@codemation/host 0.8.0 → 0.9.1

package/dist/{InternalPingRegistrar-DY3kSfxP.js → InternalPingRegistrar-BavAAnvk.js}

@@ -9,10 +9,11 @@ const PairingConfigToken = Symbol.for("codemation.pairing.PairingConfig");
 //#endregion
 //#region src/pairing/HmacRequestSigner.ts
 let HmacRequestSigner = class HmacRequestSigner$1 {
-	constructor(config) {
+	constructor(config = null) {
 		this.config = config;
 	}
 	sign(method, urlOrPath, body) {
+		if (this.config === null) throw new Error("HmacRequestSigner.sign called without a registered PairingConfig — workspace is not in managed mode.");
 		const ts = Math.floor(Date.now() / 1e3);
 		const nonce = randomBytes(16).toString("base64");
 		const parsed = new URL(urlOrPath, "http://placeholder");
@@ -31,7 +32,7 @@ let HmacRequestSigner = class HmacRequestSigner$1 {
 };
 HmacRequestSigner = __decorate([
 	injectable(),
-	__decorateParam(0, inject(PairingConfigToken)),
+	__decorateParam(0, inject(PairingConfigToken, { isOptional: true })),
 	__decorateMetadata("design:paramtypes", [Object])
 ], HmacRequestSigner);
 
@@ -104,15 +105,20 @@ var PairingConfigFactory = class {
 	}
 };
 
+//#endregion
+//#region src/pairing/HmacNonceStoreToken.ts
+const HmacNonceStoreToken = Symbol.for("codemation.pairing.HmacNonceStore");
+
 //#endregion
 //#region src/pairing/IncomingHmacVerifier.ts
 let IncomingHmacVerifier = class IncomingHmacVerifier$1 {
-	usedNonces = /* @__PURE__ */ new Map();
 	nonceTtlSeconds = 600;
-	constructor(config) {
+	constructor(config = null, nonceStore) {
 		this.config = config;
+		this.nonceStore = nonceStore;
 	}
-	verify(method, url, body, authHeader) {
+	async verify(method, url, body, authHeader) {
+		if (this.config === null) throw new Error("IncomingHmacVerifier.verify called without a registered PairingConfig — workspace is not in managed mode.");
 		if (!this.config.pairingSecret || this.config.pairingSecret.trim().length === 0) throw new Error("IncomingHmacVerifier: pairingSecret is not configured — cannot verify HMAC requests.");
 		if (!authHeader?.startsWith("Codemation-Hmac ")) return { failure: "missing" };
 		const parts = this.parseHeader(authHeader);
@@ -135,10 +141,9 @@ let IncomingHmacVerifier = class IncomingHmacVerifier$1 {
 		const expectedBuf = Buffer.from(expected);
 		const actualBuf = Buffer.from(parts.sig);
 		if (expectedBuf.length !== actualBuf.length || !timingSafeEqual(expectedBuf, actualBuf)) return { failure: "signature" };
-		this.pruneExpiredNonces(nowSec);
 		const nonceKey = `${parts.workspaceId}:${parts.nonce}`;
-		if (this.usedNonces.has(nonceKey)) return { failure: "replay" };
-		this.usedNonces.set(nonceKey, nowSec + this.nonceTtlSeconds);
+		const nonceExpiresAt = /* @__PURE__ */ new Date((nowSec + this.nonceTtlSeconds) * 1e3);
+		if (!await this.nonceStore.recordIfNew(nonceKey, nonceExpiresAt)) return { failure: "replay" };
 		return { workspaceId: parts.workspaceId };
 	}
 	parseHeader(header) {
@@ -159,14 +164,12 @@ let IncomingHmacVerifier = class IncomingHmacVerifier$1 {
 			sig
 		};
 	}
-	pruneExpiredNonces(nowSec) {
-		for (const [key, expiry] of this.usedNonces.entries()) if (expiry <= nowSec) this.usedNonces.delete(key);
-	}
 };
 IncomingHmacVerifier = __decorate([
 	injectable(),
-	__decorateParam(0, inject(PairingConfigToken)),
-	__decorateMetadata("design:paramtypes", [Object])
+	__decorateParam(0, inject(PairingConfigToken, { isOptional: true })),
+	__decorateParam(1, inject(HmacNonceStoreToken)),
+	__decorateMetadata("design:paramtypes", [Object, Object])
 ], IncomingHmacVerifier);
 
 //#endregion
@@ -179,7 +182,7 @@ let InternalHmacAuthMiddleware = class InternalHmacAuthMiddleware$1 {
 	handle() {
 		return async (c, next) => {
 			const body = c.req.method === "GET" || c.req.method === "HEAD" ? "" : await c.req.text();
-			if ("failure" in this.verifier.verify(c.req.method, c.req.url, body, c.req.header("authorization") ?? null)) return c.json({ error: "Unauthorized" }, 401);
+			if ("failure" in await this.verifier.verify(c.req.method, c.req.url, body, c.req.header("authorization") ?? null)) return c.json({ error: "Unauthorized" }, 401);
 			c.set("body", body);
 			await next();
 		};
@@ -217,5 +220,5 @@ InternalPingRegistrar = __decorate([
 ], InternalPingRegistrar);
 
 //#endregion
-export { PairedFetch as a, PairingConfigFactory as i, InternalHmacAuthMiddleware as n, HmacRequestSigner as o, IncomingHmacVerifier as r, PairingConfigToken as s, InternalPingRegistrar as t };
-//# sourceMappingURL=InternalPingRegistrar-DY3kSfxP.js.map
+export { PairingConfigFactory as a, PairingConfigToken as c, HmacNonceStoreToken as i, InternalHmacAuthMiddleware as n, PairedFetch as o, IncomingHmacVerifier as r, HmacRequestSigner as s, InternalPingRegistrar as t };
+//# sourceMappingURL=InternalPingRegistrar-BavAAnvk.js.map

package/dist/InternalPingRegistrar-BavAAnvk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"InternalPingRegistrar-BavAAnvk.js","names":["HmacRequestSigner","config: PairingConfig | null","PairedFetch","signer: HmacRequestSigner","IncomingHmacVerifier","config: PairingConfig | null","nonceStore: HmacNonceStore","fields: Record<string, string>","InternalHmacAuthMiddleware","verifier: IncomingHmacVerifier","InternalPingRegistrar","hmacMiddleware: InternalHmacAuthMiddleware","pairingConfig: PairingConfig"],"sources":["../src/pairing/PairingConfigToken.ts","../src/pairing/HmacRequestSigner.ts","../src/pairing/PairedFetch.ts","../src/pairing/PairingConfigFactory.ts","../src/pairing/HmacNonceStoreToken.ts","../src/pairing/IncomingHmacVerifier.ts","../src/pairing/InternalHmacAuthMiddleware.ts","../src/pairing/InternalPingRegistrar.ts"],"sourcesContent":["import type { TypeToken } from \"@codemation/core\";\nimport type { PairingConfig } from \"./pairing.types\";\n\n// Symbol token so the DI container can inject PairingConfig.\n// Registered by PairingConfigFactory in the composition root.\nexport const PairingConfigToken = Symbol.for(\"codemation.pairing.PairingConfig\") as TypeToken<PairingConfig>;\n","import { createHmac, createHash, randomBytes } from \"node:crypto\";\nimport { inject, injectable } from \"@codemation/core\";\nimport type { PairingConfig } from \"./pairing.types\";\nimport { PairingConfigToken } from \"./PairingConfigToken\";\n\nexport interface SignedHeaders {\n  readonly Authorization: string;\n}\n\n@injectable()\nexport class HmacRequestSigner {\n  constructor(@inject(PairingConfigToken, { isOptional: true }) private readonly config: PairingConfig | null = null) {}\n\n  sign(method: string, urlOrPath: string, body: string): SignedHeaders {\n    if (this.config === null) {\n      // Should never happen in managed mode (PairingConfig is registered then). In non-managed\n      // mode this signer should never be called — callers like `PairedFetch` are themselves\n      // only reachable via `ControlPlaneCatalogFetcher` whose poll loop checks `pairingConfig`.\n      // If we land here, a CP-bound call escaped that guard.\n      throw new Error(\n        \"HmacRequestSigner.sign called without a registered PairingConfig — workspace is not in managed mode.\",\n      );\n    }\n    const ts = Math.floor(Date.now() / 1000);\n    const nonce = randomBytes(16).toString(\"base64\");\n\n    const parsed = new URL(urlOrPath, \"http://placeholder\");\n    const path = (parsed.pathname + parsed.search).toLowerCase();\n\n    const bodyHash = createHash(\"sha256\").update(body, \"utf8\").digest(\"hex\");\n    const baseString = [method.toUpperCase(), path, ts, nonce, bodyHash].join(\"\\n\");\n\n    // eslint-disable-next-line codemation/no-buffer-everything -- pairing secret is 32 bytes, never large\n    const secretBytes = Buffer.from(this.config.pairingSecret, \"base64\");\n    const sig = createHmac(\"sha256\", secretBytes).update(baseString, \"utf8\").digest(\"base64\");\n\n    return {\n      Authorization: `Codemation-Hmac v=1,workspaceId=${this.config.workspaceId},ts=${ts},nonce=${nonce},sig=${sig}`,\n    };\n  }\n}\n","import { inject, injectable } from \"@codemation/core\";\nimport { HmacRequestSigner } from \"./HmacRequestSigner\";\n\n/**\n * Thin fetch wrapper that automatically HMAC-signs outgoing requests\n * to the control plane using the workspace's pairing secret.\n *\n * Use this for any server-to-server request from the installation to the CP.\n */\n@injectable()\nexport class PairedFetch {\n  constructor(@inject(HmacRequestSigner) private readonly signer: HmacRequestSigner) {}\n\n  async get(url: string): Promise<Response> {\n    const headers = this.signer.sign(\"GET\", url, \"\");\n    return fetch(url, { method: \"GET\", headers: { ...headers } });\n  }\n\n  async post(url: string, body: unknown): Promise<Response> {\n    const bodyString = JSON.stringify(body);\n    const headers = this.signer.sign(\"POST\", url, bodyString);\n    return fetch(url, {\n      method: \"POST\",\n      headers: { ...headers, \"Content-Type\": \"application/json\" },\n      body: bodyString,\n    });\n  }\n\n  async delete(url: string): Promise<Response> {\n    const headers = this.signer.sign(\"DELETE\", url, \"\");\n    return fetch(url, { method: \"DELETE\", headers: { ...headers } });\n  }\n}\n","import type { PairingConfig } from \"./pairing.types\";\n\n/**\n * Reads pairing configuration from environment variables.\n *\n * Required env vars when pairing is enabled:\n *   WORKSPACE_ID               — the workspace's database ID\n *   WORKSPACE_PAIRING_SECRET   — base64-encoded 32-byte shared secret\n *   CONTROL_PLANE_URL          — base URL of the control plane API\n *\n * Returns null if any required variable is absent (pairing disabled).\n * See docs/pairing-protocol.md for full bootstrap instructions.\n */\nexport class PairingConfigFactory {\n  create(env: Readonly<NodeJS.ProcessEnv>): PairingConfig | null {\n    const workspaceId = env[\"WORKSPACE_ID\"];\n    const pairingSecret = env[\"WORKSPACE_PAIRING_SECRET\"];\n    const controlPlaneUrl = env[\"CONTROL_PLANE_URL\"];\n\n    if (!workspaceId || !pairingSecret || !controlPlaneUrl) {\n      return null;\n    }\n\n    // eslint-disable-next-line codemation/no-buffer-everything -- pairing secret is always 32 bytes; bounded by validation below.\n    const decoded = Buffer.from(pairingSecret, \"base64\");\n    if (decoded.length !== 32) {\n      throw new Error(\n        `WORKSPACE_PAIRING_SECRET must be a base64-encoded 32-byte value (got ${decoded.length} bytes). ` +\n          `Generate a valid secret with: openssl rand -base64 32`,\n      );\n    }\n\n    return { workspaceId, pairingSecret, controlPlaneUrl };\n  }\n}\n","import type { TypeToken } from \"@codemation/core\";\nimport type { HmacNonceStore } from \"./HmacNonceStore\";\n\nexport const HmacNonceStoreToken = Symbol.for(\"codemation.pairing.HmacNonceStore\") as TypeToken<HmacNonceStore>;\n","import { createHmac, createHash, timingSafeEqual } from \"node:crypto\";\nimport { inject, injectable } from \"@codemation/core\";\nimport type { PairingConfig, PairingVerificationResult } from \"./pairing.types\";\nimport { PairingConfigToken } from \"./PairingConfigToken\";\nimport type { HmacNonceStore } from \"./HmacNonceStore\";\nimport { HmacNonceStoreToken } from \"./HmacNonceStoreToken\";\n\n/**\n * Verifies incoming HMAC-signed requests from the control plane.\n * Mirrors the control-plane HmacVerifier — both sides follow docs/pairing-protocol.md.\n *\n * Security (T6): The nonce store is injected and defaults to PrismaHmacNonceStore in\n * managed mode so replay protection survives process restarts within the 300-second\n * timestamp window.\n */\n@injectable()\nexport class IncomingHmacVerifier {\n  private readonly nonceTtlSeconds = 600; // 10 minutes\n\n  constructor(\n    @inject(PairingConfigToken, { isOptional: true }) private readonly config: PairingConfig | null = null,\n    @inject(HmacNonceStoreToken) private readonly nonceStore: HmacNonceStore,\n  ) {}\n\n  async verify(\n    method: string,\n    url: string,\n    body: string,\n    authHeader: string | null,\n  ): Promise<PairingVerificationResult> {\n    if (this.config === null) {\n      // Same shape as HmacRequestSigner — verifier is reachable via the DI graph even in\n      // non-managed mode (lazy CodemationHonoApiApp construction pulls every registered handler).\n      // We accept construction without PairingConfig and throw only when verify() is actually\n      // called, which shouldn't happen in non-managed mode (internal HMAC routes aren't mounted).\n      throw new Error(\n        \"IncomingHmacVerifier.verify called without a registered PairingConfig — workspace is not in managed mode.\",\n      );\n    }\n    if (!this.config.pairingSecret || this.config.pairingSecret.trim().length === 0) {\n      throw new Error(\"IncomingHmacVerifier: pairingSecret is not configured — cannot verify HMAC requests.\");\n    }\n\n    if (!authHeader?.startsWith(\"Codemation-Hmac \")) {\n      return { failure: \"missing\" };\n    }\n\n    const parts = this.parseHeader(authHeader);\n    if (!parts) return { failure: \"missing\" };\n    if (parts.v !== \"1\") return { failure: \"version\" };\n\n    const nowSec = Math.floor(Date.now() / 1000);\n    if (Math.abs(nowSec - parts.ts) > 300) return { failure: \"expired\" };\n\n    if (parts.workspaceId !== this.config.workspaceId) return { failure: \"workspace\" };\n\n    const parsed = new URL(url, \"http://placeholder\");\n    const path = (parsed.pathname + parsed.search).toLowerCase();\n    const bodyHash = createHash(\"sha256\").update(body, \"utf8\").digest(\"hex\");\n    const baseString = [method.toUpperCase(), path, parts.ts, parts.nonce, bodyHash].join(\"\\n\");\n\n    // eslint-disable-next-line codemation/no-buffer-everything -- pairing secret is 32 bytes, never large\n    const secretBytes = Buffer.from(this.config.pairingSecret, \"base64\");\n    const expected = createHmac(\"sha256\", secretBytes).update(baseString, \"utf8\").digest(\"base64\");\n\n    const expectedBuf = Buffer.from(expected);\n    const actualBuf = Buffer.from(parts.sig);\n    if (expectedBuf.length !== actualBuf.length || !timingSafeEqual(expectedBuf, actualBuf)) {\n      return { failure: \"signature\" };\n    }\n\n    const nonceKey = `${parts.workspaceId}:${parts.nonce}`;\n    const nonceExpiresAt = new Date((nowSec + this.nonceTtlSeconds) * 1000);\n    const isNew = await this.nonceStore.recordIfNew(nonceKey, nonceExpiresAt);\n    if (!isNew) return { failure: \"replay\" };\n\n    return { workspaceId: parts.workspaceId };\n  }\n\n  private parseHeader(header: string): {\n    v: string;\n    workspaceId: string;\n    ts: number;\n    nonce: string;\n    sig: string;\n  } | null {\n    const payload = header.slice(\"Codemation-Hmac \".length);\n    const fields: Record<string, string> = {};\n    for (const part of payload.split(\",\")) {\n      const eq = part.indexOf(\"=\");\n      if (eq === -1) return null;\n      fields[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();\n    }\n    const { v, workspaceId, ts, nonce, sig } = fields;\n    if (!v || !workspaceId || !ts || !nonce || !sig) return null;\n    return { v, workspaceId, ts: Number(ts), nonce, sig };\n  }\n}\n","import { inject, injectable } from \"@codemation/core\";\nimport type { Context, MiddlewareHandler, Next } from \"hono\";\nimport { IncomingHmacVerifier } from \"./IncomingHmacVerifier\";\n\n/**\n * Hono middleware that verifies HMAC-signed requests on /internal/* routes.\n * Rejects with 401 on any auth failure (failure mode is never leaked).\n *\n * Downstream handlers read the consumed body from `c.get(\"body\")` when needed —\n * do NOT call `c.req.text()` again after this middleware runs.\n */\n@injectable()\nexport class InternalHmacAuthMiddleware {\n  constructor(@inject(IncomingHmacVerifier) private readonly verifier: IncomingHmacVerifier) {}\n\n  handle(): MiddlewareHandler {\n    return async (c: Context, next: Next) => {\n      const body = c.req.method === \"GET\" || c.req.method === \"HEAD\" ? \"\" : await c.req.text();\n\n      const result = await this.verifier.verify(c.req.method, c.req.url, body, c.req.header(\"authorization\") ?? null);\n\n      if (\"failure\" in result) {\n        return c.json({ error: \"Unauthorized\" }, 401);\n      }\n\n      // Body stored for downstream handlers that need it (e.g., credential push).\n      // Access via c.get(\"body\") — do NOT call c.req.text() again.\n      // workspaceId is available from PairingConfig since installation has a single workspace.\n      c.set(\"body\" as never, body);\n      await next();\n    };\n  }\n}\n","import { inject, injectable } from \"@codemation/core\";\nimport type { Hono } from \"hono\";\nimport { InternalHmacAuthMiddleware } from \"./InternalHmacAuthMiddleware\";\nimport type { InternalHonoApiRouteRegistrar } from \"../presentation/http/hono/InternalHonoApiRouteRegistrar\";\nimport type { PairingConfig } from \"./pairing.types\";\nimport { PairingConfigToken } from \"./PairingConfigToken\";\n\n/**\n * Registers GET /internal/ping — a smoke-test endpoint for verifying workspace pairing.\n * Returns { pong: true, workspaceId } when the HMAC signature validates correctly.\n */\n@injectable()\nexport class InternalPingRegistrar implements InternalHonoApiRouteRegistrar {\n  constructor(\n    @inject(InternalHmacAuthMiddleware) private readonly hmacMiddleware: InternalHmacAuthMiddleware,\n    @inject(PairingConfigToken) private readonly pairingConfig: PairingConfig,\n  ) {}\n\n  register(app: Hono): void {\n    const { workspaceId } = this.pairingConfig;\n    app.get(\"/internal/ping\", this.hmacMiddleware.handle(), (c) => {\n      return c.json({ pong: true, workspaceId });\n    });\n  }\n}\n"],"mappings":";;;;;;AAKA,MAAa,qBAAqB,OAAO,IAAI,mCAAmC;;;;ACKzE,8BAAMA,oBAAkB;CAC7B,YAAY,AAAmEC,SAA+B,MAAM;EAArC;;CAE/E,KAAK,QAAgB,WAAmB,MAA6B;AACnE,MAAI,KAAK,WAAW,KAKlB,OAAM,IAAI,MACR,uGACD;EAEH,MAAM,KAAK,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EACxC,MAAM,QAAQ,YAAY,GAAG,CAAC,SAAS,SAAS;EAEhD,MAAM,SAAS,IAAI,IAAI,WAAW,qBAAqB;EACvD,MAAM,QAAQ,OAAO,WAAW,OAAO,QAAQ,aAAa;EAE5D,MAAM,WAAW,WAAW,SAAS,CAAC,OAAO,MAAM,OAAO,CAAC,OAAO,MAAM;EACxE,MAAM,aAAa;GAAC,OAAO,aAAa;GAAE;GAAM;GAAI;GAAO;GAAS,CAAC,KAAK,KAAK;EAI/E,MAAM,MAAM,WAAW,UADH,OAAO,KAAK,KAAK,OAAO,eAAe,SAAS,CACvB,CAAC,OAAO,YAAY,OAAO,CAAC,OAAO,SAAS;AAEzF,SAAO,EACL,eAAe,mCAAmC,KAAK,OAAO,YAAY,MAAM,GAAG,SAAS,MAAM,OAAO,OAC1G;;;;CA7BJ,YAAY;oBAEE,OAAO,oBAAoB,EAAE,YAAY,MAAM,CAAC;;;;;;;ACDxD,wBAAMC,cAAY;CACvB,YAAY,AAA4CC,QAA2B;EAA3B;;CAExD,MAAM,IAAI,KAAgC;EACxC,MAAM,UAAU,KAAK,OAAO,KAAK,OAAO,KAAK,GAAG;AAChD,SAAO,MAAM,KAAK;GAAE,QAAQ;GAAO,SAAS,EAAE,GAAG,SAAS;GAAE,CAAC;;CAG/D,MAAM,KAAK,KAAa,MAAkC;EACxD,MAAM,aAAa,KAAK,UAAU,KAAK;EACvC,MAAM,UAAU,KAAK,OAAO,KAAK,QAAQ,KAAK,WAAW;AACzD,SAAO,MAAM,KAAK;GAChB,QAAQ;GACR,SAAS;IAAE,GAAG;IAAS,gBAAgB;IAAoB;GAC3D,MAAM;GACP,CAAC;;CAGJ,MAAM,OAAO,KAAgC;EAC3C,MAAM,UAAU,KAAK,OAAO,KAAK,UAAU,KAAK,GAAG;AACnD,SAAO,MAAM,KAAK;GAAE,QAAQ;GAAU,SAAS,EAAE,GAAG,SAAS;GAAE,CAAC;;;;CArBnE,YAAY;oBAEE,OAAO,kBAAkB;;;;;;;;;;;;;;;;;ACExC,IAAa,uBAAb,MAAkC;CAChC,OAAO,KAAwD;EAC7D,MAAM,cAAc,IAAI;EACxB,MAAM,gBAAgB,IAAI;EAC1B,MAAM,kBAAkB,IAAI;AAE5B,MAAI,CAAC,eAAe,CAAC,iBAAiB,CAAC,gBACrC,QAAO;EAIT,MAAM,UAAU,OAAO,KAAK,eAAe,SAAS;AACpD,MAAI,QAAQ,WAAW,GACrB,OAAM,IAAI,MACR,wEAAwE,QAAQ,OAAO,gEAExF;AAGH,SAAO;GAAE;GAAa;GAAe;GAAiB;;;;;;AC7B1D,MAAa,sBAAsB,OAAO,IAAI,oCAAoC;;;;ACa3E,iCAAMC,uBAAqB;CAChC,AAAiB,kBAAkB;CAEnC,YACE,AAAmEC,SAA+B,MAClG,AAA8CC,YAC9C;EAFmE;EACrB;;CAGhD,MAAM,OACJ,QACA,KACA,MACA,YACoC;AACpC,MAAI,KAAK,WAAW,KAKlB,OAAM,IAAI,MACR,4GACD;AAEH,MAAI,CAAC,KAAK,OAAO,iBAAiB,KAAK,OAAO,cAAc,MAAM,CAAC,WAAW,EAC5E,OAAM,IAAI,MAAM,uFAAuF;AAGzG,MAAI,CAAC,YAAY,WAAW,mBAAmB,CAC7C,QAAO,EAAE,SAAS,WAAW;EAG/B,MAAM,QAAQ,KAAK,YAAY,WAAW;AAC1C,MAAI,CAAC,MAAO,QAAO,EAAE,SAAS,WAAW;AACzC,MAAI,MAAM,MAAM,IAAK,QAAO,EAAE,SAAS,WAAW;EAElD,MAAM,SAAS,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AAC5C,MAAI,KAAK,IAAI,SAAS,MAAM,GAAG,GAAG,IAAK,QAAO,EAAE,SAAS,WAAW;AAEpE,MAAI,MAAM,gBAAgB,KAAK,OAAO,YAAa,QAAO,EAAE,SAAS,aAAa;EAElF,MAAM,SAAS,IAAI,IAAI,KAAK,qBAAqB;EACjD,MAAM,QAAQ,OAAO,WAAW,OAAO,QAAQ,aAAa;EAC5D,MAAM,WAAW,WAAW,SAAS,CAAC,OAAO,MAAM,OAAO,CAAC,OAAO,MAAM;EACxE,MAAM,aAAa;GAAC,OAAO,aAAa;GAAE;GAAM,MAAM;GAAI,MAAM;GAAO;GAAS,CAAC,KAAK,KAAK;EAI3F,MAAM,WAAW,WAAW,UADR,OAAO,KAAK,KAAK,OAAO,eAAe,SAAS,CAClB,CAAC,OAAO,YAAY,OAAO,CAAC,OAAO,SAAS;EAE9F,MAAM,cAAc,OAAO,KAAK,SAAS;EACzC,MAAM,YAAY,OAAO,KAAK,MAAM,IAAI;AACxC,MAAI,YAAY,WAAW,UAAU,UAAU,CAAC,gBAAgB,aAAa,UAAU,CACrF,QAAO,EAAE,SAAS,aAAa;EAGjC,MAAM,WAAW,GAAG,MAAM,YAAY,GAAG,MAAM;EAC/C,MAAM,iCAAiB,IAAI,MAAM,SAAS,KAAK,mBAAmB,IAAK;AAEvE,MAAI,CADU,MAAM,KAAK,WAAW,YAAY,UAAU,eAAe,CAC7D,QAAO,EAAE,SAAS,UAAU;AAExC,SAAO,EAAE,aAAa,MAAM,aAAa;;CAG3C,AAAQ,YAAY,QAMX;EACP,MAAM,UAAU,OAAO,MAAM,GAA0B;EACvD,MAAMC,SAAiC,EAAE;AACzC,OAAK,MAAM,QAAQ,QAAQ,MAAM,IAAI,EAAE;GACrC,MAAM,KAAK,KAAK,QAAQ,IAAI;AAC5B,OAAI,OAAO,GAAI,QAAO;AACtB,UAAO,KAAK,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,KAAK,MAAM,KAAK,EAAE,CAAC,MAAM;;EAE9D,MAAM,EAAE,GAAG,aAAa,IAAI,OAAO,QAAQ;AAC3C,MAAI,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC,IAAK,QAAO;AACxD,SAAO;GAAE;GAAG;GAAa,IAAI,OAAO,GAAG;GAAE;GAAO;GAAK;;;;CAhFxD,YAAY;oBAKR,OAAO,oBAAoB,EAAE,YAAY,MAAM,CAAC;oBAChD,OAAO,oBAAoB;;;;;;;ACTzB,uCAAMC,6BAA2B;CACtC,YAAY,AAA+CC,UAAgC;EAAhC;;CAE3D,SAA4B;AAC1B,SAAO,OAAO,GAAY,SAAe;GACvC,MAAM,OAAO,EAAE,IAAI,WAAW,SAAS,EAAE,IAAI,WAAW,SAAS,KAAK,MAAM,EAAE,IAAI,MAAM;AAIxF,OAAI,aAFW,MAAM,KAAK,SAAS,OAAO,EAAE,IAAI,QAAQ,EAAE,IAAI,KAAK,MAAM,EAAE,IAAI,OAAO,gBAAgB,IAAI,KAAK,CAG7G,QAAO,EAAE,KAAK,EAAE,OAAO,gBAAgB,EAAE,IAAI;AAM/C,KAAE,IAAI,QAAiB,KAAK;AAC5B,SAAM,MAAM;;;;;CAlBjB,YAAY;oBAEE,OAAO,qBAAqB;;;;;;;ACDpC,kCAAMC,wBAA+D;CAC1E,YACE,AAAqDC,gBACrD,AAA6CC,eAC7C;EAFqD;EACR;;CAG/C,SAAS,KAAiB;EACxB,MAAM,EAAE,gBAAgB,KAAK;AAC7B,MAAI,IAAI,kBAAkB,KAAK,eAAe,QAAQ,GAAG,MAAM;AAC7D,UAAO,EAAE,KAAK;IAAE,MAAM;IAAM;IAAa,CAAC;IAC1C;;;;CAXL,YAAY;oBAGR,OAAO,2BAA2B;oBAClC,OAAO,mBAAmB"}