@aws/nx-plugin 0.46.0 → 0.48.0

package/src/utils/identity-constructs/files/terraform/core/user-identity/add-callback-url/add-callback-url.tf.template

@@ -0,0 +1,123 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Variables
+variable "callback_url" {
+  description = "Callback URL to add (e.g., https://d123456789.cloudfront.net)"
+  type        = string
+}
+
+# Read runtime config to get user pool client details
+module "runtime_config_reader" {
+  source = "../../runtime-config/read"
+}
+
+# Extract cognito details from runtime config
+locals {
+  cognito_props = try(module.runtime_config_reader.config.cognitoProps, null)
+
+  user_pool_id        = local.cognito_props != null ? local.cognito_props.userPoolId : null
+  user_pool_client_id = local.cognito_props != null ? local.cognito_props.userPoolWebClientId : null
+}
+
+# Validation: Ensure cognito props exist in runtime config
+resource "terraform_data" "validate_cognito_props" {
+  lifecycle {
+    precondition {
+      condition     = local.cognito_props != null
+      error_message = "ERROR: cognitoProps not found in runtime config. Ensure user-identity module has been deployed first and has added cognitoProps to the runtime configuration."
+    }
+
+    precondition {
+      condition     = local.user_pool_id != null && local.user_pool_id != ""
+      error_message = "ERROR: cognitoProps.userPoolId is missing or empty in runtime config. Check that user-identity module completed successfully."
+    }
+
+    precondition {
+      condition     = local.user_pool_client_id != null && local.user_pool_client_id != ""
+      error_message = "ERROR: cognitoProps.userPoolWebClientId is missing or empty in runtime config. Check that user-identity module completed successfully."
+    }
+  }
+}
+
+
+# Update the user pool client with additional callback URL
+resource "null_resource" "add_callback_url" {
+  triggers = {
+    callback_url        = var.callback_url
+    user_pool_id        = local.user_pool_id
+    user_pool_client_id = local.user_pool_client_id
+  }
+
+  provisioner "local-exec" {
+    command = <<-EOT
+      uv run --with boto3 python -c "
+import boto3
+import sys
+
+# Configuration
+user_pool_id = '${local.user_pool_id}'
+client_id = '${local.user_pool_client_id}'
+new_callback_url = '${var.callback_url}'
+
+# Initialize Cognito client
+cognito = boto3.client('cognito-idp')
+
+try:
+    # Get current user pool client configuration
+    response = cognito.describe_user_pool_client(
+        UserPoolId=user_pool_id,
+        ClientId=client_id
+    )
+
+    client_config = response['UserPoolClient']
+    current_callback_urls = client_config.get('CallbackURLs', [])
+    current_logout_urls = client_config.get('LogoutURLs', [])
+
+    # Check if URL already exists
+    if new_callback_url in current_callback_urls:
+        print(f'Callback URL {new_callback_url} already exists')
+    else:
+        # Add new URL to both callback and logout URLs
+        updated_callback_urls = current_callback_urls + [new_callback_url]
+        updated_logout_urls = current_logout_urls + [new_callback_url]
+
+        # Update the user pool client
+        # Only include valid update parameters (exclude read-only fields and ones we're setting)
+        valid_update_params = [
+            'ClientName', 'RefreshTokenValidity', 'AccessTokenValidity', 'IdTokenValidity',
+            'TokenValidityUnits', 'ReadAttributes', 'WriteAttributes', 'ExplicitAuthFlows',
+            'SupportedIdentityProviders', 'DefaultRedirectURI', 'AllowedOAuthFlows',
+            'AllowedOAuthScopes', 'AllowedOAuthFlowsUserPoolClient', 'AnalyticsConfiguration',
+            'PreventUserExistenceErrors', 'EnableTokenRevocation',
+            'EnablePropagateAdditionalUserContextData', 'AuthSessionValidity', 'RefreshTokenRotation'
+        ]
+
+        update_config = {k: v for k, v in client_config.items() if k in valid_update_params}
+
+        cognito.update_user_pool_client(
+            UserPoolId=user_pool_id,
+            ClientId=client_id,
+            CallbackURLs=updated_callback_urls,
+            LogoutURLs=updated_logout_urls,
+            **update_config
+        )
+
+        print(f'Successfully added callback URL: {new_callback_url}')
+
+except Exception as e:
+    print(f'Error updating callback URLs: {e}')
+    sys.exit(1)
+"
+    EOT
+  }
+
+  depends_on = [terraform_data.validate_cognito_props]
+}
+

package/src/utils/identity-constructs/files/terraform/core/user-identity/identity/identity.tf.template

@@ -0,0 +1,421 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.1"
+    }
+  }
+}
+
+# Variables
+variable "user_pool_domain_prefix" {
+  description = "Prefix for the Cognito User Pool domain"
+  type        = string
+}
+
+variable "allow_signup" {
+  description = "Set to true to allow users to sign themselves up"
+  type        = bool
+}
+
+variable "callback_urls" {
+  description = "Additional callback URLs for the user pool client"
+  type        = list(string)
+  default     = []
+}
+
+variable "logout_urls" {
+  description = "Additional logout URLs for the user pool client"
+  type        = list(string)
+  default     = []
+}
+
+# Data sources
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+# Random suffix for resource names
+resource "random_id" "unique_suffix" {
+  byte_length = 4
+}
+
+# Generate a random external ID for SMS role security
+resource "random_uuid" "sms_external_id" {}
+
+# IAM role for SMS MFA
+resource "aws_iam_role" "cognito_sms_role" {
+  name = "cognito-sms-role-${random_id.unique_suffix.hex}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "cognito-idp.amazonaws.com"
+        }
+        Condition = {
+          StringEquals = {
+            "sts:ExternalId" = random_uuid.sms_external_id.result
+            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
+          }
+          ArnLike = {
+            "aws:SourceArn" = "arn:aws:cognito-idp:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:userpool/*"
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "cognito_sms_policy" {
+  # checkov:skip=CKV_AWS_290:Cognito SMS requires sns:Publish with wildcard resource
+  # checkov:skip=CKV_AWS_355:Cognito SMS requires sns:Publish with wildcard resource
+  name = "cognito-sms-policy-${random_id.unique_suffix.hex}"
+  role = aws_iam_role.cognito_sms_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "sns:Publish"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+# Cognito User Pool
+resource "aws_cognito_user_pool" "user_pool" {
+  name                = "UserPool-${random_id.unique_suffix.hex}"
+  deletion_protection = "ACTIVE"
+
+  admin_create_user_config {
+    allow_admin_create_user_only = !var.allow_signup
+  }
+
+  # Password policy
+  password_policy {
+    minimum_length                   = 8
+    require_lowercase                = true
+    require_uppercase                = true
+    require_numbers                  = true
+    require_symbols                  = true
+    temporary_password_validity_days = 3
+  }
+
+  # MFA configuration
+  mfa_configuration = "ON"
+
+  # Software token MFA configuration
+  software_token_mfa_configuration {
+    enabled = true
+  }
+
+  # SMS MFA configuration
+  sms_configuration {
+    external_id    = random_uuid.sms_external_id.result
+    sns_caller_arn = aws_iam_role.cognito_sms_role.arn
+    sns_region     = data.aws_region.current.name
+  }
+
+  depends_on = [aws_iam_role_policy.cognito_sms_policy]
+
+  # Sign-in configuration
+  username_configuration {
+    case_sensitive = false
+  }
+
+  alias_attributes = ["email"]
+
+  # Account recovery
+  account_recovery_setting {
+    recovery_mechanism {
+      name     = "verified_email"
+      priority = 1
+    }
+  }
+
+  # Auto verification
+  auto_verified_attributes = ["email", "phone_number"]
+
+  # User pool add-ons (equivalent to FeaturePlan.ESSENTIALS)
+  user_pool_add_ons {
+    advanced_security_mode = "ENFORCED"
+  }
+
+  # Schema attributes
+  schema {
+    attribute_data_type = "String"
+    name                = "email"
+    required            = true
+    mutable             = true
+
+    string_attribute_constraints {
+      min_length = 1
+      max_length = 256
+    }
+  }
+
+  schema {
+    attribute_data_type = "String"
+    name                = "given_name"
+    required            = true
+    mutable             = true
+
+    string_attribute_constraints {
+      min_length = 1
+      max_length = 256
+    }
+  }
+
+  schema {
+    attribute_data_type = "String"
+    name                = "family_name"
+    required            = true
+    mutable             = true
+
+    string_attribute_constraints {
+      min_length = 1
+      max_length = 256
+    }
+  }
+
+  schema {
+    attribute_data_type = "String"
+    name                = "phone_number"
+    required            = false
+    mutable             = true
+
+    string_attribute_constraints {
+      min_length = 1
+      max_length = 256
+    }
+  }
+
+  # User attribute update settings - require verification before update
+  user_attribute_update_settings {
+    attributes_require_verification_before_update = ["email", "phone_number"]
+  }
+
+  # Verification message templates
+  verification_message_template {
+    default_email_option = "CONFIRM_WITH_CODE"
+    email_message         = "The verification code to your new account is {####}"
+    email_subject         = "Verify your new account"
+    sms_message          = "The verification code to your new account is {####}"
+  }
+
+  tags = {
+    Name = "UserPool-${random_id.unique_suffix.hex}"
+  }
+}
+
+# User Pool Domain - temporarily commented out to resolve domain conflicts
+# Will be re-enabled after User Pool Client OAuth configuration is fixed
+resource "aws_cognito_user_pool_domain" "user_pool_domain" {
+  domain                   = "${var.user_pool_domain_prefix}-${data.aws_caller_identity.current.account_id}-${random_id.unique_suffix.hex}"
+  user_pool_id            = aws_cognito_user_pool.user_pool.id
+  managed_login_version   = 2
+}
+
+# User Pool Client
+resource "aws_cognito_user_pool_client" "web_client" {
+  name         = "WebClient-${random_id.unique_suffix.hex}"
+  user_pool_id = aws_cognito_user_pool.user_pool.id
+
+  # Auth flows - match CDK implementation (order matches CloudFormation)
+  explicit_auth_flows = [
+    "ALLOW_REFRESH_TOKEN_AUTH",
+    "ALLOW_USER_AUTH",
+    "ALLOW_USER_PASSWORD_AUTH",
+    "ALLOW_USER_SRP_AUTH"
+  ]
+
+  # Supported identity providers
+  supported_identity_providers = ["COGNITO"]
+
+  # OAuth configuration - MUST be set before callback/logout URLs
+  allowed_oauth_flows_user_pool_client = true
+  allowed_oauth_flows = ["code"]
+  allowed_oauth_scopes = ["email", "openid", "profile"]
+
+  # OAuth-dependent URLs - set after OAuth configuration
+  callback_urls = concat([
+    "http://localhost:4200",
+    "http://localhost:4300",
+    "https://${data.aws_region.current.name}.console.aws.amazon.com"
+  ], var.callback_urls)
+
+  logout_urls = concat([
+    "http://localhost:4200",
+    "http://localhost:4300",
+    "https://${data.aws_region.current.name}.console.aws.amazon.com"
+  ], var.logout_urls)
+
+  # Security settings
+  prevent_user_existence_errors = "ENABLED"
+  enable_token_revocation = true
+  enable_propagate_additional_user_context_data = false
+
+  # Token validity - ONLY refresh token to match CloudFormation exactly
+  refresh_token_validity = 30
+
+  # Auth session validity
+  auth_session_validity = 3
+
+}
+
+# Identity Pool
+resource "aws_cognito_identity_pool" "identity_pool" {
+  identity_pool_name               = "IdentityPool-${random_id.unique_suffix.hex}"
+  allow_unauthenticated_identities = false
+
+  cognito_identity_providers {
+    client_id               = aws_cognito_user_pool_client.web_client.id
+    provider_name           = aws_cognito_user_pool.user_pool.endpoint
+    server_side_token_check = true
+  }
+
+  tags = {
+    Name = "IdentityPool-${random_id.unique_suffix.hex}"
+  }
+}
+
+# IAM roles for identity pool
+resource "aws_iam_role" "authenticated_role" {
+  name = "cognito-authenticated-role-${random_id.unique_suffix.hex}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = "cognito-identity.amazonaws.com"
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.identity_pool.id
+          }
+          "ForAnyValue:StringLike" = {
+            "cognito-identity.amazonaws.com:amr" = "authenticated"
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role" "unauthenticated_role" {
+  name = "cognito-unauthenticated-role-${random_id.unique_suffix.hex}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = "cognito-identity.amazonaws.com"
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.identity_pool.id
+          }
+          "ForAnyValue:StringLike" = {
+            "cognito-identity.amazonaws.com:amr" = "unauthenticated"
+          }
+        }
+      }
+    ]
+  })
+}
+
+# Attach roles to identity pool
+resource "aws_cognito_identity_pool_roles_attachment" "identity_pool_roles" {
+  identity_pool_id = aws_cognito_identity_pool.identity_pool.id
+
+  roles = {
+    "authenticated"   = aws_iam_role.authenticated_role.arn
+    "unauthenticated" = aws_iam_role.unauthenticated_role.arn
+  }
+}
+
+# Managed Login Branding - temporarily commented out to resolve state conflicts
+# Will be re-enabled after User Pool Client OAuth configuration is fixed
+resource "aws_cognito_managed_login_branding" "managed_login_branding" {
+  user_pool_id                = aws_cognito_user_pool.user_pool.id
+  client_id                   = aws_cognito_user_pool_client.web_client.id
+  use_cognito_provided_values = true
+
+  depends_on = [
+    aws_cognito_user_pool.user_pool,
+    aws_cognito_user_pool_client.web_client,
+    aws_cognito_user_pool_domain.user_pool_domain  # commented out with domain
+  ]
+
+}
+
+# Always add cognito props to runtime config
+module "add_cognito_to_runtime_config" {
+  source = "../../runtime-config/entry"
+
+  key_path = "cognitoProps"
+  value = {
+    region              = data.aws_region.current.name
+    identityPoolId      = aws_cognito_identity_pool.identity_pool.id
+    userPoolId          = aws_cognito_user_pool.user_pool.id
+    userPoolWebClientId = aws_cognito_user_pool_client.web_client.id
+  }
+}
+
+# Outputs
+output "region" {
+  description = "AWS region"
+  value       = data.aws_region.current.name
+}
+
+output "user_pool_id" {
+  description = "ID of the Cognito User Pool"
+  value       = aws_cognito_user_pool.user_pool.id
+}
+
+output "user_pool_arn" {
+  description = "ARN of the Cognito User Pool"
+  value       = aws_cognito_user_pool.user_pool.arn
+}
+
+output "user_pool_client_id" {
+  description = "ID of the Cognito User Pool Client"
+  value       = aws_cognito_user_pool_client.web_client.id
+}
+
+output "identity_pool_id" {
+  description = "ID of the Cognito Identity Pool"
+  value       = aws_cognito_identity_pool.identity_pool.id
+}
+
+output "authenticated_role_name" {
+  description = "Name of the authenticated IAM role"
+  value       = aws_iam_role.authenticated_role.name
+}
+
+output "authenticated_role_arn" {
+  description = "ARN of the authenticated IAM role"
+  value       = aws_iam_role.authenticated_role.arn
+}
+
+output "user_pool_domain" {
+  description = "Domain of the Cognito User Pool"
+  value       = aws_cognito_user_pool_domain.user_pool_domain.domain
+}

package/src/utils/identity-constructs/files/terraform/core/user-identity/main.tf.template

@@ -0,0 +1,47 @@
+module "identity" {
+  source = "./identity"
+
+  user_pool_domain_prefix = "<%= cognitoDomain %>"
+  allow_signup = <%= allowSignup %>
+}
+
+# Outputs
+output "region" {
+  description = "AWS region"
+  value       = module.identity.region
+}
+
+output "user_pool_id" {
+  description = "ID of the Cognito User Pool"
+  value       = module.identity.user_pool_id
+}
+
+output "user_pool_arn" {
+  description = "ARN of the Cognito User Pool"
+  value       = module.identity.user_pool_arn
+}
+
+output "user_pool_client_id" {
+  description = "ID of the Cognito User Pool Client"
+  value       = module.identity.user_pool_client_id
+}
+
+output "identity_pool_id" {
+  description = "ID of the Cognito Identity Pool"
+  value       = module.identity.identity_pool_id
+}
+
+output "authenticated_role_name" {
+  description = "Name of the authenticated IAM role"
+  value       = module.identity.authenticated_role_name
+}
+
+output "authenticated_role_arn" {
+  description = "ARN of the authenticated IAM role"
+  value       = module.identity.authenticated_role_arn
+}
+
+output "user_pool_domain" {
+  description = "Domain of the Cognito User Pool"
+  value       = module.identity.user_pool_domain
+}

package/src/utils/identity-constructs/identity-constructs.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { Tree } from '@nx/devkit';
+import { IacProvider } from '../iac';
+export interface AddIdentityInfraOptions {
+    cognitoDomain: string;
+    allowSignup: boolean;
+}
+/**
+ * Add infrastructure for a static website
+ */
+export declare const addIdentityInfra: (tree: Tree, options: AddIdentityInfraOptions & {
+    iacProvider: IacProvider;
+}) => void;

package/src/utils/identity-constructs/identity-constructs.js

@@ -0,0 +1,84 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.addIdentityInfra = void 0;
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+const devkit_1 = require("@nx/devkit");
+const shared_constructs_constants_1 = require("../shared-constructs-constants");
+const ast_1 = require("../ast");
+/**
+ * Add infrastructure for a static website
+ */
+const addIdentityInfra = (tree, options) => {
+    if (options.iacProvider === 'CDK') {
+        addIdentityCdkConstructs(tree, options);
+    }
+    else if (options.iacProvider === 'Terraform') {
+        addIdentityTerraformModules(tree, options);
+    }
+    else {
+        throw new Error(`Unsupported iacProvider ${options.iacProvider}`);
+    }
+};
+exports.addIdentityInfra = addIdentityInfra;
+const addIdentityCdkConstructs = (tree, options) => {
+    (0, devkit_1.generateFiles)(tree, (0, devkit_1.joinPathFragments)(__dirname, 'files', 'cdk', 'core'), (0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, shared_constructs_constants_1.SHARED_CONSTRUCTS_DIR, 'src', 'core'), options, {
+        overwriteStrategy: devkit_1.OverwriteStrategy.KeepExisting,
+    });
+    (0, ast_1.addStarExport)(tree, (0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, shared_constructs_constants_1.SHARED_CONSTRUCTS_DIR, 'src', 'core', 'index.ts'), './user-identity.js');
+};
+const addIdentityTerraformModules = (tree, options) => {
+    (0, devkit_1.generateFiles)(tree, (0, devkit_1.joinPathFragments)(__dirname, 'files', 'terraform', 'core'), (0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, shared_constructs_constants_1.SHARED_TERRAFORM_DIR, 'src', 'core'), options, {
+        overwriteStrategy: devkit_1.OverwriteStrategy.KeepExisting,
+    });
+    // Update the static website module to add the callback url
+    const staticWebsiteModule = tree.read((0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, shared_constructs_constants_1.SHARED_TERRAFORM_DIR, 'src', 'core', 'static-website', 'static-website.tf'), 'utf-8');
+    if (staticWebsiteModule &&
+        !staticWebsiteModule.includes('source = "../user-identity/add-callback-url"')) {
+        // Find the aws_cloudfront_distribution.website resource and add the callback URL module after it
+        const callbackUrlModule = `
+
+# Add CloudFront domain to user pool client callback URLs
+module "add_callback_url" {
+  source = "../user-identity/add-callback-url"
+
+  callback_url = "https://\${aws_cloudfront_distribution.website.domain_name}"
+
+  depends_on = [aws_cloudfront_distribution.website]
+}`;
+        // Find the CloudFront distribution resource using proper brace counting
+        // This handles deeply nested structures correctly
+        const resourceStartPattern = /resource\s+"aws_cloudfront_distribution"\s+"website"\s*\{/;
+        const resourceStartMatch = staticWebsiteModule.match(resourceStartPattern);
+        if (resourceStartMatch) {
+            const startIndex = resourceStartMatch.index + resourceStartMatch[0].length - 1; // Position at opening brace
+            let braceCount = 0;
+            let insertionPoint = -1;
+            // Count braces to find the end of the resource block
+            for (let i = startIndex; i < staticWebsiteModule.length; i++) {
+                const char = staticWebsiteModule[i];
+                if (char === '{') {
+                    braceCount++;
+                }
+                else if (char === '}') {
+                    braceCount--;
+                    if (braceCount === 0) {
+                        // Found the closing brace of the CloudFront resource
+                        insertionPoint = i + 1;
+                        break;
+                    }
+                }
+            }
+            if (insertionPoint !== -1) {
+                // Insert the callback URL module right after the CloudFront distribution
+                const beforeInsertion = staticWebsiteModule.substring(0, insertionPoint);
+                const afterInsertion = staticWebsiteModule.substring(insertionPoint);
+                const updatedContent = beforeInsertion + callbackUrlModule + afterInsertion;
+                tree.write((0, devkit_1.joinPathFragments)(shared_constructs_constants_1.PACKAGES_DIR, shared_constructs_constants_1.SHARED_TERRAFORM_DIR, 'src', 'core', 'static-website', 'static-website.tf'), updatedContent);
+            }
+        }
+    }
+};
+//# sourceMappingURL=identity-constructs.js.map

package/src/utils/identity-constructs/identity-constructs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-constructs.js","sourceRoot":"","sources":["../../../../../../packages/nx-plugin/src/utils/identity-constructs/identity-constructs.ts"],"names":[],"mappings":";;;AAAA;;;GAGG;AACH,uCAKoB;AACpB,gFAIwC;AACxC,gCAAuC;AAQvC;;GAEG;AACI,MAAM,gBAAgB,GAAG,CAC9B,IAAU,EACV,OAA+D,EAC/D,EAAE;IACF,IAAI,OAAO,CAAC,WAAW,KAAK,KAAK,EAAE,CAAC;QAClC,wBAAwB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC;SAAM,IAAI,OAAO,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;QAC/C,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC7C,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,2BAA2B,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IACpE,CAAC;AACH,CAAC,CAAC;AAXW,QAAA,gBAAgB,oBAW3B;AAEF,MAAM,wBAAwB,GAAG,CAC/B,IAAU,EACV,OAAgC,EAChC,EAAE;IACF,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EAAC,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,EACpD,IAAA,0BAAiB,EAAC,0CAAY,EAAE,mDAAqB,EAAE,KAAK,EAAE,MAAM,CAAC,EACrE,OAAO,EACP;QACE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY;KAClD,CACF,CAAC;IAEF,IAAA,mBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EACf,0CAAY,EACZ,mDAAqB,EACrB,KAAK,EACL,MAAM,EACN,UAAU,CACX,EACD,oBAAoB,CACrB,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,2BAA2B,GAAG,CAClC,IAAU,EACV,OAAgC,EAChC,EAAE;IACF,IAAA,sBAAa,EACX,IAAI,EACJ,IAAA,0BAAiB,EAAC,SAAS,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,CAAC,EAC1D,IAAA,0BAAiB,EAAC,0CAAY,EAAE,kDAAoB,EAAE,KAAK,EAAE,MAAM,CAAC,EACpE,OAAO,EACP;QACE,iBAAiB,EAAE,0BAAiB,CAAC,YAAY;KAClD,CACF,CAAC;IAEF,2DAA2D;IAC3D,MAAM,mBAAmB,GAAG,IAAI,CAAC,IAAI,CACnC,IAAA,0BAAiB,EACf,0CAAY,EACZ,kDAAoB,EACpB,KAAK,EACL,MAAM,EACN,gBAAgB,EAChB,mBAAmB,CACpB,EACD,OAAO,CACR,CAAC;IACF,IACE,mBAAmB;QACnB,CAAC,mBAAmB,CAAC,QAAQ,CAC3B,8CAA8C,CAC/C,EACD,CAAC;QACD,iGAAiG;QACjG,MAAM,iBAAiB,GAAG;;;;;;;;;EAS5B,CAAC;QAEC,wEAAwE;QACxE,kDAAkD;QAClD,MAAM,oBAAoB,GACxB,2DAA2D,CAAC;QAC9D,MAAM,kBAAkB,GAAG,mBAAmB,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;QAE3E,IAAI,kBAAkB,EAAE,CAAC;YACvB,MAAM,UAAU,GACd,kBAAkB,CAAC,KAAM,GAAG,kBAAkB,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,4BAA4B;YAC5F,IAAI,UAAU,GAAG,CAAC,CAAC;YACnB,IAAI,cAAc,GAAG,CAAC,CAAC,CAAC;YAExB,qDAAqD;YACrD,KAAK,IAAI,CAAC,GAAG,UAAU,EAAE,CAAC,GAAG,mBAAmB,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC7D,MAAM,IAAI,GAAG,mBAAmB,CAAC,CAAC,CAAC,CAAC;gBACpC,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;oBACjB,UAAU,EAAE,CAAC;gBACf,CAAC;qBAAM,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;oBACxB,UAAU,EAAE,CAAC;oBACb,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;wBACrB,qDAAqD;wBACrD,cAAc,GAAG,CAAC,GAAG,CAAC,CAAC;wBACvB,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YAED,IAAI,cAAc,KAAK,CAAC,CAAC,EAAE,CAAC;gBAC1B,yEAAyE;gBACzE,MAAM,eAAe,GAAG,mBAAmB,CAAC,SAAS,CACnD,CAAC,EACD,cAAc,CACf,CAAC;gBACF,MAAM,cAAc,GAAG,mBAAmB,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;gBACrE,MAAM,cAAc,GAClB,eAAe,GAAG,iBAAiB,GAAG,cAAc,CAAC;gBAEvD,IAAI,CAAC,KAAK,CACR,IAAA,0BAAiB,EACf,0CAAY,EACZ,kDAAoB,EACpB,KAAK,EACL,MAAM,EACN,gBAAgB,EAChB,mBAAmB,CACpB,EACD,cAAc,CACf,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC,CAAC"}