@cotal-ai/core 0.6.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. package/dist/channels.d.ts +11 -0
  2. package/dist/channels.d.ts.map +1 -1
  3. package/dist/channels.js +19 -0
  4. package/dist/channels.js.map +1 -1
  5. package/dist/connector.d.ts +20 -0
  6. package/dist/connector.d.ts.map +1 -1
  7. package/dist/endpoint.d.ts +40 -1
  8. package/dist/endpoint.d.ts.map +1 -1
  9. package/dist/endpoint.js +78 -3
  10. package/dist/endpoint.js.map +1 -1
  11. package/dist/fs-safe.d.ts +28 -0
  12. package/dist/fs-safe.d.ts.map +1 -0
  13. package/dist/fs-safe.js +86 -0
  14. package/dist/fs-safe.js.map +1 -0
  15. package/dist/index.d.ts +3 -0
  16. package/dist/index.d.ts.map +1 -1
  17. package/dist/index.js +3 -0
  18. package/dist/index.js.map +1 -1
  19. package/dist/launch.d.ts +41 -0
  20. package/dist/launch.d.ts.map +1 -0
  21. package/dist/launch.js +10 -0
  22. package/dist/launch.js.map +1 -0
  23. package/dist/membership-feed.d.ts +30 -0
  24. package/dist/membership-feed.d.ts.map +1 -0
  25. package/dist/membership-feed.js +315 -0
  26. package/dist/membership-feed.js.map +1 -0
  27. package/dist/provision.d.ts +14 -11
  28. package/dist/provision.d.ts.map +1 -1
  29. package/dist/provision.js +80 -35
  30. package/dist/provision.js.map +1 -1
  31. package/dist/runtime.d.ts +2 -2
  32. package/dist/runtime.d.ts.map +1 -1
  33. package/dist/streams.d.ts +5 -0
  34. package/dist/streams.d.ts.map +1 -1
  35. package/dist/streams.js +11 -1
  36. package/dist/streams.js.map +1 -1
  37. package/dist/subjects.d.ts +44 -0
  38. package/dist/subjects.d.ts.map +1 -1
  39. package/dist/subjects.js +65 -0
  40. package/dist/subjects.js.map +1 -1
  41. package/dist/terminal.d.ts +10 -3
  42. package/dist/terminal.d.ts.map +1 -1
  43. package/dist/types.d.ts +35 -0
  44. package/dist/types.d.ts.map +1 -1
  45. package/package.json +1 -1
package/dist/membership-feed.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"membership-feed.d.ts","sourceRoot":"","sources":["../src/membership-feed.ts"],"names":[],"mappings":"AA6CA,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,wGAAwG;IACxG,SAAS,EAAE,MAAM,CAAC;IAClB,oEAAoE;IACpE,aAAa,EAAE,MAAM,CAAC;IACtB,iFAAiF;IACjF,OAAO,EAAE,MAAM,CAAC;IAChB,kGAAkG;IAClG,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+FAA+F;IAC/F,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uGAAuG;IACvG,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2DAA2D;IAC3D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qEAAqE;IACrE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,oBAAoB;IACnC,2FAA2F;IAC3F,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACtB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACvB;AAKD,sFAAsF;AACtF,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAwNjG"}
package/dist/membership-feed.js ADDED
@@ -0,0 +1,315 @@
1
+ /**
2
+ * Authoritative channel-membership feed — the broker-sourced "who is subscribed to each channel"
3
+ * the graph view draws (incl. silent readers and `live` channels that keep no enumerable roster).
4
+ *
5
+ * This is the NATS-client layer of the feature (so it lives in core, like `setupSpaceStreams`); the
6
+ * delivery daemon is the thin composition root that loads the two scoped creds + the account id and
7
+ * calls {@link startMembershipFeed}. It owns TWO connections — NATS accounts are a hard isolation
8
+ * boundary, so the `$SYS` CONNZ read (conn A, system account) and the data-account KV (conn B) cannot
9
+ * share a principal — and merges them IN-PROCESS:
10
+ *
11
+ * conn A (SYSTEM) — poll `$SYS.REQ.ACCOUNT.<id>.CONNZ {subscriptions,auth}` (fans out: 1 reply/server
12
+ * → per-server paginate → union-dedupe by nkey); sub CONNECT/DISCONNECT as re-poll triggers.
13
+ * conn B (DATA) — read the members registry (durable arm) + read/write the derived feed bucket.
14
+ * merge — per agent: live (CONNZ patterns, wildcards kept) ∪ durable (members registry);
15
+ * diff-before-put on the normalized {live,durable}; prune departed agents.
16
+ *
17
+ * CONNZ is authoritative for the live half; presence only *enriches* (name/role/status) at the
18
+ * dashboard, never gates here (a momentarily-lapsed heartbeat must not drop a live core-sub). The feed
19
+ * is **display-only** — never an input to delivery/ACL/authorization. Any failure here logs and degrades
20
+ * the graph only; it shares nothing with Plane-3 delivery.
21
+ *
22
+ * Placement note (fowler): every other core connect-site is one-shot (connect → op → drain). This is the
23
+ * FIRST persistently-connected, timer-driven service in core — a new category, deliberately split:
24
+ * **core owns the mechanism + connection lifecycle** (the engine, the two conns, the poll loop), and the
25
+ * **implementation (delivery daemon) owns the DECISION to run it** — creds source, lifetime, N=1, fail-
26
+ * soft. Don't read "it touches NATS → put it in core" and migrate, say, the Plane-3 writer up here; that
27
+ * would undo the daemon's least-privilege extraction. The barrel exports {@link startMembershipFeed}, but
28
+ * the **scoped creds are the real gate**: with no system-account observer cred it simply cannot connect.
29
+ */
30
+ import { connect, credsAuthenticator } from "@nats-io/transport-node";
31
+ import { Kvm } from "@nats-io/kv";
32
+ import { membershipBucket, membershipKey, MEMBERSHIP_FEED_KEY, MEMBERSHIP_INBOX_PREFIX, connzRequestSubject, accountConnectSubject, accountDisconnectSubject, channelFromChatSubscription, } from "./subjects.js";
33
+ import { openMembersRegistry, listMembers } from "./members.js";
34
+ import { idFromCreds } from "./identity.js";
35
+ const enc = (s) => new TextEncoder().encode(s);
36
+ const MAX_PAGES = 64; // fan-out pagination guard (64 × 1024 = 65k conns/server before a loud under-report)
37
+ /** Connect, wire the triggers + safety poll, and run an immediate first reconcile. */
38
+ export async function startMembershipFeed(opts) {
39
+ const log = opts.log ?? ((m) => console.error(`! membership: ${m}`));
40
+ const intervalMs = opts.intervalMs ?? 15_000;
41
+ const debounceMs = opts.debounceMs ?? 400;
42
+ const settleMs = opts.settleMs ?? 250;
43
+ const maxWaitMs = opts.maxWaitMs ?? 1_500;
44
+ const pageLimit = opts.pageLimit ?? 1024;
45
+ const { space, accountId } = opts;
46
+ const connA = await connect({
47
+ servers: opts.servers,
48
+ authenticator: credsAuthenticator(enc(opts.observerCreds)),
49
+ name: "cotal-membership-observer",
50
+ inboxPrefix: MEMBERSHIP_INBOX_PREFIX, // scoped reply inboxes — the cred only allows `<prefix>.>`
51
+ maxReconnectAttempts: -1,
52
+ });
53
+ connA.closed().then((err) => { if (err)
54
+ log(`conn A (system) closed: ${err.message}`); });
55
+ const rwSelfId = idFromCreds(opts.rwCreds); // conn B's own nkey — the data-account self-presence check below
56
+ const connB = await connect({
57
+ servers: opts.servers,
58
+ authenticator: credsAuthenticator(enc(opts.rwCreds)),
59
+ name: "cotal-membership-rw",
60
+ // The rw cred's sub.allow is `_INBOX_<id>.>`, so the connection's inbox prefix MUST match it — else
61
+ // every KV reply / ordered-consumer delivery (kv.get/keys/watch) lands on a subject it can't subscribe.
62
+ inboxPrefix: `_INBOX_${rwSelfId}`,
63
+ maxReconnectAttempts: -1,
64
+ });
65
+ connB.closed().then((err) => { if (err)
66
+ log(`conn B (data) closed: ${err.message}`); });
67
+ const kvm = new Kvm(connB);
68
+ const feedKv = await kvm.open(membershipBucket(space));
69
+ const membersKv = await openMembersRegistry(connB, space);
70
+ let stopped = false;
71
+ let polling = false;
72
+ let rerun = false; // a trigger fired mid-poll → run once more after
73
+ let reqSeq = 0;
74
+ let clusterWarned = false; // log the multi-server completeness limit at most once (never fires at N=1)
75
+ /** One CONNZ round: publish the account request, collect every server's reply within the window. */
76
+ async function connzRound(offset) {
77
+ return new Promise((resolve) => {
78
+ const inbox = `${MEMBERSHIP_INBOX_PREFIX}.${reqSeq++}`;
79
+ const out = [];
80
+ let settle;
81
+ let done = false;
82
+ const finish = () => {
83
+ if (done)
84
+ return;
85
+ done = true;
86
+ if (settle)
87
+ clearTimeout(settle);
88
+ clearTimeout(hard);
89
+ try {
90
+ sub.unsubscribe();
91
+ }
92
+ catch { /* draining */ }
93
+ resolve(out);
94
+ };
95
+ const sub = connA.subscribe(inbox, {
96
+ callback: (err, msg) => {
97
+ if (err)
98
+ return;
99
+ try {
100
+ out.push(msg.json());
101
+ }
102
+ catch { /* skip undecodable */ }
103
+ if (settle)
104
+ clearTimeout(settle);
105
+ settle = setTimeout(finish, settleMs);
106
+ },
107
+ });
108
+ const hard = setTimeout(finish, maxWaitMs);
109
+ connA.publish(connzRequestSubject(accountId), enc(JSON.stringify({ subscriptions: true, auth: true, offset, limit: pageLimit })), { reply: inbox });
110
+ });
111
+ }
112
+ /** Fan-out + per-server pagination + union-dedupe → nkey → live channel-subscription patterns.
113
+ * God-view taps (a connection holding the whole-chat/space wildcard) are excluded entirely. Returns
114
+ * `complete:false` for a sweep that didn't fully drain (zero replies = broker unreachable/denied, or a
115
+ * MAX_PAGES truncation) so the caller can skip the write — a PARTIAL CONNZ read must never prune real
116
+ * members or stamp a fresh heartbeat (truthium). */
117
+ async function liveFromConnz() {
118
+ const live = new Map();
119
+ const serverMore = new Set(); // server ids still reporting a full page this round
120
+ const serversSeen = new Set(); // distinct responders across the whole sweep
121
+ let gotReply = false, exhausted = false, seenSelf = false;
122
+ for (let page = 0; page < MAX_PAGES; page++) {
123
+ const offset = page * pageLimit;
124
+ const replies = await connzRound(offset);
125
+ if (replies.length === 0) {
126
+ if (page === 0)
127
+ log(`CONNZ returned no replies (offset 0) — broker unreachable or cred denied; keeping last membership this tick`);
128
+ break;
129
+ }
130
+ gotReply = true;
131
+ serverMore.clear();
132
+ for (const r of replies) {
133
+ const sid = r.server?.id ?? r.data?.server_id ?? "?";
134
+ serversSeen.add(sid);
135
+ const conns = r.data?.connections ?? [];
136
+ for (const c of conns) {
137
+ if (c.authorized_user === rwSelfId)
138
+ seenSelf = true; // our own conn B must be in a complete read
139
+ addConn(space, live, c);
140
+ }
141
+ const total = r.data?.total ?? conns.length;
142
+ // A server has more ONLY if it returned a FULL page that hasn't reached its total. A short page
143
+ // (len < requested limit) means exhausted regardless of `total` — this is filter-proof: if a
144
+ // server-side filter_subject is ever added, `total` stays the pre-filter account total and
145
+ // `offset+len >= total` would never trip, but the short page still terminates the loop (truthium).
146
+ if (conns.length >= pageLimit && offset + conns.length < total)
147
+ serverMore.add(sid);
148
+ }
149
+ if (serverMore.size === 0) {
150
+ exhausted = true;
151
+ break;
152
+ }
153
+ if (page === MAX_PAGES - 1)
154
+ log(`CONNZ still paginating after ${MAX_PAGES} pages (servers ${[...serverMore].join(",")}) — UNDER-REPORTING; skipping this sweep`);
155
+ }
156
+ // SELF-PRESENCE completeness check (socrates): the data account ALWAYS holds at least conn B, so a
157
+ // sweep that doesn't even include our own rw connection missed connections (a mid-reconnect blip, or
158
+ // the server hosting conn B staying silent) — treat it as incomplete so reconcile() neither prunes nor
159
+ // restamps. 1-BROKER SCOPE (truthium): this is sufficient at N=1 (canary == full coverage), but only
160
+ // NECESSARY at cluster scale — conn B is pinned to ONE server, so a DIFFERENT silent server's agents
161
+ // would still pass this canary. The sufficient multi-server check is `distinct responding server_ids
162
+ // == expected server count` (expected set discovered via $SYS.REQ.SERVER.PING); deferred with the rest
163
+ // of multi-broker support — a conscious deferral, not a single-server bake-in.
164
+ if (gotReply && exhausted && !seenSelf)
165
+ log(`CONNZ sweep omitted our own rw connection — treating as incomplete (keeping last membership)`);
166
+ // NO-SILENT-DEGRADATION (socrates): in a real cluster the conn-B floor only proves conn B's OWN server
167
+ // answered — a DIFFERENT silent server would still pass `complete` yet under-report its agents. Until
168
+ // multi-broker responder-accounting ships, surface that limit LOUDLY (once) rather than degrade quietly.
169
+ if (serversSeen.size > 1 && !clusterWarned) {
170
+ clusterWarned = true;
171
+ log(`multi-server cluster detected (${serversSeen.size} responders) — membership completeness uses the conn-B floor only; a silent peer server can under-report (multi-broker accounting deferred, see core-sub-fabric.md)`);
172
+ }
173
+ return { live, complete: gotReply && exhausted && seenSelf };
174
+ }
175
+ /** The durable arm: open, activated (non-tombstoned) members from the privileged registry. Mirrors
176
+ * endpoint `channelMembers()` so the daemon's union and the manager surface agree. */
177
+ async function durableFromMembers() {
178
+ const durable = new Map();
179
+ for (const r of await listMembers(membersKv)) {
180
+ if (r.leaveCursor !== undefined || r.activated !== true)
181
+ continue;
182
+ (durable.get(r.owner) ?? durable.set(r.owner, new Set()).get(r.owner)).add(r.channel);
183
+ }
184
+ return durable;
185
+ }
186
+ async function reconcile() {
187
+ const { live, complete } = await liveFromConnz();
188
+ // A partial CONNZ sweep (unreachable / truncated) would prune real members and lie about freshness —
189
+ // keep the last good state untouched and don't stamp the heartbeat. Self-heals on the next full poll.
190
+ if (!complete)
191
+ return;
192
+ const durable = await durableFromMembers();
193
+ const observedAt = Date.now();
194
+ // Merge per agent: CONNZ live patterns ∪ durable concrete channels. An agent with neither is omitted.
195
+ const next = new Map();
196
+ for (const id of new Set([...live.keys(), ...durable.keys()])) {
197
+ const liveArr = [...(live.get(id) ?? [])].sort();
198
+ const durableArr = [...(durable.get(id) ?? [])].sort();
199
+ if (liveArr.length === 0 && durableArr.length === 0)
200
+ continue;
201
+ next.set(id, { live: liveArr, durable: durableArr, observedAt });
202
+ }
203
+ // Diff-before-put on the normalized {live,durable} (NOT observedAt), then prune departed agents — so a
204
+ // quiet poll bumps no revision and wakes no watcher. Feed-wide freshness rides the heartbeat key below.
205
+ const existing = new Set();
206
+ for await (const k of await feedKv.keys())
207
+ if (k !== MEMBERSHIP_FEED_KEY)
208
+ existing.add(k);
209
+ for (const [id, rec] of next) {
210
+ const key = membershipKey(id);
211
+ existing.delete(key);
212
+ const cur = await feedKv.get(key);
213
+ let same = false;
214
+ if (cur && cur.operation !== "DEL" && cur.operation !== "PURGE") {
215
+ try {
216
+ same = sameMembership(cur.json(), rec);
217
+ }
218
+ catch { /* re-write on garble */ }
219
+ }
220
+ if (!same)
221
+ await feedKv.put(key, enc(JSON.stringify(rec)));
222
+ }
223
+ for (const stale of existing)
224
+ await feedKv.delete(stale);
225
+ // Heartbeat: re-stamp every successful poll (even with zero membership change) so the dashboard can
226
+ // distinguish "feed is live" from "feed is stale/dead" — the diff-before-put above would otherwise
227
+ // freeze every observedAt and make a healthy feed read stale.
228
+ await feedKv.put(MEMBERSHIP_FEED_KEY, enc(JSON.stringify({ observedAt, count: next.size })));
229
+ }
230
+ async function poll() {
231
+ if (stopped)
232
+ return;
233
+ if (polling) {
234
+ rerun = true;
235
+ return;
236
+ } // a poll is in flight — coalesce, run once more after it
237
+ polling = true;
238
+ try {
239
+ do {
240
+ rerun = false;
241
+ await reconcile();
242
+ } while (rerun && !stopped);
243
+ }
244
+ catch (e) {
245
+ log(`poll failed (graph membership degraded; delivery unaffected): ${e.message}`);
246
+ }
247
+ finally {
248
+ polling = false;
249
+ }
250
+ }
251
+ // Re-poll triggers — debounced. There is NO SUB/UNSUB event, so these only shorten join/leave-the-mesh
252
+ // latency; the interval is the real reconcile. A connect storm coalesces into one debounced poll.
253
+ let debounce;
254
+ const trigger = () => {
255
+ if (stopped)
256
+ return;
257
+ if (debounce)
258
+ clearTimeout(debounce);
259
+ debounce = setTimeout(() => void poll(), debounceMs);
260
+ };
261
+ const subConnect = connA.subscribe(accountConnectSubject(accountId), { callback: () => trigger() });
262
+ const subDisconnect = connA.subscribe(accountDisconnectSubject(accountId), { callback: () => trigger() });
263
+ const timer = setInterval(() => void poll(), intervalMs);
264
+ await poll(); // first reconcile now
265
+ return {
266
+ poll,
267
+ async stop() {
268
+ stopped = true;
269
+ clearInterval(timer);
270
+ if (debounce)
271
+ clearTimeout(debounce);
272
+ try {
273
+ subConnect.unsubscribe();
274
+ subDisconnect.unsubscribe();
275
+ }
276
+ catch { /* draining */ }
277
+ await Promise.allSettled([connA.drain(), connB.drain()]);
278
+ },
279
+ };
280
+ }
281
+ /** Fold one CONNZ connection into the live map: keyed by `authorized_user` (the nkey = `card.id`),
282
+ * unioning its chat-subscription patterns (wildcards kept, e.g. `team.>` or a whole-chat `>`).
283
+ *
284
+ * Infra taps SELF-EXCLUDE — no shape heuristic needed (review-general, socrates): the web dashboard taps
285
+ * `cotal.<space>.>` (spaceWildcard) and `cotal console` taps `cotal.<space>.chat.>` (chatWildcard), both
286
+ * of which {@link channelFromChatSubscription} maps to `null` (the former isn't `.chat.`-prefixed; the
287
+ * latter has no channel token after `chat.`), so they contribute zero channels here; conn B / the
288
+ * delivery cred / the manager hold no chat sub at all. The ONLY subscription that yields the whole-chat
289
+ * `>` pattern is an AGENT's own `chat.*.>` (allowSubscribe `[">"]` — e.g. the default persona), which is
290
+ * a legitimate broad reader the feed MUST surface (the source-of-truth goal), NOT drop. So no shape-based
291
+ * exclusion: a `>` pattern is recorded as-is and the dashboard renders it as a "reads-all" node (a badge,
292
+ * not a spoke to every hub) rather than expanding it. */
293
+ function addConn(space, live, c) {
294
+ const subs = c.subscriptions_list ?? [];
295
+ const id = c.authorized_user;
296
+ if (!id)
297
+ return; // no authenticated identity (open mode) — best-effort handled at the dashboard, not here
298
+ const patterns = subs
299
+ .map((s) => channelFromChatSubscription(space, s))
300
+ .filter((x) => x !== null);
301
+ if (patterns.length === 0)
302
+ return; // connected but subscribed to no channel — member of nothing
303
+ const set = live.get(id) ?? live.set(id, new Set()).get(id);
304
+ for (const p of patterns)
305
+ set.add(p);
306
+ }
307
+ /** Equal on the normalized membership (sorted live + durable), IGNORING `observedAt` — the diff that
308
+ * decides whether a poll re-writes an agent's key (so a quiet poll wakes no watcher). */
309
+ function sameMembership(a, b) {
310
+ return arrEq(a.live, b.live) && arrEq(a.durable, b.durable);
311
+ }
312
+ function arrEq(a, b) {
313
+ return a.length === b.length && a.every((x, i) => x === b[i]);
314
+ }
315
+ //# sourceMappingURL=membership-feed.js.map
package/dist/membership-feed.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"membership-feed.js","sourceRoot":"","sources":["../src/membership-feed.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAuB,MAAM,yBAAyB,CAAC;AAC3F,OAAO,EAAE,GAAG,EAAW,MAAM,aAAa,CAAC;AAC3C,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,mBAAmB,EACnB,uBAAuB,EACvB,mBAAmB,EACnB,qBAAqB,EACrB,wBAAwB,EACxB,2BAA2B,GAC5B,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAgC5C,MAAM,GAAG,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AACvD,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC,qFAAqF;AAE3G,sFAAsF;AACtF,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAwB;IAChE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC,CAAC;IAC7E,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,MAAM,CAAC;IAC7C,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,GAAG,CAAC;IAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,GAAG,CAAC;IACtC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC;IACzC,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;IAElC,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC;QAC1B,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,aAAa,EAAE,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC1D,IAAI,EAAE,2BAA2B;QACjC,WAAW,EAAE,uBAAuB,EAAE,2DAA2D;QACjG,oBAAoB,EAAE,CAAC,CAAC;KACzB,CAAC,CAAC;IACH,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,GAAG;QAAE,GAAG,CAAC,2BAA2B,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAE1F,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,iEAAiE;IAC7G,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC;QAC1B,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,aAAa,EAAE,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpD,IAAI,EAAE,qBAAqB;QAC3B,oGAAoG;QACpG,wGAAwG;QACxG,WAAW,EAAE,UAAU,QAAQ,EAAE;QACjC,oBAAoB,EAAE,CAAC,CAAC;KACzB,CAAC,CAAC;IACH,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,GAAG;QAAE,GAAG,CAAC,yBAAyB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAExF,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAO,MAAM,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3D,MAAM,SAAS,GAAO,MAAM,mBAAmB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAE9D,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,IAAI,KAAK,GAAG,KAAK,CAAC,CAAC,iDAAiD;IACpE,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,aAAa,GAAG,KAAK,CAAC,CAAC,4EAA4E;IAEvG,oGAAoG;IACpG,KAAK,UAAU,UAAU,CAAC,MAAc;QACtC,OAAO,IAAI,OAAO,CAAe,CAAC,OAAO,EAAE,EAAE;YAC3C,MAAM,KAAK,GAAG,GAAG,uBAAuB,IAAI,MAAM,EAAE,EAAE,CAAC;YACvD,MAAM,GAAG,GAAiB,EAAE,CAAC;YAC7B,IAAI,MAAiD,CAAC;YACtD,IAAI,IAAI,GAAG,KAAK,CAAC;YACjB,MAAM,MAAM,GAAG,GAAG,EAAE;gBAClB,IAAI,IAAI;oBAAE,OAAO;gBACjB,IAAI,GAAG,IAAI,CAAC;gBACZ,IAAI,MAAM;oBAAE,YAAY,CAAC,MAAM,CAAC,CAAC;gBACjC,YAAY,CAAC,IAAI,CAAC,CAAC;gBACnB,IAAI,CAAC;oBAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,cAAc,CAAC,CAAC;gBACnD,OAAO,CAAC,GAAG,CAAC,CAAC;YACf,CAAC,CAAC;YACF,MAAM,GAAG,GAAG,KAAK,CAAC,SAAS,CAAC,KAAK,EAAE;gBACjC,QAAQ,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;oBACrB,IAAI,GAAG;wBAAE,OAAO;oBAChB,IAAI,CAAC;wBAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAc,CAAC,CAAC;oBAAC,CAAC;oBAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC;oBAC1E,IAAI,MAAM;wBAAE,YAAY,CAAC,MAAM,CAAC,CAAC;oBACjC,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;gBACxC,CAAC;aACF,CAAC,CAAC;YACH,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YAC3C,KAAK,CAAC,OAAO,CAAC,mBAAmB,CAAC,SAAS,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACtJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;yDAIqD;IACrD,KAAK,UAAU,aAAa;QAC1B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAuB,CAAC;QAC5C,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,oDAAoD;QAC1F,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,6CAA6C;QACpF,IAAI,QAAQ,GAAG,KAAK,EAAE,SAAS,GAAG,KAAK,EAAE,QAAQ,GAAG,KAAK,CAAC;QAC1D,KAAK,IAAI,IAAI,GAAG,CAAC,EAAE,IAAI,GAAG,SAAS,EAAE,IAAI,EAAE,EAAE,CAAC;YAC5C,MAAM,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;YAChC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,CAAC;YACzC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACzB,IAAI,IAAI,KAAK,CAAC;oBAAE,GAAG,CAAC,6GAA6G,CAAC,CAAC;gBACnI,MAAM;YACR,CAAC;YACD,QAAQ,GAAG,IAAI,CAAC;YAChB,UAAU,CAAC,KAAK,EAAE,CAAC;YACnB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,IAAI,CAAC,CAAC,IAAI,EAAE,SAAS,IAAI,GAAG,CAAC;gBACrD,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACrB,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,EAAE,WAAW,IAAI,EAAE,CAAC;gBACxC,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;oBACtB,IAAI,CAAC,CAAC,eAAe,KAAK,QAAQ;wBAAE,QAAQ,GAAG,IAAI,CAAC,CAAC,4CAA4C;oBACjG,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;gBAC1B,CAAC;gBACD,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,EAAE,KAAK,IAAI,KAAK,CAAC,MAAM,CAAC;gBAC5C,gGAAgG;gBAChG,6FAA6F;gBAC7F,2FAA2F;gBAC3F,mGAAmG;gBACnG,IAAI,KAAK,CAAC,MAAM,IAAI,SAAS,IAAI,MAAM,GAAG,KAAK,CAAC,MAAM,GAAG,KAAK;oBAAE,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACtF,CAAC;YACD,IAAI,UAAU,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;gBAAC,SAAS,GAAG,IAAI,CAAC;gBAAC,MAAM;YAAC,CAAC;YACvD,IAAI,IAAI,KAAK,SAAS,GAAG,CAAC;gBACxB,GAAG,CAAC,gCAAgC,SAAS,mBAAmB,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QACzI,CAAC;QACD,mGAAmG;QACnG,qGAAqG;QACrG,uGAAuG;QACvG,qGAAqG;QACrG,qGAAqG;QACrG,qGAAqG;QACrG,uGAAuG;QACvG,+EAA+E;QAC/E,IAAI,QAAQ,IAAI,SAAS,IAAI,CAAC,QAAQ;YACpC,GAAG,CAAC,8FAA8F,CAAC,CAAC;QACtG,uGAAuG;QACvG,sGAAsG;QACtG,yGAAyG;QACzG,IAAI,WAAW,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YAC3C,aAAa,GAAG,IAAI,CAAC;YACrB,GAAG,CAAC,kCAAkC,WAAW,CAAC,IAAI,qKAAqK,CAAC,CAAC;QAC/N,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,IAAI,SAAS,IAAI,QAAQ,EAAE,CAAC;IAC/D,CAAC;IAED;2FACuF;IACvF,KAAK,UAAU,kBAAkB;QAC/B,MAAM,OAAO,GAAG,IAAI,GAAG,EAAuB,CAAC;QAC/C,KAAK,MAAM,CAAC,IAAI,MAAM,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7C,IAAI,CAAC,CAAC,WAAW,KAAK,SAAS,IAAI,CAAC,CAAC,SAAS,KAAK,IAAI;gBAAE,SAAS;YAClE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QACzF,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,UAAU,SAAS;QACtB,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,MAAM,aAAa,EAAE,CAAC;QACjD,qGAAqG;QACrG,sGAAsG;QACtG,IAAI,CAAC,QAAQ;YAAE,OAAO;QACtB,MAAM,OAAO,GAAG,MAAM,kBAAkB,EAAE,CAAC;QAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE9B,sGAAsG;QACtG,MAAM,IAAI,GAAG,IAAI,GAAG,EAA6B,CAAC;QAClD,KAAK,MAAM,EAAE,IAAI,IAAI,GAAG,CAAS,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,EAAE,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;YACtE,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACjD,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACvD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAC9D,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,uGAAuG;QACvG,wGAAwG;QACxG,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;QACnC,IAAI,KAAK,EAAE,MAAM,CAAC,IAAI,MAAM,MAAM,CAAC,IAAI,EAAE;YAAE,IAAI,CAAC,KAAK,mBAAmB;gBAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC1F,KAAK,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;YAC7B,MAAM,GAAG,GAAG,aAAa,CAAC,EAAE,CAAC,CAAC;YAC9B,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACrB,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,IAAI,GAAG,KAAK,CAAC;YACjB,IAAI,GAAG,IAAI,GAAG,CAAC,SAAS,KAAK,KAAK,IAAI,GAAG,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;gBAChE,IAAI,CAAC;oBAAC,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,IAAI,EAAqB,EAAE,GAAG,CAAC,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,wBAAwB,CAAC,CAAC;YACvG,CAAC;YACD,IAAI,CAAC,IAAI;gBAAE,MAAM,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC7D,CAAC;QACD,KAAK,MAAM,KAAK,IAAI,QAAQ;YAAE,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAEzD,oGAAoG;QACpG,mGAAmG;QACnG,8DAA8D;QAC9D,MAAM,MAAM,CAAC,GAAG,CAAC,mBAAmB,EAAE,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/F,CAAC;IAED,KAAK,UAAU,IAAI;QACjB,IAAI,OAAO;YAAE,OAAO;QACpB,IAAI,OAAO,EAAE,CAAC;YAAC,KAAK,GAAG,IAAI,CAAC;YAAC,OAAO;QAAC,CAAC,CAAC,yDAAyD;QAChG,OAAO,GAAG,IAAI,CAAC;QACf,IAAI,CAAC;YACH,GAAG,CAAC;gBACF,KAAK,GAAG,KAAK,CAAC;gBACd,MAAM,SAAS,EAAE,CAAC;YACpB,CAAC,QAAQ,KAAK,IAAI,CAAC,OAAO,EAAE;QAC9B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,GAAG,CAAC,iEAAkE,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;QAC/F,CAAC;gBAAS,CAAC;YACT,OAAO,GAAG,KAAK,CAAC;QAClB,CAAC;IACH,CAAC;IAED,uGAAuG;IACvG,kGAAkG;IAClG,IAAI,QAAmD,CAAC;IACxD,MAAM,OAAO,GAAG,GAAG,EAAE;QACnB,IAAI,OAAO;YAAE,OAAO;QACpB,IAAI,QAAQ;YAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;QACrC,QAAQ,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,KAAK,IAAI,EAAE,EAAE,UAAU,CAAC,CAAC;IACvD,CAAC,CAAC;IACF,MAAM,UAAU,GAAG,KAAK,CAAC,SAAS,CAAC,qBAAqB,CAAC,SAAS,CAAC,EAAE,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACpG,MAAM,aAAa,GAAG,KAAK,CAAC,SAAS,CAAC,wBAAwB,CAAC,SAAS,CAAC,EAAE,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAE1G,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,KAAK,IAAI,EAAE,EAAE,UAAU,CAAC,CAAC;IACzD,MAAM,IAAI,EAAE,CAAC,CAAC,sBAAsB;IAEpC,OAAO;QACL,IAAI;QACJ,KAAK,CAAC,IAAI;YACR,OAAO,GAAG,IAAI,CAAC;YACf,aAAa,CAAC,KAAK,CAAC,CAAC;YACrB,IAAI,QAAQ;gBAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;YACrC,IAAI,CAAC;gBAAC,UAAU,CAAC,WAAW,EAAE,CAAC;gBAAC,aAAa,CAAC,WAAW,EAAE,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,cAAc,CAAC,CAAC;YACvF,MAAM,OAAO,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC3D,CAAC;KACF,CAAC;AACJ,CAAC;AAcD;;;;;;;;;;;0DAW0D;AAC1D,SAAS,OAAO,CAAC,KAAa,EAAE,IAA8B,EAAE,CAAkB;IAChF,MAAM,IAAI,GAAG,CAAC,CAAC,kBAAkB,IAAI,EAAE,CAAC;IACxC,MAAM,EAAE,GAAG,CAAC,CAAC,eAAe,CAAC;IAC7B,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC,yFAAyF;IAC1G,MAAM,QAAQ,GAAG,IAAI;SAClB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,2BAA2B,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;SACjD,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;IAC1C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,6DAA6D;IAChG,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC;IAC7D,KAAK,MAAM,CAAC,IAAI,QAAQ;QAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AACvC,CAAC;AAED;0FAC0F;AAC1F,SAAS,cAAc,CAAC,CAAoB,EAAE,CAAoB;IAChE,OAAO,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC;AAC9D,CAAC;AACD,SAAS,KAAK,CAAC,CAAW,EAAE,CAAW;IACrC,OAAO,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAChE,CAAC"}
package/dist/provision.d.ts CHANGED
@@ -3,9 +3,11 @@ import type { Identity } from "./identity.js";
3
3
  * scope each one — at which point the manager MUST already hold its own privileged
4
4
  * profile (broad: pre-create others' DM durables, serve ctl), not "agent", or it
5
5
  * silently loses those powers the moment "agent" is tightened. */
6
- export type Profile = "agent" | "observer" | "admin" | "manager" | "delivery";
6
+ export type Profile = "agent" | "observer" | "admin" | "manager" | "delivery" | "membership-rw";
7
7
  /** A space's persisted trust material. The `signingSeed` is the sensitive provisioner
8
- * secret; everything else is public (JWTs) or recoverable. */
8
+ * secret; everything else is public (JWTs) or recoverable. The system-account `signingSeed` is the ONE
9
+ * field {@link saveSpaceAuth} never writes to disk — it lives only in memory, just long enough at `cotal
10
+ * up` to mint the scoped membership-observer cred (see {@link mintMembershipObserverCreds}). */
9
11
  export interface SpaceAuth {
10
12
  space: string;
11
13
  operator: {
@@ -19,9 +21,12 @@ export interface SpaceAuth {
19
21
  signingSeed: string;
20
22
  signingPub: string;
21
23
  };
24
+ /** `signingSeed` is in-memory only (a fresh {@link createSpaceAuth}); NEVER persisted — minting a
25
+ * system-account user is broker-admin capability, so no standing `$SYS` seed is left on disk. */
22
26
  sys: {
23
27
  pub: string;
24
28
  jwt: string;
29
+ signingSeed?: string;
25
30
  };
26
31
  }
27
32
  /** Reduce a {@link SpaceAuth} to just the material a *minting* host needs: `space`,
@@ -110,6 +115,13 @@ export declare function provisionAgent(provisioner: DurableProvisioner, auth: Sp
110
115
  * `allowSubscribe` (live tail bind-only + per-channel history grants); "manager" and "observer"
111
116
  * stay permissive here and are scoped in steps 6–7. */
112
117
  export declare function mintCreds(auth: SpaceAuth, identity: Identity, profile: Profile, opts?: MintOpts): Promise<string>;
118
+ /** Mint the scoped `membership-observer` creds — a SYSTEM-account user (conn A of the graph feed),
119
+ * signed with the in-memory `auth.sys.signingSeed` from a fresh {@link createSpaceAuth}. THROWS if that
120
+ * seed is absent (a re-`up` of an already-provisioned space, whose `$SYS` seed was discarded at its
121
+ * original `up`): the observer can only be minted at the (re-)provision that creates the account — a
122
+ * documented migration property, not a silent no-op. The CONNZ/event subjects pin the DATA account id
123
+ * (`auth.account.pub`). Mirrors {@link mintCreds} but issues into the system account. */
124
+ export declare function mintMembershipObserverCreds(auth: SpaceAuth, identity: Identity): Promise<string>;
113
125
  /** Render the `nats-server` config that trusts this space's operator and serves its
114
126
  * accounts via the in-config MEMORY resolver. */
115
127
  export declare function serverConfig(auth: SpaceAuth, opts: {
@@ -117,13 +129,4 @@ export declare function serverConfig(auth: SpaceAuth, opts: {
117
129
  host?: string;
118
130
  storeDir: string;
119
131
  }): string;
120
- export declare function authDir(root: string): string;
121
- /** Find the project's `.cotal/` by walking up from `start` (like git finds `.git`), returning the
122
- * directory that *contains* `.cotal/`. Falls back to `start` when none is found up the tree (a
123
- * fresh setup creates `.cotal/` there). Lets `cotal` run from any subdirectory of a project. */
124
- export declare function findCotalRoot(start?: string): string;
125
- /** Persist the space trust material. The file holds the signing seed — treat as a secret. */
126
- export declare function saveSpaceAuth(dir: string, auth: SpaceAuth): void;
127
- /** Load the space trust material, or undefined if auth was never set up here. */
128
- export declare function loadSpaceAuth(dir: string): SpaceAuth | undefined;
129
132
  //# sourceMappingURL=provision.d.ts.map
package/dist/provision.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"provision.d.ts","sourceRoot":"","sources":["../src/provision.ts"],"names":[],"mappings":"AAsDA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAE9C;;;mEAGmE;AACnE,MAAM,MAAM,OAAO,GAAG,OAAO,GAAG,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,UAAU,CAAC;AAE9E;+DAC+D;AAC/D,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC,OAAO,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7F,GAAG,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;CACnC;AAYD;;;;;;;yEAOyE;AACzE,wBAAgB,cAAc,CAAC,IAAI,EAAE,SAAS,GAAG,SAAS,CAazD;AAED,4FAA4F;AAC5F,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CA6BvE;AAED,mDAAmD;AACnD,MAAM,WAAW,QAAQ;IACvB;;;;;sGAKkG;IAClG,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B;;sFAEkF;IAClF,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,uEAAuE;IACvE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,sEAAsE;IACtE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;2FAGuF;IACvF,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;0DAEsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,sFAAsF;AACtF,MAAM,WAAW,aAAc,SAAQ,QAAQ;IAC7C;;0EAEsE;IACtE,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB;;;;;;mBAMe;IACf,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED;;;0DAG0D;AAC1D,MAAM,WAAW,kBAAkB;IACjC,gBAAgB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C;wGACoG;IACpG,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C;;;;2FAIuF;IACvF,SAAS,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/D,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACjD;AAED;;;;;kGAKkG;AAClG,wBAAsB,cAAc,CAClC,WAAW,EAAE,kBAAkB,EAC/B,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,QAAQ,EAClB,IAAI,GAAE,aAAkB,GACvB,OAAO,CAAC,MAAM,CAAC,CAwBjB;AAED;;;;;;wDAMwD;AACxD,wBAAsB,SAAS,CAC7B,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,OAAO,EAChB,IAAI,GAAE,QAAa,GAClB,OAAO,CAAC,MAAM,CAAC,CAYjB;AAgQD;kDACkD;AAClD,wBAAgB,YAAY,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAuB9G;AAMD,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAE5C;AAED;;iGAEiG;AACjG,wBAAgB,aAAa,CAAC,KAAK,GAAE,MAAsB,GAAG,MAAM,CAQnE;AAED,6FAA6F;AAC7F,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,IAAI,CAGhE;AAED,iFAAiF;AACjF,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS,CAIhE"}
1
+ {"version":3,"file":"provision.d.ts","sourceRoot":"","sources":["../src/provision.ts"],"names":[],"mappings":"AA0DA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAE9C;;;mEAGmE;AACnE,MAAM,MAAM,OAAO,GAAG,OAAO,GAAG,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,UAAU,GAAG,eAAe,CAAC;AAEhG;;;iGAGiG;AACjG,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC,OAAO,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAC7F;sGACkG;IAClG,GAAG,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CACzD;AAYD;;;;;;;yEAOyE;AACzE,wBAAgB,cAAc,CAAC,IAAI,EAAE,SAAS,GAAG,SAAS,CAazD;AAED,4FAA4F;AAC5F,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CA+BvE;AAED,mDAAmD;AACnD,MAAM,WAAW,QAAQ;IACvB;;;;;sGAKkG;IAClG,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B;;sFAEkF;IAClF,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,uEAAuE;IACvE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,sEAAsE;IACtE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;2FAGuF;IACvF,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;0DAEsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,sFAAsF;AACtF,MAAM,WAAW,aAAc,SAAQ,QAAQ;IAC7C;;0EAEsE;IACtE,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB;;;;;;mBAMe;IACf,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED;;;0DAG0D;AAC1D,MAAM,WAAW,kBAAkB;IACjC,gBAAgB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C;wGACoG;IACpG,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C;;;;2FAIuF;IACvF,SAAS,CAAC,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/D,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACjD;AAED;;;;;kGAKkG;AAClG,wBAAsB,cAAc,CAClC,WAAW,EAAE,kBAAkB,EAC/B,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,QAAQ,EAClB,IAAI,GAAE,aAAkB,GACvB,OAAO,CAAC,MAAM,CAAC,CAwBjB;AAED;;;;;;wDAMwD;AACxD,wBAAsB,SAAS,CAC7B,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,OAAO,EAChB,IAAI,GAAE,QAAa,GAClB,OAAO,CAAC,MAAM,CAAC,CAYjB;AA6TD;;;;;0FAK0F;AAC1F,wBAAsB,2BAA2B,CAAC,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAgBtG;AAED;kDACkD;AAClD,wBAAgB,YAAY,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAuB9G"}
package/dist/provision.js CHANGED
@@ -14,11 +14,10 @@
14
14
  * NOT yet provided (our job, not nsc's): credential revocation and an issuance audit
15
15
  * trail. Revocation is deferred past Demo 1; minted creds currently have no TTL.
16
16
  */
17
- import { readFileSync, writeFileSync, mkdirSync, existsSync } from "node:fs";
18
- import { join, dirname, resolve } from "node:path";
17
+ import { join } from "node:path";
19
18
  import { encodeOperator, encodeAccount, encodeUser, fmtCreds, } from "@nats-io/jwt";
20
19
  import { createOperator, createAccount, fromPublic, fromSeed } from "@nats-io/nkeys";
21
- import { token, spacePrefix, chatSubject, assertValidChannel, channelInAllow, unicastSubject, anycastSubject, controlServiceSubject, CONTROL_PRIVILEGED, CONTROL_SELF_SERVICE, CONTROL_DELIVERY, chatStream, dmStream, taskStream, dlvStream, inboxStream, chatHistDurable, dmDurable, taskDurable, dlvDurable, presenceBucket, channelBucket, membersBucket, aclBucket, deliveryBucket, FANOUT_DURABLE, INBOX_READER_DURABLE, } from "./subjects.js";
20
+ import { token, spacePrefix, chatSubject, assertValidChannel, channelInAllow, unicastSubject, anycastSubject, controlServiceSubject, CONTROL_PRIVILEGED, CONTROL_SELF_SERVICE, CONTROL_DELIVERY, chatStream, dmStream, taskStream, dlvStream, inboxStream, chatHistDurable, dmDurable, taskDurable, dlvDurable, presenceBucket, channelBucket, membersBucket, aclBucket, membershipBucket, deliveryBucket, connzRequestSubject, accountConnectSubject, accountDisconnectSubject, MEMBERSHIP_INBOX_PREFIX, FANOUT_DURABLE, INBOX_READER_DURABLE, } from "./subjects.js";
22
21
  // Unlimited account limits — without explicit limits a JWT account defaults to 0 conns
23
22
  // (every connect denied). JetStream needs storage on the data account but MUST stay off
24
23
  // the system account (the server refuses to start otherwise).
@@ -71,7 +70,9 @@ export async function createSpaceAuth(space) {
71
70
  signingSeed: dec(askp.getSeed()),
72
71
  signingPub: askp.getPublicKey(),
73
72
  },
74
- sys: { pub: sysPub, jwt: sysJwt },
73
+ // `signingSeed` carried in-memory ONLY (stripped by saveSpaceAuth) — the single window in which the
74
+ // scoped membership-observer system-account user can be minted (see mintMembershipObserverCreds).
75
+ sys: { pub: sysPub, jwt: sysJwt, signingSeed: dec(syskp.getSeed()) },
75
76
  };
76
77
  }
77
78
  /** Onboard an agent for launch (auth mode): pre-create its bind-only DM (+ Plane-3 DELIVER + role
@@ -127,11 +128,14 @@ export async function mintCreds(auth, identity, profile, opts = {}) {
127
128
  function permissionsFor(profile, space, id, opts) {
128
129
  if (profile === "delivery")
129
130
  return deliveryPermissions(space, id); // scoped server-side Plane-3 infra
131
+ if (profile === "membership-rw")
132
+ return membershipRwPermissions(space, id); // scoped graph-feed reader/writer
130
133
  if (profile === "manager")
131
134
  return {}; // privileged: allow-all defaults
132
135
  const CHAT = chatStream(space), DM = dmStream(space), TASK = taskStream(space);
133
136
  const KV = `KV_${presenceBucket(space)}`;
134
137
  const CHKV = `KV_${channelBucket(space)}`; // channel registry (read-only for everyone)
138
+ const MEMKV = `KV_${membershipBucket(space)}`; // derived graph membership feed (read-only — dashboard)
135
139
  const DLVKV = `KV_${deliveryBucket(space)}`; // delivery lease/readiness (read-only — Component 6 health)
136
140
  const inbox = `_INBOX_${id}.>`;
137
141
  if (profile === "observer" || profile === "admin") {
@@ -168,6 +172,14 @@ function permissionsFor(profile, space, id, opts) {
168
172
  `$JS.API.CONSUMER.CREATE.${CHKV}.>`,
169
173
  `$JS.API.CONSUMER.INFO.${CHKV}.>`,
170
174
  `$JS.API.CONSUMER.DELETE.${CHKV}.>`, // ephemeral consumer cleanup
175
+ // Derived graph-membership feed (broker-sourced who-is-subscribed) — watch + direct kv.get. The
176
+ // silent-reader set is sensitive, so read is admin/observer-only (this elevated profile), never an
177
+ // agent. Read-only: no `$KV.${membershipBucket}` publish — only the `membership-rw` cred writes it.
178
+ `$JS.API.STREAM.INFO.${MEMKV}`,
179
+ `$JS.API.STREAM.MSG.GET.${MEMKV}`,
180
+ `$JS.API.CONSUMER.CREATE.${MEMKV}.>`,
181
+ `$JS.API.CONSUMER.INFO.${MEMKV}.>`,
182
+ `$JS.API.CONSUMER.DELETE.${MEMKV}.>`,
171
183
  "$JS.FC.>", // ordered-consumer flow control
172
184
  ];
173
185
  if (profile === "admin") {
@@ -355,6 +367,70 @@ function deliveryPermissions(space, id) {
355
367
  ];
356
368
  return { pub: { allow: pub }, sub: { allow: sub } };
357
369
  }
370
+ /** The scoped DATA-account `membership-rw` permission set (the graph feed's conn B; NEVER allow-all,
371
+ * never minted for an agent — `cotal mint` excludes it, like `manager`/`delivery`). Least-privilege:
372
+ * READ the members registry (the durable arm of the merge) + READ/WRITE the one derived membership
373
+ * bucket, and nothing else. It holds NO chat/DM/anycast/ctl grant and never touches `$SYS` (account
374
+ * isolation keeps the system-account CONNZ read on the SEPARATE conn-A cred). A leaked conn-B cred can
375
+ * read durable-membership records and forge the feed — bounded to "dashboard integrity" by the
376
+ * display-only invariant; it reads no message bodies and admins nothing. */
377
+ function membershipRwPermissions(space, id) {
378
+ const MKV = `KV_${membersBucket(space)}`; // durable arm — read
379
+ const MEMKV = `KV_${membershipBucket(space)}`; // derived feed — read (diff/prune) + write
380
+ const kvRead = (bucket) => [
381
+ `$JS.API.STREAM.INFO.${bucket}`,
382
+ `$JS.API.STREAM.MSG.GET.${bucket}`, // kv.get
383
+ `$JS.API.CONSUMER.CREATE.${bucket}.>`, // kv.keys()/kv.watch ordered consumer
384
+ `$JS.API.CONSUMER.INFO.${bucket}.>`,
385
+ `$JS.API.CONSUMER.DELETE.${bucket}.>`,
386
+ ];
387
+ const pub = [
388
+ "$JS.API.INFO",
389
+ ...kvRead(MKV),
390
+ ...kvRead(MEMKV),
391
+ `$KV.${membershipBucket(space)}.>`, // write derived feed (kv.put + kv.delete)
392
+ "$JS.FC.>", // ordered-consumer flow control
393
+ ];
394
+ return { pub: { allow: pub }, sub: { allow: [`_INBOX_${id}.>`] } };
395
+ }
396
+ /** The scoped SYSTEM-account `membership-observer` permission set (the graph feed's conn A). An EXPLICIT
397
+ * block is MANDATORY: a system-account user with NO permissions block defaults to ALLOW-ALL = full
398
+ * `$SYS` = broker admin (verified — pre-flight spike + docs). Least-privilege allowlist:
399
+ * - **pub:** the account-scoped CONNZ request subject ONLY (not server-wide `PING.CONNZ`, not
400
+ * `REQ.SERVER.*`/`REQ.CLAIMS.*`).
401
+ * - **sub:** the scoped reply inbox (`<MEMBERSHIP_INBOX_PREFIX>.>`) + this ONE account's
402
+ * CONNECT/DISCONNECT events (re-poll triggers) — never `$SYS.ACCOUNT.*.…` (cross-tenant) nor
403
+ * `$SYS.ACCOUNT.<id>.>` (pulls in SUBSZ/JSZ/purge).
404
+ * No `$SYS.>` deny that would shadow the allows (deny-beats-allow). A leaked conn-A cred enumerates THIS
405
+ * account's connections (silent readers + nkeys) and can forge the feed; it reads no bodies, touches no
406
+ * other account, and admins no server. */
407
+ function membershipObserverPermissions(accountId) {
408
+ return {
409
+ pub: { allow: [connzRequestSubject(accountId)] },
410
+ sub: {
411
+ allow: [
412
+ `${MEMBERSHIP_INBOX_PREFIX}.>`,
413
+ accountConnectSubject(accountId),
414
+ accountDisconnectSubject(accountId),
415
+ ],
416
+ },
417
+ };
418
+ }
419
+ /** Mint the scoped `membership-observer` creds — a SYSTEM-account user (conn A of the graph feed),
420
+ * signed with the in-memory `auth.sys.signingSeed` from a fresh {@link createSpaceAuth}. THROWS if that
421
+ * seed is absent (a re-`up` of an already-provisioned space, whose `$SYS` seed was discarded at its
422
+ * original `up`): the observer can only be minted at the (re-)provision that creates the account — a
423
+ * documented migration property, not a silent no-op. The CONNZ/event subjects pin the DATA account id
424
+ * (`auth.account.pub`). Mirrors {@link mintCreds} but issues into the system account. */
425
+ export async function mintMembershipObserverCreds(auth, identity) {
426
+ if (!auth.sys.signingSeed)
427
+ throw new Error("mintMembershipObserverCreds: no in-memory system-account signing seed — the observer can only be minted at the `up` that provisions the account (the $SYS seed is never persisted). Re-provision (down/up) to enable broker-sourced membership.");
428
+ const signer = fromSeed(new TextEncoder().encode(auth.sys.signingSeed));
429
+ const perms = membershipObserverPermissions(auth.account.pub);
430
+ const userJwt = await encodeUser("membership-observer", fromPublic(identity.id), fromPublic(auth.sys.pub), perms, { signer });
431
+ const creds = fmtCreds(userJwt, fromSeed(new TextEncoder().encode(identity.seed)));
432
+ return new TextDecoder().decode(creds);
433
+ }
358
434
  /** Render the `nats-server` config that trusts this space's operator and serves its
359
435
  * accounts via the in-config MEMORY resolver. */
360
436
  export function serverConfig(auth, opts) {
@@ -381,35 +457,4 @@ resolver_preload: {
381
457
  }
382
458
  `;
383
459
  }
384
- // ---- persistence (.cotal/auth) ------------------------------------------------
385
- const AUTH_FILE = "auth.json";
386
- export function authDir(root) {
387
- return join(root, ".cotal", "auth");
388
- }
389
- /** Find the project's `.cotal/` by walking up from `start` (like git finds `.git`), returning the
390
- * directory that *contains* `.cotal/`. Falls back to `start` when none is found up the tree (a
391
- * fresh setup creates `.cotal/` there). Lets `cotal` run from any subdirectory of a project. */
392
- export function findCotalRoot(start = process.cwd()) {
393
- let dir = resolve(start);
394
- for (;;) {
395
- if (existsSync(join(dir, ".cotal")))
396
- return dir;
397
- const parent = dirname(dir);
398
- if (parent === dir)
399
- return resolve(start);
400
- dir = parent;
401
- }
402
- }
403
- /** Persist the space trust material. The file holds the signing seed — treat as a secret. */
404
- export function saveSpaceAuth(dir, auth) {
405
- mkdirSync(dir, { recursive: true });
406
- writeFileSync(join(dir, AUTH_FILE), JSON.stringify(auth, null, 2), { mode: 0o600 });
407
- }
408
- /** Load the space trust material, or undefined if auth was never set up here. */
409
- export function loadSpaceAuth(dir) {
410
- const f = join(dir, AUTH_FILE);
411
- if (!existsSync(f))
412
- return undefined;
413
- return JSON.parse(readFileSync(f, "utf8"));
414
- }
415
460
  //# sourceMappingURL=provision.js.map
package/dist/provision.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"provision.js","sourceRoot":"","sources":["../src/provision.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,EACL,cAAc,EACd,aAAa,EACb,UAAU,EACV,QAAQ,GACT,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AACrF,OAAO,EACL,KAAK,EACL,WAAW,EACX,WAAW,EACX,kBAAkB,EAClB,cAAc,EACd,cAAc,EACd,cAAc,EACd,qBAAqB,EACrB,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAChB,UAAU,EACV,QAAQ,EACR,UAAU,EACV,SAAS,EACT,WAAW,EACX,eAAe,EACf,SAAS,EACT,WAAW,EACX,UAAU,EACV,cAAc,EACd,aAAa,EACb,aAAa,EACb,SAAS,EACT,cAAc,EACd,cAAc,EACd,oBAAoB,GACrB,MAAM,eAAe,CAAC;AAkBvB,uFAAuF;AACvF,wFAAwF;AACxF,8DAA8D;AAC9D,MAAM,WAAW,GAAG;IAClB,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;IACtD,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI;CAC9B,CAAC;AACX,MAAM,WAAW,GAAG,EAAE,GAAG,WAAW,EAAE,WAAW,EAAE,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,EAAE,CAAC;AAC1E,MAAM,UAAU,GAAG,EAAE,GAAG,WAAW,EAAE,WAAW,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;AAEvE;;;;;;;yEAOyE;AACzE,MAAM,UAAU,cAAc,CAAC,IAAe;IAC5C,OAAO;QACL,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,QAAQ,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE;QAC/B,OAAO,EAAE;YACP,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;YACrB,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,EAAE;YACP,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW;YACrC,UAAU,EAAE,EAAE;SACf;QACD,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE;KAC1B,CAAC;AACJ,CAAC;AAED,4FAA4F;AAC5F,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAa;IACjD,MAAM,GAAG,GAAG,cAAc,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,aAAa,EAAE,CAAC,CAAC,yCAAyC;IACvE,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,KAAK,CAAC,YAAY,EAAE,CAAC;IAEpC,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,SAAS,KAAK,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,CAAC;IACnG,MAAM,UAAU,GAAG,MAAM,aAAa,CACpC,KAAK,CAAC,KAAK,CAAC,EACZ,GAAG,EACH,EAAE,YAAY,EAAE,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,EAC5D,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IAE1F,MAAM,GAAG,GAAG,CAAC,CAAa,EAAE,EAAE,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC3D,OAAO;QACL,KAAK;QACL,QAAQ,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE;QACxD,OAAO,EAAE;YACP,GAAG,EAAE,GAAG,CAAC,YAAY,EAAE;YACvB,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YACxB,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAChC,UAAU,EAAE,IAAI,CAAC,YAAY,EAAE;SAChC;QACD,GAAG,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE;KAClC,CAAC;AACJ,CAAC;AAiED;;;;;kGAKkG;AAClG,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,WAA+B,EAC/B,IAAe,EACf,QAAkB,EAClB,OAAsB,EAAE;IAExB,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IACxE,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC;IACrF,gGAAgG;IAChG,KAAK,MAAM,EAAE,IAAI,CAAC,GAAG,SAAS,EAAE,GAAG,cAAc,CAAC;QAAE,kBAAkB,CAAC,EAAE,CAAC,CAAC;IAC3E,8FAA8F;IAC9F,4FAA4F;IAC5F,iEAAiE;IACjE,KAAK,MAAM,EAAE,IAAI,SAAS;QACxB,IAAI,CAAC,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CACb,8BAA8B,EAAE,mCAAmC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAChG,CAAC;IACN,MAAM,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAChD,MAAM,WAAW,CAAC,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACjD,sGAAsG;IACtG,mGAAmG;IACnG,uGAAuG;IACvG,iGAAiG;IACjG,iGAAiG;IACjG,+DAA+D;IAC/D,IAAI,IAAI,CAAC,iBAAiB,KAAK,KAAK;QAAE,MAAM,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,EAAE,cAAc,CAAC,CAAC;IAC/F,IAAI,IAAI,CAAC,IAAI;QAAE,MAAM,WAAW,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/D,OAAO,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,GAAG,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;AACzE,CAAC;AAED;;;;;;wDAMwD;AACxD,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAAe,EACf,QAAkB,EAClB,OAAgB,EAChB,OAAiB,EAAE;IAEnB,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;IAC5E,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IACrE,MAAM,OAAO,GAAG,MAAM,UAAU,CAC9B,OAAO,EACP,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC,EACvB,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAC5B,KAAK,EACL,EAAE,MAAM,EAAE,CACX,CAAC;IACF,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACnF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED;;;4BAG4B;AAC5B,SAAS,cAAc,CACrB,OAAgB,EAChB,KAAa,EACb,EAAU,EACV,IAAc;IAEd,IAAI,OAAO,KAAK,UAAU;QAAE,OAAO,mBAAmB,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,mCAAmC;IACtG,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC,CAAC,iCAAiC;IACvE,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IAC/E,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;IACzC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,4CAA4C;IACvF,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,4DAA4D;IACzG,MAAM,KAAK,GAAG,UAAU,EAAE,IAAI,CAAC;IAE/B,IAAI,OAAO,KAAK,UAAU,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QAClD,sFAAsF;QACtF,gFAAgF;QAChF,wFAAwF;QACxF,+EAA+E;QAC/E,yFAAyF;QACzF,yFAAyF;QACzF,4FAA4F;QAC5F,yFAAyF;QACzF,8EAA8E;QAC9E,MAAM,GAAG,GACP,OAAO,KAAK,OAAO;YACjB,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC;YACpC,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG;YACZ,cAAc;YACd,uBAAuB,IAAI,EAAE;YAC7B,uBAAuB,EAAE,EAAE;YAC3B,sFAAsF;YACtF,yEAAyE;YACzE,2BAA2B,IAAI,EAAE;YACjC,2BAA2B,IAAI,IAAI;YACnC,yBAAyB,IAAI,IAAI;YACjC,6BAA6B,IAAI,IAAI;YACrC,2BAA2B,IAAI,IAAI;YACnC,WAAW,IAAI,IAAI;YACnB,2BAA2B,EAAE,IAAI,EAAE,+CAA+C;YAClF,yBAAyB,EAAE,IAAI;YAC/B,oFAAoF;YACpF,8FAA8F;YAC9F,uBAAuB,IAAI,EAAE;YAC7B,0BAA0B,IAAI,EAAE;YAChC,2BAA2B,IAAI,IAAI;YACnC,yBAAyB,IAAI,IAAI;YACjC,2BAA2B,IAAI,IAAI,EAAG,6BAA6B;YACnE,UAAU,EAAE,gCAAgC;SAC7C,CAAC;QACF,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;YACxB,sFAAsF;YACtF,sFAAsF;YACtF,KAAK,CAAC,IAAI,CACR,uBAAuB,EAAE,EAAE,EAC3B,2BAA2B,EAAE,EAAE,EAC/B,2BAA2B,EAAE,IAAI,EACjC,yBAAyB,EAAE,IAAI,EAC/B,6BAA6B,EAAE,IAAI,EACnC,2BAA2B,EAAE,IAAI,EACjC,WAAW,EAAE,IAAI,CAClB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC;IACjD,CAAC;IAED,kBAAkB;IAClB,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,qDAAqD;IACnG,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW;IACnG,mGAAmG;IACnG,sFAAsF;IACtF,KAAK,MAAM,EAAE,IAAI,CAAC,GAAG,cAAc,EAAE,GAAG,YAAY,CAAC;QAAE,kBAAkB,CAAC,EAAE,CAAC,CAAC;IAC9E,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,kBAAkB,CAAC;IACnD,MAAM,SAAS,GAAG,eAAe,CAAC,EAAE,CAAC,EAAE,GAAG,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,IAAI,GAAG,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,0CAA0C;IAC/F,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5D,MAAM,QAAQ,GAAG;QACf,gGAAgG;QAChG,6EAA6E;QAC7E,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;QACvD,cAAc,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,0CAA0C;QAC1E,cAAc,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,2CAA2C;QAC3E,qBAAqB,CAAC,KAAK,EAAE,oBAAoB,EAAE,EAAE,CAAC,EAAE,oDAAoD;QAC5G,+FAA+F;QAC/F,iGAAiG;QACjG,gGAAgG;QAChG,qBAAqB,CAAC,KAAK,EAAE,gBAAgB,EAAE,EAAE,CAAC;QAClD,yEAAyE;QACzE,cAAc;QACd,4FAA4F;QAC5F,iGAAiG;QACjG,gGAAgG;QAChG,wFAAwF;QACxF,uBAAuB,IAAI,EAAE,EAAE,uBAAuB,EAAE,EAAE,EAAE,uBAAuB,IAAI,EAAE;QACzF,iGAAiG;QACjG,4FAA4F;QAC5F,4FAA4F;QAC5F,0FAA0F;QAC1F,uEAAuE;QACvE,iGAAiG;QACjG,gGAAgG;QAChG,8FAA8F;QAC9F,8FAA8F;QAC9F,wFAAwF;QACxF,6FAA6F;QAC7F,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,2BAA2B,IAAI,IAAI,SAAS,IAAI,WAAW,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,CAAC;QAC5G,yBAAyB,IAAI,IAAI,SAAS,EAAE;QAC5C,6BAA6B,IAAI,IAAI,SAAS,EAAE;QAChD,2BAA2B,IAAI,IAAI,SAAS,EAAE;QAC9C,qFAAqF;QACrF,yBAAyB,EAAE,IAAI,GAAG,EAAE;QACpC,6BAA6B,EAAE,IAAI,GAAG,EAAE;QACxC,WAAW,EAAE,IAAI,GAAG,IAAI;QACxB,+FAA+F;QAC/F,8FAA8F;QAC9F,gGAAgG;QAChG,0FAA0F;QAC1F,yBAAyB,GAAG,IAAI,IAAI,EAAE;QACtC,6BAA6B,GAAG,IAAI,IAAI,EAAE;QAC1C,WAAW,GAAG,IAAI,IAAI,IAAI;QAC1B,2EAA2E;QAC3E,2BAA2B,EAAE,IAAI;QACjC,yBAAyB,EAAE,IAAI;QAC/B,UAAU;QACV,OAAO,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,EAAE,4CAA4C;QAClF,yFAAyF;QACzF,+FAA+F;QAC/F,0BAA0B,IAAI,EAAE;QAChC,2BAA2B,IAAI,IAAI;QACnC,yBAAyB,IAAI,IAAI;QACjC,mGAAmG;QACnG,oGAAoG;QACpG,uDAAuD;QACvD,uBAAuB,KAAK,EAAE;QAC9B,0BAA0B,KAAK,EAAE;KAClC,CAAC;IACF,IAAI,IAAI,EAAE,CAAC;QACT,yFAAyF;QACzF,oFAAoF;QACpF,wFAAwF;QACxF,QAAQ,CAAC,IAAI,CACX,yBAAyB,IAAI,IAAI,IAAI,EAAE,EACvC,6BAA6B,IAAI,IAAI,IAAI,EAAE,EAC3C,WAAW,IAAI,IAAI,IAAI,IAAI,CAC5B,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,2FAA2F;QAC3F,sFAAsF;QACtF,sFAAsF;QACtF,0FAA0F;QAC1F,6EAA6E;QAC7E,QAAQ,CAAC,IAAI,CAAC,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;IACD,qFAAqF;IACrF,mFAAmF;IACnF,sFAAsF;IACtF,iFAAiF;IACjF,MAAM,OAAO,GAAG;QACd,2BAA2B,EAAE,EAAE;QAC/B,2BAA2B,EAAE,IAAI;QACjC,mCAAmC,EAAE,IAAI;QACzC,2BAA2B,IAAI,EAAE;QACjC,2BAA2B,IAAI,IAAI;QACnC,mCAAmC,IAAI,IAAI;QAC3C,iGAAiG;QACjG,8EAA8E;QAC9E,2BAA2B,GAAG,EAAE;QAChC,2BAA2B,GAAG,IAAI;QAClC,mCAAmC,GAAG,IAAI;KAC3C,CAAC;IACF,iGAAiG;IACjG,iGAAiG;IACjG,mGAAmG;IACnG,oGAAoG;IACpG,gGAAgG;IAChG,6GAA6G;IAC7G,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;IACxE,+FAA+F;IAC/F,wFAAwF;IACxF,MAAM,eAAe,GAAG,GAAG,qBAAqB,CAAC,KAAK,EAAE,gBAAgB,EAAE,EAAE,CAAC,IAAI,CAAC;IAClF,OAAO,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,KAAK,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,EAAE,EAAE,CAAC;AAC3G,CAAC;AAED;;;;;;;;6CAQ6C;AAC7C,SAAS,mBAAmB,CAAC,KAAa,EAAE,EAAU;IACpD,MAAM,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IAC7B,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,EAAE,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IACnF,MAAM,GAAG,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,EAAE,EAAE,IAAI,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;IAC/E,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;IAC9G,MAAM,MAAM,GAAG,CAAC,MAAc,EAAE,EAAE,CAAC;QACjC,uBAAuB,MAAM,EAAE;QAC/B,0BAA0B,MAAM,EAAE,EAAE,SAAS;QAC7C,2BAA2B,MAAM,IAAI,EAAE,4BAA4B;QACnE,yBAAyB,MAAM,IAAI;QACnC,2BAA2B,MAAM,IAAI;KACtC,CAAC;IACF,MAAM,GAAG,GAAG;QACV,cAAc;QACd,uBAAuB,IAAI,EAAE,EAAE,uBAAuB,KAAK,EAAE,EAAE,uBAAuB,GAAG,EAAE;QAC3F,oGAAoG;QACpG,2FAA2F;QAC3F,8FAA8F;QAC9F,0CAA0C;QAC1C,2BAA2B,IAAI,IAAI;QACnC,mCAAmC,IAAI,IAAI;QAC3C,yBAAyB,IAAI,IAAI;QACjC,6BAA6B,IAAI,IAAI;QACrC,2BAA2B,IAAI,IAAI;QACnC,WAAW,IAAI,IAAI;QACnB,oGAAoG;QACpG,wEAAwE;QACxE,2BAA2B,KAAK,IAAI,oBAAoB,IAAI;QAC5D,mCAAmC,KAAK,IAAI,oBAAoB,EAAE;QAClE,yBAAyB,KAAK,IAAI,oBAAoB,EAAE;QACxD,6BAA6B,KAAK,IAAI,oBAAoB,EAAE;QAC5D,2BAA2B,KAAK,IAAI,oBAAoB,EAAE;QAC1D,WAAW,KAAK,IAAI,oBAAoB,IAAI;QAC5C,UAAU,EAAE,gCAAgC;QAC5C,oGAAoG;QACpG,GAAG,MAAM,CAAC,GAAG,CAAC,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC;QAC/D,oGAAoG;QACpG,OAAO,aAAa,CAAC,KAAK,CAAC,IAAI;QAC/B,oFAAoF;QACpF,uBAAuB,GAAG,EAAE,EAAE,0BAA0B,GAAG,EAAE;QAC7D,OAAO,cAAc,CAAC,KAAK,CAAC,UAAU;QACtC,wFAAwF;QACxF,GAAG,CAAC,WAAW,EAAE,GAAG,CAAC,QAAQ;QAC7B,4FAA4F;QAC5F,4FAA4F;QAC5F,kGAAkG;QAClG,iEAAiE;QACjE,GAAG,CAAC,yBAAyB;KAC9B,CAAC;IACF,MAAM,GAAG,GAAG;QACV,UAAU,EAAE,IAAI;QAChB,GAAG,CAAC,iBAAiB,EAAE,6EAA6E;KACrG,CAAC;IACF,OAAO,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC;AACtD,CAAC;AAED;kDACkD;AAClD,MAAM,UAAU,YAAY,CAAC,IAAe,EAAE,IAAwD;IACpG,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC;IAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,WAAW,CAAC;IACtC,4FAA4F;IAC5F,8FAA8F;IAC9F,+FAA+F;IAC/F,+FAA+F;IAC/F,gGAAgG;IAChG,iGAAiG;IACjG,kGAAkG;IAClG,OAAO;QACD,IAAI;QACJ,IAAI;;yBAEa,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC;YAC1C,IAAI,CAAC,QAAQ,CAAC,GAAG;kBACX,IAAI,CAAC,GAAG,CAAC,GAAG;;;IAG1B,IAAI,CAAC,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG;IACrC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG;;CAEhC,CAAC;AACF,CAAC;AAED,kFAAkF;AAElF,MAAM,SAAS,GAAG,WAAW,CAAC;AAE9B,MAAM,UAAU,OAAO,CAAC,IAAY;IAClC,OAAO,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;AACtC,CAAC;AAED;;iGAEiG;AACjG,MAAM,UAAU,aAAa,CAAC,QAAgB,OAAO,CAAC,GAAG,EAAE;IACzD,IAAI,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;IACzB,SAAS,CAAC;QACR,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YAAE,OAAO,GAAG,CAAC;QAChD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,MAAM,KAAK,GAAG;YAAE,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC;QAC1C,GAAG,GAAG,MAAM,CAAC;IACf,CAAC;AACH,CAAC;AAED,6FAA6F;AAC7F,MAAM,UAAU,aAAa,CAAC,GAAW,EAAE,IAAe;IACxD,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpC,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACtF,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC/B,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IACrC,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,CAAc,CAAC;AAC1D,CAAC"}
1
+ {"version":3,"file":"provision.js","sourceRoot":"","sources":["../src/provision.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EACL,cAAc,EACd,aAAa,EACb,UAAU,EACV,QAAQ,GACT,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AACrF,OAAO,EACL,KAAK,EACL,WAAW,EACX,WAAW,EACX,kBAAkB,EAClB,cAAc,EACd,cAAc,EACd,cAAc,EACd,qBAAqB,EACrB,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,EAChB,UAAU,EACV,QAAQ,EACR,UAAU,EACV,SAAS,EACT,WAAW,EACX,eAAe,EACf,SAAS,EACT,WAAW,EACX,UAAU,EACV,cAAc,EACd,aAAa,EACb,aAAa,EACb,SAAS,EACT,gBAAgB,EAChB,cAAc,EACd,mBAAmB,EACnB,qBAAqB,EACrB,wBAAwB,EACxB,uBAAuB,EACvB,cAAc,EACd,oBAAoB,GACrB,MAAM,eAAe,CAAC;AAsBvB,uFAAuF;AACvF,wFAAwF;AACxF,8DAA8D;AAC9D,MAAM,WAAW,GAAG;IAClB,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;IACtD,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI;CAC9B,CAAC;AACX,MAAM,WAAW,GAAG,EAAE,GAAG,WAAW,EAAE,WAAW,EAAE,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,EAAE,CAAC;AAC1E,MAAM,UAAU,GAAG,EAAE,GAAG,WAAW,EAAE,WAAW,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;AAEvE;;;;;;;yEAOyE;AACzE,MAAM,UAAU,cAAc,CAAC,IAAe;IAC5C,OAAO;QACL,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,QAAQ,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE;QAC/B,OAAO,EAAE;YACP,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;YACrB,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,EAAE;YACP,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW;YACrC,UAAU,EAAE,EAAE;SACf;QACD,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE;KAC1B,CAAC;AACJ,CAAC;AAED,4FAA4F;AAC5F,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAa;IACjD,MAAM,GAAG,GAAG,cAAc,EAAE,CAAC;IAC7B,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,aAAa,EAAE,CAAC,CAAC,yCAAyC;IACvE,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,KAAK,CAAC,YAAY,EAAE,CAAC;IAEpC,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,SAAS,KAAK,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE,CAAC,CAAC;IACnG,MAAM,UAAU,GAAG,MAAM,aAAa,CACpC,KAAK,CAAC,KAAK,CAAC,EACZ,GAAG,EACH,EAAE,YAAY,EAAE,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,EAC5D,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IAE1F,MAAM,GAAG,GAAG,CAAC,CAAa,EAAE,EAAE,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC3D,OAAO;QACL,KAAK;QACL,QAAQ,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE;QACxD,OAAO,EAAE;YACP,GAAG,EAAE,GAAG,CAAC,YAAY,EAAE;YACvB,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YACxB,GAAG,EAAE,UAAU;YACf,WAAW,EAAE,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAChC,UAAU,EAAE,IAAI,CAAC,YAAY,EAAE;SAChC;QACD,oGAAoG;QACpG,kGAAkG;QAClG,GAAG,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,EAAE;KACrE,CAAC;AACJ,CAAC;AAiED;;;;;kGAKkG;AAClG,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,WAA+B,EAC/B,IAAe,EACf,QAAkB,EAClB,OAAsB,EAAE;IAExB,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IACxE,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,SAAS,CAAC;IACrF,gGAAgG;IAChG,KAAK,MAAM,EAAE,IAAI,CAAC,GAAG,SAAS,EAAE,GAAG,cAAc,CAAC;QAAE,kBAAkB,CAAC,EAAE,CAAC,CAAC;IAC3E,8FAA8F;IAC9F,4FAA4F;IAC5F,iEAAiE;IACjE,KAAK,MAAM,EAAE,IAAI,SAAS;QACxB,IAAI,CAAC,cAAc,CAAC,cAAc,EAAE,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CACb,8BAA8B,EAAE,mCAAmC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAChG,CAAC;IACN,MAAM,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAChD,MAAM,WAAW,CAAC,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACjD,sGAAsG;IACtG,mGAAmG;IACnG,uGAAuG;IACvG,iGAAiG;IACjG,iGAAiG;IACjG,+DAA+D;IAC/D,IAAI,IAAI,CAAC,iBAAiB,KAAK,KAAK;QAAE,MAAM,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,EAAE,cAAc,CAAC,CAAC;IAC/F,IAAI,IAAI,CAAC,IAAI;QAAE,MAAM,WAAW,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/D,OAAO,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,GAAG,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC;AACzE,CAAC;AAED;;;;;;wDAMwD;AACxD,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAAe,EACf,QAAkB,EAClB,OAAgB,EAChB,OAAiB,EAAE;IAEnB,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;IAC5E,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IACrE,MAAM,OAAO,GAAG,MAAM,UAAU,CAC9B,OAAO,EACP,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC,EACvB,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAC5B,KAAK,EACL,EAAE,MAAM,EAAE,CACX,CAAC;IACF,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACnF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED;;;4BAG4B;AAC5B,SAAS,cAAc,CACrB,OAAgB,EAChB,KAAa,EACb,EAAU,EACV,IAAc;IAEd,IAAI,OAAO,KAAK,UAAU;QAAE,OAAO,mBAAmB,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,mCAAmC;IACtG,IAAI,OAAO,KAAK,eAAe;QAAE,OAAO,uBAAuB,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,kCAAkC;IAC9G,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC,CAAC,iCAAiC;IACvE,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IAC/E,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;IACzC,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,4CAA4C;IACvF,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,wDAAwD;IACvG,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,4DAA4D;IACzG,MAAM,KAAK,GAAG,UAAU,EAAE,IAAI,CAAC;IAE/B,IAAI,OAAO,KAAK,UAAU,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QAClD,sFAAsF;QACtF,gFAAgF;QAChF,wFAAwF;QACxF,+EAA+E;QAC/E,yFAAyF;QACzF,yFAAyF;QACzF,4FAA4F;QAC5F,yFAAyF;QACzF,8EAA8E;QAC9E,MAAM,GAAG,GACP,OAAO,KAAK,OAAO;YACjB,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC;YACpC,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG;YACZ,cAAc;YACd,uBAAuB,IAAI,EAAE;YAC7B,uBAAuB,EAAE,EAAE;YAC3B,sFAAsF;YACtF,yEAAyE;YACzE,2BAA2B,IAAI,EAAE;YACjC,2BAA2B,IAAI,IAAI;YACnC,yBAAyB,IAAI,IAAI;YACjC,6BAA6B,IAAI,IAAI;YACrC,2BAA2B,IAAI,IAAI;YACnC,WAAW,IAAI,IAAI;YACnB,2BAA2B,EAAE,IAAI,EAAE,+CAA+C;YAClF,yBAAyB,EAAE,IAAI;YAC/B,oFAAoF;YACpF,8FAA8F;YAC9F,uBAAuB,IAAI,EAAE;YAC7B,0BAA0B,IAAI,EAAE;YAChC,2BAA2B,IAAI,IAAI;YACnC,yBAAyB,IAAI,IAAI;YACjC,2BAA2B,IAAI,IAAI,EAAG,6BAA6B;YACnE,gGAAgG;YAChG,mGAAmG;YACnG,oGAAoG;YACpG,uBAAuB,KAAK,EAAE;YAC9B,0BAA0B,KAAK,EAAE;YACjC,2BAA2B,KAAK,IAAI;YACpC,yBAAyB,KAAK,IAAI;YAClC,2BAA2B,KAAK,IAAI;YACpC,UAAU,EAAE,gCAAgC;SAC7C,CAAC;QACF,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;YACxB,sFAAsF;YACtF,sFAAsF;YACtF,KAAK,CAAC,IAAI,CACR,uBAAuB,EAAE,EAAE,EAC3B,2BAA2B,EAAE,EAAE,EAC/B,2BAA2B,EAAE,IAAI,EACjC,yBAAyB,EAAE,IAAI,EAC/B,6BAA6B,EAAE,IAAI,EACnC,2BAA2B,EAAE,IAAI,EACjC,WAAW,EAAE,IAAI,CAClB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC;IACjD,CAAC;IAED,kBAAkB;IAClB,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,qDAAqD;IACnG,MAAM,cAAc,GAAG,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW;IACnG,mGAAmG;IACnG,sFAAsF;IACtF,KAAK,MAAM,EAAE,IAAI,CAAC,GAAG,cAAc,EAAE,GAAG,YAAY,CAAC;QAAE,kBAAkB,CAAC,EAAE,CAAC,CAAC;IAC9E,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,kBAAkB,CAAC;IACnD,MAAM,SAAS,GAAG,eAAe,CAAC,EAAE,CAAC,EAAE,GAAG,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,IAAI,GAAG,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,0CAA0C;IAC/F,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5D,MAAM,QAAQ,GAAG;QACf,gGAAgG;QAChG,6EAA6E;QAC7E,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;QACvD,cAAc,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,0CAA0C;QAC1E,cAAc,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,2CAA2C;QAC3E,qBAAqB,CAAC,KAAK,EAAE,oBAAoB,EAAE,EAAE,CAAC,EAAE,oDAAoD;QAC5G,+FAA+F;QAC/F,iGAAiG;QACjG,gGAAgG;QAChG,qBAAqB,CAAC,KAAK,EAAE,gBAAgB,EAAE,EAAE,CAAC;QAClD,yEAAyE;QACzE,cAAc;QACd,4FAA4F;QAC5F,iGAAiG;QACjG,gGAAgG;QAChG,wFAAwF;QACxF,uBAAuB,IAAI,EAAE,EAAE,uBAAuB,EAAE,EAAE,EAAE,uBAAuB,IAAI,EAAE;QACzF,iGAAiG;QACjG,4FAA4F;QAC5F,4FAA4F;QAC5F,0FAA0F;QAC1F,uEAAuE;QACvE,iGAAiG;QACjG,gGAAgG;QAChG,8FAA8F;QAC9F,8FAA8F;QAC9F,wFAAwF;QACxF,6FAA6F;QAC7F,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,2BAA2B,IAAI,IAAI,SAAS,IAAI,WAAW,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,CAAC;QAC5G,yBAAyB,IAAI,IAAI,SAAS,EAAE;QAC5C,6BAA6B,IAAI,IAAI,SAAS,EAAE;QAChD,2BAA2B,IAAI,IAAI,SAAS,EAAE;QAC9C,qFAAqF;QACrF,yBAAyB,EAAE,IAAI,GAAG,EAAE;QACpC,6BAA6B,EAAE,IAAI,GAAG,EAAE;QACxC,WAAW,EAAE,IAAI,GAAG,IAAI;QACxB,+FAA+F;QAC/F,8FAA8F;QAC9F,gGAAgG;QAChG,0FAA0F;QAC1F,yBAAyB,GAAG,IAAI,IAAI,EAAE;QACtC,6BAA6B,GAAG,IAAI,IAAI,EAAE;QAC1C,WAAW,GAAG,IAAI,IAAI,IAAI;QAC1B,2EAA2E;QAC3E,2BAA2B,EAAE,IAAI;QACjC,yBAAyB,EAAE,IAAI;QAC/B,UAAU;QACV,OAAO,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,EAAE,4CAA4C;QAClF,yFAAyF;QACzF,+FAA+F;QAC/F,0BAA0B,IAAI,EAAE;QAChC,2BAA2B,IAAI,IAAI;QACnC,yBAAyB,IAAI,IAAI;QACjC,mGAAmG;QACnG,oGAAoG;QACpG,uDAAuD;QACvD,uBAAuB,KAAK,EAAE;QAC9B,0BAA0B,KAAK,EAAE;KAClC,CAAC;IACF,IAAI,IAAI,EAAE,CAAC;QACT,yFAAyF;QACzF,oFAAoF;QACpF,wFAAwF;QACxF,QAAQ,CAAC,IAAI,CACX,yBAAyB,IAAI,IAAI,IAAI,EAAE,EACvC,6BAA6B,IAAI,IAAI,IAAI,EAAE,EAC3C,WAAW,IAAI,IAAI,IAAI,IAAI,CAC5B,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,2FAA2F;QAC3F,sFAAsF;QACtF,sFAAsF;QACtF,0FAA0F;QAC1F,6EAA6E;QAC7E,QAAQ,CAAC,IAAI,CAAC,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;IACD,qFAAqF;IACrF,mFAAmF;IACnF,sFAAsF;IACtF,iFAAiF;IACjF,MAAM,OAAO,GAAG;QACd,2BAA2B,EAAE,EAAE;QAC/B,2BAA2B,EAAE,IAAI;QACjC,mCAAmC,EAAE,IAAI;QACzC,2BAA2B,IAAI,EAAE;QACjC,2BAA2B,IAAI,IAAI;QACnC,mCAAmC,IAAI,IAAI;QAC3C,iGAAiG;QACjG,8EAA8E;QAC9E,2BAA2B,GAAG,EAAE;QAChC,2BAA2B,GAAG,IAAI;QAClC,mCAAmC,GAAG,IAAI;KAC3C,CAAC;IACF,iGAAiG;IACjG,iGAAiG;IACjG,mGAAmG;IACnG,oGAAoG;IACpG,gGAAgG;IAChG,6GAA6G;IAC7G,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;IACxE,+FAA+F;IAC/F,wFAAwF;IACxF,MAAM,eAAe,GAAG,GAAG,qBAAqB,CAAC,KAAK,EAAE,gBAAgB,EAAE,EAAE,CAAC,IAAI,CAAC;IAClF,OAAO,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,KAAK,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,EAAE,EAAE,CAAC;AAC3G,CAAC;AAED;;;;;;;;6CAQ6C;AAC7C,SAAS,mBAAmB,CAAC,KAAa,EAAE,EAAU;IACpD,MAAM,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IAC7B,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,EAAE,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,EAAE,GAAG,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IACnF,MAAM,GAAG,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,EAAE,EAAE,IAAI,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;IAC/E,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;IAC9G,MAAM,MAAM,GAAG,CAAC,MAAc,EAAE,EAAE,CAAC;QACjC,uBAAuB,MAAM,EAAE;QAC/B,0BAA0B,MAAM,EAAE,EAAE,SAAS;QAC7C,2BAA2B,MAAM,IAAI,EAAE,4BAA4B;QACnE,yBAAyB,MAAM,IAAI;QACnC,2BAA2B,MAAM,IAAI;KACtC,CAAC;IACF,MAAM,GAAG,GAAG;QACV,cAAc;QACd,uBAAuB,IAAI,EAAE,EAAE,uBAAuB,KAAK,EAAE,EAAE,uBAAuB,GAAG,EAAE;QAC3F,oGAAoG;QACpG,2FAA2F;QAC3F,8FAA8F;QAC9F,0CAA0C;QAC1C,2BAA2B,IAAI,IAAI;QACnC,mCAAmC,IAAI,IAAI;QAC3C,yBAAyB,IAAI,IAAI;QACjC,6BAA6B,IAAI,IAAI;QACrC,2BAA2B,IAAI,IAAI;QACnC,WAAW,IAAI,IAAI;QACnB,oGAAoG;QACpG,wEAAwE;QACxE,2BAA2B,KAAK,IAAI,oBAAoB,IAAI;QAC5D,mCAAmC,KAAK,IAAI,oBAAoB,EAAE;QAClE,yBAAyB,KAAK,IAAI,oBAAoB,EAAE;QACxD,6BAA6B,KAAK,IAAI,oBAAoB,EAAE;QAC5D,2BAA2B,KAAK,IAAI,oBAAoB,EAAE;QAC1D,WAAW,KAAK,IAAI,oBAAoB,IAAI;QAC5C,UAAU,EAAE,gCAAgC;QAC5C,oGAAoG;QACpG,GAAG,MAAM,CAAC,GAAG,CAAC,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC;QAC/D,oGAAoG;QACpG,OAAO,aAAa,CAAC,KAAK,CAAC,IAAI;QAC/B,oFAAoF;QACpF,uBAAuB,GAAG,EAAE,EAAE,0BAA0B,GAAG,EAAE;QAC7D,OAAO,cAAc,CAAC,KAAK,CAAC,UAAU;QACtC,wFAAwF;QACxF,GAAG,CAAC,WAAW,EAAE,GAAG,CAAC,QAAQ;QAC7B,4FAA4F;QAC5F,4FAA4F;QAC5F,kGAAkG;QAClG,iEAAiE;QACjE,GAAG,CAAC,yBAAyB;KAC9B,CAAC;IACF,MAAM,GAAG,GAAG;QACV,UAAU,EAAE,IAAI;QAChB,GAAG,CAAC,iBAAiB,EAAE,6EAA6E;KACrG,CAAC;IACF,OAAO,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC;AACtD,CAAC;AAED;;;;;;6EAM6E;AAC7E,SAAS,uBAAuB,CAAC,KAAa,EAAE,EAAU;IACxD,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,qBAAqB;IAC/D,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,2CAA2C;IAC1F,MAAM,MAAM,GAAG,CAAC,MAAc,EAAE,EAAE,CAAC;QACjC,uBAAuB,MAAM,EAAE;QAC/B,0BAA0B,MAAM,EAAE,EAAE,SAAS;QAC7C,2BAA2B,MAAM,IAAI,EAAE,sCAAsC;QAC7E,yBAAyB,MAAM,IAAI;QACnC,2BAA2B,MAAM,IAAI;KACtC,CAAC;IACF,MAAM,GAAG,GAAG;QACV,cAAc;QACd,GAAG,MAAM,CAAC,GAAG,CAAC;QACd,GAAG,MAAM,CAAC,KAAK,CAAC;QAChB,OAAO,gBAAgB,CAAC,KAAK,CAAC,IAAI,EAAE,0CAA0C;QAC9E,UAAU,EAAE,gCAAgC;KAC7C,CAAC;IACF,OAAO,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC;AACrE,CAAC;AAED;;;;;;;;;;2CAU2C;AAC3C,SAAS,6BAA6B,CAAC,SAAiB;IACtD,OAAO;QACL,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC,EAAE;QAChD,GAAG,EAAE;YACH,KAAK,EAAE;gBACL,GAAG,uBAAuB,IAAI;gBAC9B,qBAAqB,CAAC,SAAS,CAAC;gBAChC,wBAAwB,CAAC,SAAS,CAAC;aACpC;SACF;KACF,CAAC;AACJ,CAAC;AAED;;;;;0FAK0F;AAC1F,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAAC,IAAe,EAAE,QAAkB;IACnF,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW;QACvB,MAAM,IAAI,KAAK,CACb,iPAAiP,CAClP,CAAC;IACJ,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;IACxE,MAAM,KAAK,GAAG,6BAA6B,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC9D,MAAM,OAAO,GAAG,MAAM,UAAU,CAC9B,qBAAqB,EACrB,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC,EACvB,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EACxB,KAAK,EACL,EAAE,MAAM,EAAE,CACX,CAAC;IACF,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACnF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED;kDACkD;AAClD,MAAM,UAAU,YAAY,CAAC,IAAe,EAAE,IAAwD;IACpG,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC;IAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,WAAW,CAAC;IACtC,4FAA4F;IAC5F,8FAA8F;IAC9F,+FAA+F;IAC/F,+FAA+F;IAC/F,gGAAgG;IAChG,iGAAiG;IACjG,kGAAkG;IAClG,OAAO;QACD,IAAI;QACJ,IAAI;;yBAEa,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC;YAC1C,IAAI,CAAC,QAAQ,CAAC,GAAG;kBACX,IAAI,CAAC,GAAG,CAAC,GAAG;;;IAG1B,IAAI,CAAC,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG;IACrC,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG;;CAEhC,CAAC;AACF,CAAC"}