@emulators/okta 0.4.1 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/fonts/favicon.ico +0 -0
- package/dist/index.js +215 -73
- package/dist/index.js.map +1 -1
- package/package.json +5 -3
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/helpers.ts","../../core/src/store.ts","../../core/src/server.ts","../../core/src/webhooks.ts","../../core/src/middleware/error-handler.ts","../../core/src/middleware/auth.ts","../../core/src/debug.ts","../../core/src/fonts.ts","../../core/src/middleware/pagination.ts","../../core/src/ui.ts","../../core/src/oauth-helpers.ts","../../core/src/persistence.ts","../src/route-helpers.ts","../src/store.ts","../src/routes/apps.ts","../src/routes/auth-servers.ts","../src/routes/groups.ts","../src/routes/oauth.ts","../src/routes/users.ts","../src/index.ts"],"sourcesContent":["import { randomUUID } from \"node:crypto\";\nimport type {\n OktaAuthorizationServer,\n OktaAuthorizationServerStatus,\n OktaApp,\n OktaAppStatus,\n OktaGroup,\n OktaGroupType,\n OktaUser,\n OktaUserStatus,\n} from \"./entities.js\";\n\nexport const ORG_AUTH_SERVER_ID = \"org\";\nexport const DEFAULT_AUTH_SERVER_ID = \"default\";\nexport const DEFAULT_AUDIENCE = \"api://default\";\nexport const DEFAULT_EVERYONE_GROUP_NAME = \"Everyone\";\nexport const DEFAULT_EVERYONE_GROUP_ID = \"00g_everyone\";\n\nexport function nowIso(): string {\n return new Date().toISOString();\n}\n\nexport function generateOktaId(prefix: string): string {\n const compact = randomUUID().replace(/-/g, \"\");\n return `${prefix}${compact.slice(0, 17)}`;\n}\n\nexport function normalizeStatus(status: string | undefined, fallback: OktaUserStatus): OktaUserStatus {\n if (\n status === \"STAGED\" ||\n status === \"PROVISIONED\" ||\n status === \"ACTIVE\" ||\n status === \"SUSPENDED\" ||\n status === \"DEPROVISIONED\"\n ) {\n return status;\n }\n return fallback;\n}\n\nexport function normalizeAppStatus(status: string | undefined, fallback: OktaAppStatus): OktaAppStatus {\n if (status === \"ACTIVE\" || status === \"INACTIVE\") return status;\n return fallback;\n}\n\nexport function normalizeAuthServerStatus(\n status: string | undefined,\n fallback: OktaAuthorizationServerStatus,\n): OktaAuthorizationServerStatus {\n if (status === \"ACTIVE\" || status === \"INACTIVE\") return status;\n return fallback;\n}\n\nexport function normalizeGroupType(type: string | undefined, fallback: OktaGroupType): OktaGroupType {\n if (type === \"OKTA_GROUP\" || type === \"BUILT_IN\") return type;\n return fallback;\n}\n\nexport function boolFromQuery(value: string | undefined, fallback: boolean): boolean {\n if (value == null) return fallback;\n const lowered = value.toLowerCase();\n if (lowered === \"true\" || lowered === \"1\") return true;\n if (lowered === \"false\" || lowered === \"0\") return false;\n return fallback;\n}\n\nexport function resolveOktaIssuer(baseUrl: string, authServerId: string): string {\n if (authServerId === ORG_AUTH_SERVER_ID) return baseUrl;\n return `${baseUrl}/oauth2/${authServerId}`;\n}\n\nexport function userDisplayName(user: Pick<OktaUser, \"display_name\" | \"first_name\" | \"last_name\" | \"login\">): string {\n if (user.display_name) return user.display_name;\n const combined = `${user.first_name} ${user.last_name}`.trim();\n return combined || user.login;\n}\n\nexport function createDefaultUser(): Omit<OktaUser, \"id\" | \"created_at\" | \"updated_at\"> {\n const now = nowIso();\n return {\n okta_id: generateOktaId(\"00u\"),\n status: \"ACTIVE\",\n activated_at: now,\n status_changed_at: now,\n last_login_at: null,\n password_changed_at: null,\n transitioning_to_status: null,\n login: \"testuser@okta.local\",\n email: \"testuser@okta.local\",\n first_name: \"Test\",\n last_name: \"User\",\n display_name: \"Test User\",\n locale: \"en-US\",\n time_zone: \"UTC\",\n };\n}\n\nexport function createDefaultGroup(): Omit<OktaGroup, \"id\" | \"created_at\" | \"updated_at\"> {\n return {\n okta_id: DEFAULT_EVERYONE_GROUP_ID,\n type: \"BUILT_IN\",\n name: DEFAULT_EVERYONE_GROUP_NAME,\n description: \"All users in the organization\",\n };\n}\n\nexport function createDefaultAuthorizationServer(): Omit<OktaAuthorizationServer, \"id\" | \"created_at\" | \"updated_at\"> {\n return {\n server_id: DEFAULT_AUTH_SERVER_ID,\n name: \"default\",\n description: \"Default custom authorization server\",\n audiences: [DEFAULT_AUDIENCE],\n status: \"ACTIVE\",\n };\n}\n\nexport function createDefaultApp(): Omit<OktaApp, \"id\" | \"created_at\" | \"updated_at\"> {\n return {\n okta_id: generateOktaId(\"0oa\"),\n name: \"oidc_client\",\n label: \"Sample OIDC App\",\n status: \"ACTIVE\",\n sign_on_mode: \"OPENID_CONNECT\",\n settings: {\n oauthClient: {\n redirect_uris: [\"http://localhost:3000/callback\"],\n },\n },\n credentials: {},\n };\n}\n","export interface Entity {\n id: number;\n created_at: string;\n updated_at: string;\n}\n\nexport type InsertInput<T extends Entity> = Omit<T, \"id\" | \"created_at\" | \"updated_at\"> & { id?: number };\n\nexport type FilterFn<T> = (item: T) => boolean;\nexport type SortFn<T> = (a: T, b: T) => number;\n\nexport interface QueryOptions<T> {\n filter?: FilterFn<T>;\n sort?: SortFn<T>;\n page?: number;\n per_page?: number;\n}\n\nexport interface PaginatedResult<T> {\n items: T[];\n total_count: number;\n page: number;\n per_page: number;\n has_next: boolean;\n has_prev: boolean;\n}\n\nexport interface CollectionSnapshot<T extends Entity = Entity> {\n items: T[];\n autoId: number;\n indexFields: string[];\n}\n\nexport interface StoreSnapshot {\n collections: Record<string, CollectionSnapshot>;\n data: Record<string, unknown>;\n}\n\nexport function serializeValue(value: unknown): unknown {\n if (value instanceof Map) {\n return { __type: \"Map\" as const, entries: [...value.entries()].map(([k, v]) => [k, serializeValue(v)]) };\n }\n if (value instanceof Set) {\n return { __type: \"Set\" as const, values: [...value.values()] };\n }\n return value;\n}\n\nexport function deserializeValue(value: unknown): unknown {\n if (value !== null && typeof value === \"object\" && \"__type\" in value) {\n const tagged = value as Record<string, unknown>;\n if (tagged.__type === \"Map\") {\n const entries = tagged.entries as [unknown, unknown][];\n return new Map(entries.map(([k, v]) => [k, deserializeValue(v)]));\n }\n if (tagged.__type === \"Set\") {\n return new Set(tagged.values as unknown[]);\n }\n }\n return value;\n}\n\nexport class Collection<T extends Entity> {\n private items = new Map<number, T>();\n private indexes = new Map<string, Map<string | number, Set<number>>>();\n private autoId = 1;\n readonly fieldNames: string[];\n\n constructor(private indexFields: (keyof T)[] = []) {\n this.fieldNames = indexFields.map(String).sort();\n for (const field of indexFields) {\n this.indexes.set(String(field), new Map());\n }\n }\n\n private addToIndex(item: T): void {\n for (const field of this.indexFields) {\n const value = item[field];\n if (value === undefined || value === null) continue;\n const indexMap = this.indexes.get(String(field))!;\n const key = String(value);\n if (!indexMap.has(key)) {\n indexMap.set(key, new Set());\n }\n indexMap.get(key)!.add(item.id);\n }\n }\n\n private removeFromIndex(item: T): void {\n for (const field of this.indexFields) {\n const value = item[field];\n if (value === undefined || value === null) continue;\n const indexMap = this.indexes.get(String(field))!;\n const key = String(value);\n indexMap.get(key)?.delete(item.id);\n }\n }\n\n insert(data: InsertInput<T>): T {\n const now = new Date().toISOString();\n const explicitId = data.id != null && data.id > 0 ? data.id : undefined;\n const id = explicitId ?? this.autoId++;\n if (id >= this.autoId) {\n this.autoId = id + 1;\n }\n const item = {\n ...data,\n id,\n created_at: now,\n updated_at: now,\n } as unknown as T;\n this.items.set(id, item);\n this.addToIndex(item);\n return item;\n }\n\n get(id: number): T | undefined {\n return this.items.get(id);\n }\n\n findBy(field: keyof T, value: T[keyof T] | string | number): T[] {\n if (this.indexes.has(String(field))) {\n const ids = this.indexes.get(String(field))!.get(String(value));\n if (!ids) return [];\n return Array.from(ids).map((id) => this.items.get(id)!).filter(Boolean);\n }\n return this.all().filter((item) => item[field] === value);\n }\n\n findOneBy(field: keyof T, value: T[keyof T] | string | number): T | undefined {\n return this.findBy(field, value)[0];\n }\n\n update(id: number, data: Partial<T>): T | undefined {\n const existing = this.items.get(id);\n if (!existing) return undefined;\n this.removeFromIndex(existing);\n const updated = {\n ...existing,\n ...data,\n id,\n updated_at: new Date().toISOString(),\n } as T;\n this.items.set(id, updated);\n this.addToIndex(updated);\n return updated;\n }\n\n delete(id: number): boolean {\n const existing = this.items.get(id);\n if (!existing) return false;\n this.removeFromIndex(existing);\n return this.items.delete(id);\n }\n\n all(): T[] {\n return Array.from(this.items.values());\n }\n\n query(options: QueryOptions<T> = {}): PaginatedResult<T> {\n let results = this.all();\n\n if (options.filter) {\n results = results.filter(options.filter);\n }\n\n const total_count = results.length;\n\n if (options.sort) {\n results.sort(options.sort);\n }\n\n const page = options.page ?? 1;\n const per_page = Math.min(options.per_page ?? 30, 100);\n const start = (page - 1) * per_page;\n const paged = results.slice(start, start + per_page);\n\n return {\n items: paged,\n total_count,\n page,\n per_page,\n has_next: start + per_page < total_count,\n has_prev: page > 1,\n };\n }\n\n count(filter?: FilterFn<T>): number {\n if (!filter) return this.items.size;\n return this.all().filter(filter).length;\n }\n\n clear(): void {\n this.items.clear();\n for (const indexMap of this.indexes.values()) {\n indexMap.clear();\n }\n this.autoId = 1;\n }\n\n snapshot(): CollectionSnapshot<T> {\n return {\n items: this.all(),\n autoId: this.autoId,\n indexFields: this.fieldNames,\n };\n }\n\n restore(snap: CollectionSnapshot<T>): void {\n this.clear();\n this.autoId = snap.autoId;\n for (const item of snap.items) {\n this.items.set(item.id, item);\n this.addToIndex(item);\n }\n }\n}\n\nexport class Store {\n private collections = new Map<string, Collection<any>>();\n private _data = new Map<string, unknown>();\n\n collection<T extends Entity>(name: string, indexFields: (keyof T)[] = []): Collection<T> {\n const existing = this.collections.get(name);\n if (existing) {\n if (indexFields.length > 0) {\n const requested = indexFields.map(String).sort();\n if (existing.fieldNames.length !== requested.length || existing.fieldNames.some((f, i) => f !== requested[i])) {\n throw new Error(\n `Collection \"${name}\" already exists with indexes [${existing.fieldNames}] but was requested with [${requested}]`\n );\n }\n }\n return existing as Collection<T>;\n }\n const col = new Collection<T>(indexFields);\n this.collections.set(name, col);\n return col;\n }\n\n getData<V>(key: string): V | undefined {\n return this._data.get(key) as V | undefined;\n }\n\n setData<V>(key: string, value: V): void {\n this._data.set(key, value);\n }\n\n reset(): void {\n for (const collection of this.collections.values()) {\n collection.clear();\n }\n this._data.clear();\n }\n\n snapshot(): StoreSnapshot {\n const collections: Record<string, CollectionSnapshot> = {};\n for (const [name, col] of this.collections) {\n collections[name] = col.snapshot();\n }\n const data: Record<string, unknown> = {};\n for (const [key, value] of this._data) {\n data[key] = serializeValue(value);\n }\n return { collections, data };\n }\n\n restore(snap: StoreSnapshot): void {\n const snapshotNames = new Set(Object.keys(snap.collections));\n for (const name of this.collections.keys()) {\n if (!snapshotNames.has(name)) {\n this.collections.delete(name);\n }\n }\n for (const [name, colSnap] of Object.entries(snap.collections)) {\n const indexFields = colSnap.indexFields as (keyof Entity)[];\n const col = this.collection(name, indexFields);\n col.restore(colSnap as CollectionSnapshot<any>);\n }\n this._data.clear();\n for (const [key, value] of Object.entries(snap.data)) {\n this._data.set(key, deserializeValue(value));\n }\n }\n}\n","import { Hono } from \"hono\";\nimport { cors } from \"hono/cors\";\nimport { Store } from \"./store.js\";\nimport { WebhookDispatcher } from \"./webhooks.js\";\nimport { createApiErrorHandler, createErrorHandler } from \"./middleware/error-handler.js\";\nimport { authMiddleware, type AuthFallback, type TokenMap, type AppKeyResolver, type AppEnv } from \"./middleware/auth.js\";\nimport type { ServicePlugin } from \"./plugin.js\";\nimport { registerFontRoutes } from \"./fonts.js\";\n\nexport interface ServerOptions {\n port?: number;\n baseUrl?: string;\n docsUrl?: string;\n tokens?: Record<string, { login: string; id: number; scopes?: string[] }>;\n appKeyResolver?: AppKeyResolver;\n fallbackUser?: AuthFallback;\n}\n\nexport function createServer(plugin: ServicePlugin, options: ServerOptions = {}) {\n const port = options.port ?? 4000;\n const baseUrl = options.baseUrl ?? `http://localhost:${port}`;\n\n const app = new Hono<AppEnv>();\n const store = new Store();\n const webhooks = new WebhookDispatcher();\n\n const tokenMap: TokenMap = new Map();\n if (options.tokens) {\n for (const [token, user] of Object.entries(options.tokens)) {\n tokenMap.set(token, {\n login: user.login,\n id: user.id,\n scopes: user.scopes ?? [\"repo\", \"user\", \"admin:org\", \"admin:repo_hook\"],\n });\n }\n }\n\n const docsUrl = options.docsUrl ?? `https://emulate.dev/${plugin.name}`;\n\n registerFontRoutes(app);\n\n app.onError(createApiErrorHandler(docsUrl));\n app.use(\"*\", cors());\n app.use(\"*\", createErrorHandler(docsUrl));\n app.use(\"*\", authMiddleware(tokenMap, options.appKeyResolver, options.fallbackUser));\n\n const rateLimitCounters = new Map<string, { remaining: number; resetAt: number }>();\n let lastPruneAt = Math.floor(Date.now() / 1000);\n\n app.use(\"*\", async (c, next) => {\n const token = c.get(\"authToken\") ?? \"__anonymous__\";\n const now = Math.floor(Date.now() / 1000);\n\n if (now - lastPruneAt > 3600) {\n for (const [key, val] of rateLimitCounters) {\n if (val.resetAt <= now) rateLimitCounters.delete(key);\n }\n lastPruneAt = now;\n }\n\n let counter = rateLimitCounters.get(token);\n if (!counter || counter.resetAt <= now) {\n counter = { remaining: 5000, resetAt: now + 3600 };\n rateLimitCounters.set(token, counter);\n }\n\n counter.remaining = Math.max(0, counter.remaining - 1);\n\n c.header(\"X-RateLimit-Limit\", \"5000\");\n c.header(\"X-RateLimit-Remaining\", String(counter.remaining));\n c.header(\"X-RateLimit-Reset\", String(counter.resetAt));\n c.header(\"X-RateLimit-Resource\", \"core\");\n\n if (counter.remaining === 0) {\n return c.json(\n {\n message: \"API rate limit exceeded\",\n documentation_url: docsUrl,\n },\n 403\n );\n }\n\n await next();\n });\n\n plugin.register(app, store, webhooks, baseUrl, tokenMap);\n\n app.notFound((c) =>\n c.json(\n {\n message: \"Not Found\",\n documentation_url: docsUrl,\n },\n 404\n )\n );\n\n return { app, store, webhooks, port, baseUrl, tokenMap };\n}\n","import { createHmac } from \"crypto\";\n\nexport interface WebhookSubscription {\n id: number;\n url: string;\n events: string[];\n active: boolean;\n secret?: string;\n owner: string;\n repo?: string;\n}\n\nexport interface WebhookDelivery {\n id: number;\n hook_id: number;\n event: string;\n action?: string;\n payload: unknown;\n status_code: number | null;\n delivered_at: string;\n duration: number | null;\n success: boolean;\n}\n\nconst MAX_DELIVERIES = 1000;\n\nexport class WebhookDispatcher {\n private subscriptions: WebhookSubscription[] = [];\n private deliveries: WebhookDelivery[] = [];\n private subscriptionIdCounter = 1;\n private deliveryIdCounter = 1;\n\n register(sub: Omit<WebhookSubscription, \"id\"> & { id?: number }): WebhookSubscription {\n const { id: explicitId, ...rest } = sub;\n const id = explicitId !== undefined ? explicitId : this.subscriptionIdCounter++;\n if (id >= this.subscriptionIdCounter) {\n this.subscriptionIdCounter = id + 1;\n }\n const subscription: WebhookSubscription = { ...rest, id };\n this.subscriptions.push(subscription);\n return subscription;\n }\n\n unregister(id: number): boolean {\n const idx = this.subscriptions.findIndex((s) => s.id === id);\n if (idx === -1) return false;\n this.subscriptions.splice(idx, 1);\n return true;\n }\n\n getSubscription(id: number): WebhookSubscription | undefined {\n return this.subscriptions.find((s) => s.id === id);\n }\n\n getSubscriptions(owner?: string, repo?: string): WebhookSubscription[] {\n return this.subscriptions.filter((s) => {\n if (owner && s.owner !== owner) return false;\n if (repo !== undefined && s.repo !== repo) return false;\n return true;\n });\n }\n\n updateSubscription(\n id: number,\n data: Partial<Pick<WebhookSubscription, \"url\" | \"events\" | \"active\" | \"secret\">>\n ): WebhookSubscription | undefined {\n const sub = this.subscriptions.find((s) => s.id === id);\n if (!sub) return undefined;\n Object.assign(sub, data);\n return sub;\n }\n\n async dispatch(event: string, action: string | undefined, payload: unknown, owner: string, repo?: string): Promise<void> {\n const matchingSubs = this.subscriptions.filter((s) => {\n if (!s.active) return false;\n if (s.owner !== owner) return false;\n if (repo !== undefined) {\n if (s.repo !== repo) return false;\n } else if (s.repo !== undefined) {\n return false;\n }\n return (\n event === \"ping\" ||\n s.events.includes(\"*\") ||\n s.events.includes(event)\n );\n });\n\n for (const sub of matchingSubs) {\n const delivery: WebhookDelivery = {\n id: this.deliveryIdCounter++,\n hook_id: sub.id,\n event,\n action,\n payload,\n status_code: null,\n delivered_at: new Date().toISOString(),\n duration: null,\n success: false,\n };\n\n const body = JSON.stringify(payload);\n\n const signatureHeaders: Record<string, string> = {};\n if (sub.secret) {\n const hmac = createHmac(\"sha256\", sub.secret).update(body).digest(\"hex\");\n signatureHeaders[\"X-Hub-Signature-256\"] = `sha256=${hmac}`;\n }\n\n try {\n const start = Date.now();\n const response = await fetch(sub.url, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n \"X-GitHub-Event\": event,\n \"X-GitHub-Delivery\": String(delivery.id),\n ...signatureHeaders,\n },\n body,\n signal: AbortSignal.timeout(10000),\n });\n delivery.duration = Date.now() - start;\n delivery.status_code = response.status;\n delivery.success = response.ok;\n } catch {\n delivery.duration = 0;\n delivery.success = false;\n }\n\n this.deliveries.push(delivery);\n if (this.deliveries.length > MAX_DELIVERIES) {\n this.deliveries.splice(0, this.deliveries.length - MAX_DELIVERIES);\n }\n }\n }\n\n getDeliveries(hookId?: number): WebhookDelivery[] {\n if (hookId !== undefined) {\n return this.deliveries.filter((d) => d.hook_id === hookId);\n }\n return [...this.deliveries];\n }\n\n clear(): void {\n this.subscriptions.length = 0;\n this.deliveries.length = 0;\n this.subscriptionIdCounter = 1;\n this.deliveryIdCounter = 1;\n }\n}\n","import type { Context, ErrorHandler, MiddlewareHandler } from \"hono\";\nimport type { ContentfulStatusCode } from \"hono/utils/http-status\";\n\nconst DEFAULT_DOCS_URL = \"https://emulate.dev\";\n\nfunction getDocsUrl(c: Context): string {\n return (c.get(\"docsUrl\") as string | undefined) ?? DEFAULT_DOCS_URL;\n}\n\nfunction errorStatus(err: unknown): number {\n if (err && typeof err === \"object\" && \"status\" in err) {\n const s = (err as { status: unknown }).status;\n if (typeof s === \"number\" && Number.isFinite(s)) return s;\n }\n return 500;\n}\n\n/**\n * Use with `app.onError(...)`. Hono routes handler throws to the app error handler, not to outer middleware try/catch.\n */\nexport function createApiErrorHandler(documentationUrl?: string): ErrorHandler {\n return (err, c) => {\n if (documentationUrl) {\n c.set(\"docsUrl\", documentationUrl);\n }\n const status = errorStatus(err);\n const message = err instanceof Error ? err.message : \"Internal Server Error\";\n return c.json(\n {\n message,\n documentation_url: getDocsUrl(c),\n },\n status as ContentfulStatusCode\n );\n };\n}\n\n/** Sets `docsUrl` on the context for successful responses; register `createApiErrorHandler` for thrown `ApiError`s. */\nexport function createErrorHandler(documentationUrl?: string): MiddlewareHandler {\n return async (c, next) => {\n if (documentationUrl) {\n c.set(\"docsUrl\", documentationUrl);\n }\n await next();\n };\n}\n\nexport const errorHandler: MiddlewareHandler = createErrorHandler();\n\nexport class ApiError extends Error {\n constructor(\n public status: number,\n message: string,\n public errors?: Array<{ resource: string; field: string; code: string }>\n ) {\n super(message);\n this.name = \"ApiError\";\n }\n}\n\nexport function notFound(resource?: string): ApiError {\n return new ApiError(404, resource ? `${resource} not found` : \"Not Found\");\n}\n\nexport function validationError(message: string, errors?: ApiError[\"errors\"]): ApiError {\n return new ApiError(422, message, errors);\n}\n\nexport function unauthorized(): ApiError {\n return new ApiError(401, \"Requires authentication\");\n}\n\nexport function forbidden(): ApiError {\n return new ApiError(403, \"Forbidden\");\n}\n\nexport async function parseJsonBody(c: Context): Promise<Record<string, unknown>> {\n try {\n const body = await c.req.json();\n if (body && typeof body === \"object\" && !Array.isArray(body)) {\n return body as Record<string, unknown>;\n }\n return {};\n } catch {\n throw new ApiError(400, \"Problems parsing JSON\");\n }\n}\n","import type { Context, Next } from \"hono\";\nimport { jwtVerify, importPKCS8 } from \"jose\";\nimport { debug } from \"../debug.js\";\n\nexport interface AuthUser {\n login: string;\n id: number;\n scopes: string[];\n}\n\nexport interface AuthApp {\n appId: number;\n slug: string;\n name: string;\n}\n\nexport interface AuthInstallation {\n installationId: number;\n appId: number;\n permissions: Record<string, string>;\n repositoryIds: number[];\n repositorySelection: \"all\" | \"selected\";\n}\n\nexport type TokenMap = Map<string, AuthUser>;\n\nexport interface TokenEntry {\n token: string;\n login: string;\n id: number;\n scopes: string[];\n}\n\nexport function serializeTokenMap(tokenMap: TokenMap): TokenEntry[] {\n return [...tokenMap.entries()].map(([token, user]) => ({\n token,\n login: user.login,\n id: user.id,\n scopes: user.scopes,\n }));\n}\n\nexport function restoreTokenMap(tokenMap: TokenMap, tokens: TokenEntry[]): void {\n tokenMap.clear();\n for (const t of tokens) {\n tokenMap.set(t.token, { login: t.login, id: t.id, scopes: t.scopes });\n }\n}\n\nexport type AppEnv = {\n Variables: {\n authUser?: AuthUser;\n authApp?: AuthApp;\n authToken?: string;\n authScopes?: string[];\n docsUrl?: string;\n };\n};\n\nexport interface AppKeyResolver {\n (appId: number): { privateKey: string; slug: string; name: string } | null;\n}\n\nexport interface AuthFallback {\n login: string;\n id: number;\n scopes: string[];\n}\n\nexport function authMiddleware(tokens: TokenMap, appKeyResolver?: AppKeyResolver, fallbackUser?: AuthFallback) {\n return async (c: Context, next: Next) => {\n const authHeader = c.req.header(\"Authorization\");\n if (authHeader) {\n const token = authHeader.replace(/^(Bearer|token)\\s+/i, \"\").trim();\n\n if (token.startsWith(\"eyJ\") && appKeyResolver) {\n try {\n const [, payloadB64] = token.split(\".\");\n const payload = JSON.parse(\n Buffer.from(payloadB64, \"base64url\").toString()\n );\n const appId = typeof payload.iss === \"string\" ? parseInt(payload.iss, 10) : payload.iss;\n\n if (typeof appId === \"number\" && !isNaN(appId)) {\n const appInfo = appKeyResolver(appId);\n if (appInfo) {\n const key = await importPKCS8(appInfo.privateKey, \"RS256\");\n await jwtVerify(token, key, { algorithms: [\"RS256\"] });\n c.set(\"authApp\", {\n appId,\n slug: appInfo.slug,\n name: appInfo.name,\n } satisfies AuthApp);\n }\n }\n } catch {\n // JWT verification failed\n }\n } else {\n let user = tokens.get(token);\n if (!user && fallbackUser && token.length > 0) {\n debug(\"auth\", \"fallback user for unknown token\", { login: fallbackUser.login, id: fallbackUser.id });\n user = { login: fallbackUser.login, id: fallbackUser.id, scopes: fallbackUser.scopes };\n }\n if (user) {\n c.set(\"authUser\", user);\n c.set(\"authToken\", token);\n c.set(\"authScopes\", user.scopes);\n }\n }\n }\n await next();\n };\n}\n\nexport function requireAuth() {\n return async (c: Context, next: Next) => {\n if (!c.get(\"authUser\")) {\n const docsUrl = (c.get(\"docsUrl\") as string | undefined) ?? \"https://emulate.dev\";\n return c.json(\n {\n message: \"Requires authentication\",\n documentation_url: docsUrl,\n },\n 401\n );\n }\n await next();\n };\n}\n\nexport function requireAppAuth() {\n return async (c: Context, next: Next) => {\n if (!c.get(\"authApp\")) {\n const docsUrl = (c.get(\"docsUrl\") as string | undefined) ?? \"https://emulate.dev\";\n return c.json(\n {\n message: \"A JSON web token could not be decoded\",\n documentation_url: docsUrl,\n },\n 401\n );\n }\n await next();\n };\n}\n","const isDebug = typeof process !== \"undefined\" && (process.env.DEBUG === \"1\" || process.env.DEBUG === \"true\" || process.env.EMULATE_DEBUG === \"1\");\n\nexport function debug(label: string, ...args: unknown[]): void {\n if (isDebug) {\n console.log(`[${label}]`, ...args);\n }\n}\n","import { readFileSync } from \"node:fs\";\nimport { fileURLToPath } from \"node:url\";\nimport { dirname, join } from \"node:path\";\nimport type { Hono } from \"hono\";\nimport type { AppEnv } from \"./middleware/auth.js\";\n\nconst __dirname = dirname(fileURLToPath(import.meta.url));\n\nconst FONTS: Record<string, Buffer> = {\n \"geist-sans.woff2\": readFileSync(join(__dirname, \"fonts\", \"geist-sans.woff2\")),\n \"GeistPixel-Square.woff2\": readFileSync(join(__dirname, \"fonts\", \"GeistPixel-Square.woff2\")),\n};\n\nexport function registerFontRoutes(app: Hono<AppEnv>): void {\n app.get(\"/_emulate/fonts/:name\", (c) => {\n const name = c.req.param(\"name\");\n const buf = FONTS[name];\n if (!buf) return c.notFound();\n return new Response(buf, {\n headers: {\n \"Content-Type\": \"font/woff2\",\n \"Cache-Control\": \"public, max-age=31536000, immutable\",\n \"Access-Control-Allow-Origin\": \"*\",\n },\n });\n });\n}\n","import type { Context } from \"hono\";\n\nexport interface PaginationParams {\n page: number;\n per_page: number;\n}\n\nexport function parsePagination(c: Context): PaginationParams {\n const page = Math.max(1, parseInt(c.req.query(\"page\") ?? \"1\", 10) || 1);\n const per_page = Math.min(100, Math.max(1, parseInt(c.req.query(\"per_page\") ?? \"30\", 10) || 30));\n return { page, per_page };\n}\n\nexport function setLinkHeader(\n c: Context,\n totalCount: number,\n page: number,\n perPage: number\n): void {\n const lastPage = Math.max(1, Math.ceil(totalCount / perPage));\n const baseUrl = new URL(c.req.url);\n const links: string[] = [];\n\n const makeLink = (p: number, rel: string) => {\n baseUrl.searchParams.set(\"page\", String(p));\n baseUrl.searchParams.set(\"per_page\", String(perPage));\n return `<${baseUrl.toString()}>; rel=\"${rel}\"`;\n };\n\n if (page < lastPage) {\n links.push(makeLink(page + 1, \"next\"));\n links.push(makeLink(lastPage, \"last\"));\n }\n if (page > 1) {\n links.push(makeLink(1, \"first\"));\n links.push(makeLink(page - 1, \"prev\"));\n }\n\n if (links.length > 0) {\n c.header(\"Link\", links.join(\", \"));\n }\n}\n","export function escapeHtml(s: string): string {\n return s\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\")\n .replace(/\"/g, \""\");\n}\n\nexport function escapeAttr(s: string): string {\n return escapeHtml(s).replace(/'/g, \"'\");\n}\n\nconst CSS = `\n@font-face{\n font-family:'Geist';font-style:normal;font-weight:100 900;font-display:swap;\n src:url('/_emulate/fonts/geist-sans.woff2') format('woff2');\n}\n@font-face{\n font-family:'Geist Pixel';font-style:normal;font-weight:400;font-display:swap;\n src:url('/_emulate/fonts/GeistPixel-Square.woff2') format('woff2');\n}\n*{box-sizing:border-box;margin:0;padding:0}\nbody{\n font-family:'Geist',-apple-system,BlinkMacSystemFont,sans-serif;\n background:#000;color:#33ff00;min-height:100vh;\n -webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;\n}\n.emu-bar{\n border-bottom:1px solid #0a3300;padding:10px 20px;\n display:flex;align-items:center;gap:10px;font-size:.8125rem;color:#1a8c00;\n}\n.emu-bar-title{font-weight:600;color:#33ff00;font-family:'Geist Pixel',monospace;}\n.emu-bar-links{margin-left:auto;display:flex;gap:16px;}\n.emu-bar-links a{\n color:#1a8c00;font-size:.75rem;text-decoration:none;transition:color .15s;\n}\n.emu-bar-links a:hover{color:#33ff00;}\n.emu-bar-links a .full{display:inline;}\n.emu-bar-links a .short{display:none;}\n@media(max-width:600px){\n .emu-bar-links a .full{display:none;}\n .emu-bar-links a .short{display:inline;}\n}\n\n.content{\n display:flex;align-items:center;justify-content:center;\n min-height:calc(100vh - 42px);padding:24px 16px;\n}\n.content-inner{width:100%;max-width:420px;}\n.card-title{\n font-family:'Geist Pixel',monospace;\n font-size:1.125rem;font-weight:600;margin-bottom:4px;color:#33ff00;\n}\n.card-subtitle{color:#1a8c00;font-size:.8125rem;margin-bottom:18px;line-height:1.45;}\n.powered-by{\n position:fixed;bottom:0;left:0;right:0;\n text-align:center;padding:12px;font-size:.6875rem;color:#0a3300;\n font-family:'Geist Pixel',monospace;\n}\n.powered-by a{color:#1a8c00;text-decoration:none;transition:color .15s;}\n.powered-by a:hover{color:#33ff00;}\n\n.error-title{\n font-family:'Geist Pixel',monospace;\n color:#ff4444;font-size:1.125rem;font-weight:600;margin-bottom:8px;\n}\n.error-msg{color:#1a8c00;font-size:.875rem;line-height:1.5;}\n.error-card{text-align:center;}\n\n.user-form{margin-bottom:8px;}\n.user-form:last-of-type{margin-bottom:0;}\n.user-btn{\n width:100%;display:flex;align-items:center;gap:12px;\n padding:10px 12px;border:1px solid #0a3300;border-radius:8px;\n background:#000;color:inherit;cursor:pointer;text-align:left;\n font:inherit;transition:border-color .15s;\n}\n.user-btn:hover{border-color:#33ff00;}\n.avatar{\n width:36px;height:36px;border-radius:50%;\n background:#0a3300;color:#33ff00;font-weight:600;font-size:.875rem;\n display:flex;align-items:center;justify-content:center;flex-shrink:0;\n font-family:'Geist Pixel',monospace;\n}\n.user-text{min-width:0;}\n.user-login{font-weight:600;font-size:.875rem;display:block;color:#33ff00;}\n.user-meta{color:#1a8c00;font-size:.75rem;margin-top:1px;}\n.user-email{font-size:.6875rem;color:#116600;word-break:break-all;margin-top:1px;}\n\n.settings-layout{\n max-width:920px;margin:0 auto;padding:28px 20px;\n display:flex;gap:28px;\n}\n.settings-sidebar{width:200px;flex-shrink:0;}\n.settings-sidebar a{\n display:block;padding:6px 10px;border-radius:6px;color:#1a8c00;\n text-decoration:none;font-size:.8125rem;transition:color .15s;\n}\n.settings-sidebar a:hover{color:#33ff00;}\n.settings-sidebar a.active{color:#33ff00;font-weight:600;}\n.settings-main{flex:1;min-width:0;}\n\n.s-card{\n padding:18px 0;margin-bottom:14px;border-bottom:1px solid #0a3300;\n}\n.s-card:last-child{border-bottom:none;}\n.s-card-header{display:flex;align-items:center;gap:14px;margin-bottom:14px;}\n.s-icon{\n width:42px;height:42px;border-radius:8px;\n background:#0a3300;display:flex;align-items:center;justify-content:center;\n font-size:1.125rem;font-weight:700;color:#116600;flex-shrink:0;\n font-family:'Geist Pixel',monospace;\n}\n.s-title{\n font-family:'Geist Pixel',monospace;\n font-size:1.25rem;font-weight:600;color:#33ff00;\n}\n.s-subtitle{font-size:.75rem;color:#1a8c00;margin-top:2px;}\n.section-heading{\n font-size:.9375rem;font-weight:600;margin-bottom:10px;color:#33ff00;\n display:flex;align-items:center;justify-content:space-between;\n}\n.perm-list{list-style:none;}\n.perm-list li{padding:5px 0;font-size:.8125rem;display:flex;align-items:center;gap:6px;color:#1a8c00;}\n.check{color:#33ff00;}\n.org-row{\n display:flex;align-items:center;gap:8px;padding:7px 0;\n border-bottom:1px solid #0a3300;font-size:.8125rem;\n}\n.org-row:last-child{border-bottom:none;}\n.org-icon{\n width:22px;height:22px;border-radius:4px;background:#0a3300;\n display:flex;align-items:center;justify-content:center;\n font-size:.625rem;font-weight:700;color:#116600;flex-shrink:0;\n font-family:'Geist Pixel',monospace;\n}\n.org-name{font-weight:600;color:#33ff00;}\n.badge{font-size:.6875rem;padding:1px 7px;border-radius:999px;font-weight:500;}\n.badge-granted{background:#0a3300;color:#33ff00;}\n.badge-denied{background:#1a0a0a;color:#ff4444;}\n.badge-requested{background:#0a3300;color:#1a8c00;}\n.btn-revoke{\n display:inline-block;padding:5px 14px;border-radius:6px;\n border:1px solid #0a3300;background:transparent;color:#ff4444;\n font-size:.75rem;font-weight:600;cursor:pointer;transition:border-color .15s;\n}\n.btn-revoke:hover{border-color:#ff4444;}\n.info-text{color:#1a8c00;font-size:.75rem;line-height:1.5;margin-top:10px;}\n.app-link{\n display:flex;align-items:center;gap:12px;padding:12px;\n border:1px solid #0a3300;border-radius:8px;background:#000;\n text-decoration:none;color:inherit;margin-bottom:8px;transition:border-color .15s;\n}\n.app-link:hover{border-color:#33ff00;}\n.app-link-name{font-weight:600;font-size:.875rem;color:#33ff00;}\n.app-link-scopes{font-size:.6875rem;color:#1a8c00;margin-top:1px;}\n.empty{color:#1a8c00;text-align:center;padding:28px 0;font-size:.875rem;}\n`;\n\nconst POWERED_BY = `<div class=\"powered-by\">Powered by <a href=\"https://emulate.dev\" target=\"_blank\" rel=\"noopener\">emulate</a></div>`;\n\nfunction emuBar(service?: string): string {\n const title = service ? `${escapeHtml(service)} Emulator` : \"Emulator\";\n return `<div class=\"emu-bar\">\n <span class=\"emu-bar-title\">${title}</span>\n <nav class=\"emu-bar-links\">\n <a href=\"https://github.com/vercel-labs/emulate/issues\" target=\"_blank\" rel=\"noopener\"><span class=\"full\">Report Issue</span><span class=\"short\">Report</span></a>\n <a href=\"https://github.com/vercel-labs/emulate\" target=\"_blank\" rel=\"noopener\"><span class=\"full\">Source Code</span><span class=\"short\">Source</span></a>\n <a href=\"https://emulate.dev\" target=\"_blank\" rel=\"noopener\"><span class=\"full\">Learn More</span><span class=\"short\">Learn</span></a>\n </nav>\n</div>`;\n}\n\nfunction head(title: string): string {\n return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\"/>\n<meta name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n<title>${escapeHtml(title)} | emulate</title>\n<style>${CSS}</style>\n</head>`;\n}\n\nexport function renderCardPage(\n title: string,\n subtitle: string,\n body: string,\n service?: string\n): string {\n return `${head(title)}\n<body>\n${emuBar(service)}\n<div class=\"content\">\n <div class=\"content-inner\">\n <div class=\"card-title\">${escapeHtml(title)}</div>\n <div class=\"card-subtitle\">${subtitle}</div>\n ${body}\n </div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport function renderErrorPage(title: string, message: string, service?: string): string {\n return `${head(title)}\n<body>\n${emuBar(service)}\n<div class=\"content\">\n <div class=\"content-inner error-card\">\n <div class=\"error-title\">${escapeHtml(title)}</div>\n <div class=\"error-msg\">${escapeHtml(message)}</div>\n </div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport function renderSettingsPage(\n title: string,\n sidebarHtml: string,\n bodyHtml: string,\n service?: string\n): string {\n return `${head(title)}\n<body>\n${emuBar(service)}\n<div class=\"settings-layout\">\n <nav class=\"settings-sidebar\">${sidebarHtml}</nav>\n <div class=\"settings-main\">${bodyHtml}</div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport interface UserButtonOptions {\n letter: string;\n login: string;\n name?: string;\n email?: string;\n formAction: string;\n hiddenFields: Record<string, string>;\n}\n\nexport function renderUserButton(opts: UserButtonOptions): string {\n const hiddens = Object.entries(opts.hiddenFields)\n .map(([k, v]) => `<input type=\"hidden\" name=\"${escapeAttr(k)}\" value=\"${escapeAttr(v)}\"/>`)\n .join(\"\");\n\n const nameLine = opts.name\n ? `<div class=\"user-meta\">${escapeHtml(opts.name)}</div>`\n : \"\";\n const emailLine = opts.email\n ? `<div class=\"user-email\">${escapeHtml(opts.email)}</div>`\n : \"\";\n\n return `<form class=\"user-form\" method=\"post\" action=\"${escapeAttr(opts.formAction)}\">\n${hiddens}\n<button type=\"submit\" class=\"user-btn\">\n <span class=\"avatar\">${escapeHtml(opts.letter)}</span>\n <span class=\"user-text\">\n <span class=\"user-login\">${escapeHtml(opts.login)}</span>\n ${nameLine}${emailLine}\n </span>\n</button>\n</form>`;\n}\n","import { timingSafeEqual } from \"crypto\";\n\nexport function normalizeUri(uri: string): string {\n try {\n const u = new URL(uri);\n return `${u.origin}${u.pathname.replace(/\\/+$/, \"\")}`;\n } catch {\n return uri.replace(/\\/+$/, \"\").split(\"?\")[0];\n }\n}\n\nexport function matchesRedirectUri(incoming: string, registered: string[]): boolean {\n const normalized = normalizeUri(incoming);\n return registered.some((r) => normalizeUri(r) === normalized);\n}\n\nexport function constantTimeSecretEqual(a: string, b: string): boolean {\n const bufA = Buffer.from(a, \"utf-8\");\n const bufB = Buffer.from(b, \"utf-8\");\n if (bufA.length !== bufB.length) return false;\n return timingSafeEqual(bufA, bufB);\n}\n\nexport function bodyStr(v: unknown): string {\n if (typeof v === \"string\") return v;\n if (Array.isArray(v) && typeof v[0] === \"string\") return v[0];\n return \"\";\n}\n\nexport function parseCookies(header: string): Record<string, string> {\n const cookies: Record<string, string> = {};\n for (const part of header.split(\";\")) {\n const [k, ...v] = part.split(\"=\");\n if (k) cookies[k.trim()] = v.join(\"=\").trim();\n }\n return cookies;\n}\n","import { readFile, writeFile, mkdir } from \"node:fs/promises\";\nimport { dirname } from \"node:path\";\n\nexport interface PersistenceAdapter {\n load(): Promise<string | null>;\n save(data: string): Promise<void>;\n}\n\nexport function filePersistence(path: string): PersistenceAdapter {\n return {\n async load() {\n try {\n return await readFile(path, \"utf-8\");\n } catch {\n return null;\n }\n },\n async save(data: string) {\n await mkdir(dirname(path), { recursive: true });\n await writeFile(path, data, \"utf-8\");\n },\n };\n}\n","import type { Context } from \"hono\";\nimport type { ContentfulStatusCode } from \"hono/utils/http-status\";\nimport type { AuthUser, TokenMap, AppEnv } from \"@emulators/core\";\nimport type {\n OktaApp,\n OktaAuthorizationServer,\n OktaGroup,\n OktaUser,\n} from \"./entities.js\";\nimport type { OktaStore } from \"./store.js\";\nimport { resolveOktaIssuer, userDisplayName } from \"./helpers.js\";\n\ntype OktaErrorCause = { errorSummary: string };\n\nfunction createErrorBody(\n status: number,\n errorCode: string,\n errorSummary: string,\n errorCauses: OktaErrorCause[] = [],\n): Record<string, unknown> {\n return {\n errorCode,\n errorSummary,\n errorLink: errorCode,\n errorId: `${errorCode}-${Date.now()}`,\n errorCauses,\n status,\n };\n}\n\nexport function oktaError(\n c: Context<AppEnv>,\n status: number,\n errorCode: string,\n errorSummary: string,\n errorCauses: OktaErrorCause[] = [],\n): Response {\n const body = createErrorBody(status, errorCode, errorSummary, errorCauses);\n return c.json(body, status as ContentfulStatusCode);\n}\n\nexport async function readJsonObject(c: Context<AppEnv>): Promise<Record<string, unknown>> {\n try {\n const body = await c.req.json();\n if (body && typeof body === \"object\") {\n return body as Record<string, unknown>;\n }\n return {};\n } catch {\n return {};\n }\n}\n\nexport function requireManagementAuth(c: Context<AppEnv>, tokenMap?: TokenMap): AuthUser | Response {\n const existing = c.get(\"authUser\");\n if (existing) return existing;\n\n const authHeader = c.req.header(\"Authorization\") ?? \"\";\n if (authHeader.toLowerCase().startsWith(\"ssws \")) {\n const token = authHeader.slice(5).trim();\n const mapped = tokenMap?.get(token);\n if (mapped) {\n c.set(\"authUser\", mapped);\n c.set(\"authToken\", token);\n c.set(\"authScopes\", mapped.scopes);\n return mapped;\n }\n }\n\n return oktaError(c, 401, \"E0000004\", \"Authentication failed\");\n}\n\nexport function findUserByRef(os: OktaStore, userRef: string): OktaUser | undefined {\n const decoded = decodeURIComponent(userRef);\n return (\n os.users.findOneBy(\"okta_id\", decoded) ??\n os.users.findOneBy(\"login\", decoded) ??\n os.users.findOneBy(\"email\", decoded)\n );\n}\n\nexport function findGroupByRef(os: OktaStore, groupRef: string): OktaGroup | undefined {\n const decoded = decodeURIComponent(groupRef);\n return os.groups.findOneBy(\"okta_id\", decoded);\n}\n\nexport function findAppByRef(os: OktaStore, appRef: string): OktaApp | undefined {\n const decoded = decodeURIComponent(appRef);\n return os.apps.findOneBy(\"okta_id\", decoded);\n}\n\nexport function findAuthorizationServerByRef(\n os: OktaStore,\n serverRef: string,\n): OktaAuthorizationServer | undefined {\n const decoded = decodeURIComponent(serverRef);\n return os.authorizationServers.findOneBy(\"server_id\", decoded);\n}\n\nexport function userResponse(baseUrl: string, user: OktaUser): Record<string, unknown> {\n return {\n id: user.okta_id,\n status: user.status,\n created: user.created_at,\n activated: user.activated_at,\n statusChanged: user.status_changed_at,\n lastLogin: user.last_login_at,\n lastUpdated: user.updated_at,\n passwordChanged: user.password_changed_at,\n profile: {\n login: user.login,\n email: user.email,\n firstName: user.first_name,\n lastName: user.last_name,\n displayName: userDisplayName(user),\n locale: user.locale,\n timeZone: user.time_zone,\n },\n _links: {\n self: {\n href: `${baseUrl}/api/v1/users/${encodeURIComponent(user.okta_id)}`,\n },\n },\n };\n}\n\nexport function groupResponse(baseUrl: string, group: OktaGroup): Record<string, unknown> {\n return {\n id: group.okta_id,\n created: group.created_at,\n lastUpdated: group.updated_at,\n lastMembershipUpdated: group.updated_at,\n objectClass: [\"okta:user_group\"],\n type: group.type,\n profile: {\n name: group.name,\n description: group.description,\n },\n _links: {\n self: {\n href: `${baseUrl}/api/v1/groups/${encodeURIComponent(group.okta_id)}`,\n },\n },\n };\n}\n\nexport function appResponse(baseUrl: string, app: OktaApp): Record<string, unknown> {\n return {\n id: app.okta_id,\n name: app.name,\n label: app.label,\n status: app.status,\n created: app.created_at,\n lastUpdated: app.updated_at,\n signOnMode: app.sign_on_mode,\n credentials: app.credentials,\n settings: app.settings,\n _links: {\n self: {\n href: `${baseUrl}/api/v1/apps/${encodeURIComponent(app.okta_id)}`,\n },\n },\n };\n}\n\nexport function authorizationServerResponse(\n baseUrl: string,\n server: OktaAuthorizationServer,\n): Record<string, unknown> {\n return {\n id: server.server_id,\n name: server.name,\n description: server.description,\n audiences: server.audiences,\n issuer: resolveOktaIssuer(baseUrl, server.server_id),\n status: server.status,\n created: server.created_at,\n lastUpdated: server.updated_at,\n _links: {\n self: {\n href: `${baseUrl}/api/v1/authorizationServers/${encodeURIComponent(server.server_id)}`,\n },\n },\n };\n}\n","import { Store, type Collection } from \"@emulators/core\";\nimport type {\n OktaUser,\n OktaGroup,\n OktaApp,\n OktaOAuthClient,\n OktaAuthorizationServer,\n OktaGroupMembership,\n OktaAppAssignment,\n} from \"./entities.js\";\n\nexport interface OktaStore {\n users: Collection<OktaUser>;\n groups: Collection<OktaGroup>;\n apps: Collection<OktaApp>;\n oauthClients: Collection<OktaOAuthClient>;\n authorizationServers: Collection<OktaAuthorizationServer>;\n groupMemberships: Collection<OktaGroupMembership>;\n appAssignments: Collection<OktaAppAssignment>;\n}\n\nexport function getOktaStore(store: Store): OktaStore {\n return {\n users: store.collection<OktaUser>(\"okta.users\", [\"okta_id\", \"login\", \"email\"]),\n groups: store.collection<OktaGroup>(\"okta.groups\", [\"okta_id\", \"name\"]),\n apps: store.collection<OktaApp>(\"okta.apps\", [\"okta_id\", \"name\"]),\n oauthClients: store.collection<OktaOAuthClient>(\"okta.oauth_clients\", [\"client_id\", \"auth_server_id\"]),\n authorizationServers: store.collection<OktaAuthorizationServer>(\"okta.auth_servers\", [\"server_id\"]),\n groupMemberships: store.collection<OktaGroupMembership>(\"okta.group_memberships\", [\"group_okta_id\", \"user_okta_id\"]),\n appAssignments: store.collection<OktaAppAssignment>(\"okta.app_assignments\", [\"app_okta_id\", \"user_okta_id\"]),\n };\n}\n","import { parsePagination, setLinkHeader, type RouteContext } from \"@emulators/core\";\nimport { generateOktaId, normalizeAppStatus } from \"../helpers.js\";\nimport {\n appResponse,\n findAppByRef,\n findUserByRef,\n oktaError,\n readJsonObject,\n requireManagementAuth,\n userResponse,\n} from \"../route-helpers.js\";\nimport { getOktaStore } from \"../store.js\";\n\nexport function appRoutes({ app, store, baseUrl, tokenMap }: RouteContext): void {\n const oktaStore = getOktaStore(store);\n\n app.get(\"/api/v1/apps\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const q = (c.req.query(\"q\") ?? \"\").toLowerCase();\n let apps = oktaStore.apps.all();\n if (q) {\n apps = apps.filter((entry) =>\n `${entry.name} ${entry.label}`.toLowerCase().includes(q),\n );\n }\n const { page, per_page } = parsePagination(c);\n const total = apps.length;\n const start = (page - 1) * per_page;\n const paged = apps.slice(start, start + per_page);\n setLinkHeader(c, total, page, per_page);\n c.header(\"X-Total-Count\", String(total));\n\n return c.json(paged.map((entry) => appResponse(baseUrl, entry)));\n });\n\n app.post(\"/api/v1/apps\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const body = await readJsonObject(c);\n const name = typeof body.name === \"string\" ? body.name : \"oidc_client\";\n const label = typeof body.label === \"string\" ? body.label : \"Okta App\";\n const signOnMode = typeof body.signOnMode === \"string\" ? body.signOnMode : \"OPENID_CONNECT\";\n const settings = body.settings && typeof body.settings === \"object\"\n ? (body.settings as Record<string, unknown>)\n : {};\n const credentials = body.credentials && typeof body.credentials === \"object\"\n ? (body.credentials as Record<string, unknown>)\n : {};\n\n const created = oktaStore.apps.insert({\n okta_id: generateOktaId(\"0oa\"),\n name,\n label,\n status: normalizeAppStatus(typeof body.status === \"string\" ? body.status : undefined, \"ACTIVE\"),\n sign_on_mode: signOnMode,\n settings,\n credentials,\n });\n\n return c.json(appResponse(baseUrl, created), 201);\n });\n\n app.get(\"/api/v1/apps/:appId/users\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n\n const assignments = oktaStore.appAssignments.findBy(\"app_okta_id\", appEntity.okta_id);\n const users = assignments\n .map((assignment) => oktaStore.users.findOneBy(\"okta_id\", assignment.user_okta_id))\n .filter((user): user is NonNullable<typeof user> => Boolean(user));\n\n return c.json(\n users.map((user) => ({\n id: user.okta_id,\n scope: \"USER\",\n credentials: { userName: user.login },\n profile: (userResponse(baseUrl, user).profile as Record<string, unknown>),\n })),\n );\n });\n\n app.put(\"/api/v1/apps/:appId/users/:userId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const existing = oktaStore.appAssignments\n .findBy(\"app_okta_id\", appEntity.okta_id)\n .find((assignment) => assignment.user_okta_id === user.okta_id);\n if (!existing) {\n oktaStore.appAssignments.insert({\n app_okta_id: appEntity.okta_id,\n user_okta_id: user.okta_id,\n });\n }\n\n return new Response(null, { status: 204 });\n });\n\n app.delete(\"/api/v1/apps/:appId/users/:userId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const existing = oktaStore.appAssignments\n .findBy(\"app_okta_id\", appEntity.okta_id)\n .find((assignment) => assignment.user_okta_id === user.okta_id);\n if (existing) oktaStore.appAssignments.delete(existing.id);\n return new Response(null, { status: 204 });\n });\n\n app.post(\"/api/v1/apps/:appId/lifecycle/activate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n\n const updated = oktaStore.apps.update(appEntity.id, { status: \"ACTIVE\" });\n return c.json(appResponse(baseUrl, updated ?? appEntity));\n });\n\n app.post(\"/api/v1/apps/:appId/lifecycle/deactivate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n\n const updated = oktaStore.apps.update(appEntity.id, { status: \"INACTIVE\" });\n return c.json(appResponse(baseUrl, updated ?? appEntity));\n });\n\n app.get(\"/api/v1/apps/:appId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n return c.json(appResponse(baseUrl, appEntity));\n });\n\n app.put(\"/api/v1/apps/:appId\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n\n const body = await readJsonObject(c);\n const updated = oktaStore.apps.update(appEntity.id, {\n name: typeof body.name === \"string\" ? body.name : appEntity.name,\n label: typeof body.label === \"string\" ? body.label : appEntity.label,\n status: normalizeAppStatus(typeof body.status === \"string\" ? body.status : undefined, appEntity.status),\n sign_on_mode: typeof body.signOnMode === \"string\" ? body.signOnMode : appEntity.sign_on_mode,\n settings: body.settings && typeof body.settings === \"object\"\n ? (body.settings as Record<string, unknown>)\n : appEntity.settings,\n credentials: body.credentials && typeof body.credentials === \"object\"\n ? (body.credentials as Record<string, unknown>)\n : appEntity.credentials,\n });\n return c.json(appResponse(baseUrl, updated ?? appEntity));\n });\n\n app.delete(\"/api/v1/apps/:appId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n if (appEntity.status !== \"INACTIVE\") {\n return oktaError(c, 400, \"E0000001\", \"App must be INACTIVE before deletion\");\n }\n\n for (const assignment of oktaStore.appAssignments.findBy(\"app_okta_id\", appEntity.okta_id)) {\n oktaStore.appAssignments.delete(assignment.id);\n }\n oktaStore.apps.delete(appEntity.id);\n return new Response(null, { status: 204 });\n });\n}\n","import { parsePagination, setLinkHeader, type RouteContext } from \"@emulators/core\";\nimport { DEFAULT_AUDIENCE, generateOktaId, normalizeAuthServerStatus } from \"../helpers.js\";\nimport {\n authorizationServerResponse,\n findAuthorizationServerByRef,\n oktaError,\n readJsonObject,\n requireManagementAuth,\n} from \"../route-helpers.js\";\nimport { getOktaStore } from \"../store.js\";\n\nfunction normalizeServerId(name: string): string {\n const compact = name.trim().toLowerCase().replace(/[^a-z0-9_-]+/g, \"-\");\n if (compact.length > 0) return compact;\n return generateOktaId(\"as\");\n}\n\nexport function authorizationServerRoutes({ app, store, baseUrl, tokenMap }: RouteContext): void {\n const oktaStore = getOktaStore(store);\n\n app.get(\"/api/v1/authorizationServers\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const servers = oktaStore.authorizationServers.all();\n const { page, per_page } = parsePagination(c);\n const total = servers.length;\n const start = (page - 1) * per_page;\n const paged = servers.slice(start, start + per_page);\n setLinkHeader(c, total, page, per_page);\n c.header(\"X-Total-Count\", String(total));\n\n return c.json(paged.map((server) => authorizationServerResponse(baseUrl, server)));\n });\n\n app.post(\"/api/v1/authorizationServers\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const body = await readJsonObject(c);\n const name = typeof body.name === \"string\" ? body.name.trim() : \"\";\n if (!name) return oktaError(c, 400, \"E0000001\", \"name is required\");\n\n const serverId = typeof body.id === \"string\" ? body.id : normalizeServerId(name);\n if (oktaStore.authorizationServers.findOneBy(\"server_id\", serverId)) {\n return oktaError(c, 400, \"E0000001\", `Authorization server '${serverId}' already exists`);\n }\n\n const audiences = Array.isArray(body.audiences)\n ? body.audiences.filter((entry): entry is string => typeof entry === \"string\")\n : [DEFAULT_AUDIENCE];\n\n const created = oktaStore.authorizationServers.insert({\n server_id: serverId,\n name,\n description: typeof body.description === \"string\" ? body.description : \"\",\n audiences: audiences.length > 0 ? audiences : [DEFAULT_AUDIENCE],\n status: normalizeAuthServerStatus(typeof body.status === \"string\" ? body.status : undefined, \"ACTIVE\"),\n });\n\n return c.json(authorizationServerResponse(baseUrl, created), 201);\n });\n\n app.post(\"/api/v1/authorizationServers/:authServerId/lifecycle/activate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const server = findAuthorizationServerByRef(oktaStore, c.req.param(\"authServerId\"));\n if (!server) return oktaError(c, 404, \"E0000007\", \"Not found: authorization server\");\n const updated = oktaStore.authorizationServers.update(server.id, { status: \"ACTIVE\" });\n return c.json(authorizationServerResponse(baseUrl, updated ?? server));\n });\n\n app.post(\"/api/v1/authorizationServers/:authServerId/lifecycle/deactivate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const server = findAuthorizationServerByRef(oktaStore, c.req.param(\"authServerId\"));\n if (!server) return oktaError(c, 404, \"E0000007\", \"Not found: authorization server\");\n const updated = oktaStore.authorizationServers.update(server.id, { status: \"INACTIVE\" });\n return c.json(authorizationServerResponse(baseUrl, updated ?? server));\n });\n\n app.get(\"/api/v1/authorizationServers/:authServerId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const server = findAuthorizationServerByRef(oktaStore, c.req.param(\"authServerId\"));\n if (!server) return oktaError(c, 404, \"E0000007\", \"Not found: authorization server\");\n return c.json(authorizationServerResponse(baseUrl, server));\n });\n\n app.put(\"/api/v1/authorizationServers/:authServerId\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const server = findAuthorizationServerByRef(oktaStore, c.req.param(\"authServerId\"));\n if (!server) return oktaError(c, 404, \"E0000007\", \"Not found: authorization server\");\n\n const body = await readJsonObject(c);\n const audiences = Array.isArray(body.audiences)\n ? body.audiences.filter((entry): entry is string => typeof entry === \"string\")\n : server.audiences;\n\n const updated = oktaStore.authorizationServers.update(server.id, {\n name: typeof body.name === \"string\" ? body.name : server.name,\n description: typeof body.description === \"string\" ? body.description : server.description,\n audiences: audiences.length > 0 ? audiences : server.audiences,\n status: normalizeAuthServerStatus(typeof body.status === \"string\" ? body.status : undefined, server.status),\n });\n return c.json(authorizationServerResponse(baseUrl, updated ?? server));\n });\n\n app.delete(\"/api/v1/authorizationServers/:authServerId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const server = findAuthorizationServerByRef(oktaStore, c.req.param(\"authServerId\"));\n if (!server) return oktaError(c, 404, \"E0000007\", \"Not found: authorization server\");\n\n for (const client of oktaStore.oauthClients.findBy(\"auth_server_id\", server.server_id)) {\n oktaStore.oauthClients.delete(client.id);\n }\n oktaStore.authorizationServers.delete(server.id);\n return new Response(null, { status: 204 });\n });\n}\n","import { parsePagination, setLinkHeader, type RouteContext } from \"@emulators/core\";\nimport { generateOktaId, normalizeGroupType } from \"../helpers.js\";\nimport {\n findGroupByRef,\n findUserByRef,\n groupResponse,\n oktaError,\n readJsonObject,\n requireManagementAuth,\n userResponse,\n} from \"../route-helpers.js\";\nimport { getOktaStore } from \"../store.js\";\n\nexport function groupRoutes({ app, store, baseUrl, tokenMap }: RouteContext): void {\n const oktaStore = getOktaStore(store);\n\n app.get(\"/api/v1/groups\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const q = (c.req.query(\"q\") ?? \"\").toLowerCase();\n let groups = oktaStore.groups.all();\n if (q) {\n groups = groups.filter((group) =>\n `${group.name} ${group.description ?? \"\"}`.toLowerCase().includes(q),\n );\n }\n const { page, per_page } = parsePagination(c);\n const total = groups.length;\n const start = (page - 1) * per_page;\n const paged = groups.slice(start, start + per_page);\n setLinkHeader(c, total, page, per_page);\n c.header(\"X-Total-Count\", String(total));\n\n return c.json(paged.map((group) => groupResponse(baseUrl, group)));\n });\n\n app.post(\"/api/v1/groups\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const body = await readJsonObject(c);\n const profile = (body.profile && typeof body.profile === \"object\" ? body.profile : {}) as Record<string, unknown>;\n const name = typeof profile.name === \"string\" ? profile.name.trim() : \"\";\n\n if (!name) {\n return oktaError(c, 400, \"E0000001\", \"profile.name is required\");\n }\n\n if (oktaStore.groups.findOneBy(\"name\", name)) {\n return oktaError(c, 400, \"E0000001\", \"A group with the same name already exists\");\n }\n\n const created = oktaStore.groups.insert({\n okta_id: generateOktaId(\"00g\"),\n type: normalizeGroupType(typeof body.type === \"string\" ? body.type : undefined, \"OKTA_GROUP\"),\n name,\n description: typeof profile.description === \"string\" ? profile.description : null,\n });\n\n return c.json(groupResponse(baseUrl, created), 201);\n });\n\n app.get(\"/api/v1/groups/:groupId/users\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const group = findGroupByRef(oktaStore, c.req.param(\"groupId\"));\n if (!group) return oktaError(c, 404, \"E0000007\", \"Not found: group\");\n\n const memberships = oktaStore.groupMemberships.findBy(\"group_okta_id\", group.okta_id);\n const users = memberships\n .map((membership) => oktaStore.users.findOneBy(\"okta_id\", membership.user_okta_id))\n .filter((user): user is NonNullable<typeof user> => Boolean(user));\n\n return c.json(users.map((user) => userResponse(baseUrl, user)));\n });\n\n app.put(\"/api/v1/groups/:groupId/users/:userId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const group = findGroupByRef(oktaStore, c.req.param(\"groupId\"));\n if (!group) return oktaError(c, 404, \"E0000007\", \"Not found: group\");\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const existing = oktaStore.groupMemberships\n .findBy(\"group_okta_id\", group.okta_id)\n .find((membership) => membership.user_okta_id === user.okta_id);\n if (!existing) {\n oktaStore.groupMemberships.insert({\n group_okta_id: group.okta_id,\n user_okta_id: user.okta_id,\n });\n }\n\n return new Response(null, { status: 204 });\n });\n\n app.delete(\"/api/v1/groups/:groupId/users/:userId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const group = findGroupByRef(oktaStore, c.req.param(\"groupId\"));\n if (!group) return oktaError(c, 404, \"E0000007\", \"Not found: group\");\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const existing = oktaStore.groupMemberships\n .findBy(\"group_okta_id\", group.okta_id)\n .find((membership) => membership.user_okta_id === user.okta_id);\n if (existing) {\n oktaStore.groupMemberships.delete(existing.id);\n }\n\n return new Response(null, { status: 204 });\n });\n\n app.get(\"/api/v1/groups/:groupId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const group = findGroupByRef(oktaStore, c.req.param(\"groupId\"));\n if (!group) return oktaError(c, 404, \"E0000007\", \"Not found: group\");\n return c.json(groupResponse(baseUrl, group));\n });\n\n app.put(\"/api/v1/groups/:groupId\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const group = findGroupByRef(oktaStore, c.req.param(\"groupId\"));\n if (!group) return oktaError(c, 404, \"E0000007\", \"Not found: group\");\n\n const body = await readJsonObject(c);\n const profile = (body.profile && typeof body.profile === \"object\" ? body.profile : {}) as Record<string, unknown>;\n const nextName = typeof profile.name === \"string\" ? profile.name.trim() : group.name;\n\n if (nextName !== group.name) {\n const existing = oktaStore.groups.findOneBy(\"name\", nextName);\n if (existing && existing.okta_id !== group.okta_id) {\n return oktaError(c, 400, \"E0000001\", \"A group with the same name already exists\");\n }\n }\n\n const updated = oktaStore.groups.update(group.id, {\n name: nextName,\n description: typeof profile.description === \"string\" ? profile.description : group.description,\n type: normalizeGroupType(typeof body.type === \"string\" ? body.type : undefined, group.type),\n });\n return c.json(groupResponse(baseUrl, updated ?? group));\n });\n\n app.delete(\"/api/v1/groups/:groupId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const group = findGroupByRef(oktaStore, c.req.param(\"groupId\"));\n if (!group) return oktaError(c, 404, \"E0000007\", \"Not found: group\");\n\n for (const membership of oktaStore.groupMemberships.findBy(\"group_okta_id\", group.okta_id)) {\n oktaStore.groupMemberships.delete(membership.id);\n }\n\n oktaStore.groups.delete(group.id);\n return new Response(null, { status: 204 });\n });\n}\n","import { createHash, randomBytes } from \"node:crypto\";\nimport { SignJWT, exportJWK, generateKeyPair } from \"jose\";\nimport type { Context } from \"hono\";\nimport type { AppEnv, RouteContext, Store } from \"@emulators/core\";\nimport {\n bodyStr,\n constantTimeSecretEqual,\n debug,\n escapeAttr,\n escapeHtml,\n matchesRedirectUri,\n renderCardPage,\n renderErrorPage,\n renderUserButton,\n} from \"@emulators/core\";\nimport type { OktaOAuthClient, OktaUser } from \"../entities.js\";\nimport {\n DEFAULT_AUDIENCE,\n DEFAULT_AUTH_SERVER_ID,\n ORG_AUTH_SERVER_ID,\n resolveOktaIssuer,\n userDisplayName,\n} from \"../helpers.js\";\nimport {\n findUserByRef,\n oktaError,\n} from \"../route-helpers.js\";\nimport { getOktaStore } from \"../store.js\";\n\nconst keyPairPromise = generateKeyPair(\"RS256\");\nconst KID = \"emulate-okta-1\";\n\nconst CODE_TTL_MS = 10 * 60 * 1000;\n\ntype PendingCode = {\n userRef: string;\n scope: string;\n redirectUri: string;\n clientId: string;\n nonce: string | null;\n codeChallenge: string | null;\n codeChallengeMethod: string | null;\n authServerId: string;\n createdAt: number;\n};\n\ntype StoredAccessToken = {\n authServerId: string;\n clientId: string;\n scope: string;\n issuedAt: number;\n expiresAt: number;\n userOktaId: string | null;\n username: string | null;\n};\n\ntype StoredRefreshToken = {\n authServerId: string;\n clientId: string;\n scope: string;\n userOktaId: string;\n username: string;\n nonce: string | null;\n};\n\ntype ResolvedServer = {\n authServerId: string;\n issuer: string;\n audiences: string[];\n};\n\nfunction getPendingCodes(store: Store): Map<string, PendingCode> {\n let map = store.getData<Map<string, PendingCode>>(\"okta.oauth.pendingCodes\");\n if (!map) {\n map = new Map();\n store.setData(\"okta.oauth.pendingCodes\", map);\n }\n return map;\n}\n\nfunction getAccessTokens(store: Store): Map<string, StoredAccessToken> {\n let map = store.getData<Map<string, StoredAccessToken>>(\"okta.oauth.accessTokens\");\n if (!map) {\n map = new Map();\n store.setData(\"okta.oauth.accessTokens\", map);\n }\n return map;\n}\n\nfunction getRefreshTokens(store: Store): Map<string, StoredRefreshToken> {\n let map = store.getData<Map<string, StoredRefreshToken>>(\"okta.oauth.refreshTokens\");\n if (!map) {\n map = new Map();\n store.setData(\"okta.oauth.refreshTokens\", map);\n }\n return map;\n}\n\nfunction isCodeExpired(code: PendingCode): boolean {\n return Date.now() - code.createdAt > CODE_TTL_MS;\n}\n\nfunction buildOAuthBasePath(authServerId: string): string {\n if (authServerId === ORG_AUTH_SERVER_ID) return \"/oauth2/v1\";\n return `/oauth2/${encodeURIComponent(authServerId)}/v1`;\n}\n\nfunction getClientsForServer(\n clients: OktaOAuthClient[],\n authServerId: string,\n): OktaOAuthClient[] {\n return clients.filter((client) => client.auth_server_id === authServerId);\n}\n\nfunction resolveServer(\n authServerId: string,\n baseUrl: string,\n store: ReturnType<typeof getOktaStore>,\n): ResolvedServer | null {\n if (authServerId === ORG_AUTH_SERVER_ID) {\n return {\n authServerId,\n issuer: baseUrl,\n audiences: [DEFAULT_AUDIENCE],\n };\n }\n\n const server = store.authorizationServers.findOneBy(\"server_id\", authServerId);\n if (!server) return null;\n return {\n authServerId,\n issuer: resolveOktaIssuer(baseUrl, authServerId),\n audiences: server.audiences.length > 0 ? server.audiences : [DEFAULT_AUDIENCE],\n };\n}\n\nfunction buildOidcConfiguration(baseUrl: string, server: ResolvedServer): Record<string, unknown> {\n const oauthBase = buildOAuthBasePath(server.authServerId);\n const oauthUrlBase = `${baseUrl}${oauthBase}`;\n const tokenEndpointAuthMethods = [\"client_secret_post\", \"client_secret_basic\", \"none\"];\n return {\n issuer: server.issuer,\n authorization_endpoint: `${oauthUrlBase}/authorize`,\n token_endpoint: `${oauthUrlBase}/token`,\n userinfo_endpoint: `${oauthUrlBase}/userinfo`,\n jwks_uri: `${oauthUrlBase}/keys`,\n end_session_endpoint: `${oauthUrlBase}/logout`,\n revocation_endpoint: `${oauthUrlBase}/revoke`,\n introspection_endpoint: `${oauthUrlBase}/introspect`,\n registration_endpoint: `${oauthUrlBase}/clients`,\n response_types_supported: [\"code\"],\n response_modes_supported: [\"query\", \"fragment\", \"form_post\"],\n grant_types_supported: [\"authorization_code\", \"refresh_token\", \"client_credentials\"],\n subject_types_supported: [\"public\"],\n id_token_signing_alg_values_supported: [\"RS256\"],\n scopes_supported: [\"openid\", \"profile\", \"email\", \"offline_access\", \"groups\"],\n token_endpoint_auth_methods_supported: tokenEndpointAuthMethods,\n revocation_endpoint_auth_methods_supported: tokenEndpointAuthMethods,\n introspection_endpoint_auth_methods_supported: tokenEndpointAuthMethods,\n request_parameter_supported: false,\n request_uri_parameter_supported: false,\n claims_parameter_supported: false,\n request_object_signing_alg_values_supported: [\"RS256\"],\n claims_supported: [\n \"sub\",\n \"iss\",\n \"aud\",\n \"exp\",\n \"iat\",\n \"auth_time\",\n \"nonce\",\n \"name\",\n \"preferred_username\",\n \"email\",\n \"email_verified\",\n \"locale\",\n \"zoneinfo\",\n \"groups\",\n ],\n code_challenge_methods_supported: [\"plain\", \"S256\"],\n };\n}\n\nasync function parseTokenLikeBody(c: Context<AppEnv>): Promise<Record<string, string>> {\n const contentType = c.req.header(\"Content-Type\") ?? \"\";\n const raw = await c.req.text();\n\n if (contentType.includes(\"application/json\")) {\n try {\n const parsed = JSON.parse(raw) as Record<string, unknown>;\n const out: Record<string, string> = {};\n for (const [key, value] of Object.entries(parsed)) {\n if (typeof value === \"string\") out[key] = value;\n }\n return out;\n } catch {\n return {};\n }\n }\n\n return Object.fromEntries(new URLSearchParams(raw));\n}\n\nfunction parseClientCredentials(\n c: Context<AppEnv>,\n body: Record<string, string>,\n): { clientId: string; clientSecret: string } {\n let clientId = body.client_id ?? \"\";\n let clientSecret = body.client_secret ?? \"\";\n\n const authHeader = c.req.header(\"Authorization\") ?? \"\";\n if (authHeader.startsWith(\"Basic \")) {\n const decoded = Buffer.from(authHeader.slice(6), \"base64\").toString(\"utf8\");\n const sep = decoded.indexOf(\":\");\n if (sep !== -1) {\n const headerId = decodeURIComponent(decoded.slice(0, sep));\n const headerSecret = decodeURIComponent(decoded.slice(sep + 1));\n if (!clientId) clientId = headerId;\n if (!clientSecret) clientSecret = headerSecret;\n }\n }\n\n return { clientId, clientSecret };\n}\n\ninterface ClientValidationError {\n body: { error: string; error_description: string };\n status: number;\n}\n\nfunction validateClient(\n clients: OktaOAuthClient[],\n authServerId: string,\n clientId: string,\n clientSecret: string,\n): { client: OktaOAuthClient | null; error: ClientValidationError | null } {\n const scopedClients = getClientsForServer(clients, authServerId);\n if (scopedClients.length === 0) {\n return { client: null, error: null };\n }\n\n const client = scopedClients.find((entry) => entry.client_id === clientId);\n if (!client) {\n return {\n client: null,\n error: {\n body: { error: \"invalid_client\", error_description: \"Unknown client.\" },\n status: 401,\n },\n };\n }\n\n if (client.token_endpoint_auth_method === \"none\") {\n return { client, error: null };\n }\n\n if (!constantTimeSecretEqual(client.client_secret ?? \"\", clientSecret)) {\n return {\n client: null,\n error: {\n body: { error: \"invalid_client\", error_description: \"Invalid client credentials.\" },\n status: 401,\n },\n };\n }\n\n return { client, error: null };\n}\n\nfunction parseScope(scope: string): string[] {\n return scope.split(/\\s+/).map((part) => part.trim()).filter(Boolean);\n}\n\nfunction collectUserGroups(\n oktaStore: ReturnType<typeof getOktaStore>,\n user: OktaUser,\n): string[] {\n const memberships = oktaStore.groupMemberships.findBy(\"user_okta_id\", user.okta_id);\n const names: string[] = [];\n for (const membership of memberships) {\n const group = oktaStore.groups.findOneBy(\"okta_id\", membership.group_okta_id);\n if (group) names.push(group.name);\n }\n return names;\n}\n\nasync function createIdToken(\n oktaStore: ReturnType<typeof getOktaStore>,\n user: OktaUser,\n clientId: string,\n nonce: string | null,\n issuer: string,\n scope: string,\n): Promise<string> {\n const { privateKey } = await keyPairPromise;\n const now = Math.floor(Date.now() / 1000);\n const scopes = parseScope(scope);\n\n const claims: Record<string, unknown> = {\n sub: user.okta_id,\n name: userDisplayName(user),\n preferred_username: user.login,\n email: user.email,\n email_verified: true,\n locale: user.locale,\n zoneinfo: user.time_zone,\n auth_time: now,\n };\n\n if (nonce) claims.nonce = nonce;\n if (scopes.includes(\"groups\")) {\n claims.groups = collectUserGroups(oktaStore, user);\n }\n\n return new SignJWT(claims)\n .setProtectedHeader({ alg: \"RS256\", kid: KID, typ: \"JWT\" })\n .setIssuer(issuer)\n .setAudience(clientId)\n .setIssuedAt(now)\n .setExpirationTime(\"1h\")\n .sign(privateKey);\n}\n\nfunction unauthorizedOAuthError(): Response {\n return new Response(\n JSON.stringify({ error: \"invalid_token\", error_description: \"The access token is invalid.\" }),\n { status: 401, headers: { \"Content-Type\": \"application/json\" } },\n );\n}\n\nexport function oauthRoutes({ app, store, baseUrl, tokenMap }: RouteContext): void {\n const oktaStore = getOktaStore(store);\n const SERVICE_LABEL = \"Okta\";\n\n app.get(\"/.well-known/openid-configuration\", (c) => {\n const server = resolveServer(ORG_AUTH_SERVER_ID, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", \"Not found: org authorization server\");\n return c.json(buildOidcConfiguration(baseUrl, server));\n });\n\n app.get(\"/oauth2/:authServerId/.well-known/openid-configuration\", (c) => {\n const authServerId = c.req.param(\"authServerId\");\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n return c.json(buildOidcConfiguration(baseUrl, server));\n });\n\n app.get(\"/oauth2/v1/keys\", async (c) => {\n const { publicKey } = await keyPairPromise;\n const jwk = await exportJWK(publicKey);\n return c.json({\n keys: [{ ...jwk, kid: KID, use: \"sig\", alg: \"RS256\" }],\n });\n });\n\n app.get(\"/oauth2/:authServerId/v1/keys\", async (c) => {\n const authServerId = c.req.param(\"authServerId\");\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const { publicKey } = await keyPairPromise;\n const jwk = await exportJWK(publicKey);\n return c.json({\n keys: [{ ...jwk, kid: KID, use: \"sig\", alg: \"RS256\" }],\n });\n });\n\n const renderAuthorizePage = (\n c: Context<AppEnv>,\n authServerId: string,\n ): Response => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const clientId = c.req.query(\"client_id\") ?? \"\";\n const redirectUri = c.req.query(\"redirect_uri\") ?? \"\";\n const scope = c.req.query(\"scope\") ?? \"openid profile email\";\n const state = c.req.query(\"state\") ?? \"\";\n const nonce = c.req.query(\"nonce\") ?? \"\";\n const responseMode = c.req.query(\"response_mode\") ?? \"query\";\n const responseType = c.req.query(\"response_type\") ?? \"code\";\n const codeChallenge = c.req.query(\"code_challenge\") ?? \"\";\n const codeChallengeMethod = c.req.query(\"code_challenge_method\") ?? \"\";\n\n if (responseType !== \"code\") {\n return c.html(\n renderErrorPage(\"Unsupported response_type\", \"Only response_type=code is supported.\", SERVICE_LABEL),\n 400,\n );\n }\n\n if (!redirectUri) {\n return c.html(\n renderErrorPage(\"Missing redirect URI\", \"The redirect_uri parameter is required.\", SERVICE_LABEL),\n 400,\n );\n }\n\n const configuredClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId);\n let clientName = \"\";\n if (configuredClients.length > 0) {\n const client = configuredClients.find((entry) => entry.client_id === clientId);\n if (!client) {\n return c.html(\n renderErrorPage(\"Application not found\", `The client_id '${clientId}' is not registered.`, SERVICE_LABEL),\n 400,\n );\n }\n if (!matchesRedirectUri(redirectUri, client.redirect_uris)) {\n return c.html(\n renderErrorPage(\"Redirect URI mismatch\", \"The redirect_uri is not registered for this application.\", SERVICE_LABEL),\n 400,\n );\n }\n clientName = client.name;\n }\n\n const users = oktaStore.users.all();\n const callbackPath = `${buildOAuthBasePath(authServerId)}/authorize/callback`;\n const buttons = users\n .map((user) => renderUserButton({\n letter: (user.login[0] ?? \"?\").toUpperCase(),\n login: user.login,\n name: userDisplayName(user),\n email: user.email,\n formAction: callbackPath,\n hiddenFields: {\n user_ref: user.okta_id,\n redirect_uri: redirectUri,\n scope,\n state,\n nonce,\n client_id: clientId,\n response_mode: responseMode,\n code_challenge: codeChallenge,\n code_challenge_method: codeChallengeMethod,\n auth_server_id: authServerId,\n },\n }))\n .join(\"\\n\");\n\n const subtitle = clientName\n ? `Sign in to <strong>${escapeHtml(clientName)}</strong> with your Okta account.`\n : \"Choose a seeded user to continue.\";\n\n return c.html(\n renderCardPage(\n \"Sign in with Okta\",\n subtitle,\n users.length > 0 ? buttons : '<p class=\"empty\">No users in the emulator store.</p>',\n SERVICE_LABEL,\n ),\n );\n };\n\n app.get(\"/oauth2/v1/authorize\", (c) => renderAuthorizePage(c, ORG_AUTH_SERVER_ID));\n app.get(\"/oauth2/:authServerId/v1/authorize\", (c) => renderAuthorizePage(c, c.req.param(\"authServerId\")));\n\n const handleAuthorizeCallback = async (\n c: Context<AppEnv>,\n authServerId: string,\n ): Promise<Response> => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const body = await c.req.parseBody();\n const userRef = bodyStr(body.user_ref);\n const redirectUri = bodyStr(body.redirect_uri);\n const scope = bodyStr(body.scope) || \"openid profile email\";\n const state = bodyStr(body.state);\n const nonce = bodyStr(body.nonce);\n const clientId = bodyStr(body.client_id);\n const responseMode = bodyStr(body.response_mode) || \"query\";\n const codeChallenge = bodyStr(body.code_challenge);\n const codeChallengeMethod = bodyStr(body.code_challenge_method);\n\n if (!redirectUri) {\n return c.html(\n renderErrorPage(\"Missing redirect URI\", \"The redirect_uri parameter is required.\", SERVICE_LABEL),\n 400,\n );\n }\n\n const user = findUserByRef(oktaStore, userRef);\n if (!user) {\n return c.html(\n renderErrorPage(\"Unknown user\", \"The selected user is not available.\", SERVICE_LABEL),\n 400,\n );\n }\n\n const configuredClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId);\n if (configuredClients.length > 0) {\n const client = configuredClients.find((entry) => entry.client_id === clientId);\n if (!client) {\n return c.html(\n renderErrorPage(\"Application not found\", `The client_id '${clientId}' is not registered.`, SERVICE_LABEL),\n 400,\n );\n }\n if (!matchesRedirectUri(redirectUri, client.redirect_uris)) {\n return c.html(\n renderErrorPage(\"Redirect URI mismatch\", \"The redirect_uri is not registered for this application.\", SERVICE_LABEL),\n 400,\n );\n }\n }\n\n const code = randomBytes(20).toString(\"hex\");\n getPendingCodes(store).set(code, {\n userRef: user.okta_id,\n scope,\n redirectUri,\n clientId,\n nonce: nonce || null,\n codeChallenge: codeChallenge || null,\n codeChallengeMethod: codeChallengeMethod || null,\n authServerId,\n createdAt: Date.now(),\n });\n\n debug(\"okta.oauth\", `[callback] code=${code.slice(0, 8)}... user=${user.login} server=${authServerId}`);\n\n if (responseMode === \"form_post\") {\n const html = `<!DOCTYPE html>\n<html>\n<head><title>Submit</title></head>\n<body onload=\"document.forms[0].submit()\">\n<form method=\"POST\" action=\"${escapeAttr(redirectUri)}\">\n<input type=\"hidden\" name=\"code\" value=\"${escapeAttr(code)}\" />\n<input type=\"hidden\" name=\"state\" value=\"${escapeAttr(state)}\" />\n</form>\n</body>\n</html>`;\n return c.html(html);\n }\n\n const url = new URL(redirectUri);\n url.searchParams.set(\"code\", code);\n if (state) url.searchParams.set(\"state\", state);\n return c.redirect(url.toString(), 302);\n };\n\n app.post(\"/oauth2/v1/authorize/callback\", (c) => handleAuthorizeCallback(c, ORG_AUTH_SERVER_ID));\n app.post(\"/oauth2/:authServerId/v1/authorize/callback\", (c) => handleAuthorizeCallback(c, c.req.param(\"authServerId\")));\n\n const handleToken = async (\n c: Context<AppEnv>,\n authServerId: string,\n ): Promise<Response> => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const body = await parseTokenLikeBody(c);\n const grantType = body.grant_type ?? \"\";\n const code = body.code ?? \"\";\n const redirectUri = body.redirect_uri ?? \"\";\n const codeVerifier = body.code_verifier;\n const refreshToken = body.refresh_token ?? \"\";\n const requestedScope = body.scope ?? \"\";\n\n const creds = parseClientCredentials(c, body);\n const validation = validateClient(oktaStore.oauthClients.all(), authServerId, creds.clientId, creds.clientSecret);\n if (validation.error) {\n return c.json(validation.error.body, validation.error.status as 401);\n }\n const validatedClient = validation.client;\n\n if (grantType === \"authorization_code\") {\n const pending = getPendingCodes(store).get(code);\n if (!pending || isCodeExpired(pending)) {\n if (pending) getPendingCodes(store).delete(code);\n return c.json({ error: \"invalid_grant\", error_description: \"Authorization code is invalid or expired.\" }, 400);\n }\n if (pending.authServerId !== authServerId) {\n return c.json({ error: \"invalid_grant\", error_description: \"Authorization server mismatch.\" }, 400);\n }\n if (redirectUri && redirectUri !== pending.redirectUri) {\n return c.json({ error: \"invalid_grant\", error_description: \"redirect_uri does not match.\" }, 400);\n }\n if (validatedClient && validatedClient.client_id !== pending.clientId) {\n return c.json({ error: \"invalid_grant\", error_description: \"Authorization code was not issued to this client.\" }, 400);\n }\n\n if (pending.codeChallenge !== null) {\n if (!codeVerifier) {\n return c.json({ error: \"invalid_grant\", error_description: \"PKCE verification failed.\" }, 400);\n }\n const method = (pending.codeChallengeMethod ?? \"plain\").toLowerCase();\n if (method === \"s256\") {\n const expected = createHash(\"sha256\").update(codeVerifier).digest(\"base64url\");\n if (expected !== pending.codeChallenge) {\n return c.json({ error: \"invalid_grant\", error_description: \"PKCE verification failed.\" }, 400);\n }\n } else if (method === \"plain\") {\n if (codeVerifier !== pending.codeChallenge) {\n return c.json({ error: \"invalid_grant\", error_description: \"PKCE verification failed.\" }, 400);\n }\n } else {\n return c.json({ error: \"invalid_grant\", error_description: \"PKCE verification failed.\" }, 400);\n }\n }\n\n const user = findUserByRef(oktaStore, pending.userRef);\n if (!user) return c.json({ error: \"invalid_grant\", error_description: \"Unknown user.\" }, 400);\n getPendingCodes(store).delete(code);\n\n const now = Math.floor(Date.now() / 1000);\n const audienceClient = pending.clientId || creds.clientId || \"okta-client\";\n const scope = pending.scope || \"openid profile email\";\n const accessToken = `okta_${randomBytes(20).toString(\"base64url\")}`;\n const newRefreshToken = `r_okta_${randomBytes(20).toString(\"base64url\")}`;\n\n getAccessTokens(store).set(accessToken, {\n authServerId,\n clientId: audienceClient,\n scope,\n issuedAt: now,\n expiresAt: now + 3600,\n userOktaId: user.okta_id,\n username: user.login,\n });\n getRefreshTokens(store).set(newRefreshToken, {\n authServerId,\n clientId: audienceClient,\n scope,\n userOktaId: user.okta_id,\n username: user.login,\n nonce: pending.nonce,\n });\n\n tokenMap?.set(accessToken, {\n login: user.login,\n id: user.id,\n scopes: parseScope(scope),\n });\n\n const idToken = await createIdToken(\n oktaStore,\n user,\n audienceClient,\n pending.nonce,\n server.issuer,\n scope,\n );\n\n return c.json({\n token_type: \"Bearer\",\n expires_in: 3600,\n access_token: accessToken,\n refresh_token: newRefreshToken,\n id_token: idToken,\n scope,\n });\n }\n\n if (grantType === \"refresh_token\") {\n const existing = getRefreshTokens(store).get(refreshToken);\n if (!existing) {\n return c.json({ error: \"invalid_grant\", error_description: \"Invalid refresh token.\" }, 400);\n }\n if (existing.authServerId !== authServerId) {\n return c.json({ error: \"invalid_grant\", error_description: \"Authorization server mismatch.\" }, 400);\n }\n if (validatedClient && validatedClient.client_id !== existing.clientId) {\n return c.json({ error: \"invalid_grant\", error_description: \"Refresh token was not issued to this client.\" }, 400);\n }\n\n const user = oktaStore.users.findOneBy(\"okta_id\", existing.userOktaId);\n if (!user) return c.json({ error: \"invalid_grant\", error_description: \"Unknown user.\" }, 400);\n getRefreshTokens(store).delete(refreshToken);\n\n const now = Math.floor(Date.now() / 1000);\n const nextAccessToken = `okta_${randomBytes(20).toString(\"base64url\")}`;\n const nextRefreshToken = `r_okta_${randomBytes(20).toString(\"base64url\")}`;\n const scope = requestedScope || existing.scope;\n\n getAccessTokens(store).set(nextAccessToken, {\n authServerId,\n clientId: existing.clientId,\n scope,\n issuedAt: now,\n expiresAt: now + 3600,\n userOktaId: user.okta_id,\n username: user.login,\n });\n getRefreshTokens(store).set(nextRefreshToken, {\n ...existing,\n scope,\n });\n\n tokenMap?.set(nextAccessToken, {\n login: user.login,\n id: user.id,\n scopes: parseScope(scope),\n });\n\n const response: Record<string, unknown> = {\n token_type: \"Bearer\",\n expires_in: 3600,\n access_token: nextAccessToken,\n refresh_token: nextRefreshToken,\n scope,\n };\n\n if (parseScope(scope).includes(\"openid\")) {\n response.id_token = await createIdToken(\n oktaStore,\n user,\n existing.clientId,\n existing.nonce,\n server.issuer,\n scope,\n );\n }\n\n return c.json(response);\n }\n\n if (grantType === \"client_credentials\") {\n if (oktaStore.oauthClients.all().length > 0 && !validatedClient) {\n return c.json({ error: \"invalid_client\", error_description: \"Unknown client.\" }, 401);\n }\n\n const scope = requestedScope || \".default\";\n const now = Math.floor(Date.now() / 1000);\n const accessToken = `okta_${randomBytes(20).toString(\"base64url\")}`;\n const clientId = validatedClient?.client_id ?? creds.clientId;\n\n if (!clientId) {\n return c.json({ error: \"invalid_client\", error_description: \"client_id is required.\" }, 401);\n }\n\n getAccessTokens(store).set(accessToken, {\n authServerId,\n clientId,\n scope,\n issuedAt: now,\n expiresAt: now + 3600,\n userOktaId: null,\n username: null,\n });\n\n tokenMap?.set(accessToken, {\n login: clientId,\n id: 0,\n scopes: parseScope(scope),\n });\n\n return c.json({\n token_type: \"Bearer\",\n expires_in: 3600,\n access_token: accessToken,\n scope,\n });\n }\n\n return c.json({ error: \"unsupported_grant_type\" }, 400);\n };\n\n app.post(\"/oauth2/v1/token\", (c) => handleToken(c, ORG_AUTH_SERVER_ID));\n app.post(\"/oauth2/:authServerId/v1/token\", (c) => handleToken(c, c.req.param(\"authServerId\")));\n\n const handleUserInfo = (c: Context<AppEnv>, authServerId: string): Response => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const token = c.get(\"authToken\") ?? \"\";\n const access = getAccessTokens(store).get(token);\n if (!access || access.authServerId !== authServerId || !access.userOktaId) {\n return unauthorizedOAuthError();\n }\n\n const user = oktaStore.users.findOneBy(\"okta_id\", access.userOktaId);\n if (!user) return unauthorizedOAuthError();\n\n const claims: Record<string, unknown> = {\n sub: user.okta_id,\n name: userDisplayName(user),\n preferred_username: user.login,\n email: user.email,\n email_verified: true,\n locale: user.locale,\n zoneinfo: user.time_zone,\n };\n\n if (parseScope(access.scope).includes(\"groups\")) {\n claims.groups = collectUserGroups(oktaStore, user);\n }\n\n return c.json(claims);\n };\n\n app.get(\"/oauth2/v1/userinfo\", (c) => handleUserInfo(c, ORG_AUTH_SERVER_ID));\n app.get(\"/oauth2/:authServerId/v1/userinfo\", (c) => handleUserInfo(c, c.req.param(\"authServerId\")));\n\n const handleRevoke = async (\n c: Context<AppEnv>,\n authServerId: string,\n ): Promise<Response> => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const body = await parseTokenLikeBody(c);\n const token = body.token ?? \"\";\n getAccessTokens(store).delete(token);\n getRefreshTokens(store).delete(token);\n tokenMap?.delete(token);\n return c.body(\"\", 200);\n };\n\n app.post(\"/oauth2/v1/revoke\", (c) => handleRevoke(c, ORG_AUTH_SERVER_ID));\n app.post(\"/oauth2/:authServerId/v1/revoke\", (c) => handleRevoke(c, c.req.param(\"authServerId\")));\n\n const handleIntrospect = async (\n c: Context<AppEnv>,\n authServerId: string,\n ): Promise<Response> => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const body = await parseTokenLikeBody(c);\n const token = body.token ?? \"\";\n const creds = parseClientCredentials(c, body);\n\n const validation = validateClient(oktaStore.oauthClients.all(), authServerId, creds.clientId, creds.clientSecret);\n if (validation.error) {\n return c.json(validation.error.body, validation.error.status as 401);\n }\n\n const now = Math.floor(Date.now() / 1000);\n const access = getAccessTokens(store).get(token);\n if (access && access.authServerId === authServerId && access.expiresAt > now) {\n return c.json({\n active: true,\n token_type: \"Bearer\",\n scope: access.scope,\n client_id: access.clientId,\n username: access.username,\n sub: access.userOktaId,\n aud: server.audiences,\n iss: server.issuer,\n exp: access.expiresAt,\n iat: access.issuedAt,\n });\n }\n\n const refresh = getRefreshTokens(store).get(token);\n if (refresh && refresh.authServerId === authServerId) {\n return c.json({\n active: true,\n token_type: \"refresh_token\",\n scope: refresh.scope,\n client_id: refresh.clientId,\n username: refresh.username,\n sub: refresh.userOktaId,\n aud: server.audiences,\n iss: server.issuer,\n });\n }\n\n return c.json({ active: false });\n };\n\n app.post(\"/oauth2/v1/introspect\", (c) => handleIntrospect(c, ORG_AUTH_SERVER_ID));\n app.post(\"/oauth2/:authServerId/v1/introspect\", (c) => handleIntrospect(c, c.req.param(\"authServerId\")));\n\n const handleLogout = (\n c: Context<AppEnv>,\n authServerId: string,\n ): Response => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const postLogoutRedirectUri = c.req.query(\"post_logout_redirect_uri\");\n if (!postLogoutRedirectUri) return c.text(\"Logged out\");\n\n const scopedClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId);\n if (scopedClients.length > 0) {\n const isAllowed = scopedClients.some((client) =>\n matchesRedirectUri(postLogoutRedirectUri, client.redirect_uris),\n );\n if (!isAllowed) return c.text(\"Invalid post_logout_redirect_uri\", 400);\n }\n\n return c.redirect(postLogoutRedirectUri, 302);\n };\n\n app.get(\"/oauth2/v1/logout\", (c) => handleLogout(c, ORG_AUTH_SERVER_ID));\n app.get(\"/oauth2/:authServerId/v1/logout\", (c) => handleLogout(c, c.req.param(\"authServerId\")));\n}\n\nexport { DEFAULT_AUTH_SERVER_ID };\n","import { parsePagination, setLinkHeader, type RouteContext } from \"@emulators/core\";\nimport { boolFromQuery, generateOktaId, nowIso, userDisplayName } from \"../helpers.js\";\nimport { findUserByRef, oktaError, readJsonObject, requireManagementAuth, userResponse } from \"../route-helpers.js\";\nimport { getOktaStore } from \"../store.js\";\nimport type { OktaUser, OktaUserStatus } from \"../entities.js\";\n\nfunction updateUserProfile(user: OktaUser, profile: Record<string, unknown>): Partial<OktaUser> {\n const nextFirstName = typeof profile.firstName === \"string\" ? profile.firstName : user.first_name;\n const nextLastName = typeof profile.lastName === \"string\" ? profile.lastName : user.last_name;\n const nextDisplayName =\n typeof profile.displayName === \"string\"\n ? profile.displayName\n : typeof profile.nickName === \"string\"\n ? profile.nickName\n : user.display_name;\n\n return {\n login: typeof profile.login === \"string\" ? profile.login : user.login,\n email: typeof profile.email === \"string\" ? profile.email : user.email,\n first_name: nextFirstName,\n last_name: nextLastName,\n display_name: nextDisplayName || `${nextFirstName} ${nextLastName}`.trim(),\n locale: typeof profile.locale === \"string\" ? profile.locale : user.locale,\n time_zone: typeof profile.timeZone === \"string\" ? profile.timeZone : user.time_zone,\n };\n}\n\nfunction setLifecycleStatus(user: OktaUser, target: OktaUserStatus): Partial<OktaUser> {\n const now = nowIso();\n const activatedAt = target === \"ACTIVE\" ? (user.activated_at ?? now) : user.activated_at;\n return {\n status: target,\n transitioning_to_status: null,\n status_changed_at: now,\n activated_at: activatedAt,\n };\n}\n\nexport function userRoutes({ app, store, baseUrl, tokenMap }: RouteContext): void {\n const oktaStore = getOktaStore(store);\n\n app.get(\"/api/v1/users\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const q = (c.req.query(\"q\") ?? \"\").toLowerCase();\n const search = (c.req.query(\"search\") ?? \"\").toLowerCase();\n const filter = c.req.query(\"filter\") ?? \"\";\n\n let users = oktaStore.users.all();\n\n if (q) {\n users = users.filter((user) =>\n [user.login, user.email, user.first_name, user.last_name, user.display_name]\n .join(\" \")\n .toLowerCase()\n .includes(q),\n );\n }\n\n if (search) {\n users = users.filter((user) =>\n [user.login, user.email, user.first_name, user.last_name, user.display_name]\n .join(\" \")\n .toLowerCase()\n .includes(search),\n );\n }\n\n if (filter) {\n const statusMatch = filter.match(/status\\s+eq\\s+\"?([A-Z_]+)\"?/i);\n if (statusMatch?.[1]) {\n users = users.filter((user) => user.status === statusMatch[1]);\n }\n }\n\n const { page, per_page } = parsePagination(c);\n const total = users.length;\n const start = (page - 1) * per_page;\n const paged = users.slice(start, start + per_page);\n setLinkHeader(c, total, page, per_page);\n c.header(\"X-Total-Count\", String(total));\n\n return c.json(paged.map((user) => userResponse(baseUrl, user)));\n });\n\n app.post(\"/api/v1/users\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const body = await readJsonObject(c);\n const profile = (body.profile && typeof body.profile === \"object\" ? body.profile : {}) as Record<string, unknown>;\n const login = typeof profile.login === \"string\" ? profile.login.trim() : \"\";\n const email = typeof profile.email === \"string\" ? profile.email.trim() : login;\n\n if (!login || !email) {\n return oktaError(c, 400, \"E0000001\", \"profile.login and profile.email are required\");\n }\n\n if (oktaStore.users.findOneBy(\"login\", login) || oktaStore.users.findOneBy(\"email\", email)) {\n return oktaError(c, 400, \"E0000001\", \"A user with the same login or email already exists\");\n }\n\n const activate = boolFromQuery(c.req.query(\"activate\"), true);\n const now = nowIso();\n const firstName = typeof profile.firstName === \"string\" ? profile.firstName : \"Test\";\n const lastName = typeof profile.lastName === \"string\" ? profile.lastName : \"User\";\n const displayName =\n typeof profile.displayName === \"string\"\n ? profile.displayName\n : `${firstName} ${lastName}`.trim() || login;\n\n const created = oktaStore.users.insert({\n okta_id: generateOktaId(\"00u\"),\n status: activate ? \"ACTIVE\" : \"STAGED\",\n activated_at: activate ? now : null,\n status_changed_at: now,\n last_login_at: null,\n password_changed_at: null,\n transitioning_to_status: null,\n login,\n email,\n first_name: firstName,\n last_name: lastName,\n display_name: displayName,\n locale: typeof profile.locale === \"string\" ? profile.locale : \"en-US\",\n time_zone: typeof profile.timeZone === \"string\" ? profile.timeZone : \"UTC\",\n });\n\n return c.json(userResponse(baseUrl, created), 201);\n });\n\n app.get(\"/api/v1/users/me\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const user = oktaStore.users.findOneBy(\"login\", auth.login) ?? oktaStore.users.all()[0];\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const response = userResponse(baseUrl, user);\n return c.json({\n ...response,\n profile: {\n ...(response.profile as Record<string, unknown>),\n displayName: userDisplayName(user),\n },\n });\n });\n\n app.get(\"/api/v1/users/:userId/groups\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const memberships = oktaStore.groupMemberships.findBy(\"user_okta_id\", user.okta_id);\n const groups = memberships\n .map((membership) => oktaStore.groups.findOneBy(\"okta_id\", membership.group_okta_id))\n .filter((group): group is NonNullable<typeof group> => Boolean(group));\n\n return c.json(groups.map((group) => ({\n id: group.okta_id,\n profile: {\n name: group.name,\n description: group.description,\n },\n type: group.type,\n })));\n });\n\n app.post(\"/api/v1/users/:userId/lifecycle/activate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n const updated = oktaStore.users.update(user.id, setLifecycleStatus(user, \"ACTIVE\"));\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n\n app.post(\"/api/v1/users/:userId/lifecycle/deactivate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n const updated = oktaStore.users.update(user.id, setLifecycleStatus(user, \"DEPROVISIONED\"));\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n\n app.post(\"/api/v1/users/:userId/lifecycle/suspend\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n const updated = oktaStore.users.update(user.id, setLifecycleStatus(user, \"SUSPENDED\"));\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n\n app.post(\"/api/v1/users/:userId/lifecycle/unsuspend\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n const updated = oktaStore.users.update(user.id, setLifecycleStatus(user, \"ACTIVE\"));\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n\n app.get(\"/api/v1/users/:userId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n return c.json(userResponse(baseUrl, user));\n });\n\n app.put(\"/api/v1/users/:userId\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const body = await readJsonObject(c);\n const profile = (body.profile && typeof body.profile === \"object\" ? body.profile : {}) as Record<string, unknown>;\n\n const updates = updateUserProfile(user, profile);\n if (\n (updates.login !== user.login && oktaStore.users.findOneBy(\"login\", updates.login ?? \"\")) ||\n (updates.email !== user.email && oktaStore.users.findOneBy(\"email\", updates.email ?? \"\"))\n ) {\n return oktaError(c, 400, \"E0000001\", \"A user with the same login or email already exists\");\n }\n\n const updated = oktaStore.users.update(user.id, updates);\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n\n app.post(\"/api/v1/users/:userId\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const body = await readJsonObject(c);\n const profile = (body.profile && typeof body.profile === \"object\" ? body.profile : {}) as Record<string, unknown>;\n const updates = updateUserProfile(user, profile);\n const updated = oktaStore.users.update(user.id, updates);\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n\n app.delete(\"/api/v1/users/:userId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n // Match Okta behavior: first delete request deactivates, second removes.\n if (user.status !== \"DEPROVISIONED\") {\n oktaStore.users.update(user.id, setLifecycleStatus(user, \"DEPROVISIONED\"));\n return new Response(null, { status: 204 });\n }\n\n for (const membership of oktaStore.groupMemberships.findBy(\"user_okta_id\", user.okta_id)) {\n oktaStore.groupMemberships.delete(membership.id);\n }\n for (const assignment of oktaStore.appAssignments.findBy(\"user_okta_id\", user.okta_id)) {\n oktaStore.appAssignments.delete(assignment.id);\n }\n\n oktaStore.users.delete(user.id);\n return new Response(null, { status: 204 });\n });\n\n app.post(\"/api/v1/users/:userId/lifecycle/reactivate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n const updated = oktaStore.users.update(user.id, {\n status: \"PROVISIONED\",\n status_changed_at: nowIso(),\n transitioning_to_status: null,\n });\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n}\n","import type { Hono } from \"hono\";\nimport type {\n AppEnv,\n RouteContext,\n ServicePlugin,\n Store,\n TokenMap,\n WebhookDispatcher,\n} from \"@emulators/core\";\nimport type { OktaAuthorizationServerStatus, OktaGroupType, OktaUserStatus } from \"./entities.js\";\nimport {\n createDefaultApp,\n createDefaultAuthorizationServer,\n createDefaultGroup,\n createDefaultUser,\n DEFAULT_AUTH_SERVER_ID,\n DEFAULT_EVERYONE_GROUP_ID,\n generateOktaId,\n normalizeAppStatus,\n normalizeAuthServerStatus,\n normalizeGroupType,\n normalizeStatus,\n} from \"./helpers.js\";\nimport { appRoutes } from \"./routes/apps.js\";\nimport { authorizationServerRoutes } from \"./routes/auth-servers.js\";\nimport { groupRoutes } from \"./routes/groups.js\";\nimport { oauthRoutes } from \"./routes/oauth.js\";\nimport { userRoutes } from \"./routes/users.js\";\nimport { getOktaStore } from \"./store.js\";\n\nexport { getOktaStore, type OktaStore } from \"./store.js\";\nexport * from \"./entities.js\";\n\nexport interface OktaSeedConfig {\n users?: Array<{\n okta_id?: string;\n status?: OktaUserStatus;\n login: string;\n email?: string;\n first_name?: string;\n last_name?: string;\n display_name?: string;\n locale?: string;\n time_zone?: string;\n }>;\n groups?: Array<{\n okta_id?: string;\n type?: OktaGroupType;\n name: string;\n description?: string;\n }>;\n apps?: Array<{\n okta_id?: string;\n name: string;\n label?: string;\n status?: \"ACTIVE\" | \"INACTIVE\";\n sign_on_mode?: string;\n settings?: Record<string, unknown>;\n credentials?: Record<string, unknown>;\n }>;\n oauth_clients?: Array<{\n client_id: string;\n client_secret?: string;\n name: string;\n redirect_uris: string[];\n response_types?: string[];\n grant_types?: string[];\n token_endpoint_auth_method?: \"client_secret_post\" | \"client_secret_basic\" | \"none\";\n auth_server_id?: string;\n }>;\n authorization_servers?: Array<{\n id: string;\n name: string;\n description?: string;\n audiences?: string[];\n status?: OktaAuthorizationServerStatus;\n }>;\n group_memberships?: Array<{\n group_okta_id: string;\n user_okta_id: string;\n }>;\n app_assignments?: Array<{\n app_okta_id: string;\n user_okta_id: string;\n }>;\n}\n\nfunction ensureMembership(store: ReturnType<typeof getOktaStore>, groupOktaId: string, userOktaId: string): void {\n const existing = store.groupMemberships\n .findBy(\"group_okta_id\", groupOktaId)\n .find((entry) => entry.user_okta_id === userOktaId);\n if (!existing) {\n store.groupMemberships.insert({\n group_okta_id: groupOktaId,\n user_okta_id: userOktaId,\n });\n }\n}\n\nfunction ensureAppAssignment(store: ReturnType<typeof getOktaStore>, appOktaId: string, userOktaId: string): void {\n const existing = store.appAssignments\n .findBy(\"app_okta_id\", appOktaId)\n .find((entry) => entry.user_okta_id === userOktaId);\n if (!existing) {\n store.appAssignments.insert({\n app_okta_id: appOktaId,\n user_okta_id: userOktaId,\n });\n }\n}\n\nfunction seedDefaults(store: Store, _baseUrl: string): void {\n const okta = getOktaStore(store);\n\n const defaultServer = okta.authorizationServers.findOneBy(\"server_id\", DEFAULT_AUTH_SERVER_ID);\n if (!defaultServer) {\n okta.authorizationServers.insert(createDefaultAuthorizationServer());\n }\n\n let everyone = okta.groups.findOneBy(\"okta_id\", DEFAULT_EVERYONE_GROUP_ID);\n if (!everyone) {\n everyone = okta.groups.insert(createDefaultGroup());\n }\n\n let user = okta.users.findOneBy(\"login\", \"testuser@okta.local\");\n if (!user) {\n user = okta.users.insert(createDefaultUser());\n }\n\n if (!okta.oauthClients.findOneBy(\"client_id\", \"okta-test-client\")) {\n okta.oauthClients.insert({\n client_id: \"okta-test-client\",\n client_secret: \"okta-test-secret\",\n name: \"Sample OIDC Client\",\n redirect_uris: [\"http://localhost:3000/callback\"],\n response_types: [\"code\"],\n grant_types: [\"authorization_code\", \"refresh_token\", \"client_credentials\"],\n token_endpoint_auth_method: \"client_secret_post\",\n auth_server_id: DEFAULT_AUTH_SERVER_ID,\n });\n }\n\n if (!okta.oauthClients.findOneBy(\"client_id\", \"okta-test-app\")) {\n okta.oauthClients.insert({\n client_id: \"okta-test-app\",\n client_secret: \"\",\n name: \"Sample Public PKCE Client\",\n redirect_uris: [\n \"http://localhost:3000/official-sdk/callback\",\n \"http://localhost:3000/official-sdk\",\n ],\n response_types: [\"code\"],\n grant_types: [\"authorization_code\", \"refresh_token\"],\n token_endpoint_auth_method: \"none\",\n auth_server_id: DEFAULT_AUTH_SERVER_ID,\n });\n }\n\n if (okta.apps.all().length === 0) {\n okta.apps.insert(createDefaultApp());\n }\n\n ensureMembership(okta, everyone.okta_id, user.okta_id);\n}\n\nexport function seedFromConfig(store: Store, _baseUrl: string, config: OktaSeedConfig): void {\n const okta = getOktaStore(store);\n\n if (config.authorization_servers) {\n for (const server of config.authorization_servers) {\n const existing = okta.authorizationServers.findOneBy(\"server_id\", server.id);\n if (existing) continue;\n okta.authorizationServers.insert({\n server_id: server.id,\n name: server.name,\n description: server.description ?? \"\",\n audiences: server.audiences ?? [\"api://default\"],\n status: normalizeAuthServerStatus(server.status, \"ACTIVE\"),\n });\n }\n }\n\n if (config.users) {\n for (const user of config.users) {\n const byLogin = okta.users.findOneBy(\"login\", user.login);\n if (byLogin) continue;\n const resolvedStatus = normalizeStatus(user.status, \"ACTIVE\");\n okta.users.insert({\n okta_id: user.okta_id ?? generateOktaId(\"00u\"),\n status: resolvedStatus,\n activated_at: resolvedStatus === \"ACTIVE\" ? new Date().toISOString() : null,\n status_changed_at: new Date().toISOString(),\n last_login_at: null,\n password_changed_at: null,\n transitioning_to_status: null,\n login: user.login,\n email: user.email ?? user.login,\n first_name: user.first_name ?? \"Test\",\n last_name: user.last_name ?? \"User\",\n display_name: user.display_name ?? `${user.first_name ?? \"Test\"} ${user.last_name ?? \"User\"}`.trim(),\n locale: user.locale ?? \"en-US\",\n time_zone: user.time_zone ?? \"UTC\",\n });\n }\n }\n\n if (config.groups) {\n for (const group of config.groups) {\n const byName = okta.groups.findOneBy(\"name\", group.name);\n if (byName) continue;\n okta.groups.insert({\n okta_id: group.okta_id ?? generateOktaId(\"00g\"),\n type: normalizeGroupType(group.type, \"OKTA_GROUP\"),\n name: group.name,\n description: group.description ?? null,\n });\n }\n }\n\n if (config.apps) {\n for (const app of config.apps) {\n const byName = okta.apps.findOneBy(\"name\", app.name);\n if (byName) continue;\n okta.apps.insert({\n okta_id: app.okta_id ?? generateOktaId(\"0oa\"),\n name: app.name,\n label: app.label ?? app.name,\n status: normalizeAppStatus(app.status, \"ACTIVE\"),\n sign_on_mode: app.sign_on_mode ?? \"OPENID_CONNECT\",\n settings: app.settings ?? {},\n credentials: app.credentials ?? {},\n });\n }\n }\n\n if (config.oauth_clients) {\n for (const client of config.oauth_clients) {\n const existing = okta.oauthClients.findOneBy(\"client_id\", client.client_id);\n if (existing) continue;\n const tokenEndpointAuthMethod = client.token_endpoint_auth_method ?? \"client_secret_post\";\n okta.oauthClients.insert({\n client_id: client.client_id,\n client_secret: client.client_secret ?? \"\",\n name: client.name,\n redirect_uris: client.redirect_uris,\n response_types: client.response_types ?? [\"code\"],\n grant_types: client.grant_types ?? [\"authorization_code\", \"refresh_token\", \"client_credentials\"],\n token_endpoint_auth_method: tokenEndpointAuthMethod,\n auth_server_id: client.auth_server_id ?? DEFAULT_AUTH_SERVER_ID,\n });\n }\n }\n\n if (config.group_memberships) {\n for (const membership of config.group_memberships) {\n const group = okta.groups.findOneBy(\"okta_id\", membership.group_okta_id);\n const user = okta.users.findOneBy(\"okta_id\", membership.user_okta_id);\n if (!group || !user) continue;\n ensureMembership(okta, group.okta_id, user.okta_id);\n }\n }\n\n if (config.app_assignments) {\n for (const assignment of config.app_assignments) {\n const app = okta.apps.findOneBy(\"okta_id\", assignment.app_okta_id);\n const user = okta.users.findOneBy(\"okta_id\", assignment.user_okta_id);\n if (!app || !user) continue;\n ensureAppAssignment(okta, app.okta_id, user.okta_id);\n }\n }\n}\n\nexport const oktaPlugin: ServicePlugin = {\n name: \"okta\",\n register(\n app: Hono<AppEnv>,\n store: Store,\n webhooks: WebhookDispatcher,\n baseUrl: string,\n tokenMap?: TokenMap,\n ): void {\n const ctx: RouteContext = { app, store, webhooks, baseUrl, tokenMap };\n oauthRoutes(ctx);\n userRoutes(ctx);\n groupRoutes(ctx);\n appRoutes(ctx);\n authorizationServerRoutes(ctx);\n },\n seed(store: Store, baseUrl: string): void {\n seedDefaults(store, baseUrl);\n },\n};\n\nexport default oktaPlugin;\n"],"mappings":";AAAA,SAAS,kBAAkB;AAYpB,IAAM,qBAAqB;AAC3B,IAAM,yBAAyB;AAC/B,IAAM,mBAAmB;AACzB,IAAM,8BAA8B;AACpC,IAAM,4BAA4B;AAElC,SAAS,SAAiB;AAC/B,UAAO,oBAAI,KAAK,GAAE,YAAY;AAChC;AAEO,SAAS,eAAe,QAAwB;AACrD,QAAM,UAAU,WAAW,EAAE,QAAQ,MAAM,EAAE;AAC7C,SAAO,GAAG,MAAM,GAAG,QAAQ,MAAM,GAAG,EAAE,CAAC;AACzC;AAEO,SAAS,gBAAgB,QAA4B,UAA0C;AACpG,MACE,WAAW,YACX,WAAW,iBACX,WAAW,YACX,WAAW,eACX,WAAW,iBACX;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEO,SAAS,mBAAmB,QAA4B,UAAwC;AACrG,MAAI,WAAW,YAAY,WAAW,WAAY,QAAO;AACzD,SAAO;AACT;AAEO,SAAS,0BACd,QACA,UAC+B;AAC/B,MAAI,WAAW,YAAY,WAAW,WAAY,QAAO;AACzD,SAAO;AACT;AAEO,SAAS,mBAAmB,MAA0B,UAAwC;AACnG,MAAI,SAAS,gBAAgB,SAAS,WAAY,QAAO;AACzD,SAAO;AACT;AAEO,SAAS,cAAc,OAA2B,UAA4B;AACnF,MAAI,SAAS,KAAM,QAAO;AAC1B,QAAM,UAAU,MAAM,YAAY;AAClC,MAAI,YAAY,UAAU,YAAY,IAAK,QAAO;AAClD,MAAI,YAAY,WAAW,YAAY,IAAK,QAAO;AACnD,SAAO;AACT;AAEO,SAAS,kBAAkB,SAAiB,cAA8B;AAC/E,MAAI,iBAAiB,mBAAoB,QAAO;AAChD,SAAO,GAAG,OAAO,WAAW,YAAY;AAC1C;AAEO,SAAS,gBAAgB,MAAqF;AACnH,MAAI,KAAK,aAAc,QAAO,KAAK;AACnC,QAAM,WAAW,GAAG,KAAK,UAAU,IAAI,KAAK,SAAS,GAAG,KAAK;AAC7D,SAAO,YAAY,KAAK;AAC1B;AAEO,SAAS,oBAAwE;AACtF,QAAM,MAAM,OAAO;AACnB,SAAO;AAAA,IACL,SAAS,eAAe,KAAK;AAAA,IAC7B,QAAQ;AAAA,IACR,cAAc;AAAA,IACd,mBAAmB;AAAA,IACnB,eAAe;AAAA,IACf,qBAAqB;AAAA,IACrB,yBAAyB;AAAA,IACzB,OAAO;AAAA,IACP,OAAO;AAAA,IACP,YAAY;AAAA,IACZ,WAAW;AAAA,IACX,cAAc;AAAA,IACd,QAAQ;AAAA,IACR,WAAW;AAAA,EACb;AACF;AAEO,SAAS,qBAA0E;AACxF,SAAO;AAAA,IACL,SAAS;AAAA,IACT,MAAM;AAAA,IACN,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AACF;AAEO,SAAS,mCAAsG;AACpH,SAAO;AAAA,IACL,WAAW;AAAA,IACX,MAAM;AAAA,IACN,aAAa;AAAA,IACb,WAAW,CAAC,gBAAgB;AAAA,IAC5B,QAAQ;AAAA,EACV;AACF;AAEO,SAAS,mBAAsE;AACpF,SAAO;AAAA,IACL,SAAS,eAAe,KAAK;AAAA,IAC7B,MAAM;AAAA,IACN,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,cAAc;AAAA,IACd,UAAU;AAAA,MACR,aAAa;AAAA,QACX,eAAe,CAAC,gCAAgC;AAAA,MAClD;AAAA,IACF;AAAA,IACA,aAAa,CAAC;AAAA,EAChB;AACF;;;AElIA,SAAS,YAAY;AACrB,SAAS,YAAY;AGArB,SAAS,WAAW,mBAAmB;AEDvC,SAAS,oBAAoB;AAC7B,SAAS,qBAAqB;AAC9B,SAAS,SAAS,YAAY;AGF9B,SAAS,uBAAuB;ANsCzB,SAAS,mBAAmB,kBAA8C;AAC/E,SAAO,OAAO,GAAG,SAAS;AACxB,QAAI,kBAAkB;AACpB,QAAE,IAAI,WAAW,gBAAgB;IACnC;AACA,UAAM,KAAK;EACb;AACF;AAEO,IAAM,eAAkC,mBAAmB;AE/ClE,IAAM,UAAU,OAAO,YAAY,gBAAgB,QAAQ,IAAI,UAAU,OAAO,QAAQ,IAAI,UAAU,UAAU,QAAQ,IAAI,kBAAkB;AAEvI,SAAS,MAAM,UAAkB,MAAuB;AAC7D,MAAI,SAAS;AACX,YAAQ,IAAI,IAAI,KAAK,KAAK,GAAG,IAAI;EACnC;AACF;ACAA,IAAM,YAAY,QAAQ,cAAc,YAAY,GAAG,CAAC;AAExD,IAAM,QAAgC;EACpC,oBAAoB,aAAa,KAAK,WAAW,SAAS,kBAAkB,CAAC;EAC7E,2BAA2B,aAAa,KAAK,WAAW,SAAS,yBAAyB,CAAC;AAC7F;ACJO,SAAS,gBAAgB,GAA8B;AAC5D,QAAM,OAAO,KAAK,IAAI,GAAG,SAAS,EAAE,IAAI,MAAM,MAAM,KAAK,KAAK,EAAE,KAAK,CAAC;AACtE,QAAM,WAAW,KAAK,IAAI,KAAK,KAAK,IAAI,GAAG,SAAS,EAAE,IAAI,MAAM,UAAU,KAAK,MAAM,EAAE,KAAK,EAAE,CAAC;AAC/F,SAAO,EAAE,MAAM,SAAS;AAC1B;AAEO,SAAS,cACd,GACA,YACA,MACA,SACM;AACN,QAAM,WAAW,KAAK,IAAI,GAAG,KAAK,KAAK,aAAa,OAAO,CAAC;AAC5D,QAAM,UAAU,IAAI,IAAI,EAAE,IAAI,GAAG;AACjC,QAAM,QAAkB,CAAC;AAEzB,QAAM,WAAW,CAAC,GAAW,QAAgB;AAC3C,YAAQ,aAAa,IAAI,QAAQ,OAAO,CAAC,CAAC;AAC1C,YAAQ,aAAa,IAAI,YAAY,OAAO,OAAO,CAAC;AACpD,WAAO,IAAI,QAAQ,SAAS,CAAC,WAAW,GAAG;EAC7C;AAEA,MAAI,OAAO,UAAU;AACnB,UAAM,KAAK,SAAS,OAAO,GAAG,MAAM,CAAC;AACrC,UAAM,KAAK,SAAS,UAAU,MAAM,CAAC;EACvC;AACA,MAAI,OAAO,GAAG;AACZ,UAAM,KAAK,SAAS,GAAG,OAAO,CAAC;AAC/B,UAAM,KAAK,SAAS,OAAO,GAAG,MAAM,CAAC;EACvC;AAEA,MAAI,MAAM,SAAS,GAAG;AACpB,MAAE,OAAO,QAAQ,MAAM,KAAK,IAAI,CAAC;EACnC;AACF;ACzCO,SAAS,WAAW,GAAmB;AAC5C,SAAO,EACJ,QAAQ,MAAM,OAAO,EACrB,QAAQ,MAAM,MAAM,EACpB,QAAQ,MAAM,MAAM,EACpB,QAAQ,MAAM,QAAQ;AAC3B;AAEO,SAAS,WAAW,GAAmB;AAC5C,SAAO,WAAW,CAAC,EAAE,QAAQ,MAAM,OAAO;AAC5C;AAEA,IAAM,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmJZ,IAAM,aAAa;AAEnB,SAAS,OAAO,SAA0B;AACxC,QAAM,QAAQ,UAAU,GAAG,WAAW,OAAO,CAAC,cAAc;AAC5D,SAAO;gCACuB,KAAK;;;;;;;AAOrC;AAEA,SAAS,KAAK,OAAuB;AACnC,SAAO;;;;;SAKA,WAAW,KAAK,CAAC;SACjB,GAAG;;AAEZ;AAEO,SAAS,eACd,OACA,UACA,MACA,SACQ;AACR,SAAO,GAAG,KAAK,KAAK,CAAC;;EAErB,OAAO,OAAO,CAAC;;;8BAGa,WAAW,KAAK,CAAC;iCACd,QAAQ;MACnC,IAAI;;;EAGR,UAAU;;AAEZ;AAEO,SAAS,gBAAgB,OAAe,SAAiB,SAA0B;AACxF,SAAO,GAAG,KAAK,KAAK,CAAC;;EAErB,OAAO,OAAO,CAAC;;;+BAGc,WAAW,KAAK,CAAC;6BACnB,WAAW,OAAO,CAAC;;;EAG9C,UAAU;;AAEZ;AA4BO,SAAS,iBAAiB,MAAiC;AAChE,QAAM,UAAU,OAAO,QAAQ,KAAK,YAAY,EAC7C,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,8BAA8B,WAAW,CAAC,CAAC,YAAY,WAAW,CAAC,CAAC,KAAK,EACzF,KAAK,EAAE;AAEV,QAAM,WAAW,KAAK,OAClB,0BAA0B,WAAW,KAAK,IAAI,CAAC,WAC/C;AACJ,QAAM,YAAY,KAAK,QACnB,2BAA2B,WAAW,KAAK,KAAK,CAAC,WACjD;AAEJ,SAAO,iDAAiD,WAAW,KAAK,UAAU,CAAC;EACnF,OAAO;;yBAEgB,WAAW,KAAK,MAAM,CAAC;;+BAEjB,WAAW,KAAK,KAAK,CAAC;MAC/C,QAAQ,GAAG,SAAS;;;;AAI1B;ACxQO,SAAS,aAAa,KAAqB;AAChD,MAAI;AACF,UAAM,IAAI,IAAI,IAAI,GAAG;AACrB,WAAO,GAAG,EAAE,MAAM,GAAG,EAAE,SAAS,QAAQ,QAAQ,EAAE,CAAC;EACrD,QAAQ;AACN,WAAO,IAAI,QAAQ,QAAQ,EAAE,EAAE,MAAM,GAAG,EAAE,CAAC;EAC7C;AACF;AAEO,SAAS,mBAAmB,UAAkB,YAA+B;AAClF,QAAM,aAAa,aAAa,QAAQ;AACxC,SAAO,WAAW,KAAK,CAAC,MAAM,aAAa,CAAC,MAAM,UAAU;AAC9D;AAEO,SAAS,wBAAwB,GAAW,GAAoB;AACrE,QAAM,OAAO,OAAO,KAAK,GAAG,OAAO;AACnC,QAAM,OAAO,OAAO,KAAK,GAAG,OAAO;AACnC,MAAI,KAAK,WAAW,KAAK,OAAQ,QAAO;AACxC,SAAO,gBAAgB,MAAM,IAAI;AACnC;AAEO,SAAS,QAAQ,GAAoB;AAC1C,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,MAAI,MAAM,QAAQ,CAAC,KAAK,OAAO,EAAE,CAAC,MAAM,SAAU,QAAO,EAAE,CAAC;AAC5D,SAAO;AACT;;;AEbA,SAAS,gBACP,QACA,WACA,cACA,cAAgC,CAAC,GACR;AACzB,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,WAAW;AAAA,IACX,SAAS,GAAG,SAAS,IAAI,KAAK,IAAI,CAAC;AAAA,IACnC;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,UACd,GACA,QACA,WACA,cACA,cAAgC,CAAC,GACvB;AACV,QAAM,OAAO,gBAAgB,QAAQ,WAAW,cAAc,WAAW;AACzE,SAAO,EAAE,KAAK,MAAM,MAA8B;AACpD;AAEA,eAAsB,eAAe,GAAsD;AACzF,MAAI;AACF,UAAM,OAAO,MAAM,EAAE,IAAI,KAAK;AAC9B,QAAI,QAAQ,OAAO,SAAS,UAAU;AACpC,aAAO;AAAA,IACT;AACA,WAAO,CAAC;AAAA,EACV,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAEO,SAAS,sBAAsB,GAAoB,UAA0C;AAClG,QAAM,WAAW,EAAE,IAAI,UAAU;AACjC,MAAI,SAAU,QAAO;AAErB,QAAM,aAAa,EAAE,IAAI,OAAO,eAAe,KAAK;AACpD,MAAI,WAAW,YAAY,EAAE,WAAW,OAAO,GAAG;AAChD,UAAM,QAAQ,WAAW,MAAM,CAAC,EAAE,KAAK;AACvC,UAAM,SAAS,UAAU,IAAI,KAAK;AAClC,QAAI,QAAQ;AACV,QAAE,IAAI,YAAY,MAAM;AACxB,QAAE,IAAI,aAAa,KAAK;AACxB,QAAE,IAAI,cAAc,OAAO,MAAM;AACjC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO,UAAU,GAAG,KAAK,YAAY,uBAAuB;AAC9D;AAEO,SAAS,cAAc,IAAe,SAAuC;AAClF,QAAM,UAAU,mBAAmB,OAAO;AAC1C,SACE,GAAG,MAAM,UAAU,WAAW,OAAO,KACrC,GAAG,MAAM,UAAU,SAAS,OAAO,KACnC,GAAG,MAAM,UAAU,SAAS,OAAO;AAEvC;AAEO,SAAS,eAAe,IAAe,UAAyC;AACrF,QAAM,UAAU,mBAAmB,QAAQ;AAC3C,SAAO,GAAG,OAAO,UAAU,WAAW,OAAO;AAC/C;AAEO,SAAS,aAAa,IAAe,QAAqC;AAC/E,QAAM,UAAU,mBAAmB,MAAM;AACzC,SAAO,GAAG,KAAK,UAAU,WAAW,OAAO;AAC7C;AAEO,SAAS,6BACd,IACA,WACqC;AACrC,QAAM,UAAU,mBAAmB,SAAS;AAC5C,SAAO,GAAG,qBAAqB,UAAU,aAAa,OAAO;AAC/D;AAEO,SAAS,aAAa,SAAiB,MAAyC;AACrF,SAAO;AAAA,IACL,IAAI,KAAK;AAAA,IACT,QAAQ,KAAK;AAAA,IACb,SAAS,KAAK;AAAA,IACd,WAAW,KAAK;AAAA,IAChB,eAAe,KAAK;AAAA,IACpB,WAAW,KAAK;AAAA,IAChB,aAAa,KAAK;AAAA,IAClB,iBAAiB,KAAK;AAAA,IACtB,SAAS;AAAA,MACP,OAAO,KAAK;AAAA,MACZ,OAAO,KAAK;AAAA,MACZ,WAAW,KAAK;AAAA,MAChB,UAAU,KAAK;AAAA,MACf,aAAa,gBAAgB,IAAI;AAAA,MACjC,QAAQ,KAAK;AAAA,MACb,UAAU,KAAK;AAAA,IACjB;AAAA,IACA,QAAQ;AAAA,MACN,MAAM;AAAA,QACJ,MAAM,GAAG,OAAO,iBAAiB,mBAAmB,KAAK,OAAO,CAAC;AAAA,MACnE;AAAA,IACF;AAAA,EACF;AACF;AAEO,SAAS,cAAc,SAAiB,OAA2C;AACxF,SAAO;AAAA,IACL,IAAI,MAAM;AAAA,IACV,SAAS,MAAM;AAAA,IACf,aAAa,MAAM;AAAA,IACnB,uBAAuB,MAAM;AAAA,IAC7B,aAAa,CAAC,iBAAiB;AAAA,IAC/B,MAAM,MAAM;AAAA,IACZ,SAAS;AAAA,MACP,MAAM,MAAM;AAAA,MACZ,aAAa,MAAM;AAAA,IACrB;AAAA,IACA,QAAQ;AAAA,MACN,MAAM;AAAA,QACJ,MAAM,GAAG,OAAO,kBAAkB,mBAAmB,MAAM,OAAO,CAAC;AAAA,MACrE;AAAA,IACF;AAAA,EACF;AACF;AAEO,SAAS,YAAY,SAAiB,KAAuC;AAClF,SAAO;AAAA,IACL,IAAI,IAAI;AAAA,IACR,MAAM,IAAI;AAAA,IACV,OAAO,IAAI;AAAA,IACX,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI;AAAA,IACb,aAAa,IAAI;AAAA,IACjB,YAAY,IAAI;AAAA,IAChB,aAAa,IAAI;AAAA,IACjB,UAAU,IAAI;AAAA,IACd,QAAQ;AAAA,MACN,MAAM;AAAA,QACJ,MAAM,GAAG,OAAO,gBAAgB,mBAAmB,IAAI,OAAO,CAAC;AAAA,MACjE;AAAA,IACF;AAAA,EACF;AACF;AAEO,SAAS,4BACd,SACA,QACyB;AACzB,SAAO;AAAA,IACL,IAAI,OAAO;AAAA,IACX,MAAM,OAAO;AAAA,IACb,aAAa,OAAO;AAAA,IACpB,WAAW,OAAO;AAAA,IAClB,QAAQ,kBAAkB,SAAS,OAAO,SAAS;AAAA,IACnD,QAAQ,OAAO;AAAA,IACf,SAAS,OAAO;AAAA,IAChB,aAAa,OAAO;AAAA,IACpB,QAAQ;AAAA,MACN,MAAM;AAAA,QACJ,MAAM,GAAG,OAAO,gCAAgC,mBAAmB,OAAO,SAAS,CAAC;AAAA,MACtF;AAAA,IACF;AAAA,EACF;AACF;;;ACnKO,SAAS,aAAa,OAAyB;AACpD,SAAO;AAAA,IACL,OAAO,MAAM,WAAqB,cAAc,CAAC,WAAW,SAAS,OAAO,CAAC;AAAA,IAC7E,QAAQ,MAAM,WAAsB,eAAe,CAAC,WAAW,MAAM,CAAC;AAAA,IACtE,MAAM,MAAM,WAAoB,aAAa,CAAC,WAAW,MAAM,CAAC;AAAA,IAChE,cAAc,MAAM,WAA4B,sBAAsB,CAAC,aAAa,gBAAgB,CAAC;AAAA,IACrG,sBAAsB,MAAM,WAAoC,qBAAqB,CAAC,WAAW,CAAC;AAAA,IAClG,kBAAkB,MAAM,WAAgC,0BAA0B,CAAC,iBAAiB,cAAc,CAAC;AAAA,IACnH,gBAAgB,MAAM,WAA8B,wBAAwB,CAAC,eAAe,cAAc,CAAC;AAAA,EAC7G;AACF;;;AClBO,SAAS,UAAU,EAAE,KAAK,OAAO,SAAS,SAAS,GAAuB;AAC/E,QAAM,YAAY,aAAa,KAAK;AAEpC,MAAI,IAAI,gBAAgB,CAAC,MAAM;AAC7B,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,KAAK,EAAE,IAAI,MAAM,GAAG,KAAK,IAAI,YAAY;AAC/C,QAAI,OAAO,UAAU,KAAK,IAAI;AAC9B,QAAI,GAAG;AACL,aAAO,KAAK;AAAA,QAAO,CAAC,UAClB,GAAG,MAAM,IAAI,IAAI,MAAM,KAAK,GAAG,YAAY,EAAE,SAAS,CAAC;AAAA,MACzD;AAAA,IACF;AACA,UAAM,EAAE,MAAM,SAAS,IAAI,gBAAgB,CAAC;AAC5C,UAAM,QAAQ,KAAK;AACnB,UAAM,SAAS,OAAO,KAAK;AAC3B,UAAM,QAAQ,KAAK,MAAM,OAAO,QAAQ,QAAQ;AAChD,kBAAc,GAAG,OAAO,MAAM,QAAQ;AACtC,MAAE,OAAO,iBAAiB,OAAO,KAAK,CAAC;AAEvC,WAAO,EAAE,KAAK,MAAM,IAAI,CAAC,UAAU,YAAY,SAAS,KAAK,CAAC,CAAC;AAAA,EACjE,CAAC;AAED,MAAI,KAAK,gBAAgB,OAAO,MAAM;AACpC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,OAAO,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO;AACzD,UAAM,QAAQ,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ;AAC5D,UAAM,aAAa,OAAO,KAAK,eAAe,WAAW,KAAK,aAAa;AAC3E,UAAM,WAAW,KAAK,YAAY,OAAO,KAAK,aAAa,WACtD,KAAK,WACN,CAAC;AACL,UAAM,cAAc,KAAK,eAAe,OAAO,KAAK,gBAAgB,WAC/D,KAAK,cACN,CAAC;AAEL,UAAM,UAAU,UAAU,KAAK,OAAO;AAAA,MACpC,SAAS,eAAe,KAAK;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,QAAQ,mBAAmB,OAAO,KAAK,WAAW,WAAW,KAAK,SAAS,QAAW,QAAQ;AAAA,MAC9F,cAAc;AAAA,MACd;AAAA,MACA;AAAA,IACF,CAAC;AAED,WAAO,EAAE,KAAK,YAAY,SAAS,OAAO,GAAG,GAAG;AAAA,EAClD,CAAC;AAED,MAAI,IAAI,6BAA6B,CAAC,MAAM;AAC1C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AAErE,UAAM,cAAc,UAAU,eAAe,OAAO,eAAe,UAAU,OAAO;AACpF,UAAM,QAAQ,YACX,IAAI,CAAC,eAAe,UAAU,MAAM,UAAU,WAAW,WAAW,YAAY,CAAC,EACjF,OAAO,CAAC,SAA2C,QAAQ,IAAI,CAAC;AAEnE,WAAO,EAAE;AAAA,MACP,MAAM,IAAI,CAAC,UAAU;AAAA,QACnB,IAAI,KAAK;AAAA,QACT,OAAO;AAAA,QACP,aAAa,EAAE,UAAU,KAAK,MAAM;AAAA,QACpC,SAAU,aAAa,SAAS,IAAI,EAAE;AAAA,MACxC,EAAE;AAAA,IACJ;AAAA,EACF,CAAC;AAED,MAAI,IAAI,qCAAqC,CAAC,MAAM;AAClD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AACrE,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,WAAW,UAAU,eACxB,OAAO,eAAe,UAAU,OAAO,EACvC,KAAK,CAAC,eAAe,WAAW,iBAAiB,KAAK,OAAO;AAChE,QAAI,CAAC,UAAU;AACb,gBAAU,eAAe,OAAO;AAAA,QAC9B,aAAa,UAAU;AAAA,QACvB,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AAED,MAAI,OAAO,qCAAqC,CAAC,MAAM;AACrD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AACrE,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,WAAW,UAAU,eACxB,OAAO,eAAe,UAAU,OAAO,EACvC,KAAK,CAAC,eAAe,WAAW,iBAAiB,KAAK,OAAO;AAChE,QAAI,SAAU,WAAU,eAAe,OAAO,SAAS,EAAE;AACzD,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AAED,MAAI,KAAK,0CAA0C,CAAC,MAAM;AACxD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AAErE,UAAM,UAAU,UAAU,KAAK,OAAO,UAAU,IAAI,EAAE,QAAQ,SAAS,CAAC;AACxE,WAAO,EAAE,KAAK,YAAY,SAAS,WAAW,SAAS,CAAC;AAAA,EAC1D,CAAC;AAED,MAAI,KAAK,4CAA4C,CAAC,MAAM;AAC1D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AAErE,UAAM,UAAU,UAAU,KAAK,OAAO,UAAU,IAAI,EAAE,QAAQ,WAAW,CAAC;AAC1E,WAAO,EAAE,KAAK,YAAY,SAAS,WAAW,SAAS,CAAC;AAAA,EAC1D,CAAC;AAED,MAAI,IAAI,uBAAuB,CAAC,MAAM;AACpC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AACrE,WAAO,EAAE,KAAK,YAAY,SAAS,SAAS,CAAC;AAAA,EAC/C,CAAC;AAED,MAAI,IAAI,uBAAuB,OAAO,MAAM;AAC1C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AAErE,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,UAAU,UAAU,KAAK,OAAO,UAAU,IAAI;AAAA,MAClD,MAAM,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO,UAAU;AAAA,MAC5D,OAAO,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ,UAAU;AAAA,MAC/D,QAAQ,mBAAmB,OAAO,KAAK,WAAW,WAAW,KAAK,SAAS,QAAW,UAAU,MAAM;AAAA,MACtG,cAAc,OAAO,KAAK,eAAe,WAAW,KAAK,aAAa,UAAU;AAAA,MAChF,UAAU,KAAK,YAAY,OAAO,KAAK,aAAa,WAC/C,KAAK,WACN,UAAU;AAAA,MACd,aAAa,KAAK,eAAe,OAAO,KAAK,gBAAgB,WACxD,KAAK,cACN,UAAU;AAAA,IAChB,CAAC;AACD,WAAO,EAAE,KAAK,YAAY,SAAS,WAAW,SAAS,CAAC;AAAA,EAC1D,CAAC;AAED,MAAI,OAAO,uBAAuB,CAAC,MAAM;AACvC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AACrE,QAAI,UAAU,WAAW,YAAY;AACnC,aAAO,UAAU,GAAG,KAAK,YAAY,sCAAsC;AAAA,IAC7E;AAEA,eAAW,cAAc,UAAU,eAAe,OAAO,eAAe,UAAU,OAAO,GAAG;AAC1F,gBAAU,eAAe,OAAO,WAAW,EAAE;AAAA,IAC/C;AACA,cAAU,KAAK,OAAO,UAAU,EAAE;AAClC,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AACH;;;ACtLA,SAAS,kBAAkB,MAAsB;AAC/C,QAAM,UAAU,KAAK,KAAK,EAAE,YAAY,EAAE,QAAQ,iBAAiB,GAAG;AACtE,MAAI,QAAQ,SAAS,EAAG,QAAO;AAC/B,SAAO,eAAe,IAAI;AAC5B;AAEO,SAAS,0BAA0B,EAAE,KAAK,OAAO,SAAS,SAAS,GAAuB;AAC/F,QAAM,YAAY,aAAa,KAAK;AAEpC,MAAI,IAAI,gCAAgC,CAAC,MAAM;AAC7C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,UAAU,UAAU,qBAAqB,IAAI;AACnD,UAAM,EAAE,MAAM,SAAS,IAAI,gBAAgB,CAAC;AAC5C,UAAM,QAAQ,QAAQ;AACtB,UAAM,SAAS,OAAO,KAAK;AAC3B,UAAM,QAAQ,QAAQ,MAAM,OAAO,QAAQ,QAAQ;AACnD,kBAAc,GAAG,OAAO,MAAM,QAAQ;AACtC,MAAE,OAAO,iBAAiB,OAAO,KAAK,CAAC;AAEvC,WAAO,EAAE,KAAK,MAAM,IAAI,CAAC,WAAW,4BAA4B,SAAS,MAAM,CAAC,CAAC;AAAA,EACnF,CAAC;AAED,MAAI,KAAK,gCAAgC,OAAO,MAAM;AACpD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,OAAO,OAAO,KAAK,SAAS,WAAW,KAAK,KAAK,KAAK,IAAI;AAChE,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AAElE,UAAM,WAAW,OAAO,KAAK,OAAO,WAAW,KAAK,KAAK,kBAAkB,IAAI;AAC/E,QAAI,UAAU,qBAAqB,UAAU,aAAa,QAAQ,GAAG;AACnE,aAAO,UAAU,GAAG,KAAK,YAAY,yBAAyB,QAAQ,kBAAkB;AAAA,IAC1F;AAEA,UAAM,YAAY,MAAM,QAAQ,KAAK,SAAS,IAC1C,KAAK,UAAU,OAAO,CAAC,UAA2B,OAAO,UAAU,QAAQ,IAC3E,CAAC,gBAAgB;AAErB,UAAM,UAAU,UAAU,qBAAqB,OAAO;AAAA,MACpD,WAAW;AAAA,MACX;AAAA,MACA,aAAa,OAAO,KAAK,gBAAgB,WAAW,KAAK,cAAc;AAAA,MACvE,WAAW,UAAU,SAAS,IAAI,YAAY,CAAC,gBAAgB;AAAA,MAC/D,QAAQ,0BAA0B,OAAO,KAAK,WAAW,WAAW,KAAK,SAAS,QAAW,QAAQ;AAAA,IACvG,CAAC;AAED,WAAO,EAAE,KAAK,4BAA4B,SAAS,OAAO,GAAG,GAAG;AAAA,EAClE,CAAC;AAED,MAAI,KAAK,iEAAiE,CAAC,MAAM;AAC/E,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,SAAS,6BAA6B,WAAW,EAAE,IAAI,MAAM,cAAc,CAAC;AAClF,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,iCAAiC;AACnF,UAAM,UAAU,UAAU,qBAAqB,OAAO,OAAO,IAAI,EAAE,QAAQ,SAAS,CAAC;AACrF,WAAO,EAAE,KAAK,4BAA4B,SAAS,WAAW,MAAM,CAAC;AAAA,EACvE,CAAC;AAED,MAAI,KAAK,mEAAmE,CAAC,MAAM;AACjF,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,SAAS,6BAA6B,WAAW,EAAE,IAAI,MAAM,cAAc,CAAC;AAClF,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,iCAAiC;AACnF,UAAM,UAAU,UAAU,qBAAqB,OAAO,OAAO,IAAI,EAAE,QAAQ,WAAW,CAAC;AACvF,WAAO,EAAE,KAAK,4BAA4B,SAAS,WAAW,MAAM,CAAC;AAAA,EACvE,CAAC;AAED,MAAI,IAAI,8CAA8C,CAAC,MAAM;AAC3D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,SAAS,6BAA6B,WAAW,EAAE,IAAI,MAAM,cAAc,CAAC;AAClF,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,iCAAiC;AACnF,WAAO,EAAE,KAAK,4BAA4B,SAAS,MAAM,CAAC;AAAA,EAC5D,CAAC;AAED,MAAI,IAAI,8CAA8C,OAAO,MAAM;AACjE,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,SAAS,6BAA6B,WAAW,EAAE,IAAI,MAAM,cAAc,CAAC;AAClF,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,iCAAiC;AAEnF,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,YAAY,MAAM,QAAQ,KAAK,SAAS,IAC1C,KAAK,UAAU,OAAO,CAAC,UAA2B,OAAO,UAAU,QAAQ,IAC3E,OAAO;AAEX,UAAM,UAAU,UAAU,qBAAqB,OAAO,OAAO,IAAI;AAAA,MAC/D,MAAM,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO,OAAO;AAAA,MACzD,aAAa,OAAO,KAAK,gBAAgB,WAAW,KAAK,cAAc,OAAO;AAAA,MAC9E,WAAW,UAAU,SAAS,IAAI,YAAY,OAAO;AAAA,MACrD,QAAQ,0BAA0B,OAAO,KAAK,WAAW,WAAW,KAAK,SAAS,QAAW,OAAO,MAAM;AAAA,IAC5G,CAAC;AACD,WAAO,EAAE,KAAK,4BAA4B,SAAS,WAAW,MAAM,CAAC;AAAA,EACvE,CAAC;AAED,MAAI,OAAO,8CAA8C,CAAC,MAAM;AAC9D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,SAAS,6BAA6B,WAAW,EAAE,IAAI,MAAM,cAAc,CAAC;AAClF,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,iCAAiC;AAEnF,eAAW,UAAU,UAAU,aAAa,OAAO,kBAAkB,OAAO,SAAS,GAAG;AACtF,gBAAU,aAAa,OAAO,OAAO,EAAE;AAAA,IACzC;AACA,cAAU,qBAAqB,OAAO,OAAO,EAAE;AAC/C,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AACH;;;ACjHO,SAAS,YAAY,EAAE,KAAK,OAAO,SAAS,SAAS,GAAuB;AACjF,QAAM,YAAY,aAAa,KAAK;AAEpC,MAAI,IAAI,kBAAkB,CAAC,MAAM;AAC/B,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,KAAK,EAAE,IAAI,MAAM,GAAG,KAAK,IAAI,YAAY;AAC/C,QAAI,SAAS,UAAU,OAAO,IAAI;AAClC,QAAI,GAAG;AACL,eAAS,OAAO;AAAA,QAAO,CAAC,UACtB,GAAG,MAAM,IAAI,IAAI,MAAM,eAAe,EAAE,GAAG,YAAY,EAAE,SAAS,CAAC;AAAA,MACrE;AAAA,IACF;AACA,UAAM,EAAE,MAAM,SAAS,IAAI,gBAAgB,CAAC;AAC5C,UAAM,QAAQ,OAAO;AACrB,UAAM,SAAS,OAAO,KAAK;AAC3B,UAAM,QAAQ,OAAO,MAAM,OAAO,QAAQ,QAAQ;AAClD,kBAAc,GAAG,OAAO,MAAM,QAAQ;AACtC,MAAE,OAAO,iBAAiB,OAAO,KAAK,CAAC;AAEvC,WAAO,EAAE,KAAK,MAAM,IAAI,CAAC,UAAU,cAAc,SAAS,KAAK,CAAC,CAAC;AAAA,EACnE,CAAC;AAED,MAAI,KAAK,kBAAkB,OAAO,MAAM;AACtC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,UAAW,KAAK,WAAW,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU,CAAC;AACpF,UAAM,OAAO,OAAO,QAAQ,SAAS,WAAW,QAAQ,KAAK,KAAK,IAAI;AAEtE,QAAI,CAAC,MAAM;AACT,aAAO,UAAU,GAAG,KAAK,YAAY,0BAA0B;AAAA,IACjE;AAEA,QAAI,UAAU,OAAO,UAAU,QAAQ,IAAI,GAAG;AAC5C,aAAO,UAAU,GAAG,KAAK,YAAY,2CAA2C;AAAA,IAClF;AAEA,UAAM,UAAU,UAAU,OAAO,OAAO;AAAA,MACtC,SAAS,eAAe,KAAK;AAAA,MAC7B,MAAM,mBAAmB,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO,QAAW,YAAY;AAAA,MAC5F;AAAA,MACA,aAAa,OAAO,QAAQ,gBAAgB,WAAW,QAAQ,cAAc;AAAA,IAC/E,CAAC;AAED,WAAO,EAAE,KAAK,cAAc,SAAS,OAAO,GAAG,GAAG;AAAA,EACpD,CAAC;AAED,MAAI,IAAI,iCAAiC,CAAC,MAAM;AAC9C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,QAAQ,eAAe,WAAW,EAAE,IAAI,MAAM,SAAS,CAAC;AAC9D,QAAI,CAAC,MAAO,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AAEnE,UAAM,cAAc,UAAU,iBAAiB,OAAO,iBAAiB,MAAM,OAAO;AACpF,UAAM,QAAQ,YACX,IAAI,CAAC,eAAe,UAAU,MAAM,UAAU,WAAW,WAAW,YAAY,CAAC,EACjF,OAAO,CAAC,SAA2C,QAAQ,IAAI,CAAC;AAEnE,WAAO,EAAE,KAAK,MAAM,IAAI,CAAC,SAAS,aAAa,SAAS,IAAI,CAAC,CAAC;AAAA,EAChE,CAAC;AAED,MAAI,IAAI,yCAAyC,CAAC,MAAM;AACtD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,QAAQ,eAAe,WAAW,EAAE,IAAI,MAAM,SAAS,CAAC;AAC9D,QAAI,CAAC,MAAO,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AACnE,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,WAAW,UAAU,iBACxB,OAAO,iBAAiB,MAAM,OAAO,EACrC,KAAK,CAAC,eAAe,WAAW,iBAAiB,KAAK,OAAO;AAChE,QAAI,CAAC,UAAU;AACb,gBAAU,iBAAiB,OAAO;AAAA,QAChC,eAAe,MAAM;AAAA,QACrB,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AAED,MAAI,OAAO,yCAAyC,CAAC,MAAM;AACzD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,QAAQ,eAAe,WAAW,EAAE,IAAI,MAAM,SAAS,CAAC;AAC9D,QAAI,CAAC,MAAO,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AACnE,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,WAAW,UAAU,iBACxB,OAAO,iBAAiB,MAAM,OAAO,EACrC,KAAK,CAAC,eAAe,WAAW,iBAAiB,KAAK,OAAO;AAChE,QAAI,UAAU;AACZ,gBAAU,iBAAiB,OAAO,SAAS,EAAE;AAAA,IAC/C;AAEA,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AAED,MAAI,IAAI,2BAA2B,CAAC,MAAM;AACxC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,QAAQ,eAAe,WAAW,EAAE,IAAI,MAAM,SAAS,CAAC;AAC9D,QAAI,CAAC,MAAO,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AACnE,WAAO,EAAE,KAAK,cAAc,SAAS,KAAK,CAAC;AAAA,EAC7C,CAAC;AAED,MAAI,IAAI,2BAA2B,OAAO,MAAM;AAC9C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,QAAQ,eAAe,WAAW,EAAE,IAAI,MAAM,SAAS,CAAC;AAC9D,QAAI,CAAC,MAAO,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AAEnE,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,UAAW,KAAK,WAAW,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU,CAAC;AACpF,UAAM,WAAW,OAAO,QAAQ,SAAS,WAAW,QAAQ,KAAK,KAAK,IAAI,MAAM;AAEhF,QAAI,aAAa,MAAM,MAAM;AAC3B,YAAM,WAAW,UAAU,OAAO,UAAU,QAAQ,QAAQ;AAC5D,UAAI,YAAY,SAAS,YAAY,MAAM,SAAS;AAClD,eAAO,UAAU,GAAG,KAAK,YAAY,2CAA2C;AAAA,MAClF;AAAA,IACF;AAEA,UAAM,UAAU,UAAU,OAAO,OAAO,MAAM,IAAI;AAAA,MAChD,MAAM;AAAA,MACN,aAAa,OAAO,QAAQ,gBAAgB,WAAW,QAAQ,cAAc,MAAM;AAAA,MACnF,MAAM,mBAAmB,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO,QAAW,MAAM,IAAI;AAAA,IAC5F,CAAC;AACD,WAAO,EAAE,KAAK,cAAc,SAAS,WAAW,KAAK,CAAC;AAAA,EACxD,CAAC;AAED,MAAI,OAAO,2BAA2B,CAAC,MAAM;AAC3C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,QAAQ,eAAe,WAAW,EAAE,IAAI,MAAM,SAAS,CAAC;AAC9D,QAAI,CAAC,MAAO,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AAEnE,eAAW,cAAc,UAAU,iBAAiB,OAAO,iBAAiB,MAAM,OAAO,GAAG;AAC1F,gBAAU,iBAAiB,OAAO,WAAW,EAAE;AAAA,IACjD;AAEA,cAAU,OAAO,OAAO,MAAM,EAAE;AAChC,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AACH;;;ACxKA,SAAS,YAAY,mBAAmB;AACxC,SAAS,SAAS,WAAW,uBAAuB;AA4BpD,IAAM,iBAAiB,gBAAgB,OAAO;AAC9C,IAAM,MAAM;AAEZ,IAAM,cAAc,KAAK,KAAK;AAuC9B,SAAS,gBAAgB,OAAwC;AAC/D,MAAI,MAAM,MAAM,QAAkC,yBAAyB;AAC3E,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,UAAM,QAAQ,2BAA2B,GAAG;AAAA,EAC9C;AACA,SAAO;AACT;AAEA,SAAS,gBAAgB,OAA8C;AACrE,MAAI,MAAM,MAAM,QAAwC,yBAAyB;AACjF,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,UAAM,QAAQ,2BAA2B,GAAG;AAAA,EAC9C;AACA,SAAO;AACT;AAEA,SAAS,iBAAiB,OAA+C;AACvE,MAAI,MAAM,MAAM,QAAyC,0BAA0B;AACnF,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,UAAM,QAAQ,4BAA4B,GAAG;AAAA,EAC/C;AACA,SAAO;AACT;AAEA,SAAS,cAAc,MAA4B;AACjD,SAAO,KAAK,IAAI,IAAI,KAAK,YAAY;AACvC;AAEA,SAAS,mBAAmB,cAA8B;AACxD,MAAI,iBAAiB,mBAAoB,QAAO;AAChD,SAAO,WAAW,mBAAmB,YAAY,CAAC;AACpD;AAEA,SAAS,oBACP,SACA,cACmB;AACnB,SAAO,QAAQ,OAAO,CAAC,WAAW,OAAO,mBAAmB,YAAY;AAC1E;AAEA,SAAS,cACP,cACA,SACA,OACuB;AACvB,MAAI,iBAAiB,oBAAoB;AACvC,WAAO;AAAA,MACL;AAAA,MACA,QAAQ;AAAA,MACR,WAAW,CAAC,gBAAgB;AAAA,IAC9B;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,qBAAqB,UAAU,aAAa,YAAY;AAC7E,MAAI,CAAC,OAAQ,QAAO;AACpB,SAAO;AAAA,IACL;AAAA,IACA,QAAQ,kBAAkB,SAAS,YAAY;AAAA,IAC/C,WAAW,OAAO,UAAU,SAAS,IAAI,OAAO,YAAY,CAAC,gBAAgB;AAAA,EAC/E;AACF;AAEA,SAAS,uBAAuB,SAAiB,QAAiD;AAChG,QAAM,YAAY,mBAAmB,OAAO,YAAY;AACxD,QAAM,eAAe,GAAG,OAAO,GAAG,SAAS;AAC3C,QAAM,2BAA2B,CAAC,sBAAsB,uBAAuB,MAAM;AACrF,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,wBAAwB,GAAG,YAAY;AAAA,IACvC,gBAAgB,GAAG,YAAY;AAAA,IAC/B,mBAAmB,GAAG,YAAY;AAAA,IAClC,UAAU,GAAG,YAAY;AAAA,IACzB,sBAAsB,GAAG,YAAY;AAAA,IACrC,qBAAqB,GAAG,YAAY;AAAA,IACpC,wBAAwB,GAAG,YAAY;AAAA,IACvC,uBAAuB,GAAG,YAAY;AAAA,IACtC,0BAA0B,CAAC,MAAM;AAAA,IACjC,0BAA0B,CAAC,SAAS,YAAY,WAAW;AAAA,IAC3D,uBAAuB,CAAC,sBAAsB,iBAAiB,oBAAoB;AAAA,IACnF,yBAAyB,CAAC,QAAQ;AAAA,IAClC,uCAAuC,CAAC,OAAO;AAAA,IAC/C,kBAAkB,CAAC,UAAU,WAAW,SAAS,kBAAkB,QAAQ;AAAA,IAC3E,uCAAuC;AAAA,IACvC,4CAA4C;AAAA,IAC5C,+CAA+C;AAAA,IAC/C,6BAA6B;AAAA,IAC7B,iCAAiC;AAAA,IACjC,4BAA4B;AAAA,IAC5B,6CAA6C,CAAC,OAAO;AAAA,IACrD,kBAAkB;AAAA,MAChB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,kCAAkC,CAAC,SAAS,MAAM;AAAA,EACpD;AACF;AAEA,eAAe,mBAAmB,GAAqD;AACrF,QAAM,cAAc,EAAE,IAAI,OAAO,cAAc,KAAK;AACpD,QAAM,MAAM,MAAM,EAAE,IAAI,KAAK;AAE7B,MAAI,YAAY,SAAS,kBAAkB,GAAG;AAC5C,QAAI;AACF,YAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,YAAM,MAA8B,CAAC;AACrC,iBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,MAAM,GAAG;AACjD,YAAI,OAAO,UAAU,SAAU,KAAI,GAAG,IAAI;AAAA,MAC5C;AACA,aAAO;AAAA,IACT,QAAQ;AACN,aAAO,CAAC;AAAA,IACV;AAAA,EACF;AAEA,SAAO,OAAO,YAAY,IAAI,gBAAgB,GAAG,CAAC;AACpD;AAEA,SAAS,uBACP,GACA,MAC4C;AAC5C,MAAI,WAAW,KAAK,aAAa;AACjC,MAAI,eAAe,KAAK,iBAAiB;AAEzC,QAAM,aAAa,EAAE,IAAI,OAAO,eAAe,KAAK;AACpD,MAAI,WAAW,WAAW,QAAQ,GAAG;AACnC,UAAM,UAAU,OAAO,KAAK,WAAW,MAAM,CAAC,GAAG,QAAQ,EAAE,SAAS,MAAM;AAC1E,UAAM,MAAM,QAAQ,QAAQ,GAAG;AAC/B,QAAI,QAAQ,IAAI;AACd,YAAM,WAAW,mBAAmB,QAAQ,MAAM,GAAG,GAAG,CAAC;AACzD,YAAM,eAAe,mBAAmB,QAAQ,MAAM,MAAM,CAAC,CAAC;AAC9D,UAAI,CAAC,SAAU,YAAW;AAC1B,UAAI,CAAC,aAAc,gBAAe;AAAA,IACpC;AAAA,EACF;AAEA,SAAO,EAAE,UAAU,aAAa;AAClC;AAOA,SAAS,eACP,SACA,cACA,UACA,cACyE;AACzE,QAAM,gBAAgB,oBAAoB,SAAS,YAAY;AAC/D,MAAI,cAAc,WAAW,GAAG;AAC9B,WAAO,EAAE,QAAQ,MAAM,OAAO,KAAK;AAAA,EACrC;AAEA,QAAM,SAAS,cAAc,KAAK,CAAC,UAAU,MAAM,cAAc,QAAQ;AACzE,MAAI,CAAC,QAAQ;AACX,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,OAAO;AAAA,QACL,MAAM,EAAE,OAAO,kBAAkB,mBAAmB,kBAAkB;AAAA,QACtE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAEA,MAAI,OAAO,+BAA+B,QAAQ;AAChD,WAAO,EAAE,QAAQ,OAAO,KAAK;AAAA,EAC/B;AAEA,MAAI,CAAC,wBAAwB,OAAO,iBAAiB,IAAI,YAAY,GAAG;AACtE,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,OAAO;AAAA,QACL,MAAM,EAAE,OAAO,kBAAkB,mBAAmB,8BAA8B;AAAA,QAClF,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAEA,SAAO,EAAE,QAAQ,OAAO,KAAK;AAC/B;AAEA,SAAS,WAAW,OAAyB;AAC3C,SAAO,MAAM,MAAM,KAAK,EAAE,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EAAE,OAAO,OAAO;AACrE;AAEA,SAAS,kBACP,WACA,MACU;AACV,QAAM,cAAc,UAAU,iBAAiB,OAAO,gBAAgB,KAAK,OAAO;AAClF,QAAM,QAAkB,CAAC;AACzB,aAAW,cAAc,aAAa;AACpC,UAAM,QAAQ,UAAU,OAAO,UAAU,WAAW,WAAW,aAAa;AAC5E,QAAI,MAAO,OAAM,KAAK,MAAM,IAAI;AAAA,EAClC;AACA,SAAO;AACT;AAEA,eAAe,cACb,WACA,MACA,UACA,OACA,QACA,OACiB;AACjB,QAAM,EAAE,WAAW,IAAI,MAAM;AAC7B,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAM,SAAS,WAAW,KAAK;AAE/B,QAAM,SAAkC;AAAA,IACtC,KAAK,KAAK;AAAA,IACV,MAAM,gBAAgB,IAAI;AAAA,IAC1B,oBAAoB,KAAK;AAAA,IACzB,OAAO,KAAK;AAAA,IACZ,gBAAgB;AAAA,IAChB,QAAQ,KAAK;AAAA,IACb,UAAU,KAAK;AAAA,IACf,WAAW;AAAA,EACb;AAEA,MAAI,MAAO,QAAO,QAAQ;AAC1B,MAAI,OAAO,SAAS,QAAQ,GAAG;AAC7B,WAAO,SAAS,kBAAkB,WAAW,IAAI;AAAA,EACnD;AAEA,SAAO,IAAI,QAAQ,MAAM,EACtB,mBAAmB,EAAE,KAAK,SAAS,KAAK,KAAK,KAAK,MAAM,CAAC,EACzD,UAAU,MAAM,EAChB,YAAY,QAAQ,EACpB,YAAY,GAAG,EACf,kBAAkB,IAAI,EACtB,KAAK,UAAU;AACpB;AAEA,SAAS,yBAAmC;AAC1C,SAAO,IAAI;AAAA,IACT,KAAK,UAAU,EAAE,OAAO,iBAAiB,mBAAmB,+BAA+B,CAAC;AAAA,IAC5F,EAAE,QAAQ,KAAK,SAAS,EAAE,gBAAgB,mBAAmB,EAAE;AAAA,EACjE;AACF;AAEO,SAAS,YAAY,EAAE,KAAK,OAAO,SAAS,SAAS,GAAuB;AACjF,QAAM,YAAY,aAAa,KAAK;AACpC,QAAM,gBAAgB;AAEtB,MAAI,IAAI,qCAAqC,CAAC,MAAM;AAClD,UAAM,SAAS,cAAc,oBAAoB,SAAS,SAAS;AACnE,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,qCAAqC;AACvF,WAAO,EAAE,KAAK,uBAAuB,SAAS,MAAM,CAAC;AAAA,EACvD,CAAC;AAED,MAAI,IAAI,0DAA0D,CAAC,MAAM;AACvE,UAAM,eAAe,EAAE,IAAI,MAAM,cAAc;AAC/C,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AACrG,WAAO,EAAE,KAAK,uBAAuB,SAAS,MAAM,CAAC;AAAA,EACvD,CAAC;AAED,MAAI,IAAI,mBAAmB,OAAO,MAAM;AACtC,UAAM,EAAE,UAAU,IAAI,MAAM;AAC5B,UAAM,MAAM,MAAM,UAAU,SAAS;AACrC,WAAO,EAAE,KAAK;AAAA,MACZ,MAAM,CAAC,EAAE,GAAG,KAAK,KAAK,KAAK,KAAK,OAAO,KAAK,QAAQ,CAAC;AAAA,IACvD,CAAC;AAAA,EACH,CAAC;AAED,MAAI,IAAI,iCAAiC,OAAO,MAAM;AACpD,UAAM,eAAe,EAAE,IAAI,MAAM,cAAc;AAC/C,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,EAAE,UAAU,IAAI,MAAM;AAC5B,UAAM,MAAM,MAAM,UAAU,SAAS;AACrC,WAAO,EAAE,KAAK;AAAA,MACZ,MAAM,CAAC,EAAE,GAAG,KAAK,KAAK,KAAK,KAAK,OAAO,KAAK,QAAQ,CAAC;AAAA,IACvD,CAAC;AAAA,EACH,CAAC;AAED,QAAM,sBAAsB,CAC1B,GACA,iBACa;AACb,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,WAAW,EAAE,IAAI,MAAM,WAAW,KAAK;AAC7C,UAAM,cAAc,EAAE,IAAI,MAAM,cAAc,KAAK;AACnD,UAAM,QAAQ,EAAE,IAAI,MAAM,OAAO,KAAK;AACtC,UAAM,QAAQ,EAAE,IAAI,MAAM,OAAO,KAAK;AACtC,UAAM,QAAQ,EAAE,IAAI,MAAM,OAAO,KAAK;AACtC,UAAM,eAAe,EAAE,IAAI,MAAM,eAAe,KAAK;AACrD,UAAM,eAAe,EAAE,IAAI,MAAM,eAAe,KAAK;AACrD,UAAM,gBAAgB,EAAE,IAAI,MAAM,gBAAgB,KAAK;AACvD,UAAM,sBAAsB,EAAE,IAAI,MAAM,uBAAuB,KAAK;AAEpE,QAAI,iBAAiB,QAAQ;AAC3B,aAAO,EAAE;AAAA,QACP,gBAAgB,6BAA6B,yCAAyC,aAAa;AAAA,QACnG;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,aAAa;AAChB,aAAO,EAAE;AAAA,QACP,gBAAgB,wBAAwB,2CAA2C,aAAa;AAAA,QAChG;AAAA,MACF;AAAA,IACF;AAEA,UAAM,oBAAoB,oBAAoB,UAAU,aAAa,IAAI,GAAG,YAAY;AACxF,QAAI,aAAa;AACjB,QAAI,kBAAkB,SAAS,GAAG;AAChC,YAAM,SAAS,kBAAkB,KAAK,CAAC,UAAU,MAAM,cAAc,QAAQ;AAC7E,UAAI,CAAC,QAAQ;AACX,eAAO,EAAE;AAAA,UACP,gBAAgB,yBAAyB,kBAAkB,QAAQ,wBAAwB,aAAa;AAAA,UACxG;AAAA,QACF;AAAA,MACF;AACA,UAAI,CAAC,mBAAmB,aAAa,OAAO,aAAa,GAAG;AAC1D,eAAO,EAAE;AAAA,UACP,gBAAgB,yBAAyB,4DAA4D,aAAa;AAAA,UAClH;AAAA,QACF;AAAA,MACF;AACA,mBAAa,OAAO;AAAA,IACtB;AAEA,UAAM,QAAQ,UAAU,MAAM,IAAI;AAClC,UAAM,eAAe,GAAG,mBAAmB,YAAY,CAAC;AACxD,UAAM,UAAU,MACb,IAAI,CAAC,SAAS,iBAAiB;AAAA,MAC9B,SAAS,KAAK,MAAM,CAAC,KAAK,KAAK,YAAY;AAAA,MAC3C,OAAO,KAAK;AAAA,MACZ,MAAM,gBAAgB,IAAI;AAAA,MAC1B,OAAO,KAAK;AAAA,MACZ,YAAY;AAAA,MACZ,cAAc;AAAA,QACZ,UAAU,KAAK;AAAA,QACf,cAAc;AAAA,QACd;AAAA,QACA;AAAA,QACA;AAAA,QACA,WAAW;AAAA,QACX,eAAe;AAAA,QACf,gBAAgB;AAAA,QAChB,uBAAuB;AAAA,QACvB,gBAAgB;AAAA,MAClB;AAAA,IACF,CAAC,CAAC,EACD,KAAK,IAAI;AAEZ,UAAM,WAAW,aACb,sBAAsB,WAAW,UAAU,CAAC,sCAC5C;AAEJ,WAAO,EAAE;AAAA,MACP;AAAA,QACE;AAAA,QACA;AAAA,QACA,MAAM,SAAS,IAAI,UAAU;AAAA,QAC7B;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,MAAI,IAAI,wBAAwB,CAAC,MAAM,oBAAoB,GAAG,kBAAkB,CAAC;AACjF,MAAI,IAAI,sCAAsC,CAAC,MAAM,oBAAoB,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC,CAAC;AAExG,QAAM,0BAA0B,OAC9B,GACA,iBACsB;AACtB,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,OAAO,MAAM,EAAE,IAAI,UAAU;AACnC,UAAM,UAAU,QAAQ,KAAK,QAAQ;AACrC,UAAM,cAAc,QAAQ,KAAK,YAAY;AAC7C,UAAM,QAAQ,QAAQ,KAAK,KAAK,KAAK;AACrC,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,WAAW,QAAQ,KAAK,SAAS;AACvC,UAAM,eAAe,QAAQ,KAAK,aAAa,KAAK;AACpD,UAAM,gBAAgB,QAAQ,KAAK,cAAc;AACjD,UAAM,sBAAsB,QAAQ,KAAK,qBAAqB;AAE9D,QAAI,CAAC,aAAa;AAChB,aAAO,EAAE;AAAA,QACP,gBAAgB,wBAAwB,2CAA2C,aAAa;AAAA,QAChG;AAAA,MACF;AAAA,IACF;AAEA,UAAM,OAAO,cAAc,WAAW,OAAO;AAC7C,QAAI,CAAC,MAAM;AACT,aAAO,EAAE;AAAA,QACP,gBAAgB,gBAAgB,uCAAuC,aAAa;AAAA,QACpF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,oBAAoB,oBAAoB,UAAU,aAAa,IAAI,GAAG,YAAY;AACxF,QAAI,kBAAkB,SAAS,GAAG;AAChC,YAAM,SAAS,kBAAkB,KAAK,CAAC,UAAU,MAAM,cAAc,QAAQ;AAC7E,UAAI,CAAC,QAAQ;AACX,eAAO,EAAE;AAAA,UACP,gBAAgB,yBAAyB,kBAAkB,QAAQ,wBAAwB,aAAa;AAAA,UACxG;AAAA,QACF;AAAA,MACF;AACA,UAAI,CAAC,mBAAmB,aAAa,OAAO,aAAa,GAAG;AAC1D,eAAO,EAAE;AAAA,UACP,gBAAgB,yBAAyB,4DAA4D,aAAa;AAAA,UAClH;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAC3C,oBAAgB,KAAK,EAAE,IAAI,MAAM;AAAA,MAC/B,SAAS,KAAK;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,MACA,OAAO,SAAS;AAAA,MAChB,eAAe,iBAAiB;AAAA,MAChC,qBAAqB,uBAAuB;AAAA,MAC5C;AAAA,MACA,WAAW,KAAK,IAAI;AAAA,IACtB,CAAC;AAED,UAAM,cAAc,mBAAmB,KAAK,MAAM,GAAG,CAAC,CAAC,YAAY,KAAK,KAAK,WAAW,YAAY,EAAE;AAEtG,QAAI,iBAAiB,aAAa;AAChC,YAAM,OAAO;AAAA;AAAA;AAAA;AAAA,8BAIW,WAAW,WAAW,CAAC;AAAA,0CACX,WAAW,IAAI,CAAC;AAAA,2CACf,WAAW,KAAK,CAAC;AAAA;AAAA;AAAA;AAItD,aAAO,EAAE,KAAK,IAAI;AAAA,IACpB;AAEA,UAAM,MAAM,IAAI,IAAI,WAAW;AAC/B,QAAI,aAAa,IAAI,QAAQ,IAAI;AACjC,QAAI,MAAO,KAAI,aAAa,IAAI,SAAS,KAAK;AAC9C,WAAO,EAAE,SAAS,IAAI,SAAS,GAAG,GAAG;AAAA,EACvC;AAEA,MAAI,KAAK,iCAAiC,CAAC,MAAM,wBAAwB,GAAG,kBAAkB,CAAC;AAC/F,MAAI,KAAK,+CAA+C,CAAC,MAAM,wBAAwB,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC,CAAC;AAEtH,QAAM,cAAc,OAClB,GACA,iBACsB;AACtB,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,OAAO,MAAM,mBAAmB,CAAC;AACvC,UAAM,YAAY,KAAK,cAAc;AACrC,UAAM,OAAO,KAAK,QAAQ;AAC1B,UAAM,cAAc,KAAK,gBAAgB;AACzC,UAAM,eAAe,KAAK;AAC1B,UAAM,eAAe,KAAK,iBAAiB;AAC3C,UAAM,iBAAiB,KAAK,SAAS;AAErC,UAAM,QAAQ,uBAAuB,GAAG,IAAI;AAC5C,UAAM,aAAa,eAAe,UAAU,aAAa,IAAI,GAAG,cAAc,MAAM,UAAU,MAAM,YAAY;AAChH,QAAI,WAAW,OAAO;AACpB,aAAO,EAAE,KAAK,WAAW,MAAM,MAAM,WAAW,MAAM,MAAa;AAAA,IACrE;AACA,UAAM,kBAAkB,WAAW;AAEnC,QAAI,cAAc,sBAAsB;AACtC,YAAM,UAAU,gBAAgB,KAAK,EAAE,IAAI,IAAI;AAC/C,UAAI,CAAC,WAAW,cAAc,OAAO,GAAG;AACtC,YAAI,QAAS,iBAAgB,KAAK,EAAE,OAAO,IAAI;AAC/C,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4CAA4C,GAAG,GAAG;AAAA,MAC/G;AACA,UAAI,QAAQ,iBAAiB,cAAc;AACzC,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,iCAAiC,GAAG,GAAG;AAAA,MACpG;AACA,UAAI,eAAe,gBAAgB,QAAQ,aAAa;AACtD,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,+BAA+B,GAAG,GAAG;AAAA,MAClG;AACA,UAAI,mBAAmB,gBAAgB,cAAc,QAAQ,UAAU;AACrE,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,oDAAoD,GAAG,GAAG;AAAA,MACvH;AAEA,UAAI,QAAQ,kBAAkB,MAAM;AAClC,YAAI,CAAC,cAAc;AACjB,iBAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B,GAAG,GAAG;AAAA,QAC/F;AACA,cAAM,UAAU,QAAQ,uBAAuB,SAAS,YAAY;AACpE,YAAI,WAAW,QAAQ;AACrB,gBAAM,WAAW,WAAW,QAAQ,EAAE,OAAO,YAAY,EAAE,OAAO,WAAW;AAC7E,cAAI,aAAa,QAAQ,eAAe;AACtC,mBAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B,GAAG,GAAG;AAAA,UAC/F;AAAA,QACF,WAAW,WAAW,SAAS;AAC7B,cAAI,iBAAiB,QAAQ,eAAe;AAC1C,mBAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B,GAAG,GAAG;AAAA,UAC/F;AAAA,QACF,OAAO;AACL,iBAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B,GAAG,GAAG;AAAA,QAC/F;AAAA,MACF;AAEA,YAAM,OAAO,cAAc,WAAW,QAAQ,OAAO;AACrD,UAAI,CAAC,KAAM,QAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,gBAAgB,GAAG,GAAG;AAC5F,sBAAgB,KAAK,EAAE,OAAO,IAAI;AAElC,YAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,YAAM,iBAAiB,QAAQ,YAAY,MAAM,YAAY;AAC7D,YAAM,QAAQ,QAAQ,SAAS;AAC/B,YAAM,cAAc,QAAQ,YAAY,EAAE,EAAE,SAAS,WAAW,CAAC;AACjE,YAAM,kBAAkB,UAAU,YAAY,EAAE,EAAE,SAAS,WAAW,CAAC;AAEvE,sBAAgB,KAAK,EAAE,IAAI,aAAa;AAAA,QACtC;AAAA,QACA,UAAU;AAAA,QACV;AAAA,QACA,UAAU;AAAA,QACV,WAAW,MAAM;AAAA,QACjB,YAAY,KAAK;AAAA,QACjB,UAAU,KAAK;AAAA,MACjB,CAAC;AACD,uBAAiB,KAAK,EAAE,IAAI,iBAAiB;AAAA,QAC3C;AAAA,QACA,UAAU;AAAA,QACV;AAAA,QACA,YAAY,KAAK;AAAA,QACjB,UAAU,KAAK;AAAA,QACf,OAAO,QAAQ;AAAA,MACjB,CAAC;AAED,gBAAU,IAAI,aAAa;AAAA,QACzB,OAAO,KAAK;AAAA,QACZ,IAAI,KAAK;AAAA,QACT,QAAQ,WAAW,KAAK;AAAA,MAC1B,CAAC;AAED,YAAM,UAAU,MAAM;AAAA,QACpB;AAAA,QACA;AAAA,QACA;AAAA,QACA,QAAQ;AAAA,QACR,OAAO;AAAA,QACP;AAAA,MACF;AAEA,aAAO,EAAE,KAAK;AAAA,QACZ,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,cAAc;AAAA,QACd,eAAe;AAAA,QACf,UAAU;AAAA,QACV;AAAA,MACF,CAAC;AAAA,IACH;AAEA,QAAI,cAAc,iBAAiB;AACjC,YAAM,WAAW,iBAAiB,KAAK,EAAE,IAAI,YAAY;AACzD,UAAI,CAAC,UAAU;AACb,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,yBAAyB,GAAG,GAAG;AAAA,MAC5F;AACA,UAAI,SAAS,iBAAiB,cAAc;AAC1C,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,iCAAiC,GAAG,GAAG;AAAA,MACpG;AACA,UAAI,mBAAmB,gBAAgB,cAAc,SAAS,UAAU;AACtE,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,+CAA+C,GAAG,GAAG;AAAA,MAClH;AAEA,YAAM,OAAO,UAAU,MAAM,UAAU,WAAW,SAAS,UAAU;AACrE,UAAI,CAAC,KAAM,QAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,gBAAgB,GAAG,GAAG;AAC5F,uBAAiB,KAAK,EAAE,OAAO,YAAY;AAE3C,YAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,YAAM,kBAAkB,QAAQ,YAAY,EAAE,EAAE,SAAS,WAAW,CAAC;AACrE,YAAM,mBAAmB,UAAU,YAAY,EAAE,EAAE,SAAS,WAAW,CAAC;AACxE,YAAM,QAAQ,kBAAkB,SAAS;AAEzC,sBAAgB,KAAK,EAAE,IAAI,iBAAiB;AAAA,QAC1C;AAAA,QACA,UAAU,SAAS;AAAA,QACnB;AAAA,QACA,UAAU;AAAA,QACV,WAAW,MAAM;AAAA,QACjB,YAAY,KAAK;AAAA,QACjB,UAAU,KAAK;AAAA,MACjB,CAAC;AACD,uBAAiB,KAAK,EAAE,IAAI,kBAAkB;AAAA,QAC5C,GAAG;AAAA,QACH;AAAA,MACF,CAAC;AAED,gBAAU,IAAI,iBAAiB;AAAA,QAC7B,OAAO,KAAK;AAAA,QACZ,IAAI,KAAK;AAAA,QACT,QAAQ,WAAW,KAAK;AAAA,MAC1B,CAAC;AAED,YAAM,WAAoC;AAAA,QACxC,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,cAAc;AAAA,QACd,eAAe;AAAA,QACf;AAAA,MACF;AAEA,UAAI,WAAW,KAAK,EAAE,SAAS,QAAQ,GAAG;AACxC,iBAAS,WAAW,MAAM;AAAA,UACxB;AAAA,UACA;AAAA,UACA,SAAS;AAAA,UACT,SAAS;AAAA,UACT,OAAO;AAAA,UACP;AAAA,QACF;AAAA,MACF;AAEA,aAAO,EAAE,KAAK,QAAQ;AAAA,IACxB;AAEA,QAAI,cAAc,sBAAsB;AACtC,UAAI,UAAU,aAAa,IAAI,EAAE,SAAS,KAAK,CAAC,iBAAiB;AAC/D,eAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,mBAAmB,kBAAkB,GAAG,GAAG;AAAA,MACtF;AAEA,YAAM,QAAQ,kBAAkB;AAChC,YAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,YAAM,cAAc,QAAQ,YAAY,EAAE,EAAE,SAAS,WAAW,CAAC;AACjE,YAAM,WAAW,iBAAiB,aAAa,MAAM;AAErD,UAAI,CAAC,UAAU;AACb,eAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,mBAAmB,yBAAyB,GAAG,GAAG;AAAA,MAC7F;AAEA,sBAAgB,KAAK,EAAE,IAAI,aAAa;AAAA,QACtC;AAAA,QACA;AAAA,QACA;AAAA,QACA,UAAU;AAAA,QACV,WAAW,MAAM;AAAA,QACjB,YAAY;AAAA,QACZ,UAAU;AAAA,MACZ,CAAC;AAED,gBAAU,IAAI,aAAa;AAAA,QACzB,OAAO;AAAA,QACP,IAAI;AAAA,QACJ,QAAQ,WAAW,KAAK;AAAA,MAC1B,CAAC;AAED,aAAO,EAAE,KAAK;AAAA,QACZ,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,cAAc;AAAA,QACd;AAAA,MACF,CAAC;AAAA,IACH;AAEA,WAAO,EAAE,KAAK,EAAE,OAAO,yBAAyB,GAAG,GAAG;AAAA,EACxD;AAEA,MAAI,KAAK,oBAAoB,CAAC,MAAM,YAAY,GAAG,kBAAkB,CAAC;AACtE,MAAI,KAAK,kCAAkC,CAAC,MAAM,YAAY,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC,CAAC;AAE7F,QAAM,iBAAiB,CAAC,GAAoB,iBAAmC;AAC7E,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,QAAQ,EAAE,IAAI,WAAW,KAAK;AACpC,UAAM,SAAS,gBAAgB,KAAK,EAAE,IAAI,KAAK;AAC/C,QAAI,CAAC,UAAU,OAAO,iBAAiB,gBAAgB,CAAC,OAAO,YAAY;AACzE,aAAO,uBAAuB;AAAA,IAChC;AAEA,UAAM,OAAO,UAAU,MAAM,UAAU,WAAW,OAAO,UAAU;AACnE,QAAI,CAAC,KAAM,QAAO,uBAAuB;AAEzC,UAAM,SAAkC;AAAA,MACtC,KAAK,KAAK;AAAA,MACV,MAAM,gBAAgB,IAAI;AAAA,MAC1B,oBAAoB,KAAK;AAAA,MACzB,OAAO,KAAK;AAAA,MACZ,gBAAgB;AAAA,MAChB,QAAQ,KAAK;AAAA,MACb,UAAU,KAAK;AAAA,IACjB;AAEA,QAAI,WAAW,OAAO,KAAK,EAAE,SAAS,QAAQ,GAAG;AAC/C,aAAO,SAAS,kBAAkB,WAAW,IAAI;AAAA,IACnD;AAEA,WAAO,EAAE,KAAK,MAAM;AAAA,EACtB;AAEA,MAAI,IAAI,uBAAuB,CAAC,MAAM,eAAe,GAAG,kBAAkB,CAAC;AAC3E,MAAI,IAAI,qCAAqC,CAAC,MAAM,eAAe,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC,CAAC;AAElG,QAAM,eAAe,OACnB,GACA,iBACsB;AACtB,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,OAAO,MAAM,mBAAmB,CAAC;AACvC,UAAM,QAAQ,KAAK,SAAS;AAC5B,oBAAgB,KAAK,EAAE,OAAO,KAAK;AACnC,qBAAiB,KAAK,EAAE,OAAO,KAAK;AACpC,cAAU,OAAO,KAAK;AACtB,WAAO,EAAE,KAAK,IAAI,GAAG;AAAA,EACvB;AAEA,MAAI,KAAK,qBAAqB,CAAC,MAAM,aAAa,GAAG,kBAAkB,CAAC;AACxE,MAAI,KAAK,mCAAmC,CAAC,MAAM,aAAa,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC,CAAC;AAE/F,QAAM,mBAAmB,OACvB,GACA,iBACsB;AACtB,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,OAAO,MAAM,mBAAmB,CAAC;AACvC,UAAM,QAAQ,KAAK,SAAS;AAC5B,UAAM,QAAQ,uBAAuB,GAAG,IAAI;AAE5C,UAAM,aAAa,eAAe,UAAU,aAAa,IAAI,GAAG,cAAc,MAAM,UAAU,MAAM,YAAY;AAChH,QAAI,WAAW,OAAO;AACpB,aAAO,EAAE,KAAK,WAAW,MAAM,MAAM,WAAW,MAAM,MAAa;AAAA,IACrE;AAEA,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,UAAM,SAAS,gBAAgB,KAAK,EAAE,IAAI,KAAK;AAC/C,QAAI,UAAU,OAAO,iBAAiB,gBAAgB,OAAO,YAAY,KAAK;AAC5E,aAAO,EAAE,KAAK;AAAA,QACZ,QAAQ;AAAA,QACR,YAAY;AAAA,QACZ,OAAO,OAAO;AAAA,QACd,WAAW,OAAO;AAAA,QAClB,UAAU,OAAO;AAAA,QACjB,KAAK,OAAO;AAAA,QACZ,KAAK,OAAO;AAAA,QACZ,KAAK,OAAO;AAAA,QACZ,KAAK,OAAO;AAAA,QACZ,KAAK,OAAO;AAAA,MACd,CAAC;AAAA,IACH;AAEA,UAAM,UAAU,iBAAiB,KAAK,EAAE,IAAI,KAAK;AACjD,QAAI,WAAW,QAAQ,iBAAiB,cAAc;AACpD,aAAO,EAAE,KAAK;AAAA,QACZ,QAAQ;AAAA,QACR,YAAY;AAAA,QACZ,OAAO,QAAQ;AAAA,QACf,WAAW,QAAQ;AAAA,QACnB,UAAU,QAAQ;AAAA,QAClB,KAAK,QAAQ;AAAA,QACb,KAAK,OAAO;AAAA,QACZ,KAAK,OAAO;AAAA,MACd,CAAC;AAAA,IACH;AAEA,WAAO,EAAE,KAAK,EAAE,QAAQ,MAAM,CAAC;AAAA,EACjC;AAEA,MAAI,KAAK,yBAAyB,CAAC,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAChF,MAAI,KAAK,uCAAuC,CAAC,MAAM,iBAAiB,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC,CAAC;AAEvG,QAAM,eAAe,CACnB,GACA,iBACa;AACb,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,wBAAwB,EAAE,IAAI,MAAM,0BAA0B;AACpE,QAAI,CAAC,sBAAuB,QAAO,EAAE,KAAK,YAAY;AAEtD,UAAM,gBAAgB,oBAAoB,UAAU,aAAa,IAAI,GAAG,YAAY;AACpF,QAAI,cAAc,SAAS,GAAG;AAC5B,YAAM,YAAY,cAAc;AAAA,QAAK,CAAC,WACpC,mBAAmB,uBAAuB,OAAO,aAAa;AAAA,MAChE;AACA,UAAI,CAAC,UAAW,QAAO,EAAE,KAAK,oCAAoC,GAAG;AAAA,IACvE;AAEA,WAAO,EAAE,SAAS,uBAAuB,GAAG;AAAA,EAC9C;AAEA,MAAI,IAAI,qBAAqB,CAAC,MAAM,aAAa,GAAG,kBAAkB,CAAC;AACvE,MAAI,IAAI,mCAAmC,CAAC,MAAM,aAAa,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC,CAAC;AAChG;;;ACp3BA,SAAS,kBAAkB,MAAgB,SAAqD;AAC9F,QAAM,gBAAgB,OAAO,QAAQ,cAAc,WAAW,QAAQ,YAAY,KAAK;AACvF,QAAM,eAAe,OAAO,QAAQ,aAAa,WAAW,QAAQ,WAAW,KAAK;AACpF,QAAM,kBACJ,OAAO,QAAQ,gBAAgB,WAC3B,QAAQ,cACR,OAAO,QAAQ,aAAa,WAC1B,QAAQ,WACR,KAAK;AAEb,SAAO;AAAA,IACL,OAAO,OAAO,QAAQ,UAAU,WAAW,QAAQ,QAAQ,KAAK;AAAA,IAChE,OAAO,OAAO,QAAQ,UAAU,WAAW,QAAQ,QAAQ,KAAK;AAAA,IAChE,YAAY;AAAA,IACZ,WAAW;AAAA,IACX,cAAc,mBAAmB,GAAG,aAAa,IAAI,YAAY,GAAG,KAAK;AAAA,IACzE,QAAQ,OAAO,QAAQ,WAAW,WAAW,QAAQ,SAAS,KAAK;AAAA,IACnE,WAAW,OAAO,QAAQ,aAAa,WAAW,QAAQ,WAAW,KAAK;AAAA,EAC5E;AACF;AAEA,SAAS,mBAAmB,MAAgB,QAA2C;AACrF,QAAM,MAAM,OAAO;AACnB,QAAM,cAAc,WAAW,WAAY,KAAK,gBAAgB,MAAO,KAAK;AAC5E,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,yBAAyB;AAAA,IACzB,mBAAmB;AAAA,IACnB,cAAc;AAAA,EAChB;AACF;AAEO,SAAS,WAAW,EAAE,KAAK,OAAO,SAAS,SAAS,GAAuB;AAChF,QAAM,YAAY,aAAa,KAAK;AAEpC,MAAI,IAAI,iBAAiB,CAAC,MAAM;AAC9B,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,KAAK,EAAE,IAAI,MAAM,GAAG,KAAK,IAAI,YAAY;AAC/C,UAAM,UAAU,EAAE,IAAI,MAAM,QAAQ,KAAK,IAAI,YAAY;AACzD,UAAM,SAAS,EAAE,IAAI,MAAM,QAAQ,KAAK;AAExC,QAAI,QAAQ,UAAU,MAAM,IAAI;AAEhC,QAAI,GAAG;AACL,cAAQ,MAAM;AAAA,QAAO,CAAC,SACpB,CAAC,KAAK,OAAO,KAAK,OAAO,KAAK,YAAY,KAAK,WAAW,KAAK,YAAY,EACxE,KAAK,GAAG,EACR,YAAY,EACZ,SAAS,CAAC;AAAA,MACf;AAAA,IACF;AAEA,QAAI,QAAQ;AACV,cAAQ,MAAM;AAAA,QAAO,CAAC,SACpB,CAAC,KAAK,OAAO,KAAK,OAAO,KAAK,YAAY,KAAK,WAAW,KAAK,YAAY,EACxE,KAAK,GAAG,EACR,YAAY,EACZ,SAAS,MAAM;AAAA,MACpB;AAAA,IACF;AAEA,QAAI,QAAQ;AACV,YAAM,cAAc,OAAO,MAAM,8BAA8B;AAC/D,UAAI,cAAc,CAAC,GAAG;AACpB,gBAAQ,MAAM,OAAO,CAAC,SAAS,KAAK,WAAW,YAAY,CAAC,CAAC;AAAA,MAC/D;AAAA,IACF;AAEA,UAAM,EAAE,MAAM,SAAS,IAAI,gBAAgB,CAAC;AAC5C,UAAM,QAAQ,MAAM;AACpB,UAAM,SAAS,OAAO,KAAK;AAC3B,UAAM,QAAQ,MAAM,MAAM,OAAO,QAAQ,QAAQ;AACjD,kBAAc,GAAG,OAAO,MAAM,QAAQ;AACtC,MAAE,OAAO,iBAAiB,OAAO,KAAK,CAAC;AAEvC,WAAO,EAAE,KAAK,MAAM,IAAI,CAAC,SAAS,aAAa,SAAS,IAAI,CAAC,CAAC;AAAA,EAChE,CAAC;AAED,MAAI,KAAK,iBAAiB,OAAO,MAAM;AACrC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,UAAW,KAAK,WAAW,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU,CAAC;AACpF,UAAM,QAAQ,OAAO,QAAQ,UAAU,WAAW,QAAQ,MAAM,KAAK,IAAI;AACzE,UAAM,QAAQ,OAAO,QAAQ,UAAU,WAAW,QAAQ,MAAM,KAAK,IAAI;AAEzE,QAAI,CAAC,SAAS,CAAC,OAAO;AACpB,aAAO,UAAU,GAAG,KAAK,YAAY,8CAA8C;AAAA,IACrF;AAEA,QAAI,UAAU,MAAM,UAAU,SAAS,KAAK,KAAK,UAAU,MAAM,UAAU,SAAS,KAAK,GAAG;AAC1F,aAAO,UAAU,GAAG,KAAK,YAAY,oDAAoD;AAAA,IAC3F;AAEA,UAAM,WAAW,cAAc,EAAE,IAAI,MAAM,UAAU,GAAG,IAAI;AAC5D,UAAM,MAAM,OAAO;AACnB,UAAM,YAAY,OAAO,QAAQ,cAAc,WAAW,QAAQ,YAAY;AAC9E,UAAM,WAAW,OAAO,QAAQ,aAAa,WAAW,QAAQ,WAAW;AAC3E,UAAM,cACJ,OAAO,QAAQ,gBAAgB,WAC3B,QAAQ,cACR,GAAG,SAAS,IAAI,QAAQ,GAAG,KAAK,KAAK;AAE3C,UAAM,UAAU,UAAU,MAAM,OAAO;AAAA,MACrC,SAAS,eAAe,KAAK;AAAA,MAC7B,QAAQ,WAAW,WAAW;AAAA,MAC9B,cAAc,WAAW,MAAM;AAAA,MAC/B,mBAAmB;AAAA,MACnB,eAAe;AAAA,MACf,qBAAqB;AAAA,MACrB,yBAAyB;AAAA,MACzB;AAAA,MACA;AAAA,MACA,YAAY;AAAA,MACZ,WAAW;AAAA,MACX,cAAc;AAAA,MACd,QAAQ,OAAO,QAAQ,WAAW,WAAW,QAAQ,SAAS;AAAA,MAC9D,WAAW,OAAO,QAAQ,aAAa,WAAW,QAAQ,WAAW;AAAA,IACvE,CAAC;AAED,WAAO,EAAE,KAAK,aAAa,SAAS,OAAO,GAAG,GAAG;AAAA,EACnD,CAAC;AAED,MAAI,IAAI,oBAAoB,CAAC,MAAM;AACjC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,OAAO,UAAU,MAAM,UAAU,SAAS,KAAK,KAAK,KAAK,UAAU,MAAM,IAAI,EAAE,CAAC;AACtF,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,WAAW,aAAa,SAAS,IAAI;AAC3C,WAAO,EAAE,KAAK;AAAA,MACZ,GAAG;AAAA,MACH,SAAS;AAAA,QACP,GAAI,SAAS;AAAA,QACb,aAAa,gBAAgB,IAAI;AAAA,MACnC;AAAA,IACF,CAAC;AAAA,EACH,CAAC;AAED,MAAI,IAAI,gCAAgC,CAAC,MAAM;AAC7C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,cAAc,UAAU,iBAAiB,OAAO,gBAAgB,KAAK,OAAO;AAClF,UAAM,SAAS,YACZ,IAAI,CAAC,eAAe,UAAU,OAAO,UAAU,WAAW,WAAW,aAAa,CAAC,EACnF,OAAO,CAAC,UAA8C,QAAQ,KAAK,CAAC;AAEvE,WAAO,EAAE,KAAK,OAAO,IAAI,CAAC,WAAW;AAAA,MACnC,IAAI,MAAM;AAAA,MACV,SAAS;AAAA,QACP,MAAM,MAAM;AAAA,QACZ,aAAa,MAAM;AAAA,MACrB;AAAA,MACA,MAAM,MAAM;AAAA,IACd,EAAE,CAAC;AAAA,EACL,CAAC;AAED,MAAI,KAAK,4CAA4C,CAAC,MAAM;AAC1D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AACjE,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI,mBAAmB,MAAM,QAAQ,CAAC;AAClF,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,KAAK,8CAA8C,CAAC,MAAM;AAC5D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AACjE,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI,mBAAmB,MAAM,eAAe,CAAC;AACzF,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,KAAK,2CAA2C,CAAC,MAAM;AACzD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AACjE,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI,mBAAmB,MAAM,WAAW,CAAC;AACrF,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,KAAK,6CAA6C,CAAC,MAAM;AAC3D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AACjE,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI,mBAAmB,MAAM,QAAQ,CAAC;AAClF,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,IAAI,yBAAyB,CAAC,MAAM;AACtC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AACjE,WAAO,EAAE,KAAK,aAAa,SAAS,IAAI,CAAC;AAAA,EAC3C,CAAC;AAED,MAAI,IAAI,yBAAyB,OAAO,MAAM;AAC5C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,UAAW,KAAK,WAAW,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU,CAAC;AAEpF,UAAM,UAAU,kBAAkB,MAAM,OAAO;AAC/C,QACG,QAAQ,UAAU,KAAK,SAAS,UAAU,MAAM,UAAU,SAAS,QAAQ,SAAS,EAAE,KACtF,QAAQ,UAAU,KAAK,SAAS,UAAU,MAAM,UAAU,SAAS,QAAQ,SAAS,EAAE,GACvF;AACA,aAAO,UAAU,GAAG,KAAK,YAAY,oDAAoD;AAAA,IAC3F;AAEA,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI,OAAO;AACvD,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,KAAK,yBAAyB,OAAO,MAAM;AAC7C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,UAAW,KAAK,WAAW,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU,CAAC;AACpF,UAAM,UAAU,kBAAkB,MAAM,OAAO;AAC/C,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI,OAAO;AACvD,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,OAAO,yBAAyB,CAAC,MAAM;AACzC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAGjE,QAAI,KAAK,WAAW,iBAAiB;AACnC,gBAAU,MAAM,OAAO,KAAK,IAAI,mBAAmB,MAAM,eAAe,CAAC;AACzE,aAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC3C;AAEA,eAAW,cAAc,UAAU,iBAAiB,OAAO,gBAAgB,KAAK,OAAO,GAAG;AACxF,gBAAU,iBAAiB,OAAO,WAAW,EAAE;AAAA,IACjD;AACA,eAAW,cAAc,UAAU,eAAe,OAAO,gBAAgB,KAAK,OAAO,GAAG;AACtF,gBAAU,eAAe,OAAO,WAAW,EAAE;AAAA,IAC/C;AAEA,cAAU,MAAM,OAAO,KAAK,EAAE;AAC9B,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AAED,MAAI,KAAK,8CAA8C,CAAC,MAAM;AAC5D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AACjE,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI;AAAA,MAC9C,QAAQ;AAAA,MACR,mBAAmB,OAAO;AAAA,MAC1B,yBAAyB;AAAA,IAC3B,CAAC;AACD,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AACH;;;ACxMA,SAAS,iBAAiB,OAAwC,aAAqB,YAA0B;AAC/G,QAAM,WAAW,MAAM,iBACpB,OAAO,iBAAiB,WAAW,EACnC,KAAK,CAAC,UAAU,MAAM,iBAAiB,UAAU;AACpD,MAAI,CAAC,UAAU;AACb,UAAM,iBAAiB,OAAO;AAAA,MAC5B,eAAe;AAAA,MACf,cAAc;AAAA,IAChB,CAAC;AAAA,EACH;AACF;AAEA,SAAS,oBAAoB,OAAwC,WAAmB,YAA0B;AAChH,QAAM,WAAW,MAAM,eACpB,OAAO,eAAe,SAAS,EAC/B,KAAK,CAAC,UAAU,MAAM,iBAAiB,UAAU;AACpD,MAAI,CAAC,UAAU;AACb,UAAM,eAAe,OAAO;AAAA,MAC1B,aAAa;AAAA,MACb,cAAc;AAAA,IAChB,CAAC;AAAA,EACH;AACF;AAEA,SAAS,aAAa,OAAc,UAAwB;AAC1D,QAAM,OAAO,aAAa,KAAK;AAE/B,QAAM,gBAAgB,KAAK,qBAAqB,UAAU,aAAa,sBAAsB;AAC7F,MAAI,CAAC,eAAe;AAClB,SAAK,qBAAqB,OAAO,iCAAiC,CAAC;AAAA,EACrE;AAEA,MAAI,WAAW,KAAK,OAAO,UAAU,WAAW,yBAAyB;AACzE,MAAI,CAAC,UAAU;AACb,eAAW,KAAK,OAAO,OAAO,mBAAmB,CAAC;AAAA,EACpD;AAEA,MAAI,OAAO,KAAK,MAAM,UAAU,SAAS,qBAAqB;AAC9D,MAAI,CAAC,MAAM;AACT,WAAO,KAAK,MAAM,OAAO,kBAAkB,CAAC;AAAA,EAC9C;AAEA,MAAI,CAAC,KAAK,aAAa,UAAU,aAAa,kBAAkB,GAAG;AACjE,SAAK,aAAa,OAAO;AAAA,MACvB,WAAW;AAAA,MACX,eAAe;AAAA,MACf,MAAM;AAAA,MACN,eAAe,CAAC,gCAAgC;AAAA,MAChD,gBAAgB,CAAC,MAAM;AAAA,MACvB,aAAa,CAAC,sBAAsB,iBAAiB,oBAAoB;AAAA,MACzE,4BAA4B;AAAA,MAC5B,gBAAgB;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,aAAa,UAAU,aAAa,eAAe,GAAG;AAC9D,SAAK,aAAa,OAAO;AAAA,MACvB,WAAW;AAAA,MACX,eAAe;AAAA,MACf,MAAM;AAAA,MACN,eAAe;AAAA,QACb;AAAA,QACA;AAAA,MACF;AAAA,MACA,gBAAgB,CAAC,MAAM;AAAA,MACvB,aAAa,CAAC,sBAAsB,eAAe;AAAA,MACnD,4BAA4B;AAAA,MAC5B,gBAAgB;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,MAAI,KAAK,KAAK,IAAI,EAAE,WAAW,GAAG;AAChC,SAAK,KAAK,OAAO,iBAAiB,CAAC;AAAA,EACrC;AAEA,mBAAiB,MAAM,SAAS,SAAS,KAAK,OAAO;AACvD;AAEO,SAAS,eAAe,OAAc,UAAkB,QAA8B;AAC3F,QAAM,OAAO,aAAa,KAAK;AAE/B,MAAI,OAAO,uBAAuB;AAChC,eAAW,UAAU,OAAO,uBAAuB;AACjD,YAAM,WAAW,KAAK,qBAAqB,UAAU,aAAa,OAAO,EAAE;AAC3E,UAAI,SAAU;AACd,WAAK,qBAAqB,OAAO;AAAA,QAC/B,WAAW,OAAO;AAAA,QAClB,MAAM,OAAO;AAAA,QACb,aAAa,OAAO,eAAe;AAAA,QACnC,WAAW,OAAO,aAAa,CAAC,eAAe;AAAA,QAC/C,QAAQ,0BAA0B,OAAO,QAAQ,QAAQ;AAAA,MAC3D,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,OAAO,OAAO;AAChB,eAAW,QAAQ,OAAO,OAAO;AAC/B,YAAM,UAAU,KAAK,MAAM,UAAU,SAAS,KAAK,KAAK;AACxD,UAAI,QAAS;AACb,YAAM,iBAAiB,gBAAgB,KAAK,QAAQ,QAAQ;AAC5D,WAAK,MAAM,OAAO;AAAA,QAChB,SAAS,KAAK,WAAW,eAAe,KAAK;AAAA,QAC7C,QAAQ;AAAA,QACR,cAAc,mBAAmB,YAAW,oBAAI,KAAK,GAAE,YAAY,IAAI;AAAA,QACvE,oBAAmB,oBAAI,KAAK,GAAE,YAAY;AAAA,QAC1C,eAAe;AAAA,QACf,qBAAqB;AAAA,QACrB,yBAAyB;AAAA,QACzB,OAAO,KAAK;AAAA,QACZ,OAAO,KAAK,SAAS,KAAK;AAAA,QAC1B,YAAY,KAAK,cAAc;AAAA,QAC/B,WAAW,KAAK,aAAa;AAAA,QAC7B,cAAc,KAAK,gBAAgB,GAAG,KAAK,cAAc,MAAM,IAAI,KAAK,aAAa,MAAM,GAAG,KAAK;AAAA,QACnG,QAAQ,KAAK,UAAU;AAAA,QACvB,WAAW,KAAK,aAAa;AAAA,MAC/B,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ;AACjB,eAAW,SAAS,OAAO,QAAQ;AACjC,YAAM,SAAS,KAAK,OAAO,UAAU,QAAQ,MAAM,IAAI;AACvD,UAAI,OAAQ;AACZ,WAAK,OAAO,OAAO;AAAA,QACjB,SAAS,MAAM,WAAW,eAAe,KAAK;AAAA,QAC9C,MAAM,mBAAmB,MAAM,MAAM,YAAY;AAAA,QACjD,MAAM,MAAM;AAAA,QACZ,aAAa,MAAM,eAAe;AAAA,MACpC,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,OAAO,MAAM;AACf,eAAW,OAAO,OAAO,MAAM;AAC7B,YAAM,SAAS,KAAK,KAAK,UAAU,QAAQ,IAAI,IAAI;AACnD,UAAI,OAAQ;AACZ,WAAK,KAAK,OAAO;AAAA,QACf,SAAS,IAAI,WAAW,eAAe,KAAK;AAAA,QAC5C,MAAM,IAAI;AAAA,QACV,OAAO,IAAI,SAAS,IAAI;AAAA,QACxB,QAAQ,mBAAmB,IAAI,QAAQ,QAAQ;AAAA,QAC/C,cAAc,IAAI,gBAAgB;AAAA,QAClC,UAAU,IAAI,YAAY,CAAC;AAAA,QAC3B,aAAa,IAAI,eAAe,CAAC;AAAA,MACnC,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,OAAO,eAAe;AACxB,eAAW,UAAU,OAAO,eAAe;AACzC,YAAM,WAAW,KAAK,aAAa,UAAU,aAAa,OAAO,SAAS;AAC1E,UAAI,SAAU;AACd,YAAM,0BAA0B,OAAO,8BAA8B;AACrE,WAAK,aAAa,OAAO;AAAA,QACvB,WAAW,OAAO;AAAA,QAClB,eAAe,OAAO,iBAAiB;AAAA,QACvC,MAAM,OAAO;AAAA,QACb,eAAe,OAAO;AAAA,QACtB,gBAAgB,OAAO,kBAAkB,CAAC,MAAM;AAAA,QAChD,aAAa,OAAO,eAAe,CAAC,sBAAsB,iBAAiB,oBAAoB;AAAA,QAC/F,4BAA4B;AAAA,QAC5B,gBAAgB,OAAO,kBAAkB;AAAA,MAC3C,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,OAAO,mBAAmB;AAC5B,eAAW,cAAc,OAAO,mBAAmB;AACjD,YAAM,QAAQ,KAAK,OAAO,UAAU,WAAW,WAAW,aAAa;AACvE,YAAM,OAAO,KAAK,MAAM,UAAU,WAAW,WAAW,YAAY;AACpE,UAAI,CAAC,SAAS,CAAC,KAAM;AACrB,uBAAiB,MAAM,MAAM,SAAS,KAAK,OAAO;AAAA,IACpD;AAAA,EACF;AAEA,MAAI,OAAO,iBAAiB;AAC1B,eAAW,cAAc,OAAO,iBAAiB;AAC/C,YAAM,MAAM,KAAK,KAAK,UAAU,WAAW,WAAW,WAAW;AACjE,YAAM,OAAO,KAAK,MAAM,UAAU,WAAW,WAAW,YAAY;AACpE,UAAI,CAAC,OAAO,CAAC,KAAM;AACnB,0BAAoB,MAAM,IAAI,SAAS,KAAK,OAAO;AAAA,IACrD;AAAA,EACF;AACF;AAEO,IAAM,aAA4B;AAAA,EACvC,MAAM;AAAA,EACN,SACE,KACA,OACA,UACA,SACA,UACM;AACN,UAAM,MAAoB,EAAE,KAAK,OAAO,UAAU,SAAS,SAAS;AACpE,gBAAY,GAAG;AACf,eAAW,GAAG;AACd,gBAAY,GAAG;AACf,cAAU,GAAG;AACb,8BAA0B,GAAG;AAAA,EAC/B;AAAA,EACA,KAAK,OAAc,SAAuB;AACxC,iBAAa,OAAO,OAAO;AAAA,EAC7B;AACF;AAEA,IAAO,gBAAQ;","names":[]}
|
|
1
|
+
{"version":3,"sources":["../src/helpers.ts","../../core/src/store.ts","../../core/src/server.ts","../../core/src/webhooks.ts","../../core/src/middleware/error-handler.ts","../../core/src/middleware/auth.ts","../../core/src/debug.ts","../../core/src/fonts.ts","../../core/src/middleware/pagination.ts","../../core/src/ui.ts","../../core/src/oauth-helpers.ts","../../core/src/persistence.ts","../src/route-helpers.ts","../src/store.ts","../src/routes/apps.ts","../src/routes/auth-servers.ts","../src/routes/groups.ts","../src/routes/oauth.ts","../src/routes/users.ts","../src/index.ts"],"sourcesContent":["import { randomUUID } from \"node:crypto\";\nimport type {\n OktaAuthorizationServer,\n OktaAuthorizationServerStatus,\n OktaApp,\n OktaAppStatus,\n OktaGroup,\n OktaGroupType,\n OktaUser,\n OktaUserStatus,\n} from \"./entities.js\";\n\nexport const ORG_AUTH_SERVER_ID = \"org\";\nexport const DEFAULT_AUTH_SERVER_ID = \"default\";\nexport const DEFAULT_AUDIENCE = \"api://default\";\nexport const DEFAULT_EVERYONE_GROUP_NAME = \"Everyone\";\nexport const DEFAULT_EVERYONE_GROUP_ID = \"00g_everyone\";\n\nexport function nowIso(): string {\n return new Date().toISOString();\n}\n\nexport function generateOktaId(prefix: string): string {\n const compact = randomUUID().replace(/-/g, \"\");\n return `${prefix}${compact.slice(0, 17)}`;\n}\n\nexport function normalizeStatus(status: string | undefined, fallback: OktaUserStatus): OktaUserStatus {\n if (\n status === \"STAGED\" ||\n status === \"PROVISIONED\" ||\n status === \"ACTIVE\" ||\n status === \"SUSPENDED\" ||\n status === \"DEPROVISIONED\"\n ) {\n return status;\n }\n return fallback;\n}\n\nexport function normalizeAppStatus(status: string | undefined, fallback: OktaAppStatus): OktaAppStatus {\n if (status === \"ACTIVE\" || status === \"INACTIVE\") return status;\n return fallback;\n}\n\nexport function normalizeAuthServerStatus(\n status: string | undefined,\n fallback: OktaAuthorizationServerStatus,\n): OktaAuthorizationServerStatus {\n if (status === \"ACTIVE\" || status === \"INACTIVE\") return status;\n return fallback;\n}\n\nexport function normalizeGroupType(type: string | undefined, fallback: OktaGroupType): OktaGroupType {\n if (type === \"OKTA_GROUP\" || type === \"BUILT_IN\") return type;\n return fallback;\n}\n\nexport function boolFromQuery(value: string | undefined, fallback: boolean): boolean {\n if (value == null) return fallback;\n const lowered = value.toLowerCase();\n if (lowered === \"true\" || lowered === \"1\") return true;\n if (lowered === \"false\" || lowered === \"0\") return false;\n return fallback;\n}\n\nexport function resolveOktaIssuer(baseUrl: string, authServerId: string): string {\n if (authServerId === ORG_AUTH_SERVER_ID) return baseUrl;\n return `${baseUrl}/oauth2/${authServerId}`;\n}\n\nexport function userDisplayName(user: Pick<OktaUser, \"display_name\" | \"first_name\" | \"last_name\" | \"login\">): string {\n if (user.display_name) return user.display_name;\n const combined = `${user.first_name} ${user.last_name}`.trim();\n return combined || user.login;\n}\n\nexport function createDefaultUser(): Omit<OktaUser, \"id\" | \"created_at\" | \"updated_at\"> {\n const now = nowIso();\n return {\n okta_id: generateOktaId(\"00u\"),\n status: \"ACTIVE\",\n activated_at: now,\n status_changed_at: now,\n last_login_at: null,\n password_changed_at: null,\n transitioning_to_status: null,\n login: \"testuser@okta.local\",\n email: \"testuser@okta.local\",\n first_name: \"Test\",\n last_name: \"User\",\n display_name: \"Test User\",\n locale: \"en-US\",\n time_zone: \"UTC\",\n };\n}\n\nexport function createDefaultGroup(): Omit<OktaGroup, \"id\" | \"created_at\" | \"updated_at\"> {\n return {\n okta_id: DEFAULT_EVERYONE_GROUP_ID,\n type: \"BUILT_IN\",\n name: DEFAULT_EVERYONE_GROUP_NAME,\n description: \"All users in the organization\",\n };\n}\n\nexport function createDefaultAuthorizationServer(): Omit<OktaAuthorizationServer, \"id\" | \"created_at\" | \"updated_at\"> {\n return {\n server_id: DEFAULT_AUTH_SERVER_ID,\n name: \"default\",\n description: \"Default custom authorization server\",\n audiences: [DEFAULT_AUDIENCE],\n status: \"ACTIVE\",\n };\n}\n\nexport function createDefaultApp(): Omit<OktaApp, \"id\" | \"created_at\" | \"updated_at\"> {\n return {\n okta_id: generateOktaId(\"0oa\"),\n name: \"oidc_client\",\n label: \"Sample OIDC App\",\n status: \"ACTIVE\",\n sign_on_mode: \"OPENID_CONNECT\",\n settings: {\n oauthClient: {\n redirect_uris: [\"http://localhost:3000/callback\"],\n },\n },\n credentials: {},\n };\n}\n","export interface Entity {\n id: number;\n created_at: string;\n updated_at: string;\n}\n\nexport type InsertInput<T extends Entity> = Omit<T, \"id\" | \"created_at\" | \"updated_at\"> & { id?: number };\n\nexport type FilterFn<T> = (item: T) => boolean;\nexport type SortFn<T> = (a: T, b: T) => number;\n\nexport interface QueryOptions<T> {\n filter?: FilterFn<T>;\n sort?: SortFn<T>;\n page?: number;\n per_page?: number;\n}\n\nexport interface PaginatedResult<T> {\n items: T[];\n total_count: number;\n page: number;\n per_page: number;\n has_next: boolean;\n has_prev: boolean;\n}\n\nexport interface CollectionSnapshot<T extends Entity = Entity> {\n items: T[];\n autoId: number;\n indexFields: string[];\n}\n\nexport interface StoreSnapshot {\n collections: Record<string, CollectionSnapshot>;\n data: Record<string, unknown>;\n}\n\nexport function serializeValue(value: unknown): unknown {\n if (value instanceof Map) {\n return { __type: \"Map\" as const, entries: [...value.entries()].map(([k, v]) => [k, serializeValue(v)]) };\n }\n if (value instanceof Set) {\n return { __type: \"Set\" as const, values: [...value.values()] };\n }\n return value;\n}\n\nexport function deserializeValue(value: unknown): unknown {\n if (value !== null && typeof value === \"object\" && \"__type\" in value) {\n const tagged = value as Record<string, unknown>;\n if (tagged.__type === \"Map\") {\n const entries = tagged.entries as [unknown, unknown][];\n return new Map(entries.map(([k, v]) => [k, deserializeValue(v)]));\n }\n if (tagged.__type === \"Set\") {\n return new Set(tagged.values as unknown[]);\n }\n }\n return value;\n}\n\nexport class Collection<T extends Entity> {\n private items = new Map<number, T>();\n private indexes = new Map<string, Map<string | number, Set<number>>>();\n private autoId = 1;\n readonly fieldNames: string[];\n\n constructor(private indexFields: (keyof T)[] = []) {\n this.fieldNames = indexFields.map(String).sort();\n for (const field of indexFields) {\n this.indexes.set(String(field), new Map());\n }\n }\n\n private addToIndex(item: T): void {\n for (const field of this.indexFields) {\n const value = item[field];\n if (value === undefined || value === null) continue;\n const indexMap = this.indexes.get(String(field))!;\n const key = String(value);\n if (!indexMap.has(key)) {\n indexMap.set(key, new Set());\n }\n indexMap.get(key)!.add(item.id);\n }\n }\n\n private removeFromIndex(item: T): void {\n for (const field of this.indexFields) {\n const value = item[field];\n if (value === undefined || value === null) continue;\n const indexMap = this.indexes.get(String(field))!;\n const key = String(value);\n indexMap.get(key)?.delete(item.id);\n }\n }\n\n insert(data: InsertInput<T>): T {\n const now = new Date().toISOString();\n const explicitId = data.id != null && data.id > 0 ? data.id : undefined;\n const id = explicitId ?? this.autoId++;\n if (id >= this.autoId) {\n this.autoId = id + 1;\n }\n const item = {\n ...data,\n id,\n created_at: now,\n updated_at: now,\n } as unknown as T;\n this.items.set(id, item);\n this.addToIndex(item);\n return item;\n }\n\n get(id: number): T | undefined {\n return this.items.get(id);\n }\n\n findBy(field: keyof T, value: T[keyof T] | string | number): T[] {\n if (this.indexes.has(String(field))) {\n const ids = this.indexes.get(String(field))!.get(String(value));\n if (!ids) return [];\n return Array.from(ids)\n .map((id) => this.items.get(id)!)\n .filter(Boolean);\n }\n return this.all().filter((item) => item[field] === value);\n }\n\n findOneBy(field: keyof T, value: T[keyof T] | string | number): T | undefined {\n return this.findBy(field, value)[0];\n }\n\n update(id: number, data: Partial<T>): T | undefined {\n const existing = this.items.get(id);\n if (!existing) return undefined;\n this.removeFromIndex(existing);\n const updated = {\n ...existing,\n ...data,\n id,\n updated_at: new Date().toISOString(),\n } as T;\n this.items.set(id, updated);\n this.addToIndex(updated);\n return updated;\n }\n\n delete(id: number): boolean {\n const existing = this.items.get(id);\n if (!existing) return false;\n this.removeFromIndex(existing);\n return this.items.delete(id);\n }\n\n all(): T[] {\n return Array.from(this.items.values());\n }\n\n query(options: QueryOptions<T> = {}): PaginatedResult<T> {\n let results = this.all();\n\n if (options.filter) {\n results = results.filter(options.filter);\n }\n\n const total_count = results.length;\n\n if (options.sort) {\n results.sort(options.sort);\n }\n\n const page = options.page ?? 1;\n const per_page = Math.min(options.per_page ?? 30, 100);\n const start = (page - 1) * per_page;\n const paged = results.slice(start, start + per_page);\n\n return {\n items: paged,\n total_count,\n page,\n per_page,\n has_next: start + per_page < total_count,\n has_prev: page > 1,\n };\n }\n\n count(filter?: FilterFn<T>): number {\n if (!filter) return this.items.size;\n return this.all().filter(filter).length;\n }\n\n clear(): void {\n this.items.clear();\n for (const indexMap of this.indexes.values()) {\n indexMap.clear();\n }\n this.autoId = 1;\n }\n\n snapshot(): CollectionSnapshot<T> {\n return {\n items: this.all(),\n autoId: this.autoId,\n indexFields: this.fieldNames,\n };\n }\n\n restore(snap: CollectionSnapshot<T>): void {\n this.clear();\n this.autoId = snap.autoId;\n for (const item of snap.items) {\n this.items.set(item.id, item);\n this.addToIndex(item);\n }\n }\n}\n\nexport class Store {\n private collections = new Map<string, Collection<any>>();\n private _data = new Map<string, unknown>();\n\n collection<T extends Entity>(name: string, indexFields: (keyof T)[] = []): Collection<T> {\n const existing = this.collections.get(name);\n if (existing) {\n if (indexFields.length > 0) {\n const requested = indexFields.map(String).sort();\n if (existing.fieldNames.length !== requested.length || existing.fieldNames.some((f, i) => f !== requested[i])) {\n throw new Error(\n `Collection \"${name}\" already exists with indexes [${existing.fieldNames}] but was requested with [${requested}]`,\n );\n }\n }\n return existing as Collection<T>;\n }\n const col = new Collection<T>(indexFields);\n this.collections.set(name, col);\n return col;\n }\n\n getData<V>(key: string): V | undefined {\n return this._data.get(key) as V | undefined;\n }\n\n setData<V>(key: string, value: V): void {\n this._data.set(key, value);\n }\n\n reset(): void {\n for (const collection of this.collections.values()) {\n collection.clear();\n }\n this._data.clear();\n }\n\n snapshot(): StoreSnapshot {\n const collections: Record<string, CollectionSnapshot> = {};\n for (const [name, col] of this.collections) {\n collections[name] = col.snapshot();\n }\n const data: Record<string, unknown> = {};\n for (const [key, value] of this._data) {\n data[key] = serializeValue(value);\n }\n return { collections, data };\n }\n\n restore(snap: StoreSnapshot): void {\n const snapshotNames = new Set(Object.keys(snap.collections));\n for (const name of this.collections.keys()) {\n if (!snapshotNames.has(name)) {\n this.collections.delete(name);\n }\n }\n for (const [name, colSnap] of Object.entries(snap.collections)) {\n const indexFields = colSnap.indexFields as (keyof Entity)[];\n const col = this.collection(name, indexFields);\n col.restore(colSnap as CollectionSnapshot<any>);\n }\n this._data.clear();\n for (const [key, value] of Object.entries(snap.data)) {\n this._data.set(key, deserializeValue(value));\n }\n }\n}\n","import { Hono } from \"hono\";\nimport { cors } from \"hono/cors\";\nimport { Store } from \"./store.js\";\nimport { WebhookDispatcher } from \"./webhooks.js\";\nimport { createApiErrorHandler, createErrorHandler } from \"./middleware/error-handler.js\";\nimport {\n authMiddleware,\n type AuthFallback,\n type TokenMap,\n type AppKeyResolver,\n type AppEnv,\n} from \"./middleware/auth.js\";\nimport type { ServicePlugin } from \"./plugin.js\";\nimport { registerFontRoutes } from \"./fonts.js\";\n\nexport interface ServerOptions {\n port?: number;\n baseUrl?: string;\n docsUrl?: string;\n tokens?: Record<string, { login: string; id: number; scopes?: string[] }>;\n appKeyResolver?: AppKeyResolver;\n fallbackUser?: AuthFallback;\n}\n\nexport function createServer(plugin: ServicePlugin, options: ServerOptions = {}) {\n const port = options.port ?? 4000;\n const baseUrl = options.baseUrl ?? `http://localhost:${port}`;\n\n const app = new Hono<AppEnv>();\n const store = new Store();\n const webhooks = new WebhookDispatcher();\n\n const tokenMap: TokenMap = new Map();\n if (options.tokens) {\n for (const [token, user] of Object.entries(options.tokens)) {\n tokenMap.set(token, {\n login: user.login,\n id: user.id,\n scopes: user.scopes ?? [\"repo\", \"user\", \"admin:org\", \"admin:repo_hook\"],\n });\n }\n }\n\n const docsUrl = options.docsUrl ?? `https://emulate.dev/${plugin.name}`;\n\n registerFontRoutes(app);\n\n app.onError(createApiErrorHandler(docsUrl));\n app.use(\"*\", cors());\n app.use(\"*\", createErrorHandler(docsUrl));\n app.use(\"*\", authMiddleware(tokenMap, options.appKeyResolver, options.fallbackUser));\n\n const rateLimitCounters = new Map<string, { remaining: number; resetAt: number }>();\n let lastPruneAt = Math.floor(Date.now() / 1000);\n\n app.use(\"*\", async (c, next) => {\n const token = c.get(\"authToken\") ?? \"__anonymous__\";\n const now = Math.floor(Date.now() / 1000);\n\n if (now - lastPruneAt > 3600) {\n for (const [key, val] of rateLimitCounters) {\n if (val.resetAt <= now) rateLimitCounters.delete(key);\n }\n lastPruneAt = now;\n }\n\n let counter = rateLimitCounters.get(token);\n if (!counter || counter.resetAt <= now) {\n counter = { remaining: 5000, resetAt: now + 3600 };\n rateLimitCounters.set(token, counter);\n }\n\n counter.remaining = Math.max(0, counter.remaining - 1);\n\n c.header(\"X-RateLimit-Limit\", \"5000\");\n c.header(\"X-RateLimit-Remaining\", String(counter.remaining));\n c.header(\"X-RateLimit-Reset\", String(counter.resetAt));\n c.header(\"X-RateLimit-Resource\", \"core\");\n\n if (counter.remaining === 0) {\n return c.json(\n {\n message: \"API rate limit exceeded\",\n documentation_url: docsUrl,\n },\n 403,\n );\n }\n\n await next();\n });\n\n plugin.register(app, store, webhooks, baseUrl, tokenMap);\n\n app.notFound((c) =>\n c.json(\n {\n message: \"Not Found\",\n documentation_url: docsUrl,\n },\n 404,\n ),\n );\n\n return { app, store, webhooks, port, baseUrl, tokenMap };\n}\n","import { createHmac } from \"crypto\";\n\nexport interface WebhookSubscription {\n id: number;\n url: string;\n events: string[];\n active: boolean;\n secret?: string;\n owner: string;\n repo?: string;\n}\n\nexport interface WebhookDelivery {\n id: number;\n hook_id: number;\n event: string;\n action?: string;\n payload: unknown;\n status_code: number | null;\n delivered_at: string;\n duration: number | null;\n success: boolean;\n}\n\nconst MAX_DELIVERIES = 1000;\n\nexport class WebhookDispatcher {\n private subscriptions: WebhookSubscription[] = [];\n private deliveries: WebhookDelivery[] = [];\n private subscriptionIdCounter = 1;\n private deliveryIdCounter = 1;\n\n register(sub: Omit<WebhookSubscription, \"id\"> & { id?: number }): WebhookSubscription {\n const { id: explicitId, ...rest } = sub;\n const id = explicitId !== undefined ? explicitId : this.subscriptionIdCounter++;\n if (id >= this.subscriptionIdCounter) {\n this.subscriptionIdCounter = id + 1;\n }\n const subscription: WebhookSubscription = { ...rest, id };\n this.subscriptions.push(subscription);\n return subscription;\n }\n\n unregister(id: number): boolean {\n const idx = this.subscriptions.findIndex((s) => s.id === id);\n if (idx === -1) return false;\n this.subscriptions.splice(idx, 1);\n return true;\n }\n\n getSubscription(id: number): WebhookSubscription | undefined {\n return this.subscriptions.find((s) => s.id === id);\n }\n\n getSubscriptions(owner?: string, repo?: string): WebhookSubscription[] {\n return this.subscriptions.filter((s) => {\n if (owner && s.owner !== owner) return false;\n if (repo !== undefined && s.repo !== repo) return false;\n return true;\n });\n }\n\n updateSubscription(\n id: number,\n data: Partial<Pick<WebhookSubscription, \"url\" | \"events\" | \"active\" | \"secret\">>,\n ): WebhookSubscription | undefined {\n const sub = this.subscriptions.find((s) => s.id === id);\n if (!sub) return undefined;\n Object.assign(sub, data);\n return sub;\n }\n\n async dispatch(\n event: string,\n action: string | undefined,\n payload: unknown,\n owner: string,\n repo?: string,\n ): Promise<void> {\n const matchingSubs = this.subscriptions.filter((s) => {\n if (!s.active) return false;\n if (s.owner !== owner) return false;\n if (repo !== undefined) {\n if (s.repo !== repo) return false;\n } else if (s.repo !== undefined) {\n return false;\n }\n return event === \"ping\" || s.events.includes(\"*\") || s.events.includes(event);\n });\n\n for (const sub of matchingSubs) {\n const delivery: WebhookDelivery = {\n id: this.deliveryIdCounter++,\n hook_id: sub.id,\n event,\n action,\n payload,\n status_code: null,\n delivered_at: new Date().toISOString(),\n duration: null,\n success: false,\n };\n\n const body = JSON.stringify(payload);\n\n const signatureHeaders: Record<string, string> = {};\n if (sub.secret) {\n const hmac = createHmac(\"sha256\", sub.secret).update(body).digest(\"hex\");\n signatureHeaders[\"X-Hub-Signature-256\"] = `sha256=${hmac}`;\n }\n\n try {\n const start = Date.now();\n const response = await fetch(sub.url, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n \"X-GitHub-Event\": event,\n \"X-GitHub-Delivery\": String(delivery.id),\n ...signatureHeaders,\n },\n body,\n signal: AbortSignal.timeout(10000),\n });\n delivery.duration = Date.now() - start;\n delivery.status_code = response.status;\n delivery.success = response.ok;\n } catch {\n delivery.duration = 0;\n delivery.success = false;\n }\n\n this.deliveries.push(delivery);\n if (this.deliveries.length > MAX_DELIVERIES) {\n this.deliveries.splice(0, this.deliveries.length - MAX_DELIVERIES);\n }\n }\n }\n\n getDeliveries(hookId?: number): WebhookDelivery[] {\n if (hookId !== undefined) {\n return this.deliveries.filter((d) => d.hook_id === hookId);\n }\n return [...this.deliveries];\n }\n\n clear(): void {\n this.subscriptions.length = 0;\n this.deliveries.length = 0;\n this.subscriptionIdCounter = 1;\n this.deliveryIdCounter = 1;\n }\n}\n","import type { Context, ErrorHandler, MiddlewareHandler } from \"hono\";\nimport type { ContentfulStatusCode } from \"hono/utils/http-status\";\n\nconst DEFAULT_DOCS_URL = \"https://emulate.dev\";\n\nfunction getDocsUrl(c: Context): string {\n return (c.get(\"docsUrl\") as string | undefined) ?? DEFAULT_DOCS_URL;\n}\n\nfunction errorStatus(err: unknown): number {\n if (err && typeof err === \"object\" && \"status\" in err) {\n const s = (err as { status: unknown }).status;\n if (typeof s === \"number\" && Number.isFinite(s)) return s;\n }\n return 500;\n}\n\n/**\n * Use with `app.onError(...)`. Hono routes handler throws to the app error handler, not to outer middleware try/catch.\n */\nexport function createApiErrorHandler(documentationUrl?: string): ErrorHandler {\n return (err, c) => {\n if (documentationUrl) {\n c.set(\"docsUrl\", documentationUrl);\n }\n const status = errorStatus(err);\n const message = err instanceof Error ? err.message : \"Internal Server Error\";\n return c.json(\n {\n message,\n documentation_url: getDocsUrl(c),\n },\n status as ContentfulStatusCode,\n );\n };\n}\n\n/** Sets `docsUrl` on the context for successful responses; register `createApiErrorHandler` for thrown `ApiError`s. */\nexport function createErrorHandler(documentationUrl?: string): MiddlewareHandler {\n return async (c, next) => {\n if (documentationUrl) {\n c.set(\"docsUrl\", documentationUrl);\n }\n await next();\n };\n}\n\nexport const errorHandler: MiddlewareHandler = createErrorHandler();\n\nexport class ApiError extends Error {\n constructor(\n public status: number,\n message: string,\n public errors?: Array<{ resource: string; field: string; code: string }>,\n ) {\n super(message);\n this.name = \"ApiError\";\n }\n}\n\nexport function notFound(resource?: string): ApiError {\n return new ApiError(404, resource ? `${resource} not found` : \"Not Found\");\n}\n\nexport function validationError(message: string, errors?: ApiError[\"errors\"]): ApiError {\n return new ApiError(422, message, errors);\n}\n\nexport function unauthorized(): ApiError {\n return new ApiError(401, \"Requires authentication\");\n}\n\nexport function forbidden(): ApiError {\n return new ApiError(403, \"Forbidden\");\n}\n\nexport async function parseJsonBody(c: Context): Promise<Record<string, unknown>> {\n try {\n const body = await c.req.json();\n if (body && typeof body === \"object\" && !Array.isArray(body)) {\n return body as Record<string, unknown>;\n }\n return {};\n } catch {\n throw new ApiError(400, \"Problems parsing JSON\");\n }\n}\n","import type { Context, Next } from \"hono\";\nimport { jwtVerify, importPKCS8 } from \"jose\";\nimport { debug } from \"../debug.js\";\n\nexport interface AuthUser {\n login: string;\n id: number;\n scopes: string[];\n}\n\nexport interface AuthApp {\n appId: number;\n slug: string;\n name: string;\n}\n\nexport interface AuthInstallation {\n installationId: number;\n appId: number;\n permissions: Record<string, string>;\n repositoryIds: number[];\n repositorySelection: \"all\" | \"selected\";\n}\n\nexport type TokenMap = Map<string, AuthUser>;\n\nexport interface TokenEntry {\n token: string;\n login: string;\n id: number;\n scopes: string[];\n}\n\nexport function serializeTokenMap(tokenMap: TokenMap): TokenEntry[] {\n return [...tokenMap.entries()].map(([token, user]) => ({\n token,\n login: user.login,\n id: user.id,\n scopes: user.scopes,\n }));\n}\n\nexport function restoreTokenMap(tokenMap: TokenMap, tokens: TokenEntry[]): void {\n tokenMap.clear();\n for (const t of tokens) {\n tokenMap.set(t.token, { login: t.login, id: t.id, scopes: t.scopes });\n }\n}\n\nexport type AppEnv = {\n Variables: {\n authUser?: AuthUser;\n authApp?: AuthApp;\n authToken?: string;\n authScopes?: string[];\n docsUrl?: string;\n };\n};\n\nexport interface AppKeyResolver {\n (appId: number): { privateKey: string; slug: string; name: string } | null;\n}\n\nexport interface AuthFallback {\n login: string;\n id: number;\n scopes: string[];\n}\n\nexport function authMiddleware(tokens: TokenMap, appKeyResolver?: AppKeyResolver, fallbackUser?: AuthFallback) {\n return async (c: Context, next: Next) => {\n const authHeader = c.req.header(\"Authorization\");\n if (authHeader) {\n const token = authHeader.replace(/^(Bearer|token)\\s+/i, \"\").trim();\n\n if (token.startsWith(\"eyJ\") && appKeyResolver) {\n try {\n const [, payloadB64] = token.split(\".\");\n const payload = JSON.parse(Buffer.from(payloadB64, \"base64url\").toString());\n const appId = typeof payload.iss === \"string\" ? parseInt(payload.iss, 10) : payload.iss;\n\n if (typeof appId === \"number\" && !isNaN(appId)) {\n const appInfo = appKeyResolver(appId);\n if (appInfo) {\n const key = await importPKCS8(appInfo.privateKey, \"RS256\");\n await jwtVerify(token, key, { algorithms: [\"RS256\"] });\n c.set(\"authApp\", {\n appId,\n slug: appInfo.slug,\n name: appInfo.name,\n } satisfies AuthApp);\n }\n }\n } catch {\n // JWT verification failed\n }\n } else {\n let user = tokens.get(token);\n if (!user && fallbackUser && token.length > 0) {\n debug(\"auth\", \"fallback user for unknown token\", { login: fallbackUser.login, id: fallbackUser.id });\n user = { login: fallbackUser.login, id: fallbackUser.id, scopes: fallbackUser.scopes };\n }\n if (user) {\n c.set(\"authUser\", user);\n c.set(\"authToken\", token);\n c.set(\"authScopes\", user.scopes);\n }\n }\n }\n await next();\n };\n}\n\nexport function requireAuth() {\n return async (c: Context, next: Next) => {\n if (!c.get(\"authUser\")) {\n const docsUrl = (c.get(\"docsUrl\") as string | undefined) ?? \"https://emulate.dev\";\n return c.json(\n {\n message: \"Requires authentication\",\n documentation_url: docsUrl,\n },\n 401,\n );\n }\n await next();\n };\n}\n\nexport function requireAppAuth() {\n return async (c: Context, next: Next) => {\n if (!c.get(\"authApp\")) {\n const docsUrl = (c.get(\"docsUrl\") as string | undefined) ?? \"https://emulate.dev\";\n return c.json(\n {\n message: \"A JSON web token could not be decoded\",\n documentation_url: docsUrl,\n },\n 401,\n );\n }\n await next();\n };\n}\n","const isDebug =\n typeof process !== \"undefined\" &&\n (process.env.DEBUG === \"1\" || process.env.DEBUG === \"true\" || process.env.EMULATE_DEBUG === \"1\");\n\nexport function debug(label: string, ...args: unknown[]): void {\n if (isDebug) {\n console.log(`[${label}]`, ...args);\n }\n}\n","import { readFileSync } from \"node:fs\";\nimport { fileURLToPath } from \"node:url\";\nimport { dirname, join } from \"node:path\";\nimport type { Hono } from \"hono\";\nimport type { AppEnv } from \"./middleware/auth.js\";\n\nconst __dirname = dirname(fileURLToPath(import.meta.url));\n\nconst FONTS: Record<string, Buffer> = {\n \"geist-sans.woff2\": readFileSync(join(__dirname, \"fonts\", \"geist-sans.woff2\")),\n \"GeistPixel-Square.woff2\": readFileSync(join(__dirname, \"fonts\", \"GeistPixel-Square.woff2\")),\n};\n\nconst FAVICON = readFileSync(join(__dirname, \"fonts\", \"favicon.ico\"));\n\nexport function registerFontRoutes(app: Hono<AppEnv>): void {\n app.get(\"/_emulate/fonts/:name\", (c) => {\n const name = c.req.param(\"name\");\n const buf = FONTS[name];\n if (!buf) return c.notFound();\n return new Response(buf, {\n headers: {\n \"Content-Type\": \"font/woff2\",\n \"Cache-Control\": \"public, max-age=31536000, immutable\",\n \"Access-Control-Allow-Origin\": \"*\",\n },\n });\n });\n\n app.get(\"/_emulate/favicon.ico\", (c) => {\n return new Response(FAVICON, {\n headers: {\n \"Content-Type\": \"image/x-icon\",\n \"Cache-Control\": \"public, max-age=31536000, immutable\",\n },\n });\n });\n}\n","import type { Context } from \"hono\";\n\nexport interface PaginationParams {\n page: number;\n per_page: number;\n}\n\nexport function parsePagination(c: Context): PaginationParams {\n const page = Math.max(1, parseInt(c.req.query(\"page\") ?? \"1\", 10) || 1);\n const per_page = Math.min(100, Math.max(1, parseInt(c.req.query(\"per_page\") ?? \"30\", 10) || 30));\n return { page, per_page };\n}\n\nexport function setLinkHeader(c: Context, totalCount: number, page: number, perPage: number): void {\n const lastPage = Math.max(1, Math.ceil(totalCount / perPage));\n const baseUrl = new URL(c.req.url);\n const links: string[] = [];\n\n const makeLink = (p: number, rel: string) => {\n baseUrl.searchParams.set(\"page\", String(p));\n baseUrl.searchParams.set(\"per_page\", String(perPage));\n return `<${baseUrl.toString()}>; rel=\"${rel}\"`;\n };\n\n if (page < lastPage) {\n links.push(makeLink(page + 1, \"next\"));\n links.push(makeLink(lastPage, \"last\"));\n }\n if (page > 1) {\n links.push(makeLink(1, \"first\"));\n links.push(makeLink(page - 1, \"prev\"));\n }\n\n if (links.length > 0) {\n c.header(\"Link\", links.join(\", \"));\n }\n}\n","export function escapeHtml(s: string): string {\n return s.replace(/&/g, \"&\").replace(/</g, \"<\").replace(/>/g, \">\").replace(/\"/g, \""\");\n}\n\nexport function escapeAttr(s: string): string {\n return escapeHtml(s).replace(/'/g, \"'\");\n}\n\nconst CSS = `\n@font-face{\n font-family:'Geist';font-style:normal;font-weight:100 900;font-display:swap;\n src:url('/_emulate/fonts/geist-sans.woff2') format('woff2');\n}\n@font-face{\n font-family:'Geist Pixel';font-style:normal;font-weight:400;font-display:swap;\n src:url('/_emulate/fonts/GeistPixel-Square.woff2') format('woff2');\n}\n*{box-sizing:border-box;margin:0;padding:0}\nbody{\n font-family:'Geist',-apple-system,BlinkMacSystemFont,sans-serif;\n background:#000;color:#33ff00;min-height:100vh;\n -webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;\n}\n.emu-bar{\n border-bottom:1px solid #0a3300;padding:10px 20px;\n display:flex;align-items:center;gap:10px;font-size:.8125rem;color:#1a8c00;\n}\n.emu-bar-title{font-weight:600;color:#33ff00;font-family:'Geist Pixel',monospace;}\n.emu-bar-links{margin-left:auto;display:flex;gap:16px;}\n.emu-bar-links a{\n color:#1a8c00;font-size:.75rem;text-decoration:none;transition:color .15s;\n}\n.emu-bar-links a:hover{color:#33ff00;}\n.emu-bar-links a .full{display:inline;}\n.emu-bar-links a .short{display:none;}\n@media(max-width:600px){\n .emu-bar-links a .full{display:none;}\n .emu-bar-links a .short{display:inline;}\n}\n\n.content{\n display:flex;align-items:center;justify-content:center;\n min-height:calc(100vh - 42px);padding:24px 16px;\n}\n.content-inner{width:100%;max-width:420px;}\n.card-title{\n font-family:'Geist Pixel',monospace;\n font-size:1.125rem;font-weight:600;margin-bottom:4px;color:#33ff00;\n}\n.card-subtitle{color:#1a8c00;font-size:.8125rem;margin-bottom:18px;line-height:1.45;}\n.powered-by{\n position:fixed;bottom:0;left:0;right:0;\n text-align:center;padding:12px;font-size:.6875rem;color:#0a3300;\n font-family:'Geist Pixel',monospace;\n}\n.powered-by a{color:#1a8c00;text-decoration:none;transition:color .15s;}\n.powered-by a:hover{color:#33ff00;}\n\n.error-title{\n font-family:'Geist Pixel',monospace;\n color:#ff4444;font-size:1.125rem;font-weight:600;margin-bottom:8px;\n}\n.error-msg{color:#1a8c00;font-size:.875rem;line-height:1.5;}\n.error-card{text-align:center;}\n\n.user-form{margin-bottom:8px;}\n.user-form:last-of-type{margin-bottom:0;}\n.user-btn{\n width:100%;display:flex;align-items:center;gap:12px;\n padding:10px 12px;border:1px solid #0a3300;border-radius:8px;\n background:#000;color:inherit;cursor:pointer;text-align:left;\n font:inherit;transition:border-color .15s;\n}\n.user-btn:hover{border-color:#33ff00;}\n.avatar{\n width:36px;height:36px;border-radius:50%;\n background:#0a3300;color:#33ff00;font-weight:600;font-size:.875rem;\n display:flex;align-items:center;justify-content:center;flex-shrink:0;\n font-family:'Geist Pixel',monospace;\n}\n.user-text{min-width:0;}\n.user-login{font-weight:600;font-size:.875rem;display:block;color:#33ff00;}\n.user-meta{color:#1a8c00;font-size:.75rem;margin-top:1px;}\n.user-email{font-size:.6875rem;color:#116600;word-break:break-all;margin-top:1px;}\n\n.settings-layout{\n max-width:920px;margin:0 auto;padding:28px 20px;\n display:flex;gap:28px;\n}\n.settings-sidebar{width:200px;flex-shrink:0;}\n.settings-sidebar a{\n display:block;padding:6px 10px;border-radius:6px;color:#1a8c00;\n text-decoration:none;font-size:.8125rem;transition:color .15s;\n}\n.settings-sidebar a:hover{color:#33ff00;}\n.settings-sidebar a.active{color:#33ff00;font-weight:600;}\n.settings-main{flex:1;min-width:0;}\n\n.s-card{\n padding:18px 0;margin-bottom:14px;border-bottom:1px solid #0a3300;\n}\n.s-card:last-child{border-bottom:none;}\n.s-card-header{display:flex;align-items:center;gap:14px;margin-bottom:14px;}\n.s-icon{\n width:42px;height:42px;border-radius:8px;\n background:#0a3300;display:flex;align-items:center;justify-content:center;\n font-size:1.125rem;font-weight:700;color:#116600;flex-shrink:0;\n font-family:'Geist Pixel',monospace;\n}\n.s-title{\n font-family:'Geist Pixel',monospace;\n font-size:1.25rem;font-weight:600;color:#33ff00;\n}\n.s-subtitle{font-size:.75rem;color:#1a8c00;margin-top:2px;}\n.section-heading{\n font-size:.9375rem;font-weight:600;margin-bottom:10px;color:#33ff00;\n display:flex;align-items:center;justify-content:space-between;\n}\n.perm-list{list-style:none;}\n.perm-list li{padding:5px 0;font-size:.8125rem;display:flex;align-items:center;gap:6px;color:#1a8c00;}\n.check{color:#33ff00;}\n.org-row{\n display:flex;align-items:center;gap:8px;padding:7px 0;\n border-bottom:1px solid #0a3300;font-size:.8125rem;\n}\n.org-row:last-child{border-bottom:none;}\n.org-icon{\n width:22px;height:22px;border-radius:4px;background:#0a3300;\n display:flex;align-items:center;justify-content:center;\n font-size:.625rem;font-weight:700;color:#116600;flex-shrink:0;\n font-family:'Geist Pixel',monospace;\n}\n.org-name{font-weight:600;color:#33ff00;}\n.badge{font-size:.6875rem;padding:1px 7px;border-radius:999px;font-weight:500;}\n.badge-granted{background:#0a3300;color:#33ff00;}\n.badge-denied{background:#1a0a0a;color:#ff4444;}\n.badge-requested{background:#0a3300;color:#1a8c00;}\n.btn-revoke{\n display:inline-block;padding:5px 14px;border-radius:6px;\n border:1px solid #0a3300;background:transparent;color:#ff4444;\n font-size:.75rem;font-weight:600;cursor:pointer;transition:border-color .15s;\n}\n.btn-revoke:hover{border-color:#ff4444;}\n.info-text{color:#1a8c00;font-size:.75rem;line-height:1.5;margin-top:10px;}\n.app-link{\n display:flex;align-items:center;gap:12px;padding:12px;\n border:1px solid #0a3300;border-radius:8px;background:#000;\n text-decoration:none;color:inherit;margin-bottom:8px;transition:border-color .15s;\n}\n.app-link:hover{border-color:#33ff00;}\n.app-link-name{font-weight:600;font-size:.875rem;color:#33ff00;}\n.app-link-scopes{font-size:.6875rem;color:#1a8c00;margin-top:1px;}\n.empty{color:#1a8c00;text-align:center;padding:28px 0;font-size:.875rem;}\n\n.inspector-layout{max-width:960px;margin:0 auto;padding:28px 20px;}\n.inspector-tabs{display:flex;gap:4px;margin-bottom:20px;}\n.inspector-tabs a{\n padding:7px 16px;border-radius:6px;text-decoration:none;\n font-size:.8125rem;color:#1a8c00;border:1px solid transparent;\n transition:color .15s,border-color .15s;\n}\n.inspector-tabs a:hover{color:#33ff00;}\n.inspector-tabs a.active{color:#33ff00;font-weight:600;border-color:#0a3300;background:#0a3300;}\n.inspector-section{margin-bottom:24px;}\n.inspector-section h2{\n font-family:'Geist Pixel',monospace;\n font-size:1rem;font-weight:600;color:#33ff00;margin-bottom:10px;\n}\n.inspector-section h3{\n font-family:'Geist Pixel',monospace;\n font-size:.875rem;font-weight:600;color:#1a8c00;margin:16px 0 8px;\n}\n.inspector-table{width:100%;border-collapse:collapse;margin-bottom:12px;}\n.inspector-table th,.inspector-table td{\n text-align:left;padding:8px 12px;border-bottom:1px solid #0a3300;\n font-size:.8125rem;\n}\n.inspector-table th{color:#1a8c00;font-weight:600;font-size:.75rem;text-transform:uppercase;letter-spacing:.04em;}\n.inspector-table td{color:#33ff00;}\n.inspector-table tbody tr{transition:background .1s;}\n.inspector-table tbody tr:hover{background:#0a3300;}\n.inspector-empty{color:#1a8c00;text-align:center;padding:20px 0;font-size:.8125rem;}\n\n.checkout-layout{\n display:flex;min-height:calc(100vh - 42px);\n}\n.checkout-summary{\n flex:1;background:#020;padding:48px 40px 48px 10%;\n display:flex;flex-direction:column;justify-content:center;\n border-right:1px solid #0a3300;\n}\n.checkout-form-side{\n flex:1;background:#000;padding:48px 10% 48px 40px;\n display:flex;flex-direction:column;justify-content:center;\n}\n.checkout-merchant{\n display:flex;align-items:center;gap:10px;margin-bottom:6px;\n}\n.checkout-merchant-name{\n font-family:'Geist Pixel',monospace;\n font-size:.9375rem;font-weight:600;color:#33ff00;\n}\n.checkout-test-badge{\n font-size:.625rem;font-weight:700;letter-spacing:.04em;text-transform:uppercase;\n background:#0a3300;color:#1a8c00;padding:2px 8px;border-radius:4px;\n}\n.checkout-total{\n font-family:'Geist Pixel',monospace;\n font-size:2rem;font-weight:700;color:#33ff00;margin:8px 0 28px;\n}\n.checkout-line-item{\n display:flex;align-items:center;gap:14px;padding:14px 0;\n border-bottom:1px solid #0a3300;\n}\n.checkout-line-item:first-child{border-top:1px solid #0a3300;}\n.checkout-item-icon{\n width:42px;height:42px;border-radius:6px;background:#0a3300;\n display:flex;align-items:center;justify-content:center;flex-shrink:0;\n font-family:'Geist Pixel',monospace;font-size:.875rem;font-weight:700;color:#116600;\n}\n.checkout-item-details{flex:1;min-width:0;}\n.checkout-item-name{font-size:.875rem;font-weight:600;color:#33ff00;}\n.checkout-item-qty{font-size:.75rem;color:#1a8c00;margin-top:2px;}\n.checkout-item-price{\n font-size:.875rem;font-weight:600;color:#33ff00;text-align:right;white-space:nowrap;\n}\n.checkout-item-unit{font-size:.6875rem;color:#1a8c00;text-align:right;margin-top:2px;}\n.checkout-totals{margin-top:20px;}\n.checkout-totals-row{\n display:flex;justify-content:space-between;padding:6px 0;\n font-size:.8125rem;color:#1a8c00;\n}\n.checkout-totals-row.total{\n border-top:1px solid #0a3300;margin-top:8px;padding-top:14px;\n font-size:.9375rem;font-weight:600;color:#33ff00;\n}\n.checkout-form-section{margin-bottom:24px;}\n.checkout-form-label{\n font-size:.8125rem;font-weight:600;color:#33ff00;margin-bottom:8px;display:block;\n}\n.checkout-input{\n width:100%;padding:10px 12px;border:1px solid #0a3300;border-radius:6px;\n background:#020;color:#33ff00;font:inherit;font-size:.875rem;\n transition:border-color .15s;outline:none;\n}\n.checkout-input:focus{border-color:#33ff00;}\n.checkout-input::placeholder{color:#116600;}\n.checkout-card-box{\n border:1px solid #0a3300;border-radius:6px;padding:14px;\n background:#020;\n}\n.checkout-card-row{\n display:flex;gap:12px;margin-top:10px;\n}\n.checkout-card-row .checkout-input{flex:1;}\n.checkout-sim-note{\n font-size:.6875rem;color:#1a8c00;margin-top:10px;text-align:center;\n font-style:italic;\n}\n.checkout-pay-btn{\n width:100%;padding:14px;border:none;border-radius:8px;\n background:#33ff00;color:#000;font:inherit;font-size:.9375rem;font-weight:700;\n cursor:pointer;transition:background .15s;\n font-family:'Geist Pixel',monospace;\n}\n.checkout-pay-btn:hover{background:#44ff22;}\n.checkout-cancel{\n text-align:center;margin-top:14px;\n}\n.checkout-cancel a{\n color:#1a8c00;text-decoration:none;font-size:.8125rem;\n transition:color .15s;\n}\n.checkout-cancel a:hover{color:#33ff00;}\n@media(max-width:768px){\n .checkout-layout{flex-direction:column;}\n .checkout-summary{padding:32px 20px;border-right:none;border-bottom:1px solid #0a3300;}\n .checkout-form-side{padding:32px 20px;}\n}\n`;\n\nconst POWERED_BY = `<div class=\"powered-by\">Powered by <a href=\"https://emulate.dev\" target=\"_blank\" rel=\"noopener\">emulate</a></div>`;\n\nfunction emuBar(service?: string): string {\n const title = service ? `${escapeHtml(service)} Emulator` : \"Emulator\";\n return `<div class=\"emu-bar\">\n <span class=\"emu-bar-title\">${title}</span>\n <nav class=\"emu-bar-links\">\n <a href=\"https://github.com/vercel-labs/emulate/issues\" target=\"_blank\" rel=\"noopener\"><span class=\"full\">Report Issue</span><span class=\"short\">Report</span></a>\n <a href=\"https://github.com/vercel-labs/emulate\" target=\"_blank\" rel=\"noopener\"><span class=\"full\">Source Code</span><span class=\"short\">Source</span></a>\n <a href=\"https://emulate.dev\" target=\"_blank\" rel=\"noopener\"><span class=\"full\">Learn More</span><span class=\"short\">Learn</span></a>\n </nav>\n</div>`;\n}\n\nfunction head(title: string): string {\n return `<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\"/>\n<meta name=\"viewport\" content=\"width=device-width,initial-scale=1\"/>\n<link rel=\"icon\" href=\"/_emulate/favicon.ico\"/>\n<title>${escapeHtml(title)} | emulate</title>\n<style>${CSS}</style>\n</head>`;\n}\n\nexport function renderCardPage(title: string, subtitle: string, body: string, service?: string): string {\n return `${head(title)}\n<body>\n${emuBar(service)}\n<div class=\"content\">\n <div class=\"content-inner\">\n <div class=\"card-title\">${escapeHtml(title)}</div>\n <div class=\"card-subtitle\">${subtitle}</div>\n ${body}\n </div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport function renderErrorPage(title: string, message: string, service?: string): string {\n return `${head(title)}\n<body>\n${emuBar(service)}\n<div class=\"content\">\n <div class=\"content-inner error-card\">\n <div class=\"error-title\">${escapeHtml(title)}</div>\n <div class=\"error-msg\">${escapeHtml(message)}</div>\n </div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport function renderSettingsPage(title: string, sidebarHtml: string, bodyHtml: string, service?: string): string {\n return `${head(title)}\n<body>\n${emuBar(service)}\n<div class=\"settings-layout\">\n <nav class=\"settings-sidebar\">${sidebarHtml}</nav>\n <div class=\"settings-main\">${bodyHtml}</div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport interface InspectorTab {\n id: string;\n label: string;\n href: string;\n}\n\nexport function renderInspectorPage(\n title: string,\n tabs: InspectorTab[],\n activeTab: string,\n body: string,\n service?: string,\n): string {\n const tabLinks = tabs\n .map(\n (t) => `<a href=\"${escapeAttr(t.href)}\" class=\"${t.id === activeTab ? \"active\" : \"\"}\">${escapeHtml(t.label)}</a>`,\n )\n .join(\"\");\n\n return `${head(title)}\n<body>\n${emuBar(service)}\n<div class=\"inspector-layout\">\n <nav class=\"inspector-tabs\">${tabLinks}</nav>\n ${body}\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport function renderFormPostPage(action: string, fields: Record<string, string>, service?: string): string {\n const hiddens = Object.entries(fields)\n .filter(([, v]) => v != null)\n .map(([k, v]) => `<input type=\"hidden\" name=\"${escapeAttr(k)}\" value=\"${escapeAttr(v)}\"/>`)\n .join(\"\\n\");\n\n return `${head(\"Redirecting\")}\n<body onload=\"document.forms[0].submit()\">\n${emuBar(service)}\n<div class=\"content\">\n <div class=\"content-inner\" style=\"text-align:center\">\n <div class=\"card-subtitle\">Redirecting…</div>\n <form method=\"POST\" action=\"${escapeAttr(action)}\">\n${hiddens}\n <noscript><button type=\"submit\" class=\"user-btn\" style=\"margin-top:12px;justify-content:center\">\n <span class=\"user-login\">Continue</span>\n </button></noscript>\n </form>\n </div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport interface CheckoutLineItem {\n name: string;\n quantity: number;\n unitPrice: number;\n totalPrice: number;\n currency: string;\n}\n\nexport interface CheckoutPageOptions {\n merchantName?: string;\n lineItems: CheckoutLineItem[];\n subtotal: number;\n total: number;\n currency: string;\n sessionId: string;\n cancelUrl?: string | null;\n}\n\nexport function renderCheckoutPage(opts: CheckoutPageOptions, service?: string): string {\n const fmt = (cents: number, cur: string) => `$${(cents / 100).toFixed(2)} ${cur.toUpperCase()}`;\n const fmtShort = (cents: number) => `$${(cents / 100).toFixed(2)}`;\n\n const itemsHtml =\n opts.lineItems.length > 0\n ? opts.lineItems\n .map((li) => {\n const initial = li.name.charAt(0).toUpperCase();\n const unitNote =\n li.quantity > 1 ? `<div class=\"checkout-item-unit\">${fmtShort(li.unitPrice)} each</div>` : \"\";\n return `<div class=\"checkout-line-item\">\n <div class=\"checkout-item-icon\">${escapeHtml(initial)}</div>\n <div class=\"checkout-item-details\">\n <div class=\"checkout-item-name\">${escapeHtml(li.name)}</div>\n <div class=\"checkout-item-qty\">Qty ${li.quantity}</div>\n </div>\n <div>\n <div class=\"checkout-item-price\">${fmtShort(li.totalPrice)}</div>\n ${unitNote}\n </div>\n</div>`;\n })\n .join(\"\")\n : '<p class=\"empty\">No line items</p>';\n\n const totalsHtml = `<div class=\"checkout-totals\">\n <div class=\"checkout-totals-row\">\n <span>Subtotal</span><span>${fmtShort(opts.subtotal)}</span>\n </div>\n <div class=\"checkout-totals-row total\">\n <span>Total due</span><span>${fmt(opts.total, opts.currency)}</span>\n </div>\n</div>`;\n\n const cancelHtml = opts.cancelUrl\n ? `<div class=\"checkout-cancel\"><a href=\"${escapeAttr(opts.cancelUrl)}\">Cancel</a></div>`\n : \"\";\n\n const merchant = opts.merchantName ? escapeHtml(opts.merchantName) : \"Checkout\";\n\n return `${head(\"Checkout\")}\n<body>\n${emuBar(service)}\n<div class=\"checkout-layout\">\n <div class=\"checkout-summary\">\n <div class=\"checkout-merchant\">\n <span class=\"checkout-merchant-name\">${merchant}</span>\n <span class=\"checkout-test-badge\">Test Mode</span>\n </div>\n <div class=\"checkout-total\">${fmtShort(opts.total)}</div>\n ${itemsHtml}\n ${totalsHtml}\n </div>\n <div class=\"checkout-form-side\">\n <form method=\"post\" action=\"/checkout/${escapeAttr(opts.sessionId)}/complete\">\n <div class=\"checkout-form-section\">\n <label class=\"checkout-form-label\">Email</label>\n <input type=\"email\" name=\"email\" class=\"checkout-input\" placeholder=\"you@example.com\"/>\n </div>\n <div class=\"checkout-form-section\">\n <label class=\"checkout-form-label\">Card information</label>\n <div class=\"checkout-card-box\">\n <input type=\"text\" class=\"checkout-input\" placeholder=\"1234 1234 1234 1234\" disabled/>\n <div class=\"checkout-card-row\">\n <input type=\"text\" class=\"checkout-input\" placeholder=\"MM / YY\" disabled/>\n <input type=\"text\" class=\"checkout-input\" placeholder=\"CVC\" disabled/>\n </div>\n </div>\n <div class=\"checkout-sim-note\">Card fields are simulated. Payment will be auto-approved.</div>\n </div>\n <button type=\"submit\" class=\"checkout-pay-btn\">Pay ${fmtShort(opts.total)}</button>\n </form>\n ${cancelHtml}\n </div>\n</div>\n${POWERED_BY}\n</body></html>`;\n}\n\nexport interface UserButtonOptions {\n letter: string;\n login: string;\n name?: string;\n email?: string;\n formAction: string;\n hiddenFields: Record<string, string>;\n}\n\nexport function renderUserButton(opts: UserButtonOptions): string {\n const hiddens = Object.entries(opts.hiddenFields)\n .map(([k, v]) => `<input type=\"hidden\" name=\"${escapeAttr(k)}\" value=\"${escapeAttr(v)}\"/>`)\n .join(\"\");\n\n const nameLine = opts.name ? `<div class=\"user-meta\">${escapeHtml(opts.name)}</div>` : \"\";\n const emailLine = opts.email ? `<div class=\"user-email\">${escapeHtml(opts.email)}</div>` : \"\";\n\n return `<form class=\"user-form\" method=\"post\" action=\"${escapeAttr(opts.formAction)}\">\n${hiddens}\n<button type=\"submit\" class=\"user-btn\">\n <span class=\"avatar\">${escapeHtml(opts.letter)}</span>\n <span class=\"user-text\">\n <span class=\"user-login\">${escapeHtml(opts.login)}</span>\n ${nameLine}${emailLine}\n </span>\n</button>\n</form>`;\n}\n","import { timingSafeEqual } from \"crypto\";\n\nexport function normalizeUri(uri: string): string {\n try {\n const u = new URL(uri);\n return `${u.origin}${u.pathname.replace(/\\/+$/, \"\")}`;\n } catch {\n return uri.replace(/\\/+$/, \"\").split(\"?\")[0];\n }\n}\n\nexport function matchesRedirectUri(incoming: string, registered: string[]): boolean {\n const normalized = normalizeUri(incoming);\n return registered.some((r) => normalizeUri(r) === normalized);\n}\n\nexport function constantTimeSecretEqual(a: string, b: string): boolean {\n const bufA = Buffer.from(a, \"utf-8\");\n const bufB = Buffer.from(b, \"utf-8\");\n if (bufA.length !== bufB.length) return false;\n return timingSafeEqual(bufA, bufB);\n}\n\nexport function bodyStr(v: unknown): string {\n if (typeof v === \"string\") return v;\n if (Array.isArray(v) && typeof v[0] === \"string\") return v[0];\n return \"\";\n}\n\nexport function parseCookies(header: string): Record<string, string> {\n const cookies: Record<string, string> = {};\n for (const part of header.split(\";\")) {\n const [k, ...v] = part.split(\"=\");\n if (k) cookies[k.trim()] = v.join(\"=\").trim();\n }\n return cookies;\n}\n","import { readFile, writeFile, mkdir } from \"node:fs/promises\";\nimport { dirname } from \"node:path\";\n\nexport interface PersistenceAdapter {\n load(): Promise<string | null>;\n save(data: string): Promise<void>;\n}\n\nexport function filePersistence(path: string): PersistenceAdapter {\n return {\n async load() {\n try {\n return await readFile(path, \"utf-8\");\n } catch {\n return null;\n }\n },\n async save(data: string) {\n await mkdir(dirname(path), { recursive: true });\n await writeFile(path, data, \"utf-8\");\n },\n };\n}\n","import type { Context } from \"hono\";\nimport type { ContentfulStatusCode } from \"hono/utils/http-status\";\nimport type { AuthUser, TokenMap, AppEnv } from \"@emulators/core\";\nimport type { OktaApp, OktaAuthorizationServer, OktaGroup, OktaUser } from \"./entities.js\";\nimport type { OktaStore } from \"./store.js\";\nimport { resolveOktaIssuer, userDisplayName } from \"./helpers.js\";\n\ntype OktaErrorCause = { errorSummary: string };\n\nfunction createErrorBody(\n status: number,\n errorCode: string,\n errorSummary: string,\n errorCauses: OktaErrorCause[] = [],\n): Record<string, unknown> {\n return {\n errorCode,\n errorSummary,\n errorLink: errorCode,\n errorId: `${errorCode}-${Date.now()}`,\n errorCauses,\n status,\n };\n}\n\nexport function oktaError(\n c: Context<AppEnv>,\n status: number,\n errorCode: string,\n errorSummary: string,\n errorCauses: OktaErrorCause[] = [],\n): Response {\n const body = createErrorBody(status, errorCode, errorSummary, errorCauses);\n return c.json(body, status as ContentfulStatusCode);\n}\n\nexport async function readJsonObject(c: Context<AppEnv>): Promise<Record<string, unknown>> {\n try {\n const body = await c.req.json();\n if (body && typeof body === \"object\") {\n return body as Record<string, unknown>;\n }\n return {};\n } catch {\n return {};\n }\n}\n\nexport function requireManagementAuth(c: Context<AppEnv>, tokenMap?: TokenMap): AuthUser | Response {\n const existing = c.get(\"authUser\");\n if (existing) return existing;\n\n const authHeader = c.req.header(\"Authorization\") ?? \"\";\n if (authHeader.toLowerCase().startsWith(\"ssws \")) {\n const token = authHeader.slice(5).trim();\n const mapped = tokenMap?.get(token);\n if (mapped) {\n c.set(\"authUser\", mapped);\n c.set(\"authToken\", token);\n c.set(\"authScopes\", mapped.scopes);\n return mapped;\n }\n }\n\n return oktaError(c, 401, \"E0000004\", \"Authentication failed\");\n}\n\nexport function findUserByRef(os: OktaStore, userRef: string): OktaUser | undefined {\n const decoded = decodeURIComponent(userRef);\n return (\n os.users.findOneBy(\"okta_id\", decoded) ??\n os.users.findOneBy(\"login\", decoded) ??\n os.users.findOneBy(\"email\", decoded)\n );\n}\n\nexport function findGroupByRef(os: OktaStore, groupRef: string): OktaGroup | undefined {\n const decoded = decodeURIComponent(groupRef);\n return os.groups.findOneBy(\"okta_id\", decoded);\n}\n\nexport function findAppByRef(os: OktaStore, appRef: string): OktaApp | undefined {\n const decoded = decodeURIComponent(appRef);\n return os.apps.findOneBy(\"okta_id\", decoded);\n}\n\nexport function findAuthorizationServerByRef(os: OktaStore, serverRef: string): OktaAuthorizationServer | undefined {\n const decoded = decodeURIComponent(serverRef);\n return os.authorizationServers.findOneBy(\"server_id\", decoded);\n}\n\nexport function userResponse(baseUrl: string, user: OktaUser): Record<string, unknown> {\n return {\n id: user.okta_id,\n status: user.status,\n created: user.created_at,\n activated: user.activated_at,\n statusChanged: user.status_changed_at,\n lastLogin: user.last_login_at,\n lastUpdated: user.updated_at,\n passwordChanged: user.password_changed_at,\n profile: {\n login: user.login,\n email: user.email,\n firstName: user.first_name,\n lastName: user.last_name,\n displayName: userDisplayName(user),\n locale: user.locale,\n timeZone: user.time_zone,\n },\n _links: {\n self: {\n href: `${baseUrl}/api/v1/users/${encodeURIComponent(user.okta_id)}`,\n },\n },\n };\n}\n\nexport function groupResponse(baseUrl: string, group: OktaGroup): Record<string, unknown> {\n return {\n id: group.okta_id,\n created: group.created_at,\n lastUpdated: group.updated_at,\n lastMembershipUpdated: group.updated_at,\n objectClass: [\"okta:user_group\"],\n type: group.type,\n profile: {\n name: group.name,\n description: group.description,\n },\n _links: {\n self: {\n href: `${baseUrl}/api/v1/groups/${encodeURIComponent(group.okta_id)}`,\n },\n },\n };\n}\n\nexport function appResponse(baseUrl: string, app: OktaApp): Record<string, unknown> {\n return {\n id: app.okta_id,\n name: app.name,\n label: app.label,\n status: app.status,\n created: app.created_at,\n lastUpdated: app.updated_at,\n signOnMode: app.sign_on_mode,\n credentials: app.credentials,\n settings: app.settings,\n _links: {\n self: {\n href: `${baseUrl}/api/v1/apps/${encodeURIComponent(app.okta_id)}`,\n },\n },\n };\n}\n\nexport function authorizationServerResponse(baseUrl: string, server: OktaAuthorizationServer): Record<string, unknown> {\n return {\n id: server.server_id,\n name: server.name,\n description: server.description,\n audiences: server.audiences,\n issuer: resolveOktaIssuer(baseUrl, server.server_id),\n status: server.status,\n created: server.created_at,\n lastUpdated: server.updated_at,\n _links: {\n self: {\n href: `${baseUrl}/api/v1/authorizationServers/${encodeURIComponent(server.server_id)}`,\n },\n },\n };\n}\n","import { Store, type Collection } from \"@emulators/core\";\nimport type {\n OktaUser,\n OktaGroup,\n OktaApp,\n OktaOAuthClient,\n OktaAuthorizationServer,\n OktaGroupMembership,\n OktaAppAssignment,\n} from \"./entities.js\";\n\nexport interface OktaStore {\n users: Collection<OktaUser>;\n groups: Collection<OktaGroup>;\n apps: Collection<OktaApp>;\n oauthClients: Collection<OktaOAuthClient>;\n authorizationServers: Collection<OktaAuthorizationServer>;\n groupMemberships: Collection<OktaGroupMembership>;\n appAssignments: Collection<OktaAppAssignment>;\n}\n\nexport function getOktaStore(store: Store): OktaStore {\n return {\n users: store.collection<OktaUser>(\"okta.users\", [\"okta_id\", \"login\", \"email\"]),\n groups: store.collection<OktaGroup>(\"okta.groups\", [\"okta_id\", \"name\"]),\n apps: store.collection<OktaApp>(\"okta.apps\", [\"okta_id\", \"name\"]),\n oauthClients: store.collection<OktaOAuthClient>(\"okta.oauth_clients\", [\"client_id\", \"auth_server_id\"]),\n authorizationServers: store.collection<OktaAuthorizationServer>(\"okta.auth_servers\", [\"server_id\"]),\n groupMemberships: store.collection<OktaGroupMembership>(\"okta.group_memberships\", [\n \"group_okta_id\",\n \"user_okta_id\",\n ]),\n appAssignments: store.collection<OktaAppAssignment>(\"okta.app_assignments\", [\"app_okta_id\", \"user_okta_id\"]),\n };\n}\n","import { parsePagination, setLinkHeader, type RouteContext } from \"@emulators/core\";\nimport { generateOktaId, normalizeAppStatus } from \"../helpers.js\";\nimport {\n appResponse,\n findAppByRef,\n findUserByRef,\n oktaError,\n readJsonObject,\n requireManagementAuth,\n userResponse,\n} from \"../route-helpers.js\";\nimport { getOktaStore } from \"../store.js\";\n\nexport function appRoutes({ app, store, baseUrl, tokenMap }: RouteContext): void {\n const oktaStore = getOktaStore(store);\n\n app.get(\"/api/v1/apps\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const q = (c.req.query(\"q\") ?? \"\").toLowerCase();\n let apps = oktaStore.apps.all();\n if (q) {\n apps = apps.filter((entry) => `${entry.name} ${entry.label}`.toLowerCase().includes(q));\n }\n const { page, per_page } = parsePagination(c);\n const total = apps.length;\n const start = (page - 1) * per_page;\n const paged = apps.slice(start, start + per_page);\n setLinkHeader(c, total, page, per_page);\n c.header(\"X-Total-Count\", String(total));\n\n return c.json(paged.map((entry) => appResponse(baseUrl, entry)));\n });\n\n app.post(\"/api/v1/apps\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const body = await readJsonObject(c);\n const name = typeof body.name === \"string\" ? body.name : \"oidc_client\";\n const label = typeof body.label === \"string\" ? body.label : \"Okta App\";\n const signOnMode = typeof body.signOnMode === \"string\" ? body.signOnMode : \"OPENID_CONNECT\";\n const settings =\n body.settings && typeof body.settings === \"object\" ? (body.settings as Record<string, unknown>) : {};\n const credentials =\n body.credentials && typeof body.credentials === \"object\" ? (body.credentials as Record<string, unknown>) : {};\n\n const created = oktaStore.apps.insert({\n okta_id: generateOktaId(\"0oa\"),\n name,\n label,\n status: normalizeAppStatus(typeof body.status === \"string\" ? body.status : undefined, \"ACTIVE\"),\n sign_on_mode: signOnMode,\n settings,\n credentials,\n });\n\n return c.json(appResponse(baseUrl, created), 201);\n });\n\n app.get(\"/api/v1/apps/:appId/users\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n\n const assignments = oktaStore.appAssignments.findBy(\"app_okta_id\", appEntity.okta_id);\n const users = assignments\n .map((assignment) => oktaStore.users.findOneBy(\"okta_id\", assignment.user_okta_id))\n .filter((user): user is NonNullable<typeof user> => Boolean(user));\n\n return c.json(\n users.map((user) => ({\n id: user.okta_id,\n scope: \"USER\",\n credentials: { userName: user.login },\n profile: userResponse(baseUrl, user).profile as Record<string, unknown>,\n })),\n );\n });\n\n app.put(\"/api/v1/apps/:appId/users/:userId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const existing = oktaStore.appAssignments\n .findBy(\"app_okta_id\", appEntity.okta_id)\n .find((assignment) => assignment.user_okta_id === user.okta_id);\n if (!existing) {\n oktaStore.appAssignments.insert({\n app_okta_id: appEntity.okta_id,\n user_okta_id: user.okta_id,\n });\n }\n\n return new Response(null, { status: 204 });\n });\n\n app.delete(\"/api/v1/apps/:appId/users/:userId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const existing = oktaStore.appAssignments\n .findBy(\"app_okta_id\", appEntity.okta_id)\n .find((assignment) => assignment.user_okta_id === user.okta_id);\n if (existing) oktaStore.appAssignments.delete(existing.id);\n return new Response(null, { status: 204 });\n });\n\n app.post(\"/api/v1/apps/:appId/lifecycle/activate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n\n const updated = oktaStore.apps.update(appEntity.id, { status: \"ACTIVE\" });\n return c.json(appResponse(baseUrl, updated ?? appEntity));\n });\n\n app.post(\"/api/v1/apps/:appId/lifecycle/deactivate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n\n const updated = oktaStore.apps.update(appEntity.id, { status: \"INACTIVE\" });\n return c.json(appResponse(baseUrl, updated ?? appEntity));\n });\n\n app.get(\"/api/v1/apps/:appId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n return c.json(appResponse(baseUrl, appEntity));\n });\n\n app.put(\"/api/v1/apps/:appId\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n\n const body = await readJsonObject(c);\n const updated = oktaStore.apps.update(appEntity.id, {\n name: typeof body.name === \"string\" ? body.name : appEntity.name,\n label: typeof body.label === \"string\" ? body.label : appEntity.label,\n status: normalizeAppStatus(typeof body.status === \"string\" ? body.status : undefined, appEntity.status),\n sign_on_mode: typeof body.signOnMode === \"string\" ? body.signOnMode : appEntity.sign_on_mode,\n settings:\n body.settings && typeof body.settings === \"object\"\n ? (body.settings as Record<string, unknown>)\n : appEntity.settings,\n credentials:\n body.credentials && typeof body.credentials === \"object\"\n ? (body.credentials as Record<string, unknown>)\n : appEntity.credentials,\n });\n return c.json(appResponse(baseUrl, updated ?? appEntity));\n });\n\n app.delete(\"/api/v1/apps/:appId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const appEntity = findAppByRef(oktaStore, c.req.param(\"appId\"));\n if (!appEntity) return oktaError(c, 404, \"E0000007\", \"Not found: app\");\n if (appEntity.status !== \"INACTIVE\") {\n return oktaError(c, 400, \"E0000001\", \"App must be INACTIVE before deletion\");\n }\n\n for (const assignment of oktaStore.appAssignments.findBy(\"app_okta_id\", appEntity.okta_id)) {\n oktaStore.appAssignments.delete(assignment.id);\n }\n oktaStore.apps.delete(appEntity.id);\n return new Response(null, { status: 204 });\n });\n}\n","import { parsePagination, setLinkHeader, type RouteContext } from \"@emulators/core\";\nimport { DEFAULT_AUDIENCE, generateOktaId, normalizeAuthServerStatus } from \"../helpers.js\";\nimport {\n authorizationServerResponse,\n findAuthorizationServerByRef,\n oktaError,\n readJsonObject,\n requireManagementAuth,\n} from \"../route-helpers.js\";\nimport { getOktaStore } from \"../store.js\";\n\nfunction normalizeServerId(name: string): string {\n const compact = name\n .trim()\n .toLowerCase()\n .replace(/[^a-z0-9_-]+/g, \"-\");\n if (compact.length > 0) return compact;\n return generateOktaId(\"as\");\n}\n\nexport function authorizationServerRoutes({ app, store, baseUrl, tokenMap }: RouteContext): void {\n const oktaStore = getOktaStore(store);\n\n app.get(\"/api/v1/authorizationServers\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const servers = oktaStore.authorizationServers.all();\n const { page, per_page } = parsePagination(c);\n const total = servers.length;\n const start = (page - 1) * per_page;\n const paged = servers.slice(start, start + per_page);\n setLinkHeader(c, total, page, per_page);\n c.header(\"X-Total-Count\", String(total));\n\n return c.json(paged.map((server) => authorizationServerResponse(baseUrl, server)));\n });\n\n app.post(\"/api/v1/authorizationServers\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const body = await readJsonObject(c);\n const name = typeof body.name === \"string\" ? body.name.trim() : \"\";\n if (!name) return oktaError(c, 400, \"E0000001\", \"name is required\");\n\n const serverId = typeof body.id === \"string\" ? body.id : normalizeServerId(name);\n if (oktaStore.authorizationServers.findOneBy(\"server_id\", serverId)) {\n return oktaError(c, 400, \"E0000001\", `Authorization server '${serverId}' already exists`);\n }\n\n const audiences = Array.isArray(body.audiences)\n ? body.audiences.filter((entry): entry is string => typeof entry === \"string\")\n : [DEFAULT_AUDIENCE];\n\n const created = oktaStore.authorizationServers.insert({\n server_id: serverId,\n name,\n description: typeof body.description === \"string\" ? body.description : \"\",\n audiences: audiences.length > 0 ? audiences : [DEFAULT_AUDIENCE],\n status: normalizeAuthServerStatus(typeof body.status === \"string\" ? body.status : undefined, \"ACTIVE\"),\n });\n\n return c.json(authorizationServerResponse(baseUrl, created), 201);\n });\n\n app.post(\"/api/v1/authorizationServers/:authServerId/lifecycle/activate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const server = findAuthorizationServerByRef(oktaStore, c.req.param(\"authServerId\"));\n if (!server) return oktaError(c, 404, \"E0000007\", \"Not found: authorization server\");\n const updated = oktaStore.authorizationServers.update(server.id, { status: \"ACTIVE\" });\n return c.json(authorizationServerResponse(baseUrl, updated ?? server));\n });\n\n app.post(\"/api/v1/authorizationServers/:authServerId/lifecycle/deactivate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const server = findAuthorizationServerByRef(oktaStore, c.req.param(\"authServerId\"));\n if (!server) return oktaError(c, 404, \"E0000007\", \"Not found: authorization server\");\n const updated = oktaStore.authorizationServers.update(server.id, { status: \"INACTIVE\" });\n return c.json(authorizationServerResponse(baseUrl, updated ?? server));\n });\n\n app.get(\"/api/v1/authorizationServers/:authServerId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const server = findAuthorizationServerByRef(oktaStore, c.req.param(\"authServerId\"));\n if (!server) return oktaError(c, 404, \"E0000007\", \"Not found: authorization server\");\n return c.json(authorizationServerResponse(baseUrl, server));\n });\n\n app.put(\"/api/v1/authorizationServers/:authServerId\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const server = findAuthorizationServerByRef(oktaStore, c.req.param(\"authServerId\"));\n if (!server) return oktaError(c, 404, \"E0000007\", \"Not found: authorization server\");\n\n const body = await readJsonObject(c);\n const audiences = Array.isArray(body.audiences)\n ? body.audiences.filter((entry): entry is string => typeof entry === \"string\")\n : server.audiences;\n\n const updated = oktaStore.authorizationServers.update(server.id, {\n name: typeof body.name === \"string\" ? body.name : server.name,\n description: typeof body.description === \"string\" ? body.description : server.description,\n audiences: audiences.length > 0 ? audiences : server.audiences,\n status: normalizeAuthServerStatus(typeof body.status === \"string\" ? body.status : undefined, server.status),\n });\n return c.json(authorizationServerResponse(baseUrl, updated ?? server));\n });\n\n app.delete(\"/api/v1/authorizationServers/:authServerId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const server = findAuthorizationServerByRef(oktaStore, c.req.param(\"authServerId\"));\n if (!server) return oktaError(c, 404, \"E0000007\", \"Not found: authorization server\");\n\n for (const client of oktaStore.oauthClients.findBy(\"auth_server_id\", server.server_id)) {\n oktaStore.oauthClients.delete(client.id);\n }\n oktaStore.authorizationServers.delete(server.id);\n return new Response(null, { status: 204 });\n });\n}\n","import { parsePagination, setLinkHeader, type RouteContext } from \"@emulators/core\";\nimport { generateOktaId, normalizeGroupType } from \"../helpers.js\";\nimport {\n findGroupByRef,\n findUserByRef,\n groupResponse,\n oktaError,\n readJsonObject,\n requireManagementAuth,\n userResponse,\n} from \"../route-helpers.js\";\nimport { getOktaStore } from \"../store.js\";\n\nexport function groupRoutes({ app, store, baseUrl, tokenMap }: RouteContext): void {\n const oktaStore = getOktaStore(store);\n\n app.get(\"/api/v1/groups\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const q = (c.req.query(\"q\") ?? \"\").toLowerCase();\n let groups = oktaStore.groups.all();\n if (q) {\n groups = groups.filter((group) => `${group.name} ${group.description ?? \"\"}`.toLowerCase().includes(q));\n }\n const { page, per_page } = parsePagination(c);\n const total = groups.length;\n const start = (page - 1) * per_page;\n const paged = groups.slice(start, start + per_page);\n setLinkHeader(c, total, page, per_page);\n c.header(\"X-Total-Count\", String(total));\n\n return c.json(paged.map((group) => groupResponse(baseUrl, group)));\n });\n\n app.post(\"/api/v1/groups\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const body = await readJsonObject(c);\n const profile = (body.profile && typeof body.profile === \"object\" ? body.profile : {}) as Record<string, unknown>;\n const name = typeof profile.name === \"string\" ? profile.name.trim() : \"\";\n\n if (!name) {\n return oktaError(c, 400, \"E0000001\", \"profile.name is required\");\n }\n\n if (oktaStore.groups.findOneBy(\"name\", name)) {\n return oktaError(c, 400, \"E0000001\", \"A group with the same name already exists\");\n }\n\n const created = oktaStore.groups.insert({\n okta_id: generateOktaId(\"00g\"),\n type: normalizeGroupType(typeof body.type === \"string\" ? body.type : undefined, \"OKTA_GROUP\"),\n name,\n description: typeof profile.description === \"string\" ? profile.description : null,\n });\n\n return c.json(groupResponse(baseUrl, created), 201);\n });\n\n app.get(\"/api/v1/groups/:groupId/users\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const group = findGroupByRef(oktaStore, c.req.param(\"groupId\"));\n if (!group) return oktaError(c, 404, \"E0000007\", \"Not found: group\");\n\n const memberships = oktaStore.groupMemberships.findBy(\"group_okta_id\", group.okta_id);\n const users = memberships\n .map((membership) => oktaStore.users.findOneBy(\"okta_id\", membership.user_okta_id))\n .filter((user): user is NonNullable<typeof user> => Boolean(user));\n\n return c.json(users.map((user) => userResponse(baseUrl, user)));\n });\n\n app.put(\"/api/v1/groups/:groupId/users/:userId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const group = findGroupByRef(oktaStore, c.req.param(\"groupId\"));\n if (!group) return oktaError(c, 404, \"E0000007\", \"Not found: group\");\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const existing = oktaStore.groupMemberships\n .findBy(\"group_okta_id\", group.okta_id)\n .find((membership) => membership.user_okta_id === user.okta_id);\n if (!existing) {\n oktaStore.groupMemberships.insert({\n group_okta_id: group.okta_id,\n user_okta_id: user.okta_id,\n });\n }\n\n return new Response(null, { status: 204 });\n });\n\n app.delete(\"/api/v1/groups/:groupId/users/:userId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const group = findGroupByRef(oktaStore, c.req.param(\"groupId\"));\n if (!group) return oktaError(c, 404, \"E0000007\", \"Not found: group\");\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const existing = oktaStore.groupMemberships\n .findBy(\"group_okta_id\", group.okta_id)\n .find((membership) => membership.user_okta_id === user.okta_id);\n if (existing) {\n oktaStore.groupMemberships.delete(existing.id);\n }\n\n return new Response(null, { status: 204 });\n });\n\n app.get(\"/api/v1/groups/:groupId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const group = findGroupByRef(oktaStore, c.req.param(\"groupId\"));\n if (!group) return oktaError(c, 404, \"E0000007\", \"Not found: group\");\n return c.json(groupResponse(baseUrl, group));\n });\n\n app.put(\"/api/v1/groups/:groupId\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const group = findGroupByRef(oktaStore, c.req.param(\"groupId\"));\n if (!group) return oktaError(c, 404, \"E0000007\", \"Not found: group\");\n\n const body = await readJsonObject(c);\n const profile = (body.profile && typeof body.profile === \"object\" ? body.profile : {}) as Record<string, unknown>;\n const nextName = typeof profile.name === \"string\" ? profile.name.trim() : group.name;\n\n if (nextName !== group.name) {\n const existing = oktaStore.groups.findOneBy(\"name\", nextName);\n if (existing && existing.okta_id !== group.okta_id) {\n return oktaError(c, 400, \"E0000001\", \"A group with the same name already exists\");\n }\n }\n\n const updated = oktaStore.groups.update(group.id, {\n name: nextName,\n description: typeof profile.description === \"string\" ? profile.description : group.description,\n type: normalizeGroupType(typeof body.type === \"string\" ? body.type : undefined, group.type),\n });\n return c.json(groupResponse(baseUrl, updated ?? group));\n });\n\n app.delete(\"/api/v1/groups/:groupId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const group = findGroupByRef(oktaStore, c.req.param(\"groupId\"));\n if (!group) return oktaError(c, 404, \"E0000007\", \"Not found: group\");\n\n for (const membership of oktaStore.groupMemberships.findBy(\"group_okta_id\", group.okta_id)) {\n oktaStore.groupMemberships.delete(membership.id);\n }\n\n oktaStore.groups.delete(group.id);\n return new Response(null, { status: 204 });\n });\n}\n","import { createHash, randomBytes } from \"node:crypto\";\nimport { SignJWT, exportJWK, generateKeyPair } from \"jose\";\nimport type { Context } from \"hono\";\nimport type { AppEnv, RouteContext, Store } from \"@emulators/core\";\nimport {\n bodyStr,\n constantTimeSecretEqual,\n debug,\n escapeAttr,\n escapeHtml,\n matchesRedirectUri,\n renderCardPage,\n renderErrorPage,\n renderFormPostPage,\n renderUserButton,\n} from \"@emulators/core\";\nimport type { OktaOAuthClient, OktaUser } from \"../entities.js\";\nimport {\n DEFAULT_AUDIENCE,\n DEFAULT_AUTH_SERVER_ID,\n ORG_AUTH_SERVER_ID,\n resolveOktaIssuer,\n userDisplayName,\n} from \"../helpers.js\";\nimport { findUserByRef, oktaError } from \"../route-helpers.js\";\nimport { getOktaStore } from \"../store.js\";\n\nconst keyPairPromise = generateKeyPair(\"RS256\");\nconst KID = \"emulate-okta-1\";\n\nconst CODE_TTL_MS = 10 * 60 * 1000;\n\ntype PendingCode = {\n userRef: string;\n scope: string;\n redirectUri: string;\n clientId: string;\n nonce: string | null;\n codeChallenge: string | null;\n codeChallengeMethod: string | null;\n authServerId: string;\n createdAt: number;\n};\n\ntype StoredAccessToken = {\n authServerId: string;\n clientId: string;\n scope: string;\n issuedAt: number;\n expiresAt: number;\n userOktaId: string | null;\n username: string | null;\n};\n\ntype StoredRefreshToken = {\n authServerId: string;\n clientId: string;\n scope: string;\n userOktaId: string;\n username: string;\n nonce: string | null;\n};\n\ntype ResolvedServer = {\n authServerId: string;\n issuer: string;\n audiences: string[];\n};\n\nfunction getPendingCodes(store: Store): Map<string, PendingCode> {\n let map = store.getData<Map<string, PendingCode>>(\"okta.oauth.pendingCodes\");\n if (!map) {\n map = new Map();\n store.setData(\"okta.oauth.pendingCodes\", map);\n }\n return map;\n}\n\nfunction getAccessTokens(store: Store): Map<string, StoredAccessToken> {\n let map = store.getData<Map<string, StoredAccessToken>>(\"okta.oauth.accessTokens\");\n if (!map) {\n map = new Map();\n store.setData(\"okta.oauth.accessTokens\", map);\n }\n return map;\n}\n\nfunction getRefreshTokens(store: Store): Map<string, StoredRefreshToken> {\n let map = store.getData<Map<string, StoredRefreshToken>>(\"okta.oauth.refreshTokens\");\n if (!map) {\n map = new Map();\n store.setData(\"okta.oauth.refreshTokens\", map);\n }\n return map;\n}\n\nfunction isCodeExpired(code: PendingCode): boolean {\n return Date.now() - code.createdAt > CODE_TTL_MS;\n}\n\nfunction buildOAuthBasePath(authServerId: string): string {\n if (authServerId === ORG_AUTH_SERVER_ID) return \"/oauth2/v1\";\n return `/oauth2/${encodeURIComponent(authServerId)}/v1`;\n}\n\nfunction getClientsForServer(clients: OktaOAuthClient[], authServerId: string): OktaOAuthClient[] {\n return clients.filter((client) => client.auth_server_id === authServerId);\n}\n\nfunction resolveServer(\n authServerId: string,\n baseUrl: string,\n store: ReturnType<typeof getOktaStore>,\n): ResolvedServer | null {\n if (authServerId === ORG_AUTH_SERVER_ID) {\n return {\n authServerId,\n issuer: baseUrl,\n audiences: [DEFAULT_AUDIENCE],\n };\n }\n\n const server = store.authorizationServers.findOneBy(\"server_id\", authServerId);\n if (!server) return null;\n return {\n authServerId,\n issuer: resolveOktaIssuer(baseUrl, authServerId),\n audiences: server.audiences.length > 0 ? server.audiences : [DEFAULT_AUDIENCE],\n };\n}\n\nfunction buildOidcConfiguration(baseUrl: string, server: ResolvedServer): Record<string, unknown> {\n const oauthBase = buildOAuthBasePath(server.authServerId);\n const oauthUrlBase = `${baseUrl}${oauthBase}`;\n const tokenEndpointAuthMethods = [\"client_secret_post\", \"client_secret_basic\", \"none\"];\n return {\n issuer: server.issuer,\n authorization_endpoint: `${oauthUrlBase}/authorize`,\n token_endpoint: `${oauthUrlBase}/token`,\n userinfo_endpoint: `${oauthUrlBase}/userinfo`,\n jwks_uri: `${oauthUrlBase}/keys`,\n end_session_endpoint: `${oauthUrlBase}/logout`,\n revocation_endpoint: `${oauthUrlBase}/revoke`,\n introspection_endpoint: `${oauthUrlBase}/introspect`,\n registration_endpoint: `${oauthUrlBase}/clients`,\n response_types_supported: [\"code\"],\n response_modes_supported: [\"query\", \"fragment\", \"form_post\"],\n grant_types_supported: [\"authorization_code\", \"refresh_token\", \"client_credentials\"],\n subject_types_supported: [\"public\"],\n id_token_signing_alg_values_supported: [\"RS256\"],\n scopes_supported: [\"openid\", \"profile\", \"email\", \"offline_access\", \"groups\"],\n token_endpoint_auth_methods_supported: tokenEndpointAuthMethods,\n revocation_endpoint_auth_methods_supported: tokenEndpointAuthMethods,\n introspection_endpoint_auth_methods_supported: tokenEndpointAuthMethods,\n request_parameter_supported: false,\n request_uri_parameter_supported: false,\n claims_parameter_supported: false,\n request_object_signing_alg_values_supported: [\"RS256\"],\n claims_supported: [\n \"sub\",\n \"iss\",\n \"aud\",\n \"exp\",\n \"iat\",\n \"auth_time\",\n \"nonce\",\n \"name\",\n \"preferred_username\",\n \"email\",\n \"email_verified\",\n \"locale\",\n \"zoneinfo\",\n \"groups\",\n ],\n code_challenge_methods_supported: [\"plain\", \"S256\"],\n };\n}\n\nasync function parseTokenLikeBody(c: Context<AppEnv>): Promise<Record<string, string>> {\n const contentType = c.req.header(\"Content-Type\") ?? \"\";\n const raw = await c.req.text();\n\n if (contentType.includes(\"application/json\")) {\n try {\n const parsed = JSON.parse(raw) as Record<string, unknown>;\n const out: Record<string, string> = {};\n for (const [key, value] of Object.entries(parsed)) {\n if (typeof value === \"string\") out[key] = value;\n }\n return out;\n } catch {\n return {};\n }\n }\n\n return Object.fromEntries(new URLSearchParams(raw));\n}\n\nfunction parseClientCredentials(\n c: Context<AppEnv>,\n body: Record<string, string>,\n): { clientId: string; clientSecret: string } {\n let clientId = body.client_id ?? \"\";\n let clientSecret = body.client_secret ?? \"\";\n\n const authHeader = c.req.header(\"Authorization\") ?? \"\";\n if (authHeader.startsWith(\"Basic \")) {\n const decoded = Buffer.from(authHeader.slice(6), \"base64\").toString(\"utf8\");\n const sep = decoded.indexOf(\":\");\n if (sep !== -1) {\n const headerId = decodeURIComponent(decoded.slice(0, sep));\n const headerSecret = decodeURIComponent(decoded.slice(sep + 1));\n if (!clientId) clientId = headerId;\n if (!clientSecret) clientSecret = headerSecret;\n }\n }\n\n return { clientId, clientSecret };\n}\n\ninterface ClientValidationError {\n body: { error: string; error_description: string };\n status: number;\n}\n\nfunction validateClient(\n clients: OktaOAuthClient[],\n authServerId: string,\n clientId: string,\n clientSecret: string,\n): { client: OktaOAuthClient | null; error: ClientValidationError | null } {\n const scopedClients = getClientsForServer(clients, authServerId);\n if (scopedClients.length === 0) {\n return { client: null, error: null };\n }\n\n const client = scopedClients.find((entry) => entry.client_id === clientId);\n if (!client) {\n return {\n client: null,\n error: {\n body: { error: \"invalid_client\", error_description: \"Unknown client.\" },\n status: 401,\n },\n };\n }\n\n if (client.token_endpoint_auth_method === \"none\") {\n return { client, error: null };\n }\n\n if (!constantTimeSecretEqual(client.client_secret ?? \"\", clientSecret)) {\n return {\n client: null,\n error: {\n body: { error: \"invalid_client\", error_description: \"Invalid client credentials.\" },\n status: 401,\n },\n };\n }\n\n return { client, error: null };\n}\n\nfunction parseScope(scope: string): string[] {\n return scope\n .split(/\\s+/)\n .map((part) => part.trim())\n .filter(Boolean);\n}\n\nfunction collectUserGroups(oktaStore: ReturnType<typeof getOktaStore>, user: OktaUser): string[] {\n const memberships = oktaStore.groupMemberships.findBy(\"user_okta_id\", user.okta_id);\n const names: string[] = [];\n for (const membership of memberships) {\n const group = oktaStore.groups.findOneBy(\"okta_id\", membership.group_okta_id);\n if (group) names.push(group.name);\n }\n return names;\n}\n\nasync function createIdToken(\n oktaStore: ReturnType<typeof getOktaStore>,\n user: OktaUser,\n clientId: string,\n nonce: string | null,\n issuer: string,\n scope: string,\n): Promise<string> {\n const { privateKey } = await keyPairPromise;\n const now = Math.floor(Date.now() / 1000);\n const scopes = parseScope(scope);\n\n const claims: Record<string, unknown> = {\n sub: user.okta_id,\n name: userDisplayName(user),\n preferred_username: user.login,\n email: user.email,\n email_verified: true,\n locale: user.locale,\n zoneinfo: user.time_zone,\n auth_time: now,\n };\n\n if (nonce) claims.nonce = nonce;\n if (scopes.includes(\"groups\")) {\n claims.groups = collectUserGroups(oktaStore, user);\n }\n\n return new SignJWT(claims)\n .setProtectedHeader({ alg: \"RS256\", kid: KID, typ: \"JWT\" })\n .setIssuer(issuer)\n .setAudience(clientId)\n .setIssuedAt(now)\n .setExpirationTime(\"1h\")\n .sign(privateKey);\n}\n\nfunction unauthorizedOAuthError(): Response {\n return new Response(JSON.stringify({ error: \"invalid_token\", error_description: \"The access token is invalid.\" }), {\n status: 401,\n headers: { \"Content-Type\": \"application/json\" },\n });\n}\n\nexport function oauthRoutes({ app, store, baseUrl, tokenMap }: RouteContext): void {\n const oktaStore = getOktaStore(store);\n const SERVICE_LABEL = \"Okta\";\n\n app.get(\"/.well-known/openid-configuration\", (c) => {\n const server = resolveServer(ORG_AUTH_SERVER_ID, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", \"Not found: org authorization server\");\n return c.json(buildOidcConfiguration(baseUrl, server));\n });\n\n app.get(\"/oauth2/:authServerId/.well-known/openid-configuration\", (c) => {\n const authServerId = c.req.param(\"authServerId\");\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n return c.json(buildOidcConfiguration(baseUrl, server));\n });\n\n app.get(\"/oauth2/v1/keys\", async (c) => {\n const { publicKey } = await keyPairPromise;\n const jwk = await exportJWK(publicKey);\n return c.json({\n keys: [{ ...jwk, kid: KID, use: \"sig\", alg: \"RS256\" }],\n });\n });\n\n app.get(\"/oauth2/:authServerId/v1/keys\", async (c) => {\n const authServerId = c.req.param(\"authServerId\");\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const { publicKey } = await keyPairPromise;\n const jwk = await exportJWK(publicKey);\n return c.json({\n keys: [{ ...jwk, kid: KID, use: \"sig\", alg: \"RS256\" }],\n });\n });\n\n const renderAuthorizePage = (c: Context<AppEnv>, authServerId: string): Response => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const clientId = c.req.query(\"client_id\") ?? \"\";\n const redirectUri = c.req.query(\"redirect_uri\") ?? \"\";\n const scope = c.req.query(\"scope\") ?? \"openid profile email\";\n const state = c.req.query(\"state\") ?? \"\";\n const nonce = c.req.query(\"nonce\") ?? \"\";\n const responseMode = c.req.query(\"response_mode\") ?? \"query\";\n const responseType = c.req.query(\"response_type\") ?? \"code\";\n const codeChallenge = c.req.query(\"code_challenge\") ?? \"\";\n const codeChallengeMethod = c.req.query(\"code_challenge_method\") ?? \"\";\n\n if (responseType !== \"code\") {\n return c.html(\n renderErrorPage(\"Unsupported response_type\", \"Only response_type=code is supported.\", SERVICE_LABEL),\n 400,\n );\n }\n\n if (!redirectUri) {\n return c.html(\n renderErrorPage(\"Missing redirect URI\", \"The redirect_uri parameter is required.\", SERVICE_LABEL),\n 400,\n );\n }\n\n const configuredClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId);\n let clientName = \"\";\n if (configuredClients.length > 0) {\n const client = configuredClients.find((entry) => entry.client_id === clientId);\n if (!client) {\n return c.html(\n renderErrorPage(\"Application not found\", `The client_id '${clientId}' is not registered.`, SERVICE_LABEL),\n 400,\n );\n }\n if (!matchesRedirectUri(redirectUri, client.redirect_uris)) {\n return c.html(\n renderErrorPage(\n \"Redirect URI mismatch\",\n \"The redirect_uri is not registered for this application.\",\n SERVICE_LABEL,\n ),\n 400,\n );\n }\n clientName = client.name;\n }\n\n const users = oktaStore.users.all();\n const callbackPath = `${buildOAuthBasePath(authServerId)}/authorize/callback`;\n const buttons = users\n .map((user) =>\n renderUserButton({\n letter: (user.login[0] ?? \"?\").toUpperCase(),\n login: user.login,\n name: userDisplayName(user),\n email: user.email,\n formAction: callbackPath,\n hiddenFields: {\n user_ref: user.okta_id,\n redirect_uri: redirectUri,\n scope,\n state,\n nonce,\n client_id: clientId,\n response_mode: responseMode,\n code_challenge: codeChallenge,\n code_challenge_method: codeChallengeMethod,\n auth_server_id: authServerId,\n },\n }),\n )\n .join(\"\\n\");\n\n const subtitle = clientName\n ? `Sign in to <strong>${escapeHtml(clientName)}</strong> with your Okta account.`\n : \"Choose a seeded user to continue.\";\n\n return c.html(\n renderCardPage(\n \"Sign in with Okta\",\n subtitle,\n users.length > 0 ? buttons : '<p class=\"empty\">No users in the emulator store.</p>',\n SERVICE_LABEL,\n ),\n );\n };\n\n app.get(\"/oauth2/v1/authorize\", (c) => renderAuthorizePage(c, ORG_AUTH_SERVER_ID));\n app.get(\"/oauth2/:authServerId/v1/authorize\", (c) => renderAuthorizePage(c, c.req.param(\"authServerId\")));\n\n const handleAuthorizeCallback = async (c: Context<AppEnv>, authServerId: string): Promise<Response> => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const body = await c.req.parseBody();\n const userRef = bodyStr(body.user_ref);\n const redirectUri = bodyStr(body.redirect_uri);\n const scope = bodyStr(body.scope) || \"openid profile email\";\n const state = bodyStr(body.state);\n const nonce = bodyStr(body.nonce);\n const clientId = bodyStr(body.client_id);\n const responseMode = bodyStr(body.response_mode) || \"query\";\n const codeChallenge = bodyStr(body.code_challenge);\n const codeChallengeMethod = bodyStr(body.code_challenge_method);\n\n if (!redirectUri) {\n return c.html(\n renderErrorPage(\"Missing redirect URI\", \"The redirect_uri parameter is required.\", SERVICE_LABEL),\n 400,\n );\n }\n\n const user = findUserByRef(oktaStore, userRef);\n if (!user) {\n return c.html(renderErrorPage(\"Unknown user\", \"The selected user is not available.\", SERVICE_LABEL), 400);\n }\n\n const configuredClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId);\n if (configuredClients.length > 0) {\n const client = configuredClients.find((entry) => entry.client_id === clientId);\n if (!client) {\n return c.html(\n renderErrorPage(\"Application not found\", `The client_id '${clientId}' is not registered.`, SERVICE_LABEL),\n 400,\n );\n }\n if (!matchesRedirectUri(redirectUri, client.redirect_uris)) {\n return c.html(\n renderErrorPage(\n \"Redirect URI mismatch\",\n \"The redirect_uri is not registered for this application.\",\n SERVICE_LABEL,\n ),\n 400,\n );\n }\n }\n\n const code = randomBytes(20).toString(\"hex\");\n getPendingCodes(store).set(code, {\n userRef: user.okta_id,\n scope,\n redirectUri,\n clientId,\n nonce: nonce || null,\n codeChallenge: codeChallenge || null,\n codeChallengeMethod: codeChallengeMethod || null,\n authServerId,\n createdAt: Date.now(),\n });\n\n debug(\"okta.oauth\", `[callback] code=${code.slice(0, 8)}... user=${user.login} server=${authServerId}`);\n\n if (responseMode === \"form_post\") {\n return c.html(renderFormPostPage(redirectUri, { code, state }, SERVICE_LABEL));\n }\n\n const url = new URL(redirectUri);\n url.searchParams.set(\"code\", code);\n if (state) url.searchParams.set(\"state\", state);\n return c.redirect(url.toString(), 302);\n };\n\n app.post(\"/oauth2/v1/authorize/callback\", (c) => handleAuthorizeCallback(c, ORG_AUTH_SERVER_ID));\n app.post(\"/oauth2/:authServerId/v1/authorize/callback\", (c) =>\n handleAuthorizeCallback(c, c.req.param(\"authServerId\")),\n );\n\n const handleToken = async (c: Context<AppEnv>, authServerId: string): Promise<Response> => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const body = await parseTokenLikeBody(c);\n const grantType = body.grant_type ?? \"\";\n const code = body.code ?? \"\";\n const redirectUri = body.redirect_uri ?? \"\";\n const codeVerifier = body.code_verifier;\n const refreshToken = body.refresh_token ?? \"\";\n const requestedScope = body.scope ?? \"\";\n\n const creds = parseClientCredentials(c, body);\n const validation = validateClient(oktaStore.oauthClients.all(), authServerId, creds.clientId, creds.clientSecret);\n if (validation.error) {\n return c.json(validation.error.body, validation.error.status as 401);\n }\n const validatedClient = validation.client;\n\n if (grantType === \"authorization_code\") {\n const pending = getPendingCodes(store).get(code);\n if (!pending || isCodeExpired(pending)) {\n if (pending) getPendingCodes(store).delete(code);\n return c.json({ error: \"invalid_grant\", error_description: \"Authorization code is invalid or expired.\" }, 400);\n }\n if (pending.authServerId !== authServerId) {\n return c.json({ error: \"invalid_grant\", error_description: \"Authorization server mismatch.\" }, 400);\n }\n if (redirectUri && redirectUri !== pending.redirectUri) {\n return c.json({ error: \"invalid_grant\", error_description: \"redirect_uri does not match.\" }, 400);\n }\n if (validatedClient && validatedClient.client_id !== pending.clientId) {\n return c.json(\n { error: \"invalid_grant\", error_description: \"Authorization code was not issued to this client.\" },\n 400,\n );\n }\n\n if (pending.codeChallenge !== null) {\n if (!codeVerifier) {\n return c.json({ error: \"invalid_grant\", error_description: \"PKCE verification failed.\" }, 400);\n }\n const method = (pending.codeChallengeMethod ?? \"plain\").toLowerCase();\n if (method === \"s256\") {\n const expected = createHash(\"sha256\").update(codeVerifier).digest(\"base64url\");\n if (expected !== pending.codeChallenge) {\n return c.json({ error: \"invalid_grant\", error_description: \"PKCE verification failed.\" }, 400);\n }\n } else if (method === \"plain\") {\n if (codeVerifier !== pending.codeChallenge) {\n return c.json({ error: \"invalid_grant\", error_description: \"PKCE verification failed.\" }, 400);\n }\n } else {\n return c.json({ error: \"invalid_grant\", error_description: \"PKCE verification failed.\" }, 400);\n }\n }\n\n const user = findUserByRef(oktaStore, pending.userRef);\n if (!user) return c.json({ error: \"invalid_grant\", error_description: \"Unknown user.\" }, 400);\n getPendingCodes(store).delete(code);\n\n const now = Math.floor(Date.now() / 1000);\n const audienceClient = pending.clientId || creds.clientId || \"okta-client\";\n const scope = pending.scope || \"openid profile email\";\n const accessToken = `okta_${randomBytes(20).toString(\"base64url\")}`;\n const newRefreshToken = `r_okta_${randomBytes(20).toString(\"base64url\")}`;\n\n getAccessTokens(store).set(accessToken, {\n authServerId,\n clientId: audienceClient,\n scope,\n issuedAt: now,\n expiresAt: now + 3600,\n userOktaId: user.okta_id,\n username: user.login,\n });\n getRefreshTokens(store).set(newRefreshToken, {\n authServerId,\n clientId: audienceClient,\n scope,\n userOktaId: user.okta_id,\n username: user.login,\n nonce: pending.nonce,\n });\n\n tokenMap?.set(accessToken, {\n login: user.login,\n id: user.id,\n scopes: parseScope(scope),\n });\n\n const idToken = await createIdToken(oktaStore, user, audienceClient, pending.nonce, server.issuer, scope);\n\n return c.json({\n token_type: \"Bearer\",\n expires_in: 3600,\n access_token: accessToken,\n refresh_token: newRefreshToken,\n id_token: idToken,\n scope,\n });\n }\n\n if (grantType === \"refresh_token\") {\n const existing = getRefreshTokens(store).get(refreshToken);\n if (!existing) {\n return c.json({ error: \"invalid_grant\", error_description: \"Invalid refresh token.\" }, 400);\n }\n if (existing.authServerId !== authServerId) {\n return c.json({ error: \"invalid_grant\", error_description: \"Authorization server mismatch.\" }, 400);\n }\n if (validatedClient && validatedClient.client_id !== existing.clientId) {\n return c.json(\n { error: \"invalid_grant\", error_description: \"Refresh token was not issued to this client.\" },\n 400,\n );\n }\n\n const user = oktaStore.users.findOneBy(\"okta_id\", existing.userOktaId);\n if (!user) return c.json({ error: \"invalid_grant\", error_description: \"Unknown user.\" }, 400);\n getRefreshTokens(store).delete(refreshToken);\n\n const now = Math.floor(Date.now() / 1000);\n const nextAccessToken = `okta_${randomBytes(20).toString(\"base64url\")}`;\n const nextRefreshToken = `r_okta_${randomBytes(20).toString(\"base64url\")}`;\n const scope = requestedScope || existing.scope;\n\n getAccessTokens(store).set(nextAccessToken, {\n authServerId,\n clientId: existing.clientId,\n scope,\n issuedAt: now,\n expiresAt: now + 3600,\n userOktaId: user.okta_id,\n username: user.login,\n });\n getRefreshTokens(store).set(nextRefreshToken, {\n ...existing,\n scope,\n });\n\n tokenMap?.set(nextAccessToken, {\n login: user.login,\n id: user.id,\n scopes: parseScope(scope),\n });\n\n const response: Record<string, unknown> = {\n token_type: \"Bearer\",\n expires_in: 3600,\n access_token: nextAccessToken,\n refresh_token: nextRefreshToken,\n scope,\n };\n\n if (parseScope(scope).includes(\"openid\")) {\n response.id_token = await createIdToken(\n oktaStore,\n user,\n existing.clientId,\n existing.nonce,\n server.issuer,\n scope,\n );\n }\n\n return c.json(response);\n }\n\n if (grantType === \"client_credentials\") {\n if (oktaStore.oauthClients.all().length > 0 && !validatedClient) {\n return c.json({ error: \"invalid_client\", error_description: \"Unknown client.\" }, 401);\n }\n\n const scope = requestedScope || \".default\";\n const now = Math.floor(Date.now() / 1000);\n const accessToken = `okta_${randomBytes(20).toString(\"base64url\")}`;\n const clientId = validatedClient?.client_id ?? creds.clientId;\n\n if (!clientId) {\n return c.json({ error: \"invalid_client\", error_description: \"client_id is required.\" }, 401);\n }\n\n getAccessTokens(store).set(accessToken, {\n authServerId,\n clientId,\n scope,\n issuedAt: now,\n expiresAt: now + 3600,\n userOktaId: null,\n username: null,\n });\n\n tokenMap?.set(accessToken, {\n login: clientId,\n id: 0,\n scopes: parseScope(scope),\n });\n\n return c.json({\n token_type: \"Bearer\",\n expires_in: 3600,\n access_token: accessToken,\n scope,\n });\n }\n\n return c.json({ error: \"unsupported_grant_type\" }, 400);\n };\n\n app.post(\"/oauth2/v1/token\", (c) => handleToken(c, ORG_AUTH_SERVER_ID));\n app.post(\"/oauth2/:authServerId/v1/token\", (c) => handleToken(c, c.req.param(\"authServerId\")));\n\n const handleUserInfo = (c: Context<AppEnv>, authServerId: string): Response => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const token = c.get(\"authToken\") ?? \"\";\n const access = getAccessTokens(store).get(token);\n if (!access || access.authServerId !== authServerId || !access.userOktaId) {\n return unauthorizedOAuthError();\n }\n\n const user = oktaStore.users.findOneBy(\"okta_id\", access.userOktaId);\n if (!user) return unauthorizedOAuthError();\n\n const claims: Record<string, unknown> = {\n sub: user.okta_id,\n name: userDisplayName(user),\n preferred_username: user.login,\n email: user.email,\n email_verified: true,\n locale: user.locale,\n zoneinfo: user.time_zone,\n };\n\n if (parseScope(access.scope).includes(\"groups\")) {\n claims.groups = collectUserGroups(oktaStore, user);\n }\n\n return c.json(claims);\n };\n\n app.get(\"/oauth2/v1/userinfo\", (c) => handleUserInfo(c, ORG_AUTH_SERVER_ID));\n app.get(\"/oauth2/:authServerId/v1/userinfo\", (c) => handleUserInfo(c, c.req.param(\"authServerId\")));\n\n const handleRevoke = async (c: Context<AppEnv>, authServerId: string): Promise<Response> => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const body = await parseTokenLikeBody(c);\n const token = body.token ?? \"\";\n getAccessTokens(store).delete(token);\n getRefreshTokens(store).delete(token);\n tokenMap?.delete(token);\n return c.body(\"\", 200);\n };\n\n app.post(\"/oauth2/v1/revoke\", (c) => handleRevoke(c, ORG_AUTH_SERVER_ID));\n app.post(\"/oauth2/:authServerId/v1/revoke\", (c) => handleRevoke(c, c.req.param(\"authServerId\")));\n\n const handleIntrospect = async (c: Context<AppEnv>, authServerId: string): Promise<Response> => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const body = await parseTokenLikeBody(c);\n const token = body.token ?? \"\";\n const creds = parseClientCredentials(c, body);\n\n const validation = validateClient(oktaStore.oauthClients.all(), authServerId, creds.clientId, creds.clientSecret);\n if (validation.error) {\n return c.json(validation.error.body, validation.error.status as 401);\n }\n\n const now = Math.floor(Date.now() / 1000);\n const access = getAccessTokens(store).get(token);\n if (access && access.authServerId === authServerId && access.expiresAt > now) {\n return c.json({\n active: true,\n token_type: \"Bearer\",\n scope: access.scope,\n client_id: access.clientId,\n username: access.username,\n sub: access.userOktaId,\n aud: server.audiences,\n iss: server.issuer,\n exp: access.expiresAt,\n iat: access.issuedAt,\n });\n }\n\n const refresh = getRefreshTokens(store).get(token);\n if (refresh && refresh.authServerId === authServerId) {\n return c.json({\n active: true,\n token_type: \"refresh_token\",\n scope: refresh.scope,\n client_id: refresh.clientId,\n username: refresh.username,\n sub: refresh.userOktaId,\n aud: server.audiences,\n iss: server.issuer,\n });\n }\n\n return c.json({ active: false });\n };\n\n app.post(\"/oauth2/v1/introspect\", (c) => handleIntrospect(c, ORG_AUTH_SERVER_ID));\n app.post(\"/oauth2/:authServerId/v1/introspect\", (c) => handleIntrospect(c, c.req.param(\"authServerId\")));\n\n const handleLogout = (c: Context<AppEnv>, authServerId: string): Response => {\n const server = resolveServer(authServerId, baseUrl, oktaStore);\n if (!server) return oktaError(c, 404, \"E0000007\", `Not found: authorization server '${authServerId}'`);\n\n const postLogoutRedirectUri = c.req.query(\"post_logout_redirect_uri\");\n if (!postLogoutRedirectUri) return c.text(\"Logged out\");\n\n const scopedClients = getClientsForServer(oktaStore.oauthClients.all(), authServerId);\n if (scopedClients.length > 0) {\n const isAllowed = scopedClients.some((client) => matchesRedirectUri(postLogoutRedirectUri, client.redirect_uris));\n if (!isAllowed) return c.text(\"Invalid post_logout_redirect_uri\", 400);\n }\n\n return c.redirect(postLogoutRedirectUri, 302);\n };\n\n app.get(\"/oauth2/v1/logout\", (c) => handleLogout(c, ORG_AUTH_SERVER_ID));\n app.get(\"/oauth2/:authServerId/v1/logout\", (c) => handleLogout(c, c.req.param(\"authServerId\")));\n}\n\nexport { DEFAULT_AUTH_SERVER_ID };\n","import { parsePagination, setLinkHeader, type RouteContext } from \"@emulators/core\";\nimport { boolFromQuery, generateOktaId, nowIso, userDisplayName } from \"../helpers.js\";\nimport { findUserByRef, oktaError, readJsonObject, requireManagementAuth, userResponse } from \"../route-helpers.js\";\nimport { getOktaStore } from \"../store.js\";\nimport type { OktaUser, OktaUserStatus } from \"../entities.js\";\n\nfunction updateUserProfile(user: OktaUser, profile: Record<string, unknown>): Partial<OktaUser> {\n const nextFirstName = typeof profile.firstName === \"string\" ? profile.firstName : user.first_name;\n const nextLastName = typeof profile.lastName === \"string\" ? profile.lastName : user.last_name;\n const nextDisplayName =\n typeof profile.displayName === \"string\"\n ? profile.displayName\n : typeof profile.nickName === \"string\"\n ? profile.nickName\n : user.display_name;\n\n return {\n login: typeof profile.login === \"string\" ? profile.login : user.login,\n email: typeof profile.email === \"string\" ? profile.email : user.email,\n first_name: nextFirstName,\n last_name: nextLastName,\n display_name: nextDisplayName || `${nextFirstName} ${nextLastName}`.trim(),\n locale: typeof profile.locale === \"string\" ? profile.locale : user.locale,\n time_zone: typeof profile.timeZone === \"string\" ? profile.timeZone : user.time_zone,\n };\n}\n\nfunction setLifecycleStatus(user: OktaUser, target: OktaUserStatus): Partial<OktaUser> {\n const now = nowIso();\n const activatedAt = target === \"ACTIVE\" ? (user.activated_at ?? now) : user.activated_at;\n return {\n status: target,\n transitioning_to_status: null,\n status_changed_at: now,\n activated_at: activatedAt,\n };\n}\n\nexport function userRoutes({ app, store, baseUrl, tokenMap }: RouteContext): void {\n const oktaStore = getOktaStore(store);\n\n app.get(\"/api/v1/users\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const q = (c.req.query(\"q\") ?? \"\").toLowerCase();\n const search = (c.req.query(\"search\") ?? \"\").toLowerCase();\n const filter = c.req.query(\"filter\") ?? \"\";\n\n let users = oktaStore.users.all();\n\n if (q) {\n users = users.filter((user) =>\n [user.login, user.email, user.first_name, user.last_name, user.display_name]\n .join(\" \")\n .toLowerCase()\n .includes(q),\n );\n }\n\n if (search) {\n users = users.filter((user) =>\n [user.login, user.email, user.first_name, user.last_name, user.display_name]\n .join(\" \")\n .toLowerCase()\n .includes(search),\n );\n }\n\n if (filter) {\n const statusMatch = filter.match(/status\\s+eq\\s+\"?([A-Z_]+)\"?/i);\n if (statusMatch?.[1]) {\n users = users.filter((user) => user.status === statusMatch[1]);\n }\n }\n\n const { page, per_page } = parsePagination(c);\n const total = users.length;\n const start = (page - 1) * per_page;\n const paged = users.slice(start, start + per_page);\n setLinkHeader(c, total, page, per_page);\n c.header(\"X-Total-Count\", String(total));\n\n return c.json(paged.map((user) => userResponse(baseUrl, user)));\n });\n\n app.post(\"/api/v1/users\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const body = await readJsonObject(c);\n const profile = (body.profile && typeof body.profile === \"object\" ? body.profile : {}) as Record<string, unknown>;\n const login = typeof profile.login === \"string\" ? profile.login.trim() : \"\";\n const email = typeof profile.email === \"string\" ? profile.email.trim() : login;\n\n if (!login || !email) {\n return oktaError(c, 400, \"E0000001\", \"profile.login and profile.email are required\");\n }\n\n if (oktaStore.users.findOneBy(\"login\", login) || oktaStore.users.findOneBy(\"email\", email)) {\n return oktaError(c, 400, \"E0000001\", \"A user with the same login or email already exists\");\n }\n\n const activate = boolFromQuery(c.req.query(\"activate\"), true);\n const now = nowIso();\n const firstName = typeof profile.firstName === \"string\" ? profile.firstName : \"Test\";\n const lastName = typeof profile.lastName === \"string\" ? profile.lastName : \"User\";\n const displayName =\n typeof profile.displayName === \"string\" ? profile.displayName : `${firstName} ${lastName}`.trim() || login;\n\n const created = oktaStore.users.insert({\n okta_id: generateOktaId(\"00u\"),\n status: activate ? \"ACTIVE\" : \"STAGED\",\n activated_at: activate ? now : null,\n status_changed_at: now,\n last_login_at: null,\n password_changed_at: null,\n transitioning_to_status: null,\n login,\n email,\n first_name: firstName,\n last_name: lastName,\n display_name: displayName,\n locale: typeof profile.locale === \"string\" ? profile.locale : \"en-US\",\n time_zone: typeof profile.timeZone === \"string\" ? profile.timeZone : \"UTC\",\n });\n\n return c.json(userResponse(baseUrl, created), 201);\n });\n\n app.get(\"/api/v1/users/me\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const user = oktaStore.users.findOneBy(\"login\", auth.login) ?? oktaStore.users.all()[0];\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const response = userResponse(baseUrl, user);\n return c.json({\n ...response,\n profile: {\n ...(response.profile as Record<string, unknown>),\n displayName: userDisplayName(user),\n },\n });\n });\n\n app.get(\"/api/v1/users/:userId/groups\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const memberships = oktaStore.groupMemberships.findBy(\"user_okta_id\", user.okta_id);\n const groups = memberships\n .map((membership) => oktaStore.groups.findOneBy(\"okta_id\", membership.group_okta_id))\n .filter((group): group is NonNullable<typeof group> => Boolean(group));\n\n return c.json(\n groups.map((group) => ({\n id: group.okta_id,\n profile: {\n name: group.name,\n description: group.description,\n },\n type: group.type,\n })),\n );\n });\n\n app.post(\"/api/v1/users/:userId/lifecycle/activate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n const updated = oktaStore.users.update(user.id, setLifecycleStatus(user, \"ACTIVE\"));\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n\n app.post(\"/api/v1/users/:userId/lifecycle/deactivate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n const updated = oktaStore.users.update(user.id, setLifecycleStatus(user, \"DEPROVISIONED\"));\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n\n app.post(\"/api/v1/users/:userId/lifecycle/suspend\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n const updated = oktaStore.users.update(user.id, setLifecycleStatus(user, \"SUSPENDED\"));\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n\n app.post(\"/api/v1/users/:userId/lifecycle/unsuspend\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n const updated = oktaStore.users.update(user.id, setLifecycleStatus(user, \"ACTIVE\"));\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n\n app.get(\"/api/v1/users/:userId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n return c.json(userResponse(baseUrl, user));\n });\n\n app.put(\"/api/v1/users/:userId\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const body = await readJsonObject(c);\n const profile = (body.profile && typeof body.profile === \"object\" ? body.profile : {}) as Record<string, unknown>;\n\n const updates = updateUserProfile(user, profile);\n if (\n (updates.login !== user.login && oktaStore.users.findOneBy(\"login\", updates.login ?? \"\")) ||\n (updates.email !== user.email && oktaStore.users.findOneBy(\"email\", updates.email ?? \"\"))\n ) {\n return oktaError(c, 400, \"E0000001\", \"A user with the same login or email already exists\");\n }\n\n const updated = oktaStore.users.update(user.id, updates);\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n\n app.post(\"/api/v1/users/:userId\", async (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n const body = await readJsonObject(c);\n const profile = (body.profile && typeof body.profile === \"object\" ? body.profile : {}) as Record<string, unknown>;\n const updates = updateUserProfile(user, profile);\n const updated = oktaStore.users.update(user.id, updates);\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n\n app.delete(\"/api/v1/users/:userId\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n\n // Match Okta behavior: first delete request deactivates, second removes.\n if (user.status !== \"DEPROVISIONED\") {\n oktaStore.users.update(user.id, setLifecycleStatus(user, \"DEPROVISIONED\"));\n return new Response(null, { status: 204 });\n }\n\n for (const membership of oktaStore.groupMemberships.findBy(\"user_okta_id\", user.okta_id)) {\n oktaStore.groupMemberships.delete(membership.id);\n }\n for (const assignment of oktaStore.appAssignments.findBy(\"user_okta_id\", user.okta_id)) {\n oktaStore.appAssignments.delete(assignment.id);\n }\n\n oktaStore.users.delete(user.id);\n return new Response(null, { status: 204 });\n });\n\n app.post(\"/api/v1/users/:userId/lifecycle/reactivate\", (c) => {\n const auth = requireManagementAuth(c, tokenMap);\n if (auth instanceof Response) return auth;\n const user = findUserByRef(oktaStore, c.req.param(\"userId\"));\n if (!user) return oktaError(c, 404, \"E0000007\", \"Not found: user\");\n const updated = oktaStore.users.update(user.id, {\n status: \"PROVISIONED\",\n status_changed_at: nowIso(),\n transitioning_to_status: null,\n });\n return c.json(userResponse(baseUrl, updated ?? user));\n });\n}\n","import type { Hono } from \"hono\";\nimport type { AppEnv, RouteContext, ServicePlugin, Store, TokenMap, WebhookDispatcher } from \"@emulators/core\";\nimport type { OktaAuthorizationServerStatus, OktaGroupType, OktaUserStatus } from \"./entities.js\";\nimport {\n createDefaultApp,\n createDefaultAuthorizationServer,\n createDefaultGroup,\n createDefaultUser,\n DEFAULT_AUTH_SERVER_ID,\n DEFAULT_EVERYONE_GROUP_ID,\n generateOktaId,\n normalizeAppStatus,\n normalizeAuthServerStatus,\n normalizeGroupType,\n normalizeStatus,\n} from \"./helpers.js\";\nimport { appRoutes } from \"./routes/apps.js\";\nimport { authorizationServerRoutes } from \"./routes/auth-servers.js\";\nimport { groupRoutes } from \"./routes/groups.js\";\nimport { oauthRoutes } from \"./routes/oauth.js\";\nimport { userRoutes } from \"./routes/users.js\";\nimport { getOktaStore } from \"./store.js\";\n\nexport { getOktaStore, type OktaStore } from \"./store.js\";\nexport * from \"./entities.js\";\n\nexport interface OktaSeedConfig {\n users?: Array<{\n okta_id?: string;\n status?: OktaUserStatus;\n login: string;\n email?: string;\n first_name?: string;\n last_name?: string;\n display_name?: string;\n locale?: string;\n time_zone?: string;\n }>;\n groups?: Array<{\n okta_id?: string;\n type?: OktaGroupType;\n name: string;\n description?: string;\n }>;\n apps?: Array<{\n okta_id?: string;\n name: string;\n label?: string;\n status?: \"ACTIVE\" | \"INACTIVE\";\n sign_on_mode?: string;\n settings?: Record<string, unknown>;\n credentials?: Record<string, unknown>;\n }>;\n oauth_clients?: Array<{\n client_id: string;\n client_secret?: string;\n name: string;\n redirect_uris: string[];\n response_types?: string[];\n grant_types?: string[];\n token_endpoint_auth_method?: \"client_secret_post\" | \"client_secret_basic\" | \"none\";\n auth_server_id?: string;\n }>;\n authorization_servers?: Array<{\n id: string;\n name: string;\n description?: string;\n audiences?: string[];\n status?: OktaAuthorizationServerStatus;\n }>;\n group_memberships?: Array<{\n group_okta_id: string;\n user_okta_id: string;\n }>;\n app_assignments?: Array<{\n app_okta_id: string;\n user_okta_id: string;\n }>;\n}\n\nfunction ensureMembership(store: ReturnType<typeof getOktaStore>, groupOktaId: string, userOktaId: string): void {\n const existing = store.groupMemberships\n .findBy(\"group_okta_id\", groupOktaId)\n .find((entry) => entry.user_okta_id === userOktaId);\n if (!existing) {\n store.groupMemberships.insert({\n group_okta_id: groupOktaId,\n user_okta_id: userOktaId,\n });\n }\n}\n\nfunction ensureAppAssignment(store: ReturnType<typeof getOktaStore>, appOktaId: string, userOktaId: string): void {\n const existing = store.appAssignments\n .findBy(\"app_okta_id\", appOktaId)\n .find((entry) => entry.user_okta_id === userOktaId);\n if (!existing) {\n store.appAssignments.insert({\n app_okta_id: appOktaId,\n user_okta_id: userOktaId,\n });\n }\n}\n\nfunction seedDefaults(store: Store, _baseUrl: string): void {\n const okta = getOktaStore(store);\n\n const defaultServer = okta.authorizationServers.findOneBy(\"server_id\", DEFAULT_AUTH_SERVER_ID);\n if (!defaultServer) {\n okta.authorizationServers.insert(createDefaultAuthorizationServer());\n }\n\n let everyone = okta.groups.findOneBy(\"okta_id\", DEFAULT_EVERYONE_GROUP_ID);\n if (!everyone) {\n everyone = okta.groups.insert(createDefaultGroup());\n }\n\n let user = okta.users.findOneBy(\"login\", \"testuser@okta.local\");\n if (!user) {\n user = okta.users.insert(createDefaultUser());\n }\n\n if (!okta.oauthClients.findOneBy(\"client_id\", \"okta-test-client\")) {\n okta.oauthClients.insert({\n client_id: \"okta-test-client\",\n client_secret: \"okta-test-secret\",\n name: \"Sample OIDC Client\",\n redirect_uris: [\"http://localhost:3000/callback\"],\n response_types: [\"code\"],\n grant_types: [\"authorization_code\", \"refresh_token\", \"client_credentials\"],\n token_endpoint_auth_method: \"client_secret_post\",\n auth_server_id: DEFAULT_AUTH_SERVER_ID,\n });\n }\n\n if (!okta.oauthClients.findOneBy(\"client_id\", \"okta-test-app\")) {\n okta.oauthClients.insert({\n client_id: \"okta-test-app\",\n client_secret: \"\",\n name: \"Sample Public PKCE Client\",\n redirect_uris: [\"http://localhost:3000/official-sdk/callback\", \"http://localhost:3000/official-sdk\"],\n response_types: [\"code\"],\n grant_types: [\"authorization_code\", \"refresh_token\"],\n token_endpoint_auth_method: \"none\",\n auth_server_id: DEFAULT_AUTH_SERVER_ID,\n });\n }\n\n if (okta.apps.all().length === 0) {\n okta.apps.insert(createDefaultApp());\n }\n\n ensureMembership(okta, everyone.okta_id, user.okta_id);\n}\n\nexport function seedFromConfig(store: Store, _baseUrl: string, config: OktaSeedConfig): void {\n const okta = getOktaStore(store);\n\n if (config.authorization_servers) {\n for (const server of config.authorization_servers) {\n const existing = okta.authorizationServers.findOneBy(\"server_id\", server.id);\n if (existing) continue;\n okta.authorizationServers.insert({\n server_id: server.id,\n name: server.name,\n description: server.description ?? \"\",\n audiences: server.audiences ?? [\"api://default\"],\n status: normalizeAuthServerStatus(server.status, \"ACTIVE\"),\n });\n }\n }\n\n if (config.users) {\n for (const user of config.users) {\n const byLogin = okta.users.findOneBy(\"login\", user.login);\n if (byLogin) continue;\n const resolvedStatus = normalizeStatus(user.status, \"ACTIVE\");\n okta.users.insert({\n okta_id: user.okta_id ?? generateOktaId(\"00u\"),\n status: resolvedStatus,\n activated_at: resolvedStatus === \"ACTIVE\" ? new Date().toISOString() : null,\n status_changed_at: new Date().toISOString(),\n last_login_at: null,\n password_changed_at: null,\n transitioning_to_status: null,\n login: user.login,\n email: user.email ?? user.login,\n first_name: user.first_name ?? \"Test\",\n last_name: user.last_name ?? \"User\",\n display_name: user.display_name ?? `${user.first_name ?? \"Test\"} ${user.last_name ?? \"User\"}`.trim(),\n locale: user.locale ?? \"en-US\",\n time_zone: user.time_zone ?? \"UTC\",\n });\n }\n }\n\n if (config.groups) {\n for (const group of config.groups) {\n const byName = okta.groups.findOneBy(\"name\", group.name);\n if (byName) continue;\n okta.groups.insert({\n okta_id: group.okta_id ?? generateOktaId(\"00g\"),\n type: normalizeGroupType(group.type, \"OKTA_GROUP\"),\n name: group.name,\n description: group.description ?? null,\n });\n }\n }\n\n if (config.apps) {\n for (const app of config.apps) {\n const byName = okta.apps.findOneBy(\"name\", app.name);\n if (byName) continue;\n okta.apps.insert({\n okta_id: app.okta_id ?? generateOktaId(\"0oa\"),\n name: app.name,\n label: app.label ?? app.name,\n status: normalizeAppStatus(app.status, \"ACTIVE\"),\n sign_on_mode: app.sign_on_mode ?? \"OPENID_CONNECT\",\n settings: app.settings ?? {},\n credentials: app.credentials ?? {},\n });\n }\n }\n\n if (config.oauth_clients) {\n for (const client of config.oauth_clients) {\n const existing = okta.oauthClients.findOneBy(\"client_id\", client.client_id);\n if (existing) continue;\n const tokenEndpointAuthMethod = client.token_endpoint_auth_method ?? \"client_secret_post\";\n okta.oauthClients.insert({\n client_id: client.client_id,\n client_secret: client.client_secret ?? \"\",\n name: client.name,\n redirect_uris: client.redirect_uris,\n response_types: client.response_types ?? [\"code\"],\n grant_types: client.grant_types ?? [\"authorization_code\", \"refresh_token\", \"client_credentials\"],\n token_endpoint_auth_method: tokenEndpointAuthMethod,\n auth_server_id: client.auth_server_id ?? DEFAULT_AUTH_SERVER_ID,\n });\n }\n }\n\n if (config.group_memberships) {\n for (const membership of config.group_memberships) {\n const group = okta.groups.findOneBy(\"okta_id\", membership.group_okta_id);\n const user = okta.users.findOneBy(\"okta_id\", membership.user_okta_id);\n if (!group || !user) continue;\n ensureMembership(okta, group.okta_id, user.okta_id);\n }\n }\n\n if (config.app_assignments) {\n for (const assignment of config.app_assignments) {\n const app = okta.apps.findOneBy(\"okta_id\", assignment.app_okta_id);\n const user = okta.users.findOneBy(\"okta_id\", assignment.user_okta_id);\n if (!app || !user) continue;\n ensureAppAssignment(okta, app.okta_id, user.okta_id);\n }\n }\n}\n\nexport const oktaPlugin: ServicePlugin = {\n name: \"okta\",\n register(app: Hono<AppEnv>, store: Store, webhooks: WebhookDispatcher, baseUrl: string, tokenMap?: TokenMap): void {\n const ctx: RouteContext = { app, store, webhooks, baseUrl, tokenMap };\n oauthRoutes(ctx);\n userRoutes(ctx);\n groupRoutes(ctx);\n appRoutes(ctx);\n authorizationServerRoutes(ctx);\n },\n seed(store: Store, baseUrl: string): void {\n seedDefaults(store, baseUrl);\n },\n};\n\nexport default oktaPlugin;\n"],"mappings":";AAAA,SAAS,kBAAkB;AAYpB,IAAM,qBAAqB;AAC3B,IAAM,yBAAyB;AAC/B,IAAM,mBAAmB;AACzB,IAAM,8BAA8B;AACpC,IAAM,4BAA4B;AAElC,SAAS,SAAiB;AAC/B,UAAO,oBAAI,KAAK,GAAE,YAAY;AAChC;AAEO,SAAS,eAAe,QAAwB;AACrD,QAAM,UAAU,WAAW,EAAE,QAAQ,MAAM,EAAE;AAC7C,SAAO,GAAG,MAAM,GAAG,QAAQ,MAAM,GAAG,EAAE,CAAC;AACzC;AAEO,SAAS,gBAAgB,QAA4B,UAA0C;AACpG,MACE,WAAW,YACX,WAAW,iBACX,WAAW,YACX,WAAW,eACX,WAAW,iBACX;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEO,SAAS,mBAAmB,QAA4B,UAAwC;AACrG,MAAI,WAAW,YAAY,WAAW,WAAY,QAAO;AACzD,SAAO;AACT;AAEO,SAAS,0BACd,QACA,UAC+B;AAC/B,MAAI,WAAW,YAAY,WAAW,WAAY,QAAO;AACzD,SAAO;AACT;AAEO,SAAS,mBAAmB,MAA0B,UAAwC;AACnG,MAAI,SAAS,gBAAgB,SAAS,WAAY,QAAO;AACzD,SAAO;AACT;AAEO,SAAS,cAAc,OAA2B,UAA4B;AACnF,MAAI,SAAS,KAAM,QAAO;AAC1B,QAAM,UAAU,MAAM,YAAY;AAClC,MAAI,YAAY,UAAU,YAAY,IAAK,QAAO;AAClD,MAAI,YAAY,WAAW,YAAY,IAAK,QAAO;AACnD,SAAO;AACT;AAEO,SAAS,kBAAkB,SAAiB,cAA8B;AAC/E,MAAI,iBAAiB,mBAAoB,QAAO;AAChD,SAAO,GAAG,OAAO,WAAW,YAAY;AAC1C;AAEO,SAAS,gBAAgB,MAAqF;AACnH,MAAI,KAAK,aAAc,QAAO,KAAK;AACnC,QAAM,WAAW,GAAG,KAAK,UAAU,IAAI,KAAK,SAAS,GAAG,KAAK;AAC7D,SAAO,YAAY,KAAK;AAC1B;AAEO,SAAS,oBAAwE;AACtF,QAAM,MAAM,OAAO;AACnB,SAAO;AAAA,IACL,SAAS,eAAe,KAAK;AAAA,IAC7B,QAAQ;AAAA,IACR,cAAc;AAAA,IACd,mBAAmB;AAAA,IACnB,eAAe;AAAA,IACf,qBAAqB;AAAA,IACrB,yBAAyB;AAAA,IACzB,OAAO;AAAA,IACP,OAAO;AAAA,IACP,YAAY;AAAA,IACZ,WAAW;AAAA,IACX,cAAc;AAAA,IACd,QAAQ;AAAA,IACR,WAAW;AAAA,EACb;AACF;AAEO,SAAS,qBAA0E;AACxF,SAAO;AAAA,IACL,SAAS;AAAA,IACT,MAAM;AAAA,IACN,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AACF;AAEO,SAAS,mCAAsG;AACpH,SAAO;AAAA,IACL,WAAW;AAAA,IACX,MAAM;AAAA,IACN,aAAa;AAAA,IACb,WAAW,CAAC,gBAAgB;AAAA,IAC5B,QAAQ;AAAA,EACV;AACF;AAEO,SAAS,mBAAsE;AACpF,SAAO;AAAA,IACL,SAAS,eAAe,KAAK;AAAA,IAC7B,MAAM;AAAA,IACN,OAAO;AAAA,IACP,QAAQ;AAAA,IACR,cAAc;AAAA,IACd,UAAU;AAAA,MACR,aAAa;AAAA,QACX,eAAe,CAAC,gCAAgC;AAAA,MAClD;AAAA,IACF;AAAA,IACA,aAAa,CAAC;AAAA,EAChB;AACF;;;AElIA,SAAS,YAAY;AACrB,SAAS,YAAY;AGArB,SAAS,WAAW,mBAAmB;AEDvC,SAAS,oBAAoB;AAC7B,SAAS,qBAAqB;AAC9B,SAAS,SAAS,YAAY;AGF9B,SAAS,uBAAuB;ANsCzB,SAAS,mBAAmB,kBAA8C;AAC/E,SAAO,OAAO,GAAG,SAAS;AACxB,QAAI,kBAAkB;AACpB,QAAE,IAAI,WAAW,gBAAgB;IACnC;AACA,UAAM,KAAK;EACb;AACF;AAEO,IAAM,eAAkC,mBAAmB;AE/ClE,IAAM,UACJ,OAAO,YAAY,gBAClB,QAAQ,IAAI,UAAU,OAAO,QAAQ,IAAI,UAAU,UAAU,QAAQ,IAAI,kBAAkB;AAEvF,SAAS,MAAM,UAAkB,MAAuB;AAC7D,MAAI,SAAS;AACX,YAAQ,IAAI,IAAI,KAAK,KAAK,GAAG,IAAI;EACnC;AACF;ACFA,IAAM,YAAY,QAAQ,cAAc,YAAY,GAAG,CAAC;AAExD,IAAM,QAAgC;EACpC,oBAAoB,aAAa,KAAK,WAAW,SAAS,kBAAkB,CAAC;EAC7E,2BAA2B,aAAa,KAAK,WAAW,SAAS,yBAAyB,CAAC;AAC7F;AAEA,IAAM,UAAU,aAAa,KAAK,WAAW,SAAS,aAAa,CAAC;ACN7D,SAAS,gBAAgB,GAA8B;AAC5D,QAAM,OAAO,KAAK,IAAI,GAAG,SAAS,EAAE,IAAI,MAAM,MAAM,KAAK,KAAK,EAAE,KAAK,CAAC;AACtE,QAAM,WAAW,KAAK,IAAI,KAAK,KAAK,IAAI,GAAG,SAAS,EAAE,IAAI,MAAM,UAAU,KAAK,MAAM,EAAE,KAAK,EAAE,CAAC;AAC/F,SAAO,EAAE,MAAM,SAAS;AAC1B;AAEO,SAAS,cAAc,GAAY,YAAoB,MAAc,SAAuB;AACjG,QAAM,WAAW,KAAK,IAAI,GAAG,KAAK,KAAK,aAAa,OAAO,CAAC;AAC5D,QAAM,UAAU,IAAI,IAAI,EAAE,IAAI,GAAG;AACjC,QAAM,QAAkB,CAAC;AAEzB,QAAM,WAAW,CAAC,GAAW,QAAgB;AAC3C,YAAQ,aAAa,IAAI,QAAQ,OAAO,CAAC,CAAC;AAC1C,YAAQ,aAAa,IAAI,YAAY,OAAO,OAAO,CAAC;AACpD,WAAO,IAAI,QAAQ,SAAS,CAAC,WAAW,GAAG;EAC7C;AAEA,MAAI,OAAO,UAAU;AACnB,UAAM,KAAK,SAAS,OAAO,GAAG,MAAM,CAAC;AACrC,UAAM,KAAK,SAAS,UAAU,MAAM,CAAC;EACvC;AACA,MAAI,OAAO,GAAG;AACZ,UAAM,KAAK,SAAS,GAAG,OAAO,CAAC;AAC/B,UAAM,KAAK,SAAS,OAAO,GAAG,MAAM,CAAC;EACvC;AAEA,MAAI,MAAM,SAAS,GAAG;AACpB,MAAE,OAAO,QAAQ,MAAM,KAAK,IAAI,CAAC;EACnC;AACF;ACpCO,SAAS,WAAW,GAAmB;AAC5C,SAAO,EAAE,QAAQ,MAAM,OAAO,EAAE,QAAQ,MAAM,MAAM,EAAE,QAAQ,MAAM,MAAM,EAAE,QAAQ,MAAM,QAAQ;AACpG;AAEO,SAAS,WAAW,GAAmB;AAC5C,SAAO,WAAW,CAAC,EAAE,QAAQ,MAAM,OAAO;AAC5C;AAEA,IAAM,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiRZ,IAAM,aAAa;AAEnB,SAAS,OAAO,SAA0B;AACxC,QAAM,QAAQ,UAAU,GAAG,WAAW,OAAO,CAAC,cAAc;AAC5D,SAAO;gCACuB,KAAK;;;;;;;AAOrC;AAEA,SAAS,KAAK,OAAuB;AACnC,SAAO;;;;;;SAMA,WAAW,KAAK,CAAC;SACjB,GAAG;;AAEZ;AAEO,SAAS,eAAe,OAAe,UAAkB,MAAc,SAA0B;AACtG,SAAO,GAAG,KAAK,KAAK,CAAC;;EAErB,OAAO,OAAO,CAAC;;;8BAGa,WAAW,KAAK,CAAC;iCACd,QAAQ;MACnC,IAAI;;;EAGR,UAAU;;AAEZ;AAEO,SAAS,gBAAgB,OAAe,SAAiB,SAA0B;AACxF,SAAO,GAAG,KAAK,KAAK,CAAC;;EAErB,OAAO,OAAO,CAAC;;;+BAGc,WAAW,KAAK,CAAC;6BACnB,WAAW,OAAO,CAAC;;;EAG9C,UAAU;;AAEZ;AA4CO,SAAS,mBAAmB,QAAgB,QAAgC,SAA0B;AAC3G,QAAM,UAAU,OAAO,QAAQ,MAAM,EAClC,OAAO,CAAC,CAAC,EAAE,CAAC,MAAM,KAAK,IAAI,EAC3B,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,8BAA8B,WAAW,CAAC,CAAC,YAAY,WAAW,CAAC,CAAC,KAAK,EACzF,KAAK,IAAI;AAEZ,SAAO,GAAG,KAAK,aAAa,CAAC;;EAE7B,OAAO,OAAO,CAAC;;;;kCAIiB,WAAW,MAAM,CAAC;EAClD,OAAO;;;;;;;EAOP,UAAU;;AAEZ;AA6GO,SAAS,iBAAiB,MAAiC;AAChE,QAAM,UAAU,OAAO,QAAQ,KAAK,YAAY,EAC7C,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,8BAA8B,WAAW,CAAC,CAAC,YAAY,WAAW,CAAC,CAAC,KAAK,EACzF,KAAK,EAAE;AAEV,QAAM,WAAW,KAAK,OAAO,0BAA0B,WAAW,KAAK,IAAI,CAAC,WAAW;AACvF,QAAM,YAAY,KAAK,QAAQ,2BAA2B,WAAW,KAAK,KAAK,CAAC,WAAW;AAE3F,SAAO,iDAAiD,WAAW,KAAK,UAAU,CAAC;EACnF,OAAO;;yBAEgB,WAAW,KAAK,MAAM,CAAC;;+BAEjB,WAAW,KAAK,KAAK,CAAC;MAC/C,QAAQ,GAAG,SAAS;;;;AAI1B;AC7gBO,SAAS,aAAa,KAAqB;AAChD,MAAI;AACF,UAAM,IAAI,IAAI,IAAI,GAAG;AACrB,WAAO,GAAG,EAAE,MAAM,GAAG,EAAE,SAAS,QAAQ,QAAQ,EAAE,CAAC;EACrD,QAAQ;AACN,WAAO,IAAI,QAAQ,QAAQ,EAAE,EAAE,MAAM,GAAG,EAAE,CAAC;EAC7C;AACF;AAEO,SAAS,mBAAmB,UAAkB,YAA+B;AAClF,QAAM,aAAa,aAAa,QAAQ;AACxC,SAAO,WAAW,KAAK,CAAC,MAAM,aAAa,CAAC,MAAM,UAAU;AAC9D;AAEO,SAAS,wBAAwB,GAAW,GAAoB;AACrE,QAAM,OAAO,OAAO,KAAK,GAAG,OAAO;AACnC,QAAM,OAAO,OAAO,KAAK,GAAG,OAAO;AACnC,MAAI,KAAK,WAAW,KAAK,OAAQ,QAAO;AACxC,SAAO,gBAAgB,MAAM,IAAI;AACnC;AAEO,SAAS,QAAQ,GAAoB;AAC1C,MAAI,OAAO,MAAM,SAAU,QAAO;AAClC,MAAI,MAAM,QAAQ,CAAC,KAAK,OAAO,EAAE,CAAC,MAAM,SAAU,QAAO,EAAE,CAAC;AAC5D,SAAO;AACT;;;AElBA,SAAS,gBACP,QACA,WACA,cACA,cAAgC,CAAC,GACR;AACzB,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,WAAW;AAAA,IACX,SAAS,GAAG,SAAS,IAAI,KAAK,IAAI,CAAC;AAAA,IACnC;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,UACd,GACA,QACA,WACA,cACA,cAAgC,CAAC,GACvB;AACV,QAAM,OAAO,gBAAgB,QAAQ,WAAW,cAAc,WAAW;AACzE,SAAO,EAAE,KAAK,MAAM,MAA8B;AACpD;AAEA,eAAsB,eAAe,GAAsD;AACzF,MAAI;AACF,UAAM,OAAO,MAAM,EAAE,IAAI,KAAK;AAC9B,QAAI,QAAQ,OAAO,SAAS,UAAU;AACpC,aAAO;AAAA,IACT;AACA,WAAO,CAAC;AAAA,EACV,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAEO,SAAS,sBAAsB,GAAoB,UAA0C;AAClG,QAAM,WAAW,EAAE,IAAI,UAAU;AACjC,MAAI,SAAU,QAAO;AAErB,QAAM,aAAa,EAAE,IAAI,OAAO,eAAe,KAAK;AACpD,MAAI,WAAW,YAAY,EAAE,WAAW,OAAO,GAAG;AAChD,UAAM,QAAQ,WAAW,MAAM,CAAC,EAAE,KAAK;AACvC,UAAM,SAAS,UAAU,IAAI,KAAK;AAClC,QAAI,QAAQ;AACV,QAAE,IAAI,YAAY,MAAM;AACxB,QAAE,IAAI,aAAa,KAAK;AACxB,QAAE,IAAI,cAAc,OAAO,MAAM;AACjC,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO,UAAU,GAAG,KAAK,YAAY,uBAAuB;AAC9D;AAEO,SAAS,cAAc,IAAe,SAAuC;AAClF,QAAM,UAAU,mBAAmB,OAAO;AAC1C,SACE,GAAG,MAAM,UAAU,WAAW,OAAO,KACrC,GAAG,MAAM,UAAU,SAAS,OAAO,KACnC,GAAG,MAAM,UAAU,SAAS,OAAO;AAEvC;AAEO,SAAS,eAAe,IAAe,UAAyC;AACrF,QAAM,UAAU,mBAAmB,QAAQ;AAC3C,SAAO,GAAG,OAAO,UAAU,WAAW,OAAO;AAC/C;AAEO,SAAS,aAAa,IAAe,QAAqC;AAC/E,QAAM,UAAU,mBAAmB,MAAM;AACzC,SAAO,GAAG,KAAK,UAAU,WAAW,OAAO;AAC7C;AAEO,SAAS,6BAA6B,IAAe,WAAwD;AAClH,QAAM,UAAU,mBAAmB,SAAS;AAC5C,SAAO,GAAG,qBAAqB,UAAU,aAAa,OAAO;AAC/D;AAEO,SAAS,aAAa,SAAiB,MAAyC;AACrF,SAAO;AAAA,IACL,IAAI,KAAK;AAAA,IACT,QAAQ,KAAK;AAAA,IACb,SAAS,KAAK;AAAA,IACd,WAAW,KAAK;AAAA,IAChB,eAAe,KAAK;AAAA,IACpB,WAAW,KAAK;AAAA,IAChB,aAAa,KAAK;AAAA,IAClB,iBAAiB,KAAK;AAAA,IACtB,SAAS;AAAA,MACP,OAAO,KAAK;AAAA,MACZ,OAAO,KAAK;AAAA,MACZ,WAAW,KAAK;AAAA,MAChB,UAAU,KAAK;AAAA,MACf,aAAa,gBAAgB,IAAI;AAAA,MACjC,QAAQ,KAAK;AAAA,MACb,UAAU,KAAK;AAAA,IACjB;AAAA,IACA,QAAQ;AAAA,MACN,MAAM;AAAA,QACJ,MAAM,GAAG,OAAO,iBAAiB,mBAAmB,KAAK,OAAO,CAAC;AAAA,MACnE;AAAA,IACF;AAAA,EACF;AACF;AAEO,SAAS,cAAc,SAAiB,OAA2C;AACxF,SAAO;AAAA,IACL,IAAI,MAAM;AAAA,IACV,SAAS,MAAM;AAAA,IACf,aAAa,MAAM;AAAA,IACnB,uBAAuB,MAAM;AAAA,IAC7B,aAAa,CAAC,iBAAiB;AAAA,IAC/B,MAAM,MAAM;AAAA,IACZ,SAAS;AAAA,MACP,MAAM,MAAM;AAAA,MACZ,aAAa,MAAM;AAAA,IACrB;AAAA,IACA,QAAQ;AAAA,MACN,MAAM;AAAA,QACJ,MAAM,GAAG,OAAO,kBAAkB,mBAAmB,MAAM,OAAO,CAAC;AAAA,MACrE;AAAA,IACF;AAAA,EACF;AACF;AAEO,SAAS,YAAY,SAAiB,KAAuC;AAClF,SAAO;AAAA,IACL,IAAI,IAAI;AAAA,IACR,MAAM,IAAI;AAAA,IACV,OAAO,IAAI;AAAA,IACX,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI;AAAA,IACb,aAAa,IAAI;AAAA,IACjB,YAAY,IAAI;AAAA,IAChB,aAAa,IAAI;AAAA,IACjB,UAAU,IAAI;AAAA,IACd,QAAQ;AAAA,MACN,MAAM;AAAA,QACJ,MAAM,GAAG,OAAO,gBAAgB,mBAAmB,IAAI,OAAO,CAAC;AAAA,MACjE;AAAA,IACF;AAAA,EACF;AACF;AAEO,SAAS,4BAA4B,SAAiB,QAA0D;AACrH,SAAO;AAAA,IACL,IAAI,OAAO;AAAA,IACX,MAAM,OAAO;AAAA,IACb,aAAa,OAAO;AAAA,IACpB,WAAW,OAAO;AAAA,IAClB,QAAQ,kBAAkB,SAAS,OAAO,SAAS;AAAA,IACnD,QAAQ,OAAO;AAAA,IACf,SAAS,OAAO;AAAA,IAChB,aAAa,OAAO;AAAA,IACpB,QAAQ;AAAA,MACN,MAAM;AAAA,QACJ,MAAM,GAAG,OAAO,gCAAgC,mBAAmB,OAAO,SAAS,CAAC;AAAA,MACtF;AAAA,IACF;AAAA,EACF;AACF;;;ACxJO,SAAS,aAAa,OAAyB;AACpD,SAAO;AAAA,IACL,OAAO,MAAM,WAAqB,cAAc,CAAC,WAAW,SAAS,OAAO,CAAC;AAAA,IAC7E,QAAQ,MAAM,WAAsB,eAAe,CAAC,WAAW,MAAM,CAAC;AAAA,IACtE,MAAM,MAAM,WAAoB,aAAa,CAAC,WAAW,MAAM,CAAC;AAAA,IAChE,cAAc,MAAM,WAA4B,sBAAsB,CAAC,aAAa,gBAAgB,CAAC;AAAA,IACrG,sBAAsB,MAAM,WAAoC,qBAAqB,CAAC,WAAW,CAAC;AAAA,IAClG,kBAAkB,MAAM,WAAgC,0BAA0B;AAAA,MAChF;AAAA,MACA;AAAA,IACF,CAAC;AAAA,IACD,gBAAgB,MAAM,WAA8B,wBAAwB,CAAC,eAAe,cAAc,CAAC;AAAA,EAC7G;AACF;;;ACrBO,SAAS,UAAU,EAAE,KAAK,OAAO,SAAS,SAAS,GAAuB;AAC/E,QAAM,YAAY,aAAa,KAAK;AAEpC,MAAI,IAAI,gBAAgB,CAAC,MAAM;AAC7B,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,KAAK,EAAE,IAAI,MAAM,GAAG,KAAK,IAAI,YAAY;AAC/C,QAAI,OAAO,UAAU,KAAK,IAAI;AAC9B,QAAI,GAAG;AACL,aAAO,KAAK,OAAO,CAAC,UAAU,GAAG,MAAM,IAAI,IAAI,MAAM,KAAK,GAAG,YAAY,EAAE,SAAS,CAAC,CAAC;AAAA,IACxF;AACA,UAAM,EAAE,MAAM,SAAS,IAAI,gBAAgB,CAAC;AAC5C,UAAM,QAAQ,KAAK;AACnB,UAAM,SAAS,OAAO,KAAK;AAC3B,UAAM,QAAQ,KAAK,MAAM,OAAO,QAAQ,QAAQ;AAChD,kBAAc,GAAG,OAAO,MAAM,QAAQ;AACtC,MAAE,OAAO,iBAAiB,OAAO,KAAK,CAAC;AAEvC,WAAO,EAAE,KAAK,MAAM,IAAI,CAAC,UAAU,YAAY,SAAS,KAAK,CAAC,CAAC;AAAA,EACjE,CAAC;AAED,MAAI,KAAK,gBAAgB,OAAO,MAAM;AACpC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,OAAO,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO;AACzD,UAAM,QAAQ,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ;AAC5D,UAAM,aAAa,OAAO,KAAK,eAAe,WAAW,KAAK,aAAa;AAC3E,UAAM,WACJ,KAAK,YAAY,OAAO,KAAK,aAAa,WAAY,KAAK,WAAuC,CAAC;AACrG,UAAM,cACJ,KAAK,eAAe,OAAO,KAAK,gBAAgB,WAAY,KAAK,cAA0C,CAAC;AAE9G,UAAM,UAAU,UAAU,KAAK,OAAO;AAAA,MACpC,SAAS,eAAe,KAAK;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,QAAQ,mBAAmB,OAAO,KAAK,WAAW,WAAW,KAAK,SAAS,QAAW,QAAQ;AAAA,MAC9F,cAAc;AAAA,MACd;AAAA,MACA;AAAA,IACF,CAAC;AAED,WAAO,EAAE,KAAK,YAAY,SAAS,OAAO,GAAG,GAAG;AAAA,EAClD,CAAC;AAED,MAAI,IAAI,6BAA6B,CAAC,MAAM;AAC1C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AAErE,UAAM,cAAc,UAAU,eAAe,OAAO,eAAe,UAAU,OAAO;AACpF,UAAM,QAAQ,YACX,IAAI,CAAC,eAAe,UAAU,MAAM,UAAU,WAAW,WAAW,YAAY,CAAC,EACjF,OAAO,CAAC,SAA2C,QAAQ,IAAI,CAAC;AAEnE,WAAO,EAAE;AAAA,MACP,MAAM,IAAI,CAAC,UAAU;AAAA,QACnB,IAAI,KAAK;AAAA,QACT,OAAO;AAAA,QACP,aAAa,EAAE,UAAU,KAAK,MAAM;AAAA,QACpC,SAAS,aAAa,SAAS,IAAI,EAAE;AAAA,MACvC,EAAE;AAAA,IACJ;AAAA,EACF,CAAC;AAED,MAAI,IAAI,qCAAqC,CAAC,MAAM;AAClD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AACrE,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,WAAW,UAAU,eACxB,OAAO,eAAe,UAAU,OAAO,EACvC,KAAK,CAAC,eAAe,WAAW,iBAAiB,KAAK,OAAO;AAChE,QAAI,CAAC,UAAU;AACb,gBAAU,eAAe,OAAO;AAAA,QAC9B,aAAa,UAAU;AAAA,QACvB,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AAED,MAAI,OAAO,qCAAqC,CAAC,MAAM;AACrD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AACrE,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,WAAW,UAAU,eACxB,OAAO,eAAe,UAAU,OAAO,EACvC,KAAK,CAAC,eAAe,WAAW,iBAAiB,KAAK,OAAO;AAChE,QAAI,SAAU,WAAU,eAAe,OAAO,SAAS,EAAE;AACzD,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AAED,MAAI,KAAK,0CAA0C,CAAC,MAAM;AACxD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AAErE,UAAM,UAAU,UAAU,KAAK,OAAO,UAAU,IAAI,EAAE,QAAQ,SAAS,CAAC;AACxE,WAAO,EAAE,KAAK,YAAY,SAAS,WAAW,SAAS,CAAC;AAAA,EAC1D,CAAC;AAED,MAAI,KAAK,4CAA4C,CAAC,MAAM;AAC1D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AAErE,UAAM,UAAU,UAAU,KAAK,OAAO,UAAU,IAAI,EAAE,QAAQ,WAAW,CAAC;AAC1E,WAAO,EAAE,KAAK,YAAY,SAAS,WAAW,SAAS,CAAC;AAAA,EAC1D,CAAC;AAED,MAAI,IAAI,uBAAuB,CAAC,MAAM;AACpC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AACrE,WAAO,EAAE,KAAK,YAAY,SAAS,SAAS,CAAC;AAAA,EAC/C,CAAC;AAED,MAAI,IAAI,uBAAuB,OAAO,MAAM;AAC1C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AAErE,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,UAAU,UAAU,KAAK,OAAO,UAAU,IAAI;AAAA,MAClD,MAAM,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO,UAAU;AAAA,MAC5D,OAAO,OAAO,KAAK,UAAU,WAAW,KAAK,QAAQ,UAAU;AAAA,MAC/D,QAAQ,mBAAmB,OAAO,KAAK,WAAW,WAAW,KAAK,SAAS,QAAW,UAAU,MAAM;AAAA,MACtG,cAAc,OAAO,KAAK,eAAe,WAAW,KAAK,aAAa,UAAU;AAAA,MAChF,UACE,KAAK,YAAY,OAAO,KAAK,aAAa,WACrC,KAAK,WACN,UAAU;AAAA,MAChB,aACE,KAAK,eAAe,OAAO,KAAK,gBAAgB,WAC3C,KAAK,cACN,UAAU;AAAA,IAClB,CAAC;AACD,WAAO,EAAE,KAAK,YAAY,SAAS,WAAW,SAAS,CAAC;AAAA,EAC1D,CAAC;AAED,MAAI,OAAO,uBAAuB,CAAC,MAAM;AACvC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,YAAY,aAAa,WAAW,EAAE,IAAI,MAAM,OAAO,CAAC;AAC9D,QAAI,CAAC,UAAW,QAAO,UAAU,GAAG,KAAK,YAAY,gBAAgB;AACrE,QAAI,UAAU,WAAW,YAAY;AACnC,aAAO,UAAU,GAAG,KAAK,YAAY,sCAAsC;AAAA,IAC7E;AAEA,eAAW,cAAc,UAAU,eAAe,OAAO,eAAe,UAAU,OAAO,GAAG;AAC1F,gBAAU,eAAe,OAAO,WAAW,EAAE;AAAA,IAC/C;AACA,cAAU,KAAK,OAAO,UAAU,EAAE;AAClC,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AACH;;;ACpLA,SAAS,kBAAkB,MAAsB;AAC/C,QAAM,UAAU,KACb,KAAK,EACL,YAAY,EACZ,QAAQ,iBAAiB,GAAG;AAC/B,MAAI,QAAQ,SAAS,EAAG,QAAO;AAC/B,SAAO,eAAe,IAAI;AAC5B;AAEO,SAAS,0BAA0B,EAAE,KAAK,OAAO,SAAS,SAAS,GAAuB;AAC/F,QAAM,YAAY,aAAa,KAAK;AAEpC,MAAI,IAAI,gCAAgC,CAAC,MAAM;AAC7C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,UAAU,UAAU,qBAAqB,IAAI;AACnD,UAAM,EAAE,MAAM,SAAS,IAAI,gBAAgB,CAAC;AAC5C,UAAM,QAAQ,QAAQ;AACtB,UAAM,SAAS,OAAO,KAAK;AAC3B,UAAM,QAAQ,QAAQ,MAAM,OAAO,QAAQ,QAAQ;AACnD,kBAAc,GAAG,OAAO,MAAM,QAAQ;AACtC,MAAE,OAAO,iBAAiB,OAAO,KAAK,CAAC;AAEvC,WAAO,EAAE,KAAK,MAAM,IAAI,CAAC,WAAW,4BAA4B,SAAS,MAAM,CAAC,CAAC;AAAA,EACnF,CAAC;AAED,MAAI,KAAK,gCAAgC,OAAO,MAAM;AACpD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,OAAO,OAAO,KAAK,SAAS,WAAW,KAAK,KAAK,KAAK,IAAI;AAChE,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AAElE,UAAM,WAAW,OAAO,KAAK,OAAO,WAAW,KAAK,KAAK,kBAAkB,IAAI;AAC/E,QAAI,UAAU,qBAAqB,UAAU,aAAa,QAAQ,GAAG;AACnE,aAAO,UAAU,GAAG,KAAK,YAAY,yBAAyB,QAAQ,kBAAkB;AAAA,IAC1F;AAEA,UAAM,YAAY,MAAM,QAAQ,KAAK,SAAS,IAC1C,KAAK,UAAU,OAAO,CAAC,UAA2B,OAAO,UAAU,QAAQ,IAC3E,CAAC,gBAAgB;AAErB,UAAM,UAAU,UAAU,qBAAqB,OAAO;AAAA,MACpD,WAAW;AAAA,MACX;AAAA,MACA,aAAa,OAAO,KAAK,gBAAgB,WAAW,KAAK,cAAc;AAAA,MACvE,WAAW,UAAU,SAAS,IAAI,YAAY,CAAC,gBAAgB;AAAA,MAC/D,QAAQ,0BAA0B,OAAO,KAAK,WAAW,WAAW,KAAK,SAAS,QAAW,QAAQ;AAAA,IACvG,CAAC;AAED,WAAO,EAAE,KAAK,4BAA4B,SAAS,OAAO,GAAG,GAAG;AAAA,EAClE,CAAC;AAED,MAAI,KAAK,iEAAiE,CAAC,MAAM;AAC/E,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,SAAS,6BAA6B,WAAW,EAAE,IAAI,MAAM,cAAc,CAAC;AAClF,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,iCAAiC;AACnF,UAAM,UAAU,UAAU,qBAAqB,OAAO,OAAO,IAAI,EAAE,QAAQ,SAAS,CAAC;AACrF,WAAO,EAAE,KAAK,4BAA4B,SAAS,WAAW,MAAM,CAAC;AAAA,EACvE,CAAC;AAED,MAAI,KAAK,mEAAmE,CAAC,MAAM;AACjF,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,SAAS,6BAA6B,WAAW,EAAE,IAAI,MAAM,cAAc,CAAC;AAClF,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,iCAAiC;AACnF,UAAM,UAAU,UAAU,qBAAqB,OAAO,OAAO,IAAI,EAAE,QAAQ,WAAW,CAAC;AACvF,WAAO,EAAE,KAAK,4BAA4B,SAAS,WAAW,MAAM,CAAC;AAAA,EACvE,CAAC;AAED,MAAI,IAAI,8CAA8C,CAAC,MAAM;AAC3D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,SAAS,6BAA6B,WAAW,EAAE,IAAI,MAAM,cAAc,CAAC;AAClF,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,iCAAiC;AACnF,WAAO,EAAE,KAAK,4BAA4B,SAAS,MAAM,CAAC;AAAA,EAC5D,CAAC;AAED,MAAI,IAAI,8CAA8C,OAAO,MAAM;AACjE,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,SAAS,6BAA6B,WAAW,EAAE,IAAI,MAAM,cAAc,CAAC;AAClF,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,iCAAiC;AAEnF,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,YAAY,MAAM,QAAQ,KAAK,SAAS,IAC1C,KAAK,UAAU,OAAO,CAAC,UAA2B,OAAO,UAAU,QAAQ,IAC3E,OAAO;AAEX,UAAM,UAAU,UAAU,qBAAqB,OAAO,OAAO,IAAI;AAAA,MAC/D,MAAM,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO,OAAO;AAAA,MACzD,aAAa,OAAO,KAAK,gBAAgB,WAAW,KAAK,cAAc,OAAO;AAAA,MAC9E,WAAW,UAAU,SAAS,IAAI,YAAY,OAAO;AAAA,MACrD,QAAQ,0BAA0B,OAAO,KAAK,WAAW,WAAW,KAAK,SAAS,QAAW,OAAO,MAAM;AAAA,IAC5G,CAAC;AACD,WAAO,EAAE,KAAK,4BAA4B,SAAS,WAAW,MAAM,CAAC;AAAA,EACvE,CAAC;AAED,MAAI,OAAO,8CAA8C,CAAC,MAAM;AAC9D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,SAAS,6BAA6B,WAAW,EAAE,IAAI,MAAM,cAAc,CAAC;AAClF,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,iCAAiC;AAEnF,eAAW,UAAU,UAAU,aAAa,OAAO,kBAAkB,OAAO,SAAS,GAAG;AACtF,gBAAU,aAAa,OAAO,OAAO,EAAE;AAAA,IACzC;AACA,cAAU,qBAAqB,OAAO,OAAO,EAAE;AAC/C,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AACH;;;ACpHO,SAAS,YAAY,EAAE,KAAK,OAAO,SAAS,SAAS,GAAuB;AACjF,QAAM,YAAY,aAAa,KAAK;AAEpC,MAAI,IAAI,kBAAkB,CAAC,MAAM;AAC/B,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,KAAK,EAAE,IAAI,MAAM,GAAG,KAAK,IAAI,YAAY;AAC/C,QAAI,SAAS,UAAU,OAAO,IAAI;AAClC,QAAI,GAAG;AACL,eAAS,OAAO,OAAO,CAAC,UAAU,GAAG,MAAM,IAAI,IAAI,MAAM,eAAe,EAAE,GAAG,YAAY,EAAE,SAAS,CAAC,CAAC;AAAA,IACxG;AACA,UAAM,EAAE,MAAM,SAAS,IAAI,gBAAgB,CAAC;AAC5C,UAAM,QAAQ,OAAO;AACrB,UAAM,SAAS,OAAO,KAAK;AAC3B,UAAM,QAAQ,OAAO,MAAM,OAAO,QAAQ,QAAQ;AAClD,kBAAc,GAAG,OAAO,MAAM,QAAQ;AACtC,MAAE,OAAO,iBAAiB,OAAO,KAAK,CAAC;AAEvC,WAAO,EAAE,KAAK,MAAM,IAAI,CAAC,UAAU,cAAc,SAAS,KAAK,CAAC,CAAC;AAAA,EACnE,CAAC;AAED,MAAI,KAAK,kBAAkB,OAAO,MAAM;AACtC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,UAAW,KAAK,WAAW,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU,CAAC;AACpF,UAAM,OAAO,OAAO,QAAQ,SAAS,WAAW,QAAQ,KAAK,KAAK,IAAI;AAEtE,QAAI,CAAC,MAAM;AACT,aAAO,UAAU,GAAG,KAAK,YAAY,0BAA0B;AAAA,IACjE;AAEA,QAAI,UAAU,OAAO,UAAU,QAAQ,IAAI,GAAG;AAC5C,aAAO,UAAU,GAAG,KAAK,YAAY,2CAA2C;AAAA,IAClF;AAEA,UAAM,UAAU,UAAU,OAAO,OAAO;AAAA,MACtC,SAAS,eAAe,KAAK;AAAA,MAC7B,MAAM,mBAAmB,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO,QAAW,YAAY;AAAA,MAC5F;AAAA,MACA,aAAa,OAAO,QAAQ,gBAAgB,WAAW,QAAQ,cAAc;AAAA,IAC/E,CAAC;AAED,WAAO,EAAE,KAAK,cAAc,SAAS,OAAO,GAAG,GAAG;AAAA,EACpD,CAAC;AAED,MAAI,IAAI,iCAAiC,CAAC,MAAM;AAC9C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,QAAQ,eAAe,WAAW,EAAE,IAAI,MAAM,SAAS,CAAC;AAC9D,QAAI,CAAC,MAAO,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AAEnE,UAAM,cAAc,UAAU,iBAAiB,OAAO,iBAAiB,MAAM,OAAO;AACpF,UAAM,QAAQ,YACX,IAAI,CAAC,eAAe,UAAU,MAAM,UAAU,WAAW,WAAW,YAAY,CAAC,EACjF,OAAO,CAAC,SAA2C,QAAQ,IAAI,CAAC;AAEnE,WAAO,EAAE,KAAK,MAAM,IAAI,CAAC,SAAS,aAAa,SAAS,IAAI,CAAC,CAAC;AAAA,EAChE,CAAC;AAED,MAAI,IAAI,yCAAyC,CAAC,MAAM;AACtD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,QAAQ,eAAe,WAAW,EAAE,IAAI,MAAM,SAAS,CAAC;AAC9D,QAAI,CAAC,MAAO,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AACnE,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,WAAW,UAAU,iBACxB,OAAO,iBAAiB,MAAM,OAAO,EACrC,KAAK,CAAC,eAAe,WAAW,iBAAiB,KAAK,OAAO;AAChE,QAAI,CAAC,UAAU;AACb,gBAAU,iBAAiB,OAAO;AAAA,QAChC,eAAe,MAAM;AAAA,QACrB,cAAc,KAAK;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AAED,MAAI,OAAO,yCAAyC,CAAC,MAAM;AACzD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,QAAQ,eAAe,WAAW,EAAE,IAAI,MAAM,SAAS,CAAC;AAC9D,QAAI,CAAC,MAAO,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AACnE,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,WAAW,UAAU,iBACxB,OAAO,iBAAiB,MAAM,OAAO,EACrC,KAAK,CAAC,eAAe,WAAW,iBAAiB,KAAK,OAAO;AAChE,QAAI,UAAU;AACZ,gBAAU,iBAAiB,OAAO,SAAS,EAAE;AAAA,IAC/C;AAEA,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AAED,MAAI,IAAI,2BAA2B,CAAC,MAAM;AACxC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,QAAQ,eAAe,WAAW,EAAE,IAAI,MAAM,SAAS,CAAC;AAC9D,QAAI,CAAC,MAAO,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AACnE,WAAO,EAAE,KAAK,cAAc,SAAS,KAAK,CAAC;AAAA,EAC7C,CAAC;AAED,MAAI,IAAI,2BAA2B,OAAO,MAAM;AAC9C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,QAAQ,eAAe,WAAW,EAAE,IAAI,MAAM,SAAS,CAAC;AAC9D,QAAI,CAAC,MAAO,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AAEnE,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,UAAW,KAAK,WAAW,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU,CAAC;AACpF,UAAM,WAAW,OAAO,QAAQ,SAAS,WAAW,QAAQ,KAAK,KAAK,IAAI,MAAM;AAEhF,QAAI,aAAa,MAAM,MAAM;AAC3B,YAAM,WAAW,UAAU,OAAO,UAAU,QAAQ,QAAQ;AAC5D,UAAI,YAAY,SAAS,YAAY,MAAM,SAAS;AAClD,eAAO,UAAU,GAAG,KAAK,YAAY,2CAA2C;AAAA,MAClF;AAAA,IACF;AAEA,UAAM,UAAU,UAAU,OAAO,OAAO,MAAM,IAAI;AAAA,MAChD,MAAM;AAAA,MACN,aAAa,OAAO,QAAQ,gBAAgB,WAAW,QAAQ,cAAc,MAAM;AAAA,MACnF,MAAM,mBAAmB,OAAO,KAAK,SAAS,WAAW,KAAK,OAAO,QAAW,MAAM,IAAI;AAAA,IAC5F,CAAC;AACD,WAAO,EAAE,KAAK,cAAc,SAAS,WAAW,KAAK,CAAC;AAAA,EACxD,CAAC;AAED,MAAI,OAAO,2BAA2B,CAAC,MAAM;AAC3C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,QAAQ,eAAe,WAAW,EAAE,IAAI,MAAM,SAAS,CAAC;AAC9D,QAAI,CAAC,MAAO,QAAO,UAAU,GAAG,KAAK,YAAY,kBAAkB;AAEnE,eAAW,cAAc,UAAU,iBAAiB,OAAO,iBAAiB,MAAM,OAAO,GAAG;AAC1F,gBAAU,iBAAiB,OAAO,WAAW,EAAE;AAAA,IACjD;AAEA,cAAU,OAAO,OAAO,MAAM,EAAE;AAChC,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AACH;;;ACtKA,SAAS,YAAY,mBAAmB;AACxC,SAAS,SAAS,WAAW,uBAAuB;AA0BpD,IAAM,iBAAiB,gBAAgB,OAAO;AAC9C,IAAM,MAAM;AAEZ,IAAM,cAAc,KAAK,KAAK;AAuC9B,SAAS,gBAAgB,OAAwC;AAC/D,MAAI,MAAM,MAAM,QAAkC,yBAAyB;AAC3E,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,UAAM,QAAQ,2BAA2B,GAAG;AAAA,EAC9C;AACA,SAAO;AACT;AAEA,SAAS,gBAAgB,OAA8C;AACrE,MAAI,MAAM,MAAM,QAAwC,yBAAyB;AACjF,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,UAAM,QAAQ,2BAA2B,GAAG;AAAA,EAC9C;AACA,SAAO;AACT;AAEA,SAAS,iBAAiB,OAA+C;AACvE,MAAI,MAAM,MAAM,QAAyC,0BAA0B;AACnF,MAAI,CAAC,KAAK;AACR,UAAM,oBAAI,IAAI;AACd,UAAM,QAAQ,4BAA4B,GAAG;AAAA,EAC/C;AACA,SAAO;AACT;AAEA,SAAS,cAAc,MAA4B;AACjD,SAAO,KAAK,IAAI,IAAI,KAAK,YAAY;AACvC;AAEA,SAAS,mBAAmB,cAA8B;AACxD,MAAI,iBAAiB,mBAAoB,QAAO;AAChD,SAAO,WAAW,mBAAmB,YAAY,CAAC;AACpD;AAEA,SAAS,oBAAoB,SAA4B,cAAyC;AAChG,SAAO,QAAQ,OAAO,CAAC,WAAW,OAAO,mBAAmB,YAAY;AAC1E;AAEA,SAAS,cACP,cACA,SACA,OACuB;AACvB,MAAI,iBAAiB,oBAAoB;AACvC,WAAO;AAAA,MACL;AAAA,MACA,QAAQ;AAAA,MACR,WAAW,CAAC,gBAAgB;AAAA,IAC9B;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,qBAAqB,UAAU,aAAa,YAAY;AAC7E,MAAI,CAAC,OAAQ,QAAO;AACpB,SAAO;AAAA,IACL;AAAA,IACA,QAAQ,kBAAkB,SAAS,YAAY;AAAA,IAC/C,WAAW,OAAO,UAAU,SAAS,IAAI,OAAO,YAAY,CAAC,gBAAgB;AAAA,EAC/E;AACF;AAEA,SAAS,uBAAuB,SAAiB,QAAiD;AAChG,QAAM,YAAY,mBAAmB,OAAO,YAAY;AACxD,QAAM,eAAe,GAAG,OAAO,GAAG,SAAS;AAC3C,QAAM,2BAA2B,CAAC,sBAAsB,uBAAuB,MAAM;AACrF,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,wBAAwB,GAAG,YAAY;AAAA,IACvC,gBAAgB,GAAG,YAAY;AAAA,IAC/B,mBAAmB,GAAG,YAAY;AAAA,IAClC,UAAU,GAAG,YAAY;AAAA,IACzB,sBAAsB,GAAG,YAAY;AAAA,IACrC,qBAAqB,GAAG,YAAY;AAAA,IACpC,wBAAwB,GAAG,YAAY;AAAA,IACvC,uBAAuB,GAAG,YAAY;AAAA,IACtC,0BAA0B,CAAC,MAAM;AAAA,IACjC,0BAA0B,CAAC,SAAS,YAAY,WAAW;AAAA,IAC3D,uBAAuB,CAAC,sBAAsB,iBAAiB,oBAAoB;AAAA,IACnF,yBAAyB,CAAC,QAAQ;AAAA,IAClC,uCAAuC,CAAC,OAAO;AAAA,IAC/C,kBAAkB,CAAC,UAAU,WAAW,SAAS,kBAAkB,QAAQ;AAAA,IAC3E,uCAAuC;AAAA,IACvC,4CAA4C;AAAA,IAC5C,+CAA+C;AAAA,IAC/C,6BAA6B;AAAA,IAC7B,iCAAiC;AAAA,IACjC,4BAA4B;AAAA,IAC5B,6CAA6C,CAAC,OAAO;AAAA,IACrD,kBAAkB;AAAA,MAChB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA,kCAAkC,CAAC,SAAS,MAAM;AAAA,EACpD;AACF;AAEA,eAAe,mBAAmB,GAAqD;AACrF,QAAM,cAAc,EAAE,IAAI,OAAO,cAAc,KAAK;AACpD,QAAM,MAAM,MAAM,EAAE,IAAI,KAAK;AAE7B,MAAI,YAAY,SAAS,kBAAkB,GAAG;AAC5C,QAAI;AACF,YAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,YAAM,MAA8B,CAAC;AACrC,iBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,MAAM,GAAG;AACjD,YAAI,OAAO,UAAU,SAAU,KAAI,GAAG,IAAI;AAAA,MAC5C;AACA,aAAO;AAAA,IACT,QAAQ;AACN,aAAO,CAAC;AAAA,IACV;AAAA,EACF;AAEA,SAAO,OAAO,YAAY,IAAI,gBAAgB,GAAG,CAAC;AACpD;AAEA,SAAS,uBACP,GACA,MAC4C;AAC5C,MAAI,WAAW,KAAK,aAAa;AACjC,MAAI,eAAe,KAAK,iBAAiB;AAEzC,QAAM,aAAa,EAAE,IAAI,OAAO,eAAe,KAAK;AACpD,MAAI,WAAW,WAAW,QAAQ,GAAG;AACnC,UAAM,UAAU,OAAO,KAAK,WAAW,MAAM,CAAC,GAAG,QAAQ,EAAE,SAAS,MAAM;AAC1E,UAAM,MAAM,QAAQ,QAAQ,GAAG;AAC/B,QAAI,QAAQ,IAAI;AACd,YAAM,WAAW,mBAAmB,QAAQ,MAAM,GAAG,GAAG,CAAC;AACzD,YAAM,eAAe,mBAAmB,QAAQ,MAAM,MAAM,CAAC,CAAC;AAC9D,UAAI,CAAC,SAAU,YAAW;AAC1B,UAAI,CAAC,aAAc,gBAAe;AAAA,IACpC;AAAA,EACF;AAEA,SAAO,EAAE,UAAU,aAAa;AAClC;AAOA,SAAS,eACP,SACA,cACA,UACA,cACyE;AACzE,QAAM,gBAAgB,oBAAoB,SAAS,YAAY;AAC/D,MAAI,cAAc,WAAW,GAAG;AAC9B,WAAO,EAAE,QAAQ,MAAM,OAAO,KAAK;AAAA,EACrC;AAEA,QAAM,SAAS,cAAc,KAAK,CAAC,UAAU,MAAM,cAAc,QAAQ;AACzE,MAAI,CAAC,QAAQ;AACX,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,OAAO;AAAA,QACL,MAAM,EAAE,OAAO,kBAAkB,mBAAmB,kBAAkB;AAAA,QACtE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAEA,MAAI,OAAO,+BAA+B,QAAQ;AAChD,WAAO,EAAE,QAAQ,OAAO,KAAK;AAAA,EAC/B;AAEA,MAAI,CAAC,wBAAwB,OAAO,iBAAiB,IAAI,YAAY,GAAG;AACtE,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,OAAO;AAAA,QACL,MAAM,EAAE,OAAO,kBAAkB,mBAAmB,8BAA8B;AAAA,QAClF,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAEA,SAAO,EAAE,QAAQ,OAAO,KAAK;AAC/B;AAEA,SAAS,WAAW,OAAyB;AAC3C,SAAO,MACJ,MAAM,KAAK,EACX,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EACzB,OAAO,OAAO;AACnB;AAEA,SAAS,kBAAkB,WAA4C,MAA0B;AAC/F,QAAM,cAAc,UAAU,iBAAiB,OAAO,gBAAgB,KAAK,OAAO;AAClF,QAAM,QAAkB,CAAC;AACzB,aAAW,cAAc,aAAa;AACpC,UAAM,QAAQ,UAAU,OAAO,UAAU,WAAW,WAAW,aAAa;AAC5E,QAAI,MAAO,OAAM,KAAK,MAAM,IAAI;AAAA,EAClC;AACA,SAAO;AACT;AAEA,eAAe,cACb,WACA,MACA,UACA,OACA,QACA,OACiB;AACjB,QAAM,EAAE,WAAW,IAAI,MAAM;AAC7B,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAM,SAAS,WAAW,KAAK;AAE/B,QAAM,SAAkC;AAAA,IACtC,KAAK,KAAK;AAAA,IACV,MAAM,gBAAgB,IAAI;AAAA,IAC1B,oBAAoB,KAAK;AAAA,IACzB,OAAO,KAAK;AAAA,IACZ,gBAAgB;AAAA,IAChB,QAAQ,KAAK;AAAA,IACb,UAAU,KAAK;AAAA,IACf,WAAW;AAAA,EACb;AAEA,MAAI,MAAO,QAAO,QAAQ;AAC1B,MAAI,OAAO,SAAS,QAAQ,GAAG;AAC7B,WAAO,SAAS,kBAAkB,WAAW,IAAI;AAAA,EACnD;AAEA,SAAO,IAAI,QAAQ,MAAM,EACtB,mBAAmB,EAAE,KAAK,SAAS,KAAK,KAAK,KAAK,MAAM,CAAC,EACzD,UAAU,MAAM,EAChB,YAAY,QAAQ,EACpB,YAAY,GAAG,EACf,kBAAkB,IAAI,EACtB,KAAK,UAAU;AACpB;AAEA,SAAS,yBAAmC;AAC1C,SAAO,IAAI,SAAS,KAAK,UAAU,EAAE,OAAO,iBAAiB,mBAAmB,+BAA+B,CAAC,GAAG;AAAA,IACjH,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,EAChD,CAAC;AACH;AAEO,SAAS,YAAY,EAAE,KAAK,OAAO,SAAS,SAAS,GAAuB;AACjF,QAAM,YAAY,aAAa,KAAK;AACpC,QAAM,gBAAgB;AAEtB,MAAI,IAAI,qCAAqC,CAAC,MAAM;AAClD,UAAM,SAAS,cAAc,oBAAoB,SAAS,SAAS;AACnE,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,qCAAqC;AACvF,WAAO,EAAE,KAAK,uBAAuB,SAAS,MAAM,CAAC;AAAA,EACvD,CAAC;AAED,MAAI,IAAI,0DAA0D,CAAC,MAAM;AACvE,UAAM,eAAe,EAAE,IAAI,MAAM,cAAc;AAC/C,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AACrG,WAAO,EAAE,KAAK,uBAAuB,SAAS,MAAM,CAAC;AAAA,EACvD,CAAC;AAED,MAAI,IAAI,mBAAmB,OAAO,MAAM;AACtC,UAAM,EAAE,UAAU,IAAI,MAAM;AAC5B,UAAM,MAAM,MAAM,UAAU,SAAS;AACrC,WAAO,EAAE,KAAK;AAAA,MACZ,MAAM,CAAC,EAAE,GAAG,KAAK,KAAK,KAAK,KAAK,OAAO,KAAK,QAAQ,CAAC;AAAA,IACvD,CAAC;AAAA,EACH,CAAC;AAED,MAAI,IAAI,iCAAiC,OAAO,MAAM;AACpD,UAAM,eAAe,EAAE,IAAI,MAAM,cAAc;AAC/C,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,EAAE,UAAU,IAAI,MAAM;AAC5B,UAAM,MAAM,MAAM,UAAU,SAAS;AACrC,WAAO,EAAE,KAAK;AAAA,MACZ,MAAM,CAAC,EAAE,GAAG,KAAK,KAAK,KAAK,KAAK,OAAO,KAAK,QAAQ,CAAC;AAAA,IACvD,CAAC;AAAA,EACH,CAAC;AAED,QAAM,sBAAsB,CAAC,GAAoB,iBAAmC;AAClF,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,WAAW,EAAE,IAAI,MAAM,WAAW,KAAK;AAC7C,UAAM,cAAc,EAAE,IAAI,MAAM,cAAc,KAAK;AACnD,UAAM,QAAQ,EAAE,IAAI,MAAM,OAAO,KAAK;AACtC,UAAM,QAAQ,EAAE,IAAI,MAAM,OAAO,KAAK;AACtC,UAAM,QAAQ,EAAE,IAAI,MAAM,OAAO,KAAK;AACtC,UAAM,eAAe,EAAE,IAAI,MAAM,eAAe,KAAK;AACrD,UAAM,eAAe,EAAE,IAAI,MAAM,eAAe,KAAK;AACrD,UAAM,gBAAgB,EAAE,IAAI,MAAM,gBAAgB,KAAK;AACvD,UAAM,sBAAsB,EAAE,IAAI,MAAM,uBAAuB,KAAK;AAEpE,QAAI,iBAAiB,QAAQ;AAC3B,aAAO,EAAE;AAAA,QACP,gBAAgB,6BAA6B,yCAAyC,aAAa;AAAA,QACnG;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,aAAa;AAChB,aAAO,EAAE;AAAA,QACP,gBAAgB,wBAAwB,2CAA2C,aAAa;AAAA,QAChG;AAAA,MACF;AAAA,IACF;AAEA,UAAM,oBAAoB,oBAAoB,UAAU,aAAa,IAAI,GAAG,YAAY;AACxF,QAAI,aAAa;AACjB,QAAI,kBAAkB,SAAS,GAAG;AAChC,YAAM,SAAS,kBAAkB,KAAK,CAAC,UAAU,MAAM,cAAc,QAAQ;AAC7E,UAAI,CAAC,QAAQ;AACX,eAAO,EAAE;AAAA,UACP,gBAAgB,yBAAyB,kBAAkB,QAAQ,wBAAwB,aAAa;AAAA,UACxG;AAAA,QACF;AAAA,MACF;AACA,UAAI,CAAC,mBAAmB,aAAa,OAAO,aAAa,GAAG;AAC1D,eAAO,EAAE;AAAA,UACP;AAAA,YACE;AAAA,YACA;AAAA,YACA;AAAA,UACF;AAAA,UACA;AAAA,QACF;AAAA,MACF;AACA,mBAAa,OAAO;AAAA,IACtB;AAEA,UAAM,QAAQ,UAAU,MAAM,IAAI;AAClC,UAAM,eAAe,GAAG,mBAAmB,YAAY,CAAC;AACxD,UAAM,UAAU,MACb;AAAA,MAAI,CAAC,SACJ,iBAAiB;AAAA,QACf,SAAS,KAAK,MAAM,CAAC,KAAK,KAAK,YAAY;AAAA,QAC3C,OAAO,KAAK;AAAA,QACZ,MAAM,gBAAgB,IAAI;AAAA,QAC1B,OAAO,KAAK;AAAA,QACZ,YAAY;AAAA,QACZ,cAAc;AAAA,UACZ,UAAU,KAAK;AAAA,UACf,cAAc;AAAA,UACd;AAAA,UACA;AAAA,UACA;AAAA,UACA,WAAW;AAAA,UACX,eAAe;AAAA,UACf,gBAAgB;AAAA,UAChB,uBAAuB;AAAA,UACvB,gBAAgB;AAAA,QAClB;AAAA,MACF,CAAC;AAAA,IACH,EACC,KAAK,IAAI;AAEZ,UAAM,WAAW,aACb,sBAAsB,WAAW,UAAU,CAAC,sCAC5C;AAEJ,WAAO,EAAE;AAAA,MACP;AAAA,QACE;AAAA,QACA;AAAA,QACA,MAAM,SAAS,IAAI,UAAU;AAAA,QAC7B;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,MAAI,IAAI,wBAAwB,CAAC,MAAM,oBAAoB,GAAG,kBAAkB,CAAC;AACjF,MAAI,IAAI,sCAAsC,CAAC,MAAM,oBAAoB,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC,CAAC;AAExG,QAAM,0BAA0B,OAAO,GAAoB,iBAA4C;AACrG,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,OAAO,MAAM,EAAE,IAAI,UAAU;AACnC,UAAM,UAAU,QAAQ,KAAK,QAAQ;AACrC,UAAM,cAAc,QAAQ,KAAK,YAAY;AAC7C,UAAM,QAAQ,QAAQ,KAAK,KAAK,KAAK;AACrC,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,QAAQ,QAAQ,KAAK,KAAK;AAChC,UAAM,WAAW,QAAQ,KAAK,SAAS;AACvC,UAAM,eAAe,QAAQ,KAAK,aAAa,KAAK;AACpD,UAAM,gBAAgB,QAAQ,KAAK,cAAc;AACjD,UAAM,sBAAsB,QAAQ,KAAK,qBAAqB;AAE9D,QAAI,CAAC,aAAa;AAChB,aAAO,EAAE;AAAA,QACP,gBAAgB,wBAAwB,2CAA2C,aAAa;AAAA,QAChG;AAAA,MACF;AAAA,IACF;AAEA,UAAM,OAAO,cAAc,WAAW,OAAO;AAC7C,QAAI,CAAC,MAAM;AACT,aAAO,EAAE,KAAK,gBAAgB,gBAAgB,uCAAuC,aAAa,GAAG,GAAG;AAAA,IAC1G;AAEA,UAAM,oBAAoB,oBAAoB,UAAU,aAAa,IAAI,GAAG,YAAY;AACxF,QAAI,kBAAkB,SAAS,GAAG;AAChC,YAAM,SAAS,kBAAkB,KAAK,CAAC,UAAU,MAAM,cAAc,QAAQ;AAC7E,UAAI,CAAC,QAAQ;AACX,eAAO,EAAE;AAAA,UACP,gBAAgB,yBAAyB,kBAAkB,QAAQ,wBAAwB,aAAa;AAAA,UACxG;AAAA,QACF;AAAA,MACF;AACA,UAAI,CAAC,mBAAmB,aAAa,OAAO,aAAa,GAAG;AAC1D,eAAO,EAAE;AAAA,UACP;AAAA,YACE;AAAA,YACA;AAAA,YACA;AAAA,UACF;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,OAAO,YAAY,EAAE,EAAE,SAAS,KAAK;AAC3C,oBAAgB,KAAK,EAAE,IAAI,MAAM;AAAA,MAC/B,SAAS,KAAK;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,MACA,OAAO,SAAS;AAAA,MAChB,eAAe,iBAAiB;AAAA,MAChC,qBAAqB,uBAAuB;AAAA,MAC5C;AAAA,MACA,WAAW,KAAK,IAAI;AAAA,IACtB,CAAC;AAED,UAAM,cAAc,mBAAmB,KAAK,MAAM,GAAG,CAAC,CAAC,YAAY,KAAK,KAAK,WAAW,YAAY,EAAE;AAEtG,QAAI,iBAAiB,aAAa;AAChC,aAAO,EAAE,KAAK,mBAAmB,aAAa,EAAE,MAAM,MAAM,GAAG,aAAa,CAAC;AAAA,IAC/E;AAEA,UAAM,MAAM,IAAI,IAAI,WAAW;AAC/B,QAAI,aAAa,IAAI,QAAQ,IAAI;AACjC,QAAI,MAAO,KAAI,aAAa,IAAI,SAAS,KAAK;AAC9C,WAAO,EAAE,SAAS,IAAI,SAAS,GAAG,GAAG;AAAA,EACvC;AAEA,MAAI,KAAK,iCAAiC,CAAC,MAAM,wBAAwB,GAAG,kBAAkB,CAAC;AAC/F,MAAI;AAAA,IAAK;AAAA,IAA+C,CAAC,MACvD,wBAAwB,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC;AAAA,EACxD;AAEA,QAAM,cAAc,OAAO,GAAoB,iBAA4C;AACzF,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,OAAO,MAAM,mBAAmB,CAAC;AACvC,UAAM,YAAY,KAAK,cAAc;AACrC,UAAM,OAAO,KAAK,QAAQ;AAC1B,UAAM,cAAc,KAAK,gBAAgB;AACzC,UAAM,eAAe,KAAK;AAC1B,UAAM,eAAe,KAAK,iBAAiB;AAC3C,UAAM,iBAAiB,KAAK,SAAS;AAErC,UAAM,QAAQ,uBAAuB,GAAG,IAAI;AAC5C,UAAM,aAAa,eAAe,UAAU,aAAa,IAAI,GAAG,cAAc,MAAM,UAAU,MAAM,YAAY;AAChH,QAAI,WAAW,OAAO;AACpB,aAAO,EAAE,KAAK,WAAW,MAAM,MAAM,WAAW,MAAM,MAAa;AAAA,IACrE;AACA,UAAM,kBAAkB,WAAW;AAEnC,QAAI,cAAc,sBAAsB;AACtC,YAAM,UAAU,gBAAgB,KAAK,EAAE,IAAI,IAAI;AAC/C,UAAI,CAAC,WAAW,cAAc,OAAO,GAAG;AACtC,YAAI,QAAS,iBAAgB,KAAK,EAAE,OAAO,IAAI;AAC/C,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4CAA4C,GAAG,GAAG;AAAA,MAC/G;AACA,UAAI,QAAQ,iBAAiB,cAAc;AACzC,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,iCAAiC,GAAG,GAAG;AAAA,MACpG;AACA,UAAI,eAAe,gBAAgB,QAAQ,aAAa;AACtD,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,+BAA+B,GAAG,GAAG;AAAA,MAClG;AACA,UAAI,mBAAmB,gBAAgB,cAAc,QAAQ,UAAU;AACrE,eAAO,EAAE;AAAA,UACP,EAAE,OAAO,iBAAiB,mBAAmB,oDAAoD;AAAA,UACjG;AAAA,QACF;AAAA,MACF;AAEA,UAAI,QAAQ,kBAAkB,MAAM;AAClC,YAAI,CAAC,cAAc;AACjB,iBAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B,GAAG,GAAG;AAAA,QAC/F;AACA,cAAM,UAAU,QAAQ,uBAAuB,SAAS,YAAY;AACpE,YAAI,WAAW,QAAQ;AACrB,gBAAM,WAAW,WAAW,QAAQ,EAAE,OAAO,YAAY,EAAE,OAAO,WAAW;AAC7E,cAAI,aAAa,QAAQ,eAAe;AACtC,mBAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B,GAAG,GAAG;AAAA,UAC/F;AAAA,QACF,WAAW,WAAW,SAAS;AAC7B,cAAI,iBAAiB,QAAQ,eAAe;AAC1C,mBAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B,GAAG,GAAG;AAAA,UAC/F;AAAA,QACF,OAAO;AACL,iBAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,4BAA4B,GAAG,GAAG;AAAA,QAC/F;AAAA,MACF;AAEA,YAAM,OAAO,cAAc,WAAW,QAAQ,OAAO;AACrD,UAAI,CAAC,KAAM,QAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,gBAAgB,GAAG,GAAG;AAC5F,sBAAgB,KAAK,EAAE,OAAO,IAAI;AAElC,YAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,YAAM,iBAAiB,QAAQ,YAAY,MAAM,YAAY;AAC7D,YAAM,QAAQ,QAAQ,SAAS;AAC/B,YAAM,cAAc,QAAQ,YAAY,EAAE,EAAE,SAAS,WAAW,CAAC;AACjE,YAAM,kBAAkB,UAAU,YAAY,EAAE,EAAE,SAAS,WAAW,CAAC;AAEvE,sBAAgB,KAAK,EAAE,IAAI,aAAa;AAAA,QACtC;AAAA,QACA,UAAU;AAAA,QACV;AAAA,QACA,UAAU;AAAA,QACV,WAAW,MAAM;AAAA,QACjB,YAAY,KAAK;AAAA,QACjB,UAAU,KAAK;AAAA,MACjB,CAAC;AACD,uBAAiB,KAAK,EAAE,IAAI,iBAAiB;AAAA,QAC3C;AAAA,QACA,UAAU;AAAA,QACV;AAAA,QACA,YAAY,KAAK;AAAA,QACjB,UAAU,KAAK;AAAA,QACf,OAAO,QAAQ;AAAA,MACjB,CAAC;AAED,gBAAU,IAAI,aAAa;AAAA,QACzB,OAAO,KAAK;AAAA,QACZ,IAAI,KAAK;AAAA,QACT,QAAQ,WAAW,KAAK;AAAA,MAC1B,CAAC;AAED,YAAM,UAAU,MAAM,cAAc,WAAW,MAAM,gBAAgB,QAAQ,OAAO,OAAO,QAAQ,KAAK;AAExG,aAAO,EAAE,KAAK;AAAA,QACZ,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,cAAc;AAAA,QACd,eAAe;AAAA,QACf,UAAU;AAAA,QACV;AAAA,MACF,CAAC;AAAA,IACH;AAEA,QAAI,cAAc,iBAAiB;AACjC,YAAM,WAAW,iBAAiB,KAAK,EAAE,IAAI,YAAY;AACzD,UAAI,CAAC,UAAU;AACb,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,yBAAyB,GAAG,GAAG;AAAA,MAC5F;AACA,UAAI,SAAS,iBAAiB,cAAc;AAC1C,eAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,iCAAiC,GAAG,GAAG;AAAA,MACpG;AACA,UAAI,mBAAmB,gBAAgB,cAAc,SAAS,UAAU;AACtE,eAAO,EAAE;AAAA,UACP,EAAE,OAAO,iBAAiB,mBAAmB,+CAA+C;AAAA,UAC5F;AAAA,QACF;AAAA,MACF;AAEA,YAAM,OAAO,UAAU,MAAM,UAAU,WAAW,SAAS,UAAU;AACrE,UAAI,CAAC,KAAM,QAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,mBAAmB,gBAAgB,GAAG,GAAG;AAC5F,uBAAiB,KAAK,EAAE,OAAO,YAAY;AAE3C,YAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,YAAM,kBAAkB,QAAQ,YAAY,EAAE,EAAE,SAAS,WAAW,CAAC;AACrE,YAAM,mBAAmB,UAAU,YAAY,EAAE,EAAE,SAAS,WAAW,CAAC;AACxE,YAAM,QAAQ,kBAAkB,SAAS;AAEzC,sBAAgB,KAAK,EAAE,IAAI,iBAAiB;AAAA,QAC1C;AAAA,QACA,UAAU,SAAS;AAAA,QACnB;AAAA,QACA,UAAU;AAAA,QACV,WAAW,MAAM;AAAA,QACjB,YAAY,KAAK;AAAA,QACjB,UAAU,KAAK;AAAA,MACjB,CAAC;AACD,uBAAiB,KAAK,EAAE,IAAI,kBAAkB;AAAA,QAC5C,GAAG;AAAA,QACH;AAAA,MACF,CAAC;AAED,gBAAU,IAAI,iBAAiB;AAAA,QAC7B,OAAO,KAAK;AAAA,QACZ,IAAI,KAAK;AAAA,QACT,QAAQ,WAAW,KAAK;AAAA,MAC1B,CAAC;AAED,YAAM,WAAoC;AAAA,QACxC,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,cAAc;AAAA,QACd,eAAe;AAAA,QACf;AAAA,MACF;AAEA,UAAI,WAAW,KAAK,EAAE,SAAS,QAAQ,GAAG;AACxC,iBAAS,WAAW,MAAM;AAAA,UACxB;AAAA,UACA;AAAA,UACA,SAAS;AAAA,UACT,SAAS;AAAA,UACT,OAAO;AAAA,UACP;AAAA,QACF;AAAA,MACF;AAEA,aAAO,EAAE,KAAK,QAAQ;AAAA,IACxB;AAEA,QAAI,cAAc,sBAAsB;AACtC,UAAI,UAAU,aAAa,IAAI,EAAE,SAAS,KAAK,CAAC,iBAAiB;AAC/D,eAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,mBAAmB,kBAAkB,GAAG,GAAG;AAAA,MACtF;AAEA,YAAM,QAAQ,kBAAkB;AAChC,YAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,YAAM,cAAc,QAAQ,YAAY,EAAE,EAAE,SAAS,WAAW,CAAC;AACjE,YAAM,WAAW,iBAAiB,aAAa,MAAM;AAErD,UAAI,CAAC,UAAU;AACb,eAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,mBAAmB,yBAAyB,GAAG,GAAG;AAAA,MAC7F;AAEA,sBAAgB,KAAK,EAAE,IAAI,aAAa;AAAA,QACtC;AAAA,QACA;AAAA,QACA;AAAA,QACA,UAAU;AAAA,QACV,WAAW,MAAM;AAAA,QACjB,YAAY;AAAA,QACZ,UAAU;AAAA,MACZ,CAAC;AAED,gBAAU,IAAI,aAAa;AAAA,QACzB,OAAO;AAAA,QACP,IAAI;AAAA,QACJ,QAAQ,WAAW,KAAK;AAAA,MAC1B,CAAC;AAED,aAAO,EAAE,KAAK;AAAA,QACZ,YAAY;AAAA,QACZ,YAAY;AAAA,QACZ,cAAc;AAAA,QACd;AAAA,MACF,CAAC;AAAA,IACH;AAEA,WAAO,EAAE,KAAK,EAAE,OAAO,yBAAyB,GAAG,GAAG;AAAA,EACxD;AAEA,MAAI,KAAK,oBAAoB,CAAC,MAAM,YAAY,GAAG,kBAAkB,CAAC;AACtE,MAAI,KAAK,kCAAkC,CAAC,MAAM,YAAY,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC,CAAC;AAE7F,QAAM,iBAAiB,CAAC,GAAoB,iBAAmC;AAC7E,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,QAAQ,EAAE,IAAI,WAAW,KAAK;AACpC,UAAM,SAAS,gBAAgB,KAAK,EAAE,IAAI,KAAK;AAC/C,QAAI,CAAC,UAAU,OAAO,iBAAiB,gBAAgB,CAAC,OAAO,YAAY;AACzE,aAAO,uBAAuB;AAAA,IAChC;AAEA,UAAM,OAAO,UAAU,MAAM,UAAU,WAAW,OAAO,UAAU;AACnE,QAAI,CAAC,KAAM,QAAO,uBAAuB;AAEzC,UAAM,SAAkC;AAAA,MACtC,KAAK,KAAK;AAAA,MACV,MAAM,gBAAgB,IAAI;AAAA,MAC1B,oBAAoB,KAAK;AAAA,MACzB,OAAO,KAAK;AAAA,MACZ,gBAAgB;AAAA,MAChB,QAAQ,KAAK;AAAA,MACb,UAAU,KAAK;AAAA,IACjB;AAEA,QAAI,WAAW,OAAO,KAAK,EAAE,SAAS,QAAQ,GAAG;AAC/C,aAAO,SAAS,kBAAkB,WAAW,IAAI;AAAA,IACnD;AAEA,WAAO,EAAE,KAAK,MAAM;AAAA,EACtB;AAEA,MAAI,IAAI,uBAAuB,CAAC,MAAM,eAAe,GAAG,kBAAkB,CAAC;AAC3E,MAAI,IAAI,qCAAqC,CAAC,MAAM,eAAe,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC,CAAC;AAElG,QAAM,eAAe,OAAO,GAAoB,iBAA4C;AAC1F,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,OAAO,MAAM,mBAAmB,CAAC;AACvC,UAAM,QAAQ,KAAK,SAAS;AAC5B,oBAAgB,KAAK,EAAE,OAAO,KAAK;AACnC,qBAAiB,KAAK,EAAE,OAAO,KAAK;AACpC,cAAU,OAAO,KAAK;AACtB,WAAO,EAAE,KAAK,IAAI,GAAG;AAAA,EACvB;AAEA,MAAI,KAAK,qBAAqB,CAAC,MAAM,aAAa,GAAG,kBAAkB,CAAC;AACxE,MAAI,KAAK,mCAAmC,CAAC,MAAM,aAAa,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC,CAAC;AAE/F,QAAM,mBAAmB,OAAO,GAAoB,iBAA4C;AAC9F,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,OAAO,MAAM,mBAAmB,CAAC;AACvC,UAAM,QAAQ,KAAK,SAAS;AAC5B,UAAM,QAAQ,uBAAuB,GAAG,IAAI;AAE5C,UAAM,aAAa,eAAe,UAAU,aAAa,IAAI,GAAG,cAAc,MAAM,UAAU,MAAM,YAAY;AAChH,QAAI,WAAW,OAAO;AACpB,aAAO,EAAE,KAAK,WAAW,MAAM,MAAM,WAAW,MAAM,MAAa;AAAA,IACrE;AAEA,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,UAAM,SAAS,gBAAgB,KAAK,EAAE,IAAI,KAAK;AAC/C,QAAI,UAAU,OAAO,iBAAiB,gBAAgB,OAAO,YAAY,KAAK;AAC5E,aAAO,EAAE,KAAK;AAAA,QACZ,QAAQ;AAAA,QACR,YAAY;AAAA,QACZ,OAAO,OAAO;AAAA,QACd,WAAW,OAAO;AAAA,QAClB,UAAU,OAAO;AAAA,QACjB,KAAK,OAAO;AAAA,QACZ,KAAK,OAAO;AAAA,QACZ,KAAK,OAAO;AAAA,QACZ,KAAK,OAAO;AAAA,QACZ,KAAK,OAAO;AAAA,MACd,CAAC;AAAA,IACH;AAEA,UAAM,UAAU,iBAAiB,KAAK,EAAE,IAAI,KAAK;AACjD,QAAI,WAAW,QAAQ,iBAAiB,cAAc;AACpD,aAAO,EAAE,KAAK;AAAA,QACZ,QAAQ;AAAA,QACR,YAAY;AAAA,QACZ,OAAO,QAAQ;AAAA,QACf,WAAW,QAAQ;AAAA,QACnB,UAAU,QAAQ;AAAA,QAClB,KAAK,QAAQ;AAAA,QACb,KAAK,OAAO;AAAA,QACZ,KAAK,OAAO;AAAA,MACd,CAAC;AAAA,IACH;AAEA,WAAO,EAAE,KAAK,EAAE,QAAQ,MAAM,CAAC;AAAA,EACjC;AAEA,MAAI,KAAK,yBAAyB,CAAC,MAAM,iBAAiB,GAAG,kBAAkB,CAAC;AAChF,MAAI,KAAK,uCAAuC,CAAC,MAAM,iBAAiB,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC,CAAC;AAEvG,QAAM,eAAe,CAAC,GAAoB,iBAAmC;AAC3E,UAAM,SAAS,cAAc,cAAc,SAAS,SAAS;AAC7D,QAAI,CAAC,OAAQ,QAAO,UAAU,GAAG,KAAK,YAAY,oCAAoC,YAAY,GAAG;AAErG,UAAM,wBAAwB,EAAE,IAAI,MAAM,0BAA0B;AACpE,QAAI,CAAC,sBAAuB,QAAO,EAAE,KAAK,YAAY;AAEtD,UAAM,gBAAgB,oBAAoB,UAAU,aAAa,IAAI,GAAG,YAAY;AACpF,QAAI,cAAc,SAAS,GAAG;AAC5B,YAAM,YAAY,cAAc,KAAK,CAAC,WAAW,mBAAmB,uBAAuB,OAAO,aAAa,CAAC;AAChH,UAAI,CAAC,UAAW,QAAO,EAAE,KAAK,oCAAoC,GAAG;AAAA,IACvE;AAEA,WAAO,EAAE,SAAS,uBAAuB,GAAG;AAAA,EAC9C;AAEA,MAAI,IAAI,qBAAqB,CAAC,MAAM,aAAa,GAAG,kBAAkB,CAAC;AACvE,MAAI,IAAI,mCAAmC,CAAC,MAAM,aAAa,GAAG,EAAE,IAAI,MAAM,cAAc,CAAC,CAAC;AAChG;;;ACz1BA,SAAS,kBAAkB,MAAgB,SAAqD;AAC9F,QAAM,gBAAgB,OAAO,QAAQ,cAAc,WAAW,QAAQ,YAAY,KAAK;AACvF,QAAM,eAAe,OAAO,QAAQ,aAAa,WAAW,QAAQ,WAAW,KAAK;AACpF,QAAM,kBACJ,OAAO,QAAQ,gBAAgB,WAC3B,QAAQ,cACR,OAAO,QAAQ,aAAa,WAC1B,QAAQ,WACR,KAAK;AAEb,SAAO;AAAA,IACL,OAAO,OAAO,QAAQ,UAAU,WAAW,QAAQ,QAAQ,KAAK;AAAA,IAChE,OAAO,OAAO,QAAQ,UAAU,WAAW,QAAQ,QAAQ,KAAK;AAAA,IAChE,YAAY;AAAA,IACZ,WAAW;AAAA,IACX,cAAc,mBAAmB,GAAG,aAAa,IAAI,YAAY,GAAG,KAAK;AAAA,IACzE,QAAQ,OAAO,QAAQ,WAAW,WAAW,QAAQ,SAAS,KAAK;AAAA,IACnE,WAAW,OAAO,QAAQ,aAAa,WAAW,QAAQ,WAAW,KAAK;AAAA,EAC5E;AACF;AAEA,SAAS,mBAAmB,MAAgB,QAA2C;AACrF,QAAM,MAAM,OAAO;AACnB,QAAM,cAAc,WAAW,WAAY,KAAK,gBAAgB,MAAO,KAAK;AAC5E,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,yBAAyB;AAAA,IACzB,mBAAmB;AAAA,IACnB,cAAc;AAAA,EAChB;AACF;AAEO,SAAS,WAAW,EAAE,KAAK,OAAO,SAAS,SAAS,GAAuB;AAChF,QAAM,YAAY,aAAa,KAAK;AAEpC,MAAI,IAAI,iBAAiB,CAAC,MAAM;AAC9B,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,KAAK,EAAE,IAAI,MAAM,GAAG,KAAK,IAAI,YAAY;AAC/C,UAAM,UAAU,EAAE,IAAI,MAAM,QAAQ,KAAK,IAAI,YAAY;AACzD,UAAM,SAAS,EAAE,IAAI,MAAM,QAAQ,KAAK;AAExC,QAAI,QAAQ,UAAU,MAAM,IAAI;AAEhC,QAAI,GAAG;AACL,cAAQ,MAAM;AAAA,QAAO,CAAC,SACpB,CAAC,KAAK,OAAO,KAAK,OAAO,KAAK,YAAY,KAAK,WAAW,KAAK,YAAY,EACxE,KAAK,GAAG,EACR,YAAY,EACZ,SAAS,CAAC;AAAA,MACf;AAAA,IACF;AAEA,QAAI,QAAQ;AACV,cAAQ,MAAM;AAAA,QAAO,CAAC,SACpB,CAAC,KAAK,OAAO,KAAK,OAAO,KAAK,YAAY,KAAK,WAAW,KAAK,YAAY,EACxE,KAAK,GAAG,EACR,YAAY,EACZ,SAAS,MAAM;AAAA,MACpB;AAAA,IACF;AAEA,QAAI,QAAQ;AACV,YAAM,cAAc,OAAO,MAAM,8BAA8B;AAC/D,UAAI,cAAc,CAAC,GAAG;AACpB,gBAAQ,MAAM,OAAO,CAAC,SAAS,KAAK,WAAW,YAAY,CAAC,CAAC;AAAA,MAC/D;AAAA,IACF;AAEA,UAAM,EAAE,MAAM,SAAS,IAAI,gBAAgB,CAAC;AAC5C,UAAM,QAAQ,MAAM;AACpB,UAAM,SAAS,OAAO,KAAK;AAC3B,UAAM,QAAQ,MAAM,MAAM,OAAO,QAAQ,QAAQ;AACjD,kBAAc,GAAG,OAAO,MAAM,QAAQ;AACtC,MAAE,OAAO,iBAAiB,OAAO,KAAK,CAAC;AAEvC,WAAO,EAAE,KAAK,MAAM,IAAI,CAAC,SAAS,aAAa,SAAS,IAAI,CAAC,CAAC;AAAA,EAChE,CAAC;AAED,MAAI,KAAK,iBAAiB,OAAO,MAAM;AACrC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,UAAW,KAAK,WAAW,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU,CAAC;AACpF,UAAM,QAAQ,OAAO,QAAQ,UAAU,WAAW,QAAQ,MAAM,KAAK,IAAI;AACzE,UAAM,QAAQ,OAAO,QAAQ,UAAU,WAAW,QAAQ,MAAM,KAAK,IAAI;AAEzE,QAAI,CAAC,SAAS,CAAC,OAAO;AACpB,aAAO,UAAU,GAAG,KAAK,YAAY,8CAA8C;AAAA,IACrF;AAEA,QAAI,UAAU,MAAM,UAAU,SAAS,KAAK,KAAK,UAAU,MAAM,UAAU,SAAS,KAAK,GAAG;AAC1F,aAAO,UAAU,GAAG,KAAK,YAAY,oDAAoD;AAAA,IAC3F;AAEA,UAAM,WAAW,cAAc,EAAE,IAAI,MAAM,UAAU,GAAG,IAAI;AAC5D,UAAM,MAAM,OAAO;AACnB,UAAM,YAAY,OAAO,QAAQ,cAAc,WAAW,QAAQ,YAAY;AAC9E,UAAM,WAAW,OAAO,QAAQ,aAAa,WAAW,QAAQ,WAAW;AAC3E,UAAM,cACJ,OAAO,QAAQ,gBAAgB,WAAW,QAAQ,cAAc,GAAG,SAAS,IAAI,QAAQ,GAAG,KAAK,KAAK;AAEvG,UAAM,UAAU,UAAU,MAAM,OAAO;AAAA,MACrC,SAAS,eAAe,KAAK;AAAA,MAC7B,QAAQ,WAAW,WAAW;AAAA,MAC9B,cAAc,WAAW,MAAM;AAAA,MAC/B,mBAAmB;AAAA,MACnB,eAAe;AAAA,MACf,qBAAqB;AAAA,MACrB,yBAAyB;AAAA,MACzB;AAAA,MACA;AAAA,MACA,YAAY;AAAA,MACZ,WAAW;AAAA,MACX,cAAc;AAAA,MACd,QAAQ,OAAO,QAAQ,WAAW,WAAW,QAAQ,SAAS;AAAA,MAC9D,WAAW,OAAO,QAAQ,aAAa,WAAW,QAAQ,WAAW;AAAA,IACvE,CAAC;AAED,WAAO,EAAE,KAAK,aAAa,SAAS,OAAO,GAAG,GAAG;AAAA,EACnD,CAAC;AAED,MAAI,IAAI,oBAAoB,CAAC,MAAM;AACjC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,OAAO,UAAU,MAAM,UAAU,SAAS,KAAK,KAAK,KAAK,UAAU,MAAM,IAAI,EAAE,CAAC;AACtF,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,WAAW,aAAa,SAAS,IAAI;AAC3C,WAAO,EAAE,KAAK;AAAA,MACZ,GAAG;AAAA,MACH,SAAS;AAAA,QACP,GAAI,SAAS;AAAA,QACb,aAAa,gBAAgB,IAAI;AAAA,MACnC;AAAA,IACF,CAAC;AAAA,EACH,CAAC;AAED,MAAI,IAAI,gCAAgC,CAAC,MAAM;AAC7C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,cAAc,UAAU,iBAAiB,OAAO,gBAAgB,KAAK,OAAO;AAClF,UAAM,SAAS,YACZ,IAAI,CAAC,eAAe,UAAU,OAAO,UAAU,WAAW,WAAW,aAAa,CAAC,EACnF,OAAO,CAAC,UAA8C,QAAQ,KAAK,CAAC;AAEvE,WAAO,EAAE;AAAA,MACP,OAAO,IAAI,CAAC,WAAW;AAAA,QACrB,IAAI,MAAM;AAAA,QACV,SAAS;AAAA,UACP,MAAM,MAAM;AAAA,UACZ,aAAa,MAAM;AAAA,QACrB;AAAA,QACA,MAAM,MAAM;AAAA,MACd,EAAE;AAAA,IACJ;AAAA,EACF,CAAC;AAED,MAAI,KAAK,4CAA4C,CAAC,MAAM;AAC1D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AACjE,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI,mBAAmB,MAAM,QAAQ,CAAC;AAClF,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,KAAK,8CAA8C,CAAC,MAAM;AAC5D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AACjE,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI,mBAAmB,MAAM,eAAe,CAAC;AACzF,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,KAAK,2CAA2C,CAAC,MAAM;AACzD,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AACjE,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI,mBAAmB,MAAM,WAAW,CAAC;AACrF,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,KAAK,6CAA6C,CAAC,MAAM;AAC3D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AACjE,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI,mBAAmB,MAAM,QAAQ,CAAC;AAClF,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,IAAI,yBAAyB,CAAC,MAAM;AACtC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AACjE,WAAO,EAAE,KAAK,aAAa,SAAS,IAAI,CAAC;AAAA,EAC3C,CAAC;AAED,MAAI,IAAI,yBAAyB,OAAO,MAAM;AAC5C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,UAAW,KAAK,WAAW,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU,CAAC;AAEpF,UAAM,UAAU,kBAAkB,MAAM,OAAO;AAC/C,QACG,QAAQ,UAAU,KAAK,SAAS,UAAU,MAAM,UAAU,SAAS,QAAQ,SAAS,EAAE,KACtF,QAAQ,UAAU,KAAK,SAAS,UAAU,MAAM,UAAU,SAAS,QAAQ,SAAS,EAAE,GACvF;AACA,aAAO,UAAU,GAAG,KAAK,YAAY,oDAAoD;AAAA,IAC3F;AAEA,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI,OAAO;AACvD,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,KAAK,yBAAyB,OAAO,MAAM;AAC7C,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAEjE,UAAM,OAAO,MAAM,eAAe,CAAC;AACnC,UAAM,UAAW,KAAK,WAAW,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU,CAAC;AACpF,UAAM,UAAU,kBAAkB,MAAM,OAAO;AAC/C,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI,OAAO;AACvD,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,OAAO,yBAAyB,CAAC,MAAM;AACzC,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AAErC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AAGjE,QAAI,KAAK,WAAW,iBAAiB;AACnC,gBAAU,MAAM,OAAO,KAAK,IAAI,mBAAmB,MAAM,eAAe,CAAC;AACzE,aAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC3C;AAEA,eAAW,cAAc,UAAU,iBAAiB,OAAO,gBAAgB,KAAK,OAAO,GAAG;AACxF,gBAAU,iBAAiB,OAAO,WAAW,EAAE;AAAA,IACjD;AACA,eAAW,cAAc,UAAU,eAAe,OAAO,gBAAgB,KAAK,OAAO,GAAG;AACtF,gBAAU,eAAe,OAAO,WAAW,EAAE;AAAA,IAC/C;AAEA,cAAU,MAAM,OAAO,KAAK,EAAE;AAC9B,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C,CAAC;AAED,MAAI,KAAK,8CAA8C,CAAC,MAAM;AAC5D,UAAM,OAAO,sBAAsB,GAAG,QAAQ;AAC9C,QAAI,gBAAgB,SAAU,QAAO;AACrC,UAAM,OAAO,cAAc,WAAW,EAAE,IAAI,MAAM,QAAQ,CAAC;AAC3D,QAAI,CAAC,KAAM,QAAO,UAAU,GAAG,KAAK,YAAY,iBAAiB;AACjE,UAAM,UAAU,UAAU,MAAM,OAAO,KAAK,IAAI;AAAA,MAC9C,QAAQ;AAAA,MACR,mBAAmB,OAAO;AAAA,MAC1B,yBAAyB;AAAA,IAC3B,CAAC;AACD,WAAO,EAAE,KAAK,aAAa,SAAS,WAAW,IAAI,CAAC;AAAA,EACtD,CAAC;AACH;;;AC/MA,SAAS,iBAAiB,OAAwC,aAAqB,YAA0B;AAC/G,QAAM,WAAW,MAAM,iBACpB,OAAO,iBAAiB,WAAW,EACnC,KAAK,CAAC,UAAU,MAAM,iBAAiB,UAAU;AACpD,MAAI,CAAC,UAAU;AACb,UAAM,iBAAiB,OAAO;AAAA,MAC5B,eAAe;AAAA,MACf,cAAc;AAAA,IAChB,CAAC;AAAA,EACH;AACF;AAEA,SAAS,oBAAoB,OAAwC,WAAmB,YAA0B;AAChH,QAAM,WAAW,MAAM,eACpB,OAAO,eAAe,SAAS,EAC/B,KAAK,CAAC,UAAU,MAAM,iBAAiB,UAAU;AACpD,MAAI,CAAC,UAAU;AACb,UAAM,eAAe,OAAO;AAAA,MAC1B,aAAa;AAAA,MACb,cAAc;AAAA,IAChB,CAAC;AAAA,EACH;AACF;AAEA,SAAS,aAAa,OAAc,UAAwB;AAC1D,QAAM,OAAO,aAAa,KAAK;AAE/B,QAAM,gBAAgB,KAAK,qBAAqB,UAAU,aAAa,sBAAsB;AAC7F,MAAI,CAAC,eAAe;AAClB,SAAK,qBAAqB,OAAO,iCAAiC,CAAC;AAAA,EACrE;AAEA,MAAI,WAAW,KAAK,OAAO,UAAU,WAAW,yBAAyB;AACzE,MAAI,CAAC,UAAU;AACb,eAAW,KAAK,OAAO,OAAO,mBAAmB,CAAC;AAAA,EACpD;AAEA,MAAI,OAAO,KAAK,MAAM,UAAU,SAAS,qBAAqB;AAC9D,MAAI,CAAC,MAAM;AACT,WAAO,KAAK,MAAM,OAAO,kBAAkB,CAAC;AAAA,EAC9C;AAEA,MAAI,CAAC,KAAK,aAAa,UAAU,aAAa,kBAAkB,GAAG;AACjE,SAAK,aAAa,OAAO;AAAA,MACvB,WAAW;AAAA,MACX,eAAe;AAAA,MACf,MAAM;AAAA,MACN,eAAe,CAAC,gCAAgC;AAAA,MAChD,gBAAgB,CAAC,MAAM;AAAA,MACvB,aAAa,CAAC,sBAAsB,iBAAiB,oBAAoB;AAAA,MACzE,4BAA4B;AAAA,MAC5B,gBAAgB;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK,aAAa,UAAU,aAAa,eAAe,GAAG;AAC9D,SAAK,aAAa,OAAO;AAAA,MACvB,WAAW;AAAA,MACX,eAAe;AAAA,MACf,MAAM;AAAA,MACN,eAAe,CAAC,+CAA+C,oCAAoC;AAAA,MACnG,gBAAgB,CAAC,MAAM;AAAA,MACvB,aAAa,CAAC,sBAAsB,eAAe;AAAA,MACnD,4BAA4B;AAAA,MAC5B,gBAAgB;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,MAAI,KAAK,KAAK,IAAI,EAAE,WAAW,GAAG;AAChC,SAAK,KAAK,OAAO,iBAAiB,CAAC;AAAA,EACrC;AAEA,mBAAiB,MAAM,SAAS,SAAS,KAAK,OAAO;AACvD;AAEO,SAAS,eAAe,OAAc,UAAkB,QAA8B;AAC3F,QAAM,OAAO,aAAa,KAAK;AAE/B,MAAI,OAAO,uBAAuB;AAChC,eAAW,UAAU,OAAO,uBAAuB;AACjD,YAAM,WAAW,KAAK,qBAAqB,UAAU,aAAa,OAAO,EAAE;AAC3E,UAAI,SAAU;AACd,WAAK,qBAAqB,OAAO;AAAA,QAC/B,WAAW,OAAO;AAAA,QAClB,MAAM,OAAO;AAAA,QACb,aAAa,OAAO,eAAe;AAAA,QACnC,WAAW,OAAO,aAAa,CAAC,eAAe;AAAA,QAC/C,QAAQ,0BAA0B,OAAO,QAAQ,QAAQ;AAAA,MAC3D,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,OAAO,OAAO;AAChB,eAAW,QAAQ,OAAO,OAAO;AAC/B,YAAM,UAAU,KAAK,MAAM,UAAU,SAAS,KAAK,KAAK;AACxD,UAAI,QAAS;AACb,YAAM,iBAAiB,gBAAgB,KAAK,QAAQ,QAAQ;AAC5D,WAAK,MAAM,OAAO;AAAA,QAChB,SAAS,KAAK,WAAW,eAAe,KAAK;AAAA,QAC7C,QAAQ;AAAA,QACR,cAAc,mBAAmB,YAAW,oBAAI,KAAK,GAAE,YAAY,IAAI;AAAA,QACvE,oBAAmB,oBAAI,KAAK,GAAE,YAAY;AAAA,QAC1C,eAAe;AAAA,QACf,qBAAqB;AAAA,QACrB,yBAAyB;AAAA,QACzB,OAAO,KAAK;AAAA,QACZ,OAAO,KAAK,SAAS,KAAK;AAAA,QAC1B,YAAY,KAAK,cAAc;AAAA,QAC/B,WAAW,KAAK,aAAa;AAAA,QAC7B,cAAc,KAAK,gBAAgB,GAAG,KAAK,cAAc,MAAM,IAAI,KAAK,aAAa,MAAM,GAAG,KAAK;AAAA,QACnG,QAAQ,KAAK,UAAU;AAAA,QACvB,WAAW,KAAK,aAAa;AAAA,MAC/B,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,OAAO,QAAQ;AACjB,eAAW,SAAS,OAAO,QAAQ;AACjC,YAAM,SAAS,KAAK,OAAO,UAAU,QAAQ,MAAM,IAAI;AACvD,UAAI,OAAQ;AACZ,WAAK,OAAO,OAAO;AAAA,QACjB,SAAS,MAAM,WAAW,eAAe,KAAK;AAAA,QAC9C,MAAM,mBAAmB,MAAM,MAAM,YAAY;AAAA,QACjD,MAAM,MAAM;AAAA,QACZ,aAAa,MAAM,eAAe;AAAA,MACpC,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,OAAO,MAAM;AACf,eAAW,OAAO,OAAO,MAAM;AAC7B,YAAM,SAAS,KAAK,KAAK,UAAU,QAAQ,IAAI,IAAI;AACnD,UAAI,OAAQ;AACZ,WAAK,KAAK,OAAO;AAAA,QACf,SAAS,IAAI,WAAW,eAAe,KAAK;AAAA,QAC5C,MAAM,IAAI;AAAA,QACV,OAAO,IAAI,SAAS,IAAI;AAAA,QACxB,QAAQ,mBAAmB,IAAI,QAAQ,QAAQ;AAAA,QAC/C,cAAc,IAAI,gBAAgB;AAAA,QAClC,UAAU,IAAI,YAAY,CAAC;AAAA,QAC3B,aAAa,IAAI,eAAe,CAAC;AAAA,MACnC,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,OAAO,eAAe;AACxB,eAAW,UAAU,OAAO,eAAe;AACzC,YAAM,WAAW,KAAK,aAAa,UAAU,aAAa,OAAO,SAAS;AAC1E,UAAI,SAAU;AACd,YAAM,0BAA0B,OAAO,8BAA8B;AACrE,WAAK,aAAa,OAAO;AAAA,QACvB,WAAW,OAAO;AAAA,QAClB,eAAe,OAAO,iBAAiB;AAAA,QACvC,MAAM,OAAO;AAAA,QACb,eAAe,OAAO;AAAA,QACtB,gBAAgB,OAAO,kBAAkB,CAAC,MAAM;AAAA,QAChD,aAAa,OAAO,eAAe,CAAC,sBAAsB,iBAAiB,oBAAoB;AAAA,QAC/F,4BAA4B;AAAA,QAC5B,gBAAgB,OAAO,kBAAkB;AAAA,MAC3C,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MAAI,OAAO,mBAAmB;AAC5B,eAAW,cAAc,OAAO,mBAAmB;AACjD,YAAM,QAAQ,KAAK,OAAO,UAAU,WAAW,WAAW,aAAa;AACvE,YAAM,OAAO,KAAK,MAAM,UAAU,WAAW,WAAW,YAAY;AACpE,UAAI,CAAC,SAAS,CAAC,KAAM;AACrB,uBAAiB,MAAM,MAAM,SAAS,KAAK,OAAO;AAAA,IACpD;AAAA,EACF;AAEA,MAAI,OAAO,iBAAiB;AAC1B,eAAW,cAAc,OAAO,iBAAiB;AAC/C,YAAM,MAAM,KAAK,KAAK,UAAU,WAAW,WAAW,WAAW;AACjE,YAAM,OAAO,KAAK,MAAM,UAAU,WAAW,WAAW,YAAY;AACpE,UAAI,CAAC,OAAO,CAAC,KAAM;AACnB,0BAAoB,MAAM,IAAI,SAAS,KAAK,OAAO;AAAA,IACrD;AAAA,EACF;AACF;AAEO,IAAM,aAA4B;AAAA,EACvC,MAAM;AAAA,EACN,SAAS,KAAmB,OAAc,UAA6B,SAAiB,UAA2B;AACjH,UAAM,MAAoB,EAAE,KAAK,OAAO,UAAU,SAAS,SAAS;AACpE,gBAAY,GAAG;AACf,eAAW,GAAG;AACd,gBAAY,GAAG;AACf,cAAU,GAAG;AACb,8BAA0B,GAAG;AAAA,EAC/B;AAAA,EACA,KAAK,OAAc,SAAuB;AACxC,iBAAa,OAAO,OAAO;AAAA,EAC7B;AACF;AAEA,IAAO,gBAAQ;","names":[]}
|