@cello-protocol/client 0.0.2

package/dist/s3-cloud-storage-provider.d.ts

@@ -0,0 +1,54 @@
+/**
+ * S3CloudStorageProvider — AWS S3-backed CloudStorageProvider for CELLO_ENV != local.
+ *
+ * PERSIST-022: Implements the CloudStorageProvider interface using AWS S3.
+ * Used for encrypted backup upload/download when BACKUP_S3_BUCKET is configured.
+ *
+ * Pseudocode:
+ *   constructor({ bucket, region }):
+ *     1. Store bucket and region.
+ *     2. Create S3Client with the provided region.
+ *        The S3Client uses the AWS SDK's default credential chain
+ *        (IAM role in ECS, ~/.aws credentials locally, etc.).
+ *
+ *   upload(key, data):
+ *     1. Send PutObjectCommand({ Bucket: bucket, Key: key, Body: data }).
+ *     2. On success: return void.
+ *     3. On error: throw (caller — ClientBackup — handles it via client.backup.upload.failed).
+ *
+ *   download(key):
+ *     1. Send GetObjectCommand({ Bucket: bucket, Key: key }).
+ *     2. On success: stream Body to a Uint8Array and return it.
+ *     3. On NoSuchKey (S3 error code): return undefined (key not found is not an error).
+ *     4. On other errors: throw (caller handles it).
+ *
+ * Security notes:
+ *   - This class never touches encryption keys. ClientBackup handles all crypto.
+ *   - No logging in this class — ClientBackup is the observable layer.
+ *   - Constructor takes a plain config object (not an S3Client) so the interface stays clean.
+ */
+import type { CloudStorageProvider } from "@cello-protocol/interfaces";
+/** Configuration for S3CloudStorageProvider. Provided by the composition root. */
+export interface S3CloudStorageConfig {
+    /** S3 bucket name. Comes from BACKUP_S3_BUCKET env var, read at composition root. */
+    bucket: string;
+    /** AWS region. Comes from CELLO_AWS_REGION env var (falls back to AWS_REGION), read at composition root. */
+    region: string;
+}
+export declare class S3CloudStorageProvider implements CloudStorageProvider {
+    #private;
+    constructor(config: S3CloudStorageConfig);
+    /**
+     * Upload data to the given key in S3.
+     * Overwrites if the object already exists.
+     * Throws on any S3 error — ClientBackup handles the error and logs it.
+     */
+    upload(key: string, data: Uint8Array): Promise<void>;
+    /**
+     * Download data from the given key in S3.
+     * Returns undefined if the object does not exist (NoSuchKey).
+     * Throws on any other S3 error.
+     */
+    download(key: string): Promise<Uint8Array | undefined>;
+}
+//# sourceMappingURL=s3-cloud-storage-provider.d.ts.map

package/dist/s3-cloud-storage-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"s3-cloud-storage-provider.d.ts","sourceRoot":"","sources":["../src/s3-cloud-storage-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAGH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAEvE,kFAAkF;AAClF,MAAM,WAAW,oBAAoB;IACnC,qFAAqF;IACrF,MAAM,EAAE,MAAM,CAAC;IACf,4GAA4G;IAC5G,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,sBAAuB,YAAW,oBAAoB;;gBAIrD,MAAM,EAAE,oBAAoB;IAKxC;;;;OAIG;IACG,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAU1D;;;;OAIG;IACG,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,SAAS,CAAC;CAyB7D"}

package/dist/s3-cloud-storage-provider.js

@@ -0,0 +1,78 @@
+/**
+ * S3CloudStorageProvider — AWS S3-backed CloudStorageProvider for CELLO_ENV != local.
+ *
+ * PERSIST-022: Implements the CloudStorageProvider interface using AWS S3.
+ * Used for encrypted backup upload/download when BACKUP_S3_BUCKET is configured.
+ *
+ * Pseudocode:
+ *   constructor({ bucket, region }):
+ *     1. Store bucket and region.
+ *     2. Create S3Client with the provided region.
+ *        The S3Client uses the AWS SDK's default credential chain
+ *        (IAM role in ECS, ~/.aws credentials locally, etc.).
+ *
+ *   upload(key, data):
+ *     1. Send PutObjectCommand({ Bucket: bucket, Key: key, Body: data }).
+ *     2. On success: return void.
+ *     3. On error: throw (caller — ClientBackup — handles it via client.backup.upload.failed).
+ *
+ *   download(key):
+ *     1. Send GetObjectCommand({ Bucket: bucket, Key: key }).
+ *     2. On success: stream Body to a Uint8Array and return it.
+ *     3. On NoSuchKey (S3 error code): return undefined (key not found is not an error).
+ *     4. On other errors: throw (caller handles it).
+ *
+ * Security notes:
+ *   - This class never touches encryption keys. ClientBackup handles all crypto.
+ *   - No logging in this class — ClientBackup is the observable layer.
+ *   - Constructor takes a plain config object (not an S3Client) so the interface stays clean.
+ */
+import { S3Client, PutObjectCommand, GetObjectCommand, NoSuchKey } from "@aws-sdk/client-s3";
+export class S3CloudStorageProvider {
+    #client;
+    #bucket;
+    constructor(config) {
+        this.#bucket = config.bucket;
+        this.#client = new S3Client({ region: config.region });
+    }
+    /**
+     * Upload data to the given key in S3.
+     * Overwrites if the object already exists.
+     * Throws on any S3 error — ClientBackup handles the error and logs it.
+     */
+    async upload(key, data) {
+        await this.#client.send(new PutObjectCommand({
+            Bucket: this.#bucket,
+            Key: key,
+            Body: data,
+        }));
+    }
+    /**
+     * Download data from the given key in S3.
+     * Returns undefined if the object does not exist (NoSuchKey).
+     * Throws on any other S3 error.
+     */
+    async download(key) {
+        try {
+            const response = await this.#client.send(new GetObjectCommand({
+                Bucket: this.#bucket,
+                Key: key,
+            }));
+            // Body is a Readable stream from the SDK; collect into a Uint8Array
+            if (!response.Body) {
+                return new Uint8Array(0);
+            }
+            // @aws-sdk/client-s3 v3: Body has transformToByteArray() in Node.js environments
+            const bytes = await response.Body.transformToByteArray();
+            return bytes;
+        }
+        catch (err) {
+            // Return undefined for the key-not-found case (AC-003)
+            if (err instanceof NoSuchKey) {
+                return undefined;
+            }
+            throw err;
+        }
+    }
+}
+//# sourceMappingURL=s3-cloud-storage-provider.js.map

package/dist/s3-cloud-storage-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"s3-cloud-storage-provider.js","sourceRoot":"","sources":["../src/s3-cloud-storage-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAW7F,MAAM,OAAO,sBAAsB;IACxB,OAAO,CAAW;IAClB,OAAO,CAAS;IAEzB,YAAY,MAA4B;QACtC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,OAAO,GAAG,IAAI,QAAQ,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IACzD,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,MAAM,CAAC,GAAW,EAAE,IAAgB;QACxC,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CACrB,IAAI,gBAAgB,CAAC;YACnB,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,GAAG,EAAE,GAAG;YACR,IAAI,EAAE,IAAI;SACX,CAAC,CACH,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,QAAQ,CAAC,GAAW;QACxB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CACtC,IAAI,gBAAgB,CAAC;gBACnB,MAAM,EAAE,IAAI,CAAC,OAAO;gBACpB,GAAG,EAAE,GAAG;aACT,CAAC,CACH,CAAC;YAEF,oEAAoE;YACpE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACnB,OAAO,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;YAC3B,CAAC;YAED,iFAAiF;YACjF,MAAM,KAAK,GAAG,MAAO,QAAQ,CAAC,IAAwD,CAAC,oBAAoB,EAAE,CAAC;YAC9G,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,uDAAuD;YACvD,IAAI,GAAG,YAAY,SAAS,EAAE,CAAC;gBAC7B,OAAO,SAAS,CAAC;YACnB,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;CACF"}

package/dist/sqlcipher-client-store.d.ts

@@ -0,0 +1,68 @@
+/**
+ * SQLCipherClientStore — SQLCipher-encrypted ClientStore for CELLO_ENV=dev+.
+ *
+ * PERSIST-009: Implements the ClientStore interface backed by SQLCipher-encrypted SQLite.
+ * Used only by the composition root. Never exported from packages/client/src/index.ts.
+ *
+ * Security invariants (PERSIST-009):
+ *   SI-001: db_key is NEVER logged, serialized, or included in any error message.
+ *   SI-002: Constructor takes db_key (Uint8Array), NOT identity_key. The caller
+ *           must derive db_key via deriveDbKey() before constructing this store.
+ *   SI-003: No PRAGMA cipher_* commands that would weaken AES-256-CBC defaults.
+ *
+ * Degraded behavior (DB-001):
+ *   On corrupt file or wrong key, logs client.store.open.failed and throws.
+ *   Never creates a new empty database over a corrupt file.
+ */
+import type { ClientStore, Logger } from "@cello-protocol/interfaces";
+export interface SQLCipherClientStoreOptions {
+    /** Absolute path to the SQLite database file. */
+    dbPath: string;
+    /** Stable agent identifier — included in log events. */
+    agentId: string;
+    /** CELLO_ENV value — included in client.store.opened log event. */
+    env?: string;
+    /**
+     * @internal test seam — defaults to packages/client/db/migrations/
+     */
+    migrationsPath?: string;
+    /** Structured logger injected at the composition root. */
+    logger: Logger;
+}
+/**
+ * ClientStore backed by a SQLCipher-encrypted SQLite database.
+ *
+ * Lifecycle: construct → open() → (use) → close().
+ *
+ * IMPORTANT: only import this from the composition root. The ESLint
+ * no-restricted-imports rule enforces this at compile time.
+ */
+export declare class SQLCipherClientStore implements ClientStore {
+    #private;
+    /**
+     * @param dbKey   - 32-byte database encryption key derived from identity_key via HKDF.
+     *                  NEVER pass identity_key here — only the derived db_key (SI-002).
+     * @param options - Store configuration including dbPath, agentId, and logger.
+     */
+    constructor(dbKey: Uint8Array, options: SQLCipherClientStoreOptions);
+    /**
+     * Open the encrypted database, verify the key, and apply pending migrations.
+     * Must be called before any read/write operations.
+     *
+     * Throws on:
+     *   - corrupt file (file exists but is not a valid SQLCipher database)
+     *   - wrong key (PRAGMA key does not decrypt the file)
+     *   - migration failure
+     *
+     * On any throw, logs client.store.open.failed and does NOT create a new empty
+     * database over the corrupt file (DB-001).
+     */
+    open(): Promise<void>;
+    /** Close the database. Idempotent — safe to call multiple times. */
+    close(): Promise<void>;
+    set(key: string, value: Uint8Array): Promise<void>;
+    get(key: string): Promise<Uint8Array | undefined>;
+    delete(key: string): Promise<void>;
+    has(key: string): Promise<boolean>;
+}
+//# sourceMappingURL=sqlcipher-client-store.d.ts.map

package/dist/sqlcipher-client-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sqlcipher-client-store.d.ts","sourceRoot":"","sources":["../src/sqlcipher-client-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAMH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AAkCtE,MAAM,WAAW,2BAA2B;IAC1C,iDAAiD;IACjD,MAAM,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,OAAO,EAAE,MAAM,CAAC;IAChB,mEAAmE;IACnE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,0DAA0D;IAC1D,MAAM,EAAE,MAAM,CAAC;CAChB;AAID;;;;;;;GAOG;AACH,qBAAa,oBAAqB,YAAW,WAAW;;IAWtD;;;;OAIG;gBACS,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,2BAA2B;IAkBnE;;;;;;;;;;;OAWG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAmD3B,oEAAoE;IAC9D,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IActB,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC;IAiBlD,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,SAAS,CAAC;IAsBjD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAWlC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAwNzC"}

package/dist/sqlcipher-client-store.js

@@ -0,0 +1,382 @@
+/**
+ * SQLCipherClientStore — SQLCipher-encrypted ClientStore for CELLO_ENV=dev+.
+ *
+ * PERSIST-009: Implements the ClientStore interface backed by SQLCipher-encrypted SQLite.
+ * Used only by the composition root. Never exported from packages/client/src/index.ts.
+ *
+ * Security invariants (PERSIST-009):
+ *   SI-001: db_key is NEVER logged, serialized, or included in any error message.
+ *   SI-002: Constructor takes db_key (Uint8Array), NOT identity_key. The caller
+ *           must derive db_key via deriveDbKey() before constructing this store.
+ *   SI-003: No PRAGMA cipher_* commands that would weaken AES-256-CBC defaults.
+ *
+ * Degraded behavior (DB-001):
+ *   On corrupt file or wrong key, logs client.store.open.failed and throws.
+ *   Never creates a new empty database over a corrupt file.
+ */
+import { createRequire } from "node:module";
+import { readFileSync, readdirSync } from "node:fs";
+import { resolve, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+// ─── SQLCipherClientStore ────────────────────────────────────────────────────
+/**
+ * ClientStore backed by a SQLCipher-encrypted SQLite database.
+ *
+ * Lifecycle: construct → open() → (use) → close().
+ *
+ * IMPORTANT: only import this from the composition root. The ESLint
+ * no-restricted-imports rule enforces this at compile time.
+ */
+export class SQLCipherClientStore {
+    #dbKey;
+    #dbPath;
+    #agentId;
+    #env;
+    #migrationsPath;
+    #logger;
+    // Mutable state set during open()
+    #db = null;
+    /**
+     * @param dbKey   - 32-byte database encryption key derived from identity_key via HKDF.
+     *                  NEVER pass identity_key here — only the derived db_key (SI-002).
+     * @param options - Store configuration including dbPath, agentId, and logger.
+     */
+    constructor(dbKey, options) {
+        this.#dbKey = dbKey;
+        this.#dbPath = options.dbPath;
+        this.#agentId = options.agentId;
+        this.#env = options.env ?? "unknown";
+        this.#logger = options.logger;
+        if (options.migrationsPath !== undefined) {
+            this.#migrationsPath = options.migrationsPath;
+        }
+        else {
+            // Resolve default migrations path relative to this module file.
+            // Works for both the TypeScript source (packages/client/src/) and
+            // the compiled output (packages/client/dist/), since db/ is a sibling of both.
+            const moduleDir = dirname(fileURLToPath(import.meta.url));
+            this.#migrationsPath = resolve(moduleDir, "../db/migrations");
+        }
+    }
+    /**
+     * Open the encrypted database, verify the key, and apply pending migrations.
+     * Must be called before any read/write operations.
+     *
+     * Throws on:
+     *   - corrupt file (file exists but is not a valid SQLCipher database)
+     *   - wrong key (PRAGMA key does not decrypt the file)
+     *   - migration failure
+     *
+     * On any throw, logs client.store.open.failed and does NOT create a new empty
+     * database over the corrupt file (DB-001).
+     */
+    async open() {
+        // Load the native module. Using createRequire because @journeyapps/sqlcipher
+        // is a CJS module and this file is ESM.
+        const require = createRequire(import.meta.url);
+        let sqlite3Module;
+        try {
+            sqlite3Module = require("@journeyapps/sqlcipher");
+        }
+        catch (loadErr) {
+            const reason = loadErr instanceof Error ? loadErr.message : String(loadErr);
+            this.#logger.error("client.store.open.failed", { reason: `SQLCipher native module unavailable: ${reason}`, agentId: this.#agentId });
+            throw new Error(`SQLCipher native module unavailable: ${reason}`);
+        }
+        const db = await this.#openDatabase(sqlite3Module);
+        // NOTE: do not assign this.#db yet — #applyKey and #verifyKey must succeed first.
+        try {
+            // Apply PRAGMA key (SI-003: only the key PRAGMA — no weakening cipher settings)
+            await this.#applyKey(db);
+            // Verify the key is correct by reading the sqlite_master table.
+            // If the key is wrong or the file is corrupt, this will fail.
+            await this.#verifyKey(db);
+            // Key is verified — safe to make the database accessible to other methods.
+            this.#db = db;
+            // Run migration runner — applies pending V{n}__*.sql files
+            await this.#runMigrations(db);
+            this.#logger.info("client.store.opened", {
+                env: this.#env,
+                dbPath: this.#dbPath,
+                agentId: this.#agentId,
+            });
+        }
+        catch (err) {
+            const reason = err instanceof Error ? err.message : String(err);
+            // SI-001: never include key material in the error log
+            this.#logger.error("client.store.open.failed", {
+                reason,
+                agentId: this.#agentId,
+            });
+            // Close the DB to release the file handle
+            await new Promise((resolve) => {
+                db.close(() => resolve());
+            });
+            this.#db = null;
+            throw err;
+        }
+    }
+    /** Close the database. Idempotent — safe to call multiple times. */
+    async close() {
+        if (this.#db === null)
+            return;
+        const db = this.#db;
+        this.#db = null;
+        await new Promise((resolve, reject) => {
+            db.close((err) => {
+                if (err)
+                    reject(err);
+                else
+                    resolve();
+            });
+        });
+    }
+    // ─── ClientStore interface ─────────────────────────────────────────────────
+    async set(key, value) {
+        this.#assertOpen();
+        const db = this.#db;
+        return new Promise((resolve, reject) => {
+            db.run(`INSERT INTO client_store (key, value, updated_at)
+         VALUES (?, ?, datetime('now'))
+         ON CONFLICT(key) DO UPDATE SET value = excluded.value, updated_at = excluded.updated_at`, [key, Buffer.from(value)], function (err) {
+                if (err)
+                    reject(err);
+                else
+                    resolve();
+            });
+        });
+    }
+    async get(key) {
+        this.#assertOpen();
+        const db = this.#db;
+        return new Promise((resolve, reject) => {
+            db.get(`SELECT value FROM client_store WHERE key = ?`, [key], (err, row) => {
+                if (err)
+                    return reject(err);
+                if (row === undefined)
+                    return resolve(undefined);
+                // SQLite BLOB comes back as a Node.js Buffer.
+                // Buffer is a Uint8Array subclass, but callers expect a plain Uint8Array.
+                // Use the copy constructor `new Uint8Array(raw)` — NOT the ArrayBuffer view
+                // form `new Uint8Array(raw.buffer, byteOffset, byteLength)` which shares the
+                // underlying memory. A copy is required so callers cannot mutate stored data.
+                const raw = row.value;
+                resolve(new Uint8Array(raw));
+            });
+        });
+    }
+    async delete(key) {
+        this.#assertOpen();
+        const db = this.#db;
+        return new Promise((resolve, reject) => {
+            db.run(`DELETE FROM client_store WHERE key = ?`, [key], function (err) {
+                if (err)
+                    reject(err);
+                else
+                    resolve();
+            });
+        });
+    }
+    async has(key) {
+        this.#assertOpen();
+        const db = this.#db;
+        return new Promise((resolve, reject) => {
+            db.get(`SELECT 1 as exists_flag FROM client_store WHERE key = ? LIMIT 1`, [key], (err, row) => {
+                if (err)
+                    return reject(err);
+                resolve(row !== undefined);
+            });
+        });
+    }
+    // ─── Private helpers ───────────────────────────────────────────────────────
+    #assertOpen() {
+        if (this.#db === null) {
+            throw new Error("SQLCipherClientStore: database is not open. Call open() first.");
+        }
+    }
+    /** Open the SQLite database file. Returns the Database instance on success. */
+    async #openDatabase(sqlite3Module) {
+        return new Promise((resolve, reject) => {
+            // OPEN_CREATE creates the file if absent (first run). On an existing corrupt file,
+            // SQLite opens it without error at the OS level; #verifyKey detects the corruption
+            // and throws without writing to the file — satisfying DB-001 (never overwrite a
+            // corrupt database).
+            const mode = sqlite3Module.OPEN_READWRITE | sqlite3Module.OPEN_CREATE;
+            const db = new sqlite3Module.Database(this.#dbPath, mode, (err) => {
+                if (err)
+                    reject(err);
+                else
+                    resolve(db);
+            });
+        });
+    }
+    /**
+     * Apply the SQLCipher PRAGMA key using the raw hex format.
+     * The key is passed as x'<hex>' which is the SQLCipher raw key format.
+     * SI-001: The key hex is used only in the PRAGMA string and never logged.
+     * SI-003: Only the `key` PRAGMA is set — no cipher_* weakening PRAGMAs.
+     */
+    async #applyKey(db) {
+        const keyHex = Buffer.from(this.#dbKey).toString("hex");
+        const pragmaSql = `PRAGMA key = "x'${keyHex}'"`;
+        // SI-001: keyHex is used only in the PRAGMA string and is never logged.
+        // SI-003: only the `key` PRAGMA is issued — no cipher_* weakening PRAGMAs.
+        return new Promise((resolve, reject) => {
+            db.run(pragmaSql, [], function (err) {
+                if (err)
+                    reject(err);
+                else
+                    resolve();
+            });
+        });
+    }
+    /**
+     * Verify the PRAGMA key is correct by executing a test query.
+     * If the key is wrong or the file is corrupt, this will throw with
+     * an error like "SQLITE_NOTADB: file is not a database".
+     *
+     * DB-001: We do NOT catch and recover here — the error propagates to open()
+     * which logs client.store.open.failed and throws, halting the client.
+     */
+    async #verifyKey(db) {
+        return new Promise((resolve, reject) => {
+            db.get(`SELECT count(*) as c FROM sqlite_master`, [], (err, _row) => {
+                if (err)
+                    reject(err);
+                else
+                    resolve();
+            });
+        });
+    }
+    /**
+     * Run the custom migration runner.
+     *
+     * Algorithm:
+     *   1. Ensure schema_migrations table exists.
+     *   2. Read migration files from migrationsPath matching V{n}__*.sql.
+     *   3. Sort by version number.
+     *   4. For each file not yet in schema_migrations, run it in a transaction.
+     *   5. Record the version in schema_migrations.
+     *   6. Log client.store.migration.applied for each applied migration.
+     */
+    async #runMigrations(db) {
+        // Bootstrap the migrations table before any migration runs — this is not a migration
+        // itself and must not be inside a migration transaction.
+        // Step 1: bootstrap the schema_migrations table itself
+        await this.#execSql(db, `CREATE TABLE IF NOT EXISTS schema_migrations (
+         version    TEXT PRIMARY KEY,
+         applied_at TEXT NOT NULL DEFAULT (datetime('now'))
+       )`);
+        // Step 2: read migration files
+        const migrationFiles = this.#readMigrationFiles();
+        // Step 3: find already-applied migrations
+        const appliedVersions = await this.#queryAppliedVersions(db);
+        // Step 4-6: apply pending migrations in order
+        for (const { filename, version, description } of migrationFiles) {
+            if (appliedVersions.has(version))
+                continue;
+            const sql = readFileSync(filename, "utf-8");
+            const startTime = Date.now();
+            try {
+                await this.#applyMigration(db, sql, version);
+                const executionTime = Date.now() - startTime;
+                this.#logger.info("client.store.migration.applied", {
+                    version,
+                    description,
+                    executionTime,
+                });
+            }
+            catch (err) {
+                const reason = err instanceof Error ? err.message : String(err);
+                this.#logger.error("client.store.migration.failed", {
+                    version,
+                    description,
+                    reason,
+                });
+                throw err;
+            }
+        }
+    }
+    /** Read and sort migration files from the migrations directory. */
+    #readMigrationFiles() {
+        let files;
+        try {
+            files = readdirSync(this.#migrationsPath);
+        }
+        catch (err) {
+            const reason = err instanceof Error ? err.message : String(err);
+            throw new Error(`Cannot read migrations directory '${this.#migrationsPath}': ${reason}`);
+        }
+        const migrations = files
+            .filter((f) => /^V\d+__.*\.sql$/.test(f))
+            .map((f) => {
+            const match = /^(V(\d+)__(.+))\.sql$/.exec(f);
+            if (!match)
+                throw new Error(`Unexpected migration filename: ${f}`);
+            return {
+                filename: resolve(this.#migrationsPath, f),
+                version: match[1], // e.g. "V1__client_schema"
+                versionNum: parseInt(match[2], 10),
+                description: match[3].replaceAll("_", " "), // e.g. "client schema"
+            };
+        })
+            .sort((a, b) => a.versionNum - b.versionNum);
+        return migrations;
+    }
+    /** Query the schema_migrations table and return the set of applied version strings. */
+    async #queryAppliedVersions(db) {
+        return new Promise((resolve, reject) => {
+            db.all(`SELECT version FROM schema_migrations`, [], (err, rows) => {
+                if (err)
+                    return reject(err);
+                const versions = new Set((rows ?? []).map((r) => String(r.version)));
+                resolve(versions);
+            });
+        });
+    }
+    /**
+     * Apply a single migration SQL within a transaction and record it in schema_migrations.
+     *
+     * Implementation note: db.serialize() enqueues all db.run/db.exec calls synchronously
+     * before any callbacks fire, so error recovery inside serialize() is broken — the INSERT
+     * and COMMIT are already queued when a ROLLBACK fires. This method uses a linear await
+     * chain instead, which gives correct sequencing with real error propagation.
+     */
+    async #applyMigration(db, sql, version) {
+        const run = (stmt, params = []) => new Promise((res, rej) => db.run(stmt, params, function (err) {
+            if (err)
+                rej(err);
+            else
+                res();
+        }));
+        const exec = (stmt) => new Promise((res, rej) => db.exec(stmt, (err) => {
+            if (err)
+                rej(err);
+            else
+                res();
+        }));
+        await run("BEGIN");
+        try {
+            await exec(sql);
+            await run(`INSERT OR IGNORE INTO schema_migrations (version, applied_at) VALUES (?, datetime('now'))`, [version]);
+            await run("COMMIT");
+        }
+        catch (err) {
+            // Best-effort rollback — if ROLLBACK itself fails we still re-throw the original error.
+            await run("ROLLBACK").catch(() => { });
+            throw err;
+        }
+    }
+    /** Execute a SQL statement with no parameters. */
+    async #execSql(db, sql) {
+        return new Promise((resolve, reject) => {
+            db.exec(sql, (err) => {
+                if (err)
+                    reject(err);
+                else
+                    resolve();
+            });
+        });
+    }
+}
+//# sourceMappingURL=sqlcipher-client-store.js.map

package/dist/sqlcipher-client-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sqlcipher-client-store.js","sourceRoot":"","sources":["../src/sqlcipher-client-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAkDzC,gFAAgF;AAEhF;;;;;;;GAOG;AACH,MAAM,OAAO,oBAAoB;IACtB,MAAM,CAAa;IACnB,OAAO,CAAS;IAChB,QAAQ,CAAS;IACjB,IAAI,CAAS;IACb,eAAe,CAAS;IACxB,OAAO,CAAS;IAEzB,kCAAkC;IAClC,GAAG,GAA6B,IAAI,CAAC;IAErC;;;;OAIG;IACH,YAAY,KAAiB,EAAE,OAAoC;QACjE,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;QAC9B,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;QAChC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,IAAI,SAAS,CAAC;QACrC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;QAE9B,IAAI,OAAO,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACzC,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;QAChD,CAAC;aAAM,CAAC;YACN,gEAAgE;YAChE,kEAAkE;YAClE,+EAA+E;YAC/E,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1D,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,IAAI;QACR,6EAA6E;QAC7E,wCAAwC;QACxC,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC/C,IAAI,aAA8B,CAAC;QACnC,IAAI,CAAC;YACH,aAAa,GAAG,OAAO,CAAC,wBAAwB,CAAoB,CAAC;QACvE,CAAC;QAAC,OAAO,OAAgB,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,OAAO,YAAY,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC5E,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,EAAE,MAAM,EAAE,wCAAwC,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YACrI,MAAM,IAAI,KAAK,CAAC,wCAAwC,MAAM,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC;QACnD,kFAAkF;QAElF,IAAI,CAAC;YACH,gFAAgF;YAChF,MAAM,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YAEzB,gEAAgE;YAChE,8DAA8D;YAC9D,MAAM,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YAE1B,2EAA2E;YAC3E,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;YAEd,2DAA2D;YAC3D,MAAM,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC;YAE9B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,qBAAqB,EAAE;gBACvC,GAAG,EAAE,IAAI,CAAC,IAAI;gBACd,MAAM,EAAE,IAAI,CAAC,OAAO;gBACpB,OAAO,EAAE,IAAI,CAAC,QAAQ;aACvB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,sDAAsD;YACtD,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE;gBAC7C,MAAM;gBACN,OAAO,EAAE,IAAI,CAAC,QAAQ;aACvB,CAAC,CAAC;YACH,0CAA0C;YAC1C,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;gBAClC,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YAC5B,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC;YAChB,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,GAAG,KAAK,IAAI;YAAE,OAAO;QAC9B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC;QACpB,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC;QAChB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACf,IAAI,GAAG;oBAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;oBAChB,OAAO,EAAE,CAAC;YACjB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,8EAA8E;IAE9E,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAiB;QACtC,IAAI,CAAC,WAAW,EAAE,CAAC;QACnB,MAAM,EAAE,GAAG,IAAI,CAAC,GAAI,CAAC;QACrB,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC3C,EAAE,CAAC,GAAG,CACJ;;iGAEyF,EACzF,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EACzB,UAAU,GAAG;gBACX,IAAI,GAAG;oBAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;oBAChB,OAAO,EAAE,CAAC;YACjB,CAAC,CACF,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,IAAI,CAAC,WAAW,EAAE,CAAC;QACnB,MAAM,EAAE,GAAG,IAAI,CAAC,GAAI,CAAC;QACrB,OAAO,IAAI,OAAO,CAAyB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC7D,EAAE,CAAC,GAAG,CACJ,8CAA8C,EAC9C,CAAC,GAAG,CAAC,EACL,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;gBACX,IAAI,GAAG;oBAAE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC5B,IAAI,GAAG,KAAK,SAAS;oBAAE,OAAO,OAAO,CAAC,SAAS,CAAC,CAAC;gBACjD,8CAA8C;gBAC9C,0EAA0E;gBAC1E,4EAA4E;gBAC5E,6EAA6E;gBAC7E,8EAA8E;gBAC9E,MAAM,GAAG,GAAI,GAAsC,CAAC,KAAK,CAAC;gBAC1D,OAAO,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/B,CAAC,CACF,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,IAAI,CAAC,WAAW,EAAE,CAAC;QACnB,MAAM,EAAE,GAAG,IAAI,CAAC,GAAI,CAAC;QACrB,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC3C,EAAE,CAAC,GAAG,CAAC,wCAAwC,EAAE,CAAC,GAAG,CAAC,EAAE,UAAU,GAAG;gBACnE,IAAI,GAAG;oBAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;oBAChB,OAAO,EAAE,CAAC;YACjB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,IAAI,CAAC,WAAW,EAAE,CAAC;QACnB,MAAM,EAAE,GAAG,IAAI,CAAC,GAAI,CAAC;QACrB,OAAO,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC9C,EAAE,CAAC,GAAG,CACJ,iEAAiE,EACjE,CAAC,GAAG,CAAC,EACL,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;gBACX,IAAI,GAAG;oBAAE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC5B,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC;YAC7B,CAAC,CACF,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED,8EAA8E;IAE9E,WAAW;QACT,IAAI,IAAI,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;QACpF,CAAC;IACH,CAAC;IAED,+EAA+E;IAC/E,KAAK,CAAC,aAAa,CAAC,aAA8B;QAChD,OAAO,IAAI,OAAO,CAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACxD,mFAAmF;YACnF,mFAAmF;YACnF,gFAAgF;YAChF,qBAAqB;YACrB,MAAM,IAAI,GAAG,aAAa,CAAC,cAAc,GAAG,aAAa,CAAC,WAAW,CAAC;YACtE,MAAM,EAAE,GAAG,IAAI,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,GAAG,EAAE,EAAE;gBAChE,IAAI,GAAG;oBAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;oBAChB,OAAO,CAAC,EAAE,CAAC,CAAC;YACnB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,SAAS,CAAC,EAAqB;QACnC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACxD,MAAM,SAAS,GAAG,mBAAmB,MAAM,IAAI,CAAC;QAChD,wEAAwE;QACxE,2EAA2E;QAE3E,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC3C,EAAE,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,EAAE,UAAU,GAAG;gBACjC,IAAI,GAAG;oBAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;oBAChB,OAAO,EAAE,CAAC;YACjB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,UAAU,CAAC,EAAqB;QACpC,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC3C,EAAE,CAAC,GAAG,CAAC,yCAAyC,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;gBAClE,IAAI,GAAG;oBAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;oBAChB,OAAO,EAAE,CAAC;YACjB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,cAAc,CAAC,EAAqB;QACxC,qFAAqF;QACrF,yDAAyD;QACzD,uDAAuD;QACvD,MAAM,IAAI,CAAC,QAAQ,CAAC,EAAE,EACpB;;;SAGG,CACJ,CAAC;QAEF,+BAA+B;QAC/B,MAAM,cAAc,GAAG,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAElD,0CAA0C;QAC1C,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;QAE7D,8CAA8C;QAC9C,KAAK,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,cAAc,EAAE,CAAC;YAChE,IAAI,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC;gBAAE,SAAS;YAE3C,MAAM,GAAG,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC5C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAE7B,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,eAAe,CAAC,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;gBAC7C,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;gBAC7C,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,gCAAgC,EAAE;oBAClD,OAAO;oBACP,WAAW;oBACX,aAAa;iBACd,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,GAAY,EAAE,CAAC;gBACtB,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAChE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE;oBAClD,OAAO;oBACP,WAAW;oBACX,MAAM;iBACP,CAAC,CAAC;gBACH,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,mBAAmB;QACjB,IAAI,KAAe,CAAC;QACpB,IAAI,CAAC;YACH,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAC5C,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,MAAM,IAAI,KAAK,CAAC,qCAAqC,IAAI,CAAC,eAAe,MAAM,MAAM,EAAE,CAAC,CAAC;QAC3F,CAAC;QAED,MAAM,UAAU,GAAG,KAAK;aACrB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;aACxC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC9C,IAAI,CAAC,KAAK;gBAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,EAAE,CAAC,CAAC;YACnE,OAAO;gBACL,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,CAAC;gBAC1C,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,EAAW,2BAA2B;gBACvD,UAAU,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;gBAClC,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,uBAAuB;aACpE,CAAC;QACJ,CAAC,CAAC;aACD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;QAE/C,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,uFAAuF;IACvF,KAAK,CAAC,qBAAqB,CAAC,EAAqB;QAC/C,OAAO,IAAI,OAAO,CAAc,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAClD,EAAE,CAAC,GAAG,CAAC,uCAAuC,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;gBAChE,IAAI,GAAG;oBAAE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC5B,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAS,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAE,CAAyB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;gBACtG,OAAO,CAAC,QAAQ,CAAC,CAAC;YACpB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,eAAe,CAAC,EAAqB,EAAE,GAAW,EAAE,OAAe;QACvE,MAAM,GAAG,GAAG,CAAC,IAAY,EAAE,SAAoB,EAAE,EAAiB,EAAE,CAClE,IAAI,OAAO,CAAO,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAC7B,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,GAAG;YAChC,IAAI,GAAG;gBAAE,GAAG,CAAC,GAAG,CAAC,CAAC;;gBACb,GAAG,EAAE,CAAC;QACb,CAAC,CAAC,CACH,CAAC;QACJ,MAAM,IAAI,GAAG,CAAC,IAAY,EAAiB,EAAE,CAC3C,IAAI,OAAO,CAAO,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAC7B,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,GAAG,EAAE,EAAE;YACpB,IAAI,GAAG;gBAAE,GAAG,CAAC,GAAG,CAAC,CAAC;;gBACb,GAAG,EAAE,CAAC;QACb,CAAC,CAAC,CACH,CAAC;QAEJ,MAAM,GAAG,CAAC,OAAO,CAAC,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,GAAG,CAAC,CAAC;YAChB,MAAM,GAAG,CACP,2FAA2F,EAC3F,CAAC,OAAO,CAAC,CACV,CAAC;YACF,MAAM,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,wFAAwF;YACxF,MAAM,GAAG,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;YACtC,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,KAAK,CAAC,QAAQ,CAAC,EAAqB,EAAE,GAAW;QAC/C,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC3C,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,EAAE;gBACnB,IAAI,GAAG;oBAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;oBAChB,OAAO,EAAE,CAAC;YACjB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;CACF"}