npm - @emdash-cms/auth - Versions diffs - 0.0.1 - Mend

@emdash-cms/auth 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

package/dist/adapters/kysely.d.mts +62 -0
package/dist/adapters/kysely.d.mts.map +1 -0
package/dist/adapters/kysely.mjs +379 -0
package/dist/adapters/kysely.mjs.map +1 -0
package/dist/authenticate-D5UgaoTH.d.mts +124 -0
package/dist/authenticate-D5UgaoTH.d.mts.map +1 -0
package/dist/authenticate-j5GayLXB.mjs +373 -0
package/dist/authenticate-j5GayLXB.mjs.map +1 -0
package/dist/index.d.mts +444 -0
package/dist/index.d.mts.map +1 -0
package/dist/index.mjs +728 -0
package/dist/index.mjs.map +1 -0
package/dist/oauth/providers/github.d.mts +12 -0
package/dist/oauth/providers/github.d.mts.map +1 -0
package/dist/oauth/providers/github.mjs +55 -0
package/dist/oauth/providers/github.mjs.map +1 -0
package/dist/oauth/providers/google.d.mts +7 -0
package/dist/oauth/providers/google.d.mts.map +1 -0
package/dist/oauth/providers/google.mjs +38 -0
package/dist/oauth/providers/google.mjs.map +1 -0
package/dist/passkey/index.d.mts +2 -0
package/dist/passkey/index.mjs +3 -0
package/dist/types-Bu4irX9A.d.mts +35 -0
package/dist/types-Bu4irX9A.d.mts.map +1 -0
package/dist/types-CiSNpRI9.mjs +60 -0
package/dist/types-CiSNpRI9.mjs.map +1 -0
package/dist/types-HtRc90Wi.d.mts +208 -0
package/dist/types-HtRc90Wi.d.mts.map +1 -0
package/package.json +72 -0
package/src/adapters/kysely.ts +715 -0
package/src/config.ts +214 -0
package/src/index.ts +135 -0
package/src/invite.ts +205 -0
package/src/magic-link/index.ts +150 -0
package/src/oauth/consumer.ts +324 -0
package/src/oauth/providers/github.ts +68 -0
package/src/oauth/providers/google.ts +34 -0
package/src/oauth/types.ts +36 -0
package/src/passkey/authenticate.ts +183 -0
package/src/passkey/index.ts +27 -0
package/src/passkey/register.ts +232 -0
package/src/passkey/types.ts +120 -0
package/src/rbac.test.ts +141 -0
package/src/rbac.ts +205 -0
package/src/signup.ts +210 -0
package/src/tokens.test.ts +141 -0
package/src/tokens.ts +238 -0
package/src/types.ts +352 -0

package/dist/index.d.mts ADDED Viewed

@@ -0,0 +1,444 @@
+import { A as toDeviceType, C as TokenType, D as UserWithDetails, E as UserListItem, M as toTokenType, O as roleFromLevel, S as SessionData, T as User, _ as OAuthConnection, a as AuthToken, b as RoleName, c as DeviceType, d as NewAuthToken, f as NewCredential, g as OAuthClient, h as OAuthAccount, i as AuthErrorCode, j as toRoleLevel, k as roleToLevel, l as EmailAdapter, m as NewUser, n as AuthAdapter, o as AuthenticatorTransport, p as NewOAuthAccount, r as AuthError, s as Credential, t as AllowedDomain, u as EmailMessage, v as Role, w as UpdateUser, x as Session, y as RoleLevel } from "./types-HtRc90Wi.mjs";
+import { a as registerPasskey, c as AuthenticationResponse, d as PasskeyConfig, f as RegistrationOptions, h as VerifiedRegistration, i as generateRegistrationOptions, l as ChallengeData, m as VerifiedAuthentication, n as generateAuthenticationOptions, o as verifyRegistrationResponse, p as RegistrationResponse, r as verifyAuthenticationResponse, s as AuthenticationOptions, t as authenticateWithPasskey, u as ChallengeStore } from "./authenticate-D5UgaoTH.mjs";
+import { i as OAuthState, n as OAuthProfile, r as OAuthProvider, t as OAuthConfig } from "./types-Bu4irX9A.mjs";
+import { github } from "./oauth/providers/github.mjs";
+import { google } from "./oauth/providers/google.mjs";
+import { z } from "zod";
+//#region src/config.d.ts
+/**
+ * Full auth configuration schema
+ */
+declare const authConfigSchema: z.ZodObject<{
+  secret: z.ZodString;
+  passkeys: z.ZodOptional<z.ZodObject<{
+    rpName: z.ZodString;
+    rpId: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>>;
+  selfSignup: z.ZodOptional<z.ZodObject<{
+    domains: z.ZodArray<z.ZodString>;
+    defaultRole: z.ZodDefault<z.ZodEnum<{
+      subscriber: "subscriber";
+      contributor: "contributor";
+      author: "author";
+    }>>;
+  }, z.core.$strip>>;
+  oauth: z.ZodOptional<z.ZodObject<{
+    github: z.ZodOptional<z.ZodObject<{
+      clientId: z.ZodString;
+      clientSecret: z.ZodString;
+    }, z.core.$strip>>;
+    google: z.ZodOptional<z.ZodObject<{
+      clientId: z.ZodString;
+      clientSecret: z.ZodString;
+    }, z.core.$strip>>;
+  }, z.core.$strip>>;
+  provider: z.ZodOptional<z.ZodObject<{
+    enabled: z.ZodBoolean;
+    issuer: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>>;
+  sso: z.ZodOptional<z.ZodObject<{
+    enabled: z.ZodBoolean;
+  }, z.core.$strip>>;
+  session: z.ZodOptional<z.ZodObject<{
+    maxAge: z.ZodDefault<z.ZodNumber>;
+    sliding: z.ZodDefault<z.ZodBoolean>;
+  }, z.core.$strip>>;
+}, z.core.$strip>;
+type AuthConfig = z.infer<typeof authConfigSchema>;
+/**
+ * Validated and resolved auth configuration
+ */
+interface ResolvedAuthConfig {
+  secret: string;
+  baseUrl: string;
+  siteName: string;
+  passkeys: {
+    rpName: string;
+    rpId: string;
+    origin: string;
+  };
+  selfSignup?: {
+    domains: string[];
+    defaultRole: RoleName;
+  };
+  oauth?: {
+    github?: {
+      clientId: string;
+      clientSecret: string;
+    };
+    google?: {
+      clientId: string;
+      clientSecret: string;
+    };
+  };
+  provider?: {
+    enabled: boolean;
+    issuer: string;
+  };
+  sso?: {
+    enabled: boolean;
+  };
+  session: {
+    maxAge: number;
+    sliding: boolean;
+  };
+}
+/**
+ * Resolve auth configuration with defaults
+ */
+declare function resolveConfig(config: AuthConfig, baseUrl: string, siteName: string): ResolvedAuthConfig;
+//#endregion
+//#region src/tokens.d.ts
+/**
+ * Secure token utilities
+ *
+ * Crypto via Oslo.js (@oslojs/crypto). Base64url via @oslojs/encoding.
+ *
+ * Tokens are opaque random values. We store only the SHA-256 hash in the database.
+ */
+/** Valid API token prefixes */
+declare const TOKEN_PREFIXES: {
+  readonly PAT: "ec_pat_";
+  readonly OAUTH_ACCESS: "ec_oat_";
+  readonly OAUTH_REFRESH: "ec_ort_";
+};
+/** All valid API token scopes */
+declare const VALID_SCOPES: readonly ["content:read", "content:write", "media:read", "media:write", "schema:read", "schema:write", "admin"];
+type ApiTokenScope = (typeof VALID_SCOPES)[number];
+/**
+ * Validate that scopes are all valid.
+ * Returns the invalid scopes, or empty array if all valid.
+ */
+declare function validateScopes(scopes: string[]): string[];
+/**
+ * Check if a set of scopes includes a required scope.
+ * The `admin` scope grants access to everything.
+ */
+declare function hasScope(scopes: string[], required: string): boolean;
+/**
+ * Generate a cryptographically secure random token
+ * Returns base64url-encoded string (URL-safe)
+ */
+declare function generateToken(): string;
+/**
+ * Hash a token for storage
+ * We never store raw tokens - only their SHA-256 hash
+ */
+declare function hashToken(token: string): string;
+/**
+ * Generate a token and its hash together
+ */
+declare function generateTokenWithHash(): {
+  token: string;
+  hash: string;
+};
+/**
+ * Generate a session ID (shorter, for cookie storage)
+ */
+declare function generateSessionId(): string;
+/**
+ * Generate an auth secret for configuration
+ */
+declare function generateAuthSecret(): string;
+/**
+ * Generate a prefixed API token and its hash.
+ * Returns the raw token (shown once to the user), the hash (stored server-side),
+ * and a display prefix (for identification in UIs/logs).
+ *
+ * Uses oslo/crypto for SHA-256 hashing.
+ */
+declare function generatePrefixedToken(prefix: string): {
+  raw: string;
+  hash: string;
+  prefix: string;
+};
+/**
+ * Hash a prefixed API token for storage/lookup.
+ * Hashes the full prefixed token string via SHA-256, returns base64url (no padding).
+ */
+declare function hashPrefixedToken(token: string): string;
+/**
+ * Compute an S256 PKCE code challenge from a code verifier.
+ * Used server-side to verify that code_verifier matches the stored code_challenge.
+ *
+ * Equivalent to: BASE64URL(SHA256(ASCII(code_verifier)))
+ */
+declare function computeS256Challenge(codeVerifier: string): string;
+/**
+ * Constant-time comparison to prevent timing attacks
+ */
+declare function secureCompare(a: string, b: string): boolean;
+/**
+ * Encrypt a value using AES-GCM
+ */
+declare function encrypt(plaintext: string, secret: string): Promise<string>;
+/**
+ * Decrypt a value encrypted with encrypt()
+ */
+declare function decrypt(encrypted: string, secret: string): Promise<string>;
+//#endregion
+//#region src/rbac.d.ts
+/**
+ * Permission definitions with minimum role required
+ */
+declare const Permissions: {
+  readonly "content:read": 10;
+  readonly "content:create": 20;
+  readonly "content:edit_own": 30;
+  readonly "content:edit_any": 40;
+  readonly "content:delete_own": 30;
+  readonly "content:delete_any": 40;
+  readonly "content:publish_own": 30;
+  readonly "content:publish_any": 40;
+  readonly "media:read": 10;
+  readonly "media:upload": 20;
+  readonly "media:edit_own": 30;
+  readonly "media:edit_any": 40;
+  readonly "media:delete_own": 30;
+  readonly "media:delete_any": 40;
+  readonly "taxonomies:read": 10;
+  readonly "taxonomies:manage": 40;
+  readonly "comments:read": 10;
+  readonly "comments:moderate": 40;
+  readonly "comments:delete": 50;
+  readonly "comments:settings": 50;
+  readonly "menus:read": 10;
+  readonly "menus:manage": 40;
+  readonly "widgets:read": 10;
+  readonly "widgets:manage": 40;
+  readonly "sections:read": 10;
+  readonly "sections:manage": 40;
+  readonly "redirects:read": 40;
+  readonly "redirects:manage": 50;
+  readonly "users:read": 50;
+  readonly "users:invite": 50;
+  readonly "users:manage": 50;
+  readonly "settings:read": 40;
+  readonly "settings:manage": 50;
+  readonly "schema:read": 40;
+  readonly "schema:manage": 50;
+  readonly "plugins:read": 40;
+  readonly "plugins:manage": 50;
+  readonly "import:execute": 50;
+  readonly "search:read": 10;
+  readonly "search:manage": 50;
+  readonly "auth:manage_own_credentials": 10;
+  readonly "auth:manage_connections": 50;
+};
+type Permission = keyof typeof Permissions;
+/**
+ * Check if a user has a specific permission
+ */
+declare function hasPermission(user: {
+  role: RoleLevel;
+} | null | undefined, permission: Permission): boolean;
+/**
+ * Require a permission, throwing if not met
+ */
+declare function requirePermission(user: {
+  role: RoleLevel;
+} | null | undefined, permission: Permission): asserts user is {
+  role: RoleLevel;
+};
+/**
+ * Check if user can perform action on a resource they own
+ */
+declare function canActOnOwn(user: {
+  role: RoleLevel;
+  id: string;
+} | null | undefined, ownerId: string, ownPermission: Permission, anyPermission: Permission): boolean;
+/**
+ * Require permission on a resource, checking ownership
+ */
+declare function requirePermissionOnResource(user: {
+  role: RoleLevel;
+  id: string;
+} | null | undefined, ownerId: string, ownPermission: Permission, anyPermission: Permission): asserts user is {
+  role: RoleLevel;
+  id: string;
+};
+declare class PermissionError extends Error {
+  code: "unauthorized" | "forbidden";
+  constructor(code: "unauthorized" | "forbidden", message: string);
+}
+/**
+ * Return the maximum set of API token scopes a given role level may hold.
+ *
+ * Used at token issuance time (device flow, authorization code exchange)
+ * to enforce: effective_scopes = requested_scopes ∩ scopesForRole(role).
+ */
+declare function scopesForRole(role: RoleLevel): ApiTokenScope[];
+/**
+ * Clamp a set of requested scopes to those permitted by a user's role.
+ *
+ * Returns the intersection of `requested` and the scopes the role allows.
+ * This is the central policy enforcement point: effective permissions =
+ * role permissions ∩ token scopes.
+ */
+declare function clampScopes(requested: string[], role: RoleLevel): string[];
+//#endregion
+//#region src/magic-link/index.d.ts
+/** Function that sends an email (matches the EmailPipeline.send signature) */
+type EmailSendFn$2 = (message: EmailMessage) => Promise<void>;
+interface MagicLinkConfig {
+  baseUrl: string;
+  siteName: string;
+  /** Optional email sender. When omitted, magic links cannot be sent. */
+  email?: EmailSendFn$2;
+}
+/**
+ * Send a magic link to a user's email.
+ *
+ * Requires `config.email` to be set. Throws if no email sender is configured.
+ */
+declare function sendMagicLink(config: MagicLinkConfig, adapter: AuthAdapter, email: string, type?: "magic_link" | "recovery"): Promise<void>;
+/**
+ * Verify a magic link token and return the user
+ */
+declare function verifyMagicLink(adapter: AuthAdapter, token: string): Promise<User>;
+declare class MagicLinkError extends Error {
+  code: "invalid_token" | "token_expired" | "user_not_found" | "email_not_configured";
+  constructor(code: "invalid_token" | "token_expired" | "user_not_found" | "email_not_configured", message: string);
+}
+//#endregion
+//#region src/invite.d.ts
+/** Escape HTML special characters to prevent injection in email templates */
+declare function escapeHtml(s: string): string;
+/** Function that sends an email (matches the EmailPipeline.send signature) */
+type EmailSendFn = (message: EmailMessage) => Promise<void>;
+interface InviteConfig {
+  baseUrl: string;
+  siteName: string;
+  /** Optional email sender. When omitted, invite URL is returned without sending. */
+  email?: EmailSendFn;
+}
+/** Result of creating an invite token (without sending email) */
+interface InviteTokenResult {
+  /** The complete invite URL */
+  url: string;
+  /** The invite email address */
+  email: string;
+}
+/**
+ * Create an invite token and URL without sending email.
+ *
+ * Validates the user doesn't already exist, generates a token, stores it,
+ * and returns the invite URL. Callers decide whether to send email or
+ * display the URL as a copy-link fallback.
+ */
+declare function createInviteToken(config: Pick<InviteConfig, "baseUrl">, adapter: AuthAdapter, email: string, role: RoleLevel, invitedBy: string): Promise<InviteTokenResult>;
+/**
+ * Create and send an invite to a new user.
+ *
+ * When `config.email` is provided, sends the invite email.
+ * When omitted, creates the token and returns the invite URL
+ * without sending (for the copy-link fallback).
+ */
+declare function createInvite(config: InviteConfig, adapter: AuthAdapter, email: string, role: RoleLevel, invitedBy: string): Promise<InviteTokenResult>;
+/**
+ * Validate an invite token and return the invite data
+ */
+declare function validateInvite(adapter: AuthAdapter, token: string): Promise<{
+  email: string;
+  role: RoleLevel;
+}>;
+/**
+ * Complete the invite process (after passkey registration)
+ */
+declare function completeInvite(adapter: AuthAdapter, token: string, userData: {
+  name?: string;
+  avatarUrl?: string;
+}): Promise<User>;
+declare class InviteError extends Error {
+  code: "invalid_token" | "token_expired" | "user_exists";
+  constructor(code: "invalid_token" | "token_expired" | "user_exists", message: string);
+}
+//#endregion
+//#region src/signup.d.ts
+/** Function that sends an email (matches the EmailPipeline.send signature) */
+type EmailSendFn$1 = (message: EmailMessage) => Promise<void>;
+interface SignupConfig {
+  baseUrl: string;
+  siteName: string;
+  /** Optional email sender. When omitted, signup verification cannot be sent. */
+  email?: EmailSendFn$1;
+}
+/**
+ * Check if an email domain is allowed for self-signup
+ */
+declare function canSignup(adapter: AuthAdapter, email: string): Promise<{
+  allowed: boolean;
+  role: RoleLevel;
+} | null>;
+/**
+ * Request self-signup (sends verification email).
+ *
+ * Requires `config.email` to be set. Throws if no email sender is configured.
+ */
+declare function requestSignup(config: SignupConfig, adapter: AuthAdapter, email: string): Promise<void>;
+/**
+ * Validate a signup verification token
+ */
+declare function validateSignupToken(adapter: AuthAdapter, token: string): Promise<{
+  email: string;
+  role: RoleLevel;
+}>;
+/**
+ * Complete signup process (after passkey registration)
+ */
+declare function completeSignup(adapter: AuthAdapter, token: string, userData: {
+  name?: string;
+  avatarUrl?: string;
+}): Promise<User>;
+declare class SignupError extends Error {
+  code: "invalid_token" | "token_expired" | "user_exists" | "domain_not_allowed" | "email_not_configured";
+  constructor(code: "invalid_token" | "token_expired" | "user_exists" | "domain_not_allowed" | "email_not_configured", message: string);
+}
+//#endregion
+//#region src/oauth/consumer.d.ts
+interface OAuthConsumerConfig {
+  baseUrl: string;
+  providers: {
+    github?: OAuthConfig;
+    google?: OAuthConfig;
+  };
+  /**
+   * Check if self-signup is allowed for this email domain
+   */
+  canSelfSignup?: (email: string) => Promise<{
+    allowed: boolean;
+    role: RoleLevel;
+  } | null>;
+}
+/**
+ * Generate an OAuth authorization URL
+ */
+declare function createAuthorizationUrl(config: OAuthConsumerConfig, providerName: "github" | "google", stateStore: StateStore): Promise<{
+  url: string;
+  state: string;
+}>;
+/**
+ * Handle OAuth callback
+ */
+declare function handleOAuthCallback(config: OAuthConsumerConfig, adapter: AuthAdapter, providerName: "github" | "google", code: string, state: string, stateStore: StateStore): Promise<User>;
+interface StateStore {
+  set(state: string, data: OAuthState): Promise<void>;
+  get(state: string): Promise<OAuthState | null>;
+  delete(state: string): Promise<void>;
+}
+declare class OAuthError extends Error {
+  code: "invalid_state" | "token_exchange_failed" | "profile_fetch_failed" | "user_not_found" | "signup_not_allowed";
+  constructor(code: "invalid_state" | "token_exchange_failed" | "profile_fetch_failed" | "user_not_found" | "signup_not_allowed", message: string);
+}
+//#endregion
+//#region src/index.d.ts
+/**
+ * Create an auth configuration
+ *
+ * This is a helper function that validates the config at runtime.
+ */
+declare function auth(config: AuthConfig): AuthConfig;
+//#endregion
+export { AllowedDomain, type ApiTokenScope, AuthAdapter, type AuthConfig, AuthError, AuthErrorCode, AuthToken, AuthenticationOptions, AuthenticationResponse, AuthenticatorTransport, ChallengeData, ChallengeStore, Credential, DeviceType, type EmailAdapter, type EmailMessage, type EmailSendFn, type InviteConfig, InviteError, type InviteTokenResult, type MagicLinkConfig, MagicLinkError, NewAuthToken, NewCredential, NewOAuthAccount, NewUser, OAuthAccount, OAuthClient, type OAuthConfig, OAuthConnection, type OAuthConsumerConfig, OAuthError, type OAuthProfile, type OAuthProvider, type OAuthState, PasskeyConfig, type Permission, PermissionError, Permissions, RegistrationOptions, RegistrationResponse, type ResolvedAuthConfig, Role, RoleLevel, RoleName, Session, SessionData, type SignupConfig, SignupError, type StateStore, TOKEN_PREFIXES, TokenType, UpdateUser, User, UserListItem, UserWithDetails, VALID_SCOPES, VerifiedAuthentication, VerifiedRegistration, auth, authConfigSchema, authenticateWithPasskey, canActOnOwn, canSignup, clampScopes, completeInvite, completeSignup, computeS256Challenge, createAuthorizationUrl, createInvite, createInviteToken, decrypt, encrypt, escapeHtml, generateAuthSecret, generateAuthenticationOptions, generatePrefixedToken, generateRegistrationOptions, generateSessionId, generateToken, generateTokenWithHash, github, google, handleOAuthCallback, hasPermission, hasScope, hashPrefixedToken, hashToken, registerPasskey, requestSignup, requirePermission, requirePermissionOnResource, resolveConfig, roleFromLevel, roleToLevel, scopesForRole, secureCompare, sendMagicLink, toDeviceType, toRoleLevel, toTokenType, validateInvite, validateScopes, validateSignupToken, verifyAuthenticationResponse, verifyMagicLink, verifyRegistrationResponse };
+//# sourceMappingURL=index.d.mts.map

package/dist/index.d.mts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.mts","names":[],"sources":["../src/config.ts","../src/tokens.ts","../src/rbac.ts","../src/magic-link/index.ts","../src/invite.ts","../src/signup.ts","../src/oauth/consumer.ts","../src/index.ts"],"mappings":";;;;;;;;;;;cA4Ba,gBAAA,EAAgB,CAAA,CAAA,SAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KAwFjB,UAAA,GAAa,CAAA,CAAE,KAAA,QAAa,gBAAA;;;;UAKvB,kBAAA;EAChB,MAAA;EACA,OAAA;EACA,QAAA;EAEA,QAAA;IACC,MAAA;IACA,IAAA;IACA,MAAA;EAAA;EAGD,UAAA;IACC,OAAA;IACA,WAAA,EAAa,QAAA;EAAA;EAGd,KAAA;IACC,MAAA;MACC,QAAA;MACA,YAAA;IAAA;IAED,MAAA;MACC,QAAA;MACA,YAAA;IAAA;EAAA;EAIF,QAAA;IACC,OAAA;IACA,MAAA;EAAA;EAGD,GAAA;IACC,OAAA;EAAA;EAGD,OAAA;IACC,MAAA;IACA,OAAA;EAAA;AAAA;;;;iBAac,aAAA,CACf,MAAA,EAAQ,UAAA,EACR,OAAA,UACA,QAAA,WACE,kBAAA;;;;;;;;;;;cC9JU,cAAA;EAAA;;;;;cAWA,YAAA;AAAA,KAUD,aAAA,WAAwB,YAAA;;;;;iBAMpB,cAAA,CAAe,MAAA;;;;;iBASf,QAAA,CAAS,MAAA,YAAkB,QAAA;;;;;iBAS3B,aAAA,CAAA;;;;;iBAUA,SAAA,CAAU,KAAA;;;;iBASV,qBAAA,CAAA;EAA2B,KAAA;EAAe,IAAA;AAAA;;;;iBAS1C,iBAAA,CAAA;;;;iBASA,kBAAA,CAAA;;;;;;;;iBAiBA,qBAAA,CAAsB,MAAA;EACrC,GAAA;EACA,IAAA;EACA,MAAA;AAAA;;;;;iBAmBe,iBAAA,CAAkB,KAAA;;;;;;;iBAgBlB,oBAAA,CAAqB,YAAA;;;;iBAQrB,aAAA,CAAc,CAAA,UAAW,CAAA;;;;iBA8CnB,OAAA,CAAQ,SAAA,UAAmB,MAAA,WAAiB,OAAA;;;;iBAkB5C,OAAA,CAAQ,SAAA,UAAmB,MAAA,WAAiB,OAAA;;;;;;cCzNrD,WAAA;EAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KA0ED,UAAA,gBAA0B,WAAA;;;;iBAKtB,aAAA,CACf,IAAA;EAAQ,IAAA,EAAM,SAAA;AAAA,sBACd,UAAA,EAAY,UAAA;;;;iBASG,iBAAA,CACf,IAAA;EAAQ,IAAA,EAAM,SAAA;AAAA,sBACd,UAAA,EAAY,UAAA,WACF,IAAA;EAAU,IAAA,EAAM,SAAA;AAAA;;;;iBAYX,WAAA,CACf,IAAA;EAAQ,IAAA,EAAM,SAAA;EAAW,EAAA;AAAA,sBACzB,OAAA,UACA,aAAA,EAAe,UAAA,EACf,aAAA,EAAe,UAAA;;;;iBAYA,2BAAA,CACf,IAAA;EAAQ,IAAA,EAAM,SAAA;EAAW,EAAA;AAAA,sBACzB,OAAA,UACA,aAAA,EAAe,UAAA,EACf,aAAA,EAAe,UAAA,WACL,IAAA;EAAU,IAAA,EAAM,SAAA;EAAW,EAAA;AAAA;AAAA,cASzB,eAAA,SAAwB,KAAA;EAE5B,IAAA;cAAA,IAAA,gCACP,OAAA;AAAA;;;;;;;iBAqCc,aAAA,CAAc,IAAA,EAAM,SAAA,GAAY,aAAA;;;;;;;;iBAgBhC,WAAA,CAAY,SAAA,YAAqB,IAAA,EAAM,SAAA;;;;KC9L3C,aAAA,IAAe,OAAA,EAAS,YAAA,KAAiB,OAAA;AAAA,UAEpC,eAAA;EAChB,OAAA;EACA,QAAA;EHmGC;EGjGD,KAAA,GAAQ,aAAA;AAAA;;;;;;iBAiBa,aAAA,CACrB,MAAA,EAAQ,eAAA,EACR,OAAA,EAAS,WAAA,EACT,KAAA,UACA,IAAA,+BACE,OAAA;;;;iBA0DmB,eAAA,CAAgB,OAAA,EAAS,WAAA,EAAa,KAAA,WAAgB,OAAA,CAAQ,IAAA;AAAA,cA4CvE,cAAA,SAAuB,KAAA;EAE3B,IAAA;cAAA,IAAA,iFACP,OAAA;AAAA;;;;iBCxIc,UAAA,CAAW,CAAA;;KAWf,WAAA,IAAe,OAAA,EAAS,YAAA,KAAiB,OAAA;AAAA,UAEpC,YAAA;EAChB,OAAA;EACA,QAAA;;EAEA,KAAA,GAAQ,WAAA;AAAA;;UAIQ,iBAAA;;EAEhB,GAAA;;EAEA,KAAA;AAAA;;;;;;;;iBAUqB,iBAAA,CACrB,MAAA,EAAQ,IAAA,CAAK,YAAA,cACb,OAAA,EAAS,WAAA,EACT,KAAA,UACA,IAAA,EAAM,SAAA,EACN,SAAA,WACE,OAAA,CAAQ,iBAAA;;;;;;;;iBA8DW,YAAA,CACrB,MAAA,EAAQ,YAAA,EACR,OAAA,EAAS,WAAA,EACT,KAAA,UACA,IAAA,EAAM,SAAA,EACN,SAAA,WACE,OAAA,CAAQ,iBAAA;;;;iBAeW,cAAA,CACrB,OAAA,EAAS,WAAA,EACT,KAAA,WACE,OAAA;EAAU,KAAA;EAAe,IAAA,EAAM,SAAA;AAAA;;;;iBA0BZ,cAAA,CACrB,OAAA,EAAS,WAAA,EACT,KAAA,UACA,QAAA;EACC,IAAA;EACA,SAAA;AAAA,IAEC,OAAA,CAAQ,IAAA;AAAA,cA4BE,WAAA,SAAoB,KAAA;EAExB,IAAA;cAAA,IAAA,qDACP,OAAA;AAAA;;;;KC5LU,aAAA,IAAe,OAAA,EAAS,YAAA,KAAiB,OAAA;AAAA,UAWpC,YAAA;EAChB,OAAA;EACA,QAAA;EL0FC;EKxFD,KAAA,GAAQ,aAAA;AAAA;;;;iBAMa,SAAA,CACrB,OAAA,EAAS,WAAA,EACT,KAAA,WACE,OAAA;EAAU,OAAA;EAAkB,IAAA,EAAM,SAAA;AAAA;;;;;;iBAoBf,aAAA,CACrB,MAAA,EAAQ,YAAA,EACR,OAAA,EAAS,WAAA,EACT,KAAA,WACE,OAAA;;;;iBAkEmB,mBAAA,CACrB,OAAA,EAAS,WAAA,EACT,KAAA,WACE,OAAA;EAAU,KAAA;EAAe,IAAA,EAAM,SAAA;AAAA;;;;iBA0BZ,cAAA,CACrB,OAAA,EAAS,WAAA,EACT,KAAA,UACA,QAAA;EACC,IAAA;EACA,SAAA;AAAA,IAEC,OAAA,CAAQ,IAAA;AAAA,cAmCE,WAAA,SAAoB,KAAA;EAExB,IAAA;cAAA,IAAA,qGAMP,OAAA;AAAA;;;UC7Le,mBAAA;EAChB,OAAA;EACA,SAAA;IACC,MAAA,GAAS,WAAA;IACT,MAAA,GAAS,WAAA;EAAA;;;;EAKV,aAAA,IAAiB,KAAA,aAAkB,OAAA;IAAU,OAAA;IAAkB,IAAA,EAAM,SAAA;EAAA;AAAA;;;;iBAMhD,sBAAA,CACrB,MAAA,EAAQ,mBAAA,EACR,YAAA,uBACA,UAAA,EAAY,UAAA,GACV,OAAA;EAAU,GAAA;EAAa,KAAA;AAAA;;;;iBAuCJ,mBAAA,CACrB,MAAA,EAAQ,mBAAA,EACR,OAAA,EAAS,WAAA,EACT,YAAA,uBACA,IAAA,UACA,KAAA,UACA,UAAA,EAAY,UAAA,GACV,OAAA,CAAQ,IAAA;AAAA,UA4NM,UAAA;EAChB,GAAA,CAAI,KAAA,UAAe,IAAA,EAAM,UAAA,GAAa,OAAA;EACtC,GAAA,CAAI,KAAA,WAAgB,OAAA,CAAQ,UAAA;EAC5B,MAAA,CAAO,KAAA,WAAgB,OAAA;AAAA;AAAA,cAOX,UAAA,SAAmB,KAAA;EAEvB,IAAA;cAAA,IAAA,gHAMP,OAAA;AAAA;;;;;;;;iBC/Lc,IAAA,CAAK,MAAA,EAAD,UAAA,GAAyC,UAAA"}