@chrischall/mcp-utils 0.1.0

package/README.md

@@ -0,0 +1,235 @@
+# @chrischall/mcp-utils
+
+Shared scaffolding for the **chrischall MCP fleet** — the generic MCP glue
+hoisted out of ~19 sibling servers so each one no longer reimplements server
+bootstrap, tool-result formatting, helpful errors, hardened env/config, a bearer
+API-client kit, zod atoms, session registries, a fetchproxy transport adapter,
+auth resolver skeletons, an in-memory test harness, and opt-in HTML helpers.
+
+```sh
+npm install @chrischall/mcp-utils
+```
+
+Peer dependencies: `@modelcontextprotocol/sdk` and `zod`. The `@fetchproxy/server`
+and `node-html-parser` peers are **optional** — only needed if you import the
+`/fetchproxy` or `/html` subpaths respectively. Their declared range is `*` so a
+consumer pinning any version installs cleanly; the real requirement is enforced
+at the subpath: **`/fetchproxy` needs `@fetchproxy/server` >= 0.11** (it
+re-exports APIs added there — `withDeadline`, `backoffDelayMs`, `BRIDGE_CONCURRENCY`,
+the bridge-error classifier). MCPs on older `@fetchproxy/server` can use the core
+barrel freely; adopt `/fetchproxy` only after bumping to 0.11+.
+
+## Entry points
+
+The core building blocks are re-exported from the package root. Heavier or
+optional-dependency modules are published as **subpath entries** to keep the core
+import light:
+
+| Import | Contents |
+| --- | --- |
+| `@chrischall/mcp-utils` | core barrel: `server` + `response` + `errors` + `config` + `http` + `zod` + `auth` |
+| `@chrischall/mcp-utils/session` | session registry, session store, token manager |
+| `@chrischall/mcp-utils/fetchproxy` | fetchproxy transport adapter, bot-wall / retry / concurrency helpers |
+| `@chrischall/mcp-utils/html` | opt-in HTML scraping helpers (needs `node-html-parser`) |
+| `@chrischall/mcp-utils/test` | in-memory test harness for tool registration |
+
+```ts
+import { createMcpServer, textResult, requireEnvVar } from '@chrischall/mcp-utils';
+import { createSessionRegistry } from '@chrischall/mcp-utils/session';
+import { createFetchproxyTransport } from '@chrischall/mcp-utils/fetchproxy';
+```
+
+## Modules
+
+### `server` — bootstrap & lifecycle
+
+`createMcpServer`, `runMcp`, `withGracefulShutdown`.
+
+```ts
+import { runMcp, textResult } from '@chrischall/mcp-utils';
+
+await runMcp({
+  name: 'my-mcp',
+  version: '1.0.0',
+  register: (server) => {
+    server.tool('ping', {}, async () => textResult({ ok: true }));
+  },
+  // shutdown: { onSignal: () => client.close() },
+});
+```
+
+`runMcp` wires the server to a stdio transport and installs `SIGINT`/`SIGTERM`
+handlers via `withGracefulShutdown`. Use `createMcpServer` directly if you need
+the server instance without connecting a transport.
+
+### `response` — tool-result formatting
+
+`textResult` / `jsonResult` (alias), `rawTextResult`, `imageResult`,
+`errorResult`, `flattenJsonApi`.
+
+```ts
+import { textResult, errorResult, flattenJsonApi } from '@chrischall/mcp-utils';
+
+return textResult({ items });                 // pretty-printed JSON
+return errorResult('not found');              // { isError: true }
+return textResult(flattenJsonApi(payload));   // collapse JSON:API envelopes
+```
+
+### `errors` — helpful errors
+
+`McpToolError` and its subclasses (`SessionNotAuthenticatedError`,
+`BotWallError`, `RateLimitError`, `UnreachableError`, `ModeMismatchError`),
+plus `createHelpfulError`, `wrapToolError`, `truncateErrorMessage`, and
+`messageOf`. This core module has **no runtime dependencies** — the fetchproxy
+typed-error hierarchy (`Fetchproxy*Error`) and the `classifyBridgeError`
+discriminator live in the [`/fetchproxy`](#fetchproxy) subpath instead, so
+bearer-only MCPs can import the core barrel without installing
+`@fetchproxy/server`.
+
+```ts
+import { wrapToolError, SessionNotAuthenticatedError } from '@chrischall/mcp-utils';
+
+try {
+  if (!token) throw new SessionNotAuthenticatedError({ hint: 'run the login tool first' });
+} catch (err) {
+  throw wrapToolError('my_tool', err);
+}
+```
+
+Every error carries an optional `hint` — a "here's how to fix it" string the
+tool surface can show the user.
+
+### `config` — hardened env/config
+
+`readEnvVar`, `requireEnvVar`, `parseBoolEnv`, `expandPath`, `loadDotenvSafely`.
+
+```ts
+import { requireEnvVar, parseBoolEnv, expandPath } from '@chrischall/mcp-utils';
+
+const apiKey = requireEnvVar('MY_API_KEY');
+const debug = parseBoolEnv('MY_DEBUG', { default: false });
+const home = expandPath('~/.config/my-mcp');
+```
+
+`loadDotenvSafely` is a no-throw `.env` loader (returns `false` instead of
+failing when the file is absent).
+
+### `http` — bearer API-client kit
+
+`createApiClient` plus building blocks: `buildQueryString`, `buildOptionalBody`,
+`formatApiError`, `parseLinkHeader`, `parseCookieJar`, JWT helpers
+(`decodeJwtExp`, `decodeJwtSessionId`, `validateJwtExpiry`), and the
+`UnauthorizedError` / `RateLimitedError` classes.
+
+```ts
+import { createApiClient } from '@chrischall/mcp-utils';
+
+const api = createApiClient({
+  baseUrl: 'https://api.example.com',
+  getToken: () => store.currentToken(),  // resolved per-request; sync or async
+  serviceName: 'Example',
+  retry: { count: 1, delayMs: 2000 },    // fleet-wide "retry once after 2s" default
+});
+
+const data = await api.get('/v1/things', { query: { page: 2 } });
+```
+
+### `zod` — schema atoms
+
+Reusable schemas (`PositiveInt`, `NonNegInt`, `NonEmptyString`, `IsoDate`,
+`IsoTime`, `schemaOrigin`, `schemaConfirm`), pagination helpers
+(`paginationSchema`, `pageSchema`, `calculateOffset`), tool-annotation builders
+(`toolAnnotations`), and time normalizers (`extractTime`, `normalizeTime`).
+
+```ts
+import { paginationSchema, calculateOffset, toolAnnotations } from '@chrischall/mcp-utils';
+
+const inputSchema = { ...paginationSchema, q: NonEmptyString };
+const offset = calculateOffset(page, size);
+const annotations = toolAnnotations({ readOnly: true });
+```
+
+### `auth` — auth resolver skeletons
+
+`createAuthResolver`, `resolveAuthPattern`, `sessionLoginFlow`,
+`createOAuth2Refresher`, and the supporting `FetchproxySession` /
+`AuthPattern` types.
+
+```ts
+import { createAuthResolver, createOAuth2Refresher } from '@chrischall/mcp-utils';
+
+const resolver = createAuthResolver({ /* ... */ });
+const refresh = createOAuth2Refresher({ /* ... */ });
+```
+
+### `session` — session registry & token manager *(subpath)*
+
+```ts
+import {
+  createSessionRegistry,
+  registerSessionTools,
+  TokenManager,
+} from '@chrischall/mcp-utils/session';
+
+const registry = createSessionRegistry();
+registerSessionTools(server, { registry /* ... */ });
+```
+
+Includes `SessionStore`, `normalizeOrigin`, `AuthMode`, and `TokenManager`
+(with `TOKEN_REFRESH_SKEW_MS` for proactive refresh).
+
+### `fetchproxy` — transport adapter *(subpath, optional peer)*
+
+```ts
+import {
+  createFetchproxyTransport,
+  createBootstrapOpts,
+  mapWithConcurrency,
+  TokenBucket,
+  classifyBotWall,
+} from '@chrischall/mcp-utils/fetchproxy';
+```
+
+Wraps `@fetchproxy/server` with the fleet's transport, bot-wall classification,
+deadline/retry, token-bucket rate limiting, and bounded-concurrency helpers, and
+re-exports the fetchproxy typed-error hierarchy.
+
+### `html` — scraping helpers *(subpath, optional peer)*
+
+```ts
+import {
+  parsePropertyTable,
+  findLinksUnderHeading,
+  extractJsonFromHtml,
+  extractPlainTextFromHtml,
+} from '@chrischall/mcp-utils/html';
+```
+
+Requires the optional `node-html-parser` peer. Also provides `urlToPath`,
+`locationToSlug`, and `buildIdExtractor`.
+
+### `test` — in-memory test harness *(subpath)*
+
+```ts
+import { createTestHarness, parseToolResult } from '@chrischall/mcp-utils/test';
+
+const harness = createTestHarness();
+register(harness.server);
+const result = await harness.call('ping', {});
+expect(parseToolResult(result)).toEqual({ ok: true });
+```
+
+Also includes `versionSyncTest`, `mockFetchproxyBootstrap`, `setupClientMocks`,
+and `makeBootstrapResult`.
+
+## Development
+
+```sh
+npm run build      # tsc -b → dist/
+npm test           # vitest run
+npm run test:watch # vitest (watch mode)
+```
+
+## License
+
+MIT

package/dist/auth/index.d.ts

@@ -0,0 +1,223 @@
+/**
+ * Auth resolver skeletons — the shared *shape* of the credential-resolution
+ * logic duplicated across the fleet (resy / opentable / ofw / zola /
+ * signupgenius / creditkarma / canvas / infinitecampus auth.ts).
+ *
+ * This module owns the **skeleton** only. Per-site parameters (which env var,
+ * which cookies to declare, how to parse the session blob, which CSRF input to
+ * scrape) are *injected*; nothing here branches on site identity. Site-specific
+ * OAuth choreographies (e.g. Skylight's `/auth/session` → `/oauth/authorize` →
+ * `/oauth/token` dance) stay per-MCP — they are not a shared shape.
+ *
+ * Four pieces:
+ *  - {@link createAuthResolver} — the three-path resolver
+ *    (env credential → fetchproxy one-shot read → actionable error).
+ *  - {@link resolveAuthPattern} — the four-path variant
+ *    (token → OAuth → session-scrape → fetchproxy), each path an injected
+ *    resolver tried in priority order.
+ *  - {@link sessionLoginFlow} — CSRF-scrape + cookie POST + success-marker,
+ *    the shared CSRF+cookie login primitive (canvas / IC / ofw / signupgenius).
+ *  - {@link createOAuth2Refresher} — an OAuth2 `refresh_token`-grant refresher
+ *    with optional retry and in-flight race-safety.
+ *
+ * Security posture: env reads go through the hardened {@link readEnvVar}
+ * (placeholder / `'null'` / `'undefined'` suppression); thrown errors never
+ * echo the offending secret value and run upstream bodies through
+ * {@link truncateErrorMessage} (redaction + truncation) before surfacing.
+ */
+import { type EnvSource } from '../config/index.js';
+/** A `@fetchproxy/bootstrap` session blob: declared cookies / storage, by key. */
+export interface FetchproxySession {
+    cookies: Record<string, string>;
+    localStorage?: Record<string, string>;
+    sessionStorage?: Record<string, string>;
+}
+/**
+ * The injected `@fetchproxy/bootstrap`-shaped function. Kept as a parameter (not
+ * a hard import) so the heavy bridge dep stays out of this module and tests can
+ * mock the module boundary, exactly as every fleet `auth.ts` does today.
+ */
+export type BootstrapFn = (opts: unknown) => Promise<FetchproxySession>;
+/** Result of {@link createAuthResolver}'s resolver — opaque credential + provenance. */
+export interface ResolvedCredential {
+    /** The resolved credential (token / cookie header / refresh JWT — opaque). */
+    credential: string;
+    /** Which path produced it. Diagnostics / cache-keying only — do not branch on it. */
+    source: 'env' | 'fetchproxy';
+}
+/** Options for {@link createAuthResolver}. */
+export interface AuthResolverOptions {
+    /** Env var holding the credential when the user supplies it directly (path 1). */
+    envVar: string;
+    /**
+     * Env var that, when truthy, disables the fetchproxy fallback (path 2). When
+     * omitted, the fallback is always attempted. Mirrors `*_DISABLE_FETCHPROXY`.
+     */
+    disableEnvVar?: string;
+    /** Injected `@fetchproxy/bootstrap` function (mocked at the boundary in tests). */
+    bootstrap: BootstrapFn;
+    /** The opts object passed verbatim to {@link bootstrap} (domains, declare, …). */
+    bootstrapOptions: unknown;
+    /**
+     * Lift the credential out of the fetchproxy session blob. Returns the
+     * credential string, or `undefined`/`''` when the signed-in tab didn't carry
+     * it (→ surfaced as a "sign in" error).
+     */
+    parseTokens: (session: FetchproxySession) => string | undefined;
+    /** Human-readable service name for the not-signed-in error (e.g. "Zola"). */
+    serviceName?: string;
+    /** Host to point the user at when the browser session is missing (e.g. "zola.com"). */
+    signInHost?: string;
+    /** Env source. Defaults to {@link process.env}. */
+    env?: EnvSource;
+}
+/**
+ * Build the canonical **three-path** auth resolver:
+ *
+ *  1. **Env credential** — `envVar` set (after hardened {@link readEnvVar}
+ *     sanitization) → returned directly, no network.
+ *  2. **fetchproxy one-shot read** — unless `disableEnvVar` is truthy, call the
+ *     injected `bootstrap` to snapshot the user's signed-in browser session,
+ *     then `parseTokens` to extract the credential. fetchproxy is invoked once;
+ *     it is never in the hot path.
+ *  3. **Actionable error** — nothing configured: an error naming the env var
+ *     and the sign-in fallback so the user can pick a fix.
+ *
+ * The returned `source` is for diagnostics; callers must treat the credential
+ * as opaque and not branch on it.
+ */
+export declare function createAuthResolver(opts: AuthResolverOptions): () => Promise<ResolvedCredential>;
+/** Result of a {@link resolveAuthPattern} path resolver — opaque credential + provenance. */
+export interface PatternResult {
+    /** The resolved credential (bearer / cookie header — opaque to the caller). */
+    credential: string;
+    /** Which path produced it. Diagnostics only — callers should not branch on it. */
+    source: string;
+}
+/** A single path resolver. Returning a value claims the path; throwing aborts. */
+export type PathResolver = () => Promise<PatternResult>;
+/**
+ * The four ordered paths of the "Pattern A template" (canvas / IC). A path is
+ * **configured** iff its resolver is provided; the *first* configured path, in
+ * this fixed priority order, runs. This is the only ordering — it never branches
+ * on which site is calling.
+ */
+export interface AuthPattern {
+    /** Path 1: a stateless personal-access-token credential. */
+    token?: PathResolver;
+    /** Path 2: an OAuth `refresh_token` grant. */
+    oauth?: PathResolver;
+    /** Path 3: a username/password session-scrape (CSRF + cookie login). */
+    sessionScrape?: PathResolver;
+    /** Path 4: a fetchproxy one-shot browser-session read. */
+    fetchproxy?: PathResolver;
+}
+/**
+ * Resolve auth via the four-path priority **token → OAuth → session-scrape →
+ * fetchproxy**. Runs the first *provided* resolver in that order (a missing
+ * resolver = an unconfigured path). A resolver that throws propagates — a
+ * partial-config error (the user's mistake) must surface, not silently fall
+ * through. Throws an actionable error when no path is configured at all.
+ */
+export declare function resolveAuthPattern(pattern: AuthPattern): Promise<PatternResult>;
+/** Options for {@link sessionLoginFlow}. */
+export interface SessionLoginOptions {
+    /** URL of the login page to GET (carries the CSRF input + sets a session cookie). */
+    loginUrl: string;
+    /** URL to POST the credentials to. */
+    postUrl: string;
+    /** Regex with one capture group that extracts the CSRF token from the page HTML. */
+    csrfRegex: RegExp;
+    /** Form field name the CSRF token is submitted under. Defaults to `'csrfToken'`. */
+    csrfField?: string;
+    /**
+     * Cookie name that signals a successful login *and* is returned as `token`.
+     * Its presence after the POST is the success marker.
+     */
+    tokenField: string;
+    /** Form field name the email/username is submitted under. Defaults to `'email'`. */
+    emailField?: string;
+    /** Form field name the password is submitted under. Defaults to `'password'`. */
+    passwordField?: string;
+    /** The user's email / username. */
+    email: string;
+    /** The user's password. */
+    password: string;
+    /** Extra static form fields to include in the POST body (per-site form params). */
+    extraFields?: Record<string, string>;
+    /** Header sent on both requests (e.g. a desktop `User-Agent`). */
+    userAgent?: string;
+    /** Injectable fetch (defaults to global `fetch`) — for tests. */
+    fetchImpl?: typeof fetch;
+}
+/** Result of {@link sessionLoginFlow}. */
+export interface SessionLoginResult {
+    /** Value of the `tokenField` cookie set on a successful login. */
+    token: string;
+    /** Full `Cookie` header (deduped jar) for subsequent authenticated requests. */
+    cookies: string;
+}
+/**
+ * The shared CSRF + cookie login primitive (canvas / IC / ofw / signupgenius):
+ *
+ *  1. GET `loginUrl` — capture the session cookie(s) and scrape the CSRF token
+ *     out of the page with `csrfRegex`.
+ *  2. POST `postUrl` (`application/x-www-form-urlencoded`) with the scraped CSRF
+ *     token, credentials, and any `extraFields`, carrying the GET's cookies.
+ *  3. Merge `Set-Cookie`s from both responses (deduped, deletions dropped) and
+ *     require the `tokenField` cookie as the success marker — its value is the
+ *     returned `token`; its absence means the credentials were rejected.
+ *
+ * Per-site form parameters and the CSRF regex are injected; the flow itself is
+ * site-agnostic.
+ */
+export declare function sessionLoginFlow(opts: SessionLoginOptions): Promise<SessionLoginResult>;
+/** Options for {@link createOAuth2Refresher}. */
+export interface OAuth2RefresherOptions {
+    /** Token endpoint to POST the grant to. */
+    endpoint: string;
+    /** The refresh token to exchange. */
+    refreshToken: string;
+    /** OAuth2 grant type. Defaults to `'refresh_token'`. */
+    grantType?: string;
+    /** Extra form params (e.g. `client_id`, `client_secret`, `scope`). */
+    params?: Record<string, string>;
+    /**
+     * Retry policy for a failed exchange. `count` is *additional* attempts after
+     * the first; `delayMs` is the fixed wait between attempts. Omit to never retry.
+     */
+    retry?: {
+        count: number;
+        delayMs: number;
+    };
+    /** Injectable fetch (defaults to global `fetch`) — for tests. */
+    fetchImpl?: typeof fetch;
+}
+/** Result of an {@link createOAuth2Refresher} exchange. */
+export interface OAuth2RefreshResult {
+    /** The new access token. */
+    accessToken: string;
+    /** A rotated refresh token, when the server returned one. */
+    refreshToken?: string;
+    /** `expires_in` (seconds), when the server returned one. */
+    expiresIn?: number;
+    /** Absolute expiry (`now + expires_in`), when `expires_in` was present. */
+    expiresAt?: Date;
+}
+/**
+ * Build a race-safe OAuth2 `refresh_token`-grant refresher. The returned
+ * function POSTs the form-encoded grant to `endpoint` and parses the standard
+ * `{ access_token, refresh_token?, expires_in? }` body.
+ *
+ * Race-safety: concurrent calls share a single in-flight exchange (the
+ * canonical token-refresh-race guard — `skylight`/`canvas`/`creditkarma`/`zola`
+ * all hand-roll this). The in-flight promise is cleared once it settles, so a
+ * later refresh starts fresh and a *rejected* exchange does not poison the next
+ * caller.
+ *
+ * Errors run through {@link truncateErrorMessage} (redaction + truncation)
+ * before surfacing, so an upstream error body can't leak a bearer token or
+ * blow up a tool result.
+ */
+export declare function createOAuth2Refresher(opts: OAuth2RefresherOptions): () => Promise<OAuth2RefreshResult>;
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAA4B,KAAK,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAY9E,kFAAkF;AAClF,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACzC;AAED;;;;GAIG;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,IAAI,EAAE,OAAO,KAAK,OAAO,CAAC,iBAAiB,CAAC,CAAC;AAExE,wFAAwF;AACxF,MAAM,WAAW,kBAAkB;IACjC,8EAA8E;IAC9E,UAAU,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,MAAM,EAAE,KAAK,GAAG,YAAY,CAAC;CAC9B;AAED,8CAA8C;AAC9C,MAAM,WAAW,mBAAmB;IAClC,kFAAkF;IAClF,MAAM,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mFAAmF;IACnF,SAAS,EAAE,WAAW,CAAC;IACvB,kFAAkF;IAClF,gBAAgB,EAAE,OAAO,CAAC;IAC1B;;;;OAIG;IACH,WAAW,EAAE,CAAC,OAAO,EAAE,iBAAiB,KAAK,MAAM,GAAG,SAAS,CAAC;IAChE,6EAA6E;IAC7E,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uFAAuF;IACvF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mDAAmD;IACnD,GAAG,CAAC,EAAE,SAAS,CAAC;CACjB;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,mBAAmB,GACxB,MAAM,OAAO,CAAC,kBAAkB,CAAC,CAmDnC;AAMD,6FAA6F;AAC7F,MAAM,WAAW,aAAa;IAC5B,+EAA+E;IAC/E,UAAU,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,kFAAkF;AAClF,MAAM,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,CAAC;AAExD;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC1B,4DAA4D;IAC5D,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,8CAA8C;IAC9C,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,wEAAwE;IACxE,aAAa,CAAC,EAAE,YAAY,CAAC;IAC7B,0DAA0D;IAC1D,UAAU,CAAC,EAAE,YAAY,CAAC;CAC3B;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,aAAa,CAAC,CAerF;AAMD,4CAA4C;AAC5C,MAAM,WAAW,mBAAmB;IAClC,qFAAqF;IACrF,QAAQ,EAAE,MAAM,CAAC;IACjB,sCAAsC;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,oFAAoF;IACpF,SAAS,EAAE,MAAM,CAAC;IAClB,oFAAoF;IACpF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB,oFAAoF;IACpF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iFAAiF;IACjF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mCAAmC;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,2BAA2B;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,mFAAmF;IACnF,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,kEAAkE;IAClE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iEAAiE;IACjE,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CAC1B;AAED,0CAA0C;AAC1C,MAAM,WAAW,kBAAkB;IACjC,kEAAkE;IAClE,KAAK,EAAE,MAAM,CAAC;IACd,gFAAgF;IAChF,OAAO,EAAE,MAAM,CAAC;CACjB;AAaD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,mBAAmB,GACxB,OAAO,CAAC,kBAAkB,CAAC,CA+D7B;AAMD,iDAAiD;AACjD,MAAM,WAAW,sBAAsB;IACrC,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,CAAC;IACjB,qCAAqC;IACrC,YAAY,EAAE,MAAM,CAAC;IACrB,wDAAwD;IACxD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sEAAsE;IACtE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC;;;OAGG;IACH,KAAK,CAAC,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IAC3C,iEAAiE;IACjE,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CAC1B;AAED,2DAA2D;AAC3D,MAAM,WAAW,mBAAmB;IAClC,4BAA4B;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,6DAA6D;IAC7D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2EAA2E;IAC3E,SAAS,CAAC,EAAE,IAAI,CAAC;CAClB;AAWD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,sBAAsB,GAC3B,MAAM,OAAO,CAAC,mBAAmB,CAAC,CA0EpC"}