZ,UAAI,MAAM,aAAa,cAAc;AACnC,uBAAe;AAAA,MACjB,WAAW,MAAM,eAAe,cAAc;AAC5C,uBAAe;AAAA,MACjB,WAAW,MAAM,aAAa,cAAc;AAC1C,uBAAe;AAAA,MACjB;AAAA,IACF;AAAA,EACF;AAEA,MAAI,iBAAiB,GAAG;AACtB,WAAO,gBAAgB,KAAK,KAAK,mBAAmB,KAAK,GAAG;AAC1D,UAAI,oBAAoB,OAAO,MAAM,EAAE,GAAG;AACxC,oBAAY;AACZ,gCAAwB;AAExB,YAAI,MAAM,aAAa,cAAc;AACnC,yBAAe;AAAA,QACjB,WAAW,MAAM,eAAe,cAAc;AAC5C,yBAAe;AAAA,QACjB,WAAW,MAAM,aAAa,cAAc;AAC1C,yBAAe;AAAA,QACjB;AAAA,MACF,OAAO;AACL,gCAAwB;AAAA,MAC1B;AAAA,IACF;AAAA,EACF;AAEA,MAAI,uBAAuB;AACzB,4BAAwB,aAAa;AAAA,EACvC;AAEA,MAAI,iBAAiB,KAAK,sBAAsB,aAAa;AAC3D,QAAI,oBAAoB,eAAe,qBAAqB,aAAa;AACvE,mBAAa;AAAA,IACf,OAAO;AACL,mBAAa,eAAe;AAAA,IAC9B;AAEA,kBAAc,MAAM,WAAW,MAAM;AAErC,QAAI,iBAAiB,GAAG;AACtB,UAAI,0BACC,kBAAkB,OAAO,WAAW,KACpC,iBAAiB,OAAO,aAAa,UAAU,MAChD,mBAAmB,OAAO,UAAU,GAAG;AACzC,qBAAa;AAAA,MACf,OAAO;AACL,YAAK,qBAAqB,gBAAgB,OAAO,UAAU,KACvD,uBAAuB,OAAO,UAAU,KACxC,uBAAuB,OAAO,UAAU,GAAG;AAC7C,uBAAa;AAAA,QAEf,WAAW,UAAU,KAAK,GAAG;AAC3B,uBAAa;AAEb,cAAI,MAAM,QAAQ,QAAQ,MAAM,WAAW,MAAM;AAC/C,uBAAW,OAAO,2CAA2C;AAAA,UAC/D;AAAA,QAEF,WAAW,gBAAgB,OAAO,YAAY,oBAAoB,WAAW,GAAG;AAC9E,uBAAa;AAEb,cAAI,MAAM,QAAQ,MAAM;AACtB,kBAAM,MAAM;AAAA,UACd;AAAA,QACF;AAEA,YAAI,MAAM,WAAW,MAAM;AACzB,gBAAM,UAAU,MAAM,MAAM,IAAI,MAAM;AAAA,QACxC;AAAA,MACF;AAAA,IACF,WAAW,iBAAiB,GAAG;AAG7B,mBAAa,yBAAyB,kBAAkB,OAAO,WAAW;AAAA,IAC5E;AAAA,EACF;AAEA,MAAI,MAAM,QAAQ,MAAM;AACtB,QAAI,MAAM,WAAW,MAAM;AACzB,YAAM,UAAU,MAAM,MAAM,IAAI,MAAM;AAAA,IACxC;AAAA,EAEF,WAAW,MAAM,QAAQ,KAAK;AAO5B,QAAI,MAAM,WAAW,QAAQ,MAAM,SAAS,UAAU;AACpD,iBAAW,OAAO,sEAAsE,MAAM,OAAO,GAAG;AAAA,IAC1G;AAEA,SAAK,YAAY,GAAG,eAAe,MAAM,cAAc,QAAQ,YAAY,cAAc,aAAa,GAAG;AACvG,MAAAA,QAAO,MAAM,cAAc,SAAS;AAEpC,UAAIA,MAAK,QAAQ,MAAM,MAAM,GAAG;AAC9B,cAAM,SAASA,MAAK,UAAU,MAAM,MAAM;AAC1C,cAAM,MAAMA,MAAK;AACjB,YAAI,MAAM,WAAW,MAAM;AACzB,gBAAM,UAAU,MAAM,MAAM,IAAI,MAAM;AAAA,QACxC;AACA;AAAA,MACF;AAAA,IACF;AAAA,EACF,WAAW,MAAM,QAAQ,KAAK;AAC5B,QAAI,kBAAkB,KAAK,MAAM,QAAQ,MAAM,QAAQ,UAAU,GAAG,MAAM,GAAG,GAAG;AAC9E,MAAAA,QAAO,MAAM,QAAQ,MAAM,QAAQ,UAAU,EAAE,MAAM,GAAG;AAAA,IAC1D,OAAO;AAEL,MAAAA,QAAO;AACP,iBAAW,MAAM,QAAQ,MAAM,MAAM,QAAQ,UAAU;AAEvD,WAAK,YAAY,GAAG,eAAe,SAAS,QAAQ,YAAY,cAAc,aAAa,GAAG;AAC5F,YAAI,MAAM,IAAI,MAAM,GAAG,SAAS,SAAS,EAAE,IAAI,MAAM,MAAM,SAAS,SAAS,EAAE,KAAK;AAClF,UAAAA,QAAO,SAAS,SAAS;AACzB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAACA,OAAM;AACT,iBAAW,OAAO,mBAAmB,MAAM,MAAM,GAAG;AAAA,IACtD;AAEA,QAAI,MAAM,WAAW,QAAQA,MAAK,SAAS,MAAM,MAAM;AACrD,iBAAW,OAAO,kCAAkC,MAAM,MAAM,0BAA0BA,MAAK,OAAO,aAAa,MAAM,OAAO,GAAG;AAAA,IACrI;AAEA,QAAI,CAACA,MAAK,QAAQ,MAAM,QAAQ,MAAM,GAAG,GAAG;AAC1C,iBAAW,OAAO,kCAAkC,MAAM,MAAM,gBAAgB;AAAA,IAClF,OAAO;AACL,YAAM,SAASA,MAAK,UAAU,MAAM,QAAQ,MAAM,GAAG;AACrD,UAAI,MAAM,WAAW,MAAM;AACzB,cAAM,UAAU,MAAM,MAAM,IAAI,MAAM;AAAA,MACxC;AAAA,IACF;AAAA,EACF;AAEA,MAAI,MAAM,aAAa,MAAM;AAC3B,UAAM,SAAS,SAAS,KAAK;AAAA,EAC/B;AACA,SAAO,MAAM,QAAQ,QAAS,MAAM,WAAW,QAAQ;AACzD;AAEA,SAAS,aAAa,OAAO;AAC3B,MAAI,gBAAgB,MAAM,UACtB,WACA,eACA,eACA,gBAAgB,OAChB;AAEJ,QAAM,UAAU;AAChB,QAAM,kBAAkB,MAAM;AAC9B,QAAM,SAAS,uBAAO,OAAO,IAAI;AACjC,QAAM,YAAY,uBAAO,OAAO,IAAI;AAEpC,UAAQ,KAAK,MAAM,MAAM,WAAW,MAAM,QAAQ,OAAO,GAAG;AAC1D,wBAAoB,OAAO,MAAM,EAAE;AAEnC,SAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,QAAI,MAAM,aAAa,KAAK,OAAO,IAAa;AAC9C;AAAA,IACF;AAEA,oBAAgB;AAChB,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAC5C,gBAAY,MAAM;AAElB,WAAO,OAAO,KAAK,CAAC,aAAa,EAAE,GAAG;AACpC,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C;AAEA,oBAAgB,MAAM,MAAM,MAAM,WAAW,MAAM,QAAQ;AAC3D,oBAAgB,CAAC;AAEjB,QAAI,cAAc,SAAS,GAAG;AAC5B,iBAAW,OAAO,8DAA8D;AAAA,IAClF;AAEA,WAAO,OAAO,GAAG;AACf,aAAO,eAAe,EAAE,GAAG;AACzB,aAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,MAC9C;AAEA,UAAI,OAAO,IAAa;AACtB,WAAG;AAAE,eAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,QAAG,SAC7C,OAAO,KAAK,CAAC,OAAO,EAAE;AAC7B;AAAA,MACF;AAEA,UAAI,OAAO,EAAE,EAAG;AAEhB,kBAAY,MAAM;AAElB,aAAO,OAAO,KAAK,CAAC,aAAa,EAAE,GAAG;AACpC,aAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,MAC9C;AAEA,oBAAc,KAAK,MAAM,MAAM,MAAM,WAAW,MAAM,QAAQ,CAAC;AAAA,IACjE;AAEA,QAAI,OAAO,EAAG,eAAc,KAAK;AAEjC,QAAI,kBAAkB,KAAK,mBAAmB,aAAa,GAAG;AAC5D,wBAAkB,aAAa,EAAE,OAAO,eAAe,aAAa;AAAA,IACtE,OAAO;AACL,mBAAa,OAAO,iCAAiC,gBAAgB,GAAG;AAAA,IAC1E;AAAA,EACF;AAEA,sBAAoB,OAAO,MAAM,EAAE;AAEnC,MAAI,MAAM,eAAe,KACrB,MAAM,MAAM,WAAW,MAAM,QAAQ,MAAU,MAC/C,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC,MAAM,MAC/C,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC,MAAM,IAAa;AAC9D,UAAM,YAAY;AAClB,wBAAoB,OAAO,MAAM,EAAE;AAAA,EAErC,WAAW,eAAe;AACxB,eAAW,OAAO,iCAAiC;AAAA,EACrD;AAEA,cAAY,OAAO,MAAM,aAAa,GAAG,mBAAmB,OAAO,IAAI;AACvE,sBAAoB,OAAO,MAAM,EAAE;AAEnC,MAAI,MAAM,mBACN,8BAA8B,KAAK,MAAM,MAAM,MAAM,eAAe,MAAM,QAAQ,CAAC,GAAG;AACxF,iBAAa,OAAO,kDAAkD;AAAA,EACxE;AAEA,QAAM,UAAU,KAAK,MAAM,MAAM;AAEjC,MAAI,MAAM,aAAa,MAAM,aAAa,sBAAsB,KAAK,GAAG;AAEtE,QAAI,MAAM,MAAM,WAAW,MAAM,QAAQ,MAAM,IAAa;AAC1D,YAAM,YAAY;AAClB,0BAAoB,OAAO,MAAM,EAAE;AAAA,IACrC;AACA;AAAA,EACF;AAEA,MAAI,MAAM,WAAY,MAAM,SAAS,GAAI;AACvC,eAAW,OAAO,uDAAuD;AAAA,EAC3E,OAAO;AACL;AAAA,EACF;AACF;AAGA,SAAS,cAAc,OAAO,SAAS;AACrC,UAAQ,OAAO,KAAK;AACpB,YAAU,WAAW,CAAC;AAEtB,MAAI,MAAM,WAAW,GAAG;AAGtB,QAAI,MAAM,WAAW,MAAM,SAAS,CAAC,MAAM,MACvC,MAAM,WAAW,MAAM,SAAS,CAAC,MAAM,IAAc;AACvD,eAAS;AAAA,IACX;AAGA,QAAI,MAAM,WAAW,CAAC,MAAM,OAAQ;AAClC,cAAQ,MAAM,MAAM,CAAC;AAAA,IACvB;AAAA,EACF;AAEA,MAAI,QAAQ,IAAI,QAAQ,OAAO,OAAO;AAEtC,MAAI,UAAU,MAAM,QAAQ,IAAI;AAEhC,MAAI,YAAY,IAAI;AAClB,UAAM,WAAW;AACjB,eAAW,OAAO,mCAAmC;AAAA,EACvD;AAGA,QAAM,SAAS;AAEf,SAAO,MAAM,MAAM,WAAW,MAAM,QAAQ,MAAM,IAAiB;AACjE,UAAM,cAAc;AACpB,UAAM,YAAY;AAAA,EACpB;AAEA,SAAO,MAAM,WAAY,MAAM,SAAS,GAAI;AAC1C,iBAAa,KAAK;AAAA,EACpB;AAEA,SAAO,MAAM;AACf;AAGA,SAAS,UAAU,OAAO,UAAU,SAAS;AAC3C,MAAI,aAAa,QAAQ,OAAO,aAAa,YAAY,OAAO,YAAY,aAAa;AACvF,cAAU;AACV,eAAW;AAAA,EACb;AAEA,MAAI,YAAY,cAAc,OAAO,OAAO;AAE5C,MAAI,OAAO,aAAa,YAAY;AAClC,WAAO;AAAA,EACT;AAEA,WAAS,QAAQ,GAAG,SAAS,UAAU,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AACzE,aAAS,UAAU,KAAK,CAAC;AAAA,EAC3B;AACF;AAGA,SAAS,OAAO,OAAO,SAAS;AAC9B,MAAI,YAAY,cAAc,OAAO,OAAO;AAE5C,MAAI,UAAU,WAAW,GAAG;AAE1B,WAAO;AAAA,EACT,WAAW,UAAU,WAAW,GAAG;AACjC,WAAO,UAAU,CAAC;AAAA,EACpB;AACA,QAAM,IAAI,UAAU,0DAA0D;AAChF;AAGA,IAAI,YAAY;AAChB,IAAI,SAAY;AAEhB,IAAI,SAAS;AAAA,EACZ,SAAS;AAAA,EACT,MAAM;AACP;AAQA,IAAI,YAAkB,OAAO,UAAU;AACvC,IAAI,kBAAkB,OAAO,UAAU;AAEvC,IAAI,WAA4B;AAChC,IAAI,WAA4B;AAChC,IAAI,iBAA4B;AAChC,IAAI,uBAA4B;AAChC,IAAI,aAA4B;AAChC,IAAI,mBAA4B;AAChC,IAAI,oBAA4B;AAChC,IAAI,aAA4B;AAChC,IAAI,eAA4B;AAChC,IAAI,iBAA4B;AAChC,IAAI,oBAA4B;AAChC,IAAI,gBAA4B;AAChC,IAAI,aAA4B;AAChC,IAAI,aAA4B;AAChC,IAAI,aAA4B;AAChC,IAAI,cAA4B;AAChC,IAAI,oBAA4B;AAChC,IAAI,gBAA4B;AAChC,IAAI,qBAA4B;AAChC,IAAI,2BAA4B;AAChC,IAAI,4BAA4B;AAChC,IAAI,oBAA4B;AAChC,IAAI,0BAA4B;AAChC,IAAI,qBAA4B;AAChC,IAAI,2BAA4B;AAEhC,IAAI,mBAAmB,CAAC;AAExB,iBAAiB,CAAI,IAAM;AAC3B,iBAAiB,CAAI,IAAM;AAC3B,iBAAiB,CAAI,IAAM;AAC3B,iBAAiB,CAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,GAAI,IAAM;AAC3B,iBAAiB,GAAI,IAAM;AAC3B,iBAAiB,IAAM,IAAI;AAC3B,iBAAiB,IAAM,IAAI;AAE3B,IAAI,6BAA6B;AAAA,EAC/B;AAAA,EAAK;AAAA,EAAK;AAAA,EAAO;AAAA,EAAO;AAAA,EAAO;AAAA,EAAM;AAAA,EAAM;AAAA,EAC3C;AAAA,EAAK;AAAA,EAAK;AAAA,EAAM;AAAA,EAAM;AAAA,EAAM;AAAA,EAAO;AAAA,EAAO;AAC5C;AAEA,IAAI,2BAA2B;AAE/B,SAAS,gBAAgBD,SAAQD,MAAK;AACpC,MAAI,QAAQ,MAAM,OAAO,QAAQ,KAAK,OAAOE;AAE7C,MAAIF,SAAQ,KAAM,QAAO,CAAC;AAE1B,WAAS,CAAC;AACV,SAAO,OAAO,KAAKA,IAAG;AAEtB,OAAK,QAAQ,GAAG,SAAS,KAAK,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAChE,UAAM,KAAK,KAAK;AAChB,YAAQ,OAAOA,KAAI,GAAG,CAAC;AAEvB,QAAI,IAAI,MAAM,GAAG,CAAC,MAAM,MAAM;AAC5B,YAAM,uBAAuB,IAAI,MAAM,CAAC;AAAA,IAC1C;AACA,IAAAE,QAAOD,QAAO,gBAAgB,UAAU,EAAE,GAAG;AAE7C,QAAIC,SAAQ,gBAAgB,KAAKA,MAAK,cAAc,KAAK,GAAG;AAC1D,cAAQA,MAAK,aAAa,KAAK;AAAA,IACjC;AAEA,WAAO,GAAG,IAAI;AAAA,EAChB;AAEA,SAAO;AACT;AAEA,SAAS,UAAU,WAAW;AAC5B,MAAI,QAAQ,QAAQ;AAEpB,WAAS,UAAU,SAAS,EAAE,EAAE,YAAY;AAE5C,MAAI,aAAa,KAAM;AACrB,aAAS;AACT,aAAS;AAAA,EACX,WAAW,aAAa,OAAQ;AAC9B,aAAS;AACT,aAAS;AAAA,EACX,WAAW,aAAa,YAAY;AAClC,aAAS;AACT,aAAS;AAAA,EACX,OAAO;AACL,UAAM,IAAI,UAAU,+DAA+D;AAAA,EACrF;AAEA,SAAO,OAAO,SAAS,OAAO,OAAO,KAAK,SAAS,OAAO,MAAM,IAAI;AACtE;AAGA,IAAI,sBAAsB;AAA1B,IACI,sBAAsB;AAE1B,SAAS,MAAM,SAAS;AACtB,OAAK,SAAgB,QAAQ,QAAQ,KAAK;AAC1C,OAAK,SAAgB,KAAK,IAAI,GAAI,QAAQ,QAAQ,KAAK,CAAE;AACzD,OAAK,gBAAgB,QAAQ,eAAe,KAAK;AACjD,OAAK,cAAgB,QAAQ,aAAa,KAAK;AAC/C,OAAK,YAAiB,OAAO,UAAU,QAAQ,WAAW,CAAC,IAAI,KAAK,QAAQ,WAAW;AACvF,OAAK,WAAgB,gBAAgB,KAAK,QAAQ,QAAQ,QAAQ,KAAK,IAAI;AAC3E,OAAK,WAAgB,QAAQ,UAAU,KAAK;AAC5C,OAAK,YAAgB,QAAQ,WAAW,KAAK;AAC7C,OAAK,SAAgB,QAAQ,QAAQ,KAAK;AAC1C,OAAK,eAAgB,QAAQ,cAAc,KAAK;AAChD,OAAK,eAAgB,QAAQ,cAAc,KAAK;AAChD,OAAK,cAAgB,QAAQ,aAAa,MAAM,MAAM,sBAAsB;AAC5E,OAAK,cAAgB,QAAQ,aAAa,KAAK;AAC/C,OAAK,WAAgB,OAAO,QAAQ,UAAU,MAAM,aAAa,QAAQ,UAAU,IAAI;AAEvF,OAAK,gBAAgB,KAAK,OAAO;AACjC,OAAK,gBAAgB,KAAK,OAAO;AAEjC,OAAK,MAAM;AACX,OAAK,SAAS;AAEd,OAAK,aAAa,CAAC;AACnB,OAAK,iBAAiB;AACxB;AAGA,SAAS,aAAa,QAAQ,QAAQ;AACpC,MAAI,MAAM,OAAO,OAAO,KAAK,MAAM,GAC/B,WAAW,GACX,OAAO,IACP,SAAS,IACT,MACA,SAAS,OAAO;AAEpB,SAAO,WAAW,QAAQ;AACxB,WAAO,OAAO,QAAQ,MAAM,QAAQ;AACpC,QAAI,SAAS,IAAI;AACf,aAAO,OAAO,MAAM,QAAQ;AAC5B,iBAAW;AAAA,IACb,OAAO;AACL,aAAO,OAAO,MAAM,UAAU,OAAO,CAAC;AACtC,iBAAW,OAAO;AAAA,IACpB;AAEA,QAAI,KAAK,UAAU,SAAS,KAAM,WAAU;AAE5C,cAAU;AAAA,EACZ;AAEA,SAAO;AACT;AAEA,SAAS,iBAAiB,OAAO,OAAO;AACtC,SAAO,OAAO,OAAO,OAAO,KAAK,MAAM,SAAS,KAAK;AACvD;AAEA,SAAS,sBAAsB,OAAOE,MAAK;AACzC,MAAI,OAAO,QAAQF;AAEnB,OAAK,QAAQ,GAAG,SAAS,MAAM,cAAc,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAC/E,IAAAA,QAAO,MAAM,cAAc,KAAK;AAEhC,QAAIA,MAAK,QAAQE,IAAG,GAAG;AACrB,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAGA,SAAS,aAAa,GAAG;AACvB,SAAO,MAAM,cAAc,MAAM;AACnC;AAMA,SAAS,YAAY,GAAG;AACtB,SAAS,MAAW,KAAK,KAAK,OACrB,OAAW,KAAK,KAAK,SAAa,MAAM,QAAU,MAAM,QACxD,SAAW,KAAK,KAAK,SAAa,MAAM,YACxC,SAAW,KAAK,KAAK;AAChC;AAOA,SAAS,qBAAqB,GAAG;AAC/B,SAAO,YAAY,CAAC,KACf,MAAM,YAEN,MAAM,wBACN,MAAM;AACb;AAWA,SAAS,YAAY,GAAG,MAAM,SAAS;AACrC,MAAI,wBAAwB,qBAAqB,CAAC;AAClD,MAAI,YAAY,yBAAyB,CAAC,aAAa,CAAC;AACxD;AAAA;AAAA,KAEE;AAAA;AAAA,MACE;AAAA,QACE,yBAEG,MAAM,cACN,MAAM,4BACN,MAAM,6BACN,MAAM,2BACN,MAAM,6BAGV,MAAM,cACN,EAAE,SAAS,cAAc,CAAC,cACzB,qBAAqB,IAAI,KAAK,CAAC,aAAa,IAAI,KAAK,MAAM,cAC3D,SAAS,cAAc;AAAA;AAC/B;AAGA,SAAS,iBAAiB,GAAG;AAI3B,SAAO,YAAY,CAAC,KAAK,MAAM,YAC1B,CAAC,aAAa,CAAC,KAGf,MAAM,cACN,MAAM,iBACN,MAAM,cACN,MAAM,cACN,MAAM,4BACN,MAAM,6BACN,MAAM,2BACN,MAAM,4BAEN,MAAM,cACN,MAAM,kBACN,MAAM,iBACN,MAAM,oBACN,MAAM,sBACN,MAAM,eACN,MAAM,qBACN,MAAM,qBACN,MAAM,qBAEN,MAAM,gBACN,MAAM,sBACN,MAAM;AACb;AAGA,SAAS,gBAAgB,GAAG;AAE1B,SAAO,CAAC,aAAa,CAAC,KAAK,MAAM;AACnC;AAGA,SAAS,YAAY,QAAQ,KAAK;AAChC,MAAI,QAAQ,OAAO,WAAW,GAAG,GAAG;AACpC,MAAI,SAAS,SAAU,SAAS,SAAU,MAAM,IAAI,OAAO,QAAQ;AACjE,aAAS,OAAO,WAAW,MAAM,CAAC;AAClC,QAAI,UAAU,SAAU,UAAU,OAAQ;AAExC,cAAQ,QAAQ,SAAU,OAAQ,SAAS,QAAS;AAAA,IACtD;AAAA,EACF;AACA,SAAO;AACT;AAGA,SAAS,oBAAoB,QAAQ;AACnC,MAAI,iBAAiB;AACrB,SAAO,eAAe,KAAK,MAAM;AACnC;AAEA,IAAI,cAAgB;AAApB,IACI,eAAgB;AADpB,IAEI,gBAAgB;AAFpB,IAGI,eAAgB;AAHpB,IAII,eAAgB;AASpB,SAAS,kBAAkB,QAAQ,gBAAgB,gBAAgB,WACjE,mBAAmB,aAAa,aAAa,SAAS;AAEtD,MAAI;AACJ,MAAI,OAAO;AACX,MAAI,WAAW;AACf,MAAI,eAAe;AACnB,MAAI,kBAAkB;AACtB,MAAI,mBAAmB,cAAc;AACrC,MAAI,oBAAoB;AACxB,MAAI,QAAQ,iBAAiB,YAAY,QAAQ,CAAC,CAAC,KACxC,gBAAgB,YAAY,QAAQ,OAAO,SAAS,CAAC,CAAC;AAEjE,MAAI,kBAAkB,aAAa;AAGjC,SAAK,IAAI,GAAG,IAAI,OAAO,QAAQ,QAAQ,QAAU,KAAK,IAAI,KAAK;AAC7D,aAAO,YAAY,QAAQ,CAAC;AAC5B,UAAI,CAAC,YAAY,IAAI,GAAG;AACtB,eAAO;AAAA,MACT;AACA,cAAQ,SAAS,YAAY,MAAM,UAAU,OAAO;AACpD,iBAAW;AAAA,IACb;AAAA,EACF,OAAO;AAEL,SAAK,IAAI,GAAG,IAAI,OAAO,QAAQ,QAAQ,QAAU,KAAK,IAAI,KAAK;AAC7D,aAAO,YAAY,QAAQ,CAAC;AAC5B,UAAI,SAAS,gBAAgB;AAC3B,uBAAe;AAEf,YAAI,kBAAkB;AACpB,4BAAkB;AAAA,UAEf,IAAI,oBAAoB,IAAI,aAC5B,OAAO,oBAAoB,CAAC,MAAM;AACrC,8BAAoB;AAAA,QACtB;AAAA,MACF,WAAW,CAAC,YAAY,IAAI,GAAG;AAC7B,eAAO;AAAA,MACT;AACA,cAAQ,SAAS,YAAY,MAAM,UAAU,OAAO;AACpD,iBAAW;AAAA,IACb;AAEA,sBAAkB,mBAAoB,qBACnC,IAAI,oBAAoB,IAAI,aAC5B,OAAO,oBAAoB,CAAC,MAAM;AAAA,EACvC;AAIA,MAAI,CAAC,gBAAgB,CAAC,iBAAiB;AAGrC,QAAI,SAAS,CAAC,eAAe,CAAC,kBAAkB,MAAM,GAAG;AACvD,aAAO;AAAA,IACT;AACA,WAAO,gBAAgB,sBAAsB,eAAe;AAAA,EAC9D;AAEA,MAAI,iBAAiB,KAAK,oBAAoB,MAAM,GAAG;AACrD,WAAO;AAAA,EACT;AAGA,MAAI,CAAC,aAAa;AAChB,WAAO,kBAAkB,eAAe;AAAA,EAC1C;AACA,SAAO,gBAAgB,sBAAsB,eAAe;AAC9D;AAQA,SAAS,YAAY,OAAO,QAAQ,OAAO,OAAO,SAAS;AACzD,QAAM,QAAQ,WAAY;AACxB,QAAI,OAAO,WAAW,GAAG;AACvB,aAAO,MAAM,gBAAgB,sBAAsB,OAAO;AAAA,IAC5D;AACA,QAAI,CAAC,MAAM,cAAc;AACvB,UAAI,2BAA2B,QAAQ,MAAM,MAAM,MAAM,yBAAyB,KAAK,MAAM,GAAG;AAC9F,eAAO,MAAM,gBAAgB,sBAAuB,MAAM,SAAS,MAAQ,MAAM,SAAS;AAAA,MAC5F;AAAA,IACF;AAEA,QAAI,SAAS,MAAM,SAAS,KAAK,IAAI,GAAG,KAAK;AAQ7C,QAAI,YAAY,MAAM,cAAc,KAChC,KAAK,KAAK,IAAI,KAAK,IAAI,MAAM,WAAW,EAAE,GAAG,MAAM,YAAY,MAAM;AAGzE,QAAI,iBAAiB,SAEf,MAAM,YAAY,MAAM,SAAS,MAAM;AAC7C,aAAS,cAAcC,SAAQ;AAC7B,aAAO,sBAAsB,OAAOA,OAAM;AAAA,IAC5C;AAEA,YAAQ;AAAA,MAAkB;AAAA,MAAQ;AAAA,MAAgB,MAAM;AAAA,MAAQ;AAAA,MAC9D;AAAA,MAAe,MAAM;AAAA,MAAa,MAAM,eAAe,CAAC;AAAA,MAAO;AAAA,IAAO,GAAG;AAAA,MAEzE,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO,MAAM,OAAO,QAAQ,MAAM,IAAI,IAAI;AAAA,MAC5C,KAAK;AACH,eAAO,MAAM,YAAY,QAAQ,MAAM,MAAM,IACzC,kBAAkB,aAAa,QAAQ,MAAM,CAAC;AAAA,MACpD,KAAK;AACH,eAAO,MAAM,YAAY,QAAQ,MAAM,MAAM,IACzC,kBAAkB,aAAa,WAAW,QAAQ,SAAS,GAAG,MAAM,CAAC;AAAA,MAC3E,KAAK;AACH,eAAO,MAAM,aAAa,MAAM,IAAI;AAAA,MACtC;AACE,cAAM,IAAI,UAAU,wCAAwC;AAAA,IAChE;AAAA,EACF,GAAE;AACJ;AAGA,SAAS,YAAY,QAAQ,gBAAgB;AAC3C,MAAI,kBAAkB,oBAAoB,MAAM,IAAI,OAAO,cAAc,IAAI;AAG7E,MAAI,OAAgB,OAAO,OAAO,SAAS,CAAC,MAAM;AAClD,MAAI,OAAO,SAAS,OAAO,OAAO,SAAS,CAAC,MAAM,QAAQ,WAAW;AACrE,MAAI,QAAQ,OAAO,MAAO,OAAO,KAAK;AAEtC,SAAO,kBAAkB,QAAQ;AACnC;AAGA,SAAS,kBAAkB,QAAQ;AACjC,SAAO,OAAO,OAAO,SAAS,CAAC,MAAM,OAAO,OAAO,MAAM,GAAG,EAAE,IAAI;AACpE;AAIA,SAAS,WAAW,QAAQ,OAAO;AAKjC,MAAI,SAAS;AAGb,MAAI,UAAU,WAAY;AACxB,QAAI,SAAS,OAAO,QAAQ,IAAI;AAChC,aAAS,WAAW,KAAK,SAAS,OAAO;AACzC,WAAO,YAAY;AACnB,WAAO,SAAS,OAAO,MAAM,GAAG,MAAM,GAAG,KAAK;AAAA,EAChD,GAAE;AAEF,MAAI,mBAAmB,OAAO,CAAC,MAAM,QAAQ,OAAO,CAAC,MAAM;AAC3D,MAAI;AAGJ,MAAI;AACJ,SAAQ,QAAQ,OAAO,KAAK,MAAM,GAAI;AACpC,QAAI,SAAS,MAAM,CAAC,GAAG,OAAO,MAAM,CAAC;AACrC,mBAAgB,KAAK,CAAC,MAAM;AAC5B,cAAU,UACL,CAAC,oBAAoB,CAAC,gBAAgB,SAAS,KAC9C,OAAO,MACT,SAAS,MAAM,KAAK;AACxB,uBAAmB;AAAA,EACrB;AAEA,SAAO;AACT;AAMA,SAAS,SAAS,MAAM,OAAO;AAC7B,MAAI,SAAS,MAAM,KAAK,CAAC,MAAM,IAAK,QAAO;AAG3C,MAAI,UAAU;AACd,MAAI;AAEJ,MAAI,QAAQ,GAAG,KAAK,OAAO,GAAG,OAAO;AACrC,MAAI,SAAS;AAMb,SAAQ,QAAQ,QAAQ,KAAK,IAAI,GAAI;AACnC,WAAO,MAAM;AAEb,QAAI,OAAO,QAAQ,OAAO;AACxB,YAAO,OAAO,QAAS,OAAO;AAC9B,gBAAU,OAAO,KAAK,MAAM,OAAO,GAAG;AAEtC,cAAQ,MAAM;AAAA,IAChB;AACA,WAAO;AAAA,EACT;AAIA,YAAU;AAEV,MAAI,KAAK,SAAS,QAAQ,SAAS,OAAO,OAAO;AAC/C,cAAU,KAAK,MAAM,OAAO,IAAI,IAAI,OAAO,KAAK,MAAM,OAAO,CAAC;AAAA,EAChE,OAAO;AACL,cAAU,KAAK,MAAM,KAAK;AAAA,EAC5B;AAEA,SAAO,OAAO,MAAM,CAAC;AACvB;AAGA,SAAS,aAAa,QAAQ;AAC5B,MAAI,SAAS;AACb,MAAI,OAAO;AACX,MAAI;AAEJ,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,QAAQ,QAAU,KAAK,IAAI,KAAK;AACjE,WAAO,YAAY,QAAQ,CAAC;AAC5B,gBAAY,iBAAiB,IAAI;AAEjC,QAAI,CAAC,aAAa,YAAY,IAAI,GAAG;AACnC,gBAAU,OAAO,CAAC;AAClB,UAAI,QAAQ,MAAS,WAAU,OAAO,IAAI,CAAC;AAAA,IAC7C,OAAO;AACL,gBAAU,aAAa,UAAU,IAAI;AAAA,IACvC;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,kBAAkB,OAAO,OAAO,QAAQ;AAC/C,MAAI,UAAU,IACV,OAAU,MAAM,KAChB,OACA,QACA;AAEJ,OAAK,QAAQ,GAAG,SAAS,OAAO,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAClE,YAAQ,OAAO,KAAK;AAEpB,QAAI,MAAM,UAAU;AAClB,cAAQ,MAAM,SAAS,KAAK,QAAQ,OAAO,KAAK,GAAG,KAAK;AAAA,IAC1D;AAGA,QAAI,UAAU,OAAO,OAAO,OAAO,OAAO,KAAK,KAC1C,OAAO,UAAU,eACjB,UAAU,OAAO,OAAO,MAAM,OAAO,KAAK,GAAI;AAEjD,UAAI,YAAY,GAAI,YAAW,OAAO,CAAC,MAAM,eAAe,MAAM;AAClE,iBAAW,MAAM;AAAA,IACnB;AAAA,EACF;AAEA,QAAM,MAAM;AACZ,QAAM,OAAO,MAAM,UAAU;AAC/B;AAEA,SAAS,mBAAmB,OAAO,OAAO,QAAQ,SAAS;AACzD,MAAI,UAAU,IACV,OAAU,MAAM,KAChB,OACA,QACA;AAEJ,OAAK,QAAQ,GAAG,SAAS,OAAO,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAClE,YAAQ,OAAO,KAAK;AAEpB,QAAI,MAAM,UAAU;AAClB,cAAQ,MAAM,SAAS,KAAK,QAAQ,OAAO,KAAK,GAAG,KAAK;AAAA,IAC1D;AAGA,QAAI,UAAU,OAAO,QAAQ,GAAG,OAAO,MAAM,MAAM,OAAO,IAAI,KACzD,OAAO,UAAU,eACjB,UAAU,OAAO,QAAQ,GAAG,MAAM,MAAM,MAAM,OAAO,IAAI,GAAI;AAEhE,UAAI,CAAC,WAAW,YAAY,IAAI;AAC9B,mBAAW,iBAAiB,OAAO,KAAK;AAAA,MAC1C;AAEA,UAAI,MAAM,QAAQ,mBAAmB,MAAM,KAAK,WAAW,CAAC,GAAG;AAC7D,mBAAW;AAAA,MACb,OAAO;AACL,mBAAW;AAAA,MACb;AAEA,iBAAW,MAAM;AAAA,IACnB;AAAA,EACF;AAEA,QAAM,MAAM;AACZ,QAAM,OAAO,WAAW;AAC1B;AAEA,SAAS,iBAAiB,OAAO,OAAO,QAAQ;AAC9C,MAAI,UAAgB,IAChB,OAAgB,MAAM,KACtB,gBAAgB,OAAO,KAAK,MAAM,GAClC,OACA,QACA,WACA,aACA;AAEJ,OAAK,QAAQ,GAAG,SAAS,cAAc,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAEzE,iBAAa;AACb,QAAI,YAAY,GAAI,eAAc;AAElC,QAAI,MAAM,aAAc,eAAc;AAEtC,gBAAY,cAAc,KAAK;AAC/B,kBAAc,OAAO,SAAS;AAE9B,QAAI,MAAM,UAAU;AAClB,oBAAc,MAAM,SAAS,KAAK,QAAQ,WAAW,WAAW;AAAA,IAClE;AAEA,QAAI,CAAC,UAAU,OAAO,OAAO,WAAW,OAAO,KAAK,GAAG;AACrD;AAAA,IACF;AAEA,QAAI,MAAM,KAAK,SAAS,KAAM,eAAc;AAE5C,kBAAc,MAAM,QAAQ,MAAM,eAAe,MAAM,MAAM,OAAO,MAAM,eAAe,KAAK;AAE9F,QAAI,CAAC,UAAU,OAAO,OAAO,aAAa,OAAO,KAAK,GAAG;AACvD;AAAA,IACF;AAEA,kBAAc,MAAM;AAGpB,eAAW;AAAA,EACb;AAEA,QAAM,MAAM;AACZ,QAAM,OAAO,MAAM,UAAU;AAC/B;AAEA,SAAS,kBAAkB,OAAO,OAAO,QAAQ,SAAS;AACxD,MAAI,UAAgB,IAChB,OAAgB,MAAM,KACtB,gBAAgB,OAAO,KAAK,MAAM,GAClC,OACA,QACA,WACA,aACA,cACA;AAGJ,MAAI,MAAM,aAAa,MAAM;AAE3B,kBAAc,KAAK;AAAA,EACrB,WAAW,OAAO,MAAM,aAAa,YAAY;AAE/C,kBAAc,KAAK,MAAM,QAAQ;AAAA,EACnC,WAAW,MAAM,UAAU;AAEzB,UAAM,IAAI,UAAU,0CAA0C;AAAA,EAChE;AAEA,OAAK,QAAQ,GAAG,SAAS,cAAc,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AACzE,iBAAa;AAEb,QAAI,CAAC,WAAW,YAAY,IAAI;AAC9B,oBAAc,iBAAiB,OAAO,KAAK;AAAA,IAC7C;AAEA,gBAAY,cAAc,KAAK;AAC/B,kBAAc,OAAO,SAAS;AAE9B,QAAI,MAAM,UAAU;AAClB,oBAAc,MAAM,SAAS,KAAK,QAAQ,WAAW,WAAW;AAAA,IAClE;AAEA,QAAI,CAAC,UAAU,OAAO,QAAQ,GAAG,WAAW,MAAM,MAAM,IAAI,GAAG;AAC7D;AAAA,IACF;AAEA,mBAAgB,MAAM,QAAQ,QAAQ,MAAM,QAAQ,OACpC,MAAM,QAAQ,MAAM,KAAK,SAAS;AAElD,QAAI,cAAc;AAChB,UAAI,MAAM,QAAQ,mBAAmB,MAAM,KAAK,WAAW,CAAC,GAAG;AAC7D,sBAAc;AAAA,MAChB,OAAO;AACL,sBAAc;AAAA,MAChB;AAAA,IACF;AAEA,kBAAc,MAAM;AAEpB,QAAI,cAAc;AAChB,oBAAc,iBAAiB,OAAO,KAAK;AAAA,IAC7C;AAEA,QAAI,CAAC,UAAU,OAAO,QAAQ,GAAG,aAAa,MAAM,YAAY,GAAG;AACjE;AAAA,IACF;AAEA,QAAI,MAAM,QAAQ,mBAAmB,MAAM,KAAK,WAAW,CAAC,GAAG;AAC7D,oBAAc;AAAA,IAChB,OAAO;AACL,oBAAc;AAAA,IAChB;AAEA,kBAAc,MAAM;AAGpB,eAAW;AAAA,EACb;AAEA,QAAM,MAAM;AACZ,QAAM,OAAO,WAAW;AAC1B;AAEA,SAAS,WAAW,OAAO,QAAQ,UAAU;AAC3C,MAAI,SAAS,UAAU,OAAO,QAAQH,OAAM;AAE5C,aAAW,WAAW,MAAM,gBAAgB,MAAM;AAElD,OAAK,QAAQ,GAAG,SAAS,SAAS,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AACpE,IAAAA,QAAO,SAAS,KAAK;AAErB,SAAKA,MAAK,cAAeA,MAAK,eACzB,CAACA,MAAK,cAAgB,OAAO,WAAW,YAAc,kBAAkBA,MAAK,gBAC7E,CAACA,MAAK,aAAcA,MAAK,UAAU,MAAM,IAAI;AAEhD,UAAI,UAAU;AACZ,YAAIA,MAAK,SAASA,MAAK,eAAe;AACpC,gBAAM,MAAMA,MAAK,cAAc,MAAM;AAAA,QACvC,OAAO;AACL,gBAAM,MAAMA,MAAK;AAAA,QACnB;AAAA,MACF,OAAO;AACL,cAAM,MAAM;AAAA,MACd;AAEA,UAAIA,MAAK,WAAW;AAClB,gBAAQ,MAAM,SAASA,MAAK,GAAG,KAAKA,MAAK;AAEzC,YAAI,UAAU,KAAKA,MAAK,SAAS,MAAM,qBAAqB;AAC1D,oBAAUA,MAAK,UAAU,QAAQ,KAAK;AAAA,QACxC,WAAW,gBAAgB,KAAKA,MAAK,WAAW,KAAK,GAAG;AACtD,oBAAUA,MAAK,UAAU,KAAK,EAAE,QAAQ,KAAK;AAAA,QAC/C,OAAO;AACL,gBAAM,IAAI,UAAU,OAAOA,MAAK,MAAM,iCAAiC,QAAQ,SAAS;AAAA,QAC1F;AAEA,cAAM,OAAO;AAAA,MACf;AAEA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAKA,SAAS,UAAU,OAAO,OAAO,QAAQ,OAAO,SAAS,OAAO,YAAY;AAC1E,QAAM,MAAM;AACZ,QAAM,OAAO;AAEb,MAAI,CAAC,WAAW,OAAO,QAAQ,KAAK,GAAG;AACrC,eAAW,OAAO,QAAQ,IAAI;AAAA,EAChC;AAEA,MAAIA,QAAO,UAAU,KAAK,MAAM,IAAI;AACpC,MAAI,UAAU;AACd,MAAI;AAEJ,MAAI,OAAO;AACT,YAAS,MAAM,YAAY,KAAK,MAAM,YAAY;AAAA,EACpD;AAEA,MAAI,gBAAgBA,UAAS,qBAAqBA,UAAS,kBACvD,gBACA;AAEJ,MAAI,eAAe;AACjB,qBAAiB,MAAM,WAAW,QAAQ,MAAM;AAChD,gBAAY,mBAAmB;AAAA,EACjC;AAEA,MAAK,MAAM,QAAQ,QAAQ,MAAM,QAAQ,OAAQ,aAAc,MAAM,WAAW,KAAK,QAAQ,GAAI;AAC/F,cAAU;AAAA,EACZ;AAEA,MAAI,aAAa,MAAM,eAAe,cAAc,GAAG;AACrD,UAAM,OAAO,UAAU;AAAA,EACzB,OAAO;AACL,QAAI,iBAAiB,aAAa,CAAC,MAAM,eAAe,cAAc,GAAG;AACvE,YAAM,eAAe,cAAc,IAAI;AAAA,IACzC;AACA,QAAIA,UAAS,mBAAmB;AAC9B,UAAI,SAAU,OAAO,KAAK,MAAM,IAAI,EAAE,WAAW,GAAI;AACnD,0BAAkB,OAAO,OAAO,MAAM,MAAM,OAAO;AACnD,YAAI,WAAW;AACb,gBAAM,OAAO,UAAU,iBAAiB,MAAM;AAAA,QAChD;AAAA,MACF,OAAO;AACL,yBAAiB,OAAO,OAAO,MAAM,IAAI;AACzC,YAAI,WAAW;AACb,gBAAM,OAAO,UAAU,iBAAiB,MAAM,MAAM;AAAA,QACtD;AAAA,MACF;AAAA,IACF,WAAWA,UAAS,kBAAkB;AACpC,UAAI,SAAU,MAAM,KAAK,WAAW,GAAI;AACtC,YAAI,MAAM,iBAAiB,CAAC,cAAc,QAAQ,GAAG;AACnD,6BAAmB,OAAO,QAAQ,GAAG,MAAM,MAAM,OAAO;AAAA,QAC1D,OAAO;AACL,6BAAmB,OAAO,OAAO,MAAM,MAAM,OAAO;AAAA,QACtD;AACA,YAAI,WAAW;AACb,gBAAM,OAAO,UAAU,iBAAiB,MAAM;AAAA,QAChD;AAAA,MACF,OAAO;AACL,0BAAkB,OAAO,OAAO,MAAM,IAAI;AAC1C,YAAI,WAAW;AACb,gBAAM,OAAO,UAAU,iBAAiB,MAAM,MAAM;AAAA,QACtD;AAAA,MACF;AAAA,IACF,WAAWA,UAAS,mBAAmB;AACrC,UAAI,MAAM,QAAQ,KAAK;AACrB,oBAAY,OAAO,MAAM,MAAM,OAAO,OAAO,OAAO;AAAA,MACtD;AAAA,IACF,WAAWA,UAAS,sBAAsB;AACxC,aAAO;AAAA,IACT,OAAO;AACL,UAAI,MAAM,YAAa,QAAO;AAC9B,YAAM,IAAI,UAAU,4CAA4CA,KAAI;AAAA,IACtE;AAEA,QAAI,MAAM,QAAQ,QAAQ,MAAM,QAAQ,KAAK;AAc3C,eAAS;AAAA,QACP,MAAM,IAAI,CAAC,MAAM,MAAM,MAAM,IAAI,MAAM,CAAC,IAAI,MAAM;AAAA,MACpD,EAAE,QAAQ,MAAM,KAAK;AAErB,UAAI,MAAM,IAAI,CAAC,MAAM,KAAK;AACxB,iBAAS,MAAM;AAAA,MACjB,WAAW,OAAO,MAAM,GAAG,EAAE,MAAM,sBAAsB;AACvD,iBAAS,OAAO,OAAO,MAAM,EAAE;AAAA,MACjC,OAAO;AACL,iBAAS,OAAO,SAAS;AAAA,MAC3B;AAEA,YAAM,OAAO,SAAS,MAAM,MAAM;AAAA,IACpC;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,uBAAuB,QAAQ,OAAO;AAC7C,MAAI,UAAU,CAAC,GACX,oBAAoB,CAAC,GACrB,OACA;AAEJ,cAAY,QAAQ,SAAS,iBAAiB;AAE9C,OAAK,QAAQ,GAAG,SAAS,kBAAkB,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAC7E,UAAM,WAAW,KAAK,QAAQ,kBAAkB,KAAK,CAAC,CAAC;AAAA,EACzD;AACA,QAAM,iBAAiB,IAAI,MAAM,MAAM;AACzC;AAEA,SAAS,YAAY,QAAQ,SAAS,mBAAmB;AACvD,MAAI,eACA,OACA;AAEJ,MAAI,WAAW,QAAQ,OAAO,WAAW,UAAU;AACjD,YAAQ,QAAQ,QAAQ,MAAM;AAC9B,QAAI,UAAU,IAAI;AAChB,UAAI,kBAAkB,QAAQ,KAAK,MAAM,IAAI;AAC3C,0BAAkB,KAAK,KAAK;AAAA,MAC9B;AAAA,IACF,OAAO;AACL,cAAQ,KAAK,MAAM;AAEnB,UAAI,MAAM,QAAQ,MAAM,GAAG;AACzB,aAAK,QAAQ,GAAG,SAAS,OAAO,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAClE,sBAAY,OAAO,KAAK,GAAG,SAAS,iBAAiB;AAAA,QACvD;AAAA,MACF,OAAO;AACL,wBAAgB,OAAO,KAAK,MAAM;AAElC,aAAK,QAAQ,GAAG,SAAS,cAAc,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AACzE,sBAAY,OAAO,cAAc,KAAK,CAAC,GAAG,SAAS,iBAAiB;AAAA,QACtE;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,OAAO,OAAO,SAAS;AAC9B,YAAU,WAAW,CAAC;AAEtB,MAAI,QAAQ,IAAI,MAAM,OAAO;AAE7B,MAAI,CAAC,MAAM,OAAQ,wBAAuB,OAAO,KAAK;AAEtD,MAAI,QAAQ;AAEZ,MAAI,MAAM,UAAU;AAClB,YAAQ,MAAM,SAAS,KAAK,EAAE,IAAI,MAAM,GAAG,IAAI,KAAK;AAAA,EACtD;AAEA,MAAI,UAAU,OAAO,GAAG,OAAO,MAAM,IAAI,EAAG,QAAO,MAAM,OAAO;AAEhE,SAAO;AACT;AAEA,IAAI,SAAS;AAEb,IAAI,SAAS;AAAA,EACZ,MAAM;AACP;AAEA,SAAS,QAAQ,MAAM,IAAI;AACzB,SAAO,WAAY;AACjB,UAAM,IAAI,MAAM,mBAAmB,OAAO,wCAC1B,KAAK,yCAAyC;AAAA,EAChE;AACF;AASA,IAAI,OAAsB,OAAO;AACjC,IAAI,UAAsB,OAAO;AACjC,IAAI,OAAsB,OAAO;AAqBjC,IAAI,WAAsB,QAAQ,YAAY,MAAM;AACpD,IAAI,cAAsB,QAAQ,eAAe,SAAS;AAC1D,IAAI,WAAsB,QAAQ,YAAY,MAAM;;;ACpvHpD,gBAA6B;;;ACctB,SAAS,eAAe,QAAmC;AAChE,QAAM,SAA4B,CAAC;AAEnC,MAAI,CAAC,UAAU,OAAO,WAAW,UAAU;AACzC,WAAO,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,IAAI,SAAS,2BAA2B,CAAC,EAAE;AAAA,EACrF;AAEA,QAAM,IAAI;AAGV,MAAI,OAAO,EAAE,YAAY,UAAU;AACjC,WAAO,KAAK,EAAE,MAAM,WAAW,SAAS,2CAA2C,CAAC;AAAA,EACtF;AACA,MAAI,OAAO,EAAE,SAAS,UAAU;AAC9B,WAAO,KAAK,EAAE,MAAM,QAAQ,SAAS,wCAAwC,CAAC;AAAA,EAChF;AAGA,MAAI,CAAC,MAAM,QAAQ,EAAE,QAAQ,GAAG;AAC9B,WAAO,KAAK,EAAE,MAAM,YAAY,SAAS,4CAA4C,CAAC;AAAA,EACxF,OAAO;AACL,MAAE,SAAS,QAAQ,CAAC,SAAkB,MAAc;AAClD,aAAO,KAAK,GAAG,gBAAgB,SAAS,YAAY,CAAC,GAAG,CAAC;AAAA,IAC3D,CAAC;AAAA,EACH;AAGA,MAAI,EAAE,UAAU,QAAW;AACzB,WAAO,KAAK,GAAG,cAAc,EAAE,OAAO,OAAO,CAAC;AAAA,EAChD;AAGA,MAAI,EAAE,WAAW,QAAW;AAC1B,WAAO,KAAK,GAAG,eAAe,EAAE,QAAQ,QAAQ,CAAC;AAAA,EACnD;AAGA,MAAI,EAAE,mBAAmB,QAAW;AAClC,WAAO,KAAK,GAAG,uBAAuB,EAAE,gBAAgB,gBAAgB,CAAC;AAAA,EAC3E;AAEA,SAAO,EAAE,OAAO,OAAO,WAAW,GAAG,OAAO;AAC9C;AAEA,SAAS,gBAAgB,SAAkB,MAAiC;AAC1E,QAAM,SAA4B,CAAC;AAEnC,MAAI,CAAC,WAAW,OAAO,YAAY,UAAU;AAC3C,WAAO,CAAC,EAAE,MAAM,SAAS,4BAA4B,CAAC;AAAA,EACxD;AAEA,QAAM,IAAI;AAEV,MAAI,OAAO,EAAE,OAAO,YAAY,CAAC,EAAE,IAAI;AACrC,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,OAAO,SAAS,gDAAgD,CAAC;AAAA,EAC9F;AAEA,MAAI,OAAO,EAAE,YAAY,WAAW;AAClC,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,YAAY,SAAS,4CAA4C,CAAC;AAAA,EAC/F;AAEA,MAAI,EAAE,YAAY,UAAa,CAAC,cAAc,EAAE,OAAO,GAAG;AACxD,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,YAAY,SAAS,sCAAsC,CAAC;AAAA,EACzF;AAEA,MAAI,EAAE,oBAAoB,UAAa,CAAC,cAAc,EAAE,eAAe,GAAG;AACxE,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,oBAAoB,SAAS,8CAA8C,CAAC;AAAA,EACzG;AAEA,MAAI,EAAE,qBAAqB,UAAa,OAAO,EAAE,qBAAqB,WAAW;AAC/E,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,qBAAqB,SAAS,qCAAqC,CAAC;AAAA,EACjG;AAEA,SAAO;AACT;AAEA,SAAS,cAAc,OAAgB,MAAiC;AACtE,QAAM,SAA4B,CAAC;AAEnC,MAAI,OAAO,UAAU,YAAY,UAAU,MAAM;AAC/C,WAAO,CAAC,EAAE,MAAM,SAAS,0BAA0B,CAAC;AAAA,EACtD;AAEA,QAAM,IAAI;AAEV,aAAW,SAAS,CAAC,kBAAkB,kBAAkB,kBAAkB,GAAG;AAC5E,QAAI,EAAE,KAAK,MAAM,UAAa,CAAC,cAAc,EAAE,KAAK,CAAC,GAAG;AACtD,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,IAAI,KAAK,IAAI,SAAS,GAAG,KAAK,+BAA+B,CAAC;AAAA,IAC3F;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,eAAe,QAAiB,MAAiC;AACxE,QAAM,SAA4B,CAAC;AAEnC,MAAI,OAAO,WAAW,YAAY,WAAW,MAAM;AACjD,WAAO,CAAC,EAAE,MAAM,SAAS,2BAA2B,CAAC;AAAA,EACvD;AAEA,QAAM,IAAI;AAEV,MAAI,EAAE,yBAAyB,UAAa,OAAO,EAAE,yBAAyB,UAAU;AACtF,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,yBAAyB,SAAS,wCAAwC,CAAC;AAAA,EACxG;AAEA,MAAI,EAAE,uBAAuB,UAAa,OAAO,EAAE,uBAAuB,UAAU;AAClF,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,uBAAuB,SAAS,sCAAsC,CAAC;AAAA,EACpG;AAEA,MAAI,EAAE,aAAa,UAAa,OAAO,EAAE,aAAa,UAAU;AAC9D,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,aAAa,SAAS,4BAA4B,CAAC;AAAA,EAChF;AAEA,SAAO;AACT;AAEA,SAAS,uBAAuB,YAAqB,MAAiC;AACpF,QAAM,SAA4B,CAAC;AAEnC,MAAI,OAAO,eAAe,YAAY,eAAe,MAAM;AACzD,WAAO,CAAC,EAAE,MAAM,SAAS,mCAAmC,CAAC;AAAA,EAC/D;AAEA,QAAM,IAAI;AAEV,aAAW,SAAS,CAAC,aAAa,mBAAmB,WAAW,GAAY;AAC1E,QAAI,CAAC,EAAE,KAAK,KAAK,OAAO,EAAE,KAAK,MAAM,UAAU;AAC7C,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,IAAI,KAAK,IAAI,SAAS,GAAG,KAAK,sDAAsD,CAAC;AAChH;AAAA,IACF;AAEA,UAAM,IAAI,EAAE,KAAK;AACjB,QAAI,OAAO,EAAE,QAAQ,YAAY,OAAO,EAAE,QAAQ,UAAU;AAC1D,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,IAAI,KAAK,IAAI,SAAS,GAAG,KAAK,iCAAiC,CAAC;AAAA,IAC7F,WAAW,EAAE,MAAM,EAAE,KAAK;AACxB,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,IAAI,KAAK,IAAI,SAAS,GAAG,KAAK,mBAAmB,KAAK,OAAO,CAAC;AAAA,IAC3F;AAAA,EACF;AAGA,MAAI,sBAAsB,CAAC,GAAG;AAC5B,UAAM,eAAe;AACrB,QAAI,aAAa,UAAU,MAAM,MAAM,aAAa,gBAAgB,KAAK;AACvE,aAAO,KAAK;AAAA,QACV,MAAM,GAAG,IAAI;AAAA,QACb,SAAS,8BAA8B,aAAa,UAAU,GAAG,8BAA8B,aAAa,gBAAgB,GAAG;AAAA,MACjI,CAAC;AAAA,IACH;AACA,QAAI,aAAa,gBAAgB,MAAM,MAAM,aAAa,UAAU,KAAK;AACvE,aAAO,KAAK;AAAA,QACV,MAAM,GAAG,IAAI;AAAA,QACb,SAAS,oCAAoC,aAAa,gBAAgB,GAAG,wBAAwB,aAAa,UAAU,GAAG;AAAA,MACjI,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,cAAc,KAA+B;AACpD,SAAO,MAAM,QAAQ,GAAG,KAAK,IAAI,MAAM,CAAC,MAAM,OAAO,MAAM,QAAQ;AACrE;AAEA,SAAS,sBAAsB,GAAqC;AAClE,aAAW,OAAO,CAAC,aAAa,mBAAmB,WAAW,GAAG;AAC/D,UAAM,IAAI,EAAE,GAAG;AACf,QAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;AACxC,UAAM,QAAQ;AACd,QAAI,OAAO,MAAM,QAAQ,YAAY,OAAO,MAAM,QAAQ,SAAU,QAAO;AAAA,EAC7E;AACA,SAAO;AACT;;;AD9KO,SAAS,UAAU,aAAkC;AAC1D,MAAI;AAEJ,MAAI;AACF,aAAc,KAAK,WAAW;AAAA,EAChC,SAAS,KAAK;AACZ,UAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,IAAI,SAAS,qBAAqB,OAAO,GAAG,CAAC,EAAE;AAAA,MAC5F,SAAS;AAAA,IACX;AAAA,EACF;AAEA,QAAM,aAAa,eAAe,MAAM;AAExC,MAAI,CAAC,WAAW,OAAO;AACrB,WAAO,EAAE,QAAQ,MAAM,YAAY,SAAS,YAAY;AAAA,EAC1D;AAEA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR;AAAA,IACA,SAAS;AAAA,EACX;AACF;AAKO,SAAS,UAAU,UAA+B;AACvD,MAAI;AAEJ,MAAI;AACF,kBAAU,wBAAa,UAAU,OAAO;AAAA,EAC1C,SAAS,KAAK;AACZ,UAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,IAAI,SAAS,+BAA+B,OAAO,GAAG,CAAC,EAAE;AAAA,IACxG;AAAA,EACF;AAEA,SAAO,UAAU,OAAO;AAC1B;;;AErDO,SAAS,cAAc,QAAgD;AAC5E,MAAI,OAAO,QAAQ;AACjB,WAAO,IAAI,eAAe,OAAO,MAAM;AAAA,EACzC;AAEA,MAAI,OAAO,YAAY;AACrB,UAAM,SAAS,UAAU,OAAO,UAAU;AAC1C,QAAI,CAAC,OAAO,QAAQ;AAClB,YAAM,SAAS,OAAO,WAAW,OAAO,IAAI,CAAC,MAAM,GAAG,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE,EAAE,KAAK,IAAI;AACvF,YAAM,IAAI,MAAM,uBAAuB,OAAO,UAAU,KAAK,MAAM,EAAE;AAAA,IACvE;AACA,WAAO,IAAI,eAAe,OAAO,MAAM;AAAA,EACzC;AAEA,QAAM,IAAI,MAAM,2DAA2D;AAC7E;AAKO,SAAS,YAAY,WAA2B,SAA6C;AAClG,SAAO,UAAU,SAAS,OAAO;AACnC;;;ACnBO,IAAM,yBAAsD;AAAA,EACjE,MAAM;AAAA,EACN,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,UAAU;AAAA,EACV,MAAM;AAAA,EACN,UAAU;AACZ;AAuCO,SAAS,cAAc,OAA2B;AACvD,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,SAAO;AACT;;;AChDO,IAAM,cAAc;;;ACc3B,IAAM,iBAAyC;AAAA,EAC7C,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA,EAKZ,oBAAoB;AAAA;AAAA,EAEpB,UAAU;AAAA;AAAA,EACV,OAAO;AACT;AAOA,IAAI,qBAAqB;AAGzB,IAAI,0BAA0B;AAE9B,eAAe,iBAAiB,YAAoB,OAAgC;AAClF,uBAAqB;AACrB,MAAI;AACF,UAAM,WAAW,GAAG,UAAU;AAK9B,UAAM,WAAW,MAAM,MAAM,UAAU,EAAE,QAAQ,OAAO,CAAC;AACzD,UAAM,cAAc,SAAS,QAAQ,IAAI,cAAc,KAAK;AAC5D,QAAI,YAAY,WAAW,WAAW,GAAG;AACvC,cAAQ;AAAA,QACN,qCAAqC,UAAU,kCAAkC,WAAW;AAAA,MAI9F;AAAA,IACF,WAAW,OAAO;AAChB,cAAQ;AAAA,QACN,+CAA+C,UAAU,mBAAmB,WAAW;AAAA,MACzF;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,QAAI,OAAO;AACT,cAAQ,IAAI,2DAA2D,OAAO,GAAG,CAAC,EAAE;AAAA,IACtF;AAAA,EACF;AACF;AAKA,IAAM,oBAAoB,oBAAI,IAA+D;AAK7F,SAAS,YAAY,aAAuC;AAC1D,SAAO,GAAG,YAAY,WAAW,EAAE,IAAI,YAAY,UAAU,EAAE,IAAI,YAAY,OAAO,EAAE;AAC1F;AAKA,SAAS,gBAAgB,aAA0D;AACjF,QAAM,MAAM,YAAY,WAAW;AACnC,QAAM,SAAS,kBAAkB,IAAI,GAAG;AAExC,MAAI,UAAU,OAAO,YAAY,KAAK,IAAI,GAAG;AAC3C,WAAO,OAAO;AAAA,EAChB;AAEA,MAAI,QAAQ;AACV,sBAAkB,OAAO,GAAG;AAAA,EAC9B;AAEA,SAAO;AACT;AAKA,SAAS,YACP,aACA,QACA,YACM;AACN,QAAM,MAAM,YAAY,WAAW;AACnC,oBAAkB,IAAI,KAAK;AAAA,IACzB;AAAA,IACA,WAAW,KAAK,IAAI,IAAI,aAAa;AAAA,EACvC,CAAC;AACH;AAwFA,SAAS,uBACP,QACA,QACA,UAA+D,CAAC,GAC5C;AACpB,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,aAAa,WAAW;AAE9B,QAAM,WAAyB,aAC3B;AAAA,IACE,SACE;AAAA,IACF,iBAAiB,GAAG,OAAO,WAAW,QAAQ,QAAQ,EAAE,CAAC;AAAA,IACzD,kBAAkB,GAAG,OAAO,WAAW,QAAQ,QAAQ,EAAE,CAAC;AAAA,IAC1D,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF,IACA;AAAA,IACE,SACE;AAAA,IACF,iBAAiB,GAAG,OAAO,WAAW,QAAQ,QAAQ,EAAE,CAAC;AAAA,IACzD,kBAAkB,GAAG,OAAO,WAAW,QAAQ,QAAQ,EAAE,CAAC;AAAA,IAC1D,OAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEJ,SAAO;AAAA;AAAA;AAAA;AAAA,IAIL,kBAAkB;AAAA,IAClB,eAAe;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOf,aAAa;AAAA,IACb;AAAA,IACA,eAAe,SAAS,CAAC,MAAM,IAAI,CAAC,qCAAqC;AAAA;AAAA;AAAA;AAAA;AAAA,IAKzE,UAAU,aACN;AAAA,MACE;AAAA,QACE,WAAW;AAAA,QACX,SAAS,UAAU;AAAA,QACnB,UAAU,SAAS;AAAA,MACrB;AAAA,IACF,IACA;AAAA,IACJ,eAAe,QAAQ;AAAA,IACvB,YAAY,oBAAI,KAAK;AAAA,EACvB;AACF;AAKA,eAAe,oBACb,QACA,SAqFC;AACD,QAAM,EAAE,aAAa,GAAG,YAAY,IAAI;AAIxC,QAAM,OAAgC;AAAA,IACpC,GAAI,YAAY,WAAW,EAAE,SAAS,YAAY,QAAQ;AAAA,IAC1D,SAAS,YAAY,WAAW;AAAA,EAClC;AAGA,MAAI,YAAY,OAAQ,MAAK,SAAS,YAAY;AAClD,MAAI,YAAY,aAAc,MAAK,eAAe,YAAY;AAC9D,MAAI,YAAY,SAAU,MAAK,WAAW,YAAY;AACtD,MAAI,YAAY,aAAc,MAAK,eAAe,YAAY;AAC9D,MAAI,YAAY,iBAAkB,MAAK,mBAAmB,YAAY;AACtE,MAAI,YAAY,SAAU,MAAK,WAAW,YAAY;AACtD,MAAI,YAAY,kBAAmB,MAAK,oBAAoB,YAAY;AACxE,MAAI,YAAY,cAAe,MAAK,gBAAgB,YAAY;AAChE,MAAI,YAAY,kBAAkB,OAAW,MAAK,gBAAgB,YAAY;AAE9E,MAAI,YAAY;AACd,SAAK,yBAAyB,YAAY;AAC5C,MAAI,YAAY,cAAe,MAAK,gBAAgB,YAAY;AAChE,MAAI,YAAY,iBAAkB,MAAK,mBAAmB,YAAY;AACtE,MAAI,YAAY,iBAAkB,MAAK,mBAAmB,YAAY;AACtE,MAAI,YAAY,gBAAiB,MAAK,kBAAkB,YAAY;AACpE,MAAI,OAAO,eAAgB,MAAK,iBAAiB,OAAO;AACxD,MAAI,YAAY;AACd,SAAK,0BAA0B,YAAY;AAG7C,MAAI,YAAY,mBAAoB,MAAK,qBAAqB,YAAY;AAS1E,OAAK,aAAa;AAIlB,MAAI,YAAY,kBAAkB,YAAY,YAAY,YAAY,WAAW;AAC/E,UAAM,OAAO;AAAA,MACX,GAAI,YAAY,YAAY,EAAE,UAAU,YAAY,SAAS;AAAA,MAC7D,GAAI,YAAY,aAAa,EAAE,WAAW,YAAY,UAAU;AAAA,MAChE,GAAG,YAAY;AAAA,IACjB;AACA,QAAI,OAAO,KAAK,IAAI,EAAE,SAAS,EAAG,MAAK,iBAAiB;AAAA,EAC1D;AAGA,QAAM,UAAkC;AAAA,IACtC,gBAAgB;AAAA,IAChB,GAAG,OAAO;AAAA,EACZ;AAKA,MAAI,YAAY,qBAAqB;AACnC,YAAQ,eAAe,IAAI,YAAY;AAAA,EACzC,WAAW,OAAO,QAAQ;AACxB,YAAQ,eAAe,IAAI,UAAU,OAAO,MAAM;AAAA,EACpD;AAEA,MAAI,OAAO,QAAQ;AACjB,YAAQ,WAAW,IAAI,OAAO;AAAA,EAChC;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,GAAG,OAAO,UAAU,yBAAyB;AAAA,MACxE,QAAQ;AAAA,MACR;AAAA,MACA,MAAM,KAAK,UAAU,IAAI;AAAA,IAC3B,CAAC;AAED,UAAM,OAAO,MAAM,SAAS,KAAK;AAMjC,QAAI,SAAS,WAAW,KAAK;AAC3B,aAAO;AAAA,QACL,SAAS;AAAA,QACT,QAAQ;AAAA,UACN,SAAS;AAAA,UACT,aAAa;AAAA,UACb,QAAQ;AAAA,UACR,UAAU;AAAA,YACR;AAAA,cACE,WAAW;AAAA,cACX,SACE,OAAO,MAAM,YAAY,WAAW,KAAK,UAAU;AAAA,cACrD,UACE,OAAO,MAAM,aAAa,WACtB,KAAK,WACL;AAAA,YACR;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,SAAS,IAAI;AAIhB,aAAO;AAAA,QACL,SAAS;AAAA,QACT,OAAO,KAAK,WAAW,KAAK,SAAS,gBAAgB,SAAS,MAAM;AAAA,QACpE,eAAe,OAAO,MAAM,kBAAkB,WAAW,KAAK,gBAAgB;AAAA,MAChF;AAAA,IACF;AAEA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,UAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,qCAAqC,OAAO;AAAA,IACrD;AAAA,EACF;AACF;AAKA,eAAsB,OACpB,QACA,SAC6B;AAC7B,QAAM,eAAe,EAAE,GAAG,gBAAgB,GAAG,OAAO;AAGpD,MAAI,CAAC,sBAAsB,CAAC,aAAa,qBAAqB,aAAa,YAAY;AACrF,SAAK,iBAAiB,aAAa,YAAY,aAAa,KAAK;AAAA,EACnE;AAGA,MACE,CAAC,4BACA,OAAO,kBAAkB,UAAa,OAAO,yBAAyB,SACvE;AACA,8BAA0B;AAC1B,YAAQ;AAAA,MACN;AAAA,IAIF;AAAA,EACF;AAQA,MAAI,aAAa,YAAY,aAAa,WAAW,GAAG;AACtD,UAAM,SAAS,gBAAgB,QAAQ,WAAW;AAClD,QAAI,QAAQ;AACV,UAAI,aAAa,OAAO;AACtB,gBAAQ,IAAI,+CAA+C;AAAA,MAC7D;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAGA,QAAM,kBAAkB,EAAE,GAAG,QAAQ;AACrC,MAAI,CAAC,gBAAgB,mBAAmB,aAAa,iBAAiB;AACpE,oBAAgB,kBAAkB,aAAa;AAAA,EACjD;AACA,MAAI,CAAC,gBAAgB,oBAAoB,aAAa,kBAAkB;AACtE,oBAAgB,mBAAmB,aAAa;AAAA,EAClD;AAGA,MAAI,aAAa,OAAO;AACtB,YAAQ,IAAI,iDAAiD;AAAA,EAC/D;AAEA,QAAM,cAAc,MAAM,oBAAoB,cAAc,eAAe;AAG3E,MAAI,CAAC,YAAY,SAAS;AAMxB,WAAO,uBAAuB,cAAc,YAAY,OAAO;AAAA,MAC7D,QAAQ;AAAA,MACR,eAAgB,YAA2C;AAAA,IAC7D,CAAC;AAAA,EACH;AAGA,MAAI,CAAC,YAAY,QAAQ,SAAS;AAIhC,UAAM,qBAAsB,YAAY,QACpC;AAMJ,UAAM,wBACH,YAAY,qBAA8D,eAC3E;AACF,UAAMI,UAAqC;AAAA,MACzC,kBAAkB;AAAA,MAClB,eAAe;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQf,aAAa;AAAA,MACb,eACE,sBAAsB,mBAAmB,SAAS,IAC9C,mBAAmB,IAAI,CAAC,MAAM,EAAE,OAAO,IACvC,YAAY,QAAQ,SAClB,CAAC,YAAY,OAAO,MAAM,IAC1B,CAAC,eAAe;AAAA,MACxB,UAAU;AAAA,MACV,gBAAgB,YAAY,QAAQ;AAAA,MACpC,kBAAkB,YAAY,QAAQ;AAAA,MACtC,UAAU;AAAA,QACR,SAAS,YAAY,QAAQ,UAAU;AAAA,QACvC,iBAAiB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,QAChE,kBAAkB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,MACnE;AAAA,MACA,YAAY,oBAAI,KAAK;AAAA;AAAA,MAErB,WAAY,YAAwC;AAAA;AAAA;AAAA,MAGpD,eAAgB,YAAwC;AAAA,MACxD,gBAAiB,YACd;AAAA,MACH,uBAAwB,YAAwC;AAAA,IAGlE;AAEA,WAAOA;AAAA,EACT;AAGA,QAAM,QAAmC,YAAY,QACjD;AAAA,IACE,SAAS,YAAY,MAAM;AAAA,IAC3B,MAAM,YAAY,MAAM;AAAA,IACxB,YAAY,YAAY,MAAM;AAAA,IAC9B,YAAY,cAAc,YAAY,MAAM,UAAU;AAAA,IACtD,oBAAoB,YAAY,MAAM,qBAAqB;AAAA,IAC3D,QAAQ,YAAY,MAAM;AAAA,EAC5B,IACA;AAEJ,QAAM,YAA2C,YAAY,YACzD;AAAA,IACE,UAAU,YAAY,UAAU;AAAA,IAChC,MAAM,YAAY,UAAU;AAAA,IAC5B,YAAY,YAAY,UAAU,cAAc;AAAA,IAChD,UAAU,YAAY,UAAU;AAAA,EAClC,IACA;AAEJ,QAAM,eAAiD,YAAY,eAC/D;AAAA,IACE,MAAM,YAAY,aAAa;AAAA,IAC/B,UAAU,YAAY,aAAa;AAAA,IACnC,YAAY,YAAY,aAAa;AAAA,EACvC,IACA;AAKJ,QAAM,sBAAsB,YAAY;AAMxC,QAAM,cAA2B,YAAY,QAAQ,eAAe;AAEpE,QAAM,SAAqC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMzC,kBACG,YAAY,qBAA8D,eAC3E;AAAA,IACF,eAAe;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,eAAe,YAAY,QAAQ;AAAA,IACnC;AAAA,IACA,gBAAgB,YAAY,QAAQ;AAAA,IACpC,kBAAkB,YAAY,QAAQ;AAAA,IACtC,YAAY,oBAAI,KAAK;AAAA,IACrB,UAAU,aAAa;AAAA;AAAA,IAEvB,WAAY,YAAwC;AAAA;AAAA;AAAA,IAGpD,eAAgB,YAAwC;AAAA,IACxD,kBAAmB,YAAwC;AAAA,IAG3D,eAAgB,YAAwC;AAAA,IAGxD,gBAAiB,YACd;AAAA,IACH,uBAAwB,YAAwC;AAAA,IAGhE,eAAgB,YAAwC;AAAA,EAG1D;AAGA,MAAI,OAAO,mBAAmB,QAAQ;AAKpC,WAAO,gBAAgB;AACvB,WAAO,cAAc;AACrB,WAAO,gBAAgB,OAAO,yBAAyB;AAAA,MACrD;AAAA,IACF;AACA,QAAI,OAAO,kBAAkB;AAC3B,aAAO,WAAW;AAAA,QAChB,SAAS,wBAAwB,OAAO,iBAAiB,UAAU,0BAA0B;AAAA,QAC7F,iBAAiB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,QAChE,kBAAkB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,MACnE;AAAA,IACF;AAAA,EACF,WAAW,OAAO,mBAAmB,oBAAoB;AACvD,WAAO,iBAAiB;AACxB,QAAI,uBAAuB,OAAO,WAAW,IAAI,uBAAuB,WAAW,GAAG;AACpF,aAAO,cAAc;AAAA,IACvB;AACA,WAAO,gBAAgB,OAAO,yBAAyB,CAAC,+BAA+B;AAAA,EACzF;AAGA,MAAI,aAAa,YAAY,aAAa,WAAW,KAAK,OAAO,mBAAmB,QAAQ;AAC1F,gBAAY,QAAQ,aAAa,QAAQ,aAAa,QAAQ;AAAA,EAChE;AAEA,SAAO;AACT;;;ACtiBA,IAAM,4BAA4B,IAAI,KAAK;;;AC+H3C,IAAMC,6BAA4B,IAAI,KAAK;;;AC5S3C,gCAAgC;;;ACHhC,qCAAgE;;;ACIhE,oBAA4C;AAC5C,yBAA2B;;;ACL3B,IAAAC,sBAA4C;;;ACC5C,IAAAC,iBAAgC;AAChC,IAAAC,sBAA2B;;;ACW3B,kBAA+C;;;AChB/C,IAAAC,eAA2B;;;ACG3B,qBAMO;AACP,mBAAiC;;;ACKjC,IAAAC,sBAAsC;;;ACnBtC,kBAA6C;;;ACS7C,SAAS,gBAAgB,QAA+C;AACtE,SAAO;AAAA,IACL,YAAY,OAAO,cAAc;AAAA,IACjC,QAAQ,OAAO;AAAA,IACf,oBAAoB,OAAO;AAAA,IAC3B,eAAe,OAAO;AAAA,IACtB,sBAAsB,OAAO;AAAA,IAC7B,UAAU,OAAO;AAAA,IACjB,OAAO,OAAO;AAAA,IACd,eAAe,OAAO;AAAA,IACtB,iBAAiB,OAAO;AAAA,IACxB,kBAAkB,OAAO;AAAA,EAC3B;AACF;AAKA,SAAS,sBAAsB,SAAuB,SAAuC;AAC3F,SAAO;AAAA,IACL,aAAa,EAAE,QAAQ;AAAA,IACvB,SAAS,QAAQ;AAAA,IACjB,QAAQ,QAAQ;AAAA,IAChB,cAAc,QAAQ;AAAA,IACtB,UAAU,QAAQ;AAAA,IAClB,kBAAkB,QAAQ;AAAA,IAC1B,UAAU,QAAQ;AAAA,IAClB,eAAe;AAAA,EACjB;AACF;AAKA,SAAS,WAAW,QAAkD;AAEpE,MAAI,OAAO,oBAAoB,OAAO,eAAe;AACnD,WAAO;AAAA,MACL,gBAAgB;AAAA,MAChB,QAAQ,+BAA+B,OAAO,WAAW;AAAA,MACzD,YAAY,OAAO,OAAO;AAAA,MAC1B,WACE,eAAe,SACT,OAAmC,YACrC;AAAA,IACR;AAAA,EACF;AAEA,MAAI,OAAO,kBAAkB,OAAO,kBAAkB;AACpD,WAAO;AAAA,MACL,gBAAgB;AAAA,MAChB,QAAQ,OAAO,gBAAgB,CAAC,KAAK;AAAA,MACrC,YAAY,OAAO,OAAO;AAAA,IAC5B;AAAA,EACF;AAEA,SAAO;AAAA,IACL,gBAAgB;AAAA,IAChB,QAAQ,OAAO,gBAAgB,CAAC,KAAK;AAAA,IACrC,YAAY,OAAO,OAAO;AAAA,EAC5B;AACF;AAKA,eAAsB,aACpB,QACA,SACA,SAC+B;AAC/B,QAAM,gBAAgB,gBAAgB,MAAM;AAC5C,QAAM,UAAU,sBAAsB,SAAS,OAAO;AACtD,QAAM,SAAS,MAAM,OAAO,eAAe,OAAO;AAClD,SAAO,WAAW,MAAM;AAC1B;;;AClFA,IAAAC,aAAmE;AACnE,kBAAwB;AAKxB,IAAM,iBAAiB;AACvB,IAAM,cAAc;AAEb,IAAM,kBAAN,MAAsB;AAAA,EAO3B,YAAY,QAAgC,aAAsB;AANlE,SAAQ,QAA0B,CAAC;AACnC,SAAQ,QAA+C;AAEvD,SAAQ,aAAa;AACrB,SAAQ,cAA6B;AAGnC,SAAK,SAAS;AACd,SAAK,cAAc,eAAe;AAClC,SAAK,aAAa;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAA0B;AAC9B,QAAI,KAAK,MAAO;AAChB,SAAK,QAAQ,YAAY,MAAM,KAAK,MAAM,GAAG,UAAU;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAsB;AAC1B,QAAI,KAAK,OAAO;AACd,oBAAc,KAAK,KAAK;AACxB,WAAK,QAAQ;AAAA,IACf;AACA,UAAM,KAAK,MAAM;AACjB,SAAK,WAAW;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA,EAKA,QAAQ,SAAuB,UAAsC;AACnE,QAAI,KAAK,MAAM,UAAU,gBAAgB;AAEvC,WAAK,MAAM,MAAM;AAAA,IACnB;AAEA,SAAK,MAAM,KAAK;AAAA,MACd,IAAI,GAAG,KAAK,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,GAAG,CAAC,CAAC;AAAA,MAC3D;AAAA,MACA;AAAA,MACA,WAAW,oBAAI,KAAK;AAAA,MACpB,YAAY;AAAA,MACZ,QAAQ;AAAA,IACV,CAAC;AAED,SAAK,WAAW;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAuB;AAC3B,QAAI,KAAK,WAAY;AACrB,SAAK,aAAa;AAElB,QAAI;AACF,YAAM,UAAU,KAAK,MAAM,OAAO,CAAC,MAAM,EAAE,WAAW,SAAS;AAE/D,iBAAW,SAAS,SAAS;AAC3B,YAAI;AACF,gBAAM,aAAa,KAAK,QAAQ,MAAM,OAAO;AAC7C,gBAAM,SAAS;AAAA,QACjB,QAAQ;AACN,gBAAM;AACN,cAAI,MAAM,cAAc,aAAa;AACnC,kBAAM,SAAS;AAAA,UACjB;AAAA,QACF;AAAA,MACF;AAGA,WAAK,QAAQ,KAAK,MAAM,OAAO,CAAC,MAAM,EAAE,WAAW,SAAS;AAC5D,WAAK,WAAW;AAAA,IAClB,UAAE;AACA,WAAK,aAAa;AAAA,IACpB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,YAAgD;AAC9C,WAAO;AAAA,MACL,SAAS,KAAK,MAAM,OAAO,CAAC,MAAM,EAAE,WAAW,SAAS,EAAE;AAAA,MAC1D,OAAO,KAAK,MAAM;AAAA,IACpB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAqB;AAC3B,QAAI,CAAC,KAAK,YAAa;AAEvB,QAAI;AACF,UAAI,KAAC,uBAAW,KAAK,WAAW,EAAG;AACnC,YAAM,WAAO,yBAAa,KAAK,aAAa,OAAO;AACnD,YAAM,UAAU,KAAK,MAAM,IAAI;AAE/B,WAAK,QAAQ,QACV,OAAO,CAAC,MAAM,EAAE,WAAW,SAAS,EACpC,IAAI,CAAC,OAAO,EAAE,GAAG,GAAG,WAAW,IAAI,KAAK,EAAE,SAAS,EAAE,EAAE;AAAA,IAC5D,QAAQ;AAEN,WAAK,QAAQ,CAAC;AAAA,IAChB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAmB;AACzB,QAAI,CAAC,KAAK,YAAa;AAEvB,QAAI;AACF,YAAM,UAAM,qBAAQ,KAAK,WAAW;AACpC,UAAI,KAAC,uBAAW,GAAG,EAAG,2BAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AACxD,oCAAc,KAAK,aAAa,KAAK,UAAU,KAAK,OAAO,MAAM,CAAC,GAAG,OAAO;AAAA,IAC9E,QAAQ;AAAA,IAER;AAAA,EACF;AACF;AAKO,SAAS,aACd,WACA,WACA,SACsB;AAEtB,QAAM,WAAW,UAAU,SAAS,OAAO;AAG3C,YAAU,QAAQ,SAAS,QAAQ;AAEnC,SAAO;AACT;;;AC3JA,IAAAC,aAAyF;AACzF,IAAAC,eAAqB;AAGrB,IAAM,gBAAgB,KAAK,OAAO;AAClC,IAAM,YAAY;AAEX,IAAM,cAAN,MAAkB;AAAA,EAIvB,YAAY,WAAmB,SAAkB;AAC/C,SAAK,YAAY;AACjB,SAAK,UAAU;AAEf,QAAI,SAAS;AACX,gCAAU,WAAW,EAAE,WAAW,KAAK,CAAC;AAAA,IAC1C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,SAAuB,UAAsC;AACzE,QAAI,CAAC,KAAK,QAAS;AAEnB,SAAK,MAAM;AAAA,MACT,IAAI,KAAK,WAAW;AAAA,MACpB,WAAW,oBAAI,KAAK;AAAA,MACpB,MAAM;AAAA,MACN;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,MAAc,IAAkB;AAC5C,QAAI,CAAC,KAAK,QAAS;AAEnB,SAAK,MAAM;AAAA,MACT,IAAI,KAAK,WAAW;AAAA,MACpB,WAAW,oBAAI,KAAK;AAAA,MACpB,MAAM;AAAA,MACN,UAAU,EAAE,MAAM,GAAG;AAAA,IACvB,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,SAAS,OAAe,SAA8B;AACpD,QAAI,CAAC,KAAK,QAAS;AAEnB,SAAK,MAAM;AAAA,MACT,IAAI,KAAK,WAAW;AAAA,MACpB,WAAW,oBAAI,KAAK;AAAA,MACpB,MAAM;AAAA,MACN;AAAA,MACA,UAAU,EAAE,MAAM;AAAA,IACpB,CAAC;AAAA,EACH;AAAA,EAEQ,MAAM,OAAyB;AACrC,QAAI;AACF,YAAM,WAAW,KAAK,mBAAmB;AACzC,YAAM,OAAO,KAAK,UAAU,KAAK,IAAI;AAGrC,cAAI,uBAAW,QAAQ,GAAG;AACxB,cAAM,YAAQ,qBAAS,QAAQ;AAC/B,YAAI,MAAM,OAAO,eAAe;AAC9B,eAAK,OAAO;AAAA,QACd;AAAA,MACF;AAEA,qCAAe,UAAU,IAAI;AAAA,IAC/B,QAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEQ,qBAA6B;AACnC,UAAM,QAAO,oBAAI,KAAK,GAAE,YAAY,EAAE,MAAM,GAAG,EAAE,CAAC;AAClD,eAAO,mBAAK,KAAK,WAAW,SAAS,IAAI,QAAQ;AAAA,EACnD;AAAA,EAEQ,SAAe;AACrB,QAAI;AACF,YAAM,YAAQ,wBAAY,KAAK,SAAS,EACrC,OAAO,CAAC,MAAM,EAAE,WAAW,QAAQ,KAAK,EAAE,SAAS,QAAQ,CAAC,EAC5D,KAAK;AAER,aAAO,MAAM,UAAU,WAAW;AAChC,cAAM,SAAS,MAAM,MAAM;AAC3B,uCAAW,mBAAK,KAAK,WAAW,MAAM,CAAC;AAAA,MACzC;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEQ,aAAqB;AAC3B,WAAO,GAAG,KAAK,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,GAAG,CAAC,CAAC;AAAA,EAChE;AACF;;;ACtFO,IAAM,mBAAN,MAAuB;AAAA,EAO5B,YAAY,QAAgC;AAL5C,SAAQ,YAAmC;AAC3C,SAAQ,YAAoC;AAC5C,SAAQ,cAAkC;AAC1C,SAAQ,cAAc;AAGpB,SAAK,SAAS;AACd,SAAK,eAAe;AAAA,EACtB;AAAA,EAEQ,iBAAuB;AAC7B,UAAM,EAAE,KAAK,IAAI,KAAK;AAEtB,QAAI,SAAS,UAAU;AACrB,UAAI,CAAC,KAAK,OAAO,cAAc,CAAC,KAAK,OAAO,QAAQ;AAClD,cAAM,IAAI,MAAM,2CAA2C;AAAA,MAC7D;AAAA,IACF;AAEA,QAAI,SAAS,SAAS;AACpB,UAAI,CAAC,KAAK,OAAO,cAAc,CAAC,KAAK,OAAO,QAAQ;AAClD,cAAM,IAAI,MAAM,0CAA0C;AAAA,MAC5D;AAAA,IACF;AAEA,QAAI,SAAS,UAAU;AACrB,UAAI,CAAC,KAAK,OAAO,cAAc,CAAC,KAAK,OAAO,QAAQ;AAClD,cAAM,IAAI,MAAM,2CAA2C;AAAA,MAC7D;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,aAA4B;AAChC,QAAI,KAAK,YAAa;AAEtB,UAAM,EAAE,KAAK,IAAI,KAAK;AAEtB,QAAI,SAAS,WAAW,SAAS,UAAU;AACzC,WAAK,YAAY,cAAc,KAAK,MAAM;AAAA,IAC5C;AAEA,QAAI,SAAS,UAAU;AACrB,YAAM,cAAc,KAAK,OAAO,YAC5B,GAAG,KAAK,OAAO,SAAS,wBACxB;AACJ,WAAK,YAAY,IAAI,gBAAgB,KAAK,QAAQ,WAAW;AAC7D,YAAM,cAAc,KAAK,OAAO,gBAAgB,QAAQ;AACxD,WAAK,UAAU,MAAM,UAAU;AAAA,IACjC;AAGA,QAAI,KAAK,OAAO,cAAc;AAC5B,YAAM,YAAY,KAAK,OAAO,aAAa;AAC3C,WAAK,cAAc,IAAI,YAAY,WAAW,IAAI;AAAA,IACpD;AAEA,SAAK,cAAc;AAEnB,QAAI,KAAK,OAAO,OAAO;AACrB,YAAM,UAAU,KAAK,OAAO,WAAW;AACvC,cAAQ,IAAI,qCAAqC,IAAI,UAAU,OAAO,GAAG;AAAA,IAC3E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAA0B;AAC9B,QAAI,KAAK,WAAW;AAClB,YAAM,KAAK,UAAU,KAAK;AAC1B,WAAK,YAAY;AAAA,IACnB;AAEA,SAAK,YAAY;AACjB,SAAK,cAAc;AAEnB,QAAI,KAAK,OAAO,OAAO;AACrB,cAAQ,IAAI,8BAA8B;AAAA,IAC5C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,SAAS,SAAuB,SAAiD;AACrF,QAAI,CAAC,KAAK,aAAa;AACrB,YAAM,KAAK,WAAW;AAAA,IACxB;AAEA,QAAI;AAEJ,YAAQ,KAAK,OAAO,MAAM;AAAA,MACxB,KAAK;AACH,mBAAW,MAAM,aAAa,KAAK,QAAQ,SAAS,OAAO;AAC3D;AAAA,MAEF,KAAK;AACH,YAAI,CAAC,KAAK,UAAW,OAAM,IAAI,MAAM,iCAAiC;AACtE,mBAAW,YAAY,KAAK,WAAW,OAAO;AAC9C;AAAA,MAEF,KAAK;AACH,YAAI,CAAC,KAAK,aAAa,CAAC,KAAK,UAAW,OAAM,IAAI,MAAM,6BAA6B;AACrF,mBAAW,aAAa,KAAK,WAAW,KAAK,WAAW,OAAO;AAC/D;AAAA,MAEF;AACE,cAAM,IAAI,MAAM,iBAAiB,KAAK,OAAO,IAAI,EAAE;AAAA,IACvD;AAGA,QAAI,KAAK,OAAO,YAAY,aAAa,SAAS,mBAAmB,SAAS;AAC5E,iBAAW;AAAA,QACT,GAAG;AAAA,QACH,gBAAgB;AAAA,QAChB,QAAQ,6BAA6B,SAAS,cAAc,KAAK,SAAS,MAAM;AAAA,MAClF;AAAA,IACF;AAGA,SAAK,aAAa,cAAc,SAAS,QAAQ;AAEjD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,OAAuC;AACzC,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAgC;AAClC,WAAO,KAAK,OAAO,WAAW;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAAW,SAAyC,kBAAmE;AAC3H,UAAM,UAAU,KAAK,OAAO;AAC5B,UAAM,KAAK,SAAS;AAEpB,SAAK,SAAS,EAAE,GAAG,KAAK,QAAQ,GAAG,kBAAkB,MAAM,QAAQ;AACnE,SAAK,eAAe;AACpB,UAAM,KAAK,WAAW;AAEtB,SAAK,aAAa,cAAc,SAAS,OAAO;AAEhD,QAAI,KAAK,OAAO,OAAO;AACrB,cAAQ,IAAI,kCAAkC,OAAO,OAAO;AAAA,IAC9D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,gBAA2D;AACzD,WAAO,KAAK,WAAW,UAAU,KAAK;AAAA,EACxC;AACF;;;A5B1LA,IAAI,UAAgC;AACpC,IAAI,UAAmC;AAMvC,eAAsB,SAAS,WAAqC;AAClE,QAAM,SAAS,kBAAkB;AAEjC,YAAU,IAAI,iBAAiB,OAAO,aAAa;AAEnD,YAAU,IAAI,cAAc;AAAA,IAC1B,QAAQ;AAAA,IACR,oBAAoB,OAAO,SAAS,aAAa;AAC/C,YAAM,SAAS,MAAM,UAAU,OAAO;AAAA,QACpC,cAAc,SAAS,MAAM;AAAA;AAAA,UAAe,QAAQ,MAAM,WAAM,QAAQ,MAAM;AAAA,QAC9E;AAAA,QACA;AAAA,MACF;AACA,aAAO,WAAW;AAAA,IACpB;AAAA,EACF,CAAC;AAED,QAAM,QAAQ,WAAW;AAAA,IACvB;AAAA,IACA,gBAAgB,EAAE,QAAQ,UAAU;AAAA,EACtC,CAAC;AAGD,YAAU,SAAS,gBAAgB,wBAAwB,MAAM;AAC/D,UAAM,UAAU,UAAU,OAAO,oBAAoB,kBAAkB;AACvE,YAAQ,WAAW,SAAS,QAAS,IAAI,EAAE;AAC3C,YAAQ,WAAW,YAAY,QAAS,OAAO,EAAE;AACjD,YAAQ,WAAW,gBAAgB,OAAO,cAAc,cAAc,eAAe,EAAE;AACvF,YAAQ,KAAK;AAAA,EACf,CAAC;AAED,YAAU,SAAS,gBAAgB,wBAAwB,YAAY;AAErE,QAAI,CAAC,OAAO,cAAc,QAAQ;AAChC,gBAAU,OAAO;AAAA,QACf;AAAA,MACF;AACA;AAAA,IACF;AAEA,UAAM,SAAS,MAAM,UAAU,OAAO;AAAA,MACpC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,QAAI,QAAQ;AACV,YAAM,OAAO,OAAO,YAAY;AAChC,YAAM,QAAS,WAAW,IAAI;AAC9B,gBAAU,OAAO,uBAAuB,0BAA0B,IAAI,OAAO;AAAA,IAC/E;AAAA,EACF,CAAC;AACH;AAKA,eAAsB,aAA4B;AAChD,MAAI,SAAS;AACX,UAAM,QAAQ,SAAS;AACvB,cAAU;AAAA,EACZ;AACA,MAAI,SAAS;AACX,UAAM,QAAQ,SAAS;AACvB,cAAU;AAAA,EACZ;AACF;AAuBA,SAAS,oBAAqC;AAK5C,SAAO;AAAA,IACL,eAAe;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,MACZ,OAAO;AAAA,MACP,cAAc;AAAA,MACd,SAAS;AAAA;AAAA,MAET,QAAQ;AAAA,QACN,SAAS;AAAA,QACT,MAAM;AAAA,QACN,UAAU;AAAA,UACR,EAAE,IAAI,aAAa,SAAS,KAAK;AAAA,UACjC,EAAE,IAAI,cAAc,SAAS,KAAK;AAAA,UAClC,EAAE,IAAI,eAAe,SAAS,MAAM;AAAA,UACpC,EAAE,IAAI,cAAc,SAAS,KAAK;AAAA,UAClC,EAAE,IAAI,iBAAiB,SAAS,KAAK;AAAA,UACrC,EAAE,IAAI,mBAAmB,SAAS,MAAM;AAAA,UACxC,EAAE,IAAI,cAAc,SAAS,MAAM;AAAA,QACrC;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;","names":["exception","map","schema","type","extend","str","string","result","DEFAULT_ROUTES_REFRESH_MS","import_node_crypto","import_decode","import_node_crypto","import_mppx","import_node_crypto","import_fs","import_fs","import_path"]}
1	+ {"version":3,"sources":["../../src/cursor/extension.ts","../../src/adapter-interface/interface.ts","../../src/adapter-interface/purpose-mapping.ts","../../src/cursor/cursor-adapter.ts","../../src/gateway/types.ts","../../src/local-evaluator/evaluator.ts","../../../../node_modules/js-yaml/dist/js-yaml.mjs","../../src/local-evaluator/pdlss-parser.ts","../../src/local-evaluator/schema.ts","../../src/gateway/modes/local.ts","../../src/access-levels.ts","../../src/version.ts","../../src/verify.ts","../../src/adapters/express.ts","../../src/adapters/nextjs.ts","../../src/transport/rfc9421.ts","../../src/transport/rfc9421-verify.ts","../../src/transport/vi.ts","../../src/transport/stripe-webhook.ts","../../src/transport/ap2.ts","../../src/transport/mpp.ts","../../src/transport/mpp-verify.ts","../../src/transport/x402.ts","../../src/transport/vi-verify.ts","../../src/transport/registry/visa.ts","../../src/gateway/modes/online.ts","../../src/gateway/modes/hybrid.ts","../../src/gateway/trace-logger.ts","../../src/gateway/gateway.ts"],"sourcesContent":["/*\n VS Code Extension entry point for AstraSync Local Guard (Cursor/VS Code).\n \n This file is the `main` referenced in the extension's package.json.\n * It creates a CursorAdapter, wires it to the real `vscode` API,\n * and manages its lifecycle through activate/deactivate.\n \n Build: bundled separately via tsup/esbuild with `vscode` marked as external.\n /\n\nimport { CursorAdapter } from './cursor-adapter';\nimport { AstraSyncGateway } from '../gateway/gateway';\nimport type { VSCodeAPI } from './cursor-adapter';\n\n// Extension state\nlet adapter: CursorAdapter \| null = null;\nlet gateway: AstraSyncGateway \| null = null;\n\n/\n Called by VS Code when the extension activates.\n * The `vscode` module is passed in at runtime — never bundled.\n /\nexport async function activate(vscodeApi: VSCodeAPI): Promise<void> {\n const config = loadConfiguration();\n\n gateway = new AstraSyncGateway(config.gatewayConfig);\n\n adapter = new CursorAdapter({\n vscode: vscodeApi,\n onApprovalRequired: async (context, decision) => {\n const choice = await vscodeApi.window.showWarningMessage(\n `AstraSync: ${decision.reason}\\n\\nAction: ${context.action} → ${context.target}`,\n 'Allow',\n 'Deny',\n );\n return choice === 'Allow';\n },\n });\n\n await adapter.initialize({\n gateway,\n adapterOptions: { vscode: vscodeApi },\n });\n\n // Register commands\n vscodeApi.commands.registerCommand('astrasync.showPolicy', () => {\n const channel = vscodeApi.window.createOutputChannel('AstraSync Policy');\n channel.appendLine(`Mode: ${gateway!.mode}`);\n channel.appendLine(`Posture: ${gateway!.posture}`);\n channel.appendLine(`Policy file: ${config.gatewayConfig.policyFile \|\| '(inline/none)'}`);\n channel.show();\n });\n\n vscodeApi.commands.registerCommand('astrasync.switchMode', async () => {\n // Mode switching only available if API key is set\n if (!config.gatewayConfig.apiKey) {\n vscodeApi.window.showInformationMessage(\n 'AstraSync: Set astrasync.apiKey in settings to enable online/hybrid mode.',\n );\n return;\n }\n\n const choice = await vscodeApi.window.showWarningMessage(\n 'Switch AstraSync mode?',\n 'Local',\n 'Online',\n 'Hybrid',\n );\n\n if (choice) {\n const mode = choice.toLowerCase() as 'local' \| 'online' \| 'hybrid';\n await gateway!.switchMode(mode);\n vscodeApi.window.showInformationMessage(`AstraSync: Switched to ${mode} mode`);\n }\n });\n}\n\n/\n Called by VS Code when the extension deactivates.\n /\nexport async function deactivate(): Promise<void> {\n if (adapter) {\n await adapter.shutdown();\n adapter = null;\n }\n if (gateway) {\n await gateway.shutdown();\n gateway = null;\n }\n}\n\n// -----------------------------------------------------------------------\n// Configuration\n// -----------------------------------------------------------------------\n\ninterface ExtensionConfig {\n gatewayConfig: {\n mode: 'local' \| 'online' \| 'hybrid';\n policyFile?: string;\n apiKey?: string;\n apiBaseUrl?: string;\n debug?: boolean;\n traceEnabled?: boolean;\n posture?: 'active' \| 'passive';\n policy?: {\n version: string;\n name: string;\n purposes: Array<{ id: string; allowed: boolean }>;\n };\n };\n}\n\nfunction loadConfiguration(): ExtensionConfig {\n // In a real VS Code extension, this reads from vscode.workspace.getConfiguration('astrasync').\n // Since VSCodeAPI is minimal (no workspace.getConfiguration), we use sensible defaults.\n // Users configure via a .astrasync/policy.yaml file in their workspace root.\n\n return {\n gatewayConfig: {\n mode: 'local',\n policyFile: '.astrasync/policy.yaml',\n debug: false,\n traceEnabled: true,\n posture: 'active',\n // Fallback inline policy if no YAML file exists\n policy: {\n version: '1.0',\n name: 'default-cursor-policy',\n purposes: [\n { id: 'file.read', allowed: true },\n { id: 'file.write', allowed: true },\n { id: 'file.delete', allowed: false },\n { id: 'shell.exec', allowed: true },\n { id: 'network.fetch', allowed: true },\n { id: 'payment.execute', allowed: false },\n { id: 'email.send', allowed: false },\n ],\n },\n },\n };\n}\n","/\n PlatformAdapter Interface\n \n The contract that Layer 4 platform adapters implement.\n * Agent-side interception: governs what agents are allowed to do before they do it.\n \n Each adapter is 200-500 lines of platform-specific code.\n * All verification logic lives in the gateway — adapters just translate\n * between the platform's world and AstraSync's world.\n /\n\nimport type { AstraSyncGateway } from '../gateway/gateway';\nimport type { PDLSSContext, VerificationDecision, AgentAction, InterceptResult } from '../gateway/types';\n\nexport interface AdapterConfig {\n /* The AstraSyncGateway instance (handles mode routing) /\n gateway: AstraSyncGateway;\n /* Platform-specific configuration /\n adapterOptions: Record<string, unknown>;\n}\n\nexport interface PlatformAdapter {\n /\n Interface version for compatibility checking.\n * Current version: 1.\n /\n readonly interfaceVersion: number;\n\n /\n Platform-specific initialization.\n * Load config, register hooks, establish connections.\n /\n initialize(config: AdapterConfig): Promise<void>;\n\n /\n Graceful shutdown.\n * Drain in-flight verifications, deregister hooks, close connections.\n /\n shutdown(): Promise<void>;\n\n /\n Intercept an agent action before execution.\n \n How this works depends on the platform:\n * - CLI adapter: proxy server captures outbound request\n * - Browser adapter: content script intercepts DOM interaction\n * - Express: middleware captures inbound request\n /\n interceptAction(action: AgentAction): Promise<InterceptResult>;\n\n /\n Extract PDLSS-compatible context from a platform-specific action.\n * Maps platform-native action format to the universal PDLSSContext.\n /\n extractContext(action: AgentAction): PDLSSContext;\n\n /\n Enforce the verification decision in a platform-specific way.\n \n How this works depends on the platform:\n * - CLI: block command / allow command / prompt for approval\n * - Browser: block navigation / show confirmation dialog\n * - Express: return 403 / pass through / inject headers\n /\n enforceDecision(decision: VerificationDecision): Promise<void>;\n}\n\n/\n Current adapter interface version.\n /\nexport const ADAPTER_INTERFACE_VERSION = 1;\n\n/\n Check if an adapter is compatible with the current interface version.\n /\nexport function isCompatibleAdapter(adapter: PlatformAdapter): boolean {\n return adapter.interfaceVersion === ADAPTER_INTERFACE_VERSION;\n}\n","/\n Shared purpose mapping utilities for Layer 4 platform adapters.\n \n Maps platform-native action names to PDLSS purpose categories.\n * Used by OpenClaw CLI, Cursor, browser, and future adapters.\n /\n\n// -----------------------------------------------------------------------\n// Tool → Purpose mapping\n// -----------------------------------------------------------------------\n\n/* Standard tool name → PDLSS purpose mapping used by all adapters /\nconst TOOL_PURPOSE_MAP: Record<string, string> = {\n // Shell\n shell_exec: 'shell.exec',\n run_command: 'shell.exec',\n execute: 'shell.exec',\n terminal_exec: 'shell.exec',\n run_terminal_command: 'shell.exec',\n\n // File read\n file_read: 'file.read',\n read_file: 'file.read',\n\n // File write\n file_write: 'file.write',\n write_file: 'file.write',\n create_file: 'file.write',\n edit_file: 'file.write',\n\n // File delete\n file_delete: 'file.delete',\n delete_file: 'file.delete',\n\n // Network\n http_request: 'network.request',\n fetch: 'network.request',\n web_request: 'network.request',\n\n // Email\n send_email: 'email.send',\n read_email: 'email.read',\n\n // Calendar\n create_event: 'calendar.create',\n\n // Database\n query_database: 'database.query',\n write_database: 'database.write',\n\n // Payment\n payment_execute: 'payment.execute',\n};\n\n/\n Map a tool/action name to a PDLSS purpose category.\n * Returns `tool.<name>` for unmapped tools (denied by default).\n /\nexport function mapToolToPurpose(toolName: string): string {\n return TOOL_PURPOSE_MAP[toolName] \|\| `tool.${toolName}`;\n}\n\n/\n Register additional tool → purpose mappings (e.g. from a platform adapter).\n * Does not overwrite existing mappings.\n /\nexport function registerToolMappings(mappings: Record<string, string>): void {\n for (const [tool, purpose] of Object.entries(mappings)) {\n if (!(tool in TOOL_PURPOSE_MAP)) {\n TOOL_PURPOSE_MAP[tool] = purpose;\n }\n }\n}\n\n// -----------------------------------------------------------------------\n// Target extraction\n// -----------------------------------------------------------------------\n\n/\n Extract the meaningful target string from tool arguments.\n * Uses the purpose category to determine which argument field is relevant.\n /\nexport function extractTarget(toolName: string, args: Record<string, unknown>): string {\n const purpose = mapToolToPurpose(toolName);\n\n if (purpose.startsWith('shell.')) {\n return String(args.command \|\| args.cmd \|\| args.script \|\| '');\n }\n\n if (purpose.startsWith('file.')) {\n return String(args.path \|\| args.file \|\| args.filename \|\| args.file_path \|\| '');\n }\n\n if (purpose.startsWith('network.')) {\n return String(args.url \|\| args.endpoint \|\| args.uri \|\| '');\n }\n\n if (purpose.startsWith('email.')) {\n return String(args.to \|\| args.recipient \|\| args.address \|\| '');\n }\n\n if (purpose.startsWith('database.')) {\n return String(args.query \|\| args.table \|\| '');\n }\n\n if (purpose.startsWith('payment.')) {\n return String(args.description \|\| args.merchant \|\| args.amount \|\| '');\n }\n\n // Fallback: try common field names\n if (args.command) return String(args.command);\n if (args.path) return String(args.path);\n if (args.url) return String(args.url);\n\n // Default: use first non-empty string argument or tool name\n for (const val of Object.values(args)) {\n if (typeof val === 'string' && val.length > 0) return val;\n }\n return toolName;\n}\n\n// -----------------------------------------------------------------------\n// Network domain extraction\n// -----------------------------------------------------------------------\n\n/\n Extract network domains from a URL target.\n * Returns undefined if the target is not a URL.\n /\nexport function extractNetworkDomains(target: string): string[] \| undefined {\n try {\n if (target.startsWith('http://') \|\| target.startsWith('https://')) {\n const url = new URL(target);\n return [url.hostname];\n }\n } catch {\n // Not a URL\n }\n return undefined;\n}\n","/\n @astrasyncai/adapter-cursor\n \n Layer 4 adapter for Cursor / VS Code AI agents.\n * Intercepts file operations, terminal commands, and network requests\n * made by the AI agent within the editor.\n \n The adapter does NOT depend on @types/vscode. Instead, the VS Code\n * extension passes the real `vscode` module via a minimal interface\n * at initialize() time. This keeps the library free of extension host deps.\n \n ~250 lines — thin, disposable, platform-specific.\n /\n\nimport type { PlatformAdapter, AdapterConfig } from '../adapter-interface/interface';\nimport type { PDLSSContext, VerificationDecision, AgentAction, InterceptResult } from '../gateway/types';\nimport type { AstraSyncGateway } from '../gateway/gateway';\nimport { ADAPTER_INTERFACE_VERSION } from '../adapter-interface/interface';\nimport { mapToolToPurpose, extractTarget, extractNetworkDomains } from '../adapter-interface/purpose-mapping';\n\n// -----------------------------------------------------------------------\n// Minimal VS Code type stubs (injected at runtime by the extension)\n// -----------------------------------------------------------------------\n\nexport interface Disposable {\n dispose(): void;\n}\n\nexport interface VSCodeAPI {\n workspace: {\n onDidCreateFiles: (listener: (e: FileEvent) => void) => Disposable;\n onDidDeleteFiles: (listener: (e: FileEvent) => void) => Disposable;\n onDidSaveTextDocument: (listener: (doc: TextDocumentLike) => void) => Disposable;\n };\n window: {\n onDidOpenTerminal: (listener: (terminal: TerminalLike) => void) => Disposable;\n showWarningMessage(message: string, ...items: string[]): Thenable<string \| undefined>;\n showInformationMessage(message: string, ...items: string[]): Thenable<string \| undefined>;\n showErrorMessage(message: string, ...items: string[]): Thenable<string \| undefined>;\n createOutputChannel(name: string): OutputChannelLike;\n };\n commands: {\n registerCommand(command: string, callback: (...args: unknown[]) => unknown): Disposable;\n };\n}\n\ninterface FileEvent {\n files: ReadonlyArray<{ fsPath: string; path: string }>;\n}\n\ninterface TextDocumentLike {\n uri: { fsPath: string; path: string };\n languageId: string;\n fileName: string;\n}\n\ninterface TerminalLike {\n name: string;\n processId: Thenable<number \| undefined>;\n sendText(text: string, addNewLine?: boolean): void;\n}\n\ntype Thenable<T> = PromiseLike<T>;\n\ninterface OutputChannelLike {\n appendLine(value: string): void;\n show(): void;\n dispose(): void;\n}\n\n// -----------------------------------------------------------------------\n// Configuration\n// -----------------------------------------------------------------------\n\nexport interface CursorAdapterOptions {\n /* The VS Code API object (passed by the extension at runtime) /\n vscode: VSCodeAPI;\n /* Callback for MANUAL_REVIEW decisions /\n onApprovalRequired?: (context: PDLSSContext, decision: VerificationDecision) => Promise<boolean>;\n}\n\n// -----------------------------------------------------------------------\n// Adapter implementation\n// -----------------------------------------------------------------------\n\nexport class CursorAdapter implements PlatformAdapter {\n readonly interfaceVersion = ADAPTER_INTERFACE_VERSION;\n\n private gateway!: AstraSyncGateway;\n private vscode!: VSCodeAPI;\n private disposables: Disposable[] = [];\n private outputChannel: OutputChannelLike \| null = null;\n private onApprovalRequired: (context: PDLSSContext, decision: VerificationDecision) => Promise<boolean>;\n private _isRunning = false;\n\n constructor(options?: Partial<CursorAdapterOptions>) {\n this.onApprovalRequired = options?.onApprovalRequired ?? (async () => false);\n if (options?.vscode) {\n this.vscode = options.vscode;\n }\n }\n\n get isRunning(): boolean {\n return this._isRunning;\n }\n\n async initialize(config: AdapterConfig): Promise<void> {\n this.gateway = config.gateway as AstraSyncGateway;\n\n if (config.adapterOptions.vscode) {\n this.vscode = config.adapterOptions.vscode as VSCodeAPI;\n }\n\n if (!this.vscode) {\n throw new Error('CursorAdapter requires vscode API — pass it via adapterOptions.vscode');\n }\n\n // Output channel for logging decisions\n this.outputChannel = this.vscode.window.createOutputChannel('AstraSync Local Guard');\n\n // Register file watchers\n this.disposables.push(\n this.vscode.workspace.onDidCreateFiles((e) => {\n for (const file of e.files) {\n this.evaluateFileAction('file_write', file.fsPath);\n }\n }),\n );\n\n this.disposables.push(\n this.vscode.workspace.onDidDeleteFiles((e) => {\n for (const file of e.files) {\n this.evaluateFileAction('file_delete', file.fsPath);\n }\n }),\n );\n\n this.disposables.push(\n this.vscode.workspace.onDidSaveTextDocument((doc) => {\n this.evaluateFileAction('file_write', doc.fileName);\n }),\n );\n\n // Register status command\n this.disposables.push(\n this.vscode.commands.registerCommand('astrasync.status', () => {\n this.outputChannel?.show();\n this.vscode.window.showInformationMessage('AstraSync Local Guard is active');\n }),\n );\n\n this._isRunning = true;\n this.log('AstraSync Local Guard for Cursor — initialized');\n }\n\n async shutdown(): Promise<void> {\n for (const d of this.disposables) {\n d.dispose();\n }\n this.disposables = [];\n this.outputChannel?.dispose();\n this.outputChannel = null;\n this._isRunning = false;\n }\n\n async interceptAction(action: AgentAction): Promise<InterceptResult> {\n const raw = action.raw as { type: string; path?: string; command?: string };\n\n if (!raw.type) {\n return { intercepted: false, skipReason: 'No action type' };\n }\n\n const context = this.extractContext(action);\n return { intercepted: true, context };\n }\n\n extractContext(action: AgentAction): PDLSSContext {\n const raw = action.raw as { type: string; path?: string; command?: string; url?: string };\n\n let toolName: string;\n const args: Record<string, unknown> = {};\n\n switch (raw.type) {\n case 'file.create':\n case 'file.save':\n toolName = 'file_write';\n args.path = raw.path \|\| '';\n break;\n case 'file.delete':\n toolName = 'file_delete';\n args.path = raw.path \|\| '';\n break;\n case 'file.read':\n toolName = 'file_read';\n args.path = raw.path \|\| '';\n break;\n case 'terminal.exec':\n toolName = 'shell_exec';\n args.command = raw.command \|\| '';\n break;\n case 'network.request':\n toolName = 'http_request';\n args.url = raw.url \|\| '';\n break;\n default:\n toolName = raw.type;\n }\n\n const purpose = mapToolToPurpose(toolName);\n const target = extractTarget(toolName, args);\n const networkAccess = extractNetworkDomains(target);\n\n return {\n purpose,\n action: toolName,\n target,\n ...(networkAccess && { networkAccess }),\n };\n }\n\n async enforceDecision(decision: VerificationDecision): Promise<void> {\n switch (decision.recommendation) {\n case 'DENY':\n this.log(`BLOCKED: ${decision.reason}`);\n this.vscode.window.showErrorMessage(\n `AstraSync blocked action: ${decision.reason}`,\n );\n break;\n case 'MANUAL_REVIEW':\n this.log(`REVIEW: ${decision.reason}`);\n break;\n case 'ALLOW':\n // No action needed\n break;\n }\n }\n\n // =====================================================================\n // Internal helpers\n // =====================================================================\n\n private async evaluateFileAction(toolName: string, filePath: string): Promise<void> {\n const action: AgentAction = {\n raw: {\n type: toolName === 'file_delete' ? 'file.delete' : 'file.save',\n path: filePath,\n },\n platform: 'cursor',\n timestamp: new Date(),\n };\n\n const interception = await this.interceptAction(action);\n if (!interception.intercepted \|\| !interception.context) return;\n\n const decision = await this.gateway.evaluate(interception.context);\n\n if (decision.recommendation === 'DENY') {\n await this.enforceDecision(decision);\n } else if (decision.recommendation === 'MANUAL_REVIEW') {\n const approved = await this.handleApproval(interception.context, decision);\n if (!approved) {\n await this.enforceDecision({ ...decision, recommendation: 'DENY' });\n }\n }\n\n this.log(`${decision.recommendation}: ${interception.context.purpose} -> ${interception.context.target}`);\n }\n\n private async handleApproval(context: PDLSSContext, decision: VerificationDecision): Promise<boolean> {\n if (this.onApprovalRequired) {\n return this.onApprovalRequired(context, decision);\n }\n\n // Default: VS Code prompt\n const choice = await this.vscode.window.showWarningMessage(\n `AstraSync: ${decision.reason}. Allow?`,\n 'Allow',\n 'Deny',\n );\n return choice === 'Allow';\n }\n\n private log(message: string): void {\n this.outputChannel?.appendLine(`[${new Date().toISOString()}] ${message}`);\n }\n}\n","/\n AstraSync Gateway - Types for gateway modes, local evaluation, and adapter interface.\n /\n\n// ========================================================================\n// Gateway Configuration\n// ========================================================================\n\nexport type GatewayMode = 'online' \| 'local' \| 'hybrid';\n\n/\n Posture controls whether the gateway actively blocks or just monitors.\n * - active: Evaluate and enforce decisions (block/allow/review)\n * - passive: Evaluate and log but never block (telemetry-only mode)\n /\nexport type GatewayPosture = 'active' \| 'passive';\n\nexport interface AstraSyncGatewayConfig {\n mode: GatewayMode;\n /* Enforcement posture: 'active' blocks actions, 'passive' logs only (default: 'active') /\n posture?: GatewayPosture;\n /* AstraSync API base URL (required for online/hybrid modes) /\n apiBaseUrl?: string;\n /* API key for authenticating with AstraSync (required for online/hybrid modes) /\n apiKey?: string;\n /* Path to local PDLSS policy YAML file (required for local/hybrid modes) /\n policyFile?: string;\n /* Inline policy object (alternative to policyFile) /\n policy?: LocalPolicy;\n /* Sync interval in seconds for hybrid mode (default: 3600) /\n syncInterval?: number;\n /* Cache verification results TTL in seconds (default: 300) /\n cacheTtl?: number;\n /* Enable debug logging /\n debug?: boolean;\n /* Enable trace logging to .astrasync/traces/ (default: false) /\n traceEnabled?: boolean;\n /* Trace log directory (default: .astrasync/traces/) /\n tracePath?: string;\n /* Default access level for unverified requests /\n defaultAccessLevel?: import('../types').AccessLevel;\n /* Minimum trust score for standard access (online/hybrid) /\n minTrustScore?: number;\n /* Minimum trust score for full access (online/hybrid) /\n minTrustScoreForFull?: number;\n /* Custom headers to send with API requests /\n customHeaders?: Record<string, string>;\n /* Counterparty URL for analytics /\n counterpartyUrl?: string;\n /* Counterparty type for analytics /\n counterpartyType?: import('../types').CounterpartyType;\n}\n\n// ========================================================================\n// PDLSS Context (Agent-side action context)\n// ========================================================================\n\nexport interface PDLSSContext {\n /* Purpose category (e.g. email.send, shell.exec, file.read) /\n purpose: string;\n /* Specific action within purpose /\n action: string;\n /* Target resource, recipient, or counterparty /\n target: string;\n /* Types of data access (read, write, delete) /\n dataAccess?: string[];\n /* Network domains/IPs being accessed /\n networkAccess?: string[];\n /* Resource type (customer, order, file, directory, process) /\n resourceType?: string;\n /* Risk factors for this action /\n riskFactors?: RiskFactor[];\n /* Transaction value (if financial) /\n transactionValue?: number;\n /* Currency for transaction /\n currency?: string;\n /* Additional metadata /\n metadata?: Record<string, unknown>;\n}\n\nexport interface RiskFactor {\n type: 'financial' \| 'data_sensitivity' \| 'privilege_escalation' \| 'network_scope' \| 'destructive';\n severity: 'low' \| 'medium' \| 'high' \| 'critical';\n detail: string;\n}\n\n// ========================================================================\n// Verification Decision\n// ========================================================================\n\nexport interface VerificationDecision {\n recommendation: 'ALLOW' \| 'DENY' \| 'MANUAL_REVIEW';\n reason: string;\n trustScore?: number;\n tokenGuidance?: import('../types').TokenGuidance;\n sessionId?: string;\n /* PDLSS dimensions that were evaluated /\n evaluatedDimensions?: {\n purpose: boolean;\n scope: boolean;\n limits: boolean;\n riskThresholds: boolean;\n };\n}\n\n// ========================================================================\n// Local Policy Types (YAML format)\n// ========================================================================\n\nexport interface LocalPolicy {\n version: string;\n name: string;\n description?: string;\n purposes: LocalPurposeRule[];\n scope?: LocalScope;\n limits?: LocalLimits;\n riskThresholds?: LocalRiskThresholds;\n selfInstantiation?: LocalSelfInstantiation;\n}\n\nexport interface LocalPurposeRule {\n id: string;\n allowed: boolean;\n targets?: string[];\n blockedPatterns?: string[];\n requiresApproval?: boolean;\n}\n\nexport interface LocalScope {\n allowedDomains?: string[];\n blockedDomains?: string[];\n blockedResources?: string[];\n}\n\nexport interface LocalLimits {\n maxTransactionAmount?: number;\n maxRequestsPerHour?: number;\n currency?: string;\n}\n\nexport interface LocalRiskThresholds {\n autoAllow: { min: number; max: number };\n requireApproval: { min: number; max: number };\n autoBlock: { min: number; max: number };\n}\n\nexport interface LocalSelfInstantiation {\n /* Whether sub-agent spawning is allowed /\n allowed: boolean;\n /* Maximum depth of sub-agent chain /\n maxDepth?: number;\n}\n\n// ========================================================================\n// Risk Scoring Defaults (cherry-picked from trust-harness-core)\n// ========================================================================\n\n/* Base risk scores per action category /\nexport const BASE_RISK_SCORES: Record<string, number> = {\n 'file.read': 10,\n 'file.write': 40,\n 'file.delete': 70,\n 'shell.exec': 50,\n 'network.fetch': 60,\n 'network.request': 60,\n 'email.send': 45,\n 'email.read': 15,\n 'calendar.create': 20,\n 'calendar.modify': 30,\n 'database.query': 25,\n 'database.write': 55,\n 'payment.execute': 80,\n 'sub_agent.spawn': 65,\n 'code.execute': 45,\n};\n\n/* Shell commands that significantly increase risk score /\nexport const HIGH_RISK_COMMANDS = [\n 'rm', 'rmdir', 'dd', 'mkfs', 'chmod', 'chown',\n 'sudo', 'su', 'curl', 'wget', 'nc', 'netcat',\n 'ssh', 'scp', 'rsync', 'git push', 'npm publish',\n 'docker', 'kubectl',\n];\n\n/* File paths that indicate sensitive data access /\nexport const SENSITIVE_PATHS = [\n '.ssh', '.aws', '.gnupg', '.env', 'credentials',\n 'secrets', 'password', '.git/config', '/etc', '/var', '/root',\n 'id_rsa', '.npmrc', '.pypirc',\n];\n\n// ========================================================================\n// Trace Event Types\n// ========================================================================\n\nexport interface TraceEvent {\n id: string;\n timestamp: Date;\n type: 'evaluation' \| 'decision' \| 'error' \| 'mode_switch';\n context?: PDLSSContext;\n decision?: VerificationDecision;\n metadata?: Record<string, unknown>;\n}\n\n// ========================================================================\n// Adapter Interface Types\n// ========================================================================\n\nexport interface AdapterConfig {\n /* The gateway instance (handles mode routing) /\n gateway: unknown; // Typed as AstraSyncGateway at usage site to avoid circular deps\n /* Platform-specific configuration /\n adapterOptions: Record<string, unknown>;\n}\n\nexport interface AgentAction {\n /* Raw action data from the platform /\n raw: unknown;\n /* Platform identifier (e.g. 'openclaw-cli', 'cursor', 'browser') /\n platform: string;\n /* Timestamp of the action /\n timestamp: Date;\n}\n\nexport interface InterceptResult {\n /* Whether the action was intercepted /\n intercepted: boolean;\n /* Extracted PDLSS context (if intercepted) /\n context?: PDLSSContext;\n /* Reason for not intercepting (if not intercepted) /\n skipReason?: string;\n}\n\n// ========================================================================\n// Sync Queue Types (Hybrid mode)\n// ========================================================================\n\nexport interface SyncQueueEntry {\n id: string;\n context: PDLSSContext;\n decision: VerificationDecision;\n timestamp: Date;\n retryCount: number;\n status: 'pending' \| 'synced' \| 'failed';\n}\n","/\n Local PDLSS Evaluator\n \n Evaluates agent actions against a local PDLSS policy.\n * Same logic as the cloud evaluator but runs in-process with no I/O.\n \n Evaluation order:\n * 1. Purpose: find matching rule, check if allowed\n * 2. Purpose: check allowed targets (if specified)\n * 3. Purpose: check blocked patterns (if specified)\n * 4. Scope: check global blocked resources/domains\n * 5. Limits: check transaction/rate limits\n * 6. Risk thresholds + approval requirements\n /\n\nimport type { LocalPolicy, PDLSSContext, VerificationDecision, LocalPurposeRule } from '../gateway/types';\nimport { HIGH_RISK_COMMANDS, SENSITIVE_PATHS } from '../gateway/types';\n\nexport class LocalEvaluator {\n private policy: LocalPolicy;\n private requestCounts: Map<string, { count: number; windowStart: number }> = new Map();\n\n constructor(policy: LocalPolicy) {\n this.policy = policy;\n }\n\n /\n Update the policy (e.g. after hot-reload or sync).\n /\n updatePolicy(policy: LocalPolicy): void {\n this.policy = policy;\n }\n\n /\n Evaluate an action context against the loaded policy.\n /\n evaluate(context: PDLSSContext): VerificationDecision {\n // 1. Purpose: find matching rule\n const purposeRule = this.policy.purposes.find((p) => p.id === context.purpose);\n if (!purposeRule) {\n return { recommendation: 'DENY', reason: 'Purpose not in policy' };\n }\n if (!purposeRule.allowed) {\n return { recommendation: 'DENY', reason: 'Purpose explicitly blocked' };\n }\n\n // 2. Purpose: check allowed targets\n if (purposeRule.targets && !this.matchesAnyPattern(context.target, purposeRule.targets)) {\n return { recommendation: 'DENY', reason: 'Target not in allowed list' };\n }\n\n // 3. Purpose: check blocked patterns\n if (purposeRule.blockedPatterns && this.matchesAnyPattern(context.target, purposeRule.blockedPatterns)) {\n return { recommendation: 'DENY', reason: 'Target matches blocked pattern' };\n }\n\n // 4. Scope: check global blocked resources/domains\n const scopeBlock = this.checkScopeBlock(context);\n if (scopeBlock) {\n return { recommendation: 'DENY', reason: scopeBlock };\n }\n\n // 5. Limits: check transaction and rate limits\n const limitViolation = this.checkLimits(context);\n if (limitViolation) {\n return { recommendation: 'DENY', reason: limitViolation };\n }\n\n // 6. Self-instantiation: check sub-agent spawning rules\n if (context.purpose === 'sub_agent.spawn' && this.policy.selfInstantiation) {\n if (!this.policy.selfInstantiation.allowed) {\n return { recommendation: 'DENY', reason: 'Sub-agent spawning is not allowed' };\n }\n const depth = (context.metadata?.subAgentDepth as number) \|\| 0;\n if (this.policy.selfInstantiation.maxDepth !== undefined && depth >= this.policy.selfInstantiation.maxDepth) {\n return { recommendation: 'DENY', reason: `Sub-agent depth ${depth} exceeds max depth ${this.policy.selfInstantiation.maxDepth}` };\n }\n }\n\n // 7. Risk thresholds + approval requirements\n if (purposeRule.requiresApproval) {\n return { recommendation: 'MANUAL_REVIEW', reason: 'Purpose requires approval' };\n }\n\n const riskDecision = this.checkRiskThresholds(context);\n if (riskDecision) {\n return riskDecision;\n }\n\n return {\n recommendation: 'ALLOW',\n reason: 'All PDLSS checks passed',\n evaluatedDimensions: {\n purpose: true,\n scope: !!this.policy.scope,\n limits: !!this.policy.limits,\n riskThresholds: !!this.policy.riskThresholds,\n },\n };\n }\n\n private checkScopeBlock(context: PDLSSContext): string \| null {\n const scope = this.policy.scope;\n if (!scope) return null;\n\n // Check blocked domains against target and network access\n if (scope.blockedDomains) {\n const targetDomain = this.extractDomain(context.target);\n if (this.matchesAnyPattern(targetDomain, scope.blockedDomains)) {\n return `Target blocked by scope: ${context.target}`;\n }\n if (context.networkAccess) {\n for (const domain of context.networkAccess) {\n if (this.matchesAnyPattern(this.extractDomain(domain), scope.blockedDomains)) {\n return `Domain blocked by scope: ${domain}`;\n }\n }\n }\n }\n\n // Check blocked resources against target\n if (scope.blockedResources && this.matchesAnyPattern(context.target, scope.blockedResources)) {\n return `Resource blocked by scope: ${context.target}`;\n }\n\n // Check allowed domains (if specified, target must match)\n if (scope.allowedDomains && context.networkAccess) {\n for (const domain of context.networkAccess) {\n if (!this.matchesAnyPattern(this.extractDomain(domain), scope.allowedDomains)) {\n return `Domain not in allowed list: ${domain}`;\n }\n }\n }\n\n return null;\n }\n\n private checkLimits(context: PDLSSContext): string \| null {\n const limits = this.policy.limits;\n if (!limits) return null;\n\n // Transaction amount check\n if (limits.maxTransactionAmount !== undefined && context.transactionValue !== undefined) {\n if (context.transactionValue > limits.maxTransactionAmount) {\n return `Transaction value ${context.transactionValue} exceeds limit ${limits.maxTransactionAmount}`;\n }\n }\n\n // Rate limit check\n if (limits.maxRequestsPerHour !== undefined) {\n const key = context.purpose;\n const now = Date.now();\n const entry = this.requestCounts.get(key);\n const hourMs = 3600000;\n\n if (!entry \|\| now - entry.windowStart > hourMs) {\n this.requestCounts.set(key, { count: 1, windowStart: now });\n } else {\n entry.count++;\n if (entry.count > limits.maxRequestsPerHour) {\n return `Rate limit exceeded: ${entry.count}/${limits.maxRequestsPerHour} requests per hour`;\n }\n }\n }\n\n return null;\n }\n\n private checkRiskThresholds(context: PDLSSContext): VerificationDecision \| null {\n if (!this.policy.riskThresholds) return null;\n\n const riskScore = this.calculateRiskScore(context);\n const thresholds = this.policy.riskThresholds;\n\n if (riskScore >= thresholds.autoBlock.min) {\n return { recommendation: 'DENY', reason: `Risk score ${riskScore} exceeds block threshold` };\n }\n\n if (riskScore >= thresholds.requireApproval.min) {\n return { recommendation: 'MANUAL_REVIEW', reason: `Risk score ${riskScore} requires approval` };\n }\n\n return null;\n }\n\n private calculateRiskScore(context: PDLSSContext): number {\n let score = 0;\n\n // Explicit risk factors take priority (highest severity wins)\n if (context.riskFactors?.length) {\n const severityScores: Record<string, number> = {\n low: 10,\n medium: 40,\n high: 70,\n critical: 90,\n };\n\n for (const factor of context.riskFactors) {\n const factorScore = severityScores[factor.severity] \|\| 0;\n if (factorScore > score) score = factorScore;\n }\n return score;\n }\n\n // Auto-detect risk from high-risk shell commands\n if (context.purpose === 'shell.exec' && context.target) {\n const targetLower = context.target.toLowerCase();\n for (const cmd of HIGH_RISK_COMMANDS) {\n if (targetLower.startsWith(cmd) \|\| targetLower.includes(` ${cmd} `) \|\| targetLower.includes(` ${cmd}`)) {\n score = Math.max(score, 80);\n break;\n }\n }\n }\n\n // Auto-detect risk from sensitive file paths (score 50 = review range)\n if ((context.purpose === 'file.read' \|\| context.purpose === 'file.write' \|\| context.purpose === 'file.delete') && context.target) {\n const targetLower = context.target.toLowerCase();\n for (const sensitivePath of SENSITIVE_PATHS) {\n if (targetLower.includes(sensitivePath.toLowerCase())) {\n score = Math.max(score, 50);\n break;\n }\n }\n }\n\n return score;\n }\n\n /\n Extract domain from a URL-like string (strips protocol and path).\n /\n private extractDomain(value: string): string {\n let domain = value;\n // Strip protocol\n const protoIndex = domain.indexOf('://');\n if (protoIndex !== -1) domain = domain.slice(protoIndex + 3);\n // Strip path\n const slashIndex = domain.indexOf('/');\n if (slashIndex !== -1) domain = domain.slice(0, slashIndex);\n // Strip port\n const colonIndex = domain.indexOf(':');\n if (colonIndex !== -1) domain = domain.slice(0, colonIndex);\n return domain;\n }\n\n /\n Check if a value matches any of the given glob patterns.\n /\n private matchesAnyPattern(value: string, patterns: string[]): boolean {\n return patterns.some((pattern) => this.matchGlob(value, pattern));\n }\n\n /\n Simple glob pattern matching.\n * Supports * (matches any characters including / and spaces) and ? (single char).\n * Uses the same approach as the backend's matchGlobPattern.\n /\n private matchGlob(value: string, pattern: string): boolean {\n // Exact match\n if (pattern === value) return true;\n\n // Convert glob to regex\n const regexStr = pattern\n .replace(/[.+^${}()\|[\\]\\\\]/g, '\\\\$&') // Escape special regex chars (except and ?)\n .replace(/\\/g, '.') // * matches anything\n .replace(/\\?/g, '.'); // ? matches single char\n\n try {\n return new RegExp(`^${regexStr}$`, 'i').test(value);\n } catch {\n return false;\n }\n }\n}\n\n/*\n Convenience: find a matching purpose rule.\n /\nexport function findPurposeRule(policy: LocalPolicy, purposeId: string): LocalPurposeRule \| undefined {\n return policy.purposes.find((p) => p.id === purposeId);\n}\n","\n/! js-yaml 4.1.1 https://github.com/nodeca/js-yaml @license MIT /\nfunction isNothing(subject) {\n return (typeof subject === 'undefined') \|\| (subject === null);\n}\n\n\nfunction isObject(subject) {\n return (typeof subject === 'object') && (subject !== null);\n}\n\n\nfunction toArray(sequence) {\n if (Array.isArray(sequence)) return sequence;\n else if (isNothing(sequence)) return [];\n\n return [ sequence ];\n}\n\n\nfunction extend(target, source) {\n var index, length, key, sourceKeys;\n\n if (source) {\n sourceKeys = Object.keys(source);\n\n for (index = 0, length = sourceKeys.length; index < length; index += 1) {\n key = sourceKeys[index];\n target[key] = source[key];\n }\n }\n\n return target;\n}\n\n\nfunction repeat(string, count) {\n var result = '', cycle;\n\n for (cycle = 0; cycle < count; cycle += 1) {\n result += string;\n }\n\n return result;\n}\n\n\nfunction isNegativeZero(number) {\n return (number === 0) && (Number.NEGATIVE_INFINITY === 1 / number);\n}\n\n\nvar isNothing_1 = isNothing;\nvar isObject_1 = isObject;\nvar toArray_1 = toArray;\nvar repeat_1 = repeat;\nvar isNegativeZero_1 = isNegativeZero;\nvar extend_1 = extend;\n\nvar common = {\n\tisNothing: isNothing_1,\n\tisObject: isObject_1,\n\ttoArray: toArray_1,\n\trepeat: repeat_1,\n\tisNegativeZero: isNegativeZero_1,\n\textend: extend_1\n};\n\n// YAML error class. http://stackoverflow.com/questions/8458984\n\n\nfunction formatError(exception, compact) {\n var where = '', message = exception.reason \|\| '(unknown reason)';\n\n if (!exception.mark) return message;\n\n if (exception.mark.name) {\n where += 'in \"' + exception.mark.name + '\" ';\n }\n\n where += '(' + (exception.mark.line + 1) + ':' + (exception.mark.column + 1) + ')';\n\n if (!compact && exception.mark.snippet) {\n where += '\\n\\n' + exception.mark.snippet;\n }\n\n return message + ' ' + where;\n}\n\n\nfunction YAMLException$1(reason, mark) {\n // Super constructor\n Error.call(this);\n\n this.name = 'YAMLException';\n this.reason = reason;\n this.mark = mark;\n this.message = formatError(this, false);\n\n // Include stack trace in error object\n if (Error.captureStackTrace) {\n // Chrome and NodeJS\n Error.captureStackTrace(this, this.constructor);\n } else {\n // FF, IE 10+ and Safari 6+. Fallback for others\n this.stack = (new Error()).stack \|\| '';\n }\n}\n\n\n// Inherit from Error\nYAMLException$1.prototype = Object.create(Error.prototype);\nYAMLException$1.prototype.constructor = YAMLException$1;\n\n\nYAMLException$1.prototype.toString = function toString(compact) {\n return this.name + ': ' + formatError(this, compact);\n};\n\n\nvar exception = YAMLException$1;\n\n// get snippet for a single line, respecting maxLength\nfunction getLine(buffer, lineStart, lineEnd, position, maxLineLength) {\n var head = '';\n var tail = '';\n var maxHalfLength = Math.floor(maxLineLength / 2) - 1;\n\n if (position - lineStart > maxHalfLength) {\n head = ' ... ';\n lineStart = position - maxHalfLength + head.length;\n }\n\n if (lineEnd - position > maxHalfLength) {\n tail = ' ...';\n lineEnd = position + maxHalfLength - tail.length;\n }\n\n return {\n str: head + buffer.slice(lineStart, lineEnd).replace(/\\t/g, '→') + tail,\n pos: position - lineStart + head.length // relative position\n };\n}\n\n\nfunction padStart(string, max) {\n return common.repeat(' ', max - string.length) + string;\n}\n\n\nfunction makeSnippet(mark, options) {\n options = Object.create(options \|\| null);\n\n if (!mark.buffer) return null;\n\n if (!options.maxLength) options.maxLength = 79;\n if (typeof options.indent !== 'number') options.indent = 1;\n if (typeof options.linesBefore !== 'number') options.linesBefore = 3;\n if (typeof options.linesAfter !== 'number') options.linesAfter = 2;\n\n var re = /\\r?\\n\|\\r\|\\0/g;\n var lineStarts = [ 0 ];\n var lineEnds = [];\n var match;\n var foundLineNo = -1;\n\n while ((match = re.exec(mark.buffer))) {\n lineEnds.push(match.index);\n lineStarts.push(match.index + match[0].length);\n\n if (mark.position <= match.index && foundLineNo < 0) {\n foundLineNo = lineStarts.length - 2;\n }\n }\n\n if (foundLineNo < 0) foundLineNo = lineStarts.length - 1;\n\n var result = '', i, line;\n var lineNoLength = Math.min(mark.line + options.linesAfter, lineEnds.length).toString().length;\n var maxLineLength = options.maxLength - (options.indent + lineNoLength + 3);\n\n for (i = 1; i <= options.linesBefore; i++) {\n if (foundLineNo - i < 0) break;\n line = getLine(\n mark.buffer,\n lineStarts[foundLineNo - i],\n lineEnds[foundLineNo - i],\n mark.position - (lineStarts[foundLineNo] - lineStarts[foundLineNo - i]),\n maxLineLength\n );\n result = common.repeat(' ', options.indent) + padStart((mark.line - i + 1).toString(), lineNoLength) +\n ' \| ' + line.str + '\\n' + result;\n }\n\n line = getLine(mark.buffer, lineStarts[foundLineNo], lineEnds[foundLineNo], mark.position, maxLineLength);\n result += common.repeat(' ', options.indent) + padStart((mark.line + 1).toString(), lineNoLength) +\n ' \| ' + line.str + '\\n';\n result += common.repeat('-', options.indent + lineNoLength + 3 + line.pos) + '^' + '\\n';\n\n for (i = 1; i <= options.linesAfter; i++) {\n if (foundLineNo + i >= lineEnds.length) break;\n line = getLine(\n mark.buffer,\n lineStarts[foundLineNo + i],\n lineEnds[foundLineNo + i],\n mark.position - (lineStarts[foundLineNo] - lineStarts[foundLineNo + i]),\n maxLineLength\n );\n result += common.repeat(' ', options.indent) + padStart((mark.line + i + 1).toString(), lineNoLength) +\n ' \| ' + line.str + '\\n';\n }\n\n return result.replace(/\\n$/, '');\n}\n\n\nvar snippet = makeSnippet;\n\nvar TYPE_CONSTRUCTOR_OPTIONS = [\n 'kind',\n 'multi',\n 'resolve',\n 'construct',\n 'instanceOf',\n 'predicate',\n 'represent',\n 'representName',\n 'defaultStyle',\n 'styleAliases'\n];\n\nvar YAML_NODE_KINDS = [\n 'scalar',\n 'sequence',\n 'mapping'\n];\n\nfunction compileStyleAliases(map) {\n var result = {};\n\n if (map !== null) {\n Object.keys(map).forEach(function (style) {\n map[style].forEach(function (alias) {\n result[String(alias)] = style;\n });\n });\n }\n\n return result;\n}\n\nfunction Type$1(tag, options) {\n options = options \|\| {};\n\n Object.keys(options).forEach(function (name) {\n if (TYPE_CONSTRUCTOR_OPTIONS.indexOf(name) === -1) {\n throw new exception('Unknown option \"' + name + '\" is met in definition of \"' + tag + '\" YAML type.');\n }\n });\n\n // TODO: Add tag format check.\n this.options = options; // keep original options in case user wants to extend this type later\n this.tag = tag;\n this.kind = options['kind'] \|\| null;\n this.resolve = options['resolve'] \|\| function () { return true; };\n this.construct = options['construct'] \|\| function (data) { return data; };\n this.instanceOf = options['instanceOf'] \|\| null;\n this.predicate = options['predicate'] \|\| null;\n this.represent = options['represent'] \|\| null;\n this.representName = options['representName'] \|\| null;\n this.defaultStyle = options['defaultStyle'] \|\| null;\n this.multi = options['multi'] \|\| false;\n this.styleAliases = compileStyleAliases(options['styleAliases'] \|\| null);\n\n if (YAML_NODE_KINDS.indexOf(this.kind) === -1) {\n throw new exception('Unknown kind \"' + this.kind + '\" is specified for \"' + tag + '\" YAML type.');\n }\n}\n\nvar type = Type$1;\n\n/eslint-disable max-len/\n\n\n\n\n\nfunction compileList(schema, name) {\n var result = [];\n\n schema[name].forEach(function (currentType) {\n var newIndex = result.length;\n\n result.forEach(function (previousType, previousIndex) {\n if (previousType.tag === currentType.tag &&\n previousType.kind === currentType.kind &&\n previousType.multi === currentType.multi) {\n\n newIndex = previousIndex;\n }\n });\n\n result[newIndex] = currentType;\n });\n\n return result;\n}\n\n\nfunction compileMap(/ lists... /) {\n var result = {\n scalar: {},\n sequence: {},\n mapping: {},\n fallback: {},\n multi: {\n scalar: [],\n sequence: [],\n mapping: [],\n fallback: []\n }\n }, index, length;\n\n function collectType(type) {\n if (type.multi) {\n result.multi[type.kind].push(type);\n result.multi['fallback'].push(type);\n } else {\n result[type.kind][type.tag] = result['fallback'][type.tag] = type;\n }\n }\n\n for (index = 0, length = arguments.length; index < length; index += 1) {\n arguments[index].forEach(collectType);\n }\n return result;\n}\n\n\nfunction Schema$1(definition) {\n return this.extend(definition);\n}\n\n\nSchema$1.prototype.extend = function extend(definition) {\n var implicit = [];\n var explicit = [];\n\n if (definition instanceof type) {\n // Schema.extend(type)\n explicit.push(definition);\n\n } else if (Array.isArray(definition)) {\n // Schema.extend([ type1, type2, ... ])\n explicit = explicit.concat(definition);\n\n } else if (definition && (Array.isArray(definition.implicit) \|\| Array.isArray(definition.explicit))) {\n // Schema.extend({ explicit: [ type1, type2, ... ], implicit: [ type1, type2, ... ] })\n if (definition.implicit) implicit = implicit.concat(definition.implicit);\n if (definition.explicit) explicit = explicit.concat(definition.explicit);\n\n } else {\n throw new exception('Schema.extend argument should be a Type, [ Type ], ' +\n 'or a schema definition ({ implicit: [...], explicit: [...] })');\n }\n\n implicit.forEach(function (type$1) {\n if (!(type$1 instanceof type)) {\n throw new exception('Specified list of YAML types (or a single Type object) contains a non-Type object.');\n }\n\n if (type$1.loadKind && type$1.loadKind !== 'scalar') {\n throw new exception('There is a non-scalar type in the implicit list of a schema. Implicit resolving of such types is not supported.');\n }\n\n if (type$1.multi) {\n throw new exception('There is a multi type in the implicit list of a schema. Multi tags can only be listed as explicit.');\n }\n });\n\n explicit.forEach(function (type$1) {\n if (!(type$1 instanceof type)) {\n throw new exception('Specified list of YAML types (or a single Type object) contains a non-Type object.');\n }\n });\n\n var result = Object.create(Schema$1.prototype);\n\n result.implicit = (this.implicit \|\| []).concat(implicit);\n result.explicit = (this.explicit \|\| []).concat(explicit);\n\n result.compiledImplicit = compileList(result, 'implicit');\n result.compiledExplicit = compileList(result, 'explicit');\n result.compiledTypeMap = compileMap(result.compiledImplicit, result.compiledExplicit);\n\n return result;\n};\n\n\nvar schema = Schema$1;\n\nvar str = new type('tag:yaml.org,2002:str', {\n kind: 'scalar',\n construct: function (data) { return data !== null ? data : ''; }\n});\n\nvar seq = new type('tag:yaml.org,2002:seq', {\n kind: 'sequence',\n construct: function (data) { return data !== null ? data : []; }\n});\n\nvar map = new type('tag:yaml.org,2002:map', {\n kind: 'mapping',\n construct: function (data) { return data !== null ? data : {}; }\n});\n\nvar failsafe = new schema({\n explicit: [\n str,\n seq,\n map\n ]\n});\n\nfunction resolveYamlNull(data) {\n if (data === null) return true;\n\n var max = data.length;\n\n return (max === 1 && data === '~') \|\|\n (max === 4 && (data === 'null' \|\| data === 'Null' \|\| data === 'NULL'));\n}\n\nfunction constructYamlNull() {\n return null;\n}\n\nfunction isNull(object) {\n return object === null;\n}\n\nvar _null = new type('tag:yaml.org,2002:null', {\n kind: 'scalar',\n resolve: resolveYamlNull,\n construct: constructYamlNull,\n predicate: isNull,\n represent: {\n canonical: function () { return '~'; },\n lowercase: function () { return 'null'; },\n uppercase: function () { return 'NULL'; },\n camelcase: function () { return 'Null'; },\n empty: function () { return ''; }\n },\n defaultStyle: 'lowercase'\n});\n\nfunction resolveYamlBoolean(data) {\n if (data === null) return false;\n\n var max = data.length;\n\n return (max === 4 && (data === 'true' \|\| data === 'True' \|\| data === 'TRUE')) \|\|\n (max === 5 && (data === 'false' \|\| data === 'False' \|\| data === 'FALSE'));\n}\n\nfunction constructYamlBoolean(data) {\n return data === 'true' \|\|\n data === 'True' \|\|\n data === 'TRUE';\n}\n\nfunction isBoolean(object) {\n return Object.prototype.toString.call(object) === '[object Boolean]';\n}\n\nvar bool = new type('tag:yaml.org,2002:bool', {\n kind: 'scalar',\n resolve: resolveYamlBoolean,\n construct: constructYamlBoolean,\n predicate: isBoolean,\n represent: {\n lowercase: function (object) { return object ? 'true' : 'false'; },\n uppercase: function (object) { return object ? 'TRUE' : 'FALSE'; },\n camelcase: function (object) { return object ? 'True' : 'False'; }\n },\n defaultStyle: 'lowercase'\n});\n\nfunction isHexCode(c) {\n return ((0x30/ 0 / <= c) && (c <= 0x39/ 9 /)) \|\|\n ((0x41/ A / <= c) && (c <= 0x46/ F /)) \|\|\n ((0x61/ a / <= c) && (c <= 0x66/ f /));\n}\n\nfunction isOctCode(c) {\n return ((0x30/ 0 / <= c) && (c <= 0x37/ 7 /));\n}\n\nfunction isDecCode(c) {\n return ((0x30/ 0 / <= c) && (c <= 0x39/ 9 /));\n}\n\nfunction resolveYamlInteger(data) {\n if (data === null) return false;\n\n var max = data.length,\n index = 0,\n hasDigits = false,\n ch;\n\n if (!max) return false;\n\n ch = data[index];\n\n // sign\n if (ch === '-' \|\| ch === '+') {\n ch = data[++index];\n }\n\n if (ch === '0') {\n // 0\n if (index + 1 === max) return true;\n ch = data[++index];\n\n // base 2, base 8, base 16\n\n if (ch === 'b') {\n // base 2\n index++;\n\n for (; index < max; index++) {\n ch = data[index];\n if (ch === '_') continue;\n if (ch !== '0' && ch !== '1') return false;\n hasDigits = true;\n }\n return hasDigits && ch !== '_';\n }\n\n\n if (ch === 'x') {\n // base 16\n index++;\n\n for (; index < max; index++) {\n ch = data[index];\n if (ch === '_') continue;\n if (!isHexCode(data.charCodeAt(index))) return false;\n hasDigits = true;\n }\n return hasDigits && ch !== '_';\n }\n\n\n if (ch === 'o') {\n // base 8\n index++;\n\n for (; index < max; index++) {\n ch = data[index];\n if (ch === '_') continue;\n if (!isOctCode(data.charCodeAt(index))) return false;\n hasDigits = true;\n }\n return hasDigits && ch !== '_';\n }\n }\n\n // base 10 (except 0)\n\n // value should not start with `_`;\n if (ch === '_') return false;\n\n for (; index < max; index++) {\n ch = data[index];\n if (ch === '_') continue;\n if (!isDecCode(data.charCodeAt(index))) {\n return false;\n }\n hasDigits = true;\n }\n\n // Should have digits and should not end with `_`\n if (!hasDigits \|\| ch === '_') return false;\n\n return true;\n}\n\nfunction constructYamlInteger(data) {\n var value = data, sign = 1, ch;\n\n if (value.indexOf('_') !== -1) {\n value = value.replace(/_/g, '');\n }\n\n ch = value[0];\n\n if (ch === '-' \|\| ch === '+') {\n if (ch === '-') sign = -1;\n value = value.slice(1);\n ch = value[0];\n }\n\n if (value === '0') return 0;\n\n if (ch === '0') {\n if (value[1] === 'b') return sign parseInt(value.slice(2), 2);\n if (value[1] === 'x') return sign * parseInt(value.slice(2), 16);\n if (value[1] === 'o') return sign * parseInt(value.slice(2), 8);\n }\n\n return sign * parseInt(value, 10);\n}\n\nfunction isInteger(object) {\n return (Object.prototype.toString.call(object)) === '[object Number]' &&\n (object % 1 === 0 && !common.isNegativeZero(object));\n}\n\nvar int = new type('tag:yaml.org,2002:int', {\n kind: 'scalar',\n resolve: resolveYamlInteger,\n construct: constructYamlInteger,\n predicate: isInteger,\n represent: {\n binary: function (obj) { return obj >= 0 ? '0b' + obj.toString(2) : '-0b' + obj.toString(2).slice(1); },\n octal: function (obj) { return obj >= 0 ? '0o' + obj.toString(8) : '-0o' + obj.toString(8).slice(1); },\n decimal: function (obj) { return obj.toString(10); },\n /* eslint-disable max-len /\n hexadecimal: function (obj) { return obj >= 0 ? '0x' + obj.toString(16).toUpperCase() : '-0x' + obj.toString(16).toUpperCase().slice(1); }\n },\n defaultStyle: 'decimal',\n styleAliases: {\n binary: [ 2, 'bin' ],\n octal: [ 8, 'oct' ],\n decimal: [ 10, 'dec' ],\n hexadecimal: [ 16, 'hex' ]\n }\n});\n\nvar YAML_FLOAT_PATTERN = new RegExp(\n // 2.5e4, 2.5 and integers\n '^(?:[-+]?(?:[0-9][0-9_])(?:\\\\.[0-9_])?(?:[eE][-+]?[0-9]+)?' +\n // .2e4, .2\n // special case, seems not from spec\n '\|\\\\.[0-9_]+(?:[eE][-+]?[0-9]+)?' +\n // .inf\n '\|[-+]?\\\\.(?:inf\|Inf\|INF)' +\n // .nan\n '\|\\\\.(?:nan\|NaN\|NAN))$');\n\nfunction resolveYamlFloat(data) {\n if (data === null) return false;\n\n if (!YAML_FLOAT_PATTERN.test(data) \|\|\n // Quick hack to not allow integers end with `_`\n // Probably should update regexp & check speed\n data[data.length - 1] === '_') {\n return false;\n }\n\n return true;\n}\n\nfunction constructYamlFloat(data) {\n var value, sign;\n\n value = data.replace(/_/g, '').toLowerCase();\n sign = value[0] === '-' ? -1 : 1;\n\n if ('+-'.indexOf(value[0]) >= 0) {\n value = value.slice(1);\n }\n\n if (value === '.inf') {\n return (sign === 1) ? Number.POSITIVE_INFINITY : Number.NEGATIVE_INFINITY;\n\n } else if (value === '.nan') {\n return NaN;\n }\n return sign parseFloat(value, 10);\n}\n\n\nvar SCIENTIFIC_WITHOUT_DOT = /^[-+]?[0-9]+e/;\n\nfunction representYamlFloat(object, style) {\n var res;\n\n if (isNaN(object)) {\n switch (style) {\n case 'lowercase': return '.nan';\n case 'uppercase': return '.NAN';\n case 'camelcase': return '.NaN';\n }\n } else if (Number.POSITIVE_INFINITY === object) {\n switch (style) {\n case 'lowercase': return '.inf';\n case 'uppercase': return '.INF';\n case 'camelcase': return '.Inf';\n }\n } else if (Number.NEGATIVE_INFINITY === object) {\n switch (style) {\n case 'lowercase': return '-.inf';\n case 'uppercase': return '-.INF';\n case 'camelcase': return '-.Inf';\n }\n } else if (common.isNegativeZero(object)) {\n return '-0.0';\n }\n\n res = object.toString(10);\n\n // JS stringifier can build scientific format without dots: 5e-100,\n // while YAML requres dot: 5.e-100. Fix it with simple hack\n\n return SCIENTIFIC_WITHOUT_DOT.test(res) ? res.replace('e', '.e') : res;\n}\n\nfunction isFloat(object) {\n return (Object.prototype.toString.call(object) === '[object Number]') &&\n (object % 1 !== 0 \|\| common.isNegativeZero(object));\n}\n\nvar float = new type('tag:yaml.org,2002:float', {\n kind: 'scalar',\n resolve: resolveYamlFloat,\n construct: constructYamlFloat,\n predicate: isFloat,\n represent: representYamlFloat,\n defaultStyle: 'lowercase'\n});\n\nvar json = failsafe.extend({\n implicit: [\n _null,\n bool,\n int,\n float\n ]\n});\n\nvar core = json;\n\nvar YAML_DATE_REGEXP = new RegExp(\n '^([0-9][0-9][0-9][0-9])' + // [1] year\n '-([0-9][0-9])' + // [2] month\n '-([0-9][0-9])$'); // [3] day\n\nvar YAML_TIMESTAMP_REGEXP = new RegExp(\n '^([0-9][0-9][0-9][0-9])' + // [1] year\n '-([0-9][0-9]?)' + // [2] month\n '-([0-9][0-9]?)' + // [3] day\n '(?:[Tt]\|[ \\\\t]+)' + // ...\n '([0-9][0-9]?)' + // [4] hour\n ':([0-9][0-9])' + // [5] minute\n ':([0-9][0-9])' + // [6] second\n '(?:\\\\.([0-9]))?' + // [7] fraction\n '(?:[ \\\\t](Z\|([-+])([0-9][0-9]?)' + // [8] tz [9] tz_sign [10] tz_hour\n '(?::([0-9][0-9]))?))?$'); // [11] tz_minute\n\nfunction resolveYamlTimestamp(data) {\n if (data === null) return false;\n if (YAML_DATE_REGEXP.exec(data) !== null) return true;\n if (YAML_TIMESTAMP_REGEXP.exec(data) !== null) return true;\n return false;\n}\n\nfunction constructYamlTimestamp(data) {\n var match, year, month, day, hour, minute, second, fraction = 0,\n delta = null, tz_hour, tz_minute, date;\n\n match = YAML_DATE_REGEXP.exec(data);\n if (match === null) match = YAML_TIMESTAMP_REGEXP.exec(data);\n\n if (match === null) throw new Error('Date resolve error');\n\n // match: [1] year [2] month [3] day\n\n year = +(match[1]);\n month = +(match[2]) - 1; // JS month starts with 0\n day = +(match[3]);\n\n if (!match[4]) { // no hour\n return new Date(Date.UTC(year, month, day));\n }\n\n // match: [4] hour [5] minute [6] second [7] fraction\n\n hour = +(match[4]);\n minute = +(match[5]);\n second = +(match[6]);\n\n if (match[7]) {\n fraction = match[7].slice(0, 3);\n while (fraction.length < 3) { // milli-seconds\n fraction += '0';\n }\n fraction = +fraction;\n }\n\n // match: [8] tz [9] tz_sign [10] tz_hour [11] tz_minute\n\n if (match[9]) {\n tz_hour = +(match[10]);\n tz_minute = +(match[11] \|\| 0);\n delta = (tz_hour * 60 + tz_minute) * 60000; // delta in mili-seconds\n if (match[9] === '-') delta = -delta;\n }\n\n date = new Date(Date.UTC(year, month, day, hour, minute, second, fraction));\n\n if (delta) date.setTime(date.getTime() - delta);\n\n return date;\n}\n\nfunction representYamlTimestamp(object /, style/) {\n return object.toISOString();\n}\n\nvar timestamp = new type('tag:yaml.org,2002:timestamp', {\n kind: 'scalar',\n resolve: resolveYamlTimestamp,\n construct: constructYamlTimestamp,\n instanceOf: Date,\n represent: representYamlTimestamp\n});\n\nfunction resolveYamlMerge(data) {\n return data === '<<' \|\| data === null;\n}\n\nvar merge = new type('tag:yaml.org,2002:merge', {\n kind: 'scalar',\n resolve: resolveYamlMerge\n});\n\n/eslint-disable no-bitwise/\n\n\n\n\n\n// [ 64, 65, 66 ] -> [ padding, CR, LF ]\nvar BASE64_MAP = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\\n\\r';\n\n\nfunction resolveYamlBinary(data) {\n if (data === null) return false;\n\n var code, idx, bitlen = 0, max = data.length, map = BASE64_MAP;\n\n // Convert one by one.\n for (idx = 0; idx < max; idx++) {\n code = map.indexOf(data.charAt(idx));\n\n // Skip CR/LF\n if (code > 64) continue;\n\n // Fail on illegal characters\n if (code < 0) return false;\n\n bitlen += 6;\n }\n\n // If there are any bits left, source was corrupted\n return (bitlen % 8) === 0;\n}\n\nfunction constructYamlBinary(data) {\n var idx, tailbits,\n input = data.replace(/[\\r\\n=]/g, ''), // remove CR/LF & padding to simplify scan\n max = input.length,\n map = BASE64_MAP,\n bits = 0,\n result = [];\n\n // Collect by 64 bits (3 bytes)\n\n for (idx = 0; idx < max; idx++) {\n if ((idx % 4 === 0) && idx) {\n result.push((bits >> 16) & 0xFF);\n result.push((bits >> 8) & 0xFF);\n result.push(bits & 0xFF);\n }\n\n bits = (bits << 6) \| map.indexOf(input.charAt(idx));\n }\n\n // Dump tail\n\n tailbits = (max % 4) 6;\n\n if (tailbits === 0) {\n result.push((bits >> 16) & 0xFF);\n result.push((bits >> 8) & 0xFF);\n result.push(bits & 0xFF);\n } else if (tailbits === 18) {\n result.push((bits >> 10) & 0xFF);\n result.push((bits >> 2) & 0xFF);\n } else if (tailbits === 12) {\n result.push((bits >> 4) & 0xFF);\n }\n\n return new Uint8Array(result);\n}\n\nfunction representYamlBinary(object /, style/) {\n var result = '', bits = 0, idx, tail,\n max = object.length,\n map = BASE64_MAP;\n\n // Convert every three bytes to 4 ASCII characters.\n\n for (idx = 0; idx < max; idx++) {\n if ((idx % 3 === 0) && idx) {\n result += map[(bits >> 18) & 0x3F];\n result += map[(bits >> 12) & 0x3F];\n result += map[(bits >> 6) & 0x3F];\n result += map[bits & 0x3F];\n }\n\n bits = (bits << 8) + object[idx];\n }\n\n // Dump tail\n\n tail = max % 3;\n\n if (tail === 0) {\n result += map[(bits >> 18) & 0x3F];\n result += map[(bits >> 12) & 0x3F];\n result += map[(bits >> 6) & 0x3F];\n result += map[bits & 0x3F];\n } else if (tail === 2) {\n result += map[(bits >> 10) & 0x3F];\n result += map[(bits >> 4) & 0x3F];\n result += map[(bits << 2) & 0x3F];\n result += map[64];\n } else if (tail === 1) {\n result += map[(bits >> 2) & 0x3F];\n result += map[(bits << 4) & 0x3F];\n result += map[64];\n result += map[64];\n }\n\n return result;\n}\n\nfunction isBinary(obj) {\n return Object.prototype.toString.call(obj) === '[object Uint8Array]';\n}\n\nvar binary = new type('tag:yaml.org,2002:binary', {\n kind: 'scalar',\n resolve: resolveYamlBinary,\n construct: constructYamlBinary,\n predicate: isBinary,\n represent: representYamlBinary\n});\n\nvar _hasOwnProperty$3 = Object.prototype.hasOwnProperty;\nvar _toString$2 = Object.prototype.toString;\n\nfunction resolveYamlOmap(data) {\n if (data === null) return true;\n\n var objectKeys = [], index, length, pair, pairKey, pairHasKey,\n object = data;\n\n for (index = 0, length = object.length; index < length; index += 1) {\n pair = object[index];\n pairHasKey = false;\n\n if (_toString$2.call(pair) !== '[object Object]') return false;\n\n for (pairKey in pair) {\n if (_hasOwnProperty$3.call(pair, pairKey)) {\n if (!pairHasKey) pairHasKey = true;\n else return false;\n }\n }\n\n if (!pairHasKey) return false;\n\n if (objectKeys.indexOf(pairKey) === -1) objectKeys.push(pairKey);\n else return false;\n }\n\n return true;\n}\n\nfunction constructYamlOmap(data) {\n return data !== null ? data : [];\n}\n\nvar omap = new type('tag:yaml.org,2002:omap', {\n kind: 'sequence',\n resolve: resolveYamlOmap,\n construct: constructYamlOmap\n});\n\nvar _toString$1 = Object.prototype.toString;\n\nfunction resolveYamlPairs(data) {\n if (data === null) return true;\n\n var index, length, pair, keys, result,\n object = data;\n\n result = new Array(object.length);\n\n for (index = 0, length = object.length; index < length; index += 1) {\n pair = object[index];\n\n if (_toString$1.call(pair) !== '[object Object]') return false;\n\n keys = Object.keys(pair);\n\n if (keys.length !== 1) return false;\n\n result[index] = [ keys[0], pair[keys[0]] ];\n }\n\n return true;\n}\n\nfunction constructYamlPairs(data) {\n if (data === null) return [];\n\n var index, length, pair, keys, result,\n object = data;\n\n result = new Array(object.length);\n\n for (index = 0, length = object.length; index < length; index += 1) {\n pair = object[index];\n\n keys = Object.keys(pair);\n\n result[index] = [ keys[0], pair[keys[0]] ];\n }\n\n return result;\n}\n\nvar pairs = new type('tag:yaml.org,2002:pairs', {\n kind: 'sequence',\n resolve: resolveYamlPairs,\n construct: constructYamlPairs\n});\n\nvar _hasOwnProperty$2 = Object.prototype.hasOwnProperty;\n\nfunction resolveYamlSet(data) {\n if (data === null) return true;\n\n var key, object = data;\n\n for (key in object) {\n if (_hasOwnProperty$2.call(object, key)) {\n if (object[key] !== null) return false;\n }\n }\n\n return true;\n}\n\nfunction constructYamlSet(data) {\n return data !== null ? data : {};\n}\n\nvar set = new type('tag:yaml.org,2002:set', {\n kind: 'mapping',\n resolve: resolveYamlSet,\n construct: constructYamlSet\n});\n\nvar _default = core.extend({\n implicit: [\n timestamp,\n merge\n ],\n explicit: [\n binary,\n omap,\n pairs,\n set\n ]\n});\n\n/eslint-disable max-len,no-use-before-define/\n\n\n\n\n\n\n\nvar _hasOwnProperty$1 = Object.prototype.hasOwnProperty;\n\n\nvar CONTEXT_FLOW_IN = 1;\nvar CONTEXT_FLOW_OUT = 2;\nvar CONTEXT_BLOCK_IN = 3;\nvar CONTEXT_BLOCK_OUT = 4;\n\n\nvar CHOMPING_CLIP = 1;\nvar CHOMPING_STRIP = 2;\nvar CHOMPING_KEEP = 3;\n\n\nvar PATTERN_NON_PRINTABLE = /[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F-\\x84\\x86-\\x9F\\uFFFE\\uFFFF]\|[\\uD800-\\uDBFF](?![\\uDC00-\\uDFFF])\|(?:[^\\uD800-\\uDBFF]\|^)[\\uDC00-\\uDFFF]/;\nvar PATTERN_NON_ASCII_LINE_BREAKS = /[\\x85\\u2028\\u2029]/;\nvar PATTERN_FLOW_INDICATORS = /[,\\[\\]\\{\\}]/;\nvar PATTERN_TAG_HANDLE = /^(?:!\|!!\|![a-z\\-]+!)$/i;\nvar PATTERN_TAG_URI = /^(?:!\|[^,\\[\\]\\{\\}])(?:%[0-9a-f]{2}\|[0-9a-z\\-#;\\/\\?:@&=\\+\\$,_\\.!~\\'\$\$\\[\\]])$/i;\n\n\nfunction _class(obj) { return Object.prototype.toString.call(obj); }\n\nfunction is_EOL(c) {\n return (c === 0x0A/* LF /) \|\| (c === 0x0D/ CR /);\n}\n\nfunction is_WHITE_SPACE(c) {\n return (c === 0x09/ Tab /) \|\| (c === 0x20/ Space /);\n}\n\nfunction is_WS_OR_EOL(c) {\n return (c === 0x09/ Tab /) \|\|\n (c === 0x20/ Space /) \|\|\n (c === 0x0A/ LF /) \|\|\n (c === 0x0D/ CR /);\n}\n\nfunction is_FLOW_INDICATOR(c) {\n return c === 0x2C/ , / \|\|\n c === 0x5B/ [ / \|\|\n c === 0x5D/ ] / \|\|\n c === 0x7B/ { / \|\|\n c === 0x7D/ } /;\n}\n\nfunction fromHexCode(c) {\n var lc;\n\n if ((0x30/ 0 / <= c) && (c <= 0x39/ 9 /)) {\n return c - 0x30;\n }\n\n /eslint-disable no-bitwise/\n lc = c \| 0x20;\n\n if ((0x61/ a / <= lc) && (lc <= 0x66/ f /)) {\n return lc - 0x61 + 10;\n }\n\n return -1;\n}\n\nfunction escapedHexLen(c) {\n if (c === 0x78/ x /) { return 2; }\n if (c === 0x75/ u /) { return 4; }\n if (c === 0x55/ U /) { return 8; }\n return 0;\n}\n\nfunction fromDecimalCode(c) {\n if ((0x30/ 0 / <= c) && (c <= 0x39/ 9 /)) {\n return c - 0x30;\n }\n\n return -1;\n}\n\nfunction simpleEscapeSequence(c) {\n / eslint-disable indent /\n return (c === 0x30/ 0 /) ? '\\x00' :\n (c === 0x61/ a /) ? '\\x07' :\n (c === 0x62/ b /) ? '\\x08' :\n (c === 0x74/ t /) ? '\\x09' :\n (c === 0x09/ Tab /) ? '\\x09' :\n (c === 0x6E/ n /) ? '\\x0A' :\n (c === 0x76/ v /) ? '\\x0B' :\n (c === 0x66/ f /) ? '\\x0C' :\n (c === 0x72/ r /) ? '\\x0D' :\n (c === 0x65/ e /) ? '\\x1B' :\n (c === 0x20/ Space /) ? ' ' :\n (c === 0x22/ \" /) ? '\\x22' :\n (c === 0x2F/ / /) ? '/' :\n (c === 0x5C/ \\ /) ? '\\x5C' :\n (c === 0x4E/ N /) ? '\\x85' :\n (c === 0x5F/ _ /) ? '\\xA0' :\n (c === 0x4C/ L /) ? '\\u2028' :\n (c === 0x50/ P /) ? '\\u2029' : '';\n}\n\nfunction charFromCodepoint(c) {\n if (c <= 0xFFFF) {\n return String.fromCharCode(c);\n }\n // Encode UTF-16 surrogate pair\n // https://en.wikipedia.org/wiki/UTF-16#Code_points_U.2B010000_to_U.2B10FFFF\n return String.fromCharCode(\n ((c - 0x010000) >> 10) + 0xD800,\n ((c - 0x010000) & 0x03FF) + 0xDC00\n );\n}\n\n// set a property of a literal object, while protecting against prototype pollution,\n// see https://github.com/nodeca/js-yaml/issues/164 for more details\nfunction setProperty(object, key, value) {\n // used for this specific key only because Object.defineProperty is slow\n if (key === '__proto__') {\n Object.defineProperty(object, key, {\n configurable: true,\n enumerable: true,\n writable: true,\n value: value\n });\n } else {\n object[key] = value;\n }\n}\n\nvar simpleEscapeCheck = new Array(256); // integer, for fast access\nvar simpleEscapeMap = new Array(256);\nfor (var i = 0; i < 256; i++) {\n simpleEscapeCheck[i] = simpleEscapeSequence(i) ? 1 : 0;\n simpleEscapeMap[i] = simpleEscapeSequence(i);\n}\n\n\nfunction State$1(input, options) {\n this.input = input;\n\n this.filename = options['filename'] \|\| null;\n this.schema = options['schema'] \|\| _default;\n this.onWarning = options['onWarning'] \|\| null;\n // (Hidden) Remove? makes the loader to expect YAML 1.1 documents\n // if such documents have no explicit %YAML directive\n this.legacy = options['legacy'] \|\| false;\n\n this.json = options['json'] \|\| false;\n this.listener = options['listener'] \|\| null;\n\n this.implicitTypes = this.schema.compiledImplicit;\n this.typeMap = this.schema.compiledTypeMap;\n\n this.length = input.length;\n this.position = 0;\n this.line = 0;\n this.lineStart = 0;\n this.lineIndent = 0;\n\n // position of first leading tab in the current line,\n // used to make sure there are no tabs in the indentation\n this.firstTabInLine = -1;\n\n this.documents = [];\n\n /\n this.version;\n this.checkLineBreaks;\n this.tagMap;\n this.anchorMap;\n this.tag;\n this.anchor;\n this.kind;\n this.result;/\n\n}\n\n\nfunction generateError(state, message) {\n var mark = {\n name: state.filename,\n buffer: state.input.slice(0, -1), // omit trailing \\0\n position: state.position,\n line: state.line,\n column: state.position - state.lineStart\n };\n\n mark.snippet = snippet(mark);\n\n return new exception(message, mark);\n}\n\nfunction throwError(state, message) {\n throw generateError(state, message);\n}\n\nfunction throwWarning(state, message) {\n if (state.onWarning) {\n state.onWarning.call(null, generateError(state, message));\n }\n}\n\n\nvar directiveHandlers = {\n\n YAML: function handleYamlDirective(state, name, args) {\n\n var match, major, minor;\n\n if (state.version !== null) {\n throwError(state, 'duplication of %YAML directive');\n }\n\n if (args.length !== 1) {\n throwError(state, 'YAML directive accepts exactly one argument');\n }\n\n match = /^([0-9]+)\\.([0-9]+)$/.exec(args[0]);\n\n if (match === null) {\n throwError(state, 'ill-formed argument of the YAML directive');\n }\n\n major = parseInt(match[1], 10);\n minor = parseInt(match[2], 10);\n\n if (major !== 1) {\n throwError(state, 'unacceptable YAML version of the document');\n }\n\n state.version = args[0];\n state.checkLineBreaks = (minor < 2);\n\n if (minor !== 1 && minor !== 2) {\n throwWarning(state, 'unsupported YAML version of the document');\n }\n },\n\n TAG: function handleTagDirective(state, name, args) {\n\n var handle, prefix;\n\n if (args.length !== 2) {\n throwError(state, 'TAG directive accepts exactly two arguments');\n }\n\n handle = args[0];\n prefix = args[1];\n\n if (!PATTERN_TAG_HANDLE.test(handle)) {\n throwError(state, 'ill-formed tag handle (first argument) of the TAG directive');\n }\n\n if (_hasOwnProperty$1.call(state.tagMap, handle)) {\n throwError(state, 'there is a previously declared suffix for \"' + handle + '\" tag handle');\n }\n\n if (!PATTERN_TAG_URI.test(prefix)) {\n throwError(state, 'ill-formed tag prefix (second argument) of the TAG directive');\n }\n\n try {\n prefix = decodeURIComponent(prefix);\n } catch (err) {\n throwError(state, 'tag prefix is malformed: ' + prefix);\n }\n\n state.tagMap[handle] = prefix;\n }\n};\n\n\nfunction captureSegment(state, start, end, checkJson) {\n var _position, _length, _character, _result;\n\n if (start < end) {\n _result = state.input.slice(start, end);\n\n if (checkJson) {\n for (_position = 0, _length = _result.length; _position < _length; _position += 1) {\n _character = _result.charCodeAt(_position);\n if (!(_character === 0x09 \|\|\n (0x20 <= _character && _character <= 0x10FFFF))) {\n throwError(state, 'expected valid JSON character');\n }\n }\n } else if (PATTERN_NON_PRINTABLE.test(_result)) {\n throwError(state, 'the stream contains non-printable characters');\n }\n\n state.result += _result;\n }\n}\n\nfunction mergeMappings(state, destination, source, overridableKeys) {\n var sourceKeys, key, index, quantity;\n\n if (!common.isObject(source)) {\n throwError(state, 'cannot merge mappings; the provided source object is unacceptable');\n }\n\n sourceKeys = Object.keys(source);\n\n for (index = 0, quantity = sourceKeys.length; index < quantity; index += 1) {\n key = sourceKeys[index];\n\n if (!_hasOwnProperty$1.call(destination, key)) {\n setProperty(destination, key, source[key]);\n overridableKeys[key] = true;\n }\n }\n}\n\nfunction storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valueNode,\n startLine, startLineStart, startPos) {\n\n var index, quantity;\n\n // The output is a plain object here, so keys can only be strings.\n // We need to convert keyNode to a string, but doing so can hang the process\n // (deeply nested arrays that explode exponentially using aliases).\n if (Array.isArray(keyNode)) {\n keyNode = Array.prototype.slice.call(keyNode);\n\n for (index = 0, quantity = keyNode.length; index < quantity; index += 1) {\n if (Array.isArray(keyNode[index])) {\n throwError(state, 'nested arrays are not supported inside keys');\n }\n\n if (typeof keyNode === 'object' && _class(keyNode[index]) === '[object Object]') {\n keyNode[index] = '[object Object]';\n }\n }\n }\n\n // Avoid code execution in load() via toString property\n // (still use its own toString for arrays, timestamps,\n // and whatever user schema extensions happen to have @@toStringTag)\n if (typeof keyNode === 'object' && _class(keyNode) === '[object Object]') {\n keyNode = '[object Object]';\n }\n\n\n keyNode = String(keyNode);\n\n if (_result === null) {\n _result = {};\n }\n\n if (keyTag === 'tag:yaml.org,2002:merge') {\n if (Array.isArray(valueNode)) {\n for (index = 0, quantity = valueNode.length; index < quantity; index += 1) {\n mergeMappings(state, _result, valueNode[index], overridableKeys);\n }\n } else {\n mergeMappings(state, _result, valueNode, overridableKeys);\n }\n } else {\n if (!state.json &&\n !_hasOwnProperty$1.call(overridableKeys, keyNode) &&\n _hasOwnProperty$1.call(_result, keyNode)) {\n state.line = startLine \|\| state.line;\n state.lineStart = startLineStart \|\| state.lineStart;\n state.position = startPos \|\| state.position;\n throwError(state, 'duplicated mapping key');\n }\n\n setProperty(_result, keyNode, valueNode);\n delete overridableKeys[keyNode];\n }\n\n return _result;\n}\n\nfunction readLineBreak(state) {\n var ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch === 0x0A/ LF /) {\n state.position++;\n } else if (ch === 0x0D/ CR /) {\n state.position++;\n if (state.input.charCodeAt(state.position) === 0x0A/ LF /) {\n state.position++;\n }\n } else {\n throwError(state, 'a line break is expected');\n }\n\n state.line += 1;\n state.lineStart = state.position;\n state.firstTabInLine = -1;\n}\n\nfunction skipSeparationSpace(state, allowComments, checkIndent) {\n var lineBreaks = 0,\n ch = state.input.charCodeAt(state.position);\n\n while (ch !== 0) {\n while (is_WHITE_SPACE(ch)) {\n if (ch === 0x09/ Tab / && state.firstTabInLine === -1) {\n state.firstTabInLine = state.position;\n }\n ch = state.input.charCodeAt(++state.position);\n }\n\n if (allowComments && ch === 0x23/ # /) {\n do {\n ch = state.input.charCodeAt(++state.position);\n } while (ch !== 0x0A/ LF / && ch !== 0x0D/ CR / && ch !== 0);\n }\n\n if (is_EOL(ch)) {\n readLineBreak(state);\n\n ch = state.input.charCodeAt(state.position);\n lineBreaks++;\n state.lineIndent = 0;\n\n while (ch === 0x20/ Space /) {\n state.lineIndent++;\n ch = state.input.charCodeAt(++state.position);\n }\n } else {\n break;\n }\n }\n\n if (checkIndent !== -1 && lineBreaks !== 0 && state.lineIndent < checkIndent) {\n throwWarning(state, 'deficient indentation');\n }\n\n return lineBreaks;\n}\n\nfunction testDocumentSeparator(state) {\n var _position = state.position,\n ch;\n\n ch = state.input.charCodeAt(_position);\n\n // Condition state.position === state.lineStart is tested\n // in parent on each call, for efficiency. No needs to test here again.\n if ((ch === 0x2D/ - / \|\| ch === 0x2E/ . /) &&\n ch === state.input.charCodeAt(_position + 1) &&\n ch === state.input.charCodeAt(_position + 2)) {\n\n _position += 3;\n\n ch = state.input.charCodeAt(_position);\n\n if (ch === 0 \|\| is_WS_OR_EOL(ch)) {\n return true;\n }\n }\n\n return false;\n}\n\nfunction writeFoldedLines(state, count) {\n if (count === 1) {\n state.result += ' ';\n } else if (count > 1) {\n state.result += common.repeat('\\n', count - 1);\n }\n}\n\n\nfunction readPlainScalar(state, nodeIndent, withinFlowCollection) {\n var preceding,\n following,\n captureStart,\n captureEnd,\n hasPendingContent,\n _line,\n _lineStart,\n _lineIndent,\n _kind = state.kind,\n _result = state.result,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (is_WS_OR_EOL(ch) \|\|\n is_FLOW_INDICATOR(ch) \|\|\n ch === 0x23/ # / \|\|\n ch === 0x26/ & / \|\|\n ch === 0x2A/ * / \|\|\n ch === 0x21/ ! / \|\|\n ch === 0x7C/ \| / \|\|\n ch === 0x3E/ > / \|\|\n ch === 0x27/ ' / \|\|\n ch === 0x22/ \" / \|\|\n ch === 0x25/ % / \|\|\n ch === 0x40/ @ / \|\|\n ch === 0x60/ ` /) {\n return false;\n }\n\n if (ch === 0x3F/ ? / \|\| ch === 0x2D/ - /) {\n following = state.input.charCodeAt(state.position + 1);\n\n if (is_WS_OR_EOL(following) \|\|\n withinFlowCollection && is_FLOW_INDICATOR(following)) {\n return false;\n }\n }\n\n state.kind = 'scalar';\n state.result = '';\n captureStart = captureEnd = state.position;\n hasPendingContent = false;\n\n while (ch !== 0) {\n if (ch === 0x3A/ : /) {\n following = state.input.charCodeAt(state.position + 1);\n\n if (is_WS_OR_EOL(following) \|\|\n withinFlowCollection && is_FLOW_INDICATOR(following)) {\n break;\n }\n\n } else if (ch === 0x23/ # /) {\n preceding = state.input.charCodeAt(state.position - 1);\n\n if (is_WS_OR_EOL(preceding)) {\n break;\n }\n\n } else if ((state.position === state.lineStart && testDocumentSeparator(state)) \|\|\n withinFlowCollection && is_FLOW_INDICATOR(ch)) {\n break;\n\n } else if (is_EOL(ch)) {\n _line = state.line;\n _lineStart = state.lineStart;\n _lineIndent = state.lineIndent;\n skipSeparationSpace(state, false, -1);\n\n if (state.lineIndent >= nodeIndent) {\n hasPendingContent = true;\n ch = state.input.charCodeAt(state.position);\n continue;\n } else {\n state.position = captureEnd;\n state.line = _line;\n state.lineStart = _lineStart;\n state.lineIndent = _lineIndent;\n break;\n }\n }\n\n if (hasPendingContent) {\n captureSegment(state, captureStart, captureEnd, false);\n writeFoldedLines(state, state.line - _line);\n captureStart = captureEnd = state.position;\n hasPendingContent = false;\n }\n\n if (!is_WHITE_SPACE(ch)) {\n captureEnd = state.position + 1;\n }\n\n ch = state.input.charCodeAt(++state.position);\n }\n\n captureSegment(state, captureStart, captureEnd, false);\n\n if (state.result) {\n return true;\n }\n\n state.kind = _kind;\n state.result = _result;\n return false;\n}\n\nfunction readSingleQuotedScalar(state, nodeIndent) {\n var ch,\n captureStart, captureEnd;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch !== 0x27/ ' /) {\n return false;\n }\n\n state.kind = 'scalar';\n state.result = '';\n state.position++;\n captureStart = captureEnd = state.position;\n\n while ((ch = state.input.charCodeAt(state.position)) !== 0) {\n if (ch === 0x27/ ' /) {\n captureSegment(state, captureStart, state.position, true);\n ch = state.input.charCodeAt(++state.position);\n\n if (ch === 0x27/ ' /) {\n captureStart = state.position;\n state.position++;\n captureEnd = state.position;\n } else {\n return true;\n }\n\n } else if (is_EOL(ch)) {\n captureSegment(state, captureStart, captureEnd, true);\n writeFoldedLines(state, skipSeparationSpace(state, false, nodeIndent));\n captureStart = captureEnd = state.position;\n\n } else if (state.position === state.lineStart && testDocumentSeparator(state)) {\n throwError(state, 'unexpected end of the document within a single quoted scalar');\n\n } else {\n state.position++;\n captureEnd = state.position;\n }\n }\n\n throwError(state, 'unexpected end of the stream within a single quoted scalar');\n}\n\nfunction readDoubleQuotedScalar(state, nodeIndent) {\n var captureStart,\n captureEnd,\n hexLength,\n hexResult,\n tmp,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch !== 0x22/ \" /) {\n return false;\n }\n\n state.kind = 'scalar';\n state.result = '';\n state.position++;\n captureStart = captureEnd = state.position;\n\n while ((ch = state.input.charCodeAt(state.position)) !== 0) {\n if (ch === 0x22/ \" /) {\n captureSegment(state, captureStart, state.position, true);\n state.position++;\n return true;\n\n } else if (ch === 0x5C/ \\ /) {\n captureSegment(state, captureStart, state.position, true);\n ch = state.input.charCodeAt(++state.position);\n\n if (is_EOL(ch)) {\n skipSeparationSpace(state, false, nodeIndent);\n\n // TODO: rework to inline fn with no type cast?\n } else if (ch < 256 && simpleEscapeCheck[ch]) {\n state.result += simpleEscapeMap[ch];\n state.position++;\n\n } else if ((tmp = escapedHexLen(ch)) > 0) {\n hexLength = tmp;\n hexResult = 0;\n\n for (; hexLength > 0; hexLength--) {\n ch = state.input.charCodeAt(++state.position);\n\n if ((tmp = fromHexCode(ch)) >= 0) {\n hexResult = (hexResult << 4) + tmp;\n\n } else {\n throwError(state, 'expected hexadecimal character');\n }\n }\n\n state.result += charFromCodepoint(hexResult);\n\n state.position++;\n\n } else {\n throwError(state, 'unknown escape sequence');\n }\n\n captureStart = captureEnd = state.position;\n\n } else if (is_EOL(ch)) {\n captureSegment(state, captureStart, captureEnd, true);\n writeFoldedLines(state, skipSeparationSpace(state, false, nodeIndent));\n captureStart = captureEnd = state.position;\n\n } else if (state.position === state.lineStart && testDocumentSeparator(state)) {\n throwError(state, 'unexpected end of the document within a double quoted scalar');\n\n } else {\n state.position++;\n captureEnd = state.position;\n }\n }\n\n throwError(state, 'unexpected end of the stream within a double quoted scalar');\n}\n\nfunction readFlowCollection(state, nodeIndent) {\n var readNext = true,\n _line,\n _lineStart,\n _pos,\n _tag = state.tag,\n _result,\n _anchor = state.anchor,\n following,\n terminator,\n isPair,\n isExplicitPair,\n isMapping,\n overridableKeys = Object.create(null),\n keyNode,\n keyTag,\n valueNode,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch === 0x5B/ [ /) {\n terminator = 0x5D;/ ] /\n isMapping = false;\n _result = [];\n } else if (ch === 0x7B/ { /) {\n terminator = 0x7D;/ } /\n isMapping = true;\n _result = {};\n } else {\n return false;\n }\n\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = _result;\n }\n\n ch = state.input.charCodeAt(++state.position);\n\n while (ch !== 0) {\n skipSeparationSpace(state, true, nodeIndent);\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch === terminator) {\n state.position++;\n state.tag = _tag;\n state.anchor = _anchor;\n state.kind = isMapping ? 'mapping' : 'sequence';\n state.result = _result;\n return true;\n } else if (!readNext) {\n throwError(state, 'missed comma between flow collection entries');\n } else if (ch === 0x2C/ , /) {\n // \"flow collection entries can never be completely empty\", as per YAML 1.2, section 7.4\n throwError(state, \"expected the node content, but found ','\");\n }\n\n keyTag = keyNode = valueNode = null;\n isPair = isExplicitPair = false;\n\n if (ch === 0x3F/ ? /) {\n following = state.input.charCodeAt(state.position + 1);\n\n if (is_WS_OR_EOL(following)) {\n isPair = isExplicitPair = true;\n state.position++;\n skipSeparationSpace(state, true, nodeIndent);\n }\n }\n\n _line = state.line; // Save the current line.\n _lineStart = state.lineStart;\n _pos = state.position;\n composeNode(state, nodeIndent, CONTEXT_FLOW_IN, false, true);\n keyTag = state.tag;\n keyNode = state.result;\n skipSeparationSpace(state, true, nodeIndent);\n\n ch = state.input.charCodeAt(state.position);\n\n if ((isExplicitPair \|\| state.line === _line) && ch === 0x3A/ : /) {\n isPair = true;\n ch = state.input.charCodeAt(++state.position);\n skipSeparationSpace(state, true, nodeIndent);\n composeNode(state, nodeIndent, CONTEXT_FLOW_IN, false, true);\n valueNode = state.result;\n }\n\n if (isMapping) {\n storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valueNode, _line, _lineStart, _pos);\n } else if (isPair) {\n _result.push(storeMappingPair(state, null, overridableKeys, keyTag, keyNode, valueNode, _line, _lineStart, _pos));\n } else {\n _result.push(keyNode);\n }\n\n skipSeparationSpace(state, true, nodeIndent);\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch === 0x2C/ , /) {\n readNext = true;\n ch = state.input.charCodeAt(++state.position);\n } else {\n readNext = false;\n }\n }\n\n throwError(state, 'unexpected end of the stream within a flow collection');\n}\n\nfunction readBlockScalar(state, nodeIndent) {\n var captureStart,\n folding,\n chomping = CHOMPING_CLIP,\n didReadContent = false,\n detectedIndent = false,\n textIndent = nodeIndent,\n emptyLines = 0,\n atMoreIndented = false,\n tmp,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch === 0x7C/ \| /) {\n folding = false;\n } else if (ch === 0x3E/ > /) {\n folding = true;\n } else {\n return false;\n }\n\n state.kind = 'scalar';\n state.result = '';\n\n while (ch !== 0) {\n ch = state.input.charCodeAt(++state.position);\n\n if (ch === 0x2B/ + / \|\| ch === 0x2D/ - /) {\n if (CHOMPING_CLIP === chomping) {\n chomping = (ch === 0x2B/ + /) ? CHOMPING_KEEP : CHOMPING_STRIP;\n } else {\n throwError(state, 'repeat of a chomping mode identifier');\n }\n\n } else if ((tmp = fromDecimalCode(ch)) >= 0) {\n if (tmp === 0) {\n throwError(state, 'bad explicit indentation width of a block scalar; it cannot be less than one');\n } else if (!detectedIndent) {\n textIndent = nodeIndent + tmp - 1;\n detectedIndent = true;\n } else {\n throwError(state, 'repeat of an indentation width identifier');\n }\n\n } else {\n break;\n }\n }\n\n if (is_WHITE_SPACE(ch)) {\n do { ch = state.input.charCodeAt(++state.position); }\n while (is_WHITE_SPACE(ch));\n\n if (ch === 0x23/ # /) {\n do { ch = state.input.charCodeAt(++state.position); }\n while (!is_EOL(ch) && (ch !== 0));\n }\n }\n\n while (ch !== 0) {\n readLineBreak(state);\n state.lineIndent = 0;\n\n ch = state.input.charCodeAt(state.position);\n\n while ((!detectedIndent \|\| state.lineIndent < textIndent) &&\n (ch === 0x20/ Space /)) {\n state.lineIndent++;\n ch = state.input.charCodeAt(++state.position);\n }\n\n if (!detectedIndent && state.lineIndent > textIndent) {\n textIndent = state.lineIndent;\n }\n\n if (is_EOL(ch)) {\n emptyLines++;\n continue;\n }\n\n // End of the scalar.\n if (state.lineIndent < textIndent) {\n\n // Perform the chomping.\n if (chomping === CHOMPING_KEEP) {\n state.result += common.repeat('\\n', didReadContent ? 1 + emptyLines : emptyLines);\n } else if (chomping === CHOMPING_CLIP) {\n if (didReadContent) { // i.e. only if the scalar is not empty.\n state.result += '\\n';\n }\n }\n\n // Break this `while` cycle and go to the funciton's epilogue.\n break;\n }\n\n // Folded style: use fancy rules to handle line breaks.\n if (folding) {\n\n // Lines starting with white space characters (more-indented lines) are not folded.\n if (is_WHITE_SPACE(ch)) {\n atMoreIndented = true;\n // except for the first content line (cf. Example 8.1)\n state.result += common.repeat('\\n', didReadContent ? 1 + emptyLines : emptyLines);\n\n // End of more-indented block.\n } else if (atMoreIndented) {\n atMoreIndented = false;\n state.result += common.repeat('\\n', emptyLines + 1);\n\n // Just one line break - perceive as the same line.\n } else if (emptyLines === 0) {\n if (didReadContent) { // i.e. only if we have already read some scalar content.\n state.result += ' ';\n }\n\n // Several line breaks - perceive as different lines.\n } else {\n state.result += common.repeat('\\n', emptyLines);\n }\n\n // Literal style: just add exact number of line breaks between content lines.\n } else {\n // Keep all line breaks except the header line break.\n state.result += common.repeat('\\n', didReadContent ? 1 + emptyLines : emptyLines);\n }\n\n didReadContent = true;\n detectedIndent = true;\n emptyLines = 0;\n captureStart = state.position;\n\n while (!is_EOL(ch) && (ch !== 0)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n captureSegment(state, captureStart, state.position, false);\n }\n\n return true;\n}\n\nfunction readBlockSequence(state, nodeIndent) {\n var _line,\n _tag = state.tag,\n _anchor = state.anchor,\n _result = [],\n following,\n detected = false,\n ch;\n\n // there is a leading tab before this token, so it can't be a block sequence/mapping;\n // it can still be flow sequence/mapping or a scalar\n if (state.firstTabInLine !== -1) return false;\n\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = _result;\n }\n\n ch = state.input.charCodeAt(state.position);\n\n while (ch !== 0) {\n if (state.firstTabInLine !== -1) {\n state.position = state.firstTabInLine;\n throwError(state, 'tab characters must not be used in indentation');\n }\n\n if (ch !== 0x2D/ - /) {\n break;\n }\n\n following = state.input.charCodeAt(state.position + 1);\n\n if (!is_WS_OR_EOL(following)) {\n break;\n }\n\n detected = true;\n state.position++;\n\n if (skipSeparationSpace(state, true, -1)) {\n if (state.lineIndent <= nodeIndent) {\n _result.push(null);\n ch = state.input.charCodeAt(state.position);\n continue;\n }\n }\n\n _line = state.line;\n composeNode(state, nodeIndent, CONTEXT_BLOCK_IN, false, true);\n _result.push(state.result);\n skipSeparationSpace(state, true, -1);\n\n ch = state.input.charCodeAt(state.position);\n\n if ((state.line === _line \|\| state.lineIndent > nodeIndent) && (ch !== 0)) {\n throwError(state, 'bad indentation of a sequence entry');\n } else if (state.lineIndent < nodeIndent) {\n break;\n }\n }\n\n if (detected) {\n state.tag = _tag;\n state.anchor = _anchor;\n state.kind = 'sequence';\n state.result = _result;\n return true;\n }\n return false;\n}\n\nfunction readBlockMapping(state, nodeIndent, flowIndent) {\n var following,\n allowCompact,\n _line,\n _keyLine,\n _keyLineStart,\n _keyPos,\n _tag = state.tag,\n _anchor = state.anchor,\n _result = {},\n overridableKeys = Object.create(null),\n keyTag = null,\n keyNode = null,\n valueNode = null,\n atExplicitKey = false,\n detected = false,\n ch;\n\n // there is a leading tab before this token, so it can't be a block sequence/mapping;\n // it can still be flow sequence/mapping or a scalar\n if (state.firstTabInLine !== -1) return false;\n\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = _result;\n }\n\n ch = state.input.charCodeAt(state.position);\n\n while (ch !== 0) {\n if (!atExplicitKey && state.firstTabInLine !== -1) {\n state.position = state.firstTabInLine;\n throwError(state, 'tab characters must not be used in indentation');\n }\n\n following = state.input.charCodeAt(state.position + 1);\n _line = state.line; // Save the current line.\n\n //\n // Explicit notation case. There are two separate blocks:\n // first for the key (denoted by \"?\") and second for the value (denoted by \":\")\n //\n if ((ch === 0x3F/ ? / \|\| ch === 0x3A/ : /) && is_WS_OR_EOL(following)) {\n\n if (ch === 0x3F/ ? /) {\n if (atExplicitKey) {\n storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, null, _keyLine, _keyLineStart, _keyPos);\n keyTag = keyNode = valueNode = null;\n }\n\n detected = true;\n atExplicitKey = true;\n allowCompact = true;\n\n } else if (atExplicitKey) {\n // i.e. 0x3A/ : / === character after the explicit key.\n atExplicitKey = false;\n allowCompact = true;\n\n } else {\n throwError(state, 'incomplete explicit mapping pair; a key node is missed; or followed by a non-tabulated empty line');\n }\n\n state.position += 1;\n ch = following;\n\n //\n // Implicit notation case. Flow-style node as the key first, then \":\", and the value.\n //\n } else {\n _keyLine = state.line;\n _keyLineStart = state.lineStart;\n _keyPos = state.position;\n\n if (!composeNode(state, flowIndent, CONTEXT_FLOW_OUT, false, true)) {\n // Neither implicit nor explicit notation.\n // Reading is done. Go to the epilogue.\n break;\n }\n\n if (state.line === _line) {\n ch = state.input.charCodeAt(state.position);\n\n while (is_WHITE_SPACE(ch)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n if (ch === 0x3A/ : /) {\n ch = state.input.charCodeAt(++state.position);\n\n if (!is_WS_OR_EOL(ch)) {\n throwError(state, 'a whitespace character is expected after the key-value separator within a block mapping');\n }\n\n if (atExplicitKey) {\n storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, null, _keyLine, _keyLineStart, _keyPos);\n keyTag = keyNode = valueNode = null;\n }\n\n detected = true;\n atExplicitKey = false;\n allowCompact = false;\n keyTag = state.tag;\n keyNode = state.result;\n\n } else if (detected) {\n throwError(state, 'can not read an implicit mapping pair; a colon is missed');\n\n } else {\n state.tag = _tag;\n state.anchor = _anchor;\n return true; // Keep the result of `composeNode`.\n }\n\n } else if (detected) {\n throwError(state, 'can not read a block mapping entry; a multiline key may not be an implicit key');\n\n } else {\n state.tag = _tag;\n state.anchor = _anchor;\n return true; // Keep the result of `composeNode`.\n }\n }\n\n //\n // Common reading code for both explicit and implicit notations.\n //\n if (state.line === _line \|\| state.lineIndent > nodeIndent) {\n if (atExplicitKey) {\n _keyLine = state.line;\n _keyLineStart = state.lineStart;\n _keyPos = state.position;\n }\n\n if (composeNode(state, nodeIndent, CONTEXT_BLOCK_OUT, true, allowCompact)) {\n if (atExplicitKey) {\n keyNode = state.result;\n } else {\n valueNode = state.result;\n }\n }\n\n if (!atExplicitKey) {\n storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valueNode, _keyLine, _keyLineStart, _keyPos);\n keyTag = keyNode = valueNode = null;\n }\n\n skipSeparationSpace(state, true, -1);\n ch = state.input.charCodeAt(state.position);\n }\n\n if ((state.line === _line \|\| state.lineIndent > nodeIndent) && (ch !== 0)) {\n throwError(state, 'bad indentation of a mapping entry');\n } else if (state.lineIndent < nodeIndent) {\n break;\n }\n }\n\n //\n // Epilogue.\n //\n\n // Special case: last mapping's node contains only the key in explicit notation.\n if (atExplicitKey) {\n storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, null, _keyLine, _keyLineStart, _keyPos);\n }\n\n // Expose the resulting mapping.\n if (detected) {\n state.tag = _tag;\n state.anchor = _anchor;\n state.kind = 'mapping';\n state.result = _result;\n }\n\n return detected;\n}\n\nfunction readTagProperty(state) {\n var _position,\n isVerbatim = false,\n isNamed = false,\n tagHandle,\n tagName,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch !== 0x21/ ! /) return false;\n\n if (state.tag !== null) {\n throwError(state, 'duplication of a tag property');\n }\n\n ch = state.input.charCodeAt(++state.position);\n\n if (ch === 0x3C/ < /) {\n isVerbatim = true;\n ch = state.input.charCodeAt(++state.position);\n\n } else if (ch === 0x21/ ! /) {\n isNamed = true;\n tagHandle = '!!';\n ch = state.input.charCodeAt(++state.position);\n\n } else {\n tagHandle = '!';\n }\n\n _position = state.position;\n\n if (isVerbatim) {\n do { ch = state.input.charCodeAt(++state.position); }\n while (ch !== 0 && ch !== 0x3E/ > /);\n\n if (state.position < state.length) {\n tagName = state.input.slice(_position, state.position);\n ch = state.input.charCodeAt(++state.position);\n } else {\n throwError(state, 'unexpected end of the stream within a verbatim tag');\n }\n } else {\n while (ch !== 0 && !is_WS_OR_EOL(ch)) {\n\n if (ch === 0x21/ ! /) {\n if (!isNamed) {\n tagHandle = state.input.slice(_position - 1, state.position + 1);\n\n if (!PATTERN_TAG_HANDLE.test(tagHandle)) {\n throwError(state, 'named tag handle cannot contain such characters');\n }\n\n isNamed = true;\n _position = state.position + 1;\n } else {\n throwError(state, 'tag suffix cannot contain exclamation marks');\n }\n }\n\n ch = state.input.charCodeAt(++state.position);\n }\n\n tagName = state.input.slice(_position, state.position);\n\n if (PATTERN_FLOW_INDICATORS.test(tagName)) {\n throwError(state, 'tag suffix cannot contain flow indicator characters');\n }\n }\n\n if (tagName && !PATTERN_TAG_URI.test(tagName)) {\n throwError(state, 'tag name cannot contain such characters: ' + tagName);\n }\n\n try {\n tagName = decodeURIComponent(tagName);\n } catch (err) {\n throwError(state, 'tag name is malformed: ' + tagName);\n }\n\n if (isVerbatim) {\n state.tag = tagName;\n\n } else if (_hasOwnProperty$1.call(state.tagMap, tagHandle)) {\n state.tag = state.tagMap[tagHandle] + tagName;\n\n } else if (tagHandle === '!') {\n state.tag = '!' + tagName;\n\n } else if (tagHandle === '!!') {\n state.tag = 'tag:yaml.org,2002:' + tagName;\n\n } else {\n throwError(state, 'undeclared tag handle \"' + tagHandle + '\"');\n }\n\n return true;\n}\n\nfunction readAnchorProperty(state) {\n var _position,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch !== 0x26/ & /) return false;\n\n if (state.anchor !== null) {\n throwError(state, 'duplication of an anchor property');\n }\n\n ch = state.input.charCodeAt(++state.position);\n _position = state.position;\n\n while (ch !== 0 && !is_WS_OR_EOL(ch) && !is_FLOW_INDICATOR(ch)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n if (state.position === _position) {\n throwError(state, 'name of an anchor node must contain at least one character');\n }\n\n state.anchor = state.input.slice(_position, state.position);\n return true;\n}\n\nfunction readAlias(state) {\n var _position, alias,\n ch;\n\n ch = state.input.charCodeAt(state.position);\n\n if (ch !== 0x2A/ * /) return false;\n\n ch = state.input.charCodeAt(++state.position);\n _position = state.position;\n\n while (ch !== 0 && !is_WS_OR_EOL(ch) && !is_FLOW_INDICATOR(ch)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n if (state.position === _position) {\n throwError(state, 'name of an alias node must contain at least one character');\n }\n\n alias = state.input.slice(_position, state.position);\n\n if (!_hasOwnProperty$1.call(state.anchorMap, alias)) {\n throwError(state, 'unidentified alias \"' + alias + '\"');\n }\n\n state.result = state.anchorMap[alias];\n skipSeparationSpace(state, true, -1);\n return true;\n}\n\nfunction composeNode(state, parentIndent, nodeContext, allowToSeek, allowCompact) {\n var allowBlockStyles,\n allowBlockScalars,\n allowBlockCollections,\n indentStatus = 1, // 1: this>parent, 0: this=parent, -1: this<parent\n atNewLine = false,\n hasContent = false,\n typeIndex,\n typeQuantity,\n typeList,\n type,\n flowIndent,\n blockIndent;\n\n if (state.listener !== null) {\n state.listener('open', state);\n }\n\n state.tag = null;\n state.anchor = null;\n state.kind = null;\n state.result = null;\n\n allowBlockStyles = allowBlockScalars = allowBlockCollections =\n CONTEXT_BLOCK_OUT === nodeContext \|\|\n CONTEXT_BLOCK_IN === nodeContext;\n\n if (allowToSeek) {\n if (skipSeparationSpace(state, true, -1)) {\n atNewLine = true;\n\n if (state.lineIndent > parentIndent) {\n indentStatus = 1;\n } else if (state.lineIndent === parentIndent) {\n indentStatus = 0;\n } else if (state.lineIndent < parentIndent) {\n indentStatus = -1;\n }\n }\n }\n\n if (indentStatus === 1) {\n while (readTagProperty(state) \|\| readAnchorProperty(state)) {\n if (skipSeparationSpace(state, true, -1)) {\n atNewLine = true;\n allowBlockCollections = allowBlockStyles;\n\n if (state.lineIndent > parentIndent) {\n indentStatus = 1;\n } else if (state.lineIndent === parentIndent) {\n indentStatus = 0;\n } else if (state.lineIndent < parentIndent) {\n indentStatus = -1;\n }\n } else {\n allowBlockCollections = false;\n }\n }\n }\n\n if (allowBlockCollections) {\n allowBlockCollections = atNewLine \|\| allowCompact;\n }\n\n if (indentStatus === 1 \|\| CONTEXT_BLOCK_OUT === nodeContext) {\n if (CONTEXT_FLOW_IN === nodeContext \|\| CONTEXT_FLOW_OUT === nodeContext) {\n flowIndent = parentIndent;\n } else {\n flowIndent = parentIndent + 1;\n }\n\n blockIndent = state.position - state.lineStart;\n\n if (indentStatus === 1) {\n if (allowBlockCollections &&\n (readBlockSequence(state, blockIndent) \|\|\n readBlockMapping(state, blockIndent, flowIndent)) \|\|\n readFlowCollection(state, flowIndent)) {\n hasContent = true;\n } else {\n if ((allowBlockScalars && readBlockScalar(state, flowIndent)) \|\|\n readSingleQuotedScalar(state, flowIndent) \|\|\n readDoubleQuotedScalar(state, flowIndent)) {\n hasContent = true;\n\n } else if (readAlias(state)) {\n hasContent = true;\n\n if (state.tag !== null \|\| state.anchor !== null) {\n throwError(state, 'alias node should not have any properties');\n }\n\n } else if (readPlainScalar(state, flowIndent, CONTEXT_FLOW_IN === nodeContext)) {\n hasContent = true;\n\n if (state.tag === null) {\n state.tag = '?';\n }\n }\n\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = state.result;\n }\n }\n } else if (indentStatus === 0) {\n // Special case: block sequences are allowed to have same indentation level as the parent.\n // http://www.yaml.org/spec/1.2/spec.html#id2799784\n hasContent = allowBlockCollections && readBlockSequence(state, blockIndent);\n }\n }\n\n if (state.tag === null) {\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = state.result;\n }\n\n } else if (state.tag === '?') {\n // Implicit resolving is not allowed for non-scalar types, and '?'\n // non-specific tag is only automatically assigned to plain scalars.\n //\n // We only need to check kind conformity in case user explicitly assigns '?'\n // tag, for example like this: \"!<?> [0]\"\n //\n if (state.result !== null && state.kind !== 'scalar') {\n throwError(state, 'unacceptable node kind for !<?> tag; it should be \"scalar\", not \"' + state.kind + '\"');\n }\n\n for (typeIndex = 0, typeQuantity = state.implicitTypes.length; typeIndex < typeQuantity; typeIndex += 1) {\n type = state.implicitTypes[typeIndex];\n\n if (type.resolve(state.result)) { // `state.result` updated in resolver if matched\n state.result = type.construct(state.result);\n state.tag = type.tag;\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = state.result;\n }\n break;\n }\n }\n } else if (state.tag !== '!') {\n if (_hasOwnProperty$1.call(state.typeMap[state.kind \|\| 'fallback'], state.tag)) {\n type = state.typeMap[state.kind \|\| 'fallback'][state.tag];\n } else {\n // looking for multi type\n type = null;\n typeList = state.typeMap.multi[state.kind \|\| 'fallback'];\n\n for (typeIndex = 0, typeQuantity = typeList.length; typeIndex < typeQuantity; typeIndex += 1) {\n if (state.tag.slice(0, typeList[typeIndex].tag.length) === typeList[typeIndex].tag) {\n type = typeList[typeIndex];\n break;\n }\n }\n }\n\n if (!type) {\n throwError(state, 'unknown tag !<' + state.tag + '>');\n }\n\n if (state.result !== null && type.kind !== state.kind) {\n throwError(state, 'unacceptable node kind for !<' + state.tag + '> tag; it should be \"' + type.kind + '\", not \"' + state.kind + '\"');\n }\n\n if (!type.resolve(state.result, state.tag)) { // `state.result` updated in resolver if matched\n throwError(state, 'cannot resolve a node with !<' + state.tag + '> explicit tag');\n } else {\n state.result = type.construct(state.result, state.tag);\n if (state.anchor !== null) {\n state.anchorMap[state.anchor] = state.result;\n }\n }\n }\n\n if (state.listener !== null) {\n state.listener('close', state);\n }\n return state.tag !== null \|\| state.anchor !== null \|\| hasContent;\n}\n\nfunction readDocument(state) {\n var documentStart = state.position,\n _position,\n directiveName,\n directiveArgs,\n hasDirectives = false,\n ch;\n\n state.version = null;\n state.checkLineBreaks = state.legacy;\n state.tagMap = Object.create(null);\n state.anchorMap = Object.create(null);\n\n while ((ch = state.input.charCodeAt(state.position)) !== 0) {\n skipSeparationSpace(state, true, -1);\n\n ch = state.input.charCodeAt(state.position);\n\n if (state.lineIndent > 0 \|\| ch !== 0x25/ % /) {\n break;\n }\n\n hasDirectives = true;\n ch = state.input.charCodeAt(++state.position);\n _position = state.position;\n\n while (ch !== 0 && !is_WS_OR_EOL(ch)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n directiveName = state.input.slice(_position, state.position);\n directiveArgs = [];\n\n if (directiveName.length < 1) {\n throwError(state, 'directive name must not be less than one character in length');\n }\n\n while (ch !== 0) {\n while (is_WHITE_SPACE(ch)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n if (ch === 0x23/ # /) {\n do { ch = state.input.charCodeAt(++state.position); }\n while (ch !== 0 && !is_EOL(ch));\n break;\n }\n\n if (is_EOL(ch)) break;\n\n _position = state.position;\n\n while (ch !== 0 && !is_WS_OR_EOL(ch)) {\n ch = state.input.charCodeAt(++state.position);\n }\n\n directiveArgs.push(state.input.slice(_position, state.position));\n }\n\n if (ch !== 0) readLineBreak(state);\n\n if (_hasOwnProperty$1.call(directiveHandlers, directiveName)) {\n directiveHandlers[directiveName](state, directiveName, directiveArgs);\n } else {\n throwWarning(state, 'unknown document directive \"' + directiveName + '\"');\n }\n }\n\n skipSeparationSpace(state, true, -1);\n\n if (state.lineIndent === 0 &&\n state.input.charCodeAt(state.position) === 0x2D/ - / &&\n state.input.charCodeAt(state.position + 1) === 0x2D/ - / &&\n state.input.charCodeAt(state.position + 2) === 0x2D/ - /) {\n state.position += 3;\n skipSeparationSpace(state, true, -1);\n\n } else if (hasDirectives) {\n throwError(state, 'directives end mark is expected');\n }\n\n composeNode(state, state.lineIndent - 1, CONTEXT_BLOCK_OUT, false, true);\n skipSeparationSpace(state, true, -1);\n\n if (state.checkLineBreaks &&\n PATTERN_NON_ASCII_LINE_BREAKS.test(state.input.slice(documentStart, state.position))) {\n throwWarning(state, 'non-ASCII line breaks are interpreted as content');\n }\n\n state.documents.push(state.result);\n\n if (state.position === state.lineStart && testDocumentSeparator(state)) {\n\n if (state.input.charCodeAt(state.position) === 0x2E/ . /) {\n state.position += 3;\n skipSeparationSpace(state, true, -1);\n }\n return;\n }\n\n if (state.position < (state.length - 1)) {\n throwError(state, 'end of the stream or a document separator is expected');\n } else {\n return;\n }\n}\n\n\nfunction loadDocuments(input, options) {\n input = String(input);\n options = options \|\| {};\n\n if (input.length !== 0) {\n\n // Add tailing `\\n` if not exists\n if (input.charCodeAt(input.length - 1) !== 0x0A/ LF / &&\n input.charCodeAt(input.length - 1) !== 0x0D/ CR /) {\n input += '\\n';\n }\n\n // Strip BOM\n if (input.charCodeAt(0) === 0xFEFF) {\n input = input.slice(1);\n }\n }\n\n var state = new State$1(input, options);\n\n var nullpos = input.indexOf('\\0');\n\n if (nullpos !== -1) {\n state.position = nullpos;\n throwError(state, 'null byte is not allowed in input');\n }\n\n // Use 0 as string terminator. That significantly simplifies bounds check.\n state.input += '\\0';\n\n while (state.input.charCodeAt(state.position) === 0x20/ Space /) {\n state.lineIndent += 1;\n state.position += 1;\n }\n\n while (state.position < (state.length - 1)) {\n readDocument(state);\n }\n\n return state.documents;\n}\n\n\nfunction loadAll$1(input, iterator, options) {\n if (iterator !== null && typeof iterator === 'object' && typeof options === 'undefined') {\n options = iterator;\n iterator = null;\n }\n\n var documents = loadDocuments(input, options);\n\n if (typeof iterator !== 'function') {\n return documents;\n }\n\n for (var index = 0, length = documents.length; index < length; index += 1) {\n iterator(documents[index]);\n }\n}\n\n\nfunction load$1(input, options) {\n var documents = loadDocuments(input, options);\n\n if (documents.length === 0) {\n /eslint-disable no-undefined/\n return undefined;\n } else if (documents.length === 1) {\n return documents[0];\n }\n throw new exception('expected a single document in the stream, but found more');\n}\n\n\nvar loadAll_1 = loadAll$1;\nvar load_1 = load$1;\n\nvar loader = {\n\tloadAll: loadAll_1,\n\tload: load_1\n};\n\n/eslint-disable no-use-before-define/\n\n\n\n\n\nvar _toString = Object.prototype.toString;\nvar _hasOwnProperty = Object.prototype.hasOwnProperty;\n\nvar CHAR_BOM = 0xFEFF;\nvar CHAR_TAB = 0x09; / Tab /\nvar CHAR_LINE_FEED = 0x0A; / LF /\nvar CHAR_CARRIAGE_RETURN = 0x0D; / CR /\nvar CHAR_SPACE = 0x20; / Space /\nvar CHAR_EXCLAMATION = 0x21; / ! /\nvar CHAR_DOUBLE_QUOTE = 0x22; / \" /\nvar CHAR_SHARP = 0x23; / # /\nvar CHAR_PERCENT = 0x25; / % /\nvar CHAR_AMPERSAND = 0x26; / & /\nvar CHAR_SINGLE_QUOTE = 0x27; / ' /\nvar CHAR_ASTERISK = 0x2A; / * /\nvar CHAR_COMMA = 0x2C; / , /\nvar CHAR_MINUS = 0x2D; / - /\nvar CHAR_COLON = 0x3A; / : /\nvar CHAR_EQUALS = 0x3D; / = /\nvar CHAR_GREATER_THAN = 0x3E; / > /\nvar CHAR_QUESTION = 0x3F; / ? /\nvar CHAR_COMMERCIAL_AT = 0x40; / @ /\nvar CHAR_LEFT_SQUARE_BRACKET = 0x5B; / [ /\nvar CHAR_RIGHT_SQUARE_BRACKET = 0x5D; / ] /\nvar CHAR_GRAVE_ACCENT = 0x60; / ` /\nvar CHAR_LEFT_CURLY_BRACKET = 0x7B; / { /\nvar CHAR_VERTICAL_LINE = 0x7C; / \| /\nvar CHAR_RIGHT_CURLY_BRACKET = 0x7D; / } /\n\nvar ESCAPE_SEQUENCES = {};\n\nESCAPE_SEQUENCES[0x00] = '\\\\0';\nESCAPE_SEQUENCES[0x07] = '\\\\a';\nESCAPE_SEQUENCES[0x08] = '\\\\b';\nESCAPE_SEQUENCES[0x09] = '\\\\t';\nESCAPE_SEQUENCES[0x0A] = '\\\\n';\nESCAPE_SEQUENCES[0x0B] = '\\\\v';\nESCAPE_SEQUENCES[0x0C] = '\\\\f';\nESCAPE_SEQUENCES[0x0D] = '\\\\r';\nESCAPE_SEQUENCES[0x1B] = '\\\\e';\nESCAPE_SEQUENCES[0x22] = '\\\\\"';\nESCAPE_SEQUENCES[0x5C] = '\\\\\\\\';\nESCAPE_SEQUENCES[0x85] = '\\\\N';\nESCAPE_SEQUENCES[0xA0] = '\\\\_';\nESCAPE_SEQUENCES[0x2028] = '\\\\L';\nESCAPE_SEQUENCES[0x2029] = '\\\\P';\n\nvar DEPRECATED_BOOLEANS_SYNTAX = [\n 'y', 'Y', 'yes', 'Yes', 'YES', 'on', 'On', 'ON',\n 'n', 'N', 'no', 'No', 'NO', 'off', 'Off', 'OFF'\n];\n\nvar DEPRECATED_BASE60_SYNTAX = /^[-+]?[0-9_]+(?::[0-9_]+)+(?:\\.[0-9_])?$/;\n\nfunction compileStyleMap(schema, map) {\n var result, keys, index, length, tag, style, type;\n\n if (map === null) return {};\n\n result = {};\n keys = Object.keys(map);\n\n for (index = 0, length = keys.length; index < length; index += 1) {\n tag = keys[index];\n style = String(map[tag]);\n\n if (tag.slice(0, 2) === '!!') {\n tag = 'tag:yaml.org,2002:' + tag.slice(2);\n }\n type = schema.compiledTypeMap['fallback'][tag];\n\n if (type && _hasOwnProperty.call(type.styleAliases, style)) {\n style = type.styleAliases[style];\n }\n\n result[tag] = style;\n }\n\n return result;\n}\n\nfunction encodeHex(character) {\n var string, handle, length;\n\n string = character.toString(16).toUpperCase();\n\n if (character <= 0xFF) {\n handle = 'x';\n length = 2;\n } else if (character <= 0xFFFF) {\n handle = 'u';\n length = 4;\n } else if (character <= 0xFFFFFFFF) {\n handle = 'U';\n length = 8;\n } else {\n throw new exception('code point within a string may not be greater than 0xFFFFFFFF');\n }\n\n return '\\\\' + handle + common.repeat('0', length - string.length) + string;\n}\n\n\nvar QUOTING_TYPE_SINGLE = 1,\n QUOTING_TYPE_DOUBLE = 2;\n\nfunction State(options) {\n this.schema = options['schema'] \|\| _default;\n this.indent = Math.max(1, (options['indent'] \|\| 2));\n this.noArrayIndent = options['noArrayIndent'] \|\| false;\n this.skipInvalid = options['skipInvalid'] \|\| false;\n this.flowLevel = (common.isNothing(options['flowLevel']) ? -1 : options['flowLevel']);\n this.styleMap = compileStyleMap(this.schema, options['styles'] \|\| null);\n this.sortKeys = options['sortKeys'] \|\| false;\n this.lineWidth = options['lineWidth'] \|\| 80;\n this.noRefs = options['noRefs'] \|\| false;\n this.noCompatMode = options['noCompatMode'] \|\| false;\n this.condenseFlow = options['condenseFlow'] \|\| false;\n this.quotingType = options['quotingType'] === '\"' ? QUOTING_TYPE_DOUBLE : QUOTING_TYPE_SINGLE;\n this.forceQuotes = options['forceQuotes'] \|\| false;\n this.replacer = typeof options['replacer'] === 'function' ? options['replacer'] : null;\n\n this.implicitTypes = this.schema.compiledImplicit;\n this.explicitTypes = this.schema.compiledExplicit;\n\n this.tag = null;\n this.result = '';\n\n this.duplicates = [];\n this.usedDuplicates = null;\n}\n\n// Indents every line in a string. Empty lines (\\n only) are not indented.\nfunction indentString(string, spaces) {\n var ind = common.repeat(' ', spaces),\n position = 0,\n next = -1,\n result = '',\n line,\n length = string.length;\n\n while (position < length) {\n next = string.indexOf('\\n', position);\n if (next === -1) {\n line = string.slice(position);\n position = length;\n } else {\n line = string.slice(position, next + 1);\n position = next + 1;\n }\n\n if (line.length && line !== '\\n') result += ind;\n\n result += line;\n }\n\n return result;\n}\n\nfunction generateNextLine(state, level) {\n return '\\n' + common.repeat(' ', state.indent * level);\n}\n\nfunction testImplicitResolving(state, str) {\n var index, length, type;\n\n for (index = 0, length = state.implicitTypes.length; index < length; index += 1) {\n type = state.implicitTypes[index];\n\n if (type.resolve(str)) {\n return true;\n }\n }\n\n return false;\n}\n\n// [33] s-white ::= s-space \| s-tab\nfunction isWhitespace(c) {\n return c === CHAR_SPACE \|\| c === CHAR_TAB;\n}\n\n// Returns true if the character can be printed without escaping.\n// From YAML 1.2: \"any allowed characters known to be non-printable\n// should also be escaped. [However,] This isn’t mandatory\"\n// Derived from nb-char - \\t - #x85 - #xA0 - #x2028 - #x2029.\nfunction isPrintable(c) {\n return (0x00020 <= c && c <= 0x00007E)\n \|\| ((0x000A1 <= c && c <= 0x00D7FF) && c !== 0x2028 && c !== 0x2029)\n \|\| ((0x0E000 <= c && c <= 0x00FFFD) && c !== CHAR_BOM)\n \|\| (0x10000 <= c && c <= 0x10FFFF);\n}\n\n// [34] ns-char ::= nb-char - s-white\n// [27] nb-char ::= c-printable - b-char - c-byte-order-mark\n// [26] b-char ::= b-line-feed \| b-carriage-return\n// Including s-white (for some reason, examples doesn't match specs in this aspect)\n// ns-char ::= c-printable - b-line-feed - b-carriage-return - c-byte-order-mark\nfunction isNsCharOrWhitespace(c) {\n return isPrintable(c)\n && c !== CHAR_BOM\n // - b-char\n && c !== CHAR_CARRIAGE_RETURN\n && c !== CHAR_LINE_FEED;\n}\n\n// [127] ns-plain-safe(c) ::= c = flow-out ⇒ ns-plain-safe-out\n// c = flow-in ⇒ ns-plain-safe-in\n// c = block-key ⇒ ns-plain-safe-out\n// c = flow-key ⇒ ns-plain-safe-in\n// [128] ns-plain-safe-out ::= ns-char\n// [129] ns-plain-safe-in ::= ns-char - c-flow-indicator\n// [130] ns-plain-char(c) ::= ( ns-plain-safe(c) - “:” - “#” )\n// \| ( /* An ns-char preceding / “#” )\n// \| ( “:” / Followed by an ns-plain-safe(c) / )\nfunction isPlainSafe(c, prev, inblock) {\n var cIsNsCharOrWhitespace = isNsCharOrWhitespace(c);\n var cIsNsChar = cIsNsCharOrWhitespace && !isWhitespace(c);\n return (\n // ns-plain-safe\n inblock ? // c = flow-in\n cIsNsCharOrWhitespace\n : cIsNsCharOrWhitespace\n // - c-flow-indicator\n && c !== CHAR_COMMA\n && c !== CHAR_LEFT_SQUARE_BRACKET\n && c !== CHAR_RIGHT_SQUARE_BRACKET\n && c !== CHAR_LEFT_CURLY_BRACKET\n && c !== CHAR_RIGHT_CURLY_BRACKET\n )\n // ns-plain-char\n && c !== CHAR_SHARP // false on '#'\n && !(prev === CHAR_COLON && !cIsNsChar) // false on ': '\n \|\| (isNsCharOrWhitespace(prev) && !isWhitespace(prev) && c === CHAR_SHARP) // change to true on '[^ ]#'\n \|\| (prev === CHAR_COLON && cIsNsChar); // change to true on ':[^ ]'\n}\n\n// Simplified test for values allowed as the first character in plain style.\nfunction isPlainSafeFirst(c) {\n // Uses a subset of ns-char - c-indicator\n // where ns-char = nb-char - s-white.\n // No support of ( ( “?” \| “:” \| “-” ) / Followed by an ns-plain-safe(c)) / ) part\n return isPrintable(c) && c !== CHAR_BOM\n && !isWhitespace(c) // - s-white\n // - (c-indicator ::=\n // “-” \| “?” \| “:” \| “,” \| “[” \| “]” \| “{” \| “}”\n && c !== CHAR_MINUS\n && c !== CHAR_QUESTION\n && c !== CHAR_COLON\n && c !== CHAR_COMMA\n && c !== CHAR_LEFT_SQUARE_BRACKET\n && c !== CHAR_RIGHT_SQUARE_BRACKET\n && c !== CHAR_LEFT_CURLY_BRACKET\n && c !== CHAR_RIGHT_CURLY_BRACKET\n // \| “#” \| “&” \| “” \| “!” \| “\|” \| “=” \| “>” \| “'” \| “\"”\n && c !== CHAR_SHARP\n && c !== CHAR_AMPERSAND\n && c !== CHAR_ASTERISK\n && c !== CHAR_EXCLAMATION\n && c !== CHAR_VERTICAL_LINE\n && c !== CHAR_EQUALS\n && c !== CHAR_GREATER_THAN\n && c !== CHAR_SINGLE_QUOTE\n && c !== CHAR_DOUBLE_QUOTE\n // \| “%” \| “@” \| “`”)\n && c !== CHAR_PERCENT\n && c !== CHAR_COMMERCIAL_AT\n && c !== CHAR_GRAVE_ACCENT;\n}\n\n// Simplified test for values allowed as the last character in plain style.\nfunction isPlainSafeLast(c) {\n // just not whitespace or colon, it will be checked to be plain character later\n return !isWhitespace(c) && c !== CHAR_COLON;\n}\n\n// Same as 'string'.codePointAt(pos), but works in older browsers.\nfunction codePointAt(string, pos) {\n var first = string.charCodeAt(pos), second;\n if (first >= 0xD800 && first <= 0xDBFF && pos + 1 < string.length) {\n second = string.charCodeAt(pos + 1);\n if (second >= 0xDC00 && second <= 0xDFFF) {\n // https://mathiasbynens.be/notes/javascript-encoding#surrogate-formulae\n return (first - 0xD800) * 0x400 + second - 0xDC00 + 0x10000;\n }\n }\n return first;\n}\n\n// Determines whether block indentation indicator is required.\nfunction needIndentIndicator(string) {\n var leadingSpaceRe = /^\\n* /;\n return leadingSpaceRe.test(string);\n}\n\nvar STYLE_PLAIN = 1,\n STYLE_SINGLE = 2,\n STYLE_LITERAL = 3,\n STYLE_FOLDED = 4,\n STYLE_DOUBLE = 5;\n\n// Determines which scalar styles are possible and returns the preferred style.\n// lineWidth = -1 => no limit.\n// Pre-conditions: str.length > 0.\n// Post-conditions:\n// STYLE_PLAIN or STYLE_SINGLE => no \\n are in the string.\n// STYLE_LITERAL => no lines are suitable for folding (or lineWidth is -1).\n// STYLE_FOLDED => a line > lineWidth and can be folded (and lineWidth != -1).\nfunction chooseScalarStyle(string, singleLineOnly, indentPerLevel, lineWidth,\n testAmbiguousType, quotingType, forceQuotes, inblock) {\n\n var i;\n var char = 0;\n var prevChar = null;\n var hasLineBreak = false;\n var hasFoldableLine = false; // only checked if shouldTrackWidth\n var shouldTrackWidth = lineWidth !== -1;\n var previousLineBreak = -1; // count the first line correctly\n var plain = isPlainSafeFirst(codePointAt(string, 0))\n && isPlainSafeLast(codePointAt(string, string.length - 1));\n\n if (singleLineOnly \|\| forceQuotes) {\n // Case: no block styles.\n // Check for disallowed characters to rule out plain and single.\n for (i = 0; i < string.length; char >= 0x10000 ? i += 2 : i++) {\n char = codePointAt(string, i);\n if (!isPrintable(char)) {\n return STYLE_DOUBLE;\n }\n plain = plain && isPlainSafe(char, prevChar, inblock);\n prevChar = char;\n }\n } else {\n // Case: block styles permitted.\n for (i = 0; i < string.length; char >= 0x10000 ? i += 2 : i++) {\n char = codePointAt(string, i);\n if (char === CHAR_LINE_FEED) {\n hasLineBreak = true;\n // Check if any line can be folded.\n if (shouldTrackWidth) {\n hasFoldableLine = hasFoldableLine \|\|\n // Foldable line = too long, and not more-indented.\n (i - previousLineBreak - 1 > lineWidth &&\n string[previousLineBreak + 1] !== ' ');\n previousLineBreak = i;\n }\n } else if (!isPrintable(char)) {\n return STYLE_DOUBLE;\n }\n plain = plain && isPlainSafe(char, prevChar, inblock);\n prevChar = char;\n }\n // in case the end is missing a \\n\n hasFoldableLine = hasFoldableLine \|\| (shouldTrackWidth &&\n (i - previousLineBreak - 1 > lineWidth &&\n string[previousLineBreak + 1] !== ' '));\n }\n // Although every style can represent \\n without escaping, prefer block styles\n // for multiline, since they're more readable and they don't add empty lines.\n // Also prefer folding a super-long line.\n if (!hasLineBreak && !hasFoldableLine) {\n // Strings interpretable as another type have to be quoted;\n // e.g. the string 'true' vs. the boolean true.\n if (plain && !forceQuotes && !testAmbiguousType(string)) {\n return STYLE_PLAIN;\n }\n return quotingType === QUOTING_TYPE_DOUBLE ? STYLE_DOUBLE : STYLE_SINGLE;\n }\n // Edge case: block indentation indicator can only have one digit.\n if (indentPerLevel > 9 && needIndentIndicator(string)) {\n return STYLE_DOUBLE;\n }\n // At this point we know block styles are valid.\n // Prefer literal style unless we want to fold.\n if (!forceQuotes) {\n return hasFoldableLine ? STYLE_FOLDED : STYLE_LITERAL;\n }\n return quotingType === QUOTING_TYPE_DOUBLE ? STYLE_DOUBLE : STYLE_SINGLE;\n}\n\n// Note: line breaking/folding is implemented for only the folded style.\n// NB. We drop the last trailing newline (if any) of a returned block scalar\n// since the dumper adds its own newline. This always works:\n// • No ending newline => unaffected; already using strip \"-\" chomping.\n// • Ending newline => removed then restored.\n// Importantly, this keeps the \"+\" chomp indicator from gaining an extra line.\nfunction writeScalar(state, string, level, iskey, inblock) {\n state.dump = (function () {\n if (string.length === 0) {\n return state.quotingType === QUOTING_TYPE_DOUBLE ? '\"\"' : \"''\";\n }\n if (!state.noCompatMode) {\n if (DEPRECATED_BOOLEANS_SYNTAX.indexOf(string) !== -1 \|\| DEPRECATED_BASE60_SYNTAX.test(string)) {\n return state.quotingType === QUOTING_TYPE_DOUBLE ? ('\"' + string + '\"') : (\"'\" + string + \"'\");\n }\n }\n\n var indent = state.indent * Math.max(1, level); // no 0-indent scalars\n // As indentation gets deeper, let the width decrease monotonically\n // to the lower bound min(state.lineWidth, 40).\n // Note that this implies\n // state.lineWidth ≤ 40 + state.indent: width is fixed at the lower bound.\n // state.lineWidth > 40 + state.indent: width decreases until the lower bound.\n // This behaves better than a constant minimum width which disallows narrower options,\n // or an indent threshold which causes the width to suddenly increase.\n var lineWidth = state.lineWidth === -1\n ? -1 : Math.max(Math.min(state.lineWidth, 40), state.lineWidth - indent);\n\n // Without knowing if keys are implicit/explicit, assume implicit for safety.\n var singleLineOnly = iskey\n // No block styles in flow mode.\n \|\| (state.flowLevel > -1 && level >= state.flowLevel);\n function testAmbiguity(string) {\n return testImplicitResolving(state, string);\n }\n\n switch (chooseScalarStyle(string, singleLineOnly, state.indent, lineWidth,\n testAmbiguity, state.quotingType, state.forceQuotes && !iskey, inblock)) {\n\n case STYLE_PLAIN:\n return string;\n case STYLE_SINGLE:\n return \"'\" + string.replace(/'/g, \"''\") + \"'\";\n case STYLE_LITERAL:\n return '\|' + blockHeader(string, state.indent)\n + dropEndingNewline(indentString(string, indent));\n case STYLE_FOLDED:\n return '>' + blockHeader(string, state.indent)\n + dropEndingNewline(indentString(foldString(string, lineWidth), indent));\n case STYLE_DOUBLE:\n return '\"' + escapeString(string) + '\"';\n default:\n throw new exception('impossible error: invalid scalar style');\n }\n }());\n}\n\n// Pre-conditions: string is valid for a block scalar, 1 <= indentPerLevel <= 9.\nfunction blockHeader(string, indentPerLevel) {\n var indentIndicator = needIndentIndicator(string) ? String(indentPerLevel) : '';\n\n // note the special case: the string '\\n' counts as a \"trailing\" empty line.\n var clip = string[string.length - 1] === '\\n';\n var keep = clip && (string[string.length - 2] === '\\n' \|\| string === '\\n');\n var chomp = keep ? '+' : (clip ? '' : '-');\n\n return indentIndicator + chomp + '\\n';\n}\n\n// (See the note for writeScalar.)\nfunction dropEndingNewline(string) {\n return string[string.length - 1] === '\\n' ? string.slice(0, -1) : string;\n}\n\n// Note: a long line without a suitable break point will exceed the width limit.\n// Pre-conditions: every char in str isPrintable, str.length > 0, width > 0.\nfunction foldString(string, width) {\n // In folded style, $k$ consecutive newlines output as $k+1$ newlines—\n // unless they're before or after a more-indented line, or at the very\n // beginning or end, in which case $k$ maps to $k$.\n // Therefore, parse each chunk as newline(s) followed by a content line.\n var lineRe = /(\\n+)([^\\n])/g;\n\n // first line (possibly an empty line)\n var result = (function () {\n var nextLF = string.indexOf('\\n');\n nextLF = nextLF !== -1 ? nextLF : string.length;\n lineRe.lastIndex = nextLF;\n return foldLine(string.slice(0, nextLF), width);\n }());\n // If we haven't reached the first content line yet, don't add an extra \\n.\n var prevMoreIndented = string[0] === '\\n' \|\| string[0] === ' ';\n var moreIndented;\n\n // rest of the lines\n var match;\n while ((match = lineRe.exec(string))) {\n var prefix = match[1], line = match[2];\n moreIndented = (line[0] === ' ');\n result += prefix\n + (!prevMoreIndented && !moreIndented && line !== ''\n ? '\\n' : '')\n + foldLine(line, width);\n prevMoreIndented = moreIndented;\n }\n\n return result;\n}\n\n// Greedy line breaking.\n// Picks the longest line under the limit each time,\n// otherwise settles for the shortest line over the limit.\n// NB. More-indented lines cannot* be folded, as that would add an extra \\n.\nfunction foldLine(line, width) {\n if (line === '' \|\| line[0] === ' ') return line;\n\n // Since a more-indented line adds a \\n, breaks can't be followed by a space.\n var breakRe = / [^ ]/g; // note: the match index will always be <= length-2.\n var match;\n // start is an inclusive index. end, curr, and next are exclusive.\n var start = 0, end, curr = 0, next = 0;\n var result = '';\n\n // Invariants: 0 <= start <= length-1.\n // 0 <= curr <= next <= max(0, length-2). curr - start <= width.\n // Inside the loop:\n // A match implies length >= 2, so curr and next are <= length-2.\n while ((match = breakRe.exec(line))) {\n next = match.index;\n // maintain invariant: curr - start <= width\n if (next - start > width) {\n end = (curr > start) ? curr : next; // derive end <= length-2\n result += '\\n' + line.slice(start, end);\n // skip the space that was output as \\n\n start = end + 1; // derive start <= length-1\n }\n curr = next;\n }\n\n // By the invariants, start <= length-1, so there is something left over.\n // It is either the whole string or a part starting from non-whitespace.\n result += '\\n';\n // Insert a break if the remainder is too long and there is a break available.\n if (line.length - start > width && curr > start) {\n result += line.slice(start, curr) + '\\n' + line.slice(curr + 1);\n } else {\n result += line.slice(start);\n }\n\n return result.slice(1); // drop extra \\n joiner\n}\n\n// Escapes a double-quoted string.\nfunction escapeString(string) {\n var result = '';\n var char = 0;\n var escapeSeq;\n\n for (var i = 0; i < string.length; char >= 0x10000 ? i += 2 : i++) {\n char = codePointAt(string, i);\n escapeSeq = ESCAPE_SEQUENCES[char];\n\n if (!escapeSeq && isPrintable(char)) {\n result += string[i];\n if (char >= 0x10000) result += string[i + 1];\n } else {\n result += escapeSeq \|\| encodeHex(char);\n }\n }\n\n return result;\n}\n\nfunction writeFlowSequence(state, level, object) {\n var _result = '',\n _tag = state.tag,\n index,\n length,\n value;\n\n for (index = 0, length = object.length; index < length; index += 1) {\n value = object[index];\n\n if (state.replacer) {\n value = state.replacer.call(object, String(index), value);\n }\n\n // Write only valid elements, put null instead of invalid elements.\n if (writeNode(state, level, value, false, false) \|\|\n (typeof value === 'undefined' &&\n writeNode(state, level, null, false, false))) {\n\n if (_result !== '') _result += ',' + (!state.condenseFlow ? ' ' : '');\n _result += state.dump;\n }\n }\n\n state.tag = _tag;\n state.dump = '[' + _result + ']';\n}\n\nfunction writeBlockSequence(state, level, object, compact) {\n var _result = '',\n _tag = state.tag,\n index,\n length,\n value;\n\n for (index = 0, length = object.length; index < length; index += 1) {\n value = object[index];\n\n if (state.replacer) {\n value = state.replacer.call(object, String(index), value);\n }\n\n // Write only valid elements, put null instead of invalid elements.\n if (writeNode(state, level + 1, value, true, true, false, true) \|\|\n (typeof value === 'undefined' &&\n writeNode(state, level + 1, null, true, true, false, true))) {\n\n if (!compact \|\| _result !== '') {\n _result += generateNextLine(state, level);\n }\n\n if (state.dump && CHAR_LINE_FEED === state.dump.charCodeAt(0)) {\n _result += '-';\n } else {\n _result += '- ';\n }\n\n _result += state.dump;\n }\n }\n\n state.tag = _tag;\n state.dump = _result \|\| '[]'; // Empty sequence if no valid values.\n}\n\nfunction writeFlowMapping(state, level, object) {\n var _result = '',\n _tag = state.tag,\n objectKeyList = Object.keys(object),\n index,\n length,\n objectKey,\n objectValue,\n pairBuffer;\n\n for (index = 0, length = objectKeyList.length; index < length; index += 1) {\n\n pairBuffer = '';\n if (_result !== '') pairBuffer += ', ';\n\n if (state.condenseFlow) pairBuffer += '\"';\n\n objectKey = objectKeyList[index];\n objectValue = object[objectKey];\n\n if (state.replacer) {\n objectValue = state.replacer.call(object, objectKey, objectValue);\n }\n\n if (!writeNode(state, level, objectKey, false, false)) {\n continue; // Skip this pair because of invalid key;\n }\n\n if (state.dump.length > 1024) pairBuffer += '? ';\n\n pairBuffer += state.dump + (state.condenseFlow ? '\"' : '') + ':' + (state.condenseFlow ? '' : ' ');\n\n if (!writeNode(state, level, objectValue, false, false)) {\n continue; // Skip this pair because of invalid value.\n }\n\n pairBuffer += state.dump;\n\n // Both key and value are valid.\n _result += pairBuffer;\n }\n\n state.tag = _tag;\n state.dump = '{' + _result + '}';\n}\n\nfunction writeBlockMapping(state, level, object, compact) {\n var _result = '',\n _tag = state.tag,\n objectKeyList = Object.keys(object),\n index,\n length,\n objectKey,\n objectValue,\n explicitPair,\n pairBuffer;\n\n // Allow sorting keys so that the output file is deterministic\n if (state.sortKeys === true) {\n // Default sorting\n objectKeyList.sort();\n } else if (typeof state.sortKeys === 'function') {\n // Custom sort function\n objectKeyList.sort(state.sortKeys);\n } else if (state.sortKeys) {\n // Something is wrong\n throw new exception('sortKeys must be a boolean or a function');\n }\n\n for (index = 0, length = objectKeyList.length; index < length; index += 1) {\n pairBuffer = '';\n\n if (!compact \|\| _result !== '') {\n pairBuffer += generateNextLine(state, level);\n }\n\n objectKey = objectKeyList[index];\n objectValue = object[objectKey];\n\n if (state.replacer) {\n objectValue = state.replacer.call(object, objectKey, objectValue);\n }\n\n if (!writeNode(state, level + 1, objectKey, true, true, true)) {\n continue; // Skip this pair because of invalid key.\n }\n\n explicitPair = (state.tag !== null && state.tag !== '?') \|\|\n (state.dump && state.dump.length > 1024);\n\n if (explicitPair) {\n if (state.dump && CHAR_LINE_FEED === state.dump.charCodeAt(0)) {\n pairBuffer += '?';\n } else {\n pairBuffer += '? ';\n }\n }\n\n pairBuffer += state.dump;\n\n if (explicitPair) {\n pairBuffer += generateNextLine(state, level);\n }\n\n if (!writeNode(state, level + 1, objectValue, true, explicitPair)) {\n continue; // Skip this pair because of invalid value.\n }\n\n if (state.dump && CHAR_LINE_FEED === state.dump.charCodeAt(0)) {\n pairBuffer += ':';\n } else {\n pairBuffer += ': ';\n }\n\n pairBuffer += state.dump;\n\n // Both key and value are valid.\n _result += pairBuffer;\n }\n\n state.tag = _tag;\n state.dump = _result \|\| '{}'; // Empty mapping if no valid pairs.\n}\n\nfunction detectType(state, object, explicit) {\n var _result, typeList, index, length, type, style;\n\n typeList = explicit ? state.explicitTypes : state.implicitTypes;\n\n for (index = 0, length = typeList.length; index < length; index += 1) {\n type = typeList[index];\n\n if ((type.instanceOf \|\| type.predicate) &&\n (!type.instanceOf \|\| ((typeof object === 'object') && (object instanceof type.instanceOf))) &&\n (!type.predicate \|\| type.predicate(object))) {\n\n if (explicit) {\n if (type.multi && type.representName) {\n state.tag = type.representName(object);\n } else {\n state.tag = type.tag;\n }\n } else {\n state.tag = '?';\n }\n\n if (type.represent) {\n style = state.styleMap[type.tag] \|\| type.defaultStyle;\n\n if (_toString.call(type.represent) === '[object Function]') {\n _result = type.represent(object, style);\n } else if (_hasOwnProperty.call(type.represent, style)) {\n _result = type.represent[style](object, style);\n } else {\n throw new exception('!<' + type.tag + '> tag resolver accepts not \"' + style + '\" style');\n }\n\n state.dump = _result;\n }\n\n return true;\n }\n }\n\n return false;\n}\n\n// Serializes `object` and writes it to global `result`.\n// Returns true on success, or false on invalid object.\n//\nfunction writeNode(state, level, object, block, compact, iskey, isblockseq) {\n state.tag = null;\n state.dump = object;\n\n if (!detectType(state, object, false)) {\n detectType(state, object, true);\n }\n\n var type = _toString.call(state.dump);\n var inblock = block;\n var tagStr;\n\n if (block) {\n block = (state.flowLevel < 0 \|\| state.flowLevel > level);\n }\n\n var objectOrArray = type === '[object Object]' \|\| type === '[object Array]',\n duplicateIndex,\n duplicate;\n\n if (objectOrArray) {\n duplicateIndex = state.duplicates.indexOf(object);\n duplicate = duplicateIndex !== -1;\n }\n\n if ((state.tag !== null && state.tag !== '?') \|\| duplicate \|\| (state.indent !== 2 && level > 0)) {\n compact = false;\n }\n\n if (duplicate && state.usedDuplicates[duplicateIndex]) {\n state.dump = 'ref_' + duplicateIndex;\n } else {\n if (objectOrArray && duplicate && !state.usedDuplicates[duplicateIndex]) {\n state.usedDuplicates[duplicateIndex] = true;\n }\n if (type === '[object Object]') {\n if (block && (Object.keys(state.dump).length !== 0)) {\n writeBlockMapping(state, level, state.dump, compact);\n if (duplicate) {\n state.dump = '&ref_' + duplicateIndex + state.dump;\n }\n } else {\n writeFlowMapping(state, level, state.dump);\n if (duplicate) {\n state.dump = '&ref_' + duplicateIndex + ' ' + state.dump;\n }\n }\n } else if (type === '[object Array]') {\n if (block && (state.dump.length !== 0)) {\n if (state.noArrayIndent && !isblockseq && level > 0) {\n writeBlockSequence(state, level - 1, state.dump, compact);\n } else {\n writeBlockSequence(state, level, state.dump, compact);\n }\n if (duplicate) {\n state.dump = '&ref_' + duplicateIndex + state.dump;\n }\n } else {\n writeFlowSequence(state, level, state.dump);\n if (duplicate) {\n state.dump = '&ref_' + duplicateIndex + ' ' + state.dump;\n }\n }\n } else if (type === '[object String]') {\n if (state.tag !== '?') {\n writeScalar(state, state.dump, level, iskey, inblock);\n }\n } else if (type === '[object Undefined]') {\n return false;\n } else {\n if (state.skipInvalid) return false;\n throw new exception('unacceptable kind of an object to dump ' + type);\n }\n\n if (state.tag !== null && state.tag !== '?') {\n // Need to encode all characters except those allowed by the spec:\n //\n // [35] ns-dec-digit ::= [#x30-#x39] / 0-9 /\n // [36] ns-hex-digit ::= ns-dec-digit\n // \| [#x41-#x46] / A-F / \| [#x61-#x66] / a-f /\n // [37] ns-ascii-letter ::= [#x41-#x5A] / A-Z / \| [#x61-#x7A] / a-z /\n // [38] ns-word-char ::= ns-dec-digit \| ns-ascii-letter \| “-”\n // [39] ns-uri-char ::= “%” ns-hex-digit ns-hex-digit \| ns-word-char \| “#”\n // \| “;” \| “/” \| “?” \| “:” \| “@” \| “&” \| “=” \| “+” \| “$” \| “,”\n // \| “_” \| “.” \| “!” \| “~” \| “” \| “'” \| “(” \| “)” \| “[” \| “]”\n //\n // Also need to encode '!' because it has special meaning (end of tag prefix).\n //\n tagStr = encodeURI(\n state.tag[0] === '!' ? state.tag.slice(1) : state.tag\n ).replace(/!/g, '%21');\n\n if (state.tag[0] === '!') {\n tagStr = '!' + tagStr;\n } else if (tagStr.slice(0, 18) === 'tag:yaml.org,2002:') {\n tagStr = '!!' + tagStr.slice(18);\n } else {\n tagStr = '!<' + tagStr + '>';\n }\n\n state.dump = tagStr + ' ' + state.dump;\n }\n }\n\n return true;\n}\n\nfunction getDuplicateReferences(object, state) {\n var objects = [],\n duplicatesIndexes = [],\n index,\n length;\n\n inspectNode(object, objects, duplicatesIndexes);\n\n for (index = 0, length = duplicatesIndexes.length; index < length; index += 1) {\n state.duplicates.push(objects[duplicatesIndexes[index]]);\n }\n state.usedDuplicates = new Array(length);\n}\n\nfunction inspectNode(object, objects, duplicatesIndexes) {\n var objectKeyList,\n index,\n length;\n\n if (object !== null && typeof object === 'object') {\n index = objects.indexOf(object);\n if (index !== -1) {\n if (duplicatesIndexes.indexOf(index) === -1) {\n duplicatesIndexes.push(index);\n }\n } else {\n objects.push(object);\n\n if (Array.isArray(object)) {\n for (index = 0, length = object.length; index < length; index += 1) {\n inspectNode(object[index], objects, duplicatesIndexes);\n }\n } else {\n objectKeyList = Object.keys(object);\n\n for (index = 0, length = objectKeyList.length; index < length; index += 1) {\n inspectNode(object[objectKeyList[index]], objects, duplicatesIndexes);\n }\n }\n }\n }\n}\n\nfunction dump$1(input, options) {\n options = options \|\| {};\n\n var state = new State(options);\n\n if (!state.noRefs) getDuplicateReferences(input, state);\n\n var value = input;\n\n if (state.replacer) {\n value = state.replacer.call({ '': value }, '', value);\n }\n\n if (writeNode(state, 0, value, true, true)) return state.dump + '\\n';\n\n return '';\n}\n\nvar dump_1 = dump$1;\n\nvar dumper = {\n\tdump: dump_1\n};\n\nfunction renamed(from, to) {\n return function () {\n throw new Error('Function yaml.' + from + ' is removed in js-yaml 4. ' +\n 'Use yaml.' + to + ' instead, which is now safe by default.');\n };\n}\n\n\nvar Type = type;\nvar Schema = schema;\nvar FAILSAFE_SCHEMA = failsafe;\nvar JSON_SCHEMA = json;\nvar CORE_SCHEMA = core;\nvar DEFAULT_SCHEMA = _default;\nvar load = loader.load;\nvar loadAll = loader.loadAll;\nvar dump = dumper.dump;\nvar YAMLException = exception;\n\n// Re-export all types in case user wants to create custom schema\nvar types = {\n binary: binary,\n float: float,\n map: map,\n null: _null,\n pairs: pairs,\n set: set,\n timestamp: timestamp,\n bool: bool,\n int: int,\n merge: merge,\n omap: omap,\n seq: seq,\n str: str\n};\n\n// Removed functions from JS-YAML 3.0.x\nvar safeLoad = renamed('safeLoad', 'load');\nvar safeLoadAll = renamed('safeLoadAll', 'loadAll');\nvar safeDump = renamed('safeDump', 'dump');\n\nvar jsYaml = {\n\tType: Type,\n\tSchema: Schema,\n\tFAILSAFE_SCHEMA: FAILSAFE_SCHEMA,\n\tJSON_SCHEMA: JSON_SCHEMA,\n\tCORE_SCHEMA: CORE_SCHEMA,\n\tDEFAULT_SCHEMA: DEFAULT_SCHEMA,\n\tload: load,\n\tloadAll: loadAll,\n\tdump: dump,\n\tYAMLException: YAMLException,\n\ttypes: types,\n\tsafeLoad: safeLoad,\n\tsafeLoadAll: safeLoadAll,\n\tsafeDump: safeDump\n};\n\nexport { CORE_SCHEMA, DEFAULT_SCHEMA, FAILSAFE_SCHEMA, JSON_SCHEMA, Schema, Type, YAMLException, jsYaml as default, dump, load, loadAll, safeDump, safeLoad, safeLoadAll, types };\n","/*\n PDLSS Policy Parser\n \n Parses local YAML policy files into typed LocalPolicy objects.\n * Validates against the PDLSS schema to ensure cloud compatibility.\n /\n\nimport as yaml from 'js-yaml';\nimport { readFileSync } from 'fs';\nimport type { LocalPolicy } from '../gateway/types';\nimport { validatePolicy, type ValidationResult } from './schema';\n\nexport interface ParseResult {\n policy: LocalPolicy \| null;\n validation: ValidationResult;\n rawYaml?: string;\n}\n\n/*\n Parse a YAML string into a LocalPolicy.\n /\nexport function parseYaml(yamlContent: string): ParseResult {\n let parsed: unknown;\n\n try {\n parsed = yaml.load(yamlContent);\n } catch (err) {\n const message = err instanceof Error ? err.message : 'Invalid YAML';\n return {\n policy: null,\n validation: { valid: false, errors: [{ path: '', message: `YAML parse error: ${message}` }] },\n rawYaml: yamlContent,\n };\n }\n\n const validation = validatePolicy(parsed);\n\n if (!validation.valid) {\n return { policy: null, validation, rawYaml: yamlContent };\n }\n\n return {\n policy: parsed as LocalPolicy,\n validation,\n rawYaml: yamlContent,\n };\n}\n\n/\n Parse a YAML file from disk into a LocalPolicy.\n /\nexport function parseFile(filePath: string): ParseResult {\n let content: string;\n\n try {\n content = readFileSync(filePath, 'utf-8');\n } catch (err) {\n const message = err instanceof Error ? err.message : 'File read error';\n return {\n policy: null,\n validation: { valid: false, errors: [{ path: '', message: `Failed to read policy file: ${message}` }] },\n };\n }\n\n return parseYaml(content);\n}\n\n/\n Convert a LocalPolicy back to YAML string (for upload to cloud).\n /\nexport function toYaml(policy: LocalPolicy): string {\n return yaml.dump(policy, { lineWidth: 120, noRefs: true });\n}\n","/\n PDLSS Policy Schema Validation\n \n Validates local YAML policy files against the PDLSS schema.\n * Ensures local policies can be uploaded to cloud without lossy transformation.\n /\n\nimport type { LocalRiskThresholds } from '../gateway/types';\n\nexport interface ValidationError {\n path: string;\n message: string;\n}\n\nexport interface ValidationResult {\n valid: boolean;\n errors: ValidationError[];\n}\n\n/\n Validate a parsed local policy object against the PDLSS schema.\n /\nexport function validatePolicy(policy: unknown): ValidationResult {\n const errors: ValidationError[] = [];\n\n if (!policy \|\| typeof policy !== 'object') {\n return { valid: false, errors: [{ path: '', message: 'Policy must be an object' }] };\n }\n\n const p = policy as Record<string, unknown>;\n\n // Required fields\n if (typeof p.version !== 'string') {\n errors.push({ path: 'version', message: 'version is required and must be a string' });\n }\n if (typeof p.name !== 'string') {\n errors.push({ path: 'name', message: 'name is required and must be a string' });\n }\n\n // Purposes\n if (!Array.isArray(p.purposes)) {\n errors.push({ path: 'purposes', message: 'purposes is required and must be an array' });\n } else {\n p.purposes.forEach((purpose: unknown, i: number) => {\n errors.push(...validatePurpose(purpose, `purposes[${i}]`));\n });\n }\n\n // Scope (optional)\n if (p.scope !== undefined) {\n errors.push(...validateScope(p.scope, 'scope'));\n }\n\n // Limits (optional)\n if (p.limits !== undefined) {\n errors.push(...validateLimits(p.limits, 'limits'));\n }\n\n // Risk thresholds (optional)\n if (p.riskThresholds !== undefined) {\n errors.push(...validateRiskThresholds(p.riskThresholds, 'riskThresholds'));\n }\n\n return { valid: errors.length === 0, errors };\n}\n\nfunction validatePurpose(purpose: unknown, path: string): ValidationError[] {\n const errors: ValidationError[] = [];\n\n if (!purpose \|\| typeof purpose !== 'object') {\n return [{ path, message: 'purpose must be an object' }];\n }\n\n const p = purpose as Record<string, unknown>;\n\n if (typeof p.id !== 'string' \|\| !p.id) {\n errors.push({ path: `${path}.id`, message: 'id is required and must be a non-empty string' });\n }\n\n if (typeof p.allowed !== 'boolean') {\n errors.push({ path: `${path}.allowed`, message: 'allowed is required and must be a boolean' });\n }\n\n if (p.targets !== undefined && !isStringArray(p.targets)) {\n errors.push({ path: `${path}.targets`, message: 'targets must be an array of strings' });\n }\n\n if (p.blockedPatterns !== undefined && !isStringArray(p.blockedPatterns)) {\n errors.push({ path: `${path}.blockedPatterns`, message: 'blockedPatterns must be an array of strings' });\n }\n\n if (p.requiresApproval !== undefined && typeof p.requiresApproval !== 'boolean') {\n errors.push({ path: `${path}.requiresApproval`, message: 'requiresApproval must be a boolean' });\n }\n\n return errors;\n}\n\nfunction validateScope(scope: unknown, path: string): ValidationError[] {\n const errors: ValidationError[] = [];\n\n if (typeof scope !== 'object' \|\| scope === null) {\n return [{ path, message: 'scope must be an object' }];\n }\n\n const s = scope as Record<string, unknown>;\n\n for (const field of ['allowedDomains', 'blockedDomains', 'blockedResources']) {\n if (s[field] !== undefined && !isStringArray(s[field])) {\n errors.push({ path: `${path}.${field}`, message: `${field} must be an array of strings` });\n }\n }\n\n return errors;\n}\n\nfunction validateLimits(limits: unknown, path: string): ValidationError[] {\n const errors: ValidationError[] = [];\n\n if (typeof limits !== 'object' \|\| limits === null) {\n return [{ path, message: 'limits must be an object' }];\n }\n\n const l = limits as Record<string, unknown>;\n\n if (l.maxTransactionAmount !== undefined && typeof l.maxTransactionAmount !== 'number') {\n errors.push({ path: `${path}.maxTransactionAmount`, message: 'maxTransactionAmount must be a number' });\n }\n\n if (l.maxRequestsPerHour !== undefined && typeof l.maxRequestsPerHour !== 'number') {\n errors.push({ path: `${path}.maxRequestsPerHour`, message: 'maxRequestsPerHour must be a number' });\n }\n\n if (l.currency !== undefined && typeof l.currency !== 'string') {\n errors.push({ path: `${path}.currency`, message: 'currency must be a string' });\n }\n\n return errors;\n}\n\nfunction validateRiskThresholds(thresholds: unknown, path: string): ValidationError[] {\n const errors: ValidationError[] = [];\n\n if (typeof thresholds !== 'object' \|\| thresholds === null) {\n return [{ path, message: 'riskThresholds must be an object' }];\n }\n\n const t = thresholds as Record<string, unknown>;\n\n for (const range of ['autoAllow', 'requireApproval', 'autoBlock'] as const) {\n if (!t[range] \|\| typeof t[range] !== 'object') {\n errors.push({ path: `${path}.${range}`, message: `${range} is required and must be an object with min and max` });\n continue;\n }\n\n const r = t[range] as Record<string, unknown>;\n if (typeof r.min !== 'number' \|\| typeof r.max !== 'number') {\n errors.push({ path: `${path}.${range}`, message: `${range} must have numeric min and max` });\n } else if (r.min > r.max) {\n errors.push({ path: `${path}.${range}`, message: `${range}.min must be <= ${range}.max` });\n }\n }\n\n // Validate contiguous ranges (no gaps)\n if (isValidThresholdShape(t)) {\n const thresholdObj = t as unknown as LocalRiskThresholds;\n if (thresholdObj.autoAllow.max + 1 !== thresholdObj.requireApproval.min) {\n errors.push({\n path: `${path}`,\n message: `Gap between autoAllow.max (${thresholdObj.autoAllow.max}) and requireApproval.min (${thresholdObj.requireApproval.min}). Ranges must be contiguous.`,\n });\n }\n if (thresholdObj.requireApproval.max + 1 !== thresholdObj.autoBlock.min) {\n errors.push({\n path: `${path}`,\n message: `Gap between requireApproval.max (${thresholdObj.requireApproval.max}) and autoBlock.min (${thresholdObj.autoBlock.min}). Ranges must be contiguous.`,\n });\n }\n }\n\n return errors;\n}\n\nfunction isStringArray(val: unknown): val is string[] {\n return Array.isArray(val) && val.every((v) => typeof v === 'string');\n}\n\nfunction isValidThresholdShape(t: Record<string, unknown>): boolean {\n for (const key of ['autoAllow', 'requireApproval', 'autoBlock']) {\n const r = t[key];\n if (!r \|\| typeof r !== 'object') return false;\n const range = r as Record<string, unknown>;\n if (typeof range.min !== 'number' \|\| typeof range.max !== 'number') return false;\n }\n return true;\n}\n","/\n Local Mode — Evaluates actions against a local PDLSS policy file.\n * No network calls, no account required, runs entirely in-process.\n /\n\nimport type { AstraSyncGatewayConfig, PDLSSContext, VerificationDecision } from '../types';\nimport { LocalEvaluator } from '../../local-evaluator/evaluator';\nimport { parseFile } from '../../local-evaluator/pdlss-parser';\n\n/\n Load a local evaluator from config.\n /\nexport function loadEvaluator(config: AstraSyncGatewayConfig): LocalEvaluator {\n if (config.policy) {\n return new LocalEvaluator(config.policy);\n }\n\n if (config.policyFile) {\n const result = parseFile(config.policyFile);\n if (!result.policy) {\n const errors = result.validation.errors.map((e) => `${e.path}: ${e.message}`).join('; ');\n throw new Error(`Invalid policy file ${config.policyFile}: ${errors}`);\n }\n return new LocalEvaluator(result.policy);\n }\n\n throw new Error('Local mode requires either policyFile or policy in config');\n}\n\n/\n Verify locally against the loaded PDLSS policy.\n /\nexport function verifyLocal(evaluator: LocalEvaluator, context: PDLSSContext): VerificationDecision {\n return evaluator.evaluate(context);\n}\n","/\n AstraSync Universal Verification Gateway - Access Level Definitions\n \n Defines the hierarchy and capabilities of each access level.\n \n v2.3.9 (defect #30): renamed `'guidance'` band → `'restricted'`. See\n * `types.ts` AccessLevel for the rationale (value-name collision with the\n * `guidance: {...}` help-payload object on VerificationResult).\n /\n\nimport type { AccessLevel, TrustLevel } from './types';\n\n/\n Access level hierarchy (higher number = more access)\n /\nexport const ACCESS_LEVEL_HIERARCHY: Record<AccessLevel, number> = {\n none: 0,\n restricted: 1,\n 'read-only': 2,\n standard: 3,\n full: 4,\n internal: 5,\n};\n\n/\n Access level descriptions for UI\n /\nexport const ACCESS_LEVEL_DESCRIPTIONS: Record<AccessLevel, string> = {\n none: 'No access - credentials required',\n restricted: 'Restricted access - registration prompt only',\n 'read-only': 'Read-only access - can browse but not modify',\n standard: 'Standard access - normal operations per PDLSS policy',\n full: 'Full access - all operations for high-trust agents',\n internal: 'Internal access - organization member privileges',\n};\n\n/\n Default trust score thresholds for access levels\n /\nexport const DEFAULT_TRUST_THRESHOLDS: Record<AccessLevel, number> = {\n none: 0,\n restricted: 0,\n 'read-only': 20,\n standard: 40,\n full: 70,\n internal: 0, // Internal is based on org membership, not score\n};\n\n/\n Trust level score ranges\n /\nexport const TRUST_LEVEL_RANGES: Record<TrustLevel, { min: number; max: number }> = {\n BRONZE: { min: 0, max: 39 },\n SILVER: { min: 40, max: 59 },\n GOLD: { min: 60, max: 79 },\n PLATINUM: { min: 80, max: 100 },\n};\n\n/\n Determine trust level from score\n /\nexport function getTrustLevel(score: number): TrustLevel {\n if (score >= 80) return 'PLATINUM';\n if (score >= 60) return 'GOLD';\n if (score >= 40) return 'SILVER';\n return 'BRONZE';\n}\n\n/\n Check if access level A is greater than or equal to access level B\n /\nexport function hasMinimumAccess(actual: AccessLevel, required: AccessLevel): boolean {\n return ACCESS_LEVEL_HIERARCHY[actual] >= ACCESS_LEVEL_HIERARCHY[required];\n}\n\n/\n Get the highest access level for a given trust score\n /\nexport function getAccessLevelForScore(\n trustScore: number,\n thresholds: Record<AccessLevel, number> = DEFAULT_TRUST_THRESHOLDS\n): AccessLevel {\n if (trustScore >= thresholds.full) return 'full';\n if (trustScore >= thresholds.standard) return 'standard';\n if (trustScore >= thresholds['read-only']) return 'read-only';\n return 'restricted';\n}\n\n/\n Determine access level from verification result.\n \n v2.3.9 (defect #30): unverified callers now return `'none'` (was\n * `'guidance'`). Denials grant zero — never a positive band.\n /\nexport function determineAccessLevel(\n verified: boolean,\n trustScore: number,\n isOrgMember: boolean,\n customThresholds?: Partial<Record<AccessLevel, number>>\n): AccessLevel {\n if (!verified) {\n return 'none';\n }\n\n if (isOrgMember) {\n return 'internal';\n }\n\n const thresholds = {\n ...DEFAULT_TRUST_THRESHOLDS,\n ...customThresholds,\n };\n\n return getAccessLevelForScore(trustScore, thresholds);\n}\n\n/\n Access capabilities per level\n /\nexport interface AccessCapabilities {\n canRead: boolean;\n canWrite: boolean;\n canDelete: boolean;\n canAdmin: boolean;\n canAccessInternal: boolean;\n maxTransactionValue?: number;\n allowedPurposes?: string[];\n}\n\n/\n Get capabilities for an access level\n /\nexport function getCapabilities(accessLevel: AccessLevel): AccessCapabilities {\n switch (accessLevel) {\n case 'none':\n return {\n canRead: false,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'restricted':\n return {\n canRead: false,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'read-only':\n return {\n canRead: true,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'standard':\n return {\n canRead: true,\n canWrite: true,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'full':\n return {\n canRead: true,\n canWrite: true,\n canDelete: true,\n canAdmin: false,\n canAccessInternal: false,\n };\n case 'internal':\n return {\n canRead: true,\n canWrite: true,\n canDelete: true,\n canAdmin: true,\n canAccessInternal: true,\n };\n default:\n return {\n canRead: false,\n canWrite: false,\n canDelete: false,\n canAdmin: false,\n canAccessInternal: false,\n };\n }\n}\n","/\n Round-13 (F14 closure / R13-7): single source-of-truth for the SDK's\n * package version emitted on verify-access bodies (and any future\n * telemetry). Bumped alongside `package.json#version` on every release.\n \n Why a constant rather than `import pkg from '../package.json'`:\n * - `tsconfig.json` sets `rootDir: ./src`; importing the sibling\n * package.json fails the build with \"outside rootDir\".\n * - Build-time string replacement (tsup `define`, esbuild banner, etc.)\n * adds toolchain coupling for a trivial gain.\n * - Embedded readonly constant works in every environment (Node, browser,\n * bundlers, Deno) without runtime fs / network access.\n \n Release discipline: a CI lint can grep `package.json#version` against\n * this constant if the two ever diverge in the wild. Round-13 manual bump\n * is fine — bumping both in the release-ceremony commit keeps them\n * lockstep.\n /\nexport const SDK_VERSION = '2.4.10';\n","/\n AstraSync Universal Verification Gateway - Core Verification Logic\n \n This module handles the core verification logic, calling the AstraSync API\n * and processing the response into a standardized VerificationResult.\n /\n\nimport type {\n GatewayConfig,\n AgentCredentials,\n VerificationRequest,\n VerificationResult,\n VerifiedAgent,\n VerifiedDeveloper,\n VerifiedOrganization,\n GuidanceInfo,\n AccessLevel,\n EnhancedVerificationResult,\n TokenGuidance,\n RuntimeChallengeResult,\n} from './types';\nimport { getTrustLevel, ACCESS_LEVEL_HIERARCHY } from './access-levels';\nimport { SDK_VERSION } from './version';\n\n/\n Default configuration values\n \n apiBaseUrl matches the OpenAPI authoritative server (https://astrasync.ai/api\n * for prod, https://staging.astrasync.ai/api for staging). Always include the\n * /api path prefix when overriding — registration / docs URLs are derived by\n * stripping it.\n /\nconst DEFAULT_CONFIG: Partial<GatewayConfig> = {\n apiBaseUrl: 'https://astrasync.ai/api',\n // v2.3.9 (defect #30): default for unconfigured callers is `'none'` (no\n // access). Pre-rename this defaulted to `'guidance'`, which combined with\n // a route gated at `'guidance'` to silently let unverified traffic\n // through (`hasMinimumAccess('guidance', 'guidance') === true`).\n defaultAccessLevel: 'none',\n // minTrustScore + minTrustScoreForFull deprecated in v2.3.0 — server decides.\n // Round-18.5 F4: cacheTtl deliberately unset. When undefined, cacheResult\n // applies the split default (60s autonomous / 300s step-up). When the\n // caller sets cacheTtl explicitly, that value is honoured uniformly.\n // Set cacheTtl: 0 to disable caching entirely.\n debug: false,\n};\n\n/\n Init self-test state. Fires once per process on first verify() call to warn\n * if apiBaseUrl is pointing at the wrong host (e.g. a marketing site that\n * 200s with text/html instead of the API).\n /\nlet initCheckPerformed = false;\n\n/* One-shot guard for v2.3.0 deprecation warning. /\nlet deprecationWarningShown = false;\n\nasync function performInitCheck(apiBaseUrl: string, debug?: boolean): Promise<void> {\n initCheckPerformed = true;\n try {\n const probeUrl = `${apiBaseUrl}/agents/verify-access`;\n // HEAD mirrors GET semantics (running the full request pipeline without a\n // body) so the response carries the same content-type the marketing 404\n // would return. OPTIONS often gets short-circuited by CORS-preflight\n // handlers and returns no content-type, defeating the check.\n const response = await fetch(probeUrl, { method: 'HEAD' });\n const contentType = response.headers.get('content-type') ?? '';\n if (contentType.startsWith('text/html')) {\n console.warn(\n `[VerificationGateway] apiBaseUrl '${apiBaseUrl}' returned HTML (content-type: ${contentType}). ` +\n `This usually means apiBaseUrl is pointing at a marketing site instead of the API. ` +\n `Expected: 'https://astrasync.ai/api' (prod) or 'https://staging.astrasync.ai/api' (staging). ` +\n `Set disableInitChecks: true on GatewayConfig to silence this warning.`\n );\n } else if (debug) {\n console.log(\n `[VerificationGateway] init check passed for ${apiBaseUrl} (content-type: ${contentType})`\n );\n }\n } catch (err) {\n if (debug) {\n console.log(`[VerificationGateway] init check failed (non-blocking): ${String(err)}`);\n }\n }\n}\n\n/\n Simple in-memory cache for verification results\n /\nconst verificationCache = new Map<string, { result: VerificationResult; expiresAt: number }>();\n\n/\n Generate cache key from the full request shape.\n \n Round-18.5 F4: pre-fix the key was credentials-only (`astraId-apiKey-jwt`),\n * which silently returned the cached result of a prior call even when the\n * subsequent call's purpose/action/counterparty/etc. differed. That was a\n * security gap — a warm cache could serve an allow verdict for a purpose the\n * agent hadn't actually been authorised for. Key now includes every field\n * that affects the backend verdict.\n \n MAINTAIN: when adding a field to VerificationRequest that affects the\n * backend verdict, add it to this key. Fields that don't affect verdict\n * (e.g. requestId, timestamps, sdkVersion) don't belong here — including\n * them would needlessly thrash the cache for repeated identical requests.\n /\nfunction getCacheKey(request: VerificationRequest): string {\n const c = request.credentials;\n return [\n c.astraId \|\| '',\n c.apiKey \|\| '',\n c.jwt \|\| '',\n request.purpose \|\| '',\n request.action \|\| '',\n request.resourceType \|\| '',\n request.resource \|\| '',\n request.jurisdiction \|\| '',\n request.transactionValue ?? '',\n request.currency \|\| '',\n request.counterpartyUrl \|\| '',\n request.counterpartyType \|\| '',\n request.isSubAgentRequest ? '1' : '0',\n request.parentAgentId \|\| '',\n request.subAgentDepth ?? '',\n ].join('\|');\n}\n\n/\n Check if cached result is still valid\n /\nfunction getCachedResult(request: VerificationRequest): VerificationResult \| null {\n const key = getCacheKey(request);\n const cached = verificationCache.get(key);\n\n if (cached && cached.expiresAt > Date.now()) {\n return cached.result;\n }\n\n if (cached) {\n verificationCache.delete(key);\n }\n\n return null;\n}\n\n/\n Cache a verification result.\n \n Round-18.5 F4: TTL splits by step-up status when the caller hasn't pinned\n * `configuredTtl` explicitly. Autonomous verdicts cache for 60s (faster\n * policy-update propagation, better security posture); step-up verdicts cache\n * for 300s (matches human-paced approval cycles, prevents thrashing during\n * the user-action window). When `configuredTtl` is set (truthy positive\n * number), it's honoured uniformly for back-compat with partners pinning a\n * specific TTL today.\n /\nconst DEFAULT_AUTONOMOUS_TTL_SECONDS = 60;\nconst DEFAULT_STEP_UP_TTL_SECONDS = 300;\n\nfunction cacheResult(\n request: VerificationRequest,\n result: VerificationResult,\n configuredTtl: number \| undefined\n): void {\n const ttlSeconds =\n configuredTtl && configuredTtl > 0\n ? configuredTtl\n : result.requiresStepUp\n ? DEFAULT_STEP_UP_TTL_SECONDS\n : DEFAULT_AUTONOMOUS_TTL_SECONDS;\n const key = getCacheKey(request);\n verificationCache.set(key, {\n result,\n expiresAt: Date.now() + ttlSeconds 1000,\n });\n}\n\n/*\n Clear the verification cache\n /\nexport function clearCache(): void {\n verificationCache.clear();\n}\n\n/\n Extract agent credentials from various sources\n /\nexport function extractCredentials(\n headers: Record<string, string \| string[] \| undefined>,\n query?: Record<string, string \| undefined>\n): AgentCredentials {\n const credentials: AgentCredentials = {};\n\n // Check for ASTRA-ID in headers (case-insensitive). Accepts the historical\n // X-Astra-Id name plus the X-Astra-AgentId / x-astra-agent-id alias the\n // partner asked for in #9a — both surface the same field.\n const astraIdHeader =\n headers['x-astra-id'] \|\|\n headers['X-Astra-Id'] \|\|\n headers['X-ASTRA-ID'] \|\|\n headers['x-astra-agentid'] \|\|\n headers['X-Astra-AgentId'] \|\|\n headers['x-astra-agent-id'] \|\|\n headers['X-Astra-Agent-Id'] \|\|\n headers['X-ASTRA-AGENT-ID'];\n if (astraIdHeader) {\n credentials.astraId = Array.isArray(astraIdHeader) ? astraIdHeader[0] : astraIdHeader;\n }\n\n // Check for API key in headers\n const apiKeyHeader = headers['x-api-key'] \|\| headers['X-Api-Key'] \|\| headers['X-API-KEY'];\n if (apiKeyHeader) {\n credentials.apiKey = Array.isArray(apiKeyHeader) ? apiKeyHeader[0] : apiKeyHeader;\n }\n\n // Check Authorization header for Bearer token\n const authHeader = headers['authorization'] \|\| headers['Authorization'];\n if (authHeader) {\n const authValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;\n credentials.authorizationHeader = authValue;\n\n if (authValue.startsWith('Bearer ')) {\n credentials.jwt = authValue.slice(7);\n }\n }\n\n // Check query parameters as fallback\n if (query) {\n if (query.astraId && !credentials.astraId) {\n credentials.astraId = query.astraId;\n }\n if (query.apiKey && !credentials.apiKey) {\n credentials.apiKey = query.apiKey;\n }\n }\n\n return credentials;\n}\n\n/\n Check if credentials are present\n /\nexport function hasCredentials(credentials: AgentCredentials): boolean {\n return !!(credentials.astraId \|\| credentials.apiKey \|\| credentials.jwt);\n}\n\n/\n Source of a synthesised guidance response. Round-10 split — the\n * `'no_credentials'` shape is the original (caller has no AstraSync\n * credentials, suggest registration). The `'api_error'` shape is for when\n * the verify-access HTTP call itself failed (5xx, network, etc.) — DON'T\n * tell a verified-but-currently-blocked partner to \"register your agent\".\n /\ntype GuidanceSource = 'no_credentials' \| 'api_error';\n\n/\n Create guidance response for unverified agents or for API-error fallback.\n \n Round-10 (#47, O5): split source so the `register your agent` template\n * doesn't fire on transient backend failures. Also threads `correlationId`\n * through so adapter `onDenied` handlers can surface it on the merchant's\n * response body for log correlation.\n /\nfunction createGuidanceResponse(\n config: GatewayConfig,\n reason?: string,\n options: { source?: GuidanceSource; correlationId?: string } = {}\n): VerificationResult {\n const source = options.source ?? 'no_credentials';\n const isApiError = source === 'api_error';\n\n const guidance: GuidanceInfo = isApiError\n ? {\n message:\n 'Verification is temporarily unavailable. Retry with exponential backoff; if the issue persists, contact support with the correlationId.',\n registrationUrl: `${config.apiBaseUrl.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl.replace('/api', '')}/docs/agent-access`,\n steps: [\n 'Retry the request with exponential backoff',\n 'If failures persist, share the correlationId with support',\n ],\n }\n : {\n message:\n 'This service verifies AI agents before granting access. Please register your agent with AstraSync.',\n registrationUrl: `${config.apiBaseUrl.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl.replace('/api', '')}/docs/agent-access`,\n steps: [\n 'Register for an AstraSync account',\n 'Create and register your agent',\n 'Add your ASTRA-ID to request headers',\n 'Retry your request',\n ],\n };\n\n return {\n // Round-18 G4: createGuidanceResponse fires for unverified-agent path or\n // API-error fallback. Identity is not verified (no agent resolved);\n // policy is not evaluated (we never reached the gate).\n identityVerified: false,\n policyAllowed: false,\n // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.\n // Adapters additionally short-circuit on `!identityVerified \|\|\n // !policyAllowed` before the gate check, but the access level still has\n // to be honest at the data layer so downstream consumers (SDK adapters\n // in other languages, custom integrations) inherit the correct\n // semantics.\n accessLevel: 'none',\n guidance,\n denialReasons: reason ? [reason] : ['No valid agent credentials provided'],\n // Round-10 (#47, O5): on API-error fallback, surface a typed failure so\n // partners (and their custom onDenied handlers) can branch on\n // dimension. Without this, the synthesised stub was indistinguishable\n // from a real policy deny.\n failures: isApiError\n ? [\n {\n dimension: 'verify_access.api_error',\n message: reason ?? 'Verification temporarily unavailable',\n guidance: guidance.message,\n },\n ]\n : undefined,\n correlationId: options.correlationId,\n verifiedAt: new Date(),\n };\n}\n\n/\n Call the AstraSync verify-access API\n /\nasync function callVerifyAccessAPI(\n config: GatewayConfig,\n request: VerificationRequest\n): Promise<{\n success: boolean;\n access?: {\n allowed: boolean;\n /\n Server-decided access level. Read verbatim — do NOT remap client-side.\n * The server resolves this from endpoint policy + agent trust score using\n * the canonical thresholds (see backend `apps/backend/src/utils/access-levels.ts`).\n /\n accessLevel?: AccessLevel;\n reason?: string;\n /\n Aggregated denial failures (v2.9.8+). Empty / absent when allowed.\n * Each entry is `{ dimension, message, guidance? }` — see\n * `AccessFailure` for the contract.\n /\n failures?: Array<{ dimension: string; message: string; guidance?: string }>;\n requiresStepUp?: boolean;\n requiresApproval?: boolean;\n appliedPolicy?: {\n boundaryName: string;\n policyVersion: string;\n };\n counterparty?: {\n id: string;\n name: string;\n trustScoreRequirement: number;\n };\n };\n agent?: {\n kyaAgentId: string;\n astraId: string;\n name: string;\n trustScore: number;\n trustLevel: string;\n agentStatus: string;\n blockchainStatus: string;\n };\n developer?: {\n kyaOwnerId: string;\n fullName: string;\n email: string;\n identityVerified: boolean;\n trustScore: number;\n };\n organization?: {\n name: string;\n verified: boolean;\n trustScore: number;\n };\n /\n Structured explanation of the verification decision. Tells the merchant\n * WHY (id verified? challenge passed? request within PDLSS? trust score?)\n * without exposing thresholds, scope lists, or other-tenant counterparty\n * membership. Empty `attestations` unless the endpoint's access policy\n * declared `required_attestations`.\n /\n verificationContext?: {\n idVerified: boolean;\n runtimeChallenge: {\n status: 'passed' \| 'skipped' \| 'failed' \| 'timeout' \| 'not_supported';\n checkedAt: string \| null;\n };\n pdlssCheck: {\n result: 'within' \| 'exceeded' \| 'denied' \| 'not_evaluated';\n purpose: 'approved' \| 'denied';\n scope: 'approved' \| 'denied';\n };\n dynamicTrustScore: number;\n attestations: Array<{\n type: string;\n status: 'passed' \| 'failed';\n validUntil?: string;\n proofType: 'reference' \| 'zkp';\n proof: string;\n }>;\n };\n error?: string;\n /\n Round-10 (#47, O5): when the verify-access server response carries a\n * correlationId on an error envelope, propagate it so the SDK can thread\n * it through createGuidanceResponse → adapter onDenied → merchant body.\n /\n correlationId?: string;\n}> {\n const { credentials, ...requestData } = request;\n\n // Build the request body. agentId is omitted when not provided so the\n // server treats it as an anonymous canonical-flow call (Branch A/B/C).\n const body: Record<string, unknown> = {\n ...(credentials.astraId && { agentId: credentials.astraId }),\n purpose: requestData.purpose \|\| 'general',\n };\n\n // Add optional fields\n if (requestData.action) body.action = requestData.action;\n if (requestData.resourceType) body.resourceType = requestData.resourceType;\n if (requestData.resource) body.resource = requestData.resource;\n if (requestData.jurisdiction) body.jurisdiction = requestData.jurisdiction;\n if (requestData.transactionValue) body.transactionValue = requestData.transactionValue;\n if (requestData.currency) body.currency = requestData.currency;\n if (requestData.isSubAgentRequest) body.isSubAgentRequest = requestData.isSubAgentRequest;\n if (requestData.parentAgentId) body.parentAgentId = requestData.parentAgentId;\n if (requestData.subAgentDepth !== undefined) body.subAgentDepth = requestData.subAgentDepth;\n // Handshake Protocol v10 additions\n if (requestData.enableRuntimeChallenge)\n body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;\n if (requestData.createSession) body.createSession = requestData.createSession;\n if (requestData.durationRequired) body.durationRequired = requestData.durationRequired;\n if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;\n if (requestData.counterpartyUrl) body.counterpartyUrl = requestData.counterpartyUrl;\n if (config.counterpartyId) body.counterpartyId = config.counterpartyId;\n if (requestData.runtimeChallengeOptions)\n body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;\n // Round-12 (F19): transport-vs-intent separation. MCP middleware sets\n // this to 'mcp'; non-MCP callers leave it unset.\n if (requestData.invocationProtocol) body.invocationProtocol = requestData.invocationProtocol;\n\n // Round-13 (F14 closure / R13-7): emit the SDK package version on every\n // verify-access body so the backend can auto-populate `kya_counterparty.\n // sdk_version` for the calling endpoint. Body field (not User-Agent\n // header) is the canonical channel — works in Node, browser, behind\n // Cloudflare, and across SDK bundlers without environment-specific\n // header gymnastics. Backend's `validation.ts:verifyAccessSchema`\n // accepts the semver regex; the auto-pop logic is forward-only.\n body.sdkVersion = SDK_VERSION;\n\n // Forward caller metadata when present. Merges the legacy top-level\n // clientIp/userAgent into the nested block for backward compatibility.\n if (requestData.callerMetadata \|\| requestData.clientIp \|\| requestData.userAgent) {\n const meta = {\n ...(requestData.clientIp && { sourceIp: requestData.clientIp }),\n ...(requestData.userAgent && { userAgent: requestData.userAgent }),\n ...requestData.callerMetadata,\n };\n if (Object.keys(meta).length > 0) body.callerMetadata = meta;\n }\n\n // Build headers\n const headers: Record<string, string> = {\n 'Content-Type': 'application/json',\n ...config.customHeaders,\n };\n\n // verify-access requires authentication. The backend's authenticate middleware\n // accepts either a JWT or an API key (starts with kya_) via `Authorization: Bearer <token>`.\n // Credential-supplied auth header (e.g. the agent's own token) takes priority.\n if (credentials.authorizationHeader) {\n headers['Authorization'] = credentials.authorizationHeader;\n } else if (config.apiKey) {\n headers['Authorization'] = `Bearer ${config.apiKey}`;\n }\n // Legacy header kept for compatibility with any middleware that reads it directly.\n if (config.apiKey) {\n headers['X-API-Key'] = config.apiKey;\n }\n\n try {\n const response = await fetch(`${config.apiBaseUrl}/agents/verify-access`, {\n method: 'POST',\n headers,\n body: JSON.stringify(body),\n });\n\n const data = await response.json();\n\n // v2.3.8 (defect #29): treat 410 Gone as a deterministic deactivated-endpoint\n // signal. Older SDKs may treat any non-2xx as transient and retry; v2.3.8+\n // surfaces it as a structured denial with `reason: 'endpoint_deactivated'`\n // so callers can distinguish \"endpoint gone\" from \"endpoint denied this\".\n if (response.status === 410) {\n return {\n success: true,\n access: {\n allowed: false,\n accessLevel: 'none',\n reason: 'endpoint_deactivated',\n failures: [\n {\n dimension: 'endpoint.deactivated',\n message:\n typeof data?.message === 'string' ? data.message : 'Endpoint has been deactivated',\n guidance:\n typeof data?.guidance === 'string'\n ? data.guidance\n : 'Reactivate via POST /api/endpoints/{id}/reactivate, or update the URL on the calling agent.',\n },\n ],\n },\n };\n }\n\n if (!response.ok) {\n // Round-10 (#47, O5): propagate correlationId on the error path too if\n // the server happened to include one (some 5xx error envelopes carry\n // it). Lets the SDK pass it through to the adapter onDenied handler.\n return {\n success: false,\n error: data.message \|\| data.error \|\| `API returned ${response.status}`,\n correlationId: typeof data?.correlationId === 'string' ? data.correlationId : undefined,\n };\n }\n\n return data;\n } catch (error) {\n const message = error instanceof Error ? error.message : 'Unknown error';\n return {\n success: false,\n error: `Failed to call verify-access API: ${message}`,\n };\n }\n}\n\n/\n Main verification function\n /\nexport async function verify(\n config: GatewayConfig,\n request: VerificationRequest\n): Promise<VerificationResult> {\n const mergedConfig = { ...DEFAULT_CONFIG, ...config };\n\n // One-time init self-test — fire-and-forget, never blocks verify().\n if (!initCheckPerformed && !mergedConfig.disableInitChecks && mergedConfig.apiBaseUrl) {\n void performInitCheck(mergedConfig.apiBaseUrl, mergedConfig.debug);\n }\n\n // Deprecation warning for v2.3.0 removed config fields. Fires once per process.\n if (\n !deprecationWarningShown &&\n (config.minTrustScore !== undefined \|\| config.minTrustScoreForFull !== undefined)\n ) {\n deprecationWarningShown = true;\n console.warn(\n '[VerificationGateway] minTrustScore / minTrustScoreForFull are deprecated in v2.3.0 ' +\n 'and have no effect. Server is now the single source of truth for access-level decisions ' +\n '(the SDK reads access.accessLevel from the verify-access response). To gate access ' +\n \"to an endpoint, configure the endpoint's trust_score_requirement server-side.\"\n );\n }\n\n // v2.3.0: anonymous traffic no longer short-circuits here. We forward the\n // request to the server with no agentId; the server applies the endpoint's\n // unverifiedAgentPolicy and returns advisory. createGuidanceResponse remains\n // as the offline fallback if the API itself fails (handled below).\n\n // Check cache first. Round-18.5 F4: caching on unless caller explicitly\n // sets cacheTtl: 0 to disable. Undefined falls through to the split default\n // (60s autonomous / 300s step-up) at cacheResult write time.\n if (mergedConfig.cacheTtl !== 0) {\n const cached = getCachedResult(request);\n if (cached) {\n if (mergedConfig.debug) {\n console.log('[VerificationGateway] Returning cached result');\n }\n return cached;\n }\n }\n\n // Inject counterparty info from config if not already set in request\n const enrichedRequest = { ...request };\n if (!enrichedRequest.counterpartyUrl && mergedConfig.counterpartyUrl) {\n enrichedRequest.counterpartyUrl = mergedConfig.counterpartyUrl;\n }\n if (!enrichedRequest.counterpartyType && mergedConfig.counterpartyType) {\n enrichedRequest.counterpartyType = mergedConfig.counterpartyType;\n }\n\n // Call the API\n if (mergedConfig.debug) {\n console.log('[VerificationGateway] Calling verify-access API');\n }\n\n const apiResponse = await callVerifyAccessAPI(mergedConfig, enrichedRequest);\n\n // Handle API errors\n if (!apiResponse.success) {\n // Round-10 (#47, O5): distinguish API errors from missing-credentials.\n // The previous default tagged any failure with the \"register your\n // agent\" template, which is misleading to a verified partner whose\n // verify-access call hit a 500. The `api_error` source surfaces a\n // typed `verify_access.api_error` failure entry instead.\n return createGuidanceResponse(mergedConfig, apiResponse.error, {\n source: 'api_error',\n correlationId: (apiResponse as { correlationId?: string }).correlationId,\n });\n }\n\n // Check access result\n if (!apiResponse.access?.allowed) {\n // v2.9.8 (defect M1): aggregated failures across every gate that\n // denied. Surface them on the result so the integrator can see every\n // blocker in one go instead of the previous fail-fast cascade.\n const aggregatedFailures = (apiResponse.access as Record<string, unknown> \| undefined)\n ?.failures as Array<{ dimension: string; message: string; guidance?: string }> \| undefined;\n // Round-18 G4: backend denied access (PDLSS or other gate); identity status\n // depends on whether the backend resolved the caller. Read from\n // verificationContext.idVerified; default false if absent (anonymous or\n // identity-fail paths land here too). policyAllowed is false by definition\n // in this branch (apiResponse.access.allowed === false).\n const idVerifiedFromBackend =\n (apiResponse.verificationContext as { idVerified?: boolean } \| undefined)?.idVerified ===\n true;\n const result: EnhancedVerificationResult = {\n identityVerified: idVerifiedFromBackend,\n policyAllowed: false,\n // v2.3.9 (defect #30): denials grant `'none'`, NEVER a positive band.\n // Pre-rename this hardcoded `'guidance'`, which conflated with the\n // colocated `guidance: {...}` help-payload object below and let\n // denied requests pass any route gated at `'guidance'` because\n // `hasMinimumAccess('guidance', 'guidance') === true`. Adapters now\n // ALSO short-circuit on `!identityVerified \|\| !policyAllowed` before\n // the gate check — belt-and-braces.\n accessLevel: 'none',\n denialReasons:\n aggregatedFailures && aggregatedFailures.length > 0\n ? aggregatedFailures.map((f) => f.message)\n : apiResponse.access?.reason\n ? [apiResponse.access.reason]\n : ['Access denied'],\n failures: aggregatedFailures,\n requiresStepUp: apiResponse.access?.requiresStepUp,\n requiresApproval: apiResponse.access?.requiresApproval,\n guidance: {\n message: apiResponse.access?.reason \|\| 'Access denied by PDLSS policy',\n registrationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/docs/pdlss`,\n },\n verifiedAt: new Date(),\n // Extract sessionId so decisions can be recorded for denials too\n sessionId: (apiResponse as Record<string, unknown>).sessionId as string \| undefined,\n // v2.3.10 (defect #34, round-4): anonymous traffic has no session →\n // correlationId is the linking key for paired local_override events.\n correlationId: (apiResponse as Record<string, unknown>).correlationId as string \| undefined,\n recommendation: (apiResponse as Record<string, unknown>)\n .recommendation as EnhancedVerificationResult['recommendation'],\n recommendationReasons: (apiResponse as Record<string, unknown>).recommendationReasons as\n \| string[]\n \| undefined,\n };\n\n return result;\n }\n\n // Build successful result\n const agent: VerifiedAgent \| undefined = apiResponse.agent\n ? {\n astraId: apiResponse.agent.astraId,\n name: apiResponse.agent.name,\n trustScore: apiResponse.agent.trustScore,\n trustLevel: getTrustLevel(apiResponse.agent.trustScore),\n blockchainVerified: apiResponse.agent.blockchainStatus === 'verified',\n status: apiResponse.agent.agentStatus as VerifiedAgent['status'],\n }\n : undefined;\n\n const developer: VerifiedDeveloper \| undefined = apiResponse.developer\n ? {\n astradId: apiResponse.developer.kyaOwnerId,\n name: apiResponse.developer.fullName,\n trustScore: apiResponse.developer.trustScore \|\| 0,\n verified: apiResponse.developer.identityVerified,\n }\n : undefined;\n\n const organization: VerifiedOrganization \| undefined = apiResponse.organization\n ? {\n name: apiResponse.organization.name,\n verified: apiResponse.organization.verified,\n trustScore: apiResponse.organization.trustScore,\n }\n : undefined;\n\n // Verification context — structured \"why\" the merchant gets in v2.2.4+.\n // Carries appliedPolicy (no UUIDs), pdlssCheck summary, dynamic trust score,\n // and policy-driven attestations. Replaces the old over-sharing `pdlss` block.\n const verificationContext = apiResponse.verificationContext;\n\n // Server is the single source of truth for access level. SDK reads\n // apiResponse.access.accessLevel verbatim — no client-side trust-score remap.\n // Fallback to 'standard' if the server response is missing the field (older\n // backend without the v2.3.0 contract); it covers the verified-access case.\n const accessLevel: AccessLevel = apiResponse.access?.accessLevel ?? 'standard';\n\n const result: EnhancedVerificationResult = {\n // Round-18 G4: backend allowed access. Identity is verified (we resolved\n // the caller to an agent) and policy passed all gates. Read idVerified\n // from verificationContext for symmetry with the deny branch; default true\n // on success path since `access.allowed === true` implies identity was\n // resolvable (anonymous-allow paths flow through createGuidanceResponse).\n identityVerified:\n (apiResponse.verificationContext as { idVerified?: boolean } \| undefined)?.idVerified !==\n false,\n policyAllowed: true,\n accessLevel,\n agent,\n developer,\n organization,\n appliedPolicy: apiResponse.access?.appliedPolicy,\n verificationContext,\n requiresStepUp: apiResponse.access?.requiresStepUp,\n requiresApproval: apiResponse.access?.requiresApproval,\n verifiedAt: new Date(),\n cacheTtl: mergedConfig.cacheTtl,\n // Handshake Protocol v10 enhanced fields (present when backend returns them)\n sessionId: (apiResponse as Record<string, unknown>).sessionId as string \| undefined,\n // v2.3.10 (defect #34, round-4): anonymous responses surface correlationId\n // (no session row exists for unverified callers).\n correlationId: (apiResponse as Record<string, unknown>).correlationId as string \| undefined,\n runtimeChallenge: (apiResponse as Record<string, unknown>).runtimeChallenge as\n \| RuntimeChallengeResult\n \| undefined,\n tokenGuidance: (apiResponse as Record<string, unknown>).tokenGuidance as\n \| TokenGuidance\n \| undefined,\n recommendation: (apiResponse as Record<string, unknown>)\n .recommendation as EnhancedVerificationResult['recommendation'],\n recommendationReasons: (apiResponse as Record<string, unknown>).recommendationReasons as\n \| string[]\n \| undefined,\n warningHeader: (apiResponse as Record<string, unknown>).warningHeader as\n \| { name: string; value: string }\n \| undefined,\n };\n\n // Enforce AstraSync recommendation\n if (result.recommendation === 'deny') {\n // Round-18 G4: recommendation-driven deny lands on the success-path\n // construction (identity was resolved). Flip policy only — identity stays\n // verified — so adapters return 403 (re-auth won't help; the policy\n // decision is the blocker).\n result.policyAllowed = false;\n result.accessLevel = 'none';\n result.denialReasons = result.recommendationReasons \|\| [\n 'Access denied by AstraSync recommendation',\n ];\n if (result.runtimeChallenge) {\n result.guidance = {\n message: `Verification failed: ${result.runtimeChallenge.reason \|\| 'runtime challenge failed'}`,\n registrationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${mergedConfig.apiBaseUrl?.replace('/api', '')}/docs/runtime-challenge`,\n };\n }\n } else if (result.recommendation === 'step_up_required') {\n result.requiresStepUp = true;\n if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY['read-only']) {\n result.accessLevel = 'read-only';\n }\n result.denialReasons = result.recommendationReasons \|\| ['Step-up verification required'];\n }\n\n // Cache the result (skip caching denials — agent may fix challenge endpoint\n // and retry). Round-18.5 F4: cacheResult applies split default (60s/300s)\n // when configuredTtl is undefined; honours the caller's value when set.\n if (mergedConfig.cacheTtl !== 0 && result.recommendation !== 'deny') {\n cacheResult(request, result, mergedConfig.cacheTtl);\n }\n\n return result;\n}\n\n/\n Record a counterparty's grant/deny decision for a verification session.\n * Fire-and-forget — errors are silently swallowed.\n /\n/\n v2.3.9 (defect #34): optional override metadata. Set when the SDK's\n * local enforcement (toolGate / methodGate / trustScore floor) rejected\n * a request the SERVER had granted. Backend emits a distinct\n * `verification.local_override` event so the activity feed surfaces the\n * divergence as a separate row.\n /\nexport interface DecisionOverride {\n overriddenBy: 'toolGate' \| 'methodGate' \| 'trustScore' \| 'other';\n toolName?: string;\n requestedLevel?: AccessLevel;\n grantedLevel?: AccessLevel;\n}\n\nexport async function recordDecision(\n config: GatewayConfig,\n sessionId: string,\n decision: 'granted' \| 'denied',\n reason?: string,\n override?: DecisionOverride\n): Promise<void> {\n const headers: Record<string, string> = { 'Content-Type': 'application/json' };\n if (config.apiKey) {\n headers['Authorization'] = `Bearer ${config.apiKey}`;\n headers['X-API-Key'] = config.apiKey;\n }\n\n await fetch(`${config.apiBaseUrl}/agents/verify-access/${sessionId}/decision`, {\n method: 'POST',\n headers,\n body: JSON.stringify({\n decision,\n reason,\n ...(override && {\n overriddenBy: override.overriddenBy,\n toolName: override.toolName,\n requestedLevel: override.requestedLevel,\n grantedLevel: override.grantedLevel,\n }),\n }),\n }).catch(() => {\n / fire-and-forget /\n });\n}\n\n/\n v2.3.10 (defect #34, round-4): record a SDK-side local override for an\n * anonymous verify-access response. Anonymous traffic has no session row, so\n * `recordDecision` (above) doesn't apply — but we still need to surface the\n * dashboard-vs-runtime divergence (e.g. server granted with audit warning\n * but local toolGate floor denied) on the activity feed.\n \n Backend ties the resulting `verification.local_override` event back to the\n * original `verification.unverified_audit` event via `correlationId`. The\n * endpoint is sessionless — see the docstring on the backend route for the\n * abuse-mitigation rationale (rate-limited per IP).\n \n Fire-and-forget — errors are silently swallowed.\n /\nexport async function recordAnonymousLocalOverride(\n config: GatewayConfig,\n correlationId: string,\n override: DecisionOverride,\n reason?: string\n): Promise<void> {\n const headers: Record<string, string> = { 'Content-Type': 'application/json' };\n if (config.apiKey) {\n headers['Authorization'] = `Bearer ${config.apiKey}`;\n headers['X-API-Key'] = config.apiKey;\n }\n\n await fetch(`${config.apiBaseUrl}/agents/verify-access/local-override`, {\n method: 'POST',\n headers,\n body: JSON.stringify({\n correlationId,\n reason,\n overriddenBy: override.overriddenBy,\n toolName: override.toolName,\n requestedLevel: override.requestedLevel,\n grantedLevel: override.grantedLevel,\n }),\n }).catch(() => {\n / fire-and-forget /\n });\n}\n\n/\n Fetch the per-route policy for an endpoint from the AstraSync backend.\n * v2.9.7 moved policy authority into the dashboard — the SDK no longer\n * accepts `routes` from merchant-side source code, it fetches them from\n * here on init (and refreshes periodically).\n \n Returns `null` when the request fails for any reason — the caller decides\n * how to fall back (the middleware allows-all when no policy is loaded so\n * a misconfigured init doesn't take down the merchant's API).\n /\nexport async function fetchRoutes(\n config: GatewayConfig,\n counterpartyId: string\n): Promise<RouteAccessConfigShape[] \| null> {\n if (!counterpartyId) return null;\n const headers: Record<string, string> = { 'Content-Type': 'application/json' };\n if (config.apiKey) {\n headers['Authorization'] = `Bearer ${config.apiKey}`;\n headers['X-API-Key'] = config.apiKey;\n }\n try {\n const response = await fetch(\n `${config.apiBaseUrl}/endpoints/${encodeURIComponent(counterpartyId)}/routes`,\n { method: 'GET', headers }\n );\n if (!response.ok) return null;\n const body = (await response.json()) as { data?: { routes?: RouteAccessConfigShape[] } };\n return body.data?.routes ?? [];\n } catch {\n return null;\n }\n}\n\n/\n Minimal shape of an EndpointRoute as the SDK consumes it. Mirrors the\n * server's `EndpointRoute` type and the SDK's `RouteAccessConfig` — same\n * JSON moves between server and SDK unchanged.\n /\nexport interface RouteAccessConfigShape {\n pattern: string;\n method: string;\n minAccessLevel: 'none' \| 'restricted' \| 'read-only' \| 'standard' \| 'full' \| 'internal';\n minTrustScore?: number;\n requiredPurposes?: string[];\n allowedPurposes?: string[];\n allowedJurisdictions?: string[];\n maxDuration?: number;\n maxTransactionValue?: number;\n}\n\n/\n Verify an agent AND automatically record the grant/deny decision.\n \n This is the recommended entry point for counterparties that call verify()\n * directly (e.g. MCP servers) rather than using createMiddleware().\n * It adds createSession: true, then fire-and-forgets the decision.\n /\nexport async function verifyAndRecord(\n config: GatewayConfig,\n request: VerificationRequest\n): Promise<VerificationResult> {\n const mergedConfig = { ...DEFAULT_CONFIG, ...config };\n const result = await verify(mergedConfig, { ...request, createSession: true });\n const sessionId = (result as EnhancedVerificationResult).sessionId;\n\n if (sessionId) {\n // Round-18 G4: a session is \"granted\" only if identity verified AND\n // policy allowed; either failing is a deny.\n if (result.identityVerified && result.policyAllowed) {\n recordDecision(mergedConfig, sessionId, 'granted').catch(() => {});\n } else {\n recordDecision(mergedConfig, sessionId, 'denied', result.denialReasons?.[0]).catch(() => {});\n }\n }\n\n return result;\n}\n\n/\n Report an unregistered agent attempt (no AstraSync credentials).\n * Called by SDK adapters when an agent is redirected to /docs/agent-access.\n * Fire-and-forget — errors are silently swallowed.\n /\nexport async function reportUnregisteredAttempt(\n config: GatewayConfig,\n data: {\n counterpartyUrl: string;\n counterpartyType?: string;\n sourceIp?: string;\n userAgent?: string;\n requestPath?: string;\n requestMethod?: string;\n }\n): Promise<void> {\n const apiBaseUrl = config.apiBaseUrl \|\| DEFAULT_CONFIG.apiBaseUrl!;\n\n await fetch(`${apiBaseUrl}/verification-activity/unregistered-attempt`, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify(data),\n }).catch(() => {\n / fire-and-forget /\n });\n}\n\n/\n Report a counterparty-side PDLSS pre-check failure.\n * Called by SDK adapters when the agent's requested PDLSS exceeds\n * counterparty-defined maximums BEFORE calling verify-access.\n * Fire-and-forget — errors are silently swallowed.\n /\nexport async function reportCounterpartyPreCheckFailure(\n config: GatewayConfig,\n data: {\n agentId: string;\n counterpartyUrl: string;\n counterpartyType?: string;\n failures: Array<{\n field: string;\n requested: string \| number;\n limit: string \| number \| string[];\n message: string;\n }>;\n requestPath?: string;\n requestMethod?: string;\n }\n): Promise<void> {\n const apiBaseUrl = config.apiBaseUrl \|\| DEFAULT_CONFIG.apiBaseUrl!;\n\n await fetch(`${apiBaseUrl}/verification-activity/counterparty-pre-check-failure`, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify(data),\n }).catch(() => {\n / fire-and-forget /\n });\n}\n\n/\n Quick verification — checks credentials and policy in one call.\n \n Round-18 G4: return shape mirrors `VerificationResult`'s split — partners\n * writing custom handlers around `quickVerify` get the same identity/policy\n * distinction as those calling `verify()` directly. Map to HTTP status the\n * same way: `!identityVerified` → 401; `identityVerified && !policyAllowed`\n * → 403.\n /\nexport async function quickVerify(\n config: GatewayConfig,\n credentials: AgentCredentials\n): Promise<{\n identityVerified: boolean;\n policyAllowed: boolean;\n accessLevel: AccessLevel;\n reason?: string;\n}> {\n const result = await verify(config, {\n credentials,\n purpose: 'verification',\n });\n\n return {\n identityVerified: result.identityVerified,\n policyAllowed: result.policyAllowed,\n accessLevel: result.accessLevel,\n reason: result.denialReasons?.[0],\n };\n}\n","/\n AstraSync Universal Verification Gateway - Express Middleware\n \n Express.js middleware for verifying AI agents on API endpoints.\n \n @example\n * ```typescript\n * import express from 'express';\n * import { createMiddleware } from '@astrasyncai/verification-gateway/express';\n \n const app = express();\n \n app.use(createMiddleware({\n * apiBaseUrl: 'https://astrasync.ai/api',\n * routes: [\n * { pattern: '/api/public/', method: '', minAccessLevel: 'none' },\n * { pattern: '/api/data/', method: 'GET', minAccessLevel: 'read-only' },\n { pattern: '/api/data/', method: '', minAccessLevel: 'standard' },\n * { pattern: '/api/admin/', method: '', minAccessLevel: 'internal' },\n * ],\n * }));\n * ```\n /\n\nimport type { Request, Response, NextFunction, RequestHandler } from 'express';\nimport type {\n ExpressMiddlewareOptions,\n AgentCredentials,\n VerificationResult,\n EnhancedVerificationResult,\n RouteAccessConfig,\n AstraSyncCredentials,\n} from '../types';\nimport {\n verify,\n extractCredentials,\n recordDecision,\n reportCounterpartyPreCheckFailure,\n fetchRoutes,\n} from '../verify';\nimport { hasMinimumAccess } from '../access-levels';\nimport { extractHttpCredentials } from '../transport/http';\nimport { performCounterpartyPreCheck } from '../pdlss-pre-check';\n\n/\n Extend Express Request with verification result\n /\ndeclare global {\n // eslint-disable-next-line @typescript-eslint/no-namespace\n namespace Express {\n interface Request {\n agentVerification?: VerificationResult;\n }\n }\n}\n\n/\n Default credential extractor\n /\nfunction defaultExtractCredentials(req: Request): AgentCredentials {\n return extractCredentials(\n req.headers as Record<string, string \| string[] \| undefined>,\n req.query as Record<string, string \| undefined>\n );\n}\n\n/\n Extract extended AstraSync credentials (X-Astra-* headers) from Express request.\n * Returns null if no AstraSync headers are present.\n /\nexport function extractAstraSyncCredentials(req: Request): AstraSyncCredentials \| null {\n return extractHttpCredentials(req.headers as Record<string, string \| string[] \| undefined>);\n}\n\n/\n Default purpose extractor.\n \n Priority:\n * 1. Agent's declared PDLSS purpose from X-Astra-Purpose header (e.g. \"read_data:search\")\n * 2. Explicit x-purpose header\n * 3. Query parameter ?purpose=\n * 4. HTTP method → PDLSS category fallback\n /\nfunction defaultExtractPurpose(req: Request): string \| undefined {\n // 1. Check agent's declared PDLSS purpose (X-Astra-Purpose header)\n const astraPurpose = req.headers['x-astra-purpose'];\n if (astraPurpose) {\n const value = Array.isArray(astraPurpose) ? astraPurpose[0] : astraPurpose;\n // Extract category from \"category:action\" format — the verify API expects the category\n const category = value.split(':')[0];\n return category;\n }\n\n // 2. Try explicit purpose header\n const purposeHeader = req.headers['x-purpose'] \|\| req.headers['X-Purpose'];\n if (purposeHeader) {\n return Array.isArray(purposeHeader) ? purposeHeader[0] : purposeHeader;\n }\n\n // 3. Try query parameter\n if (req.query.purpose && typeof req.query.purpose === 'string') {\n return req.query.purpose;\n }\n\n // 4. Infer from HTTP method using PDLSS-compatible categories\n switch (req.method) {\n case 'GET':\n return 'read_data';\n case 'POST':\n return 'write_data';\n case 'PUT':\n case 'PATCH':\n return 'write_data';\n case 'DELETE':\n return 'delete_data';\n default:\n return 'general';\n }\n}\n\n/\n Match a route pattern against a path\n /\nfunction matchRoute(pattern: string, path: string): boolean {\n // Convert pattern to regex\n const regexPattern = pattern.replace(/\\/g, '.').replace(/\\//g, '\\\\/');\n\n const regex = new RegExp(`^${regexPattern}$`);\n return regex.test(path);\n}\n\n/\n Find the route configuration for a request\n /\nfunction findRouteConfig(\n routes: RouteAccessConfig[],\n path: string,\n method: string\n): RouteAccessConfig \| undefined {\n return routes.find((route) => {\n const methodMatches =\n route.method === '' \|\| route.method.toUpperCase() === method.toUpperCase();\n const pathMatches = matchRoute(route.pattern, path);\n return methodMatches && pathMatches;\n });\n}\n\n/*\n Default denied handler\n \n Round-10 (#47, O5): the response body now carries the full `failures[]`\n * array and the `correlationId` so partners can render per-dimension UX\n * and tie a denial back to a server log line. Previously the merchant only\n * got the first denialReason — meaningful detail was thrown away before\n * the response left the SDK. Also stamps `X-Astra-Gateway-Mode: enforced`\n * so partners can tell a gate-evaluated denial apart from a gate-skipped\n * pass-through (#49/O10 — the `unenforced` complement).\n /\nfunction defaultOnDenied(result: VerificationResult, _req: Request, res: Response): void {\n // Round-18 G4: identity-verification failures → 401 (re-authenticate);\n // identity-verified-but-policy-denied → 403 (re-auth won't help; update\n // PDLSS scope or escalate to step-up). Maps to the two distinct recovery\n // actions that HTTP middleware acts on without parsing bodies. The\n // impossible state `!identityVerified && policyAllowed` falls into the\n // `!identityVerified` branch — identity is the more-fundamental missing\n // precondition.\n const statusCode = !result.identityVerified ? 401 : 403;\n\n res.setHeader('X-Astra-Gateway-Mode', 'enforced');\n\n res.status(statusCode).json({\n success: false,\n error: {\n code: !result.identityVerified ? 'UNAUTHORIZED' : 'INSUFFICIENT_ACCESS',\n message: result.denialReasons?.[0] \|\| 'Access denied',\n accessLevel: result.accessLevel,\n guidance: result.guidance,\n // Round-10: aggregated per-dimension detail + correlation handle.\n failures: result.failures,\n correlationId: result.correlationId,\n },\n });\n}\n\n/\n Refresh interval for the remote-fetched route policy. Default: every 5\n * minutes. Override via `routesRefreshMs` on the middleware options. Each\n * middleware instance keeps its own cache; multiple instances pointing at the\n * same endpoint will each fetch independently.\n /\nconst DEFAULT_ROUTES_REFRESH_MS = 5 60 * 1000;\n\n/*\n Create Express middleware for agent verification.\n \n v2.9.7 moved per-route policy authority out of merchant-side source code\n * into the AstraSync dashboard. `createMiddleware` no longer accepts a\n * `routes` array — it fetches the endpoint's stored policy via\n * `GET /endpoints/:counterpartyId/routes` on init and refreshes\n * periodically. Policy edits in the dashboard take effect on the next\n * refresh (or sooner if the operator manually restarts the SDK).\n \n `counterpartyId` is required: the SDK can't know which endpoint's policy\n * to fetch without it. Local-development workflows that don't have an\n * AstraSync endpoint registered can omit it — the middleware logs a\n * one-time warning and falls through (allows all) until a policy is\n * fetchable.\n /\nexport function createMiddleware(options: ExpressMiddlewareOptions): RequestHandler {\n const {\n extractCredentials: customExtractCredentials,\n extractPurpose: customExtractPurpose,\n skipPaths = [],\n onDenied = defaultOnDenied,\n recordDecisions,\n enableRuntimeChallenge = true,\n routesRefreshMs = DEFAULT_ROUTES_REFRESH_MS,\n ...config\n } = options;\n\n // Per-middleware-instance route cache. Populated on first fetch; refreshed\n // every `routesRefreshMs`. Until first successful fetch we hold an empty\n // array which means \"no per-route gating active\" — the middleware falls\n // through. Pre-fix the array came from merchant source, which both broke\n // the auth-boundary story (defect 24) and silently disagreed with the\n // dashboard.\n let cachedRoutes: RouteAccessConfig[] = [];\n let lastFetchAt = 0;\n let refreshing: Promise<void> \| null = null;\n let warnedNoCounterparty = false;\n let warnedEmptyRoutes = false;\n\n async function refreshRoutes(): Promise<void> {\n if (!config.counterpartyId) {\n if (!warnedNoCounterparty) {\n // eslint-disable-next-line no-console\n console.warn(\n '[VerificationGateway] No counterpartyId configured — falling through (allow all). ' +\n 'Per-route policy lives in the AstraSync dashboard now; register the endpoint and ' +\n 'set counterpartyId in your middleware config to enforce policy.'\n );\n warnedNoCounterparty = true;\n }\n return;\n }\n const fetched = await fetchRoutes(config, config.counterpartyId);\n if (fetched) {\n cachedRoutes = fetched;\n lastFetchAt = Date.now();\n // v2.3.8 (defect #25): if the fetch succeeded but returned an empty\n // policy, the endpoint is registered correctly but the operator hasn't\n // configured any routes yet — every request will fall through ungated.\n // Surface this loudly once so silent pass-through can't go unnoticed.\n if (cachedRoutes.length === 0 && !warnedEmptyRoutes) {\n const dashboard = config.dashboardUrl ?? 'https://app.astrasync.ai';\n // eslint-disable-next-line no-console\n console.warn(\n `[VerificationGateway] No route policy configured for ${config.counterpartyId}. ` +\n `Gateway is in pass-through mode for ALL traffic until you add at least one route. ` +\n `Configure at ${dashboard}/dashboard/endpoints/${config.counterpartyId}/routes`\n );\n warnedEmptyRoutes = true;\n }\n }\n }\n\n // Eager first fetch so the first request after init has policy loaded.\n // Errors are swallowed (handled by fetchRoutes returning null).\n refreshing = refreshRoutes().finally(() => {\n refreshing = null;\n });\n\n return async (req: Request, res: Response, next: NextFunction): Promise<void> => {\n try {\n // Check if path should be skipped\n const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, req.path));\n if (shouldSkip) {\n return next();\n }\n\n // Wait for in-flight init fetch (only on the very first request) so we\n // don't admit traffic with no policy loaded.\n if (refreshing) {\n await refreshing.catch(() => {});\n }\n // Time-based refresh: kick off a background refresh if the cache is\n // stale. Doesn't block the current request — readers see whatever is\n // cached at this moment; the next request will see the refreshed copy.\n if (config.counterpartyId && Date.now() - lastFetchAt > routesRefreshMs) {\n refreshing = refreshRoutes().finally(() => {\n refreshing = null;\n });\n }\n\n // Find route configuration\n const routeConfig = findRouteConfig(cachedRoutes, req.path, req.method);\n\n // If no route config, skip verification (allow through)\n if (!routeConfig) {\n if (config.setPassThroughHeader) {\n // Round-10 (#49, O10): `unenforced` replaces the previous\n // `pass-through` label. The previous name conflated \"gateway\n // didn't evaluate policy\" with \"request succeeded end-to-end\" —\n // the downstream handler may still return any status. The new\n // semantic describes the GATE state only.\n res.setHeader('X-Astra-Gateway-Mode', 'unenforced');\n res.setHeader(\n 'X-Astra-Gateway-Reason',\n cachedRoutes.length === 0 ? 'no-policy' : 'no-match'\n );\n }\n return next();\n }\n\n // Extract credentials (hoisted from below the route-none check so the\n // round-12 F9 evaluateAlwaysIfCredentialed flag can decide whether to\n // evaluate vs short-circuit).\n const credentials = customExtractCredentials\n ? customExtractCredentials(req)\n : defaultExtractCredentials(req);\n\n // Round-12 (F9): route-none short-circuit unless the caller wants\n // evaluation-without-enforcement. With evaluateAlwaysIfCredentialed\n // set to true AND credentials present, the middleware calls\n // verify-access for audit + req.agentVerification population, then\n // proceeds without gating. Default behaviour (flag off) preserves\n // pre-F9 short-circuit semantics.\n const shouldEnforce = routeConfig.minAccessLevel !== 'none';\n if (\n routeConfig.minAccessLevel === 'none' &&\n (!config.evaluateAlwaysIfCredentialed \|\| !credentials.astraId)\n ) {\n if (config.setPassThroughHeader) {\n res.setHeader('X-Astra-Gateway-Mode', 'unenforced');\n res.setHeader('X-Astra-Gateway-Reason', 'route-none');\n }\n return next();\n }\n\n // v2.3.0: anonymous traffic no longer short-circuits client-side.\n // The server applies the endpoint's `unverifiedAgentPolicy` (deny /\n // allow_partial / allow_full) and emits the verification event +\n // blockchain record per the canonical flow. SDK forwards verbatim.\n\n // Extract purpose\n const purpose = customExtractPurpose ? customExtractPurpose(req) : defaultExtractPurpose(req);\n\n // Extract full AstraSync credentials (includes PDLSS from X-Astra- headers)\n const astraCreds = extractAstraSyncCredentials(req);\n\n // Auto-detect counterparty URL from the request if not explicitly configured.\n // Since the SDK is installed at this endpoint, we always know the origin.\n const counterpartyUrl = config.counterpartyUrl \|\| `${req.protocol}://${req.get('host')}`;\n\n // Step 2: Counterparty-side PDLSS pre-check — compare agent's requested PDLSS\n // against counterparty-defined maximums on the route config.\n // Rejects immediately if outside limits, BEFORE calling verify-access.\n const preCheckFailures = performCounterpartyPreCheck(routeConfig, astraCreds, purpose);\n if (preCheckFailures.length > 0) {\n // Round-18 G4: counterparty pre-check failure — request rejected\n // before reaching verify-access. Neither identity nor policy was\n // remotely verified; both axes truthfully false.\n const result: VerificationResult = {\n identityVerified: false,\n policyAllowed: false,\n accessLevel: 'none',\n denialReasons: preCheckFailures.map((f) => f.message),\n guidance: {\n message: 'Request exceeds counterparty-defined PDLSS limits.',\n registrationUrl: `${config.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl?.replace('/api', '')}/docs/pdlss`,\n },\n verifiedAt: new Date(),\n };\n\n req.agentVerification = result;\n\n // Fire-and-forget: notify AstraSync of the pre-check failure\n reportCounterpartyPreCheckFailure(config, {\n agentId: astraCreds?.agentId \|\| credentials.astraId \|\| 'unknown',\n counterpartyUrl,\n counterpartyType: config.counterpartyType \|\| 'api',\n failures: preCheckFailures,\n requestPath: req.path,\n requestMethod: req.method,\n }).catch(() => {});\n\n onDenied(result, req, res);\n return;\n }\n\n // Step 3: Call AstraSync verify-access with runtime challenge enabled\n const shouldRecordDecisions = recordDecisions !== false;\n const forwardedFor = req.headers['x-forwarded-for'];\n const forwardedForStr = Array.isArray(forwardedFor) ? forwardedFor.join(', ') : forwardedFor;\n // X-Forwarded-For's first entry is the original client. Fall back to req.ip\n // (which Express already resolves via trust proxy settings when configured).\n const originalClientIp = forwardedForStr ? forwardedForStr.split(',')[0].trim() : req.ip;\n const agentCardUrl =\n typeof req.headers['x-astrasync-agent-card'] === 'string'\n ? (req.headers['x-astrasync-agent-card'] as string)\n : undefined;\n\n const result = await verify(config, {\n credentials,\n purpose,\n action: req.method.toLowerCase(),\n resource: req.path,\n createSession: shouldRecordDecisions,\n counterpartyUrl,\n counterpartyType: config.counterpartyType \|\| 'api',\n enableRuntimeChallenge,\n durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration,\n callerMetadata: {\n sourceIp: originalClientIp,\n userAgent: req.headers['user-agent'] as string \| undefined,\n referer: req.headers.referer as string \| undefined,\n host: req.headers.host as string \| undefined,\n forwardedFor: forwardedForStr,\n agentCardUrl,\n },\n });\n\n // Attach result to request\n req.agentVerification = result;\n const sessionId = (result as EnhancedVerificationResult).sessionId;\n\n // v2.3.9 (defect #30): denied verifications short-circuit BEFORE the\n // gate-level comparison. Pre-rename, denials returned\n // `accessLevel: 'guidance'` and routes gated at `'guidance'` passed\n // `hasMinimumAccess('guidance', 'guidance') === true` — letting\n // unverified anonymous traffic through to the merchant handler. The\n // verify.ts denial branches now return `'none'` (so the gate check\n // alone would correctly deny), but trusting access-level math for a\n // denial is a category error: failing either identity OR policy already\n // means \"deny.\" We check that first.\n // Round-18 G4: short-circuit on either axis failing — identity-fail\n // (no resolved caller) or policy-fail (PDLSS or recommendation deny).\n if (!result.identityVerified \|\| !result.policyAllowed) {\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'denied', result.denialReasons?.[0]).catch(() => {});\n }\n onDenied(result, req, res);\n return;\n }\n\n // Round-12 (F9): evaluation-without-enforcement. When the route is\n // 'none' but we ran verify-access for audit, skip the gates and call\n // next() — the result is on req.agentVerification for the handler\n // to render tier-aware responses (e.g. anonymous vs verified\n // catalog view on the same path).\n if (!shouldEnforce) {\n if (config.setPassThroughHeader) {\n res.setHeader('X-Astra-Gateway-Mode', 'enforced');\n res.setHeader('X-Astra-Gateway-Reason', 'evaluated-not-enforced');\n }\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'granted').catch(() => {});\n }\n return next();\n }\n\n // Check if access level is sufficient (verified caller path only —\n // denials handled above)\n if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {\n // Round-12 (F12): synthesise the structured failure entry so the\n // partner-facing response carries the same shape as every other\n // denial dimension. Guidance positions step-up only — increasing\n // trust score or lowering the route floor both read as gaming the\n // gate. Step-up flow ships separately this month.\n const insufficientFailure = {\n dimension: 'access_level.insufficient',\n message: `Endpoint requires accessLevel '${routeConfig.minAccessLevel}'; agent has '${result.accessLevel}'.`,\n guidance:\n \"Request elevated access via step-up verification (coming soon — ships this month). Step-up lets the agent owner approve a one-time elevation for this specific counterparty + purpose without changing the agent's baseline trust score.\",\n };\n result.failures = [...(result.failures ?? []), insufficientFailure];\n result.denialReasons = [...(result.denialReasons ?? []), insufficientFailure.message];\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'denied', insufficientFailure.message).catch(() => {});\n }\n onDenied(result, req, res);\n return;\n }\n\n // Check trust score requirement if specified\n if (routeConfig.minTrustScore && result.agent) {\n if (result.agent.trustScore < routeConfig.minTrustScore) {\n // Round-12 (F12): structured failure entry + step-up framing.\n const trustFailure = {\n dimension: 'access_level.insufficient',\n message: `Trust score ${result.agent.trustScore} is below required ${routeConfig.minTrustScore} for this route.`,\n guidance:\n \"Request elevated access via step-up verification (coming soon — ships this month). Step-up lets the agent owner approve a one-time elevation for this specific counterparty + purpose without changing the agent's baseline trust score.\",\n };\n result.failures = [...(result.failures ?? []), trustFailure];\n result.denialReasons = [trustFailure.message];\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'denied', trustFailure.message).catch(() => {});\n }\n onDenied(result, req, res);\n return;\n }\n }\n\n // All checks passed — record grant decision\n if (shouldRecordDecisions && sessionId) {\n recordDecision(config, sessionId, 'granted').catch(() => {});\n }\n // v2.3.8 (defect #26): if the endpoint's `unverifiedAgentPolicy` is\n // `'audit'` (allow + soft-launch warning), the server returns the\n // header to relay. Lift it onto the merchant's response BEFORE\n // calling next() so downstream handlers and the eventual response\n // back to the agent both carry it.\n const enhancedResult = result as EnhancedVerificationResult;\n if (enhancedResult.warningHeader) {\n res.setHeader(enhancedResult.warningHeader.name, enhancedResult.warningHeader.value);\n }\n next();\n } catch (error) {\n // Log error and continue (fail open by default)\n console.error('[VerificationGateway] Middleware error:', error);\n next();\n }\n };\n}\n\n// `requireAccess` and `verifyOnly` were removed in v2.9.7. Both injected a\n// local `routes` array into the merchant's source code, which is the exact\n// dual-config attack vector defect 24 closed. Per-route policy now lives in\n// the AstraSync dashboard (gated by team.role admin auth + audit + alerts).\n// To enforce a minimum tier, set the route's `minAccessLevel` in the\n// dashboard. For \"verify but don't block,\" set every route to `none` there.\n","/*\n AstraSync Universal Verification Gateway - Next.js Middleware\n \n Next.js middleware for verifying AI agents on web applications.\n * Supports Commerce Shield overlay for unverified agents.\n \n @example\n * ```typescript\n * // middleware.ts\n * import { createMiddleware } from '@astrasyncai/verification-gateway/nextjs';\n \n export const middleware = createMiddleware({\n * apiBaseUrl: 'https://api.astrasync.ai',\n * showCommerceShield: true,\n * routes: [\n * { pattern: '/api/public/', method: '', minAccessLevel: 'none' },\n * { pattern: '/api/', method: '', minAccessLevel: 'standard' },\n * { pattern: '/dashboard/', method: '', minAccessLevel: 'read-only' },\n * ],\n * });\n \n export const config = {\n * matcher: ['/api/:path', '/dashboard/:path'],\n * };\n * ```\n /\n\nimport type { NextRequest } from 'next/server';\nimport type {\n NextJsMiddlewareOptions,\n AgentCredentials,\n VerificationResult,\n RouteAccessConfig,\n AstraSyncCredentials,\n} from '../types';\nimport { verify, reportCounterpartyPreCheckFailure, fetchRoutes } from '../verify';\nimport { hasMinimumAccess } from '../access-levels';\nimport { extractHttpCredentials } from '../transport/http';\nimport { performCounterpartyPreCheck } from '../pdlss-pre-check';\n\n/\n Extract credentials from Next.js request\n /\nfunction extractCredentialsFromNextRequest(request: NextRequest): AgentCredentials {\n const credentials: AgentCredentials = {};\n\n // Check for ASTRA-ID in headers\n const astraId = request.headers.get('x-astra-id') \|\| request.headers.get('X-Astra-Id');\n if (astraId) {\n credentials.astraId = astraId;\n }\n\n // Check for API key\n const apiKey = request.headers.get('x-api-key') \|\| request.headers.get('X-Api-Key');\n if (apiKey) {\n credentials.apiKey = apiKey;\n }\n\n // Check Authorization header\n const authHeader = request.headers.get('authorization');\n if (authHeader) {\n credentials.authorizationHeader = authHeader;\n if (authHeader.startsWith('Bearer ')) {\n credentials.jwt = authHeader.slice(7);\n }\n }\n\n // Check query parameters\n const url = new URL(request.url);\n const astraIdParam = url.searchParams.get('astraId');\n const apiKeyParam = url.searchParams.get('apiKey');\n\n if (astraIdParam && !credentials.astraId) {\n credentials.astraId = astraIdParam;\n }\n if (apiKeyParam && !credentials.apiKey) {\n credentials.apiKey = apiKeyParam;\n }\n\n return credentials;\n}\n\n/\n Match a route pattern against a path\n /\nfunction matchRoute(pattern: string, path: string): boolean {\n const regexPattern = pattern.replace(/\\/g, '.').replace(/\\//g, '\\\\/');\n\n const regex = new RegExp(`^${regexPattern}$`);\n return regex.test(path);\n}\n\n/\n Find the route configuration for a request\n /\nfunction findRouteConfig(\n routes: RouteAccessConfig[],\n path: string,\n method: string\n): RouteAccessConfig \| undefined {\n return routes.find((route) => {\n const methodMatches =\n route.method === '' \|\| route.method.toUpperCase() === method.toUpperCase();\n const pathMatches = matchRoute(route.pattern, path);\n return methodMatches && pathMatches;\n });\n}\n\n/*\n Extract AstraSyncCredentials from Next.js request headers.\n * Returns null if no AstraSync headers are present.\n /\nfunction extractAstraSyncCredentialsFromNextRequest(\n request: NextRequest\n): AstraSyncCredentials \| null {\n const headers: Record<string, string> = {};\n request.headers.forEach((value, key) => {\n headers[key] = value;\n });\n return extractHttpCredentials(headers);\n}\n\n/\n Extract purpose from request.\n \n Priority:\n * 1. Agent's declared PDLSS purpose from X-Astra-Purpose header (e.g. \"read_data:search\")\n * 2. Explicit x-purpose header\n * 3. HTTP method → PDLSS category fallback\n /\nfunction extractPurpose(request: NextRequest): string {\n // 1. Check agent's declared PDLSS purpose (X-Astra-Purpose header)\n const astraPurpose = request.headers.get('x-astra-purpose');\n if (astraPurpose) {\n // Extract category from \"category:action\" format\n return astraPurpose.split(':')[0];\n }\n\n // 2. Try explicit purpose header\n const purposeHeader = request.headers.get('x-purpose');\n if (purposeHeader) {\n return purposeHeader;\n }\n\n // 3. Infer from HTTP method using PDLSS-compatible categories\n switch (request.method.toUpperCase()) {\n case 'GET':\n return 'read_data';\n case 'POST':\n return 'write_data';\n case 'PUT':\n case 'PATCH':\n return 'write_data';\n case 'DELETE':\n return 'delete_data';\n default:\n return 'general';\n }\n}\n\n/\n Generate Commerce Shield HTML response\n /\nfunction generateCommerceShieldHtml(\n result: VerificationResult,\n options: NextJsMiddlewareOptions\n): string {\n const title = options.commerceShield?.title \|\| 'AstraSync Agent Verification';\n const message =\n options.commerceShield?.message \|\|\n result.guidance?.message \|\|\n \"This site verifies AI agents before granting access. We noticed you're visiting without AstraSync credentials.\";\n const registrationUrl = result.guidance?.registrationUrl \|\| 'https://astrasync.ai/register';\n const docsUrl = result.guidance?.documentationUrl \|\| 'https://astrasync.ai/docs/agent-access';\n const allowGuest = options.commerceShield?.allowGuestAccess ?? true;\n\n return `\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n <title>${title}</title>\n <style>\n {\n box-sizing: border-box;\n margin: 0;\n padding: 0;\n }\n body {\n font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;\n background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);\n min-height: 100vh;\n display: flex;\n align-items: center;\n justify-content: center;\n padding: 20px;\n }\n .shield-container {\n background: rgba(255, 255, 255, 0.95);\n border-radius: 16px;\n box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.5);\n max-width: 480px;\n width: 100%;\n padding: 40px;\n text-align: center;\n }\n .shield-icon {\n font-size: 48px;\n margin-bottom: 20px;\n }\n .shield-title {\n font-size: 24px;\n font-weight: 700;\n color: #1a1a2e;\n margin-bottom: 16px;\n }\n .shield-message {\n color: #4a5568;\n line-height: 1.6;\n margin-bottom: 24px;\n }\n .shield-steps {\n text-align: left;\n background: #f7fafc;\n border-radius: 8px;\n padding: 20px;\n margin-bottom: 24px;\n }\n .shield-steps h3 {\n font-size: 14px;\n font-weight: 600;\n color: #2d3748;\n margin-bottom: 12px;\n }\n .shield-steps ol {\n padding-left: 20px;\n color: #4a5568;\n }\n .shield-steps li {\n margin-bottom: 8px;\n }\n .shield-buttons {\n display: flex;\n flex-direction: column;\n gap: 12px;\n }\n .btn {\n display: inline-block;\n padding: 14px 24px;\n border-radius: 8px;\n font-weight: 600;\n text-decoration: none;\n transition: all 0.2s;\n cursor: pointer;\n border: none;\n font-size: 16px;\n }\n .btn-primary {\n background: linear-gradient(135deg, #6366f1 0%, #4f46e5 100%);\n color: white;\n }\n .btn-primary:hover {\n transform: translateY(-2px);\n box-shadow: 0 4px 12px rgba(99, 102, 241, 0.4);\n }\n .btn-secondary {\n background: #e2e8f0;\n color: #4a5568;\n }\n .btn-secondary:hover {\n background: #cbd5e0;\n }\n .shield-footer {\n margin-top: 24px;\n font-size: 14px;\n color: #718096;\n }\n .shield-footer a {\n color: #6366f1;\n text-decoration: none;\n }\n .shield-footer a:hover {\n text-decoration: underline;\n }\n </style>\n</head>\n<body>\n <div class=\"shield-container\">\n <div class=\"shield-icon\">🛡️</div>\n <h1 class=\"shield-title\">${title}</h1>\n <p class=\"shield-message\">${message}</p>\n\n <div class=\"shield-steps\">\n <h3>To get verified access:</h3>\n <ol>\n <li>Register at <a href=\"${registrationUrl}\">astrasync.ai/register</a></li>\n <li>Create and register your agent</li>\n <li>Add your ASTRA-ID to request headers</li>\n <li>Refresh this page</li>\n </ol>\n </div>\n\n <div class=\"shield-buttons\">\n <a href=\"${registrationUrl}\" class=\"btn btn-primary\">Register Now</a>\n ${allowGuest ? '<button onclick=\"window.location.reload()\" class=\"btn btn-secondary\">Continue as Guest (Limited)</button>' : ''}\n </div>\n\n <p class=\"shield-footer\">\n Learn more: <a href=\"${docsUrl}\">Agent Access Documentation</a>\n </p>\n </div>\n</body>\n</html>\n `.trim();\n}\n\nconst DEFAULT_ROUTES_REFRESH_MS = 5 * 60 * 1000;\n\n/*\n Create Next.js middleware for agent verification.\n \n v2.9.7 moved per-route policy out of merchant-side source code into the\n * AstraSync dashboard. The middleware fetches its routes from the backend\n * via `GET /endpoints/:counterpartyId/routes` on init and refreshes\n * periodically — see `ExpressMiddlewareOptions` for the rationale (defect\n * 24, dual-config silent-conflict).\n /\nexport function createMiddleware(options: NextJsMiddlewareOptions) {\n const {\n skipPaths = [],\n showCommerceShield = true,\n enableRuntimeChallenge = true,\n routesRefreshMs = DEFAULT_ROUTES_REFRESH_MS,\n ...config\n } = options;\n\n let cachedRoutes: RouteAccessConfig[] = [];\n let lastFetchAt = 0;\n let refreshing: Promise<void> \| null = null;\n let warnedNoCounterparty = false;\n\n async function refreshRoutes(): Promise<void> {\n if (!config.counterpartyId) {\n if (!warnedNoCounterparty) {\n // eslint-disable-next-line no-console\n console.warn(\n '[VerificationGateway/Next.js] No counterpartyId configured — falling through (allow all). ' +\n 'Per-route policy lives in the AstraSync dashboard now; register the endpoint and ' +\n 'set counterpartyId in your middleware config to enforce policy.'\n );\n warnedNoCounterparty = true;\n }\n return;\n }\n const fetched = await fetchRoutes(config, config.counterpartyId);\n if (fetched) {\n cachedRoutes = fetched;\n lastFetchAt = Date.now();\n }\n }\n\n refreshing = refreshRoutes().finally(() => {\n refreshing = null;\n });\n\n return async function middleware(request: NextRequest) {\n // Dynamic import NextResponse to avoid build issues\n const { NextResponse } = await import('next/server');\n\n const pathname = request.nextUrl.pathname;\n\n // Check if path should be skipped\n const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, pathname));\n if (shouldSkip) {\n return NextResponse.next();\n }\n\n if (refreshing) {\n await refreshing.catch(() => {});\n }\n if (config.counterpartyId && Date.now() - lastFetchAt > routesRefreshMs) {\n refreshing = refreshRoutes().finally(() => {\n refreshing = null;\n });\n }\n\n // Find route configuration (from remote-fetched cache)\n const routeConfig = findRouteConfig(cachedRoutes, pathname, request.method);\n\n // If no route config, allow through\n if (!routeConfig) {\n return NextResponse.next();\n }\n\n // If route requires 'none' access, allow through\n if (routeConfig.minAccessLevel === 'none') {\n return NextResponse.next();\n }\n\n // Extract credentials\n const credentials = extractCredentialsFromNextRequest(request);\n\n // v2.3.0: anonymous traffic no longer short-circuits client-side.\n // The server applies the endpoint's `unverifiedAgentPolicy` (deny /\n // allow_partial / allow_full) and emits the verification event +\n // blockchain record per the canonical flow. SDK forwards verbatim.\n\n // Auto-detect counterparty URL from the request if not explicitly configured.\n // Since the SDK is installed at this endpoint, we always know the origin.\n const counterpartyUrl = config.counterpartyUrl \|\| request.nextUrl.origin;\n\n // Extract purpose and full AstraSync credentials (includes PDLSS from X-Astra- headers)\n const purpose = extractPurpose(request);\n const astraCreds = extractAstraSyncCredentialsFromNextRequest(request);\n\n // Step 2: Counterparty-side PDLSS pre-check — compare agent's requested PDLSS\n // against counterparty-defined maximums on the route config.\n // Rejects immediately if outside limits, BEFORE calling verify-access.\n const preCheckFailures = performCounterpartyPreCheck(routeConfig, astraCreds, purpose);\n if (preCheckFailures.length > 0) {\n // Round-18 G4: counterparty pre-check failure — see express.ts for the\n // rationale. Neither axis verified remotely → both false.\n const preCheckResult: VerificationResult = {\n identityVerified: false,\n policyAllowed: false,\n accessLevel: 'none',\n denialReasons: preCheckFailures.map((f) => f.message),\n guidance: {\n message: 'Request exceeds counterparty-defined PDLSS limits.',\n registrationUrl: `${config.apiBaseUrl?.replace('/api', '')}/register`,\n documentationUrl: `${config.apiBaseUrl?.replace('/api', '')}/docs/pdlss`,\n },\n verifiedAt: new Date(),\n };\n\n // Fire-and-forget: notify AstraSync of the pre-check failure\n reportCounterpartyPreCheckFailure(config, {\n agentId: astraCreds?.agentId \|\| credentials.astraId \|\| 'unknown',\n counterpartyUrl,\n counterpartyType: config.counterpartyType \|\| 'website',\n failures: preCheckFailures,\n requestPath: pathname,\n requestMethod: request.method,\n }).catch(() => {});\n\n // For API routes, return JSON\n if (pathname.startsWith('/api/')) {\n return NextResponse.json(\n {\n success: false,\n error: {\n code: 'PDLSS_PRE_CHECK_FAILED',\n message: preCheckResult.denialReasons?.[0] \|\| 'PDLSS pre-check failed',\n guidance: preCheckResult.guidance,\n },\n },\n { status: 403 }\n );\n }\n\n // For web pages, show Commerce Shield\n if (showCommerceShield) {\n return new NextResponse(generateCommerceShieldHtml(preCheckResult, options), {\n status: 200,\n headers: {\n 'Content-Type': 'text/html',\n 'X-AstraSync-Verification': 'commerce-shield',\n },\n });\n }\n\n return NextResponse.redirect(new URL('/unauthorized', request.url));\n }\n\n // Step 3: Call AstraSync verify-access with runtime challenge enabled\n const forwardedFor = request.headers.get('x-forwarded-for') \|\| undefined;\n const originalClientIp = forwardedFor?.split(',')[0]?.trim();\n const result = await verify(config, {\n credentials,\n purpose,\n action: request.method.toLowerCase(),\n resource: pathname,\n counterpartyUrl,\n counterpartyType: config.counterpartyType \|\| 'website',\n enableRuntimeChallenge,\n durationRequired: astraCreds?.pdlss?.duration?.maxSessionDuration,\n callerMetadata: {\n sourceIp: originalClientIp,\n userAgent: request.headers.get('user-agent') \|\| undefined,\n referer: request.headers.get('referer') \|\| undefined,\n host: request.headers.get('host') \|\| undefined,\n forwardedFor,\n agentCardUrl: request.headers.get('x-astrasync-agent-card') \|\| undefined,\n },\n });\n\n // v2.3.9 (defect #30): denied verifications short-circuit BEFORE the\n // gate-level comparison. The OR-prefix shape here keeps the\n // single-expression branch this adapter uses, but ensures any axis of\n // failure triggers the denial path even if the access level math would\n // otherwise let it through (the historical bug). See express.ts for the\n // full rationale.\n // Round-18 G4: short-circuit on either axis failing (identity-fail or\n // policy-fail). The OR with hasMinimumAccess() preserves access-level\n // gating for over-tier requests.\n if (\n !result.identityVerified \|\|\n !result.policyAllowed \|\|\n !hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)\n ) {\n // For API routes, return JSON\n if (pathname.startsWith('/api/')) {\n return NextResponse.json(\n {\n success: false,\n error: {\n // Round-18 G4: 401 → identity missing (re-auth); 403 → identity\n // OK, policy denied (update PDLSS / step up).\n code: !result.identityVerified ? 'UNAUTHORIZED' : 'INSUFFICIENT_ACCESS',\n message: result.denialReasons?.[0] \|\| 'Access denied',\n accessLevel: result.accessLevel,\n required: routeConfig.minAccessLevel,\n guidance: result.guidance,\n },\n },\n { status: !result.identityVerified ? 401 : 403 }\n );\n }\n\n // For web pages, show Commerce Shield\n if (showCommerceShield) {\n return new NextResponse(generateCommerceShieldHtml(result, options), {\n status: 200,\n headers: {\n 'Content-Type': 'text/html',\n 'X-AstraSync-Verification': 'commerce-shield',\n },\n });\n }\n\n // Redirect to unauthorized page\n return NextResponse.redirect(new URL('/unauthorized', request.url));\n }\n\n // All checks passed - continue with verification info in headers\n const response = NextResponse.next();\n\n // Add verification info to response headers\n // Round-18 G4: composite `verified` (identity AND policy) for legacy\n // header consumers; new headers expose each axis separately so middleware\n // chains can branch without re-running verify-access.\n response.headers.set(\n 'X-AstraSync-Verified',\n (result.identityVerified && result.policyAllowed).toString()\n );\n response.headers.set('X-AstraSync-Identity-Verified', result.identityVerified.toString());\n response.headers.set('X-AstraSync-Policy-Allowed', result.policyAllowed.toString());\n response.headers.set('X-AstraSync-Access-Level', result.accessLevel);\n\n if (result.agent) {\n response.headers.set('X-AstraSync-Agent-Id', result.agent.astraId);\n response.headers.set('X-AstraSync-Trust-Score', result.agent.trustScore.toString());\n }\n\n return response;\n };\n}\n\n/*\n Helper to create matcher config\n /\nexport function createMatcherConfig(paths: string[]): { matcher: string[] } {\n return { matcher: paths };\n}\n","/\n RFC 9421 HTTP Message Signatures parser.\n \n Wraps `structured-headers` (transitive dep of http-message-signatures) to\n * parse the Signature-Input and Signature Dictionary headers per RFC 9421 §2.\n \n Produces structured metadata (kid, algorithm, covered components, tag,\n * created/expires/nonce, signature bytes) without verifying the signature —\n * verification lives in rfc9421-verify.ts.\n \n Shared by:\n * - Agent Pay (Mastercard) — kid resolves via Mastercard Agent Registry\n * - TAP (Visa) — kid resolves via Visa JWKS\n * - Web Bot Auth (generic transport substrate) — kid resolves via\n * /.well-known/http-message-signatures-directory\n /\n\nimport { parseDictionary } from 'structured-headers';\n\nexport interface RFC9421SignatureParams {\n /* The label identifying the signature in the Dictionary header (e.g. \"sig1\"). /\n label: string;\n /* Key ID used to look up the verifying key in the relevant registry. /\n kid: string;\n /* Algorithm declared in the Signature-Input params (e.g. \"ecdsa-p256-sha256\", \"ed25519\"). /\n alg?: string;\n /* Covered components, in order, per RFC 9421 §2.1. /\n covered: string[];\n /* Base64url-encoded signature bytes extracted from the paired Signature header. /\n signatureBase64: string;\n /* Unix seconds when the signature was created. /\n created?: number;\n /* Unix seconds when the signature expires. /\n expires?: number;\n /* Nonce (opaque string) for replay protection. /\n nonce?: string;\n /* Tag parameter. For Agent Pay/TAP this is \"browse\" or \"purchase\"; undefined otherwise. /\n tag?: 'browse' \| 'purchase' \| string;\n}\n\nexport interface ParsedRFC9421 {\n signatures: RFC9421SignatureParams[];\n}\n\n/\n Parse the RFC 9421 Signature-Input and Signature headers from a request or response.\n * Returns all signatures present (a single message may carry multiple labelled signatures).\n \n Returns null if either header is missing or malformed.\n /\nexport function parseRFC9421(\n headers: Record<string, string \| string[] \| undefined>\n): ParsedRFC9421 \| null {\n const sigInput = readHeader(headers, 'signature-input');\n const sig = readHeader(headers, 'signature');\n if (!sigInput \|\| !sig) return null;\n\n let inputDict;\n let sigDict;\n try {\n inputDict = parseDictionary(sigInput);\n sigDict = parseDictionary(sig);\n } catch {\n return null;\n }\n\n const signatures: RFC9421SignatureParams[] = [];\n\n for (const [label, entry] of inputDict) {\n // entry.value is the inner list of covered components; entry[1] is the params Map.\n const innerList = Array.isArray(entry)\n ? entry[0]\n : (entry as { value?: unknown; params?: unknown }).value;\n const params = Array.isArray(entry)\n ? entry[1]\n : (entry as { value?: unknown; params?: unknown }).params;\n if (!Array.isArray(innerList) \|\| !params) continue;\n\n const covered: string[] = [];\n for (const item of innerList as Array<[unknown, Map<string, unknown>]>) {\n const [bare] = Array.isArray(item) ? item : [item];\n if (typeof bare === 'string') covered.push(bare);\n else if (bare && typeof bare === 'object' && 'toString' in bare) covered.push(String(bare));\n }\n\n const paramsMap = params as Map<string, unknown>;\n const kid = coerceString(paramsMap.get('keyid'));\n if (!kid) continue;\n\n const sigEntry = sigDict.get(label);\n if (!sigEntry) continue;\n\n const sigBare = Array.isArray(sigEntry) ? sigEntry[0] : (sigEntry as { value?: unknown }).value;\n const signatureBase64 = extractBase64(sigBare);\n if (!signatureBase64) continue;\n\n signatures.push({\n label,\n kid,\n alg: coerceString(paramsMap.get('alg')),\n covered,\n signatureBase64,\n created: coerceNumber(paramsMap.get('created')),\n expires: coerceNumber(paramsMap.get('expires')),\n nonce: coerceString(paramsMap.get('nonce')),\n tag: coerceString(paramsMap.get('tag')),\n });\n }\n\n if (signatures.length === 0) return null;\n return { signatures };\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined>,\n name: string\n): string \| null {\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw.join(', ');\n return null;\n }\n }\n return null;\n}\n\nfunction coerceString(value: unknown): string \| undefined {\n if (typeof value === 'string') return value;\n if (value == null) return undefined;\n if (typeof value === 'object' && 'toString' in (value as object)) {\n const s = String(value);\n return s.length > 0 ? s : undefined;\n }\n return undefined;\n}\n\nfunction coerceNumber(value: unknown): number \| undefined {\n if (typeof value === 'number' && Number.isFinite(value)) return value;\n if (typeof value === 'bigint') return Number(value);\n return undefined;\n}\n\nfunction extractBase64(value: unknown): string \| null {\n if (value instanceof Uint8Array) return bufferToBase64(value);\n if (value instanceof ArrayBuffer) return bufferToBase64(new Uint8Array(value));\n if (ArrayBuffer.isView(value)) {\n const v = value as ArrayBufferView;\n return bufferToBase64(new Uint8Array(v.buffer, v.byteOffset, v.byteLength));\n }\n if (typeof value === 'string') {\n if (value.startsWith(':') && value.endsWith(':')) return value.slice(1, -1);\n return value;\n }\n return null;\n}\n\nfunction bufferToBase64(bytes: Uint8Array): string {\n return Buffer.from(bytes).toString('base64');\n}\n","/\n RFC 9421 HTTP Message Signatures verification.\n \n Wraps http-message-signatures (dhensby) verifyMessage() with a RegistryResolver\n * hook for kid → JWK lookup. Library handles canonicalization + ES256/EdDSA/\n * HMAC/RSA verification; we supply the key-finding callback and policy around\n * clock skew.\n \n Shared by:\n * - Agent Pay (Mastercard) — resolver = createMastercardRegistry\n * - TAP (Visa) — resolver = createVisaRegistry\n * - Web Bot Auth (generic) — resolver = createWebBotAuthRegistry\n /\n\nimport { httpbis, type VerifierFinder, type VerifyingKey } from 'http-message-signatures';\nimport type { JWK } from 'jose';\nimport type { RegistryResolver } from './registry/types';\n\nexport interface RFC9421VerifyRequest {\n method: string;\n url: string;\n headers: Record<string, string \| string[]>;\n body?: string;\n}\n\nexport interface RFC9421VerifyOptions {\n resolver: RegistryResolver;\n /* Seconds of tolerance around created/expires. Default 300. /\n clockSkewSec?: number;\n /* Injectable for deterministic tests. /\n now?: () => number;\n}\n\nexport interface RFC9421VerifyResult {\n ok: boolean;\n kid?: string;\n registry?: RegistryResolver['name'];\n algorithm?: string;\n error?: string;\n}\n\nexport async function verifyRFC9421(\n request: RFC9421VerifyRequest,\n options: RFC9421VerifyOptions\n): Promise<RFC9421VerifyResult> {\n const { resolver } = options;\n const tolerance = options.clockSkewSec ?? 300;\n const nowSec = options.now ? options.now() : Math.floor(Date.now() / 1000);\n\n let resolvedKid: string \| undefined;\n let resolvedAlg: string \| undefined;\n\n const keyLookup: VerifierFinder = async (parameters) => {\n const kid = typeof parameters.keyid === 'string' ? parameters.keyid : undefined;\n if (!kid) return null;\n resolvedKid = kid;\n const alg = typeof parameters.alg === 'string' ? parameters.alg : undefined;\n if (alg) resolvedAlg = alg;\n\n const origin = safeOrigin(request.url);\n const jwk = await resolver.resolve(kid, { origin, algorithm: alg });\n if (!jwk) return null;\n\n // Check clock-skew on this specific signature's created/expires.\n // SignatureParameters may carry Date, number, or ISO string per library.\n const created = toUnixSeconds(parameters.created);\n const expires = toUnixSeconds(parameters.expires);\n if (created !== undefined && Math.abs(nowSec - created) > tolerance) return null;\n if (expires !== undefined && nowSec > expires + tolerance) return null;\n\n return jwkToVerifyingKey(kid, jwk, alg);\n };\n\n try {\n const result = await httpbis.verifyMessage(\n {\n keyLookup,\n },\n normalizeRequest(request)\n );\n if (result === true) {\n return {\n ok: true,\n kid: resolvedKid,\n registry: resolver.name,\n algorithm: resolvedAlg,\n };\n }\n return {\n ok: false,\n kid: resolvedKid,\n registry: resolver.name,\n algorithm: resolvedAlg,\n error: result === false ? 'signature invalid' : 'no signature found',\n };\n } catch (err) {\n return {\n ok: false,\n kid: resolvedKid,\n registry: resolver.name,\n algorithm: resolvedAlg,\n error: err instanceof Error ? err.message : 'verification error',\n };\n }\n}\n\nfunction normalizeRequest(request: RFC9421VerifyRequest): {\n method: string;\n url: string;\n headers: Record<string, string \| string[]>;\n} {\n return {\n method: request.method.toUpperCase(),\n url: request.url,\n headers: request.headers,\n };\n}\n\nfunction safeOrigin(url: string): string \| undefined {\n try {\n return new URL(url).origin;\n } catch {\n return undefined;\n }\n}\n\nasync function jwkToVerifyingKey(\n id: string,\n jwk: JWK,\n alg: string \| undefined\n): Promise<VerifyingKey> {\n const algorithm = alg ?? inferAlgFromJwk(jwk);\n const { subtle } = await getCrypto();\n const importAlg = webCryptoImportAlgFor(algorithm);\n const verifyAlg = webCryptoAlgFor(algorithm);\n if (!importAlg \|\| !verifyAlg) {\n return {\n id,\n algs: alg ? [alg] : undefined,\n verify: async () => false,\n };\n }\n const key = await subtle.importKey('jwk', jwk as JsonWebKey, importAlg, false, ['verify']);\n\n return {\n id,\n algs: alg ? [alg] : undefined,\n verify: async (data: Buffer, signature: Buffer): Promise<boolean> => {\n try {\n return await subtle.verify(verifyAlg, key, toArrayBuffer(signature), toArrayBuffer(data));\n } catch {\n return false;\n }\n },\n };\n}\n\nfunction inferAlgFromJwk(jwk: JWK): string {\n if (jwk.kty === 'OKP' && jwk.crv === 'Ed25519') return 'ed25519';\n if (jwk.kty === 'EC' && jwk.crv === 'P-256') return 'ecdsa-p256-sha256';\n if (jwk.kty === 'EC' && jwk.crv === 'P-384') return 'ecdsa-p384-sha384';\n if (jwk.kty === 'RSA') return 'rsa-v1_5-sha256';\n return 'ecdsa-p256-sha256';\n}\n\nfunction webCryptoAlgFor(\n rfc9421Alg: string\n): AlgorithmIdentifier \| EcdsaParams \| RsaPssParams \| null {\n switch (rfc9421Alg) {\n case 'ed25519':\n return { name: 'Ed25519' };\n case 'ecdsa-p256-sha256':\n return { name: 'ECDSA', hash: 'SHA-256' };\n case 'ecdsa-p384-sha384':\n return { name: 'ECDSA', hash: 'SHA-384' };\n case 'rsa-v1_5-sha256':\n return { name: 'RSASSA-PKCS1-v1_5' };\n case 'rsa-pss-sha512':\n return { name: 'RSA-PSS', saltLength: 64 };\n default:\n return null;\n }\n}\n\nfunction webCryptoImportAlgFor(\n rfc9421Alg: string\n): AlgorithmIdentifier \| EcKeyImportParams \| RsaHashedImportParams \| null {\n switch (rfc9421Alg) {\n case 'ed25519':\n return { name: 'Ed25519' };\n case 'ecdsa-p256-sha256':\n return { name: 'ECDSA', namedCurve: 'P-256' };\n case 'ecdsa-p384-sha384':\n return { name: 'ECDSA', namedCurve: 'P-384' };\n case 'rsa-v1_5-sha256':\n return { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };\n case 'rsa-pss-sha512':\n return { name: 'RSA-PSS', hash: 'SHA-512' };\n default:\n return null;\n }\n}\n\nfunction toArrayBuffer(buf: Buffer): ArrayBuffer {\n const out = new ArrayBuffer(buf.byteLength);\n new Uint8Array(out).set(buf);\n return out;\n}\n\nfunction toUnixSeconds(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (v instanceof Date) return Math.floor(v.getTime() / 1000);\n if (typeof v === 'string') {\n const parsed = Date.parse(v);\n if (Number.isFinite(parsed)) return Math.floor(parsed / 1000);\n }\n return undefined;\n}\n\nasync function getCrypto(): Promise<{ subtle: SubtleCrypto }> {\n if (typeof globalThis.crypto !== 'undefined' && globalThis.crypto.subtle) {\n return { subtle: globalThis.crypto.subtle };\n }\n // Node fallback\n const nodeCrypto = await import('node:crypto');\n return { subtle: nodeCrypto.webcrypto.subtle as SubtleCrypto };\n}\n","/\n VI (Verifiable Intent) SD-JWT extraction.\n \n Open-sourced 5 March 2026 by Mastercard + Google (v0.1-draft).\n * VI is a 3-layer SD-JWT chain:\n * L1 — issuer → wallet (credential provider)\n * L2 — user → agent (cnf.jwk binding to L3 agent key)\n * L3 — agent → merchant (payment or checkout mandate, split into L3a / L3b\n * cross-referenced via transaction_id)\n \n This module does EXTRACTION ONLY — it decodes SD-JWT structure and pulls\n * out the mandate type, kid, executionMode, 8 constraint types, checkoutHash\n * (constraint type 8), transactionId, and raw layers for later verification.\n \n Signature verification lives in vi-verify.ts; this module uses @sd-jwt's\n * sync decoder with a SHA-256 hasher for structural parsing only.\n /\n\nimport { splitSdJwt, decodeSdJwtSync } from '@sd-jwt/decode';\nimport { createHash } from 'node:crypto';\nimport type { VIMandateType } from './purpose-mapping';\n\nexport type { VIMandateType };\nexport type VIExecutionMode = 'Immediate' \| 'Autonomous' \| 'Both';\n\nexport interface VIAllowedParty {\n id?: string;\n name?: string;\n website?: string;\n}\n\nexport interface VILineItem {\n id?: string;\n acceptableItems?: string[];\n quantity?: number;\n}\n\nexport interface VIPaymentAmount {\n currency?: string;\n min?: number;\n max?: number;\n}\n\nexport interface VIBudgetLimit {\n currency?: string;\n max?: number;\n}\n\nexport interface VIRecurrence {\n frequency?: string;\n startDate?: string;\n endDate?: string;\n maxOccurrences?: number;\n}\n\nexport interface VIConstraints {\n allowedMerchants?: VIAllowedParty[];\n allowedPayees?: VIAllowedParty[];\n lineItems?: VILineItem[];\n paymentAmount?: VIPaymentAmount;\n budgetLimit?: VIBudgetLimit;\n recurrence?: VIRecurrence;\n agentRecurrence?: VIRecurrence;\n}\n\nexport interface VIExtractedClaims {\n mandateType: VIMandateType;\n kid?: string;\n executionMode?: VIExecutionMode;\n credentialProvider?: string;\n constraints: VIConstraints;\n /* VI constraint type 8 — SHA-256 of the paired L2 checkout disclosure. /\n checkoutHash?: string;\n transactionId?: string;\n rawLayers: { l1?: string; l2?: string; l3?: string };\n}\n\n/\n Extract VI claims from a compact SD-JWT string.\n \n Input shape:\n * <jwt>~<disclosure1>~<disclosure2>~...~<kbJwt?>\n \n Returns null if parsing fails at any layer. Does not verify signatures.\n /\nexport function extractVIClaims(sdJwtCompact: string): VIExtractedClaims \| null {\n if (!sdJwtCompact \|\| typeof sdJwtCompact !== 'string') return null;\n\n let decoded;\n try {\n decoded = decodeSdJwtSync(sdJwtCompact, sha256Sync);\n } catch {\n return null;\n }\n\n const split = safeSplit(sdJwtCompact);\n\n const payload = (decoded.jwt?.payload ?? {}) as Record<string, unknown>;\n const disclosures = decoded.disclosures ?? [];\n\n // Apply disclosures onto payload to resolve _sd references.\n // Disclosure from @sd-jwt/utils has { key, value, digest() } where digest is\n // a function — we only need key+value here, so narrow via a structural cast.\n const claims = applyDisclosures(\n payload,\n disclosures as unknown as Array<{ key?: string; value?: unknown }>\n );\n\n const mandateType = coerceMandateType(\n claims.mandate_type ?? claims.mandateType ?? payload.mandate_type ?? payload.mandateType\n );\n if (!mandateType) return null;\n\n const kid = coerceString(\n (decoded.jwt?.header as Record<string, unknown> \| undefined)?.kid ?? claims.kid ?? payload.kid\n );\n\n const executionMode = coerceExecutionMode(claims.execution_mode ?? claims.executionMode);\n const credentialProvider = coerceString(claims.iss ?? payload.iss);\n\n const constraints = extractConstraints(\n (claims.constraints ?? claims.default_constraints ?? {}) as Record<string, unknown>\n );\n\n const transactionId = coerceString(claims.transaction_id ?? claims.transactionId);\n const checkoutHash = coerceString(\n claims.checkout_hash ??\n claims.conditional_transaction_id ??\n (claims.payment_reference as Record<string, unknown> \| undefined)?.checkout_hash\n );\n\n return {\n mandateType,\n kid,\n executionMode,\n credentialProvider,\n constraints,\n checkoutHash,\n transactionId,\n rawLayers: split,\n };\n}\n\nfunction safeSplit(compact: string): { l1?: string; l2?: string; l3?: string } {\n try {\n const { jwt, kbJwt } = splitSdJwt(compact);\n // VI layering maps loosely: the outer JWT is L3 (agent mandate), KB-JWT\n // (if present) is the key-binding proof, and disclosures carry L2/L1 fragments.\n return { l3: jwt, l2: kbJwt };\n } catch {\n return {};\n }\n}\n\nfunction applyDisclosures(\n payload: Record<string, unknown>,\n disclosures: Array<{ key?: string; value?: unknown }>\n): Record<string, unknown> {\n const result: Record<string, unknown> = { ...payload };\n for (const d of disclosures) {\n if (d.key && d.value !== undefined && !(d.key in result)) {\n result[d.key] = d.value;\n }\n }\n return result;\n}\n\nfunction extractConstraints(raw: Record<string, unknown>): VIConstraints {\n return {\n allowedMerchants: toAllowedPartyArray(raw.allowed_merchants ?? raw.allowedMerchants),\n allowedPayees: toAllowedPartyArray(raw.allowed_payees ?? raw.allowedPayees),\n lineItems: toLineItemArray(raw.line_items ?? raw.lineItems),\n paymentAmount: toPaymentAmount(raw.payment_amount ?? raw.paymentAmount),\n budgetLimit: toBudgetLimit(raw.budget_limit ?? raw.budgetLimit ?? raw.budget),\n recurrence: toRecurrence(raw.recurrence),\n agentRecurrence: toRecurrence(raw.agent_recurrence ?? raw.agentRecurrence),\n };\n}\n\nfunction toAllowedPartyArray(v: unknown): VIAllowedParty[] \| undefined {\n if (!Array.isArray(v)) return undefined;\n const out: VIAllowedParty[] = [];\n for (const item of v) {\n if (item && typeof item === 'object') {\n const r = item as Record<string, unknown>;\n out.push({\n id: coerceString(r.id),\n name: coerceString(r.name),\n website: coerceString(r.website),\n });\n }\n }\n return out.length > 0 ? out : undefined;\n}\n\nfunction toLineItemArray(v: unknown): VILineItem[] \| undefined {\n if (!Array.isArray(v)) return undefined;\n const out: VILineItem[] = [];\n for (const item of v) {\n if (item && typeof item === 'object') {\n const r = item as Record<string, unknown>;\n const acc = r.acceptable_items ?? r.acceptableItems;\n out.push({\n id: coerceString(r.id),\n acceptableItems: Array.isArray(acc)\n ? (acc.filter((a) => typeof a === 'string') as string[])\n : undefined,\n quantity: coerceNumber(r.quantity),\n });\n }\n }\n return out.length > 0 ? out : undefined;\n}\n\nfunction toPaymentAmount(v: unknown): VIPaymentAmount \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n return {\n currency: coerceString(r.currency),\n min: coerceNumber(r.min),\n max: coerceNumber(r.max),\n };\n}\n\nfunction toBudgetLimit(v: unknown): VIBudgetLimit \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n return {\n currency: coerceString(r.currency),\n max: coerceNumber(r.max),\n };\n}\n\nfunction toRecurrence(v: unknown): VIRecurrence \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n return {\n frequency: coerceString(r.frequency),\n startDate: coerceString(r.start_date ?? r.startDate),\n endDate: coerceString(r.end_date ?? r.endDate),\n maxOccurrences: coerceNumber(r.max_occurrences ?? r.maxOccurrences),\n };\n}\n\nfunction coerceMandateType(v: unknown): VIMandateType \| null {\n if (v === 'checkout' \|\| v === 'payment' \|\| v === 'checkout.open' \|\| v === 'payment.open') {\n return v;\n }\n return null;\n}\n\nfunction coerceExecutionMode(v: unknown): VIExecutionMode \| undefined {\n return v === 'Immediate' \|\| v === 'Autonomous' \|\| v === 'Both' ? v : undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n\nfunction coerceNumber(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string') {\n const n = Number(v);\n return Number.isFinite(n) ? n : undefined;\n }\n return undefined;\n}\n\nfunction sha256Sync(data: string \| ArrayBuffer): Uint8Array {\n const buf =\n typeof data === 'string' ? Buffer.from(data, 'utf-8') : Buffer.from(new Uint8Array(data));\n const hash = createHash('sha256').update(buf).digest();\n return new Uint8Array(hash.buffer, hash.byteOffset, hash.byteLength);\n}\n","/\n Stripe webhook HMAC-SHA256 verifier (inline).\n \n Stripe-Signature header format: \"t=TIMESTAMP,v1=HEX_SIGNATURE\"\n * - t: unix seconds when Stripe signed the webhook\n * - v1: HMAC-SHA256(webhook_secret, `${t}.${payload}`) as hex\n \n Multiple v1 signatures can coexist during secret rotation; any match wins.\n * Default tolerance on timestamp age: 300s (matches Stripe's own default).\n \n Documented at docs.stripe.com — we intentionally inline ~25 LOC rather\n * than pull in the full stripe npm package (MIT but 600KB+ with deps).\n /\n\nimport { createHmac, timingSafeEqual } from 'node:crypto';\n\nexport interface VerifyStripeWebhookResult {\n ok: boolean;\n timestamp?: number;\n error?: string;\n}\n\nexport interface VerifyStripeWebhookOptions {\n toleranceSec?: number;\n /* Injectable for deterministic tests. /\n now?: () => number;\n}\n\nexport function verifyStripeWebhook(\n payload: string,\n signatureHeader: string \| undefined,\n secret: string,\n options: VerifyStripeWebhookOptions = {}\n): VerifyStripeWebhookResult {\n if (!signatureHeader) return { ok: false, error: 'missing Stripe-Signature header' };\n if (!secret) return { ok: false, error: 'missing webhook secret' };\n\n const parsed = parseStripeSignature(signatureHeader);\n if (!parsed.timestamp) return { ok: false, error: 'malformed Stripe-Signature (missing t=)' };\n if (parsed.v1Signatures.length === 0) {\n return { ok: false, error: 'malformed Stripe-Signature (no v1=)' };\n }\n\n const tolerance = options.toleranceSec ?? 300;\n const now = options.now ? options.now() : Math.floor(Date.now() / 1000);\n if (Math.abs(now - parsed.timestamp) > tolerance) {\n return {\n ok: false,\n timestamp: parsed.timestamp,\n error: `timestamp outside tolerance (${tolerance}s)`,\n };\n }\n\n const signedPayload = `${parsed.timestamp}.${payload}`;\n const expected = createHmac('sha256', secret).update(signedPayload).digest();\n\n for (const candidateHex of parsed.v1Signatures) {\n const candidate = hexToBuffer(candidateHex);\n if (!candidate) continue;\n if (candidate.length !== expected.length) continue;\n if (timingSafeEqual(candidate, expected)) {\n return { ok: true, timestamp: parsed.timestamp };\n }\n }\n\n return { ok: false, timestamp: parsed.timestamp, error: 'signature mismatch' };\n}\n\ninterface ParsedStripeSignature {\n timestamp: number \| null;\n v1Signatures: string[];\n}\n\nfunction parseStripeSignature(header: string): ParsedStripeSignature {\n let timestamp: number \| null = null;\n const v1Signatures: string[] = [];\n for (const part of header.split(',')) {\n const [rawKey, rawValue] = part.split('=');\n if (!rawKey \|\| !rawValue) continue;\n const key = rawKey.trim();\n const value = rawValue.trim();\n if (key === 't') {\n const n = Number(value);\n if (Number.isFinite(n)) timestamp = n;\n } else if (key === 'v1') {\n v1Signatures.push(value);\n }\n }\n return { timestamp, v1Signatures };\n}\n\nfunction hexToBuffer(hex: string): Buffer \| null {\n if (!/^[0-9a-fA-F]+$/.test(hex) \|\| hex.length % 2 !== 0) return null;\n return Buffer.from(hex, 'hex');\n}\n","/\n AP2 (Agent Payments Protocol) mandate extraction.\n \n Google-led, launched 3 April 2026 with 60+ partners (Mastercard, PayPal,\n * Coinbase, AmEx, Revolut, UnionPay, ...). AP2 ships three mandate types as\n * SD-JWTs in series:\n * - intent_mandate — user declares intent (amount, merchant category, etc.)\n * - cart_mandate — user approves a cart (specific items, totals)\n * - payment_mandate — authorizes the actual payment rail\n \n Mandates are cross-referenced via ids; each is an SD-JWT over ES256 (or\n * equivalent). We decode via @sd-jwt/decode and extract the AP2-specific\n * shape — verification lives in ap2-verify.ts.\n /\n\nimport { decodeSdJwtSync } from '@sd-jwt/decode';\nimport { createHash } from 'node:crypto';\nimport type { AP2MandateType } from './purpose-mapping';\n\nexport type { AP2MandateType };\n\nexport interface AP2PaymentDetailsTotal {\n amount?: { value?: string \| number; currency?: string };\n label?: string;\n}\n\nexport interface AP2IntentMandateClaims {\n type: 'intent_mandate';\n agent_id?: string;\n user_id?: string;\n merchant_category?: string;\n allowedMerchantDomains?: string[];\n paymentMethods?: string[];\n expires?: string;\n payment_details_total?: AP2PaymentDetailsTotal;\n raw: Record<string, unknown>;\n}\n\nexport interface AP2CartMandateClaims {\n type: 'cart_mandate';\n agent_id?: string;\n intent_mandate_id?: string;\n merchant_id?: string;\n line_items?: Array<{\n id?: string;\n quantity?: number;\n price?: { value?: string \| number; currency?: string };\n }>;\n payment_details_total?: AP2PaymentDetailsTotal;\n expires?: string;\n raw: Record<string, unknown>;\n}\n\nexport interface AP2PaymentMandateClaims {\n type: 'payment_mandate';\n agent_id?: string;\n cart_mandate_id?: string;\n payment_method?: string;\n payment_details_total?: AP2PaymentDetailsTotal;\n credential_provider?: string;\n raw: Record<string, unknown>;\n}\n\nexport type AP2MandateClaims =\n \| AP2IntentMandateClaims\n \| AP2CartMandateClaims\n \| AP2PaymentMandateClaims;\n\nexport interface AP2MandateTriple {\n intent?: AP2IntentMandateClaims;\n cart?: AP2CartMandateClaims;\n payment?: AP2PaymentMandateClaims;\n rawLayers: { intentJwt?: string; cartJwt?: string; paymentJwt?: string };\n}\n\n/\n Extract a single AP2 mandate from a compact SD-JWT.\n * Returns null if the SD-JWT is malformed or lacks a recognized type field.\n /\nexport function extractAP2Mandate(sdJwtCompact: string): AP2MandateClaims \| null {\n if (!sdJwtCompact \|\| typeof sdJwtCompact !== 'string') return null;\n\n let decoded;\n try {\n decoded = decodeSdJwtSync(sdJwtCompact, sha256Sync);\n } catch {\n return null;\n }\n\n const payload = (decoded.jwt?.payload ?? {}) as Record<string, unknown>;\n const disclosures = decoded.disclosures ?? [];\n const claims = applyDisclosures(\n payload,\n disclosures as unknown as Array<{ key?: string; value?: unknown }>\n );\n\n const type = coerceMandateType(claims.type ?? claims.mandate_type ?? claims.mandateType);\n if (!type) return null;\n\n if (type === 'intent_mandate') return buildIntent(claims);\n if (type === 'cart_mandate') return buildCart(claims);\n return buildPayment(claims);\n}\n\nexport interface AP2MandateTripleInput {\n intent?: string;\n cart?: string;\n payment?: string;\n}\n\n/\n Extract an intent / cart / payment triple, returning whichever are present.\n * Does NOT enforce cross-reference consistency — that's ap2-verify.ts's job.\n /\nexport function extractAP2Mandates(input: AP2MandateTripleInput): AP2MandateTriple {\n const intent = input.intent\n ? (extractAP2Mandate(input.intent) as AP2IntentMandateClaims \| null)\n : null;\n const cart = input.cart ? (extractAP2Mandate(input.cart) as AP2CartMandateClaims \| null) : null;\n const payment = input.payment\n ? (extractAP2Mandate(input.payment) as AP2PaymentMandateClaims \| null)\n : null;\n return {\n intent: intent ?? undefined,\n cart: cart ?? undefined,\n payment: payment ?? undefined,\n rawLayers: {\n intentJwt: input.intent,\n cartJwt: input.cart,\n paymentJwt: input.payment,\n },\n };\n}\n\nfunction buildIntent(claims: Record<string, unknown>): AP2IntentMandateClaims {\n return {\n type: 'intent_mandate',\n agent_id: coerceString(claims.agent_id ?? claims.agentId),\n user_id: coerceString(claims.user_id ?? claims.userId ?? claims.sub),\n merchant_category: coerceString(claims.merchant_category ?? claims.merchantCategory),\n allowedMerchantDomains: toStringArray(\n claims.allowed_merchant_domains ?? claims.allowedMerchantDomains\n ),\n paymentMethods: toStringArray(claims.payment_methods ?? claims.paymentMethods),\n expires: coerceString(claims.expires ?? claims.exp),\n payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),\n raw: claims,\n };\n}\n\nfunction buildCart(claims: Record<string, unknown>): AP2CartMandateClaims {\n return {\n type: 'cart_mandate',\n agent_id: coerceString(claims.agent_id ?? claims.agentId),\n intent_mandate_id: coerceString(claims.intent_mandate_id ?? claims.intentMandateId),\n merchant_id: coerceString(claims.merchant_id ?? claims.merchantId),\n line_items: toLineItems(claims.line_items ?? claims.lineItems),\n payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),\n expires: coerceString(claims.expires ?? claims.exp),\n raw: claims,\n };\n}\n\nfunction buildPayment(claims: Record<string, unknown>): AP2PaymentMandateClaims {\n return {\n type: 'payment_mandate',\n agent_id: coerceString(claims.agent_id ?? claims.agentId),\n cart_mandate_id: coerceString(claims.cart_mandate_id ?? claims.cartMandateId),\n payment_method: coerceString(claims.payment_method ?? claims.paymentMethod),\n payment_details_total: toPaymentDetails(claims.payment_details_total ?? claims.total),\n credential_provider: coerceString(claims.credential_provider ?? claims.credentialProvider),\n raw: claims,\n };\n}\n\nfunction toPaymentDetails(v: unknown): AP2PaymentDetailsTotal \| undefined {\n if (!v \|\| typeof v !== 'object') return undefined;\n const r = v as Record<string, unknown>;\n const amount = r.amount as Record<string, unknown> \| undefined;\n return {\n amount: amount\n ? {\n value: coerceStringOrNumber(amount.value),\n currency: coerceString(amount.currency),\n }\n : undefined,\n label: coerceString(r.label),\n };\n}\n\nfunction toLineItems(v: unknown): AP2CartMandateClaims['line_items'] {\n if (!Array.isArray(v)) return undefined;\n const items: NonNullable<AP2CartMandateClaims['line_items']> = [];\n for (const item of v) {\n if (!item \|\| typeof item !== 'object') continue;\n const r = item as Record<string, unknown>;\n const price = r.price as Record<string, unknown> \| undefined;\n items.push({\n id: coerceString(r.id),\n quantity: coerceNumber(r.quantity),\n price: price\n ? {\n value: coerceStringOrNumber(price.value),\n currency: coerceString(price.currency),\n }\n : undefined,\n });\n }\n return items.length > 0 ? items : undefined;\n}\n\nfunction toStringArray(v: unknown): string[] \| undefined {\n if (!Array.isArray(v)) return undefined;\n const out = v.filter((i): i is string => typeof i === 'string' && i.length > 0);\n return out.length > 0 ? out : undefined;\n}\n\nfunction applyDisclosures(\n payload: Record<string, unknown>,\n disclosures: Array<{ key?: string; value?: unknown }>\n): Record<string, unknown> {\n const result: Record<string, unknown> = { ...payload };\n for (const d of disclosures) {\n if (d.key && d.value !== undefined && !(d.key in result)) {\n result[d.key] = d.value;\n }\n }\n return result;\n}\n\nfunction coerceMandateType(v: unknown): AP2MandateType \| null {\n if (v === 'intent_mandate' \|\| v === 'cart_mandate' \|\| v === 'payment_mandate') return v;\n return null;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n\nfunction coerceNumber(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string') {\n const n = Number(v);\n return Number.isFinite(n) ? n : undefined;\n }\n return undefined;\n}\n\nfunction coerceStringOrNumber(v: unknown): string \| number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string' && v.length > 0) return v;\n return undefined;\n}\n\nfunction sha256Sync(data: string \| ArrayBuffer): Uint8Array {\n const buf =\n typeof data === 'string' ? Buffer.from(data, 'utf-8') : Buffer.from(new Uint8Array(data));\n const hash = createHash('sha256').update(buf).digest();\n return new Uint8Array(hash.buffer, hash.byteOffset, hash.byteLength);\n}\n","/\n MPP (Machine Payments Protocol) extractor.\n \n Wraps mppx (wevm) — pinned to 0.5.13, wrapped behind this adapter so\n * upgrades localise here. MPP launched March 18 2026 (Stripe + Tempo +\n * Paradigm), IETF draft-ryan-httpauth-payment-01.\n \n Flow:\n * Client → GET /resource\n * Server → 402 + WWW-Authenticate: Payment id=..., realm=..., method=tempo\|stripe\|...\n * Client → GET /resource with Authorization: Payment <base64url-json credential>\n * Server → 200 + Payment-Receipt: <base64url-json receipt>\n \n What we extract:\n * - Challenge: id, realm, method, intent, request{amount,currency,...}, expires, digest\n * - Credential: challenge + source (DID/chain-key) + payload (method-specific)\n * - Receipt: challengeId, method, reference (tx hash / pi_... ID), settlement\n * - Multi-method 402 offers (may be multiple WWW-Authenticate headers)\n \n What we do NOT verify here (pass-through):\n * - HMAC challenge binding (requires merchant's MPP_SECRET_KEY)\n * - Payment proof cryptography (Tempo tx sig, Stripe SPT, Lightning preimage)\n * — each requires upstream connectivity\n \n Verification (expiry + BodyDigest + source extraction) in mpp-verify.ts.\n /\n\nimport { Challenge, Credential, Receipt } from 'mppx';\n\nexport interface MPPChallengeSummary {\n id: string;\n realm: string;\n method: string;\n intent: string;\n /* Method-specific request data (amount, currency, recipient, etc.) /\n request: Record<string, unknown>;\n expires?: string;\n digest?: string;\n description?: string;\n opaque?: Record<string, string>;\n}\n\nexport interface MPPCredentialSummary {\n challenge: MPPChallengeSummary;\n /* DID or chain-native key identifying the payer. /\n source?: string;\n /* Method-specific payment proof (Tempo tx, SPT, Lightning preimage, etc.). /\n payload: unknown;\n}\n\nexport interface MPPReceiptSummary {\n method?: string;\n reference?: string;\n externalId?: string;\n status?: string;\n timestamp?: string;\n raw: Record<string, unknown>;\n}\n\nexport type MPPKind = 'challenge' \| 'credential' \| 'receipt' \| 'error' \| 'unknown';\n\nexport interface MPPRequestContext {\n kind: MPPKind;\n /* For 402 responses: one or more challenge offers. /\n challenges?: MPPChallengeSummary[];\n /* For requests with Authorization: Payment header. /\n credential?: MPPCredentialSummary;\n /* For 200 responses with Payment-Receipt header. /\n receipt?: MPPReceiptSummary;\n /* For problem+json error responses. /\n error?: { type?: string; title?: string; detail?: string };\n /* Detected payment methods offered (for multi-method 402). /\n offeredMethods?: string[];\n /* Raw body captured for BodyDigest verification in mpp-verify.ts. /\n rawBody?: string;\n}\n\nexport interface MPPRequestLike {\n method: string;\n url: string;\n headers: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n rawBody?: string;\n}\n\nexport interface MPPResponseLike {\n status: number;\n headers: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n rawBody?: string;\n}\n\n/\n Extract MPP context from an agent → merchant request.\n * Looks for `Authorization: Payment <credential>` header.\n /\nexport function extractMPPFromRequest(request: MPPRequestLike): MPPRequestContext \| null {\n const auth = readHeader(request.headers, 'authorization');\n if (!auth \|\| !/^\\sPayment\\s+/i.test(auth)) return null;\n\n try {\n const credential = Credential.deserialize(auth);\n return {\n kind: 'credential',\n credential: {\n challenge: summarizeChallenge(credential.challenge),\n source: credential.source,\n payload: credential.payload,\n },\n rawBody: request.rawBody,\n };\n } catch {\n return { kind: 'error', error: { type: 'invalid-credential-encoding' } };\n }\n}\n\n/*\n Extract MPP context from a merchant → agent response.\n * Handles 402 (challenge offers), 200 (receipt), 4xx (problem+json errors).\n /\nexport function extractMPPFromResponse(response: MPPResponseLike): MPPRequestContext \| null {\n if (response.status === 402) {\n const challenges = collectChallenges(response);\n if (challenges.length === 0) return null;\n const methods = Array.from(new Set(challenges.map((c) => c.method)));\n return {\n kind: 'challenge',\n challenges,\n offeredMethods: methods,\n };\n }\n\n const receiptHeader = readHeader(response.headers, 'payment-receipt');\n if (receiptHeader) {\n try {\n const parsed = Receipt.deserialize(receiptHeader);\n const r = parsed as unknown as Record<string, unknown>;\n return {\n kind: 'receipt',\n receipt: {\n method: coerceString(r.method),\n reference: coerceString(r.reference),\n externalId: coerceString(r.externalId ?? r.external_id),\n status: coerceString(r.status),\n timestamp: coerceString(r.timestamp),\n raw: r,\n },\n };\n } catch {\n return { kind: 'error', error: { type: 'invalid-receipt-encoding' } };\n }\n }\n\n const contentType = readHeader(response.headers, 'content-type');\n if (contentType && /application\\/problem\\+json/i.test(contentType)) {\n const body =\n typeof response.body === 'object' && response.body !== null\n ? (response.body as Record<string, unknown>)\n : {};\n return {\n kind: 'error',\n error: {\n type: coerceString(body.type),\n title: coerceString(body.title),\n detail: coerceString(body.detail),\n },\n };\n }\n\n return null;\n}\n\n/\n Extract from either a request OR a response, auto-detecting which has MPP\n * artifacts. Convenience for pipeline callers.\n /\nexport function extractMPPContext(\n message:\n \| { request: MPPRequestLike }\n \| { response: MPPResponseLike }\n \| (MPPRequestLike & Partial<MPPResponseLike>)\n): MPPRequestContext \| null {\n if ('request' in message) return extractMPPFromRequest(message.request);\n if ('response' in message) return extractMPPFromResponse(message.response);\n if (typeof (message as MPPResponseLike).status === 'number') {\n return extractMPPFromResponse(message as MPPResponseLike);\n }\n return extractMPPFromRequest(message as MPPRequestLike);\n}\n\nfunction collectChallenges(response: MPPResponseLike): MPPChallengeSummary[] {\n const wwwAuth = readHeader(response.headers, 'www-authenticate');\n if (!wwwAuth) return [];\n const headers = new Headers();\n headers.set('www-authenticate', wwwAuth);\n\n const out: MPPChallengeSummary[] = [];\n try {\n const list = Challenge.fromHeadersList(headers);\n for (const ch of list) {\n out.push(summarizeChallenge(ch as unknown as Challenge.Challenge));\n }\n } catch {\n // fall through with empty list\n }\n return out;\n}\n\nfunction summarizeChallenge(\n ch: Challenge.Challenge \| Record<string, unknown>\n): MPPChallengeSummary {\n const raw = ch as Record<string, unknown>;\n return {\n id: coerceString(raw.id) ?? '',\n realm: coerceString(raw.realm) ?? '',\n method: coerceString(raw.method) ?? '',\n intent: coerceString(raw.intent) ?? '',\n request: (raw.request as Record<string, unknown>) ?? {},\n expires: coerceString(raw.expires),\n digest: coerceString(raw.digest),\n description: coerceString(raw.description),\n opaque: raw.opaque as Record<string, string> \| undefined,\n };\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined>,\n name: string\n): string \| undefined {\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw.join(', ');\n }\n }\n return undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n","/\n MPP verification — expiry + optional BodyDigest + source extraction.\n \n We do NOT verify the challenge's HMAC binding (needs merchant's secret)\n * or the cryptographic payment proof (per-method, requires upstream\n * connectivity). Those are the merchant's / settlement layer's job.\n \n Our job: structural correctness, expiry policy, tamper detection via\n * optional BodyDigest, and identity extraction for PDLSS binding.\n /\n\nimport { BodyDigest } from 'mppx';\nimport type { MPPRequestContext } from './mpp';\n\nexport interface MPPVerifyInput {\n context: MPPRequestContext;\n /* Raw request body to validate BodyDigest against, if the challenge declares one. /\n rawBody?: string;\n /* Seconds of clock-skew tolerance on challenge.expires. Default 300. /\n clockSkewSec?: number;\n /* Injectable for deterministic tests. /\n now?: () => number;\n}\n\nexport interface MPPVerifyResult {\n ok: boolean;\n expiryOk: boolean;\n bodyDigestOk: boolean \| null;\n source?: string;\n method?: string;\n error?: string;\n}\n\nexport function verifyMPP(input: MPPVerifyInput): MPPVerifyResult {\n const { context } = input;\n const tolerance = input.clockSkewSec ?? 300;\n const nowSec = input.now ? input.now() : Math.floor(Date.now() / 1000);\n\n // Extract the challenge under test — for credential flow, from inside the\n // wrapped challenge; for bare challenge flow, from context.challenges[0].\n const challenge = context.credential?.challenge ?? (context.challenges && context.challenges[0]);\n const source = context.credential?.source;\n const method = challenge?.method;\n\n let expiryOk = true;\n if (challenge?.expires) {\n const parsedExpiry = Date.parse(challenge.expires);\n if (!Number.isFinite(parsedExpiry)) {\n return {\n ok: false,\n expiryOk: false,\n bodyDigestOk: null,\n source,\n method,\n error: 'unparseable challenge.expires',\n };\n }\n const expiresSec = Math.floor(parsedExpiry / 1000);\n if (nowSec > expiresSec + tolerance) {\n expiryOk = false;\n }\n }\n\n let bodyDigestOk: boolean \| null = null;\n if (challenge?.digest && input.rawBody !== undefined) {\n try {\n if (!/^sha-256=/.test(challenge.digest)) {\n bodyDigestOk = false;\n } else {\n bodyDigestOk = BodyDigest.verify(challenge.digest as `sha-256=${string}`, input.rawBody);\n }\n } catch {\n bodyDigestOk = false;\n }\n }\n\n const ok = expiryOk && (bodyDigestOk === null \|\| bodyDigestOk === true);\n const errors: string[] = [];\n if (!expiryOk) errors.push('challenge expired');\n if (bodyDigestOk === false) errors.push('body digest mismatch');\n\n return {\n ok,\n expiryOk,\n bodyDigestOk,\n source,\n method,\n error: errors.length > 0 ? errors.join('; ') : undefined,\n };\n}\n","/\n x402 (Coinbase / Linux Foundation x402 Foundation) extractor.\n \n Wraps @x402/core's schema parsers. x402 Foundation launched April 2 2026\n * with v2 adding network-agnostic identifiers + multiple facilitators +\n * Bazaar discovery. MPP (Machine Payments Protocol) is the IETF-formalised\n * superset of x402; this module normalizes x402 output to MPP-shape so\n * downstream pipeline code is uniform.\n \n Where x402 lives on the wire:\n * - 402 response body (v2) OR `X-PAYMENT-REQUIRED` header (v1) — PaymentRequired\n * - Request body (v2) OR `X-PAYMENT` header (v1, base64) — PaymentPayload\n /\n\nimport {\n validatePaymentRequired,\n validatePaymentPayload,\n type PaymentRequired,\n type PaymentPayload,\n type PaymentRequirements,\n} from '@x402/core/schemas';\nimport { safeBase64Decode } from '@x402/core/utils';\n\nexport type X402Kind = 'required' \| 'payload' \| 'error' \| 'unknown';\n\nexport interface X402RequirementsSummary {\n scheme: string;\n network: string;\n asset: string;\n /* Normalized to string for v1/v2 compat — v1 uses maxAmountRequired, v2 uses amount. /\n amount: string;\n payTo: string;\n maxTimeoutSeconds?: number;\n resource?: string;\n description?: string;\n}\n\nexport interface X402RequestContext {\n kind: X402Kind;\n version: 1 \| 2 \| null;\n /* For 402 responses: the PaymentRequired body. /\n paymentRequired?: {\n resource: string;\n accepts: X402RequirementsSummary[];\n extensions?: Record<string, unknown>;\n error?: string;\n };\n /* For request body (v2) or X-PAYMENT header (v1 base64): the PaymentPayload. /\n paymentPayload?: {\n scheme: string;\n network: string;\n /* Free-form per-scheme payload (e.g. EIP-3009 authorization, Solana tx). /\n payload: Record<string, unknown>;\n extensions?: Record<string, unknown>;\n };\n error?: { type: string; detail?: string };\n /* Whether this was parsed from a header (v1 back-compat) or body (v2). /\n source: 'header' \| 'body' \| null;\n}\n\nexport interface X402RequestLike {\n method?: string;\n url?: string;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n}\n\nexport interface X402ResponseLike {\n status?: number;\n headers?: Record<string, string \| string[] \| undefined>;\n body?: unknown;\n}\n\n/\n Extract x402 PaymentPayload from an agent → merchant request.\n * Checks v2 body (if it parses as PaymentPayload) and v1 X-PAYMENT header.\n /\nexport function extractX402FromRequest(request: X402RequestLike): X402RequestContext \| null {\n const headerValue = readHeader(request.headers, 'x-payment');\n\n // v2 body path first\n if (request.body && typeof request.body === 'object') {\n const parsed = tryParsePayload(request.body);\n if (parsed) return buildPayloadContext(parsed, 'body');\n }\n\n // v1 header path\n if (headerValue) {\n try {\n const decoded = safeBase64Decode(headerValue);\n if (decoded) {\n const json = JSON.parse(decoded);\n const parsed = tryParsePayload(json);\n if (parsed) return buildPayloadContext(parsed, 'header');\n }\n } catch {\n return {\n kind: 'error',\n version: 1,\n source: 'header',\n error: { type: 'invalid-x402-payload' },\n };\n }\n }\n\n return null;\n}\n\n/\n Extract x402 PaymentRequired from a merchant → agent 402 response.\n /\nexport function extractX402FromResponse(response: X402ResponseLike): X402RequestContext \| null {\n if (response.status !== 402) return null;\n\n // v2 body path\n if (response.body && typeof response.body === 'object') {\n const parsed = tryParseRequired(response.body);\n if (parsed) return buildRequiredContext(parsed, 'body');\n }\n\n // v1 header path\n const headerValue = readHeader(response.headers, 'x-payment-required');\n if (headerValue) {\n try {\n const decoded = safeBase64Decode(headerValue);\n if (decoded) {\n const json = JSON.parse(decoded);\n const parsed = tryParseRequired(json);\n if (parsed) return buildRequiredContext(parsed, 'header');\n }\n } catch {\n return {\n kind: 'error',\n version: 1,\n source: 'header',\n error: { type: 'invalid-x402-required' },\n };\n }\n }\n\n return null;\n}\n\nexport function extractX402Context(\n message:\n \| { request: X402RequestLike }\n \| { response: X402ResponseLike }\n \| (X402RequestLike & Partial<X402ResponseLike>)\n): X402RequestContext \| null {\n if ('request' in message) return extractX402FromRequest(message.request);\n if ('response' in message) return extractX402FromResponse(message.response);\n if (typeof (message as X402ResponseLike).status === 'number') {\n return extractX402FromResponse(message as X402ResponseLike);\n }\n return extractX402FromRequest(message as X402RequestLike);\n}\n\nfunction tryParseRequired(data: unknown): PaymentRequired \| null {\n try {\n return validatePaymentRequired(data);\n } catch {\n return null;\n }\n}\n\nfunction tryParsePayload(data: unknown): PaymentPayload \| null {\n try {\n return validatePaymentPayload(data);\n } catch {\n return null;\n }\n}\n\nfunction buildRequiredContext(\n parsed: PaymentRequired,\n source: 'header' \| 'body'\n): X402RequestContext {\n const asRecord = parsed as unknown as Record<string, unknown>;\n const version = coerceVersion(asRecord.x402Version);\n const accepts = (asRecord.accepts as PaymentRequirements[] \| undefined) ?? [];\n return {\n kind: 'required',\n version,\n source,\n paymentRequired: {\n resource: resolveResource(asRecord.resource),\n accepts: accepts.map(summarizeRequirement),\n extensions: asRecord.extensions as Record<string, unknown> \| undefined,\n error: typeof asRecord.error === 'string' ? asRecord.error : undefined,\n },\n };\n}\n\nfunction buildPayloadContext(\n parsed: PaymentPayload,\n source: 'header' \| 'body'\n): X402RequestContext {\n const asRecord = parsed as unknown as Record<string, unknown>;\n const version = coerceVersion(asRecord.x402Version);\n const accepted = asRecord.accepted as PaymentRequirements \| undefined;\n const payload = (asRecord.payload as Record<string, unknown>) ?? {};\n return {\n kind: 'payload',\n version,\n source,\n paymentPayload: {\n scheme: accepted?.scheme ?? (typeof asRecord.scheme === 'string' ? asRecord.scheme : ''),\n network: accepted?.network ?? (typeof asRecord.network === 'string' ? asRecord.network : ''),\n payload,\n extensions: asRecord.extensions as Record<string, unknown> \| undefined,\n },\n };\n}\n\nfunction summarizeRequirement(req: PaymentRequirements): X402RequirementsSummary {\n const r = req as unknown as Record<string, unknown>;\n const amount = (r.amount ?? r.maxAmountRequired ?? '0') as string;\n return {\n scheme: (r.scheme as string) ?? '',\n network: (r.network as string) ?? '',\n asset: (r.asset as string) ?? '',\n amount: String(amount),\n payTo: (r.payTo as string) ?? '',\n maxTimeoutSeconds: typeof r.maxTimeoutSeconds === 'number' ? r.maxTimeoutSeconds : undefined,\n resource: typeof r.resource === 'string' ? r.resource : undefined,\n description: typeof r.description === 'string' ? r.description : undefined,\n };\n}\n\nfunction resolveResource(v: unknown): string {\n if (typeof v === 'string') return v;\n if (v && typeof v === 'object' && 'url' in v && typeof (v as { url: unknown }).url === 'string') {\n return (v as { url: string }).url;\n }\n return '';\n}\n\nfunction coerceVersion(v: unknown): 1 \| 2 \| null {\n if (v === 1 \|\| v === 2) return v;\n return null;\n}\n\nfunction readHeader(\n headers: Record<string, string \| string[] \| undefined> \| undefined,\n name: string\n): string \| undefined {\n if (!headers) return undefined;\n for (const key of Object.keys(headers)) {\n if (key.toLowerCase() === name) {\n const raw = headers[key];\n if (typeof raw === 'string') return raw;\n if (Array.isArray(raw)) return raw[0];\n }\n }\n return undefined;\n}\n","/\n VI (Verifiable Intent) 3-layer SD-JWT chain verification.\n \n VI chains: L1 (credential provider → wallet) → L2 (user → agent) → L3\n * (agent → merchant). L3 itself can split into L3a (payment mandate) + L3b\n * (checkout mandate) cross-referenced via transaction_id, with L3b carrying\n * a checkout_hash (VI constraint type 8) that must match SHA-256 of the L2\n * checkout disclosure.\n \n Signature primitives are delegated to @sd-jwt/core (via our extractor);\n * cnf.jwk chain-walking + cross-references + checkout_hash binding is\n * AstraSync-specific composition logic — that's the whitespace here.\n \n This module does NOT re-verify selective-disclosure hashes (the extractor\n * already applied them via @sd-jwt/decode). It DOES verify:\n * - cnf.jwk in L1 payload points to L2's signing key (thumbprint match)\n * - cnf.jwk in L2 payload points to L3's signing key\n * - L3a.transaction_id === L3b.transaction_id (when both present)\n * - L3b.checkout_hash === SHA-256(L2 canonical checkout disclosure) — type 8\n * - mandate-level `exp` is not in the past (beyond clock skew)\n \n Cryptographic signature verification on each layer uses the verifier\n * callback the caller supplies (e.g. resolves via @sd-jwt/core with the\n * right JWK from the L1 issuer's JWKS).\n /\n\nimport { createHash, webcrypto } from 'node:crypto';\nimport type { JWK } from 'jose';\n\nexport interface VILayer {\n /* Compact SD-JWT / JWS for this layer. /\n compact: string;\n /* Decoded JWT payload (already disclosure-merged). /\n payload: Record<string, unknown>;\n /* Decoded JWT header. /\n header: Record<string, unknown>;\n}\n\nexport interface VIVerifyInput {\n /\n Layers in chain order. L1 may be omitted when the caller has already\n * resolved the chain via a trusted wallet binding.\n /\n layers: {\n l1?: VILayer;\n l2: VILayer;\n l3a?: VILayer;\n l3b?: VILayer;\n };\n /\n Verifier callback invoked per layer. Should return true iff the layer's\n * JWS signature verifies against the resolved public key (for L2 this is\n * L1's cnf.jwk; for L3 this is L2's cnf.jwk; for L1 this is the issuer's\n * JWKS per `iss` claim).\n /\n verifySignature: (layer: VILayer, expectedKey: JWK \| null) => Promise<boolean>;\n clockSkewSec?: number;\n now?: () => number;\n}\n\nexport interface VIVerifyResult {\n ok: boolean;\n checks: {\n l1SigOk: boolean \| null;\n l2SigOk: boolean;\n l3aSigOk: boolean \| null;\n l3bSigOk: boolean \| null;\n l1BindsL2: boolean;\n l2BindsL3: boolean;\n l3aL3bTxnIdMatch: boolean \| null;\n checkoutHashOk: boolean \| null;\n expiryOk: boolean;\n };\n errors: string[];\n}\n\nexport async function verifyVIChain(input: VIVerifyInput): Promise<VIVerifyResult> {\n const errors: string[] = [];\n const tolerance = input.clockSkewSec ?? 300;\n const now = input.now ? input.now() : Math.floor(Date.now() / 1000);\n const { l1, l2, l3a, l3b } = input.layers;\n\n // Signature verification ---------------------------------\n const l1SigOk = l1 ? await input.verifySignature(l1, null) : null;\n if (l1 && !l1SigOk) errors.push('L1 signature invalid');\n\n const l1Cnf = extractCnfJwk(l1?.payload);\n const l2SigOk = await input.verifySignature(l2, l1Cnf ?? null);\n if (!l2SigOk) errors.push('L2 signature invalid');\n\n const l2Cnf = extractCnfJwk(l2.payload);\n const l3aSigOk = l3a ? await input.verifySignature(l3a, l2Cnf ?? null) : null;\n if (l3a && !l3aSigOk) errors.push('L3a signature invalid');\n const l3bSigOk = l3b ? await input.verifySignature(l3b, l2Cnf ?? null) : null;\n if (l3b && !l3bSigOk) errors.push('L3b signature invalid');\n\n // cnf.jwk binding ----------------------------------------\n let l1BindsL2 = true;\n if (l1Cnf) {\n const l2KeyFromHeader = await jwkForLayer(l2);\n l1BindsL2 = l2KeyFromHeader ? await thumbprintsMatch(l1Cnf, l2KeyFromHeader) : false;\n if (!l1BindsL2) errors.push('L1.cnf.jwk does not bind L2 signing key');\n }\n\n let l2BindsL3 = true;\n if (l2Cnf && (l3a \|\| l3b)) {\n const l3Layer = l3a ?? l3b!;\n const l3KeyFromHeader = await jwkForLayer(l3Layer);\n l2BindsL3 = l3KeyFromHeader ? await thumbprintsMatch(l2Cnf, l3KeyFromHeader) : false;\n if (!l2BindsL3) errors.push('L2.cnf.jwk does not bind L3 signing key');\n }\n\n // L3a/L3b cross-reference --------------------------------\n let l3aL3bTxnIdMatch: boolean \| null = null;\n if (l3a && l3b) {\n const a = coerceString(l3a.payload.transaction_id ?? l3a.payload.transactionId);\n const b = coerceString(l3b.payload.transaction_id ?? l3b.payload.transactionId);\n if (a && b) {\n l3aL3bTxnIdMatch = a === b;\n if (!l3aL3bTxnIdMatch) {\n errors.push(`L3a.transaction_id (${a}) does not match L3b.transaction_id (${b})`);\n }\n }\n }\n\n // checkout_hash (VI constraint type 8) -------------------\n let checkoutHashOk: boolean \| null = null;\n if (l3b) {\n const declaredHash = coerceString(\n l3b.payload.checkout_hash ??\n l3b.payload.conditional_transaction_id ??\n (l3b.payload.payment_reference as Record<string, unknown> \| undefined)?.checkout_hash\n );\n if (declaredHash) {\n const computed = computeCheckoutHashFromL2(l2);\n checkoutHashOk = computed ? declaredHash === computed : false;\n if (!checkoutHashOk) {\n errors.push('L3b.checkout_hash does not match SHA-256 of L2 checkout disclosure');\n }\n }\n }\n\n // Expiry policy ------------------------------------------\n const expiryOk = checkExpiryAcross([l1, l2, l3a, l3b], tolerance, now, errors);\n\n const ok =\n l1SigOk !== false &&\n l2SigOk &&\n l3aSigOk !== false &&\n l3bSigOk !== false &&\n l1BindsL2 &&\n l2BindsL3 &&\n l3aL3bTxnIdMatch !== false &&\n checkoutHashOk !== false &&\n expiryOk;\n\n return {\n ok,\n checks: {\n l1SigOk,\n l2SigOk,\n l3aSigOk,\n l3bSigOk,\n l1BindsL2,\n l2BindsL3,\n l3aL3bTxnIdMatch,\n checkoutHashOk,\n expiryOk,\n },\n errors,\n };\n}\n\nfunction extractCnfJwk(payload: Record<string, unknown> \| undefined): JWK \| null {\n if (!payload) return null;\n const cnf = payload.cnf as Record<string, unknown> \| undefined;\n if (!cnf) return null;\n const jwk = cnf.jwk as JWK \| undefined;\n return jwk ?? null;\n}\n\nasync function jwkForLayer(layer: VILayer): Promise<JWK \| null> {\n // Prefer explicit cnf.jwk in the header, then payload; fallback to null.\n const fromHeader = extractCnfJwk(layer.header);\n if (fromHeader) return fromHeader;\n const fromPayload = extractCnfJwk(layer.payload);\n return fromPayload;\n}\n\nasync function thumbprintsMatch(a: JWK, b: JWK): Promise<boolean> {\n try {\n const ta = await jwkThumbprint(a);\n const tb = await jwkThumbprint(b);\n return ta === tb;\n } catch {\n return false;\n }\n}\n\n// RFC 7638 thumbprint: SHA-256 over the canonical JSON of required JWK members.\nasync function jwkThumbprint(jwk: JWK): Promise<string> {\n const canonical = canonicalJwk(jwk);\n const bytes = new TextEncoder().encode(JSON.stringify(canonical));\n const subtle = webcrypto.subtle as SubtleCrypto;\n const buffer = await new Promise<ArrayBuffer>((resolve, reject) => {\n const source = new ArrayBuffer(bytes.byteLength);\n new Uint8Array(source).set(bytes);\n subtle.digest('SHA-256', source).then(resolve).catch(reject);\n });\n return Buffer.from(new Uint8Array(buffer)).toString('base64url').replace(/=+$/, '');\n}\n\nfunction canonicalJwk(jwk: JWK): Record<string, string> {\n // Per RFC 7638: members must appear in lexicographic order; only required\n // fields per kty are included.\n if (jwk.kty === 'EC') {\n return { crv: jwk.crv ?? '', kty: 'EC', x: jwk.x ?? '', y: jwk.y ?? '' };\n }\n if (jwk.kty === 'OKP') {\n return { crv: jwk.crv ?? '', kty: 'OKP', x: jwk.x ?? '' };\n }\n if (jwk.kty === 'RSA') {\n return { e: jwk.e ?? '', kty: 'RSA', n: jwk.n ?? '' };\n }\n return { kty: jwk.kty ?? '' };\n}\n\nfunction computeCheckoutHashFromL2(l2: VILayer): string \| null {\n const checkoutDisclosure = (l2.payload.checkout ?? l2.payload.checkout_mandate) as unknown;\n if (!checkoutDisclosure) return null;\n const canonical = canonicalStringify(checkoutDisclosure);\n const hash = createHash('sha256').update(canonical).digest('base64url').replace(/=+$/, '');\n return hash;\n}\n\nfunction canonicalStringify(value: unknown): string {\n if (value === null \|\| typeof value !== 'object') return JSON.stringify(value);\n if (Array.isArray(value)) return '[' + value.map(canonicalStringify).join(',') + ']';\n const entries = Object.entries(value as Record<string, unknown>).sort(([a], [b]) =>\n a < b ? -1 : a > b ? 1 : 0\n );\n return (\n '{' + entries.map(([k, v]) => JSON.stringify(k) + ':' + canonicalStringify(v)).join(',') + '}'\n );\n}\n\nfunction checkExpiryAcross(\n layers: Array<VILayer \| undefined>,\n toleranceSec: number,\n nowSec: number,\n errors: string[]\n): boolean {\n let ok = true;\n const names = ['L1', 'L2', 'L3a', 'L3b'];\n layers.forEach((layer, idx) => {\n if (!layer) return;\n const exp = toUnixSeconds(layer.payload.exp ?? layer.payload.expires);\n if (exp === undefined) return;\n if (nowSec > exp + toleranceSec) {\n errors.push(`${names[idx]} mandate expired at ${exp}`);\n ok = false;\n }\n });\n return ok;\n}\n\nfunction toUnixSeconds(v: unknown): number \| undefined {\n if (typeof v === 'number' && Number.isFinite(v)) return v;\n if (typeof v === 'string') {\n const asInt = Number(v);\n if (Number.isFinite(asInt) && asInt > 0) {\n return asInt >= 1e12 ? Math.floor(asInt / 1000) : Math.floor(asInt);\n }\n const parsed = Date.parse(v);\n if (Number.isFinite(parsed)) return Math.floor(parsed / 1000);\n }\n return undefined;\n}\n\nfunction coerceString(v: unknown): string \| undefined {\n return typeof v === 'string' && v.length > 0 ? v : undefined;\n}\n","/\n Visa JWKS registry resolver.\n \n Default endpoint: https://mcp.visa.com/.well-known/jwks (per Visa TAP spec).\n * Wraps jose.createRemoteJWKSet which handles caching + rotation natively.\n /\n\nimport { createRemoteJWKSet, type JWK } from 'jose';\nimport type { RegistryResolver, ResolveContext } from './types';\n\nconst DEFAULT_VISA_JWKS_URL = 'https://mcp.visa.com/.well-known/jwks';\n\nexport interface VisaRegistryOptions {\n jwksUrl?: string;\n cacheMaxAge?: number;\n cooldownDuration?: number;\n}\n\nexport function createVisaRegistry(options: VisaRegistryOptions = {}): RegistryResolver {\n const url = new URL(options.jwksUrl ?? DEFAULT_VISA_JWKS_URL);\n const jwks = createRemoteJWKSet(url, {\n cacheMaxAge: options.cacheMaxAge,\n cooldownDuration: options.cooldownDuration,\n });\n\n return {\n name: 'visa',\n async resolve(kid: string, context?: ResolveContext): Promise<JWK \| null> {\n if (!kid) return null;\n try {\n const key = await jwks({\n kid,\n alg: context?.algorithm ?? 'ES256',\n typ: 'JWT',\n });\n return exportJwkFromKeyLike(key);\n } catch {\n return null;\n }\n },\n };\n}\n\nasync function exportJwkFromKeyLike(keyLike: unknown): Promise<JWK \| null> {\n if (!keyLike) return null;\n // jose returns KeyObject or CryptoKey — both export via exportJWK at caller side.\n // Runtime shape check: if it already looks like a JWK, pass through.\n if (typeof keyLike === 'object' && 'kty' in (keyLike as object)) {\n return keyLike as JWK;\n }\n const { exportJWK } = await import('jose');\n try {\n return await exportJWK(keyLike as Parameters<typeof exportJWK>[0]);\n } catch {\n return null;\n }\n}\n","/\n Online Mode — Delegates to the existing verify() function.\n * Full trust scoring, blockchain verification, audit trail, PDLSS evaluation via API.\n /\n\nimport type { AstraSyncGatewayConfig, PDLSSContext, VerificationDecision } from '../types';\nimport {\n verify,\n type VerificationResult,\n type VerificationRequest,\n type GatewayConfig,\n} from '../../index';\n\n/\n Convert gateway config to the existing GatewayConfig format.\n /\nfunction toGatewayConfig(config: AstraSyncGatewayConfig): GatewayConfig {\n return {\n apiBaseUrl: config.apiBaseUrl \|\| 'https://api.astrasync.ai',\n apiKey: config.apiKey,\n defaultAccessLevel: config.defaultAccessLevel,\n minTrustScore: config.minTrustScore,\n minTrustScoreForFull: config.minTrustScoreForFull,\n cacheTtl: config.cacheTtl,\n debug: config.debug,\n customHeaders: config.customHeaders,\n counterpartyUrl: config.counterpartyUrl,\n counterpartyType: config.counterpartyType,\n };\n}\n\n/\n Convert PDLSS context to a verification request.\n /\nfunction toVerificationRequest(context: PDLSSContext, astraId?: string): VerificationRequest {\n return {\n credentials: { astraId },\n purpose: context.purpose,\n action: context.action,\n resourceType: context.resourceType,\n resource: context.target,\n transactionValue: context.transactionValue,\n currency: context.currency,\n createSession: true,\n };\n}\n\n/\n Convert verification result to a VerificationDecision.\n /\nfunction toDecision(result: VerificationResult): VerificationDecision {\n // Round-18 G4: ALLOW only when both identity AND policy pass.\n if (result.identityVerified && result.policyAllowed) {\n return {\n recommendation: 'ALLOW',\n reason: `Verified with access level: ${result.accessLevel}`,\n trustScore: result.agent?.trustScore,\n sessionId:\n 'sessionId' in result\n ? ((result as Record<string, unknown>).sessionId as string)\n : undefined,\n };\n }\n\n if (result.requiresStepUp \|\| result.requiresApproval) {\n return {\n recommendation: 'MANUAL_REVIEW',\n reason: result.denialReasons?.[0] \|\| 'Step-up or approval required',\n trustScore: result.agent?.trustScore,\n };\n }\n\n return {\n recommendation: 'DENY',\n reason: result.denialReasons?.[0] \|\| 'Access denied',\n trustScore: result.agent?.trustScore,\n };\n}\n\n/\n Verify via the AstraSync API (online mode).\n /\nexport async function verifyOnline(\n config: AstraSyncGatewayConfig,\n context: PDLSSContext,\n astraId?: string\n): Promise<VerificationDecision> {\n const gatewayConfig = toGatewayConfig(config);\n const request = toVerificationRequest(context, astraId);\n const result = await verify(gatewayConfig, request);\n return toDecision(result);\n}\n","/\n Hybrid Mode — Local evaluation for speed, async API sync for trust scoring.\n \n Immediate: local PDLSS evaluation (< 1ms)\n * Async: queued API verification for audit trail and trust score updates\n \n Queue entries are persisted to disk so they survive process restarts.\n /\n\nimport { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';\nimport { dirname } from 'path';\nimport type { AstraSyncGatewayConfig, PDLSSContext, VerificationDecision, SyncQueueEntry } from '../types';\nimport type { LocalEvaluator } from '../../local-evaluator/evaluator';\nimport { verifyOnline } from './online';\n\nconst MAX_QUEUE_SIZE = 1000;\nconst MAX_RETRIES = 3;\n\nexport class HybridSyncQueue {\n private queue: SyncQueueEntry[] = [];\n private timer: ReturnType<typeof setInterval> \| null = null;\n private config: AstraSyncGatewayConfig;\n private processing = false;\n private persistPath: string \| null = null;\n\n constructor(config: AstraSyncGatewayConfig, persistPath?: string) {\n this.config = config;\n this.persistPath = persistPath ?? null;\n this.loadFromDisk();\n }\n\n /\n Start periodic sync.\n /\n start(intervalMs: number): void {\n if (this.timer) return;\n this.timer = setInterval(() => this.flush(), intervalMs);\n }\n\n /\n Stop periodic sync and flush remaining entries.\n /\n async stop(): Promise<void> {\n if (this.timer) {\n clearInterval(this.timer);\n this.timer = null;\n }\n await this.flush();\n this.saveToDisk();\n }\n\n /\n Add a decision to the sync queue.\n /\n enqueue(context: PDLSSContext, decision: VerificationDecision): void {\n if (this.queue.length >= MAX_QUEUE_SIZE) {\n // Drop oldest entry\n this.queue.shift();\n }\n\n this.queue.push({\n id: `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,\n context,\n decision,\n timestamp: new Date(),\n retryCount: 0,\n status: 'pending',\n });\n\n this.saveToDisk();\n }\n\n /\n Flush pending entries to the API.\n /\n async flush(): Promise<void> {\n if (this.processing) return;\n this.processing = true;\n\n try {\n const pending = this.queue.filter((e) => e.status === 'pending');\n\n for (const entry of pending) {\n try {\n await verifyOnline(this.config, entry.context);\n entry.status = 'synced';\n } catch {\n entry.retryCount++;\n if (entry.retryCount >= MAX_RETRIES) {\n entry.status = 'failed';\n }\n }\n }\n\n // Remove synced and permanently failed entries\n this.queue = this.queue.filter((e) => e.status === 'pending');\n this.saveToDisk();\n } finally {\n this.processing = false;\n }\n }\n\n /\n Get queue status.\n /\n getStatus(): { pending: number; total: number } {\n return {\n pending: this.queue.filter((e) => e.status === 'pending').length,\n total: this.queue.length,\n };\n }\n\n /\n Load persisted queue entries from disk.\n /\n private loadFromDisk(): void {\n if (!this.persistPath) return;\n\n try {\n if (!existsSync(this.persistPath)) return;\n const data = readFileSync(this.persistPath, 'utf-8');\n const entries = JSON.parse(data) as SyncQueueEntry[];\n // Only restore pending entries\n this.queue = entries\n .filter((e) => e.status === 'pending')\n .map((e) => ({ ...e, timestamp: new Date(e.timestamp) }));\n } catch {\n // Corrupted file or read error — start with empty queue\n this.queue = [];\n }\n }\n\n /\n Persist queue entries to disk.\n /\n private saveToDisk(): void {\n if (!this.persistPath) return;\n\n try {\n const dir = dirname(this.persistPath);\n if (!existsSync(dir)) mkdirSync(dir, { recursive: true });\n writeFileSync(this.persistPath, JSON.stringify(this.queue, null, 2), 'utf-8');\n } catch {\n // Best-effort — don't crash if disk write fails\n }\n }\n}\n\n/\n Verify in hybrid mode: local eval + queued sync.\n /\nexport function verifyHybrid(\n evaluator: LocalEvaluator,\n syncQueue: HybridSyncQueue,\n context: PDLSSContext,\n): VerificationDecision {\n // Local evaluation is the immediate response\n const decision = evaluator.evaluate(context);\n\n // Queue for async API sync (fire-and-forget)\n syncQueue.enqueue(context, decision);\n\n return decision;\n}\n","/\n Trace Logger — append-only JSONL audit trail.\n \n Cherry-picked from trust-harness-core and simplified.\n * Writes evaluation events to .astrasync/traces/ as JSONL files,\n * one file per day, with rotation.\n /\n\nimport { appendFileSync, mkdirSync, existsSync, statSync, readdirSync, unlinkSync } from 'fs';\nimport { join } from 'path';\nimport type { TraceEvent, PDLSSContext, VerificationDecision } from './types';\n\nconst MAX_FILE_SIZE = 10 1024 * 1024; // 10MB\nconst MAX_FILES = 10;\n\nexport class TraceLogger {\n private tracePath: string;\n private enabled: boolean;\n\n constructor(tracePath: string, enabled: boolean) {\n this.tracePath = tracePath;\n this.enabled = enabled;\n\n if (enabled) {\n mkdirSync(tracePath, { recursive: true });\n }\n }\n\n /*\n Log an evaluation event.\n /\n logEvaluation(context: PDLSSContext, decision: VerificationDecision): void {\n if (!this.enabled) return;\n\n this.write({\n id: this.generateId(),\n timestamp: new Date(),\n type: 'evaluation',\n context,\n decision,\n });\n }\n\n /\n Log a mode switch event.\n /\n logModeSwitch(from: string, to: string): void {\n if (!this.enabled) return;\n\n this.write({\n id: this.generateId(),\n timestamp: new Date(),\n type: 'mode_switch',\n metadata: { from, to },\n });\n }\n\n /\n Log an error event.\n /\n logError(error: string, context?: PDLSSContext): void {\n if (!this.enabled) return;\n\n this.write({\n id: this.generateId(),\n timestamp: new Date(),\n type: 'error',\n context,\n metadata: { error },\n });\n }\n\n private write(event: TraceEvent): void {\n try {\n const filePath = this.getCurrentFilePath();\n const line = JSON.stringify(event) + '\\n';\n\n // Rotate if needed\n if (existsSync(filePath)) {\n const stats = statSync(filePath);\n if (stats.size > MAX_FILE_SIZE) {\n this.rotate();\n }\n }\n\n appendFileSync(filePath, line);\n } catch {\n // Trace logging should never crash the gateway\n }\n }\n\n private getCurrentFilePath(): string {\n const date = new Date().toISOString().split('T')[0];\n return join(this.tracePath, `trace-${date}.jsonl`);\n }\n\n private rotate(): void {\n try {\n const files = readdirSync(this.tracePath)\n .filter((f) => f.startsWith('trace-') && f.endsWith('.jsonl'))\n .sort();\n\n while (files.length >= MAX_FILES) {\n const oldest = files.shift()!;\n unlinkSync(join(this.tracePath, oldest));\n }\n } catch {\n // Best effort rotation\n }\n }\n\n private generateId(): string {\n return `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;\n }\n}\n","/\n AstraSyncGateway — Primary API surface for agent verification.\n \n Supports three operational modes:\n * - online: Full API-based verification with trust scoring and audit trail\n * - local: Offline PDLSS evaluation using a local policy file (no account required)\n * - hybrid: Local eval for speed + async API sync for trust scoring\n \n @example\n * ```typescript\n * // Local mode (free, no account)\n * const gateway = new AstraSyncGateway({ mode: 'local', policyFile: './policy.yaml' });\n * const decision = await gateway.evaluate(context);\n \n // Online mode (paid, full features)\n * const gateway = new AstraSyncGateway({ mode: 'online', apiKey: 'key' });\n * const decision = await gateway.evaluate(context);\n * ```\n /\n\nimport type { AstraSyncGatewayConfig, PDLSSContext, VerificationDecision } from './types';\nimport type { LocalEvaluator } from '../local-evaluator/evaluator';\nimport { loadEvaluator } from './modes/local';\nimport { verifyLocal } from './modes/local';\nimport { verifyOnline } from './modes/online';\nimport { verifyHybrid, HybridSyncQueue } from './modes/hybrid';\nimport { TraceLogger } from './trace-logger';\n\nexport class AstraSyncGateway {\n private config: AstraSyncGatewayConfig;\n private evaluator: LocalEvaluator \| null = null;\n private syncQueue: HybridSyncQueue \| null = null;\n private traceLogger: TraceLogger \| null = null;\n private initialized = false;\n\n constructor(config: AstraSyncGatewayConfig) {\n this.config = config;\n this.validateConfig();\n }\n\n private validateConfig(): void {\n const { mode } = this.config;\n\n if (mode === 'online') {\n if (!this.config.apiBaseUrl && !this.config.apiKey) {\n throw new Error('Online mode requires apiBaseUrl or apiKey');\n }\n }\n\n if (mode === 'local') {\n if (!this.config.policyFile && !this.config.policy) {\n throw new Error('Local mode requires policyFile or policy');\n }\n }\n\n if (mode === 'hybrid') {\n if (!this.config.policyFile && !this.config.policy) {\n throw new Error('Hybrid mode requires policyFile or policy');\n }\n }\n }\n\n /\n Initialize the gateway (loads policy files, starts sync queues).\n * Called automatically on first evaluate() if not called manually.\n /\n async initialize(): Promise<void> {\n if (this.initialized) return;\n\n const { mode } = this.config;\n\n if (mode === 'local' \|\| mode === 'hybrid') {\n this.evaluator = loadEvaluator(this.config);\n }\n\n if (mode === 'hybrid') {\n const persistPath = this.config.tracePath\n ? `${this.config.tracePath}/../sync-queue.json`\n : '.astrasync/sync-queue.json';\n this.syncQueue = new HybridSyncQueue(this.config, persistPath);\n const intervalMs = (this.config.syncInterval \|\| 3600) 1000;\n this.syncQueue.start(intervalMs);\n }\n\n // Initialize trace logger\n if (this.config.traceEnabled) {\n const tracePath = this.config.tracePath \|\| '.astrasync/traces';\n this.traceLogger = new TraceLogger(tracePath, true);\n }\n\n this.initialized = true;\n\n if (this.config.debug) {\n const posture = this.config.posture \|\| 'active';\n console.log(`[AstraSyncGateway] Initialized in ${mode} mode (${posture})`);\n }\n }\n\n /*\n Graceful shutdown. Flushes sync queue and cleans up resources.\n /\n async shutdown(): Promise<void> {\n if (this.syncQueue) {\n await this.syncQueue.stop();\n this.syncQueue = null;\n }\n\n this.evaluator = null;\n this.initialized = false;\n\n if (this.config.debug) {\n console.log('[AstraSyncGateway] Shut down');\n }\n }\n\n /\n Evaluate an action against the verification policy.\n * Routes to the appropriate mode handler.\n \n In passive posture, evaluation runs but always returns ALLOW\n * (the real decision is logged for telemetry).\n /\n async evaluate(context: PDLSSContext, astraId?: string): Promise<VerificationDecision> {\n if (!this.initialized) {\n await this.initialize();\n }\n\n let decision: VerificationDecision;\n\n switch (this.config.mode) {\n case 'online':\n decision = await verifyOnline(this.config, context, astraId);\n break;\n\n case 'local':\n if (!this.evaluator) throw new Error('Local evaluator not initialized');\n decision = verifyLocal(this.evaluator, context);\n break;\n\n case 'hybrid':\n if (!this.evaluator \|\| !this.syncQueue) throw new Error('Hybrid mode not initialized');\n decision = verifyHybrid(this.evaluator, this.syncQueue, context);\n break;\n\n default:\n throw new Error(`Unknown mode: ${this.config.mode}`);\n }\n\n // In passive posture, log but don't block\n if (this.config.posture === 'passive' && decision.recommendation !== 'ALLOW') {\n decision = {\n ...decision,\n recommendation: 'ALLOW',\n reason: `[PASSIVE] Would have been ${decision.recommendation}: ${decision.reason}`,\n };\n }\n\n // Trace logging — captures the final decision (including passive override)\n this.traceLogger?.logEvaluation(context, decision);\n\n return decision;\n }\n\n /\n Get the current mode.\n /\n get mode(): AstraSyncGatewayConfig['mode'] {\n return this.config.mode;\n }\n\n /\n Get the current posture (active or passive).\n /\n get posture(): 'active' \| 'passive' {\n return this.config.posture \|\| 'active';\n }\n\n /\n Switch modes at runtime (e.g. after upgrade from free to paid).\n /\n async switchMode(newMode: AstraSyncGatewayConfig['mode'], additionalConfig?: Partial<AstraSyncGatewayConfig>): Promise<void> {\n const oldMode = this.config.mode;\n await this.shutdown();\n\n this.config = { ...this.config, ...additionalConfig, mode: newMode };\n this.validateConfig();\n await this.initialize();\n\n this.traceLogger?.logModeSwitch(oldMode, newMode);\n\n if (this.config.debug) {\n console.log(`[AstraSyncGateway] Switched to ${newMode} mode`);\n }\n }\n\n /\n Get sync queue status (hybrid mode only).\n */\n getSyncStatus(): { pending: number; total: number } \| null {\n return this.syncQueue?.getStatus() \|\| null;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACsEO,IAAM,4BAA4B;;;AC1DzC,IAAM,mBAA2C;AAAA;AAAA,EAE/C,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,SAAS;AAAA,EACT,eAAe;AAAA,EACf,sBAAsB;AAAA;AAAA,EAGtB,WAAW;AAAA,EACX,WAAW;AAAA;AAAA,EAGX,YAAY;AAAA,EACZ,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,WAAW;AAAA;AAAA,EAGX,aAAa;AAAA,EACb,aAAa;AAAA;AAAA,EAGb,cAAc;AAAA,EACd,OAAO;AAAA,EACP,aAAa;AAAA;AAAA,EAGb,YAAY;AAAA,EACZ,YAAY;AAAA;AAAA,EAGZ,cAAc;AAAA;AAAA,EAGd,gBAAgB;AAAA,EAChB,gBAAgB;AAAA;AAAA,EAGhB,iBAAiB;AACnB;AAMO,SAAS,iBAAiB,UAA0B;AACzD,SAAO,iBAAiB,QAAQ,KAAK,QAAQ,QAAQ;AACvD;AAsBO,SAAS,cAAc,UAAkB,MAAuC;AACrF,QAAM,UAAU,iBAAiB,QAAQ;AAEzC,MAAI,QAAQ,WAAW,QAAQ,GAAG;AAChC,WAAO,OAAO,KAAK,WAAW,KAAK,OAAO,KAAK,UAAU,EAAE;AAAA,EAC7D;AAEA,MAAI,QAAQ,WAAW,OAAO,GAAG;AAC/B,WAAO,OAAO,KAAK,QAAQ,KAAK,QAAQ,KAAK,YAAY,KAAK,aAAa,EAAE;AAAA,EAC/E;AAEA,MAAI,QAAQ,WAAW,UAAU,GAAG;AAClC,WAAO,OAAO,KAAK,OAAO,KAAK,YAAY,KAAK,OAAO,EAAE;AAAA,EAC3D;AAEA,MAAI,QAAQ,WAAW,QAAQ,GAAG;AAChC,WAAO,OAAO,KAAK,MAAM,KAAK,aAAa,KAAK,WAAW,EAAE;AAAA,EAC/D;AAEA,MAAI,QAAQ,WAAW,WAAW,GAAG;AACnC,WAAO,OAAO,KAAK,SAAS,KAAK,SAAS,EAAE;AAAA,EAC9C;AAEA,MAAI,QAAQ,WAAW,UAAU,GAAG;AAClC,WAAO,OAAO,KAAK,eAAe,KAAK,YAAY,KAAK,UAAU,EAAE;AAAA,EACtE;AAGA,MAAI,KAAK,QAAS,QAAO,OAAO,KAAK,OAAO;AAC5C,MAAI,KAAK,KAAM,QAAO,OAAO,KAAK,IAAI;AACtC,MAAI,KAAK,IAAK,QAAO,OAAO,KAAK,GAAG;AAGpC,aAAW,OAAO,OAAO,OAAO,IAAI,GAAG;AACrC,QAAI,OAAO,QAAQ,YAAY,IAAI,SAAS,EAAG,QAAO;AAAA,EACxD;AACA,SAAO;AACT;AAUO,SAAS,sBAAsB,QAAsC;AAC1E,MAAI;AACF,QAAI,OAAO,WAAW,SAAS,KAAK,OAAO,WAAW,UAAU,GAAG;AACjE,YAAM,MAAM,IAAI,IAAI,MAAM;AAC1B,aAAO,CAAC,IAAI,QAAQ;AAAA,IACtB;AAAA,EACF,QAAQ;AAAA,EAER;AACA,SAAO;AACT;;;ACtDO,IAAM,gBAAN,MAA+C;AAAA,EAUpD,YAAY,SAAyC;AATrD,SAAS,mBAAmB;AAI5B,SAAQ,cAA4B,CAAC;AACrC,SAAQ,gBAA0C;AAElD,SAAQ,aAAa;AAGnB,SAAK,qBAAqB,SAAS,uBAAuB,YAAY;AACtE,QAAI,SAAS,QAAQ;AACnB,WAAK,SAAS,QAAQ;AAAA,IACxB;AAAA,EACF;AAAA,EAEA,IAAI,YAAqB;AACvB,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,MAAM,WAAW,QAAsC;AACrD,SAAK,UAAU,OAAO;AAEtB,QAAI,OAAO,eAAe,QAAQ;AAChC,WAAK,SAAS,OAAO,eAAe;AAAA,IACtC;AAEA,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI,MAAM,4EAAuE;AAAA,IACzF;AAGA,SAAK,gBAAgB,KAAK,OAAO,OAAO,oBAAoB,uBAAuB;AAGnF,SAAK,YAAY;AAAA,MACf,KAAK,OAAO,UAAU,iBAAiB,CAAC,MAAM;AAC5C,mBAAW,QAAQ,EAAE,OAAO;AAC1B,eAAK,mBAAmB,cAAc,KAAK,MAAM;AAAA,QACnD;AAAA,MACF,CAAC;AAAA,IACH;AAEA,SAAK,YAAY;AAAA,MACf,KAAK,OAAO,UAAU,iBAAiB,CAAC,MAAM;AAC5C,mBAAW,QAAQ,EAAE,OAAO;AAC1B,eAAK,mBAAmB,eAAe,KAAK,MAAM;AAAA,QACpD;AAAA,MACF,CAAC;AAAA,IACH;AAEA,SAAK,YAAY;AAAA,MACf,KAAK,OAAO,UAAU,sBAAsB,CAAC,QAAQ;AACnD,aAAK,mBAAmB,cAAc,IAAI,QAAQ;AAAA,MACpD,CAAC;AAAA,IACH;AAGA,SAAK,YAAY;AAAA,MACf,KAAK,OAAO,SAAS,gBAAgB,oBAAoB,MAAM;AAC7D,aAAK,eAAe,KAAK;AACzB,aAAK,OAAO,OAAO,uBAAuB,iCAAiC;AAAA,MAC7E,CAAC;AAAA,IACH;AAEA,SAAK,aAAa;AAClB,SAAK,IAAI,qDAAgD;AAAA,EAC3D;AAAA,EAEA,MAAM,WAA0B;AAC9B,eAAW,KAAK,KAAK,aAAa;AAChC,QAAE,QAAQ;AAAA,IACZ;AACA,SAAK,cAAc,CAAC;AACpB,SAAK,eAAe,QAAQ;AAC5B,SAAK,gBAAgB;AACrB,SAAK,aAAa;AAAA,EACpB;AAAA,EAEA,MAAM,gBAAgB,QAA+C;AACnE,UAAM,MAAM,OAAO;AAEnB,QAAI,CAAC,IAAI,MAAM;AACb,aAAO,EAAE,aAAa,OAAO,YAAY,iBAAiB;AAAA,IAC5D;AAEA,UAAM,UAAU,KAAK,eAAe,MAAM;AAC1C,WAAO,EAAE,aAAa,MAAM,QAAQ;AAAA,EACtC;AAAA,EAEA,eAAe,QAAmC;AAChD,UAAM,MAAM,OAAO;AAEnB,QAAI;AACJ,UAAM,OAAgC,CAAC;AAEvC,YAAQ,IAAI,MAAM;AAAA,MAChB,KAAK;AAAA,MACL,KAAK;AACH,mBAAW;AACX,aAAK,OAAO,IAAI,QAAQ;AACxB;AAAA,MACF,KAAK;AACH,mBAAW;AACX,aAAK,OAAO,IAAI,QAAQ;AACxB;AAAA,MACF,KAAK;AACH,mBAAW;AACX,aAAK,OAAO,IAAI,QAAQ;AACxB;AAAA,MACF,KAAK;AACH,mBAAW;AACX,aAAK,UAAU,IAAI,WAAW;AAC9B;AAAA,MACF,KAAK;AACH,mBAAW;AACX,aAAK,MAAM,IAAI,OAAO;AACtB;AAAA,MACF;AACE,mBAAW,IAAI;AAAA,IACnB;AAEA,UAAM,UAAU,iBAAiB,QAAQ;AACzC,UAAM,SAAS,cAAc,UAAU,IAAI;AAC3C,UAAM,gBAAgB,sBAAsB,MAAM;AAElD,WAAO;AAAA,MACL;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,MACA,GAAI,iBAAiB,EAAE,cAAc;AAAA,IACvC;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,UAA+C;AACnE,YAAQ,SAAS,gBAAgB;AAAA,MAC/B,KAAK;AACH,aAAK,IAAI,YAAY,SAAS,MAAM,EAAE;AACtC,aAAK,OAAO,OAAO;AAAA,UACjB,6BAA6B,SAAS,MAAM;AAAA,QAC9C;AACA;AAAA,MACF,KAAK;AACH,aAAK,IAAI,WAAW,SAAS,MAAM,EAAE;AACrC;AAAA,MACF,KAAK;AAEH;AAAA,IACJ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,mBAAmB,UAAkB,UAAiC;AAClF,UAAM,SAAsB;AAAA,MAC1B,KAAK;AAAA,QACH,MAAM,aAAa,gBAAgB,gBAAgB;AAAA,QACnD,MAAM;AAAA,MACR;AAAA,MACA,UAAU;AAAA,MACV,WAAW,oBAAI,KAAK;AAAA,IACtB;AAEA,UAAM,eAAe,MAAM,KAAK,gBAAgB,MAAM;AACtD,QAAI,CAAC,aAAa,eAAe,CAAC,aAAa,QAAS;AAExD,UAAM,WAAW,MAAM,KAAK,QAAQ,SAAS,aAAa,OAAO;AAEjE,QAAI,SAAS,mBAAmB,QAAQ;AACtC,YAAM,KAAK,gBAAgB,QAAQ;AAAA,IACrC,WAAW,SAAS,mBAAmB,iBAAiB;AACtD,YAAM,WAAW,MAAM,KAAK,eAAe,aAAa,SAAS,QAAQ;AACzE,UAAI,CAAC,UAAU;AACb,cAAM,KAAK,gBAAgB,EAAE,GAAG,UAAU,gBAAgB,OAAO,CAAC;AAAA,MACpE;AAAA,IACF;AAEA,SAAK,IAAI,GAAG,SAAS,cAAc,KAAK,aAAa,QAAQ,OAAO,OAAO,aAAa,QAAQ,MAAM,EAAE;AAAA,EAC1G;AAAA,EAEA,MAAc,eAAe,SAAuB,UAAkD;AACpG,QAAI,KAAK,oBAAoB;AAC3B,aAAO,KAAK,mBAAmB,SAAS,QAAQ;AAAA,IAClD;AAGA,UAAM,SAAS,MAAM,KAAK,OAAO,OAAO;AAAA,MACtC,cAAc,SAAS,MAAM;AAAA,MAC7B;AAAA,MACA;AAAA,IACF;AACA,WAAO,WAAW;AAAA,EACpB;AAAA,EAEQ,IAAI,SAAuB;AACjC,SAAK,eAAe,WAAW,KAAI,oBAAI,KAAK,GAAE,YAAY,CAAC,KAAK,OAAO,EAAE;AAAA,EAC3E;AACF;;;AC5GO,IAAM,qBAAqB;AAAA,EAChC;AAAA,EAAM;AAAA,EAAS;AAAA,EAAM;AAAA,EAAQ;AAAA,EAAS;AAAA,EACtC;AAAA,EAAQ;AAAA,EAAM;AAAA,EAAQ;AAAA,EAAQ;AAAA,EAAM;AAAA,EACpC;AAAA,EAAO;AAAA,EAAO;AAAA,EAAS;AAAA,EAAY;AAAA,EACnC;AAAA,EAAU;AACZ;AAGO,IAAM,kBAAkB;AAAA,EAC7B;AAAA,EAAQ;AAAA,EAAQ;AAAA,EAAU;AAAA,EAAQ;AAAA,EAClC;AAAA,EAAW;AAAA,EAAY;AAAA,EAAe;AAAA,EAAQ;AAAA,EAAQ;AAAA,EACtD;AAAA,EAAU;AAAA,EAAU;AACtB;;;AC3KO,IAAM,iBAAN,MAAqB;AAAA,EAI1B,YAAY,QAAqB;AAFjC,SAAQ,gBAAqE,oBAAI,IAAI;AAGnF,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,QAA2B;AACtC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA,EAKA,SAAS,SAA6C;AAEpD,UAAM,cAAc,KAAK,OAAO,SAAS,KAAK,CAAC,MAAM,EAAE,OAAO,QAAQ,OAAO;AAC7E,QAAI,CAAC,aAAa;AAChB,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,wBAAwB;AAAA,IACnE;AACA,QAAI,CAAC,YAAY,SAAS;AACxB,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,6BAA6B;AAAA,IACxE;AAGA,QAAI,YAAY,WAAW,CAAC,KAAK,kBAAkB,QAAQ,QAAQ,YAAY,OAAO,GAAG;AACvF,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,6BAA6B;AAAA,IACxE;AAGA,QAAI,YAAY,mBAAmB,KAAK,kBAAkB,QAAQ,QAAQ,YAAY,eAAe,GAAG;AACtG,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,iCAAiC;AAAA,IAC5E;AAGA,UAAM,aAAa,KAAK,gBAAgB,OAAO;AAC/C,QAAI,YAAY;AACd,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,WAAW;AAAA,IACtD;AAGA,UAAM,iBAAiB,KAAK,YAAY,OAAO;AAC/C,QAAI,gBAAgB;AAClB,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,eAAe;AAAA,IAC1D;AAGA,QAAI,QAAQ,YAAY,qBAAqB,KAAK,OAAO,mBAAmB;AAC1E,UAAI,CAAC,KAAK,OAAO,kBAAkB,SAAS;AAC1C,eAAO,EAAE,gBAAgB,QAAQ,QAAQ,oCAAoC;AAAA,MAC/E;AACA,YAAM,QAAS,QAAQ,UAAU,iBAA4B;AAC7D,UAAI,KAAK,OAAO,kBAAkB,aAAa,UAAa,SAAS,KAAK,OAAO,kBAAkB,UAAU;AAC3G,eAAO,EAAE,gBAAgB,QAAQ,QAAQ,mBAAmB,KAAK,sBAAsB,KAAK,OAAO,kBAAkB,QAAQ,GAAG;AAAA,MAClI;AAAA,IACF;AAGA,QAAI,YAAY,kBAAkB;AAChC,aAAO,EAAE,gBAAgB,iBAAiB,QAAQ,4BAA4B;AAAA,IAChF;AAEA,UAAM,eAAe,KAAK,oBAAoB,OAAO;AACrD,QAAI,cAAc;AAChB,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,MACL,gBAAgB;AAAA,MAChB,QAAQ;AAAA,MACR,qBAAqB;AAAA,QACnB,SAAS;AAAA,QACT,OAAO,CAAC,CAAC,KAAK,OAAO;AAAA,QACrB,QAAQ,CAAC,CAAC,KAAK,OAAO;AAAA,QACtB,gBAAgB,CAAC,CAAC,KAAK,OAAO;AAAA,MAChC;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,gBAAgB,SAAsC;AAC5D,UAAM,QAAQ,KAAK,OAAO;AAC1B,QAAI,CAAC,MAAO,QAAO;AAGnB,QAAI,MAAM,gBAAgB;AACxB,YAAM,eAAe,KAAK,cAAc,QAAQ,MAAM;AACtD,UAAI,KAAK,kBAAkB,cAAc,MAAM,cAAc,GAAG;AAC9D,eAAO,4BAA4B,QAAQ,MAAM;AAAA,MACnD;AACA,UAAI,QAAQ,eAAe;AACzB,mBAAW,UAAU,QAAQ,eAAe;AAC1C,cAAI,KAAK,kBAAkB,KAAK,cAAc,MAAM,GAAG,MAAM,cAAc,GAAG;AAC5E,mBAAO,4BAA4B,MAAM;AAAA,UAC3C;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,MAAM,oBAAoB,KAAK,kBAAkB,QAAQ,QAAQ,MAAM,gBAAgB,GAAG;AAC5F,aAAO,8BAA8B,QAAQ,MAAM;AAAA,IACrD;AAGA,QAAI,MAAM,kBAAkB,QAAQ,eAAe;AACjD,iBAAW,UAAU,QAAQ,eAAe;AAC1C,YAAI,CAAC,KAAK,kBAAkB,KAAK,cAAc,MAAM,GAAG,MAAM,cAAc,GAAG;AAC7E,iBAAO,+BAA+B,MAAM;AAAA,QAC9C;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,YAAY,SAAsC;AACxD,UAAM,SAAS,KAAK,OAAO;AAC3B,QAAI,CAAC,OAAQ,QAAO;AAGpB,QAAI,OAAO,yBAAyB,UAAa,QAAQ,qBAAqB,QAAW;AACvF,UAAI,QAAQ,mBAAmB,OAAO,sBAAsB;AAC1D,eAAO,qBAAqB,QAAQ,gBAAgB,kBAAkB,OAAO,oBAAoB;AAAA,MACnG;AAAA,IACF;AAGA,QAAI,OAAO,uBAAuB,QAAW;AAC3C,YAAM,MAAM,QAAQ;AACpB,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,QAAQ,KAAK,cAAc,IAAI,GAAG;AACxC,YAAM,SAAS;AAEf,UAAI,CAAC,SAAS,MAAM,MAAM,cAAc,QAAQ;AAC9C,aAAK,cAAc,IAAI,KAAK,EAAE,OAAO,GAAG,aAAa,IAAI,CAAC;AAAA,MAC5D,OAAO;AACL,cAAM;AACN,YAAI,MAAM,QAAQ,OAAO,oBAAoB;AAC3C,iBAAO,wBAAwB,MAAM,KAAK,IAAI,OAAO,kBAAkB;AAAA,QACzE;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,oBAAoB,SAAoD;AAC9E,QAAI,CAAC,KAAK,OAAO,eAAgB,QAAO;AAExC,UAAM,YAAY,KAAK,mBAAmB,OAAO;AACjD,UAAM,aAAa,KAAK,OAAO;AAE/B,QAAI,aAAa,WAAW,UAAU,KAAK;AACzC,aAAO,EAAE,gBAAgB,QAAQ,QAAQ,cAAc,SAAS,2BAA2B;AAAA,IAC7F;AAEA,QAAI,aAAa,WAAW,gBAAgB,KAAK;AAC/C,aAAO,EAAE,gBAAgB,iBAAiB,QAAQ,cAAc,SAAS,qBAAqB;AAAA,IAChG;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,mBAAmB,SAA+B;AACxD,QAAI,QAAQ;AAGZ,QAAI,QAAQ,aAAa,QAAQ;AAC/B,YAAM,iBAAyC;AAAA,QAC7C,KAAK;AAAA,QACL,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,UAAU;AAAA,MACZ;AAEA,iBAAW,UAAU,QAAQ,aAAa;AACxC,cAAM,cAAc,eAAe,OAAO,QAAQ,KAAK;AACvD,YAAI,cAAc,MAAO,SAAQ;AAAA,MACnC;AACA,aAAO;AAAA,IACT;AAGA,QAAI,QAAQ,YAAY,gBAAgB,QAAQ,QAAQ;AACtD,YAAM,cAAc,QAAQ,OAAO,YAAY;AAC/C,iBAAW,OAAO,oBAAoB;AACpC,YAAI,YAAY,WAAW,GAAG,KAAK,YAAY,SAAS,IAAI,GAAG,GAAG,KAAK,YAAY,SAAS,IAAI,GAAG,EAAE,GAAG;AACtG,kBAAQ,KAAK,IAAI,OAAO,EAAE;AAC1B;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,SAAK,QAAQ,YAAY,eAAe,QAAQ,YAAY,gBAAgB,QAAQ,YAAY,kBAAkB,QAAQ,QAAQ;AAChI,YAAM,cAAc,QAAQ,OAAO,YAAY;AAC/C,iBAAW,iBAAiB,iBAAiB;AAC3C,YAAI,YAAY,SAAS,cAAc,YAAY,CAAC,GAAG;AACrD,kBAAQ,KAAK,IAAI,OAAO,EAAE;AAC1B;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,cAAc,OAAuB;AAC3C,QAAI,SAAS;AAEb,UAAM,aAAa,OAAO,QAAQ,KAAK;AACvC,QAAI,eAAe,GAAI,UAAS,OAAO,MAAM,aAAa,CAAC;AAE3D,UAAM,aAAa,OAAO,QAAQ,GAAG;AACrC,QAAI,eAAe,GAAI,UAAS,OAAO,MAAM,GAAG,UAAU;AAE1D,UAAM,aAAa,OAAO,QAAQ,GAAG;AACrC,QAAI,eAAe,GAAI,UAAS,OAAO,MAAM,GAAG,UAAU;AAC1D,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAkB,OAAe,UAA6B;AACpE,WAAO,SAAS,KAAK,CAAC,YAAY,KAAK,UAAU,OAAO,OAAO,CAAC;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,UAAU,OAAe,SAA0B;AAEzD,QAAI,YAAY,MAAO,QAAO;AAG9B,UAAM,WAAW,QACd,QAAQ,qBAAqB,MAAM,EACnC,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,GAAG;AAErB,QAAI;AACF,aAAO,IAAI,OAAO,IAAI,QAAQ,KAAK,GAAG,EAAE,KAAK,KAAK;AAAA,IACpD,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACF;;;AChRA,SAAS,UAAU,SAAS;AAC1B,SAAQ,OAAO,YAAY,eAAiB,YAAY;AAC1D;AAGA,SAAS,SAAS,SAAS;AACzB,SAAQ,OAAO,YAAY,YAAc,YAAY;AACvD;AAGA,SAAS,QAAQ,UAAU;AACzB,MAAI,MAAM,QAAQ,QAAQ,EAAG,QAAO;AAAA,WAC3B,UAAU,QAAQ,EAAG,QAAO,CAAC;AAEtC,SAAO,CAAE,QAAS;AACpB;AAGA,SAAS,OAAO,QAAQ,QAAQ;AAC9B,MAAI,OAAO,QAAQ,KAAK;AAExB,MAAI,QAAQ;AACV,iBAAa,OAAO,KAAK,MAAM;AAE/B,SAAK,QAAQ,GAAG,SAAS,WAAW,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AACtE,YAAM,WAAW,KAAK;AACtB,aAAO,GAAG,IAAI,OAAO,GAAG;AAAA,IAC1B;AAAA,EACF;AAEA,SAAO;AACT;AAGA,SAAS,OAAO,QAAQ,OAAO;AAC7B,MAAI,SAAS,IAAI;AAEjB,OAAK,QAAQ,GAAG,QAAQ,OAAO,SAAS,GAAG;AACzC,cAAU;AAAA,EACZ;AAEA,SAAO;AACT;AAGA,SAAS,eAAe,QAAQ;AAC9B,SAAQ,WAAW,KAAO,OAAO,sBAAsB,IAAI;AAC7D;AAGA,IAAI,cAAmB;AACvB,IAAI,aAAmB;AACvB,IAAI,YAAmB;AACvB,IAAI,WAAmB;AACvB,IAAI,mBAAmB;AACvB,IAAI,WAAmB;AAEvB,IAAI,SAAS;AAAA,EACZ,WAAW;AAAA,EACX,UAAU;AAAA,EACV,SAAS;AAAA,EACT,QAAQ;AAAA,EACR,gBAAgB;AAAA,EAChB,QAAQ;AACT;AAKA,SAAS,YAAYA,YAAW,SAAS;AACvC,MAAI,QAAQ,IAAI,UAAUA,WAAU,UAAU;AAE9C,MAAI,CAACA,WAAU,KAAM,QAAO;AAE5B,MAAIA,WAAU,KAAK,MAAM;AACvB,aAAS,SAASA,WAAU,KAAK,OAAO;AAAA,EAC1C;AAEA,WAAS,OAAOA,WAAU,KAAK,OAAO,KAAK,OAAOA,WAAU,KAAK,SAAS,KAAK;AAE/E,MAAI,CAAC,WAAWA,WAAU,KAAK,SAAS;AACtC,aAAS,SAASA,WAAU,KAAK;AAAA,EACnC;AAEA,SAAO,UAAU,MAAM;AACzB;AAGA,SAAS,gBAAgB,QAAQ,MAAM;AAErC,QAAM,KAAK,IAAI;AAEf,OAAK,OAAO;AACZ,OAAK,SAAS;AACd,OAAK,OAAO;AACZ,OAAK,UAAU,YAAY,MAAM,KAAK;AAGtC,MAAI,MAAM,mBAAmB;AAE3B,UAAM,kBAAkB,MAAM,KAAK,WAAW;AAAA,EAChD,OAAO;AAEL,SAAK,QAAS,IAAI,MAAM,EAAG,SAAS;AAAA,EACtC;AACF;AAIA,gBAAgB,YAAY,OAAO,OAAO,MAAM,SAAS;AACzD,gBAAgB,UAAU,cAAc;AAGxC,gBAAgB,UAAU,WAAW,SAAS,SAAS,SAAS;AAC9D,SAAO,KAAK,OAAO,OAAO,YAAY,MAAM,OAAO;AACrD;AAGA,IAAI,YAAY;AAGhB,SAAS,QAAQ,QAAQ,WAAW,SAAS,UAAU,eAAe;AACpE,MAAI,OAAO;AACX,MAAI,OAAO;AACX,MAAI,gBAAgB,KAAK,MAAM,gBAAgB,CAAC,IAAI;AAEpD,MAAI,WAAW,YAAY,eAAe;AACxC,WAAO;AACP,gBAAY,WAAW,gBAAgB,KAAK;AAAA,EAC9C;AAEA,MAAI,UAAU,WAAW,eAAe;AACtC,WAAO;AACP,cAAU,WAAW,gBAAgB,KAAK;AAAA,EAC5C;AAEA,SAAO;AAAA,IACL,KAAK,OAAO,OAAO,MAAM,WAAW,OAAO,EAAE,QAAQ,OAAO,QAAG,IAAI;AAAA,IACnE,KAAK,WAAW,YAAY,KAAK;AAAA;AAAA,EACnC;AACF;AAGA,SAAS,SAAS,QAAQ,KAAK;AAC7B,SAAO,OAAO,OAAO,KAAK,MAAM,OAAO,MAAM,IAAI;AACnD;AAGA,SAAS,YAAY,MAAM,SAAS;AAClC,YAAU,OAAO,OAAO,WAAW,IAAI;AAEvC,MAAI,CAAC,KAAK,OAAQ,QAAO;AAEzB,MAAI,CAAC,QAAQ,UAAW,SAAQ,YAAY;AAC5C,MAAI,OAAO,QAAQ,WAAgB,SAAU,SAAQ,SAAc;AACnE,MAAI,OAAO,QAAQ,gBAAgB,SAAU,SAAQ,cAAc;AACnE,MAAI,OAAO,QAAQ,eAAgB,SAAU,SAAQ,aAAc;AAEnE,MAAI,KAAK;AACT,MAAI,aAAa,CAAE,CAAE;AACrB,MAAI,WAAW,CAAC;AAChB,MAAI;AACJ,MAAI,cAAc;AAElB,SAAQ,QAAQ,GAAG,KAAK,KAAK,MAAM,GAAI;AACrC,aAAS,KAAK,MAAM,KAAK;AACzB,eAAW,KAAK,MAAM,QAAQ,MAAM,CAAC,EAAE,MAAM;AAE7C,QAAI,KAAK,YAAY,MAAM,SAAS,cAAc,GAAG;AACnD,oBAAc,WAAW,SAAS;AAAA,IACpC;AAAA,EACF;AAEA,MAAI,cAAc,EAAG,eAAc,WAAW,SAAS;AAEvD,MAAI,SAAS,IAAI,GAAG;AACpB,MAAI,eAAe,KAAK,IAAI,KAAK,OAAO,QAAQ,YAAY,SAAS,MAAM,EAAE,SAAS,EAAE;AACxF,MAAI,gBAAgB,QAAQ,aAAa,QAAQ,SAAS,eAAe;AAEzE,OAAK,IAAI,GAAG,KAAK,QAAQ,aAAa,KAAK;AACzC,QAAI,cAAc,IAAI,EAAG;AACzB,WAAO;AAAA,MACL,KAAK;AAAA,MACL,WAAW,cAAc,CAAC;AAAA,MAC1B,SAAS,cAAc,CAAC;AAAA,MACxB,KAAK,YAAY,WAAW,WAAW,IAAI,WAAW,cAAc,CAAC;AAAA,MACrE;AAAA,IACF;AACA,aAAS,OAAO,OAAO,KAAK,QAAQ,MAAM,IAAI,UAAU,KAAK,OAAO,IAAI,GAAG,SAAS,GAAG,YAAY,IACjG,QAAQ,KAAK,MAAM,OAAO;AAAA,EAC9B;AAEA,SAAO,QAAQ,KAAK,QAAQ,WAAW,WAAW,GAAG,SAAS,WAAW,GAAG,KAAK,UAAU,aAAa;AACxG,YAAU,OAAO,OAAO,KAAK,QAAQ,MAAM,IAAI,UAAU,KAAK,OAAO,GAAG,SAAS,GAAG,YAAY,IAC9F,QAAQ,KAAK,MAAM;AACrB,YAAU,OAAO,OAAO,KAAK,QAAQ,SAAS,eAAe,IAAI,KAAK,GAAG,IAAI;AAE7E,OAAK,IAAI,GAAG,KAAK,QAAQ,YAAY,KAAK;AACxC,QAAI,cAAc,KAAK,SAAS,OAAQ;AACxC,WAAO;AAAA,MACL,KAAK;AAAA,MACL,WAAW,cAAc,CAAC;AAAA,MAC1B,SAAS,cAAc,CAAC;AAAA,MACxB,KAAK,YAAY,WAAW,WAAW,IAAI,WAAW,cAAc,CAAC;AAAA,MACrE;AAAA,IACF;AACA,cAAU,OAAO,OAAO,KAAK,QAAQ,MAAM,IAAI,UAAU,KAAK,OAAO,IAAI,GAAG,SAAS,GAAG,YAAY,IAClG,QAAQ,KAAK,MAAM;AAAA,EACvB;AAEA,SAAO,OAAO,QAAQ,OAAO,EAAE;AACjC;AAGA,IAAI,UAAU;AAEd,IAAI,2BAA2B;AAAA,EAC7B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,IAAI,kBAAkB;AAAA,EACpB;AAAA,EACA;AAAA,EACA;AACF;AAEA,SAAS,oBAAoBC,MAAK;AAChC,MAAI,SAAS,CAAC;AAEd,MAAIA,SAAQ,MAAM;AAChB,WAAO,KAAKA,IAAG,EAAE,QAAQ,SAAU,OAAO;AACxC,MAAAA,KAAI,KAAK,EAAE,QAAQ,SAAU,OAAO;AAClC,eAAO,OAAO,KAAK,CAAC,IAAI;AAAA,MAC1B,CAAC;AAAA,IACH,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAU,WAAW,CAAC;AAEtB,SAAO,KAAK,OAAO,EAAE,QAAQ,SAAU,MAAM;AAC3C,QAAI,yBAAyB,QAAQ,IAAI,MAAM,IAAI;AACjD,YAAM,IAAI,UAAU,qBAAqB,OAAO,gCAAgC,MAAM,cAAc;AAAA,IACtG;AAAA,EACF,CAAC;AAGD,OAAK,UAAgB;AACrB,OAAK,MAAgB;AACrB,OAAK,OAAgB,QAAQ,MAAM,KAAc;AACjD,OAAK,UAAgB,QAAQ,SAAS,KAAW,WAAY;AAAE,WAAO;AAAA,EAAM;AAC5E,OAAK,YAAgB,QAAQ,WAAW,KAAS,SAAU,MAAM;AAAE,WAAO;AAAA,EAAM;AAChF,OAAK,aAAgB,QAAQ,YAAY,KAAQ;AACjD,OAAK,YAAgB,QAAQ,WAAW,KAAS;AACjD,OAAK,YAAgB,QAAQ,WAAW,KAAS;AACjD,OAAK,gBAAgB,QAAQ,eAAe,KAAK;AACjD,OAAK,eAAgB,QAAQ,cAAc,KAAM;AACjD,OAAK,QAAgB,QAAQ,OAAO,KAAa;AACjD,OAAK,eAAgB,oBAAoB,QAAQ,cAAc,KAAK,IAAI;AAExE,MAAI,gBAAgB,QAAQ,KAAK,IAAI,MAAM,IAAI;AAC7C,UAAM,IAAI,UAAU,mBAAmB,KAAK,OAAO,yBAAyB,MAAM,cAAc;AAAA,EAClG;AACF;AAEA,IAAI,OAAO;AAQX,SAAS,YAAYC,SAAQ,MAAM;AACjC,MAAI,SAAS,CAAC;AAEd,EAAAA,QAAO,IAAI,EAAE,QAAQ,SAAU,aAAa;AAC1C,QAAI,WAAW,OAAO;AAEtB,WAAO,QAAQ,SAAU,cAAc,eAAe;AACpD,UAAI,aAAa,QAAQ,YAAY,OACjC,aAAa,SAAS,YAAY,QAClC,aAAa,UAAU,YAAY,OAAO;AAE5C,mBAAW;AAAA,MACb;AAAA,IACF,CAAC;AAED,WAAO,QAAQ,IAAI;AAAA,EACrB,CAAC;AAED,SAAO;AACT;AAGA,SAAS,aAA2B;AAClC,MAAI,SAAS;AAAA,IACP,QAAQ,CAAC;AAAA,IACT,UAAU,CAAC;AAAA,IACX,SAAS,CAAC;AAAA,IACV,UAAU,CAAC;AAAA,IACX,OAAO;AAAA,MACL,QAAQ,CAAC;AAAA,MACT,UAAU,CAAC;AAAA,MACX,SAAS,CAAC;AAAA,MACV,UAAU,CAAC;AAAA,IACb;AAAA,EACF,GAAG,OAAO;AAEd,WAAS,YAAYC,OAAM;AACzB,QAAIA,MAAK,OAAO;AACd,aAAO,MAAMA,MAAK,IAAI,EAAE,KAAKA,KAAI;AACjC,aAAO,MAAM,UAAU,EAAE,KAAKA,KAAI;AAAA,IACpC,OAAO;AACL,aAAOA,MAAK,IAAI,EAAEA,MAAK,GAAG,IAAI,OAAO,UAAU,EAAEA,MAAK,GAAG,IAAIA;AAAA,IAC/D;AAAA,EACF;AAEA,OAAK,QAAQ,GAAG,SAAS,UAAU,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AACrE,cAAU,KAAK,EAAE,QAAQ,WAAW;AAAA,EACtC;AACA,SAAO;AACT;AAGA,SAAS,SAAS,YAAY;AAC5B,SAAO,KAAK,OAAO,UAAU;AAC/B;AAGA,SAAS,UAAU,SAAS,SAASC,QAAO,YAAY;AACtD,MAAI,WAAW,CAAC;AAChB,MAAI,WAAW,CAAC;AAEhB,MAAI,sBAAsB,MAAM;AAE9B,aAAS,KAAK,UAAU;AAAA,EAE1B,WAAW,MAAM,QAAQ,UAAU,GAAG;AAEpC,eAAW,SAAS,OAAO,UAAU;AAAA,EAEvC,WAAW,eAAe,MAAM,QAAQ,WAAW,QAAQ,KAAK,MAAM,QAAQ,WAAW,QAAQ,IAAI;AAEnG,QAAI,WAAW,SAAU,YAAW,SAAS,OAAO,WAAW,QAAQ;AACvE,QAAI,WAAW,SAAU,YAAW,SAAS,OAAO,WAAW,QAAQ;AAAA,EAEzE,OAAO;AACL,UAAM,IAAI,UAAU,kHAC6C;AAAA,EACnE;AAEA,WAAS,QAAQ,SAAU,QAAQ;AACjC,QAAI,EAAE,kBAAkB,OAAO;AAC7B,YAAM,IAAI,UAAU,oFAAoF;AAAA,IAC1G;AAEA,QAAI,OAAO,YAAY,OAAO,aAAa,UAAU;AACnD,YAAM,IAAI,UAAU,iHAAiH;AAAA,IACvI;AAEA,QAAI,OAAO,OAAO;AAChB,YAAM,IAAI,UAAU,oGAAoG;AAAA,IAC1H;AAAA,EACF,CAAC;AAED,WAAS,QAAQ,SAAU,QAAQ;AACjC,QAAI,EAAE,kBAAkB,OAAO;AAC7B,YAAM,IAAI,UAAU,oFAAoF;AAAA,IAC1G;AAAA,EACF,CAAC;AAED,MAAI,SAAS,OAAO,OAAO,SAAS,SAAS;AAE7C,SAAO,YAAY,KAAK,YAAY,CAAC,GAAG,OAAO,QAAQ;AACvD,SAAO,YAAY,KAAK,YAAY,CAAC,GAAG,OAAO,QAAQ;AAEvD,SAAO,mBAAmB,YAAY,QAAQ,UAAU;AACxD,SAAO,mBAAmB,YAAY,QAAQ,UAAU;AACxD,SAAO,kBAAmB,WAAW,OAAO,kBAAkB,OAAO,gBAAgB;AAErF,SAAO;AACT;AAGA,IAAI,SAAS;AAEb,IAAI,MAAM,IAAI,KAAK,yBAAyB;AAAA,EAC1C,MAAM;AAAA,EACN,WAAW,SAAU,MAAM;AAAE,WAAO,SAAS,OAAO,OAAO;AAAA,EAAI;AACjE,CAAC;AAED,IAAI,MAAM,IAAI,KAAK,yBAAyB;AAAA,EAC1C,MAAM;AAAA,EACN,WAAW,SAAU,MAAM;AAAE,WAAO,SAAS,OAAO,OAAO,CAAC;AAAA,EAAG;AACjE,CAAC;AAED,IAAI,MAAM,IAAI,KAAK,yBAAyB;AAAA,EAC1C,MAAM;AAAA,EACN,WAAW,SAAU,MAAM;AAAE,WAAO,SAAS,OAAO,OAAO,CAAC;AAAA,EAAG;AACjE,CAAC;AAED,IAAI,WAAW,IAAI,OAAO;AAAA,EACxB,UAAU;AAAA,IACR;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF,CAAC;AAED,SAAS,gBAAgB,MAAM;AAC7B,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,MAAM,KAAK;AAEf,SAAQ,QAAQ,KAAK,SAAS,OACtB,QAAQ,MAAM,SAAS,UAAU,SAAS,UAAU,SAAS;AACvE;AAEA,SAAS,oBAAoB;AAC3B,SAAO;AACT;AAEA,SAAS,OAAO,QAAQ;AACtB,SAAO,WAAW;AACpB;AAEA,IAAI,QAAQ,IAAI,KAAK,0BAA0B;AAAA,EAC7C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,WAAW;AAAA,EACX,WAAW;AAAA,IACT,WAAW,WAAY;AAAE,aAAO;AAAA,IAAQ;AAAA,IACxC,WAAW,WAAY;AAAE,aAAO;AAAA,IAAQ;AAAA,IACxC,WAAW,WAAY;AAAE,aAAO;AAAA,IAAQ;AAAA,IACxC,WAAW,WAAY;AAAE,aAAO;AAAA,IAAQ;AAAA,IACxC,OAAW,WAAY;AAAE,aAAO;AAAA,IAAQ;AAAA,EAC1C;AAAA,EACA,cAAc;AAChB,CAAC;AAED,SAAS,mBAAmB,MAAM;AAChC,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,MAAM,KAAK;AAEf,SAAQ,QAAQ,MAAM,SAAS,UAAU,SAAS,UAAU,SAAS,WAC7D,QAAQ,MAAM,SAAS,WAAW,SAAS,WAAW,SAAS;AACzE;AAEA,SAAS,qBAAqB,MAAM;AAClC,SAAO,SAAS,UACT,SAAS,UACT,SAAS;AAClB;AAEA,SAAS,UAAU,QAAQ;AACzB,SAAO,OAAO,UAAU,SAAS,KAAK,MAAM,MAAM;AACpD;AAEA,IAAI,OAAO,IAAI,KAAK,0BAA0B;AAAA,EAC5C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,WAAW;AAAA,EACX,WAAW;AAAA,IACT,WAAW,SAAU,QAAQ;AAAE,aAAO,SAAS,SAAS;AAAA,IAAS;AAAA,IACjE,WAAW,SAAU,QAAQ;AAAE,aAAO,SAAS,SAAS;AAAA,IAAS;AAAA,IACjE,WAAW,SAAU,QAAQ;AAAE,aAAO,SAAS,SAAS;AAAA,IAAS;AAAA,EACnE;AAAA,EACA,cAAc;AAChB,CAAC;AAED,SAAS,UAAU,GAAG;AACpB,SAAS,MAAe,KAAO,KAAK,MAC3B,MAAe,KAAO,KAAK,MAC3B,MAAe,KAAO,KAAK;AACtC;AAEA,SAAS,UAAU,GAAG;AACpB,SAAS,MAAe,KAAO,KAAK;AACtC;AAEA,SAAS,UAAU,GAAG;AACpB,SAAS,MAAe,KAAO,KAAK;AACtC;AAEA,SAAS,mBAAmB,MAAM;AAChC,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,MAAM,KAAK,QACX,QAAQ,GACR,YAAY,OACZ;AAEJ,MAAI,CAAC,IAAK,QAAO;AAEjB,OAAK,KAAK,KAAK;AAGf,MAAI,OAAO,OAAO,OAAO,KAAK;AAC5B,SAAK,KAAK,EAAE,KAAK;AAAA,EACnB;AAEA,MAAI,OAAO,KAAK;AAEd,QAAI,QAAQ,MAAM,IAAK,QAAO;AAC9B,SAAK,KAAK,EAAE,KAAK;AAIjB,QAAI,OAAO,KAAK;AAEd;AAEA,aAAO,QAAQ,KAAK,SAAS;AAC3B,aAAK,KAAK,KAAK;AACf,YAAI,OAAO,IAAK;AAChB,YAAI,OAAO,OAAO,OAAO,IAAK,QAAO;AACrC,oBAAY;AAAA,MACd;AACA,aAAO,aAAa,OAAO;AAAA,IAC7B;AAGA,QAAI,OAAO,KAAK;AAEd;AAEA,aAAO,QAAQ,KAAK,SAAS;AAC3B,aAAK,KAAK,KAAK;AACf,YAAI,OAAO,IAAK;AAChB,YAAI,CAAC,UAAU,KAAK,WAAW,KAAK,CAAC,EAAG,QAAO;AAC/C,oBAAY;AAAA,MACd;AACA,aAAO,aAAa,OAAO;AAAA,IAC7B;AAGA,QAAI,OAAO,KAAK;AAEd;AAEA,aAAO,QAAQ,KAAK,SAAS;AAC3B,aAAK,KAAK,KAAK;AACf,YAAI,OAAO,IAAK;AAChB,YAAI,CAAC,UAAU,KAAK,WAAW,KAAK,CAAC,EAAG,QAAO;AAC/C,oBAAY;AAAA,MACd;AACA,aAAO,aAAa,OAAO;AAAA,IAC7B;AAAA,EACF;AAKA,MAAI,OAAO,IAAK,QAAO;AAEvB,SAAO,QAAQ,KAAK,SAAS;AAC3B,SAAK,KAAK,KAAK;AACf,QAAI,OAAO,IAAK;AAChB,QAAI,CAAC,UAAU,KAAK,WAAW,KAAK,CAAC,GAAG;AACtC,aAAO;AAAA,IACT;AACA,gBAAY;AAAA,EACd;AAGA,MAAI,CAAC,aAAa,OAAO,IAAK,QAAO;AAErC,SAAO;AACT;AAEA,SAAS,qBAAqB,MAAM;AAClC,MAAI,QAAQ,MAAM,OAAO,GAAG;AAE5B,MAAI,MAAM,QAAQ,GAAG,MAAM,IAAI;AAC7B,YAAQ,MAAM,QAAQ,MAAM,EAAE;AAAA,EAChC;AAEA,OAAK,MAAM,CAAC;AAEZ,MAAI,OAAO,OAAO,OAAO,KAAK;AAC5B,QAAI,OAAO,IAAK,QAAO;AACvB,YAAQ,MAAM,MAAM,CAAC;AACrB,SAAK,MAAM,CAAC;AAAA,EACd;AAEA,MAAI,UAAU,IAAK,QAAO;AAE1B,MAAI,OAAO,KAAK;AACd,QAAI,MAAM,CAAC,MAAM,IAAK,QAAO,OAAO,SAAS,MAAM,MAAM,CAAC,GAAG,CAAC;AAC9D,QAAI,MAAM,CAAC,MAAM,IAAK,QAAO,OAAO,SAAS,MAAM,MAAM,CAAC,GAAG,EAAE;AAC/D,QAAI,MAAM,CAAC,MAAM,IAAK,QAAO,OAAO,SAAS,MAAM,MAAM,CAAC,GAAG,CAAC;AAAA,EAChE;AAEA,SAAO,OAAO,SAAS,OAAO,EAAE;AAClC;AAEA,SAAS,UAAU,QAAQ;AACzB,SAAQ,OAAO,UAAU,SAAS,KAAK,MAAM,MAAO,sBAC5C,SAAS,MAAM,KAAK,CAAC,OAAO,eAAe,MAAM;AAC3D;AAEA,IAAI,MAAM,IAAI,KAAK,yBAAyB;AAAA,EAC1C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,WAAW;AAAA,EACX,WAAW;AAAA,IACT,QAAa,SAAU,KAAK;AAAE,aAAO,OAAO,IAAI,OAAO,IAAI,SAAS,CAAC,IAAI,QAAQ,IAAI,SAAS,CAAC,EAAE,MAAM,CAAC;AAAA,IAAG;AAAA,IAC3G,OAAa,SAAU,KAAK;AAAE,aAAO,OAAO,IAAI,OAAQ,IAAI,SAAS,CAAC,IAAI,QAAS,IAAI,SAAS,CAAC,EAAE,MAAM,CAAC;AAAA,IAAG;AAAA,IAC7G,SAAa,SAAU,KAAK;AAAE,aAAO,IAAI,SAAS,EAAE;AAAA,IAAG;AAAA;AAAA,IAEvD,aAAa,SAAU,KAAK;AAAE,aAAO,OAAO,IAAI,OAAO,IAAI,SAAS,EAAE,EAAE,YAAY,IAAK,QAAQ,IAAI,SAAS,EAAE,EAAE,YAAY,EAAE,MAAM,CAAC;AAAA,IAAG;AAAA,EAC5I;AAAA,EACA,cAAc;AAAA,EACd,cAAc;AAAA,IACZ,QAAa,CAAE,GAAI,KAAM;AAAA,IACzB,OAAa,CAAE,GAAI,KAAM;AAAA,IACzB,SAAa,CAAE,IAAI,KAAM;AAAA,IACzB,aAAa,CAAE,IAAI,KAAM;AAAA,EAC3B;AACF,CAAC;AAED,IAAI,qBAAqB,IAAI;AAAA;AAAA,EAE3B;AAOuB;AAEzB,SAAS,iBAAiB,MAAM;AAC9B,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,CAAC,mBAAmB,KAAK,IAAI;AAAA;AAAA,EAG7B,KAAK,KAAK,SAAS,CAAC,MAAM,KAAK;AACjC,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEA,SAAS,mBAAmB,MAAM;AAChC,MAAI,OAAO;AAEX,UAAS,KAAK,QAAQ,MAAM,EAAE,EAAE,YAAY;AAC5C,SAAS,MAAM,CAAC,MAAM,MAAM,KAAK;AAEjC,MAAI,KAAK,QAAQ,MAAM,CAAC,CAAC,KAAK,GAAG;AAC/B,YAAQ,MAAM,MAAM,CAAC;AAAA,EACvB;AAEA,MAAI,UAAU,QAAQ;AACpB,WAAQ,SAAS,IAAK,OAAO,oBAAoB,OAAO;AAAA,EAE1D,WAAW,UAAU,QAAQ;AAC3B,WAAO;AAAA,EACT;AACA,SAAO,OAAO,WAAW,OAAO,EAAE;AACpC;AAGA,IAAI,yBAAyB;AAE7B,SAAS,mBAAmB,QAAQ,OAAO;AACzC,MAAI;AAEJ,MAAI,MAAM,MAAM,GAAG;AACjB,YAAQ,OAAO;AAAA,MACb,KAAK;AAAa,eAAO;AAAA,MACzB,KAAK;AAAa,eAAO;AAAA,MACzB,KAAK;AAAa,eAAO;AAAA,IAC3B;AAAA,EACF,WAAW,OAAO,sBAAsB,QAAQ;AAC9C,YAAQ,OAAO;AAAA,MACb,KAAK;AAAa,eAAO;AAAA,MACzB,KAAK;AAAa,eAAO;AAAA,MACzB,KAAK;AAAa,eAAO;AAAA,IAC3B;AAAA,EACF,WAAW,OAAO,sBAAsB,QAAQ;AAC9C,YAAQ,OAAO;AAAA,MACb,KAAK;AAAa,eAAO;AAAA,MACzB,KAAK;AAAa,eAAO;AAAA,MACzB,KAAK;AAAa,eAAO;AAAA,IAC3B;AAAA,EACF,WAAW,OAAO,eAAe,MAAM,GAAG;AACxC,WAAO;AAAA,EACT;AAEA,QAAM,OAAO,SAAS,EAAE;AAKxB,SAAO,uBAAuB,KAAK,GAAG,IAAI,IAAI,QAAQ,KAAK,IAAI,IAAI;AACrE;AAEA,SAAS,QAAQ,QAAQ;AACvB,SAAQ,OAAO,UAAU,SAAS,KAAK,MAAM,MAAM,sBAC3C,SAAS,MAAM,KAAK,OAAO,eAAe,MAAM;AAC1D;AAEA,IAAI,QAAQ,IAAI,KAAK,2BAA2B;AAAA,EAC9C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,WAAW;AAAA,EACX,WAAW;AAAA,EACX,cAAc;AAChB,CAAC;AAED,IAAI,OAAO,SAAS,OAAO;AAAA,EACzB,UAAU;AAAA,IACR;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF,CAAC;AAED,IAAI,OAAO;AAEX,IAAI,mBAAmB,IAAI;AAAA,EACzB;AAEgB;AAElB,IAAI,wBAAwB,IAAI;AAAA,EAC9B;AASwB;AAE1B,SAAS,qBAAqB,MAAM;AAClC,MAAI,SAAS,KAAM,QAAO;AAC1B,MAAI,iBAAiB,KAAK,IAAI,MAAM,KAAM,QAAO;AACjD,MAAI,sBAAsB,KAAK,IAAI,MAAM,KAAM,QAAO;AACtD,SAAO;AACT;AAEA,SAAS,uBAAuB,MAAM;AACpC,MAAI,OAAO,MAAM,OAAO,KAAK,MAAM,QAAQ,QAAQ,WAAW,GAC1D,QAAQ,MAAM,SAAS,WAAW;AAEtC,UAAQ,iBAAiB,KAAK,IAAI;AAClC,MAAI,UAAU,KAAM,SAAQ,sBAAsB,KAAK,IAAI;AAE3D,MAAI,UAAU,KAAM,OAAM,IAAI,MAAM,oBAAoB;AAIxD,SAAO,CAAE,MAAM,CAAC;AAChB,UAAQ,CAAE,MAAM,CAAC,IAAK;AACtB,QAAM,CAAE,MAAM,CAAC;AAEf,MAAI,CAAC,MAAM,CAAC,GAAG;AACb,WAAO,IAAI,KAAK,KAAK,IAAI,MAAM,OAAO,GAAG,CAAC;AAAA,EAC5C;AAIA,SAAO,CAAE,MAAM,CAAC;AAChB,WAAS,CAAE,MAAM,CAAC;AAClB,WAAS,CAAE,MAAM,CAAC;AAElB,MAAI,MAAM,CAAC,GAAG;AACZ,eAAW,MAAM,CAAC,EAAE,MAAM,GAAG,CAAC;AAC9B,WAAO,SAAS,SAAS,GAAG;AAC1B,kBAAY;AAAA,IACd;AACA,eAAW,CAAC;AAAA,EACd;AAIA,MAAI,MAAM,CAAC,GAAG;AACZ,cAAU,CAAE,MAAM,EAAE;AACpB,gBAAY,EAAE,MAAM,EAAE,KAAK;AAC3B,aAAS,UAAU,KAAK,aAAa;AACrC,QAAI,MAAM,CAAC,MAAM,IAAK,SAAQ,CAAC;AAAA,EACjC;AAEA,SAAO,IAAI,KAAK,KAAK,IAAI,MAAM,OAAO,KAAK,MAAM,QAAQ,QAAQ,QAAQ,CAAC;AAE1E,MAAI,MAAO,MAAK,QAAQ,KAAK,QAAQ,IAAI,KAAK;AAE9C,SAAO;AACT;AAEA,SAAS,uBAAuB,QAAoB;AAClD,SAAO,OAAO,YAAY;AAC5B;AAEA,IAAI,YAAY,IAAI,KAAK,+BAA+B;AAAA,EACtD,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,YAAY;AAAA,EACZ,WAAW;AACb,CAAC;AAED,SAAS,iBAAiB,MAAM;AAC9B,SAAO,SAAS,QAAQ,SAAS;AACnC;AAEA,IAAI,QAAQ,IAAI,KAAK,2BAA2B;AAAA,EAC9C,MAAM;AAAA,EACN,SAAS;AACX,CAAC;AASD,IAAI,aAAa;AAGjB,SAAS,kBAAkB,MAAM;AAC/B,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,MAAM,KAAK,SAAS,GAAG,MAAM,KAAK,QAAQH,OAAM;AAGpD,OAAK,MAAM,GAAG,MAAM,KAAK,OAAO;AAC9B,WAAOA,KAAI,QAAQ,KAAK,OAAO,GAAG,CAAC;AAGnC,QAAI,OAAO,GAAI;AAGf,QAAI,OAAO,EAAG,QAAO;AAErB,cAAU;AAAA,EACZ;AAGA,SAAQ,SAAS,MAAO;AAC1B;AAEA,SAAS,oBAAoB,MAAM;AACjC,MAAI,KAAK,UACL,QAAQ,KAAK,QAAQ,YAAY,EAAE,GACnC,MAAM,MAAM,QACZA,OAAM,YACN,OAAO,GACP,SAAS,CAAC;AAId,OAAK,MAAM,GAAG,MAAM,KAAK,OAAO;AAC9B,QAAK,MAAM,MAAM,KAAM,KAAK;AAC1B,aAAO,KAAM,QAAQ,KAAM,GAAI;AAC/B,aAAO,KAAM,QAAQ,IAAK,GAAI;AAC9B,aAAO,KAAK,OAAO,GAAI;AAAA,IACzB;AAEA,WAAQ,QAAQ,IAAKA,KAAI,QAAQ,MAAM,OAAO,GAAG,CAAC;AAAA,EACpD;AAIA,aAAY,MAAM,IAAK;AAEvB,MAAI,aAAa,GAAG;AAClB,WAAO,KAAM,QAAQ,KAAM,GAAI;AAC/B,WAAO,KAAM,QAAQ,IAAK,GAAI;AAC9B,WAAO,KAAK,OAAO,GAAI;AAAA,EACzB,WAAW,aAAa,IAAI;AAC1B,WAAO,KAAM,QAAQ,KAAM,GAAI;AAC/B,WAAO,KAAM,QAAQ,IAAK,GAAI;AAAA,EAChC,WAAW,aAAa,IAAI;AAC1B,WAAO,KAAM,QAAQ,IAAK,GAAI;AAAA,EAChC;AAEA,SAAO,IAAI,WAAW,MAAM;AAC9B;AAEA,SAAS,oBAAoB,QAAoB;AAC/C,MAAI,SAAS,IAAI,OAAO,GAAG,KAAK,MAC5B,MAAM,OAAO,QACbA,OAAM;AAIV,OAAK,MAAM,GAAG,MAAM,KAAK,OAAO;AAC9B,QAAK,MAAM,MAAM,KAAM,KAAK;AAC1B,gBAAUA,KAAK,QAAQ,KAAM,EAAI;AACjC,gBAAUA,KAAK,QAAQ,KAAM,EAAI;AACjC,gBAAUA,KAAK,QAAQ,IAAK,EAAI;AAChC,gBAAUA,KAAI,OAAO,EAAI;AAAA,IAC3B;AAEA,YAAQ,QAAQ,KAAK,OAAO,GAAG;AAAA,EACjC;AAIA,SAAO,MAAM;AAEb,MAAI,SAAS,GAAG;AACd,cAAUA,KAAK,QAAQ,KAAM,EAAI;AACjC,cAAUA,KAAK,QAAQ,KAAM,EAAI;AACjC,cAAUA,KAAK,QAAQ,IAAK,EAAI;AAChC,cAAUA,KAAI,OAAO,EAAI;AAAA,EAC3B,WAAW,SAAS,GAAG;AACrB,cAAUA,KAAK,QAAQ,KAAM,EAAI;AACjC,cAAUA,KAAK,QAAQ,IAAK,EAAI;AAChC,cAAUA,KAAK,QAAQ,IAAK,EAAI;AAChC,cAAUA,KAAI,EAAE;AAAA,EAClB,WAAW,SAAS,GAAG;AACrB,cAAUA,KAAK,QAAQ,IAAK,EAAI;AAChC,cAAUA,KAAK,QAAQ,IAAK,EAAI;AAChC,cAAUA,KAAI,EAAE;AAChB,cAAUA,KAAI,EAAE;AAAA,EAClB;AAEA,SAAO;AACT;AAEA,SAAS,SAAS,KAAK;AACrB,SAAO,OAAO,UAAU,SAAS,KAAK,GAAG,MAAO;AAClD;AAEA,IAAI,SAAS,IAAI,KAAK,4BAA4B;AAAA,EAChD,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,WAAW;AAAA,EACX,WAAW;AACb,CAAC;AAED,IAAI,oBAAoB,OAAO,UAAU;AACzC,IAAI,cAAoB,OAAO,UAAU;AAEzC,SAAS,gBAAgB,MAAM;AAC7B,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,aAAa,CAAC,GAAG,OAAO,QAAQ,MAAM,SAAS,YAC/C,SAAS;AAEb,OAAK,QAAQ,GAAG,SAAS,OAAO,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAClE,WAAO,OAAO,KAAK;AACnB,iBAAa;AAEb,QAAI,YAAY,KAAK,IAAI,MAAM,kBAAmB,QAAO;AAEzD,SAAK,WAAW,MAAM;AACpB,UAAI,kBAAkB,KAAK,MAAM,OAAO,GAAG;AACzC,YAAI,CAAC,WAAY,cAAa;AAAA,YACzB,QAAO;AAAA,MACd;AAAA,IACF;AAEA,QAAI,CAAC,WAAY,QAAO;AAExB,QAAI,WAAW,QAAQ,OAAO,MAAM,GAAI,YAAW,KAAK,OAAO;AAAA,QAC1D,QAAO;AAAA,EACd;AAEA,SAAO;AACT;AAEA,SAAS,kBAAkB,MAAM;AAC/B,SAAO,SAAS,OAAO,OAAO,CAAC;AACjC;AAEA,IAAI,OAAO,IAAI,KAAK,0BAA0B;AAAA,EAC5C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AACb,CAAC;AAED,IAAI,cAAc,OAAO,UAAU;AAEnC,SAAS,iBAAiB,MAAM;AAC9B,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,OAAO,QAAQ,MAAM,MAAM,QAC3B,SAAS;AAEb,WAAS,IAAI,MAAM,OAAO,MAAM;AAEhC,OAAK,QAAQ,GAAG,SAAS,OAAO,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAClE,WAAO,OAAO,KAAK;AAEnB,QAAI,YAAY,KAAK,IAAI,MAAM,kBAAmB,QAAO;AAEzD,WAAO,OAAO,KAAK,IAAI;AAEvB,QAAI,KAAK,WAAW,EAAG,QAAO;AAE9B,WAAO,KAAK,IAAI,CAAE,KAAK,CAAC,GAAG,KAAK,KAAK,CAAC,CAAC,CAAE;AAAA,EAC3C;AAEA,SAAO;AACT;AAEA,SAAS,mBAAmB,MAAM;AAChC,MAAI,SAAS,KAAM,QAAO,CAAC;AAE3B,MAAI,OAAO,QAAQ,MAAM,MAAM,QAC3B,SAAS;AAEb,WAAS,IAAI,MAAM,OAAO,MAAM;AAEhC,OAAK,QAAQ,GAAG,SAAS,OAAO,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAClE,WAAO,OAAO,KAAK;AAEnB,WAAO,OAAO,KAAK,IAAI;AAEvB,WAAO,KAAK,IAAI,CAAE,KAAK,CAAC,GAAG,KAAK,KAAK,CAAC,CAAC,CAAE;AAAA,EAC3C;AAEA,SAAO;AACT;AAEA,IAAI,QAAQ,IAAI,KAAK,2BAA2B;AAAA,EAC9C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AACb,CAAC;AAED,IAAI,oBAAoB,OAAO,UAAU;AAEzC,SAAS,eAAe,MAAM;AAC5B,MAAI,SAAS,KAAM,QAAO;AAE1B,MAAI,KAAK,SAAS;AAElB,OAAK,OAAO,QAAQ;AAClB,QAAI,kBAAkB,KAAK,QAAQ,GAAG,GAAG;AACvC,UAAI,OAAO,GAAG,MAAM,KAAM,QAAO;AAAA,IACnC;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,iBAAiB,MAAM;AAC9B,SAAO,SAAS,OAAO,OAAO,CAAC;AACjC;AAEA,IAAI,MAAM,IAAI,KAAK,yBAAyB;AAAA,EAC1C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AACb,CAAC;AAED,IAAI,WAAW,KAAK,OAAO;AAAA,EACzB,UAAU;AAAA,IACR;AAAA,IACA;AAAA,EACF;AAAA,EACA,UAAU;AAAA,IACR;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF,CAAC;AAUD,IAAI,oBAAoB,OAAO,UAAU;AAGzC,IAAI,kBAAoB;AACxB,IAAI,mBAAoB;AACxB,IAAI,mBAAoB;AACxB,IAAI,oBAAoB;AAGxB,IAAI,gBAAiB;AACrB,IAAI,iBAAiB;AACrB,IAAI,gBAAiB;AAGrB,IAAI,wBAAgC;AACpC,IAAI,gCAAgC;AACpC,IAAI,0BAAgC;AACpC,IAAI,qBAAgC;AACpC,IAAI,kBAAgC;AAGpC,SAAS,OAAO,KAAK;AAAE,SAAO,OAAO,UAAU,SAAS,KAAK,GAAG;AAAG;AAEnE,SAAS,OAAO,GAAG;AACjB,SAAQ,MAAM,MAAkB,MAAM;AACxC;AAEA,SAAS,eAAe,GAAG;AACzB,SAAQ,MAAM,KAAmB,MAAM;AACzC;AAEA,SAAS,aAAa,GAAG;AACvB,SAAQ,MAAM,KACN,MAAM,MACN,MAAM,MACN,MAAM;AAChB;AAEA,SAAS,kBAAkB,GAAG;AAC5B,SAAO,MAAM,MACN,MAAM,MACN,MAAM,MACN,MAAM,OACN,MAAM;AACf;AAEA,SAAS,YAAY,GAAG;AACtB,MAAI;AAEJ,MAAK,MAAe,KAAO,KAAK,IAAc;AAC5C,WAAO,IAAI;AAAA,EACb;AAGA,OAAK,IAAI;AAET,MAAK,MAAe,MAAQ,MAAM,KAAc;AAC9C,WAAO,KAAK,KAAO;AAAA,EACrB;AAEA,SAAO;AACT;AAEA,SAAS,cAAc,GAAG;AACxB,MAAI,MAAM,KAAa;AAAE,WAAO;AAAA,EAAG;AACnC,MAAI,MAAM,KAAa;AAAE,WAAO;AAAA,EAAG;AACnC,MAAI,MAAM,IAAa;AAAE,WAAO;AAAA,EAAG;AACnC,SAAO;AACT;AAEA,SAAS,gBAAgB,GAAG;AAC1B,MAAK,MAAe,KAAO,KAAK,IAAc;AAC5C,WAAO,IAAI;AAAA,EACb;AAEA,SAAO;AACT;AAEA,SAAS,qBAAqB,GAAG;AAE/B,SAAQ,MAAM,KAAe,OACtB,MAAM,KAAe,SACrB,MAAM,KAAe,OACrB,MAAM,MAAe,MACrB,MAAM,IAAiB,MACvB,MAAM,MAAe,OACrB,MAAM,MAAe,OACrB,MAAM,MAAe,OACrB,MAAM,MAAe,OACrB,MAAM,MAAe,SACrB,MAAM,KAAmB,MACzB,MAAM,KAAe,MACrB,MAAM,KAAe,MACrB,MAAM,KAAe,OACrB,MAAM,KAAe,SACrB,MAAM,KAAe,SACrB,MAAM,KAAe,WACrB,MAAM,KAAe,WAAW;AACzC;AAEA,SAAS,kBAAkB,GAAG;AAC5B,MAAI,KAAK,OAAQ;AACf,WAAO,OAAO,aAAa,CAAC;AAAA,EAC9B;AAGA,SAAO,OAAO;AAAA,KACV,IAAI,SAAa,MAAM;AAAA,KACvB,IAAI,QAAY,QAAU;AAAA,EAC9B;AACF;AAIA,SAAS,YAAY,QAAQ,KAAK,OAAO;AAEvC,MAAI,QAAQ,aAAa;AACvB,WAAO,eAAe,QAAQ,KAAK;AAAA,MACjC,cAAc;AAAA,MACd,YAAY;AAAA,MACZ,UAAU;AAAA,MACV;AAAA,IACF,CAAC;AAAA,EACH,OAAO;AACL,WAAO,GAAG,IAAI;AAAA,EAChB;AACF;AAEA,IAAI,oBAAoB,IAAI,MAAM,GAAG;AACrC,IAAI,kBAAkB,IAAI,MAAM,GAAG;AACnC,KAAS,IAAI,GAAG,IAAI,KAAK,KAAK;AAC5B,oBAAkB,CAAC,IAAI,qBAAqB,CAAC,IAAI,IAAI;AACrD,kBAAgB,CAAC,IAAI,qBAAqB,CAAC;AAC7C;AAHS;AAMT,SAAS,QAAQ,OAAO,SAAS;AAC/B,OAAK,QAAQ;AAEb,OAAK,WAAY,QAAQ,UAAU,KAAM;AACzC,OAAK,SAAY,QAAQ,QAAQ,KAAQ;AACzC,OAAK,YAAY,QAAQ,WAAW,KAAK;AAGzC,OAAK,SAAY,QAAQ,QAAQ,KAAQ;AAEzC,OAAK,OAAY,QAAQ,MAAM,KAAU;AACzC,OAAK,WAAY,QAAQ,UAAU,KAAM;AAEzC,OAAK,gBAAgB,KAAK,OAAO;AACjC,OAAK,UAAgB,KAAK,OAAO;AAEjC,OAAK,SAAa,MAAM;AACxB,OAAK,WAAa;AAClB,OAAK,OAAa;AAClB,OAAK,YAAa;AAClB,OAAK,aAAa;AAIlB,OAAK,iBAAiB;AAEtB,OAAK,YAAY,CAAC;AAYpB;AAGA,SAAS,cAAc,OAAO,SAAS;AACrC,MAAI,OAAO;AAAA,IACT,MAAU,MAAM;AAAA,IAChB,QAAU,MAAM,MAAM,MAAM,GAAG,EAAE;AAAA;AAAA,IACjC,UAAU,MAAM;AAAA,IAChB,MAAU,MAAM;AAAA,IAChB,QAAU,MAAM,WAAW,MAAM;AAAA,EACnC;AAEA,OAAK,UAAU,QAAQ,IAAI;AAE3B,SAAO,IAAI,UAAU,SAAS,IAAI;AACpC;AAEA,SAAS,WAAW,OAAO,SAAS;AAClC,QAAM,cAAc,OAAO,OAAO;AACpC;AAEA,SAAS,aAAa,OAAO,SAAS;AACpC,MAAI,MAAM,WAAW;AACnB,UAAM,UAAU,KAAK,MAAM,cAAc,OAAO,OAAO,CAAC;AAAA,EAC1D;AACF;AAGA,IAAI,oBAAoB;AAAA,EAEtB,MAAM,SAAS,oBAAoB,OAAO,MAAM,MAAM;AAEpD,QAAI,OAAO,OAAO;AAElB,QAAI,MAAM,YAAY,MAAM;AAC1B,iBAAW,OAAO,gCAAgC;AAAA,IACpD;AAEA,QAAI,KAAK,WAAW,GAAG;AACrB,iBAAW,OAAO,6CAA6C;AAAA,IACjE;AAEA,YAAQ,uBAAuB,KAAK,KAAK,CAAC,CAAC;AAE3C,QAAI,UAAU,MAAM;AAClB,iBAAW,OAAO,2CAA2C;AAAA,IAC/D;AAEA,YAAQ,SAAS,MAAM,CAAC,GAAG,EAAE;AAC7B,YAAQ,SAAS,MAAM,CAAC,GAAG,EAAE;AAE7B,QAAI,UAAU,GAAG;AACf,iBAAW,OAAO,2CAA2C;AAAA,IAC/D;AAEA,UAAM,UAAU,KAAK,CAAC;AACtB,UAAM,kBAAmB,QAAQ;AAEjC,QAAI,UAAU,KAAK,UAAU,GAAG;AAC9B,mBAAa,OAAO,0CAA0C;AAAA,IAChE;AAAA,EACF;AAAA,EAEA,KAAK,SAAS,mBAAmB,OAAO,MAAM,MAAM;AAElD,QAAI,QAAQ;AAEZ,QAAI,KAAK,WAAW,GAAG;AACrB,iBAAW,OAAO,6CAA6C;AAAA,IACjE;AAEA,aAAS,KAAK,CAAC;AACf,aAAS,KAAK,CAAC;AAEf,QAAI,CAAC,mBAAmB,KAAK,MAAM,GAAG;AACpC,iBAAW,OAAO,6DAA6D;AAAA,IACjF;AAEA,QAAI,kBAAkB,KAAK,MAAM,QAAQ,MAAM,GAAG;AAChD,iBAAW,OAAO,gDAAgD,SAAS,cAAc;AAAA,IAC3F;AAEA,QAAI,CAAC,gBAAgB,KAAK,MAAM,GAAG;AACjC,iBAAW,OAAO,8DAA8D;AAAA,IAClF;AAEA,QAAI;AACF,eAAS,mBAAmB,MAAM;AAAA,IACpC,SAAS,KAAK;AACZ,iBAAW,OAAO,8BAA8B,MAAM;AAAA,IACxD;AAEA,UAAM,OAAO,MAAM,IAAI;AAAA,EACzB;AACF;AAGA,SAAS,eAAe,OAAO,OAAO,KAAK,WAAW;AACpD,MAAI,WAAW,SAAS,YAAY;AAEpC,MAAI,QAAQ,KAAK;AACf,cAAU,MAAM,MAAM,MAAM,OAAO,GAAG;AAEtC,QAAI,WAAW;AACb,WAAK,YAAY,GAAG,UAAU,QAAQ,QAAQ,YAAY,SAAS,aAAa,GAAG;AACjF,qBAAa,QAAQ,WAAW,SAAS;AACzC,YAAI,EAAE,eAAe,KACd,MAAQ,cAAc,cAAc,UAAY;AACrD,qBAAW,OAAO,+BAA+B;AAAA,QACnD;AAAA,MACF;AAAA,IACF,WAAW,sBAAsB,KAAK,OAAO,GAAG;AAC9C,iBAAW,OAAO,8CAA8C;AAAA,IAClE;AAEA,UAAM,UAAU;AAAA,EAClB;AACF;AAEA,SAAS,cAAc,OAAO,aAAa,QAAQ,iBAAiB;AAClE,MAAI,YAAY,KAAK,OAAO;AAE5B,MAAI,CAAC,OAAO,SAAS,MAAM,GAAG;AAC5B,eAAW,OAAO,mEAAmE;AAAA,EACvF;AAEA,eAAa,OAAO,KAAK,MAAM;AAE/B,OAAK,QAAQ,GAAG,WAAW,WAAW,QAAQ,QAAQ,UAAU,SAAS,GAAG;AAC1E,UAAM,WAAW,KAAK;AAEtB,QAAI,CAAC,kBAAkB,KAAK,aAAa,GAAG,GAAG;AAC7C,kBAAY,aAAa,KAAK,OAAO,GAAG,CAAC;AACzC,sBAAgB,GAAG,IAAI;AAAA,IACzB;AAAA,EACF;AACF;AAEA,SAAS,iBAAiB,OAAO,SAAS,iBAAiB,QAAQ,SAAS,WAC1E,WAAW,gBAAgB,UAAU;AAErC,MAAI,OAAO;AAKX,MAAI,MAAM,QAAQ,OAAO,GAAG;AAC1B,cAAU,MAAM,UAAU,MAAM,KAAK,OAAO;AAE5C,SAAK,QAAQ,GAAG,WAAW,QAAQ,QAAQ,QAAQ,UAAU,SAAS,GAAG;AACvE,UAAI,MAAM,QAAQ,QAAQ,KAAK,CAAC,GAAG;AACjC,mBAAW,OAAO,6CAA6C;AAAA,MACjE;AAEA,UAAI,OAAO,YAAY,YAAY,OAAO,QAAQ,KAAK,CAAC,MAAM,mBAAmB;AAC/E,gBAAQ,KAAK,IAAI;AAAA,MACnB;AAAA,IACF;AAAA,EACF;AAKA,MAAI,OAAO,YAAY,YAAY,OAAO,OAAO,MAAM,mBAAmB;AACxE,cAAU;AAAA,EACZ;AAGA,YAAU,OAAO,OAAO;AAExB,MAAI,YAAY,MAAM;AACpB,cAAU,CAAC;AAAA,EACb;AAEA,MAAI,WAAW,2BAA2B;AACxC,QAAI,MAAM,QAAQ,SAAS,GAAG;AAC5B,WAAK,QAAQ,GAAG,WAAW,UAAU,QAAQ,QAAQ,UAAU,SAAS,GAAG;AACzE,sBAAc,OAAO,SAAS,UAAU,KAAK,GAAG,eAAe;AAAA,MACjE;AAAA,IACF,OAAO;AACL,oBAAc,OAAO,SAAS,WAAW,eAAe;AAAA,IAC1D;AAAA,EACF,OAAO;AACL,QAAI,CAAC,MAAM,QACP,CAAC,kBAAkB,KAAK,iBAAiB,OAAO,KAChD,kBAAkB,KAAK,SAAS,OAAO,GAAG;AAC5C,YAAM,OAAO,aAAa,MAAM;AAChC,YAAM,YAAY,kBAAkB,MAAM;AAC1C,YAAM,WAAW,YAAY,MAAM;AACnC,iBAAW,OAAO,wBAAwB;AAAA,IAC5C;AAEA,gBAAY,SAAS,SAAS,SAAS;AACvC,WAAO,gBAAgB,OAAO;AAAA,EAChC;AAEA,SAAO;AACT;AAEA,SAAS,cAAc,OAAO;AAC5B,MAAI;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,IAAc;AACvB,UAAM;AAAA,EACR,WAAW,OAAO,IAAc;AAC9B,UAAM;AACN,QAAI,MAAM,MAAM,WAAW,MAAM,QAAQ,MAAM,IAAc;AAC3D,YAAM;AAAA,IACR;AAAA,EACF,OAAO;AACL,eAAW,OAAO,0BAA0B;AAAA,EAC9C;AAEA,QAAM,QAAQ;AACd,QAAM,YAAY,MAAM;AACxB,QAAM,iBAAiB;AACzB;AAEA,SAAS,oBAAoB,OAAO,eAAe,aAAa;AAC9D,MAAI,aAAa,GACb,KAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE9C,SAAO,OAAO,GAAG;AACf,WAAO,eAAe,EAAE,GAAG;AACzB,UAAI,OAAO,KAAiB,MAAM,mBAAmB,IAAI;AACvD,cAAM,iBAAiB,MAAM;AAAA,MAC/B;AACA,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C;AAEA,QAAI,iBAAiB,OAAO,IAAa;AACvC,SAAG;AACD,aAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,MAC9C,SAAS,OAAO,MAAgB,OAAO,MAAgB,OAAO;AAAA,IAChE;AAEA,QAAI,OAAO,EAAE,GAAG;AACd,oBAAc,KAAK;AAEnB,WAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAC1C;AACA,YAAM,aAAa;AAEnB,aAAO,OAAO,IAAiB;AAC7B,cAAM;AACN,aAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,MAC9C;AAAA,IACF,OAAO;AACL;AAAA,IACF;AAAA,EACF;AAEA,MAAI,gBAAgB,MAAM,eAAe,KAAK,MAAM,aAAa,aAAa;AAC5E,iBAAa,OAAO,uBAAuB;AAAA,EAC7C;AAEA,SAAO;AACT;AAEA,SAAS,sBAAsB,OAAO;AACpC,MAAI,YAAY,MAAM,UAClB;AAEJ,OAAK,MAAM,MAAM,WAAW,SAAS;AAIrC,OAAK,OAAO,MAAe,OAAO,OAC9B,OAAO,MAAM,MAAM,WAAW,YAAY,CAAC,KAC3C,OAAO,MAAM,MAAM,WAAW,YAAY,CAAC,GAAG;AAEhD,iBAAa;AAEb,SAAK,MAAM,MAAM,WAAW,SAAS;AAErC,QAAI,OAAO,KAAK,aAAa,EAAE,GAAG;AAChC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,iBAAiB,OAAO,OAAO;AACtC,MAAI,UAAU,GAAG;AACf,UAAM,UAAU;AAAA,EAClB,WAAW,QAAQ,GAAG;AACpB,UAAM,UAAU,OAAO,OAAO,MAAM,QAAQ,CAAC;AAAA,EAC/C;AACF;AAGA,SAAS,gBAAgB,OAAO,YAAY,sBAAsB;AAChE,MAAI,WACA,WACA,cACA,YACA,mBACA,OACA,YACA,aACA,QAAQ,MAAM,MACd,UAAU,MAAM,QAChB;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,aAAa,EAAE,KACf,kBAAkB,EAAE,KACpB,OAAO,MACP,OAAO,MACP,OAAO,MACP,OAAO,MACP,OAAO,OACP,OAAO,MACP,OAAO,MACP,OAAO,MACP,OAAO,MACP,OAAO,MACP,OAAO,IAAa;AACtB,WAAO;AAAA,EACT;AAEA,MAAI,OAAO,MAAe,OAAO,IAAa;AAC5C,gBAAY,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC;AAErD,QAAI,aAAa,SAAS,KACtB,wBAAwB,kBAAkB,SAAS,GAAG;AACxD,aAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,OAAO;AACb,QAAM,SAAS;AACf,iBAAe,aAAa,MAAM;AAClC,sBAAoB;AAEpB,SAAO,OAAO,GAAG;AACf,QAAI,OAAO,IAAa;AACtB,kBAAY,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC;AAErD,UAAI,aAAa,SAAS,KACtB,wBAAwB,kBAAkB,SAAS,GAAG;AACxD;AAAA,MACF;AAAA,IAEF,WAAW,OAAO,IAAa;AAC7B,kBAAY,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC;AAErD,UAAI,aAAa,SAAS,GAAG;AAC3B;AAAA,MACF;AAAA,IAEF,WAAY,MAAM,aAAa,MAAM,aAAa,sBAAsB,KAAK,KAClE,wBAAwB,kBAAkB,EAAE,GAAG;AACxD;AAAA,IAEF,WAAW,OAAO,EAAE,GAAG;AACrB,cAAQ,MAAM;AACd,mBAAa,MAAM;AACnB,oBAAc,MAAM;AACpB,0BAAoB,OAAO,OAAO,EAAE;AAEpC,UAAI,MAAM,cAAc,YAAY;AAClC,4BAAoB;AACpB,aAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAC1C;AAAA,MACF,OAAO;AACL,cAAM,WAAW;AACjB,cAAM,OAAO;AACb,cAAM,YAAY;AAClB,cAAM,aAAa;AACnB;AAAA,MACF;AAAA,IACF;AAEA,QAAI,mBAAmB;AACrB,qBAAe,OAAO,cAAc,YAAY,KAAK;AACrD,uBAAiB,OAAO,MAAM,OAAO,KAAK;AAC1C,qBAAe,aAAa,MAAM;AAClC,0BAAoB;AAAA,IACtB;AAEA,QAAI,CAAC,eAAe,EAAE,GAAG;AACvB,mBAAa,MAAM,WAAW;AAAA,IAChC;AAEA,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,EAC9C;AAEA,iBAAe,OAAO,cAAc,YAAY,KAAK;AAErD,MAAI,MAAM,QAAQ;AAChB,WAAO;AAAA,EACT;AAEA,QAAM,OAAO;AACb,QAAM,SAAS;AACf,SAAO;AACT;AAEA,SAAS,uBAAuB,OAAO,YAAY;AACjD,MAAI,IACA,cAAc;AAElB,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,IAAa;AACtB,WAAO;AAAA,EACT;AAEA,QAAM,OAAO;AACb,QAAM,SAAS;AACf,QAAM;AACN,iBAAe,aAAa,MAAM;AAElC,UAAQ,KAAK,MAAM,MAAM,WAAW,MAAM,QAAQ,OAAO,GAAG;AAC1D,QAAI,OAAO,IAAa;AACtB,qBAAe,OAAO,cAAc,MAAM,UAAU,IAAI;AACxD,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,UAAI,OAAO,IAAa;AACtB,uBAAe,MAAM;AACrB,cAAM;AACN,qBAAa,MAAM;AAAA,MACrB,OAAO;AACL,eAAO;AAAA,MACT;AAAA,IAEF,WAAW,OAAO,EAAE,GAAG;AACrB,qBAAe,OAAO,cAAc,YAAY,IAAI;AACpD,uBAAiB,OAAO,oBAAoB,OAAO,OAAO,UAAU,CAAC;AACrE,qBAAe,aAAa,MAAM;AAAA,IAEpC,WAAW,MAAM,aAAa,MAAM,aAAa,sBAAsB,KAAK,GAAG;AAC7E,iBAAW,OAAO,8DAA8D;AAAA,IAElF,OAAO;AACL,YAAM;AACN,mBAAa,MAAM;AAAA,IACrB;AAAA,EACF;AAEA,aAAW,OAAO,4DAA4D;AAChF;AAEA,SAAS,uBAAuB,OAAO,YAAY;AACjD,MAAI,cACA,YACA,WACA,WACA,KACA;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,IAAa;AACtB,WAAO;AAAA,EACT;AAEA,QAAM,OAAO;AACb,QAAM,SAAS;AACf,QAAM;AACN,iBAAe,aAAa,MAAM;AAElC,UAAQ,KAAK,MAAM,MAAM,WAAW,MAAM,QAAQ,OAAO,GAAG;AAC1D,QAAI,OAAO,IAAa;AACtB,qBAAe,OAAO,cAAc,MAAM,UAAU,IAAI;AACxD,YAAM;AACN,aAAO;AAAA,IAET,WAAW,OAAO,IAAa;AAC7B,qBAAe,OAAO,cAAc,MAAM,UAAU,IAAI;AACxD,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,UAAI,OAAO,EAAE,GAAG;AACd,4BAAoB,OAAO,OAAO,UAAU;AAAA,MAG9C,WAAW,KAAK,OAAO,kBAAkB,EAAE,GAAG;AAC5C,cAAM,UAAU,gBAAgB,EAAE;AAClC,cAAM;AAAA,MAER,YAAY,MAAM,cAAc,EAAE,KAAK,GAAG;AACxC,oBAAY;AACZ,oBAAY;AAEZ,eAAO,YAAY,GAAG,aAAa;AACjC,eAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,eAAK,MAAM,YAAY,EAAE,MAAM,GAAG;AAChC,yBAAa,aAAa,KAAK;AAAA,UAEjC,OAAO;AACL,uBAAW,OAAO,gCAAgC;AAAA,UACpD;AAAA,QACF;AAEA,cAAM,UAAU,kBAAkB,SAAS;AAE3C,cAAM;AAAA,MAER,OAAO;AACL,mBAAW,OAAO,yBAAyB;AAAA,MAC7C;AAEA,qBAAe,aAAa,MAAM;AAAA,IAEpC,WAAW,OAAO,EAAE,GAAG;AACrB,qBAAe,OAAO,cAAc,YAAY,IAAI;AACpD,uBAAiB,OAAO,oBAAoB,OAAO,OAAO,UAAU,CAAC;AACrE,qBAAe,aAAa,MAAM;AAAA,IAEpC,WAAW,MAAM,aAAa,MAAM,aAAa,sBAAsB,KAAK,GAAG;AAC7E,iBAAW,OAAO,8DAA8D;AAAA,IAElF,OAAO;AACL,YAAM;AACN,mBAAa,MAAM;AAAA,IACrB;AAAA,EACF;AAEA,aAAW,OAAO,4DAA4D;AAChF;AAEA,SAAS,mBAAmB,OAAO,YAAY;AAC7C,MAAI,WAAW,MACX,OACA,YACA,MACA,OAAW,MAAM,KACjB,SACA,UAAW,MAAM,QACjB,WACA,YACA,QACA,gBACA,WACA,kBAAkB,uBAAO,OAAO,IAAI,GACpC,SACA,QACA,WACA;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,IAAa;AACtB,iBAAa;AACb,gBAAY;AACZ,cAAU,CAAC;AAAA,EACb,WAAW,OAAO,KAAa;AAC7B,iBAAa;AACb,gBAAY;AACZ,cAAU,CAAC;AAAA,EACb,OAAO;AACL,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,WAAW,MAAM;AACzB,UAAM,UAAU,MAAM,MAAM,IAAI;AAAA,EAClC;AAEA,OAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,SAAO,OAAO,GAAG;AACf,wBAAoB,OAAO,MAAM,UAAU;AAE3C,SAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,QAAI,OAAO,YAAY;AACrB,YAAM;AACN,YAAM,MAAM;AACZ,YAAM,SAAS;AACf,YAAM,OAAO,YAAY,YAAY;AACrC,YAAM,SAAS;AACf,aAAO;AAAA,IACT,WAAW,CAAC,UAAU;AACpB,iBAAW,OAAO,8CAA8C;AAAA,IAClE,WAAW,OAAO,IAAa;AAE7B,iBAAW,OAAO,0CAA0C;AAAA,IAC9D;AAEA,aAAS,UAAU,YAAY;AAC/B,aAAS,iBAAiB;AAE1B,QAAI,OAAO,IAAa;AACtB,kBAAY,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC;AAErD,UAAI,aAAa,SAAS,GAAG;AAC3B,iBAAS,iBAAiB;AAC1B,cAAM;AACN,4BAAoB,OAAO,MAAM,UAAU;AAAA,MAC7C;AAAA,IACF;AAEA,YAAQ,MAAM;AACd,iBAAa,MAAM;AACnB,WAAO,MAAM;AACb,gBAAY,OAAO,YAAY,iBAAiB,OAAO,IAAI;AAC3D,aAAS,MAAM;AACf,cAAU,MAAM;AAChB,wBAAoB,OAAO,MAAM,UAAU;AAE3C,SAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,SAAK,kBAAkB,MAAM,SAAS,UAAU,OAAO,IAAa;AAClE,eAAS;AACT,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAC5C,0BAAoB,OAAO,MAAM,UAAU;AAC3C,kBAAY,OAAO,YAAY,iBAAiB,OAAO,IAAI;AAC3D,kBAAY,MAAM;AAAA,IACpB;AAEA,QAAI,WAAW;AACb,uBAAiB,OAAO,SAAS,iBAAiB,QAAQ,SAAS,WAAW,OAAO,YAAY,IAAI;AAAA,IACvG,WAAW,QAAQ;AACjB,cAAQ,KAAK,iBAAiB,OAAO,MAAM,iBAAiB,QAAQ,SAAS,WAAW,OAAO,YAAY,IAAI,CAAC;AAAA,IAClH,OAAO;AACL,cAAQ,KAAK,OAAO;AAAA,IACtB;AAEA,wBAAoB,OAAO,MAAM,UAAU;AAE3C,SAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,QAAI,OAAO,IAAa;AACtB,iBAAW;AACX,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C,OAAO;AACL,iBAAW;AAAA,IACb;AAAA,EACF;AAEA,aAAW,OAAO,uDAAuD;AAC3E;AAEA,SAAS,gBAAgB,OAAO,YAAY;AAC1C,MAAI,cACA,SACA,WAAiB,eACjB,iBAAiB,OACjB,iBAAiB,OACjB,aAAiB,YACjB,aAAiB,GACjB,iBAAiB,OACjB,KACA;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,KAAa;AACtB,cAAU;AAAA,EACZ,WAAW,OAAO,IAAa;AAC7B,cAAU;AAAA,EACZ,OAAO;AACL,WAAO;AAAA,EACT;AAEA,QAAM,OAAO;AACb,QAAM,SAAS;AAEf,SAAO,OAAO,GAAG;AACf,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,QAAI,OAAO,MAAe,OAAO,IAAa;AAC5C,UAAI,kBAAkB,UAAU;AAC9B,mBAAY,OAAO,KAAe,gBAAgB;AAAA,MACpD,OAAO;AACL,mBAAW,OAAO,sCAAsC;AAAA,MAC1D;AAAA,IAEF,YAAY,MAAM,gBAAgB,EAAE,MAAM,GAAG;AAC3C,UAAI,QAAQ,GAAG;AACb,mBAAW,OAAO,8EAA8E;AAAA,MAClG,WAAW,CAAC,gBAAgB;AAC1B,qBAAa,aAAa,MAAM;AAChC,yBAAiB;AAAA,MACnB,OAAO;AACL,mBAAW,OAAO,2CAA2C;AAAA,MAC/D;AAAA,IAEF,OAAO;AACL;AAAA,IACF;AAAA,EACF;AAEA,MAAI,eAAe,EAAE,GAAG;AACtB,OAAG;AAAE,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAAG,SAC7C,eAAe,EAAE;AAExB,QAAI,OAAO,IAAa;AACtB,SAAG;AAAE,aAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,MAAG,SAC7C,CAAC,OAAO,EAAE,KAAM,OAAO;AAAA,IAChC;AAAA,EACF;AAEA,SAAO,OAAO,GAAG;AACf,kBAAc,KAAK;AACnB,UAAM,aAAa;AAEnB,SAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,YAAQ,CAAC,kBAAkB,MAAM,aAAa,eACtC,OAAO,IAAkB;AAC/B,YAAM;AACN,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C;AAEA,QAAI,CAAC,kBAAkB,MAAM,aAAa,YAAY;AACpD,mBAAa,MAAM;AAAA,IACrB;AAEA,QAAI,OAAO,EAAE,GAAG;AACd;AACA;AAAA,IACF;AAGA,QAAI,MAAM,aAAa,YAAY;AAGjC,UAAI,aAAa,eAAe;AAC9B,cAAM,UAAU,OAAO,OAAO,MAAM,iBAAiB,IAAI,aAAa,UAAU;AAAA,MAClF,WAAW,aAAa,eAAe;AACrC,YAAI,gBAAgB;AAClB,gBAAM,UAAU;AAAA,QAClB;AAAA,MACF;AAGA;AAAA,IACF;AAGA,QAAI,SAAS;AAGX,UAAI,eAAe,EAAE,GAAG;AACtB,yBAAiB;AAEjB,cAAM,UAAU,OAAO,OAAO,MAAM,iBAAiB,IAAI,aAAa,UAAU;AAAA,MAGlF,WAAW,gBAAgB;AACzB,yBAAiB;AACjB,cAAM,UAAU,OAAO,OAAO,MAAM,aAAa,CAAC;AAAA,MAGpD,WAAW,eAAe,GAAG;AAC3B,YAAI,gBAAgB;AAClB,gBAAM,UAAU;AAAA,QAClB;AAAA,MAGF,OAAO;AACL,cAAM,UAAU,OAAO,OAAO,MAAM,UAAU;AAAA,MAChD;AAAA,IAGF,OAAO;AAEL,YAAM,UAAU,OAAO,OAAO,MAAM,iBAAiB,IAAI,aAAa,UAAU;AAAA,IAClF;AAEA,qBAAiB;AACjB,qBAAiB;AACjB,iBAAa;AACb,mBAAe,MAAM;AAErB,WAAO,CAAC,OAAO,EAAE,KAAM,OAAO,GAAI;AAChC,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C;AAEA,mBAAe,OAAO,cAAc,MAAM,UAAU,KAAK;AAAA,EAC3D;AAEA,SAAO;AACT;AAEA,SAAS,kBAAkB,OAAO,YAAY;AAC5C,MAAI,OACA,OAAY,MAAM,KAClB,UAAY,MAAM,QAClB,UAAY,CAAC,GACb,WACA,WAAY,OACZ;AAIJ,MAAI,MAAM,mBAAmB,GAAI,QAAO;AAExC,MAAI,MAAM,WAAW,MAAM;AACzB,UAAM,UAAU,MAAM,MAAM,IAAI;AAAA,EAClC;AAEA,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,SAAO,OAAO,GAAG;AACf,QAAI,MAAM,mBAAmB,IAAI;AAC/B,YAAM,WAAW,MAAM;AACvB,iBAAW,OAAO,gDAAgD;AAAA,IACpE;AAEA,QAAI,OAAO,IAAa;AACtB;AAAA,IACF;AAEA,gBAAY,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC;AAErD,QAAI,CAAC,aAAa,SAAS,GAAG;AAC5B;AAAA,IACF;AAEA,eAAW;AACX,UAAM;AAEN,QAAI,oBAAoB,OAAO,MAAM,EAAE,GAAG;AACxC,UAAI,MAAM,cAAc,YAAY;AAClC,gBAAQ,KAAK,IAAI;AACjB,aAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAC1C;AAAA,MACF;AAAA,IACF;AAEA,YAAQ,MAAM;AACd,gBAAY,OAAO,YAAY,kBAAkB,OAAO,IAAI;AAC5D,YAAQ,KAAK,MAAM,MAAM;AACzB,wBAAoB,OAAO,MAAM,EAAE;AAEnC,SAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,SAAK,MAAM,SAAS,SAAS,MAAM,aAAa,eAAgB,OAAO,GAAI;AACzE,iBAAW,OAAO,qCAAqC;AAAA,IACzD,WAAW,MAAM,aAAa,YAAY;AACxC;AAAA,IACF;AAAA,EACF;AAEA,MAAI,UAAU;AACZ,UAAM,MAAM;AACZ,UAAM,SAAS;AACf,UAAM,OAAO;AACb,UAAM,SAAS;AACf,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEA,SAAS,iBAAiB,OAAO,YAAY,YAAY;AACvD,MAAI,WACA,cACA,OACA,UACA,eACA,SACA,OAAgB,MAAM,KACtB,UAAgB,MAAM,QACtB,UAAgB,CAAC,GACjB,kBAAkB,uBAAO,OAAO,IAAI,GACpC,SAAgB,MAChB,UAAgB,MAChB,YAAgB,MAChB,gBAAgB,OAChB,WAAgB,OAChB;AAIJ,MAAI,MAAM,mBAAmB,GAAI,QAAO;AAExC,MAAI,MAAM,WAAW,MAAM;AACzB,UAAM,UAAU,MAAM,MAAM,IAAI;AAAA,EAClC;AAEA,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,SAAO,OAAO,GAAG;AACf,QAAI,CAAC,iBAAiB,MAAM,mBAAmB,IAAI;AACjD,YAAM,WAAW,MAAM;AACvB,iBAAW,OAAO,gDAAgD;AAAA,IACpE;AAEA,gBAAY,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC;AACrD,YAAQ,MAAM;AAMd,SAAK,OAAO,MAAe,OAAO,OAAgB,aAAa,SAAS,GAAG;AAEzE,UAAI,OAAO,IAAa;AACtB,YAAI,eAAe;AACjB,2BAAiB,OAAO,SAAS,iBAAiB,QAAQ,SAAS,MAAM,UAAU,eAAe,OAAO;AACzG,mBAAS,UAAU,YAAY;AAAA,QACjC;AAEA,mBAAW;AACX,wBAAgB;AAChB,uBAAe;AAAA,MAEjB,WAAW,eAAe;AAExB,wBAAgB;AAChB,uBAAe;AAAA,MAEjB,OAAO;AACL,mBAAW,OAAO,mGAAmG;AAAA,MACvH;AAEA,YAAM,YAAY;AAClB,WAAK;AAAA,IAKP,OAAO;AACL,iBAAW,MAAM;AACjB,sBAAgB,MAAM;AACtB,gBAAU,MAAM;AAEhB,UAAI,CAAC,YAAY,OAAO,YAAY,kBAAkB,OAAO,IAAI,GAAG;AAGlE;AAAA,MACF;AAEA,UAAI,MAAM,SAAS,OAAO;AACxB,aAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,eAAO,eAAe,EAAE,GAAG;AACzB,eAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,QAC9C;AAEA,YAAI,OAAO,IAAa;AACtB,eAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,cAAI,CAAC,aAAa,EAAE,GAAG;AACrB,uBAAW,OAAO,yFAAyF;AAAA,UAC7G;AAEA,cAAI,eAAe;AACjB,6BAAiB,OAAO,SAAS,iBAAiB,QAAQ,SAAS,MAAM,UAAU,eAAe,OAAO;AACzG,qBAAS,UAAU,YAAY;AAAA,UACjC;AAEA,qBAAW;AACX,0BAAgB;AAChB,yBAAe;AACf,mBAAS,MAAM;AACf,oBAAU,MAAM;AAAA,QAElB,WAAW,UAAU;AACnB,qBAAW,OAAO,0DAA0D;AAAA,QAE9E,OAAO;AACL,gBAAM,MAAM;AACZ,gBAAM,SAAS;AACf,iBAAO;AAAA,QACT;AAAA,MAEF,WAAW,UAAU;AACnB,mBAAW,OAAO,gFAAgF;AAAA,MAEpG,OAAO;AACL,cAAM,MAAM;AACZ,cAAM,SAAS;AACf,eAAO;AAAA,MACT;AAAA,IACF;AAKA,QAAI,MAAM,SAAS,SAAS,MAAM,aAAa,YAAY;AACzD,UAAI,eAAe;AACjB,mBAAW,MAAM;AACjB,wBAAgB,MAAM;AACtB,kBAAU,MAAM;AAAA,MAClB;AAEA,UAAI,YAAY,OAAO,YAAY,mBAAmB,MAAM,YAAY,GAAG;AACzE,YAAI,eAAe;AACjB,oBAAU,MAAM;AAAA,QAClB,OAAO;AACL,sBAAY,MAAM;AAAA,QACpB;AAAA,MACF;AAEA,UAAI,CAAC,eAAe;AAClB,yBAAiB,OAAO,SAAS,iBAAiB,QAAQ,SAAS,WAAW,UAAU,eAAe,OAAO;AAC9G,iBAAS,UAAU,YAAY;AAAA,MACjC;AAEA,0BAAoB,OAAO,MAAM,EAAE;AACnC,WAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAAA,IAC5C;AAEA,SAAK,MAAM,SAAS,SAAS,MAAM,aAAa,eAAgB,OAAO,GAAI;AACzE,iBAAW,OAAO,oCAAoC;AAAA,IACxD,WAAW,MAAM,aAAa,YAAY;AACxC;AAAA,IACF;AAAA,EACF;AAOA,MAAI,eAAe;AACjB,qBAAiB,OAAO,SAAS,iBAAiB,QAAQ,SAAS,MAAM,UAAU,eAAe,OAAO;AAAA,EAC3G;AAGA,MAAI,UAAU;AACZ,UAAM,MAAM;AACZ,UAAM,SAAS;AACf,UAAM,OAAO;AACb,UAAM,SAAS;AAAA,EACjB;AAEA,SAAO;AACT;AAEA,SAAS,gBAAgB,OAAO;AAC9B,MAAI,WACA,aAAa,OACb,UAAa,OACb,WACA,SACA;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,GAAa,QAAO;AAE/B,MAAI,MAAM,QAAQ,MAAM;AACtB,eAAW,OAAO,+BAA+B;AAAA,EACnD;AAEA,OAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAE5C,MAAI,OAAO,IAAa;AACtB,iBAAa;AACb,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,EAE9C,WAAW,OAAO,IAAa;AAC7B,cAAU;AACV,gBAAY;AACZ,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,EAE9C,OAAO;AACL,gBAAY;AAAA,EACd;AAEA,cAAY,MAAM;AAElB,MAAI,YAAY;AACd,OAAG;AAAE,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAAG,SAC7C,OAAO,KAAK,OAAO;AAE1B,QAAI,MAAM,WAAW,MAAM,QAAQ;AACjC,gBAAU,MAAM,MAAM,MAAM,WAAW,MAAM,QAAQ;AACrD,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C,OAAO;AACL,iBAAW,OAAO,oDAAoD;AAAA,IACxE;AAAA,EACF,OAAO;AACL,WAAO,OAAO,KAAK,CAAC,aAAa,EAAE,GAAG;AAEpC,UAAI,OAAO,IAAa;AACtB,YAAI,CAAC,SAAS;AACZ,sBAAY,MAAM,MAAM,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC;AAE/D,cAAI,CAAC,mBAAmB,KAAK,SAAS,GAAG;AACvC,uBAAW,OAAO,iDAAiD;AAAA,UACrE;AAEA,oBAAU;AACV,sBAAY,MAAM,WAAW;AAAA,QAC/B,OAAO;AACL,qBAAW,OAAO,6CAA6C;AAAA,QACjE;AAAA,MACF;AAEA,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C;AAEA,cAAU,MAAM,MAAM,MAAM,WAAW,MAAM,QAAQ;AAErD,QAAI,wBAAwB,KAAK,OAAO,GAAG;AACzC,iBAAW,OAAO,qDAAqD;AAAA,IACzE;AAAA,EACF;AAEA,MAAI,WAAW,CAAC,gBAAgB,KAAK,OAAO,GAAG;AAC7C,eAAW,OAAO,8CAA8C,OAAO;AAAA,EACzE;AAEA,MAAI;AACF,cAAU,mBAAmB,OAAO;AAAA,EACtC,SAAS,KAAK;AACZ,eAAW,OAAO,4BAA4B,OAAO;AAAA,EACvD;AAEA,MAAI,YAAY;AACd,UAAM,MAAM;AAAA,EAEd,WAAW,kBAAkB,KAAK,MAAM,QAAQ,SAAS,GAAG;AAC1D,UAAM,MAAM,MAAM,OAAO,SAAS,IAAI;AAAA,EAExC,WAAW,cAAc,KAAK;AAC5B,UAAM,MAAM,MAAM;AAAA,EAEpB,WAAW,cAAc,MAAM;AAC7B,UAAM,MAAM,uBAAuB;AAAA,EAErC,OAAO;AACL,eAAW,OAAO,4BAA4B,YAAY,GAAG;AAAA,EAC/D;AAEA,SAAO;AACT;AAEA,SAAS,mBAAmB,OAAO;AACjC,MAAI,WACA;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,GAAa,QAAO;AAE/B,MAAI,MAAM,WAAW,MAAM;AACzB,eAAW,OAAO,mCAAmC;AAAA,EACvD;AAEA,OAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAC5C,cAAY,MAAM;AAElB,SAAO,OAAO,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,kBAAkB,EAAE,GAAG;AAC9D,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,EAC9C;AAEA,MAAI,MAAM,aAAa,WAAW;AAChC,eAAW,OAAO,4DAA4D;AAAA,EAChF;AAEA,QAAM,SAAS,MAAM,MAAM,MAAM,WAAW,MAAM,QAAQ;AAC1D,SAAO;AACT;AAEA,SAAS,UAAU,OAAO;AACxB,MAAI,WAAW,OACX;AAEJ,OAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,MAAI,OAAO,GAAa,QAAO;AAE/B,OAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAC5C,cAAY,MAAM;AAElB,SAAO,OAAO,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,kBAAkB,EAAE,GAAG;AAC9D,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,EAC9C;AAEA,MAAI,MAAM,aAAa,WAAW;AAChC,eAAW,OAAO,2DAA2D;AAAA,EAC/E;AAEA,UAAQ,MAAM,MAAM,MAAM,WAAW,MAAM,QAAQ;AAEnD,MAAI,CAAC,kBAAkB,KAAK,MAAM,WAAW,KAAK,GAAG;AACnD,eAAW,OAAO,yBAAyB,QAAQ,GAAG;AAAA,EACxD;AAEA,QAAM,SAAS,MAAM,UAAU,KAAK;AACpC,sBAAoB,OAAO,MAAM,EAAE;AACnC,SAAO;AACT;AAEA,SAAS,YAAY,OAAO,cAAc,aAAa,aAAa,cAAc;AAChF,MAAI,kBACA,mBACA,uBACA,eAAe,GACf,YAAa,OACb,aAAa,OACb,WACA,cACA,UACAE,OACA,YACA;AAEJ,MAAI,MAAM,aAAa,MAAM;AAC3B,UAAM,SAAS,QAAQ,KAAK;AAAA,EAC9B;AAEA,QAAM,MAAS;AACf,QAAM,SAAS;AACf,QAAM,OAAS;AACf,QAAM,SAAS;AAEf,qBAAmB,oBAAoB,wBACrC,sBAAsB,eACtB,qBAAsB;AAExB,MAAI,aAAa;AACf,QAAI,oBAAoB,OAAO,MAAM,EAAE,GAAG;AACxC,kBAAY;AAEZ,UAAI,MAAM,aAAa,cAAc;AACnC,uBAAe;AAAA,MACjB,WAAW,MAAM,eAAe,cAAc;AAC5C,uBAAe;AAAA,MACjB,WAAW,MAAM,aAAa,cAAc;AAC1C,uBAAe;AAAA,MACjB;AAAA,IACF;AAAA,EACF;AAEA,MAAI,iBAAiB,GAAG;AACtB,WAAO,gBAAgB,KAAK,KAAK,mBAAmB,KAAK,GAAG;AAC1D,UAAI,oBAAoB,OAAO,MAAM,EAAE,GAAG;AACxC,oBAAY;AACZ,gCAAwB;AAExB,YAAI,MAAM,aAAa,cAAc;AACnC,yBAAe;AAAA,QACjB,WAAW,MAAM,eAAe,cAAc;AAC5C,yBAAe;AAAA,QACjB,WAAW,MAAM,aAAa,cAAc;AAC1C,yBAAe;AAAA,QACjB;AAAA,MACF,OAAO;AACL,gCAAwB;AAAA,MAC1B;AAAA,IACF;AAAA,EACF;AAEA,MAAI,uBAAuB;AACzB,4BAAwB,aAAa;AAAA,EACvC;AAEA,MAAI,iBAAiB,KAAK,sBAAsB,aAAa;AAC3D,QAAI,oBAAoB,eAAe,qBAAqB,aAAa;AACvE,mBAAa;AAAA,IACf,OAAO;AACL,mBAAa,eAAe;AAAA,IAC9B;AAEA,kBAAc,MAAM,WAAW,MAAM;AAErC,QAAI,iBAAiB,GAAG;AACtB,UAAI,0BACC,kBAAkB,OAAO,WAAW,KACpC,iBAAiB,OAAO,aAAa,UAAU,MAChD,mBAAmB,OAAO,UAAU,GAAG;AACzC,qBAAa;AAAA,MACf,OAAO;AACL,YAAK,qBAAqB,gBAAgB,OAAO,UAAU,KACvD,uBAAuB,OAAO,UAAU,KACxC,uBAAuB,OAAO,UAAU,GAAG;AAC7C,uBAAa;AAAA,QAEf,WAAW,UAAU,KAAK,GAAG;AAC3B,uBAAa;AAEb,cAAI,MAAM,QAAQ,QAAQ,MAAM,WAAW,MAAM;AAC/C,uBAAW,OAAO,2CAA2C;AAAA,UAC/D;AAAA,QAEF,WAAW,gBAAgB,OAAO,YAAY,oBAAoB,WAAW,GAAG;AAC9E,uBAAa;AAEb,cAAI,MAAM,QAAQ,MAAM;AACtB,kBAAM,MAAM;AAAA,UACd;AAAA,QACF;AAEA,YAAI,MAAM,WAAW,MAAM;AACzB,gBAAM,UAAU,MAAM,MAAM,IAAI,MAAM;AAAA,QACxC;AAAA,MACF;AAAA,IACF,WAAW,iBAAiB,GAAG;AAG7B,mBAAa,yBAAyB,kBAAkB,OAAO,WAAW;AAAA,IAC5E;AAAA,EACF;AAEA,MAAI,MAAM,QAAQ,MAAM;AACtB,QAAI,MAAM,WAAW,MAAM;AACzB,YAAM,UAAU,MAAM,MAAM,IAAI,MAAM;AAAA,IACxC;AAAA,EAEF,WAAW,MAAM,QAAQ,KAAK;AAO5B,QAAI,MAAM,WAAW,QAAQ,MAAM,SAAS,UAAU;AACpD,iBAAW,OAAO,sEAAsE,MAAM,OAAO,GAAG;AAAA,IAC1G;AAEA,SAAK,YAAY,GAAG,eAAe,MAAM,cAAc,QAAQ,YAAY,cAAc,aAAa,GAAG;AACvG,MAAAA,QAAO,MAAM,cAAc,SAAS;AAEpC,UAAIA,MAAK,QAAQ,MAAM,MAAM,GAAG;AAC9B,cAAM,SAASA,MAAK,UAAU,MAAM,MAAM;AAC1C,cAAM,MAAMA,MAAK;AACjB,YAAI,MAAM,WAAW,MAAM;AACzB,gBAAM,UAAU,MAAM,MAAM,IAAI,MAAM;AAAA,QACxC;AACA;AAAA,MACF;AAAA,IACF;AAAA,EACF,WAAW,MAAM,QAAQ,KAAK;AAC5B,QAAI,kBAAkB,KAAK,MAAM,QAAQ,MAAM,QAAQ,UAAU,GAAG,MAAM,GAAG,GAAG;AAC9E,MAAAA,QAAO,MAAM,QAAQ,MAAM,QAAQ,UAAU,EAAE,MAAM,GAAG;AAAA,IAC1D,OAAO;AAEL,MAAAA,QAAO;AACP,iBAAW,MAAM,QAAQ,MAAM,MAAM,QAAQ,UAAU;AAEvD,WAAK,YAAY,GAAG,eAAe,SAAS,QAAQ,YAAY,cAAc,aAAa,GAAG;AAC5F,YAAI,MAAM,IAAI,MAAM,GAAG,SAAS,SAAS,EAAE,IAAI,MAAM,MAAM,SAAS,SAAS,EAAE,KAAK;AAClF,UAAAA,QAAO,SAAS,SAAS;AACzB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAACA,OAAM;AACT,iBAAW,OAAO,mBAAmB,MAAM,MAAM,GAAG;AAAA,IACtD;AAEA,QAAI,MAAM,WAAW,QAAQA,MAAK,SAAS,MAAM,MAAM;AACrD,iBAAW,OAAO,kCAAkC,MAAM,MAAM,0BAA0BA,MAAK,OAAO,aAAa,MAAM,OAAO,GAAG;AAAA,IACrI;AAEA,QAAI,CAACA,MAAK,QAAQ,MAAM,QAAQ,MAAM,GAAG,GAAG;AAC1C,iBAAW,OAAO,kCAAkC,MAAM,MAAM,gBAAgB;AAAA,IAClF,OAAO;AACL,YAAM,SAASA,MAAK,UAAU,MAAM,QAAQ,MAAM,GAAG;AACrD,UAAI,MAAM,WAAW,MAAM;AACzB,cAAM,UAAU,MAAM,MAAM,IAAI,MAAM;AAAA,MACxC;AAAA,IACF;AAAA,EACF;AAEA,MAAI,MAAM,aAAa,MAAM;AAC3B,UAAM,SAAS,SAAS,KAAK;AAAA,EAC/B;AACA,SAAO,MAAM,QAAQ,QAAS,MAAM,WAAW,QAAQ;AACzD;AAEA,SAAS,aAAa,OAAO;AAC3B,MAAI,gBAAgB,MAAM,UACtB,WACA,eACA,eACA,gBAAgB,OAChB;AAEJ,QAAM,UAAU;AAChB,QAAM,kBAAkB,MAAM;AAC9B,QAAM,SAAS,uBAAO,OAAO,IAAI;AACjC,QAAM,YAAY,uBAAO,OAAO,IAAI;AAEpC,UAAQ,KAAK,MAAM,MAAM,WAAW,MAAM,QAAQ,OAAO,GAAG;AAC1D,wBAAoB,OAAO,MAAM,EAAE;AAEnC,SAAK,MAAM,MAAM,WAAW,MAAM,QAAQ;AAE1C,QAAI,MAAM,aAAa,KAAK,OAAO,IAAa;AAC9C;AAAA,IACF;AAEA,oBAAgB;AAChB,SAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAC5C,gBAAY,MAAM;AAElB,WAAO,OAAO,KAAK,CAAC,aAAa,EAAE,GAAG;AACpC,WAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,IAC9C;AAEA,oBAAgB,MAAM,MAAM,MAAM,WAAW,MAAM,QAAQ;AAC3D,oBAAgB,CAAC;AAEjB,QAAI,cAAc,SAAS,GAAG;AAC5B,iBAAW,OAAO,8DAA8D;AAAA,IAClF;AAEA,WAAO,OAAO,GAAG;AACf,aAAO,eAAe,EAAE,GAAG;AACzB,aAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,MAC9C;AAEA,UAAI,OAAO,IAAa;AACtB,WAAG;AAAE,eAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,QAAG,SAC7C,OAAO,KAAK,CAAC,OAAO,EAAE;AAC7B;AAAA,MACF;AAEA,UAAI,OAAO,EAAE,EAAG;AAEhB,kBAAY,MAAM;AAElB,aAAO,OAAO,KAAK,CAAC,aAAa,EAAE,GAAG;AACpC,aAAK,MAAM,MAAM,WAAW,EAAE,MAAM,QAAQ;AAAA,MAC9C;AAEA,oBAAc,KAAK,MAAM,MAAM,MAAM,WAAW,MAAM,QAAQ,CAAC;AAAA,IACjE;AAEA,QAAI,OAAO,EAAG,eAAc,KAAK;AAEjC,QAAI,kBAAkB,KAAK,mBAAmB,aAAa,GAAG;AAC5D,wBAAkB,aAAa,EAAE,OAAO,eAAe,aAAa;AAAA,IACtE,OAAO;AACL,mBAAa,OAAO,iCAAiC,gBAAgB,GAAG;AAAA,IAC1E;AAAA,EACF;AAEA,sBAAoB,OAAO,MAAM,EAAE;AAEnC,MAAI,MAAM,eAAe,KACrB,MAAM,MAAM,WAAW,MAAM,QAAQ,MAAU,MAC/C,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC,MAAM,MAC/C,MAAM,MAAM,WAAW,MAAM,WAAW,CAAC,MAAM,IAAa;AAC9D,UAAM,YAAY;AAClB,wBAAoB,OAAO,MAAM,EAAE;AAAA,EAErC,WAAW,eAAe;AACxB,eAAW,OAAO,iCAAiC;AAAA,EACrD;AAEA,cAAY,OAAO,MAAM,aAAa,GAAG,mBAAmB,OAAO,IAAI;AACvE,sBAAoB,OAAO,MAAM,EAAE;AAEnC,MAAI,MAAM,mBACN,8BAA8B,KAAK,MAAM,MAAM,MAAM,eAAe,MAAM,QAAQ,CAAC,GAAG;AACxF,iBAAa,OAAO,kDAAkD;AAAA,EACxE;AAEA,QAAM,UAAU,KAAK,MAAM,MAAM;AAEjC,MAAI,MAAM,aAAa,MAAM,aAAa,sBAAsB,KAAK,GAAG;AAEtE,QAAI,MAAM,MAAM,WAAW,MAAM,QAAQ,MAAM,IAAa;AAC1D,YAAM,YAAY;AAClB,0BAAoB,OAAO,MAAM,EAAE;AAAA,IACrC;AACA;AAAA,EACF;AAEA,MAAI,MAAM,WAAY,MAAM,SAAS,GAAI;AACvC,eAAW,OAAO,uDAAuD;AAAA,EAC3E,OAAO;AACL;AAAA,EACF;AACF;AAGA,SAAS,cAAc,OAAO,SAAS;AACrC,UAAQ,OAAO,KAAK;AACpB,YAAU,WAAW,CAAC;AAEtB,MAAI,MAAM,WAAW,GAAG;AAGtB,QAAI,MAAM,WAAW,MAAM,SAAS,CAAC,MAAM,MACvC,MAAM,WAAW,MAAM,SAAS,CAAC,MAAM,IAAc;AACvD,eAAS;AAAA,IACX;AAGA,QAAI,MAAM,WAAW,CAAC,MAAM,OAAQ;AAClC,cAAQ,MAAM,MAAM,CAAC;AAAA,IACvB;AAAA,EACF;AAEA,MAAI,QAAQ,IAAI,QAAQ,OAAO,OAAO;AAEtC,MAAI,UAAU,MAAM,QAAQ,IAAI;AAEhC,MAAI,YAAY,IAAI;AAClB,UAAM,WAAW;AACjB,eAAW,OAAO,mCAAmC;AAAA,EACvD;AAGA,QAAM,SAAS;AAEf,SAAO,MAAM,MAAM,WAAW,MAAM,QAAQ,MAAM,IAAiB;AACjE,UAAM,cAAc;AACpB,UAAM,YAAY;AAAA,EACpB;AAEA,SAAO,MAAM,WAAY,MAAM,SAAS,GAAI;AAC1C,iBAAa,KAAK;AAAA,EACpB;AAEA,SAAO,MAAM;AACf;AAGA,SAAS,UAAU,OAAO,UAAU,SAAS;AAC3C,MAAI,aAAa,QAAQ,OAAO,aAAa,YAAY,OAAO,YAAY,aAAa;AACvF,cAAU;AACV,eAAW;AAAA,EACb;AAEA,MAAI,YAAY,cAAc,OAAO,OAAO;AAE5C,MAAI,OAAO,aAAa,YAAY;AAClC,WAAO;AAAA,EACT;AAEA,WAAS,QAAQ,GAAG,SAAS,UAAU,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AACzE,aAAS,UAAU,KAAK,CAAC;AAAA,EAC3B;AACF;AAGA,SAAS,OAAO,OAAO,SAAS;AAC9B,MAAI,YAAY,cAAc,OAAO,OAAO;AAE5C,MAAI,UAAU,WAAW,GAAG;AAE1B,WAAO;AAAA,EACT,WAAW,UAAU,WAAW,GAAG;AACjC,WAAO,UAAU,CAAC;AAAA,EACpB;AACA,QAAM,IAAI,UAAU,0DAA0D;AAChF;AAGA,IAAI,YAAY;AAChB,IAAI,SAAY;AAEhB,IAAI,SAAS;AAAA,EACZ,SAAS;AAAA,EACT,MAAM;AACP;AAQA,IAAI,YAAkB,OAAO,UAAU;AACvC,IAAI,kBAAkB,OAAO,UAAU;AAEvC,IAAI,WAA4B;AAChC,IAAI,WAA4B;AAChC,IAAI,iBAA4B;AAChC,IAAI,uBAA4B;AAChC,IAAI,aAA4B;AAChC,IAAI,mBAA4B;AAChC,IAAI,oBAA4B;AAChC,IAAI,aAA4B;AAChC,IAAI,eAA4B;AAChC,IAAI,iBAA4B;AAChC,IAAI,oBAA4B;AAChC,IAAI,gBAA4B;AAChC,IAAI,aAA4B;AAChC,IAAI,aAA4B;AAChC,IAAI,aAA4B;AAChC,IAAI,cAA4B;AAChC,IAAI,oBAA4B;AAChC,IAAI,gBAA4B;AAChC,IAAI,qBAA4B;AAChC,IAAI,2BAA4B;AAChC,IAAI,4BAA4B;AAChC,IAAI,oBAA4B;AAChC,IAAI,0BAA4B;AAChC,IAAI,qBAA4B;AAChC,IAAI,2BAA4B;AAEhC,IAAI,mBAAmB,CAAC;AAExB,iBAAiB,CAAI,IAAM;AAC3B,iBAAiB,CAAI,IAAM;AAC3B,iBAAiB,CAAI,IAAM;AAC3B,iBAAiB,CAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,EAAI,IAAM;AAC3B,iBAAiB,GAAI,IAAM;AAC3B,iBAAiB,GAAI,IAAM;AAC3B,iBAAiB,IAAM,IAAI;AAC3B,iBAAiB,IAAM,IAAI;AAE3B,IAAI,6BAA6B;AAAA,EAC/B;AAAA,EAAK;AAAA,EAAK;AAAA,EAAO;AAAA,EAAO;AAAA,EAAO;AAAA,EAAM;AAAA,EAAM;AAAA,EAC3C;AAAA,EAAK;AAAA,EAAK;AAAA,EAAM;AAAA,EAAM;AAAA,EAAM;AAAA,EAAO;AAAA,EAAO;AAC5C;AAEA,IAAI,2BAA2B;AAE/B,SAAS,gBAAgBD,SAAQD,MAAK;AACpC,MAAI,QAAQ,MAAM,OAAO,QAAQ,KAAK,OAAOE;AAE7C,MAAIF,SAAQ,KAAM,QAAO,CAAC;AAE1B,WAAS,CAAC;AACV,SAAO,OAAO,KAAKA,IAAG;AAEtB,OAAK,QAAQ,GAAG,SAAS,KAAK,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAChE,UAAM,KAAK,KAAK;AAChB,YAAQ,OAAOA,KAAI,GAAG,CAAC;AAEvB,QAAI,IAAI,MAAM,GAAG,CAAC,MAAM,MAAM;AAC5B,YAAM,uBAAuB,IAAI,MAAM,CAAC;AAAA,IAC1C;AACA,IAAAE,QAAOD,QAAO,gBAAgB,UAAU,EAAE,GAAG;AAE7C,QAAIC,SAAQ,gBAAgB,KAAKA,MAAK,cAAc,KAAK,GAAG;AAC1D,cAAQA,MAAK,aAAa,KAAK;AAAA,IACjC;AAEA,WAAO,GAAG,IAAI;AAAA,EAChB;AAEA,SAAO;AACT;AAEA,SAAS,UAAU,WAAW;AAC5B,MAAI,QAAQ,QAAQ;AAEpB,WAAS,UAAU,SAAS,EAAE,EAAE,YAAY;AAE5C,MAAI,aAAa,KAAM;AACrB,aAAS;AACT,aAAS;AAAA,EACX,WAAW,aAAa,OAAQ;AAC9B,aAAS;AACT,aAAS;AAAA,EACX,WAAW,aAAa,YAAY;AAClC,aAAS;AACT,aAAS;AAAA,EACX,OAAO;AACL,UAAM,IAAI,UAAU,+DAA+D;AAAA,EACrF;AAEA,SAAO,OAAO,SAAS,OAAO,OAAO,KAAK,SAAS,OAAO,MAAM,IAAI;AACtE;AAGA,IAAI,sBAAsB;AAA1B,IACI,sBAAsB;AAE1B,SAAS,MAAM,SAAS;AACtB,OAAK,SAAgB,QAAQ,QAAQ,KAAK;AAC1C,OAAK,SAAgB,KAAK,IAAI,GAAI,QAAQ,QAAQ,KAAK,CAAE;AACzD,OAAK,gBAAgB,QAAQ,eAAe,KAAK;AACjD,OAAK,cAAgB,QAAQ,aAAa,KAAK;AAC/C,OAAK,YAAiB,OAAO,UAAU,QAAQ,WAAW,CAAC,IAAI,KAAK,QAAQ,WAAW;AACvF,OAAK,WAAgB,gBAAgB,KAAK,QAAQ,QAAQ,QAAQ,KAAK,IAAI;AAC3E,OAAK,WAAgB,QAAQ,UAAU,KAAK;AAC5C,OAAK,YAAgB,QAAQ,WAAW,KAAK;AAC7C,OAAK,SAAgB,QAAQ,QAAQ,KAAK;AAC1C,OAAK,eAAgB,QAAQ,cAAc,KAAK;AAChD,OAAK,eAAgB,QAAQ,cAAc,KAAK;AAChD,OAAK,cAAgB,QAAQ,aAAa,MAAM,MAAM,sBAAsB;AAC5E,OAAK,cAAgB,QAAQ,aAAa,KAAK;AAC/C,OAAK,WAAgB,OAAO,QAAQ,UAAU,MAAM,aAAa,QAAQ,UAAU,IAAI;AAEvF,OAAK,gBAAgB,KAAK,OAAO;AACjC,OAAK,gBAAgB,KAAK,OAAO;AAEjC,OAAK,MAAM;AACX,OAAK,SAAS;AAEd,OAAK,aAAa,CAAC;AACnB,OAAK,iBAAiB;AACxB;AAGA,SAAS,aAAa,QAAQ,QAAQ;AACpC,MAAI,MAAM,OAAO,OAAO,KAAK,MAAM,GAC/B,WAAW,GACX,OAAO,IACP,SAAS,IACT,MACA,SAAS,OAAO;AAEpB,SAAO,WAAW,QAAQ;AACxB,WAAO,OAAO,QAAQ,MAAM,QAAQ;AACpC,QAAI,SAAS,IAAI;AACf,aAAO,OAAO,MAAM,QAAQ;AAC5B,iBAAW;AAAA,IACb,OAAO;AACL,aAAO,OAAO,MAAM,UAAU,OAAO,CAAC;AACtC,iBAAW,OAAO;AAAA,IACpB;AAEA,QAAI,KAAK,UAAU,SAAS,KAAM,WAAU;AAE5C,cAAU;AAAA,EACZ;AAEA,SAAO;AACT;AAEA,SAAS,iBAAiB,OAAO,OAAO;AACtC,SAAO,OAAO,OAAO,OAAO,KAAK,MAAM,SAAS,KAAK;AACvD;AAEA,SAAS,sBAAsB,OAAOE,MAAK;AACzC,MAAI,OAAO,QAAQF;AAEnB,OAAK,QAAQ,GAAG,SAAS,MAAM,cAAc,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAC/E,IAAAA,QAAO,MAAM,cAAc,KAAK;AAEhC,QAAIA,MAAK,QAAQE,IAAG,GAAG;AACrB,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAGA,SAAS,aAAa,GAAG;AACvB,SAAO,MAAM,cAAc,MAAM;AACnC;AAMA,SAAS,YAAY,GAAG;AACtB,SAAS,MAAW,KAAK,KAAK,OACrB,OAAW,KAAK,KAAK,SAAa,MAAM,QAAU,MAAM,QACxD,SAAW,KAAK,KAAK,SAAa,MAAM,YACxC,SAAW,KAAK,KAAK;AAChC;AAOA,SAAS,qBAAqB,GAAG;AAC/B,SAAO,YAAY,CAAC,KACf,MAAM,YAEN,MAAM,wBACN,MAAM;AACb;AAWA,SAAS,YAAY,GAAG,MAAM,SAAS;AACrC,MAAI,wBAAwB,qBAAqB,CAAC;AAClD,MAAI,YAAY,yBAAyB,CAAC,aAAa,CAAC;AACxD;AAAA;AAAA,KAEE;AAAA;AAAA,MACE;AAAA,QACE,yBAEG,MAAM,cACN,MAAM,4BACN,MAAM,6BACN,MAAM,2BACN,MAAM,6BAGV,MAAM,cACN,EAAE,SAAS,cAAc,CAAC,cACzB,qBAAqB,IAAI,KAAK,CAAC,aAAa,IAAI,KAAK,MAAM,cAC3D,SAAS,cAAc;AAAA;AAC/B;AAGA,SAAS,iBAAiB,GAAG;AAI3B,SAAO,YAAY,CAAC,KAAK,MAAM,YAC1B,CAAC,aAAa,CAAC,KAGf,MAAM,cACN,MAAM,iBACN,MAAM,cACN,MAAM,cACN,MAAM,4BACN,MAAM,6BACN,MAAM,2BACN,MAAM,4BAEN,MAAM,cACN,MAAM,kBACN,MAAM,iBACN,MAAM,oBACN,MAAM,sBACN,MAAM,eACN,MAAM,qBACN,MAAM,qBACN,MAAM,qBAEN,MAAM,gBACN,MAAM,sBACN,MAAM;AACb;AAGA,SAAS,gBAAgB,GAAG;AAE1B,SAAO,CAAC,aAAa,CAAC,KAAK,MAAM;AACnC;AAGA,SAAS,YAAY,QAAQ,KAAK;AAChC,MAAI,QAAQ,OAAO,WAAW,GAAG,GAAG;AACpC,MAAI,SAAS,SAAU,SAAS,SAAU,MAAM,IAAI,OAAO,QAAQ;AACjE,aAAS,OAAO,WAAW,MAAM,CAAC;AAClC,QAAI,UAAU,SAAU,UAAU,OAAQ;AAExC,cAAQ,QAAQ,SAAU,OAAQ,SAAS,QAAS;AAAA,IACtD;AAAA,EACF;AACA,SAAO;AACT;AAGA,SAAS,oBAAoB,QAAQ;AACnC,MAAI,iBAAiB;AACrB,SAAO,eAAe,KAAK,MAAM;AACnC;AAEA,IAAI,cAAgB;AAApB,IACI,eAAgB;AADpB,IAEI,gBAAgB;AAFpB,IAGI,eAAgB;AAHpB,IAII,eAAgB;AASpB,SAAS,kBAAkB,QAAQ,gBAAgB,gBAAgB,WACjE,mBAAmB,aAAa,aAAa,SAAS;AAEtD,MAAI;AACJ,MAAI,OAAO;AACX,MAAI,WAAW;AACf,MAAI,eAAe;AACnB,MAAI,kBAAkB;AACtB,MAAI,mBAAmB,cAAc;AACrC,MAAI,oBAAoB;AACxB,MAAI,QAAQ,iBAAiB,YAAY,QAAQ,CAAC,CAAC,KACxC,gBAAgB,YAAY,QAAQ,OAAO,SAAS,CAAC,CAAC;AAEjE,MAAI,kBAAkB,aAAa;AAGjC,SAAK,IAAI,GAAG,IAAI,OAAO,QAAQ,QAAQ,QAAU,KAAK,IAAI,KAAK;AAC7D,aAAO,YAAY,QAAQ,CAAC;AAC5B,UAAI,CAAC,YAAY,IAAI,GAAG;AACtB,eAAO;AAAA,MACT;AACA,cAAQ,SAAS,YAAY,MAAM,UAAU,OAAO;AACpD,iBAAW;AAAA,IACb;AAAA,EACF,OAAO;AAEL,SAAK,IAAI,GAAG,IAAI,OAAO,QAAQ,QAAQ,QAAU,KAAK,IAAI,KAAK;AAC7D,aAAO,YAAY,QAAQ,CAAC;AAC5B,UAAI,SAAS,gBAAgB;AAC3B,uBAAe;AAEf,YAAI,kBAAkB;AACpB,4BAAkB;AAAA,UAEf,IAAI,oBAAoB,IAAI,aAC5B,OAAO,oBAAoB,CAAC,MAAM;AACrC,8BAAoB;AAAA,QACtB;AAAA,MACF,WAAW,CAAC,YAAY,IAAI,GAAG;AAC7B,eAAO;AAAA,MACT;AACA,cAAQ,SAAS,YAAY,MAAM,UAAU,OAAO;AACpD,iBAAW;AAAA,IACb;AAEA,sBAAkB,mBAAoB,qBACnC,IAAI,oBAAoB,IAAI,aAC5B,OAAO,oBAAoB,CAAC,MAAM;AAAA,EACvC;AAIA,MAAI,CAAC,gBAAgB,CAAC,iBAAiB;AAGrC,QAAI,SAAS,CAAC,eAAe,CAAC,kBAAkB,MAAM,GAAG;AACvD,aAAO;AAAA,IACT;AACA,WAAO,gBAAgB,sBAAsB,eAAe;AAAA,EAC9D;AAEA,MAAI,iBAAiB,KAAK,oBAAoB,MAAM,GAAG;AACrD,WAAO;AAAA,EACT;AAGA,MAAI,CAAC,aAAa;AAChB,WAAO,kBAAkB,eAAe;AAAA,EAC1C;AACA,SAAO,gBAAgB,sBAAsB,eAAe;AAC9D;AAQA,SAAS,YAAY,OAAO,QAAQ,OAAO,OAAO,SAAS;AACzD,QAAM,QAAQ,WAAY;AACxB,QAAI,OAAO,WAAW,GAAG;AACvB,aAAO,MAAM,gBAAgB,sBAAsB,OAAO;AAAA,IAC5D;AACA,QAAI,CAAC,MAAM,cAAc;AACvB,UAAI,2BAA2B,QAAQ,MAAM,MAAM,MAAM,yBAAyB,KAAK,MAAM,GAAG;AAC9F,eAAO,MAAM,gBAAgB,sBAAuB,MAAM,SAAS,MAAQ,MAAM,SAAS;AAAA,MAC5F;AAAA,IACF;AAEA,QAAI,SAAS,MAAM,SAAS,KAAK,IAAI,GAAG,KAAK;AAQ7C,QAAI,YAAY,MAAM,cAAc,KAChC,KAAK,KAAK,IAAI,KAAK,IAAI,MAAM,WAAW,EAAE,GAAG,MAAM,YAAY,MAAM;AAGzE,QAAI,iBAAiB,SAEf,MAAM,YAAY,MAAM,SAAS,MAAM;AAC7C,aAAS,cAAcC,SAAQ;AAC7B,aAAO,sBAAsB,OAAOA,OAAM;AAAA,IAC5C;AAEA,YAAQ;AAAA,MAAkB;AAAA,MAAQ;AAAA,MAAgB,MAAM;AAAA,MAAQ;AAAA,MAC9D;AAAA,MAAe,MAAM;AAAA,MAAa,MAAM,eAAe,CAAC;AAAA,MAAO;AAAA,IAAO,GAAG;AAAA,MAEzE,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO,MAAM,OAAO,QAAQ,MAAM,IAAI,IAAI;AAAA,MAC5C,KAAK;AACH,eAAO,MAAM,YAAY,QAAQ,MAAM,MAAM,IACzC,kBAAkB,aAAa,QAAQ,MAAM,CAAC;AAAA,MACpD,KAAK;AACH,eAAO,MAAM,YAAY,QAAQ,MAAM,MAAM,IACzC,kBAAkB,aAAa,WAAW,QAAQ,SAAS,GAAG,MAAM,CAAC;AAAA,MAC3E,KAAK;AACH,eAAO,MAAM,aAAa,MAAM,IAAI;AAAA,MACtC;AACE,cAAM,IAAI,UAAU,wCAAwC;AAAA,IAChE;AAAA,EACF,GAAE;AACJ;AAGA,SAAS,YAAY,QAAQ,gBAAgB;AAC3C,MAAI,kBAAkB,oBAAoB,MAAM,IAAI,OAAO,cAAc,IAAI;AAG7E,MAAI,OAAgB,OAAO,OAAO,SAAS,CAAC,MAAM;AAClD,MAAI,OAAO,SAAS,OAAO,OAAO,SAAS,CAAC,MAAM,QAAQ,WAAW;AACrE,MAAI,QAAQ,OAAO,MAAO,OAAO,KAAK;AAEtC,SAAO,kBAAkB,QAAQ;AACnC;AAGA,SAAS,kBAAkB,QAAQ;AACjC,SAAO,OAAO,OAAO,SAAS,CAAC,MAAM,OAAO,OAAO,MAAM,GAAG,EAAE,IAAI;AACpE;AAIA,SAAS,WAAW,QAAQ,OAAO;AAKjC,MAAI,SAAS;AAGb,MAAI,UAAU,WAAY;AACxB,QAAI,SAAS,OAAO,QAAQ,IAAI;AAChC,aAAS,WAAW,KAAK,SAAS,OAAO;AACzC,WAAO,YAAY;AACnB,WAAO,SAAS,OAAO,MAAM,GAAG,MAAM,GAAG,KAAK;AAAA,EAChD,GAAE;AAEF,MAAI,mBAAmB,OAAO,CAAC,MAAM,QAAQ,OAAO,CAAC,MAAM;AAC3D,MAAI;AAGJ,MAAI;AACJ,SAAQ,QAAQ,OAAO,KAAK,MAAM,GAAI;AACpC,QAAI,SAAS,MAAM,CAAC,GAAG,OAAO,MAAM,CAAC;AACrC,mBAAgB,KAAK,CAAC,MAAM;AAC5B,cAAU,UACL,CAAC,oBAAoB,CAAC,gBAAgB,SAAS,KAC9C,OAAO,MACT,SAAS,MAAM,KAAK;AACxB,uBAAmB;AAAA,EACrB;AAEA,SAAO;AACT;AAMA,SAAS,SAAS,MAAM,OAAO;AAC7B,MAAI,SAAS,MAAM,KAAK,CAAC,MAAM,IAAK,QAAO;AAG3C,MAAI,UAAU;AACd,MAAI;AAEJ,MAAI,QAAQ,GAAG,KAAK,OAAO,GAAG,OAAO;AACrC,MAAI,SAAS;AAMb,SAAQ,QAAQ,QAAQ,KAAK,IAAI,GAAI;AACnC,WAAO,MAAM;AAEb,QAAI,OAAO,QAAQ,OAAO;AACxB,YAAO,OAAO,QAAS,OAAO;AAC9B,gBAAU,OAAO,KAAK,MAAM,OAAO,GAAG;AAEtC,cAAQ,MAAM;AAAA,IAChB;AACA,WAAO;AAAA,EACT;AAIA,YAAU;AAEV,MAAI,KAAK,SAAS,QAAQ,SAAS,OAAO,OAAO;AAC/C,cAAU,KAAK,MAAM,OAAO,IAAI,IAAI,OAAO,KAAK,MAAM,OAAO,CAAC;AAAA,EAChE,OAAO;AACL,cAAU,KAAK,MAAM,KAAK;AAAA,EAC5B;AAEA,SAAO,OAAO,MAAM,CAAC;AACvB;AAGA,SAAS,aAAa,QAAQ;AAC5B,MAAI,SAAS;AACb,MAAI,OAAO;AACX,MAAI;AAEJ,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,QAAQ,QAAU,KAAK,IAAI,KAAK;AACjE,WAAO,YAAY,QAAQ,CAAC;AAC5B,gBAAY,iBAAiB,IAAI;AAEjC,QAAI,CAAC,aAAa,YAAY,IAAI,GAAG;AACnC,gBAAU,OAAO,CAAC;AAClB,UAAI,QAAQ,MAAS,WAAU,OAAO,IAAI,CAAC;AAAA,IAC7C,OAAO;AACL,gBAAU,aAAa,UAAU,IAAI;AAAA,IACvC;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,kBAAkB,OAAO,OAAO,QAAQ;AAC/C,MAAI,UAAU,IACV,OAAU,MAAM,KAChB,OACA,QACA;AAEJ,OAAK,QAAQ,GAAG,SAAS,OAAO,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAClE,YAAQ,OAAO,KAAK;AAEpB,QAAI,MAAM,UAAU;AAClB,cAAQ,MAAM,SAAS,KAAK,QAAQ,OAAO,KAAK,GAAG,KAAK;AAAA,IAC1D;AAGA,QAAI,UAAU,OAAO,OAAO,OAAO,OAAO,KAAK,KAC1C,OAAO,UAAU,eACjB,UAAU,OAAO,OAAO,MAAM,OAAO,KAAK,GAAI;AAEjD,UAAI,YAAY,GAAI,YAAW,OAAO,CAAC,MAAM,eAAe,MAAM;AAClE,iBAAW,MAAM;AAAA,IACnB;AAAA,EACF;AAEA,QAAM,MAAM;AACZ,QAAM,OAAO,MAAM,UAAU;AAC/B;AAEA,SAAS,mBAAmB,OAAO,OAAO,QAAQ,SAAS;AACzD,MAAI,UAAU,IACV,OAAU,MAAM,KAChB,OACA,QACA;AAEJ,OAAK,QAAQ,GAAG,SAAS,OAAO,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAClE,YAAQ,OAAO,KAAK;AAEpB,QAAI,MAAM,UAAU;AAClB,cAAQ,MAAM,SAAS,KAAK,QAAQ,OAAO,KAAK,GAAG,KAAK;AAAA,IAC1D;AAGA,QAAI,UAAU,OAAO,QAAQ,GAAG,OAAO,MAAM,MAAM,OAAO,IAAI,KACzD,OAAO,UAAU,eACjB,UAAU,OAAO,QAAQ,GAAG,MAAM,MAAM,MAAM,OAAO,IAAI,GAAI;AAEhE,UAAI,CAAC,WAAW,YAAY,IAAI;AAC9B,mBAAW,iBAAiB,OAAO,KAAK;AAAA,MAC1C;AAEA,UAAI,MAAM,QAAQ,mBAAmB,MAAM,KAAK,WAAW,CAAC,GAAG;AAC7D,mBAAW;AAAA,MACb,OAAO;AACL,mBAAW;AAAA,MACb;AAEA,iBAAW,MAAM;AAAA,IACnB;AAAA,EACF;AAEA,QAAM,MAAM;AACZ,QAAM,OAAO,WAAW;AAC1B;AAEA,SAAS,iBAAiB,OAAO,OAAO,QAAQ;AAC9C,MAAI,UAAgB,IAChB,OAAgB,MAAM,KACtB,gBAAgB,OAAO,KAAK,MAAM,GAClC,OACA,QACA,WACA,aACA;AAEJ,OAAK,QAAQ,GAAG,SAAS,cAAc,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAEzE,iBAAa;AACb,QAAI,YAAY,GAAI,eAAc;AAElC,QAAI,MAAM,aAAc,eAAc;AAEtC,gBAAY,cAAc,KAAK;AAC/B,kBAAc,OAAO,SAAS;AAE9B,QAAI,MAAM,UAAU;AAClB,oBAAc,MAAM,SAAS,KAAK,QAAQ,WAAW,WAAW;AAAA,IAClE;AAEA,QAAI,CAAC,UAAU,OAAO,OAAO,WAAW,OAAO,KAAK,GAAG;AACrD;AAAA,IACF;AAEA,QAAI,MAAM,KAAK,SAAS,KAAM,eAAc;AAE5C,kBAAc,MAAM,QAAQ,MAAM,eAAe,MAAM,MAAM,OAAO,MAAM,eAAe,KAAK;AAE9F,QAAI,CAAC,UAAU,OAAO,OAAO,aAAa,OAAO,KAAK,GAAG;AACvD;AAAA,IACF;AAEA,kBAAc,MAAM;AAGpB,eAAW;AAAA,EACb;AAEA,QAAM,MAAM;AACZ,QAAM,OAAO,MAAM,UAAU;AAC/B;AAEA,SAAS,kBAAkB,OAAO,OAAO,QAAQ,SAAS;AACxD,MAAI,UAAgB,IAChB,OAAgB,MAAM,KACtB,gBAAgB,OAAO,KAAK,MAAM,GAClC,OACA,QACA,WACA,aACA,cACA;AAGJ,MAAI,MAAM,aAAa,MAAM;AAE3B,kBAAc,KAAK;AAAA,EACrB,WAAW,OAAO,MAAM,aAAa,YAAY;AAE/C,kBAAc,KAAK,MAAM,QAAQ;AAAA,EACnC,WAAW,MAAM,UAAU;AAEzB,UAAM,IAAI,UAAU,0CAA0C;AAAA,EAChE;AAEA,OAAK,QAAQ,GAAG,SAAS,cAAc,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AACzE,iBAAa;AAEb,QAAI,CAAC,WAAW,YAAY,IAAI;AAC9B,oBAAc,iBAAiB,OAAO,KAAK;AAAA,IAC7C;AAEA,gBAAY,cAAc,KAAK;AAC/B,kBAAc,OAAO,SAAS;AAE9B,QAAI,MAAM,UAAU;AAClB,oBAAc,MAAM,SAAS,KAAK,QAAQ,WAAW,WAAW;AAAA,IAClE;AAEA,QAAI,CAAC,UAAU,OAAO,QAAQ,GAAG,WAAW,MAAM,MAAM,IAAI,GAAG;AAC7D;AAAA,IACF;AAEA,mBAAgB,MAAM,QAAQ,QAAQ,MAAM,QAAQ,OACpC,MAAM,QAAQ,MAAM,KAAK,SAAS;AAElD,QAAI,cAAc;AAChB,UAAI,MAAM,QAAQ,mBAAmB,MAAM,KAAK,WAAW,CAAC,GAAG;AAC7D,sBAAc;AAAA,MAChB,OAAO;AACL,sBAAc;AAAA,MAChB;AAAA,IACF;AAEA,kBAAc,MAAM;AAEpB,QAAI,cAAc;AAChB,oBAAc,iBAAiB,OAAO,KAAK;AAAA,IAC7C;AAEA,QAAI,CAAC,UAAU,OAAO,QAAQ,GAAG,aAAa,MAAM,YAAY,GAAG;AACjE;AAAA,IACF;AAEA,QAAI,MAAM,QAAQ,mBAAmB,MAAM,KAAK,WAAW,CAAC,GAAG;AAC7D,oBAAc;AAAA,IAChB,OAAO;AACL,oBAAc;AAAA,IAChB;AAEA,kBAAc,MAAM;AAGpB,eAAW;AAAA,EACb;AAEA,QAAM,MAAM;AACZ,QAAM,OAAO,WAAW;AAC1B;AAEA,SAAS,WAAW,OAAO,QAAQ,UAAU;AAC3C,MAAI,SAAS,UAAU,OAAO,QAAQH,OAAM;AAE5C,aAAW,WAAW,MAAM,gBAAgB,MAAM;AAElD,OAAK,QAAQ,GAAG,SAAS,SAAS,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AACpE,IAAAA,QAAO,SAAS,KAAK;AAErB,SAAKA,MAAK,cAAeA,MAAK,eACzB,CAACA,MAAK,cAAgB,OAAO,WAAW,YAAc,kBAAkBA,MAAK,gBAC7E,CAACA,MAAK,aAAcA,MAAK,UAAU,MAAM,IAAI;AAEhD,UAAI,UAAU;AACZ,YAAIA,MAAK,SAASA,MAAK,eAAe;AACpC,gBAAM,MAAMA,MAAK,cAAc,MAAM;AAAA,QACvC,OAAO;AACL,gBAAM,MAAMA,MAAK;AAAA,QACnB;AAAA,MACF,OAAO;AACL,cAAM,MAAM;AAAA,MACd;AAEA,UAAIA,MAAK,WAAW;AAClB,gBAAQ,MAAM,SAASA,MAAK,GAAG,KAAKA,MAAK;AAEzC,YAAI,UAAU,KAAKA,MAAK,SAAS,MAAM,qBAAqB;AAC1D,oBAAUA,MAAK,UAAU,QAAQ,KAAK;AAAA,QACxC,WAAW,gBAAgB,KAAKA,MAAK,WAAW,KAAK,GAAG;AACtD,oBAAUA,MAAK,UAAU,KAAK,EAAE,QAAQ,KAAK;AAAA,QAC/C,OAAO;AACL,gBAAM,IAAI,UAAU,OAAOA,MAAK,MAAM,iCAAiC,QAAQ,SAAS;AAAA,QAC1F;AAEA,cAAM,OAAO;AAAA,MACf;AAEA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAKA,SAAS,UAAU,OAAO,OAAO,QAAQ,OAAO,SAAS,OAAO,YAAY;AAC1E,QAAM,MAAM;AACZ,QAAM,OAAO;AAEb,MAAI,CAAC,WAAW,OAAO,QAAQ,KAAK,GAAG;AACrC,eAAW,OAAO,QAAQ,IAAI;AAAA,EAChC;AAEA,MAAIA,QAAO,UAAU,KAAK,MAAM,IAAI;AACpC,MAAI,UAAU;AACd,MAAI;AAEJ,MAAI,OAAO;AACT,YAAS,MAAM,YAAY,KAAK,MAAM,YAAY;AAAA,EACpD;AAEA,MAAI,gBAAgBA,UAAS,qBAAqBA,UAAS,kBACvD,gBACA;AAEJ,MAAI,eAAe;AACjB,qBAAiB,MAAM,WAAW,QAAQ,MAAM;AAChD,gBAAY,mBAAmB;AAAA,EACjC;AAEA,MAAK,MAAM,QAAQ,QAAQ,MAAM,QAAQ,OAAQ,aAAc,MAAM,WAAW,KAAK,QAAQ,GAAI;AAC/F,cAAU;AAAA,EACZ;AAEA,MAAI,aAAa,MAAM,eAAe,cAAc,GAAG;AACrD,UAAM,OAAO,UAAU;AAAA,EACzB,OAAO;AACL,QAAI,iBAAiB,aAAa,CAAC,MAAM,eAAe,cAAc,GAAG;AACvE,YAAM,eAAe,cAAc,IAAI;AAAA,IACzC;AACA,QAAIA,UAAS,mBAAmB;AAC9B,UAAI,SAAU,OAAO,KAAK,MAAM,IAAI,EAAE,WAAW,GAAI;AACnD,0BAAkB,OAAO,OAAO,MAAM,MAAM,OAAO;AACnD,YAAI,WAAW;AACb,gBAAM,OAAO,UAAU,iBAAiB,MAAM;AAAA,QAChD;AAAA,MACF,OAAO;AACL,yBAAiB,OAAO,OAAO,MAAM,IAAI;AACzC,YAAI,WAAW;AACb,gBAAM,OAAO,UAAU,iBAAiB,MAAM,MAAM;AAAA,QACtD;AAAA,MACF;AAAA,IACF,WAAWA,UAAS,kBAAkB;AACpC,UAAI,SAAU,MAAM,KAAK,WAAW,GAAI;AACtC,YAAI,MAAM,iBAAiB,CAAC,cAAc,QAAQ,GAAG;AACnD,6BAAmB,OAAO,QAAQ,GAAG,MAAM,MAAM,OAAO;AAAA,QAC1D,OAAO;AACL,6BAAmB,OAAO,OAAO,MAAM,MAAM,OAAO;AAAA,QACtD;AACA,YAAI,WAAW;AACb,gBAAM,OAAO,UAAU,iBAAiB,MAAM;AAAA,QAChD;AAAA,MACF,OAAO;AACL,0BAAkB,OAAO,OAAO,MAAM,IAAI;AAC1C,YAAI,WAAW;AACb,gBAAM,OAAO,UAAU,iBAAiB,MAAM,MAAM;AAAA,QACtD;AAAA,MACF;AAAA,IACF,WAAWA,UAAS,mBAAmB;AACrC,UAAI,MAAM,QAAQ,KAAK;AACrB,oBAAY,OAAO,MAAM,MAAM,OAAO,OAAO,OAAO;AAAA,MACtD;AAAA,IACF,WAAWA,UAAS,sBAAsB;AACxC,aAAO;AAAA,IACT,OAAO;AACL,UAAI,MAAM,YAAa,QAAO;AAC9B,YAAM,IAAI,UAAU,4CAA4CA,KAAI;AAAA,IACtE;AAEA,QAAI,MAAM,QAAQ,QAAQ,MAAM,QAAQ,KAAK;AAc3C,eAAS;AAAA,QACP,MAAM,IAAI,CAAC,MAAM,MAAM,MAAM,IAAI,MAAM,CAAC,IAAI,MAAM;AAAA,MACpD,EAAE,QAAQ,MAAM,KAAK;AAErB,UAAI,MAAM,IAAI,CAAC,MAAM,KAAK;AACxB,iBAAS,MAAM;AAAA,MACjB,WAAW,OAAO,MAAM,GAAG,EAAE,MAAM,sBAAsB;AACvD,iBAAS,OAAO,OAAO,MAAM,EAAE;AAAA,MACjC,OAAO;AACL,iBAAS,OAAO,SAAS;AAAA,MAC3B;AAEA,YAAM,OAAO,SAAS,MAAM,MAAM;AAAA,IACpC;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,uBAAuB,QAAQ,OAAO;AAC7C,MAAI,UAAU,CAAC,GACX,oBAAoB,CAAC,GACrB,OACA;AAEJ,cAAY,QAAQ,SAAS,iBAAiB;AAE9C,OAAK,QAAQ,GAAG,SAAS,kBAAkB,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAC7E,UAAM,WAAW,KAAK,QAAQ,kBAAkB,KAAK,CAAC,CAAC;AAAA,EACzD;AACA,QAAM,iBAAiB,IAAI,MAAM,MAAM;AACzC;AAEA,SAAS,YAAY,QAAQ,SAAS,mBAAmB;AACvD,MAAI,eACA,OACA;AAEJ,MAAI,WAAW,QAAQ,OAAO,WAAW,UAAU;AACjD,YAAQ,QAAQ,QAAQ,MAAM;AAC9B,QAAI,UAAU,IAAI;AAChB,UAAI,kBAAkB,QAAQ,KAAK,MAAM,IAAI;AAC3C,0BAAkB,KAAK,KAAK;AAAA,MAC9B;AAAA,IACF,OAAO;AACL,cAAQ,KAAK,MAAM;AAEnB,UAAI,MAAM,QAAQ,MAAM,GAAG;AACzB,aAAK,QAAQ,GAAG,SAAS,OAAO,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AAClE,sBAAY,OAAO,KAAK,GAAG,SAAS,iBAAiB;AAAA,QACvD;AAAA,MACF,OAAO;AACL,wBAAgB,OAAO,KAAK,MAAM;AAElC,aAAK,QAAQ,GAAG,SAAS,cAAc,QAAQ,QAAQ,QAAQ,SAAS,GAAG;AACzE,sBAAY,OAAO,cAAc,KAAK,CAAC,GAAG,SAAS,iBAAiB;AAAA,QACtE;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,OAAO,OAAO,SAAS;AAC9B,YAAU,WAAW,CAAC;AAEtB,MAAI,QAAQ,IAAI,MAAM,OAAO;AAE7B,MAAI,CAAC,MAAM,OAAQ,wBAAuB,OAAO,KAAK;AAEtD,MAAI,QAAQ;AAEZ,MAAI,MAAM,UAAU;AAClB,YAAQ,MAAM,SAAS,KAAK,EAAE,IAAI,MAAM,GAAG,IAAI,KAAK;AAAA,EACtD;AAEA,MAAI,UAAU,OAAO,GAAG,OAAO,MAAM,IAAI,EAAG,QAAO,MAAM,OAAO;AAEhE,SAAO;AACT;AAEA,IAAI,SAAS;AAEb,IAAI,SAAS;AAAA,EACZ,MAAM;AACP;AAEA,SAAS,QAAQ,MAAM,IAAI;AACzB,SAAO,WAAY;AACjB,UAAM,IAAI,MAAM,mBAAmB,OAAO,wCAC1B,KAAK,yCAAyC;AAAA,EAChE;AACF;AASA,IAAI,OAAsB,OAAO;AACjC,IAAI,UAAsB,OAAO;AACjC,IAAI,OAAsB,OAAO;AAqBjC,IAAI,WAAsB,QAAQ,YAAY,MAAM;AACpD,IAAI,cAAsB,QAAQ,eAAe,SAAS;AAC1D,IAAI,WAAsB,QAAQ,YAAY,MAAM;;;ACpvHpD,gBAA6B;;;ACctB,SAAS,eAAe,QAAmC;AAChE,QAAM,SAA4B,CAAC;AAEnC,MAAI,CAAC,UAAU,OAAO,WAAW,UAAU;AACzC,WAAO,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,IAAI,SAAS,2BAA2B,CAAC,EAAE;AAAA,EACrF;AAEA,QAAM,IAAI;AAGV,MAAI,OAAO,EAAE,YAAY,UAAU;AACjC,WAAO,KAAK,EAAE,MAAM,WAAW,SAAS,2CAA2C,CAAC;AAAA,EACtF;AACA,MAAI,OAAO,EAAE,SAAS,UAAU;AAC9B,WAAO,KAAK,EAAE,MAAM,QAAQ,SAAS,wCAAwC,CAAC;AAAA,EAChF;AAGA,MAAI,CAAC,MAAM,QAAQ,EAAE,QAAQ,GAAG;AAC9B,WAAO,KAAK,EAAE,MAAM,YAAY,SAAS,4CAA4C,CAAC;AAAA,EACxF,OAAO;AACL,MAAE,SAAS,QAAQ,CAAC,SAAkB,MAAc;AAClD,aAAO,KAAK,GAAG,gBAAgB,SAAS,YAAY,CAAC,GAAG,CAAC;AAAA,IAC3D,CAAC;AAAA,EACH;AAGA,MAAI,EAAE,UAAU,QAAW;AACzB,WAAO,KAAK,GAAG,cAAc,EAAE,OAAO,OAAO,CAAC;AAAA,EAChD;AAGA,MAAI,EAAE,WAAW,QAAW;AAC1B,WAAO,KAAK,GAAG,eAAe,EAAE,QAAQ,QAAQ,CAAC;AAAA,EACnD;AAGA,MAAI,EAAE,mBAAmB,QAAW;AAClC,WAAO,KAAK,GAAG,uBAAuB,EAAE,gBAAgB,gBAAgB,CAAC;AAAA,EAC3E;AAEA,SAAO,EAAE,OAAO,OAAO,WAAW,GAAG,OAAO;AAC9C;AAEA,SAAS,gBAAgB,SAAkB,MAAiC;AAC1E,QAAM,SAA4B,CAAC;AAEnC,MAAI,CAAC,WAAW,OAAO,YAAY,UAAU;AAC3C,WAAO,CAAC,EAAE,MAAM,SAAS,4BAA4B,CAAC;AAAA,EACxD;AAEA,QAAM,IAAI;AAEV,MAAI,OAAO,EAAE,OAAO,YAAY,CAAC,EAAE,IAAI;AACrC,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,OAAO,SAAS,gDAAgD,CAAC;AAAA,EAC9F;AAEA,MAAI,OAAO,EAAE,YAAY,WAAW;AAClC,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,YAAY,SAAS,4CAA4C,CAAC;AAAA,EAC/F;AAEA,MAAI,EAAE,YAAY,UAAa,CAAC,cAAc,EAAE,OAAO,GAAG;AACxD,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,YAAY,SAAS,sCAAsC,CAAC;AAAA,EACzF;AAEA,MAAI,EAAE,oBAAoB,UAAa,CAAC,cAAc,EAAE,eAAe,GAAG;AACxE,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,oBAAoB,SAAS,8CAA8C,CAAC;AAAA,EACzG;AAEA,MAAI,EAAE,qBAAqB,UAAa,OAAO,EAAE,qBAAqB,WAAW;AAC/E,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,qBAAqB,SAAS,qCAAqC,CAAC;AAAA,EACjG;AAEA,SAAO;AACT;AAEA,SAAS,cAAc,OAAgB,MAAiC;AACtE,QAAM,SAA4B,CAAC;AAEnC,MAAI,OAAO,UAAU,YAAY,UAAU,MAAM;AAC/C,WAAO,CAAC,EAAE,MAAM,SAAS,0BAA0B,CAAC;AAAA,EACtD;AAEA,QAAM,IAAI;AAEV,aAAW,SAAS,CAAC,kBAAkB,kBAAkB,kBAAkB,GAAG;AAC5E,QAAI,EAAE,KAAK,MAAM,UAAa,CAAC,cAAc,EAAE,KAAK,CAAC,GAAG;AACtD,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,IAAI,KAAK,IAAI,SAAS,GAAG,KAAK,+BAA+B,CAAC;AAAA,IAC3F;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,eAAe,QAAiB,MAAiC;AACxE,QAAM,SAA4B,CAAC;AAEnC,MAAI,OAAO,WAAW,YAAY,WAAW,MAAM;AACjD,WAAO,CAAC,EAAE,MAAM,SAAS,2BAA2B,CAAC;AAAA,EACvD;AAEA,QAAM,IAAI;AAEV,MAAI,EAAE,yBAAyB,UAAa,OAAO,EAAE,yBAAyB,UAAU;AACtF,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,yBAAyB,SAAS,wCAAwC,CAAC;AAAA,EACxG;AAEA,MAAI,EAAE,uBAAuB,UAAa,OAAO,EAAE,uBAAuB,UAAU;AAClF,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,uBAAuB,SAAS,sCAAsC,CAAC;AAAA,EACpG;AAEA,MAAI,EAAE,aAAa,UAAa,OAAO,EAAE,aAAa,UAAU;AAC9D,WAAO,KAAK,EAAE,MAAM,GAAG,IAAI,aAAa,SAAS,4BAA4B,CAAC;AAAA,EAChF;AAEA,SAAO;AACT;AAEA,SAAS,uBAAuB,YAAqB,MAAiC;AACpF,QAAM,SAA4B,CAAC;AAEnC,MAAI,OAAO,eAAe,YAAY,eAAe,MAAM;AACzD,WAAO,CAAC,EAAE,MAAM,SAAS,mCAAmC,CAAC;AAAA,EAC/D;AAEA,QAAM,IAAI;AAEV,aAAW,SAAS,CAAC,aAAa,mBAAmB,WAAW,GAAY;AAC1E,QAAI,CAAC,EAAE,KAAK,KAAK,OAAO,EAAE,KAAK,MAAM,UAAU;AAC7C,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,IAAI,KAAK,IAAI,SAAS,GAAG,KAAK,sDAAsD,CAAC;AAChH;AAAA,IACF;AAEA,UAAM,IAAI,EAAE,KAAK;AACjB,QAAI,OAAO,EAAE,QAAQ,YAAY,OAAO,EAAE,QAAQ,UAAU;AAC1D,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,IAAI,KAAK,IAAI,SAAS,GAAG,KAAK,iCAAiC,CAAC;AAAA,IAC7F,WAAW,EAAE,MAAM,EAAE,KAAK;AACxB,aAAO,KAAK,EAAE,MAAM,GAAG,IAAI,IAAI,KAAK,IAAI,SAAS,GAAG,KAAK,mBAAmB,KAAK,OAAO,CAAC;AAAA,IAC3F;AAAA,EACF;AAGA,MAAI,sBAAsB,CAAC,GAAG;AAC5B,UAAM,eAAe;AACrB,QAAI,aAAa,UAAU,MAAM,MAAM,aAAa,gBAAgB,KAAK;AACvE,aAAO,KAAK;AAAA,QACV,MAAM,GAAG,IAAI;AAAA,QACb,SAAS,8BAA8B,aAAa,UAAU,GAAG,8BAA8B,aAAa,gBAAgB,GAAG;AAAA,MACjI,CAAC;AAAA,IACH;AACA,QAAI,aAAa,gBAAgB,MAAM,MAAM,aAAa,UAAU,KAAK;AACvE,aAAO,KAAK;AAAA,QACV,MAAM,GAAG,IAAI;AAAA,QACb,SAAS,oCAAoC,aAAa,gBAAgB,GAAG,wBAAwB,aAAa,UAAU,GAAG;AAAA,MACjI,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,cAAc,KAA+B;AACpD,SAAO,MAAM,QAAQ,GAAG,KAAK,IAAI,MAAM,CAAC,MAAM,OAAO,MAAM,QAAQ;AACrE;AAEA,SAAS,sBAAsB,GAAqC;AAClE,aAAW,OAAO,CAAC,aAAa,mBAAmB,WAAW,GAAG;AAC/D,UAAM,IAAI,EAAE,GAAG;AACf,QAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;AACxC,UAAM,QAAQ;AACd,QAAI,OAAO,MAAM,QAAQ,YAAY,OAAO,MAAM,QAAQ,SAAU,QAAO;AAAA,EAC7E;AACA,SAAO;AACT;;;AD9KO,SAAS,UAAU,aAAkC;AAC1D,MAAI;AAEJ,MAAI;AACF,aAAc,KAAK,WAAW;AAAA,EAChC,SAAS,KAAK;AACZ,UAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,IAAI,SAAS,qBAAqB,OAAO,GAAG,CAAC,EAAE;AAAA,MAC5F,SAAS;AAAA,IACX;AAAA,EACF;AAEA,QAAM,aAAa,eAAe,MAAM;AAExC,MAAI,CAAC,WAAW,OAAO;AACrB,WAAO,EAAE,QAAQ,MAAM,YAAY,SAAS,YAAY;AAAA,EAC1D;AAEA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR;AAAA,IACA,SAAS;AAAA,EACX;AACF;AAKO,SAAS,UAAU,UAA+B;AACvD,MAAI;AAEJ,MAAI;AACF,kBAAU,wBAAa,UAAU,OAAO;AAAA,EAC1C,SAAS,KAAK;AACZ,UAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY,EAAE,OAAO,OAAO,QAAQ,CAAC,EAAE,MAAM,IAAI,SAAS,+BAA+B,OAAO,GAAG,CAAC,EAAE;AAAA,IACxG;AAAA,EACF;AAEA,SAAO,UAAU,OAAO;AAC1B;;;AErDO,SAAS,cAAc,QAAgD;AAC5E,MAAI,OAAO,QAAQ;AACjB,WAAO,IAAI,eAAe,OAAO,MAAM;AAAA,EACzC;AAEA,MAAI,OAAO,YAAY;AACrB,UAAM,SAAS,UAAU,OAAO,UAAU;AAC1C,QAAI,CAAC,OAAO,QAAQ;AAClB,YAAM,SAAS,OAAO,WAAW,OAAO,IAAI,CAAC,MAAM,GAAG,EAAE,IAAI,KAAK,EAAE,OAAO,EAAE,EAAE,KAAK,IAAI;AACvF,YAAM,IAAI,MAAM,uBAAuB,OAAO,UAAU,KAAK,MAAM,EAAE;AAAA,IACvE;AACA,WAAO,IAAI,eAAe,OAAO,MAAM;AAAA,EACzC;AAEA,QAAM,IAAI,MAAM,2DAA2D;AAC7E;AAKO,SAAS,YAAY,WAA2B,SAA6C;AAClG,SAAO,UAAU,SAAS,OAAO;AACnC;;;ACnBO,IAAM,yBAAsD;AAAA,EACjE,MAAM;AAAA,EACN,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,UAAU;AAAA,EACV,MAAM;AAAA,EACN,UAAU;AACZ;AAuCO,SAAS,cAAc,OAA2B;AACvD,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,MAAI,SAAS,GAAI,QAAO;AACxB,SAAO;AACT;;;AChDO,IAAM,cAAc;;;ACc3B,IAAM,iBAAyC;AAAA,EAC7C,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA,EAKZ,oBAAoB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMpB,OAAO;AACT;AAOA,IAAI,qBAAqB;AAGzB,IAAI,0BAA0B;AAE9B,eAAe,iBAAiB,YAAoB,OAAgC;AAClF,uBAAqB;AACrB,MAAI;AACF,UAAM,WAAW,GAAG,UAAU;AAK9B,UAAM,WAAW,MAAM,MAAM,UAAU,EAAE,QAAQ,OAAO,CAAC;AACzD,UAAM,cAAc,SAAS,QAAQ,IAAI,cAAc,KAAK;AAC5D,QAAI,YAAY,WAAW,WAAW,GAAG;AACvC,cAAQ;AAAA,QACN,qCAAqC,UAAU,kCAAkC,WAAW;AAAA,MAI9F;AAAA,IACF,WAAW,OAAO;AAChB,cAAQ;AAAA,QACN,+CAA+C,UAAU,mBAAmB,WAAW;AAAA,MACzF;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,QAAI,OAAO;AACT,cAAQ,IAAI,2DAA2D,OAAO,GAAG,CAAC,EAAE;AAAA,IACtF;AAAA,EACF;AACF;AAKA,IAAM,oBAAoB,oBAAI,IAA+D;AAiB7F,SAAS,YAAY,SAAsC;AACzD,QAAM,IAAI,QAAQ;AAClB,SAAO;AAAA,IACL,EAAE,WAAW;AAAA,IACb,EAAE,UAAU;AAAA,IACZ,EAAE,OAAO;AAAA,IACT,QAAQ,WAAW;AAAA,IACnB,QAAQ,UAAU;AAAA,IAClB,QAAQ,gBAAgB;AAAA,IACxB,QAAQ,YAAY;AAAA,IACpB,QAAQ,gBAAgB;AAAA,IACxB,QAAQ,oBAAoB;AAAA,IAC5B,QAAQ,YAAY;AAAA,IACpB,QAAQ,mBAAmB;AAAA,IAC3B,QAAQ,oBAAoB;AAAA,IAC5B,QAAQ,oBAAoB,MAAM;AAAA,IAClC,QAAQ,iBAAiB;AAAA,IACzB,QAAQ,iBAAiB;AAAA,EAC3B,EAAE,KAAK,GAAG;AACZ;AAKA,SAAS,gBAAgB,SAAyD;AAChF,QAAM,MAAM,YAAY,OAAO;AAC/B,QAAM,SAAS,kBAAkB,IAAI,GAAG;AAExC,MAAI,UAAU,OAAO,YAAY,KAAK,IAAI,GAAG;AAC3C,WAAO,OAAO;AAAA,EAChB;AAEA,MAAI,QAAQ;AACV,sBAAkB,OAAO,GAAG;AAAA,EAC9B;AAEA,SAAO;AACT;AAaA,IAAM,iCAAiC;AACvC,IAAM,8BAA8B;AAEpC,SAAS,YACP,SACA,QACA,eACM;AACN,QAAM,aACJ,iBAAiB,gBAAgB,IAC7B,gBACA,OAAO,iBACL,8BACA;AACR,QAAM,MAAM,YAAY,OAAO;AAC/B,oBAAkB,IAAI,KAAK;AAAA,IACzB;AAAA,IACA,WAAW,KAAK,IAAI,IAAI,aAAa;AAAA,EACvC,CAAC;AACH;AAwFA,SAAS,uBACP,QACA,QACA,UAA+D,CAAC,GAC5C;AACpB,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,aAAa,WAAW;AAE9B,QAAM,WAAyB,aAC3B;AAAA,IACE,SACE;AAAA,IACF,iBAAiB,GAAG,OAAO,WAAW,QAAQ,QAAQ,EAAE,CAAC;AAAA,IACzD,kBAAkB,GAAG,OAAO,WAAW,QAAQ,QAAQ,EAAE,CAAC;AAAA,IAC1D,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF,IACA;AAAA,IACE,SACE;AAAA,IACF,iBAAiB,GAAG,OAAO,WAAW,QAAQ,QAAQ,EAAE,CAAC;AAAA,IACzD,kBAAkB,GAAG,OAAO,WAAW,QAAQ,QAAQ,EAAE,CAAC;AAAA,IAC1D,OAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEJ,SAAO;AAAA;AAAA;AAAA;AAAA,IAIL,kBAAkB;AAAA,IAClB,eAAe;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOf,aAAa;AAAA,IACb;AAAA,IACA,eAAe,SAAS,CAAC,MAAM,IAAI,CAAC,qCAAqC;AAAA;AAAA;AAAA;AAAA;AAAA,IAKzE,UAAU,aACN;AAAA,MACE;AAAA,QACE,WAAW;AAAA,QACX,SAAS,UAAU;AAAA,QACnB,UAAU,SAAS;AAAA,MACrB;AAAA,IACF,IACA;AAAA,IACJ,eAAe,QAAQ;AAAA,IACvB,YAAY,oBAAI,KAAK;AAAA,EACvB;AACF;AAKA,eAAe,oBACb,QACA,SAqFC;AACD,QAAM,EAAE,aAAa,GAAG,YAAY,IAAI;AAIxC,QAAM,OAAgC;AAAA,IACpC,GAAI,YAAY,WAAW,EAAE,SAAS,YAAY,QAAQ;AAAA,IAC1D,SAAS,YAAY,WAAW;AAAA,EAClC;AAGA,MAAI,YAAY,OAAQ,MAAK,SAAS,YAAY;AAClD,MAAI,YAAY,aAAc,MAAK,eAAe,YAAY;AAC9D,MAAI,YAAY,SAAU,MAAK,WAAW,YAAY;AACtD,MAAI,YAAY,aAAc,MAAK,eAAe,YAAY;AAC9D,MAAI,YAAY,iBAAkB,MAAK,mBAAmB,YAAY;AACtE,MAAI,YAAY,SAAU,MAAK,WAAW,YAAY;AACtD,MAAI,YAAY,kBAAmB,MAAK,oBAAoB,YAAY;AACxE,MAAI,YAAY,cAAe,MAAK,gBAAgB,YAAY;AAChE,MAAI,YAAY,kBAAkB,OAAW,MAAK,gBAAgB,YAAY;AAE9E,MAAI,YAAY;AACd,SAAK,yBAAyB,YAAY;AAC5C,MAAI,YAAY,cAAe,MAAK,gBAAgB,YAAY;AAChE,MAAI,YAAY,iBAAkB,MAAK,mBAAmB,YAAY;AACtE,MAAI,YAAY,iBAAkB,MAAK,mBAAmB,YAAY;AACtE,MAAI,YAAY,gBAAiB,MAAK,kBAAkB,YAAY;AACpE,MAAI,OAAO,eAAgB,MAAK,iBAAiB,OAAO;AACxD,MAAI,YAAY;AACd,SAAK,0BAA0B,YAAY;AAG7C,MAAI,YAAY,mBAAoB,MAAK,qBAAqB,YAAY;AAS1E,OAAK,aAAa;AAIlB,MAAI,YAAY,kBAAkB,YAAY,YAAY,YAAY,WAAW;AAC/E,UAAM,OAAO;AAAA,MACX,GAAI,YAAY,YAAY,EAAE,UAAU,YAAY,SAAS;AAAA,MAC7D,GAAI,YAAY,aAAa,EAAE,WAAW,YAAY,UAAU;AAAA,MAChE,GAAG,YAAY;AAAA,IACjB;AACA,QAAI,OAAO,KAAK,IAAI,EAAE,SAAS,EAAG,MAAK,iBAAiB;AAAA,EAC1D;AAGA,QAAM,UAAkC;AAAA,IACtC,gBAAgB;AAAA,IAChB,GAAG,OAAO;AAAA,EACZ;AAKA,MAAI,YAAY,qBAAqB;AACnC,YAAQ,eAAe,IAAI,YAAY;AAAA,EACzC,WAAW,OAAO,QAAQ;AACxB,YAAQ,eAAe,IAAI,UAAU,OAAO,MAAM;AAAA,EACpD;AAEA,MAAI,OAAO,QAAQ;AACjB,YAAQ,WAAW,IAAI,OAAO;AAAA,EAChC;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,GAAG,OAAO,UAAU,yBAAyB;AAAA,MACxE,QAAQ;AAAA,MACR;AAAA,MACA,MAAM,KAAK,UAAU,IAAI;AAAA,IAC3B,CAAC;AAED,UAAM,OAAO,MAAM,SAAS,KAAK;AAMjC,QAAI,SAAS,WAAW,KAAK;AAC3B,aAAO;AAAA,QACL,SAAS;AAAA,QACT,QAAQ;AAAA,UACN,SAAS;AAAA,UACT,aAAa;AAAA,UACb,QAAQ;AAAA,UACR,UAAU;AAAA,YACR;AAAA,cACE,WAAW;AAAA,cACX,SACE,OAAO,MAAM,YAAY,WAAW,KAAK,UAAU;AAAA,cACrD,UACE,OAAO,MAAM,aAAa,WACtB,KAAK,WACL;AAAA,YACR;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,SAAS,IAAI;AAIhB,aAAO;AAAA,QACL,SAAS;AAAA,QACT,OAAO,KAAK,WAAW,KAAK,SAAS,gBAAgB,SAAS,MAAM;AAAA,QACpE,eAAe,OAAO,MAAM,kBAAkB,WAAW,KAAK,gBAAgB;AAAA,MAChF;AAAA,IACF;AAEA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,UAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,qCAAqC,OAAO;AAAA,IACrD;AAAA,EACF;AACF;AAKA,eAAsB,OACpB,QACA,SAC6B;AAC7B,QAAM,eAAe,EAAE,GAAG,gBAAgB,GAAG,OAAO;AAGpD,MAAI,CAAC,sBAAsB,CAAC,aAAa,qBAAqB,aAAa,YAAY;AACrF,SAAK,iBAAiB,aAAa,YAAY,aAAa,KAAK;AAAA,EACnE;AAGA,MACE,CAAC,4BACA,OAAO,kBAAkB,UAAa,OAAO,yBAAyB,SACvE;AACA,8BAA0B;AAC1B,YAAQ;AAAA,MACN;AAAA,IAIF;AAAA,EACF;AAUA,MAAI,aAAa,aAAa,GAAG;AAC/B,UAAM,SAAS,gBAAgB,OAAO;AACtC,QAAI,QAAQ;AACV,UAAI,aAAa,OAAO;AACtB,gBAAQ,IAAI,+CAA+C;AAAA,MAC7D;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAGA,QAAM,kBAAkB,EAAE,GAAG,QAAQ;AACrC,MAAI,CAAC,gBAAgB,mBAAmB,aAAa,iBAAiB;AACpE,oBAAgB,kBAAkB,aAAa;AAAA,EACjD;AACA,MAAI,CAAC,gBAAgB,oBAAoB,aAAa,kBAAkB;AACtE,oBAAgB,mBAAmB,aAAa;AAAA,EAClD;AAGA,MAAI,aAAa,OAAO;AACtB,YAAQ,IAAI,iDAAiD;AAAA,EAC/D;AAEA,QAAM,cAAc,MAAM,oBAAoB,cAAc,eAAe;AAG3E,MAAI,CAAC,YAAY,SAAS;AAMxB,WAAO,uBAAuB,cAAc,YAAY,OAAO;AAAA,MAC7D,QAAQ;AAAA,MACR,eAAgB,YAA2C;AAAA,IAC7D,CAAC;AAAA,EACH;AAGA,MAAI,CAAC,YAAY,QAAQ,SAAS;AAIhC,UAAM,qBAAsB,YAAY,QACpC;AAMJ,UAAM,wBACH,YAAY,qBAA8D,eAC3E;AACF,UAAMI,UAAqC;AAAA,MACzC,kBAAkB;AAAA,MAClB,eAAe;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQf,aAAa;AAAA,MACb,eACE,sBAAsB,mBAAmB,SAAS,IAC9C,mBAAmB,IAAI,CAAC,MAAM,EAAE,OAAO,IACvC,YAAY,QAAQ,SAClB,CAAC,YAAY,OAAO,MAAM,IAC1B,CAAC,eAAe;AAAA,MACxB,UAAU;AAAA,MACV,gBAAgB,YAAY,QAAQ;AAAA,MACpC,kBAAkB,YAAY,QAAQ;AAAA,MACtC,UAAU;AAAA,QACR,SAAS,YAAY,QAAQ,UAAU;AAAA,QACvC,iBAAiB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,QAChE,kBAAkB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,MACnE;AAAA,MACA,YAAY,oBAAI,KAAK;AAAA;AAAA,MAErB,WAAY,YAAwC;AAAA;AAAA;AAAA,MAGpD,eAAgB,YAAwC;AAAA,MACxD,gBAAiB,YACd;AAAA,MACH,uBAAwB,YAAwC;AAAA,IAGlE;AAEA,WAAOA;AAAA,EACT;AAGA,QAAM,QAAmC,YAAY,QACjD;AAAA,IACE,SAAS,YAAY,MAAM;AAAA,IAC3B,MAAM,YAAY,MAAM;AAAA,IACxB,YAAY,YAAY,MAAM;AAAA,IAC9B,YAAY,cAAc,YAAY,MAAM,UAAU;AAAA,IACtD,oBAAoB,YAAY,MAAM,qBAAqB;AAAA,IAC3D,QAAQ,YAAY,MAAM;AAAA,EAC5B,IACA;AAEJ,QAAM,YAA2C,YAAY,YACzD;AAAA,IACE,UAAU,YAAY,UAAU;AAAA,IAChC,MAAM,YAAY,UAAU;AAAA,IAC5B,YAAY,YAAY,UAAU,cAAc;AAAA,IAChD,UAAU,YAAY,UAAU;AAAA,EAClC,IACA;AAEJ,QAAM,eAAiD,YAAY,eAC/D;AAAA,IACE,MAAM,YAAY,aAAa;AAAA,IAC/B,UAAU,YAAY,aAAa;AAAA,IACnC,YAAY,YAAY,aAAa;AAAA,EACvC,IACA;AAKJ,QAAM,sBAAsB,YAAY;AAMxC,QAAM,cAA2B,YAAY,QAAQ,eAAe;AAEpE,QAAM,SAAqC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMzC,kBACG,YAAY,qBAA8D,eAC3E;AAAA,IACF,eAAe;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,eAAe,YAAY,QAAQ;AAAA,IACnC;AAAA,IACA,gBAAgB,YAAY,QAAQ;AAAA,IACpC,kBAAkB,YAAY,QAAQ;AAAA,IACtC,YAAY,oBAAI,KAAK;AAAA,IACrB,UAAU,aAAa;AAAA;AAAA,IAEvB,WAAY,YAAwC;AAAA;AAAA;AAAA,IAGpD,eAAgB,YAAwC;AAAA,IACxD,kBAAmB,YAAwC;AAAA,IAG3D,eAAgB,YAAwC;AAAA,IAGxD,gBAAiB,YACd;AAAA,IACH,uBAAwB,YAAwC;AAAA,IAGhE,eAAgB,YAAwC;AAAA,EAG1D;AAGA,MAAI,OAAO,mBAAmB,QAAQ;AAKpC,WAAO,gBAAgB;AACvB,WAAO,cAAc;AACrB,WAAO,gBAAgB,OAAO,yBAAyB;AAAA,MACrD;AAAA,IACF;AACA,QAAI,OAAO,kBAAkB;AAC3B,aAAO,WAAW;AAAA,QAChB,SAAS,wBAAwB,OAAO,iBAAiB,UAAU,0BAA0B;AAAA,QAC7F,iBAAiB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,QAChE,kBAAkB,GAAG,aAAa,YAAY,QAAQ,QAAQ,EAAE,CAAC;AAAA,MACnE;AAAA,IACF;AAAA,EACF,WAAW,OAAO,mBAAmB,oBAAoB;AACvD,WAAO,iBAAiB;AACxB,QAAI,uBAAuB,OAAO,WAAW,IAAI,uBAAuB,WAAW,GAAG;AACpF,aAAO,cAAc;AAAA,IACvB;AACA,WAAO,gBAAgB,OAAO,yBAAyB,CAAC,+BAA+B;AAAA,EACzF;AAKA,MAAI,aAAa,aAAa,KAAK,OAAO,mBAAmB,QAAQ;AACnE,gBAAY,SAAS,QAAQ,aAAa,QAAQ;AAAA,EACpD;AAEA,SAAO;AACT;;;AC3lBA,IAAM,4BAA4B,IAAI,KAAK;;;AC+H3C,IAAMC,6BAA4B,IAAI,KAAK;;;AC5S3C,gCAAgC;;;ACHhC,qCAAgE;;;ACIhE,oBAA4C;AAC5C,yBAA2B;;;ACL3B,IAAAC,sBAA4C;;;ACC5C,IAAAC,iBAAgC;AAChC,IAAAC,sBAA2B;;;ACW3B,kBAA+C;;;AChB/C,IAAAC,eAA2B;;;ACG3B,qBAMO;AACP,mBAAiC;;;ACKjC,IAAAC,sBAAsC;;;ACnBtC,kBAA6C;;;ACS7C,SAAS,gBAAgB,QAA+C;AACtE,SAAO;AAAA,IACL,YAAY,OAAO,cAAc;AAAA,IACjC,QAAQ,OAAO;AAAA,IACf,oBAAoB,OAAO;AAAA,IAC3B,eAAe,OAAO;AAAA,IACtB,sBAAsB,OAAO;AAAA,IAC7B,UAAU,OAAO;AAAA,IACjB,OAAO,OAAO;AAAA,IACd,eAAe,OAAO;AAAA,IACtB,iBAAiB,OAAO;AAAA,IACxB,kBAAkB,OAAO;AAAA,EAC3B;AACF;AAKA,SAAS,sBAAsB,SAAuB,SAAuC;AAC3F,SAAO;AAAA,IACL,aAAa,EAAE,QAAQ;AAAA,IACvB,SAAS,QAAQ;AAAA,IACjB,QAAQ,QAAQ;AAAA,IAChB,cAAc,QAAQ;AAAA,IACtB,UAAU,QAAQ;AAAA,IAClB,kBAAkB,QAAQ;AAAA,IAC1B,UAAU,QAAQ;AAAA,IAClB,eAAe;AAAA,EACjB;AACF;AAKA,SAAS,WAAW,QAAkD;AAEpE,MAAI,OAAO,oBAAoB,OAAO,eAAe;AACnD,WAAO;AAAA,MACL,gBAAgB;AAAA,MAChB,QAAQ,+BAA+B,OAAO,WAAW;AAAA,MACzD,YAAY,OAAO,OAAO;AAAA,MAC1B,WACE,eAAe,SACT,OAAmC,YACrC;AAAA,IACR;AAAA,EACF;AAEA,MAAI,OAAO,kBAAkB,OAAO,kBAAkB;AACpD,WAAO;AAAA,MACL,gBAAgB;AAAA,MAChB,QAAQ,OAAO,gBAAgB,CAAC,KAAK;AAAA,MACrC,YAAY,OAAO,OAAO;AAAA,IAC5B;AAAA,EACF;AAEA,SAAO;AAAA,IACL,gBAAgB;AAAA,IAChB,QAAQ,OAAO,gBAAgB,CAAC,KAAK;AAAA,IACrC,YAAY,OAAO,OAAO;AAAA,EAC5B;AACF;AAKA,eAAsB,aACpB,QACA,SACA,SAC+B;AAC/B,QAAM,gBAAgB,gBAAgB,MAAM;AAC5C,QAAM,UAAU,sBAAsB,SAAS,OAAO;AACtD,QAAM,SAAS,MAAM,OAAO,eAAe,OAAO;AAClD,SAAO,WAAW,MAAM;AAC1B;;;AClFA,IAAAC,aAAmE;AACnE,kBAAwB;AAKxB,IAAM,iBAAiB;AACvB,IAAM,cAAc;AAEb,IAAM,kBAAN,MAAsB;AAAA,EAO3B,YAAY,QAAgC,aAAsB;AANlE,SAAQ,QAA0B,CAAC;AACnC,SAAQ,QAA+C;AAEvD,SAAQ,aAAa;AACrB,SAAQ,cAA6B;AAGnC,SAAK,SAAS;AACd,SAAK,cAAc,eAAe;AAClC,SAAK,aAAa;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAA0B;AAC9B,QAAI,KAAK,MAAO;AAChB,SAAK,QAAQ,YAAY,MAAM,KAAK,MAAM,GAAG,UAAU;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAsB;AAC1B,QAAI,KAAK,OAAO;AACd,oBAAc,KAAK,KAAK;AACxB,WAAK,QAAQ;AAAA,IACf;AACA,UAAM,KAAK,MAAM;AACjB,SAAK,WAAW;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA,EAKA,QAAQ,SAAuB,UAAsC;AACnE,QAAI,KAAK,MAAM,UAAU,gBAAgB;AAEvC,WAAK,MAAM,MAAM;AAAA,IACnB;AAEA,SAAK,MAAM,KAAK;AAAA,MACd,IAAI,GAAG,KAAK,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,GAAG,CAAC,CAAC;AAAA,MAC3D;AAAA,MACA;AAAA,MACA,WAAW,oBAAI,KAAK;AAAA,MACpB,YAAY;AAAA,MACZ,QAAQ;AAAA,IACV,CAAC;AAED,SAAK,WAAW;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAuB;AAC3B,QAAI,KAAK,WAAY;AACrB,SAAK,aAAa;AAElB,QAAI;AACF,YAAM,UAAU,KAAK,MAAM,OAAO,CAAC,MAAM,EAAE,WAAW,SAAS;AAE/D,iBAAW,SAAS,SAAS;AAC3B,YAAI;AACF,gBAAM,aAAa,KAAK,QAAQ,MAAM,OAAO;AAC7C,gBAAM,SAAS;AAAA,QACjB,QAAQ;AACN,gBAAM;AACN,cAAI,MAAM,cAAc,aAAa;AACnC,kBAAM,SAAS;AAAA,UACjB;AAAA,QACF;AAAA,MACF;AAGA,WAAK,QAAQ,KAAK,MAAM,OAAO,CAAC,MAAM,EAAE,WAAW,SAAS;AAC5D,WAAK,WAAW;AAAA,IAClB,UAAE;AACA,WAAK,aAAa;AAAA,IACpB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,YAAgD;AAC9C,WAAO;AAAA,MACL,SAAS,KAAK,MAAM,OAAO,CAAC,MAAM,EAAE,WAAW,SAAS,EAAE;AAAA,MAC1D,OAAO,KAAK,MAAM;AAAA,IACpB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAqB;AAC3B,QAAI,CAAC,KAAK,YAAa;AAEvB,QAAI;AACF,UAAI,KAAC,uBAAW,KAAK,WAAW,EAAG;AACnC,YAAM,WAAO,yBAAa,KAAK,aAAa,OAAO;AACnD,YAAM,UAAU,KAAK,MAAM,IAAI;AAE/B,WAAK,QAAQ,QACV,OAAO,CAAC,MAAM,EAAE,WAAW,SAAS,EACpC,IAAI,CAAC,OAAO,EAAE,GAAG,GAAG,WAAW,IAAI,KAAK,EAAE,SAAS,EAAE,EAAE;AAAA,IAC5D,QAAQ;AAEN,WAAK,QAAQ,CAAC;AAAA,IAChB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAmB;AACzB,QAAI,CAAC,KAAK,YAAa;AAEvB,QAAI;AACF,YAAM,UAAM,qBAAQ,KAAK,WAAW;AACpC,UAAI,KAAC,uBAAW,GAAG,EAAG,2BAAU,KAAK,EAAE,WAAW,KAAK,CAAC;AACxD,oCAAc,KAAK,aAAa,KAAK,UAAU,KAAK,OAAO,MAAM,CAAC,GAAG,OAAO;AAAA,IAC9E,QAAQ;AAAA,IAER;AAAA,EACF;AACF;AAKO,SAAS,aACd,WACA,WACA,SACsB;AAEtB,QAAM,WAAW,UAAU,SAAS,OAAO;AAG3C,YAAU,QAAQ,SAAS,QAAQ;AAEnC,SAAO;AACT;;;AC3JA,IAAAC,aAAyF;AACzF,IAAAC,eAAqB;AAGrB,IAAM,gBAAgB,KAAK,OAAO;AAClC,IAAM,YAAY;AAEX,IAAM,cAAN,MAAkB;AAAA,EAIvB,YAAY,WAAmB,SAAkB;AAC/C,SAAK,YAAY;AACjB,SAAK,UAAU;AAEf,QAAI,SAAS;AACX,gCAAU,WAAW,EAAE,WAAW,KAAK,CAAC;AAAA,IAC1C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,SAAuB,UAAsC;AACzE,QAAI,CAAC,KAAK,QAAS;AAEnB,SAAK,MAAM;AAAA,MACT,IAAI,KAAK,WAAW;AAAA,MACpB,WAAW,oBAAI,KAAK;AAAA,MACpB,MAAM;AAAA,MACN;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,MAAc,IAAkB;AAC5C,QAAI,CAAC,KAAK,QAAS;AAEnB,SAAK,MAAM;AAAA,MACT,IAAI,KAAK,WAAW;AAAA,MACpB,WAAW,oBAAI,KAAK;AAAA,MACpB,MAAM;AAAA,MACN,UAAU,EAAE,MAAM,GAAG;AAAA,IACvB,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,SAAS,OAAe,SAA8B;AACpD,QAAI,CAAC,KAAK,QAAS;AAEnB,SAAK,MAAM;AAAA,MACT,IAAI,KAAK,WAAW;AAAA,MACpB,WAAW,oBAAI,KAAK;AAAA,MACpB,MAAM;AAAA,MACN;AAAA,MACA,UAAU,EAAE,MAAM;AAAA,IACpB,CAAC;AAAA,EACH;AAAA,EAEQ,MAAM,OAAyB;AACrC,QAAI;AACF,YAAM,WAAW,KAAK,mBAAmB;AACzC,YAAM,OAAO,KAAK,UAAU,KAAK,IAAI;AAGrC,cAAI,uBAAW,QAAQ,GAAG;AACxB,cAAM,YAAQ,qBAAS,QAAQ;AAC/B,YAAI,MAAM,OAAO,eAAe;AAC9B,eAAK,OAAO;AAAA,QACd;AAAA,MACF;AAEA,qCAAe,UAAU,IAAI;AAAA,IAC/B,QAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEQ,qBAA6B;AACnC,UAAM,QAAO,oBAAI,KAAK,GAAE,YAAY,EAAE,MAAM,GAAG,EAAE,CAAC;AAClD,eAAO,mBAAK,KAAK,WAAW,SAAS,IAAI,QAAQ;AAAA,EACnD;AAAA,EAEQ,SAAe;AACrB,QAAI;AACF,YAAM,YAAQ,wBAAY,KAAK,SAAS,EACrC,OAAO,CAAC,MAAM,EAAE,WAAW,QAAQ,KAAK,EAAE,SAAS,QAAQ,CAAC,EAC5D,KAAK;AAER,aAAO,MAAM,UAAU,WAAW;AAChC,cAAM,SAAS,MAAM,MAAM;AAC3B,uCAAW,mBAAK,KAAK,WAAW,MAAM,CAAC;AAAA,MACzC;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AAAA,EAEQ,aAAqB;AAC3B,WAAO,GAAG,KAAK,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,GAAG,CAAC,CAAC;AAAA,EAChE;AACF;;;ACtFO,IAAM,mBAAN,MAAuB;AAAA,EAO5B,YAAY,QAAgC;AAL5C,SAAQ,YAAmC;AAC3C,SAAQ,YAAoC;AAC5C,SAAQ,cAAkC;AAC1C,SAAQ,cAAc;AAGpB,SAAK,SAAS;AACd,SAAK,eAAe;AAAA,EACtB;AAAA,EAEQ,iBAAuB;AAC7B,UAAM,EAAE,KAAK,IAAI,KAAK;AAEtB,QAAI,SAAS,UAAU;AACrB,UAAI,CAAC,KAAK,OAAO,cAAc,CAAC,KAAK,OAAO,QAAQ;AAClD,cAAM,IAAI,MAAM,2CAA2C;AAAA,MAC7D;AAAA,IACF;AAEA,QAAI,SAAS,SAAS;AACpB,UAAI,CAAC,KAAK,OAAO,cAAc,CAAC,KAAK,OAAO,QAAQ;AAClD,cAAM,IAAI,MAAM,0CAA0C;AAAA,MAC5D;AAAA,IACF;AAEA,QAAI,SAAS,UAAU;AACrB,UAAI,CAAC,KAAK,OAAO,cAAc,CAAC,KAAK,OAAO,QAAQ;AAClD,cAAM,IAAI,MAAM,2CAA2C;AAAA,MAC7D;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,aAA4B;AAChC,QAAI,KAAK,YAAa;AAEtB,UAAM,EAAE,KAAK,IAAI,KAAK;AAEtB,QAAI,SAAS,WAAW,SAAS,UAAU;AACzC,WAAK,YAAY,cAAc,KAAK,MAAM;AAAA,IAC5C;AAEA,QAAI,SAAS,UAAU;AACrB,YAAM,cAAc,KAAK,OAAO,YAC5B,GAAG,KAAK,OAAO,SAAS,wBACxB;AACJ,WAAK,YAAY,IAAI,gBAAgB,KAAK,QAAQ,WAAW;AAC7D,YAAM,cAAc,KAAK,OAAO,gBAAgB,QAAQ;AACxD,WAAK,UAAU,MAAM,UAAU;AAAA,IACjC;AAGA,QAAI,KAAK,OAAO,cAAc;AAC5B,YAAM,YAAY,KAAK,OAAO,aAAa;AAC3C,WAAK,cAAc,IAAI,YAAY,WAAW,IAAI;AAAA,IACpD;AAEA,SAAK,cAAc;AAEnB,QAAI,KAAK,OAAO,OAAO;AACrB,YAAM,UAAU,KAAK,OAAO,WAAW;AACvC,cAAQ,IAAI,qCAAqC,IAAI,UAAU,OAAO,GAAG;AAAA,IAC3E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAA0B;AAC9B,QAAI,KAAK,WAAW;AAClB,YAAM,KAAK,UAAU,KAAK;AAC1B,WAAK,YAAY;AAAA,IACnB;AAEA,SAAK,YAAY;AACjB,SAAK,cAAc;AAEnB,QAAI,KAAK,OAAO,OAAO;AACrB,cAAQ,IAAI,8BAA8B;AAAA,IAC5C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,SAAS,SAAuB,SAAiD;AACrF,QAAI,CAAC,KAAK,aAAa;AACrB,YAAM,KAAK,WAAW;AAAA,IACxB;AAEA,QAAI;AAEJ,YAAQ,KAAK,OAAO,MAAM;AAAA,MACxB,KAAK;AACH,mBAAW,MAAM,aAAa,KAAK,QAAQ,SAAS,OAAO;AAC3D;AAAA,MAEF,KAAK;AACH,YAAI,CAAC,KAAK,UAAW,OAAM,IAAI,MAAM,iCAAiC;AACtE,mBAAW,YAAY,KAAK,WAAW,OAAO;AAC9C;AAAA,MAEF,KAAK;AACH,YAAI,CAAC,KAAK,aAAa,CAAC,KAAK,UAAW,OAAM,IAAI,MAAM,6BAA6B;AACrF,mBAAW,aAAa,KAAK,WAAW,KAAK,WAAW,OAAO;AAC/D;AAAA,MAEF;AACE,cAAM,IAAI,MAAM,iBAAiB,KAAK,OAAO,IAAI,EAAE;AAAA,IACvD;AAGA,QAAI,KAAK,OAAO,YAAY,aAAa,SAAS,mBAAmB,SAAS;AAC5E,iBAAW;AAAA,QACT,GAAG;AAAA,QACH,gBAAgB;AAAA,QAChB,QAAQ,6BAA6B,SAAS,cAAc,KAAK,SAAS,MAAM;AAAA,MAClF;AAAA,IACF;AAGA,SAAK,aAAa,cAAc,SAAS,QAAQ;AAEjD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,OAAuC;AACzC,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAgC;AAClC,WAAO,KAAK,OAAO,WAAW;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAAW,SAAyC,kBAAmE;AAC3H,UAAM,UAAU,KAAK,OAAO;AAC5B,UAAM,KAAK,SAAS;AAEpB,SAAK,SAAS,EAAE,GAAG,KAAK,QAAQ,GAAG,kBAAkB,MAAM,QAAQ;AACnE,SAAK,eAAe;AACpB,UAAM,KAAK,WAAW;AAEtB,SAAK,aAAa,cAAc,SAAS,OAAO;AAEhD,QAAI,KAAK,OAAO,OAAO;AACrB,cAAQ,IAAI,kCAAkC,OAAO,OAAO;AAAA,IAC9D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,gBAA2D;AACzD,WAAO,KAAK,WAAW,UAAU,KAAK;AAAA,EACxC;AACF;;;A5B1LA,IAAI,UAAgC;AACpC,IAAI,UAAmC;AAMvC,eAAsB,SAAS,WAAqC;AAClE,QAAM,SAAS,kBAAkB;AAEjC,YAAU,IAAI,iBAAiB,OAAO,aAAa;AAEnD,YAAU,IAAI,cAAc;AAAA,IAC1B,QAAQ;AAAA,IACR,oBAAoB,OAAO,SAAS,aAAa;AAC/C,YAAM,SAAS,MAAM,UAAU,OAAO;AAAA,QACpC,cAAc,SAAS,MAAM;AAAA;AAAA,UAAe,QAAQ,MAAM,WAAM,QAAQ,MAAM;AAAA,QAC9E;AAAA,QACA;AAAA,MACF;AACA,aAAO,WAAW;AAAA,IACpB;AAAA,EACF,CAAC;AAED,QAAM,QAAQ,WAAW;AAAA,IACvB;AAAA,IACA,gBAAgB,EAAE,QAAQ,UAAU;AAAA,EACtC,CAAC;AAGD,YAAU,SAAS,gBAAgB,wBAAwB,MAAM;AAC/D,UAAM,UAAU,UAAU,OAAO,oBAAoB,kBAAkB;AACvE,YAAQ,WAAW,SAAS,QAAS,IAAI,EAAE;AAC3C,YAAQ,WAAW,YAAY,QAAS,OAAO,EAAE;AACjD,YAAQ,WAAW,gBAAgB,OAAO,cAAc,cAAc,eAAe,EAAE;AACvF,YAAQ,KAAK;AAAA,EACf,CAAC;AAED,YAAU,SAAS,gBAAgB,wBAAwB,YAAY;AAErE,QAAI,CAAC,OAAO,cAAc,QAAQ;AAChC,gBAAU,OAAO;AAAA,QACf;AAAA,MACF;AACA;AAAA,IACF;AAEA,UAAM,SAAS,MAAM,UAAU,OAAO;AAAA,MACpC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,QAAI,QAAQ;AACV,YAAM,OAAO,OAAO,YAAY;AAChC,YAAM,QAAS,WAAW,IAAI;AAC9B,gBAAU,OAAO,uBAAuB,0BAA0B,IAAI,OAAO;AAAA,IAC/E;AAAA,EACF,CAAC;AACH;AAKA,eAAsB,aAA4B;AAChD,MAAI,SAAS;AACX,UAAM,QAAQ,SAAS;AACvB,cAAU;AAAA,EACZ;AACA,MAAI,SAAS;AACX,UAAM,QAAQ,SAAS;AACvB,cAAU;AAAA,EACZ;AACF;AAuBA,SAAS,oBAAqC;AAK5C,SAAO;AAAA,IACL,eAAe;AAAA,MACb,MAAM;AAAA,MACN,YAAY;AAAA,MACZ,OAAO;AAAA,MACP,cAAc;AAAA,MACd,SAAS;AAAA;AAAA,MAET,QAAQ;AAAA,QACN,SAAS;AAAA,QACT,MAAM;AAAA,QACN,UAAU;AAAA,UACR,EAAE,IAAI,aAAa,SAAS,KAAK;AAAA,UACjC,EAAE,IAAI,cAAc,SAAS,KAAK;AAAA,UAClC,EAAE,IAAI,eAAe,SAAS,MAAM;AAAA,UACpC,EAAE,IAAI,cAAc,SAAS,KAAK;AAAA,UAClC,EAAE,IAAI,iBAAiB,SAAS,KAAK;AAAA,UACrC,EAAE,IAAI,mBAAmB,SAAS,MAAM;AAAA,UACxC,EAAE,IAAI,cAAc,SAAS,MAAM;AAAA,QACrC;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;","names":["exception","map","schema","type","extend","str","string","result","DEFAULT_ROUTES_REFRESH_MS","import_node_crypto","import_decode","import_node_crypto","import_mppx","import_node_crypto","import_fs","import_fs","import_path"]}