@dupecom/botcha-cloudflare 0.15.0 → 0.18.0

package/dist/tap-routes.js

@@ -7,6 +7,8 @@
 import { extractBearerToken, verifyToken } from './auth.js';
 import { registerTAPAgent, getTAPAgent, listTAPAgents, createTAPSession, getTAPSession, validateCapability, TAP_VALID_ACTIONS } from './tap-agents.js';
 import { parseTAPIntent } from './tap-verify.js';
+import { createInvoice, getInvoice, verifyPaymentContainer, verifyBrowsingIOU, fulfillInvoice, parsePaymentContainer } from './tap-payment.js';
+import { parseAgenticConsumer, verifyAgenticConsumer } from './tap-consumer.js';
 // ============ VALIDATION HELPERS ============
 async function validateAppAccess(c, requireAuth = true) {
     // Extract app_id from query param or JWT
@@ -41,12 +43,15 @@ function validateTAPRegistration(body) {
         if (!body.signature_algorithm) {
             return { valid: false, error: 'signature_algorithm required when public_key provided' };
         }
-        const validAlgorithms = ['ecdsa-p256-sha256', 'rsa-pss-sha256'];
+        const validAlgorithms = ['ecdsa-p256-sha256', 'rsa-pss-sha256', 'ed25519'];
         if (!validAlgorithms.includes(body.signature_algorithm)) {
             return { valid: false, error: `Unsupported algorithm. Supported: ${validAlgorithms.join(', ')}` };
         }
-        if (!body.public_key.includes('BEGIN PUBLIC KEY')) {
-            return { valid: false, error: 'Invalid PEM public key format' };
+        // PEM format or raw Ed25519 key (32-byte base64)
+        const isPEM = body.public_key.includes('BEGIN PUBLIC KEY');
+        const isRawEd25519 = body.signature_algorithm === 'ed25519' && !isPEM;
+        if (!isPEM && !isRawEd25519) {
+            return { valid: false, error: 'Invalid public key format. Provide PEM or raw Ed25519 base64 key.' };
         }
     }
     // Validate capabilities if provided
@@ -361,6 +366,270 @@ export async function getTAPSessionRoute(c) {
         }, 500);
     }
 }
+// ============ TAP KEY ROTATION ============
+/**
+ * POST /v1/agents/:id/tap/rotate-key
+ * Rotate an agent's public key
+ */
+export async function rotateKeyRoute(c) {
+    try {
+        const agentId = c.req.param('id');
+        if (!agentId) {
+            return c.json({ success: false, error: 'MISSING_AGENT_ID', message: 'Agent ID is required' }, 400);
+        }
+        const appAccess = await validateAppAccess(c, true);
+        if (!appAccess.valid) {
+            return c.json({ success: false, error: appAccess.error, message: 'Authentication required' }, (appAccess.status || 401));
+        }
+        const body = await c.req.json().catch(() => ({}));
+        if (!body.public_key || !body.signature_algorithm) {
+            return c.json({ success: false, error: 'MISSING_FIELDS', message: 'public_key and signature_algorithm are required' }, 400);
+        }
+        // Validate algorithm
+        const validAlgorithms = ['ecdsa-p256-sha256', 'rsa-pss-sha256', 'ed25519'];
+        if (!validAlgorithms.includes(body.signature_algorithm)) {
+            return c.json({ success: false, error: 'INVALID_ALGORITHM', message: `Unsupported algorithm. Supported: ${validAlgorithms.join(', ')}` }, 400);
+        }
+        // Get existing agent
+        const agentResult = await getTAPAgent(c.env.AGENTS, agentId);
+        if (!agentResult.success || !agentResult.agent) {
+            return c.json({ success: false, error: 'AGENT_NOT_FOUND', message: 'Agent not found' }, 404);
+        }
+        const agent = agentResult.agent;
+        // Verify agent belongs to this app
+        if (agent.app_id !== appAccess.appId) {
+            return c.json({ success: false, error: 'UNAUTHORIZED', message: 'Agent does not belong to this app' }, 403);
+        }
+        // Update agent with new key
+        agent.public_key = body.public_key;
+        agent.signature_algorithm = body.signature_algorithm;
+        agent.key_created_at = Date.now();
+        agent.key_expires_at = body.key_expires_at ? new Date(body.key_expires_at).getTime() : undefined;
+        agent.tap_enabled = true;
+        await c.env.AGENTS.put(`agent:${agentId}`, JSON.stringify(agent));
+        return c.json({
+            success: true,
+            agent_id: agent.agent_id,
+            message: 'Key rotated successfully',
+            has_public_key: true,
+            signature_algorithm: agent.signature_algorithm,
+            key_created_at: new Date(agent.key_created_at).toISOString(),
+            key_expires_at: agent.key_expires_at ? new Date(agent.key_expires_at).toISOString() : null,
+            key_fingerprint: agent.public_key ? await generateKeyFingerprint(agent.public_key) : undefined
+        });
+    }
+    catch (error) {
+        console.error('Key rotation error:', error);
+        return c.json({ success: false, error: 'INTERNAL_ERROR', message: 'Internal server error' }, 500);
+    }
+}
+// ============ TAP INVOICE ROUTES (402 FLOW) ============
+/**
+ * POST /v1/invoices
+ * Create an invoice for gated content
+ */
+export async function createInvoiceRoute(c) {
+    try {
+        const appAccess = await validateAppAccess(c, true);
+        if (!appAccess.valid) {
+            return c.json({ success: false, error: appAccess.error, message: 'Authentication required' }, (appAccess.status || 401));
+        }
+        const body = await c.req.json().catch(() => ({}));
+        if (!body.resource_uri || !body.amount || !body.currency || !body.card_acceptor_id) {
+            return c.json({
+                success: false,
+                error: 'MISSING_FIELDS',
+                message: 'resource_uri, amount, currency, and card_acceptor_id are required'
+            }, 400);
+        }
+        const result = await createInvoice(c.env.INVOICES, appAccess.appId, {
+            resource_uri: body.resource_uri,
+            amount: body.amount,
+            currency: body.currency,
+            card_acceptor_id: body.card_acceptor_id,
+            description: body.description,
+            ttl_seconds: body.ttl_seconds,
+        });
+        if (!result.success) {
+            return c.json({ success: false, error: 'INVOICE_CREATION_FAILED', message: result.error }, 500);
+        }
+        return c.json({
+            success: true,
+            ...result.invoice,
+            created_at: new Date(result.invoice.created_at).toISOString(),
+            expires_at: new Date(result.invoice.expires_at).toISOString(),
+        }, 201);
+    }
+    catch (error) {
+        console.error('Invoice creation error:', error);
+        return c.json({ success: false, error: 'INTERNAL_ERROR', message: 'Internal server error' }, 500);
+    }
+}
+/**
+ * GET /v1/invoices/:id
+ * Get invoice details
+ */
+export async function getInvoiceRoute(c) {
+    try {
+        const invoiceId = c.req.param('id');
+        if (!invoiceId) {
+            return c.json({ success: false, error: 'MISSING_INVOICE_ID', message: 'Invoice ID is required' }, 400);
+        }
+        const result = await getInvoice(c.env.INVOICES, invoiceId);
+        if (!result.success) {
+            return c.json({ success: false, error: 'INVOICE_NOT_FOUND', message: result.error || 'Invoice not found' }, 404);
+        }
+        return c.json({
+            success: true,
+            ...result.invoice,
+            created_at: new Date(result.invoice.created_at).toISOString(),
+            expires_at: new Date(result.invoice.expires_at).toISOString(),
+        });
+    }
+    catch (error) {
+        console.error('Invoice retrieval error:', error);
+        return c.json({ success: false, error: 'INTERNAL_ERROR', message: 'Internal server error' }, 500);
+    }
+}
+/**
+ * POST /v1/invoices/:id/verify-iou
+ * Verify a Browsing IOU against an invoice
+ */
+export async function verifyIOURoute(c) {
+    try {
+        const invoiceId = c.req.param('id');
+        if (!invoiceId) {
+            return c.json({ success: false, error: 'MISSING_INVOICE_ID', message: 'Invoice ID is required' }, 400);
+        }
+        const body = await c.req.json().catch(() => ({}));
+        if (!body.browsingIOU) {
+            return c.json({ success: false, error: 'MISSING_IOU', message: 'browsingIOU object is required' }, 400);
+        }
+        // Get the invoice
+        const invoiceResult = await getInvoice(c.env.INVOICES, invoiceId);
+        if (!invoiceResult.success || !invoiceResult.invoice) {
+            return c.json({ success: false, error: 'INVOICE_NOT_FOUND', message: 'Invoice not found or expired' }, 404);
+        }
+        // Get the agent's public key for signature verification
+        const agentKeyId = body.browsingIOU.kid;
+        if (!agentKeyId) {
+            return c.json({ success: false, error: 'MISSING_KEY_ID', message: 'browsingIOU must include kid' }, 400);
+        }
+        // For now, try to find the key in our agent registry
+        // Future: also check federated sources
+        let publicKey = null;
+        const agentIndex = await c.env.AGENTS.get(`app_agents:${invoiceResult.invoice.app_id}`, 'text');
+        if (agentIndex) {
+            const agentIds = JSON.parse(agentIndex);
+            for (const agentId of agentIds) {
+                const agentData = await c.env.AGENTS.get(`agent:${agentId}`, 'text');
+                if (agentData) {
+                    const agent = JSON.parse(agentData);
+                    if (agent.public_key) {
+                        publicKey = agent.public_key;
+                        break;
+                    }
+                }
+            }
+        }
+        if (!publicKey) {
+            return c.json({ success: false, error: 'KEY_NOT_FOUND', message: 'Could not resolve public key for verification' }, 404);
+        }
+        // Verify the IOU
+        const iouResult = await verifyBrowsingIOU(body.browsingIOU, invoiceResult.invoice, publicKey, body.browsingIOU.alg || 'ES256');
+        if (!iouResult.valid) {
+            return c.json({ success: false, verified: false, error: iouResult.error }, 400);
+        }
+        // Fulfill the invoice
+        const fulfillResult = await fulfillInvoice(c.env.INVOICES, invoiceId, body.browsingIOU);
+        return c.json({
+            success: true,
+            verified: true,
+            access_token: fulfillResult.access_token,
+            expires_at: fulfillResult.access_token ? new Date(Date.now() + 300000).toISOString() : undefined,
+        });
+    }
+    catch (error) {
+        console.error('IOU verification error:', error);
+        return c.json({ success: false, error: 'INTERNAL_ERROR', message: 'Internal server error' }, 500);
+    }
+}
+// ============ TAP VERIFICATION UTILITY ROUTES ============
+/**
+ * POST /v1/verify/consumer
+ * Verify an Agentic Consumer Recognition Object (utility endpoint)
+ */
+export async function verifyConsumerRoute(c) {
+    try {
+        const body = await c.req.json().catch(() => ({}));
+        const consumer = parseAgenticConsumer(body);
+        if (!consumer) {
+            return c.json({ success: false, error: 'INVALID_CONSUMER_OBJECT', message: 'Invalid or missing agenticConsumer object' }, 400);
+        }
+        // Need header nonce and public key for full verification
+        const headerNonce = body.headerNonce || c.req.header('x-tap-nonce');
+        const publicKey = body.publicKey;
+        const algorithm = body.algorithm || consumer.alg;
+        if (!publicKey) {
+            return c.json({
+                success: true,
+                parsed: true,
+                verified: false,
+                message: 'Consumer object parsed but publicKey required for signature verification',
+                contextualData: consumer.contextualData,
+                hasIdToken: Boolean(consumer.idToken),
+                nonceLinked: headerNonce ? consumer.nonce === headerNonce : null,
+            });
+        }
+        const result = await verifyAgenticConsumer(consumer, headerNonce || '', publicKey, algorithm);
+        return c.json({
+            success: true,
+            ...result,
+        });
+    }
+    catch (error) {
+        console.error('Consumer verification error:', error);
+        return c.json({ success: false, error: 'INTERNAL_ERROR', message: 'Internal server error' }, 500);
+    }
+}
+/**
+ * POST /v1/verify/payment
+ * Verify an Agentic Payment Container (utility endpoint)
+ */
+export async function verifyPaymentRoute(c) {
+    try {
+        const body = await c.req.json().catch(() => ({}));
+        const container = parsePaymentContainer(body);
+        if (!container) {
+            return c.json({ success: false, error: 'INVALID_PAYMENT_CONTAINER', message: 'Invalid or missing agenticPaymentContainer object' }, 400);
+        }
+        const headerNonce = body.headerNonce || c.req.header('x-tap-nonce');
+        const publicKey = body.publicKey;
+        const algorithm = body.algorithm || container.alg;
+        if (!publicKey) {
+            return c.json({
+                success: true,
+                parsed: true,
+                verified: false,
+                message: 'Payment container parsed but publicKey required for signature verification',
+                nonceLinked: headerNonce ? container.nonce === headerNonce : null,
+                hasCardMetadata: Boolean(container.cardMetadata),
+                hasCredentialHash: Boolean(container.credentialHash),
+                hasPayload: Boolean(container.payload),
+                hasBrowsingIOU: Boolean(container.browsingIOU),
+            });
+        }
+        const result = await verifyPaymentContainer(container, headerNonce || '', publicKey, algorithm);
+        return c.json({
+            success: true,
+            ...result,
+        });
+    }
+    catch (error) {
+        console.error('Payment verification error:', error);
+        return c.json({ success: false, error: 'INTERNAL_ERROR', message: 'Internal server error' }, 500);
+    }
+}
 // ============ UTILITY FUNCTIONS ============
 async function generateKeyFingerprint(publicKey) {
     const normalized = publicKey.replace(/\s/g, '').replace(/-----[^-]+-----/g, '');
@@ -375,5 +644,11 @@ export default {
     getTAPAgentRoute,
     listTAPAgentsRoute,
     createTAPSessionRoute,
-    getTAPSessionRoute
+    getTAPSessionRoute,
+    rotateKeyRoute,
+    createInvoiceRoute,
+    getInvoiceRoute,
+    verifyIOURoute,
+    verifyConsumerRoute,
+    verifyPaymentRoute,
 };

package/dist/tap-verify.d.ts

@@ -4,7 +4,15 @@
  *
  * Integrates with existing BOTCHA verification middleware to provide
  * enterprise-grade cryptographic agent authentication
+ *
+ * FEATURES:
+ * - Ed25519, ECDSA P-256, RSA-PSS signature verification
+ * - Full RFC 9421 compliance (sig1/sig2 labels, expires, nonce, tag)
+ * - Nonce replay protection via KV
+ * - TAP timestamp validation (created, expires, 8-minute max window)
+ * - Backward compatible with existing BOTCHA agents
  */
+import type { KVNamespace } from './agents.js';
 export interface TAPVerificationRequest {
     method: string;
     path: string;
@@ -26,6 +34,10 @@ export interface TAPVerificationResult {
         signature_valid?: boolean;
         intent_valid?: boolean;
         capabilities?: string[];
+        tag?: string;
+        nonce?: string;
+        key_id?: string;
+        algorithm?: string;
     };
 }
 export interface TAPHeaders {
@@ -36,12 +48,34 @@ export interface TAPHeaders {
     'signature'?: string;
     'signature-input'?: string;
 }
+export interface ParsedSignatureInput {
+    label: string;
+    components: string[];
+    created: number;
+    expires?: number;
+    keyId: string;
+    algorithm: string;
+    nonce?: string;
+    tag?: string;
+}
 /**
  * Verify HTTP Message Signature according to RFC 9421
  */
-export declare function verifyHTTPMessageSignature(request: TAPVerificationRequest, publicKey: string, algorithm: string): Promise<{
+export declare function verifyHTTPMessageSignature(request: TAPVerificationRequest, publicKey: string, algorithm: string, nonces?: KVNamespace | null): Promise<{
     valid: boolean;
     error?: string;
+    metadata?: {
+        nonce?: string;
+        tag?: string;
+        key_id?: string;
+    };
+}>;
+/**
+ * Check if nonce was already used and store it if new
+ * Returns { replay: true } if nonce was seen before
+ */
+export declare function checkAndStoreNonce(nonces: KVNamespace | null, nonce: string): Promise<{
+    replay: boolean;
 }>;
 /**
  * Parse and validate TAP intent from headers
@@ -58,10 +92,12 @@ export declare function parseTAPIntent(intentString: string): {
 };
 /**
  * Extract TAP-specific headers from request
+ * Supports BOTH standard TAP (sig2 + tag) and BOTCHA extended (x-tap-* headers)
  */
 export declare function extractTAPHeaders(headers: Record<string, string>): {
     hasTAPHeaders: boolean;
     tapHeaders: TAPHeaders;
+    isTAPStandard?: boolean;
 };
 /**
  * Determine appropriate verification mode based on headers
@@ -71,6 +107,10 @@ export declare function getVerificationMode(headers: Record<string, string>): {
     hasTAPHeaders: boolean;
     hasChallenge: boolean;
 };
+/**
+ * Map TAP action to appropriate tag
+ */
+export declare function actionToTag(action: string): 'agent-browser-auth' | 'agent-payer-auth';
 /**
  * Build appropriate challenge response for TAP verification failure
  */
@@ -81,6 +121,8 @@ declare const _default: {
     extractTAPHeaders: typeof extractTAPHeaders;
     getVerificationMode: typeof getVerificationMode;
     buildTAPChallengeResponse: typeof buildTAPChallengeResponse;
+    checkAndStoreNonce: typeof checkAndStoreNonce;
+    actionToTag: typeof actionToTag;
 };
 export default _default;
 //# sourceMappingURL=tap-verify.d.ts.map

package/dist/tap-verify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tap-verify.d.ts","sourceRoot":"","sources":["../src/tap-verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mBAAmB,EAAE,KAAK,GAAG,WAAW,GAAG,gBAAgB,CAAC;IAC5D,iBAAiB,EAAE;QACjB,aAAa,EAAE,OAAO,CAAC;QACvB,aAAa,EAAE,OAAO,CAAC;KACxB,CAAC;IACF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE;QACT,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;KACzB,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAID;;GAEG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,sBAAsB,EAC/B,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAiD7C;AAkLD;;GAEG;AACH,wBAAgB,cAAc,CAAC,YAAY,EAAE,MAAM,GAAG;IACpD,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE;QACP,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,CAAC;IACF,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAyBA;AAID;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG;IAClE,aAAa,EAAE,OAAO,CAAC;IACvB,UAAU,EAAE,UAAU,CAAC;CACxB,CAkBA;AAID;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG;IACpE,IAAI,EAAE,KAAK,GAAG,gBAAgB,GAAG,gBAAgB,CAAC;IAClD,aAAa,EAAE,OAAO,CAAC;IACvB,YAAY,EAAE,OAAO,CAAC;CACvB,CAkBA;AAID;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,kBAAkB,EAAE,qBAAqB,EACzC,aAAa,CAAC,EAAE,GAAG,OAuCpB;;;;;;;;AAED,wBAME"}
+{"version":3,"file":"tap-verify.d.ts","sourceRoot":"","sources":["../src/tap-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAI/C,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mBAAmB,EAAE,KAAK,GAAG,WAAW,GAAG,gBAAgB,CAAC;IAC5D,iBAAiB,EAAE;QACjB,aAAa,EAAE,OAAO,CAAC;QACvB,aAAa,EAAE,OAAO,CAAC;KACxB,CAAC;IACF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE;QACT,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAID;;GAEG;AACH,wBAAsB,0BAA0B,CAC9C,OAAO,EAAE,sBAAsB,EAC/B,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,WAAW,GAAG,IAAI,GAC1B,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAAC,CA4D3G;AAiTD;;;GAGG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,WAAW,GAAG,IAAI,EAC1B,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC;IAAE,MAAM,EAAE,OAAO,CAAA;CAAE,CAAC,CAwB9B;AAID;;GAEG;AACH,wBAAgB,cAAc,CAAC,YAAY,EAAE,MAAM,GAAG;IACpD,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE;QACP,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;QACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;KACnB,CAAC;IACF,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAyBA;AAID;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG;IAClE,aAAa,EAAE,OAAO,CAAC;IACvB,UAAU,EAAE,UAAU,CAAC;IACvB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,CA2BA;AAID;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG;IACpE,IAAI,EAAE,KAAK,GAAG,gBAAgB,GAAG,gBAAgB,CAAC;IAClD,aAAa,EAAE,OAAO,CAAC;IACvB,YAAY,EAAE,OAAO,CAAC;CACvB,CAkBA;AAID;;GAEG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,oBAAoB,GAAG,kBAAkB,CAGrF;AAID;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,kBAAkB,EAAE,qBAAqB,EACzC,aAAa,CAAC,EAAE,GAAG,OAwCpB;;;;;;;;;;AAED,wBAQE"}