@dupecom/botcha-cloudflare 0.16.0 → 0.18.0

package/dist/tap-attestation-routes.js

@@ -0,0 +1,396 @@
+/**
+ * TAP Capability Attestation API Routes
+ *
+ * Endpoints for issuing, retrieving, revoking, and verifying
+ * capability attestation tokens for TAP agents.
+ *
+ * Routes:
+ *   POST   /v1/attestations              — Issue attestation token
+ *   GET    /v1/attestations/:id          — Get attestation details
+ *   GET    /v1/attestations              — List attestations for agent
+ *   POST   /v1/attestations/:id/revoke   — Revoke attestation
+ *   POST   /v1/verify/attestation        — Verify attestation + check capability
+ */
+import { extractBearerToken, verifyToken } from './auth.js';
+import { issueAttestation, getAttestation, revokeAttestation, verifyAttestationToken, verifyAndCheckCapability, isValidCapabilityPattern, } from './tap-attestation.js';
+// ============ VALIDATION HELPERS ============
+async function validateAppAccess(c, requireAuth = true) {
+    const queryAppId = c.req.query('app_id');
+    let jwtAppId;
+    const authHeader = c.req.header('authorization');
+    const token = extractBearerToken(authHeader);
+    if (token) {
+        const result = await verifyToken(token, c.env.JWT_SECRET, c.env);
+        if (result.valid && result.payload) {
+            jwtAppId = result.payload.app_id;
+        }
+    }
+    const appId = queryAppId || jwtAppId;
+    if (requireAuth && !appId) {
+        return { valid: false, error: 'MISSING_APP_ID', status: 401 };
+    }
+    return { valid: true, appId };
+}
+// ============ ROUTE HANDLERS ============
+/**
+ * POST /v1/attestations
+ * Issue a capability attestation token for an agent
+ */
+export async function issueAttestationRoute(c) {
+    try {
+        const appAccess = await validateAppAccess(c, true);
+        if (!appAccess.valid) {
+            return c.json({
+                success: false,
+                error: appAccess.error,
+                message: 'Authentication required'
+            }, (appAccess.status || 401));
+        }
+        const body = await c.req.json().catch(() => ({}));
+        // Validate required fields
+        if (!body.agent_id) {
+            return c.json({
+                success: false,
+                error: 'MISSING_AGENT_ID',
+                message: 'agent_id is required'
+            }, 400);
+        }
+        if (!body.can || !Array.isArray(body.can) || body.can.length === 0) {
+            return c.json({
+                success: false,
+                error: 'MISSING_CAPABILITIES',
+                message: 'At least one "can" rule is required (e.g. ["read:invoices", "browse:*"])'
+            }, 400);
+        }
+        // Validate capability patterns
+        for (const rule of body.can) {
+            if (!isValidCapabilityPattern(rule)) {
+                return c.json({
+                    success: false,
+                    error: 'INVALID_CAPABILITY_PATTERN',
+                    message: `Invalid capability pattern in "can": ${rule}. Use "action:resource" format.`
+                }, 400);
+            }
+        }
+        if (body.cannot && Array.isArray(body.cannot)) {
+            for (const rule of body.cannot) {
+                if (!isValidCapabilityPattern(rule)) {
+                    return c.json({
+                        success: false,
+                        error: 'INVALID_CAPABILITY_PATTERN',
+                        message: `Invalid capability pattern in "cannot": ${rule}. Use "action:resource" format.`
+                    }, 400);
+                }
+            }
+        }
+        const options = {
+            agent_id: body.agent_id,
+            can: body.can,
+            cannot: body.cannot,
+            restrictions: body.restrictions,
+            duration_seconds: body.duration_seconds,
+            delegation_id: body.delegation_id,
+            metadata: body.metadata,
+        };
+        const result = await issueAttestation(c.env.AGENTS, c.env.SESSIONS, appAccess.appId, c.env.JWT_SECRET, options);
+        if (!result.success) {
+            const status = result.error?.includes('not found') ? 404
+                : result.error?.includes('does not belong') ? 403
+                    : result.error?.includes('Too many rules') ? 400
+                        : 400;
+            return c.json({
+                success: false,
+                error: 'ATTESTATION_ISSUANCE_FAILED',
+                message: result.error
+            }, status);
+        }
+        const att = result.attestation;
+        return c.json({
+            success: true,
+            attestation_id: att.attestation_id,
+            agent_id: att.agent_id,
+            app_id: att.app_id,
+            token: att.token,
+            can: att.can,
+            cannot: att.cannot,
+            restrictions: att.restrictions || null,
+            delegation_id: att.delegation_id || null,
+            metadata: att.metadata || null,
+            created_at: new Date(att.created_at).toISOString(),
+            expires_at: new Date(att.expires_at).toISOString(),
+        }, 201);
+    }
+    catch (error) {
+        console.error('Attestation issuance error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+/**
+ * GET /v1/attestations/:id
+ * Get attestation details
+ */
+export async function getAttestationRoute(c) {
+    try {
+        const attestationId = c.req.param('id');
+        if (!attestationId) {
+            return c.json({
+                success: false,
+                error: 'MISSING_ATTESTATION_ID',
+                message: 'Attestation ID is required'
+            }, 400);
+        }
+        const result = await getAttestation(c.env.SESSIONS, attestationId);
+        if (!result.success || !result.attestation) {
+            return c.json({
+                success: false,
+                error: 'ATTESTATION_NOT_FOUND',
+                message: result.error || 'Attestation not found or expired'
+            }, 404);
+        }
+        const att = result.attestation;
+        return c.json({
+            success: true,
+            attestation_id: att.attestation_id,
+            agent_id: att.agent_id,
+            app_id: att.app_id,
+            can: att.can,
+            cannot: att.cannot,
+            restrictions: att.restrictions || null,
+            delegation_id: att.delegation_id || null,
+            metadata: att.metadata || null,
+            created_at: new Date(att.created_at).toISOString(),
+            expires_at: new Date(att.expires_at).toISOString(),
+            revoked: att.revoked,
+            revoked_at: att.revoked_at ? new Date(att.revoked_at).toISOString() : null,
+            revocation_reason: att.revocation_reason || null,
+            time_remaining: Math.max(0, att.expires_at - Date.now()),
+        });
+    }
+    catch (error) {
+        console.error('Attestation retrieval error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+/**
+ * GET /v1/attestations
+ * List attestations for an agent
+ *
+ * Query params:
+ *   agent_id — required, the agent to list attestations for
+ */
+export async function listAttestationsRoute(c) {
+    try {
+        const appAccess = await validateAppAccess(c, true);
+        if (!appAccess.valid) {
+            return c.json({
+                success: false,
+                error: appAccess.error,
+                message: 'Authentication required'
+            }, (appAccess.status || 401));
+        }
+        const agentId = c.req.query('agent_id');
+        if (!agentId) {
+            return c.json({
+                success: false,
+                error: 'MISSING_AGENT_ID',
+                message: 'agent_id query parameter is required'
+            }, 400);
+        }
+        // Get the attestation index for this agent
+        const indexKey = `agent_attestations:${agentId}`;
+        const indexData = await c.env.SESSIONS.get(indexKey, 'text');
+        const attestationIds = indexData ? JSON.parse(indexData) : [];
+        // Fetch each attestation (filter out expired/missing)
+        const attestations = [];
+        for (const id of attestationIds) {
+            const result = await getAttestation(c.env.SESSIONS, id);
+            if (result.success && result.attestation) {
+                const att = result.attestation;
+                // Only include attestations for this app
+                if (att.app_id === appAccess.appId) {
+                    attestations.push({
+                        attestation_id: att.attestation_id,
+                        agent_id: att.agent_id,
+                        can: att.can,
+                        cannot: att.cannot,
+                        created_at: new Date(att.created_at).toISOString(),
+                        expires_at: new Date(att.expires_at).toISOString(),
+                        revoked: att.revoked,
+                        delegation_id: att.delegation_id || null,
+                    });
+                }
+            }
+        }
+        return c.json({
+            success: true,
+            attestations,
+            count: attestations.length,
+            agent_id: agentId,
+        });
+    }
+    catch (error) {
+        console.error('Attestation listing error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+/**
+ * POST /v1/attestations/:id/revoke
+ * Revoke an attestation
+ */
+export async function revokeAttestationRoute(c) {
+    try {
+        const attestationId = c.req.param('id');
+        if (!attestationId) {
+            return c.json({
+                success: false,
+                error: 'MISSING_ATTESTATION_ID',
+                message: 'Attestation ID is required'
+            }, 400);
+        }
+        const appAccess = await validateAppAccess(c, true);
+        if (!appAccess.valid) {
+            return c.json({
+                success: false,
+                error: appAccess.error,
+                message: 'Authentication required'
+            }, (appAccess.status || 401));
+        }
+        // Verify attestation exists and belongs to this app
+        const existing = await getAttestation(c.env.SESSIONS, attestationId);
+        if (!existing.success || !existing.attestation) {
+            return c.json({
+                success: false,
+                error: 'ATTESTATION_NOT_FOUND',
+                message: 'Attestation not found or expired'
+            }, 404);
+        }
+        if (existing.attestation.app_id !== appAccess.appId) {
+            return c.json({
+                success: false,
+                error: 'UNAUTHORIZED',
+                message: 'Attestation does not belong to this app'
+            }, 403);
+        }
+        const body = await c.req.json().catch(() => ({}));
+        const reason = body.reason || undefined;
+        const result = await revokeAttestation(c.env.SESSIONS, attestationId, reason);
+        if (!result.success) {
+            return c.json({
+                success: false,
+                error: 'REVOCATION_FAILED',
+                message: result.error
+            }, 500);
+        }
+        const att = result.attestation;
+        return c.json({
+            success: true,
+            attestation_id: att.attestation_id,
+            revoked: true,
+            revoked_at: att.revoked_at ? new Date(att.revoked_at).toISOString() : null,
+            revocation_reason: att.revocation_reason || null,
+            message: 'Attestation revoked. Token will be rejected on verification.',
+        });
+    }
+    catch (error) {
+        console.error('Attestation revocation error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+/**
+ * POST /v1/verify/attestation
+ * Verify an attestation token and optionally check a specific capability
+ *
+ * Body:
+ *   token     — required, the attestation JWT token
+ *   action    — optional, capability action to check (e.g. "read")
+ *   resource  — optional, capability resource to check (e.g. "invoices")
+ */
+export async function verifyAttestationRoute(c) {
+    try {
+        const body = await c.req.json().catch(() => ({}));
+        if (!body.token) {
+            return c.json({
+                success: false,
+                error: 'MISSING_TOKEN',
+                message: 'Attestation token is required'
+            }, 400);
+        }
+        // If action specified, do full verify+check
+        if (body.action) {
+            const result = await verifyAndCheckCapability(c.env.SESSIONS, body.token, c.env.JWT_SECRET, body.action, body.resource);
+            if (!result.allowed) {
+                return c.json({
+                    success: false,
+                    valid: false,
+                    allowed: false,
+                    agent_id: result.agent_id || null,
+                    error: result.error || result.reason,
+                    matched_rule: result.matched_rule || null,
+                    checked_capability: body.resource ? `${body.action}:${body.resource}` : body.action,
+                }, result.error ? 401 : 403);
+            }
+            return c.json({
+                success: true,
+                valid: true,
+                allowed: true,
+                agent_id: result.agent_id,
+                reason: result.reason,
+                matched_rule: result.matched_rule,
+                checked_capability: body.resource ? `${body.action}:${body.resource}` : body.action,
+            });
+        }
+        // Otherwise just verify the token
+        const verification = await verifyAttestationToken(c.env.SESSIONS, body.token, c.env.JWT_SECRET);
+        if (!verification.valid || !verification.payload) {
+            return c.json({
+                success: false,
+                valid: false,
+                error: verification.error,
+            }, 401);
+        }
+        const payload = verification.payload;
+        return c.json({
+            success: true,
+            valid: true,
+            agent_id: payload.sub,
+            issuer: payload.iss,
+            can: payload.can,
+            cannot: payload.cannot,
+            restrictions: payload.restrictions || null,
+            delegation_id: payload.delegation_id || null,
+            issued_at: new Date(payload.iat * 1000).toISOString(),
+            expires_at: new Date(payload.exp * 1000).toISOString(),
+        });
+    }
+    catch (error) {
+        console.error('Attestation verification error:', error);
+        return c.json({
+            success: false,
+            error: 'INTERNAL_ERROR',
+            message: 'Internal server error'
+        }, 500);
+    }
+}
+export default {
+    issueAttestationRoute,
+    getAttestationRoute,
+    listAttestationsRoute,
+    revokeAttestationRoute,
+    verifyAttestationRoute,
+};

package/dist/tap-attestation.d.ts

@@ -0,0 +1,178 @@
+/**
+ * TAP Capability Attestation
+ *
+ * Signed JWT tokens that cryptographically bind:
+ *   WHO (agent_id) can do WHAT (can/cannot rules) on WHICH resources,
+ *   attested by WHOM (app authority), until WHEN (expiration).
+ *
+ * Permission model: "action:resource" patterns with explicit deny.
+ *   - Allow: { can: ["read:invoices", "write:orders", "browse:*"] }
+ *   - Deny:  { cannot: ["write:transfers", "purchase:*"] }
+ *   - Deny takes precedence over allow
+ *   - Wildcards: "*:*" (all), "read:*" (read anything), "*:invoices" (any action on invoices)
+ *   - Backward compatible: bare actions like "browse" expand to "browse:*"
+ *
+ * Attestation tokens are signed JWTs (HS256) with type 'botcha-attestation'.
+ * They can be verified offline (signature check) or online (revocation check via KV).
+ */
+import type { KVNamespace } from './agents.js';
+export interface AttestationPayload {
+    sub: string;
+    iss: string;
+    type: 'botcha-attestation';
+    jti: string;
+    iat: number;
+    exp: number;
+    can: string[];
+    cannot: string[];
+    restrictions?: {
+        max_amount?: number;
+        rate_limit?: number;
+        [key: string]: any;
+    };
+    delegation_id?: string;
+    metadata?: Record<string, string>;
+}
+export interface Attestation {
+    attestation_id: string;
+    agent_id: string;
+    app_id: string;
+    can: string[];
+    cannot: string[];
+    restrictions?: {
+        max_amount?: number;
+        rate_limit?: number;
+        [key: string]: any;
+    };
+    delegation_id?: string;
+    metadata?: Record<string, string>;
+    token: string;
+    created_at: number;
+    expires_at: number;
+    revoked: boolean;
+    revoked_at?: number;
+    revocation_reason?: string;
+}
+export interface IssueAttestationOptions {
+    agent_id: string;
+    can: string[];
+    cannot?: string[];
+    restrictions?: {
+        max_amount?: number;
+        rate_limit?: number;
+        [key: string]: any;
+    };
+    duration_seconds?: number;
+    delegation_id?: string;
+    metadata?: Record<string, string>;
+}
+export interface AttestationResult {
+    success: boolean;
+    attestation?: Attestation;
+    token?: string;
+    error?: string;
+}
+export interface CapabilityCheckResult {
+    allowed: boolean;
+    reason?: string;
+    matched_rule?: string;
+}
+/**
+ * Normalize a capability string to "action:resource" format.
+ * Bare actions like "browse" expand to "browse:*".
+ */
+export declare function normalizeCapability(cap: string): string;
+/**
+ * Check if a pattern matches a target.
+ * Supports wildcards: "*:*", "read:*", "*:invoices", "read:invoices"
+ */
+export declare function matchesPattern(pattern: string, target: string): boolean;
+/**
+ * Check if a specific action:resource is allowed by the can/cannot rules.
+ *
+ * Rules:
+ * 1. Check "cannot" list first — any match means DENIED (deny takes precedence)
+ * 2. Check "can" list — any match means ALLOWED
+ * 3. If no match in either list — DENIED (default deny)
+ */
+export declare function checkCapability(can: string[], cannot: string[], action: string, resource?: string): CapabilityCheckResult;
+/**
+ * Validate capability pattern syntax.
+ * Valid: "action:resource", "action", "*:*", "read:*", "*:invoices"
+ */
+export declare function isValidCapabilityPattern(pattern: string): boolean;
+/**
+ * Issue a capability attestation token for an agent.
+ *
+ * Validates:
+ * - Agent exists and belongs to the app
+ * - All capability patterns are syntactically valid
+ * - Total rules don't exceed limit
+ *
+ * Signs a JWT with the attestation payload.
+ */
+export declare function issueAttestation(agents: KVNamespace, sessions: KVNamespace, appId: string, secret: string, options: IssueAttestationOptions): Promise<AttestationResult>;
+/**
+ * Get an attestation by ID (from KV, not from JWT)
+ */
+export declare function getAttestation(sessions: KVNamespace, attestationId: string): Promise<AttestationResult>;
+/**
+ * Revoke an attestation.
+ */
+export declare function revokeAttestation(sessions: KVNamespace, attestationId: string, reason?: string): Promise<AttestationResult>;
+/**
+ * Verify an attestation JWT token.
+ *
+ * Checks:
+ * 1. JWT signature and expiration (cryptographic)
+ * 2. Token type is 'botcha-attestation'
+ * 3. Revocation status (via KV, fail-open)
+ *
+ * Returns the parsed attestation payload if valid.
+ */
+export declare function verifyAttestationToken(sessions: KVNamespace, token: string, secret: string): Promise<{
+    valid: boolean;
+    payload?: AttestationPayload;
+    error?: string;
+}>;
+/**
+ * Full capability check: verify attestation token + check specific action:resource.
+ *
+ * Combines token verification with permission checking in one call.
+ */
+export declare function verifyAndCheckCapability(sessions: KVNamespace, token: string, secret: string, action: string, resource?: string): Promise<{
+    allowed: boolean;
+    agent_id?: string;
+    reason?: string;
+    matched_rule?: string;
+    error?: string;
+}>;
+/**
+ * Create a Hono middleware that enforces capability attestation.
+ *
+ * Usage:
+ *   app.get('/api/invoices', requireCapability('read:invoices'), handler);
+ *   app.post('/api/transfers', requireCapability('write:transfers'), handler);
+ *
+ * Extracts attestation token from:
+ *   1. X-Botcha-Attestation header
+ *   2. Authorization: Bearer header (if token type is attestation)
+ *
+ * On failure: returns 403 with capability denial details.
+ * On missing token: returns 401 requesting attestation.
+ */
+export declare function requireCapability(capability: string): (c: any, next: () => Promise<void>) => Promise<any>;
+declare const _default: {
+    issueAttestation: typeof issueAttestation;
+    getAttestation: typeof getAttestation;
+    revokeAttestation: typeof revokeAttestation;
+    verifyAttestationToken: typeof verifyAttestationToken;
+    verifyAndCheckCapability: typeof verifyAndCheckCapability;
+    checkCapability: typeof checkCapability;
+    matchesPattern: typeof matchesPattern;
+    normalizeCapability: typeof normalizeCapability;
+    isValidCapabilityPattern: typeof isValidCapabilityPattern;
+    requireCapability: typeof requireCapability;
+};
+export default _default;
+//# sourceMappingURL=tap-attestation.d.ts.map

package/dist/tap-attestation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tap-attestation.d.ts","sourceRoot":"","sources":["../src/tap-attestation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAK/C,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,oBAAoB,CAAC;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,EAAE,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE;QACb,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;IACF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,WAAW;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,EAAE,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EAAE;QACb,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;IACF,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,EAAE,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,YAAY,CAAC,EAAE;QACb,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;KACpB,CAAC;IACF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAUD;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGvD;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAWvE;AAED;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,MAAM,EAAE,EACb,MAAM,EAAE,MAAM,EAAE,EAChB,MAAM,EAAE,MAAM,EACd,QAAQ,CAAC,EAAE,MAAM,GAChB,qBAAqB,CA8BvB;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAID;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,WAAW,EACnB,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,uBAAuB,GAC/B,OAAO,CAAC,iBAAiB,CAAC,CA6G5B;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,QAAQ,EAAE,WAAW,EACrB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,iBAAiB,CAAC,CAc5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,WAAW,EACrB,aAAa,EAAE,MAAM,EACrB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,iBAAiB,CAAC,CAqC5B;AAED;;;;;;;;;GASG;AACH,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IACT,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,kBAAkB,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC,CAoDD;AAED;;;;GAIG;AACH,wBAAsB,wBAAwB,CAC5C,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC,CA2BD;AAID;;;;;;;;;;;;;GAaG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,IACpC,GAAG,GAAG,EAAE,MAAM,MAAM,OAAO,CAAC,IAAI,CAAC,kBA4ChD;;;;;;;;;;;;;AAiCD,wBAWE"}