@blimu/nestjs 0.1.0

package/README.md

@@ -0,0 +1,543 @@
+# @blimu/nestjs-blimu
+
+NestJS integration library for Blimu authorization and entitlement system. This library provides decorators, guards, and services to easily integrate Blimu's authorization-as-a-service into your NestJS applications.
+
+## Features
+
+- 🔐 **Entitlement-based authorization** - Protect routes with fine-grained entitlement checks
+- 🛡️ **Declarative guards** - Use decorators to protect endpoints
+- 🔧 **Injectable services** - Access Blimu Runtime SDK from your services
+- ⚙️ **Configurable module** - Easy setup with sync/async configuration
+- 🎯 **TypeScript support** - Full type safety and IntelliSense
+- 🚀 **Zero dependencies** - Only peer dependencies on NestJS core
+
+## Installation
+
+```bash
+npm install @blimu/nestjs-blimu @blimu/runtime-sdk
+# or
+yarn add @blimu/nestjs-blimu @blimu/runtime-sdk
+# or
+pnpm add @blimu/nestjs-blimu @blimu/runtime-sdk
+```
+
+**Note:** `@blimu/runtime-sdk` is a peer dependency and must be installed alongside this library.
+
+## Quick Start
+
+### 1. Configure the Module
+
+#### Option A: Static Configuration
+
+```typescript
+import { Module } from '@nestjs/common';
+import { BlimuModule } from '@blimu/nestjs-blimu';
+
+@Module({
+  imports: [
+    BlimuModule.forRoot({
+      apiSecretKey: 'your-blimu-api-secret-key',
+      baseURL: 'https://runtime.blimu.com', // optional
+      environmentId: 'your-environment-id', // optional
+      timeoutMs: 30000, // optional
+      getUserId: (req) => req.user?.id, // Extract user ID from request
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+#### Option B: Async Configuration (Recommended)
+
+```typescript
+import { Module } from '@nestjs/common';
+import { ConfigModule, ConfigService } from '@nestjs/config';
+import { BlimuModule } from '@blimu/nestjs-blimu';
+
+@Module({
+  imports: [
+    ConfigModule.forRoot(),
+    BlimuModule.forRootAsync({
+      useFactory: (configService: ConfigService) => ({
+        apiSecretKey: configService.get('BLIMU_API_SECRET_KEY'),
+        baseURL: configService.get('BLIMU_BASE_URL'),
+        environmentId: configService.get('BLIMU_ENVIRONMENT_ID'),
+        timeoutMs: parseInt(configService.get('BLIMU_TIMEOUT_MS', '30000')),
+        getUserId: (req) => req.user?.id, // Extract user ID from request
+      }),
+      inject: [ConfigService],
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+### 2. Protect Routes with Entitlements
+
+```typescript
+import { Controller, Get, Param } from '@nestjs/common';
+import { Entitlement } from '@blimu/nestjs-blimu';
+
+@Controller('workspaces')
+export class WorkspaceController {
+  @Get(':workspaceId')
+  @Entitlement('workspace:read', (req) => req.params.workspaceId)
+  async getWorkspace(@Param('workspaceId') workspaceId: string) {
+    // User is guaranteed to have 'workspace:read' entitlement on this workspace
+    return { id: workspaceId, name: 'My Workspace' };
+  }
+
+  @Delete(':workspaceId')
+  @Entitlement('workspace:delete', (req) => req.params.workspaceId)
+  async deleteWorkspace(@Param('workspaceId') workspaceId: string) {
+    // User is guaranteed to have 'workspace:delete' entitlement on this workspace
+    return { success: true };
+  }
+}
+```
+
+### 3. Use Blimu Runtime SDK in Services
+
+```typescript
+import { Injectable } from '@nestjs/common';
+import { BlimuRuntimeService } from '@blimu/nestjs-blimu';
+
+@Injectable()
+export class UserService {
+  constructor(private readonly blimuRuntime: BlimuRuntimeService) {}
+
+  async assignUserToWorkspace(userId: string, workspaceId: string, role: string) {
+    // Assign a role to a user on a workspace
+    return await this.blimuRuntime.assignRole(userId, role, 'workspace', workspaceId);
+  }
+
+  async checkUserPermission(userId: string, entitlement: string, resourceId: string) {
+    // Check if user has specific entitlement
+    const result = await this.blimuRuntime.checkEntitlement(userId, entitlement, resourceId);
+
+    return result.allowed;
+  }
+
+  async createWorkspaces(workspaces: Array<{ id: string; extraFields?: Record<string, unknown> }>) {
+    // Create workspace resources in bulk
+    return await this.blimuRuntime.bulkCreateWorkspaces(workspaces);
+  }
+
+  async deleteWorkspace(workspaceId: string) {
+    // Delete a workspace resource
+    return await this.blimuRuntime.deleteWorkspace(workspaceId);
+  }
+}
+```
+
+## API Reference
+
+### BlimuModule
+
+The main module that provides Blimu integration.
+
+#### `BlimuModule.forRoot(config: BlimuConfig)`
+
+Configure the module with static configuration.
+
+#### `BlimuModule.forRootAsync(options)`
+
+Configure the module with async configuration.
+
+**Options:**
+
+- `useFactory: (...args) => BlimuConfig | Promise<BlimuConfig>` - Factory function to create config
+- `inject?: Array<InjectionToken>` - Dependencies to inject into factory
+- `imports?: Array<Module>` - Modules to import
+
+### @Entitlement Decorator
+
+Protects routes with entitlement checks.
+
+```typescript
+@Entitlement(entitlementKey, resourceIdExtractor)
+```
+
+**Parameters:**
+
+- `entitlementKey: string` - The entitlement to check (e.g., 'workspace:read')
+- `resourceIdExtractor: (req) => string | Promise<string>` - Function to extract resource ID from request
+
+**Examples:**
+
+```typescript
+// Simple path parameter
+@Entitlement('workspace:read', (req) => req.params.workspaceId)
+
+// Complex extraction
+@Entitlement('organization:create_workspace', (req) => {
+  return req.params.organizationId;
+})
+
+// Async extraction (e.g., from database)
+@Entitlement('workspace:delete_item', async (req) => {
+  const item = await itemService.findById(req.params.itemId);
+  return item.workspaceId;
+})
+```
+
+### BlimuRuntimeService
+
+Injectable service that provides access to Blimu Runtime SDK.
+
+#### Methods
+
+- `getClient(): BlimuRuntime` - Get the configured Blimu Runtime client
+- `checkEntitlement(userId, entitlement, resourceId)` - Check user entitlements
+- `assignRole(userId, role, resourceType, resourceId)` - Assign role to user
+- `removeRole(userId, resourceType, resourceId)` - Remove role from user
+- `bulkCreateWorkspaces(resources)` - Create workspace resources in bulk
+- `deleteWorkspace(resourceId)` - Delete workspace resource
+- `bulkCreateEnvironments(resources)` - Create environment resources in bulk
+- `deleteEnvironment(resourceId)` - Delete environment resource
+
+### Configuration
+
+#### BlimuConfig Interface
+
+```typescript
+interface BlimuConfig<TRequest extends Request = Request> {
+  apiSecretKey: string; // Required: Your Blimu API secret key
+  baseURL?: string; // Optional: Blimu Runtime API URL (default: https://runtime.blimu.com)
+  environmentId?: string; // Optional: Environment ID for future use
+  timeoutMs?: number; // Optional: Request timeout (default: 30000)
+  getUserId: (request: TRequest) => string | Promise<string>; // Required: Function to extract user ID from request
+}
+```
+
+### Types
+
+The library provides several pre-built request interfaces, but you can also define your own:
+
+#### Custom Request Types
+
+You can define your own request interface:
+
+```typescript
+interface MyCustomRequest extends Request {
+  user: {
+    id: string;
+    email: string;
+    roles: string[];
+    organizationId: string;
+  };
+  session: {
+    id: string;
+    expiresAt: Date;
+  };
+}
+```
+
+## Advanced Usage
+
+### Using Custom Request Types
+
+The Blimu module supports generic request types for better type safety. This allows you to define your own request interface and get full TypeScript support throughout the library.
+
+#### Basic Usage with Custom Request Type
+
+```typescript
+import { Request } from 'express';
+import { BlimuModule, Entitlement } from '@blimu/nestjs-blimu';
+
+// Define your custom request interface
+interface MyAuthenticatedRequest extends Request {
+  user: {
+    id: string;
+    email: string;
+    organizationId: string;
+    roles: string[];
+  };
+  sessionId: string;
+}
+
+// Configure the module with your custom type
+@Module({
+  imports: [
+    BlimuModule.forRoot<MyAuthenticatedRequest>({
+      apiSecretKey: 'your-api-secret-key',
+      getUserId: (req) => req.user.id, // req is typed as MyAuthenticatedRequest
+    }),
+  ],
+})
+export class AppModule {}
+
+// Use in controllers with full type safety
+@Controller('workspaces')
+export class WorkspaceController {
+  @Get(':workspaceId')
+  @Entitlement<MyAuthenticatedRequest>('workspace:read', (req) => {
+    // req is properly typed, so you get IntelliSense and type checking
+    console.log(req.user.organizationId); // TypeScript knows this exists
+    console.log(req.sessionId); // This too!
+    return req.params.workspaceId;
+  })
+  async getWorkspace(@Param('workspaceId') workspaceId: string) {
+    return { id: workspaceId, name: 'My Workspace' };
+  }
+}
+```
+
+#### Using Pre-built Request Types
+
+The library provides several pre-built request interfaces:
+
+```typescript
+import {
+  BlimuModule,
+  AuthenticatedRequest,
+  StrictAuthenticatedRequest,
+  Entitlement,
+} from '@blimu/nestjs-blimu';
+
+// Using AuthenticatedRequest (user is optional)
+BlimuModule.forRoot<AuthenticatedRequest>({
+  apiSecretKey: 'your-key',
+  getUserId: (req) => req.user?.id || '', // Need optional chaining
+});
+
+// Using StrictAuthenticatedRequest (user is always present)
+BlimuModule.forRoot<StrictAuthenticatedRequest>({
+  apiSecretKey: 'your-key',
+  getUserId: (req) => req.user.id, // No optional chaining needed
+});
+```
+
+#### Async Configuration with Custom Types
+
+```typescript
+interface MyRequest extends Request {
+  user: { id: string; tenantId: string };
+}
+
+@Module({
+  imports: [
+    BlimuModule.forRootAsync<MyRequest>({
+      useFactory: (configService: ConfigService) => ({
+        apiSecretKey: configService.get('BLIMU_API_SECRET_KEY'),
+        getUserId: (req) => req.user.id, // Fully typed
+      }),
+      inject: [ConfigService],
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+### Configuring User ID Extraction
+
+The `getUserId` function is a critical part of the Blimu configuration that determines how user IDs are extracted from incoming requests. This function is called by the `@Entitlement` decorator to identify which user to check entitlements for.
+
+#### Common Patterns
+
+**Passport.js Integration:**
+
+```typescript
+BlimuModule.forRoot({
+  // ... other config
+  getUserId: (req) => {
+    if (!req.user?.id) {
+      throw new Error('User not authenticated');
+    }
+    return req.user.id;
+  },
+});
+```
+
+**JWT Token Extraction:**
+
+```typescript
+import * as jwt from 'jsonwebtoken';
+
+BlimuModule.forRoot({
+  // ... other config
+  getUserId: (req) => {
+    const token = req.headers.authorization?.replace('Bearer ', '');
+    if (!token) {
+      throw new Error('No authorization token provided');
+    }
+
+    const decoded = jwt.verify(token, process.env.JWT_SECRET) as any;
+    return decoded.sub || decoded.userId;
+  },
+});
+```
+
+**Custom Header:**
+
+```typescript
+BlimuModule.forRoot({
+  // ... other config
+  getUserId: (req) => {
+    const userId = req.headers['x-user-id'] as string;
+    if (!userId) {
+      throw new Error('User ID header missing');
+    }
+    return userId;
+  },
+});
+```
+
+**Async Database Lookup:**
+
+```typescript
+BlimuModule.forRootAsync({
+  useFactory: (userService: UserService) => ({
+    // ... other config
+    getUserId: async (req) => {
+      const sessionId = req.headers['x-session-id'] as string;
+      const user = await userService.findBySessionId(sessionId);
+      if (!user) {
+        throw new Error('Invalid session');
+      }
+      return user.id;
+    },
+  }),
+  inject: [UserService],
+});
+```
+
+**API Key Authentication:**
+
+```typescript
+BlimuModule.forRoot({
+  // ... other config
+  getUserId: async (req) => {
+    const apiKey = req.headers['x-api-key'] as string;
+    if (!apiKey) {
+      throw new Error('API key required');
+    }
+
+    // Look up user by API key
+    const user = await apiKeyService.findUserByKey(apiKey);
+    if (!user) {
+      throw new Error('Invalid API key');
+    }
+
+    return user.id;
+  },
+});
+```
+
+#### Error Handling
+
+If the `getUserId` function throws an error or returns a falsy value, the entitlement check will fail with a `ForbiddenException`. Make sure to:
+
+1. **Validate authentication**: Check that the user is properly authenticated
+2. **Handle missing data**: Throw descriptive errors when required data is missing
+3. **Return consistent format**: Always return the user ID as a string
+4. **Consider async operations**: Use `async/await` if you need to perform database lookups
+
+### Custom Resource ID Extraction
+
+For complex scenarios where the resource ID isn't directly in the request parameters:
+
+```typescript
+@Controller('projects')
+export class ProjectController {
+  constructor(private readonly projectService: ProjectService) {}
+
+  @Delete(':projectId/items/:itemId')
+  @Entitlement('project:delete_item', async (req) => {
+    // Extract project ID from item
+    const item = await this.projectService.findItemById(req.params.itemId);
+    return item.projectId;
+  })
+  async deleteItem(@Param('itemId') itemId: string) {
+    // Implementation
+  }
+}
+```
+
+### Using Multiple Entitlements
+
+You can stack multiple entitlement decorators:
+
+```typescript
+@Get(':workspaceId/admin-panel')
+@Entitlement('workspace:admin', (req) => req.params.workspaceId)
+@Entitlement('feature:admin_panel', (req) => req.params.workspaceId)
+async getAdminPanel(@Param('workspaceId') workspaceId: string) {
+  // User needs both entitlements
+}
+```
+
+### Direct SDK Usage
+
+Access the full Blimu Runtime SDK for advanced operations:
+
+```typescript
+@Injectable()
+export class AdvancedService {
+  constructor(private readonly blimuRuntime: BlimuRuntimeService) {}
+
+  async complexOperation() {
+    const client = this.blimuRuntime.getClient();
+
+    // Use any SDK method
+    const users = await client.users.list({ resourceId: 'workspace123' });
+    const roles = await client.roles.list({ userId: 'user456' });
+
+    // Batch operations, etc.
+  }
+}
+```
+
+## Environment Variables
+
+For production deployments, use environment variables:
+
+```bash
+BLIMU_API_SECRET_KEY=your-secret-key
+BLIMU_BASE_URL=https://runtime.blimu.com
+BLIMU_ENVIRONMENT_ID=your-environment-id
+BLIMU_TIMEOUT_MS=30000
+```
+
+## Error Handling
+
+The library throws `ForbiddenException` when:
+
+- User is not authenticated
+- User doesn't have required entitlement
+- Resource ID cannot be extracted
+- Blimu API is unreachable
+
+```typescript
+import { ForbiddenException } from '@nestjs/common';
+
+// This is automatically handled by the @Entitlement decorator
+// But you can catch it in your exception filters if needed
+```
+
+## Migration from Platform-Specific Code
+
+If you're migrating from platform-specific entitlement code:
+
+### Before (Platform-specific)
+
+```typescript
+import { NestBlimuModule } from './entitlement/entitlement.module';
+import { Entitlement } from './entitlement/entitlement.decorator';
+```
+
+### After (Library)
+
+```typescript
+import { BlimuModule, Entitlement } from '@blimu/nestjs-blimu';
+```
+
+The API is identical, just import from the library instead.
+
+## Contributing
+
+This library is part of the Blimu ecosystem. For issues and contributions, please refer to the main Blimu repository.
+
+## License
+
+MIT License - see LICENSE file for details.

package/dist/config/blimu.config.d.ts

@@ -0,0 +1,10 @@
+import type { Request } from 'express';
+export interface BlimuConfig<TRequest extends Request = Request> {
+    apiSecretKey: string;
+    baseURL?: string;
+    environmentId?: string;
+    timeoutMs?: number;
+    getUserId: (request: TRequest) => string | Promise<string>;
+}
+export declare const BLIMU_CONFIG: unique symbol;
+//# sourceMappingURL=blimu.config.d.ts.map

package/dist/config/blimu.config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"blimu.config.d.ts","sourceRoot":"","sources":["../../src/config/blimu.config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAKvC,MAAM,WAAW,WAAW,CAAC,QAAQ,SAAS,OAAO,GAAG,OAAO;IAI7D,YAAY,EAAE,MAAM,CAAC;IAMrB,OAAO,CAAC,EAAE,MAAM,CAAC;IAMjB,aAAa,CAAC,EAAE,MAAM,CAAC;IAMvB,SAAS,CAAC,EAAE,MAAM,CAAC;IA2BnB,SAAS,EAAE,CAAC,OAAO,EAAE,QAAQ,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC5D;AAKD,eAAO,MAAM,YAAY,eAAyB,CAAC"}

package/dist/config/blimu.config.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BLIMU_CONFIG = void 0;
+exports.BLIMU_CONFIG = Symbol('BLIMU_CONFIG');
+//# sourceMappingURL=blimu.config.js.map

package/dist/config/blimu.config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"blimu.config.js","sourceRoot":"","sources":["../../src/config/blimu.config.ts"],"names":[],"mappings":";;;AA4Da,QAAA,YAAY,GAAG,MAAM,CAAC,cAAc,CAAC,CAAC"}

package/dist/decorators/entitlement.decorator.d.ts

@@ -0,0 +1,4 @@
+import { Request } from 'express';
+import { Schema } from '@blimu/runtime-sdk';
+export declare const Entitlement: <TRequest extends Request = Request>(entitlementKey: Schema.EntitlementType, resourceIdExtractor: (request: TRequest) => string | Promise<string>) => <TFunction extends Function, Y>(target: TFunction | object, propertyKey?: string | symbol, descriptor?: TypedPropertyDescriptor<Y>) => void;
+//# sourceMappingURL=entitlement.decorator.d.ts.map

package/dist/decorators/entitlement.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entitlement.decorator.d.ts","sourceRoot":"","sources":["../../src/decorators/entitlement.decorator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAMlC,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AA4E5C,eAAO,MAAM,WAAW,GAAI,QAAQ,SAAS,OAAO,GAAG,OAAO,EAC5D,gBAAgB,MAAM,CAAC,eAAe,EACtC,qBAAqB,CAAC,OAAO,EAAE,QAAQ,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,gJAMrE,CAAC"}

package/dist/decorators/entitlement.decorator.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Entitlement = void 0;
+const common_1 = require("@nestjs/common");
+const entitlement_guard_1 = require("../guards/entitlement.guard");
+const Entitlement = (entitlementKey, resourceIdExtractor) => {
+    return (0, common_1.applyDecorators)((0, entitlement_guard_1.SetEntitlementMetadata)(entitlementKey, resourceIdExtractor), (0, common_1.UseGuards)(entitlement_guard_1.EntitlementGuard));
+};
+exports.Entitlement = Entitlement;
+//# sourceMappingURL=entitlement.decorator.js.map

package/dist/decorators/entitlement.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entitlement.decorator.js","sourceRoot":"","sources":["../../src/decorators/entitlement.decorator.ts"],"names":[],"mappings":";;;AAAA,2CAA4D;AAE5D,mEAIqC;AA6E9B,MAAM,WAAW,GAAG,CACzB,cAAsC,EACtC,mBAAoE,EACpE,EAAE;IACF,OAAO,IAAA,wBAAe,EACpB,IAAA,0CAAsB,EAAW,cAAc,EAAE,mBAAmB,CAAC,EACrE,IAAA,kBAAS,EAAC,oCAAgB,CAAC,CAC5B,CAAC;AACJ,CAAC,CAAC;AARW,QAAA,WAAW,eAQtB"}

package/dist/guards/entitlement.guard.d.ts

@@ -0,0 +1,20 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { BlimuRuntime, Schema } from '@blimu/runtime-sdk';
+import type { BlimuConfig } from '../config/blimu.config';
+import { Request } from 'express';
+export declare const ENTITLEMENT_KEY = "entitlement";
+export declare const ENTITLEMENT_METADATA_KEY: unique symbol;
+export interface EntitlementMetadata<TRequest extends Request = Request> {
+    entitlementKey: Schema.EntitlementType;
+    resourceIdExtractor: (request: TRequest) => string | Promise<string>;
+}
+export declare const SetEntitlementMetadata: <TRequest extends Request = Request>(entitlementKey: string, resourceIdExtractor: (request: TRequest) => string | Promise<string>) => import("@nestjs/common").CustomDecorator<typeof ENTITLEMENT_METADATA_KEY>;
+export declare class EntitlementGuard<TRequest extends Request = Request> implements CanActivate {
+    private readonly reflector;
+    private readonly config;
+    private readonly runtime;
+    constructor(reflector: Reflector, config: BlimuConfig<TRequest>, runtime: BlimuRuntime);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+//# sourceMappingURL=entitlement.guard.d.ts.map

package/dist/guards/entitlement.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entitlement.guard.d.ts","sourceRoot":"","sources":["../../src/guards/entitlement.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,gBAAgB,EAKjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAE1D,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,eAAO,MAAM,eAAe,gBAAgB,CAAC;AAC7C,eAAO,MAAM,wBAAwB,eAAwB,CAAC;AAK9D,MAAM,WAAW,mBAAmB,CAAC,QAAQ,SAAS,OAAO,GAAG,OAAO;IACrE,cAAc,EAAE,MAAM,CAAC,eAAe,CAAC;IACvC,mBAAmB,EAAE,CAAC,OAAO,EAAE,QAAQ,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACtE;AAMD,eAAO,MAAM,sBAAsB,GAAI,QAAQ,SAAS,OAAO,GAAG,OAAO,EACvE,gBAAgB,MAAM,EACtB,qBAAqB,CAAC,OAAO,EAAE,QAAQ,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,8EAKjC,CAAC;AAWtC,qBACa,gBAAgB,CAAC,QAAQ,SAAS,OAAO,GAAG,OAAO,CAAE,YAAW,WAAW;IAEpF,OAAO,CAAC,QAAQ,CAAC,SAAS;IAE1B,OAAO,CAAC,QAAQ,CAAC,MAAM;IAEvB,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAJP,SAAS,EAAE,SAAS,EAEpB,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC,EAE7B,OAAO,EAAE,YAAY;IAGlC,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAwD/D"}