@chaaskit/server 0.1.0

package/dist/api/oauth.js

@@ -0,0 +1,366 @@
+/**
+ * OAuth 2.1 API Routes
+ *
+ * Implements OAuth 2.1 endpoints for MCP client authentication.
+ *
+ * Endpoints:
+ * - GET /.well-known/oauth-authorization-server - RFC 8414 metadata
+ * - POST /oauth/register - RFC 7591 dynamic client registration
+ * - GET/POST /oauth/authorize - Authorization endpoint
+ * - POST /oauth/token - Token endpoint
+ * - POST /oauth/revoke - Token revocation
+ * - GET /api/oauth/apps - List authorized apps
+ * - DELETE /api/oauth/apps/:clientId - Revoke app access
+ */
+import { Router } from 'express';
+import { HTTP_STATUS } from '@chaaskit/shared';
+import { getConfig } from '../config/loader.js';
+import { requireAuth } from '../middleware/auth.js';
+import { registerClient, generateAuthorizationCode, exchangeCodeForTokens, refreshAccessToken, revokeToken, revokeAllTokensForClient, getAuthorizedApps, getAuthorizationServerMetadata, } from '../oauth/server.js';
+export const oauthRouter = Router();
+// =============================================================================
+// Well-Known Endpoint
+// =============================================================================
+/**
+ * OAuth 2.0 Authorization Server Metadata (RFC 8414)
+ */
+oauthRouter.get('/.well-known/oauth-authorization-server', (req, res) => {
+    const config = getConfig();
+    if (!config.mcp?.server?.oauth?.enabled) {
+        res.status(404).json({ error: 'OAuth is not enabled' });
+        return;
+    }
+    res.json(getAuthorizationServerMetadata());
+});
+/**
+ * OAuth 2.0 Protected Resource Metadata (RFC 9728)
+ *
+ * This endpoint tells MCP clients where the authorization server is located.
+ * Supports both root-level and resource-specific paths per RFC 9728.
+ */
+function handleProtectedResourceMetadata(req, res) {
+    const config = getConfig();
+    const serverConfig = config.mcp?.server;
+    if (!serverConfig?.enabled) {
+        res.status(404).json({ error: 'MCP server is not enabled' });
+        return;
+    }
+    const apiUrl = process.env.API_URL || 'http://localhost:3000';
+    // Build the resource metadata
+    const metadata = {
+        resource: `${apiUrl}/mcp`,
+        authorization_servers: [`${apiUrl}`],
+    };
+    // Add bearer methods supported
+    if (serverConfig.oauth?.enabled) {
+        metadata.bearer_methods_supported = ['header'];
+        metadata.scopes_supported = ['mcp:tools', 'mcp:resources'];
+    }
+    res.json(metadata);
+}
+// Root-level protected resource metadata
+oauthRouter.get('/.well-known/oauth-protected-resource', handleProtectedResourceMetadata);
+// Resource-specific path (RFC 9728 allows appending resource path)
+oauthRouter.get('/.well-known/oauth-protected-resource/mcp', handleProtectedResourceMetadata);
+// =============================================================================
+// Dynamic Client Registration
+// =============================================================================
+/**
+ * RFC 7591 Dynamic Client Registration
+ */
+oauthRouter.post('/oauth/register', async (req, res) => {
+    const config = getConfig();
+    if (!config.mcp?.server?.oauth?.enabled) {
+        res.status(404).json({ error: 'OAuth is not enabled' });
+        return;
+    }
+    if (!config.mcp.server.oauth.allowDynamicRegistration) {
+        res.status(403).json({
+            error: 'invalid_request',
+            error_description: 'Dynamic client registration is not enabled',
+        });
+        return;
+    }
+    try {
+        const { client_name, redirect_uris, grant_types, response_types, token_endpoint_auth_method, client_uri } = req.body;
+        // Validate required fields
+        if (!client_name || typeof client_name !== 'string') {
+            res.status(400).json({
+                error: 'invalid_client_metadata',
+                error_description: 'client_name is required',
+            });
+            return;
+        }
+        if (!redirect_uris || !Array.isArray(redirect_uris) || redirect_uris.length === 0) {
+            res.status(400).json({
+                error: 'invalid_client_metadata',
+                error_description: 'redirect_uris is required and must be a non-empty array',
+            });
+            return;
+        }
+        // Validate redirect URIs
+        for (const uri of redirect_uris) {
+            try {
+                new URL(uri);
+            }
+            catch {
+                res.status(400).json({
+                    error: 'invalid_redirect_uri',
+                    error_description: `Invalid redirect URI: ${uri}`,
+                });
+                return;
+            }
+        }
+        const client = await registerClient({
+            client_name,
+            redirect_uris,
+            grant_types,
+            response_types,
+            token_endpoint_auth_method,
+            client_uri,
+        });
+        res.status(201).json(client);
+    }
+    catch (error) {
+        console.error('[OAuth] Registration error:', error);
+        res.status(400).json({
+            error: 'invalid_client_metadata',
+            error_description: error instanceof Error ? error.message : 'Registration failed',
+        });
+    }
+});
+// =============================================================================
+// Authorization Endpoint
+// =============================================================================
+/**
+ * Authorization endpoint - GET shows consent page, POST processes consent
+ */
+oauthRouter.get('/oauth/authorize', requireAuth, async (req, res) => {
+    const config = getConfig();
+    if (!config.mcp?.server?.oauth?.enabled) {
+        res.status(404).json({ error: 'OAuth is not enabled' });
+        return;
+    }
+    const { client_id, redirect_uri, response_type, scope, state, code_challenge, code_challenge_method, } = req.query;
+    // Validate required parameters
+    if (response_type !== 'code') {
+        res.status(400).json({
+            error: 'unsupported_response_type',
+            error_description: 'Only response_type=code is supported',
+        });
+        return;
+    }
+    if (!client_id || typeof client_id !== 'string') {
+        res.status(400).json({
+            error: 'invalid_request',
+            error_description: 'client_id is required',
+        });
+        return;
+    }
+    if (!redirect_uri || typeof redirect_uri !== 'string') {
+        res.status(400).json({
+            error: 'invalid_request',
+            error_description: 'redirect_uri is required',
+        });
+        return;
+    }
+    if (!code_challenge || typeof code_challenge !== 'string') {
+        res.status(400).json({
+            error: 'invalid_request',
+            error_description: 'code_challenge is required (PKCE)',
+        });
+        return;
+    }
+    // Redirect to frontend consent page with query params
+    const appUrl = process.env.APP_URL || 'http://localhost:5173';
+    const basePath = config.app?.basePath || '';
+    const consentPath = basePath ? `${basePath}/oauth/consent` : '/oauth/consent';
+    const consentUrl = new URL(consentPath, appUrl);
+    consentUrl.searchParams.set('client_id', client_id);
+    consentUrl.searchParams.set('redirect_uri', redirect_uri);
+    if (scope)
+        consentUrl.searchParams.set('scope', scope);
+    if (state)
+        consentUrl.searchParams.set('state', state);
+    consentUrl.searchParams.set('code_challenge', code_challenge);
+    if (code_challenge_method) {
+        consentUrl.searchParams.set('code_challenge_method', code_challenge_method);
+    }
+    res.redirect(consentUrl.toString());
+});
+/**
+ * Authorization endpoint - POST processes consent decision
+ */
+oauthRouter.post('/oauth/authorize', requireAuth, async (req, res) => {
+    const config = getConfig();
+    if (!config.mcp?.server?.oauth?.enabled) {
+        res.status(404).json({ error: 'OAuth is not enabled' });
+        return;
+    }
+    const { client_id, redirect_uri, scope, state, code_challenge, code_challenge_method, consent, } = req.body;
+    // Validate consent
+    if (consent !== 'approve') {
+        // User denied - redirect with error
+        const redirectUrl = new URL(redirect_uri);
+        redirectUrl.searchParams.set('error', 'access_denied');
+        redirectUrl.searchParams.set('error_description', 'User denied the request');
+        if (state)
+            redirectUrl.searchParams.set('state', state);
+        res.json({ redirect: redirectUrl.toString() });
+        return;
+    }
+    try {
+        // Generate authorization code
+        const code = await generateAuthorizationCode({
+            clientId: client_id,
+            userId: req.user.id,
+            redirectUri: redirect_uri,
+            scope,
+            codeChallenge: code_challenge,
+            codeChallengeMethod: code_challenge_method || 'S256',
+        });
+        // Build redirect URL with code
+        const redirectUrl = new URL(redirect_uri);
+        redirectUrl.searchParams.set('code', code);
+        if (state)
+            redirectUrl.searchParams.set('state', state);
+        res.json({ redirect: redirectUrl.toString() });
+    }
+    catch (error) {
+        console.error('[OAuth] Authorization error:', error);
+        const redirectUrl = new URL(redirect_uri);
+        redirectUrl.searchParams.set('error', 'server_error');
+        redirectUrl.searchParams.set('error_description', error instanceof Error ? error.message : 'Authorization failed');
+        if (state)
+            redirectUrl.searchParams.set('state', state);
+        res.json({ redirect: redirectUrl.toString() });
+    }
+});
+// =============================================================================
+// Token Endpoint
+// =============================================================================
+/**
+ * Token endpoint - exchange code for tokens or refresh tokens
+ */
+oauthRouter.post('/oauth/token', async (req, res) => {
+    const config = getConfig();
+    if (!config.mcp?.server?.oauth?.enabled) {
+        res.status(404).json({ error: 'OAuth is not enabled' });
+        return;
+    }
+    const { grant_type, code, redirect_uri, client_id, code_verifier, refresh_token } = req.body;
+    try {
+        if (grant_type === 'authorization_code') {
+            // Validate required parameters
+            if (!code || !redirect_uri || !client_id || !code_verifier) {
+                res.status(400).json({
+                    error: 'invalid_request',
+                    error_description: 'Missing required parameters: code, redirect_uri, client_id, code_verifier',
+                });
+                return;
+            }
+            const tokens = await exchangeCodeForTokens({
+                code,
+                clientId: client_id,
+                redirectUri: redirect_uri,
+                codeVerifier: code_verifier,
+            });
+            res.json(tokens);
+        }
+        else if (grant_type === 'refresh_token') {
+            if (!refresh_token || !client_id) {
+                res.status(400).json({
+                    error: 'invalid_request',
+                    error_description: 'Missing required parameters: refresh_token, client_id',
+                });
+                return;
+            }
+            const tokens = await refreshAccessToken({
+                refreshToken: refresh_token,
+                clientId: client_id,
+            });
+            res.json(tokens);
+        }
+        else {
+            res.status(400).json({
+                error: 'unsupported_grant_type',
+                error_description: 'Only authorization_code and refresh_token grant types are supported',
+            });
+        }
+    }
+    catch (error) {
+        console.error('[OAuth] Token error:', error);
+        res.status(400).json({
+            error: 'invalid_grant',
+            error_description: error instanceof Error ? error.message : 'Token exchange failed',
+        });
+    }
+});
+// =============================================================================
+// Token Revocation
+// =============================================================================
+/**
+ * Token revocation endpoint (RFC 7009)
+ */
+oauthRouter.post('/oauth/revoke', async (req, res) => {
+    const config = getConfig();
+    if (!config.mcp?.server?.oauth?.enabled) {
+        res.status(404).json({ error: 'OAuth is not enabled' });
+        return;
+    }
+    const { token, token_type_hint } = req.body;
+    if (!token) {
+        res.status(400).json({
+            error: 'invalid_request',
+            error_description: 'token is required',
+        });
+        return;
+    }
+    try {
+        await revokeToken({
+            token,
+            tokenTypeHint: token_type_hint,
+        });
+        // Always return 200 OK per RFC 7009
+        res.status(200).end();
+    }
+    catch (error) {
+        console.error('[OAuth] Revocation error:', error);
+        res.status(200).end(); // Still return 200 per spec
+    }
+});
+// =============================================================================
+// User App Management API
+// =============================================================================
+/**
+ * List OAuth apps authorized by the current user
+ */
+oauthRouter.get('/api/oauth/apps', requireAuth, async (req, res) => {
+    try {
+        const apps = await getAuthorizedApps(req.user.id);
+        res.json({ apps });
+    }
+    catch (error) {
+        console.error('[OAuth] Error listing apps:', error);
+        res.status(HTTP_STATUS.INTERNAL_SERVER_ERROR).json({
+            error: 'Failed to list authorized apps',
+        });
+    }
+});
+/**
+ * Revoke access for an OAuth app
+ */
+oauthRouter.delete('/api/oauth/apps/:clientId', requireAuth, async (req, res) => {
+    const { clientId } = req.params;
+    try {
+        await revokeAllTokensForClient(clientId, req.user.id);
+        res.status(204).end();
+    }
+    catch (error) {
+        console.error('[OAuth] Error revoking app:', error);
+        res.status(HTTP_STATUS.INTERNAL_SERVER_ERROR).json({
+            error: 'Failed to revoke app access',
+        });
+    }
+});
+//# sourceMappingURL=oauth.js.map

package/dist/api/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../../src/api/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAEjC,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EACL,cAAc,EACd,yBAAyB,EACzB,qBAAqB,EACrB,kBAAkB,EAClB,WAAW,EACX,wBAAwB,EACxB,iBAAiB,EACjB,8BAA8B,GAC/B,MAAM,oBAAoB,CAAC;AAE5B,MAAM,CAAC,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC;AAEpC,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF;;GAEG;AACH,WAAW,CAAC,GAAG,CAAC,yCAAyC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;IACzF,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QACxC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,GAAG,CAAC,IAAI,CAAC,8BAA8B,EAAE,CAAC,CAAC;AAC7C,CAAC,CAAC,CAAC;AAEH;;;;;GAKG;AACH,SAAS,+BAA+B,CAAC,GAAY,EAAE,GAAa;IAClE,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC;IAExC,IAAI,CAAC,YAAY,EAAE,OAAO,EAAE,CAAC;QAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC,CAAC;QAC7D,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,uBAAuB,CAAC;IAE9D,8BAA8B;IAC9B,MAAM,QAAQ,GAA4B;QACxC,QAAQ,EAAE,GAAG,MAAM,MAAM;QACzB,qBAAqB,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC;KACrC,CAAC;IAEF,+BAA+B;IAC/B,IAAI,YAAY,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC;QAChC,QAAQ,CAAC,wBAAwB,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC/C,QAAQ,CAAC,gBAAgB,GAAG,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;IAC7D,CAAC;IAED,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACrB,CAAC;AAED,yCAAyC;AACzC,WAAW,CAAC,GAAG,CAAC,uCAAuC,EAAE,+BAA+B,CAAC,CAAC;AAE1F,mEAAmE;AACnE,WAAW,CAAC,GAAG,CAAC,2CAA2C,EAAE,+BAA+B,CAAC,CAAC;AAE9F,gFAAgF;AAChF,8BAA8B;AAC9B,gFAAgF;AAEhF;;GAEG;AACH,WAAW,CAAC,IAAI,CAAC,iBAAiB,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;IACxE,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QACxC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,CAAC;QACtD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,4CAA4C;SAChE,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,cAAc,EAAE,0BAA0B,EAAE,UAAU,EAAE,GACvG,GAAG,CAAC,IAAI,CAAC;QAEX,2BAA2B;QAC3B,IAAI,CAAC,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;YACpD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,yBAAyB;gBAChC,iBAAiB,EAAE,yBAAyB;aAC7C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,CAAC,aAAa,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,yBAAyB;gBAChC,iBAAiB,EAAE,yDAAyD;aAC7E,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,yBAAyB;QACzB,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC;gBACH,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YACf,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,sBAAsB;oBAC7B,iBAAiB,EAAE,yBAAyB,GAAG,EAAE;iBAClD,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC;YAClC,WAAW;YACX,aAAa;YACb,WAAW;YACX,cAAc;YACd,0BAA0B;YAC1B,UAAU;SACX,CAAC,CAAC;QAEH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;QACpD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,yBAAyB;YAChC,iBAAiB,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,qBAAqB;SAClF,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,gFAAgF;AAChF,yBAAyB;AACzB,gFAAgF;AAEhF;;GAEG;AACH,WAAW,CAAC,GAAG,CAAC,kBAAkB,EAAE,WAAW,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;IACrF,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QACxC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,MAAM,EACJ,SAAS,EACT,YAAY,EACZ,aAAa,EACb,KAAK,EACL,KAAK,EACL,cAAc,EACd,qBAAqB,GACtB,GAAG,GAAG,CAAC,KAAK,CAAC;IAEd,+BAA+B;IAC/B,IAAI,aAAa,KAAK,MAAM,EAAE,CAAC;QAC7B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,2BAA2B;YAClC,iBAAiB,EAAE,sCAAsC;SAC1D,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QAChD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,uBAAuB;SAC3C,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,CAAC,YAAY,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;QACtD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,0BAA0B;SAC9C,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,CAAC,cAAc,IAAI,OAAO,cAAc,KAAK,QAAQ,EAAE,CAAC;QAC1D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,mCAAmC;SACvD,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,sDAAsD;IACtD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,uBAAuB,CAAC;IAC9D,MAAM,QAAQ,GAAI,MAAM,CAAC,GAA6B,EAAE,QAAQ,IAAI,EAAE,CAAC;IACvE,MAAM,WAAW,GAAG,QAAQ,CAAC,CAAC,CAAC,GAAG,QAAQ,gBAAgB,CAAC,CAAC,CAAC,gBAAgB,CAAC;IAC9E,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAChD,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IACpD,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;IAC1D,IAAI,KAAK;QAAE,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAe,CAAC,CAAC;IACjE,IAAI,KAAK;QAAE,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAe,CAAC,CAAC;IACjE,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,cAAc,CAAC,CAAC;IAC9D,IAAI,qBAAqB,EAAE,CAAC;QAC1B,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,qBAA+B,CAAC,CAAC;IACxF,CAAC;IAED,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC;AACtC,CAAC,CAAC,CAAC;AAEH;;GAEG;AACH,WAAW,CAAC,IAAI,CAAC,kBAAkB,EAAE,WAAW,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;IACtF,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QACxC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,MAAM,EACJ,SAAS,EACT,YAAY,EACZ,KAAK,EACL,KAAK,EACL,cAAc,EACd,qBAAqB,EACrB,OAAO,GACR,GAAG,GAAG,CAAC,IAAI,CAAC;IAEb,mBAAmB;IACnB,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,oCAAoC;QACpC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;QAC1C,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QACvD,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,yBAAyB,CAAC,CAAC;QAC7E,IAAI,KAAK;YAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACxD,GAAG,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC/C,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,8BAA8B;QAC9B,MAAM,IAAI,GAAG,MAAM,yBAAyB,CAAC;YAC3C,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,GAAG,CAAC,IAAK,CAAC,EAAE;YACpB,WAAW,EAAE,YAAY;YACzB,KAAK;YACL,aAAa,EAAE,cAAc;YAC7B,mBAAmB,EAAE,qBAAqB,IAAI,MAAM;SACrD,CAAC,CAAC;QAEH,+BAA+B;QAC/B,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;QAC1C,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QAC3C,IAAI,KAAK;YAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAExD,GAAG,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,8BAA8B,EAAE,KAAK,CAAC,CAAC;QACrD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;QAC1C,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;QACtD,WAAW,CAAC,YAAY,CAAC,GAAG,CAC1B,mBAAmB,EACnB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,sBAAsB,CAChE,CAAC;QACF,IAAI,KAAK;YAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACxD,GAAG,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IACjD,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,gFAAgF;AAChF,iBAAiB;AACjB,gFAAgF;AAEhF;;GAEG;AACH,WAAW,CAAC,IAAI,CAAC,cAAc,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;IACrE,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QACxC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;IAE7F,IAAI,CAAC;QACH,IAAI,UAAU,KAAK,oBAAoB,EAAE,CAAC;YACxC,+BAA+B;YAC/B,IAAI,CAAC,IAAI,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,IAAI,CAAC,aAAa,EAAE,CAAC;gBAC3D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,iBAAiB;oBACxB,iBAAiB,EAAE,2EAA2E;iBAC/F,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC;gBACzC,IAAI;gBACJ,QAAQ,EAAE,SAAS;gBACnB,WAAW,EAAE,YAAY;gBACzB,YAAY,EAAE,aAAa;aAC5B,CAAC,CAAC;YAEH,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACnB,CAAC;aAAM,IAAI,UAAU,KAAK,eAAe,EAAE,CAAC;YAC1C,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS,EAAE,CAAC;gBACjC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,iBAAiB;oBACxB,iBAAiB,EAAE,uDAAuD;iBAC3E,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC;gBACtC,YAAY,EAAE,aAAa;gBAC3B,QAAQ,EAAE,SAAS;aACpB,CAAC,CAAC;YAEH,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACnB,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,wBAAwB;gBAC/B,iBAAiB,EAAE,qEAAqE;aACzF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,sBAAsB,EAAE,KAAK,CAAC,CAAC;QAC7C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,eAAe;YACtB,iBAAiB,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB;SACpF,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;GAEG;AACH,WAAW,CAAC,IAAI,CAAC,eAAe,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;IACtE,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QACxC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;QACxD,OAAO;IACT,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC;IAE5C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,iBAAiB;YACxB,iBAAiB,EAAE,mBAAmB;SACvC,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,WAAW,CAAC;YAChB,KAAK;YACL,aAAa,EAAE,eAAe;SAC/B,CAAC,CAAC;QAEH,oCAAoC;QACpC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;IACxB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,KAAK,CAAC,CAAC;QAClD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,4BAA4B;IACrD,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF;;GAEG;AACH,WAAW,CAAC,GAAG,CAAC,iBAAiB,EAAE,WAAW,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;IACpF,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,IAAK,CAAC,EAAE,CAAC,CAAC;QACnD,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;IACrB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;QACpD,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC;YACjD,KAAK,EAAE,gCAAgC;SACxC,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC;AAEH;;GAEG;AACH,WAAW,CAAC,MAAM,CAAC,2BAA2B,EAAE,WAAW,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;IACjG,MAAM,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;IAEhC,IAAI,CAAC;QACH,MAAM,wBAAwB,CAAC,QAAQ,EAAE,GAAG,CAAC,IAAK,CAAC,EAAE,CAAC,CAAC;QACvD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;IACxB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;QACpD,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC;YACjD,KAAK,EAAE,6BAA6B;SACrC,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC"}