@fuzdev/fuz_app 0.1.0

package/dist/testing/app_server.js

@@ -0,0 +1,240 @@
+import './assert_dev_env.js';
+import { z } from 'zod';
+import { Logger } from '@fuzdev/fuz_util/log.js';
+import { ROLE_KEEPER } from '../auth/role_schema.js';
+import { create_validated_keyring } from '../auth/keyring.js';
+import { generate_api_token } from '../auth/api_token.js';
+import { query_create_account_with_actor } from '../auth/account_queries.js';
+import { query_grant_permit } from '../auth/permit_queries.js';
+import { generate_session_token, hash_session_token, AUTH_SESSION_LIFETIME_MS, query_create_session, } from '../auth/session_queries.js';
+import { query_create_api_token } from '../auth/api_token_queries.js';
+import { create_session_cookie_value } from '../auth/session_cookie.js';
+import { run_migrations } from '../db/migrate.js';
+import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { create_app_server, } from '../server/app_server.js';
+import { create_pglite_factory } from './db.js';
+/* eslint-disable @typescript-eslint/require-await */
+/**
+ * Fast password stub for tests that don't exercise login/password flows.
+ *
+ * Hashes are deterministic (`stub_hash_<password>`) and verify correctly,
+ * so auth bootstrap and session creation work without Argon2 overhead.
+ */
+export const stub_password_deps = {
+    hash_password: async (p) => `stub_hash_${p}`,
+    verify_password: async (p, h) => h === `stub_hash_${p}`,
+    verify_dummy: async () => false,
+};
+/** 64-hex-char test cookie secret — deterministic, never used in production. */
+export const TEST_COOKIE_SECRET = 'a'.repeat(64);
+// Module-level PGlite factory for create_test_app_server when no db is provided.
+// Shares the WASM instance cache from test_db.ts, avoiding redundant cold starts
+// within the same vitest worker thread. Schema is reset on each create() call.
+const fallback_pglite_factory = create_pglite_factory(async (db) => {
+    await run_migrations(db, [AUTH_MIGRATION_NS]);
+});
+/**
+ * Bootstrap a test account with credentials.
+ *
+ * Creates an account with actor, grants roles, creates an API token,
+ * creates a session, and signs a session cookie. Shared by
+ * `create_test_app_server` and `TestApp.create_account`.
+ */
+export const bootstrap_test_account = async (options) => {
+    const { db, keyring, session_options, password, username = 'keeper', password_value = 'test-password-123', roles = [], } = options;
+    const deps = { db };
+    const password_hash = await password.hash_password(password_value);
+    const { account, actor } = await query_create_account_with_actor(deps, {
+        username,
+        password_hash,
+    });
+    // Grant roles
+    for (const role of roles) {
+        await query_grant_permit(deps, { actor_id: actor.id, role, granted_by: null }); // eslint-disable-line no-await-in-loop
+    }
+    // Create API token
+    const { token: api_token, id: token_id, token_hash } = generate_api_token();
+    await query_create_api_token(deps, token_id, account.id, 'test-cli', token_hash);
+    // Create session + cookie
+    const session_token = generate_session_token();
+    const session_hash = hash_session_token(session_token);
+    const expires_at = new Date(Date.now() + AUTH_SESSION_LIFETIME_MS);
+    await query_create_session(deps, session_hash, account.id, expires_at);
+    const session_cookie = await create_session_cookie_value(keyring, session_token, session_options);
+    return {
+        account: { id: account.id, username: account.username },
+        actor: { id: actor.id },
+        api_token,
+        session_cookie,
+    };
+};
+/**
+ * Create an app server with a bootstrapped account for testing.
+ *
+ * Sets up:
+ * - Auth tables (via cached PGlite factory, or reuses existing `db`)
+ * - A keeper account with hashed password
+ * - Role permits for each role in `options.roles`
+ * - An API token for Bearer auth
+ * - A session with a signed cookie value
+ *
+ * Uses `stub_password_deps` by default — deterministic hashing that works
+ * correctly for login/logout tests without Argon2 overhead.
+ *
+ * @param options - session options and optional overrides
+ * @returns a `TestAppServer` ready for HTTP testing
+ */
+/** Silent logger for tests — suppresses all output. */
+const test_log = new Logger('test', { level: 'off' });
+export const create_test_app_server = async (options) => {
+    const { session_options, db: existing_db, db_type = 'pglite-memory', password = stub_password_deps, username = 'keeper', password_value = 'test-password-123', roles = [ROLE_KEEPER], } = options;
+    // Keyring from test secret
+    const keyring_result = create_validated_keyring(TEST_COOKIE_SECRET);
+    if (!keyring_result.ok) {
+        throw new Error(`Test keyring failed: ${keyring_result.errors.join(', ')}`);
+    }
+    const fs_stubs = {
+        stat: async () => null,
+        read_file: async () => '',
+        delete_file: async (_path) => { }, // eslint-disable-line @typescript-eslint/no-empty-function
+    };
+    let backend;
+    if (existing_db) {
+        // Reset singleton config rows that may retain state from a previous test.
+        // Harmless for fresh pglite (these are already at defaults).
+        await existing_db.query('UPDATE bootstrap_lock SET bootstrapped = false WHERE bootstrapped = true');
+        await existing_db.query('UPDATE app_settings SET open_signup = false, updated_at = NULL, updated_by = NULL WHERE open_signup = true OR updated_at IS NOT NULL');
+        // Use the caller's database — tables already created by the factory's init_schema.
+        // Caller owns the DB lifecycle — close is a no-op.
+        backend = {
+            db_type,
+            db_name: 'test',
+            migration_results: [], // migrations ran in the factory's init_schema, results not captured
+            close: async () => { }, // eslint-disable-line @typescript-eslint/no-empty-function
+            deps: {
+                keyring: keyring_result.keyring,
+                password,
+                db: existing_db,
+                log: test_log,
+                on_audit_event: () => { }, // eslint-disable-line @typescript-eslint/no-empty-function
+                ...fs_stubs,
+            },
+        };
+    }
+    else {
+        // In-memory PGlite via cached factory — reuses the WASM instance from test_db.ts
+        // instead of creating a new PGlite each time. Schema is reset and migrations re-run
+        // on each call, but the expensive WASM cold start only happens once per worker thread.
+        const db = await fallback_pglite_factory.create();
+        backend = {
+            db_type: 'pglite-memory',
+            db_name: '(memory)',
+            migration_results: [],
+            close: async () => { }, // eslint-disable-line @typescript-eslint/no-empty-function
+            deps: {
+                keyring: keyring_result.keyring,
+                password,
+                db,
+                log: test_log,
+                on_audit_event: () => { }, // eslint-disable-line @typescript-eslint/no-empty-function
+                ...fs_stubs,
+            },
+        };
+    }
+    const bootstrapped = await bootstrap_test_account({
+        db: backend.deps.db,
+        keyring: keyring_result.keyring,
+        session_options,
+        password,
+        username,
+        password_value,
+        roles,
+    });
+    return {
+        ...backend,
+        ...bootstrapped,
+        keyring: keyring_result.keyring,
+        cleanup: () => backend.close(),
+    };
+};
+/**
+ * Create a fully assembled test app with a Hono server, middleware, and routes.
+ *
+ * Combines `create_test_app_server` + `create_app_server` into a single call.
+ * Disables rate limiters and logging by default (test-friendly).
+ *
+ * A fresh Hono app is created each call — middleware closures bind to the
+ * server's deps (db, keyring), so reuse across servers is unsafe.
+ * The expensive resource (PGlite WASM) is cached separately in `test_db.ts`.
+ *
+ * @param options - test app configuration
+ * @returns a `TestApp` ready for HTTP testing
+ */
+export const create_test_app = async (options) => {
+    const test_server = await create_test_app_server(options);
+    const result = await create_app_server({
+        backend: test_server,
+        session_options: options.session_options,
+        allowed_origins: [/^http:\/\/localhost/],
+        proxy: { trusted_proxies: ['127.0.0.1'], get_connection_ip: () => '127.0.0.1' },
+        env_schema: z.object({}),
+        ip_rate_limiter: null,
+        login_account_rate_limiter: null,
+        signup_account_rate_limiter: null,
+        bearer_ip_rate_limiter: null,
+        await_pending_effects: true,
+        ...options.app_options,
+        create_route_specs: options.create_route_specs,
+    });
+    const { app, surface_spec } = result;
+    const { cookie_name } = options.session_options;
+    const { password = stub_password_deps } = options;
+    const create_session_headers = (extra) => ({
+        host: 'localhost',
+        origin: 'http://localhost:5173',
+        cookie: `${cookie_name}=${test_server.session_cookie}`,
+        ...extra,
+    });
+    const create_bearer_headers = (extra) => ({
+        host: 'localhost',
+        authorization: `Bearer ${test_server.api_token}`,
+        ...extra,
+    });
+    let account_counter = 0;
+    const create_account = async (account_options) => {
+        account_counter++;
+        const bootstrapped = await bootstrap_test_account({
+            db: test_server.deps.db,
+            keyring: test_server.keyring,
+            session_options: options.session_options,
+            password,
+            username: account_options?.username ?? `test_user_${account_counter}`,
+            password_value: account_options?.password_value ?? 'test-password-123',
+            roles: account_options?.roles ?? [],
+        });
+        return {
+            ...bootstrapped,
+            create_session_headers: (extra) => ({
+                host: 'localhost',
+                origin: 'http://localhost:5173',
+                cookie: `${cookie_name}=${bootstrapped.session_cookie}`,
+                ...extra,
+            }),
+            create_bearer_headers: (extra) => ({
+                host: 'localhost',
+                authorization: `Bearer ${bootstrapped.api_token}`,
+                ...extra,
+            }),
+        };
+    };
+    return {
+        app,
+        backend: test_server,
+        surface: surface_spec.surface,
+        route_specs: surface_spec.route_specs,
+        create_session_headers,
+        create_bearer_headers,
+        create_account,
+        cleanup: () => test_server.cleanup(),
+    };
+};

package/dist/testing/assert_dev_env.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Asserts that testing utilities are only imported in development environments.
+ *
+ * Each testing module imports this as a side effect to prevent accidental
+ * inclusion in production bundles. Uses `esm-env` which is set correctly
+ * by SvelteKit and Vite build tools — `DEV` is `true` during development
+ * and testing, `false` in production builds.
+ */
+export {};
+//# sourceMappingURL=assert_dev_env.d.ts.map

package/dist/testing/assert_dev_env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"assert_dev_env.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/assert_dev_env.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG"}

package/dist/testing/assert_dev_env.js

@@ -0,0 +1,13 @@
+/**
+ * Asserts that testing utilities are only imported in development environments.
+ *
+ * Each testing module imports this as a side effect to prevent accidental
+ * inclusion in production bundles. Uses `esm-env` which is set correctly
+ * by SvelteKit and Vite build tools — `DEV` is `true` during development
+ * and testing, `false` in production builds.
+ */
+import { DEV } from 'esm-env';
+if (!DEV) {
+    throw new Error('fuz_app testing utilities must not be imported in production. ' +
+        'These modules are intended for use in test files only.');
+}

package/dist/testing/assertions.d.ts

@@ -0,0 +1,61 @@
+import './assert_dev_env.js';
+import type { z } from 'zod';
+import type { AppSurface, AppSurfaceRoute } from '../http/surface.js';
+import type { RouteErrorSchemas } from '../http/error_schemas.js';
+/**
+ * Resolve an absolute path relative to the caller's module.
+ *
+ * @param filename - the filename to resolve
+ * @param import_meta_url - the caller's `import.meta.url`
+ * @returns absolute path
+ */
+export declare const resolve_fixture_path: (filename: string, import_meta_url: string) => string;
+/**
+ * Compare live surface against a committed snapshot JSON file.
+ *
+ * @param surface - the live surface to check
+ * @param snapshot_path - absolute path to the committed JSON snapshot
+ */
+export declare const assert_surface_matches_snapshot: (surface: AppSurface, snapshot_path: string) => void;
+/**
+ * Verify surface generation is deterministic (build twice, compare).
+ *
+ * @param build_surface - function that builds the surface
+ */
+export declare const assert_surface_deterministic: (build_surface: () => AppSurface) => void;
+/**
+ * Bidirectional check: no unexpected public routes, no missing expected ones.
+ *
+ * @param surface - the app surface to check
+ * @param expected_public - format: `['GET /health', 'POST /api/account/login']`
+ */
+export declare const assert_only_expected_public_routes: (surface: AppSurface, expected_public: Array<string>) => void;
+/**
+ * Verify every route under a path prefix has the exact expected middleware stack.
+ *
+ * @param surface - the app surface to check
+ * @param path_prefix - prefix to filter routes (e.g. `'/api/'`)
+ * @param expected_middleware - the exact middleware names in order
+ */
+/**
+ * Look up the merged error schema for a route+status from a pre-built schema lookup.
+ *
+ * @param lookup - map from `"METHOD /path"` to merged error schemas
+ * @param route - the surface route to look up
+ * @param status - HTTP status code
+ */
+export declare const get_route_error_schema: (lookup: Map<string, RouteErrorSchemas>, route: AppSurfaceRoute, status: number) => z.ZodType | undefined;
+/**
+ * Assert that an error schema exists for a route+status and validate the body against it.
+ *
+ * Protected routes should always have auto-derived error schemas (401 for authenticated,
+ * 403 for role-restricted). A missing schema indicates a gap in error schema derivation.
+ *
+ * @param lookup - map from `"METHOD /path"` to merged error schemas
+ * @param route - the surface route to validate against
+ * @param status - expected HTTP status code
+ * @param body - the parsed response body to validate
+ */
+export declare const assert_error_schema_valid: (lookup: Map<string, RouteErrorSchemas>, route: AppSurfaceRoute, status: number, body: unknown) => void;
+export declare const assert_full_middleware_stack: (surface: AppSurface, path_prefix: string, expected_middleware: Array<string>) => void;
+//# sourceMappingURL=assertions.d.ts.map

package/dist/testing/assertions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"assertions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/assertions.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAe7B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAE3B,OAAO,KAAK,EAAC,UAAU,EAAE,eAAe,EAAC,MAAM,oBAAoB,CAAC;AACpE,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,0BAA0B,CAAC;AAEhE;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,GAAI,UAAU,MAAM,EAAE,iBAAiB,MAAM,KAAG,MACtB,CAAC;AAE5D;;;;;GAKG;AACH,eAAO,MAAM,+BAA+B,GAC3C,SAAS,UAAU,EACnB,eAAe,MAAM,KACnB,IAOF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,4BAA4B,GAAI,eAAe,MAAM,UAAU,KAAG,IAE9E,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,kCAAkC,GAC9C,SAAS,UAAU,EACnB,iBAAiB,KAAK,CAAC,MAAM,CAAC,KAC5B,IAWF,CAAC;AAEF;;;;;;GAMG;AACH;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,GAClC,QAAQ,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,EACtC,OAAO,eAAe,EACtB,QAAQ,MAAM,KACZ,CAAC,CAAC,OAAO,GAAG,SAGd,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,GACrC,QAAQ,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,EACtC,OAAO,eAAe,EACtB,QAAQ,MAAM,EACd,MAAM,OAAO,KACX,IAIF,CAAC;AAEF,eAAO,MAAM,4BAA4B,GACxC,SAAS,UAAU,EACnB,aAAa,MAAM,EACnB,qBAAqB,KAAK,CAAC,MAAM,CAAC,KAChC,IAUF,CAAC"}

package/dist/testing/assertions.js

@@ -0,0 +1,96 @@
+import './assert_dev_env.js';
+/**
+ * Assertion helpers for auth attack surface testing.
+ *
+ * Plain functions called inside explicit `test()` blocks to verify
+ * surface snapshots, public routes, and middleware stacks.
+ *
+ * @module
+ */
+import { readFileSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { assert } from 'vitest';
+/**
+ * Resolve an absolute path relative to the caller's module.
+ *
+ * @param filename - the filename to resolve
+ * @param import_meta_url - the caller's `import.meta.url`
+ * @returns absolute path
+ */
+export const resolve_fixture_path = (filename, import_meta_url) => resolve(dirname(fileURLToPath(import_meta_url)), filename);
+/**
+ * Compare live surface against a committed snapshot JSON file.
+ *
+ * @param surface - the live surface to check
+ * @param snapshot_path - absolute path to the committed JSON snapshot
+ */
+export const assert_surface_matches_snapshot = (surface, snapshot_path) => {
+    const committed = JSON.parse(readFileSync(snapshot_path, 'utf-8'));
+    assert.deepStrictEqual(surface, committed, 'Attack surface changed! Run `gro gen` to update the snapshot, then review the diff.');
+};
+/**
+ * Verify surface generation is deterministic (build twice, compare).
+ *
+ * @param build_surface - function that builds the surface
+ */
+export const assert_surface_deterministic = (build_surface) => {
+    assert.deepStrictEqual(build_surface(), build_surface());
+};
+/**
+ * Bidirectional check: no unexpected public routes, no missing expected ones.
+ *
+ * @param surface - the app surface to check
+ * @param expected_public - format: `['GET /health', 'POST /api/account/login']`
+ */
+export const assert_only_expected_public_routes = (surface, expected_public) => {
+    const expected = new Set(expected_public);
+    const actual_public = surface.routes
+        .filter((r) => r.auth.type === 'none')
+        .map((r) => `${r.method} ${r.path}`);
+    const unexpected = actual_public.filter((r) => !expected.has(r));
+    const missing = expected_public.filter((r) => !actual_public.includes(r));
+    assert.strictEqual(unexpected.length, 0, `Unexpected public routes: ${unexpected.join(', ')}`);
+    assert.strictEqual(missing.length, 0, `Expected public routes missing: ${missing.join(', ')}`);
+};
+/**
+ * Verify every route under a path prefix has the exact expected middleware stack.
+ *
+ * @param surface - the app surface to check
+ * @param path_prefix - prefix to filter routes (e.g. `'/api/'`)
+ * @param expected_middleware - the exact middleware names in order
+ */
+/**
+ * Look up the merged error schema for a route+status from a pre-built schema lookup.
+ *
+ * @param lookup - map from `"METHOD /path"` to merged error schemas
+ * @param route - the surface route to look up
+ * @param status - HTTP status code
+ */
+export const get_route_error_schema = (lookup, route, status) => {
+    const key = `${route.method} ${route.path}`;
+    return lookup.get(key)?.[status];
+};
+/**
+ * Assert that an error schema exists for a route+status and validate the body against it.
+ *
+ * Protected routes should always have auto-derived error schemas (401 for authenticated,
+ * 403 for role-restricted). A missing schema indicates a gap in error schema derivation.
+ *
+ * @param lookup - map from `"METHOD /path"` to merged error schemas
+ * @param route - the surface route to validate against
+ * @param status - expected HTTP status code
+ * @param body - the parsed response body to validate
+ */
+export const assert_error_schema_valid = (lookup, route, status, body) => {
+    const schema = get_route_error_schema(lookup, route, status);
+    assert.ok(schema, `missing error schema for ${status} on ${route.method} ${route.path}`);
+    schema.parse(body);
+};
+export const assert_full_middleware_stack = (surface, path_prefix, expected_middleware) => {
+    const routes = surface.routes.filter((r) => r.path.startsWith(path_prefix));
+    assert.ok(routes.length > 0, `No routes found under ${path_prefix}`);
+    for (const route of routes) {
+        assert.deepStrictEqual(route.applicable_middleware, expected_middleware, `${route.method} ${route.path} has wrong middleware stack`);
+    }
+};

package/dist/testing/attack_surface.d.ts

@@ -0,0 +1,63 @@
+import './assert_dev_env.js';
+import { type SurfaceSecurityPolicyOptions, type ErrorSchemaTightnessOptions } from './surface_invariants.js';
+import { type AppSurfaceSpec } from '../http/surface.js';
+/** Options for adversarial test runners (auth enforcement and input validation). */
+export interface AdversarialTestOptions {
+    /** Build the app surface bundle (surface + route specs + middleware specs). */
+    build: () => AppSurfaceSpec;
+    /** All roles in the app (e.g. `['admin', 'keeper']`). */
+    roles: Array<string>;
+}
+/**
+ * Generate adversarial HTTP auth enforcement test suites.
+ *
+ * Describe blocks:
+ * - unauthenticated → 401 — every protected route
+ * - wrong role → 403 — every role route, tested with all non-matching roles
+ * - authenticated without role → 403 — every role route, no-role context
+ * - correct auth passes guard — every protected route, assert not 401/403
+ *
+ * @param options - the test configuration
+ */
+export declare const describe_adversarial_auth: (options: AdversarialTestOptions) => void;
+/** Options for the standard attack surface test suite. */
+export interface StandardAttackSurfaceOptions {
+    /** Build the app surface bundle (surface + route specs + middleware specs). */
+    build: () => AppSurfaceSpec;
+    /** Absolute path to the committed snapshot JSON file. */
+    snapshot_path: string;
+    /** Expected public routes, e.g. `['GET /health', 'POST /api/account/login']`. */
+    expected_public_routes: Array<string>;
+    /** Expected middleware names for API routes, e.g. `['origin', 'session', 'request_context', 'bearer_auth']`. */
+    expected_api_middleware: Array<string>;
+    /** All roles in the app (e.g. `['admin', 'keeper']`). */
+    roles: Array<string>;
+    /** Path prefix for middleware stack assertion. Default `'/api/'`. */
+    api_path_prefix?: string;
+    /** Security policy configuration. Omit for sensible defaults. */
+    security_policy?: SurfaceSecurityPolicyOptions;
+    /** Error schema tightness assertion. Omit for informational-only behavior. */
+    error_schema_tightness?: ErrorSchemaTightnessOptions;
+}
+/**
+ * Run the standard attack surface test suite.
+ *
+ * Generates 10 test groups:
+ * 1. Snapshot — live surface matches committed JSON
+ * 2. Determinism — building twice yields identical results
+ * 3. Public routes — bidirectional check (no unexpected, no missing)
+ * 4. Middleware stack — every API route has the full middleware chain
+ * 5. Surface invariants — structural assertions (error schemas, descriptions, duplicates, consistency)
+ * 6. Security policy — rate limiting on sensitive routes, no unexpected public mutations, method conventions
+ * 7. Error schema tightness audit — informational log of generic vs specific error schemas
+ * 8. Adversarial auth — unauthenticated/wrong-role/correct-auth enforcement
+ * 9. Adversarial input — input body and params validation
+ * 10. Adversarial 404 — stub 404 handlers, validate response bodies against declared schemas
+ *
+ * Consumer test files call this with project-specific options, then add
+ * any project-specific assertions in additional `describe` blocks.
+ *
+ * @param options - the test configuration
+ */
+export declare const describe_standard_attack_surface_tests: (options: StandardAttackSurfaceOptions) => void;
+//# sourceMappingURL=attack_surface.d.ts.map

package/dist/testing/attack_surface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"attack_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/attack_surface.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAoB7B,OAAO,EAKN,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,MAAM,yBAAyB,CAAC;AAoBjC,OAAO,EAA4B,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AAsClF,oFAAoF;AACpF,MAAM,WAAW,sBAAsB;IACtC,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACrB;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,sBAAsB,KAAG,IAkH3E,CAAC;AAIF,0DAA0D;AAC1D,MAAM,WAAW,4BAA4B;IAC5C,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,aAAa,EAAE,MAAM,CAAC;IACtB,iFAAiF;IACjF,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtC,gHAAgH;IAChH,uBAAuB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,iEAAiE;IACjE,eAAe,CAAC,EAAE,4BAA4B,CAAC;IAC/C,8EAA8E;IAC9E,sBAAsB,CAAC,EAAE,2BAA2B,CAAC;CACrD;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,sCAAsC,GAClD,SAAS,4BAA4B,KACnC,IAoEF,CAAC"}