@did-btcr2/method 0.29.0 → 0.32.0

package/dist/esm/core/aggregation/transport/http/nonce-cache.js

@@ -0,0 +1,38 @@
+/**
+ * Bounded anti-replay cache for `(did, nonce)` pairs.
+ *
+ * Replay windowing is the caller's responsibility — this cache only detects
+ * duplicates. Callers are expected to reject envelopes/headers whose timestamp
+ * is outside the clock-skew window *before* consulting the cache, so entries
+ * here are always within the protocol's acceptable window.
+ *
+ * Eviction is strict-FIFO (Map insertion order) once `maxEntries` is reached.
+ */
+export class NonceCache {
+    #maxEntries;
+    #entries = new Map();
+    constructor(config = {}) {
+        this.#maxEntries = config.maxEntries ?? 10_000;
+    }
+    /**
+     * Record a nonce. Returns `true` if it was novel (caller should accept the
+     * request) or `false` if it was a replay (caller should reject).
+     */
+    store(did, nonce, timestampSec) {
+        const key = `${did}:${nonce}`;
+        if (this.#entries.has(key))
+            return false;
+        this.#entries.set(key, timestampSec);
+        if (this.#entries.size > this.#maxEntries) {
+            const oldest = this.#entries.keys().next();
+            if (!oldest.done)
+                this.#entries.delete(oldest.value);
+        }
+        return true;
+    }
+    /** Current cache size. Exposed for observability and tests. */
+    size() {
+        return this.#entries.size;
+    }
+}
+//# sourceMappingURL=nonce-cache.js.map

package/dist/esm/core/aggregation/transport/http/nonce-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nonce-cache.js","sourceRoot":"","sources":["../../../../../../src/core/aggregation/transport/http/nonce-cache.ts"],"names":[],"mappings":"AAKA;;;;;;;;;GASG;AACH,MAAM,OAAO,UAAU;IACZ,WAAW,CAAS;IACpB,QAAQ,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE9C,YAAY,SAA2B,EAAE;QACvC,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC;IACjD,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,GAAW,EAAE,KAAa,EAAE,YAAoB;QACpD,MAAM,GAAG,GAAG,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;QAC9B,IAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QACxC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QACrC,IAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YACzC,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC;YAC3C,IAAG,CAAC,MAAM,CAAC,IAAI;gBAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,+DAA+D;IAC/D,IAAI;QACF,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC5B,CAAC;CACF"}

package/dist/esm/core/aggregation/transport/http/protocol.js

@@ -0,0 +1,28 @@
+/**
+ * On-the-wire version of the HTTP transport envelope. Separate from
+ * {@link AGGREGATION_WIRE_VERSION} (which versions the aggregation protocol
+ * payloads) so transport-layer changes don't force a protocol bump.
+ */
+export const HTTP_ENVELOPE_VERSION = 1;
+/**
+ * HTTP routes served by {@link HttpServerTransport}. The `{did}` placeholder
+ * in {@link HTTP_ROUTE.ACTOR_INBOX} is substituted with a URL-safe DID at
+ * request time.
+ */
+export const HTTP_ROUTE = {
+    ADVERTS: '/v1/adverts',
+    MESSAGES: '/v1/messages',
+    ACTOR_INBOX: '/v1/actors/{did}/inbox',
+    WELL_KNOWN: '/v1/.well-known/aggregation',
+};
+/** Server-Sent Events event names used by the broadcast + inbox streams. */
+export const SSE_EVENT = {
+    ADVERT: 'advert',
+    MESSAGE: 'message',
+    HEARTBEAT: 'heartbeat',
+};
+/** Default clock-skew tolerance for envelope timestamps (seconds). */
+export const DEFAULT_CLOCK_SKEW_SEC = 60;
+/** Default length of the per-envelope anti-replay nonce (bytes). */
+export const DEFAULT_NONCE_LEN_BYTES = 16;
+//# sourceMappingURL=protocol.js.map

package/dist/esm/core/aggregation/transport/http/protocol.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"protocol.js","sourceRoot":"","sources":["../../../../../../src/core/aggregation/transport/http/protocol.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC;AAEvC;;;;GAIG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,OAAO,EAAO,aAAa;IAC3B,QAAQ,EAAM,cAAc;IAC5B,WAAW,EAAG,wBAAwB;IACtC,UAAU,EAAI,6BAA6B;CACnC,CAAC;AAEX,4EAA4E;AAC5E,MAAM,CAAC,MAAM,SAAS,GAAG;IACvB,MAAM,EAAM,QAAQ;IACpB,OAAO,EAAK,SAAS;IACrB,SAAS,EAAG,WAAW;CACf,CAAC;AAEX,sEAAsE;AACtE,MAAM,CAAC,MAAM,sBAAsB,GAAG,EAAE,CAAC;AAEzC,oEAAoE;AACpE,MAAM,CAAC,MAAM,uBAAuB,GAAG,EAAE,CAAC"}

package/dist/esm/core/aggregation/transport/http/rate-limiter.js

@@ -0,0 +1,45 @@
+export class InMemoryRateLimitStore {
+    #buckets = new Map();
+    get(key) {
+        return this.#buckets.get(key);
+    }
+    set(key, state) {
+        this.#buckets.set(key, state);
+    }
+}
+/**
+ * Token-bucket rate limiter keyed by an opaque string (typically a verified
+ * sender DID). Tokens refill linearly at `rps` up to `burst`. Each `consume`
+ * call atomically debits one token or returns `false` to reject.
+ *
+ * The limiter is synchronous and deterministic given `nowMs` — tests can
+ * drive it with a fixed clock to exercise exact boundaries.
+ */
+export class RateLimiter {
+    #rps;
+    #burst;
+    #store;
+    constructor(config = {}) {
+        this.#rps = config.rps ?? 10;
+        this.#burst = config.burst ?? 30;
+        this.#store = config.store ?? new InMemoryRateLimitStore();
+    }
+    /** Consume one token for `key`. Returns `true` if accepted, `false` if throttled. */
+    consume(key, nowMs) {
+        const existing = this.#store.get(key);
+        const state = existing ?? { tokens: this.#burst, lastRefillMs: nowMs };
+        if (existing) {
+            const elapsedSec = Math.max(0, (nowMs - existing.lastRefillMs) / 1000);
+            state.tokens = Math.min(this.#burst, existing.tokens + elapsedSec * this.#rps);
+            state.lastRefillMs = nowMs;
+        }
+        if (state.tokens < 1) {
+            this.#store.set(key, state);
+            return false;
+        }
+        state.tokens -= 1;
+        this.#store.set(key, state);
+        return true;
+    }
+}
+//# sourceMappingURL=rate-limiter.js.map

package/dist/esm/core/aggregation/transport/http/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../../../../../src/core/aggregation/transport/http/rate-limiter.ts"],"names":[],"mappings":"AAeA,MAAM,OAAO,sBAAsB;IACxB,QAAQ,GAAG,IAAI,GAAG,EAAuB,CAAC;IAEnD,GAAG,CAAC,GAAW;QACb,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAED,GAAG,CAAC,GAAW,EAAE,KAAkB;QACjC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAChC,CAAC;CACF;AAWD;;;;;;;GAOG;AACH,MAAM,OAAO,WAAW;IACb,IAAI,CAAS;IACb,MAAM,CAAS;IACf,MAAM,CAAiB;IAEhC,YAAY,SAA4B,EAAE;QACxC,IAAI,CAAC,IAAI,GAAK,MAAM,CAAC,GAAG,IAAM,EAAE,CAAC;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,KAAK,IAAI,IAAI,sBAAsB,EAAE,CAAC;IAC7D,CAAC;IAED,qFAAqF;IACrF,OAAO,CAAC,GAAW,EAAE,KAAa;QAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,KAAK,GAAgB,QAAQ,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;QAEpF,IAAG,QAAQ,EAAE,CAAC;YACZ,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC,CAAC;YACvE,KAAK,CAAC,MAAM,GAAS,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,GAAG,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;YACrF,KAAK,CAAC,YAAY,GAAG,KAAK,CAAC;QAC7B,CAAC;QAED,IAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC5B,OAAO,KAAK,CAAC;QACf,CAAC;QACD,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC;QAClB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;CACF"}

package/dist/esm/core/aggregation/transport/http/request-auth.js

@@ -0,0 +1,100 @@
+import { canonicalHashBytes } from '@did-btcr2/common';
+import { bytesToHex, hexToBytes, randomBytes } from '@noble/hashes/utils';
+import { HttpTransportError } from './errors.js';
+import { DEFAULT_CLOCK_SKEW_SEC, DEFAULT_NONCE_LEN_BYTES, HTTP_ENVELOPE_VERSION } from './protocol.js';
+/**
+ * `Authorization`-header scheme used to authenticate SSE subscription
+ * requests. The header value takes the form
+ * `BTCR2-Sig v=<n>,did=<did>,ts=<unix>,nonce=<hex>,sig=<hex>`.
+ *
+ * Used only for GET endpoints (SSE inbox subscribe). POST endpoints carry a
+ * full {@link SignedEnvelope} in the request body instead.
+ */
+export const REQUEST_AUTH_SCHEME = 'BTCR2-Sig';
+/**
+ * Build an `Authorization` header value proving the caller controls the
+ * private key for `did`. Covers a specific request path so the signature
+ * can't be replayed against a different endpoint.
+ */
+export function buildRequestAuth(did, keys, path, opts = {}) {
+    const ts = opts.timestamp ?? Math.floor(Date.now() / 1000);
+    const nonce = opts.nonce ?? bytesToHex(randomBytes(DEFAULT_NONCE_LEN_BYTES));
+    const digest = canonicalHashBytes({
+        v: HTTP_ENVELOPE_VERSION,
+        did,
+        ts,
+        nonce,
+        path,
+    });
+    const sig = keys.secretKey.sign(digest, { scheme: 'schnorr' });
+    return `${REQUEST_AUTH_SCHEME} v=${HTTP_ENVELOPE_VERSION},did=${did},ts=${ts},nonce=${nonce},sig=${bytesToHex(sig)}`;
+}
+/**
+ * Parse a `BTCR2-Sig` auth header value into its structured fields. Does NOT
+ * verify the signature — call {@link verifyRequestAuth} for that.
+ */
+export function parseRequestAuth(headerValue) {
+    const prefix = `${REQUEST_AUTH_SCHEME} `;
+    if (!headerValue.startsWith(prefix)) {
+        throw new HttpTransportError(`Unexpected auth scheme (want ${REQUEST_AUTH_SCHEME})`, 'REQUEST_AUTH_SCHEME');
+    }
+    const params = {};
+    for (const piece of headerValue.slice(prefix.length).split(',')) {
+        const eq = piece.indexOf('=');
+        if (eq === -1)
+            continue;
+        const key = piece.slice(0, eq).trim();
+        const val = piece.slice(eq + 1).trim();
+        if (key.length > 0)
+            params[key] = val;
+    }
+    const v = Number(params.v);
+    const ts = Number(params.ts);
+    if (!Number.isInteger(v) || !Number.isInteger(ts) || !params.did || !params.nonce || !params.sig) {
+        throw new HttpTransportError('Malformed auth header (missing or invalid field)', 'REQUEST_AUTH_MALFORMED', { received: Object.keys(params) });
+    }
+    return { v, did: params.did, ts, nonce: params.nonce, sig: params.sig };
+}
+/**
+ * Parse + verify an auth header. Throws {@link HttpTransportError} on any
+ * failure; returns the parsed fields on success.
+ *
+ * `expectedPath` must match the path the signature commits to. `senderPk`
+ * must correspond to the DID the signer claims.
+ */
+export function verifyRequestAuth(headerValue, expectedPath, senderPk, opts = {}) {
+    const parsed = parseRequestAuth(headerValue);
+    if (parsed.v !== HTTP_ENVELOPE_VERSION) {
+        throw new HttpTransportError(`Unsupported auth version: ${parsed.v}`, 'REQUEST_AUTH_VERSION_MISMATCH', { version: parsed.v, expected: HTTP_ENVELOPE_VERSION });
+    }
+    const skewSec = opts.clockSkewSec ?? DEFAULT_CLOCK_SKEW_SEC;
+    const nowMs = opts.now ? opts.now() : Date.now();
+    const nowSec = Math.floor(nowMs / 1000);
+    const diff = Math.abs(nowSec - parsed.ts);
+    if (diff > skewSec) {
+        throw new HttpTransportError(`Auth timestamp out of skew: ${diff}s > ${skewSec}s`, 'REQUEST_AUTH_TIMESTAMP_SKEW', { diff, skewSec });
+    }
+    let sigBytes;
+    try {
+        sigBytes = hexToBytes(parsed.sig);
+    }
+    catch {
+        throw new HttpTransportError('Auth signature is not valid hex', 'REQUEST_AUTH_SIG_HEX');
+    }
+    if (sigBytes.length !== 64) {
+        throw new HttpTransportError(`Invalid auth signature length: ${sigBytes.length}`, 'REQUEST_AUTH_SIG_LENGTH', { length: sigBytes.length });
+    }
+    const digest = canonicalHashBytes({
+        v: parsed.v,
+        did: parsed.did,
+        ts: parsed.ts,
+        nonce: parsed.nonce,
+        path: expectedPath,
+    });
+    const ok = senderPk.verify(sigBytes, digest, { scheme: 'schnorr' });
+    if (!ok) {
+        throw new HttpTransportError('Auth signature verification failed', 'REQUEST_AUTH_SIG_INVALID');
+    }
+    return parsed;
+}
+//# sourceMappingURL=request-auth.js.map

package/dist/esm/core/aggregation/transport/http/request-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-auth.js","sourceRoot":"","sources":["../../../../../../src/core/aggregation/transport/http/request-auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAEvD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAE1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAEvG;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,WAAW,CAAC;AAoB/C;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,GAAY,EACZ,IAAoB,EACpB,IAAY,EACZ,OAAgC,EAAE;IAElC,MAAM,EAAE,GAAM,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,WAAW,CAAC,uBAAuB,CAAC,CAAC,CAAC;IAE7E,MAAM,MAAM,GAAG,kBAAkB,CAAC;QAChC,CAAC,EAAG,qBAAqB;QACzB,GAAG;QACH,EAAE;QACF,KAAK;QACL,IAAI;KACL,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAE/D,OAAO,GAAG,mBAAmB,MAAM,qBAAqB,QAAQ,GAAG,OAAO,EAAE,UAAU,KAAK,QAAQ,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;AACvH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,WAAmB;IAClD,MAAM,MAAM,GAAG,GAAG,mBAAmB,GAAG,CAAC;IACzC,IAAG,CAAC,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,kBAAkB,CAC1B,gCAAgC,mBAAmB,GAAG,EACtD,qBAAqB,CACtB,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAI,MAAM,KAAK,IAAI,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/D,MAAM,EAAE,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAG,EAAE,KAAK,CAAC,CAAC;YAAE,SAAS;QACvB,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACvC,IAAG,GAAG,CAAC,MAAM,GAAG,CAAC;YAAE,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACvC,CAAC;IAED,MAAM,CAAC,GAAI,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC7B,IAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAChG,MAAM,IAAI,kBAAkB,CAC1B,kDAAkD,EAClD,wBAAwB,EACxB,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAClC,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC;AAC1E,CAAC;AAOD;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAC/B,WAAoB,EACpB,YAAoB,EACpB,QAA0C,EAC1C,OAAyC,EAAE;IAE3C,MAAM,MAAM,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IAE7C,IAAG,MAAM,CAAC,CAAC,KAAK,qBAAqB,EAAE,CAAC;QACtC,MAAM,IAAI,kBAAkB,CAC1B,6BAA6B,MAAM,CAAC,CAAC,EAAE,EACvC,+BAA+B,EAC/B,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,EAAE,QAAQ,EAAE,qBAAqB,EAAE,CACvD,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,IAAI,sBAAsB,CAAC;IAC5D,MAAM,KAAK,GAAK,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;IACnD,MAAM,MAAM,GAAI,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IACzC,MAAM,IAAI,GAAM,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC;IAC7C,IAAG,IAAI,GAAG,OAAO,EAAE,CAAC;QAClB,MAAM,IAAI,kBAAkB,CAC1B,+BAA+B,IAAI,OAAO,OAAO,GAAG,EACpD,6BAA6B,EAC7B,EAAE,IAAI,EAAE,OAAO,EAAE,CAClB,CAAC;IACJ,CAAC;IAED,IAAI,QAAoB,CAAC;IACzB,IAAI,CAAC;QACH,QAAQ,GAAG,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,kBAAkB,CAAC,iCAAiC,EAAE,sBAAsB,CAAC,CAAC;IAC1F,CAAC;IACD,IAAG,QAAQ,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1B,MAAM,IAAI,kBAAkB,CAC1B,kCAAkC,QAAQ,CAAC,MAAM,EAAE,EACnD,yBAAyB,EACzB,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAC5B,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,kBAAkB,CAAC;QAChC,CAAC,EAAO,MAAM,CAAC,CAAC;QAChB,GAAG,EAAK,MAAM,CAAC,GAAG;QAClB,EAAE,EAAM,MAAM,CAAC,EAAE;QACjB,KAAK,EAAG,MAAM,CAAC,KAAK;QACpB,IAAI,EAAI,YAAY;KACrB,CAAC,CAAC;IAEH,MAAM,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IACpE,IAAG,CAAC,EAAE,EAAE,CAAC;QACP,MAAM,IAAI,kBAAkB,CAAC,oCAAoC,EAAE,0BAA0B,CAAC,CAAC;IACjG,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}