@de-otio/chaoskb-server 0.2.0

package/dist/lib/handler/routes/register.js

@@ -0,0 +1,327 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkSignupsEnabled = checkSignupsEnabled;
+exports._resetSignupsCache = _resetSignupsCache;
+exports.handleChallenge = handleChallenge;
+exports.handleRegister = handleRegister;
+const crypto = __importStar(require("crypto"));
+const lib_dynamodb_1 = require("@aws-sdk/lib-dynamodb");
+const audit_js_1 = require("./audit.js");
+const client_ssm_1 = require("@aws-sdk/client-ssm");
+const logger_js_1 = require("../logger.js");
+const github_js_1 = require("./github.js");
+const CHALLENGE_EXPIRY_SECONDS = 60;
+const JSON_HEADERS = { 'Content-Type': 'application/json' };
+let cachedSignupsEnabled = null;
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const ssmClient = new client_ssm_1.SSMClient({});
+async function checkSignupsEnabled(paramName) {
+    const now = Date.now();
+    if (cachedSignupsEnabled && now < cachedSignupsEnabled.expiresAt) {
+        return cachedSignupsEnabled.value;
+    }
+    try {
+        const result = await ssmClient.send(new client_ssm_1.GetParameterCommand({ Name: paramName }));
+        const value = result.Parameter?.Value !== 'false';
+        cachedSignupsEnabled = { value, expiresAt: now + CACHE_TTL_MS };
+        return value;
+    }
+    catch (err) {
+        logger_js_1.logger.error('Failed to fetch signups-enabled parameter', { error: String(err) });
+        // Default to enabled if parameter fetch fails
+        return true;
+    }
+}
+// Exported for testing
+function _resetSignupsCache() {
+    cachedSignupsEnabled = null;
+}
+function tenantIdFromPublicKey(publicKeyBase64) {
+    const hash = crypto.createHash('sha256').update(publicKeyBase64).digest('hex');
+    return hash.slice(0, 32);
+}
+function isValidSSHPublicKey(publicKey) {
+    // Basic validation: must be base64 and reasonable length
+    if (!publicKey || publicKey.length < 16 || publicKey.length > 2048) {
+        return false;
+    }
+    try {
+        const decoded = Buffer.from(publicKey, 'base64');
+        return decoded.length > 0 && publicKey === decoded.toString('base64');
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Verify an Ed25519 signature of a challenge nonce against a public key.
+ * The signed data is: "chaoskb-register\n" + nonce (base64).
+ */
+function verifyRegistrationSignature(publicKeyBase64, nonce, signatureBase64) {
+    try {
+        const publicKeyBuffer = Buffer.from(publicKeyBase64, 'base64');
+        const signatureBuffer = Buffer.from(signatureBase64, 'base64');
+        const data = Buffer.from(`chaoskb-register\n${nonce}`);
+        const keyObject = crypto.createPublicKey({
+            key: Buffer.concat([
+                // Ed25519 DER prefix for a 32-byte public key
+                Buffer.from('302a300506032b6570032100', 'hex'),
+                publicKeyBuffer,
+            ]),
+            format: 'der',
+            type: 'spki',
+        });
+        return crypto.verify(null, data, keyObject, signatureBuffer);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * GET /v1/register/challenge — generate a registration challenge nonce.
+ *
+ * Returns a 32-byte random nonce (base64-encoded) that must be signed by the
+ * client's SSH private key and submitted with the registration request.
+ * Challenge expires after 60 seconds and is single-use.
+ */
+async function handleChallenge(ddb, tableName) {
+    const nonce = crypto.randomBytes(32).toString('base64');
+    const now = Math.floor(Date.now() / 1000);
+    const ttl = now + CHALLENGE_EXPIRY_SECONDS + 60; // DynamoDB TTL: generous buffer
+    const expiresAt = new Date((now + CHALLENGE_EXPIRY_SECONDS) * 1000).toISOString();
+    await ddb.send(new lib_dynamodb_1.PutCommand({
+        TableName: tableName,
+        Item: {
+            PK: `CHALLENGE#${nonce}`,
+            SK: 'META',
+            expiresAt,
+            ttl,
+        },
+    }));
+    logger_js_1.logger.info('Registration challenge created');
+    return {
+        statusCode: 200,
+        headers: JSON_HEADERS,
+        body: JSON.stringify({ challenge: nonce, expiresAt }),
+    };
+}
+async function handleRegister(body, ddb, tableName, signupsParamName) {
+    // Check if signups are enabled
+    const signupsEnabled = await checkSignupsEnabled(signupsParamName);
+    if (!signupsEnabled) {
+        return {
+            statusCode: 403,
+            headers: JSON_HEADERS,
+            body: JSON.stringify({ error: 'signups_disabled', message: 'New registrations are currently disabled' }),
+        };
+    }
+    // Parse and validate request body
+    if (!body) {
+        return {
+            statusCode: 400,
+            headers: JSON_HEADERS,
+            body: JSON.stringify({ error: 'invalid_request', message: 'Request body is required' }),
+        };
+    }
+    let request;
+    try {
+        request = JSON.parse(body);
+    }
+    catch {
+        return {
+            statusCode: 400,
+            headers: JSON_HEADERS,
+            body: JSON.stringify({ error: 'invalid_request', message: 'Invalid JSON body' }),
+        };
+    }
+    if (!request.publicKey) {
+        return {
+            statusCode: 400,
+            headers: JSON_HEADERS,
+            body: JSON.stringify({ error: 'invalid_request', message: 'publicKey is required' }),
+        };
+    }
+    if (!request.signedChallenge || !request.challengeNonce) {
+        return {
+            statusCode: 400,
+            headers: JSON_HEADERS,
+            body: JSON.stringify({ error: 'invalid_request', message: 'signedChallenge and challengeNonce are required' }),
+        };
+    }
+    if (!isValidSSHPublicKey(request.publicKey)) {
+        return {
+            statusCode: 400,
+            headers: JSON_HEADERS,
+            body: JSON.stringify({ error: 'invalid_request', message: 'Invalid SSH public key format' }),
+        };
+    }
+    // Look up and consume the challenge nonce (single-use)
+    const challengeResult = await ddb.send(new lib_dynamodb_1.GetCommand({
+        TableName: tableName,
+        Key: {
+            PK: `CHALLENGE#${request.challengeNonce}`,
+            SK: 'META',
+        },
+    }));
+    if (!challengeResult.Item) {
+        return {
+            statusCode: 400,
+            headers: JSON_HEADERS,
+            body: JSON.stringify({ error: 'invalid_challenge', message: 'Challenge not found or already used' }),
+        };
+    }
+    // Check challenge expiry
+    if (new Date(challengeResult.Item['expiresAt']) < new Date()) {
+        // Clean up expired challenge
+        await ddb.send(new lib_dynamodb_1.DeleteCommand({
+            TableName: tableName,
+            Key: { PK: `CHALLENGE#${request.challengeNonce}`, SK: 'META' },
+        }));
+        return {
+            statusCode: 400,
+            headers: JSON_HEADERS,
+            body: JSON.stringify({ error: 'challenge_expired', message: 'Challenge has expired' }),
+        };
+    }
+    // Consume the challenge (delete it — single-use)
+    await ddb.send(new lib_dynamodb_1.DeleteCommand({
+        TableName: tableName,
+        Key: { PK: `CHALLENGE#${request.challengeNonce}`, SK: 'META' },
+    }));
+    // Verify the SSH signature of the challenge nonce against the public key
+    const validSignature = verifyRegistrationSignature(request.publicKey, request.challengeNonce, request.signedChallenge);
+    if (!validSignature) {
+        logger_js_1.logger.warn('Registration signature verification failed');
+        return {
+            statusCode: 401,
+            headers: JSON_HEADERS,
+            body: JSON.stringify({ error: 'invalid_signature', message: 'Challenge signature verification failed' }),
+        };
+    }
+    // GitHub verification (if --github was provided)
+    if (request.github) {
+        try {
+            const keyOnGitHub = await (0, github_js_1.verifyKeyOnGitHub)(request.publicKey, request.github);
+            if (!keyOnGitHub) {
+                return {
+                    statusCode: 400,
+                    headers: JSON_HEADERS,
+                    body: JSON.stringify({
+                        error: 'github_key_not_found',
+                        message: `Public key not found on GitHub account "${request.github}"`,
+                    }),
+                };
+            }
+        }
+        catch (err) {
+            if (err instanceof github_js_1.GitHubVerificationError) {
+                return {
+                    statusCode: 400,
+                    headers: JSON_HEADERS,
+                    body: JSON.stringify({ error: err.code, message: err.message }),
+                };
+            }
+            throw err;
+        }
+        // Check if an existing tenant is associated with this GitHub username (auto-link)
+        const existingTenantId = await (0, github_js_1.findTenantByGitHub)(request.github, ddb, tableName);
+        if (existingTenantId) {
+            logger_js_1.logger.info('GitHub auto-link: existing tenant found', {
+                existingTenantId,
+                github: request.github,
+            });
+            return {
+                statusCode: 200,
+                headers: JSON_HEADERS,
+                body: JSON.stringify({
+                    status: 'auto_linked',
+                    tenantId: existingTenantId,
+                    github: request.github,
+                }),
+            };
+        }
+    }
+    const tenantId = tenantIdFromPublicKey(request.publicKey);
+    const now = new Date().toISOString();
+    try {
+        await ddb.send(new lib_dynamodb_1.PutCommand({
+            TableName: tableName,
+            Item: {
+                PK: `TENANT#${tenantId}`,
+                SK: 'META',
+                publicKey: request.publicKey,
+                createdAt: now,
+                updatedAt: now,
+                storageUsedBytes: 0,
+            },
+            ConditionExpression: 'attribute_not_exists(SK)',
+        }));
+        logger_js_1.logger.info('Tenant registered', { tenantId, operation: 'register' });
+        // Store GitHub association if provided
+        if (request.github) {
+            await (0, github_js_1.storeGitHubAssociation)(tenantId, request.github, ddb, tableName);
+            await (0, github_js_1.storeGitHubReverseLookup)(request.github, tenantId, ddb, tableName);
+        }
+        await (0, audit_js_1.logAuditEvent)(ddb, tableName, tenantId, {
+            eventType: 'registered',
+            fingerprint: '',
+            metadata: {
+                publicKey: request.publicKey,
+                ...(request.github && { github: request.github }),
+            },
+        });
+        return {
+            statusCode: 201,
+            headers: JSON_HEADERS,
+            body: JSON.stringify({
+                tenantId,
+                publicKey: request.publicKey,
+                ...(request.github && { github: request.github }),
+            }),
+        };
+    }
+    catch (err) {
+        if (err.name === 'ConditionalCheckFailedException') {
+            return {
+                statusCode: 409,
+                headers: JSON_HEADERS,
+                body: JSON.stringify({ error: 'already_registered', message: 'This public key is already registered' }),
+            };
+        }
+        throw err;
+    }
+}
+//# sourceMappingURL=register.js.map

package/dist/lib/handler/routes/register.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.js","sourceRoot":"","sources":["../../../../lib/handler/routes/register.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCA,kDAkBC;AAGD,gDAEC;AAyDD,0CA4BC;AAED,wCA0NC;AA1WD,+CAAiC;AACjC,wDAAsG;AACtG,yCAA2C;AAC3C,oDAAqE;AACrE,4CAAsC;AACtC,2CAMqB;AAerB,MAAM,wBAAwB,GAAG,EAAE,CAAC;AACpC,MAAM,YAAY,GAAG,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;AAE5D,IAAI,oBAAoB,GAAiD,IAAI,CAAC;AAC9E,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AAEhD,MAAM,SAAS,GAAG,IAAI,sBAAS,CAAC,EAAE,CAAC,CAAC;AAE7B,KAAK,UAAU,mBAAmB,CAAC,SAAiB;IACzD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,oBAAoB,IAAI,GAAG,GAAG,oBAAoB,CAAC,SAAS,EAAE,CAAC;QACjE,OAAO,oBAAoB,CAAC,KAAK,CAAC;IACpC,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CACjC,IAAI,gCAAmB,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAC7C,CAAC;QACF,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,EAAE,KAAK,KAAK,OAAO,CAAC;QAClD,oBAAoB,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,GAAG,YAAY,EAAE,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,kBAAM,CAAC,KAAK,CAAC,2CAA2C,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClF,8CAA8C;QAC9C,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,uBAAuB;AACvB,SAAgB,kBAAkB;IAChC,oBAAoB,GAAG,IAAI,CAAC;AAC9B,CAAC;AAED,SAAS,qBAAqB,CAAC,eAAuB;IACpD,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC/E,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,mBAAmB,CAAC,SAAiB;IAC5C,yDAAyD;IACzD,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE,IAAI,SAAS,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;QACnE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QACjD,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,KAAK,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACxE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,2BAA2B,CAClC,eAAuB,EACvB,KAAa,EACb,eAAuB;IAEvB,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QAC/D,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,qBAAqB,KAAK,EAAE,CAAC,CAAC;QAEvD,MAAM,SAAS,GAAG,MAAM,CAAC,eAAe,CAAC;YACvC,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC;gBACjB,8CAA8C;gBAC9C,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,KAAK,CAAC;gBAC9C,eAAe;aAChB,CAAC;YACF,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,MAAM;SACb,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,eAAe,CACnC,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,GAAG,GAAG,wBAAwB,GAAG,EAAE,CAAC,CAAC,gCAAgC;IACjF,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,CAAC,GAAG,GAAG,wBAAwB,CAAC,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAElF,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,yBAAU,CAAC;QACb,SAAS,EAAE,SAAS;QACpB,IAAI,EAAE;YACJ,EAAE,EAAE,aAAa,KAAK,EAAE;YACxB,EAAE,EAAE,MAAM;YACV,SAAS;YACT,GAAG;SACJ;KACF,CAAC,CACH,CAAC;IAEF,kBAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;IAE9C,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,YAAY;QACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;KACtD,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,cAAc,CAClC,IAA+B,EAC/B,GAA2B,EAC3B,SAAiB,EACjB,gBAAwB;IAExB,+BAA+B;IAC/B,MAAM,cAAc,GAAG,MAAM,mBAAmB,CAAC,gBAAgB,CAAC,CAAC;IACnE,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;SACzG,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;SACxF,CAAC;IACJ,CAAC;IAED,IAAI,OAAwB,CAAC;IAC7B,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,mBAAmB,EAAE,CAAC;SACjF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACvB,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;SACrF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,eAAe,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QACxD,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,iDAAiD,EAAE,CAAC;SAC/G,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5C,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;SAC7F,CAAC;IACJ,CAAC;IAED,uDAAuD;IACvD,MAAM,eAAe,GAAG,MAAM,GAAG,CAAC,IAAI,CACpC,IAAI,yBAAU,CAAC;QACb,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE;YACH,EAAE,EAAE,aAAa,OAAO,CAAC,cAAc,EAAE;YACzC,EAAE,EAAE,MAAM;SACX;KACF,CAAC,CACH,CAAC;IAEF,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC;QAC1B,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,OAAO,EAAE,qCAAqC,EAAE,CAAC;SACrG,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,IAAI,IAAI,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,WAAW,CAAW,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACvE,6BAA6B;QAC7B,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,4BAAa,CAAC;YAChB,SAAS,EAAE,SAAS;YACpB,GAAG,EAAE,EAAE,EAAE,EAAE,aAAa,OAAO,CAAC,cAAc,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;SAC/D,CAAC,CACH,CAAC;QACF,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;SACvF,CAAC;IACJ,CAAC;IAED,iDAAiD;IACjD,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,4BAAa,CAAC;QAChB,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE,EAAE,EAAE,EAAE,aAAa,OAAO,CAAC,cAAc,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;KAC/D,CAAC,CACH,CAAC;IAEF,yEAAyE;IACzE,MAAM,cAAc,GAAG,2BAA2B,CAChD,OAAO,CAAC,SAAS,EACjB,OAAO,CAAC,cAAc,EACtB,OAAO,CAAC,eAAe,CACxB,CAAC;IAEF,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,kBAAM,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC1D,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;SACzG,CAAC;IACJ,CAAC;IAED,iDAAiD;IACjD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,IAAA,6BAAiB,EAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YAC/E,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,OAAO;oBACL,UAAU,EAAE,GAAG;oBACf,OAAO,EAAE,YAAY;oBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACnB,KAAK,EAAE,sBAAsB;wBAC7B,OAAO,EAAE,2CAA2C,OAAO,CAAC,MAAM,GAAG;qBACtE,CAAC;iBACH,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,mCAAuB,EAAE,CAAC;gBAC3C,OAAO;oBACL,UAAU,EAAE,GAAG;oBACf,OAAO,EAAE,YAAY;oBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC;iBAChE,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;QAED,kFAAkF;QAClF,MAAM,gBAAgB,GAAG,MAAM,IAAA,8BAAkB,EAAC,OAAO,CAAC,MAAM,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;QAClF,IAAI,gBAAgB,EAAE,CAAC;YACrB,kBAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;gBACrD,gBAAgB;gBAChB,MAAM,EAAE,OAAO,CAAC,MAAM;aACvB,CAAC,CAAC;YACH,OAAO;gBACL,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,YAAY;gBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,MAAM,EAAE,aAAa;oBACrB,QAAQ,EAAE,gBAAgB;oBAC1B,MAAM,EAAE,OAAO,CAAC,MAAM;iBACvB,CAAC;aACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,qBAAqB,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC1D,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,IAAI,CAAC;QACH,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,yBAAU,CAAC;YACb,SAAS,EAAE,SAAS;YACpB,IAAI,EAAE;gBACJ,EAAE,EAAE,UAAU,QAAQ,EAAE;gBACxB,EAAE,EAAE,MAAM;gBACV,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,SAAS,EAAE,GAAG;gBACd,SAAS,EAAE,GAAG;gBACd,gBAAgB,EAAE,CAAC;aACpB;YACD,mBAAmB,EAAE,0BAA0B;SAChD,CAAC,CACH,CAAC;QAEF,kBAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC;QAEtE,uCAAuC;QACvC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,MAAM,IAAA,kCAAsB,EAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;YACvE,MAAM,IAAA,oCAAwB,EAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;QAC3E,CAAC;QAED,MAAM,IAAA,wBAAa,EAAC,GAAG,EAAE,SAAS,EAAE,QAAQ,EAAE;YAC5C,SAAS,EAAE,YAAY;YACvB,WAAW,EAAE,EAAE;YACf,QAAQ,EAAE;gBACR,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC;aAClD;SACF,CAAC,CAAC;QAEH,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,YAAY;YACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,QAAQ;gBACR,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC;aAClD,CAAC;SACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAK,GAAyB,CAAC,IAAI,KAAK,iCAAiC,EAAE,CAAC;YAC1E,OAAO;gBACL,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,YAAY;gBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC;aACxG,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC"}