npm - @enactprotocol/trust - Versions diffs - 2.0.0 → 2.0.1 - Mend

@enactprotocol/trust 2.0.0 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (58) hide show

package/dist/hash.d.ts +53 -0
package/dist/hash.d.ts.map +1 -0
package/dist/hash.js +104 -0
package/dist/hash.js.map +1 -0
package/dist/index.d.ts +12 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +14 -0
package/dist/index.js.map +1 -0
package/dist/keys.d.ts +41 -0
package/dist/keys.d.ts.map +1 -0
package/dist/keys.js +130 -0
package/dist/keys.js.map +1 -0
package/dist/sigstore/attestation.d.ts +245 -0
package/dist/sigstore/attestation.d.ts.map +1 -0
package/dist/sigstore/attestation.js +324 -0
package/dist/sigstore/attestation.js.map +1 -0
package/dist/sigstore/cosign.d.ts +90 -0
package/dist/sigstore/cosign.d.ts.map +1 -0
package/dist/sigstore/cosign.js +457 -0
package/dist/sigstore/cosign.js.map +1 -0
package/dist/sigstore/index.d.ts +17 -0
package/dist/sigstore/index.d.ts.map +1 -0
package/dist/sigstore/index.js +21 -0
package/dist/sigstore/index.js.map +1 -0
package/dist/sigstore/oauth/client.d.ts +38 -0
package/dist/sigstore/oauth/client.d.ts.map +1 -0
package/dist/sigstore/oauth/client.js +71 -0
package/dist/sigstore/oauth/client.js.map +1 -0
package/dist/sigstore/oauth/index.d.ts +47 -0
package/dist/sigstore/oauth/index.d.ts.map +1 -0
package/dist/sigstore/oauth/index.js +66 -0
package/dist/sigstore/oauth/index.js.map +1 -0
package/dist/sigstore/oauth/server.d.ts +29 -0
package/dist/sigstore/oauth/server.d.ts.map +1 -0
package/dist/sigstore/oauth/server.js +145 -0
package/dist/sigstore/oauth/server.js.map +1 -0
package/dist/sigstore/policy.d.ts +85 -0
package/dist/sigstore/policy.d.ts.map +1 -0
package/dist/sigstore/policy.js +351 -0
package/dist/sigstore/policy.js.map +1 -0
package/dist/sigstore/signing.d.ts +94 -0
package/dist/sigstore/signing.d.ts.map +1 -0
package/dist/sigstore/signing.js +477 -0
package/dist/sigstore/signing.js.map +1 -0
package/dist/sigstore/types.d.ts +541 -0
package/dist/sigstore/types.d.ts.map +1 -0
package/dist/sigstore/types.js +5 -0
package/dist/sigstore/types.js.map +1 -0
package/dist/sigstore/verification.d.ts +66 -0
package/dist/sigstore/verification.d.ts.map +1 -0
package/dist/sigstore/verification.js +317 -0
package/dist/sigstore/verification.js.map +1 -0
package/dist/types.d.ts +61 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +5 -0
package/dist/types.js.map +1 -0
package/package.json +1 -1
package/tsconfig.tsbuildinfo +0 -1

package/dist/sigstore/signing.js ADDED Viewed

@@ -0,0 +1,477 @@
+/**
+ * OIDC-based keyless signing using Sigstore
+ *
+ * This module provides keyless signing capabilities using OIDC identity tokens.
+ * It integrates with Fulcio for certificate issuance and Rekor for transparency logging.
+ *
+ * For CI environments (GitHub Actions, GitLab CI, etc.), the sigstore library's
+ * native OIDC support is used. For interactive local signing, we use a native
+ * OAuth implementation that opens a browser for authentication.
+ */
+import { attest, sign } from "sigstore";
+import { attestWithCosign, isCosignAvailable, signWithCosign } from "./cosign";
+import { OAuthIdentityProvider } from "./oauth";
+// ============================================================================
+// Constants
+// ============================================================================
+/** Public Sigstore Fulcio URL */
+export const FULCIO_PUBLIC_URL = "https://fulcio.sigstore.dev";
+/** Public Sigstore Rekor URL */
+export const REKOR_PUBLIC_URL = "https://rekor.sigstore.dev";
+/** Public Sigstore TSA URL */
+export const TSA_PUBLIC_URL = "https://timestamp.sigstore.dev";
+/** OIDC issuer URLs for known providers */
+export const OIDC_ISSUERS = {
+    github: "https://token.actions.githubusercontent.com",
+    google: "https://accounts.google.com",
+    microsoft: "https://login.microsoftonline.com",
+    gitlab: "https://gitlab.com",
+    custom: "",
+};
+// ============================================================================
+// OIDC Identity Extraction
+// ============================================================================
+/**
+ * Decode a JWT token without verification (for extracting claims)
+ */
+function decodeJWT(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+        throw new Error("Invalid JWT format");
+    }
+    const payloadPart = parts[1];
+    if (!payloadPart) {
+        throw new Error("Invalid JWT: missing payload");
+    }
+    try {
+        // Use standard base64 decoding with URL-safe character replacement
+        const base64 = payloadPart.replace(/-/g, "+").replace(/_/g, "/");
+        const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
+        const payload = Buffer.from(padded, "base64").toString("utf8");
+        return JSON.parse(payload);
+    }
+    catch {
+        throw new Error("Failed to decode JWT payload");
+    }
+}
+/**
+ * Detect OIDC provider from issuer URL
+ */
+export function detectOIDCProvider(issuer) {
+    for (const [provider, url] of Object.entries(OIDC_ISSUERS)) {
+        if (url && issuer.startsWith(url)) {
+            return provider;
+        }
+    }
+    return "custom";
+}
+/**
+ * Extract identity information from an OIDC token
+ *
+ * @param token - The OIDC identity token
+ * @returns Extracted identity information
+ */
+export function extractOIDCIdentity(token) {
+    const claims = decodeJWT(token);
+    const issuer = claims.iss;
+    const provider = detectOIDCProvider(issuer);
+    const identity = {
+        provider,
+        subject: claims.sub,
+        issuer,
+        claims,
+    };
+    // Extract email if present
+    if (claims.email) {
+        identity.email = claims.email;
+    }
+    // Extract GitHub-specific claims
+    if (provider === "github") {
+        if (claims.repository) {
+            identity.workflowRepository = claims.repository;
+        }
+        if (claims.ref) {
+            identity.workflowRef = claims.ref;
+        }
+        if (claims.event_name) {
+            identity.workflowTrigger = claims.event_name;
+        }
+    }
+    return identity;
+}
+/**
+ * Get OIDC token from environment (for CI/CD environments)
+ *
+ * @param provider - The OIDC provider
+ * @returns The OIDC token if available
+ */
+export function getOIDCTokenFromEnvironment(provider) {
+    switch (provider) {
+        case "github":
+            // GitHub Actions provides OIDC tokens via ACTIONS_ID_TOKEN_REQUEST_URL
+            return process.env.ACTIONS_ID_TOKEN;
+        case "gitlab":
+            return process.env.CI_JOB_JWT_V2 || process.env.CI_JOB_JWT;
+        default:
+            return undefined;
+    }
+}
+// ============================================================================
+// Environment Detection
+// ============================================================================
+/**
+ * Check if we're running in a CI environment with native OIDC support
+ */
+function isInCIEnvironment() {
+    // GitHub Actions
+    if (process.env.GITHUB_ACTIONS && process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
+        return true;
+    }
+    // GitLab CI
+    if (process.env.GITLAB_CI && (process.env.CI_JOB_JWT_V2 || process.env.CI_JOB_JWT)) {
+        return true;
+    }
+    // Generic CI detection with token
+    if (process.env.CI && process.env.SIGSTORE_ID_TOKEN) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Check if we're in an interactive terminal environment
+ */
+function isInteractiveEnvironment() {
+    return process.stdout.isTTY === true;
+}
+// ============================================================================
+// Signing Functions
+// ============================================================================
+/**
+ * Sign an artifact using keyless (OIDC) signing
+ *
+ * In CI environments with native OIDC support (GitHub Actions, GitLab CI),
+ * uses the sigstore library directly. For interactive local signing,
+ * uses native OAuth implementation that opens browser for authentication.
+ *
+ * @param artifact - The artifact to sign (as a Buffer)
+ * @param options - Signing options
+ * @returns The signing result including the Sigstore bundle
+ *
+ * @example
+ * ```ts
+ * const artifact = Buffer.from(JSON.stringify(manifest));
+ * const result = await signArtifact(artifact, {
+ *   oidc: { provider: "github" }
+ * });
+ * console.log(result.bundle);
+ * ```
+ */
+export async function signArtifact(artifact, options = {}) {
+    const { fulcioURL, rekorURL, timeout = 30000 } = options;
+    // Create sigstore sign options
+    const signOptions = {
+        fulcioURL: fulcioURL || FULCIO_PUBLIC_URL,
+        rekorURL: rekorURL || REKOR_PUBLIC_URL,
+        timeout,
+    };
+    // If we have an explicit OIDC token, use it directly
+    if (options.oidc?.token) {
+        signOptions.identityToken = options.oidc.token;
+    }
+    // If we're in a CI environment, sigstore library will handle OIDC
+    else if (isInCIEnvironment()) {
+        // No additional config needed - sigstore will use CI provider
+    }
+    // Interactive environment - try native OAuth first, fall back to cosign
+    else if (isInteractiveEnvironment()) {
+        // Try native OAuth with sigstore-js first
+        try {
+            const provider = new OAuthIdentityProvider();
+            signOptions.identityProvider = provider;
+            const bundle = await sign(artifact, signOptions);
+            const sigstoreBundle = bundle;
+            const certificate = extractCertificateFromBundle(sigstoreBundle);
+            const result = {
+                bundle: sigstoreBundle,
+                timestamp: new Date(),
+            };
+            if (certificate) {
+                result.certificate = certificate;
+            }
+            return result;
+        }
+        catch (nativeError) {
+            // Check if this is a BoringSSL/crypto compatibility issue
+            const errorMessage = nativeError instanceof Error ? nativeError.message : String(nativeError);
+            const isCryptoError = errorMessage.includes("NO_DEFAULT_DIGEST") || errorMessage.includes("public key routines");
+            if (isCryptoError && isCosignAvailable()) {
+                // Fall back to cosign CLI
+                const result = await signWithCosign(artifact, {
+                    timeout,
+                    verbose: false,
+                });
+                return {
+                    bundle: result.bundle,
+                    timestamp: new Date(),
+                };
+            }
+            // If cosign is not available and we hit a crypto error, give helpful message
+            if (isCryptoError) {
+                throw new Error("Signing failed due to a crypto compatibility issue with Bun's BoringSSL.\n" +
+                    "Install cosign CLI for local signing: brew install cosign\n" +
+                    "Or run with Node.js instead of Bun.\n" +
+                    "See: https://docs.sigstore.dev/cosign/system_config/installation/");
+            }
+            // Re-throw other errors
+            throw nativeError;
+        }
+    }
+    // Non-interactive, non-CI - error
+    else {
+        throw new Error("No OIDC token available and not in an interactive environment.\n" +
+            "Provide an OIDC token via options.oidc.token or run in a CI environment with OIDC support.");
+    }
+    const bundle = await sign(artifact, signOptions);
+    // Parse the result
+    const sigstoreBundle = bundle;
+    const certificate = extractCertificateFromBundle(sigstoreBundle);
+    const result = {
+        bundle: sigstoreBundle,
+        timestamp: new Date(),
+    };
+    if (certificate) {
+        result.certificate = certificate;
+    }
+    return result;
+}
+/**
+ * Sign an in-toto attestation using keyless signing
+ *
+ * In CI environments with native OIDC support, uses the sigstore library.
+ * For interactive local signing, uses native OAuth with browser authentication.
+ *
+ * @param attestation - The attestation to sign (in-toto statement)
+ * @param options - Signing options
+ * @returns The signing result including the Sigstore bundle
+ *
+ * @example
+ * ```ts
+ * const statement = {
+ *   _type: "https://in-toto.io/Statement/v1",
+ *   subject: [{ name: "tool.yaml", digest: { sha256: "abc123..." } }],
+ *   predicateType: "https://slsa.dev/provenance/v1",
+ *   predicate: { ... }
+ * };
+ * const result = await signAttestation(statement, { oidc: { provider: "github" } });
+ * ```
+ */
+export async function signAttestation(attestation, options = {}) {
+    const { fulcioURL, rekorURL, timeout = 30000 } = options;
+    // Serialize attestation
+    const payload = Buffer.from(JSON.stringify(attestation));
+    // Create sigstore attest options
+    const attestOptions = {
+        fulcioURL: fulcioURL || FULCIO_PUBLIC_URL,
+        rekorURL: rekorURL || REKOR_PUBLIC_URL,
+        timeout,
+    };
+    // If we have an explicit OIDC token, use it directly
+    if (options.oidc?.token) {
+        attestOptions.identityToken = options.oidc.token;
+    }
+    // If we're in a CI environment, sigstore library will handle OIDC
+    else if (isInCIEnvironment()) {
+        // No additional config needed - sigstore will use CI provider
+    }
+    // Interactive environment - try native OAuth first, fall back to cosign
+    else if (isInteractiveEnvironment()) {
+        // Try native OAuth with sigstore-js first
+        try {
+            const provider = new OAuthIdentityProvider();
+            attestOptions.identityProvider = provider;
+            const bundle = await attest(payload, "application/vnd.in-toto+json", attestOptions);
+            const sigstoreBundle = bundle;
+            const certificate = extractCertificateFromBundle(sigstoreBundle);
+            const result = {
+                bundle: sigstoreBundle,
+                timestamp: new Date(),
+            };
+            if (certificate) {
+                result.certificate = certificate;
+            }
+            return result;
+        }
+        catch (nativeError) {
+            // Check if this is a BoringSSL/crypto compatibility issue
+            const errorMessage = nativeError instanceof Error ? nativeError.message : String(nativeError);
+            const isCryptoError = errorMessage.includes("NO_DEFAULT_DIGEST") || errorMessage.includes("public key routines");
+            if (isCryptoError && isCosignAvailable()) {
+                // Fall back to cosign CLI
+                const result = await attestWithCosign(attestation, {
+                    timeout,
+                    verbose: false,
+                });
+                return {
+                    bundle: result.bundle,
+                    timestamp: new Date(),
+                };
+            }
+            // If cosign is not available and we hit a crypto error, give helpful message
+            if (isCryptoError) {
+                throw new Error("Signing failed due to a crypto compatibility issue with Bun's BoringSSL.\n" +
+                    "Install cosign CLI for local signing: brew install cosign\n" +
+                    "Or run with Node.js instead of Bun.\n" +
+                    "See: https://docs.sigstore.dev/cosign/system_config/installation/");
+            }
+            // Re-throw other errors
+            throw nativeError;
+        }
+    }
+    // Non-interactive, non-CI - error
+    else {
+        throw new Error("No OIDC token available and not in an interactive environment.\n" +
+            "Provide an OIDC token via options.oidc.token or run in a CI environment with OIDC support.");
+    }
+    const bundle = await attest(payload, "application/vnd.in-toto+json", attestOptions);
+    // Parse the result
+    const sigstoreBundle = bundle;
+    const certificate = extractCertificateFromBundle(sigstoreBundle);
+    const result = {
+        bundle: sigstoreBundle,
+        timestamp: new Date(),
+    };
+    if (certificate) {
+        result.certificate = certificate;
+    }
+    return result;
+}
+// ============================================================================
+// Certificate Extraction
+// ============================================================================
+/**
+ * Extract the signer email from a certificate's raw bytes
+ * Uses simple regex matching on the DER-encoded certificate
+ */
+function extractEmailFromCertificate(rawBytes) {
+    try {
+        const certStr = rawBytes.toString("latin1");
+        // Look for email pattern in the SAN extension
+        const emailMatch = certStr.match(/[\w.+-]+@[\w.-]+\.[a-zA-Z]{2,}/);
+        return emailMatch?.[0];
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Extract GitHub username from certificate extensions
+ * GitHub OAuth includes the username in the certificate
+ */
+function extractGitHubUsernameFromCertificate(rawBytes) {
+    try {
+        const certStr = rawBytes.toString("latin1");
+        // GitHub username is stored in a custom extension
+        // Look for pattern like "login" followed by the username
+        // The OID 1.3.6.1.4.1.57264.1.8 contains GitHub username
+        // For now, try to find it via common patterns
+        // Try to find GitHub user ID pattern (numeric)
+        // biome-ignore lint/suspicious/noControlCharactersInRegex: We need to match control chars in cert strings
+        const userIdMatch = certStr.match(/github\.com[^\x00-\x1f]*?(\d{5,10})/i);
+        if (userIdMatch) {
+            // We found a user ID but need the username
+            // This would require an API call, which we handle elsewhere
+        }
+        return undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Extract the OIDC issuer from a certificate's raw bytes
+ * Looks for common issuer URLs in the certificate extensions
+ */
+function extractIssuerFromCertificate(rawBytes) {
+    try {
+        const certStr = rawBytes.toString("latin1");
+        // Look for common OIDC issuer patterns
+        const issuerPatterns = [
+            /https:\/\/accounts\.google\.com/,
+            /https:\/\/github\.com\/login\/oauth/,
+            /https:\/\/token\.actions\.githubusercontent\.com/,
+            /https:\/\/gitlab\.com/,
+            /https:\/\/login\.microsoftonline\.com\/[\w-]+\/v2\.0/,
+        ];
+        for (const pattern of issuerPatterns) {
+            const match = certStr.match(pattern);
+            if (match) {
+                return match[0];
+            }
+        }
+        return undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Extract certificate information from a Sigstore bundle
+ */
+export function extractCertificateFromBundle(bundle) {
+    if (!bundle.verificationMaterial?.certificate?.rawBytes) {
+        return undefined;
+    }
+    const rawBytes = Buffer.from(bundle.verificationMaterial.certificate.rawBytes, "base64");
+    // Extract email and issuer from certificate
+    const email = extractEmailFromCertificate(rawBytes);
+    const issuer = extractIssuerFromCertificate(rawBytes);
+    // Try to extract GitHub username (if GitHub OAuth)
+    const username = extractGitHubUsernameFromCertificate(rawBytes);
+    // Parse certificate (simplified - in production would use a proper X.509 parser)
+    const pem = `-----BEGIN CERTIFICATE-----\n${rawBytes
+        .toString("base64")
+        .match(/.{1,64}/g)
+        ?.join("\n")}\n-----END CERTIFICATE-----`;
+    // Build identity object, only including email if present
+    const identity = {
+        provider: issuer?.includes("google")
+            ? "google"
+            : issuer?.includes("github")
+                ? "github"
+                : issuer?.includes("gitlab")
+                    ? "gitlab"
+                    : issuer?.includes("microsoft")
+                        ? "microsoft"
+                        : "custom",
+        subject: email || "unknown",
+        issuer: issuer || "https://fulcio.sigstore.dev",
+    };
+    if (email) {
+        identity.email = email;
+    }
+    if (username) {
+        identity.username = username;
+    }
+    return {
+        certificateChain: [pem],
+        serialNumber: "unknown", // Would need X.509 parsing
+        notBefore: new Date(),
+        notAfter: new Date(Date.now() + 10 * 60 * 1000), // Fulcio certs are valid for 10 minutes
+        subject: email || "unknown",
+        issuer: "sigstore",
+        identity,
+        raw: rawBytes,
+    };
+}
+/**
+ * Extract identity from a signing certificate in a bundle
+ *
+ * @param bundle - The Sigstore bundle
+ * @returns The OIDC identity if it can be extracted
+ */
+export function extractIdentityFromBundle(bundle) {
+    // Parse the X.509 certificate and extract identity from SAN extension
+    const certificate = extractCertificateFromBundle(bundle);
+    return certificate?.identity;
+}
+//# sourceMappingURL=signing.js.map

package/dist/sigstore/signing.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"signing.js","sourceRoot":"","sources":["../../src/sigstore/signing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAoB,MAAM,EAAE,IAAI,EAAE,MAAM,UAAU,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC/E,OAAO,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAahD,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,iCAAiC;AACjC,MAAM,CAAC,MAAM,iBAAiB,GAAG,6BAA6B,CAAC;AAE/D,gCAAgC;AAChC,MAAM,CAAC,MAAM,gBAAgB,GAAG,4BAA4B,CAAC;AAE7D,8BAA8B;AAC9B,MAAM,CAAC,MAAM,cAAc,GAAG,gCAAgC,CAAC;AAE/D,2CAA2C;AAC3C,MAAM,CAAC,MAAM,YAAY,GAAiC;IACxD,MAAM,EAAE,6CAA6C;IACrD,MAAM,EAAE,6BAA6B;IACrC,SAAS,EAAE,mCAAmC;IAC9C,MAAM,EAAE,oBAAoB;IAC5B,MAAM,EAAE,EAAE;CACX,CAAC;AAEF,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E;;GAEG;AACH,SAAS,SAAS,CAAC,KAAa;IAC9B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC7B,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IAED,IAAI,CAAC;QACH,mEAAmE;QACnE,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACjE,MAAM,MAAM,GAAG,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAClE,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAc;IAC/C,KAAK,MAAM,CAAC,QAAQ,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QAC3D,IAAI,GAAG,IAAI,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAClC,OAAO,QAAwB,CAAC;QAClC,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAa;IAC/C,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAEhC,MAAM,MAAM,GAAG,MAAM,CAAC,GAAa,CAAC;IACpC,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAE5C,MAAM,QAAQ,GAAiB;QAC7B,QAAQ;QACR,OAAO,EAAE,MAAM,CAAC,GAAa;QAC7B,MAAM;QACN,MAAM;KACP,CAAC;IAEF,2BAA2B;IAC3B,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,QAAQ,CAAC,KAAK,GAAG,MAAM,CAAC,KAAe,CAAC;IAC1C,CAAC;IAED,iCAAiC;IACjC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,QAAQ,CAAC,kBAAkB,GAAG,MAAM,CAAC,UAAoB,CAAC;QAC5D,CAAC;QACD,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;YACf,QAAQ,CAAC,WAAW,GAAG,MAAM,CAAC,GAAa,CAAC;QAC9C,CAAC;QACD,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,QAAQ,CAAC,eAAe,GAAG,MAAM,CAAC,UAAoB,CAAC;QACzD,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,QAAsB;IAChE,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,QAAQ;YACX,uEAAuE;YACvE,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACtC,KAAK,QAAQ;YACX,OAAO,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAC7D;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,iBAAiB;IACxB,iBAAiB;IACjB,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE,CAAC;QAC3E,OAAO,IAAI,CAAC;IACd,CAAC;IACD,YAAY;IACZ,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;QACnF,OAAO,IAAI,CAAC;IACd,CAAC;IACD,kCAAkC;IAClC,IAAI,OAAO,CAAC,GAAG,CAAC,EAAE,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB;IAC/B,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,KAAK,IAAI,CAAC;AACvC,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,UAA+B,EAAE;IAEjC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAEzD,+BAA+B;IAC/B,MAAM,WAAW,GAAgB;QAC/B,SAAS,EAAE,SAAS,IAAI,iBAAiB;QACzC,QAAQ,EAAE,QAAQ,IAAI,gBAAgB;QACtC,OAAO;KACR,CAAC;IAEF,qDAAqD;IACrD,IAAI,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;QACxB,WAAW,CAAC,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;IACjD,CAAC;IACD,kEAAkE;SAC7D,IAAI,iBAAiB,EAAE,EAAE,CAAC;QAC7B,8DAA8D;IAChE,CAAC;IACD,wEAAwE;SACnE,IAAI,wBAAwB,EAAE,EAAE,CAAC;QACpC,0CAA0C;QAC1C,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,qBAAqB,EAAE,CAAC;YAC7C,WAAW,CAAC,gBAAgB,GAAG,QAAQ,CAAC;YAExC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;YACjD,MAAM,cAAc,GAAG,MAAmC,CAAC;YAC3D,MAAM,WAAW,GAAG,4BAA4B,CAAC,cAAc,CAAC,CAAC;YAEjE,MAAM,MAAM,GAAkB;gBAC5B,MAAM,EAAE,cAAc;gBACtB,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC;YAEF,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,CAAC,WAAW,GAAG,WAAW,CAAC;YACnC,CAAC;YAED,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,WAAW,EAAE,CAAC;YACrB,0DAA0D;YAC1D,MAAM,YAAY,GAAG,WAAW,YAAY,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YAC9F,MAAM,aAAa,GACjB,YAAY,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;YAE7F,IAAI,aAAa,IAAI,iBAAiB,EAAE,EAAE,CAAC;gBACzC,0BAA0B;gBAC1B,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE;oBAC5C,OAAO;oBACP,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;gBAEH,OAAO;oBACL,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,SAAS,EAAE,IAAI,IAAI,EAAE;iBACtB,CAAC;YACJ,CAAC;YAED,6EAA6E;YAC7E,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CACb,4EAA4E;oBAC1E,6DAA6D;oBAC7D,uCAAuC;oBACvC,mEAAmE,CACtE,CAAC;YACJ,CAAC;YAED,wBAAwB;YACxB,MAAM,WAAW,CAAC;QACpB,CAAC;IACH,CAAC;IACD,kCAAkC;SAC7B,CAAC;QACJ,MAAM,IAAI,KAAK,CACb,kEAAkE;YAChE,4FAA4F,CAC/F,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IAEjD,mBAAmB;IACnB,MAAM,cAAc,GAAG,MAAmC,CAAC;IAC3D,MAAM,WAAW,GAAG,4BAA4B,CAAC,cAAc,CAAC,CAAC;IAEjE,MAAM,MAAM,GAAkB;QAC5B,MAAM,EAAE,cAAc;QACtB,SAAS,EAAE,IAAI,IAAI,EAAE;KACtB,CAAC;IAEF,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,CAAC,WAAW,GAAG,WAAW,CAAC;IACnC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,WAAoC,EACpC,UAA+B,EAAE;IAEjC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAEzD,wBAAwB;IACxB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;IAEzD,iCAAiC;IACjC,MAAM,aAAa,GAAgB;QACjC,SAAS,EAAE,SAAS,IAAI,iBAAiB;QACzC,QAAQ,EAAE,QAAQ,IAAI,gBAAgB;QACtC,OAAO;KACR,CAAC;IAEF,qDAAqD;IACrD,IAAI,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;QACxB,aAAa,CAAC,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;IACnD,CAAC;IACD,kEAAkE;SAC7D,IAAI,iBAAiB,EAAE,EAAE,CAAC;QAC7B,8DAA8D;IAChE,CAAC;IACD,wEAAwE;SACnE,IAAI,wBAAwB,EAAE,EAAE,CAAC;QACpC,0CAA0C;QAC1C,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,qBAAqB,EAAE,CAAC;YAC7C,aAAa,CAAC,gBAAgB,GAAG,QAAQ,CAAC;YAE1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,EAAE,8BAA8B,EAAE,aAAa,CAAC,CAAC;YACpF,MAAM,cAAc,GAAG,MAAmC,CAAC;YAC3D,MAAM,WAAW,GAAG,4BAA4B,CAAC,cAAc,CAAC,CAAC;YAEjE,MAAM,MAAM,GAAkB;gBAC5B,MAAM,EAAE,cAAc;gBACtB,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC;YAEF,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,CAAC,WAAW,GAAG,WAAW,CAAC;YACnC,CAAC;YAED,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,WAAW,EAAE,CAAC;YACrB,0DAA0D;YAC1D,MAAM,YAAY,GAAG,WAAW,YAAY,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YAC9F,MAAM,aAAa,GACjB,YAAY,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;YAE7F,IAAI,aAAa,IAAI,iBAAiB,EAAE,EAAE,CAAC;gBACzC,0BAA0B;gBAC1B,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,WAAW,EAAE;oBACjD,OAAO;oBACP,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;gBAEH,OAAO;oBACL,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,SAAS,EAAE,IAAI,IAAI,EAAE;iBACtB,CAAC;YACJ,CAAC;YAED,6EAA6E;YAC7E,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CACb,4EAA4E;oBAC1E,6DAA6D;oBAC7D,uCAAuC;oBACvC,mEAAmE,CACtE,CAAC;YACJ,CAAC;YAED,wBAAwB;YACxB,MAAM,WAAW,CAAC;QACpB,CAAC;IACH,CAAC;IACD,kCAAkC;SAC7B,CAAC;QACJ,MAAM,IAAI,KAAK,CACb,kEAAkE;YAChE,4FAA4F,CAC/F,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,EAAE,8BAA8B,EAAE,aAAa,CAAC,CAAC;IAEpF,mBAAmB;IACnB,MAAM,cAAc,GAAG,MAAmC,CAAC;IAC3D,MAAM,WAAW,GAAG,4BAA4B,CAAC,cAAc,CAAC,CAAC;IAEjE,MAAM,MAAM,GAAkB;QAC5B,MAAM,EAAE,cAAc;QACtB,SAAS,EAAE,IAAI,IAAI,EAAE;KACtB,CAAC;IAEF,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,CAAC,WAAW,GAAG,WAAW,CAAC;IACnC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;;GAGG;AACH,SAAS,2BAA2B,CAAC,QAAgB;IACnD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC5C,8CAA8C;QAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACnE,OAAO,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,oCAAoC,CAAC,QAAgB;IAC5D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC5C,kDAAkD;QAClD,yDAAyD;QACzD,yDAAyD;QACzD,8CAA8C;QAE9C,+CAA+C;QAC/C,0GAA0G;QAC1G,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1E,IAAI,WAAW,EAAE,CAAC;YAChB,2CAA2C;YAC3C,4DAA4D;QAC9D,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,4BAA4B,CAAC,QAAgB;IACpD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC5C,uCAAuC;QACvC,MAAM,cAAc,GAAG;YACrB,iCAAiC;YACjC,qCAAqC;YACrC,kDAAkD;YAClD,uBAAuB;YACvB,sDAAsD;SACvD,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;YACrC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACrC,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,4BAA4B,CAC1C,MAAsB;IAEtB,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC;QACxD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,WAAW,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAEzF,4CAA4C;IAC5C,MAAM,KAAK,GAAG,2BAA2B,CAAC,QAAQ,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,4BAA4B,CAAC,QAAQ,CAAC,CAAC;IAEtD,mDAAmD;IACnD,MAAM,QAAQ,GAAG,oCAAoC,CAAC,QAAQ,CAAC,CAAC;IAEhE,iFAAiF;IACjF,MAAM,GAAG,GAAG,gCAAgC,QAAQ;SACjD,QAAQ,CAAC,QAAQ,CAAC;SAClB,KAAK,CAAC,UAAU,CAAC;QAClB,EAAE,IAAI,CAAC,IAAI,CAAC,6BAA6B,CAAC;IAE5C,yDAAyD;IACzD,MAAM,QAAQ,GAAiB;QAC7B,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC;YAClC,CAAC,CAAC,QAAQ;YACV,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC;gBAC1B,CAAC,CAAC,QAAQ;gBACV,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC;oBAC1B,CAAC,CAAC,QAAQ;oBACV,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,WAAW,CAAC;wBAC7B,CAAC,CAAC,WAAW;wBACb,CAAC,CAAC,QAAQ;QAClB,OAAO,EAAE,KAAK,IAAI,SAAS;QAC3B,MAAM,EAAE,MAAM,IAAI,6BAA6B;KAChD,CAAC;IACF,IAAI,KAAK,EAAE,CAAC;QACV,QAAQ,CAAC,KAAK,GAAG,KAAK,CAAC;IACzB,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,QAAQ,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC/B,CAAC;IAED,OAAO;QACL,gBAAgB,EAAE,CAAC,GAAG,CAAC;QACvB,YAAY,EAAE,SAAS,EAAE,2BAA2B;QACpD,SAAS,EAAE,IAAI,IAAI,EAAE;QACrB,QAAQ,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,wCAAwC;QACzF,OAAO,EAAE,KAAK,IAAI,SAAS;QAC3B,MAAM,EAAE,UAAU;QAClB,QAAQ;QACR,GAAG,EAAE,QAAQ;KACd,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,yBAAyB,CAAC,MAAsB;IAC9D,sEAAsE;IACtE,MAAM,WAAW,GAAG,4BAA4B,CAAC,MAAM,CAAC,CAAC;IACzD,OAAO,WAAW,EAAE,QAAQ,CAAC;AAC/B,CAAC"}