@atxp/client 0.10.2 → 0.10.4

package/dist/node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","sources":["../../../../../../../../../node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js"],"sourcesContent":["import pkceChallenge from \"pkce-challenge\";\nimport { LATEST_PROTOCOL_VERSION } from \"../types.js\";\nimport { OAuthErrorResponseSchema, OpenIdProviderDiscoveryMetadataSchema } from \"../shared/auth.js\";\nimport { OAuthClientInformationFullSchema, OAuthMetadataSchema, OAuthProtectedResourceMetadataSchema, OAuthTokensSchema } from \"../shared/auth.js\";\nimport { checkResourceAllowed, resourceUrlFromServerUrl } from \"../shared/auth-utils.js\";\nimport { InvalidClientError, InvalidGrantError, OAUTH_ERRORS, OAuthError, ServerError, UnauthorizedClientError } from \"../server/auth/errors.js\";\nexport class UnauthorizedError extends Error {\n    constructor(message) {\n        super(message !== null && message !== void 0 ? message : \"Unauthorized\");\n    }\n}\n/**\n * Determines the best client authentication method to use based on server support and client configuration.\n *\n * Priority order (highest to lowest):\n * 1. client_secret_basic (if client secret is available)\n * 2. client_secret_post (if client secret is available)\n * 3. none (for public clients)\n *\n * @param clientInformation - OAuth client information containing credentials\n * @param supportedMethods - Authentication methods supported by the authorization server\n * @returns The selected authentication method\n */\nfunction selectClientAuthMethod(clientInformation, supportedMethods) {\n    const hasClientSecret = clientInformation.client_secret !== undefined;\n    // If server doesn't specify supported methods, use RFC 6749 defaults\n    if (supportedMethods.length === 0) {\n        return hasClientSecret ? \"client_secret_post\" : \"none\";\n    }\n    // Try methods in priority order (most secure first)\n    if (hasClientSecret && supportedMethods.includes(\"client_secret_basic\")) {\n        return \"client_secret_basic\";\n    }\n    if (hasClientSecret && supportedMethods.includes(\"client_secret_post\")) {\n        return \"client_secret_post\";\n    }\n    if (supportedMethods.includes(\"none\")) {\n        return \"none\";\n    }\n    // Fallback: use what we have\n    return hasClientSecret ? \"client_secret_post\" : \"none\";\n}\n/**\n * Applies client authentication to the request based on the specified method.\n *\n * Implements OAuth 2.1 client authentication methods:\n * - client_secret_basic: HTTP Basic authentication (RFC 6749 Section 2.3.1)\n * - client_secret_post: Credentials in request body (RFC 6749 Section 2.3.1)\n * - none: Public client authentication (RFC 6749 Section 2.1)\n *\n * @param method - The authentication method to use\n * @param clientInformation - OAuth client information containing credentials\n * @param headers - HTTP headers object to modify\n * @param params - URL search parameters to modify\n * @throws {Error} When required credentials are missing\n */\nfunction applyClientAuthentication(method, clientInformation, headers, params) {\n    const { client_id, client_secret } = clientInformation;\n    switch (method) {\n        case \"client_secret_basic\":\n            applyBasicAuth(client_id, client_secret, headers);\n            return;\n        case \"client_secret_post\":\n            applyPostAuth(client_id, client_secret, params);\n            return;\n        case \"none\":\n            applyPublicAuth(client_id, params);\n            return;\n        default:\n            throw new Error(`Unsupported client authentication method: ${method}`);\n    }\n}\n/**\n * Applies HTTP Basic authentication (RFC 6749 Section 2.3.1)\n */\nfunction applyBasicAuth(clientId, clientSecret, headers) {\n    if (!clientSecret) {\n        throw new Error(\"client_secret_basic authentication requires a client_secret\");\n    }\n    const credentials = btoa(`${clientId}:${clientSecret}`);\n    headers.set(\"Authorization\", `Basic ${credentials}`);\n}\n/**\n * Applies POST body authentication (RFC 6749 Section 2.3.1)\n */\nfunction applyPostAuth(clientId, clientSecret, params) {\n    params.set(\"client_id\", clientId);\n    if (clientSecret) {\n        params.set(\"client_secret\", clientSecret);\n    }\n}\n/**\n * Applies public client authentication (RFC 6749 Section 2.1)\n */\nfunction applyPublicAuth(clientId, params) {\n    params.set(\"client_id\", clientId);\n}\n/**\n * Parses an OAuth error response from a string or Response object.\n *\n * If the input is a standard OAuth2.0 error response, it will be parsed according to the spec\n * and an instance of the appropriate OAuthError subclass will be returned.\n * If parsing fails, it falls back to a generic ServerError that includes\n * the response status (if available) and original content.\n *\n * @param input - A Response object or string containing the error response\n * @returns A Promise that resolves to an OAuthError instance\n */\nexport async function parseErrorResponse(input) {\n    const statusCode = input instanceof Response ? input.status : undefined;\n    const body = input instanceof Response ? await input.text() : input;\n    try {\n        const result = OAuthErrorResponseSchema.parse(JSON.parse(body));\n        const { error, error_description, error_uri } = result;\n        const errorClass = OAUTH_ERRORS[error] || ServerError;\n        return new errorClass(error_description || '', error_uri);\n    }\n    catch (error) {\n        // Not a valid OAuth error response, but try to inform the user of the raw data anyway\n        const errorMessage = `${statusCode ? `HTTP ${statusCode}: ` : ''}Invalid OAuth error response: ${error}. Raw body: ${body}`;\n        return new ServerError(errorMessage);\n    }\n}\n/**\n * Orchestrates the full auth flow with a server.\n *\n * This can be used as a single entry point for all authorization functionality,\n * instead of linking together the other lower-level functions in this module.\n */\nexport async function auth(provider, options) {\n    var _a, _b;\n    try {\n        return await authInternal(provider, options);\n    }\n    catch (error) {\n        // Handle recoverable error types by invalidating credentials and retrying\n        if (error instanceof InvalidClientError || error instanceof UnauthorizedClientError) {\n            await ((_a = provider.invalidateCredentials) === null || _a === void 0 ? void 0 : _a.call(provider, 'all'));\n            return await authInternal(provider, options);\n        }\n        else if (error instanceof InvalidGrantError) {\n            await ((_b = provider.invalidateCredentials) === null || _b === void 0 ? void 0 : _b.call(provider, 'tokens'));\n            return await authInternal(provider, options);\n        }\n        // Throw otherwise\n        throw error;\n    }\n}\nasync function authInternal(provider, { serverUrl, authorizationCode, scope, resourceMetadataUrl, fetchFn, }) {\n    let resourceMetadata;\n    let authorizationServerUrl;\n    try {\n        resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl }, fetchFn);\n        if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {\n            authorizationServerUrl = resourceMetadata.authorization_servers[0];\n        }\n    }\n    catch (_a) {\n        // Ignore errors and fall back to /.well-known/oauth-authorization-server\n    }\n    /**\n     * If we don't get a valid authorization server metadata from protected resource metadata,\n     * fallback to the legacy MCP spec's implementation (version 2025-03-26): MCP server acts as the Authorization server.\n     */\n    if (!authorizationServerUrl) {\n        authorizationServerUrl = serverUrl;\n    }\n    const resource = await selectResourceURL(serverUrl, provider, resourceMetadata);\n    const metadata = await discoverAuthorizationServerMetadata(authorizationServerUrl, {\n        fetchFn,\n    });\n    // Handle client registration if needed\n    let clientInformation = await Promise.resolve(provider.clientInformation());\n    if (!clientInformation) {\n        if (authorizationCode !== undefined) {\n            throw new Error(\"Existing OAuth client information is required when exchanging an authorization code\");\n        }\n        if (!provider.saveClientInformation) {\n            throw new Error(\"OAuth client information must be saveable for dynamic registration\");\n        }\n        const fullInformation = await registerClient(authorizationServerUrl, {\n            metadata,\n            clientMetadata: provider.clientMetadata,\n            fetchFn,\n        });\n        await provider.saveClientInformation(fullInformation);\n        clientInformation = fullInformation;\n    }\n    // Exchange authorization code for tokens\n    if (authorizationCode !== undefined) {\n        const codeVerifier = await provider.codeVerifier();\n        const tokens = await exchangeAuthorization(authorizationServerUrl, {\n            metadata,\n            clientInformation,\n            authorizationCode,\n            codeVerifier,\n            redirectUri: provider.redirectUrl,\n            resource,\n            addClientAuthentication: provider.addClientAuthentication,\n            fetchFn: fetchFn,\n        });\n        await provider.saveTokens(tokens);\n        return \"AUTHORIZED\";\n    }\n    const tokens = await provider.tokens();\n    // Handle token refresh or new authorization\n    if (tokens === null || tokens === void 0 ? void 0 : tokens.refresh_token) {\n        try {\n            // Attempt to refresh the token\n            const newTokens = await refreshAuthorization(authorizationServerUrl, {\n                metadata,\n                clientInformation,\n                refreshToken: tokens.refresh_token,\n                resource,\n                addClientAuthentication: provider.addClientAuthentication,\n                fetchFn,\n            });\n            await provider.saveTokens(newTokens);\n            return \"AUTHORIZED\";\n        }\n        catch (error) {\n            // If this is a ServerError, or an unknown type, log it out and try to continue. Otherwise, escalate so we can fix things and retry.\n            if (!(error instanceof OAuthError) || error instanceof ServerError) {\n                // Could not refresh OAuth tokens\n            }\n            else {\n                // Refresh failed for another reason, re-throw\n                throw error;\n            }\n        }\n    }\n    const state = provider.state ? await provider.state() : undefined;\n    // Start new authorization flow\n    const { authorizationUrl, codeVerifier } = await startAuthorization(authorizationServerUrl, {\n        metadata,\n        clientInformation,\n        state,\n        redirectUrl: provider.redirectUrl,\n        scope: scope || provider.clientMetadata.scope,\n        resource,\n    });\n    await provider.saveCodeVerifier(codeVerifier);\n    await provider.redirectToAuthorization(authorizationUrl);\n    return \"REDIRECT\";\n}\nexport async function selectResourceURL(serverUrl, provider, resourceMetadata) {\n    const defaultResource = resourceUrlFromServerUrl(serverUrl);\n    // If provider has custom validation, delegate to it\n    if (provider.validateResourceURL) {\n        return await provider.validateResourceURL(defaultResource, resourceMetadata === null || resourceMetadata === void 0 ? void 0 : resourceMetadata.resource);\n    }\n    // Only include resource parameter when Protected Resource Metadata is present\n    if (!resourceMetadata) {\n        return undefined;\n    }\n    // Validate that the metadata's resource is compatible with our request\n    if (!checkResourceAllowed({ requestedResource: defaultResource, configuredResource: resourceMetadata.resource })) {\n        throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${defaultResource} (or origin)`);\n    }\n    // Prefer the resource from metadata since it's what the server is telling us to request\n    return new URL(resourceMetadata.resource);\n}\n/**\n * Extract resource_metadata from response header.\n */\nexport function extractResourceMetadataUrl(res) {\n    const authenticateHeader = res.headers.get(\"WWW-Authenticate\");\n    if (!authenticateHeader) {\n        return undefined;\n    }\n    const [type, scheme] = authenticateHeader.split(' ');\n    if (type.toLowerCase() !== 'bearer' || !scheme) {\n        return undefined;\n    }\n    const regex = /resource_metadata=\"([^\"]*)\"/;\n    const match = regex.exec(authenticateHeader);\n    if (!match) {\n        return undefined;\n    }\n    try {\n        return new URL(match[1]);\n    }\n    catch (_a) {\n        return undefined;\n    }\n}\n/**\n * Looks up RFC 9728 OAuth 2.0 Protected Resource Metadata.\n *\n * If the server returns a 404 for the well-known endpoint, this function will\n * return `undefined`. Any other errors will be thrown as exceptions.\n */\nexport async function discoverOAuthProtectedResourceMetadata(serverUrl, opts, fetchFn = fetch) {\n    const response = await discoverMetadataWithFallback(serverUrl, 'oauth-protected-resource', fetchFn, {\n        protocolVersion: opts === null || opts === void 0 ? void 0 : opts.protocolVersion,\n        metadataUrl: opts === null || opts === void 0 ? void 0 : opts.resourceMetadataUrl,\n    });\n    if (!response || response.status === 404) {\n        throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);\n    }\n    if (!response.ok) {\n        throw new Error(`HTTP ${response.status} trying to load well-known OAuth protected resource metadata.`);\n    }\n    return OAuthProtectedResourceMetadataSchema.parse(await response.json());\n}\n/**\n * Helper function to handle fetch with CORS retry logic\n */\nasync function fetchWithCorsRetry(url, headers, fetchFn = fetch) {\n    try {\n        return await fetchFn(url, { headers });\n    }\n    catch (error) {\n        if (error instanceof TypeError) {\n            if (headers) {\n                // CORS errors come back as TypeError, retry without headers\n                return fetchWithCorsRetry(url, undefined, fetchFn);\n            }\n            else {\n                // We're getting CORS errors on retry too, return undefined\n                return undefined;\n            }\n        }\n        throw error;\n    }\n}\n/**\n * Constructs the well-known path for auth-related metadata discovery\n */\nfunction buildWellKnownPath(wellKnownPrefix, pathname = '', options = {}) {\n    // Strip trailing slash from pathname to avoid double slashes\n    if (pathname.endsWith('/')) {\n        pathname = pathname.slice(0, -1);\n    }\n    return options.prependPathname\n        ? `${pathname}/.well-known/${wellKnownPrefix}`\n        : `/.well-known/${wellKnownPrefix}${pathname}`;\n}\n/**\n * Tries to discover OAuth metadata at a specific URL\n */\nasync function tryMetadataDiscovery(url, protocolVersion, fetchFn = fetch) {\n    const headers = {\n        \"MCP-Protocol-Version\": protocolVersion\n    };\n    return await fetchWithCorsRetry(url, headers, fetchFn);\n}\n/**\n * Determines if fallback to root discovery should be attempted\n */\nfunction shouldAttemptFallback(response, pathname) {\n    return !response || (response.status >= 400 && response.status < 500) && pathname !== '/';\n}\n/**\n * Generic function for discovering OAuth metadata with fallback support\n */\nasync function discoverMetadataWithFallback(serverUrl, wellKnownType, fetchFn, opts) {\n    var _a, _b;\n    const issuer = new URL(serverUrl);\n    const protocolVersion = (_a = opts === null || opts === void 0 ? void 0 : opts.protocolVersion) !== null && _a !== void 0 ? _a : LATEST_PROTOCOL_VERSION;\n    let url;\n    if (opts === null || opts === void 0 ? void 0 : opts.metadataUrl) {\n        url = new URL(opts.metadataUrl);\n    }\n    else {\n        // Try path-aware discovery first\n        const wellKnownPath = buildWellKnownPath(wellKnownType, issuer.pathname);\n        url = new URL(wellKnownPath, (_b = opts === null || opts === void 0 ? void 0 : opts.metadataServerUrl) !== null && _b !== void 0 ? _b : issuer);\n        url.search = issuer.search;\n    }\n    let response = await tryMetadataDiscovery(url, protocolVersion, fetchFn);\n    // If path-aware discovery fails with 404 and we're not already at root, try fallback to root discovery\n    if (!(opts === null || opts === void 0 ? void 0 : opts.metadataUrl) && shouldAttemptFallback(response, issuer.pathname)) {\n        const rootUrl = new URL(`/.well-known/${wellKnownType}`, issuer);\n        response = await tryMetadataDiscovery(rootUrl, protocolVersion, fetchFn);\n    }\n    return response;\n}\n/**\n * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata.\n *\n * If the server returns a 404 for the well-known endpoint, this function will\n * return `undefined`. Any other errors will be thrown as exceptions.\n *\n * @deprecated This function is deprecated in favor of `discoverAuthorizationServerMetadata`.\n */\nexport async function discoverOAuthMetadata(issuer, { authorizationServerUrl, protocolVersion, } = {}, fetchFn = fetch) {\n    if (typeof issuer === 'string') {\n        issuer = new URL(issuer);\n    }\n    if (!authorizationServerUrl) {\n        authorizationServerUrl = issuer;\n    }\n    if (typeof authorizationServerUrl === 'string') {\n        authorizationServerUrl = new URL(authorizationServerUrl);\n    }\n    protocolVersion !== null && protocolVersion !== void 0 ? protocolVersion : (protocolVersion = LATEST_PROTOCOL_VERSION);\n    const response = await discoverMetadataWithFallback(authorizationServerUrl, 'oauth-authorization-server', fetchFn, {\n        protocolVersion,\n        metadataServerUrl: authorizationServerUrl,\n    });\n    if (!response || response.status === 404) {\n        return undefined;\n    }\n    if (!response.ok) {\n        throw new Error(`HTTP ${response.status} trying to load well-known OAuth metadata`);\n    }\n    return OAuthMetadataSchema.parse(await response.json());\n}\n/**\n * Builds a list of discovery URLs to try for authorization server metadata.\n * URLs are returned in priority order:\n * 1. OAuth metadata at the given URL\n * 2. OAuth metadata at root (if URL has path)\n * 3. OIDC metadata endpoints\n */\nexport function buildDiscoveryUrls(authorizationServerUrl) {\n    const url = typeof authorizationServerUrl === 'string' ? new URL(authorizationServerUrl) : authorizationServerUrl;\n    const hasPath = url.pathname !== '/';\n    const urlsToTry = [];\n    if (!hasPath) {\n        // Root path: https://example.com/.well-known/oauth-authorization-server\n        urlsToTry.push({\n            url: new URL('/.well-known/oauth-authorization-server', url.origin),\n            type: 'oauth'\n        });\n        // OIDC: https://example.com/.well-known/openid-configuration\n        urlsToTry.push({\n            url: new URL(`/.well-known/openid-configuration`, url.origin),\n            type: 'oidc'\n        });\n        return urlsToTry;\n    }\n    // Strip trailing slash from pathname to avoid double slashes\n    let pathname = url.pathname;\n    if (pathname.endsWith('/')) {\n        pathname = pathname.slice(0, -1);\n    }\n    // 1. OAuth metadata at the given URL\n    // Insert well-known before the path: https://example.com/.well-known/oauth-authorization-server/tenant1\n    urlsToTry.push({\n        url: new URL(`/.well-known/oauth-authorization-server${pathname}`, url.origin),\n        type: 'oauth'\n    });\n    // Root path: https://example.com/.well-known/oauth-authorization-server\n    urlsToTry.push({\n        url: new URL('/.well-known/oauth-authorization-server', url.origin),\n        type: 'oauth'\n    });\n    // 3. OIDC metadata endpoints\n    // RFC 8414 style: Insert /.well-known/openid-configuration before the path\n    urlsToTry.push({\n        url: new URL(`/.well-known/openid-configuration${pathname}`, url.origin),\n        type: 'oidc'\n    });\n    // OIDC Discovery 1.0 style: Append /.well-known/openid-configuration after the path\n    urlsToTry.push({\n        url: new URL(`${pathname}/.well-known/openid-configuration`, url.origin),\n        type: 'oidc'\n    });\n    return urlsToTry;\n}\n/**\n * Discovers authorization server metadata with support for RFC 8414 OAuth 2.0 Authorization Server Metadata\n * and OpenID Connect Discovery 1.0 specifications.\n *\n * This function implements a fallback strategy for authorization server discovery:\n * 1. Attempts RFC 8414 OAuth metadata discovery first\n * 2. If OAuth discovery fails, falls back to OpenID Connect Discovery\n *\n * @param authorizationServerUrl - The authorization server URL obtained from the MCP Server's\n *                                 protected resource metadata, or the MCP server's URL if the\n *                                 metadata was not found.\n * @param options - Configuration options\n * @param options.fetchFn - Optional fetch function for making HTTP requests, defaults to global fetch\n * @param options.protocolVersion - MCP protocol version to use, defaults to LATEST_PROTOCOL_VERSION\n * @returns Promise resolving to authorization server metadata, or undefined if discovery fails\n */\nexport async function discoverAuthorizationServerMetadata(authorizationServerUrl, { fetchFn = fetch, protocolVersion = LATEST_PROTOCOL_VERSION, } = {}) {\n    var _a;\n    const headers = { 'MCP-Protocol-Version': protocolVersion };\n    // Get the list of URLs to try\n    const urlsToTry = buildDiscoveryUrls(authorizationServerUrl);\n    // Try each URL in order\n    for (const { url: endpointUrl, type } of urlsToTry) {\n        const response = await fetchWithCorsRetry(endpointUrl, headers, fetchFn);\n        if (!response) {\n            /**\n             * CORS error occurred - don't throw as the endpoint may not allow CORS,\n             * continue trying other possible endpoints\n             */\n            continue;\n        }\n        if (!response.ok) {\n            // Continue looking for any 4xx response code.\n            if (response.status >= 400 && response.status < 500) {\n                continue; // Try next URL\n            }\n            throw new Error(`HTTP ${response.status} trying to load ${type === 'oauth' ? 'OAuth' : 'OpenID provider'} metadata from ${endpointUrl}`);\n        }\n        // Parse and validate based on type\n        if (type === 'oauth') {\n            return OAuthMetadataSchema.parse(await response.json());\n        }\n        else {\n            const metadata = OpenIdProviderDiscoveryMetadataSchema.parse(await response.json());\n            // MCP spec requires OIDC providers to support S256 PKCE\n            if (!((_a = metadata.code_challenge_methods_supported) === null || _a === void 0 ? void 0 : _a.includes('S256'))) {\n                throw new Error(`Incompatible OIDC provider at ${endpointUrl}: does not support S256 code challenge method required by MCP specification`);\n            }\n            return metadata;\n        }\n    }\n    return undefined;\n}\n/**\n * Begins the authorization flow with the given server, by generating a PKCE challenge and constructing the authorization URL.\n */\nexport async function startAuthorization(authorizationServerUrl, { metadata, clientInformation, redirectUrl, scope, state, resource, }) {\n    const responseType = \"code\";\n    const codeChallengeMethod = \"S256\";\n    let authorizationUrl;\n    if (metadata) {\n        authorizationUrl = new URL(metadata.authorization_endpoint);\n        if (!metadata.response_types_supported.includes(responseType)) {\n            throw new Error(`Incompatible auth server: does not support response type ${responseType}`);\n        }\n        if (!metadata.code_challenge_methods_supported ||\n            !metadata.code_challenge_methods_supported.includes(codeChallengeMethod)) {\n            throw new Error(`Incompatible auth server: does not support code challenge method ${codeChallengeMethod}`);\n        }\n    }\n    else {\n        authorizationUrl = new URL(\"/authorize\", authorizationServerUrl);\n    }\n    // Generate PKCE challenge\n    const challenge = await pkceChallenge();\n    const codeVerifier = challenge.code_verifier;\n    const codeChallenge = challenge.code_challenge;\n    authorizationUrl.searchParams.set(\"response_type\", responseType);\n    authorizationUrl.searchParams.set(\"client_id\", clientInformation.client_id);\n    authorizationUrl.searchParams.set(\"code_challenge\", codeChallenge);\n    authorizationUrl.searchParams.set(\"code_challenge_method\", codeChallengeMethod);\n    authorizationUrl.searchParams.set(\"redirect_uri\", String(redirectUrl));\n    if (state) {\n        authorizationUrl.searchParams.set(\"state\", state);\n    }\n    if (scope) {\n        authorizationUrl.searchParams.set(\"scope\", scope);\n    }\n    if (scope === null || scope === void 0 ? void 0 : scope.includes(\"offline_access\")) {\n        // if the request includes the OIDC-only \"offline_access\" scope,\n        // we need to set the prompt to \"consent\" to ensure the user is prompted to grant offline access\n        // https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess\n        authorizationUrl.searchParams.append(\"prompt\", \"consent\");\n    }\n    if (resource) {\n        authorizationUrl.searchParams.set(\"resource\", resource.href);\n    }\n    return { authorizationUrl, codeVerifier };\n}\n/**\n * Exchanges an authorization code for an access token with the given server.\n *\n * Supports multiple client authentication methods as specified in OAuth 2.1:\n * - Automatically selects the best authentication method based on server support\n * - Falls back to appropriate defaults when server metadata is unavailable\n *\n * @param authorizationServerUrl - The authorization server's base URL\n * @param options - Configuration object containing client info, auth code, etc.\n * @returns Promise resolving to OAuth tokens\n * @throws {Error} When token exchange fails or authentication is invalid\n */\nexport async function exchangeAuthorization(authorizationServerUrl, { metadata, clientInformation, authorizationCode, codeVerifier, redirectUri, resource, addClientAuthentication, fetchFn, }) {\n    var _a;\n    const grantType = \"authorization_code\";\n    const tokenUrl = (metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint)\n        ? new URL(metadata.token_endpoint)\n        : new URL(\"/token\", authorizationServerUrl);\n    if ((metadata === null || metadata === void 0 ? void 0 : metadata.grant_types_supported) &&\n        !metadata.grant_types_supported.includes(grantType)) {\n        throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);\n    }\n    // Exchange code for tokens\n    const headers = new Headers({\n        \"Content-Type\": \"application/x-www-form-urlencoded\",\n        \"Accept\": \"application/json\",\n    });\n    const params = new URLSearchParams({\n        grant_type: grantType,\n        code: authorizationCode,\n        code_verifier: codeVerifier,\n        redirect_uri: String(redirectUri),\n    });\n    if (addClientAuthentication) {\n        addClientAuthentication(headers, params, authorizationServerUrl, metadata);\n    }\n    else {\n        // Determine and apply client authentication method\n        const supportedMethods = (_a = metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint_auth_methods_supported) !== null && _a !== void 0 ? _a : [];\n        const authMethod = selectClientAuthMethod(clientInformation, supportedMethods);\n        applyClientAuthentication(authMethod, clientInformation, headers, params);\n    }\n    if (resource) {\n        params.set(\"resource\", resource.href);\n    }\n    const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(tokenUrl, {\n        method: \"POST\",\n        headers,\n        body: params,\n    });\n    if (!response.ok) {\n        throw await parseErrorResponse(response);\n    }\n    return OAuthTokensSchema.parse(await response.json());\n}\n/**\n * Exchange a refresh token for an updated access token.\n *\n * Supports multiple client authentication methods as specified in OAuth 2.1:\n * - Automatically selects the best authentication method based on server support\n * - Preserves the original refresh token if a new one is not returned\n *\n * @param authorizationServerUrl - The authorization server's base URL\n * @param options - Configuration object containing client info, refresh token, etc.\n * @returns Promise resolving to OAuth tokens (preserves original refresh_token if not replaced)\n * @throws {Error} When token refresh fails or authentication is invalid\n */\nexport async function refreshAuthorization(authorizationServerUrl, { metadata, clientInformation, refreshToken, resource, addClientAuthentication, fetchFn, }) {\n    var _a;\n    const grantType = \"refresh_token\";\n    let tokenUrl;\n    if (metadata) {\n        tokenUrl = new URL(metadata.token_endpoint);\n        if (metadata.grant_types_supported &&\n            !metadata.grant_types_supported.includes(grantType)) {\n            throw new Error(`Incompatible auth server: does not support grant type ${grantType}`);\n        }\n    }\n    else {\n        tokenUrl = new URL(\"/token\", authorizationServerUrl);\n    }\n    // Exchange refresh token\n    const headers = new Headers({\n        \"Content-Type\": \"application/x-www-form-urlencoded\",\n    });\n    const params = new URLSearchParams({\n        grant_type: grantType,\n        refresh_token: refreshToken,\n    });\n    if (addClientAuthentication) {\n        addClientAuthentication(headers, params, authorizationServerUrl, metadata);\n    }\n    else {\n        // Determine and apply client authentication method\n        const supportedMethods = (_a = metadata === null || metadata === void 0 ? void 0 : metadata.token_endpoint_auth_methods_supported) !== null && _a !== void 0 ? _a : [];\n        const authMethod = selectClientAuthMethod(clientInformation, supportedMethods);\n        applyClientAuthentication(authMethod, clientInformation, headers, params);\n    }\n    if (resource) {\n        params.set(\"resource\", resource.href);\n    }\n    const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(tokenUrl, {\n        method: \"POST\",\n        headers,\n        body: params,\n    });\n    if (!response.ok) {\n        throw await parseErrorResponse(response);\n    }\n    return OAuthTokensSchema.parse({ refresh_token: refreshToken, ...(await response.json()) });\n}\n/**\n * Performs OAuth 2.0 Dynamic Client Registration according to RFC 7591.\n */\nexport async function registerClient(authorizationServerUrl, { metadata, clientMetadata, fetchFn, }) {\n    let registrationUrl;\n    if (metadata) {\n        if (!metadata.registration_endpoint) {\n            throw new Error(\"Incompatible auth server: does not support dynamic client registration\");\n        }\n        registrationUrl = new URL(metadata.registration_endpoint);\n    }\n    else {\n        registrationUrl = new URL(\"/register\", authorizationServerUrl);\n    }\n    const response = await (fetchFn !== null && fetchFn !== void 0 ? fetchFn : fetch)(registrationUrl, {\n        method: \"POST\",\n        headers: {\n            \"Content-Type\": \"application/json\",\n        },\n        body: JSON.stringify(clientMetadata),\n    });\n    if (!response.ok) {\n        throw await parseErrorResponse(response);\n    }\n    return OAuthClientInformationFullSchema.parse(await response.json());\n}\n//# sourceMappingURL=auth.js.map"],"names":[],"mappings":";;;;;;AAMO,MAAM,iBAAiB,SAAS,KAAK,CAAC;AAC7C,IAAI,WAAW,CAAC,OAAO,EAAE;AACzB,QAAQ,KAAK,CAAC,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,MAAM,GAAG,OAAO,GAAG,cAAc,CAAC;AAChF,IAAI;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,sBAAsB,CAAC,iBAAiB,EAAE,gBAAgB,EAAE;AACrE,IAAI,MAAM,eAAe,GAAG,iBAAiB,CAAC,aAAa,KAAK,SAAS;AACzE;AACA,IAAI,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE;AACvC,QAAQ,OAAO,eAAe,GAAG,oBAAoB,GAAG,MAAM;AAC9D,IAAI;AACJ;AACA,IAAI,IAAI,eAAe,IAAI,gBAAgB,CAAC,QAAQ,CAAC,qBAAqB,CAAC,EAAE;AAC7E,QAAQ,OAAO,qBAAqB;AACpC,IAAI;AACJ,IAAI,IAAI,eAAe,IAAI,gBAAgB,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE;AAC5E,QAAQ,OAAO,oBAAoB;AACnC,IAAI;AACJ,IAAI,IAAI,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE;AAC3C,QAAQ,OAAO,MAAM;AACrB,IAAI;AACJ;AACA,IAAI,OAAO,eAAe,GAAG,oBAAoB,GAAG,MAAM;AAC1D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,yBAAyB,CAAC,MAAM,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,EAAE;AAC/E,IAAI,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,iBAAiB;AAC1D,IAAI,QAAQ,MAAM;AAClB,QAAQ,KAAK,qBAAqB;AAClC,YAAY,cAAc,CAAC,SAAS,EAAE,aAAa,EAAE,OAAO,CAAC;AAC7D,YAAY;AACZ,QAAQ,KAAK,oBAAoB;AACjC,YAAY,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,MAAM,CAAC;AAC3D,YAAY;AACZ,QAAQ,KAAK,MAAM;AACnB,YAAY,eAAe,CAAC,SAAS,EAAE,MAAM,CAAC;AAC9C,YAAY;AACZ,QAAQ;AACR,YAAY,MAAM,IAAI,KAAK,CAAC,CAAC,0CAA0C,EAAE,MAAM,CAAC,CAAC,CAAC;AAClF;AACA;AACA;AACA;AACA;AACA,SAAS,cAAc,CAAC,QAAQ,EAAE,YAAY,EAAE,OAAO,EAAE;AACzD,IAAI,IAAI,CAAC,YAAY,EAAE;AACvB,QAAQ,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC;AACtF,IAAI;AACJ,IAAI,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC;AAC3D,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC;AACxD;AACA;AACA;AACA;AACA,SAAS,aAAa,CAAC,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE;AACvD,IAAI,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC;AACrC,IAAI,IAAI,YAAY,EAAE;AACtB,QAAQ,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC;AACjD,IAAI;AACJ;AACA;AACA;AACA;AACA,SAAS,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE;AAC3C,IAAI,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC;AACrC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,kBAAkB,CAAC,KAAK,EAAE;AAChD,IAAI,MAAM,UAAU,GAAG,KAAK,YAAY,QAAQ,GAAG,KAAK,CAAC,MAAM,GAAG,SAAS;AAC3E,IAAI,MAAM,IAAI,GAAG,KAAK,YAAY,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,GAAG,KAAK;AACvE,IAAI,IAAI;AACR,QAAQ,MAAM,MAAM,GAAG,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AACvE,QAAQ,MAAM,EAAE,KAAK,EAAE,iBAAiB,EAAE,SAAS,EAAE,GAAG,MAAM;AAC9D,QAAQ,MAAM,UAAU,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,WAAW;AAC7D,QAAQ,OAAO,IAAI,UAAU,CAAC,iBAAiB,IAAI,EAAE,EAAE,SAAS,CAAC;AACjE,IAAI;AACJ,IAAI,OAAO,KAAK,EAAE;AAClB;AACA,QAAQ,MAAM,YAAY,GAAG,CAAC,EAAE,UAAU,GAAG,CAAC,KAAK,EAAE,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,8BAA8B,EAAE,KAAK,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;AACnI,QAAQ,OAAO,IAAI,WAAW,CAAC,YAAY,CAAC;AAC5C,IAAI;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE;AAC9C,IAAI,IAAI,EAAE,EAAE,EAAE;AACd,IAAI,IAAI;AACR,QAAQ,OAAO,MAAM,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC;AACpD,IAAI;AACJ,IAAI,OAAO,KAAK,EAAE;AAClB;AACA,QAAQ,IAAI,KAAK,YAAY,kBAAkB,IAAI,KAAK,YAAY,uBAAuB,EAAE;AAC7F,YAAY,OAAO,CAAC,EAAE,GAAG,QAAQ,CAAC,qBAAqB,MAAM,IAAI,IAAI,EAAE,KAAK,MAAM,GAAG,MAAM,GAAG,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;AACvH,YAAY,OAAO,MAAM,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC;AACxD,QAAQ;AACR,aAAa,IAAI,KAAK,YAAY,iBAAiB,EAAE;AACrD,YAAY,OAAO,CAAC,EAAE,GAAG,QAAQ,CAAC,qBAAqB,MAAM,IAAI,IAAI,EAAE,KAAK,MAAM,GAAG,MAAM,GAAG,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAC1H,YAAY,OAAO,MAAM,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC;AACxD,QAAQ;AACR;AACA,QAAQ,MAAM,KAAK;AACnB,IAAI;AACJ;AACA,eAAe,YAAY,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,iBAAiB,EAAE,KAAK,EAAE,mBAAmB,EAAE,OAAO,GAAG,EAAE;AAC9G,IAAI,IAAI,gBAAgB;AACxB,IAAI,IAAI,sBAAsB;AAC9B,IAAI,IAAI;AACR,QAAQ,gBAAgB,GAAG,MAAM,sCAAsC,CAAC,SAAS,EAAE,EAAE,mBAAmB,EAAE,EAAE,OAAO,CAAC;AACpH,QAAQ,IAAI,gBAAgB,CAAC,qBAAqB,IAAI,gBAAgB,CAAC,qBAAqB,CAAC,MAAM,GAAG,CAAC,EAAE;AACzG,YAAY,sBAAsB,GAAG,gBAAgB,CAAC,qBAAqB,CAAC,CAAC,CAAC;AAC9E,QAAQ;AACR,IAAI;AACJ,IAAI,OAAO,EAAE,EAAE;AACf;AACA,IAAI;AACJ;AACA;AACA;AACA;AACA,IAAI,IAAI,CAAC,sBAAsB,EAAE;AACjC,QAAQ,sBAAsB,GAAG,SAAS;AAC1C,IAAI;AACJ,IAAI,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,SAAS,EAAE,QAAQ,EAAE,gBAAgB,CAAC;AACnF,IAAI,MAAM,QAAQ,GAAG,MAAM,mCAAmC,CAAC,sBAAsB,EAAE;AACvF,QAAQ,OAAO;AACf,KAAK,CAAC;AACN;AACA,IAAI,IAAI,iBAAiB,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,EAAE,CAAC;AAC/E,IAAI,IAAI,CAAC,iBAAiB,EAAE;AAC5B,QAAQ,IAAI,iBAAiB,KAAK,SAAS,EAAE;AAC7C,YAAY,MAAM,IAAI,KAAK,CAAC,qFAAqF,CAAC;AAClH,QAAQ;AACR,QAAQ,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE;AAC7C,YAAY,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC;AACjG,QAAQ;AACR,QAAQ,MAAM,eAAe,GAAG,MAAM,cAAc,CAAC,sBAAsB,EAAE;AAC7E,YAAY,QAAQ;AACpB,YAAY,cAAc,EAAE,QAAQ,CAAC,cAAc;AACnD,YAAY,OAAO;AACnB,SAAS,CAAC;AACV,QAAQ,MAAM,QAAQ,CAAC,qBAAqB,CAAC,eAAe,CAAC;AAC7D,QAAQ,iBAAiB,GAAG,eAAe;AAC3C,IAAI;AACJ;AACA,IAAI,IAAI,iBAAiB,KAAK,SAAS,EAAE;AACzC,QAAQ,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE;AAC1D,QAAQ,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,sBAAsB,EAAE;AAC3E,YAAY,QAAQ;AACpB,YAAY,iBAAiB;AAC7B,YAAY,iBAAiB;AAC7B,YAAY,YAAY;AACxB,YAAY,WAAW,EAAE,QAAQ,CAAC,WAAW;AAC7C,YAAY,QAAQ;AACpB,YAAY,uBAAuB,EAAE,QAAQ,CAAC,uBAAuB;AACrE,YAAY,OAAO,EAAE,OAAO;AAC5B,SAAS,CAAC;AACV,QAAQ,MAAM,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;AACzC,QAAQ,OAAO,YAAY;AAC3B,IAAI;AACJ,IAAI,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE;AAC1C;AACA,IAAI,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC,aAAa,EAAE;AAC9E,QAAQ,IAAI;AACZ;AACA,YAAY,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,sBAAsB,EAAE;AACjF,gBAAgB,QAAQ;AACxB,gBAAgB,iBAAiB;AACjC,gBAAgB,YAAY,EAAE,MAAM,CAAC,aAAa;AAClD,gBAAgB,QAAQ;AACxB,gBAAgB,uBAAuB,EAAE,QAAQ,CAAC,uBAAuB;AACzE,gBAAgB,OAAO;AACvB,aAAa,CAAC;AACd,YAAY,MAAM,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC;AAChD,YAAY,OAAO,YAAY;AAC/B,QAAQ;AACR,QAAQ,OAAO,KAAK,EAAE;AACtB;AACA,YAAY,IAAI,EAAE,KAAK,YAAY,UAAU,CAAC,IAAI,KAAK,YAAY,WAAW,EAAE;AAGhF,iBAAiB;AACjB;AACA,gBAAgB,MAAM,KAAK;AAC3B,YAAY;AACZ,QAAQ;AACR,IAAI;AACJ,IAAI,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,GAAG,MAAM,QAAQ,CAAC,KAAK,EAAE,GAAG,SAAS;AACrE;AACA,IAAI,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAAG,MAAM,kBAAkB,CAAC,sBAAsB,EAAE;AAChG,QAAQ,QAAQ;AAChB,QAAQ,iBAAiB;AACzB,QAAQ,KAAK;AACb,QAAQ,WAAW,EAAE,QAAQ,CAAC,WAAW;AACzC,QAAQ,KAAK,EAAE,KAAK,IAAI,QAAQ,CAAC,cAAc,CAAC,KAAK;AACrD,QAAQ,QAAQ;AAChB,KAAK,CAAC;AACN,IAAI,MAAM,QAAQ,CAAC,gBAAgB,CAAC,YAAY,CAAC;AACjD,IAAI,MAAM,QAAQ,CAAC,uBAAuB,CAAC,gBAAgB,CAAC;AAC5D,IAAI,OAAO,UAAU;AACrB;AACO,eAAe,iBAAiB,CAAC,SAAS,EAAE,QAAQ,EAAE,gBAAgB,EAAE;AAC/E,IAAI,MAAM,eAAe,GAAG,wBAAwB,CAAC,SAAS,CAAC;AAC/D;AACA,IAAI,IAAI,QAAQ,CAAC,mBAAmB,EAAE;AACtC,QAAQ,OAAO,MAAM,QAAQ,CAAC,mBAAmB,CAAC,eAAe,EAAE,gBAAgB,KAAK,IAAI,IAAI,gBAAgB,KAAK,MAAM,GAAG,MAAM,GAAG,gBAAgB,CAAC,QAAQ,CAAC;AACjK,IAAI;AACJ;AACA,IAAI,IAAI,CAAC,gBAAgB,EAAE;AAC3B,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ;AACA,IAAI,IAAI,CAAC,oBAAoB,CAAC,EAAE,iBAAiB,EAAE,eAAe,EAAE,kBAAkB,EAAE,gBAAgB,CAAC,QAAQ,EAAE,CAAC,EAAE;AACtH,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,mBAAmB,EAAE,gBAAgB,CAAC,QAAQ,CAAC,yBAAyB,EAAE,eAAe,CAAC,YAAY,CAAC,CAAC;AACjI,IAAI;AACJ;AACA,IAAI,OAAO,IAAI,GAAG,CAAC,gBAAgB,CAAC,QAAQ,CAAC;AAC7C;AACA;AACA;AACA;AACO,SAAS,0BAA0B,CAAC,GAAG,EAAE;AAChD,IAAI,MAAM,kBAAkB,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;AAClE,IAAI,IAAI,CAAC,kBAAkB,EAAE;AAC7B,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ,IAAI,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,GAAG,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC;AACxD,IAAI,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,QAAQ,IAAI,CAAC,MAAM,EAAE;AACpD,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ,IAAI,MAAM,KAAK,GAAG,6BAA6B;AAC/C,IAAI,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC;AAChD,IAAI,IAAI,CAAC,KAAK,EAAE;AAChB,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ,IAAI,IAAI;AACR,QAAQ,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAChC,IAAI;AACJ,IAAI,OAAO,EAAE,EAAE;AACf,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,sCAAsC,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,GAAG,KAAK,EAAE;AAC/F,IAAI,MAAM,QAAQ,GAAG,MAAM,4BAA4B,CAAC,SAAS,EAAE,0BAA0B,EAAE,OAAO,EAAE;AACxG,QAAQ,eAAe,EAAE,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,eAAe;AACzF,QAAQ,WAAW,EAAE,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,mBAAmB;AACzF,KAAK,CAAC;AACN,IAAI,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;AAC9C,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,yEAAyE,CAAC,CAAC;AACpG,IAAI;AACJ,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AACtB,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,6DAA6D,CAAC,CAAC;AAC/G,IAAI;AACJ,IAAI,OAAO,oCAAoC,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AAC5E;AACA;AACA;AACA;AACA,eAAe,kBAAkB,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,GAAG,KAAK,EAAE;AACjE,IAAI,IAAI;AACR,QAAQ,OAAO,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC;AAC9C,IAAI;AACJ,IAAI,OAAO,KAAK,EAAE;AAClB,QAAQ,IAAI,KAAK,YAAY,SAAS,EAAE;AACxC,YAAY,IAAI,OAAO,EAAE;AACzB;AACA,gBAAgB,OAAO,kBAAkB,CAAC,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC;AAClE,YAAY;AACZ,iBAAiB;AACjB;AACA,gBAAgB,OAAO,SAAS;AAChC,YAAY;AACZ,QAAQ;AACR,QAAQ,MAAM,KAAK;AACnB,IAAI;AACJ;AACA;AACA;AACA;AACA,SAAS,kBAAkB,CAAC,eAAe,EAAE,QAAQ,GAAG,EAAE,EAAE,OAAO,GAAG,EAAE,EAAE;AAC1E;AACA,IAAI,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;AAChC,QAAQ,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;AACxC,IAAI;AACJ,IAAI,OAAO,OAAO,CAAC;AACnB,UAAU,CAAC,EAAE,QAAQ,CAAC,aAAa,EAAE,eAAe,CAAC;AACrD,UAAU,CAAC,aAAa,EAAE,eAAe,CAAC,EAAE,QAAQ,CAAC,CAAC;AACtD;AACA;AACA;AACA;AACA,eAAe,oBAAoB,CAAC,GAAG,EAAE,eAAe,EAAE,OAAO,GAAG,KAAK,EAAE;AAC3E,IAAI,MAAM,OAAO,GAAG;AACpB,QAAQ,sBAAsB,EAAE;AAChC,KAAK;AACL,IAAI,OAAO,MAAM,kBAAkB,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC;AAC1D;AACA;AACA;AACA;AACA,SAAS,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,EAAE;AACnD,IAAI,OAAO,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,KAAK,QAAQ,KAAK,GAAG;AAC7F;AACA;AACA;AACA;AACA,eAAe,4BAA4B,CAAC,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE;AACrF,IAAI,IAAI,EAAE,EAAE,EAAE;AACd,IAAI,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC;AACrC,IAAI,MAAM,eAAe,GAAG,CAAC,EAAE,GAAG,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,eAAe,MAAM,IAAI,IAAI,EAAE,KAAK,MAAM,GAAG,EAAE,GAAG,uBAAuB;AAC5J,IAAI,IAAI,GAAG;AACX,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,WAAW,EAAE;AACtE,QAAQ,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC;AACvC,IAAI;AACJ,SAAS;AACT;AACA,QAAQ,MAAM,aAAa,GAAG,kBAAkB,CAAC,aAAa,EAAE,MAAM,CAAC,QAAQ,CAAC;AAChF,QAAQ,GAAG,GAAG,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC,EAAE,GAAG,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,iBAAiB,MAAM,IAAI,IAAI,EAAE,KAAK,MAAM,GAAG,EAAE,GAAG,MAAM,CAAC;AACvJ,QAAQ,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM;AAClC,IAAI;AACJ,IAAI,IAAI,QAAQ,GAAG,MAAM,oBAAoB,CAAC,GAAG,EAAE,eAAe,EAAE,OAAO,CAAC;AAC5E;AACA,IAAI,IAAI,EAAE,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,qBAAqB,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE;AAC7H,QAAQ,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC,EAAE,MAAM,CAAC;AACxE,QAAQ,QAAQ,GAAG,MAAM,oBAAoB,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC;AAChF,IAAI;AACJ,IAAI,OAAO,QAAQ;AACnB;AAgCA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAAS,kBAAkB,CAAC,sBAAsB,EAAE;AAC3D,IAAI,MAAM,GAAG,GAAG,OAAO,sBAAsB,KAAK,QAAQ,GAAG,IAAI,GAAG,CAAC,sBAAsB,CAAC,GAAG,sBAAsB;AACrH,IAAI,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG;AACxC,IAAI,MAAM,SAAS,GAAG,EAAE;AACxB,IAAI,IAAI,CAAC,OAAO,EAAE;AAClB;AACA,QAAQ,SAAS,CAAC,IAAI,CAAC;AACvB,YAAY,GAAG,EAAE,IAAI,GAAG,CAAC,yCAAyC,EAAE,GAAG,CAAC,MAAM,CAAC;AAC/E,YAAY,IAAI,EAAE;AAClB,SAAS,CAAC;AACV;AACA,QAAQ,SAAS,CAAC,IAAI,CAAC;AACvB,YAAY,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,iCAAiC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC;AACzE,YAAY,IAAI,EAAE;AAClB,SAAS,CAAC;AACV,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ;AACA,IAAI,IAAI,QAAQ,GAAG,GAAG,CAAC,QAAQ;AAC/B,IAAI,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;AAChC,QAAQ,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;AACxC,IAAI;AACJ;AACA;AACA,IAAI,SAAS,CAAC,IAAI,CAAC;AACnB,QAAQ,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,uCAAuC,EAAE,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC;AACtF,QAAQ,IAAI,EAAE;AACd,KAAK,CAAC;AACN;AACA,IAAI,SAAS,CAAC,IAAI,CAAC;AACnB,QAAQ,GAAG,EAAE,IAAI,GAAG,CAAC,yCAAyC,EAAE,GAAG,CAAC,MAAM,CAAC;AAC3E,QAAQ,IAAI,EAAE;AACd,KAAK,CAAC;AACN;AACA;AACA,IAAI,SAAS,CAAC,IAAI,CAAC;AACnB,QAAQ,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,iCAAiC,EAAE,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC;AAChF,QAAQ,IAAI,EAAE;AACd,KAAK,CAAC;AACN;AACA,IAAI,SAAS,CAAC,IAAI,CAAC;AACnB,QAAQ,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,iCAAiC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC;AAChF,QAAQ,IAAI,EAAE;AACd,KAAK,CAAC;AACN,IAAI,OAAO,SAAS;AACpB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,mCAAmC,CAAC,sBAAsB,EAAE,EAAE,OAAO,GAAG,KAAK,EAAE,eAAe,GAAG,uBAAuB,GAAG,GAAG,EAAE,EAAE;AACxJ,IAAI,IAAI,EAAE;AACV,IAAI,MAAM,OAAO,GAAG,EAAE,sBAAsB,EAAE,eAAe,EAAE;AAC/D;AACA,IAAI,MAAM,SAAS,GAAG,kBAAkB,CAAC,sBAAsB,CAAC;AAChE;AACA,IAAI,KAAK,MAAM,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,SAAS,EAAE;AACxD,QAAQ,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC;AAChF,QAAQ,IAAI,CAAC,QAAQ,EAAE;AACvB;AACA;AACA;AACA;AACA,YAAY;AACZ,QAAQ;AACR,QAAQ,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AAC1B;AACA,YAAY,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,EAAE;AACjE,gBAAgB,SAAS;AACzB,YAAY;AACZ,YAAY,MAAM,IAAI,KAAK,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,gBAAgB,EAAE,IAAI,KAAK,OAAO,GAAG,OAAO,GAAG,iBAAiB,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC;AACpJ,QAAQ;AACR;AACA,QAAQ,IAAI,IAAI,KAAK,OAAO,EAAE;AAC9B,YAAY,OAAO,mBAAmB,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AACnE,QAAQ;AACR,aAAa;AACb,YAAY,MAAM,QAAQ,GAAG,qCAAqC,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AAC/F;AACA,YAAY,IAAI,EAAE,CAAC,EAAE,GAAG,QAAQ,CAAC,gCAAgC,MAAM,IAAI,IAAI,EAAE,KAAK,MAAM,GAAG,MAAM,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE;AAC9H,gBAAgB,MAAM,IAAI,KAAK,CAAC,CAAC,8BAA8B,EAAE,WAAW,CAAC,2EAA2E,CAAC,CAAC;AAC1J,YAAY;AACZ,YAAY,OAAO,QAAQ;AAC3B,QAAQ;AACR,IAAI;AACJ,IAAI,OAAO,SAAS;AACpB;AACA;AACA;AACA;AACO,eAAe,kBAAkB,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,GAAG,EAAE;AACxI,IAAI,MAAM,YAAY,GAAG,MAAM;AAC/B,IAAI,MAAM,mBAAmB,GAAG,MAAM;AACtC,IAAI,IAAI,gBAAgB;AACxB,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC;AACnE,QAAQ,IAAI,CAAC,QAAQ,CAAC,wBAAwB,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE;AACvE,YAAY,MAAM,IAAI,KAAK,CAAC,CAAC,yDAAyD,EAAE,YAAY,CAAC,CAAC,CAAC;AACvG,QAAQ;AACR,QAAQ,IAAI,CAAC,QAAQ,CAAC,gCAAgC;AACtD,YAAY,CAAC,QAAQ,CAAC,gCAAgC,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE;AACtF,YAAY,MAAM,IAAI,KAAK,CAAC,CAAC,iEAAiE,EAAE,mBAAmB,CAAC,CAAC,CAAC;AACtH,QAAQ;AACR,IAAI;AACJ,SAAS;AACT,QAAQ,gBAAgB,GAAG,IAAI,GAAG,CAAC,YAAY,EAAE,sBAAsB,CAAC;AACxE,IAAI;AACJ;AACA,IAAI,MAAM,SAAS,GAAG,MAAM,aAAa,EAAE;AAC3C,IAAI,MAAM,YAAY,GAAG,SAAS,CAAC,aAAa;AAChD,IAAI,MAAM,aAAa,GAAG,SAAS,CAAC,cAAc;AAClD,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC;AACpE,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,iBAAiB,CAAC,SAAS,CAAC;AAC/E,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC;AACtE,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,mBAAmB,CAAC;AACnF,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;AAC1E,IAAI,IAAI,KAAK,EAAE;AACf,QAAQ,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC;AACzD,IAAI;AACJ,IAAI,IAAI,KAAK,EAAE;AACf,QAAQ,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC;AACzD,IAAI;AACJ,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,MAAM,GAAG,MAAM,GAAG,KAAK,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE;AACxF;AACA;AACA;AACA,QAAQ,gBAAgB,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC;AACjE,IAAI;AACJ,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC;AACpE,IAAI;AACJ,IAAI,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE;AAC7C;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,qBAAqB,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,uBAAuB,EAAE,OAAO,GAAG,EAAE;AAChM,IAAI,IAAI,EAAE;AACV,IAAI,MAAM,SAAS,GAAG,oBAAoB;AAC1C,IAAI,MAAM,QAAQ,GAAG,CAAC,QAAQ,KAAK,IAAI,IAAI,QAAQ,KAAK,MAAM,GAAG,MAAM,GAAG,QAAQ,CAAC,cAAc;AACjG,UAAU,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc;AACzC,UAAU,IAAI,GAAG,CAAC,QAAQ,EAAE,sBAAsB,CAAC;AACnD,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,IAAI,QAAQ,KAAK,MAAM,GAAG,MAAM,GAAG,QAAQ,CAAC,qBAAqB;AAC3F,QAAQ,CAAC,QAAQ,CAAC,qBAAqB,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE;AAC7D,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,sDAAsD,EAAE,SAAS,CAAC,CAAC,CAAC;AAC7F,IAAI;AACJ;AACA,IAAI,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;AAChC,QAAQ,cAAc,EAAE,mCAAmC;AAC3D,QAAQ,QAAQ,EAAE,kBAAkB;AACpC,KAAK,CAAC;AACN,IAAI,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;AACvC,QAAQ,UAAU,EAAE,SAAS;AAC7B,QAAQ,IAAI,EAAE,iBAAiB;AAC/B,QAAQ,aAAa,EAAE,YAAY;AACnC,QAAQ,YAAY,EAAE,MAAM,CAAC,WAAW,CAAC;AACzC,KAAK,CAAC;AACN,IAAI,IAAI,uBAAuB,EAAE;AACjC,QAAQ,uBAAuB,CAAC,OAAO,EAAE,MAAM,EAAE,sBAAsB,EAAE,QAAQ,CAAC;AAClF,IAAI;AACJ,SAAS;AACT;AACA,QAAQ,MAAM,gBAAgB,GAAG,CAAC,EAAE,GAAG,QAAQ,KAAK,IAAI,IAAI,QAAQ,KAAK,MAAM,GAAG,MAAM,GAAG,QAAQ,CAAC,qCAAqC,MAAM,IAAI,IAAI,EAAE,KAAK,MAAM,GAAG,EAAE,GAAG,EAAE;AAC9K,QAAQ,MAAM,UAAU,GAAG,sBAAsB,CAAC,iBAAiB,EAAE,gBAAgB,CAAC;AACtF,QAAQ,yBAAyB,CAAC,UAAU,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,CAAC;AACjF,IAAI;AACJ,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC;AAC7C,IAAI;AACJ,IAAI,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,MAAM,GAAG,OAAO,GAAG,KAAK,EAAE,QAAQ,EAAE;AAChG,QAAQ,MAAM,EAAE,MAAM;AACtB,QAAQ,OAAO;AACf,QAAQ,IAAI,EAAE,MAAM;AACpB,KAAK,CAAC;AACN,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AACtB,QAAQ,MAAM,MAAM,kBAAkB,CAAC,QAAQ,CAAC;AAChD,IAAI;AACJ,IAAI,OAAO,iBAAiB,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AACzD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,oBAAoB,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,YAAY,EAAE,QAAQ,EAAE,uBAAuB,EAAE,OAAO,GAAG,EAAE;AAC/J,IAAI,IAAI,EAAE;AACV,IAAI,MAAM,SAAS,GAAG,eAAe;AACrC,IAAI,IAAI,QAAQ;AAChB,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC;AACnD,QAAQ,IAAI,QAAQ,CAAC,qBAAqB;AAC1C,YAAY,CAAC,QAAQ,CAAC,qBAAqB,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE;AACjE,YAAY,MAAM,IAAI,KAAK,CAAC,CAAC,sDAAsD,EAAE,SAAS,CAAC,CAAC,CAAC;AACjG,QAAQ;AACR,IAAI;AACJ,SAAS;AACT,QAAQ,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,sBAAsB,CAAC;AAC5D,IAAI;AACJ;AACA,IAAI,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;AAChC,QAAQ,cAAc,EAAE,mCAAmC;AAC3D,KAAK,CAAC;AACN,IAAI,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;AACvC,QAAQ,UAAU,EAAE,SAAS;AAC7B,QAAQ,aAAa,EAAE,YAAY;AACnC,KAAK,CAAC;AACN,IAAI,IAAI,uBAAuB,EAAE;AACjC,QAAQ,uBAAuB,CAAC,OAAO,EAAE,MAAM,EAAE,sBAAsB,EAAE,QAAQ,CAAC;AAClF,IAAI;AACJ,SAAS;AACT;AACA,QAAQ,MAAM,gBAAgB,GAAG,CAAC,EAAE,GAAG,QAAQ,KAAK,IAAI,IAAI,QAAQ,KAAK,MAAM,GAAG,MAAM,GAAG,QAAQ,CAAC,qCAAqC,MAAM,IAAI,IAAI,EAAE,KAAK,MAAM,GAAG,EAAE,GAAG,EAAE;AAC9K,QAAQ,MAAM,UAAU,GAAG,sBAAsB,CAAC,iBAAiB,EAAE,gBAAgB,CAAC;AACtF,QAAQ,yBAAyB,CAAC,UAAU,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,CAAC;AACjF,IAAI;AACJ,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC;AAC7C,IAAI;AACJ,IAAI,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,MAAM,GAAG,OAAO,GAAG,KAAK,EAAE,QAAQ,EAAE;AAChG,QAAQ,MAAM,EAAE,MAAM;AACtB,QAAQ,OAAO;AACf,QAAQ,IAAI,EAAE,MAAM;AACpB,KAAK,CAAC;AACN,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AACtB,QAAQ,MAAM,MAAM,kBAAkB,CAAC,QAAQ,CAAC;AAChD,IAAI;AACJ,IAAI,OAAO,iBAAiB,CAAC,KAAK,CAAC,EAAE,aAAa,EAAE,YAAY,EAAE,IAAI,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;AAC/F;AACA;AACA;AACA;AACO,eAAe,cAAc,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,GAAG,EAAE;AACrG,IAAI,IAAI,eAAe;AACvB,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE;AAC7C,YAAY,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC;AACrG,QAAQ;AACR,QAAQ,eAAe,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,qBAAqB,CAAC;AACjE,IAAI;AACJ,SAAS;AACT,QAAQ,eAAe,GAAG,IAAI,GAAG,CAAC,WAAW,EAAE,sBAAsB,CAAC;AACtE,IAAI;AACJ,IAAI,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,MAAM,GAAG,OAAO,GAAG,KAAK,EAAE,eAAe,EAAE;AACvG,QAAQ,MAAM,EAAE,MAAM;AACtB,QAAQ,OAAO,EAAE;AACjB,YAAY,cAAc,EAAE,kBAAkB;AAC9C,SAAS;AACT,QAAQ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC;AAC5C,KAAK,CAAC;AACN,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AACtB,QAAQ,MAAM,MAAM,kBAAkB,CAAC,QAAQ,CAAC;AAChD,IAAI;AACJ,IAAI,OAAO,gCAAgC,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AACxE;;;;","x_google_ignoreList":[0]}
+{"version":3,"file":"auth.js","sources":["../../../../../../../../../node_modules/@modelcontextprotocol/sdk/dist/esm/client/auth.js"],"sourcesContent":["import pkceChallenge from 'pkce-challenge';\nimport { LATEST_PROTOCOL_VERSION } from '../types.js';\nimport { OAuthErrorResponseSchema, OpenIdProviderDiscoveryMetadataSchema } from '../shared/auth.js';\nimport { OAuthClientInformationFullSchema, OAuthMetadataSchema, OAuthProtectedResourceMetadataSchema, OAuthTokensSchema } from '../shared/auth.js';\nimport { checkResourceAllowed, resourceUrlFromServerUrl } from '../shared/auth-utils.js';\nimport { InvalidClientError, InvalidClientMetadataError, InvalidGrantError, OAUTH_ERRORS, OAuthError, ServerError, UnauthorizedClientError } from '../server/auth/errors.js';\nexport class UnauthorizedError extends Error {\n    constructor(message) {\n        super(message ?? 'Unauthorized');\n    }\n}\nfunction isClientAuthMethod(method) {\n    return ['client_secret_basic', 'client_secret_post', 'none'].includes(method);\n}\nconst AUTHORIZATION_CODE_RESPONSE_TYPE = 'code';\nconst AUTHORIZATION_CODE_CHALLENGE_METHOD = 'S256';\n/**\n * Determines the best client authentication method to use based on server support and client configuration.\n *\n * Priority order (highest to lowest):\n * 1. client_secret_basic (if client secret is available)\n * 2. client_secret_post (if client secret is available)\n * 3. none (for public clients)\n *\n * @param clientInformation - OAuth client information containing credentials\n * @param supportedMethods - Authentication methods supported by the authorization server\n * @returns The selected authentication method\n */\nexport function selectClientAuthMethod(clientInformation, supportedMethods) {\n    const hasClientSecret = clientInformation.client_secret !== undefined;\n    // If server doesn't specify supported methods, use RFC 6749 defaults\n    if (supportedMethods.length === 0) {\n        return hasClientSecret ? 'client_secret_post' : 'none';\n    }\n    // Prefer the method returned by the server during client registration if valid and supported\n    if ('token_endpoint_auth_method' in clientInformation &&\n        clientInformation.token_endpoint_auth_method &&\n        isClientAuthMethod(clientInformation.token_endpoint_auth_method) &&\n        supportedMethods.includes(clientInformation.token_endpoint_auth_method)) {\n        return clientInformation.token_endpoint_auth_method;\n    }\n    // Try methods in priority order (most secure first)\n    if (hasClientSecret && supportedMethods.includes('client_secret_basic')) {\n        return 'client_secret_basic';\n    }\n    if (hasClientSecret && supportedMethods.includes('client_secret_post')) {\n        return 'client_secret_post';\n    }\n    if (supportedMethods.includes('none')) {\n        return 'none';\n    }\n    // Fallback: use what we have\n    return hasClientSecret ? 'client_secret_post' : 'none';\n}\n/**\n * Applies client authentication to the request based on the specified method.\n *\n * Implements OAuth 2.1 client authentication methods:\n * - client_secret_basic: HTTP Basic authentication (RFC 6749 Section 2.3.1)\n * - client_secret_post: Credentials in request body (RFC 6749 Section 2.3.1)\n * - none: Public client authentication (RFC 6749 Section 2.1)\n *\n * @param method - The authentication method to use\n * @param clientInformation - OAuth client information containing credentials\n * @param headers - HTTP headers object to modify\n * @param params - URL search parameters to modify\n * @throws {Error} When required credentials are missing\n */\nfunction applyClientAuthentication(method, clientInformation, headers, params) {\n    const { client_id, client_secret } = clientInformation;\n    switch (method) {\n        case 'client_secret_basic':\n            applyBasicAuth(client_id, client_secret, headers);\n            return;\n        case 'client_secret_post':\n            applyPostAuth(client_id, client_secret, params);\n            return;\n        case 'none':\n            applyPublicAuth(client_id, params);\n            return;\n        default:\n            throw new Error(`Unsupported client authentication method: ${method}`);\n    }\n}\n/**\n * Applies HTTP Basic authentication (RFC 6749 Section 2.3.1)\n */\nfunction applyBasicAuth(clientId, clientSecret, headers) {\n    if (!clientSecret) {\n        throw new Error('client_secret_basic authentication requires a client_secret');\n    }\n    const credentials = btoa(`${clientId}:${clientSecret}`);\n    headers.set('Authorization', `Basic ${credentials}`);\n}\n/**\n * Applies POST body authentication (RFC 6749 Section 2.3.1)\n */\nfunction applyPostAuth(clientId, clientSecret, params) {\n    params.set('client_id', clientId);\n    if (clientSecret) {\n        params.set('client_secret', clientSecret);\n    }\n}\n/**\n * Applies public client authentication (RFC 6749 Section 2.1)\n */\nfunction applyPublicAuth(clientId, params) {\n    params.set('client_id', clientId);\n}\n/**\n * Parses an OAuth error response from a string or Response object.\n *\n * If the input is a standard OAuth2.0 error response, it will be parsed according to the spec\n * and an instance of the appropriate OAuthError subclass will be returned.\n * If parsing fails, it falls back to a generic ServerError that includes\n * the response status (if available) and original content.\n *\n * @param input - A Response object or string containing the error response\n * @returns A Promise that resolves to an OAuthError instance\n */\nexport async function parseErrorResponse(input) {\n    const statusCode = input instanceof Response ? input.status : undefined;\n    const body = input instanceof Response ? await input.text() : input;\n    try {\n        const result = OAuthErrorResponseSchema.parse(JSON.parse(body));\n        const { error, error_description, error_uri } = result;\n        const errorClass = OAUTH_ERRORS[error] || ServerError;\n        return new errorClass(error_description || '', error_uri);\n    }\n    catch (error) {\n        // Not a valid OAuth error response, but try to inform the user of the raw data anyway\n        const errorMessage = `${statusCode ? `HTTP ${statusCode}: ` : ''}Invalid OAuth error response: ${error}. Raw body: ${body}`;\n        return new ServerError(errorMessage);\n    }\n}\n/**\n * Orchestrates the full auth flow with a server.\n *\n * This can be used as a single entry point for all authorization functionality,\n * instead of linking together the other lower-level functions in this module.\n */\nexport async function auth(provider, options) {\n    try {\n        return await authInternal(provider, options);\n    }\n    catch (error) {\n        // Handle recoverable error types by invalidating credentials and retrying\n        if (error instanceof InvalidClientError || error instanceof UnauthorizedClientError) {\n            await provider.invalidateCredentials?.('all');\n            return await authInternal(provider, options);\n        }\n        else if (error instanceof InvalidGrantError) {\n            await provider.invalidateCredentials?.('tokens');\n            return await authInternal(provider, options);\n        }\n        // Throw otherwise\n        throw error;\n    }\n}\nasync function authInternal(provider, { serverUrl, authorizationCode, scope, resourceMetadataUrl, fetchFn }) {\n    let resourceMetadata;\n    let authorizationServerUrl;\n    try {\n        resourceMetadata = await discoverOAuthProtectedResourceMetadata(serverUrl, { resourceMetadataUrl }, fetchFn);\n        if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {\n            authorizationServerUrl = resourceMetadata.authorization_servers[0];\n        }\n    }\n    catch {\n        // Ignore errors and fall back to /.well-known/oauth-authorization-server\n    }\n    /**\n     * If we don't get a valid authorization server metadata from protected resource metadata,\n     * fallback to the legacy MCP spec's implementation (version 2025-03-26): MCP server base URL acts as the Authorization server.\n     */\n    if (!authorizationServerUrl) {\n        authorizationServerUrl = new URL('/', serverUrl);\n    }\n    const resource = await selectResourceURL(serverUrl, provider, resourceMetadata);\n    const metadata = await discoverAuthorizationServerMetadata(authorizationServerUrl, {\n        fetchFn\n    });\n    // Handle client registration if needed\n    let clientInformation = await Promise.resolve(provider.clientInformation());\n    if (!clientInformation) {\n        if (authorizationCode !== undefined) {\n            throw new Error('Existing OAuth client information is required when exchanging an authorization code');\n        }\n        const supportsUrlBasedClientId = metadata?.client_id_metadata_document_supported === true;\n        const clientMetadataUrl = provider.clientMetadataUrl;\n        if (clientMetadataUrl && !isHttpsUrl(clientMetadataUrl)) {\n            throw new InvalidClientMetadataError(`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${clientMetadataUrl}`);\n        }\n        const shouldUseUrlBasedClientId = supportsUrlBasedClientId && clientMetadataUrl;\n        if (shouldUseUrlBasedClientId) {\n            // SEP-991: URL-based Client IDs\n            clientInformation = {\n                client_id: clientMetadataUrl\n            };\n            await provider.saveClientInformation?.(clientInformation);\n        }\n        else {\n            // Fallback to dynamic registration\n            if (!provider.saveClientInformation) {\n                throw new Error('OAuth client information must be saveable for dynamic registration');\n            }\n            const fullInformation = await registerClient(authorizationServerUrl, {\n                metadata,\n                clientMetadata: provider.clientMetadata,\n                fetchFn\n            });\n            await provider.saveClientInformation(fullInformation);\n            clientInformation = fullInformation;\n        }\n    }\n    // Non-interactive flows (e.g., client_credentials, jwt-bearer) don't need a redirect URL\n    const nonInteractiveFlow = !provider.redirectUrl;\n    // Exchange authorization code for tokens, or fetch tokens directly for non-interactive flows\n    if (authorizationCode !== undefined || nonInteractiveFlow) {\n        const tokens = await fetchToken(provider, authorizationServerUrl, {\n            metadata,\n            resource,\n            authorizationCode,\n            fetchFn\n        });\n        await provider.saveTokens(tokens);\n        return 'AUTHORIZED';\n    }\n    const tokens = await provider.tokens();\n    // Handle token refresh or new authorization\n    if (tokens?.refresh_token) {\n        try {\n            // Attempt to refresh the token\n            const newTokens = await refreshAuthorization(authorizationServerUrl, {\n                metadata,\n                clientInformation,\n                refreshToken: tokens.refresh_token,\n                resource,\n                addClientAuthentication: provider.addClientAuthentication,\n                fetchFn\n            });\n            await provider.saveTokens(newTokens);\n            return 'AUTHORIZED';\n        }\n        catch (error) {\n            // If this is a ServerError, or an unknown type, log it out and try to continue. Otherwise, escalate so we can fix things and retry.\n            if (!(error instanceof OAuthError) || error instanceof ServerError) {\n                // Could not refresh OAuth tokens\n            }\n            else {\n                // Refresh failed for another reason, re-throw\n                throw error;\n            }\n        }\n    }\n    const state = provider.state ? await provider.state() : undefined;\n    // Start new authorization flow\n    const { authorizationUrl, codeVerifier } = await startAuthorization(authorizationServerUrl, {\n        metadata,\n        clientInformation,\n        state,\n        redirectUrl: provider.redirectUrl,\n        scope: scope || resourceMetadata?.scopes_supported?.join(' ') || provider.clientMetadata.scope,\n        resource\n    });\n    await provider.saveCodeVerifier(codeVerifier);\n    await provider.redirectToAuthorization(authorizationUrl);\n    return 'REDIRECT';\n}\n/**\n * SEP-991: URL-based Client IDs\n * Validate that the client_id is a valid URL with https scheme\n */\nexport function isHttpsUrl(value) {\n    if (!value)\n        return false;\n    try {\n        const url = new URL(value);\n        return url.protocol === 'https:' && url.pathname !== '/';\n    }\n    catch {\n        return false;\n    }\n}\nexport async function selectResourceURL(serverUrl, provider, resourceMetadata) {\n    const defaultResource = resourceUrlFromServerUrl(serverUrl);\n    // If provider has custom validation, delegate to it\n    if (provider.validateResourceURL) {\n        return await provider.validateResourceURL(defaultResource, resourceMetadata?.resource);\n    }\n    // Only include resource parameter when Protected Resource Metadata is present\n    if (!resourceMetadata) {\n        return undefined;\n    }\n    // Validate that the metadata's resource is compatible with our request\n    if (!checkResourceAllowed({ requestedResource: defaultResource, configuredResource: resourceMetadata.resource })) {\n        throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${defaultResource} (or origin)`);\n    }\n    // Prefer the resource from metadata since it's what the server is telling us to request\n    return new URL(resourceMetadata.resource);\n}\n/**\n * Extract resource_metadata, scope, and error from WWW-Authenticate header.\n */\nexport function extractWWWAuthenticateParams(res) {\n    const authenticateHeader = res.headers.get('WWW-Authenticate');\n    if (!authenticateHeader) {\n        return {};\n    }\n    const [type, scheme] = authenticateHeader.split(' ');\n    if (type.toLowerCase() !== 'bearer' || !scheme) {\n        return {};\n    }\n    const resourceMetadataMatch = extractFieldFromWwwAuth(res, 'resource_metadata') || undefined;\n    let resourceMetadataUrl;\n    if (resourceMetadataMatch) {\n        try {\n            resourceMetadataUrl = new URL(resourceMetadataMatch);\n        }\n        catch {\n            // Ignore invalid URL\n        }\n    }\n    const scope = extractFieldFromWwwAuth(res, 'scope') || undefined;\n    const error = extractFieldFromWwwAuth(res, 'error') || undefined;\n    return {\n        resourceMetadataUrl,\n        scope,\n        error\n    };\n}\n/**\n * Extracts a specific field's value from the WWW-Authenticate header string.\n *\n * @param response The HTTP response object containing the headers.\n * @param fieldName The name of the field to extract (e.g., \"realm\", \"nonce\").\n * @returns The field value\n */\nfunction extractFieldFromWwwAuth(response, fieldName) {\n    const wwwAuthHeader = response.headers.get('WWW-Authenticate');\n    if (!wwwAuthHeader) {\n        return null;\n    }\n    const pattern = new RegExp(`${fieldName}=(?:\"([^\"]+)\"|([^\\\\s,]+))`);\n    const match = wwwAuthHeader.match(pattern);\n    if (match) {\n        // Pattern matches: field_name=\"value\" or field_name=value (unquoted)\n        return match[1] || match[2];\n    }\n    return null;\n}\n/**\n * Extract resource_metadata from response header.\n * @deprecated Use `extractWWWAuthenticateParams` instead.\n */\nexport function extractResourceMetadataUrl(res) {\n    const authenticateHeader = res.headers.get('WWW-Authenticate');\n    if (!authenticateHeader) {\n        return undefined;\n    }\n    const [type, scheme] = authenticateHeader.split(' ');\n    if (type.toLowerCase() !== 'bearer' || !scheme) {\n        return undefined;\n    }\n    const regex = /resource_metadata=\"([^\"]*)\"/;\n    const match = regex.exec(authenticateHeader);\n    if (!match) {\n        return undefined;\n    }\n    try {\n        return new URL(match[1]);\n    }\n    catch {\n        return undefined;\n    }\n}\n/**\n * Looks up RFC 9728 OAuth 2.0 Protected Resource Metadata.\n *\n * If the server returns a 404 for the well-known endpoint, this function will\n * return `undefined`. Any other errors will be thrown as exceptions.\n */\nexport async function discoverOAuthProtectedResourceMetadata(serverUrl, opts, fetchFn = fetch) {\n    const response = await discoverMetadataWithFallback(serverUrl, 'oauth-protected-resource', fetchFn, {\n        protocolVersion: opts?.protocolVersion,\n        metadataUrl: opts?.resourceMetadataUrl\n    });\n    if (!response || response.status === 404) {\n        await response?.body?.cancel();\n        throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);\n    }\n    if (!response.ok) {\n        await response.body?.cancel();\n        throw new Error(`HTTP ${response.status} trying to load well-known OAuth protected resource metadata.`);\n    }\n    return OAuthProtectedResourceMetadataSchema.parse(await response.json());\n}\n/**\n * Helper function to handle fetch with CORS retry logic\n */\nasync function fetchWithCorsRetry(url, headers, fetchFn = fetch) {\n    try {\n        return await fetchFn(url, { headers });\n    }\n    catch (error) {\n        if (error instanceof TypeError) {\n            if (headers) {\n                // CORS errors come back as TypeError, retry without headers\n                return fetchWithCorsRetry(url, undefined, fetchFn);\n            }\n            else {\n                // We're getting CORS errors on retry too, return undefined\n                return undefined;\n            }\n        }\n        throw error;\n    }\n}\n/**\n * Constructs the well-known path for auth-related metadata discovery\n */\nfunction buildWellKnownPath(wellKnownPrefix, pathname = '', options = {}) {\n    // Strip trailing slash from pathname to avoid double slashes\n    if (pathname.endsWith('/')) {\n        pathname = pathname.slice(0, -1);\n    }\n    return options.prependPathname ? `${pathname}/.well-known/${wellKnownPrefix}` : `/.well-known/${wellKnownPrefix}${pathname}`;\n}\n/**\n * Tries to discover OAuth metadata at a specific URL\n */\nasync function tryMetadataDiscovery(url, protocolVersion, fetchFn = fetch) {\n    const headers = {\n        'MCP-Protocol-Version': protocolVersion\n    };\n    return await fetchWithCorsRetry(url, headers, fetchFn);\n}\n/**\n * Determines if fallback to root discovery should be attempted\n */\nfunction shouldAttemptFallback(response, pathname) {\n    return !response || (response.status >= 400 && response.status < 500 && pathname !== '/');\n}\n/**\n * Generic function for discovering OAuth metadata with fallback support\n */\nasync function discoverMetadataWithFallback(serverUrl, wellKnownType, fetchFn, opts) {\n    const issuer = new URL(serverUrl);\n    const protocolVersion = opts?.protocolVersion ?? LATEST_PROTOCOL_VERSION;\n    let url;\n    if (opts?.metadataUrl) {\n        url = new URL(opts.metadataUrl);\n    }\n    else {\n        // Try path-aware discovery first\n        const wellKnownPath = buildWellKnownPath(wellKnownType, issuer.pathname);\n        url = new URL(wellKnownPath, opts?.metadataServerUrl ?? issuer);\n        url.search = issuer.search;\n    }\n    let response = await tryMetadataDiscovery(url, protocolVersion, fetchFn);\n    // If path-aware discovery fails with 404 and we're not already at root, try fallback to root discovery\n    if (!opts?.metadataUrl && shouldAttemptFallback(response, issuer.pathname)) {\n        const rootUrl = new URL(`/.well-known/${wellKnownType}`, issuer);\n        response = await tryMetadataDiscovery(rootUrl, protocolVersion, fetchFn);\n    }\n    return response;\n}\n/**\n * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata.\n *\n * If the server returns a 404 for the well-known endpoint, this function will\n * return `undefined`. Any other errors will be thrown as exceptions.\n *\n * @deprecated This function is deprecated in favor of `discoverAuthorizationServerMetadata`.\n */\nexport async function discoverOAuthMetadata(issuer, { authorizationServerUrl, protocolVersion } = {}, fetchFn = fetch) {\n    if (typeof issuer === 'string') {\n        issuer = new URL(issuer);\n    }\n    if (!authorizationServerUrl) {\n        authorizationServerUrl = issuer;\n    }\n    if (typeof authorizationServerUrl === 'string') {\n        authorizationServerUrl = new URL(authorizationServerUrl);\n    }\n    protocolVersion ?? (protocolVersion = LATEST_PROTOCOL_VERSION);\n    const response = await discoverMetadataWithFallback(authorizationServerUrl, 'oauth-authorization-server', fetchFn, {\n        protocolVersion,\n        metadataServerUrl: authorizationServerUrl\n    });\n    if (!response || response.status === 404) {\n        await response?.body?.cancel();\n        return undefined;\n    }\n    if (!response.ok) {\n        await response.body?.cancel();\n        throw new Error(`HTTP ${response.status} trying to load well-known OAuth metadata`);\n    }\n    return OAuthMetadataSchema.parse(await response.json());\n}\n/**\n * Builds a list of discovery URLs to try for authorization server metadata.\n * URLs are returned in priority order:\n * 1. OAuth metadata at the given URL\n * 2. OIDC metadata endpoints at the given URL\n */\nexport function buildDiscoveryUrls(authorizationServerUrl) {\n    const url = typeof authorizationServerUrl === 'string' ? new URL(authorizationServerUrl) : authorizationServerUrl;\n    const hasPath = url.pathname !== '/';\n    const urlsToTry = [];\n    if (!hasPath) {\n        // Root path: https://example.com/.well-known/oauth-authorization-server\n        urlsToTry.push({\n            url: new URL('/.well-known/oauth-authorization-server', url.origin),\n            type: 'oauth'\n        });\n        // OIDC: https://example.com/.well-known/openid-configuration\n        urlsToTry.push({\n            url: new URL(`/.well-known/openid-configuration`, url.origin),\n            type: 'oidc'\n        });\n        return urlsToTry;\n    }\n    // Strip trailing slash from pathname to avoid double slashes\n    let pathname = url.pathname;\n    if (pathname.endsWith('/')) {\n        pathname = pathname.slice(0, -1);\n    }\n    // 1. OAuth metadata at the given URL\n    // Insert well-known before the path: https://example.com/.well-known/oauth-authorization-server/tenant1\n    urlsToTry.push({\n        url: new URL(`/.well-known/oauth-authorization-server${pathname}`, url.origin),\n        type: 'oauth'\n    });\n    // 2. OIDC metadata endpoints\n    // RFC 8414 style: Insert /.well-known/openid-configuration before the path\n    urlsToTry.push({\n        url: new URL(`/.well-known/openid-configuration${pathname}`, url.origin),\n        type: 'oidc'\n    });\n    // OIDC Discovery 1.0 style: Append /.well-known/openid-configuration after the path\n    urlsToTry.push({\n        url: new URL(`${pathname}/.well-known/openid-configuration`, url.origin),\n        type: 'oidc'\n    });\n    return urlsToTry;\n}\n/**\n * Discovers authorization server metadata with support for RFC 8414 OAuth 2.0 Authorization Server Metadata\n * and OpenID Connect Discovery 1.0 specifications.\n *\n * This function implements a fallback strategy for authorization server discovery:\n * 1. Attempts RFC 8414 OAuth metadata discovery first\n * 2. If OAuth discovery fails, falls back to OpenID Connect Discovery\n *\n * @param authorizationServerUrl - The authorization server URL obtained from the MCP Server's\n *                                 protected resource metadata, or the MCP server's URL if the\n *                                 metadata was not found.\n * @param options - Configuration options\n * @param options.fetchFn - Optional fetch function for making HTTP requests, defaults to global fetch\n * @param options.protocolVersion - MCP protocol version to use, defaults to LATEST_PROTOCOL_VERSION\n * @returns Promise resolving to authorization server metadata, or undefined if discovery fails\n */\nexport async function discoverAuthorizationServerMetadata(authorizationServerUrl, { fetchFn = fetch, protocolVersion = LATEST_PROTOCOL_VERSION } = {}) {\n    const headers = {\n        'MCP-Protocol-Version': protocolVersion,\n        Accept: 'application/json'\n    };\n    // Get the list of URLs to try\n    const urlsToTry = buildDiscoveryUrls(authorizationServerUrl);\n    // Try each URL in order\n    for (const { url: endpointUrl, type } of urlsToTry) {\n        const response = await fetchWithCorsRetry(endpointUrl, headers, fetchFn);\n        if (!response) {\n            /**\n             * CORS error occurred - don't throw as the endpoint may not allow CORS,\n             * continue trying other possible endpoints\n             */\n            continue;\n        }\n        if (!response.ok) {\n            await response.body?.cancel();\n            // Continue looking for any 4xx response code.\n            if (response.status >= 400 && response.status < 500) {\n                continue; // Try next URL\n            }\n            throw new Error(`HTTP ${response.status} trying to load ${type === 'oauth' ? 'OAuth' : 'OpenID provider'} metadata from ${endpointUrl}`);\n        }\n        // Parse and validate based on type\n        if (type === 'oauth') {\n            return OAuthMetadataSchema.parse(await response.json());\n        }\n        else {\n            return OpenIdProviderDiscoveryMetadataSchema.parse(await response.json());\n        }\n    }\n    return undefined;\n}\n/**\n * Begins the authorization flow with the given server, by generating a PKCE challenge and constructing the authorization URL.\n */\nexport async function startAuthorization(authorizationServerUrl, { metadata, clientInformation, redirectUrl, scope, state, resource }) {\n    let authorizationUrl;\n    if (metadata) {\n        authorizationUrl = new URL(metadata.authorization_endpoint);\n        if (!metadata.response_types_supported.includes(AUTHORIZATION_CODE_RESPONSE_TYPE)) {\n            throw new Error(`Incompatible auth server: does not support response type ${AUTHORIZATION_CODE_RESPONSE_TYPE}`);\n        }\n        if (metadata.code_challenge_methods_supported &&\n            !metadata.code_challenge_methods_supported.includes(AUTHORIZATION_CODE_CHALLENGE_METHOD)) {\n            throw new Error(`Incompatible auth server: does not support code challenge method ${AUTHORIZATION_CODE_CHALLENGE_METHOD}`);\n        }\n    }\n    else {\n        authorizationUrl = new URL('/authorize', authorizationServerUrl);\n    }\n    // Generate PKCE challenge\n    const challenge = await pkceChallenge();\n    const codeVerifier = challenge.code_verifier;\n    const codeChallenge = challenge.code_challenge;\n    authorizationUrl.searchParams.set('response_type', AUTHORIZATION_CODE_RESPONSE_TYPE);\n    authorizationUrl.searchParams.set('client_id', clientInformation.client_id);\n    authorizationUrl.searchParams.set('code_challenge', codeChallenge);\n    authorizationUrl.searchParams.set('code_challenge_method', AUTHORIZATION_CODE_CHALLENGE_METHOD);\n    authorizationUrl.searchParams.set('redirect_uri', String(redirectUrl));\n    if (state) {\n        authorizationUrl.searchParams.set('state', state);\n    }\n    if (scope) {\n        authorizationUrl.searchParams.set('scope', scope);\n    }\n    if (scope?.includes('offline_access')) {\n        // if the request includes the OIDC-only \"offline_access\" scope,\n        // we need to set the prompt to \"consent\" to ensure the user is prompted to grant offline access\n        // https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess\n        authorizationUrl.searchParams.append('prompt', 'consent');\n    }\n    if (resource) {\n        authorizationUrl.searchParams.set('resource', resource.href);\n    }\n    return { authorizationUrl, codeVerifier };\n}\n/**\n * Prepares token request parameters for an authorization code exchange.\n *\n * This is the default implementation used by fetchToken when the provider\n * doesn't implement prepareTokenRequest.\n *\n * @param authorizationCode - The authorization code received from the authorization endpoint\n * @param codeVerifier - The PKCE code verifier\n * @param redirectUri - The redirect URI used in the authorization request\n * @returns URLSearchParams for the authorization_code grant\n */\nexport function prepareAuthorizationCodeRequest(authorizationCode, codeVerifier, redirectUri) {\n    return new URLSearchParams({\n        grant_type: 'authorization_code',\n        code: authorizationCode,\n        code_verifier: codeVerifier,\n        redirect_uri: String(redirectUri)\n    });\n}\n/**\n * Internal helper to execute a token request with the given parameters.\n * Used by exchangeAuthorization, refreshAuthorization, and fetchToken.\n */\nasync function executeTokenRequest(authorizationServerUrl, { metadata, tokenRequestParams, clientInformation, addClientAuthentication, resource, fetchFn }) {\n    const tokenUrl = metadata?.token_endpoint ? new URL(metadata.token_endpoint) : new URL('/token', authorizationServerUrl);\n    const headers = new Headers({\n        'Content-Type': 'application/x-www-form-urlencoded',\n        Accept: 'application/json'\n    });\n    if (resource) {\n        tokenRequestParams.set('resource', resource.href);\n    }\n    if (addClientAuthentication) {\n        await addClientAuthentication(headers, tokenRequestParams, tokenUrl, metadata);\n    }\n    else if (clientInformation) {\n        const supportedMethods = metadata?.token_endpoint_auth_methods_supported ?? [];\n        const authMethod = selectClientAuthMethod(clientInformation, supportedMethods);\n        applyClientAuthentication(authMethod, clientInformation, headers, tokenRequestParams);\n    }\n    const response = await (fetchFn ?? fetch)(tokenUrl, {\n        method: 'POST',\n        headers,\n        body: tokenRequestParams\n    });\n    if (!response.ok) {\n        throw await parseErrorResponse(response);\n    }\n    return OAuthTokensSchema.parse(await response.json());\n}\n/**\n * Exchanges an authorization code for an access token with the given server.\n *\n * Supports multiple client authentication methods as specified in OAuth 2.1:\n * - Automatically selects the best authentication method based on server support\n * - Falls back to appropriate defaults when server metadata is unavailable\n *\n * @param authorizationServerUrl - The authorization server's base URL\n * @param options - Configuration object containing client info, auth code, etc.\n * @returns Promise resolving to OAuth tokens\n * @throws {Error} When token exchange fails or authentication is invalid\n */\nexport async function exchangeAuthorization(authorizationServerUrl, { metadata, clientInformation, authorizationCode, codeVerifier, redirectUri, resource, addClientAuthentication, fetchFn }) {\n    const tokenRequestParams = prepareAuthorizationCodeRequest(authorizationCode, codeVerifier, redirectUri);\n    return executeTokenRequest(authorizationServerUrl, {\n        metadata,\n        tokenRequestParams,\n        clientInformation,\n        addClientAuthentication,\n        resource,\n        fetchFn\n    });\n}\n/**\n * Exchange a refresh token for an updated access token.\n *\n * Supports multiple client authentication methods as specified in OAuth 2.1:\n * - Automatically selects the best authentication method based on server support\n * - Preserves the original refresh token if a new one is not returned\n *\n * @param authorizationServerUrl - The authorization server's base URL\n * @param options - Configuration object containing client info, refresh token, etc.\n * @returns Promise resolving to OAuth tokens (preserves original refresh_token if not replaced)\n * @throws {Error} When token refresh fails or authentication is invalid\n */\nexport async function refreshAuthorization(authorizationServerUrl, { metadata, clientInformation, refreshToken, resource, addClientAuthentication, fetchFn }) {\n    const tokenRequestParams = new URLSearchParams({\n        grant_type: 'refresh_token',\n        refresh_token: refreshToken\n    });\n    const tokens = await executeTokenRequest(authorizationServerUrl, {\n        metadata,\n        tokenRequestParams,\n        clientInformation,\n        addClientAuthentication,\n        resource,\n        fetchFn\n    });\n    // Preserve original refresh token if server didn't return a new one\n    return { refresh_token: refreshToken, ...tokens };\n}\n/**\n * Unified token fetching that works with any grant type via provider.prepareTokenRequest().\n *\n * This function provides a single entry point for obtaining tokens regardless of the\n * OAuth grant type. The provider's prepareTokenRequest() method determines which grant\n * to use and supplies the grant-specific parameters.\n *\n * @param provider - OAuth client provider that implements prepareTokenRequest()\n * @param authorizationServerUrl - The authorization server's base URL\n * @param options - Configuration for the token request\n * @returns Promise resolving to OAuth tokens\n * @throws {Error} When provider doesn't implement prepareTokenRequest or token fetch fails\n *\n * @example\n * // Provider for client_credentials:\n * class MyProvider implements OAuthClientProvider {\n *   prepareTokenRequest(scope) {\n *     const params = new URLSearchParams({ grant_type: 'client_credentials' });\n *     if (scope) params.set('scope', scope);\n *     return params;\n *   }\n *   // ... other methods\n * }\n *\n * const tokens = await fetchToken(provider, authServerUrl, { metadata });\n */\nexport async function fetchToken(provider, authorizationServerUrl, { metadata, resource, authorizationCode, fetchFn } = {}) {\n    const scope = provider.clientMetadata.scope;\n    // Use provider's prepareTokenRequest if available, otherwise fall back to authorization_code\n    let tokenRequestParams;\n    if (provider.prepareTokenRequest) {\n        tokenRequestParams = await provider.prepareTokenRequest(scope);\n    }\n    // Default to authorization_code grant if no custom prepareTokenRequest\n    if (!tokenRequestParams) {\n        if (!authorizationCode) {\n            throw new Error('Either provider.prepareTokenRequest() or authorizationCode is required');\n        }\n        if (!provider.redirectUrl) {\n            throw new Error('redirectUrl is required for authorization_code flow');\n        }\n        const codeVerifier = await provider.codeVerifier();\n        tokenRequestParams = prepareAuthorizationCodeRequest(authorizationCode, codeVerifier, provider.redirectUrl);\n    }\n    const clientInformation = await provider.clientInformation();\n    return executeTokenRequest(authorizationServerUrl, {\n        metadata,\n        tokenRequestParams,\n        clientInformation: clientInformation ?? undefined,\n        addClientAuthentication: provider.addClientAuthentication,\n        resource,\n        fetchFn\n    });\n}\n/**\n * Performs OAuth 2.0 Dynamic Client Registration according to RFC 7591.\n */\nexport async function registerClient(authorizationServerUrl, { metadata, clientMetadata, fetchFn }) {\n    let registrationUrl;\n    if (metadata) {\n        if (!metadata.registration_endpoint) {\n            throw new Error('Incompatible auth server: does not support dynamic client registration');\n        }\n        registrationUrl = new URL(metadata.registration_endpoint);\n    }\n    else {\n        registrationUrl = new URL('/register', authorizationServerUrl);\n    }\n    const response = await (fetchFn ?? fetch)(registrationUrl, {\n        method: 'POST',\n        headers: {\n            'Content-Type': 'application/json'\n        },\n        body: JSON.stringify(clientMetadata)\n    });\n    if (!response.ok) {\n        throw await parseErrorResponse(response);\n    }\n    return OAuthClientInformationFullSchema.parse(await response.json());\n}\n//# sourceMappingURL=auth.js.map"],"names":[],"mappings":";;;;;;AAMO,MAAM,iBAAiB,SAAS,KAAK,CAAC;AAC7C,IAAI,WAAW,CAAC,OAAO,EAAE;AACzB,QAAQ,KAAK,CAAC,OAAO,IAAI,cAAc,CAAC;AACxC,IAAI;AACJ;AACA,SAAS,kBAAkB,CAAC,MAAM,EAAE;AACpC,IAAI,OAAO,CAAC,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;AACjF;AACA,MAAM,gCAAgC,GAAG,MAAM;AAC/C,MAAM,mCAAmC,GAAG,MAAM;AAClD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAAS,sBAAsB,CAAC,iBAAiB,EAAE,gBAAgB,EAAE;AAC5E,IAAI,MAAM,eAAe,GAAG,iBAAiB,CAAC,aAAa,KAAK,SAAS;AACzE;AACA,IAAI,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE;AACvC,QAAQ,OAAO,eAAe,GAAG,oBAAoB,GAAG,MAAM;AAC9D,IAAI;AACJ;AACA,IAAI,IAAI,4BAA4B,IAAI,iBAAiB;AACzD,QAAQ,iBAAiB,CAAC,0BAA0B;AACpD,QAAQ,kBAAkB,CAAC,iBAAiB,CAAC,0BAA0B,CAAC;AACxE,QAAQ,gBAAgB,CAAC,QAAQ,CAAC,iBAAiB,CAAC,0BAA0B,CAAC,EAAE;AACjF,QAAQ,OAAO,iBAAiB,CAAC,0BAA0B;AAC3D,IAAI;AACJ;AACA,IAAI,IAAI,eAAe,IAAI,gBAAgB,CAAC,QAAQ,CAAC,qBAAqB,CAAC,EAAE;AAC7E,QAAQ,OAAO,qBAAqB;AACpC,IAAI;AACJ,IAAI,IAAI,eAAe,IAAI,gBAAgB,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE;AAC5E,QAAQ,OAAO,oBAAoB;AACnC,IAAI;AACJ,IAAI,IAAI,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE;AAC3C,QAAQ,OAAO,MAAM;AACrB,IAAI;AACJ;AACA,IAAI,OAAO,eAAe,GAAG,oBAAoB,GAAG,MAAM;AAC1D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,yBAAyB,CAAC,MAAM,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,EAAE;AAC/E,IAAI,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,iBAAiB;AAC1D,IAAI,QAAQ,MAAM;AAClB,QAAQ,KAAK,qBAAqB;AAClC,YAAY,cAAc,CAAC,SAAS,EAAE,aAAa,EAAE,OAAO,CAAC;AAC7D,YAAY;AACZ,QAAQ,KAAK,oBAAoB;AACjC,YAAY,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,MAAM,CAAC;AAC3D,YAAY;AACZ,QAAQ,KAAK,MAAM;AACnB,YAAY,eAAe,CAAC,SAAS,EAAE,MAAM,CAAC;AAC9C,YAAY;AACZ,QAAQ;AACR,YAAY,MAAM,IAAI,KAAK,CAAC,CAAC,0CAA0C,EAAE,MAAM,CAAC,CAAC,CAAC;AAClF;AACA;AACA;AACA;AACA;AACA,SAAS,cAAc,CAAC,QAAQ,EAAE,YAAY,EAAE,OAAO,EAAE;AACzD,IAAI,IAAI,CAAC,YAAY,EAAE;AACvB,QAAQ,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC;AACtF,IAAI;AACJ,IAAI,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC;AAC3D,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC;AACxD;AACA;AACA;AACA;AACA,SAAS,aAAa,CAAC,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE;AACvD,IAAI,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC;AACrC,IAAI,IAAI,YAAY,EAAE;AACtB,QAAQ,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC;AACjD,IAAI;AACJ;AACA;AACA;AACA;AACA,SAAS,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE;AAC3C,IAAI,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC;AACrC;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,kBAAkB,CAAC,KAAK,EAAE;AAChD,IAAI,MAAM,UAAU,GAAG,KAAK,YAAY,QAAQ,GAAG,KAAK,CAAC,MAAM,GAAG,SAAS;AAC3E,IAAI,MAAM,IAAI,GAAG,KAAK,YAAY,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,GAAG,KAAK;AACvE,IAAI,IAAI;AACR,QAAQ,MAAM,MAAM,GAAG,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AACvE,QAAQ,MAAM,EAAE,KAAK,EAAE,iBAAiB,EAAE,SAAS,EAAE,GAAG,MAAM;AAC9D,QAAQ,MAAM,UAAU,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,WAAW;AAC7D,QAAQ,OAAO,IAAI,UAAU,CAAC,iBAAiB,IAAI,EAAE,EAAE,SAAS,CAAC;AACjE,IAAI;AACJ,IAAI,OAAO,KAAK,EAAE;AAClB;AACA,QAAQ,MAAM,YAAY,GAAG,CAAC,EAAE,UAAU,GAAG,CAAC,KAAK,EAAE,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,8BAA8B,EAAE,KAAK,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;AACnI,QAAQ,OAAO,IAAI,WAAW,CAAC,YAAY,CAAC;AAC5C,IAAI;AACJ;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE;AAC9C,IAAI,IAAI;AACR,QAAQ,OAAO,MAAM,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC;AACpD,IAAI;AACJ,IAAI,OAAO,KAAK,EAAE;AAClB;AACA,QAAQ,IAAI,KAAK,YAAY,kBAAkB,IAAI,KAAK,YAAY,uBAAuB,EAAE;AAC7F,YAAY,MAAM,QAAQ,CAAC,qBAAqB,GAAG,KAAK,CAAC;AACzD,YAAY,OAAO,MAAM,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC;AACxD,QAAQ;AACR,aAAa,IAAI,KAAK,YAAY,iBAAiB,EAAE;AACrD,YAAY,MAAM,QAAQ,CAAC,qBAAqB,GAAG,QAAQ,CAAC;AAC5D,YAAY,OAAO,MAAM,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC;AACxD,QAAQ;AACR;AACA,QAAQ,MAAM,KAAK;AACnB,IAAI;AACJ;AACA,eAAe,YAAY,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,iBAAiB,EAAE,KAAK,EAAE,mBAAmB,EAAE,OAAO,EAAE,EAAE;AAC7G,IAAI,IAAI,gBAAgB;AACxB,IAAI,IAAI,sBAAsB;AAC9B,IAAI,IAAI;AACR,QAAQ,gBAAgB,GAAG,MAAM,sCAAsC,CAAC,SAAS,EAAE,EAAE,mBAAmB,EAAE,EAAE,OAAO,CAAC;AACpH,QAAQ,IAAI,gBAAgB,CAAC,qBAAqB,IAAI,gBAAgB,CAAC,qBAAqB,CAAC,MAAM,GAAG,CAAC,EAAE;AACzG,YAAY,sBAAsB,GAAG,gBAAgB,CAAC,qBAAqB,CAAC,CAAC,CAAC;AAC9E,QAAQ;AACR,IAAI;AACJ,IAAI,MAAM;AACV;AACA,IAAI;AACJ;AACA;AACA;AACA;AACA,IAAI,IAAI,CAAC,sBAAsB,EAAE;AACjC,QAAQ,sBAAsB,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC;AACxD,IAAI;AACJ,IAAI,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,SAAS,EAAE,QAAQ,EAAE,gBAAgB,CAAC;AACnF,IAAI,MAAM,QAAQ,GAAG,MAAM,mCAAmC,CAAC,sBAAsB,EAAE;AACvF,QAAQ;AACR,KAAK,CAAC;AACN;AACA,IAAI,IAAI,iBAAiB,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,EAAE,CAAC;AAC/E,IAAI,IAAI,CAAC,iBAAiB,EAAE;AAC5B,QAAQ,IAAI,iBAAiB,KAAK,SAAS,EAAE;AAC7C,YAAY,MAAM,IAAI,KAAK,CAAC,qFAAqF,CAAC;AAClH,QAAQ;AACR,QAAQ,MAAM,wBAAwB,GAAG,QAAQ,EAAE,qCAAqC,KAAK,IAAI;AACjG,QAAQ,MAAM,iBAAiB,GAAG,QAAQ,CAAC,iBAAiB;AAC5D,QAAQ,IAAI,iBAAiB,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE;AACjE,YAAY,MAAM,IAAI,0BAA0B,CAAC,CAAC,2EAA2E,EAAE,iBAAiB,CAAC,CAAC,CAAC;AACnJ,QAAQ;AACR,QAAQ,MAAM,yBAAyB,GAAG,wBAAwB,IAAI,iBAAiB;AACvF,QAAQ,IAAI,yBAAyB,EAAE;AACvC;AACA,YAAY,iBAAiB,GAAG;AAChC,gBAAgB,SAAS,EAAE;AAC3B,aAAa;AACb,YAAY,MAAM,QAAQ,CAAC,qBAAqB,GAAG,iBAAiB,CAAC;AACrE,QAAQ;AACR,aAAa;AACb;AACA,YAAY,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE;AACjD,gBAAgB,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC;AACrG,YAAY;AACZ,YAAY,MAAM,eAAe,GAAG,MAAM,cAAc,CAAC,sBAAsB,EAAE;AACjF,gBAAgB,QAAQ;AACxB,gBAAgB,cAAc,EAAE,QAAQ,CAAC,cAAc;AACvD,gBAAgB;AAChB,aAAa,CAAC;AACd,YAAY,MAAM,QAAQ,CAAC,qBAAqB,CAAC,eAAe,CAAC;AACjE,YAAY,iBAAiB,GAAG,eAAe;AAC/C,QAAQ;AACR,IAAI;AACJ;AACA,IAAI,MAAM,kBAAkB,GAAG,CAAC,QAAQ,CAAC,WAAW;AACpD;AACA,IAAI,IAAI,iBAAiB,KAAK,SAAS,IAAI,kBAAkB,EAAE;AAC/D,QAAQ,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,QAAQ,EAAE,sBAAsB,EAAE;AAC1E,YAAY,QAAQ;AACpB,YAAY,QAAQ;AACpB,YAAY,iBAAiB;AAC7B,YAAY;AACZ,SAAS,CAAC;AACV,QAAQ,MAAM,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;AACzC,QAAQ,OAAO,YAAY;AAC3B,IAAI;AACJ,IAAI,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE;AAC1C;AACA,IAAI,IAAI,MAAM,EAAE,aAAa,EAAE;AAC/B,QAAQ,IAAI;AACZ;AACA,YAAY,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,sBAAsB,EAAE;AACjF,gBAAgB,QAAQ;AACxB,gBAAgB,iBAAiB;AACjC,gBAAgB,YAAY,EAAE,MAAM,CAAC,aAAa;AAClD,gBAAgB,QAAQ;AACxB,gBAAgB,uBAAuB,EAAE,QAAQ,CAAC,uBAAuB;AACzE,gBAAgB;AAChB,aAAa,CAAC;AACd,YAAY,MAAM,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC;AAChD,YAAY,OAAO,YAAY;AAC/B,QAAQ;AACR,QAAQ,OAAO,KAAK,EAAE;AACtB;AACA,YAAY,IAAI,EAAE,KAAK,YAAY,UAAU,CAAC,IAAI,KAAK,YAAY,WAAW,EAAE;AAGhF,iBAAiB;AACjB;AACA,gBAAgB,MAAM,KAAK;AAC3B,YAAY;AACZ,QAAQ;AACR,IAAI;AACJ,IAAI,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,GAAG,MAAM,QAAQ,CAAC,KAAK,EAAE,GAAG,SAAS;AACrE;AACA,IAAI,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAAG,MAAM,kBAAkB,CAAC,sBAAsB,EAAE;AAChG,QAAQ,QAAQ;AAChB,QAAQ,iBAAiB;AACzB,QAAQ,KAAK;AACb,QAAQ,WAAW,EAAE,QAAQ,CAAC,WAAW;AACzC,QAAQ,KAAK,EAAE,KAAK,IAAI,gBAAgB,EAAE,gBAAgB,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,cAAc,CAAC,KAAK;AACtG,QAAQ;AACR,KAAK,CAAC;AACN,IAAI,MAAM,QAAQ,CAAC,gBAAgB,CAAC,YAAY,CAAC;AACjD,IAAI,MAAM,QAAQ,CAAC,uBAAuB,CAAC,gBAAgB,CAAC;AAC5D,IAAI,OAAO,UAAU;AACrB;AACA;AACA;AACA;AACA;AACO,SAAS,UAAU,CAAC,KAAK,EAAE;AAClC,IAAI,IAAI,CAAC,KAAK;AACd,QAAQ,OAAO,KAAK;AACpB,IAAI,IAAI;AACR,QAAQ,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC;AAClC,QAAQ,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG;AAChE,IAAI;AACJ,IAAI,MAAM;AACV,QAAQ,OAAO,KAAK;AACpB,IAAI;AACJ;AACO,eAAe,iBAAiB,CAAC,SAAS,EAAE,QAAQ,EAAE,gBAAgB,EAAE;AAC/E,IAAI,MAAM,eAAe,GAAG,wBAAwB,CAAC,SAAS,CAAC;AAC/D;AACA,IAAI,IAAI,QAAQ,CAAC,mBAAmB,EAAE;AACtC,QAAQ,OAAO,MAAM,QAAQ,CAAC,mBAAmB,CAAC,eAAe,EAAE,gBAAgB,EAAE,QAAQ,CAAC;AAC9F,IAAI;AACJ;AACA,IAAI,IAAI,CAAC,gBAAgB,EAAE;AAC3B,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ;AACA,IAAI,IAAI,CAAC,oBAAoB,CAAC,EAAE,iBAAiB,EAAE,eAAe,EAAE,kBAAkB,EAAE,gBAAgB,CAAC,QAAQ,EAAE,CAAC,EAAE;AACtH,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,mBAAmB,EAAE,gBAAgB,CAAC,QAAQ,CAAC,yBAAyB,EAAE,eAAe,CAAC,YAAY,CAAC,CAAC;AACjI,IAAI;AACJ;AACA,IAAI,OAAO,IAAI,GAAG,CAAC,gBAAgB,CAAC,QAAQ,CAAC;AAC7C;AACA;AACA;AACA;AACO,SAAS,4BAA4B,CAAC,GAAG,EAAE;AAClD,IAAI,MAAM,kBAAkB,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;AAClE,IAAI,IAAI,CAAC,kBAAkB,EAAE;AAC7B,QAAQ,OAAO,EAAE;AACjB,IAAI;AACJ,IAAI,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,GAAG,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC;AACxD,IAAI,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,QAAQ,IAAI,CAAC,MAAM,EAAE;AACpD,QAAQ,OAAO,EAAE;AACjB,IAAI;AACJ,IAAI,MAAM,qBAAqB,GAAG,uBAAuB,CAAC,GAAG,EAAE,mBAAmB,CAAC,IAAI,SAAS;AAChG,IAAI,IAAI,mBAAmB;AAC3B,IAAI,IAAI,qBAAqB,EAAE;AAC/B,QAAQ,IAAI;AACZ,YAAY,mBAAmB,GAAG,IAAI,GAAG,CAAC,qBAAqB,CAAC;AAChE,QAAQ;AACR,QAAQ,MAAM;AACd;AACA,QAAQ;AACR,IAAI;AACJ,IAAI,MAAM,KAAK,GAAG,uBAAuB,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,SAAS;AACpE,IAAI,MAAM,KAAK,GAAG,uBAAuB,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,SAAS;AACpE,IAAI,OAAO;AACX,QAAQ,mBAAmB;AAC3B,QAAQ,KAAK;AACb,QAAQ;AACR,KAAK;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,SAAS,uBAAuB,CAAC,QAAQ,EAAE,SAAS,EAAE;AACtD,IAAI,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;AAClE,IAAI,IAAI,CAAC,aAAa,EAAE;AACxB,QAAQ,OAAO,IAAI;AACnB,IAAI;AACJ,IAAI,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,CAAC,EAAE,SAAS,CAAC,yBAAyB,CAAC,CAAC;AACvE,IAAI,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC;AAC9C,IAAI,IAAI,KAAK,EAAE;AACf;AACA,QAAQ,OAAO,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC;AACnC,IAAI;AACJ,IAAI,OAAO,IAAI;AACf;AA0BA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,sCAAsC,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,GAAG,KAAK,EAAE;AAC/F,IAAI,MAAM,QAAQ,GAAG,MAAM,4BAA4B,CAAC,SAAS,EAAE,0BAA0B,EAAE,OAAO,EAAE;AACxG,QAAQ,eAAe,EAAE,IAAI,EAAE,eAAe;AAC9C,QAAQ,WAAW,EAAE,IAAI,EAAE;AAC3B,KAAK,CAAC;AACN,IAAI,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;AAC9C,QAAQ,MAAM,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE;AACtC,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,yEAAyE,CAAC,CAAC;AACpG,IAAI;AACJ,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AACtB,QAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE;AACrC,QAAQ,MAAM,IAAI,KAAK,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,6DAA6D,CAAC,CAAC;AAC/G,IAAI;AACJ,IAAI,OAAO,oCAAoC,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AAC5E;AACA;AACA;AACA;AACA,eAAe,kBAAkB,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,GAAG,KAAK,EAAE;AACjE,IAAI,IAAI;AACR,QAAQ,OAAO,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC;AAC9C,IAAI;AACJ,IAAI,OAAO,KAAK,EAAE;AAClB,QAAQ,IAAI,KAAK,YAAY,SAAS,EAAE;AACxC,YAAY,IAAI,OAAO,EAAE;AACzB;AACA,gBAAgB,OAAO,kBAAkB,CAAC,GAAG,EAAE,SAAS,EAAE,OAAO,CAAC;AAClE,YAAY;AACZ,iBAAiB;AACjB;AACA,gBAAgB,OAAO,SAAS;AAChC,YAAY;AACZ,QAAQ;AACR,QAAQ,MAAM,KAAK;AACnB,IAAI;AACJ;AACA;AACA;AACA;AACA,SAAS,kBAAkB,CAAC,eAAe,EAAE,QAAQ,GAAG,EAAE,EAAE,OAAO,GAAG,EAAE,EAAE;AAC1E;AACA,IAAI,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;AAChC,QAAQ,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;AACxC,IAAI;AACJ,IAAI,OAAO,OAAO,CAAC,eAAe,GAAG,CAAC,EAAE,QAAQ,CAAC,aAAa,EAAE,eAAe,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,eAAe,CAAC,EAAE,QAAQ,CAAC,CAAC;AAChI;AACA;AACA;AACA;AACA,eAAe,oBAAoB,CAAC,GAAG,EAAE,eAAe,EAAE,OAAO,GAAG,KAAK,EAAE;AAC3E,IAAI,MAAM,OAAO,GAAG;AACpB,QAAQ,sBAAsB,EAAE;AAChC,KAAK;AACL,IAAI,OAAO,MAAM,kBAAkB,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC;AAC1D;AACA;AACA;AACA;AACA,SAAS,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,EAAE;AACnD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,IAAI,QAAQ,KAAK,GAAG,CAAC;AAC7F;AACA;AACA;AACA;AACA,eAAe,4BAA4B,CAAC,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,IAAI,EAAE;AACrF,IAAI,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC;AACrC,IAAI,MAAM,eAAe,GAAG,IAAI,EAAE,eAAe,IAAI,uBAAuB;AAC5E,IAAI,IAAI,GAAG;AACX,IAAI,IAAI,IAAI,EAAE,WAAW,EAAE;AAC3B,QAAQ,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC;AACvC,IAAI;AACJ,SAAS;AACT;AACA,QAAQ,MAAM,aAAa,GAAG,kBAAkB,CAAC,aAAa,EAAE,MAAM,CAAC,QAAQ,CAAC;AAChF,QAAQ,GAAG,GAAG,IAAI,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,iBAAiB,IAAI,MAAM,CAAC;AACvE,QAAQ,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM;AAClC,IAAI;AACJ,IAAI,IAAI,QAAQ,GAAG,MAAM,oBAAoB,CAAC,GAAG,EAAE,eAAe,EAAE,OAAO,CAAC;AAC5E;AACA,IAAI,IAAI,CAAC,IAAI,EAAE,WAAW,IAAI,qBAAqB,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE;AAChF,QAAQ,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC,EAAE,MAAM,CAAC;AACxE,QAAQ,QAAQ,GAAG,MAAM,oBAAoB,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC;AAChF,IAAI;AACJ,IAAI,OAAO,QAAQ;AACnB;AAkCA;AACA;AACA;AACA;AACA;AACA;AACO,SAAS,kBAAkB,CAAC,sBAAsB,EAAE;AAC3D,IAAI,MAAM,GAAG,GAAG,OAAO,sBAAsB,KAAK,QAAQ,GAAG,IAAI,GAAG,CAAC,sBAAsB,CAAC,GAAG,sBAAsB;AACrH,IAAI,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG;AACxC,IAAI,MAAM,SAAS,GAAG,EAAE;AACxB,IAAI,IAAI,CAAC,OAAO,EAAE;AAClB;AACA,QAAQ,SAAS,CAAC,IAAI,CAAC;AACvB,YAAY,GAAG,EAAE,IAAI,GAAG,CAAC,yCAAyC,EAAE,GAAG,CAAC,MAAM,CAAC;AAC/E,YAAY,IAAI,EAAE;AAClB,SAAS,CAAC;AACV;AACA,QAAQ,SAAS,CAAC,IAAI,CAAC;AACvB,YAAY,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,iCAAiC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC;AACzE,YAAY,IAAI,EAAE;AAClB,SAAS,CAAC;AACV,QAAQ,OAAO,SAAS;AACxB,IAAI;AACJ;AACA,IAAI,IAAI,QAAQ,GAAG,GAAG,CAAC,QAAQ;AAC/B,IAAI,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;AAChC,QAAQ,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;AACxC,IAAI;AACJ;AACA;AACA,IAAI,SAAS,CAAC,IAAI,CAAC;AACnB,QAAQ,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,uCAAuC,EAAE,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC;AACtF,QAAQ,IAAI,EAAE;AACd,KAAK,CAAC;AACN;AACA;AACA,IAAI,SAAS,CAAC,IAAI,CAAC;AACnB,QAAQ,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,iCAAiC,EAAE,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC;AAChF,QAAQ,IAAI,EAAE;AACd,KAAK,CAAC;AACN;AACA,IAAI,SAAS,CAAC,IAAI,CAAC;AACnB,QAAQ,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,iCAAiC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC;AAChF,QAAQ,IAAI,EAAE;AACd,KAAK,CAAC;AACN,IAAI,OAAO,SAAS;AACpB;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,mCAAmC,CAAC,sBAAsB,EAAE,EAAE,OAAO,GAAG,KAAK,EAAE,eAAe,GAAG,uBAAuB,EAAE,GAAG,EAAE,EAAE;AACvJ,IAAI,MAAM,OAAO,GAAG;AACpB,QAAQ,sBAAsB,EAAE,eAAe;AAC/C,QAAQ,MAAM,EAAE;AAChB,KAAK;AACL;AACA,IAAI,MAAM,SAAS,GAAG,kBAAkB,CAAC,sBAAsB,CAAC;AAChE;AACA,IAAI,KAAK,MAAM,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,SAAS,EAAE;AACxD,QAAQ,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC;AAChF,QAAQ,IAAI,CAAC,QAAQ,EAAE;AACvB;AACA;AACA;AACA;AACA,YAAY;AACZ,QAAQ;AACR,QAAQ,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AAC1B,YAAY,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE;AACzC;AACA,YAAY,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,EAAE;AACjE,gBAAgB,SAAS;AACzB,YAAY;AACZ,YAAY,MAAM,IAAI,KAAK,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,gBAAgB,EAAE,IAAI,KAAK,OAAO,GAAG,OAAO,GAAG,iBAAiB,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC,CAAC;AACpJ,QAAQ;AACR;AACA,QAAQ,IAAI,IAAI,KAAK,OAAO,EAAE;AAC9B,YAAY,OAAO,mBAAmB,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AACnE,QAAQ;AACR,aAAa;AACb,YAAY,OAAO,qCAAqC,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AACrF,QAAQ;AACR,IAAI;AACJ,IAAI,OAAO,SAAS;AACpB;AACA;AACA;AACA;AACO,eAAe,kBAAkB,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;AACvI,IAAI,IAAI,gBAAgB;AACxB,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,gBAAgB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC;AACnE,QAAQ,IAAI,CAAC,QAAQ,CAAC,wBAAwB,CAAC,QAAQ,CAAC,gCAAgC,CAAC,EAAE;AAC3F,YAAY,MAAM,IAAI,KAAK,CAAC,CAAC,yDAAyD,EAAE,gCAAgC,CAAC,CAAC,CAAC;AAC3H,QAAQ;AACR,QAAQ,IAAI,QAAQ,CAAC,gCAAgC;AACrD,YAAY,CAAC,QAAQ,CAAC,gCAAgC,CAAC,QAAQ,CAAC,mCAAmC,CAAC,EAAE;AACtG,YAAY,MAAM,IAAI,KAAK,CAAC,CAAC,iEAAiE,EAAE,mCAAmC,CAAC,CAAC,CAAC;AACtI,QAAQ;AACR,IAAI;AACJ,SAAS;AACT,QAAQ,gBAAgB,GAAG,IAAI,GAAG,CAAC,YAAY,EAAE,sBAAsB,CAAC;AACxE,IAAI;AACJ;AACA,IAAI,MAAM,SAAS,GAAG,MAAM,aAAa,EAAE;AAC3C,IAAI,MAAM,YAAY,GAAG,SAAS,CAAC,aAAa;AAChD,IAAI,MAAM,aAAa,GAAG,SAAS,CAAC,cAAc;AAClD,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,gCAAgC,CAAC;AACxF,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,iBAAiB,CAAC,SAAS,CAAC;AAC/E,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC;AACtE,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,mCAAmC,CAAC;AACnG,IAAI,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;AAC1E,IAAI,IAAI,KAAK,EAAE;AACf,QAAQ,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC;AACzD,IAAI;AACJ,IAAI,IAAI,KAAK,EAAE;AACf,QAAQ,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC;AACzD,IAAI;AACJ,IAAI,IAAI,KAAK,EAAE,QAAQ,CAAC,gBAAgB,CAAC,EAAE;AAC3C;AACA;AACA;AACA,QAAQ,gBAAgB,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC;AACjE,IAAI;AACJ,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,gBAAgB,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC;AACpE,IAAI;AACJ,IAAI,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE;AAC7C;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAAS,+BAA+B,CAAC,iBAAiB,EAAE,YAAY,EAAE,WAAW,EAAE;AAC9F,IAAI,OAAO,IAAI,eAAe,CAAC;AAC/B,QAAQ,UAAU,EAAE,oBAAoB;AACxC,QAAQ,IAAI,EAAE,iBAAiB;AAC/B,QAAQ,aAAa,EAAE,YAAY;AACnC,QAAQ,YAAY,EAAE,MAAM,CAAC,WAAW;AACxC,KAAK,CAAC;AACN;AACA;AACA;AACA;AACA;AACA,eAAe,mBAAmB,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE;AAC5J,IAAI,MAAM,QAAQ,GAAG,QAAQ,EAAE,cAAc,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,sBAAsB,CAAC;AAC5H,IAAI,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;AAChC,QAAQ,cAAc,EAAE,mCAAmC;AAC3D,QAAQ,MAAM,EAAE;AAChB,KAAK,CAAC;AACN,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,kBAAkB,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC;AACzD,IAAI;AACJ,IAAI,IAAI,uBAAuB,EAAE;AACjC,QAAQ,MAAM,uBAAuB,CAAC,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,QAAQ,CAAC;AACtF,IAAI;AACJ,SAAS,IAAI,iBAAiB,EAAE;AAChC,QAAQ,MAAM,gBAAgB,GAAG,QAAQ,EAAE,qCAAqC,IAAI,EAAE;AACtF,QAAQ,MAAM,UAAU,GAAG,sBAAsB,CAAC,iBAAiB,EAAE,gBAAgB,CAAC;AACtF,QAAQ,yBAAyB,CAAC,UAAU,EAAE,iBAAiB,EAAE,OAAO,EAAE,kBAAkB,CAAC;AAC7F,IAAI;AACJ,IAAI,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,IAAI,KAAK,EAAE,QAAQ,EAAE;AACxD,QAAQ,MAAM,EAAE,MAAM;AACtB,QAAQ,OAAO;AACf,QAAQ,IAAI,EAAE;AACd,KAAK,CAAC;AACN,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AACtB,QAAQ,MAAM,MAAM,kBAAkB,CAAC,QAAQ,CAAC;AAChD,IAAI;AACJ,IAAI,OAAO,iBAAiB,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AACzD;AAwBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,oBAAoB,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,iBAAiB,EAAE,YAAY,EAAE,QAAQ,EAAE,uBAAuB,EAAE,OAAO,EAAE,EAAE;AAC9J,IAAI,MAAM,kBAAkB,GAAG,IAAI,eAAe,CAAC;AACnD,QAAQ,UAAU,EAAE,eAAe;AACnC,QAAQ,aAAa,EAAE;AACvB,KAAK,CAAC;AACN,IAAI,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,sBAAsB,EAAE;AACrE,QAAQ,QAAQ;AAChB,QAAQ,kBAAkB;AAC1B,QAAQ,iBAAiB;AACzB,QAAQ,uBAAuB;AAC/B,QAAQ,QAAQ;AAChB,QAAQ;AACR,KAAK,CAAC;AACN;AACA,IAAI,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,MAAM,EAAE;AACrD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,eAAe,UAAU,CAAC,QAAQ,EAAE,sBAAsB,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE;AAC5H,IAAI,MAAM,KAAK,GAAG,QAAQ,CAAC,cAAc,CAAC,KAAK;AAC/C;AACA,IAAI,IAAI,kBAAkB;AAC1B,IAAI,IAAI,QAAQ,CAAC,mBAAmB,EAAE;AACtC,QAAQ,kBAAkB,GAAG,MAAM,QAAQ,CAAC,mBAAmB,CAAC,KAAK,CAAC;AACtE,IAAI;AACJ;AACA,IAAI,IAAI,CAAC,kBAAkB,EAAE;AAC7B,QAAQ,IAAI,CAAC,iBAAiB,EAAE;AAChC,YAAY,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC;AACrG,QAAQ;AACR,QAAQ,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE;AACnC,YAAY,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC;AAClF,QAAQ;AACR,QAAQ,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE;AAC1D,QAAQ,kBAAkB,GAAG,+BAA+B,CAAC,iBAAiB,EAAE,YAAY,EAAE,QAAQ,CAAC,WAAW,CAAC;AACnH,IAAI;AACJ,IAAI,MAAM,iBAAiB,GAAG,MAAM,QAAQ,CAAC,iBAAiB,EAAE;AAChE,IAAI,OAAO,mBAAmB,CAAC,sBAAsB,EAAE;AACvD,QAAQ,QAAQ;AAChB,QAAQ,kBAAkB;AAC1B,QAAQ,iBAAiB,EAAE,iBAAiB,IAAI,SAAS;AACzD,QAAQ,uBAAuB,EAAE,QAAQ,CAAC,uBAAuB;AACjE,QAAQ,QAAQ;AAChB,QAAQ;AACR,KAAK,CAAC;AACN;AACA;AACA;AACA;AACO,eAAe,cAAc,CAAC,sBAAsB,EAAE,EAAE,QAAQ,EAAE,cAAc,EAAE,OAAO,EAAE,EAAE;AACpG,IAAI,IAAI,eAAe;AACvB,IAAI,IAAI,QAAQ,EAAE;AAClB,QAAQ,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE;AAC7C,YAAY,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC;AACrG,QAAQ;AACR,QAAQ,eAAe,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,qBAAqB,CAAC;AACjE,IAAI;AACJ,SAAS;AACT,QAAQ,eAAe,GAAG,IAAI,GAAG,CAAC,WAAW,EAAE,sBAAsB,CAAC;AACtE,IAAI;AACJ,IAAI,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,IAAI,KAAK,EAAE,eAAe,EAAE;AAC/D,QAAQ,MAAM,EAAE,MAAM;AACtB,QAAQ,OAAO,EAAE;AACjB,YAAY,cAAc,EAAE;AAC5B,SAAS;AACT,QAAQ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc;AAC3C,KAAK,CAAC;AACN,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;AACtB,QAAQ,MAAM,MAAM,kBAAkB,CAAC,QAAQ,CAAC;AAChD,IAAI;AACJ,IAAI,OAAO,gCAAgC,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AACxE;;;;","x_google_ignoreList":[0]}