@classytic/arc 1.1.0 → 2.1.2

package/dist/sessionManager-jPKLbHE0.d.mts

@@ -0,0 +1,187 @@
+import { FastifyPluginAsync, FastifyReply, FastifyRequest } from "fastify";
+
+//#region src/auth/sessionManager.d.ts
+/**
+ * Session data stored in the session store.
+ */
+interface SessionData {
+  /** User ID associated with this session */
+  userId: string;
+  /** Timestamp (ms since epoch) when session was created */
+  createdAt: number;
+  /** Timestamp (ms since epoch) when session was last refreshed */
+  updatedAt: number;
+  /** Timestamp (ms since epoch) when session expires */
+  expiresAt: number;
+  /** Optional metadata attached to the session */
+  metadata?: Record<string, unknown>;
+}
+/**
+ * Session store interface.
+ * Implement this for custom storage backends (Redis, database, etc.).
+ */
+interface SessionStore {
+  /** Retrieve a session by ID. Returns null if not found or expired. */
+  get(sessionId: string): Promise<SessionData | null>;
+  /** Create or update a session. */
+  set(sessionId: string, data: SessionData): Promise<void>;
+  /** Delete a single session. */
+  delete(sessionId: string): Promise<void>;
+  /** Delete all sessions for a user. */
+  deleteAll(userId: string): Promise<void>;
+  /** Delete all sessions for a user except the specified one. */
+  deleteAllExcept(userId: string, currentSessionId: string): Promise<void>;
+}
+/**
+ * Cookie configuration options.
+ */
+interface SessionCookieOptions {
+  /** Send cookie only over HTTPS (default: true in production) */
+  secure?: boolean;
+  /** Prevent client-side JavaScript access (default: true) */
+  httpOnly?: boolean;
+  /** SameSite attribute (default: 'lax') */
+  sameSite?: 'strict' | 'lax' | 'none';
+  /** Cookie path (default: '/') */
+  path?: string;
+  /** Cookie domain */
+  domain?: string;
+}
+/**
+ * Options for creating a session manager.
+ */
+interface SessionManagerOptions {
+  /** Session store implementation */
+  store: SessionStore;
+  /** Secret for signing session cookies (min 32 characters) */
+  secret: string;
+  /** Session max age in seconds (default: 604800 = 7 days) */
+  maxAge?: number;
+  /** Minimum interval between session updates in seconds (default: 86400 = 24h) */
+  updateAge?: number;
+  /** Time in seconds after which a session is no longer "fresh" (default: 600 = 10 min) */
+  freshAge?: number;
+  /** Cookie name (default: 'arc.session') */
+  cookieName?: string;
+  /** Cookie options */
+  cookie?: SessionCookieOptions;
+}
+/**
+ * Return type from createSessionManager.
+ */
+interface SessionManagerResult {
+  /** Fastify plugin that adds session middleware */
+  plugin: FastifyPluginAsync;
+  /** PreHandler that rejects requests without a fresh session */
+  requireFresh: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+}
+declare module 'fastify' {
+  interface FastifyInstance {
+    /** Authenticate middleware — validates session and sets request.user */
+    authenticate: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+    /** Session management helpers */
+    sessionManager: {
+      /** Create a new session for a user */createSession: (userId: string, metadata?: Record<string, unknown>) => Promise<{
+        sessionId: string;
+        cookie: string;
+      }>; /** Revoke a specific session */
+      revokeSession: (sessionId: string) => Promise<void>; /** Revoke all sessions for a user */
+      revokeAllSessions: (userId: string) => Promise<void>; /** Revoke all sessions except the current one */
+      revokeOtherSessions: (userId: string, currentSessionId: string) => Promise<void>; /** Refresh a session (reset updatedAt, extend expiry if needed) */
+      refreshSession: (sessionId: string) => Promise<SessionData | null>;
+    };
+  }
+  interface FastifyRequest {
+    /** Current session data (set by session plugin) */
+    session?: SessionData & {
+      id: string;
+    };
+  }
+}
+interface MemorySessionStoreOptions {
+  /** Cleanup interval in milliseconds (default: 60000 = 1 min) */
+  cleanupIntervalMs?: number;
+}
+/**
+ * In-memory session store for development and single-instance deployments.
+ * NOT suitable for multi-instance/clustered deployments — use Redis or similar.
+ */
+declare class MemorySessionStore implements SessionStore {
+  private sessions;
+  /** Reverse index: userId -> Set<sessionId> for efficient bulk operations */
+  private userIndex;
+  private cleanupInterval;
+  constructor(options?: MemorySessionStoreOptions);
+  get(sessionId: string): Promise<SessionData | null>;
+  set(sessionId: string, data: SessionData): Promise<void>;
+  delete(sessionId: string): Promise<void>;
+  deleteAll(userId: string): Promise<void>;
+  deleteAllExcept(userId: string, currentSessionId: string): Promise<void>;
+  /**
+   * Close the store and clean up resources.
+   */
+  close(): void;
+  /**
+   * Get current stats (for debugging/monitoring).
+   */
+  getStats(): {
+    sessions: number;
+    users: number;
+  };
+  /**
+   * Remove expired sessions.
+   */
+  private cleanup;
+}
+/**
+ * Create a session manager for Arc.
+ *
+ * Returns a Fastify plugin and a `requireFresh` preHandler.
+ *
+ * The plugin:
+ * - Parses session cookie on each request
+ * - Validates session against the store
+ * - Sets `request.user` and `request.session` from session data
+ * - Refreshes session token if older than `updateAge`
+ * - Provides `fastify.authenticate` decorator
+ * - Provides `fastify.sessionManager` decorator for session CRUD
+ *
+ * @example
+ * ```typescript
+ * import { createSessionManager, MemorySessionStore } from '@classytic/arc/auth';
+ *
+ * const sessions = createSessionManager({
+ *   store: new MemorySessionStore(),
+ *   secret: process.env.SESSION_SECRET!,
+ *   maxAge: 7 * 24 * 60 * 60,
+ *   updateAge: 24 * 60 * 60,
+ *   freshAge: 10 * 60,
+ * });
+ *
+ * await fastify.register(sessions.plugin);
+ *
+ * // Login route
+ * fastify.post('/login', async (request, reply) => {
+ *   const user = await authenticateUser(request.body);
+ *   const { cookie } = await fastify.sessionManager.createSession(user.id);
+ *   reply.header('Set-Cookie', cookie);
+ *   return { success: true, user };
+ * });
+ *
+ * // Protected route
+ * fastify.get('/me', {
+ *   preHandler: [fastify.authenticate],
+ * }, async (request) => {
+ *   return { user: request.user };
+ * });
+ *
+ * // Sensitive route (requires fresh session)
+ * fastify.post('/change-password', {
+ *   preHandler: [fastify.authenticate, sessions.requireFresh],
+ * }, handler);
+ * ```
+ */
+declare function createSessionManager(options: SessionManagerOptions): SessionManagerResult;
+//#endregion
+export { SessionManagerOptions as a, createSessionManager as c, SessionData as i, MemorySessionStoreOptions as n, SessionManagerResult as o, SessionCookieOptions as r, SessionStore as s, MemorySessionStore as t };
+//# sourceMappingURL=sessionManager-jPKLbHE0.d.mts.map

package/dist/sessionManager-jPKLbHE0.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessionManager-jPKLbHE0.d.mts","names":[],"sources":["../src/auth/sessionManager.ts"],"mappings":";;;;;;UA+CiB,WAAA;EAyBL;EAvBV,MAAA;EAyBA;EAvBA,SAAA;EAuBgC;EArBhC,SAAA;EAqBkE;EAnBlE,SAAA;EAyBe;EAvBf,QAAA,GAAW,MAAA;AAAA;;;;;UAOI,YAAA;EA0Bf;EAxBA,GAAA,CAAI,SAAA,WAAoB,OAAA,CAAQ,WAAA;EAwB1B;EAtBN,GAAA,CAAI,SAAA,UAAmB,IAAA,EAAM,WAAA,GAAc,OAAA;EA4BP;EA1BpC,MAAA,CAAO,SAAA,WAAoB,OAAA;EAwCE;EAtC7B,SAAA,CAAU,MAAA,WAAiB,OAAA;EA0BpB;EAxBP,eAAA,CAAgB,MAAA,UAAgB,gBAAA,WAA2B,OAAA;AAAA;;;;UAM5C,oBAAA;EA8BN;EA5BT,MAAA;EA4B6B;EA1B7B,QAAA;EAgCmC;EA9BnC,QAAA;EAgCQ;EA9BR,IAAA;EAgC+C;EA9B/C,MAAA;AAAA;;;;UAMe,qBAAA;EAwBS;EAtBxB,KAAA,EAAO,YAAA;EAsBwC;EApB/C,MAAA;EAoBgE;EAlBhE,MAAA;EAkBuE;EAhBvE,SAAA;EAiBD;EAfC,QAAA;EAwB0B;EAtB1B,UAAA;EAsBkE;EApBlE,MAAA,GAAS,oBAAA;AAAA;;;;UAMM,oBAAA;EA6B4B;EA3B3C,MAAA,EAAQ,kBAAA;EAiCe;EA/BvB,YAAA,GAAe,OAAA,EAAS,cAAA,EAAgB,KAAA,EAAO,YAAA,KAAiB,OAAA;AAAA;AAAA;EAAA,UAQtD,eAAA;IAEO;IAAf,YAAA,GAAe,OAAA,EAAS,cAAA,EAAgB,KAAA,EAAO,YAAA,KAAiB,OAAA;IAAxB;IAExC,cAAA;MAAA,sCAEE,aAAA,GACE,MAAA,UACA,QAAA,GAAW,MAAA,sBACR,OAAA;QAAU,SAAA;QAAmB,MAAA;MAAA,IAA7B;MAEL,aAAA,GAAgB,SAAA,aAAsB,OAAA,QAFJ;MAIlC,iBAAA,GAAoB,MAAA,aAAmB,OAAA,QAFvB;MAIhB,mBAAA,GAAsB,MAAA,UAAgB,gBAAA,aAA6B,OAAA,QAFnE;MAIA,cAAA,GAAiB,SAAA,aAAsB,OAAA,CAAQ,WAAA;IAAA;EAAA;EAAA,UAIzC,cAAA;IANgC;IAQxC,OAAA,GAAU,WAAA;MAAgB,EAAA;IAAA;EAAA;AAAA;AAAA,UAuHb,yBAAA;EAvHb;EAyHF,iBAAA;AAAA;;;;AAFF;cASa,kBAAA,YAA8B,YAAA;EAAA,QACjC,QAAA;EARR;EAAA,QAUQ,SAAA;EAAA,QACA,eAAA;cAEI,OAAA,GAAS,yBAAA;EAYf,GAAA,CAAI,SAAA,WAAoB,OAAA,CAAQ,WAAA;EAahC,GAAA,CAAI,SAAA,UAAmB,IAAA,EAAM,WAAA,GAAc,OAAA;EAY3C,MAAA,CAAO,SAAA,WAAoB,OAAA;EAe3B,SAAA,CAAU,MAAA,WAAiB,OAAA;EAU3B,eAAA,CAAgB,MAAA,UAAgB,gBAAA,WAA2B,OAAA;EArChB;;;EA0DjD,KAAA,CAAA;EAzFyC;;;EAqGzC,QAAA,CAAA;IAAc,QAAA;IAAkB,KAAA;EAAA;;;;UAUxB,OAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;AAuEV;;;;;;;;;;;;;;;;;;;;;;;;iBAAgB,oBAAA,CAAqB,OAAA,EAAS,qBAAA,GAAwB,oBAAA"}

package/dist/sse-B3c3_yZp.mjs

@@ -0,0 +1,124 @@
+import { t as __exportAll } from "./chunk-C7Uep-_p.mjs";
+import { n as PUBLIC_SCOPE, r as getOrgId } from "./types-Beqn1Un7.mjs";
+import { t as arcLog } from "./logger-Df2O2WsW.mjs";
+import fp from "fastify-plugin";
+
+//#region src/plugins/sse.ts
+/**
+* SSE Plugin (Server-Sent Events)
+*
+* Streams domain events to clients over HTTP using Server-Sent Events.
+* Requires the events plugin (`arc-events`) to be registered first.
+*
+* @example
+* import { ssePlugin } from '@classytic/arc/plugins';
+*
+* // Basic — stream all events at /events/stream
+* await fastify.register(ssePlugin);
+*
+* // Filtered + org-scoped
+* await fastify.register(ssePlugin, {
+*   path: '/api/events',
+*   patterns: ['order.*', 'product.*'],
+*   orgScoped: true,
+* });
+*/
+var sse_exports = /* @__PURE__ */ __exportAll({
+	default: () => sse_default,
+	ssePlugin: () => ssePlugin
+});
+const log = arcLog("sse");
+const ssePlugin = async (fastify, opts = {}) => {
+	const { path = "/events/stream", requireAuth = true, patterns = ["*"], heartbeat = 3e4, orgScoped = false, filter: customFilter } = opts;
+	if (!fastify.hasDecorator("events")) {
+		log.warn("Events plugin (arc-events) not registered. SSE plugin will not function. Register eventPlugin before ssePlugin.");
+		return;
+	}
+	const activeConnections = /* @__PURE__ */ new Set();
+	const routeOpts = {
+		method: "GET",
+		url: path,
+		schema: {
+			tags: ["Events"],
+			summary: "SSE event stream",
+			description: "Server-Sent Events stream for real-time domain events",
+			response: { 200: {
+				type: "string",
+				description: "text/event-stream"
+			} }
+		},
+		handler: async (request, reply) => {
+			reply.hijack();
+			reply.raw.writeHead(200, {
+				"content-type": "text/event-stream",
+				"cache-control": "no-cache",
+				connection: "keep-alive",
+				"x-accel-buffering": "no"
+			});
+			reply.raw.flushHeaders();
+			const unsubscribers = [];
+			const requestOrgId = getOrgId(request.scope ?? PUBLIC_SCOPE);
+			const dropOrgEvents = orgScoped && !requestOrgId;
+			for (const pattern of patterns) {
+				const unsub = await fastify.events.subscribe(pattern, async (event) => {
+					if (orgScoped) {
+						const eventOrgId = event.meta?.organizationId;
+						if (dropOrgEvents && eventOrgId) return;
+						if (requestOrgId && eventOrgId && eventOrgId !== requestOrgId) return;
+					}
+					if (customFilter && !customFilter(event, request)) return;
+					const data = JSON.stringify({
+						type: event.type,
+						payload: event.payload,
+						meta: {
+							id: event.meta.id,
+							timestamp: event.meta.timestamp
+						}
+					});
+					if (!reply.raw.write(`event: ${event.type}\ndata: ${data}\n\n`)) {
+						request.raw.destroy(/* @__PURE__ */ new Error("SSE connection terminated: slow client backpressure"));
+						cleanup();
+					}
+				});
+				unsubscribers.push(unsub);
+			}
+			const heartbeatTimer = setInterval(() => {
+				if (!reply.raw.write(": heartbeat\n\n")) {
+					request.raw.destroy(/* @__PURE__ */ new Error("SSE connection terminated: heartbeat backpressure"));
+					cleanup();
+				}
+			}, heartbeat);
+			const cleanup = () => {
+				clearInterval(heartbeatTimer);
+				for (const unsub of unsubscribers) unsub();
+				if (!reply.raw.writableEnded) reply.raw.end();
+				activeConnections.delete(cleanup);
+			};
+			activeConnections.add(cleanup);
+			request.raw.on("close", cleanup);
+		}
+	};
+	if (requireAuth) {
+		if (!fastify.hasDecorator("authenticate")) throw new Error("[arc-sse] requireAuth is true but fastify.authenticate is not registered. Register an auth plugin before SSE, or set requireAuth: false.");
+		routeOpts.preHandler = fastify.authenticate;
+	}
+	fastify.route(routeOpts);
+	fastify.addHook("onClose", async () => {
+		for (const cleanup of activeConnections) cleanup();
+		activeConnections.clear();
+	});
+	log.debug("Plugin registered", {
+		path,
+		patterns,
+		orgScoped
+	});
+};
+var sse_default = fp(ssePlugin, {
+	name: "arc-sse",
+	fastify: "5.x",
+	dependencies: ["arc-events"]
+});
+
+//#endregion
+export { sse_default as n, sse_exports as r, ssePlugin as t };
+//# sourceMappingURL=sse-B3c3_yZp.mjs.map

package/dist/sse-B3c3_yZp.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"sse-B3c3_yZp.mjs","names":[],"sources":["../src/plugins/sse.ts"],"sourcesContent":["/**\n * SSE Plugin (Server-Sent Events)\n *\n * Streams domain events to clients over HTTP using Server-Sent Events.\n * Requires the events plugin (`arc-events`) to be registered first.\n *\n * @example\n * import { ssePlugin } from '@classytic/arc/plugins';\n *\n * // Basic — stream all events at /events/stream\n * await fastify.register(ssePlugin);\n *\n * // Filtered + org-scoped\n * await fastify.register(ssePlugin, {\n *   path: '/api/events',\n *   patterns: ['order.*', 'product.*'],\n *   orgScoped: true,\n * });\n */\n\nimport fp from \"fastify-plugin\";\nimport type {\n  FastifyInstance,\n  FastifyPluginAsync,\n  FastifyRequest,\n  FastifyReply,\n} from \"fastify\";\nimport type { DomainEvent } from \"../events/EventTransport.js\";\nimport { getOrgId, PUBLIC_SCOPE } from \"../scope/types.js\";\nimport type { RequestScope } from \"../scope/types.js\";\nimport { arcLog } from \"../logger/index.js\";\n\nconst log = arcLog(\"sse\");\n\nexport interface SSEOptions {\n  /** SSE endpoint path (default: '/events/stream') */\n  path?: string;\n  /** Require authentication (default: true) */\n  requireAuth?: boolean;\n  /** Event patterns to stream (default: ['*'] = all) */\n  patterns?: string[];\n  /** Heartbeat interval in ms (default: 30000) */\n  heartbeat?: number;\n  /** Filter events by organizationId from request.scope (default: false) */\n  orgScoped?: boolean;\n  /** Custom event filter function */\n  filter?: (event: DomainEvent<unknown>, request: FastifyRequest) => boolean;\n}\n\n// ============================================================================\n// Plugin\n// ============================================================================\n\nconst ssePlugin: FastifyPluginAsync<SSEOptions> = async (\n  fastify: FastifyInstance,\n  opts: SSEOptions = {},\n) => {\n  const {\n    path = \"/events/stream\",\n    requireAuth = true,\n    patterns = [\"*\"],\n    heartbeat = 30000,\n    orgScoped = false,\n    filter: customFilter,\n  } = opts;\n\n  // Check that events plugin is registered\n  if (!fastify.hasDecorator(\"events\")) {\n    log.warn(\n      \"Events plugin (arc-events) not registered. SSE plugin will not function. \" +\n        \"Register eventPlugin before ssePlugin.\",\n    );\n    return;\n  }\n\n  // Track active connections for cleanup\n  const activeConnections = new Set<() => void>();\n\n  // Build route options\n  const routeOpts: {\n    method: \"GET\";\n    url: string;\n    schema: Record<string, unknown>;\n    preHandler?: (\n      request: FastifyRequest,\n      reply: FastifyReply,\n    ) => Promise<void>;\n    handler: (request: FastifyRequest, reply: FastifyReply) => Promise<void>;\n  } = {\n    method: \"GET\",\n    url: path,\n    schema: {\n      tags: [\"Events\"],\n      summary: \"SSE event stream\",\n      description: \"Server-Sent Events stream for real-time domain events\",\n      response: {\n        200: {\n          type: \"string\",\n          description: \"text/event-stream\",\n        },\n      },\n    },\n    handler: async (\n      request: FastifyRequest,\n      reply: FastifyReply,\n    ): Promise<void> => {\n      // 1. Tell Fastify we are taking over the socket\n      reply.hijack();\n\n      // Set SSE headers and flush immediately so clients detect the connection\n      reply.raw.writeHead(200, {\n        \"content-type\": \"text/event-stream\",\n        \"cache-control\": \"no-cache\",\n        connection: \"keep-alive\",\n        \"x-accel-buffering\": \"no\", // Disable nginx buffering\n      });\n      reply.raw.flushHeaders();\n\n      // Track unsubscribers for cleanup\n      const unsubscribers: (() => void)[] = [];\n\n      // Get org context from request.scope for filtering\n      const scope: RequestScope = request.scope ?? PUBLIC_SCOPE;\n      const requestOrgId = getOrgId(scope);\n\n      // Subscribe to each pattern\n      // If orgScoped is enabled but caller has no org context, drop all org events\n      // to prevent leaking data across organizations\n      const dropOrgEvents = orgScoped && !requestOrgId;\n\n      for (const pattern of patterns) {\n        const unsub = await fastify.events.subscribe(\n          pattern,\n          async (event: DomainEvent<unknown>) => {\n            // Org-scoped filtering: only forward events for the user's org\n            if (orgScoped) {\n              const eventOrgId = (event.meta as Record<string, unknown>)\n                ?.organizationId;\n              // If caller has no org, drop any event that carries an orgId\n              if (dropOrgEvents && eventOrgId) return;\n              // If caller has an org, only forward events matching their org\n              if (requestOrgId && eventOrgId && eventOrgId !== requestOrgId)\n                return;\n            }\n\n            // Custom filter\n            if (customFilter && !customFilter(event, request)) return;\n\n            // Write SSE event\n            const data = JSON.stringify({\n              type: event.type,\n              payload: event.payload,\n              meta: { id: event.meta.id, timestamp: event.meta.timestamp },\n            });\n            const success = reply.raw.write(\n              `event: ${event.type}\\ndata: ${data}\\n\\n`,\n            );\n            if (!success) {\n              // TCP Backpressure / Slow Client Check:\n              // Terminate connection if buffer is full to prevent unbounded memory leaks via L7 proxies\n              request.raw.destroy(\n                new Error(\n                  \"SSE connection terminated: slow client backpressure\",\n                ),\n              );\n              cleanup();\n            }\n          },\n        );\n        unsubscribers.push(unsub);\n      }\n\n      // Heartbeat to keep connection alive\n      const heartbeatTimer = setInterval(() => {\n        const success = reply.raw.write(\": heartbeat\\n\\n\");\n        if (!success) {\n          request.raw.destroy(\n            new Error(\"SSE connection terminated: heartbeat backpressure\"),\n          );\n          cleanup();\n        }\n      }, heartbeat);\n\n      // Cleanup function\n      const cleanup = () => {\n        clearInterval(heartbeatTimer);\n        for (const unsub of unsubscribers) {\n          unsub();\n        }\n        // End the response to release the connection\n        if (!reply.raw.writableEnded) {\n          reply.raw.end();\n        }\n        activeConnections.delete(cleanup);\n      };\n\n      activeConnections.add(cleanup);\n\n      // Cleanup on client disconnect\n      request.raw.on(\"close\", cleanup);\n    },\n  };\n\n  // Add auth preHandler if required — fail-closed: throw if decorator missing\n  if (requireAuth) {\n    if (!fastify.hasDecorator(\"authenticate\")) {\n      throw new Error(\n        \"[arc-sse] requireAuth is true but fastify.authenticate is not registered. \" +\n          \"Register an auth plugin before SSE, or set requireAuth: false.\",\n      );\n    }\n    routeOpts.preHandler = fastify.authenticate;\n  }\n\n  fastify.route(routeOpts);\n\n  // Cleanup all connections on server close\n  fastify.addHook(\"onClose\", async () => {\n    for (const cleanup of activeConnections) {\n      cleanup();\n    }\n    activeConnections.clear();\n  });\n\n  log.debug(\"Plugin registered\", { path, patterns, orgScoped });\n};\n\nexport default fp(ssePlugin, {\n  name: \"arc-sse\",\n  fastify: \"5.x\",\n  dependencies: [\"arc-events\"],\n});\n\nexport { ssePlugin };\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCA,MAAM,MAAM,OAAO,MAAM;AAqBzB,MAAM,YAA4C,OAChD,SACA,OAAmB,EAAE,KAClB;CACH,MAAM,EACJ,OAAO,kBACP,cAAc,MACd,WAAW,CAAC,IAAI,EAChB,YAAY,KACZ,YAAY,OACZ,QAAQ,iBACN;AAGJ,KAAI,CAAC,QAAQ,aAAa,SAAS,EAAE;AACnC,MAAI,KACF,kHAED;AACD;;CAIF,MAAM,oCAAoB,IAAI,KAAiB;CAG/C,MAAM,YASF;EACF,QAAQ;EACR,KAAK;EACL,QAAQ;GACN,MAAM,CAAC,SAAS;GAChB,SAAS;GACT,aAAa;GACb,UAAU,EACR,KAAK;IACH,MAAM;IACN,aAAa;IACd,EACF;GACF;EACD,SAAS,OACP,SACA,UACkB;AAElB,SAAM,QAAQ;AAGd,SAAM,IAAI,UAAU,KAAK;IACvB,gBAAgB;IAChB,iBAAiB;IACjB,YAAY;IACZ,qBAAqB;IACtB,CAAC;AACF,SAAM,IAAI,cAAc;GAGxB,MAAM,gBAAgC,EAAE;GAIxC,MAAM,eAAe,SADO,QAAQ,SAAS,aACT;GAKpC,MAAM,gBAAgB,aAAa,CAAC;AAEpC,QAAK,MAAM,WAAW,UAAU;IAC9B,MAAM,QAAQ,MAAM,QAAQ,OAAO,UACjC,SACA,OAAO,UAAgC;AAErC,SAAI,WAAW;MACb,MAAM,aAAc,MAAM,MACtB;AAEJ,UAAI,iBAAiB,WAAY;AAEjC,UAAI,gBAAgB,cAAc,eAAe,aAC/C;;AAIJ,SAAI,gBAAgB,CAAC,aAAa,OAAO,QAAQ,CAAE;KAGnD,MAAM,OAAO,KAAK,UAAU;MAC1B,MAAM,MAAM;MACZ,SAAS,MAAM;MACf,MAAM;OAAE,IAAI,MAAM,KAAK;OAAI,WAAW,MAAM,KAAK;OAAW;MAC7D,CAAC;AAIF,SAAI,CAHY,MAAM,IAAI,MACxB,UAAU,MAAM,KAAK,UAAU,KAAK,MACrC,EACa;AAGZ,cAAQ,IAAI,wBACV,IAAI,MACF,sDACD,CACF;AACD,eAAS;;MAGd;AACD,kBAAc,KAAK,MAAM;;GAI3B,MAAM,iBAAiB,kBAAkB;AAEvC,QAAI,CADY,MAAM,IAAI,MAAM,kBAAkB,EACpC;AACZ,aAAQ,IAAI,wBACV,IAAI,MAAM,oDAAoD,CAC/D;AACD,cAAS;;MAEV,UAAU;GAGb,MAAM,gBAAgB;AACpB,kBAAc,eAAe;AAC7B,SAAK,MAAM,SAAS,cAClB,QAAO;AAGT,QAAI,CAAC,MAAM,IAAI,cACb,OAAM,IAAI,KAAK;AAEjB,sBAAkB,OAAO,QAAQ;;AAGnC,qBAAkB,IAAI,QAAQ;AAG9B,WAAQ,IAAI,GAAG,SAAS,QAAQ;;EAEnC;AAGD,KAAI,aAAa;AACf,MAAI,CAAC,QAAQ,aAAa,eAAe,CACvC,OAAM,IAAI,MACR,2IAED;AAEH,YAAU,aAAa,QAAQ;;AAGjC,SAAQ,MAAM,UAAU;AAGxB,SAAQ,QAAQ,WAAW,YAAY;AACrC,OAAK,MAAM,WAAW,kBACpB,UAAS;AAEX,oBAAkB,OAAO;GACzB;AAEF,KAAI,MAAM,qBAAqB;EAAE;EAAM;EAAU;EAAW,CAAC;;AAG/D,kBAAe,GAAG,WAAW;CAC3B,MAAM;CACN,SAAS;CACT,cAAc,CAAC,aAAa;CAC7B,CAAC"}