@attestry/sdk 0.6.0

package/dist/resources/compliance-check.js

@@ -0,0 +1,402 @@
+// ─── ComplianceCheck resource ───────────────────────────────────────────────
+//
+// Wraps the compliance-check surface (session 15):
+//
+//   - GET /api/v1/compliance-check?systemId=<UUID>
+//   - GET /api/v1/compliance-check?orgName=<string>
+//
+// Third non-decisions resource on `@attestry/sdk`. Sibling to
+// `IncidentsResource`, `DecisionsResource`, `ChatResource`,
+// `AuditLogResource`, `RegulatoryChangesResource`. Single public
+// method today (`check`); the resource class exists as the landing
+// pad for future compliance-check methods if/when the kernel adds
+// them (resource-class-per-kernel-resource convention, carry-forward
+// invariant candidate #43).
+//
+// Multi-permission UNION auth scope: the kernel route gates on
+// `requireApiKeyWithPermission(request, READ_SYSTEMS, READ_ASSESSMENTS)`
+// which is OR semantics — `permissions.ts:53-55` uses `Array.some()`,
+// NOT `.every()`. A key with EITHER permission (or `ADMIN`, or empty
+// permissions for backwards-compat) succeeds. **HTTP 401** for
+// no/invalid API key (the `requireApiKey` branch fires first inside
+// `requireApiKeyWithPermission`); **HTTP 403** for an authenticated
+// key that has NEITHER required permission. Pin BOTH branches
+// separately. **Different from `auditLog.export`** which returns 401
+// for both unauth and insufficient-permission (ADMIN-only convention;
+// carry-forward invariant #42 governs ADMIN routes specifically).
+// First SDK route to exercise the multi-arg form of
+// `requireApiKeyWithPermission` — invariant candidate #45.
+//
+// XOR input mode (the **first** non-obvious gotcha): exactly one of
+// `systemId` OR `orgName` must be provided. The kernel is NOT strictly
+// XOR — when both are provided, kernel uses `systemId` and silently
+// ignores `orgName` (route.ts:80-87). The SDK is **stricter** than the
+// kernel — synchronously rejects "both provided" with a clear
+// `TypeError`. This protects consumers from silent shadow-of-orgName
+// bugs that the kernel quietly enables. Invariant candidate #46.
+//
+// Asymmetric cross-org error codes (the **second** non-obvious
+// gotcha): cross-org systemId returns **404** (kernel collapses to
+// "System not found", route.ts:76 — mirror of decisions.retrieve),
+// while cross-org orgName returns **403** ("Access denied",
+// route.ts:95). Pin BOTH branches and document the asymmetry in
+// JSDoc + README. Invariant candidate #47.
+//
+// Silent `.limit(100)` on orgName path (the **third** non-obvious
+// gotcha): route.ts:107 hardcodes `.limit(100)` on the org-systems
+// query. Orgs with more than 100 systems see a truncated set with NO
+// indicator — no `total` field, no `hasMore` cursor. The SDK does NOT
+// mask this — JSDoc + README call it out as a kernel surface gap.
+// Faithful-courier policy.
+//
+// Sync JSON request/response: reuses `client._request` and the
+// existing `{success:true, data}` envelope-unwrap (carry-forward
+// invariant #9). NO new SDK primitive needed — smaller blast radius
+// than `auditLog.export`. Returns
+// `Promise<ComplianceCheckResponse>`.
+import { AttestryError } from "../errors.js";
+import { readInputField } from "./safe-input-read.js";
+// Module-load snapshot of `Object.hasOwn` — defends against a
+// late-loading hostile/buggy npm dependency that overrides the global
+// (e.g., `Object.hasOwn = () => true`). Without the snapshot, the H4
+// prototype-pollution defense uses whatever Object.hasOwn the
+// dependency replaced it with at request time. Snapshotting at module
+// load captures the original implementation BEFORE most consumer
+// code has a chance to monkey-patch.
+//
+// Caveat: this is partial. If the hostile dependency is imported
+// BEFORE @attestry/sdk in the consumer's load graph, the snapshot
+// captures the bad version. Consumers ordering imports
+// SDK-then-untrusted-deps benefit; the reverse ordering does not.
+// Combined with `Object.hasOwn` itself being immune to
+// `obj.hasOwnProperty = ...` overrides (per MDN), this gives a
+// layered defense — perfect protection isn't possible at the SDK
+// layer.
+//
+// Hostile review session 15 finding (LOW #2).
+const objectHasOwn = Object.hasOwn;
+/**
+ * ComplianceCheck resource — sibling to `IncidentsResource`,
+ * `DecisionsResource`, `ChatResource`, `AuditLogResource`,
+ * `RegulatoryChangesResource`. Today wraps a single endpoint
+ * (`check`); the class is the landing pad for future compliance-check
+ * methods if the kernel adds them (resource-class-per-kernel-resource
+ * convention, invariant candidate #43).
+ */
+export class ComplianceCheckResource {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * Return a per-system compliance summary for either a single system
+     * (by UUID) or every system in an org (by org name, capped at 100).
+     * Returns `Promise<ComplianceCheckResponse>` — sync JSON, no
+     * pagination, no streaming.
+     *
+     * **Input mode — XOR with kernel quirk** (read carefully): exactly
+     * one of `systemId` OR `orgName` must be provided. The kernel is
+     * NOT strictly XOR — when both are provided, kernel silently picks
+     * `systemId` and ignores `orgName`. The SDK is **stricter** than
+     * the kernel and synchronously throws `TypeError` when both are
+     * provided. This is a deliberate D3 deviation: the kernel's
+     * silent-pick is a quirk that future maintenance could change at
+     * any time, and surfacing the conflict at the SDK boundary makes
+     * consumer code stable across kernel revisions.
+     *
+     * **Multi-permission UNION auth scope**: kernel uses
+     * `requireApiKeyWithPermission(req, READ_SYSTEMS, READ_ASSESSMENTS)`
+     * which is OR semantics (`Array.some()` at
+     * `permissions.ts:53-55`). A key with EITHER permission (or `ADMIN`,
+     * or null/empty permissions for backwards-compat) succeeds.
+     * **HTTP 401** for no/invalid API key, **HTTP 403** for an
+     * authenticated key that has NEITHER required permission. Pin
+     * BOTH branches separately. **Distinct from `auditLog.export`** in
+     * the auth MODEL — that route is ADMIN-only dual-auth — but NOT in
+     * the status surface: `auditLog.export` also returns 401 vs 403
+     * distinctly (corrected session-22 hostile review #2; the prior
+     * "ADMIN-only 401-for-both" framing of invariant #42 was wrong).
+     * First SDK route to exercise multi-arg
+     * `requireApiKeyWithPermission` — invariant candidate #45.
+     *
+     * **Asymmetric cross-org error codes** (read carefully):
+     * cross-org `systemId` returns **404** (kernel collapses to
+     * "System not found" at route.ts:76 — mirror of
+     * `decisions.retrieve`); cross-org `orgName` returns **403**
+     * ("Access denied" at route.ts:95). Consumers writing defensive
+     * error-handling logic must distinguish: a 404 on systemId path
+     * may be "not your org" OR "genuine missing UUID"; a 403 on
+     * orgName path is unambiguously "the org exists but you don't
+     * own it". Invariant candidate #47.
+     *
+     * **Silent `.limit(100)` on orgName path** (read carefully): if
+     * the org has more than 100 systems, the response is silently
+     * truncated to the first 100 — NO `total` field, NO `hasMore`
+     * cursor, NO warning. The SDK does NOT mask this (faithful
+     * courier — kernel decided 100 is enough). Consumers managing
+     * >100-system orgs should switch to systemId-per-row.
+     *
+     * **`compliant` field — implicit threshold of 70**:
+     * `compliant === activeAttestations > 0 && (overallScore === null || overallScore >= 70)`.
+     * Documented in detail on `ComplianceCheckResult.compliant` —
+     * consumers wanting a different bar can apply it post-hoc via
+     * the `score` field.
+     *
+     * Errors (kernel firing precedence: rate-limit → auth → input
+     * validation, so a request with multiple problems surfaces only the
+     * highest-precedence one. Hostile-review LOW #8):
+     *   - `AttestryAPIError` (status 429) — rate limit FIRES FIRST
+     *     (auto-retried by default — invariant #18; per-IP rate-limit
+     *     key `v1-compliance-check:${ip}`). A flooded IP gets 429 even
+     *     for unauthenticated or malformed requests.
+     *   - `AttestryAPIError` (status 401) — no API key OR invalid key
+     *     (the `requireApiKey` branch). Fires AFTER rate-limit but
+     *     BEFORE input validation.
+     *   - `AttestryAPIError` (status 403) — authenticated key has
+     *     NEITHER `READ_SYSTEMS` nor `READ_ASSESSMENTS` (the
+     *     permission-check branch); OR cross-org orgName ("Access
+     *     denied"). Distinguish via the response body's `error`
+     *     message.
+     *   - `AttestryAPIError` (status 400) — invalid systemId UUID
+     *     format (kernel's `isValidUuid` rejection). Fires AFTER auth.
+     *     The SDK does NOT pre-validate UUID format (D2: kernel is the
+     *     authority). The "neither systemId nor orgName" 400 is
+     *     UNREACHABLE through the SDK — pre-rejected as `TypeError`.
+     *   - `AttestryAPIError` (status 404) — systemId not found OR
+     *     systemId belongs to a different org (kernel collapses
+     *     cross-org systemId to 404); OR orgName not found.
+     *   - `AttestryAPIError` (status 500) — internal kernel error
+     *     (scrubbed message via `internalErrorResponse`).
+     *   - `AttestryError` ("request aborted by caller") — caller-supplied
+     *     `options.signal` fired (pre-aborted or mid-flight).
+     *   - `AttestryError` (P2 hardening) — kernel response failed
+     *     SDK-side shape validation (not an object, missing `systems`
+     *     array, missing `checkedAt` string).
+     *   - `AttestryAPIError` (P3 hardening) — kernel response had a
+     *     wrong Content-Type (transport-level guard before body parsing).
+     *   - `TypeError` (synchronous, no fetch issued) — input failed
+     *     SDK-side validation (null / array / non-object input,
+     *     neither systemId nor orgName provided, both provided, empty
+     *     string, non-string, lone surrogates).
+     *
+     * **Notably ABSENT**:
+     *   - **No 422** — no Zod schema; no closed enums in input.
+     *   - **No 413** — no body size limit (no body — GET).
+     *   - **No 402** — read-only, doesn't count against decisionsPerMonth quota.
+     *
+     * **SDK-side validation** (synchronous `TypeError`, no fetch
+     * issued):
+     *   - `input` itself: required; must be a non-null, non-array
+     *     object.
+     *   - `input.systemId` XOR `input.orgName`: exactly one must be
+     *     provided. Both = `TypeError` (stricter than kernel — D3).
+     *     Neither = `TypeError`.
+     *   - `input.systemId` (when provided): non-empty string.
+     *     Lone-surrogate guard via `assertEncodableQueryString`
+     *     (carry-forward invariant #32). UUID format NOT pre-validated
+     *     (D2 — kernel is the authority).
+     *   - `input.orgName` (when provided): non-empty string.
+     *     Lone-surrogate guard.
+     *
+     * **Response-shape validation** (P2 hardening):
+     *   - Rejects with `AttestryError` if the kernel response isn't a
+     *     non-null, non-array object.
+     *   - Rejects if `response.systems` isn't an array.
+     *   - Rejects if `response.checkedAt` isn't a string.
+     *   - Per-row shape (the 7-field `ComplianceCheckResult`) is
+     *     faithful-courier — NOT validated (P4 candidate).
+     *
+     * **Transport-shape validation** (P3 hardening):
+     *   - Rejects with `AttestryAPIError` if the kernel responds with
+     *     a non-`application/json` Content-Type — protects against
+     *     proxy-injected HTML 200 pages parsing into junk consumer
+     *     state.
+     *
+     * @example Compliance check by system UUID
+     * ```ts
+     * const result = await client.complianceCheck.check({
+     *   systemId: "11111111-1111-1111-1111-111111111111",
+     * });
+     * for (const system of result.systems) {
+     *   console.log(system.systemName, system.compliant, system.score);
+     * }
+     * ```
+     *
+     * @example Compliance check by org name (capped at 100 systems)
+     * ```ts
+     * const result = await client.complianceCheck.check({
+     *   orgName: "Acme Corp",
+     * });
+     * console.log(`${result.systems.length} systems checked at ${result.checkedAt}`);
+     * ```
+     */
+    check(input, options) {
+        // Top-level shape — input is REQUIRED (unlike auditLog.export /
+        // regulatoryChanges.list which accept undefined). typeof null ===
+        // "object" and typeof [] === "object", so guard both explicitly.
+        if (input === null ||
+            typeof input !== "object" ||
+            Array.isArray(input)) {
+            throw new TypeError("complianceCheck.check: `input` must be a non-null object with `systemId` or `orgName`");
+        }
+        // XOR check — snapshot each field's value EXACTLY ONCE up front,
+        // then operate only on the locals downstream. Three motivations:
+        //   1. **Prototype-pollution defense (hostile round H4)**:
+        //      `Object.prototype.systemId = "evil-uuid"` (set somewhere
+        //      else in the consumer's process) DOES NOT trick the SDK
+        //      into thinking systemId was provided when the user passed
+        //      `{orgName: "Acme"}`. `Object.hasOwn` only checks own
+        //      properties (ES2022, Node 16.9+ — well below the SDK's
+        //      Node 18 floor). Use the module-load snapshot
+        //      (`objectHasOwn`) so a late-loading dep that overrides the
+        //      global doesn't defeat the defense. Hostile-review LOW #2.
+        //   2. **TOCTOU defense (hostile-review LOW #1)**: a Proxy or
+        //      getter-defining input could yield DIFFERENT values across
+        //      multiple reads of the same field — the SDK would validate
+        //      one value and send another to the wire. Snapshotting once
+        //      collapses validate-then-send to a single read per field;
+        //      the validated value is provably the value sent.
+        //   3. An explicit `{systemId: "uuid", orgName: undefined}` (which
+        //      TS permits via the `orgName?: never` branch) is treated as
+        //      systemId-only — `objectHasOwn` says "yes, orgName is an
+        //      own property" but the value is `undefined`, so the
+        //      undefined-check filters it out.
+        //
+        // Each input field is read exactly once via the indexer below;
+        // every subsequent operation uses the local snapshot.
+        const systemIdRaw = objectHasOwn(input, "systemId")
+            ? readInputField(input, "systemId", "complianceCheck.check")
+            : undefined;
+        const orgNameRaw = objectHasOwn(input, "orgName")
+            ? readInputField(input, "orgName", "complianceCheck.check")
+            : undefined;
+        const hasSystemId = systemIdRaw !== undefined;
+        const hasOrgName = orgNameRaw !== undefined;
+        if (!hasSystemId && !hasOrgName) {
+            throw new TypeError("complianceCheck.check: must provide exactly one of `systemId` or `orgName`");
+        }
+        if (hasSystemId && hasOrgName) {
+            // **SDK is STRICTER than the kernel**. The kernel silently
+            // picks systemId when both are provided (route.ts:80-87).
+            // The SDK rejects to prevent shadow-of-orgName bugs that
+            // could otherwise pass kernel-side and produce confusing
+            // results (consumer expects orgName to take effect; gets
+            // systemId-shaped response). D3 / invariant candidate #46.
+            throw new TypeError("complianceCheck.check: provide either `systemId` or `orgName`, not both " +
+                "(kernel silently ignores `orgName` when both are present; SDK rejects " +
+                "synchronously to prevent shadow-of-orgName bugs)");
+        }
+        let validatedSystemId;
+        let validatedOrgName;
+        if (hasSystemId) {
+            if (typeof systemIdRaw !== "string" || systemIdRaw.length === 0) {
+                throw new TypeError("complianceCheck.check: `systemId` must be a non-empty string when provided");
+            }
+            // UUID format NOT pre-validated (D2 — kernel's `isValidUuid`
+            // is the authority). Lone-surrogate guard (#32) catches the
+            // URIError defect class.
+            assertEncodableQueryString(systemIdRaw, "systemId", "complianceCheck.check");
+            validatedSystemId = systemIdRaw;
+        }
+        else {
+            if (typeof orgNameRaw !== "string" || orgNameRaw.length === 0) {
+                throw new TypeError("complianceCheck.check: `orgName` must be a non-empty string when provided");
+            }
+            assertEncodableQueryString(orgNameRaw, "orgName", "complianceCheck.check");
+            validatedOrgName = orgNameRaw;
+        }
+        return this.client
+            ._request({
+            method: "GET",
+            path: "/api/v1/compliance-check",
+            query: {
+                systemId: validatedSystemId,
+                orgName: validatedOrgName,
+            },
+            options,
+        })
+            .then((result) => {
+            // P2 hardening: validate the kernel returned an object with
+            // the expected top-level shape. The route emits
+            // `successResponse({systems, checkedAt})` where systems is
+            // always an array (initialized as `[]` and populated via
+            // `.push`) and checkedAt is always a string
+            // (`new Date().toISOString()`). A kernel-side regression that
+            // breaks any of these invariants would let a malformed shape
+            // reach consumers, who would crash on `result.systems.length`
+            // or similar with a confusing TypeError. Catch at the SDK
+            // boundary with a clear AttestryError.
+            if (result === null ||
+                typeof result !== "object" ||
+                Array.isArray(result)) {
+                throw new AttestryError(`complianceCheck.check: expected an object response from the kernel (got ${describeType(result)})`);
+            }
+            const obj = result;
+            if (!Array.isArray(obj.systems)) {
+                throw new AttestryError(`complianceCheck.check: expected response.systems to be an array (got ${describeType(obj.systems)})`);
+            }
+            if (typeof obj.checkedAt !== "string") {
+                throw new AttestryError(`complianceCheck.check: expected response.checkedAt to be a string (got ${describeType(obj.checkedAt)})`);
+            }
+            return result;
+        });
+    }
+}
+/**
+ * Synchronously verify a query-string value is encodable via
+ * `encodeURIComponent`. Mirrors the helper in `decisions.ts`,
+ * `audit-log.ts`, and `regulatory-changes.ts` (carry-forward invariant
+ * #32 — URIError defect-class is uniformly handled).
+ *
+ * Duplicated rather than shared because cross-resource imports between
+ * leaf-resource modules would create graph-cycle hazards. A future
+ * SDK refactor may extract validation helpers to a shared module
+ * (e.g., `src/validate.ts`) when a fifth caller shows up; for now the
+ * duplication is intentional and documented.
+ */
+function assertEncodableQueryString(value, fieldName, methodName) {
+    try {
+        encodeURIComponent(value);
+    }
+    catch (err) {
+        throw new TypeError(`${methodName}: \`${fieldName}\` contains invalid UTF-16 sequences (${
+        // encodeURIComponent always throws URIError (an Error
+        // subclass), so the String(err) branch is unreachable.
+        // Defense-in-depth marker for the v8 coverage tool.
+        /* v8 ignore next */
+        err instanceof Error ? err.message : String(err)})`, { cause: err });
+    }
+}
+/**
+ * Human-readable type description for response-shape error messages.
+ * Distinguishes `null` and `array` from generic `object`.
+ *
+ * Duplicated in `decisions.ts`, `incidents.ts`, and
+ * `regulatory-changes.ts` per project pattern (small helper,
+ * leaf-resource modules, no shared module yet).
+ *
+ * In complianceCheck.check, `describeType` is invoked from THREE
+ * call sites:
+ *   1. Top-level "expected an object" error — value is null OR a
+ *      non-object scalar OR an array (the negation of "non-null
+ *      non-array object"). All three branches are reachable here.
+ *   2. "expected response.systems to be an array" — value is the
+ *      `systems` field, which can be anything but `Array`. All
+ *      branches reachable.
+ *   3. "expected response.checkedAt to be a string" — value is the
+ *      `checkedAt` field, which can be anything but `string`. All
+ *      branches reachable.
+ *
+ * Unlike regulatoryChanges.list (which only invokes describeType
+ * from the "not an array" path, making the array branch
+ * structurally unreachable in that call site), every branch here
+ * IS reachable. No v8-ignore-next marker needed on any branch.
+ */
+function describeType(value) {
+    if (value === null)
+        return "null";
+    if (Array.isArray(value))
+        return "array";
+    return typeof value;
+}
+//# sourceMappingURL=compliance-check.js.map

package/dist/resources/compliance-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compliance-check.js","sourceRoot":"","sources":["../../src/resources/compliance-check.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,EAAE;AACF,mDAAmD;AACnD,EAAE;AACF,mDAAmD;AACnD,oDAAoD;AACpD,EAAE;AACF,8DAA8D;AAC9D,4DAA4D;AAC5D,iEAAiE;AACjE,mEAAmE;AACnE,kEAAkE;AAClE,qEAAqE;AACrE,4BAA4B;AAC5B,EAAE;AACF,+DAA+D;AAC/D,yEAAyE;AACzE,sEAAsE;AACtE,qEAAqE;AACrE,+DAA+D;AAC/D,oEAAoE;AACpE,oEAAoE;AACpE,8DAA8D;AAC9D,qEAAqE;AACrE,sEAAsE;AACtE,kEAAkE;AAClE,oDAAoD;AACpD,2DAA2D;AAC3D,EAAE;AACF,oEAAoE;AACpE,uEAAuE;AACvE,oEAAoE;AACpE,uEAAuE;AACvE,8DAA8D;AAC9D,qEAAqE;AACrE,iEAAiE;AACjE,EAAE;AACF,+DAA+D;AAC/D,mEAAmE;AACnE,mEAAmE;AACnE,4DAA4D;AAC5D,gEAAgE;AAChE,2CAA2C;AAC3C,EAAE;AACF,kEAAkE;AAClE,mEAAmE;AACnE,qEAAqE;AACrE,sEAAsE;AACtE,kEAAkE;AAClE,2BAA2B;AAC3B,EAAE;AACF,+DAA+D;AAC/D,iEAAiE;AACjE,oEAAoE;AACpE,kCAAkC;AAClC,sCAAsC;AAGtC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,8DAA8D;AAC9D,sEAAsE;AACtE,qEAAqE;AACrE,8DAA8D;AAC9D,sEAAsE;AACtE,iEAAiE;AACjE,qCAAqC;AACrC,EAAE;AACF,iEAAiE;AACjE,kEAAkE;AAClE,uDAAuD;AACvD,kEAAkE;AAClE,uDAAuD;AACvD,+DAA+D;AAC/D,iEAAiE;AACjE,SAAS;AACT,EAAE;AACF,8CAA8C;AAC9C,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC;AAoLnC;;;;;;;GAOG;AACH,MAAM,OAAO,uBAAuB;IACL;IAA7B,YAA6B,MAAsB;QAAtB,WAAM,GAAN,MAAM,CAAgB;IAAG,CAAC;IAEvD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA6IG;IACH,KAAK,CACH,KAA2B,EAC3B,OAAwB;QAExB,gEAAgE;QAChE,kEAAkE;QAClE,iEAAiE;QACjE,IACE,KAAK,KAAK,IAAI;YACd,OAAO,KAAK,KAAK,QAAQ;YACzB,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EACpB,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,uFAAuF,CACxF,CAAC;QACJ,CAAC;QAED,iEAAiE;QACjE,iEAAiE;QACjE,2DAA2D;QAC3D,gEAAgE;QAChE,8DAA8D;QAC9D,gEAAgE;QAChE,4DAA4D;QAC5D,6DAA6D;QAC7D,oDAAoD;QACpD,iEAAiE;QACjE,iEAAiE;QACjE,8DAA8D;QAC9D,iEAAiE;QACjE,iEAAiE;QACjE,iEAAiE;QACjE,gEAAgE;QAChE,uDAAuD;QACvD,mEAAmE;QACnE,kEAAkE;QAClE,+DAA+D;QAC/D,0DAA0D;QAC1D,uCAAuC;QACvC,EAAE;QACF,+DAA+D;QAC/D,sDAAsD;QACtD,MAAM,WAAW,GAAY,YAAY,CAAC,KAAK,EAAE,UAAU,CAAC;YAC1D,CAAC,CAAC,cAAc,CAAC,KAAK,EAAE,UAAU,EAAE,uBAAuB,CAAC;YAC5D,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,UAAU,GAAY,YAAY,CAAC,KAAK,EAAE,SAAS,CAAC;YACxD,CAAC,CAAC,cAAc,CAAC,KAAK,EAAE,SAAS,EAAE,uBAAuB,CAAC;YAC3D,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,WAAW,GAAG,WAAW,KAAK,SAAS,CAAC;QAC9C,MAAM,UAAU,GAAG,UAAU,KAAK,SAAS,CAAC;QAE5C,IAAI,CAAC,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;YAChC,MAAM,IAAI,SAAS,CACjB,4EAA4E,CAC7E,CAAC;QACJ,CAAC;QACD,IAAI,WAAW,IAAI,UAAU,EAAE,CAAC;YAC9B,2DAA2D;YAC3D,0DAA0D;YAC1D,yDAAyD;YACzD,yDAAyD;YACzD,yDAAyD;YACzD,2DAA2D;YAC3D,MAAM,IAAI,SAAS,CACjB,0EAA0E;gBACxE,wEAAwE;gBACxE,kDAAkD,CACrD,CAAC;QACJ,CAAC;QAED,IAAI,iBAAqC,CAAC;QAC1C,IAAI,gBAAoC,CAAC;QAEzC,IAAI,WAAW,EAAE,CAAC;YAChB,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChE,MAAM,IAAI,SAAS,CACjB,4EAA4E,CAC7E,CAAC;YACJ,CAAC;YACD,6DAA6D;YAC7D,4DAA4D;YAC5D,yBAAyB;YACzB,0BAA0B,CAAC,WAAW,EAAE,UAAU,EAAE,uBAAuB,CAAC,CAAC;YAC7E,iBAAiB,GAAG,WAAW,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9D,MAAM,IAAI,SAAS,CACjB,2EAA2E,CAC5E,CAAC;YACJ,CAAC;YACD,0BAA0B,CAAC,UAAU,EAAE,SAAS,EAAE,uBAAuB,CAAC,CAAC;YAC3E,gBAAgB,GAAG,UAAU,CAAC;QAChC,CAAC;QAED,OAAO,IAAI,CAAC,MAAM;aACf,QAAQ,CAA0B;YACjC,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,0BAA0B;YAChC,KAAK,EAAE;gBACL,QAAQ,EAAE,iBAAiB;gBAC3B,OAAO,EAAE,gBAAgB;aAC1B;YACD,OAAO;SACR,CAAC;aACD,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;YACf,4DAA4D;YAC5D,gDAAgD;YAChD,2DAA2D;YAC3D,yDAAyD;YACzD,4CAA4C;YAC5C,8DAA8D;YAC9D,6DAA6D;YAC7D,8DAA8D;YAC9D,0DAA0D;YAC1D,uCAAuC;YACvC,IACE,MAAM,KAAK,IAAI;gBACf,OAAO,MAAM,KAAK,QAAQ;gBAC1B,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EACrB,CAAC;gBACD,MAAM,IAAI,aAAa,CACrB,2EAA2E,YAAY,CAAC,MAAM,CAAC,GAAG,CACnG,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,GAAG,MAA4C,CAAC;YACzD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChC,MAAM,IAAI,aAAa,CACrB,wEAAwE,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CACrG,CAAC;YACJ,CAAC;YACD,IAAI,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;gBACtC,MAAM,IAAI,aAAa,CACrB,0EAA0E,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CACzG,CAAC;YACJ,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC,CAAC;IACP,CAAC;CACF;AAED;;;;;;;;;;;GAWG;AACH,SAAS,0BAA0B,CACjC,KAAa,EACb,SAAiB,EACjB,UAAkB;IAElB,IAAI,CAAC;QACH,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,SAAS,CACjB,GAAG,UAAU,OAAO,SAAS,yCAAyC;QACpE,sDAAsD;QACtD,uDAAuD;QACvD,oDAAoD;QACpD,oBAAoB;QACpB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CACjD,GAAG,EACH,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,OAAO,CAAC;IACzC,OAAO,OAAO,KAAK,CAAC;AACtB,CAAC"}