npm - @genation/sdk - Versions diffs - 0.2.10 → 0.2.11 - Mend

@genation/sdk 0.2.10 → 0.2.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/genation.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"genation.cjs.js","sources":["../src/http/errors.ts","../src/http/client.ts","../src/auth/pkce.ts","../src/auth/token-manager.ts","../src/auth/oauth.ts","../node_modules/jose/dist/webapi/lib/buffer_utils.js","../node_modules/jose/dist/webapi/lib/base64.js","../node_modules/jose/dist/webapi/util/base64url.js","../node_modules/jose/dist/webapi/util/errors.js","../node_modules/jose/dist/webapi/lib/crypto_key.js","../node_modules/jose/dist/webapi/lib/invalid_key_input.js","../node_modules/jose/dist/webapi/lib/is_key_like.js","../node_modules/jose/dist/webapi/lib/is_disjoint.js","../node_modules/jose/dist/webapi/lib/is_object.js","../node_modules/jose/dist/webapi/lib/check_key_length.js","../node_modules/jose/dist/webapi/lib/jwk_to_key.js","../node_modules/jose/dist/webapi/key/import.js","../node_modules/jose/dist/webapi/lib/validate_crit.js","../node_modules/jose/dist/webapi/lib/is_jwk.js","../node_modules/jose/dist/webapi/lib/normalize_key.js","../node_modules/jose/dist/webapi/lib/check_key_type.js","../node_modules/jose/dist/webapi/lib/subtle_dsa.js","../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js","../node_modules/jose/dist/webapi/lib/verify.js","../node_modules/jose/dist/webapi/jws/flattened/verify.js","../node_modules/jose/dist/webapi/jws/compact/verify.js","../node_modules/jose/dist/webapi/lib/jwt_claims_set.js","../node_modules/jose/dist/webapi/jwt/verify.js","../node_modules/jose/dist/webapi/jwks/local.js","../node_modules/jose/dist/webapi/jwks/remote.js","../src/auth/verifier.ts","../src/storage/memory.ts","../src/storage/local-storage.ts","../src/storage/session-storage.ts","../src/storage/index.ts","../src/utils/converter.ts","../src/client.ts"],"sourcesContent":["/*\r\n Base error class for Genation SDK\r\n /\r\nexport class GenationError extends Error {\r\n public code: string;\r\n public cause?: unknown;\r\n\r\n constructor(message: string, code: string, cause?: unknown) {\r\n super(message);\r\n this.name = \"GenationError\";\r\n this.code = code;\r\n this.cause = cause;\r\n }\r\n}\r\n\r\n/\r\n Authentication-related errors\r\n /\r\nexport class AuthError extends GenationError {\r\n constructor(message: string, code: string, cause?: unknown) {\r\n super(message, code, cause);\r\n this.name = \"AuthError\";\r\n }\r\n\r\n static invalidGrant(\r\n message = \"Invalid authorization code or refresh token\",\r\n ) {\r\n return new AuthError(message, \"invalid_grant\");\r\n }\r\n\r\n static accessDenied(message = \"User denied access\") {\r\n return new AuthError(message, \"access_denied\");\r\n }\r\n\r\n static expiredToken(message = \"Token has expired\") {\r\n return new AuthError(message, \"expired_token\");\r\n }\r\n\r\n static invalidState(message = \"State mismatch, possible CSRF attack\") {\r\n return new AuthError(message, \"invalid_state\");\r\n }\r\n\r\n static pkceVerificationFailed(message = \"PKCE verification failed\") {\r\n return new AuthError(message, \"pkce_verification_failed\");\r\n }\r\n}\r\n\r\n/\r\n Network-related errors\r\n /\r\nexport class NetworkError extends GenationError {\r\n public status?: number;\r\n\r\n constructor(message: string, status?: number, cause?: unknown) {\r\n super(message, \"network_error\", cause);\r\n this.name = \"NetworkError\";\r\n this.status = status;\r\n }\r\n\r\n static fromResponse(response: Response) {\r\n return new NetworkError(\r\n `HTTP ${response.status}: ${response.statusText}`,\r\n response.status,\r\n );\r\n }\r\n}\r\n\r\n/\r\n Configuration-related errors\r\n /\r\nexport class ConfigError extends GenationError {\r\n constructor(message: string) {\r\n super(message, \"config_error\");\r\n this.name = \"ConfigError\";\r\n }\r\n\r\n static missingField(field: string) {\r\n return new ConfigError(`Missing required config field: ${field}`);\r\n }\r\n}\r\n","import { NetworkError } from \"./errors\";\r\n\r\nexport interface HttpClientConfig {\r\n baseUrl: string;\r\n timeout?: number;\r\n}\r\n\r\nexport interface RequestOptions {\r\n method?: \"GET\" \| \"POST\" \| \"PUT\" \| \"DELETE\";\r\n headers?: Record<string, string>;\r\n body?: unknown;\r\n params?: Record<string, string>;\r\n}\r\n\r\n/\r\n Simple HTTP client wrapper around fetch\r\n /\r\nexport class HttpClient {\r\n private baseUrl: string;\r\n private timeout: number;\r\n\r\n constructor(config: HttpClientConfig) {\r\n this.baseUrl = config.baseUrl.replace(/\\/$/, \"\");\r\n this.timeout = config.timeout ?? 30000;\r\n }\r\n\r\n /\r\n Make an HTTP request\r\n /\r\n async request<T>(\r\n endpoint: string,\r\n options: RequestOptions = {},\r\n ): Promise<T> {\r\n const { method = \"GET\", headers = {}, body, params } = options;\r\n\r\n // Build URL with query params\r\n let url = `${this.baseUrl}${endpoint}`;\r\n if (params) {\r\n const searchParams = new URLSearchParams(params);\r\n url += `?${searchParams.toString()}`;\r\n }\r\n\r\n // Setup abort controller for timeout\r\n const controller = new AbortController();\r\n const timeoutId = setTimeout(() => controller.abort(), this.timeout);\r\n\r\n try {\r\n const response = await fetch(url, {\r\n method,\r\n headers: {\r\n \"Content-Type\": \"application/json\",\r\n ...headers,\r\n },\r\n body: body ? JSON.stringify(body) : undefined,\r\n signal: controller.signal,\r\n });\r\n\r\n clearTimeout(timeoutId);\r\n\r\n if (!response.ok) {\r\n throw NetworkError.fromResponse(response);\r\n }\r\n\r\n return await response.json();\r\n } catch (error) {\r\n clearTimeout(timeoutId);\r\n\r\n if (error instanceof NetworkError) {\r\n throw error;\r\n }\r\n\r\n if (error instanceof Error && error.name === \"AbortError\") {\r\n throw new NetworkError(\"Request timeout\", undefined, error);\r\n }\r\n\r\n throw new NetworkError(\"Network request failed\", undefined, error);\r\n }\r\n }\r\n\r\n /\r\n POST request with form data (for OAuth token exchange)\r\n /\r\n async postForm<T>(\r\n endpoint: string,\r\n data: Record<string, string>,\r\n headers: Record<string, string> = {},\r\n ): Promise<T> {\r\n const url = `${this.baseUrl}${endpoint}`;\r\n const controller = new AbortController();\r\n const timeoutId = setTimeout(() => controller.abort(), this.timeout);\r\n\r\n try {\r\n const response = await fetch(url, {\r\n method: \"POST\",\r\n headers: {\r\n \"Content-Type\": \"application/x-www-form-urlencoded\",\r\n ...headers,\r\n },\r\n body: new URLSearchParams(data).toString(),\r\n signal: controller.signal,\r\n });\r\n\r\n clearTimeout(timeoutId);\r\n\r\n if (!response.ok) {\r\n throw NetworkError.fromResponse(response);\r\n }\r\n\r\n return await response.json();\r\n } catch (error) {\r\n clearTimeout(timeoutId);\r\n\r\n if (error instanceof NetworkError) {\r\n throw error;\r\n }\r\n\r\n throw new NetworkError(\"Network request failed\", undefined, error);\r\n }\r\n }\r\n}\r\n\r\nexport { AuthError, ConfigError, GenationError, NetworkError } from \"./errors\";\r\n","import type { PKCEChallenge } from \"../types\";\r\n\r\n/\r\n Base64URL encode a buffer (matches Supabase implementation)\r\n /\r\nfunction base64URLEncode(buffer: Uint8Array): string {\r\n return btoa(String.fromCharCode(...buffer))\r\n .replace(/\\+/g, \"-\")\r\n .replace(/\\//g, \"_\")\r\n .replace(/=/g, \"\");\r\n}\r\n\r\n/\r\n Generate a random code verifier (43-128 characters)\r\n * Matches Supabase implementation\r\n /\r\nfunction generateCodeVerifier(): string {\r\n const array = new Uint8Array(32);\r\n crypto.getRandomValues(array);\r\n return base64URLEncode(array);\r\n}\r\n\r\n/\r\n Create code challenge from verifier using SHA-256\r\n * Matches Supabase implementation\r\n /\r\nasync function generateCodeChallenge(verifier: string): Promise<string> {\r\n const encoder = new TextEncoder();\r\n const data = encoder.encode(verifier);\r\n const hash = await crypto.subtle.digest(\"SHA-256\", data);\r\n return base64URLEncode(new Uint8Array(hash));\r\n}\r\n\r\n/\r\n Generate PKCE code verifier and challenge pair\r\n * Uses S256 method as required by OAuth 2.1\r\n /\r\nexport async function generatePKCE(): Promise<PKCEChallenge> {\r\n const codeVerifier = generateCodeVerifier();\r\n const codeChallenge = await generateCodeChallenge(codeVerifier);\r\n\r\n return {\r\n codeVerifier,\r\n codeChallenge,\r\n codeChallengeMethod: \"S256\",\r\n };\r\n}\r\n\r\n/\r\n Generate random state parameter for CSRF protection\r\n /\r\nexport function generateState(): string {\r\n const array = new Uint8Array(16);\r\n crypto.getRandomValues(array);\r\n return base64URLEncode(array);\r\n}\r\n","import type { TokenSet, TokenStorage } from \"../types\";\r\n\r\nconst TOKEN_KEY = \"tokens\";\r\nconst PKCE_KEY = \"pkce\";\r\nconst STATE_KEY = \"state\";\r\n\r\n/\r\n Manages token lifecycle: storage, retrieval, refresh\r\n /\r\nexport class TokenManager {\r\n private storage: TokenStorage;\r\n\r\n constructor(storage: TokenStorage) {\r\n this.storage = storage;\r\n }\r\n\r\n /\r\n Store token set\r\n /\r\n async setTokens(tokens: TokenSet): Promise<void> {\r\n await this.storage.set(TOKEN_KEY, JSON.stringify(tokens));\r\n }\r\n\r\n /\r\n Get stored tokens\r\n /\r\n async getTokens(): Promise<TokenSet \| null> {\r\n const data = await this.storage.get(TOKEN_KEY);\r\n if (!data) return null;\r\n\r\n try {\r\n return JSON.parse(data) as TokenSet;\r\n } catch {\r\n return null;\r\n }\r\n }\r\n\r\n /\r\n Clear stored tokens\r\n /\r\n async clearTokens(): Promise<void> {\r\n await this.storage.remove(TOKEN_KEY);\r\n }\r\n\r\n /\r\n Check if access token is expired\r\n /\r\n async isTokenExpired(): Promise<boolean> {\r\n const tokens = await this.getTokens();\r\n if (!tokens) return true;\r\n\r\n const expiresAt = tokens.issuedAt + tokens.expiresIn 1000;\r\n // Consider expired if less than 60 seconds remaining\r\n return Date.now() > expiresAt - 60000;\r\n }\r\n\r\n /*\r\n Store PKCE verifier for later validation\r\n /\r\n async setPKCE(codeVerifier: string): Promise<void> {\r\n await this.storage.set(PKCE_KEY, codeVerifier);\r\n }\r\n\r\n /\r\n Get and clear stored PKCE verifier\r\n /\r\n async consumePKCE(): Promise<string \| null> {\r\n const verifier = await this.storage.get(PKCE_KEY);\r\n if (verifier) {\r\n await this.storage.remove(PKCE_KEY);\r\n }\r\n return verifier;\r\n }\r\n\r\n /\r\n Store state for CSRF validation\r\n /\r\n async setState(state: string): Promise<void> {\r\n await this.storage.set(STATE_KEY, state);\r\n }\r\n\r\n /\r\n Get and clear stored state\r\n /\r\n async consumeState(): Promise<string \| null> {\r\n const state = await this.storage.get(STATE_KEY);\r\n if (state) {\r\n await this.storage.remove(STATE_KEY);\r\n }\r\n return state;\r\n }\r\n\r\n /\r\n Clear all auth-related data\r\n /\r\n async clearAll(): Promise<void> {\r\n await this.storage.clear();\r\n }\r\n}\r\n","import type { GenationConfig, TokenSet } from \"../types\";\r\nimport { AuthError, HttpClient } from \"../http\";\r\nimport { generatePKCE, generateState } from \"./pkce\";\r\nimport { TokenManager } from \"./token-manager\";\r\n\r\nconst DEFAULT_AUTH_URL = \"https://mnnoheowoowbtpuoguul.supabase.co/auth/v1\";\r\n\r\ninterface TokenResponse {\r\n access_token: string;\r\n refresh_token?: string;\r\n token_type: string;\r\n expires_in: number;\r\n scope?: string;\r\n}\r\n\r\n/\r\n OAuth 2.1 handler with PKCE support\r\n /\r\nexport class OAuth2Handler {\r\n private config:\r\n & Required<\r\n Pick<GenationConfig, \"clientId\" \| \"clientSecret\" \| \"redirectUri\">\r\n >\r\n & Pick<GenationConfig, \"scopes\" \| \"authUrl\">;\r\n private http: HttpClient;\r\n private tokenManager: TokenManager;\r\n\r\n constructor(\r\n config: GenationConfig,\r\n tokenManager: TokenManager,\r\n ) {\r\n this.config = {\r\n clientId: config.clientId,\r\n clientSecret: config.clientSecret,\r\n redirectUri: config.redirectUri,\r\n scopes: config.scopes,\r\n authUrl: config.authUrl ?? DEFAULT_AUTH_URL,\r\n };\r\n this.http = new HttpClient({ baseUrl: this.config.authUrl! });\r\n this.tokenManager = tokenManager;\r\n }\r\n\r\n /\r\n Generate authorization URL for OAuth flow\r\n * Stores PKCE verifier and state for later validation\r\n /\r\n async getAuthorizationUrl(): Promise<string> {\r\n const pkce = await generatePKCE();\r\n const state = generateState();\r\n\r\n // Store for later validation\r\n await this.tokenManager.setPKCE(pkce.codeVerifier);\r\n await this.tokenManager.setState(state);\r\n\r\n const params = new URLSearchParams({\r\n response_type: \"code\",\r\n client_id: this.config.clientId,\r\n redirect_uri: this.config.redirectUri,\r\n state,\r\n code_challenge: pkce.codeChallenge,\r\n code_challenge_method: pkce.codeChallengeMethod,\r\n });\r\n\r\n if (this.config.scopes && this.config.scopes.length > 0) {\r\n params.append(\"scope\", this.config.scopes.join(\" \"));\r\n }\r\n\r\n return `${this.config.authUrl}/oauth/authorize?${params.toString()}`;\r\n }\r\n\r\n /\r\n Exchange authorization code for tokens\r\n /\r\n async exchangeCode(code: string, state: string): Promise<TokenSet> {\r\n // Validate state\r\n const storedState = await this.tokenManager.consumeState();\r\n if (!storedState \|\| storedState !== state) {\r\n throw AuthError.invalidState();\r\n }\r\n\r\n // Get PKCE verifier\r\n const codeVerifier = await this.tokenManager.consumePKCE();\r\n if (!codeVerifier) {\r\n throw AuthError.pkceVerificationFailed(\"Missing code verifier\");\r\n }\r\n\r\n // Exchange code for tokens\r\n const response = await this.http.postForm<TokenResponse>(\r\n \"/oauth/token\",\r\n {\r\n grant_type: \"authorization_code\",\r\n code,\r\n redirect_uri: this.config.redirectUri,\r\n client_id: this.config.clientId,\r\n client_secret: this.config.clientSecret,\r\n code_verifier: codeVerifier,\r\n },\r\n );\r\n\r\n const tokens = this.mapTokenResponse(response);\r\n await this.tokenManager.setTokens(tokens);\r\n\r\n return tokens;\r\n }\r\n\r\n /\r\n Refresh access token using refresh token\r\n /\r\n async refreshToken(): Promise<TokenSet> {\r\n const currentTokens = await this.tokenManager.getTokens();\r\n if (!currentTokens?.refreshToken) {\r\n throw AuthError.invalidGrant(\"No refresh token available\");\r\n }\r\n\r\n const response = await this.http.postForm<TokenResponse>(\r\n \"/oauth/token\",\r\n {\r\n grant_type: \"refresh_token\",\r\n refresh_token: currentTokens.refreshToken,\r\n client_id: this.config.clientId,\r\n client_secret: this.config.clientSecret,\r\n },\r\n );\r\n\r\n const tokens = this.mapTokenResponse(response);\r\n await this.tokenManager.setTokens(tokens);\r\n\r\n return tokens;\r\n }\r\n\r\n /\r\n Revoke current tokens\r\n /\r\n async revokeToken(): Promise<void> {\r\n const tokens = await this.tokenManager.getTokens();\r\n if (!tokens) return;\r\n\r\n try {\r\n await this.http.postForm(\"/oauth/revoke\", {\r\n token: tokens.accessToken,\r\n client_id: this.config.clientId,\r\n client_secret: this.config.clientSecret,\r\n });\r\n } finally {\r\n await this.tokenManager.clearTokens();\r\n }\r\n }\r\n\r\n /\r\n Map OAuth token response to TokenSet\r\n /\r\n private mapTokenResponse(response: TokenResponse): TokenSet {\r\n return {\r\n accessToken: response.access_token,\r\n refreshToken: response.refresh_token,\r\n tokenType: response.token_type,\r\n expiresIn: response.expires_in,\r\n issuedAt: Date.now(),\r\n scope: response.scope,\r\n };\r\n }\r\n}\r\n","export const encoder = new TextEncoder();\nexport const decoder = new TextDecoder();\nconst MAX_INT32 = 2 * 32;\nexport function concat(...buffers) {\n const size = buffers.reduce((acc, { length }) => acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n for (const buffer of buffers) {\n buf.set(buffer, i);\n i += buffer.length;\n }\n return buf;\n}\nfunction writeUInt32BE(buf, value, offset) {\n if (value < 0 \|\| value >= MAX_INT32) {\n throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);\n }\n buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);\n}\nexport function uint64be(value) {\n const high = Math.floor(value / MAX_INT32);\n const low = value % MAX_INT32;\n const buf = new Uint8Array(8);\n writeUInt32BE(buf, high, 0);\n writeUInt32BE(buf, low, 4);\n return buf;\n}\nexport function uint32be(value) {\n const buf = new Uint8Array(4);\n writeUInt32BE(buf, value);\n return buf;\n}\nexport function encode(string) {\n const bytes = new Uint8Array(string.length);\n for (let i = 0; i < string.length; i++) {\n const code = string.charCodeAt(i);\n if (code > 127) {\n throw new TypeError('non-ASCII string encountered in encode()');\n }\n bytes[i] = code;\n }\n return bytes;\n}\n","export function encodeBase64(input) {\n if (Uint8Array.prototype.toBase64) {\n return input.toBase64();\n }\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for (let i = 0; i < input.length; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join(''));\n}\nexport function decodeBase64(encoded) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(encoded);\n }\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n}\n","import { encoder, decoder } from '../lib/buffer_utils.js';\nimport { encodeBase64, decodeBase64 } from '../lib/base64.js';\nexport function decode(input) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(typeof input === 'string' ? input : decoder.decode(input), {\n alphabet: 'base64url',\n });\n }\n let encoded = input;\n if (encoded instanceof Uint8Array) {\n encoded = decoder.decode(encoded);\n }\n encoded = encoded.replace(/-/g, '+').replace(/_/g, '/');\n try {\n return decodeBase64(encoded);\n }\n catch {\n throw new TypeError('The input to be decoded is not correctly encoded.');\n }\n}\nexport function encode(input) {\n let unencoded = input;\n if (typeof unencoded === 'string') {\n unencoded = encoder.encode(unencoded);\n }\n if (Uint8Array.prototype.toBase64) {\n return unencoded.toBase64({ alphabet: 'base64url', omitPadding: true });\n }\n return encodeBase64(unencoded).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\n","export class JOSEError extends Error {\n static code = 'ERR_JOSE_GENERIC';\n code = 'ERR_JOSE_GENERIC';\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class JWTClaimValidationFailed extends JOSEError {\n static code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JWTExpired extends JOSEError {\n static code = 'ERR_JWT_EXPIRED';\n code = 'ERR_JWT_EXPIRED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JOSEAlgNotAllowed extends JOSEError {\n static code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n}\nexport class JOSENotSupported extends JOSEError {\n static code = 'ERR_JOSE_NOT_SUPPORTED';\n code = 'ERR_JOSE_NOT_SUPPORTED';\n}\nexport class JWEDecryptionFailed extends JOSEError {\n static code = 'ERR_JWE_DECRYPTION_FAILED';\n code = 'ERR_JWE_DECRYPTION_FAILED';\n constructor(message = 'decryption operation failed', options) {\n super(message, options);\n }\n}\nexport class JWEInvalid extends JOSEError {\n static code = 'ERR_JWE_INVALID';\n code = 'ERR_JWE_INVALID';\n}\nexport class JWSInvalid extends JOSEError {\n static code = 'ERR_JWS_INVALID';\n code = 'ERR_JWS_INVALID';\n}\nexport class JWTInvalid extends JOSEError {\n static code = 'ERR_JWT_INVALID';\n code = 'ERR_JWT_INVALID';\n}\nexport class JWKInvalid extends JOSEError {\n static code = 'ERR_JWK_INVALID';\n code = 'ERR_JWK_INVALID';\n}\nexport class JWKSInvalid extends JOSEError {\n static code = 'ERR_JWKS_INVALID';\n code = 'ERR_JWKS_INVALID';\n}\nexport class JWKSNoMatchingKey extends JOSEError {\n static code = 'ERR_JWKS_NO_MATCHING_KEY';\n code = 'ERR_JWKS_NO_MATCHING_KEY';\n constructor(message = 'no applicable key found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSMultipleMatchingKeys extends JOSEError {\n [Symbol.asyncIterator];\n static code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n constructor(message = 'multiple matching keys found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSTimeout extends JOSEError {\n static code = 'ERR_JWKS_TIMEOUT';\n code = 'ERR_JWKS_TIMEOUT';\n constructor(message = 'request timed out', options) {\n super(message, options);\n }\n}\nexport class JWSSignatureVerificationFailed extends JOSEError {\n static code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n constructor(message = 'signature verification failed', options) {\n super(message, options);\n }\n}\n","const unusable = (name, prop = 'algorithm.name') => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\nconst isAlgorithm = (algorithm, name) => algorithm.name === name;\nfunction getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction getNamedCurve(alg) {\n switch (alg) {\n case 'ES256':\n return 'P-256';\n case 'ES384':\n return 'P-384';\n case 'ES512':\n return 'P-521';\n default:\n throw new Error('unreachable');\n }\n}\nfunction checkUsage(key, usage) {\n if (usage && !key.usages.includes(usage)) {\n throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);\n }\n}\nexport function checkSigCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512': {\n if (!isAlgorithm(key.algorithm, 'HMAC'))\n throw unusable('HMAC');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'RS256':\n case 'RS384':\n case 'RS512': {\n if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))\n throw unusable('RSASSA-PKCS1-v1_5');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'PS256':\n case 'PS384':\n case 'PS512': {\n if (!isAlgorithm(key.algorithm, 'RSA-PSS'))\n throw unusable('RSA-PSS');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'Ed25519':\n case 'EdDSA': {\n if (!isAlgorithm(key.algorithm, 'Ed25519'))\n throw unusable('Ed25519');\n break;\n }\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87': {\n if (!isAlgorithm(key.algorithm, alg))\n throw unusable(alg);\n break;\n }\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n if (!isAlgorithm(key.algorithm, 'ECDSA'))\n throw unusable('ECDSA');\n const expected = getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.namedCurve');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\nexport function checkEncCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM': {\n if (!isAlgorithm(key.algorithm, 'AES-GCM'))\n throw unusable('AES-GCM');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (!isAlgorithm(key.algorithm, 'AES-KW'))\n throw unusable('AES-KW');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'ECDH': {\n switch (key.algorithm.name) {\n case 'ECDH':\n case 'X25519':\n break;\n default:\n throw unusable('ECDH or X25519');\n }\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n if (!isAlgorithm(key.algorithm, 'PBKDF2'))\n throw unusable('PBKDF2');\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))\n throw unusable('RSA-OAEP');\n const expected = parseInt(alg.slice(9), 10) \|\| 1;\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\n","function message(msg, actual, ...types) {\n types = types.filter(Boolean);\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(', ')}, or ${last}.`;\n }\n else if (types.length === 2) {\n msg += `one of type ${types[0]} or ${types[1]}.`;\n }\n else {\n msg += `of type ${types[0]}.`;\n }\n if (actual == null) {\n msg += ` Received ${actual}`;\n }\n else if (typeof actual === 'function' && actual.name) {\n msg += ` Received function ${actual.name}`;\n }\n else if (typeof actual === 'object' && actual != null) {\n if (actual.constructor?.name) {\n msg += ` Received an instance of ${actual.constructor.name}`;\n }\n }\n return msg;\n}\nexport const invalidKeyInput = (actual, ...types) => message('Key must be ', actual, ...types);\nexport const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);\n","export function assertCryptoKey(key) {\n if (!isCryptoKey(key)) {\n throw new Error('CryptoKey instance expected');\n }\n}\nexport const isCryptoKey = (key) => {\n if (key?.[Symbol.toStringTag] === 'CryptoKey')\n return true;\n try {\n return key instanceof CryptoKey;\n }\n catch {\n return false;\n }\n};\nexport const isKeyObject = (key) => key?.[Symbol.toStringTag] === 'KeyObject';\nexport const isKeyLike = (key) => isCryptoKey(key) \|\| isKeyObject(key);\n","export function isDisjoint(...headers) {\n const sources = headers.filter(Boolean);\n if (sources.length === 0 \|\| sources.length === 1) {\n return true;\n }\n let acc;\n for (const header of sources) {\n const parameters = Object.keys(header);\n if (!acc \|\| acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters) {\n if (acc.has(parameter)) {\n return false;\n }\n acc.add(parameter);\n }\n }\n return true;\n}\n","const isObjectLike = (value) => typeof value === 'object' && value !== null;\nexport function isObject(input) {\n if (!isObjectLike(input) \|\| Object.prototype.toString.call(input) !== '[object Object]') {\n return false;\n }\n if (Object.getPrototypeOf(input) === null) {\n return true;\n }\n let proto = input;\n while (Object.getPrototypeOf(proto) !== null) {\n proto = Object.getPrototypeOf(proto);\n }\n return Object.getPrototypeOf(input) === proto;\n}\n","export function checkKeyLength(alg, key) {\n if (alg.startsWith('RS') \|\| alg.startsWith('PS')) {\n const { modulusLength } = key.algorithm;\n if (typeof modulusLength !== 'number' \|\| modulusLength < 2048) {\n throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nfunction subtleMapping(jwk) {\n let algorithm;\n let keyUsages;\n switch (jwk.kty) {\n case 'AKP': {\n switch (jwk.alg) {\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n algorithm = { name: jwk.alg };\n keyUsages = jwk.priv ? ['sign'] : ['verify'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'RSA': {\n switch (jwk.alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) \|\| 1}`,\n };\n keyUsages = jwk.d ? ['decrypt', 'unwrapKey'] : ['encrypt', 'wrapKey'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'EC': {\n switch (jwk.alg) {\n case 'ES256':\n algorithm = { name: 'ECDSA', namedCurve: 'P-256' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES384':\n algorithm = { name: 'ECDSA', namedCurve: 'P-384' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES512':\n algorithm = { name: 'ECDSA', namedCurve: 'P-521' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: 'ECDH', namedCurve: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'OKP': {\n switch (jwk.alg) {\n case 'Ed25519':\n case 'EdDSA':\n algorithm = { name: 'Ed25519' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"kty\" (Key Type) Parameter value');\n }\n return { algorithm, keyUsages };\n}\nexport async function jwkToKey(jwk) {\n if (!jwk.alg) {\n throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n }\n const { algorithm, keyUsages } = subtleMapping(jwk);\n const keyData = { ...jwk };\n if (keyData.kty !== 'AKP') {\n delete keyData.alg;\n }\n delete keyData.use;\n return crypto.subtle.importKey('jwk', keyData, algorithm, jwk.ext ?? (jwk.d \|\| jwk.priv ? false : true), jwk.key_ops ?? keyUsages);\n}\n","import { decode as decodeBase64URL } from '../util/base64url.js';\nimport { fromSPKI, fromPKCS8, fromX509 } from '../lib/asn1.js';\nimport { jwkToKey } from '../lib/jwk_to_key.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { isObject } from '../lib/is_object.js';\nexport async function importSPKI(spki, alg, options) {\n if (typeof spki !== 'string' \|\| spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {\n throw new TypeError('\"spki\" must be SPKI formatted string');\n }\n return fromSPKI(spki, alg, options);\n}\nexport async function importX509(x509, alg, options) {\n if (typeof x509 !== 'string' \|\| x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {\n throw new TypeError('\"x509\" must be X.509 formatted string');\n }\n return fromX509(x509, alg, options);\n}\nexport async function importPKCS8(pkcs8, alg, options) {\n if (typeof pkcs8 !== 'string' \|\| pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {\n throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n }\n return fromPKCS8(pkcs8, alg, options);\n}\nexport async function importJWK(jwk, alg, options) {\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n let ext;\n alg ??= jwk.alg;\n ext ??= options?.extractable ?? jwk.ext;\n switch (jwk.kty) {\n case 'oct':\n if (typeof jwk.k !== 'string' \|\| !jwk.k) {\n throw new TypeError('missing \"k\" (Key Value) Parameter value');\n }\n return decodeBase64URL(jwk.k);\n case 'RSA':\n if ('oth' in jwk && jwk.oth !== undefined) {\n throw new JOSENotSupported('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n }\n return jwkToKey({ ...jwk, alg, ext });\n case 'AKP': {\n if (typeof jwk.alg !== 'string' \|\| !jwk.alg) {\n throw new TypeError('missing \"alg\" (Algorithm) Parameter value');\n }\n if (alg !== undefined && alg !== jwk.alg) {\n throw new TypeError('JWK alg and alg option value mismatch');\n }\n return jwkToKey({ ...jwk, ext });\n }\n case 'EC':\n case 'OKP':\n return jwkToKey({ ...jwk, alg, ext });\n default:\n throw new JOSENotSupported('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n","import { JOSENotSupported, JWEInvalid, JWSInvalid } from '../util/errors.js';\nexport function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n }\n if (!protectedHeader \|\| protectedHeader.crit === undefined) {\n return new Set();\n }\n if (!Array.isArray(protectedHeader.crit) \|\|\n protectedHeader.crit.length === 0 \|\|\n protectedHeader.crit.some((input) => typeof input !== 'string' \|\| input.length === 0)) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n }\n let recognized;\n if (recognizedOption !== undefined) {\n recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);\n }\n else {\n recognized = recognizedDefault;\n }\n for (const parameter of protectedHeader.crit) {\n if (!recognized.has(parameter)) {\n throw new JOSENotSupported(`Extension Header Parameter \"${parameter}\" is not recognized`);\n }\n if (joseHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n }\n if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n }\n return new Set(protectedHeader.crit);\n}\n","import { isObject } from './is_object.js';\nexport const isJWK = (key) => isObject(key) && typeof key.kty === 'string';\nexport const isPrivateJWK = (key) => key.kty !== 'oct' &&\n ((key.kty === 'AKP' && typeof key.priv === 'string') \|\| typeof key.d === 'string');\nexport const isPublicJWK = (key) => key.kty !== 'oct' && key.d === undefined && key.priv === undefined;\nexport const isSecretJWK = (key) => key.kty === 'oct' && typeof key.k === 'string';\n","import { isJWK } from './is_jwk.js';\nimport { decode } from '../util/base64url.js';\nimport { jwkToKey } from './jwk_to_key.js';\nimport { isCryptoKey, isKeyObject } from './is_key_like.js';\nlet cache;\nconst handleJWK = async (key, jwk, alg, freeze = false) => {\n cache \|\|= new WeakMap();\n let cached = cache.get(key);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const cryptoKey = await jwkToKey({ ...jwk, alg });\n if (freeze)\n Object.freeze(key);\n if (!cached) {\n cache.set(key, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nconst handleKeyObject = (keyObject, alg) => {\n cache \|\|= new WeakMap();\n let cached = cache.get(keyObject);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const isPublic = keyObject.type === 'public';\n const extractable = isPublic ? true : false;\n let cryptoKey;\n if (keyObject.asymmetricKeyType === 'x25519') {\n switch (alg) {\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n break;\n default:\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ['deriveBits']);\n }\n if (keyObject.asymmetricKeyType === 'ed25519') {\n if (alg !== 'EdDSA' && alg !== 'Ed25519') {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n switch (keyObject.asymmetricKeyType) {\n case 'ml-dsa-44':\n case 'ml-dsa-65':\n case 'ml-dsa-87': {\n if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n }\n if (keyObject.asymmetricKeyType === 'rsa') {\n let hash;\n switch (alg) {\n case 'RSA-OAEP':\n hash = 'SHA-1';\n break;\n case 'RS256':\n case 'PS256':\n case 'RSA-OAEP-256':\n hash = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'RSA-OAEP-384':\n hash = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'RSA-OAEP-512':\n hash = 'SHA-512';\n break;\n default:\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (alg.startsWith('RSA-OAEP')) {\n return keyObject.toCryptoKey({\n name: 'RSA-OAEP',\n hash,\n }, extractable, isPublic ? ['encrypt'] : ['decrypt']);\n }\n cryptoKey = keyObject.toCryptoKey({\n name: alg.startsWith('PS') ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5',\n hash,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (keyObject.asymmetricKeyType === 'ec') {\n const nist = new Map([\n ['prime256v1', 'P-256'],\n ['secp384r1', 'P-384'],\n ['secp521r1', 'P-521'],\n ]);\n const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);\n if (!namedCurve) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (alg === 'ES256' && namedCurve === 'P-256') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg === 'ES384' && namedCurve === 'P-384') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg === 'ES512' && namedCurve === 'P-521') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg.startsWith('ECDH-ES')) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDH',\n namedCurve,\n }, extractable, isPublic ? [] : ['deriveBits']);\n }\n }\n if (!cryptoKey) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (!cached) {\n cache.set(keyObject, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nexport async function normalizeKey(key, alg) {\n if (key instanceof Uint8Array) {\n return key;\n }\n if (isCryptoKey(key)) {\n return key;\n }\n if (isKeyObject(key)) {\n if (key.type === 'secret') {\n return key.export();\n }\n if ('toCryptoKey' in key && typeof key.toCryptoKey === 'function') {\n try {\n return handleKeyObject(key, alg);\n }\n catch (err) {\n if (err instanceof TypeError) {\n throw err;\n }\n }\n }\n let jwk = key.export({ format: 'jwk' });\n return handleJWK(key, jwk, alg);\n }\n if (isJWK(key)) {\n if (key.k) {\n return decode(key.k);\n }\n return handleJWK(key, key, alg, true);\n }\n throw new Error('unreachable');\n}\n","import { withAlg as invalidKeyInput } from './invalid_key_input.js';\nimport { isKeyLike } from './is_key_like.js';\nimport * as jwk from './is_jwk.js';\nconst tag = (key) => key?.[Symbol.toStringTag];\nconst jwkMatchesOp = (alg, key, usage) => {\n if (key.use !== undefined) {\n let expected;\n switch (usage) {\n case 'sign':\n case 'verify':\n expected = 'sig';\n break;\n case 'encrypt':\n case 'decrypt':\n expected = 'enc';\n break;\n }\n if (key.use !== expected) {\n throw new TypeError(`Invalid key for this operation, its \"use\" must be \"${expected}\" when present`);\n }\n }\n if (key.alg !== undefined && key.alg !== alg) {\n throw new TypeError(`Invalid key for this operation, its \"alg\" must be \"${alg}\" when present`);\n }\n if (Array.isArray(key.key_ops)) {\n let expectedKeyOp;\n switch (true) {\n case usage === 'sign' \|\| usage === 'verify':\n case alg === 'dir':\n case alg.includes('CBC-HS'):\n expectedKeyOp = usage;\n break;\n case alg.startsWith('PBES2'):\n expectedKeyOp = 'deriveBits';\n break;\n case /^A\\d{3}(?:GCM)?(?:KW)?$/.test(alg):\n if (!alg.includes('GCM') && alg.endsWith('KW')) {\n expectedKeyOp = usage === 'encrypt' ? 'wrapKey' : 'unwrapKey';\n }\n else {\n expectedKeyOp = usage;\n }\n break;\n case usage === 'encrypt' && alg.startsWith('RSA'):\n expectedKeyOp = 'wrapKey';\n break;\n case usage === 'decrypt':\n expectedKeyOp = alg.startsWith('RSA') ? 'unwrapKey' : 'deriveBits';\n break;\n }\n if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {\n throw new TypeError(`Invalid key for this operation, its \"key_ops\" must include \"${expectedKeyOp}\" when present`);\n }\n }\n return true;\n};\nconst symmetricTypeCheck = (alg, key, usage) => {\n if (key instanceof Uint8Array)\n return;\n if (jwk.isJWK(key)) {\n if (jwk.isSecretJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK \"kty\" (Key Type) equal to \"oct\" and the JWK \"k\" (Key Value) present`);\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key', 'Uint8Array'));\n }\n if (key.type !== 'secret') {\n throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type \"secret\"`);\n }\n};\nconst asymmetricTypeCheck = (alg, key, usage) => {\n if (jwk.isJWK(key)) {\n switch (usage) {\n case 'decrypt':\n case 'sign':\n if (jwk.isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a private JWK`);\n case 'encrypt':\n case 'verify':\n if (jwk.isPublicJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a public JWK`);\n }\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n if (key.type === 'secret') {\n throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type \"secret\"`);\n }\n if (key.type === 'public') {\n switch (usage) {\n case 'sign':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type \"private\"`);\n case 'decrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type \"private\"`);\n }\n }\n if (key.type === 'private') {\n switch (usage) {\n case 'verify':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type \"public\"`);\n case 'encrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type \"public\"`);\n }\n }\n};\nexport function checkKeyType(alg, key, usage) {\n switch (alg.substring(0, 2)) {\n case 'A1':\n case 'A2':\n case 'di':\n case 'HS':\n case 'PB':\n symmetricTypeCheck(alg, key, usage);\n break;\n default:\n asymmetricTypeCheck(alg, key, usage);\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nexport function subtleAlgorithm(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { hash, name: 'HMAC' };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { hash, name: 'RSA-PSS', saltLength: parseInt(alg.slice(-3), 10) >> 3 };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { hash, name: 'RSASSA-PKCS1-v1_5' };\n case 'ES256':\n case 'ES384':\n case 'ES512':\n return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };\n case 'Ed25519':\n case 'EdDSA':\n return { name: 'Ed25519' };\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return { name: alg };\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\n","import { checkSigCryptoKey } from './crypto_key.js';\nimport { invalidKeyInput } from './invalid_key_input.js';\nexport async function getSigKey(alg, key, usage) {\n if (key instanceof Uint8Array) {\n if (!alg.startsWith('HS')) {\n throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);\n }\n checkSigCryptoKey(key, alg, usage);\n return key;\n}\n","import { subtleAlgorithm } from './subtle_dsa.js';\nimport { checkKeyLength } from './check_key_length.js';\nimport { getSigKey } from './get_sign_verify_key.js';\nexport async function verify(alg, key, signature, data) {\n const cryptoKey = await getSigKey(alg, key, 'verify');\n checkKeyLength(alg, cryptoKey);\n const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);\n try {\n return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);\n }\n catch {\n return false;\n }\n}\n","import { decode as b64u } from '../../util/base64url.js';\nimport { verify } from '../../lib/verify.js';\nimport { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport { concat, encoder, decoder, encode } from '../../lib/buffer_utils.js';\nimport { isDisjoint } from '../../lib/is_disjoint.js';\nimport { isObject } from '../../lib/is_object.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { validateAlgorithms } from '../../lib/validate_algorithms.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport async function flattenedVerify(jws, key, options) {\n if (!isObject(jws)) {\n throw new JWSInvalid('Flattened JWS must be an object');\n }\n if (jws.protected === undefined && jws.header === undefined) {\n throw new JWSInvalid('Flattened JWS must have either of the \"protected\" or \"header\" members');\n }\n if (jws.protected !== undefined && typeof jws.protected !== 'string') {\n throw new JWSInvalid('JWS Protected Header incorrect type');\n }\n if (jws.payload === undefined) {\n throw new JWSInvalid('JWS Payload missing');\n }\n if (typeof jws.signature !== 'string') {\n throw new JWSInvalid('JWS Signature missing or incorrect type');\n }\n if (jws.header !== undefined && !isObject(jws.header)) {\n throw new JWSInvalid('JWS Unprotected Header incorrect type');\n }\n let parsedProt = {};\n if (jws.protected) {\n try {\n const protectedHeader = b64u(jws.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch {\n throw new JWSInvalid('JWS Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jws.header)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jws.header,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = parsedProt.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' \|\| !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n const algorithms = options && validateAlgorithms('algorithms', options.algorithms);\n if (algorithms && !algorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter value not allowed');\n }\n if (b64) {\n if (typeof jws.payload !== 'string') {\n throw new JWSInvalid('JWS Payload must be a string');\n }\n }\n else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {\n throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n checkKeyType(alg, key, 'verify');\n const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array(), encode('.'), typeof jws.payload === 'string'\n ? b64\n ? encode(jws.payload)\n : encoder.encode(jws.payload)\n : jws.payload);\n let signature;\n try {\n signature = b64u(jws.signature);\n }\n catch {\n throw new JWSInvalid('Failed to base64url decode the signature');\n }\n const k = await normalizeKey(key, alg);\n const verified = await verify(alg, k, signature, data);\n if (!verified) {\n throw new JWSSignatureVerificationFailed();\n }\n let payload;\n if (b64) {\n try {\n payload = b64u(jws.payload);\n }\n catch {\n throw new JWSInvalid('Failed to base64url decode the payload');\n }\n }\n else if (typeof jws.payload === 'string') {\n payload = encoder.encode(jws.payload);\n }\n else {\n payload = jws.payload;\n }\n const result = { payload };\n if (jws.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jws.header !== undefined) {\n result.unprotectedHeader = jws.header;\n }\n if (resolvedKey) {\n return { ...result, key: k };\n }\n return result;\n}\n","import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactVerify(jws, key, options) {\n if (jws instanceof Uint8Array) {\n jws = decoder.decode(jws);\n }\n if (typeof jws !== 'string') {\n throw new JWSInvalid('Compact JWS must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');\n if (length !== 3) {\n throw new JWSInvalid('Invalid Compact JWS');\n }\n const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);\n const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';\nimport { encoder, decoder } from './buffer_utils.js';\nimport { isObject } from './is_object.js';\nconst epoch = (date) => Math.floor(date.getTime() / 1000);\nconst minute = 60;\nconst hour = minute * 60;\nconst day = hour * 24;\nconst week = day * 7;\nconst year = day * 365.25;\nconst REGEX = /^(\\+\|\\-)? ?(\\d+\|\\d+\\.\\d+) ?(seconds?\|secs?\|s\|minutes?\|mins?\|m\|hours?\|hrs?\|h\|days?\|d\|weeks?\|w\|years?\|yrs?\|y)(?: (ago\|from now))?$/i;\nexport function secs(str) {\n const matched = REGEX.exec(str);\n if (!matched \|\| (matched[4] && matched[1])) {\n throw new TypeError('Invalid time period format');\n }\n const value = parseFloat(matched[2]);\n const unit = matched[3].toLowerCase();\n let numericDate;\n switch (unit) {\n case 'sec':\n case 'secs':\n case 'second':\n case 'seconds':\n case 's':\n numericDate = Math.round(value);\n break;\n case 'minute':\n case 'minutes':\n case 'min':\n case 'mins':\n case 'm':\n numericDate = Math.round(value * minute);\n break;\n case 'hour':\n case 'hours':\n case 'hr':\n case 'hrs':\n case 'h':\n numericDate = Math.round(value * hour);\n break;\n case 'day':\n case 'days':\n case 'd':\n numericDate = Math.round(value * day);\n break;\n case 'week':\n case 'weeks':\n case 'w':\n numericDate = Math.round(value * week);\n break;\n default:\n numericDate = Math.round(value * year);\n break;\n }\n if (matched[1] === '-' \|\| matched[4] === 'ago') {\n return -numericDate;\n }\n return numericDate;\n}\nfunction validateInput(label, input) {\n if (!Number.isFinite(input)) {\n throw new TypeError(`Invalid ${label} input`);\n }\n return input;\n}\nconst normalizeTyp = (value) => {\n if (value.includes('/')) {\n return value.toLowerCase();\n }\n return `application/${value.toLowerCase()}`;\n};\nconst checkAudiencePresence = (audPayload, audOption) => {\n if (typeof audPayload === 'string') {\n return audOption.includes(audPayload);\n }\n if (Array.isArray(audPayload)) {\n return audOption.some(Set.prototype.has.bind(new Set(audPayload)));\n }\n return false;\n};\nexport function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {\n let payload;\n try {\n payload = JSON.parse(decoder.decode(encodedPayload));\n }\n catch {\n }\n if (!isObject(payload)) {\n throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');\n }\n const { typ } = options;\n if (typ &&\n (typeof protectedHeader.typ !== 'string' \|\|\n normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {\n throw new JWTClaimValidationFailed('unexpected \"typ\" JWT header value', payload, 'typ', 'check_failed');\n }\n const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;\n const presenceCheck = [...requiredClaims];\n if (maxTokenAge !== undefined)\n presenceCheck.push('iat');\n if (audience !== undefined)\n presenceCheck.push('aud');\n if (subject !== undefined)\n presenceCheck.push('sub');\n if (issuer !== undefined)\n presenceCheck.push('iss');\n for (const claim of new Set(presenceCheck.reverse())) {\n if (!(claim in payload)) {\n throw new JWTClaimValidationFailed(`missing required \"${claim}\" claim`, payload, claim, 'missing');\n }\n }\n if (issuer &&\n !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {\n throw new JWTClaimValidationFailed('unexpected \"iss\" claim value', payload, 'iss', 'check_failed');\n }\n if (subject && payload.sub !== subject) {\n throw new JWTClaimValidationFailed('unexpected \"sub\" claim value', payload, 'sub', 'check_failed');\n }\n if (audience &&\n !checkAudiencePresence(payload.aud, typeof audience === 'string' ? [audience] : audience)) {\n throw new JWTClaimValidationFailed('unexpected \"aud\" claim value', payload, 'aud', 'check_failed');\n }\n let tolerance;\n switch (typeof options.clockTolerance) {\n case 'string':\n tolerance = secs(options.clockTolerance);\n break;\n case 'number':\n tolerance = options.clockTolerance;\n break;\n case 'undefined':\n tolerance = 0;\n break;\n default:\n throw new TypeError('Invalid clockTolerance option type');\n }\n const { currentDate } = options;\n const now = epoch(currentDate \|\| new Date());\n if ((payload.iat !== undefined \|\| maxTokenAge) && typeof payload.iat !== 'number') {\n throw new JWTClaimValidationFailed('\"iat\" claim must be a number', payload, 'iat', 'invalid');\n }\n if (payload.nbf !== undefined) {\n if (typeof payload.nbf !== 'number') {\n throw new JWTClaimValidationFailed('\"nbf\" claim must be a number', payload, 'nbf', 'invalid');\n }\n if (payload.nbf > now + tolerance) {\n throw new JWTClaimValidationFailed('\"nbf\" claim timestamp check failed', payload, 'nbf', 'check_failed');\n }\n }\n if (payload.exp !== undefined) {\n if (typeof payload.exp !== 'number') {\n throw new JWTClaimValidationFailed('\"exp\" claim must be a number', payload, 'exp', 'invalid');\n }\n if (payload.exp <= now - tolerance) {\n throw new JWTExpired('\"exp\" claim timestamp check failed', payload, 'exp', 'check_failed');\n }\n }\n if (maxTokenAge) {\n const age = now - payload.iat;\n const max = typeof maxTokenAge === 'number' ? maxTokenAge : secs(maxTokenAge);\n if (age - tolerance > max) {\n throw new JWTExpired('\"iat\" claim timestamp check failed (too far in the past)', payload, 'iat', 'check_failed');\n }\n if (age < 0 - tolerance) {\n throw new JWTClaimValidationFailed('\"iat\" claim timestamp check failed (it should be in the past)', payload, 'iat', 'check_failed');\n }\n }\n return payload;\n}\nexport class JWTClaimsBuilder {\n #payload;\n constructor(payload) {\n if (!isObject(payload)) {\n throw new TypeError('JWT Claims Set MUST be an object');\n }\n this.#payload = structuredClone(payload);\n }\n data() {\n return encoder.encode(JSON.stringify(this.#payload));\n }\n get iss() {\n return this.#payload.iss;\n }\n set iss(value) {\n this.#payload.iss = value;\n }\n get sub() {\n return this.#payload.sub;\n }\n set sub(value) {\n this.#payload.sub = value;\n }\n get aud() {\n return this.#payload.aud;\n }\n set aud(value) {\n this.#payload.aud = value;\n }\n set jti(value) {\n this.#payload.jti = value;\n }\n set nbf(value) {\n if (typeof value === 'number') {\n this.#payload.nbf = validateInput('setNotBefore', value);\n }\n else if (value instanceof Date) {\n this.#payload.nbf = validateInput('setNotBefore', epoch(value));\n }\n else {\n this.#payload.nbf = epoch(new Date()) + secs(value);\n }\n }\n set exp(value) {\n if (typeof value === 'number') {\n this.#payload.exp = validateInput('setExpirationTime', value);\n }\n else if (value instanceof Date) {\n this.#payload.exp = validateInput('setExpirationTime', epoch(value));\n }\n else {\n this.#payload.exp = epoch(new Date()) + secs(value);\n }\n }\n set iat(value) {\n if (value === undefined) {\n this.#payload.iat = epoch(new Date());\n }\n else if (value instanceof Date) {\n this.#payload.iat = validateInput('setIssuedAt', epoch(value));\n }\n else if (typeof value === 'string') {\n this.#payload.iat = validateInput('setIssuedAt', epoch(new Date()) + secs(value));\n }\n else {\n this.#payload.iat = validateInput('setIssuedAt', value);\n }\n }\n}\n","import { compactVerify } from '../jws/compact/verify.js';\nimport { validateClaimsSet } from '../lib/jwt_claims_set.js';\nimport { JWTInvalid } from '../util/errors.js';\nexport async function jwtVerify(jwt, key, options) {\n const verified = await compactVerify(jwt, key, options);\n if (verified.protectedHeader.crit?.includes('b64') && verified.protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);\n const result = { payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { importJWK } from '../key/import.js';\nimport { JWKSInvalid, JOSENotSupported, JWKSNoMatchingKey, JWKSMultipleMatchingKeys, } from '../util/errors.js';\nimport { isObject } from '../lib/is_object.js';\nfunction getKtyFromAlg(alg) {\n switch (typeof alg === 'string' && alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n return 'RSA';\n case 'ES':\n return 'EC';\n case 'Ed':\n return 'OKP';\n case 'ML':\n return 'AKP';\n default:\n throw new JOSENotSupported('Unsupported \"alg\" value for a JSON Web Key Set');\n }\n}\nfunction isJWKSLike(jwks) {\n return (jwks &&\n typeof jwks === 'object' &&\n Array.isArray(jwks.keys) &&\n jwks.keys.every(isJWKLike));\n}\nfunction isJWKLike(key) {\n return isObject(key);\n}\nclass LocalJWKSet {\n #jwks;\n #cached = new WeakMap();\n constructor(jwks) {\n if (!isJWKSLike(jwks)) {\n throw new JWKSInvalid('JSON Web Key Set malformed');\n }\n this.#jwks = structuredClone(jwks);\n }\n jwks() {\n return this.#jwks;\n }\n async getKey(protectedHeader, token) {\n const { alg, kid } = { ...protectedHeader, ...token?.header };\n const kty = getKtyFromAlg(alg);\n const candidates = this.#jwks.keys.filter((jwk) => {\n let candidate = kty === jwk.kty;\n if (candidate && typeof kid === 'string') {\n candidate = kid === jwk.kid;\n }\n if (candidate && (typeof jwk.alg === 'string' \|\| kty === 'AKP')) {\n candidate = alg === jwk.alg;\n }\n if (candidate && typeof jwk.use === 'string') {\n candidate = jwk.use === 'sig';\n }\n if (candidate && Array.isArray(jwk.key_ops)) {\n candidate = jwk.key_ops.includes('verify');\n }\n if (candidate) {\n switch (alg) {\n case 'ES256':\n candidate = jwk.crv === 'P-256';\n break;\n case 'ES384':\n candidate = jwk.crv === 'P-384';\n break;\n case 'ES512':\n candidate = jwk.crv === 'P-521';\n break;\n case 'Ed25519':\n case 'EdDSA':\n candidate = jwk.crv === 'Ed25519';\n break;\n }\n }\n return candidate;\n });\n const { 0: jwk, length } = candidates;\n if (length === 0) {\n throw new JWKSNoMatchingKey();\n }\n if (length !== 1) {\n const error = new JWKSMultipleMatchingKeys();\n const _cached = this.#cached;\n error[Symbol.asyncIterator] = async function* () {\n for (const jwk of candidates) {\n try {\n yield await importWithAlgCache(_cached, jwk, alg);\n }\n catch { }\n }\n };\n throw error;\n }\n return importWithAlgCache(this.#cached, jwk, alg);\n }\n}\nasync function importWithAlgCache(cache, jwk, alg) {\n const cached = cache.get(jwk) \|\| cache.set(jwk, {}).get(jwk);\n if (cached[alg] === undefined) {\n const key = await importJWK({ ...jwk, ext: true }, alg);\n if (key instanceof Uint8Array \|\| key.type !== 'public') {\n throw new JWKSInvalid('JSON Web Key Set members must be public keys');\n }\n cached[alg] = key;\n }\n return cached[alg];\n}\nexport function createLocalJWKSet(jwks) {\n const set = new LocalJWKSet(jwks);\n const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(localJWKSet, {\n jwks: {\n value: () => structuredClone(set.jwks()),\n enumerable: false,\n configurable: false,\n writable: false,\n },\n });\n return localJWKSet;\n}\n","import { JOSEError, JWKSNoMatchingKey, JWKSTimeout } from '../util/errors.js';\nimport { createLocalJWKSet } from './local.js';\nimport { isObject } from '../lib/is_object.js';\nfunction isCloudflareWorkers() {\n return (typeof WebSocketPair !== 'undefined' \|\|\n (typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers') \|\|\n (typeof EdgeRuntime !== 'undefined' && EdgeRuntime === 'vercel'));\n}\nlet USER_AGENT;\nif (typeof navigator === 'undefined' \|\| !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'jose';\n const VERSION = 'v6.1.3';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nexport const customFetch = Symbol();\nasync function fetchJwks(url, headers, signal, fetchImpl = fetch) {\n const response = await fetchImpl(url, {\n method: 'GET',\n signal,\n redirect: 'manual',\n headers,\n }).catch((err) => {\n if (err.name === 'TimeoutError') {\n throw new JWKSTimeout();\n }\n throw err;\n });\n if (response.status !== 200) {\n throw new JOSEError('Expected 200 OK from the JSON Web Key Set HTTP response');\n }\n try {\n return await response.json();\n }\n catch {\n throw new JOSEError('Failed to parse the JSON Web Key Set HTTP response as JSON');\n }\n}\nexport const jwksCache = Symbol();\nfunction isFreshJwksCache(input, cacheMaxAge) {\n if (typeof input !== 'object' \|\| input === null) {\n return false;\n }\n if (!('uat' in input) \|\| typeof input.uat !== 'number' \|\| Date.now() - input.uat >= cacheMaxAge) {\n return false;\n }\n if (!('jwks' in input) \|\|\n !isObject(input.jwks) \|\|\n !Array.isArray(input.jwks.keys) \|\|\n !Array.prototype.every.call(input.jwks.keys, isObject)) {\n return false;\n }\n return true;\n}\nclass RemoteJWKSet {\n #url;\n #timeoutDuration;\n #cooldownDuration;\n #cacheMaxAge;\n #jwksTimestamp;\n #pendingFetch;\n #headers;\n #customFetch;\n #local;\n #cache;\n constructor(url, options) {\n if (!(url instanceof URL)) {\n throw new TypeError('url must be an instance of URL');\n }\n this.#url = new URL(url.href);\n this.#timeoutDuration =\n typeof options?.timeoutDuration === 'number' ? options?.timeoutDuration : 5000;\n this.#cooldownDuration =\n typeof options?.cooldownDuration === 'number' ? options?.cooldownDuration : 30000;\n this.#cacheMaxAge = typeof options?.cacheMaxAge === 'number' ? options?.cacheMaxAge : 600000;\n this.#headers = new Headers(options?.headers);\n if (USER_AGENT && !this.#headers.has('User-Agent')) {\n this.#headers.set('User-Agent', USER_AGENT);\n }\n if (!this.#headers.has('accept')) {\n this.#headers.set('accept', 'application/json');\n this.#headers.append('accept', 'application/jwk-set+json');\n }\n this.#customFetch = options?.[customFetch];\n if (options?.[jwksCache] !== undefined) {\n this.#cache = options?.[jwksCache];\n if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {\n this.#jwksTimestamp = this.#cache.uat;\n this.#local = createLocalJWKSet(this.#cache.jwks);\n }\n }\n }\n pendingFetch() {\n return !!this.#pendingFetch;\n }\n coolingDown() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration\n : false;\n }\n fresh() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge\n : false;\n }\n jwks() {\n return this.#local?.jwks();\n }\n async getKey(protectedHeader, token) {\n if (!this.#local \|\| !this.fresh()) {\n await this.reload();\n }\n try {\n return await this.#local(protectedHeader, token);\n }\n catch (err) {\n if (err instanceof JWKSNoMatchingKey) {\n if (this.coolingDown() === false) {\n await this.reload();\n return this.#local(protectedHeader, token);\n }\n }\n throw err;\n }\n }\n async reload() {\n if (this.#pendingFetch && isCloudflareWorkers()) {\n this.#pendingFetch = undefined;\n }\n this.#pendingFetch \|\|= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch)\n .then((json) => {\n this.#local = createLocalJWKSet(json);\n if (this.#cache) {\n this.#cache.uat = Date.now();\n this.#cache.jwks = json;\n }\n this.#jwksTimestamp = Date.now();\n this.#pendingFetch = undefined;\n })\n .catch((err) => {\n this.#pendingFetch = undefined;\n throw err;\n });\n await this.#pendingFetch;\n }\n}\nexport function createRemoteJWKSet(url, options) {\n const set = new RemoteJWKSet(url, options);\n const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(remoteJWKSet, {\n coolingDown: {\n get: () => set.coolingDown(),\n enumerable: true,\n configurable: false,\n },\n fresh: {\n get: () => set.fresh(),\n enumerable: true,\n configurable: false,\n },\n reload: {\n value: () => set.reload(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n reloading: {\n get: () => set.pendingFetch(),\n enumerable: true,\n configurable: false,\n },\n jwks: {\n value: () => set.jwks(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n });\n return remoteJWKSet;\n}\n","import { createRemoteJWKSet, jwtVerify, type JWTVerifyResult } from \"jose\";\r\n\r\nexport class TokenVerifier {\r\n private jwksUrl: string;\r\n private JWKS: ReturnType<typeof createRemoteJWKSet>;\r\n\r\n constructor(jwksUrl: string) {\r\n this.jwksUrl = jwksUrl;\r\n this.JWKS = createRemoteJWKSet(new URL(this.jwksUrl));\r\n }\r\n\r\n /*\r\n Verify a JWT against the JWKS\r\n /\r\n async verify(token: string): Promise<JWTVerifyResult> {\r\n return jwtVerify(token, this.JWKS);\r\n }\r\n}\r\n","import type { TokenStorage } from \"../types\";\r\n\r\n/\r\n In-memory storage implementation\r\n * Tokens are lost when page refreshes\r\n /\r\nexport class MemoryStorage implements TokenStorage {\r\n private store = new Map<string, string>();\r\n\r\n async get(key: string): Promise<string \| null> {\r\n return this.store.get(key) ?? null;\r\n }\r\n\r\n async set(key: string, value: string): Promise<void> {\r\n this.store.set(key, value);\r\n }\r\n\r\n async remove(key: string): Promise<void> {\r\n this.store.delete(key);\r\n }\r\n\r\n async clear(): Promise<void> {\r\n this.store.clear();\r\n }\r\n}\r\n","import type { TokenStorage } from \"../types\";\r\n\r\n/\r\n Browser localStorage implementation\r\n * Tokens persist across browser sessions\r\n /\r\nexport class LocalStorage implements TokenStorage {\r\n private prefix: string;\r\n\r\n constructor(prefix = \"genation\") {\r\n this.prefix = prefix;\r\n }\r\n\r\n private getKey(key: string): string {\r\n return `${this.prefix}:${key}`;\r\n }\r\n\r\n async get(key: string): Promise<string \| null> {\r\n if (typeof window === \"undefined\") return null;\r\n return localStorage.getItem(this.getKey(key));\r\n }\r\n\r\n async set(key: string, value: string): Promise<void> {\r\n if (typeof window === \"undefined\") return;\r\n localStorage.setItem(this.getKey(key), value);\r\n }\r\n\r\n async remove(key: string): Promise<void> {\r\n if (typeof window === \"undefined\") return;\r\n localStorage.removeItem(this.getKey(key));\r\n }\r\n\r\n async clear(): Promise<void> {\r\n if (typeof window === \"undefined\") return;\r\n const keys = Object.keys(localStorage).filter((k) =>\r\n k.startsWith(`${this.prefix}:`)\r\n );\r\n keys.forEach((k) => localStorage.removeItem(k));\r\n }\r\n}\r\n","import type { TokenStorage } from \"../types\";\r\n\r\n/\r\n Browser sessionStorage implementation\r\n * Tokens persist until browser tab is closed\r\n /\r\nexport class SessionStorage implements TokenStorage {\r\n private prefix: string;\r\n\r\n constructor(prefix = \"genation\") {\r\n this.prefix = prefix;\r\n }\r\n\r\n private getKey(key: string): string {\r\n return `${this.prefix}:${key}`;\r\n }\r\n\r\n async get(key: string): Promise<string \| null> {\r\n if (typeof window === \"undefined\") return null;\r\n return sessionStorage.getItem(this.getKey(key));\r\n }\r\n\r\n async set(key: string, value: string): Promise<void> {\r\n if (typeof window === \"undefined\") return;\r\n sessionStorage.setItem(this.getKey(key), value);\r\n }\r\n\r\n async remove(key: string): Promise<void> {\r\n if (typeof window === \"undefined\") return;\r\n sessionStorage.removeItem(this.getKey(key));\r\n }\r\n\r\n async clear(): Promise<void> {\r\n if (typeof window === \"undefined\") return;\r\n const keys = Object.keys(sessionStorage).filter((k) =>\r\n k.startsWith(`${this.prefix}:`)\r\n );\r\n keys.forEach((k) => sessionStorage.removeItem(k));\r\n }\r\n}\r\n","/\r\n @fileoverview Storage factory and implementations\r\n * @module storage\r\n /\r\n\r\nimport type { StorageType, TokenStorage } from \"../types\";\r\nimport { MemoryStorage } from \"./memory\";\r\nimport { LocalStorage } from \"./local-storage\";\r\nimport { SessionStorage } from \"./session-storage\";\r\n\r\nexport { MemoryStorage } from \"./memory\";\r\nexport { LocalStorage } from \"./local-storage\";\r\nexport { SessionStorage } from \"./session-storage\";\r\n\r\n/\r\n Create a storage instance based on type\r\n \r\n @param type - Storage type to create\r\n * @returns Storage implementation\r\n \r\n @example\r\n * ```typescript\r\n * const storage = createStorage('localStorage');\r\n * await storage.set('key', 'value');\r\n * ```\r\n /\r\nexport function createStorage(\r\n type: StorageType = \"localStorage\",\r\n): TokenStorage {\r\n switch (type) {\r\n case \"memory\":\r\n return new MemoryStorage();\r\n case \"localStorage\":\r\n return new LocalStorage();\r\n case \"sessionStorage\":\r\n return new SessionStorage();\r\n default:\r\n return new LocalStorage();\r\n }\r\n}\r\n","// Function to convert snake_case to camelCase, handles arrays and objects recursively\r\nexport function snakeToCamel(data: any): any {\r\n if (Array.isArray(data)) {\r\n return data.map(snakeToCamel);\r\n } else if (typeof data === \"object\" && data !== null) {\r\n return Object.fromEntries(\r\n Object.entries(data).map(([key, value]) => [\r\n key.replace(/_([a-z])/g, (_, c) => c.toUpperCase()),\r\n snakeToCamel(value)\r\n ])\r\n );\r\n }\r\n return data;\r\n}","/\r\n @fileoverview Main Genation SDK client\r\n * @module client\r\n /\r\n\r\nimport type {\r\n AuthEvent,\r\n AuthStateChangeCallback,\r\n GenationConfig,\r\n Session,\r\n Subscription,\r\n TokenSet,\r\n TokenStorage,\r\n User,\r\n} from \"./types\";\r\nimport { OAuth2Handler, TokenManager, TokenVerifier } from \"./auth\";\r\nimport { createStorage } from \"./storage\";\r\nimport { ConfigError, HttpClient } from \"./http\";\r\nimport type { License, LicenseResponse } from \"./types/server/license\";\r\nimport type { ApiResponse } from \"./types/server/api-response\";\r\nimport { snakeToCamel } from \"./utils/converter\";\r\n\r\n// Re-export types for convenience\r\nexport type { AuthEvent, AuthStateChangeCallback, Session, Subscription };\r\n\r\n/\r\n Main Genation SDK client\r\n \r\n OAuth 2.1 authentication client for Genation platform.\r\n * Supports PKCE flow and automatic token refresh.\r\n \r\n @example\r\n * ```typescript\r\n * import { createClient } from 'genation';\r\n \r\n const client = createClient({\r\n * clientId: 'your-client-id',\r\n * clientSecret: 'your-client-secret',\r\n * redirectUri: 'http://localhost:3000/callback'\r\n * });\r\n \r\n // Listen to auth state changes\r\n * const { subscription } = client.onAuthStateChange((event, session) => {\r\n * if (event === 'SIGNED_IN') {\r\n * console.log('User signed in:', session?.user);\r\n * }\r\n * });\r\n \r\n // Start login flow\r\n * window.location.href = await client.signIn();\r\n * ```\r\n /\r\nexport class GenationClient {\r\n private oauth: OAuth2Handler;\r\n private tokenManager: TokenManager;\r\n private tokenVerifier: TokenVerifier;\r\n private http: HttpClient;\r\n private httpServer: HttpClient;\r\n private listeners: Set<AuthStateChangeCallback> = new Set();\r\n private initialized = false;\r\n\r\n constructor(config: GenationConfig) {\r\n this.validateConfig(config);\r\n\r\n const storage: TokenStorage = typeof config.storage === \"object\"\r\n ? (config.storage as unknown as TokenStorage)\r\n : createStorage(config.storage);\r\n\r\n const authUrl = config.authUrl ??\r\n \"https://mnnoheowoowbtpuoguul.supabase.co/auth/v1\";\r\n\r\n this.tokenManager = new TokenManager(storage);\r\n this.oauth = new OAuth2Handler(config, this.tokenManager);\r\n this.tokenVerifier = new TokenVerifier(\r\n `${authUrl}/.well-known/jwks.json`,\r\n );\r\n\r\n this.http = new HttpClient({\r\n baseUrl: authUrl,\r\n });\r\n this.httpServer = new HttpClient({\r\n baseUrl: \"https://ff-api.genation.ai/api/v2/client\"\r\n });\r\n }\r\n\r\n private validateConfig(config: GenationConfig): void {\r\n if (!config.clientId) throw ConfigError.missingField(\"clientId\");\r\n if (!config.clientSecret) {\r\n throw ConfigError.missingField(\"clientSecret\");\r\n }\r\n if (!config.redirectUri) throw ConfigError.missingField(\"redirectUri\");\r\n }\r\n\r\n /\r\n Emit auth state change event to all listeners\r\n /\r\n private async emitAuthStateChange(event: AuthEvent): Promise<void> {\r\n const session = await this.getSession();\r\n this.listeners.forEach((callback) => {\r\n try {\r\n callback(event, session);\r\n } catch (error) {\r\n console.error(\"Error in auth state change callback:\", error);\r\n }\r\n });\r\n }\r\n\r\n /\r\n Listen to authentication state changes\r\n \r\n Register a callback that fires when:\r\n * - `INITIAL_SESSION`: On first subscription, with current session state\r\n * - `SIGNED_IN`: User successfully authenticated\r\n * - `SIGNED_OUT`: User logged out or session expired\r\n * - `TOKEN_REFRESHED`: Access token was automatically refreshed\r\n \r\n @param callback - Function called on each auth state change\r\n * @returns Object containing subscription with `unsubscribe()` method\r\n \r\n @example\r\n * ```typescript\r\n * const { subscription } = client.onAuthStateChange((event, session) => {\r\n * console.log('Auth event:', event);\r\n \r\n if (event === 'INITIAL_SESSION') {\r\n * // Check if user was previously logged in\r\n * if (session) {\r\n * console.log('Welcome back!', session.user);\r\n * }\r\n * } else if (event === 'SIGNED_IN') {\r\n * // User just signed in\r\n * console.log('Signed in:', session?.user);\r\n * } else if (event === 'SIGNED_OUT') {\r\n * // Clear app state, redirect to login\r\n * console.log('Signed out');\r\n * }\r\n * });\r\n \r\n // Cleanup when component unmounts\r\n * subscription.unsubscribe();\r\n * ```\r\n /\r\n onAuthStateChange(\r\n callback: AuthStateChangeCallback,\r\n ): { subscription: Subscription } {\r\n this.listeners.add(callback);\r\n\r\n // Emit INITIAL_SESSION on first subscription\r\n if (!this.initialized) {\r\n this.initialized = true;\r\n setTimeout(() => {\r\n this.emitAuthStateChange(\"INITIAL_SESSION\");\r\n }, 0);\r\n } else {\r\n // For subsequent subscriptions, also emit current state\r\n setTimeout(() => {\r\n this.emitAuthStateChange(\"INITIAL_SESSION\");\r\n }, 0);\r\n }\r\n\r\n return {\r\n subscription: {\r\n unsubscribe: () => {\r\n this.listeners.delete(callback);\r\n },\r\n },\r\n };\r\n }\r\n\r\n /\r\n Start OAuth sign-in flow\r\n \r\n Generates authorization URL with PKCE challenge.\r\n * Redirect user to this URL to start authentication.\r\n \r\n @returns Authorization URL to redirect user to\r\n \r\n @example\r\n * ```typescript\r\n * async function handleLogin() {\r\n * const url = await client.signIn();\r\n * window.location.href = url;\r\n * }\r\n * ```\r\n /\r\n async signIn(): Promise<string> {\r\n return this.oauth.getAuthorizationUrl();\r\n }\r\n\r\n /\r\n Handle OAuth callback after user authentication\r\n \r\n Call this on your redirect URI page to exchange\r\n * the authorization code for access tokens.\r\n * Triggers `SIGNED_IN` event on success.\r\n \r\n @param code - Authorization code from URL query params\r\n * @param state - State parameter for CSRF validation\r\n * @returns Token set with access and refresh tokens\r\n * @throws {AuthError} If state mismatch or code exchange fails\r\n \r\n @example\r\n * ```typescript\r\n * // On your /callback page\r\n * async function handleCallback() {\r\n * const url = window.location.href;\r\n * await client.handleCallback(url);\r\n * // onAuthStateChange will fire with SIGNED_IN event\r\n * }\r\n * ```\r\n /\r\n async handleCallback(url: string): Promise<TokenSet> {\r\n const params = new URL(url);\r\n const code = params.searchParams.get('code');\r\n const state = params.searchParams.get('state');\r\n if (!code \|\| !state) {\r\n throw new Error('Missing code or state');\r\n }\r\n const tokens = await this.oauth.exchangeCode(code, state);\r\n await this.emitAuthStateChange(\"SIGNED_IN\");\r\n return tokens;\r\n }\r\n\r\n /\r\n Sign out and revoke tokens\r\n \r\n Clears local session.\r\n * Triggers `SIGNED_OUT` event for all listeners.\r\n \r\n @example\r\n * ```typescript\r\n * async function handleLogout() {\r\n * await client.signOut();\r\n * // onAuthStateChange will fire with SIGNED_OUT event\r\n * }\r\n * ```\r\n /\r\n async signOut(): Promise<void> {\r\n // TODO: Server-side signout API is not yet available.\r\n // Once implemented, we should call this.oauth.revokeToken() here.\r\n // await this.oauth.revokeToken();\r\n\r\n await this.tokenManager.clearTokens();\r\n await this.emitAuthStateChange(\"SIGNED_OUT\");\r\n }\r\n\r\n /\r\n Get current session\r\n \r\n Returns session with access token and user info.\r\n * Automatically refreshes token if expired.\r\n \r\n @returns Current session or null if not authenticated\r\n \r\n @example\r\n * ```typescript\r\n * const session = await client.getSession();\r\n * if (session) {\r\n * console.log('Logged in as:', session.user?.email);\r\n \r\n // Use access token for API calls\r\n * fetch('/api/data', {\r\n * headers: { Authorization: `Bearer ${session.accessToken}` }\r\n * });\r\n * }\r\n * ```\r\n /\r\n async getSession(): Promise<Session \| null> {\r\n const isExpired = await this.tokenManager.isTokenExpired();\r\n\r\n if (isExpired) {\r\n try {\r\n await this.oauth.refreshToken();\r\n } catch {\r\n return null;\r\n }\r\n }\r\n\r\n const tokens = await this.tokenManager.getTokens();\r\n if (!tokens) return null;\r\n\r\n const user = await this.fetchUser(tokens.accessToken);\r\n\r\n return {\r\n accessToken: tokens.accessToken,\r\n refreshToken: tokens.refreshToken,\r\n expiresIn: tokens.expiresIn,\r\n expiresAt: tokens.issuedAt + tokens.expiresIn 1000,\r\n user,\r\n };\r\n }\r\n /*\r\n Verify a JWT token\r\n \r\n Validates the token signature using the public JWKS.\r\n \r\n @param token - JWT token to verify\r\n * @returns Decoded token payload if valid\r\n * @throws Error if token is invalid\r\n /\r\n async verifyToken(token: string): Promise<any> {\r\n const { payload } = await this.tokenVerifier.verify(token);\r\n return payload;\r\n }\r\n\r\n /\r\n Get licenses\r\n * @param accessToken - The access token to use for the request\r\n * @param options - The options for the request\r\n * @param options.expiresAfter - Query licenses that are expired after the given date, default set to today to get all valid licenses (unexpired licenses)\r\n * @returns The licenses\r\n /\r\n async getLicenses(options: { expiresAfter?: Date } = {}): Promise<License[] \| null> {\r\n const session = await this.getSession();\r\n if (!session) {\r\n return null;\r\n }\r\n const accessToken = session.accessToken;\r\n const { expiresAfter = new Date() } = options;\r\n const response = await this.httpServer.request<ApiResponse<LicenseResponse[]>>(\"/licenses\", {\r\n headers: { Authorization: `Bearer ${accessToken}` },\r\n params: { expiresAfter: expiresAfter.toISOString() }\r\n });\r\n if (!response.ok) {\r\n console.error(\"GenationClient: Error fetching licenses:\", response.error);\r\n return null;\r\n }\r\n const licenses: License[] = snakeToCamel(response.data);\r\n return licenses;\r\n }\r\n /\r\n Fetch user info from auth server\r\n /\r\n private async fetchUser(accessToken: string): Promise<User \| null> {\r\n try {\r\n // Use standard OIDC UserInfo endpoint\r\n // https://supabase.com/docs/guides/auth/oauth-server/oauth-flows#userinfo-endpoint\r\n const response = await this.http.request<{\r\n sub: string;\r\n email?: string;\r\n name?: string;\r\n picture?: string;\r\n email_verified?: boolean;\r\n phone_number?: string;\r\n phone_number_verified?: boolean;\r\n }>(\"/oauth/userinfo\", {\r\n headers: { Authorization: `Bearer ${accessToken}` },\r\n });\r\n\r\n return {\r\n sub: response.sub,\r\n name: response.name,\r\n picture: response.picture,\r\n email: response.email,\r\n email_verified: response.email_verified,\r\n phone_number: response.phone_number,\r\n phone_number_verified: response.phone_number_verified,\r\n };\r\n } catch (error) {\r\n console.error(\"GenationClient: Error fetching user:\", error);\r\n return null;\r\n }\r\n }\r\n}\r\n\r\n/\r\n Create a new Genation client instance\r\n \r\n Factory function for creating SDK client with configuration.\r\n \r\n @param config - Client configuration options\r\n * @returns Configured GenationClient instance\r\n \r\n @example\r\n * ```typescript\r\n * import { createClient } from 'genation';\r\n \r\n const client = createClient({\r\n * clientId: 'your-client-id',\r\n * clientSecret: 'your-client-secret',\r\n * redirectUri: 'http://localhost:3000/callback',\r\n * // Optional\r\n * scopes: ['openid', 'profile', 'email'],\r\n * storage: 'localStorage',\r\n * });\r\n * ```\r\n */\r\nexport function createClient(config: GenationConfig): GenationClient {\r\n return new GenationClient(config);\r\n}\r\n"],"names":["GenationError","message","code","cause","AuthError","NetworkError","status","response","ConfigError","field","HttpClient","config","endpoint","options","method","headers","body","params","url","searchParams","controller","timeoutId","error","data","base64URLEncode","buffer","generateCodeVerifier","array","generateCodeChallenge","verifier","hash","generatePKCE","codeVerifier","codeChallenge","generateState","TOKEN_KEY","PKCE_KEY","STATE_KEY","TokenManager","storage","tokens","expiresAt","state","DEFAULT_AUTH_URL","OAuth2Handler","tokenManager","pkce","storedState","currentTokens","encoder","decoder","concat","buffers","size","acc","length","buf","i","encode","string","bytes","decodeBase64","encoded","binary","decode","input","JOSEError","JWTClaimValidationFailed","payload","claim","reason","JWTExpired","JOSENotSupported","JWSInvalid","JWTInvalid","JWKSInvalid","JWKSNoMatchingKey","JWKSMultipleMatchingKeys","JWKSTimeout","JWSSignatureVerificationFailed","unusable","name","prop","isAlgorithm","algorithm","getHashLength","getNamedCurve","alg","checkUsage","key","usage","checkSigCryptoKey","expected","msg","actual","types","last","invalidKeyInput","withAlg","isCryptoKey","isKeyObject","isKeyLike","isDisjoint","sources","header","parameters","parameter","isObjectLike","value","isObject","proto","checkKeyLength","modulusLength","subtleMapping","jwk","keyUsages","jwkToKey","keyData","importJWK","ext","decodeBase64URL","validateCrit","Err","recognizedDefault","recognizedOption","protectedHeader","joseHeader","recognized","isJWK","isPrivateJWK","isPublicJWK","isSecretJWK","cache","handleJWK","freeze","cached","cryptoKey","handleKeyObject","keyObject","isPublic","extractable","namedCurve","normalizeKey","err","tag","jwkMatchesOp","expectedKeyOp","symmetricTypeCheck","jwk.isJWK","jwk.isSecretJWK","asymmetricTypeCheck","jwk.isPrivateJWK","jwk.isPublicJWK","checkKeyType","subtleAlgorithm","getSigKey","verify","signature","flattenedVerify","jws","parsedProt","b64u","extensions","b64","resolvedKey","k","result","compactVerify","verified","epoch","date","minute","hour","day","week","year","REGEX","secs","str","matched","unit","numericDate","normalizeTyp","checkAudiencePresence","audPayload","audOption","validateClaimsSet","encodedPayload","typ","requiredClaims","issuer","subject","audience","maxTokenAge","presenceCheck","tolerance","currentDate","now","age","max","jwtVerify","jwt","getKtyFromAlg","isJWKSLike","jwks","isJWKLike","LocalJWKSet","#jwks","#cached","token","kid","kty","candidates","candidate","_cached","importWithAlgCache","createLocalJWKSet","set","localJWKSet","isCloudflareWorkers","USER_AGENT","customFetch","fetchJwks","signal","fetchImpl","jwksCache","isFreshJwksCache","cacheMaxAge","RemoteJWKSet","#url","#timeoutDuration","#cooldownDuration","#cacheMaxAge","#jwksTimestamp","#pendingFetch","#headers","#customFetch","#local","#cache","json","createRemoteJWKSet","remoteJWKSet","TokenVerifier","jwksUrl","MemoryStorage","LocalStorage","prefix","SessionStorage","createStorage","type","snakeToCamel","_","c","GenationClient","authUrl","event","session","callback","user","accessToken","expiresAfter","createClient"],"mappings":"gFAGO,MAAMA,UAAsB,KAAM,CAC9B,KACA,MAEP,YAAYC,EAAiBC,EAAcC,EAAiB,CACxD,MAAMF,CAAO,EACb,KAAK,KAAO,gBACZ,KAAK,KAAOC,EACZ,KAAK,MAAQC,CACjB,CACJ,CAKO,MAAMC,UAAkBJ,CAAc,CACzC,YAAYC,EAAiBC,EAAcC,EAAiB,CACxD,MAAMF,EAASC,EAAMC,CAAK,EAC1B,KAAK,KAAO,WAChB,CAEA,OAAO,aACHF,EAAU,8CACZ,CACE,OAAO,IAAIG,EAAUH,EAAS,eAAe,CACjD,CAEA,OAAO,aAAaA,EAAU,qBAAsB,CAChD,OAAO,IAAIG,EAAUH,EAAS,eAAe,CACjD,CAEA,OAAO,aAAaA,EAAU,oBAAqB,CAC/C,OAAO,IAAIG,EAAUH,EAAS,eAAe,CACjD,CAEA,OAAO,aAAaA,EAAU,uCAAwC,CAClE,OAAO,IAAIG,EAAUH,EAAS,eAAe,CACjD,CAEA,OAAO,uBAAuBA,EAAU,2BAA4B,CAChE,OAAO,IAAIG,EAAUH,EAAS,0BAA0B,CAC5D,CACJ,CAKO,MAAMI,UAAqBL,CAAc,CACrC,OAEP,YAAYC,EAAiBK,EAAiBH,EAAiB,CAC3D,MAAMF,EAAS,gBAAiBE,CAAK,EACrC,KAAK,KAAO,eACZ,KAAK,OAASG,CAClB,CAEA,OAAO,aAAaC,EAAoB,CACpC,OAAO,IAAIF,EACP,QAAQE,EAAS,MAAM,KAAKA,EAAS,UAAU,GAC/CA,EAAS,MAAA,CAEjB,CACJ,CAKO,MAAMC,UAAoBR,CAAc,CAC3C,YAAYC,EAAiB,CACzB,MAAMA,EAAS,cAAc,EAC7B,KAAK,KAAO,aAChB,CAEA,OAAO,aAAaQ,EAAe,CAC/B,OAAO,IAAID,EAAY,kCAAkCC,CAAK,EAAE,CACpE,CACJ,CC9DO,MAAMC,CAAW,CACZ,QACA,QAER,YAAYC,EAA0B,CAClC,KAAK,QAAUA,EAAO,QAAQ,QAAQ,MAAO,EAAE,EAC/C,KAAK,QAAUA,EAAO,SAAW,GACrC,CAKA,MAAM,QACFC,EACAC,EAA0B,GAChB,CACV,KAAM,CAAE,OAAAC,EAAS,MAAO,QAAAC,EAAU,CAAA,EAAI,KAAAC,EAAM,OAAAC,GAAWJ,EAGvD,IAAIK,EAAM,GAAG,KAAK,OAAO,GAAGN,CAAQ,GACpC,GAAIK,EAAQ,CACR,MAAME,EAAe,IAAI,gBAAgBF,CAAM,EAC/CC,GAAO,IAAIC,EAAa,SAAA,CAAU,EACtC,CAGA,MAAMC,EAAa,IAAI,gBACjBC,EAAY,WAAW,IAAMD,EAAW,MAAA,EAAS,KAAK,OAAO,EAEnE,GAAI,CACA,MAAMb,EAAW,MAAM,MAAMW,EAAK,CAC9B,OAAAJ,EACA,QAAS,CACL,eAAgB,mBAChB,GAAGC,CAAA,EAEP,KAAMC,EAAO,KAAK,UAAUA,CAAI,EAAI,OACpC,OAAQI,EAAW,MAAA,CACtB,EAID,GAFA,aAAaC,CAAS,EAElB,CAACd,EAAS,GACV,MAAMF,EAAa,aAAaE,CAAQ,EAG5C,OAAO,MAAMA,EAAS,KAAA,CAC1B,OAASe,EAAO,CAGZ,MAFA,aAAaD,CAAS,EAElBC,aAAiBjB,EACXiB,EAGNA,aAAiB,OAASA,EAAM,OAAS,aACnC,IAAIjB,EAAa,kBAAmB,OAAWiB,CAAK,EAGxD,IAAIjB,EAAa,yBAA0B,OAAWiB,CAAK,CACrE,CACJ,CAKA,MAAM,SACFV,EACAW,EACAR,EAAkC,CAAA,EACxB,CACV,MAAMG,EAAM,GAAG,KAAK,OAAO,GAAGN,CAAQ,GAChCQ,EAAa,IAAI,gBACjBC,EAAY,WAAW,IAAMD,EAAW,MAAA,EAAS,KAAK,OAAO,EAEnE,GAAI,CACA,MAAMb,EAAW,MAAM,MAAMW,EAAK,CAC9B,OAAQ,OACR,QAAS,CACL,eAAgB,oCAChB,GAAGH,CAAA,EAEP,KAAM,IAAI,gBAAgBQ,CAAI,EAAE,SAAA,EAChC,OAAQH,EAAW,MAAA,CACtB,EAID,GAFA,aAAaC,CAAS,EAElB,CAACd,EAAS,GACV,MAAMF,EAAa,aAAaE,CAAQ,EAG5C,OAAO,MAAMA,EAAS,KAAA,CAC1B,OAASe,EAAO,CAGZ,MAFA,aAAaD,CAAS,EAElBC,aAAiBjB,EACXiB,EAGJ,IAAIjB,EAAa,yBAA0B,OAAWiB,CAAK,CACrE,CACJ,CACJ,CClHA,SAASE,EAAgBC,EAA4B,CACjD,OAAO,KAAK,OAAO,aAAa,GAAGA,CAAM,CAAC,EACrC,QAAQ,MAAO,GAAG,EAClB,QAAQ,MAAO,GAAG,EAClB,QAAQ,KAAM,EAAE,CACzB,CAMA,SAASC,IAA+B,CACpC,MAAMC,EAAQ,IAAI,WAAW,EAAE,EAC/B,cAAO,gBAAgBA,CAAK,EACrBH,EAAgBG,CAAK,CAChC,CAMA,eAAeC,GAAsBC,EAAmC,CAEpE,MAAMN,EADU,IAAI,YAAA,EACC,OAAOM,CAAQ,EAC9BC,EAAO,MAAM,OAAO,OAAO,OAAO,UAAWP,CAAI,EACvD,OAAOC,EAAgB,IAAI,WAAWM,CAAI,CAAC,CAC/C,CAMA,eAAsBC,IAAuC,CACzD,MAAMC,EAAeN,GAAA,EACfO,EAAgB,MAAML,GAAsBI,CAAY,EAE9D,MAAO,CACH,aAAAA,EACA,cAAAC,EACA,oBAAqB,MAAA,CAE7B,CAKO,SAASC,IAAwB,CACpC,MAAMP,EAAQ,IAAI,WAAW,EAAE,EAC/B,cAAO,gBAAgBA,CAAK,EACrBH,EAAgBG,CAAK,CAChC,CCrDA,MAAMQ,EAAY,SACZC,EAAW,OACXC,EAAY,QAKX,MAAMC,EAAa,CACd,QAER,YAAYC,EAAuB,CAC/B,KAAK,QAAUA,CACnB,CAKA,MAAM,UAAUC,EAAiC,CAC7C,MAAM,KAAK,QAAQ,IAAIL,EAAW,KAAK,UAAUK,CAAM,CAAC,CAC5D,CAKA,MAAM,WAAsC,CACxC,MAAMjB,EAAO,MAAM,KAAK,QAAQ,IAAIY,CAAS,EAC7C,GAAI,CAACZ,EAAM,OAAO,KAElB,GAAI,CACA,OAAO,KAAK,MAAMA,CAAI,CAC1B,MAAQ,CACJ,OAAO,IACX,CACJ,CAKA,MAAM,aAA6B,CAC/B,MAAM,KAAK,QAAQ,OAAOY,CAAS,CACvC,CAKA,MAAM,gBAAmC,CACrC,MAAMK,EAAS,MAAM,KAAK,UAAA,EAC1B,GAAI,CAACA,EAAQ,MAAO,GAEpB,MAAMC,EAAYD,EAAO,SAAWA,EAAO,UAAY,IAEvD,OAAO,KAAK,MAAQC,EAAY,GACpC,CAKA,MAAM,QAAQT,EAAqC,CAC/C,MAAM,KAAK,QAAQ,IAAII,EAAUJ,CAAY,CACjD,CAKA,MAAM,aAAsC,CACxC,MAAMH,EAAW,MAAM,KAAK,QAAQ,IAAIO,CAAQ,EAChD,OAAIP,GACA,MAAM,KAAK,QAAQ,OAAOO,CAAQ,EAE/BP,CACX,CAKA,MAAM,SAASa,EAA8B,CACzC,MAAM,KAAK,QAAQ,IAAIL,EAAWK,CAAK,CAC3C,CAKA,MAAM,cAAuC,CACzC,MAAMA,EAAQ,MAAM,KAAK,QAAQ,IAAIL,CAAS,EAC9C,OAAIK,GACA,MAAM,KAAK,QAAQ,OAAOL,CAAS,EAEhCK,CACX,CAKA,MAAM,UAA0B,CAC5B,MAAM,KAAK,QAAQ,MAAA,CACvB,CACJ,CC7FA,MAAMC,GAAmB,mDAalB,MAAMC,EAAc,CACf,OAKA,KACA,aAER,YACIjC,EACAkC,EACF,CACE,KAAK,OAAS,CACV,SAAUlC,EAAO,SACjB,aAAcA,EAAO,aACrB,YAAaA,EAAO,YACpB,OAAQA,EAAO,OACf,QAASA,EAAO,SAAWgC,EAAA,EAE/B,KAAK,KAAO,IAAIjC,EAAW,CAAE,QAAS,KAAK,OAAO,QAAU,EAC5D,KAAK,aAAemC,CACxB,CAMA,MAAM,qBAAuC,CACzC,MAAMC,EAAO,MAAMf,GAAA,EACbW,EAAQR,GAAA,EAGd,MAAM,KAAK,aAAa,QAAQY,EAAK,YAAY,EACjD,MAAM,KAAK,aAAa,SAASJ,CAAK,EAEtC,MAAMzB,EAAS,IAAI,gBAAgB,CAC/B,cAAe,OACf,UAAW,KAAK,OAAO,SACvB,aAAc,KAAK,OAAO,YAC1B,MAAAyB,EACA,eAAgBI,EAAK,cACrB,sBAAuBA,EAAK,mBAAA,CAC/B,EAED,OAAI,KAAK,OAAO,QAAU,KAAK,OAAO,OAAO,OAAS,GAClD7B,EAAO,OAAO,QAAS,KAAK,OAAO,OAAO,KAAK,GAAG,CAAC,EAGhD,GAAG,KAAK,OAAO,OAAO,oBAAoBA,EAAO,UAAU,EACtE,CAKA,MAAM,aAAaf,EAAcwC,EAAkC,CAE/D,MAAMK,EAAc,MAAM,KAAK,aAAa,aAAA,EAC5C,GAAI,CAACA,GAAeA,IAAgBL,EAChC,MAAMtC,EAAU,aAAA,EAIpB,MAAM4B,EAAe,MAAM,KAAK,aAAa,YAAA,EAC7C,GAAI,CAACA,EACD,MAAM5B,EAAU,uBAAuB,uBAAuB,EAIlE,MAAMG,EAAW,MAAM,KAAK,KAAK,SAC7B,eACA,CACI,WAAY,qBACZ,KAAAL,EACA,aAAc,KAAK,OAAO,YAC1B,UAAW,KAAK,OAAO,SACvB,cAAe,KAAK,OAAO,aAC3B,cAAe8B,CAAA,CACnB,EAGEQ,EAAS,KAAK,iBAAiBjC,CAAQ,EAC7C,aAAM,KAAK,aAAa,UAAUiC,CAAM,EAEjCA,CACX,CAKA,MAAM,cAAkC,CACpC,MAAMQ,EAAgB,MAAM,KAAK,aAAa,UAAA,EAC9C,GAAI,CAACA,GAAe,aAChB,MAAM5C,EAAU,aAAa,4BAA4B,EAG7D,MAAMG,EAAW,MAAM,KAAK,KAAK,SAC7B,eACA,CACI,WAAY,gBACZ,cAAeyC,EAAc,aAC7B,UAAW,KAAK,OAAO,SACvB,cAAe,KAAK,OAAO,YAAA,CAC/B,EAGER,EAAS,KAAK,iBAAiBjC,CAAQ,EAC7C,aAAM,KAAK,aAAa,UAAUiC,CAAM,EAEjCA,CACX,CAKA,MAAM,aAA6B,CAC/B,MAAMA,EAAS,MAAM,KAAK,aAAa,UAAA,EACvC,GAAKA,EAEL,GAAI,CACA,MAAM,KAAK,KAAK,SAAS,gBAAiB,CACtC,MAAOA,EAAO,YACd,UAAW,KAAK,OAAO,SACvB,cAAe,KAAK,OAAO,YAAA,CAC9B,CACL,QAAA,CACI,MAAM,KAAK,aAAa,YAAA,CAC5B,CACJ,CAKQ,iBAAiBjC,EAAmC,CACxD,MAAO,CACH,YAAaA,EAAS,aACtB,aAAcA,EAAS,cACvB,UAAWA,EAAS,WACpB,UAAWA,EAAS,WACpB,SAAU,KAAK,IAAA,EACf,MAAOA,EAAS,KAAA,CAExB,CACJ,CCjKO,MAAM0C,EAAU,IAAI,YACdC,EAAU,IAAI,YAEpB,SAASC,MAAUC,EAAS,CAC/B,MAAMC,EAAOD,EAAQ,OAAO,CAACE,EAAK,CAAE,OAAAC,KAAaD,EAAMC,EAAQ,CAAC,EAC1DC,EAAM,IAAI,WAAWH,CAAI,EAC/B,IAAII,EAAI,EACR,UAAWhC,KAAU2B,EACjBI,EAAI,IAAI/B,EAAQgC,CAAC,EACjBA,GAAKhC,EAAO,OAEhB,OAAO+B,CACX,CAoBO,SAASE,EAAOC,EAAQ,CAC3B,MAAMC,EAAQ,IAAI,WAAWD,EAAO,MAAM,EAC1C,QAASF,EAAI,EAAGA,EAAIE,EAAO,OAAQF,IAAK,CACpC,MAAMvD,EAAOyD,EAAO,WAAWF,CAAC,EAChC,GAAIvD,EAAO,IACP,MAAM,IAAI,UAAU,0CAA0C,EAElE0D,EAAMH,CAAC,EAAIvD,CACf,CACA,OAAO0D,CACX,CC/BO,SAASC,GAAaC,EAAS,CAClC,GAAI,WAAW,WACX,OAAO,WAAW,WAAWA,CAAO,EAExC,MAAMC,EAAS,KAAKD,CAAO,EACrBF,EAAQ,IAAI,WAAWG,EAAO,MAAM,EAC1C,QAASN,EAAI,EAAGA,EAAIM,EAAO,OAAQN,IAC/BG,EAAMH,CAAC,EAAIM,EAAO,WAAWN,CAAC,EAElC,OAAOG,CACX,CCnBO,SAASI,EAAOC,EAAO,CAC1B,GAAI,WAAW,WACX,OAAO,WAAW,WAAW,OAAOA,GAAU,SAAWA,EAAQf,EAAQ,OAAOe,CAAK,EAAG,CACpF,SAAU,WACtB,CAAS,EAEL,IAAIH,EAAUG,EACVH,aAAmB,aACnBA,EAAUZ,EAAQ,OAAOY,CAAO,GAEpCA,EAAUA,EAAQ,QAAQ,KAAM,GAAG,EAAE,QAAQ,KAAM,GAAG,EACtD,GAAI,CACA,OAAOD,GAAaC,CAAO,CAC/B,MACM,CACF,MAAM,IAAI,UAAU,mDAAmD,CAC3E,CACJ,CCnBO,MAAMI,UAAkB,KAAM,CACjC,OAAO,KAAO,mBACd,KAAO,mBACP,YAAYjE,EAASY,EAAS,CAC1B,MAAMZ,EAASY,CAAO,EACtB,KAAK,KAAO,KAAK,YAAY,KAC7B,MAAM,oBAAoB,KAAM,KAAK,WAAW,CACpD,CACJ,CACO,MAAMsD,UAAiCD,CAAU,CACpD,OAAO,KAAO,kCACd,KAAO,kCACP,MACA,OACA,QACA,YAAYjE,EAASmE,EAASC,EAAQ,cAAeC,EAAS,cAAe,CACzE,MAAMrE,EAAS,CAAE,MAAO,CAAE,MAAAoE,EAAO,OAAAC,EAAQ,QAAAF,CAAO,EAAI,EACpD,KAAK,MAAQC,EACb,KAAK,OAASC,EACd,KAAK,QAAUF,CACnB,CACJ,CACO,MAAMG,UAAmBL,CAAU,CACtC,OAAO,KAAO,kBACd,KAAO,kBACP,MACA,OACA,QACA,YAAYjE,EAASmE,EAASC,EAAQ,cAAeC,EAAS,cAAe,CACzE,MAAMrE,EAAS,CAAE,MAAO,CAAE,MAAAoE,EAAO,OAAAC,EAAQ,QAAAF,CAAO,EAAI,EACpD,KAAK,MAAQC,EACb,KAAK,OAASC,EACd,KAAK,QAAUF,CACnB,CACJ,CAKO,MAAMI,UAAyBN,CAAU,CAC5C,OAAO,KAAO,yBACd,KAAO,wBACX,CAYO,MAAMO,UAAmBP,CAAU,CACtC,OAAO,KAAO,kBACd,KAAO,iBACX,CACO,MAAMQ,UAAmBR,CAAU,CACtC,OAAO,KAAO,kBACd,KAAO,iBACX,CAKO,MAAMS,WAAoBT,CAAU,CACvC,OAAO,KAAO,mBACd,KAAO,kBACX,CACO,MAAMU,WAA0BV,CAAU,CAC7C,OAAO,KAAO,2BACd,KAAO,2BACP,YAAYjE,EAAU,kDAAmDY,EAAS,CAC9E,MAAMZ,EAASY,CAAO,CAC1B,CACJ,CACO,MAAMgE,WAAiCX,CAAU,CACpD,CAAC,OAAO,aAAa,EACrB,OAAO,KAAO,kCACd,KAAO,kCACP,YAAYjE,EAAU,uDAAwDY,EAAS,CACnF,MAAMZ,EAASY,CAAO,CAC1B,CACJ,CACO,MAAMiE,WAAoBZ,CAAU,CACvC,OAAO,KAAO,mBACd,KAAO,mBACP,YAAYjE,EAAU,oBAAqBY,EAAS,CAChD,MAAMZ,EAASY,CAAO,CAC1B,CACJ,CACO,MAAMkE,WAAuCb,CAAU,CAC1D,OAAO,KAAO,wCACd,KAAO,wCACP,YAAYjE,EAAU,gCAAiCY,EAAS,CAC5D,MAAMZ,EAASY,CAAO,CAC1B,CACJ,CClGA,MAAMmE,EAAW,CAACC,EAAMC,EAAO,mBAAqB,IAAI,UAAU,kDAAkDA,CAAI,YAAYD,CAAI,EAAE,EACpIE,EAAc,CAACC,EAAWH,IAASG,EAAU,OAASH,EAC5D,SAASI,EAAcvD,EAAM,CACzB,OAAO,SAASA,EAAK,KAAK,MAAM,CAAC,EAAG,EAAE,CAC1C,CACA,SAASwD,GAAcC,EAAK,CACxB,OAAQA,EAAG,CACP,IAAK,QACD,MAAO,QACX,IAAK,QACD,MAAO,QACX,IAAK,QACD,MAAO,QACX,QACI,MAAM,IAAI,MAAM,aAAa,CACzC,CACA,CACA,SAASC,GAAWC,EAAKC,EAAO,CAC5B,GAAa,CAACD,EAAI,OAAO,SAASC,CAAK,EACnC,MAAM,IAAI,UAAU,sEAAsEA,CAAK,GAAG,CAE1G,CACO,SAASC,GAAkBF,EAAKF,EAAKG,EAAO,CAC/C,OAAQH,EAAG,CACP,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACJ,EAAYM,EAAI,UAAW,MAAM,EAClC,MAAMT,EAAS,MAAM,EACzB,MAAMY,EAAW,SAASL,EAAI,MAAM,CAAC,EAAG,EAAE,EAE1C,GADeF,EAAcI,EAAI,UAAU,IAAI,IAChCG,EACX,MAAMZ,EAAS,OAAOY,CAAQ,GAAI,gBAAgB,EACtD,KACJ,CACA,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACT,EAAYM,EAAI,UAAW,mBAAmB,EAC/C,MAAMT,EAAS,mBAAmB,EACtC,MAAMY,EAAW,SAASL,EAAI,MAAM,CAAC,EAAG,EAAE,EAE1C,GADeF,EAAcI,EAAI,UAAU,IAAI,IAChCG,EACX,MAAMZ,EAAS,OAAOY,CAAQ,GAAI,gBAAgB,EACtD,KACJ,CACA,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACT,EAAYM,EAAI,UAAW,SAAS,EACrC,MAAMT,EAAS,SAAS,EAC5B,MAAMY,EAAW,SAASL,EAAI,MAAM,CAAC,EAAG,EAAE,EAE1C,GADeF,EAAcI,EAAI,UAAU,IAAI,IAChCG,EACX,MAAMZ,EAAS,OAAOY,CAAQ,GAAI,gBAAgB,EACtD,KACJ,CACA,IAAK,UACL,IAAK,QAAS,CACV,GAAI,CAACT,EAAYM,EAAI,UAAW,SAAS,EACrC,MAAMT,EAAS,SAAS,EAC5B,KACJ,CACA,IAAK,YACL,IAAK,YACL,IAAK,YAAa,CACd,GAAI,CAACG,EAAYM,EAAI,UAAWF,CAAG,EAC/B,MAAMP,EAASO,CAAG,EACtB,KACJ,CACA,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACJ,EAAYM,EAAI,UAAW,OAAO,EACnC,MAAMT,EAAS,OAAO,EAC1B,MAAMY,EAAWN,GAAcC,CAAG,EAElC,GADeE,EAAI,UAAU,aACdG,EACX,MAAMZ,EAASY,EAAU,sBAAsB,EACnD,KACJ,CACA,QACI,MAAM,IAAI,UAAU,2CAA2C,CAC3E,CACIJ,GAAWC,EAAKC,CAAK,CACzB,CCrFA,SAASzF,GAAQ4F,EAAKC,KAAWC,EAAO,CAEpC,GADAA,EAAQA,EAAM,OAAO,OAAO,EACxBA,EAAM,OAAS,EAAG,CAClB,MAAMC,EAAOD,EAAM,IAAG,EACtBF,GAAO,eAAeE,EAAM,KAAK,IAAI,CAAC,QAAQC,CAAI,GACtD,MACSD,EAAM,SAAW,EACtBF,GAAO,eAAeE,EAAM,CAAC,CAAC,OAAOA,EAAM,CAAC,CAAC,IAG7CF,GAAO,WAAWE,EAAM,CAAC,CAAC,IAE9B,OAAID,GAAU,KACVD,GAAO,aAAaC,CAAM,GAErB,OAAOA,GAAW,YAAcA,EAAO,KAC5CD,GAAO,sBAAsBC,EAAO,IAAI,GAEnC,OAAOA,GAAW,UAAYA,GAAU,MACzCA,EAAO,aAAa,OACpBD,GAAO,4BAA4BC,EAAO,YAAY,IAAI,IAG3DD,CACX,CACO,MAAMI,GAAkB,CAACH,KAAWC,IAAU9F,GAAQ,eAAgB6F,EAAQ,GAAGC,CAAK,EAChFG,GAAU,CAACX,EAAKO,KAAWC,IAAU9F,GAAQ,eAAesF,CAAG,sBAAuBO,EAAQ,GAAGC,CAAK,ECrBtGI,GAAeV,GAAQ,CAChC,GAAIA,IAAM,OAAO,WAAW,IAAM,YAC9B,MAAO,GACX,GAAI,CACA,OAAOA,aAAe,SAC1B,MACM,CACF,MAAO,EACX,CACJ,EACaW,GAAeX,GAAQA,IAAM,OAAO,WAAW,IAAM,YACrDY,GAAaZ,GAAQU,GAAYV,CAAG,GAAKW,GAAYX,CAAG,EChB9D,SAASa,MAAcvF,EAAS,CACnC,MAAMwF,EAAUxF,EAAQ,OAAO,OAAO,EACtC,GAAIwF,EAAQ,SAAW,GAAKA,EAAQ,SAAW,EAC3C,MAAO,GAEX,IAAIjD,EACJ,UAAWkD,KAAUD,EAAS,CAC1B,MAAME,EAAa,OAAO,KAAKD,CAAM,EACrC,GAAI,CAAClD,GAAOA,EAAI,OAAS,EAAG,CACxBA,EAAM,IAAI,IAAImD,CAAU,EACxB,QACJ,CACA,UAAWC,KAAaD,EAAY,CAChC,GAAInD,EAAI,IAAIoD,CAAS,EACjB,MAAO,GAEXpD,EAAI,IAAIoD,CAAS,CACrB,CACJ,CACA,MAAO,EACX,CCpBA,MAAMC,GAAgBC,GAAU,OAAOA,GAAU,UAAYA,IAAU,KAChE,SAASC,EAAS5C,EAAO,CAC5B,GAAI,CAAC0C,GAAa1C,CAAK,GAAK,OAAO,UAAU,SAAS,KAAKA,CAAK,IAAM,kBAClE,MAAO,GAEX,GAAI,OAAO,eAAeA,CAAK,IAAM,KACjC,MAAO,GAEX,IAAI6C,EAAQ7C,EACZ,KAAO,OAAO,eAAe6C,CAAK,IAAM,MACpCA,EAAQ,OAAO,eAAeA,CAAK,EAEvC,OAAO,OAAO,eAAe7C,CAAK,IAAM6C,CAC5C,CCbO,SAASC,GAAexB,EAAKE,EAAK,CACrC,GAAIF,EAAI,WAAW,IAAI,GAAKA,EAAI,WAAW,IAAI,EAAG,CAC9C,KAAM,CAAE,cAAAyB,GAAkBvB,EAAI,UAC9B,GAAI,OAAOuB,GAAkB,UAAYA,EAAgB,KACrD,MAAM,IAAI,UAAU,GAAGzB,CAAG,uDAAuD,CAEzF,CACJ,CCNA,SAAS0B,GAAcC,EAAK,CACxB,IAAI9B,EACA+B,EACJ,OAAQD,EAAI,IAAG,CACX,IAAK,MAAO,CACR,OAAQA,EAAI,IAAG,CACX,IAAK,YACL,IAAK,YACL,IAAK,YACD9B,EAAY,CAAE,KAAM8B,EAAI,GAAG,EAC3BC,EAAYD,EAAI,KAAO,CAAC,MAAM,EAAI,CAAC,QAAQ,EAC3C,MACJ,QACI,MAAM,IAAI1C,EAAiB,8DAA8D,CAC7G,CACY,KACJ,CACA,IAAK,MAAO,CACR,OAAQ0C,EAAI,IAAG,CACX,IAAK,QACL,IAAK,QACL,IAAK,QACD9B,EAAY,CAAE,KAAM,UAAW,KAAM,OAAO8B,EAAI,IAAI,MAAM,EAAE,CAAC,EAAE,EAC/DC,EAAYD,EAAI,EAAI,CAAC,MAAM,EAAI,CAAC,QAAQ,EACxC,MACJ,IAAK,QACL,IAAK,QACL,IAAK,QACD9B,EAAY,CAAE,KAAM,oBAAqB,KAAM,OAAO8B,EAAI,IAAI,MAAM,EAAE,CAAC,EAAE,EACzEC,EAAYD,EAAI,EAAI,CAAC,MAAM,EAAI,CAAC,QAAQ,EACxC,MACJ,IAAK,WACL,IAAK,eACL,IAAK,eACL,IAAK,eACD9B,EAAY,CACR,KAAM,WACN,KAAM,OAAO,SAAS8B,EAAI,IAAI,MAAM,EAAE,EAAG,EAAE,GAAK,CAAC,EACzE,EACoBC,EAAYD,EAAI,EAAI,CAAC,UAAW,WAAW,EAAI,CAAC,UAAW,SAAS,EACpE,MACJ,QACI,MAAM,IAAI1C,EAAiB,8DAA8D,CAC7G,CACY,KACJ,CACA,IAAK,KAAM,CACP,OAAQ0C,EAAI,IAAG,CACX,IAAK,QACD9B,EAAY,CAAE,KAAM,QAAS,WAAY,OAAO,EAChD+B,EAAYD,EAAI,EAAI,CAAC,MAAM,EAAI,CAAC,QAAQ,EACxC,MACJ,IAAK,QACD9B,EAAY,CAAE,KAAM,QAAS,WAAY,OAAO,EAChD+B,EAAYD,EAAI,EAAI,CAAC,MAAM,EAAI,CAAC,QAAQ,EACxC,MACJ,IAAK,QACD9B,EAAY,CAAE,KAAM,QAAS,WAAY,OAAO,EAChD+B,EAAYD,EAAI,EAAI,CAAC,MAAM,EAAI,CAAC,QAAQ,EACxC,MACJ,IAAK,UACL,IAAK,iBACL,IAAK,iBACL,IAAK,iBACD9B,EAAY,CAAE,KAAM,OAAQ,WAAY8B,EAAI,GAAG,EAC/CC,EAAYD,EAAI,EAAI,CAAC,YAAY,EAAI,CAAA,EACrC,MACJ,QACI,MAAM,IAAI1C,EAAiB,8DAA8D,CAC7G,CACY,KACJ,CACA,IAAK,MAAO,CACR,OAAQ0C,EAAI,IAAG,CACX,IAAK,UACL,IAAK,QACD9B,EAAY,CAAE,KAAM,SAAS,EAC7B+B,EAAYD,EAAI,EAAI,CAAC,MAAM,EAAI,CAAC,QAAQ,EACxC,MACJ,IAAK,UACL,IAAK,iBACL,IAAK,iBACL,IAAK,iBACD9B,EAAY,CAAE,KAAM8B,EAAI,GAAG,EAC3BC,EAAYD,EAAI,EAAI,CAAC,YAAY,EAAI,CAAA,EACrC,MACJ,QACI,MAAM,IAAI1C,EAAiB,8DAA8D,CAC7G,CACY,KACJ,CACA,QACI,MAAM,IAAIA,EAAiB,6DAA6D,CACpG,CACI,MAAO,CAAE,UAAAY,EAAW,UAAA+B,CAAS,CACjC,CACO,eAAeC,EAASF,EAAK,CAChC,GAAI,CAACA,EAAI,IACL,MAAM,IAAI,UAAU,0DAA0D,EAElF,KAAM,CAAE,UAAA9B,EAAW,UAAA+B,GAAcF,GAAcC,CAAG,EAC5CG,EAAU,CAAE,GAAGH,CAAG,EACxB,OAAIG,EAAQ,MAAQ,OAChB,OAAOA,EAAQ,IAEnB,OAAOA,EAAQ,IACR,OAAO,OAAO,UAAU,MAAOA,EAASjC,EAAW8B,EAAI,KAAQ,EAAAA,EAAI,GAAKA,EAAI,MAAsBA,EAAI,SAAWC,CAAS,CACrI,CCrFO,eAAeG,GAAUJ,EAAK3B,EAAK1E,EAAS,CAC/C,GAAI,CAACgG,EAASK,CAAG,EACb,MAAM,IAAI,UAAU,uBAAuB,EAE/C,IAAIK,EAGJ,OAFAhC,IAAQ2B,EAAI,IACZK,IAAgCL,EAAI,IAC5BA,EAAI,IAAG,CACX,IAAK,MACD,GAAI,OAAOA,EAAI,GAAM,UAAY,CAACA,EAAI,EAClC,MAAM,IAAI,UAAU,yCAAyC,EAEjE,OAAOM,EAAgBN,EAAI,CAAC,EAChC,IAAK,MACD,GAAI,QAASA,GAAOA,EAAI,MAAQ,OAC5B,MAAM,IAAI1C,EAAiB,oEAAoE,EAEnG,OAAO4C,EAAS,CAAE,GAAGF,EAAK,IAAA3B,EAAK,IAAAgC,CAAG,CAAE,EACxC,IAAK,MAAO,CACR,GAAI,OAAOL,EAAI,KAAQ,UAAY,CAACA,EAAI,IACpC,MAAM,IAAI,UAAU,2CAA2C,EAEnE,GAAI3B,IAAQ,QAAaA,IAAQ2B,EAAI,IACjC,MAAM,IAAI,UAAU,uCAAuC,EAE/D,OAAOE,EAAS,CAAE,GAAGF,EAAK,IAAAK,CAAG,CAAE,CACnC,CACA,IAAK,KACL,IAAK,MACD,OAAOH,EAAS,CAAE,GAAGF,EAAK,IAAA3B,EAAK,IAAAgC,CAAG,CAAE,EACxC,QACI,MAAM,IAAI/C,EAAiB,8CAA8C,CACrF,CACA,CCvDO,SAASiD,GAAaC,EAAKC,EAAmBC,EAAkBC,EAAiBC,EAAY,CAChG,GAAIA,EAAW,OAAS,QAAaD,GAAiB,OAAS,OAC3D,MAAM,IAAIH,EAAI,gEAAgE,EAElF,GAAI,CAACG,GAAmBA,EAAgB,OAAS,OAC7C,OAAO,IAAI,IAEf,GAAI,CAAC,MAAM,QAAQA,EAAgB,IAAI,GACnCA,EAAgB,KAAK,SAAW,GAChCA,EAAgB,KAAK,KAAM5D,GAAU,OAAOA,GAAU,UAAYA,EAAM,SAAW,CAAC,EACpF,MAAM,IAAIyD,EAAI,uFAAuF,EAEzG,IAAIK,EAKAA,EAAaJ,EAEjB,UAAWjB,KAAamB,EAAgB,KAAM,CAC1C,GAAI,CAACE,EAAW,IAAIrB,CAAS,EACzB,MAAM,IAAIlC,EAAiB,+BAA+BkC,CAAS,qBAAqB,EAE5F,GAAIoB,EAAWpB,CAAS,IAAM,OAC1B,MAAM,IAAIgB,EAAI,+BAA+BhB,CAAS,cAAc,EAExE,GAAIqB,EAAW,IAAIrB,CAAS,GAAKmB,EAAgBnB,CAAS,IAAM,OAC5D,MAAM,IAAIgB,EAAI,+BAA+BhB,CAAS,+BAA+B,CAE7F,CACA,OAAO,IAAI,IAAImB,EAAgB,IAAI,CACvC,CC/BO,MAAMG,EAASvC,GAAQoB,EAASpB,CAAG,GAAK,OAAOA,EAAI,KAAQ,SACrDwC,GAAgBxC,GAAQA,EAAI,MAAQ,QAC3CA,EAAI,MAAQ,OAAS,OAAOA,EAAI,MAAS,UAAa,OAAOA,EAAI,GAAM,UAChEyC,GAAezC,GAAQA,EAAI,MAAQ,OAASA,EAAI,IAAM,QAAaA,EAAI,OAAS,OAChF0C,GAAe1C,GAAQA,EAAI,MAAQ,OAAS,OAAOA,EAAI,GAAM,SCD1E,IAAI2C,EACJ,MAAMC,EAAY,MAAO5C,EAAKyB,EAAK3B,EAAK+C,EAAS,KAAU,CACvDF,IAAU,IAAI,QACd,IAAIG,EAASH,EAAM,IAAI3C,CAAG,EAC1B,GAAI8C,IAAShD,CAAG,EACZ,OAAOgD,EAAOhD,CAAG,EAErB,MAAMiD,EAAY,MAAMpB,EAAS,CAAE,GAAGF,EAAK,IAAA3B,CAAG,CAAE,EAChD,OAAI+C,GACA,OAAO,OAAO7C,CAAG,EAChB8C,EAIDA,EAAOhD,CAAG,EAAIiD,EAHdJ,EAAM,IAAI3C,EAAK,CAAE,CAACF,CAAG,EAAGiD,CAAS,CAAE,EAKhCA,CACX,EACMC,GAAkB,CAACC,EAAWnD,IAAQ,CACxC6C,IAAU,IAAI,QACd,IAAIG,EAASH,EAAM,IAAIM,CAAS,EAChC,GAAIH,IAAShD,CAAG,EACZ,OAAOgD,EAAOhD,CAAG,EAErB,MAAMoD,EAAWD,EAAU,OAAS,SAC9BE,EAAc,EAAAD,EACpB,IAAIH,EACJ,GAAIE,EAAU,oBAAsB,SAAU,CAC1C,OAAQnD,EAAG,CACP,IAAK,UACL,IAAK,iBACL,IAAK,iBACL,IAAK,iBACD,MACJ,QACI,MAAM,IAAI,UAAU,4DAA4D,CAChG,CACQiD,EAAYE,EAAU,YAAYA,EAAU,kBAAmBE,EAAaD,EAAW,CAAA,EAAK,CAAC,YAAY,CAAC,CAC9G,CACA,GAAID,EAAU,oBAAsB,UAAW,CAC3C,GAAInD,IAAQ,SAAWA,IAAQ,UAC3B,MAAM,IAAI,UAAU,4DAA4D,EAEpFiD,EAAYE,EAAU,YAAYA,EAAU,kBAAmBE,EAAa,CACxED,EAAW,SAAW,MAClC,CAAS,CACL,CACA,OAAQD,EAAU,kBAAiB,CAC/B,IAAK,YACL,IAAK,YACL,IAAK,YAAa,CACd,GAAInD,IAAQmD,EAAU,kBAAkB,YAAW,EAC/C,MAAM,IAAI,UAAU,4DAA4D,EAEpFF,EAAYE,EAAU,YAAYA,EAAU,kBAAmBE,EAAa,CACxED,EAAW,SAAW,MACtC,CAAa,CACL,CACR,CACI,GAAID,EAAU,oBAAsB,MAAO,CACvC,IAAI5G,EACJ,OAAQyD,EAAG,CACP,IAAK,WACDzD,EAAO,QACP,MACJ,IAAK,QACL,IAAK,QACL,IAAK,eACDA,EAAO,UACP,MACJ,IAAK,QACL,IAAK,QACL,IAAK,eACDA,EAAO,UACP,MACJ,IAAK,QACL,IAAK,QACL,IAAK,eACDA,EAAO,UACP,MACJ,QACI,MAAM,IAAI,UAAU,4DAA4D,CAChG,CACQ,GAAIyD,EAAI,WAAW,UAAU,EACzB,OAAOmD,EAAU,YAAY,CACzB,KAAM,WACN,KAAA5G,CAChB,EAAe8G,EAAaD,EAAW,CAAC,SAAS,EAAI,CAAC,SAAS,CAAC,EAExDH,EAAYE,EAAU,YAAY,CAC9B,KAAMnD,EAAI,WAAW,IAAI,EAAI,UAAY,oBACzC,KAAAzD,CACZ,EAAW8G,EAAa,CAACD,EAAW,SAAW,MAAM,CAAC,CAClD,CACA,GAAID,EAAU,oBAAsB,KAAM,CAMtC,MAAMG,EALO,IAAI,IAAI,CACjB,CAAC,aAAc,OAAO,EACtB,CAAC,YAAa,OAAO,EACrB,CAAC,YAAa,OAAO,CACjC,CAAS,EACuB,IAAIH,EAAU,sBAAsB,UAAU,EACtE,GAAI,CAACG,EACD,MAAM,IAAI,UAAU,4DAA4D,EAEhFtD,IAAQ,SAAWsD,IAAe,UAClCL,EAAYE,EAAU,YAAY,CAC9B,KAAM,QACN,WAAAG,CAChB,EAAeD,EAAa,CAACD,EAAW,SAAW,MAAM,CAAC,GAE9CpD,IAAQ,SAAWsD,IAAe,UAClCL,EAAYE,EAAU,YAAY,CAC9B,KAAM,QACN,WAAAG,CAChB,EAAeD,EAAa,CAACD,EAAW,SAAW,MAAM,CAAC,GAE9CpD,IAAQ,SAAWsD,IAAe,UAClCL,EAAYE,EAAU,YAAY,CAC9B,KAAM,QACN,WAAAG,CAChB,EAAeD,EAAa,CAACD,EAAW,SAAW,MAAM,CAAC,GAE9CpD,EAAI,WAAW,SAAS,IACxBiD,EAAYE,EAAU,YAAY,CAC9B,KAAM,OACN,WAAAG,CAChB,EAAeD,EAAaD,EAAW,GAAK,CAAC,YAAY,CAAC,EAEtD,CACA,GAAI,CAACH,EACD,MAAM,IAAI,UAAU,4DAA4D,EAEpF,OAAKD,EAIDA,EAAOhD,CAAG,EAAIiD,EAHdJ,EAAM,IAAIM,EAAW,CAAE,CAACnD,CAAG,EAAGiD,CAAS,CAAE,EAKtCA,CACX,EACO,eAAeM,GAAarD,EAAKF,EAAK,CAIzC,GAHIE,aAAe,YAGfU,GAAYV,CAAG,EACf,OAAOA,EAEX,GAAIW,GAAYX,CAAG,EAAG,CAClB,GAAIA,EAAI,OAAS,SACb,OAAOA,EAAI,OAAM,EAErB,GAAI,gBAAiBA,GAAO,OAAOA,EAAI,aAAgB,WACnD,GAAI,CACA,OAAOgD,GAAgBhD,EAAKF,CAAG,CACnC,OACOwD,EAAK,CACR,GAAIA,aAAe,UACf,MAAMA,CAEd,CAEJ,IAAI7B,EAAMzB,EAAI,OAAO,CAAE,OAAQ,KAAK,CAAE,EACtC,OAAO4C,EAAU5C,EAAKyB,EAAK3B,CAAG,CAClC,CACA,GAAIyC,EAAMvC,CAAG,EACT,OAAIA,EAAI,EACGzB,EAAOyB,EAAI,CAAC,EAEhB4C,EAAU5C,EAAKA,EAAKF,EAAK,EAAI,EAExC,MAAM,IAAI,MAAM,aAAa,CACjC,CC5KA,MAAMyD,EAAOvD,GAAQA,IAAM,OAAO,WAAW,EACvCwD,EAAe,CAAC1D,EAAKE,EAAKC,IAAU,CACtC,GAAID,EAAI,MAAQ,OAAW,CACvB,IAAIG,EACJ,OAAQF,EAAK,CACT,IAAK,OACL,IAAK,SACDE,EAAW,MACX,MACJ,IAAK,UACL,IAAK,UACDA,EAAW,MACX,KAChB,CACQ,GAAIH,EAAI,MAAQG,EACZ,MAAM,IAAI,UAAU,sDAAsDA,CAAQ,gBAAgB,CAE1G,CACA,GAAIH,EAAI,MAAQ,QAAaA,EAAI,MAAQF,EACrC,MAAM,IAAI,UAAU,sDAAsDA,CAAG,gBAAgB,EAEjG,GAAI,MAAM,QAAQE,EAAI,OAAO,EAAG,CAC5B,IAAIyD,EACJ,OAAQ,GAAI,CACR,KAAyBxD,IAAU,SACnC,KAAKH,IAAQ,MACb,KAAKA,EAAI,SAAS,QAAQ,EACtB2D,EAAgBxD,EAChB,MACJ,KAAKH,EAAI,WAAW,OAAO,EACvB2D,EAAgB,aAChB,MACJ,IAAK,0BAA0B,KAAK3D,CAAG,EAC/B,CAACA,EAAI,SAAS,KAAK,GAAKA,EAAI,SAAS,IAAI,EACzC2D,EAAkD,YAGlDA,EAAgBxD,EAEpB,MACJ,KAAKA,IAAU,UACXwD,EAAgB,UAChB,MACJ,KAAKxD,IAAU,UACXwD,EAAgB3D,EAAI,WAAW,KAAK,EAAI,YAAc,aACtD,KAChB,CACQ,GAAI2D,GAAiBzD,EAAI,SAAS,WAAWyD,CAAa,IAAM,GAC5D,MAAM,IAAI,UAAU,+DAA+DA,CAAa,gBAAgB,CAExH,CACA,MAAO,EACX,EACMC,GAAqB,CAAC5D,EAAKE,EAAKC,IAAU,CAC5C,GAAI,EAAAD,aAAe,YAEnB,IAAI2D,EAAU3D,CAAG,EAAG,CAChB,GAAI4D,GAAgB5D,CAAG,GAAKwD,EAAa1D,EAAKE,EAAKC,CAAK,EACpD,OACJ,MAAM,IAAI,UAAU,yHAAyH,CACjJ,CACA,GAAI,CAACW,GAAUZ,CAAG,EACd,MAAM,IAAI,UAAUQ,GAAgBV,EAAKE,EAAK,YAAa,YAAa,eAAgB,YAAY,CAAC,EAEzG,GAAIA,EAAI,OAAS,SACb,MAAM,IAAI,UAAU,GAAGuD,EAAIvD,CAAG,CAAC,8DAA8D,EAErG,EACM6D,GAAsB,CAAC/D,EAAKE,EAAKC,IAAU,CAC7C,GAAI0D,EAAU3D,CAAG,EACb,OAAQC,EAAK,CACT,IAAK,UACL,IAAK,OACD,GAAI6D,GAAiB9D,CAAG,GAAKwD,EAAa1D,EAAKE,EAAKC,CAAK,EACrD,OACJ,MAAM,IAAI,UAAU,uDAAuD,EAC/E,IAAK,UACL,IAAK,SACD,GAAI8D,GAAgB/D,CAAG,GAAKwD,EAAa1D,EAAKE,EAAKC,CAAK,EACpD,OACJ,MAAM,IAAI,UAAU,sDAAsD,CAC1F,CAEI,GAAI,CAACW,GAAUZ,CAAG,EACd,MAAM,IAAI,UAAUQ,GAAgBV,EAAKE,EAAK,YAAa,YAAa,cAAc,CAAC,EAE3F,GAAIA,EAAI,OAAS,SACb,MAAM,IAAI,UAAU,GAAGuD,EAAIvD,CAAG,CAAC,mEAAmE,EAEtG,GAAIA,EAAI,OAAS,SACb,OAAQC,EAAK,CACT,IAAK,OACD,MAAM,IAAI,UAAU,GAAGsD,EAAIvD,CAAG,CAAC,uEAAuE,EAC1G,IAAK,UACD,MAAM,IAAI,UAAU,GAAGuD,EAAIvD,CAAG,CAAC,0EAA0E,CACzH,CAEI,GAAIA,EAAI,OAAS,UACb,OAAQC,EAAK,CACT,IAAK,SACD,MAAM,IAAI,UAAU,GAAGsD,EAAIvD,CAAG,CAAC,wEAAwE,EAC3G,IAAK,UACD,MAAM,IAAI,UAAU,GAAGuD,EAAIvD,CAAG,CAAC,yEAAyE,CACxH,CAEA,EACO,SAASgE,GAAalE,EAAKE,EAAKC,EAAO,CAC1C,OAAQH,EAAI,UAAU,EAAG,CAAC,EAAC,CACvB,IAAK,KACL,IAAK,KACL,IAAK,KACL,IAAK,KACL,IAAK,KACD4D,GAAmB5D,EAAKE,EAAKC,CAAK,EAClC,MACJ,QACI4D,GAAoB/D,EAAKE,EAAKC,CAAK,CAC/C,CACA,CCxHO,SAASgE,GAAgBnE,EAAKH,EAAW,CAC5C,MAAMtD,EAAO,OAAOyD,EAAI,MAAM,EAAE,CAAC,GACjC,OAAQA,EAAG,CACP,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAzD,EAAM,KAAM,MAAM,EAC/B,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAA,EAAM,KAAM,UAAW,WAAY,SAASyD,EAAI,MAAM,EAAE,EAAG,EAAE,GAAK,CAAC,EAChF,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAzD,EAAM,KAAM,mBAAmB,EAC5C,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAA,EAAM,KAAM,QAAS,WAAYsD,EAAU,UAAU,EAClE,IAAK,UACL,IAAK,QACD,MAAO,CAAE,KAAM,SAAS,EAC5B,IAAK,YACL,IAAK,YACL,IAAK,YACD,MAAO,CAAE,KAAMG,CAAG,EACtB,QACI,MAAM,IAAIf,EAAiB,OAAOe,CAAG,6DAA6D,CAC9G,CACA,CC5BO,eAAeoE,GAAUpE,EAAKE,EAAKC,EAAO,CAC7C,GAAID,aAAe,WAAY,CAC3B,GAAI,CAACF,EAAI,WAAW,IAAI,EACpB,MAAM,IAAI,UAAUU,GAAgBR,EAAK,YAAa,YAAa,cAAc,CAAC,EAEtF,OAAO,OAAO,OAAO,UAAU,MAAOA,EAAK,CAAE,KAAM,OAAOF,EAAI,MAAM,EAAE,CAAC,GAAI,KAAM,MAAM,EAAI,GAAO,CAACG,CAAK,CAAC,CAC7G,CACA,OAAAC,GAAkBF,EAAKF,EAAKG,CAAK,EAC1BD,CACX,CCRO,eAAemE,GAAOrE,EAAKE,EAAKoE,EAAWtI,EAAM,CACpD,MAAMiH,EAAY,MAAMmB,GAAUpE,EAAKE,EAAK,QAAQ,EACpDsB,GAAexB,EAAKiD,CAAS,EAC7B,MAAMpD,EAAYsE,GAAgBnE,EAAKiD,EAAU,SAAS,EAC1D,GAAI,CACA,OAAO,MAAM,OAAO,OAAO,OAAOpD,EAAWoD,EAAWqB,EAAWtI,CAAI,CAC3E,MACM,CACF,MAAO,EACX,CACJ,CCHO,eAAeuI,GAAgBC,EAAKtE,EAAK5E,EAAS,CACrD,GAAI,CAACgG,EAASkD,CAAG,EACb,MAAM,IAAItF,EAAW,iCAAiC,EAE1D,GAAIsF,EAAI,YAAc,QAAaA,EAAI,SAAW,OAC9C,MAAM,IAAItF,EAAW,uEAAuE,EAEhG,GAAIsF,EAAI,YAAc,QAAa,OAAOA,EAAI,WAAc,SACxD,MAAM,IAAItF,EAAW,qCAAqC,EAE9D,GAAIsF,EAAI,UAAY,OAChB,MAAM,IAAItF,EAAW,qBAAqB,EAE9C,GAAI,OAAOsF,EAAI,WAAc,SACzB,MAAM,IAAItF,EAAW,yCAAyC,EAElE,GAAIsF,EAAI,SAAW,QAAa,CAAClD,EAASkD,EAAI,MAAM,EAChD,MAAM,IAAItF,EAAW,uCAAuC,EAEhE,IAAIuF,EAAa,CAAA,EACjB,GAAID,EAAI,UACJ,GAAI,CACA,MAAMlC,EAAkBoC,EAAKF,EAAI,SAAS,EAC1CC,EAAa,KAAK,MAAM9G,EAAQ,OAAO2E,CAAe,CAAC,CAC3D,MACM,CACF,MAAM,IAAIpD,EAAW,iCAAiC,CAC1D,CAEJ,GAAI,CAAC6B,GAAW0D,EAAYD,EAAI,MAAM,EAClC,MAAM,IAAItF,EAAW,2EAA2E,EAEpG,MAAMqD,EAAa,CACf,GAAGkC,EACH,GAAGD,EAAI,MACf,EACUG,EAAazC,GAAahD,EAAY,IAAI,IAAI,CAAC,CAAC,MAAO,EAAI,CAAC,CAAC,EAAG5D,GAAS,KAAMmJ,EAAYlC,CAAU,EAC3G,IAAIqC,EAAM,GACV,GAAID,EAAW,IAAI,KAAK,IACpBC,EAAMH,EAAW,IACb,OAAOG,GAAQ,WACf,MAAM,IAAI1F,EAAW,yEAAyE,EAGtG,KAAM,CAAE,IAAAc,CAAG,EAAKuC,EAChB,GAAI,OAAOvC,GAAQ,UAAY,CAACA,EAC5B,MAAM,IAAId,EAAW,2DAA2D,EAMpF,GAAI0F,GACA,GAAI,OAAOJ,EAAI,SAAY,SACvB,MAAM,IAAItF,EAAW,8BAA8B,UAGlD,OAAOsF,EAAI,SAAY,UAAY,EAAEA,EAAI,mBAAmB,YACjE,MAAM,IAAItF,EAAW,wDAAwD,EAEjF,IAAI2F,EAAc,GACd,OAAO3E,GAAQ,aACfA,EAAM,MAAMA,EAAIuE,EAAYD,CAAG,EAC/BK,EAAc,IAElBX,GAAalE,EAAKE,EAAK,QAAQ,EAC/B,MAAMlE,EAAO4B,GAAO4G,EAAI,YAAc,OAAYrG,EAAOqG,EAAI,SAAS,EAAI,IAAI,WAAcrG,EAAO,GAAG,EAAG,OAAOqG,EAAI,SAAY,SAC1HI,EACIzG,EAAOqG,EAAI,OAAO,EAClB9G,EAAQ,OAAO8G,EAAI,OAAO,EAC9BA,EAAI,OAAO,EACjB,IAAIF,EACJ,GAAI,CACAA,EAAYI,EAAKF,EAAI,SAAS,CAClC,MACM,CACF,MAAM,IAAItF,EAAW,0CAA0C,CACnE,CACA,MAAM4F,EAAI,MAAMvB,GAAarD,EAAKF,CAAG,EAErC,GAAI,CADa,MAAMqE,GAAOrE,EAAK8E,EAAGR,EAAWtI,CAAI,EAEjD,MAAM,IAAIwD,GAEd,IAAIX,EACJ,GAAI+F,EACA,GAAI,CACA/F,EAAU6F,EAAKF,EAAI,OAAO,CAC9B,MACM,CACF,MAAM,IAAItF,EAAW,wCAAwC,CACjE,MAEK,OAAOsF,EAAI,SAAY,SAC5B3F,EAAUnB,EAAQ,OAAO8G,EAAI,OAAO,EAGpC3F,EAAU2F,EAAI,QAElB,MAAMO,EAAS,CAAE,QAAAlG,CAAO,EAOxB,OANI2F,EAAI,YAAc,SAClBO,EAAO,gBAAkBN,GAEzBD,EAAI,SAAW,SACfO,EAAO,kBAAoBP,EAAI,QAE/BK,EACO,CAAE,GAAGE,EAAQ,IAAKD,CAAC,EAEvBC,CACX,CCpHO,eAAeC,GAAcR,EAAKtE,EAAK5E,EAAS,CAInD,GAHIkJ,aAAe,aACfA,EAAM7G,EAAQ,OAAO6G,CAAG,GAExB,OAAOA,GAAQ,SACf,MAAM,IAAItF,EAAW,4CAA4C,EAErE,KAAM,CAAE,EAAGoD,EAAiB,EAAGzD,EAAS,EAAGyF,EAAW,OAAAtG,CAAM,EAAKwG,EAAI,MAAM,GAAG,EAC9E,GAAIxG,IAAW,EACX,MAAM,IAAIkB,EAAW,qBAAqB,EAE9C,MAAM+F,EAAW,MAAMV,GAAgB,CAAE,QAAA1F,EAAS,UAAWyD,EAAiB,UAAAgC,CAAS,EAAIpE,EAAK5E,CAAO,EACjGyJ,EAAS,CAAE,QAASE,EAAS,QAAS,gBAAiBA,EAAS,eAAe,EACrF,OAAI,OAAO/E,GAAQ,WACR,CAAE,GAAG6E,EAAQ,IAAKE,EAAS,GAAG,EAElCF,CACX,CCjBA,MAAMG,GAASC,GAAS,KAAK,MAAMA,EAAK,QAAO,EAAK,GAAI,EAClDC,GAAS,GACTC,GAAOD,GAAS,GAChBE,EAAMD,GAAO,GACbE,GAAOD,EAAM,EACbE,GAAOF,EAAM,OACbG,GAAQ,oIACP,SAASC,EAAKC,EAAK,CACtB,MAAMC,EAAUH,GAAM,KAAKE,CAAG,EAC9B,GAAI,CAACC,GAAYA,EAAQ,CAAC,GAAKA,EAAQ,CAAC,EACpC,MAAM,IAAI,UAAU,4BAA4B,EAEpD,MAAMvE,EAAQ,WAAWuE,EAAQ,CAAC,CAAC,EAC7BC,EAAOD,EAAQ,CAAC,EAAE,YAAW,EACnC,IAAIE,EACJ,OAAQD,EAAI,CACR,IAAK,MACL,IAAK,OACL,IAAK,SACL,IAAK,UACL,IAAK,IACDC,EAAc,KAAK,MAAMzE,CAAK,EAC9B,MACJ,IAAK,SACL,IAAK,UACL,IAAK,MACL,IAAK,OACL,IAAK,IACDyE,EAAc,KAAK,MAAMzE,EAAQ+D,EAAM,EACvC,MACJ,IAAK,OACL,IAAK,QACL,IAAK,KACL,IAAK,MACL,IAAK,IACDU,EAAc,KAAK,MAAMzE,EAAQgE,EAAI,EACrC,MACJ,IAAK,MACL,IAAK,OACL,IAAK,IACDS,EAAc,KAAK,MAAMzE,EAAQiE,CAAG,EACpC,MACJ,IAAK,OACL,IAAK,QACL,IAAK,IACDQ,EAAc,KAAK,MAAMzE,EAAQkE,EAAI,EACrC,MACJ,QACIO,EAAc,KAAK,MAAMzE,EAAQmE,EAAI,EACrC,KACZ,CACI,OAAII,EAAQ,CAAC,IAAM,KAAOA,EAAQ,CAAC,IAAM,MAC9B,CAACE,EAELA,CACX,CAOA,MAAMC,EAAgB1E,GACdA,EAAM,SAAS,GAAG,EACXA,EAAM,YAAW,EAErB,eAAeA,EAAM,YAAW,CAAE,GAEvC2E,GAAwB,CAACC,EAAYC,IACnC,OAAOD,GAAe,SACfC,EAAU,SAASD,CAAU,EAEpC,MAAM,QAAQA,CAAU,EACjBC,EAAU,KAAK,IAAI,UAAU,IAAI,KAAK,IAAI,IAAID,CAAU,CAAC,CAAC,EAE9D,GAEJ,SAASE,GAAkB7D,EAAiB8D,EAAgB9K,EAAU,CAAA,EAAI,CAC7E,IAAIuD,EACJ,GAAI,CACAA,EAAU,KAAK,MAAMlB,EAAQ,OAAOyI,CAAc,CAAC,CACvD,MACM,CACN,CACA,GAAI,CAAC9E,EAASzC,CAAO,EACjB,MAAM,IAAIM,EAAW,gDAAgD,EAEzE,KAAM,CAAE,IAAAkH,CAAG,EAAK/K,EAChB,GAAI+K,IACC,OAAO/D,EAAgB,KAAQ,UAC5ByD,EAAazD,EAAgB,GAAG,IAAMyD,EAAaM,CAAG,GAC1D,MAAM,IAAIzH,EAAyB,oCAAqCC,EAAS,MAAO,cAAc,EAE1G,KAAM,CAAE,eAAAyH,EAAiB,GAAI,OAAAC,EAAQ,QAAAC,EAAS,SAAAC,EAAU,YAAAC,CAAW,EAAKpL,EAClEqL,EAAgB,CAAC,GAAGL,CAAc,EACpCI,IAAgB,QAChBC,EAAc,KAAK,KAAK,EACxBF,IAAa,QACbE,EAAc,KAAK,KAAK,EACxBH,IAAY,QACZG,EAAc,KAAK,KAAK,EACxBJ,IAAW,QACXI,EAAc,KAAK,KAAK,EAC5B,UAAW7H,KAAS,IAAI,IAAI6H,EAAc,QAAO,CAAE,EAC/C,GAAI,EAAE7H,KAASD,GACX,MAAM,IAAID,EAAyB,qBAAqBE,CAAK,UAAWD,EAASC,EAAO,SAAS,EAGzG,GAAIyH,GACA,EAAE,MAAM,QAAQA,CAAM,EAAIA,EAAS,CAACA,CAAM,GAAG,SAAS1H,EAAQ,GAAG,EACjE,MAAM,IAAID,EAAyB,+BAAgCC,EAAS,MAAO,cAAc,EAErG,GAAI2H,GAAW3H,EAAQ,MAAQ2H,EAC3B,MAAM,IAAI5H,EAAyB,+BAAgCC,EAAS,MAAO,cAAc,EAErG,GAAI4H,GACA,CAACT,GAAsBnH,EAAQ,IAAK,OAAO4H,GAAa,SAAW,CAACA,CAAQ,EAAIA,CAAQ,EACxF,MAAM,IAAI7H,EAAyB,+BAAgCC,EAAS,MAAO,cAAc,EAErG,IAAI+H,EACJ,OAAQ,OAAOtL,EAAQ,eAAc,CACjC,IAAK,SACDsL,EAAYlB,EAAKpK,EAAQ,cAAc,EACvC,MACJ,IAAK,SACDsL,EAAYtL,EAAQ,eACpB,MACJ,IAAK,YACDsL,EAAY,EACZ,MACJ,QACI,MAAM,IAAI,UAAU,oCAAoC,CACpE,CACI,KAAM,CAAE,YAAAC,CAAW,EAAKvL,EAClBwL,EAAM5B,GAAM2B,GAAe,IAAI,IAAM,EAC3C,IAAKhI,EAAQ,MAAQ,QAAa6H,IAAgB,OAAO7H,EAAQ,KAAQ,SACrE,MAAM,IAAID,EAAyB,+BAAgCC,EAAS,MAAO,SAAS,EAEhG,GAAIA,EAAQ,MAAQ,OAAW,CAC3B,GAAI,OAAOA,EAAQ,KAAQ,SACvB,MAAM,IAAID,EAAyB,+BAAgCC,EAAS,MAAO,SAAS,EAEhG,GAAIA,EAAQ,IAAMiI,EAAMF,EACpB,MAAM,IAAIhI,EAAyB,qCAAsCC,EAAS,MAAO,cAAc,CAE/G,CACA,GAAIA,EAAQ,MAAQ,OAAW,CAC3B,GAAI,OAAOA,EAAQ,KAAQ,SACvB,MAAM,IAAID,EAAyB,+BAAgCC,EAAS,MAAO,SAAS,EAEhG,GAAIA,EAAQ,KAAOiI,EAAMF,EACrB,MAAM,IAAI5H,EAAW,qCAAsCH,EAAS,MAAO,cAAc,CAEjG,CACA,GAAI6H,EAAa,CACb,MAAMK,EAAMD,EAAMjI,EAAQ,IACpBmI,EAAM,OAAON,GAAgB,SAAWA,EAAchB,EAAKgB,CAAW,EAC5E,GAAIK,EAAMH,EAAYI,EAClB,MAAM,IAAIhI,EAAW,2DAA4DH,EAAS,MAAO,cAAc,EAEnH,GAAIkI,EAAM,EAAIH,EACV,MAAM,IAAIhI,EAAyB,gEAAiEC,EAAS,MAAO,cAAc,CAE1I,CACA,OAAOA,CACX,CCrKO,eAAeoI,GAAUC,EAAKhH,EAAK5E,EAAS,CAC/C,MAAM2J,EAAW,MAAMD,GAAckC,EAAKhH,EAAK5E,CAAO,EACtD,GAAI2J,EAAS,gBAAgB,MAAM,SAAS,KAAK,GAAKA,EAAS,gBAAgB,MAAQ,GACnF,MAAM,IAAI9F,EAAW,qCAAqC,EAG9D,MAAM4F,EAAS,CAAE,QADDoB,GAAkBlB,EAAS,gBAAiBA,EAAS,QAAS3J,CAAO,EAC3D,gBAAiB2J,EAAS,eAAe,EACnE,OAAI,OAAO/E,GAAQ,WACR,CAAE,GAAG6E,EAAQ,IAAKE,EAAS,GAAG,EAElCF,CACX,CCXA,SAASoC,GAAcnH,EAAK,CACxB,OAAQ,OAAOA,GAAQ,UAAYA,EAAI,MAAM,EAAG,CAAC,EAAC,CAC9C,IAAK,KACL,IAAK,KACD,MAAO,MACX,IAAK,KACD,MAAO,KACX,IAAK,KACD,MAAO,MACX,IAAK,KACD,MAAO,MACX,QACI,MAAM,IAAIf,EAAiB,gDAAgD,CACvF,CACA,CACA,SAASmI,GAAWC,EAAM,CACtB,OAAQA,GACJ,OAAOA,GAAS,UAChB,MAAM,QAAQA,EAAK,IAAI,GACvBA,EAAK,KAAK,MAAMC,EAAS,CACjC,CACA,SAASA,GAAUpH,EAAK,CACpB,OAAOoB,EAASpB,CAAG,CACvB,CACA,MAAMqH,EAAY,CACdC,GACAC,GAAU,IAAI,QACd,YAAYJ,EAAM,CACd,GAAI,CAACD,GAAWC,CAAI,EAChB,MAAM,IAAIjI,GAAY,4BAA4B,EAEtD,KAAKoI,GAAQ,gBAAgBH,CAAI,CACrC,CACA,MAAO,CACH,OAAO,KAAKG,EAChB,CACA,MAAM,OAAOlF,EAAiBoF,EAAO,CACjC,KAAM,CAAE,IAAA1H,EAAK,IAAA2H,CAAG,EAAK,CAAE,GAAGrF,EAAiB,GAAGoF,GAAO,MAAM,EACrDE,EAAMT,GAAcnH,CAAG,EACvB6H,EAAa,KAAKL,GAAM,KAAK,OAAQ7F,GAAQ,CAC/C,IAAImG,EAAYF,IAAQjG,EAAI,IAa5B,GAZImG,GAAa,OAAOH,GAAQ,WAC5BG,EAAYH,IAAQhG,EAAI,KAExBmG,IAAc,OAAOnG,EAAI,KAAQ,UAAYiG,IAAQ,SACrDE,EAAY9H,IAAQ2B,EAAI,KAExBmG,GAAa,OAAOnG,EAAI,KAAQ,WAChCmG,EAAYnG,EAAI,MAAQ,OAExBmG,GAAa,MAAM,QAAQnG,EAAI,OAAO,IACtCmG,EAAYnG,EAAI,QAAQ,SAAS,QAAQ,GAEzCmG,EACA,OAAQ9H,EAAG,CACP,IAAK,QACD8H,EAAYnG,EAAI,MAAQ,QACxB,MACJ,IAAK,QACDmG,EAAYnG,EAAI,MAAQ,QACxB,MACJ,IAAK,QACDmG,EAAYnG,EAAI,MAAQ,QACxB,MACJ,IAAK,UACL,IAAK,QACDmG,EAAYnG,EAAI,MAAQ,UACxB,KACxB,CAEY,OAAOmG,CACX,CAAC,EACK,CAAE,EAAGnG,EAAK,OAAA3D,CAAM,EAAK6J,EAC3B,GAAI7J,IAAW,EACX,MAAM,IAAIqB,GAEd,GAAIrB,IAAW,EAAG,CACd,MAAMjC,EAAQ,IAAIuD,GACZyI,EAAU,KAAKN,GACrB,MAAA1L,EAAM,OAAO,aAAa,EAAI,iBAAmB,CAC7C,UAAW4F,KAAOkG,EACd,GAAI,CACA,MAAM,MAAMG,EAAmBD,EAASpG,EAAK3B,CAAG,CACpD,MACM,CAAE,CAEhB,EACMjE,CACV,CACA,OAAOiM,EAAmB,KAAKP,GAAS9F,EAAK3B,CAAG,CACpD,CACJ,CACA,eAAegI,EAAmBnF,EAAOlB,EAAK3B,EAAK,CAC/C,MAAMgD,EAASH,EAAM,IAAIlB,CAAG,GAAKkB,EAAM,IAAIlB,EAAK,CAAA,CAAE,EAAE,IAAIA,CAAG,EAC3D,GAAIqB,EAAOhD,CAAG,IAAM,OAAW,CAC3B,MAAME,EAAM,MAAM6B,GAAU,CAAE,GAAGJ,EAAK,IAAK,EAAI,EAAI3B,CAAG,EACtD,GAAIE,aAAe,YAAcA,EAAI,OAAS,SAC1C,MAAM,IAAId,GAAY,8CAA8C,EAExE4D,EAAOhD,CAAG,EAAIE,CAClB,CACA,OAAO8C,EAAOhD,CAAG,CACrB,CACO,SAASiI,EAAkBZ,EAAM,CACpC,MAAMa,EAAM,IAAIX,GAAYF,CAAI,EAC1Bc,EAAc,MAAO7F,EAAiBoF,IAAUQ,EAAI,OAAO5F,EAAiBoF,CAAK,EACvF,cAAO,iBAAiBS,EAAa,CACjC,KAAM,CACF,MAAO,IAAM,gBAAgBD,EAAI,KAAI,CAAE,EACvC,WAAY,GACZ,aAAc,GACd,SAAU,EACtB,CACA,CAAK,EACMC,CACX,CCnHA,SAASC,IAAsB,CAC3B,OAAQ,OAAO,cAAkB,KAC5B,OAAO,UAAc,KAAe,UAAU,YAAc,sBAC5D,OAAO,YAAgB,KAAe,cAAgB,QAC/D,CACA,IAAIC,GACA,OAAO,UAAc,KAAe,CAAC,UAAU,WAAW,aAAa,cAAc,KAGrFA,EAAa,eAEV,MAAMC,GAAc,OAAM,EACjC,eAAeC,GAAU5M,EAAKH,EAASgN,EAAQC,EAAY,MAAO,CAC9D,MAAMzN,EAAW,MAAMyN,EAAU9M,EAAK,CAClC,OAAQ,MACR,OAAA6M,EACA,SAAU,SACV,QAAAhN,CACR,CAAK,EAAE,MAAOgI,GAAQ,CACd,MAAIA,EAAI,OAAS,eACP,IAAIjE,GAERiE,CACV,CAAC,EACD,GAAIxI,EAAS,SAAW,IACpB,MAAM,IAAI2D,EAAU,yDAAyD,EAEjF,GAAI,CACA,OAAO,MAAM3D,EAAS,KAAI,CAC9B,MACM,CACF,MAAM,IAAI2D,EAAU,4DAA4D,CACpF,CACJ,CACO,MAAM+J,EAAY,OAAM,EAC/B,SAASC,GAAiBjK,EAAOkK,EAAa,CAO1C,MANI,SAAOlK,GAAU,UAAYA,IAAU,MAGvC,EAAE,QAASA,IAAU,OAAOA,EAAM,KAAQ,UAAY,KAAK,IAAG,EAAKA,EAAM,KAAOkK,GAGhF,EAAE,SAAUlK,IACZ,CAAC4C,EAAS5C,EAAM,IAAI,GACpB,CAAC,MAAM,QAAQA,EAAM,KAAK,IAAI,GAC9B,CAAC,MAAM,UAAU,MAAM,KAAKA,EAAM,KAAK,KAAM4C,CAAQ,EAI7D,CACA,MAAMuH,EAAa,CACfC,GACAC,GACAC,GACAC,GACAC,GACAC,GACAC,GACAC,GACAC,GACAC,GACA,YAAY5N,EAAKL,EAAS,CACtB,GAAI,EAAEK,aAAe,KACjB,MAAM,IAAI,UAAU,gCAAgC,EAExD,KAAKmN,GAAO,IAAI,IAAInN,EAAI,IAAI,EAC5B,KAAKoN,GACD,OAAOzN,GAAS,iBAAoB,SAAWA,GAAS,gBAAkB,IAC9E,KAAK0N,GACD,OAAO1N,GAAS,kBAAqB,SAAWA,GAAS,iBAAmB,IAChF,KAAK2N,GAAe,OAAO3N,GAAS,aAAgB,SAAWA,GAAS,YAAc,IACtF,KAAK8N,GAAW,IAAI,QAAQ9N,GAAS,OAAO,EACxC+M,GAAc,CAAC,KAAKe,GAAS,IAAI,YAAY,GAC7C,KAAKA,GAAS,IAAI,aAAcf,CAAU,EAEzC,KAAKe,GAAS,IAAI,QAAQ,IAC3B,KAAKA,GAAS,IAAI,SAAU,kBAAkB,EAC9C,KAAKA,GAAS,OAAO,SAAU,0BAA0B,GAE7D,KAAKC,GAAe/N,IAAUgN,EAAW,EACrChN,IAAUoN,CAAS,IAAM,SACzB,KAAKa,GAASjO,IAAUoN,CAAS,EAC7BC,GAAiBrN,IAAUoN,CAAS,EAAG,KAAKO,EAAY,IACxD,KAAKC,GAAiB,KAAKK,GAAO,IAClC,KAAKD,GAASrB,EAAkB,KAAKsB,GAAO,IAAI,GAG5D,CACA,cAAe,CACX,MAAO,CAAC,CAAC,KAAKJ,EAClB,CACA,aAAc,CACV,OAAO,OAAO,KAAKD,IAAmB,SAChC,KAAK,IAAG,EAAK,KAAKA,GAAiB,KAAKF,GACxC,EACV,CACA,OAAQ,CACJ,OAAO,OAAO,KAAKE,IAAmB,SAChC,KAAK,IAAG,EAAK,KAAKA,GAAiB,KAAKD,GACxC,EACV,CACA,MAAO,CACH,OAAO,KAAKK,IAAQ,KAAI,CAC5B,CACA,MAAM,OAAOhH,EAAiBoF,EAAO,EAC7B,CAAC,KAAK4B,IAAU,CAAC,KAAK,MAAK,IAC3B,MAAM,KAAK,OAAM,EAErB,GAAI,CACA,OAAO,MAAM,KAAKA,GAAOhH,EAAiBoF,CAAK,CACnD,OACOlE,EAAK,CACR,GAAIA,aAAenE,IACX,KAAK,YAAW,IAAO,GACvB,aAAM,KAAK,OAAM,EACV,KAAKiK,GAAOhH,EAAiBoF,CAAK,EAGjD,MAAMlE,CACV,CACJ,CACA,MAAM,QAAS,CACP,KAAK2F,IAAiBf,OACtB,KAAKe,GAAgB,QAEzB,KAAKA,KAAkBZ,GAAU,KAAKO,GAAK,KAAM,KAAKM,GAAU,YAAY,QAAQ,KAAKL,EAAgB,EAAG,KAAKM,EAAY,EACxH,KAAMG,GAAS,CAChB,KAAKF,GAASrB,EAAkBuB,CAAI,EAChC,KAAKD,KACL,KAAKA,GAAO,IAAM,KAAK,IAAG,EAC1B,KAAKA,GAAO,KAAOC,GAEvB,KAAKN,GAAiB,KAAK,IAAG,EAC9B,KAAKC,GAAgB,MACzB,CAAC,EACI,MAAO3F,GAAQ,CAChB,WAAK2F,GAAgB,OACf3F,CACV,CAAC,EACD,MAAM,KAAK2F,EACf,CACJ,CACO,SAASM,GAAmB9N,EAAKL,EAAS,CAC7C,MAAM4M,EAAM,IAAIW,GAAalN,EAAKL,CAAO,EACnCoO,EAAe,MAAOpH,EAAiBoF,IAAUQ,EAAI,OAAO5F,EAAiBoF,CAAK,EACxF,cAAO,iBAAiBgC,EAAc,CAClC,YAAa,CACT,IAAK,IAAMxB,EAAI,YAAW,EAC1B,WAAY,GACZ,aAAc,EAC1B,EACQ,MAAO,CACH,IAAK,IAAMA,EAAI,MAAK,EACpB,WAAY,GACZ,aAAc,EAC1B,EACQ,OAAQ,CACJ,MAAO,IAAMA,EAAI,OAAM,EACvB,WAAY,GACZ,aAAc,GACd,SAAU,EACtB,EACQ,UAAW,CACP,IAAK,IAAMA,EAAI,aAAY,EAC3B,WAAY,GACZ,aAAc,EAC1B,EACQ,KAAM,CACF,MAAO,IAAMA,EAAI,KAAI,EACrB,WAAY,GACZ,aAAc,GACd,SAAU,EACtB,CACA,CAAK,EACMwB,CACX,CChLO,MAAMC,EAAc,CACf,QACA,KAER,YAAYC,EAAiB,CACzB,KAAK,QAAUA,EACf,KAAK,KAAOH,GAAmB,IAAI,IAAI,KAAK,OAAO,CAAC,CACxD,CAKA,MAAM,OAAO/B,EAAyC,CAClD,OAAOT,GAAUS,EAAO,KAAK,IAAI,CACrC,CACJ,CCXO,MAAMmC,EAAsC,CACvC,UAAY,IAEpB,MAAM,IAAI3J,EAAqC,CAC3C,OAAO,KAAK,MAAM,IAAIA,CAAG,GAAK,IAClC,CAEA,MAAM,IAAIA,EAAamB,EAA8B,CACjD,KAAK,MAAM,IAAInB,EAAKmB,CAAK,CAC7B,CAEA,MAAM,OAAOnB,EAA4B,CACrC,KAAK,MAAM,OAAOA,CAAG,CACzB,CAEA,MAAM,OAAuB,CACzB,KAAK,MAAM,MAAA,CACf,CACJ,CClBO,MAAM4J,CAAqC,CACtC,OAER,YAAYC,EAAS,WAAY,CAC7B,KAAK,OAASA,CAClB,CAEQ,OAAO7J,EAAqB,CAChC,MAAO,GAAG,KAAK,MAAM,IAAIA,CAAG,EAChC,CAEA,MAAM,IAAIA,EAAqC,CAC3C,OAAI,OAAO,OAAW,IAAoB,KACnC,aAAa,QAAQ,KAAK,OAAOA,CAAG,CAAC,CAChD,CAEA,MAAM,IAAIA,EAAamB,EAA8B,CAC7C,OAAO,OAAW,KACtB,aAAa,QAAQ,KAAK,OAAOnB,CAAG,EAAGmB,CAAK,CAChD,CAEA,MAAM,OAAOnB,EAA4B,CACjC,OAAO,OAAW,KACtB,aAAa,WAAW,KAAK,OAAOA,CAAG,CAAC,CAC5C,CAEA,MAAM,OAAuB,CACzB,GAAI,OAAO,OAAW,IAAa,OACtB,OAAO,KAAK,YAAY,EAAE,OAAQ4E,GAC3CA,EAAE,WAAW,GAAG,KAAK,MAAM,GAAG,CAAA,EAE7B,QAASA,GAAM,aAAa,WAAWA,CAAC,CAAC,CAClD,CACJ,CCjCO,MAAMkF,EAAuC,CACxC,OAER,YAAYD,EAAS,WAAY,CAC7B,KAAK,OAASA,CAClB,CAEQ,OAAO7J,EAAqB,CAChC,MAAO,GAAG,KAAK,MAAM,IAAIA,CAAG,EAChC,CAEA,MAAM,IAAIA,EAAqC,CAC3C,OAAI,OAAO,OAAW,IAAoB,KACnC,eAAe,QAAQ,KAAK,OAAOA,CAAG,CAAC,CAClD,CAEA,MAAM,IAAIA,EAAamB,EAA8B,CAC7C,OAAO,OAAW,KACtB,eAAe,QAAQ,KAAK,OAAOnB,CAAG,EAAGmB,CAAK,CAClD,CAEA,MAAM,OAAOnB,EAA4B,CACjC,OAAO,OAAW,KACtB,eAAe,WAAW,KAAK,OAAOA,CAAG,CAAC,CAC9C,CAEA,MAAM,OAAuB,CACzB,GAAI,OAAO,OAAW,IAAa,OACtB,OAAO,KAAK,cAAc,EAAE,OAAQ4E,GAC7CA,EAAE,WAAW,GAAG,KAAK,MAAM,GAAG,CAAA,EAE7B,QAASA,GAAM,eAAe,WAAWA,CAAC,CAAC,CACpD,CACJ,CCbO,SAASmF,GACZC,EAAoB,eACR,CACZ,OAAQA,EAAA,CACJ,IAAK,SACD,OAAO,IAAIL,GACf,IAAK,eACD,OAAO,IAAIC,EACf,IAAK,iBACD,OAAO,IAAIE,GACf,QACI,OAAO,IAAIF,CAAa,CAEpC,CCtCO,SAASK,EAAanO,EAAgB,CAC3C,OAAI,MAAM,QAAQA,CAAI,EACbA,EAAK,IAAImO,CAAY,EACnB,OAAOnO,GAAS,UAAYA,IAAS,KACvC,OAAO,YACZ,OAAO,QAAQA,CAAI,EAAE,IAAI,CAAC,CAACkE,EAAKmB,CAAK,IAAM,CACzCnB,EAAI,QAAQ,YAAa,CAACkK,EAAGC,IAAMA,EAAE,aAAa,EAClDF,EAAa9I,CAAK,CAAA,CACnB,CAAA,EAGErF,CACT,CCuCO,MAAMsO,EAAe,CAChB,MACA,aACA,cACA,KACA,WACA,cAA8C,IAC9C,YAAc,GAEtB,YAAYlP,EAAwB,CAChC,KAAK,eAAeA,CAAM,EAE1B,MAAM4B,EAAwB,OAAO5B,EAAO,SAAY,SACjDA,EAAO,QACR6O,GAAc7O,EAAO,OAAO,EAE5BmP,EAAUnP,EAAO,SACnB,mDAEJ,KAAK,aAAe,IAAI2B,GAAaC,CAAO,EAC5C,KAAK,MAAQ,IAAIK,GAAcjC,EAAQ,KAAK,YAAY,EACxD,KAAK,cAAgB,IAAIuO,GACrB,GAAGY,CAAO,wBAAA,EAGd,KAAK,KAAO,IAAIpP,EAAW,CACvB,QAASoP,CAAA,CACZ,EACD,KAAK,WAAa,IAAIpP,EAAW,CAC7B,QAAS,0CAAA,CACZ,CACL,CAEQ,eAAeC,EAA8B,CACjD,GAAI,CAACA,EAAO,SAAU,MAAMH,EAAY,aAAa,UAAU,EAC/D,GAAI,CAACG,EAAO,aACR,MAAMH,EAAY,aAAa,cAAc,EAEjD,GAAI,CAACG,EAAO,YAAa,MAAMH,EAAY,aAAa,aAAa,CACzE,CAKA,MAAc,oBAAoBuP,EAAiC,CAC/D,MAAMC,EAAU,MAAM,KAAK,WAAA,EAC3B,KAAK,UAAU,QAASC,GAAa,CACjC,GAAI,CACAA,EAASF,EAAOC,CAAO,CAC3B,OAAS1O,EAAO,CACZ,QAAQ,MAAM,uCAAwCA,CAAK,CAC/D,CACJ,CAAC,CACL,CAqCA,kBACI2O,EAC8B,CAC9B,YAAK,UAAU,IAAIA,CAAQ,EAGtB,KAAK,YAON,WAAW,IAAM,CACb,KAAK,oBAAoB,iBAAiB,CAC9C,EAAG,CAAC,GARJ,KAAK,YAAc,GACnB,WAAW,IAAM,CACb,KAAK,oBAAoB,iBAAiB,CAC9C,EAAG,CAAC,GAQD,CACH,aAAc,CACV,YAAa,IAAM,CACf,KAAK,UAAU,OAAOA,CAAQ,CAClC,CAAA,CACJ,CAER,CAkBA,MAAM,QAA0B,CAC5B,OAAO,KAAK,MAAM,oBAAA,CACtB,CAwBA,MAAM,eAAe/O,EAAgC,CACjD,MAAMD,EAAS,IAAI,IAAIC,CAAG,EACpBhB,EAAOe,EAAO,aAAa,IAAI,MAAM,EACrCyB,EAAQzB,EAAO,aAAa,IAAI,OAAO,EAC7C,GAAI,CAACf,GAAQ,CAACwC,EACV,MAAM,IAAI,MAAM,uBAAuB,EAE3C,MAAMF,EAAS,MAAM,KAAK,MAAM,aAAatC,EAAMwC,CAAK,EACxD,aAAM,KAAK,oBAAoB,WAAW,EACnCF,CACX,CAgBA,MAAM,SAAyB,CAK3B,MAAM,KAAK,aAAa,YAAA,EACxB,MAAM,KAAK,oBAAoB,YAAY,CAC/C,CAuBA,MAAM,YAAsC,CAGxC,GAFkB,MAAM,KAAK,aAAa,eAAA,EAGtC,GAAI,CACA,MAAM,KAAK,MAAM,aAAA,CACrB,MAAQ,CACJ,OAAO,IACX,CAGJ,MAAMA,EAAS,MAAM,KAAK,aAAa,UAAA,EACvC,GAAI,CAACA,EAAQ,OAAO,KAEpB,MAAM0N,EAAO,MAAM,KAAK,UAAU1N,EAAO,WAAW,EAEpD,MAAO,CACH,YAAaA,EAAO,YACpB,aAAcA,EAAO,aACrB,UAAWA,EAAO,UAClB,UAAWA,EAAO,SAAWA,EAAO,UAAY,IAChD,KAAA0N,CAAA,CAER,CAUA,MAAM,YAAYjD,EAA6B,CAC3C,KAAM,CAAE,QAAA7I,CAAA,EAAY,MAAM,KAAK,cAAc,OAAO6I,CAAK,EACzD,OAAO7I,CACX,CASA,MAAM,YAAYvD,EAAmC,GAA+B,CAChF,MAAMmP,EAAU,MAAM,KAAK,WAAA,EAC3B,GAAI,CAACA,EACD,OAAO,KAEX,MAAMG,EAAcH,EAAQ,YACtB,CAAE,aAAAI,EAAe,IAAI,MAAWvP,EAChCN,EAAW,MAAM,KAAK,WAAW,QAAwC,YAAa,CACxF,QAAS,CAAE,cAAe,UAAU4P,CAAW,EAAA,EAC/C,OAAQ,CAAE,aAAcC,EAAa,aAAY,CAAE,CACtD,EACD,OAAK7P,EAAS,GAIcmP,EAAanP,EAAS,IAAI,GAHlD,QAAQ,MAAM,2CAA4CA,EAAS,KAAK,EACjE,KAIf,CAIA,MAAc,UAAU4P,EAA2C,CAC/D,GAAI,CAGA,MAAM5P,EAAW,MAAM,KAAK,KAAK,QAQ9B,kBAAmB,CAClB,QAAS,CAAE,cAAe,UAAU4P,CAAW,EAAA,CAAG,CACrD,EAED,MAAO,CACH,IAAK5P,EAAS,IACd,KAAMA,EAAS,KACf,QAASA,EAAS,QAClB,MAAOA,EAAS,MAChB,eAAgBA,EAAS,eACzB,aAAcA,EAAS,aACvB,sBAAuBA,EAAS,qBAAA,CAExC,OAASe,EAAO,CACZ,eAAQ,MAAM,uCAAwCA,CAAK,EACpD,IACX,CACJ,CACJ,CAwBO,SAAS+O,GAAa1P,EAAwC,CACjE,OAAO,IAAIkP,GAAelP,CAAM,CACpC","x_google_ignoreList":[5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29]}
1	+ {"version":3,"file":"genation.cjs.js","sources":["../src/http/errors.ts","../src/http/client.ts","../src/auth/pkce.ts","../src/auth/token-manager.ts","../src/auth/oauth.ts","../node_modules/jose/dist/webapi/lib/buffer_utils.js","../node_modules/jose/dist/webapi/lib/base64.js","../node_modules/jose/dist/webapi/util/base64url.js","../node_modules/jose/dist/webapi/util/errors.js","../node_modules/jose/dist/webapi/lib/crypto_key.js","../node_modules/jose/dist/webapi/lib/invalid_key_input.js","../node_modules/jose/dist/webapi/lib/is_key_like.js","../node_modules/jose/dist/webapi/lib/is_disjoint.js","../node_modules/jose/dist/webapi/lib/is_object.js","../node_modules/jose/dist/webapi/lib/check_key_length.js","../node_modules/jose/dist/webapi/lib/jwk_to_key.js","../node_modules/jose/dist/webapi/key/import.js","../node_modules/jose/dist/webapi/lib/validate_crit.js","../node_modules/jose/dist/webapi/lib/is_jwk.js","../node_modules/jose/dist/webapi/lib/normalize_key.js","../node_modules/jose/dist/webapi/lib/check_key_type.js","../node_modules/jose/dist/webapi/lib/subtle_dsa.js","../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js","../node_modules/jose/dist/webapi/lib/verify.js","../node_modules/jose/dist/webapi/jws/flattened/verify.js","../node_modules/jose/dist/webapi/jws/compact/verify.js","../node_modules/jose/dist/webapi/lib/jwt_claims_set.js","../node_modules/jose/dist/webapi/jwt/verify.js","../node_modules/jose/dist/webapi/jwks/local.js","../node_modules/jose/dist/webapi/jwks/remote.js","../src/auth/verifier.ts","../src/storage/memory.ts","../src/storage/local-storage.ts","../src/storage/session-storage.ts","../src/storage/index.ts","../src/utils/converter.ts","../src/client.ts"],"sourcesContent":["/*\r\n Base error class for Genation SDK\r\n /\r\nexport class GenationError extends Error {\r\n public code: string;\r\n public cause?: unknown;\r\n\r\n constructor(message: string, code: string, cause?: unknown) {\r\n super(message);\r\n this.name = \"GenationError\";\r\n this.code = code;\r\n this.cause = cause;\r\n }\r\n}\r\n\r\n/\r\n Authentication-related errors\r\n /\r\nexport class AuthError extends GenationError {\r\n constructor(message: string, code: string, cause?: unknown) {\r\n super(message, code, cause);\r\n this.name = \"AuthError\";\r\n }\r\n\r\n static invalidGrant(\r\n message = \"Invalid authorization code or refresh token\",\r\n ) {\r\n return new AuthError(message, \"invalid_grant\");\r\n }\r\n\r\n static accessDenied(message = \"User denied access\") {\r\n return new AuthError(message, \"access_denied\");\r\n }\r\n\r\n static expiredToken(message = \"Token has expired\") {\r\n return new AuthError(message, \"expired_token\");\r\n }\r\n\r\n static invalidState(message = \"State mismatch, possible CSRF attack\") {\r\n return new AuthError(message, \"invalid_state\");\r\n }\r\n\r\n static pkceVerificationFailed(message = \"PKCE verification failed\") {\r\n return new AuthError(message, \"pkce_verification_failed\");\r\n }\r\n}\r\n\r\n/\r\n Network-related errors\r\n /\r\nexport class NetworkError extends GenationError {\r\n public status?: number;\r\n\r\n constructor(message: string, status?: number, cause?: unknown) {\r\n super(message, \"network_error\", cause);\r\n this.name = \"NetworkError\";\r\n this.status = status;\r\n }\r\n\r\n static fromResponse(response: Response) {\r\n return new NetworkError(\r\n `HTTP ${response.status}: ${response.statusText}`,\r\n response.status,\r\n );\r\n }\r\n}\r\n\r\n/\r\n Configuration-related errors\r\n /\r\nexport class ConfigError extends GenationError {\r\n constructor(message: string) {\r\n super(message, \"config_error\");\r\n this.name = \"ConfigError\";\r\n }\r\n\r\n static missingField(field: string) {\r\n return new ConfigError(`Missing required config field: ${field}`);\r\n }\r\n}\r\n","import { NetworkError } from \"./errors\";\r\n\r\nexport interface HttpClientConfig {\r\n baseUrl: string;\r\n timeout?: number;\r\n}\r\n\r\nexport interface RequestOptions {\r\n method?: \"GET\" \| \"POST\" \| \"PUT\" \| \"DELETE\";\r\n headers?: Record<string, string>;\r\n body?: unknown;\r\n params?: Record<string, string>;\r\n}\r\n\r\n/\r\n Simple HTTP client wrapper around fetch\r\n /\r\nexport class HttpClient {\r\n private baseUrl: string;\r\n private timeout: number;\r\n\r\n constructor(config: HttpClientConfig) {\r\n this.baseUrl = config.baseUrl.replace(/\\/$/, \"\");\r\n this.timeout = config.timeout ?? 30000;\r\n }\r\n\r\n /\r\n Make an HTTP request\r\n /\r\n async request<T>(\r\n endpoint: string,\r\n options: RequestOptions = {},\r\n ): Promise<T> {\r\n const { method = \"GET\", headers = {}, body, params } = options;\r\n\r\n // Build URL with query params\r\n let url = `${this.baseUrl}${endpoint}`;\r\n if (params) {\r\n const searchParams = new URLSearchParams(params);\r\n url += `?${searchParams.toString()}`;\r\n }\r\n\r\n // Setup abort controller for timeout\r\n const controller = new AbortController();\r\n const timeoutId = setTimeout(() => controller.abort(), this.timeout);\r\n\r\n try {\r\n const response = await fetch(url, {\r\n method,\r\n headers: {\r\n \"Content-Type\": \"application/json\",\r\n ...headers,\r\n },\r\n body: body ? JSON.stringify(body) : undefined,\r\n signal: controller.signal,\r\n });\r\n\r\n clearTimeout(timeoutId);\r\n\r\n if (!response.ok) {\r\n throw NetworkError.fromResponse(response);\r\n }\r\n\r\n return await response.json();\r\n } catch (error) {\r\n clearTimeout(timeoutId);\r\n\r\n if (error instanceof NetworkError) {\r\n throw error;\r\n }\r\n\r\n if (error instanceof Error && error.name === \"AbortError\") {\r\n throw new NetworkError(\"Request timeout\", undefined, error);\r\n }\r\n\r\n throw new NetworkError(\"Network request failed\", undefined, error);\r\n }\r\n }\r\n\r\n /\r\n POST request with form data (for OAuth token exchange)\r\n /\r\n async postForm<T>(\r\n endpoint: string,\r\n data: Record<string, string>,\r\n headers: Record<string, string> = {},\r\n ): Promise<T> {\r\n const url = `${this.baseUrl}${endpoint}`;\r\n const controller = new AbortController();\r\n const timeoutId = setTimeout(() => controller.abort(), this.timeout);\r\n\r\n try {\r\n const response = await fetch(url, {\r\n method: \"POST\",\r\n headers: {\r\n \"Content-Type\": \"application/x-www-form-urlencoded\",\r\n ...headers,\r\n },\r\n body: new URLSearchParams(data).toString(),\r\n signal: controller.signal,\r\n });\r\n\r\n clearTimeout(timeoutId);\r\n\r\n if (!response.ok) {\r\n throw NetworkError.fromResponse(response);\r\n }\r\n\r\n return await response.json();\r\n } catch (error) {\r\n clearTimeout(timeoutId);\r\n\r\n if (error instanceof NetworkError) {\r\n throw error;\r\n }\r\n\r\n throw new NetworkError(\"Network request failed\", undefined, error);\r\n }\r\n }\r\n}\r\n\r\nexport { AuthError, ConfigError, GenationError, NetworkError } from \"./errors\";\r\n","import type { PKCEChallenge } from \"../types\";\r\n\r\n/\r\n Base64URL encode a buffer (matches Supabase implementation)\r\n /\r\nfunction base64URLEncode(buffer: Uint8Array): string {\r\n return btoa(String.fromCharCode(...buffer))\r\n .replace(/\\+/g, \"-\")\r\n .replace(/\\//g, \"_\")\r\n .replace(/=/g, \"\");\r\n}\r\n\r\n/\r\n Generate a random code verifier (43-128 characters)\r\n * Matches Supabase implementation\r\n /\r\nfunction generateCodeVerifier(): string {\r\n const array = new Uint8Array(32);\r\n crypto.getRandomValues(array);\r\n return base64URLEncode(array);\r\n}\r\n\r\n/\r\n Create code challenge from verifier using SHA-256\r\n * Matches Supabase implementation\r\n /\r\nasync function generateCodeChallenge(verifier: string): Promise<string> {\r\n const encoder = new TextEncoder();\r\n const data = encoder.encode(verifier);\r\n const hash = await crypto.subtle.digest(\"SHA-256\", data);\r\n return base64URLEncode(new Uint8Array(hash));\r\n}\r\n\r\n/\r\n Generate PKCE code verifier and challenge pair\r\n * Uses S256 method as required by OAuth 2.1\r\n /\r\nexport async function generatePKCE(): Promise<PKCEChallenge> {\r\n const codeVerifier = generateCodeVerifier();\r\n const codeChallenge = await generateCodeChallenge(codeVerifier);\r\n\r\n return {\r\n codeVerifier,\r\n codeChallenge,\r\n codeChallengeMethod: \"S256\",\r\n };\r\n}\r\n\r\n/\r\n Generate random state parameter for CSRF protection\r\n /\r\nexport function generateState(): string {\r\n const array = new Uint8Array(16);\r\n crypto.getRandomValues(array);\r\n return base64URLEncode(array);\r\n}\r\n","import type { TokenSet, TokenStorage } from \"../types\";\r\n\r\nconst TOKEN_KEY = \"tokens\";\r\nconst PKCE_KEY = \"pkce\";\r\nconst STATE_KEY = \"state\";\r\n\r\n/\r\n Manages token lifecycle: storage, retrieval, refresh\r\n /\r\nexport class TokenManager {\r\n private storage: TokenStorage;\r\n\r\n constructor(storage: TokenStorage) {\r\n this.storage = storage;\r\n }\r\n\r\n /\r\n Store token set\r\n /\r\n async setTokens(tokens: TokenSet): Promise<void> {\r\n await this.storage.set(TOKEN_KEY, JSON.stringify(tokens));\r\n }\r\n\r\n /\r\n Get stored tokens\r\n /\r\n async getTokens(): Promise<TokenSet \| null> {\r\n const data = await this.storage.get(TOKEN_KEY);\r\n if (!data) return null;\r\n\r\n try {\r\n return JSON.parse(data) as TokenSet;\r\n } catch {\r\n return null;\r\n }\r\n }\r\n\r\n /\r\n Clear stored tokens\r\n /\r\n async clearTokens(): Promise<void> {\r\n await this.storage.remove(TOKEN_KEY);\r\n }\r\n\r\n /\r\n Check if access token is expired\r\n /\r\n async isTokenExpired(): Promise<boolean> {\r\n const tokens = await this.getTokens();\r\n if (!tokens) return true;\r\n\r\n const expiresAt = tokens.issuedAt + tokens.expiresIn 1000;\r\n // Consider expired if less than 60 seconds remaining\r\n return Date.now() > expiresAt - 60000;\r\n }\r\n\r\n /*\r\n Store PKCE verifier for later validation\r\n /\r\n async setPKCE(codeVerifier: string): Promise<void> {\r\n await this.storage.set(PKCE_KEY, codeVerifier);\r\n }\r\n\r\n /\r\n Get and clear stored PKCE verifier\r\n /\r\n async consumePKCE(): Promise<string \| null> {\r\n const verifier = await this.storage.get(PKCE_KEY);\r\n if (verifier) {\r\n await this.storage.remove(PKCE_KEY);\r\n }\r\n return verifier;\r\n }\r\n\r\n /\r\n Store state for CSRF validation\r\n /\r\n async setState(state: string): Promise<void> {\r\n await this.storage.set(STATE_KEY, state);\r\n }\r\n\r\n /\r\n Get and clear stored state\r\n /\r\n async consumeState(): Promise<string \| null> {\r\n const state = await this.storage.get(STATE_KEY);\r\n if (state) {\r\n await this.storage.remove(STATE_KEY);\r\n }\r\n return state;\r\n }\r\n\r\n /\r\n Clear all auth-related data\r\n /\r\n async clearAll(): Promise<void> {\r\n await this.storage.clear();\r\n }\r\n}\r\n","import type { GenationConfig, TokenSet } from \"../types\";\r\nimport { AuthError, HttpClient } from \"../http\";\r\nimport { generatePKCE, generateState } from \"./pkce\";\r\nimport { TokenManager } from \"./token-manager\";\r\n\r\nexport const DEFAULT_AUTH_URL = \"https://mnnoheowoowbtpuoguul.supabase.co/auth/v1\";\r\n\r\ninterface TokenResponse {\r\n access_token: string;\r\n refresh_token?: string;\r\n token_type: string;\r\n expires_in: number;\r\n scope?: string;\r\n}\r\n\r\n/\r\n OAuth 2.1 handler with PKCE support\r\n /\r\nexport class OAuth2Handler {\r\n private config:\r\n & Required<\r\n Pick<GenationConfig, \"clientId\" \| \"clientSecret\" \| \"redirectUri\">\r\n >\r\n & Pick<GenationConfig, \"scopes\" \| \"authUrl\">;\r\n private http: HttpClient;\r\n private tokenManager: TokenManager;\r\n\r\n constructor(\r\n config: GenationConfig,\r\n tokenManager: TokenManager,\r\n ) {\r\n this.config = {\r\n clientId: config.clientId,\r\n clientSecret: config.clientSecret,\r\n redirectUri: config.redirectUri,\r\n scopes: config.scopes,\r\n authUrl: config.authUrl ?? DEFAULT_AUTH_URL,\r\n };\r\n this.http = new HttpClient({ baseUrl: this.config.authUrl! });\r\n this.tokenManager = tokenManager;\r\n }\r\n\r\n /\r\n Generate authorization URL for OAuth flow\r\n * Stores PKCE verifier and state for later validation\r\n /\r\n async getAuthorizationUrl(): Promise<string> {\r\n const pkce = await generatePKCE();\r\n const state = generateState();\r\n\r\n // Store for later validation\r\n await this.tokenManager.setPKCE(pkce.codeVerifier);\r\n await this.tokenManager.setState(state);\r\n\r\n const params = new URLSearchParams({\r\n response_type: \"code\",\r\n client_id: this.config.clientId,\r\n redirect_uri: this.config.redirectUri,\r\n state,\r\n code_challenge: pkce.codeChallenge,\r\n code_challenge_method: pkce.codeChallengeMethod,\r\n });\r\n\r\n if (this.config.scopes && this.config.scopes.length > 0) {\r\n params.append(\"scope\", this.config.scopes.join(\" \"));\r\n }\r\n\r\n return `${this.config.authUrl}/oauth/authorize?${params.toString()}`;\r\n }\r\n\r\n /\r\n Exchange authorization code for tokens\r\n /\r\n async exchangeCode(code: string, state: string): Promise<TokenSet> {\r\n // Validate state\r\n const storedState = await this.tokenManager.consumeState();\r\n if (!storedState \|\| storedState !== state) {\r\n throw AuthError.invalidState();\r\n }\r\n\r\n // Get PKCE verifier\r\n const codeVerifier = await this.tokenManager.consumePKCE();\r\n if (!codeVerifier) {\r\n throw AuthError.pkceVerificationFailed(\"Missing code verifier\");\r\n }\r\n\r\n // Exchange code for tokens\r\n const response = await this.http.postForm<TokenResponse>(\r\n \"/oauth/token\",\r\n {\r\n grant_type: \"authorization_code\",\r\n code,\r\n redirect_uri: this.config.redirectUri,\r\n client_id: this.config.clientId,\r\n client_secret: this.config.clientSecret,\r\n code_verifier: codeVerifier,\r\n },\r\n );\r\n\r\n const tokens = this.mapTokenResponse(response);\r\n await this.tokenManager.setTokens(tokens);\r\n\r\n return tokens;\r\n }\r\n\r\n /\r\n Refresh access token using refresh token\r\n /\r\n async refreshToken(): Promise<TokenSet> {\r\n const currentTokens = await this.tokenManager.getTokens();\r\n if (!currentTokens?.refreshToken) {\r\n throw AuthError.invalidGrant(\"No refresh token available\");\r\n }\r\n\r\n const response = await this.http.postForm<TokenResponse>(\r\n \"/oauth/token\",\r\n {\r\n grant_type: \"refresh_token\",\r\n refresh_token: currentTokens.refreshToken,\r\n client_id: this.config.clientId,\r\n client_secret: this.config.clientSecret,\r\n },\r\n );\r\n\r\n const tokens = this.mapTokenResponse(response);\r\n await this.tokenManager.setTokens(tokens);\r\n\r\n return tokens;\r\n }\r\n\r\n /\r\n Revoke current tokens\r\n /\r\n async revokeToken(): Promise<void> {\r\n const tokens = await this.tokenManager.getTokens();\r\n if (!tokens) return;\r\n\r\n try {\r\n await this.http.postForm(\"/oauth/revoke\", {\r\n token: tokens.accessToken,\r\n client_id: this.config.clientId,\r\n client_secret: this.config.clientSecret,\r\n });\r\n } finally {\r\n await this.tokenManager.clearTokens();\r\n }\r\n }\r\n\r\n /\r\n Map OAuth token response to TokenSet\r\n /\r\n private mapTokenResponse(response: TokenResponse): TokenSet {\r\n return {\r\n accessToken: response.access_token,\r\n refreshToken: response.refresh_token,\r\n tokenType: response.token_type,\r\n expiresIn: response.expires_in,\r\n issuedAt: Date.now(),\r\n scope: response.scope,\r\n };\r\n }\r\n}\r\n","export const encoder = new TextEncoder();\nexport const decoder = new TextDecoder();\nconst MAX_INT32 = 2 * 32;\nexport function concat(...buffers) {\n const size = buffers.reduce((acc, { length }) => acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n for (const buffer of buffers) {\n buf.set(buffer, i);\n i += buffer.length;\n }\n return buf;\n}\nfunction writeUInt32BE(buf, value, offset) {\n if (value < 0 \|\| value >= MAX_INT32) {\n throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);\n }\n buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);\n}\nexport function uint64be(value) {\n const high = Math.floor(value / MAX_INT32);\n const low = value % MAX_INT32;\n const buf = new Uint8Array(8);\n writeUInt32BE(buf, high, 0);\n writeUInt32BE(buf, low, 4);\n return buf;\n}\nexport function uint32be(value) {\n const buf = new Uint8Array(4);\n writeUInt32BE(buf, value);\n return buf;\n}\nexport function encode(string) {\n const bytes = new Uint8Array(string.length);\n for (let i = 0; i < string.length; i++) {\n const code = string.charCodeAt(i);\n if (code > 127) {\n throw new TypeError('non-ASCII string encountered in encode()');\n }\n bytes[i] = code;\n }\n return bytes;\n}\n","export function encodeBase64(input) {\n if (Uint8Array.prototype.toBase64) {\n return input.toBase64();\n }\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for (let i = 0; i < input.length; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join(''));\n}\nexport function decodeBase64(encoded) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(encoded);\n }\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n}\n","import { encoder, decoder } from '../lib/buffer_utils.js';\nimport { encodeBase64, decodeBase64 } from '../lib/base64.js';\nexport function decode(input) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(typeof input === 'string' ? input : decoder.decode(input), {\n alphabet: 'base64url',\n });\n }\n let encoded = input;\n if (encoded instanceof Uint8Array) {\n encoded = decoder.decode(encoded);\n }\n encoded = encoded.replace(/-/g, '+').replace(/_/g, '/');\n try {\n return decodeBase64(encoded);\n }\n catch {\n throw new TypeError('The input to be decoded is not correctly encoded.');\n }\n}\nexport function encode(input) {\n let unencoded = input;\n if (typeof unencoded === 'string') {\n unencoded = encoder.encode(unencoded);\n }\n if (Uint8Array.prototype.toBase64) {\n return unencoded.toBase64({ alphabet: 'base64url', omitPadding: true });\n }\n return encodeBase64(unencoded).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\n","export class JOSEError extends Error {\n static code = 'ERR_JOSE_GENERIC';\n code = 'ERR_JOSE_GENERIC';\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class JWTClaimValidationFailed extends JOSEError {\n static code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JWTExpired extends JOSEError {\n static code = 'ERR_JWT_EXPIRED';\n code = 'ERR_JWT_EXPIRED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JOSEAlgNotAllowed extends JOSEError {\n static code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n}\nexport class JOSENotSupported extends JOSEError {\n static code = 'ERR_JOSE_NOT_SUPPORTED';\n code = 'ERR_JOSE_NOT_SUPPORTED';\n}\nexport class JWEDecryptionFailed extends JOSEError {\n static code = 'ERR_JWE_DECRYPTION_FAILED';\n code = 'ERR_JWE_DECRYPTION_FAILED';\n constructor(message = 'decryption operation failed', options) {\n super(message, options);\n }\n}\nexport class JWEInvalid extends JOSEError {\n static code = 'ERR_JWE_INVALID';\n code = 'ERR_JWE_INVALID';\n}\nexport class JWSInvalid extends JOSEError {\n static code = 'ERR_JWS_INVALID';\n code = 'ERR_JWS_INVALID';\n}\nexport class JWTInvalid extends JOSEError {\n static code = 'ERR_JWT_INVALID';\n code = 'ERR_JWT_INVALID';\n}\nexport class JWKInvalid extends JOSEError {\n static code = 'ERR_JWK_INVALID';\n code = 'ERR_JWK_INVALID';\n}\nexport class JWKSInvalid extends JOSEError {\n static code = 'ERR_JWKS_INVALID';\n code = 'ERR_JWKS_INVALID';\n}\nexport class JWKSNoMatchingKey extends JOSEError {\n static code = 'ERR_JWKS_NO_MATCHING_KEY';\n code = 'ERR_JWKS_NO_MATCHING_KEY';\n constructor(message = 'no applicable key found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSMultipleMatchingKeys extends JOSEError {\n [Symbol.asyncIterator];\n static code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n constructor(message = 'multiple matching keys found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSTimeout extends JOSEError {\n static code = 'ERR_JWKS_TIMEOUT';\n code = 'ERR_JWKS_TIMEOUT';\n constructor(message = 'request timed out', options) {\n super(message, options);\n }\n}\nexport class JWSSignatureVerificationFailed extends JOSEError {\n static code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n constructor(message = 'signature verification failed', options) {\n super(message, options);\n }\n}\n","const unusable = (name, prop = 'algorithm.name') => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\nconst isAlgorithm = (algorithm, name) => algorithm.name === name;\nfunction getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction getNamedCurve(alg) {\n switch (alg) {\n case 'ES256':\n return 'P-256';\n case 'ES384':\n return 'P-384';\n case 'ES512':\n return 'P-521';\n default:\n throw new Error('unreachable');\n }\n}\nfunction checkUsage(key, usage) {\n if (usage && !key.usages.includes(usage)) {\n throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);\n }\n}\nexport function checkSigCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512': {\n if (!isAlgorithm(key.algorithm, 'HMAC'))\n throw unusable('HMAC');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'RS256':\n case 'RS384':\n case 'RS512': {\n if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))\n throw unusable('RSASSA-PKCS1-v1_5');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'PS256':\n case 'PS384':\n case 'PS512': {\n if (!isAlgorithm(key.algorithm, 'RSA-PSS'))\n throw unusable('RSA-PSS');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'Ed25519':\n case 'EdDSA': {\n if (!isAlgorithm(key.algorithm, 'Ed25519'))\n throw unusable('Ed25519');\n break;\n }\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87': {\n if (!isAlgorithm(key.algorithm, alg))\n throw unusable(alg);\n break;\n }\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n if (!isAlgorithm(key.algorithm, 'ECDSA'))\n throw unusable('ECDSA');\n const expected = getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.namedCurve');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\nexport function checkEncCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM': {\n if (!isAlgorithm(key.algorithm, 'AES-GCM'))\n throw unusable('AES-GCM');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (!isAlgorithm(key.algorithm, 'AES-KW'))\n throw unusable('AES-KW');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'ECDH': {\n switch (key.algorithm.name) {\n case 'ECDH':\n case 'X25519':\n break;\n default:\n throw unusable('ECDH or X25519');\n }\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n if (!isAlgorithm(key.algorithm, 'PBKDF2'))\n throw unusable('PBKDF2');\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))\n throw unusable('RSA-OAEP');\n const expected = parseInt(alg.slice(9), 10) \|\| 1;\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\n","function message(msg, actual, ...types) {\n types = types.filter(Boolean);\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(', ')}, or ${last}.`;\n }\n else if (types.length === 2) {\n msg += `one of type ${types[0]} or ${types[1]}.`;\n }\n else {\n msg += `of type ${types[0]}.`;\n }\n if (actual == null) {\n msg += ` Received ${actual}`;\n }\n else if (typeof actual === 'function' && actual.name) {\n msg += ` Received function ${actual.name}`;\n }\n else if (typeof actual === 'object' && actual != null) {\n if (actual.constructor?.name) {\n msg += ` Received an instance of ${actual.constructor.name}`;\n }\n }\n return msg;\n}\nexport const invalidKeyInput = (actual, ...types) => message('Key must be ', actual, ...types);\nexport const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);\n","export function assertCryptoKey(key) {\n if (!isCryptoKey(key)) {\n throw new Error('CryptoKey instance expected');\n }\n}\nexport const isCryptoKey = (key) => {\n if (key?.[Symbol.toStringTag] === 'CryptoKey')\n return true;\n try {\n return key instanceof CryptoKey;\n }\n catch {\n return false;\n }\n};\nexport const isKeyObject = (key) => key?.[Symbol.toStringTag] === 'KeyObject';\nexport const isKeyLike = (key) => isCryptoKey(key) \|\| isKeyObject(key);\n","export function isDisjoint(...headers) {\n const sources = headers.filter(Boolean);\n if (sources.length === 0 \|\| sources.length === 1) {\n return true;\n }\n let acc;\n for (const header of sources) {\n const parameters = Object.keys(header);\n if (!acc \|\| acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters) {\n if (acc.has(parameter)) {\n return false;\n }\n acc.add(parameter);\n }\n }\n return true;\n}\n","const isObjectLike = (value) => typeof value === 'object' && value !== null;\nexport function isObject(input) {\n if (!isObjectLike(input) \|\| Object.prototype.toString.call(input) !== '[object Object]') {\n return false;\n }\n if (Object.getPrototypeOf(input) === null) {\n return true;\n }\n let proto = input;\n while (Object.getPrototypeOf(proto) !== null) {\n proto = Object.getPrototypeOf(proto);\n }\n return Object.getPrototypeOf(input) === proto;\n}\n","export function checkKeyLength(alg, key) {\n if (alg.startsWith('RS') \|\| alg.startsWith('PS')) {\n const { modulusLength } = key.algorithm;\n if (typeof modulusLength !== 'number' \|\| modulusLength < 2048) {\n throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nfunction subtleMapping(jwk) {\n let algorithm;\n let keyUsages;\n switch (jwk.kty) {\n case 'AKP': {\n switch (jwk.alg) {\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n algorithm = { name: jwk.alg };\n keyUsages = jwk.priv ? ['sign'] : ['verify'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'RSA': {\n switch (jwk.alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) \|\| 1}`,\n };\n keyUsages = jwk.d ? ['decrypt', 'unwrapKey'] : ['encrypt', 'wrapKey'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'EC': {\n switch (jwk.alg) {\n case 'ES256':\n algorithm = { name: 'ECDSA', namedCurve: 'P-256' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES384':\n algorithm = { name: 'ECDSA', namedCurve: 'P-384' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES512':\n algorithm = { name: 'ECDSA', namedCurve: 'P-521' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: 'ECDH', namedCurve: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'OKP': {\n switch (jwk.alg) {\n case 'Ed25519':\n case 'EdDSA':\n algorithm = { name: 'Ed25519' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"kty\" (Key Type) Parameter value');\n }\n return { algorithm, keyUsages };\n}\nexport async function jwkToKey(jwk) {\n if (!jwk.alg) {\n throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n }\n const { algorithm, keyUsages } = subtleMapping(jwk);\n const keyData = { ...jwk };\n if (keyData.kty !== 'AKP') {\n delete keyData.alg;\n }\n delete keyData.use;\n return crypto.subtle.importKey('jwk', keyData, algorithm, jwk.ext ?? (jwk.d \|\| jwk.priv ? false : true), jwk.key_ops ?? keyUsages);\n}\n","import { decode as decodeBase64URL } from '../util/base64url.js';\nimport { fromSPKI, fromPKCS8, fromX509 } from '../lib/asn1.js';\nimport { jwkToKey } from '../lib/jwk_to_key.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { isObject } from '../lib/is_object.js';\nexport async function importSPKI(spki, alg, options) {\n if (typeof spki !== 'string' \|\| spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {\n throw new TypeError('\"spki\" must be SPKI formatted string');\n }\n return fromSPKI(spki, alg, options);\n}\nexport async function importX509(x509, alg, options) {\n if (typeof x509 !== 'string' \|\| x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {\n throw new TypeError('\"x509\" must be X.509 formatted string');\n }\n return fromX509(x509, alg, options);\n}\nexport async function importPKCS8(pkcs8, alg, options) {\n if (typeof pkcs8 !== 'string' \|\| pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {\n throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n }\n return fromPKCS8(pkcs8, alg, options);\n}\nexport async function importJWK(jwk, alg, options) {\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n let ext;\n alg ??= jwk.alg;\n ext ??= options?.extractable ?? jwk.ext;\n switch (jwk.kty) {\n case 'oct':\n if (typeof jwk.k !== 'string' \|\| !jwk.k) {\n throw new TypeError('missing \"k\" (Key Value) Parameter value');\n }\n return decodeBase64URL(jwk.k);\n case 'RSA':\n if ('oth' in jwk && jwk.oth !== undefined) {\n throw new JOSENotSupported('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n }\n return jwkToKey({ ...jwk, alg, ext });\n case 'AKP': {\n if (typeof jwk.alg !== 'string' \|\| !jwk.alg) {\n throw new TypeError('missing \"alg\" (Algorithm) Parameter value');\n }\n if (alg !== undefined && alg !== jwk.alg) {\n throw new TypeError('JWK alg and alg option value mismatch');\n }\n return jwkToKey({ ...jwk, ext });\n }\n case 'EC':\n case 'OKP':\n return jwkToKey({ ...jwk, alg, ext });\n default:\n throw new JOSENotSupported('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n","import { JOSENotSupported, JWEInvalid, JWSInvalid } from '../util/errors.js';\nexport function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n }\n if (!protectedHeader \|\| protectedHeader.crit === undefined) {\n return new Set();\n }\n if (!Array.isArray(protectedHeader.crit) \|\|\n protectedHeader.crit.length === 0 \|\|\n protectedHeader.crit.some((input) => typeof input !== 'string' \|\| input.length === 0)) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n }\n let recognized;\n if (recognizedOption !== undefined) {\n recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);\n }\n else {\n recognized = recognizedDefault;\n }\n for (const parameter of protectedHeader.crit) {\n if (!recognized.has(parameter)) {\n throw new JOSENotSupported(`Extension Header Parameter \"${parameter}\" is not recognized`);\n }\n if (joseHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n }\n if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n }\n return new Set(protectedHeader.crit);\n}\n","import { isObject } from './is_object.js';\nexport const isJWK = (key) => isObject(key) && typeof key.kty === 'string';\nexport const isPrivateJWK = (key) => key.kty !== 'oct' &&\n ((key.kty === 'AKP' && typeof key.priv === 'string') \|\| typeof key.d === 'string');\nexport const isPublicJWK = (key) => key.kty !== 'oct' && key.d === undefined && key.priv === undefined;\nexport const isSecretJWK = (key) => key.kty === 'oct' && typeof key.k === 'string';\n","import { isJWK } from './is_jwk.js';\nimport { decode } from '../util/base64url.js';\nimport { jwkToKey } from './jwk_to_key.js';\nimport { isCryptoKey, isKeyObject } from './is_key_like.js';\nlet cache;\nconst handleJWK = async (key, jwk, alg, freeze = false) => {\n cache \|\|= new WeakMap();\n let cached = cache.get(key);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const cryptoKey = await jwkToKey({ ...jwk, alg });\n if (freeze)\n Object.freeze(key);\n if (!cached) {\n cache.set(key, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nconst handleKeyObject = (keyObject, alg) => {\n cache \|\|= new WeakMap();\n let cached = cache.get(keyObject);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const isPublic = keyObject.type === 'public';\n const extractable = isPublic ? true : false;\n let cryptoKey;\n if (keyObject.asymmetricKeyType === 'x25519') {\n switch (alg) {\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n break;\n default:\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ['deriveBits']);\n }\n if (keyObject.asymmetricKeyType === 'ed25519') {\n if (alg !== 'EdDSA' && alg !== 'Ed25519') {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n switch (keyObject.asymmetricKeyType) {\n case 'ml-dsa-44':\n case 'ml-dsa-65':\n case 'ml-dsa-87': {\n if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n }\n if (keyObject.asymmetricKeyType === 'rsa') {\n let hash;\n switch (alg) {\n case 'RSA-OAEP':\n hash = 'SHA-1';\n break;\n case 'RS256':\n case 'PS256':\n case 'RSA-OAEP-256':\n hash = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'RSA-OAEP-384':\n hash = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'RSA-OAEP-512':\n hash = 'SHA-512';\n break;\n default:\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (alg.startsWith('RSA-OAEP')) {\n return keyObject.toCryptoKey({\n name: 'RSA-OAEP',\n hash,\n }, extractable, isPublic ? ['encrypt'] : ['decrypt']);\n }\n cryptoKey = keyObject.toCryptoKey({\n name: alg.startsWith('PS') ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5',\n hash,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (keyObject.asymmetricKeyType === 'ec') {\n const nist = new Map([\n ['prime256v1', 'P-256'],\n ['secp384r1', 'P-384'],\n ['secp521r1', 'P-521'],\n ]);\n const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);\n if (!namedCurve) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (alg === 'ES256' && namedCurve === 'P-256') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg === 'ES384' && namedCurve === 'P-384') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg === 'ES512' && namedCurve === 'P-521') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg.startsWith('ECDH-ES')) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDH',\n namedCurve,\n }, extractable, isPublic ? [] : ['deriveBits']);\n }\n }\n if (!cryptoKey) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (!cached) {\n cache.set(keyObject, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nexport async function normalizeKey(key, alg) {\n if (key instanceof Uint8Array) {\n return key;\n }\n if (isCryptoKey(key)) {\n return key;\n }\n if (isKeyObject(key)) {\n if (key.type === 'secret') {\n return key.export();\n }\n if ('toCryptoKey' in key && typeof key.toCryptoKey === 'function') {\n try {\n return handleKeyObject(key, alg);\n }\n catch (err) {\n if (err instanceof TypeError) {\n throw err;\n }\n }\n }\n let jwk = key.export({ format: 'jwk' });\n return handleJWK(key, jwk, alg);\n }\n if (isJWK(key)) {\n if (key.k) {\n return decode(key.k);\n }\n return handleJWK(key, key, alg, true);\n }\n throw new Error('unreachable');\n}\n","import { withAlg as invalidKeyInput } from './invalid_key_input.js';\nimport { isKeyLike } from './is_key_like.js';\nimport * as jwk from './is_jwk.js';\nconst tag = (key) => key?.[Symbol.toStringTag];\nconst jwkMatchesOp = (alg, key, usage) => {\n if (key.use !== undefined) {\n let expected;\n switch (usage) {\n case 'sign':\n case 'verify':\n expected = 'sig';\n break;\n case 'encrypt':\n case 'decrypt':\n expected = 'enc';\n break;\n }\n if (key.use !== expected) {\n throw new TypeError(`Invalid key for this operation, its \"use\" must be \"${expected}\" when present`);\n }\n }\n if (key.alg !== undefined && key.alg !== alg) {\n throw new TypeError(`Invalid key for this operation, its \"alg\" must be \"${alg}\" when present`);\n }\n if (Array.isArray(key.key_ops)) {\n let expectedKeyOp;\n switch (true) {\n case usage === 'sign' \|\| usage === 'verify':\n case alg === 'dir':\n case alg.includes('CBC-HS'):\n expectedKeyOp = usage;\n break;\n case alg.startsWith('PBES2'):\n expectedKeyOp = 'deriveBits';\n break;\n case /^A\\d{3}(?:GCM)?(?:KW)?$/.test(alg):\n if (!alg.includes('GCM') && alg.endsWith('KW')) {\n expectedKeyOp = usage === 'encrypt' ? 'wrapKey' : 'unwrapKey';\n }\n else {\n expectedKeyOp = usage;\n }\n break;\n case usage === 'encrypt' && alg.startsWith('RSA'):\n expectedKeyOp = 'wrapKey';\n break;\n case usage === 'decrypt':\n expectedKeyOp = alg.startsWith('RSA') ? 'unwrapKey' : 'deriveBits';\n break;\n }\n if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {\n throw new TypeError(`Invalid key for this operation, its \"key_ops\" must include \"${expectedKeyOp}\" when present`);\n }\n }\n return true;\n};\nconst symmetricTypeCheck = (alg, key, usage) => {\n if (key instanceof Uint8Array)\n return;\n if (jwk.isJWK(key)) {\n if (jwk.isSecretJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK \"kty\" (Key Type) equal to \"oct\" and the JWK \"k\" (Key Value) present`);\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key', 'Uint8Array'));\n }\n if (key.type !== 'secret') {\n throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type \"secret\"`);\n }\n};\nconst asymmetricTypeCheck = (alg, key, usage) => {\n if (jwk.isJWK(key)) {\n switch (usage) {\n case 'decrypt':\n case 'sign':\n if (jwk.isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a private JWK`);\n case 'encrypt':\n case 'verify':\n if (jwk.isPublicJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a public JWK`);\n }\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n if (key.type === 'secret') {\n throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type \"secret\"`);\n }\n if (key.type === 'public') {\n switch (usage) {\n case 'sign':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type \"private\"`);\n case 'decrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type \"private\"`);\n }\n }\n if (key.type === 'private') {\n switch (usage) {\n case 'verify':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type \"public\"`);\n case 'encrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type \"public\"`);\n }\n }\n};\nexport function checkKeyType(alg, key, usage) {\n switch (alg.substring(0, 2)) {\n case 'A1':\n case 'A2':\n case 'di':\n case 'HS':\n case 'PB':\n symmetricTypeCheck(alg, key, usage);\n break;\n default:\n asymmetricTypeCheck(alg, key, usage);\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nexport function subtleAlgorithm(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { hash, name: 'HMAC' };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { hash, name: 'RSA-PSS', saltLength: parseInt(alg.slice(-3), 10) >> 3 };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { hash, name: 'RSASSA-PKCS1-v1_5' };\n case 'ES256':\n case 'ES384':\n case 'ES512':\n return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };\n case 'Ed25519':\n case 'EdDSA':\n return { name: 'Ed25519' };\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return { name: alg };\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\n","import { checkSigCryptoKey } from './crypto_key.js';\nimport { invalidKeyInput } from './invalid_key_input.js';\nexport async function getSigKey(alg, key, usage) {\n if (key instanceof Uint8Array) {\n if (!alg.startsWith('HS')) {\n throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);\n }\n checkSigCryptoKey(key, alg, usage);\n return key;\n}\n","import { subtleAlgorithm } from './subtle_dsa.js';\nimport { checkKeyLength } from './check_key_length.js';\nimport { getSigKey } from './get_sign_verify_key.js';\nexport async function verify(alg, key, signature, data) {\n const cryptoKey = await getSigKey(alg, key, 'verify');\n checkKeyLength(alg, cryptoKey);\n const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);\n try {\n return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);\n }\n catch {\n return false;\n }\n}\n","import { decode as b64u } from '../../util/base64url.js';\nimport { verify } from '../../lib/verify.js';\nimport { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport { concat, encoder, decoder, encode } from '../../lib/buffer_utils.js';\nimport { isDisjoint } from '../../lib/is_disjoint.js';\nimport { isObject } from '../../lib/is_object.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { validateAlgorithms } from '../../lib/validate_algorithms.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport async function flattenedVerify(jws, key, options) {\n if (!isObject(jws)) {\n throw new JWSInvalid('Flattened JWS must be an object');\n }\n if (jws.protected === undefined && jws.header === undefined) {\n throw new JWSInvalid('Flattened JWS must have either of the \"protected\" or \"header\" members');\n }\n if (jws.protected !== undefined && typeof jws.protected !== 'string') {\n throw new JWSInvalid('JWS Protected Header incorrect type');\n }\n if (jws.payload === undefined) {\n throw new JWSInvalid('JWS Payload missing');\n }\n if (typeof jws.signature !== 'string') {\n throw new JWSInvalid('JWS Signature missing or incorrect type');\n }\n if (jws.header !== undefined && !isObject(jws.header)) {\n throw new JWSInvalid('JWS Unprotected Header incorrect type');\n }\n let parsedProt = {};\n if (jws.protected) {\n try {\n const protectedHeader = b64u(jws.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch {\n throw new JWSInvalid('JWS Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jws.header)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jws.header,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = parsedProt.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' \|\| !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n const algorithms = options && validateAlgorithms('algorithms', options.algorithms);\n if (algorithms && !algorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter value not allowed');\n }\n if (b64) {\n if (typeof jws.payload !== 'string') {\n throw new JWSInvalid('JWS Payload must be a string');\n }\n }\n else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {\n throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n checkKeyType(alg, key, 'verify');\n const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array(), encode('.'), typeof jws.payload === 'string'\n ? b64\n ? encode(jws.payload)\n : encoder.encode(jws.payload)\n : jws.payload);\n let signature;\n try {\n signature = b64u(jws.signature);\n }\n catch {\n throw new JWSInvalid('Failed to base64url decode the signature');\n }\n const k = await normalizeKey(key, alg);\n const verified = await verify(alg, k, signature, data);\n if (!verified) {\n throw new JWSSignatureVerificationFailed();\n }\n let payload;\n if (b64) {\n try {\n payload = b64u(jws.payload);\n }\n catch {\n throw new JWSInvalid('Failed to base64url decode the payload');\n }\n }\n else if (typeof jws.payload === 'string') {\n payload = encoder.encode(jws.payload);\n }\n else {\n payload = jws.payload;\n }\n const result = { payload };\n if (jws.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jws.header !== undefined) {\n result.unprotectedHeader = jws.header;\n }\n if (resolvedKey) {\n return { ...result, key: k };\n }\n return result;\n}\n","import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactVerify(jws, key, options) {\n if (jws instanceof Uint8Array) {\n jws = decoder.decode(jws);\n }\n if (typeof jws !== 'string') {\n throw new JWSInvalid('Compact JWS must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');\n if (length !== 3) {\n throw new JWSInvalid('Invalid Compact JWS');\n }\n const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);\n const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';\nimport { encoder, decoder } from './buffer_utils.js';\nimport { isObject } from './is_object.js';\nconst epoch = (date) => Math.floor(date.getTime() / 1000);\nconst minute = 60;\nconst hour = minute * 60;\nconst day = hour * 24;\nconst week = day * 7;\nconst year = day * 365.25;\nconst REGEX = /^(\\+\|\\-)? ?(\\d+\|\\d+\\.\\d+) ?(seconds?\|secs?\|s\|minutes?\|mins?\|m\|hours?\|hrs?\|h\|days?\|d\|weeks?\|w\|years?\|yrs?\|y)(?: (ago\|from now))?$/i;\nexport function secs(str) {\n const matched = REGEX.exec(str);\n if (!matched \|\| (matched[4] && matched[1])) {\n throw new TypeError('Invalid time period format');\n }\n const value = parseFloat(matched[2]);\n const unit = matched[3].toLowerCase();\n let numericDate;\n switch (unit) {\n case 'sec':\n case 'secs':\n case 'second':\n case 'seconds':\n case 's':\n numericDate = Math.round(value);\n break;\n case 'minute':\n case 'minutes':\n case 'min':\n case 'mins':\n case 'm':\n numericDate = Math.round(value * minute);\n break;\n case 'hour':\n case 'hours':\n case 'hr':\n case 'hrs':\n case 'h':\n numericDate = Math.round(value * hour);\n break;\n case 'day':\n case 'days':\n case 'd':\n numericDate = Math.round(value * day);\n break;\n case 'week':\n case 'weeks':\n case 'w':\n numericDate = Math.round(value * week);\n break;\n default:\n numericDate = Math.round(value * year);\n break;\n }\n if (matched[1] === '-' \|\| matched[4] === 'ago') {\n return -numericDate;\n }\n return numericDate;\n}\nfunction validateInput(label, input) {\n if (!Number.isFinite(input)) {\n throw new TypeError(`Invalid ${label} input`);\n }\n return input;\n}\nconst normalizeTyp = (value) => {\n if (value.includes('/')) {\n return value.toLowerCase();\n }\n return `application/${value.toLowerCase()}`;\n};\nconst checkAudiencePresence = (audPayload, audOption) => {\n if (typeof audPayload === 'string') {\n return audOption.includes(audPayload);\n }\n if (Array.isArray(audPayload)) {\n return audOption.some(Set.prototype.has.bind(new Set(audPayload)));\n }\n return false;\n};\nexport function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {\n let payload;\n try {\n payload = JSON.parse(decoder.decode(encodedPayload));\n }\n catch {\n }\n if (!isObject(payload)) {\n throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');\n }\n const { typ } = options;\n if (typ &&\n (typeof protectedHeader.typ !== 'string' \|\|\n normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {\n throw new JWTClaimValidationFailed('unexpected \"typ\" JWT header value', payload, 'typ', 'check_failed');\n }\n const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;\n const presenceCheck = [...requiredClaims];\n if (maxTokenAge !== undefined)\n presenceCheck.push('iat');\n if (audience !== undefined)\n presenceCheck.push('aud');\n if (subject !== undefined)\n presenceCheck.push('sub');\n if (issuer !== undefined)\n presenceCheck.push('iss');\n for (const claim of new Set(presenceCheck.reverse())) {\n if (!(claim in payload)) {\n throw new JWTClaimValidationFailed(`missing required \"${claim}\" claim`, payload, claim, 'missing');\n }\n }\n if (issuer &&\n !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {\n throw new JWTClaimValidationFailed('unexpected \"iss\" claim value', payload, 'iss', 'check_failed');\n }\n if (subject && payload.sub !== subject) {\n throw new JWTClaimValidationFailed('unexpected \"sub\" claim value', payload, 'sub', 'check_failed');\n }\n if (audience &&\n !checkAudiencePresence(payload.aud, typeof audience === 'string' ? [audience] : audience)) {\n throw new JWTClaimValidationFailed('unexpected \"aud\" claim value', payload, 'aud', 'check_failed');\n }\n let tolerance;\n switch (typeof options.clockTolerance) {\n case 'string':\n tolerance = secs(options.clockTolerance);\n break;\n case 'number':\n tolerance = options.clockTolerance;\n break;\n case 'undefined':\n tolerance = 0;\n break;\n default:\n throw new TypeError('Invalid clockTolerance option type');\n }\n const { currentDate } = options;\n const now = epoch(currentDate \|\| new Date());\n if ((payload.iat !== undefined \|\| maxTokenAge) && typeof payload.iat !== 'number') {\n throw new JWTClaimValidationFailed('\"iat\" claim must be a number', payload, 'iat', 'invalid');\n }\n if (payload.nbf !== undefined) {\n if (typeof payload.nbf !== 'number') {\n throw new JWTClaimValidationFailed('\"nbf\" claim must be a number', payload, 'nbf', 'invalid');\n }\n if (payload.nbf > now + tolerance) {\n throw new JWTClaimValidationFailed('\"nbf\" claim timestamp check failed', payload, 'nbf', 'check_failed');\n }\n }\n if (payload.exp !== undefined) {\n if (typeof payload.exp !== 'number') {\n throw new JWTClaimValidationFailed('\"exp\" claim must be a number', payload, 'exp', 'invalid');\n }\n if (payload.exp <= now - tolerance) {\n throw new JWTExpired('\"exp\" claim timestamp check failed', payload, 'exp', 'check_failed');\n }\n }\n if (maxTokenAge) {\n const age = now - payload.iat;\n const max = typeof maxTokenAge === 'number' ? maxTokenAge : secs(maxTokenAge);\n if (age - tolerance > max) {\n throw new JWTExpired('\"iat\" claim timestamp check failed (too far in the past)', payload, 'iat', 'check_failed');\n }\n if (age < 0 - tolerance) {\n throw new JWTClaimValidationFailed('\"iat\" claim timestamp check failed (it should be in the past)', payload, 'iat', 'check_failed');\n }\n }\n return payload;\n}\nexport class JWTClaimsBuilder {\n #payload;\n constructor(payload) {\n if (!isObject(payload)) {\n throw new TypeError('JWT Claims Set MUST be an object');\n }\n this.#payload = structuredClone(payload);\n }\n data() {\n return encoder.encode(JSON.stringify(this.#payload));\n }\n get iss() {\n return this.#payload.iss;\n }\n set iss(value) {\n this.#payload.iss = value;\n }\n get sub() {\n return this.#payload.sub;\n }\n set sub(value) {\n this.#payload.sub = value;\n }\n get aud() {\n return this.#payload.aud;\n }\n set aud(value) {\n this.#payload.aud = value;\n }\n set jti(value) {\n this.#payload.jti = value;\n }\n set nbf(value) {\n if (typeof value === 'number') {\n this.#payload.nbf = validateInput('setNotBefore', value);\n }\n else if (value instanceof Date) {\n this.#payload.nbf = validateInput('setNotBefore', epoch(value));\n }\n else {\n this.#payload.nbf = epoch(new Date()) + secs(value);\n }\n }\n set exp(value) {\n if (typeof value === 'number') {\n this.#payload.exp = validateInput('setExpirationTime', value);\n }\n else if (value instanceof Date) {\n this.#payload.exp = validateInput('setExpirationTime', epoch(value));\n }\n else {\n this.#payload.exp = epoch(new Date()) + secs(value);\n }\n }\n set iat(value) {\n if (value === undefined) {\n this.#payload.iat = epoch(new Date());\n }\n else if (value instanceof Date) {\n this.#payload.iat = validateInput('setIssuedAt', epoch(value));\n }\n else if (typeof value === 'string') {\n this.#payload.iat = validateInput('setIssuedAt', epoch(new Date()) + secs(value));\n }\n else {\n this.#payload.iat = validateInput('setIssuedAt', value);\n }\n }\n}\n","import { compactVerify } from '../jws/compact/verify.js';\nimport { validateClaimsSet } from '../lib/jwt_claims_set.js';\nimport { JWTInvalid } from '../util/errors.js';\nexport async function jwtVerify(jwt, key, options) {\n const verified = await compactVerify(jwt, key, options);\n if (verified.protectedHeader.crit?.includes('b64') && verified.protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);\n const result = { payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { importJWK } from '../key/import.js';\nimport { JWKSInvalid, JOSENotSupported, JWKSNoMatchingKey, JWKSMultipleMatchingKeys, } from '../util/errors.js';\nimport { isObject } from '../lib/is_object.js';\nfunction getKtyFromAlg(alg) {\n switch (typeof alg === 'string' && alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n return 'RSA';\n case 'ES':\n return 'EC';\n case 'Ed':\n return 'OKP';\n case 'ML':\n return 'AKP';\n default:\n throw new JOSENotSupported('Unsupported \"alg\" value for a JSON Web Key Set');\n }\n}\nfunction isJWKSLike(jwks) {\n return (jwks &&\n typeof jwks === 'object' &&\n Array.isArray(jwks.keys) &&\n jwks.keys.every(isJWKLike));\n}\nfunction isJWKLike(key) {\n return isObject(key);\n}\nclass LocalJWKSet {\n #jwks;\n #cached = new WeakMap();\n constructor(jwks) {\n if (!isJWKSLike(jwks)) {\n throw new JWKSInvalid('JSON Web Key Set malformed');\n }\n this.#jwks = structuredClone(jwks);\n }\n jwks() {\n return this.#jwks;\n }\n async getKey(protectedHeader, token) {\n const { alg, kid } = { ...protectedHeader, ...token?.header };\n const kty = getKtyFromAlg(alg);\n const candidates = this.#jwks.keys.filter((jwk) => {\n let candidate = kty === jwk.kty;\n if (candidate && typeof kid === 'string') {\n candidate = kid === jwk.kid;\n }\n if (candidate && (typeof jwk.alg === 'string' \|\| kty === 'AKP')) {\n candidate = alg === jwk.alg;\n }\n if (candidate && typeof jwk.use === 'string') {\n candidate = jwk.use === 'sig';\n }\n if (candidate && Array.isArray(jwk.key_ops)) {\n candidate = jwk.key_ops.includes('verify');\n }\n if (candidate) {\n switch (alg) {\n case 'ES256':\n candidate = jwk.crv === 'P-256';\n break;\n case 'ES384':\n candidate = jwk.crv === 'P-384';\n break;\n case 'ES512':\n candidate = jwk.crv === 'P-521';\n break;\n case 'Ed25519':\n case 'EdDSA':\n candidate = jwk.crv === 'Ed25519';\n break;\n }\n }\n return candidate;\n });\n const { 0: jwk, length } = candidates;\n if (length === 0) {\n throw new JWKSNoMatchingKey();\n }\n if (length !== 1) {\n const error = new JWKSMultipleMatchingKeys();\n const _cached = this.#cached;\n error[Symbol.asyncIterator] = async function* () {\n for (const jwk of candidates) {\n try {\n yield await importWithAlgCache(_cached, jwk, alg);\n }\n catch { }\n }\n };\n throw error;\n }\n return importWithAlgCache(this.#cached, jwk, alg);\n }\n}\nasync function importWithAlgCache(cache, jwk, alg) {\n const cached = cache.get(jwk) \|\| cache.set(jwk, {}).get(jwk);\n if (cached[alg] === undefined) {\n const key = await importJWK({ ...jwk, ext: true }, alg);\n if (key instanceof Uint8Array \|\| key.type !== 'public') {\n throw new JWKSInvalid('JSON Web Key Set members must be public keys');\n }\n cached[alg] = key;\n }\n return cached[alg];\n}\nexport function createLocalJWKSet(jwks) {\n const set = new LocalJWKSet(jwks);\n const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(localJWKSet, {\n jwks: {\n value: () => structuredClone(set.jwks()),\n enumerable: false,\n configurable: false,\n writable: false,\n },\n });\n return localJWKSet;\n}\n","import { JOSEError, JWKSNoMatchingKey, JWKSTimeout } from '../util/errors.js';\nimport { createLocalJWKSet } from './local.js';\nimport { isObject } from '../lib/is_object.js';\nfunction isCloudflareWorkers() {\n return (typeof WebSocketPair !== 'undefined' \|\|\n (typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers') \|\|\n (typeof EdgeRuntime !== 'undefined' && EdgeRuntime === 'vercel'));\n}\nlet USER_AGENT;\nif (typeof navigator === 'undefined' \|\| !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'jose';\n const VERSION = 'v6.1.3';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nexport const customFetch = Symbol();\nasync function fetchJwks(url, headers, signal, fetchImpl = fetch) {\n const response = await fetchImpl(url, {\n method: 'GET',\n signal,\n redirect: 'manual',\n headers,\n }).catch((err) => {\n if (err.name === 'TimeoutError') {\n throw new JWKSTimeout();\n }\n throw err;\n });\n if (response.status !== 200) {\n throw new JOSEError('Expected 200 OK from the JSON Web Key Set HTTP response');\n }\n try {\n return await response.json();\n }\n catch {\n throw new JOSEError('Failed to parse the JSON Web Key Set HTTP response as JSON');\n }\n}\nexport const jwksCache = Symbol();\nfunction isFreshJwksCache(input, cacheMaxAge) {\n if (typeof input !== 'object' \|\| input === null) {\n return false;\n }\n if (!('uat' in input) \|\| typeof input.uat !== 'number' \|\| Date.now() - input.uat >= cacheMaxAge) {\n return false;\n }\n if (!('jwks' in input) \|\|\n !isObject(input.jwks) \|\|\n !Array.isArray(input.jwks.keys) \|\|\n !Array.prototype.every.call(input.jwks.keys, isObject)) {\n return false;\n }\n return true;\n}\nclass RemoteJWKSet {\n #url;\n #timeoutDuration;\n #cooldownDuration;\n #cacheMaxAge;\n #jwksTimestamp;\n #pendingFetch;\n #headers;\n #customFetch;\n #local;\n #cache;\n constructor(url, options) {\n if (!(url instanceof URL)) {\n throw new TypeError('url must be an instance of URL');\n }\n this.#url = new URL(url.href);\n this.#timeoutDuration =\n typeof options?.timeoutDuration === 'number' ? options?.timeoutDuration : 5000;\n this.#cooldownDuration =\n typeof options?.cooldownDuration === 'number' ? options?.cooldownDuration : 30000;\n this.#cacheMaxAge = typeof options?.cacheMaxAge === 'number' ? options?.cacheMaxAge : 600000;\n this.#headers = new Headers(options?.headers);\n if (USER_AGENT && !this.#headers.has('User-Agent')) {\n this.#headers.set('User-Agent', USER_AGENT);\n }\n if (!this.#headers.has('accept')) {\n this.#headers.set('accept', 'application/json');\n this.#headers.append('accept', 'application/jwk-set+json');\n }\n this.#customFetch = options?.[customFetch];\n if (options?.[jwksCache] !== undefined) {\n this.#cache = options?.[jwksCache];\n if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {\n this.#jwksTimestamp = this.#cache.uat;\n this.#local = createLocalJWKSet(this.#cache.jwks);\n }\n }\n }\n pendingFetch() {\n return !!this.#pendingFetch;\n }\n coolingDown() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration\n : false;\n }\n fresh() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge\n : false;\n }\n jwks() {\n return this.#local?.jwks();\n }\n async getKey(protectedHeader, token) {\n if (!this.#local \|\| !this.fresh()) {\n await this.reload();\n }\n try {\n return await this.#local(protectedHeader, token);\n }\n catch (err) {\n if (err instanceof JWKSNoMatchingKey) {\n if (this.coolingDown() === false) {\n await this.reload();\n return this.#local(protectedHeader, token);\n }\n }\n throw err;\n }\n }\n async reload() {\n if (this.#pendingFetch && isCloudflareWorkers()) {\n this.#pendingFetch = undefined;\n }\n this.#pendingFetch \|\|= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch)\n .then((json) => {\n this.#local = createLocalJWKSet(json);\n if (this.#cache) {\n this.#cache.uat = Date.now();\n this.#cache.jwks = json;\n }\n this.#jwksTimestamp = Date.now();\n this.#pendingFetch = undefined;\n })\n .catch((err) => {\n this.#pendingFetch = undefined;\n throw err;\n });\n await this.#pendingFetch;\n }\n}\nexport function createRemoteJWKSet(url, options) {\n const set = new RemoteJWKSet(url, options);\n const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(remoteJWKSet, {\n coolingDown: {\n get: () => set.coolingDown(),\n enumerable: true,\n configurable: false,\n },\n fresh: {\n get: () => set.fresh(),\n enumerable: true,\n configurable: false,\n },\n reload: {\n value: () => set.reload(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n reloading: {\n get: () => set.pendingFetch(),\n enumerable: true,\n configurable: false,\n },\n jwks: {\n value: () => set.jwks(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n });\n return remoteJWKSet;\n}\n","import { createRemoteJWKSet, jwtVerify, type JWTVerifyResult } from \"jose\";\r\nimport { DEFAULT_AUTH_URL } from \"./oauth\";\r\n\r\n// Cache JWKS sets by URL to avoid re-fetching constantly\r\n// and to share across client instances if needed\r\nconst jwksCache = new Map<string, ReturnType<typeof createRemoteJWKSet>>();\r\n\r\n/*\r\n Verify a JWT against a public JWKS endpoint\r\n \r\n @param token - The JWT to verify\r\n * @param jwksUrl - The URL of the JWKS endpoint. Defaults to Genation Auth URL.\r\n * @returns The verification result including the payload\r\n /\r\nexport async function verifyToken(\r\n token: string,\r\n jwksUrl: string = `${DEFAULT_AUTH_URL}/.well-known/jwks.json`,\r\n): Promise<JWTVerifyResult> {\r\n let JWKS = jwksCache.get(jwksUrl);\r\n\r\n if (!JWKS) {\r\n JWKS = createRemoteJWKSet(new URL(jwksUrl));\r\n jwksCache.set(jwksUrl, JWKS);\r\n }\r\n\r\n return jwtVerify(token, JWKS);\r\n}\r\n","import type { TokenStorage } from \"../types\";\r\n\r\n/\r\n In-memory storage implementation\r\n * Tokens are lost when page refreshes\r\n /\r\nexport class MemoryStorage implements TokenStorage {\r\n private store = new Map<string, string>();\r\n\r\n async get(key: string): Promise<string \| null> {\r\n return this.store.get(key) ?? null;\r\n }\r\n\r\n async set(key: string, value: string): Promise<void> {\r\n this.store.set(key, value);\r\n }\r\n\r\n async remove(key: string): Promise<void> {\r\n this.store.delete(key);\r\n }\r\n\r\n async clear(): Promise<void> {\r\n this.store.clear();\r\n }\r\n}\r\n","import type { TokenStorage } from \"../types\";\r\n\r\n/\r\n Browser localStorage implementation\r\n * Tokens persist across browser sessions\r\n /\r\nexport class LocalStorage implements TokenStorage {\r\n private prefix: string;\r\n\r\n constructor(prefix = \"genation\") {\r\n this.prefix = prefix;\r\n }\r\n\r\n private getKey(key: string): string {\r\n return `${this.prefix}:${key}`;\r\n }\r\n\r\n async get(key: string): Promise<string \| null> {\r\n if (typeof window === \"undefined\") return null;\r\n return localStorage.getItem(this.getKey(key));\r\n }\r\n\r\n async set(key: string, value: string): Promise<void> {\r\n if (typeof window === \"undefined\") return;\r\n localStorage.setItem(this.getKey(key), value);\r\n }\r\n\r\n async remove(key: string): Promise<void> {\r\n if (typeof window === \"undefined\") return;\r\n localStorage.removeItem(this.getKey(key));\r\n }\r\n\r\n async clear(): Promise<void> {\r\n if (typeof window === \"undefined\") return;\r\n const keys = Object.keys(localStorage).filter((k) =>\r\n k.startsWith(`${this.prefix}:`)\r\n );\r\n keys.forEach((k) => localStorage.removeItem(k));\r\n }\r\n}\r\n","import type { TokenStorage } from \"../types\";\r\n\r\n/\r\n Browser sessionStorage implementation\r\n * Tokens persist until browser tab is closed\r\n /\r\nexport class SessionStorage implements TokenStorage {\r\n private prefix: string;\r\n\r\n constructor(prefix = \"genation\") {\r\n this.prefix = prefix;\r\n }\r\n\r\n private getKey(key: string): string {\r\n return `${this.prefix}:${key}`;\r\n }\r\n\r\n async get(key: string): Promise<string \| null> {\r\n if (typeof window === \"undefined\") return null;\r\n return sessionStorage.getItem(this.getKey(key));\r\n }\r\n\r\n async set(key: string, value: string): Promise<void> {\r\n if (typeof window === \"undefined\") return;\r\n sessionStorage.setItem(this.getKey(key), value);\r\n }\r\n\r\n async remove(key: string): Promise<void> {\r\n if (typeof window === \"undefined\") return;\r\n sessionStorage.removeItem(this.getKey(key));\r\n }\r\n\r\n async clear(): Promise<void> {\r\n if (typeof window === \"undefined\") return;\r\n const keys = Object.keys(sessionStorage).filter((k) =>\r\n k.startsWith(`${this.prefix}:`)\r\n );\r\n keys.forEach((k) => sessionStorage.removeItem(k));\r\n }\r\n}\r\n","/\r\n @fileoverview Storage factory and implementations\r\n * @module storage\r\n /\r\n\r\nimport type { StorageType, TokenStorage } from \"../types\";\r\nimport { MemoryStorage } from \"./memory\";\r\nimport { LocalStorage } from \"./local-storage\";\r\nimport { SessionStorage } from \"./session-storage\";\r\n\r\nexport { MemoryStorage } from \"./memory\";\r\nexport { LocalStorage } from \"./local-storage\";\r\nexport { SessionStorage } from \"./session-storage\";\r\n\r\n/\r\n Create a storage instance based on type\r\n \r\n @param type - Storage type to create\r\n * @returns Storage implementation\r\n \r\n @example\r\n * ```typescript\r\n * const storage = createStorage('localStorage');\r\n * await storage.set('key', 'value');\r\n * ```\r\n /\r\nexport function createStorage(\r\n type: StorageType = \"localStorage\",\r\n): TokenStorage {\r\n switch (type) {\r\n case \"memory\":\r\n return new MemoryStorage();\r\n case \"localStorage\":\r\n return new LocalStorage();\r\n case \"sessionStorage\":\r\n return new SessionStorage();\r\n default:\r\n return new LocalStorage();\r\n }\r\n}\r\n","// Function to convert snake_case to camelCase, handles arrays and objects recursively\r\nexport function snakeToCamel(data: any): any {\r\n if (Array.isArray(data)) {\r\n return data.map(snakeToCamel);\r\n } else if (typeof data === \"object\" && data !== null) {\r\n return Object.fromEntries(\r\n Object.entries(data).map(([key, value]) => [\r\n key.replace(/_([a-z])/g, (_, c) => c.toUpperCase()),\r\n snakeToCamel(value)\r\n ])\r\n );\r\n }\r\n return data;\r\n}","/\r\n @fileoverview Main Genation SDK client\r\n * @module client\r\n /\r\n\r\nimport type {\r\n AuthEvent,\r\n AuthStateChangeCallback,\r\n GenationConfig,\r\n Session,\r\n Subscription,\r\n TokenSet,\r\n TokenStorage,\r\n User,\r\n} from \"./types\";\r\nimport { OAuth2Handler, TokenManager, verifyToken } from \"./auth\";\r\nimport { createStorage } from \"./storage\";\r\nimport { ConfigError, HttpClient } from \"./http\";\r\nimport type { License, LicenseResponse } from \"./types/server/license\";\r\nimport type { ApiResponse } from \"./types/server/api-response\";\r\nimport { snakeToCamel } from \"./utils/converter\";\r\n\r\n// Re-export types for convenience\r\nexport type { AuthEvent, AuthStateChangeCallback, Session, Subscription };\r\n\r\n/\r\n Main Genation SDK client\r\n \r\n OAuth 2.1 authentication client for Genation platform.\r\n * Supports PKCE flow and automatic token refresh.\r\n \r\n @example\r\n * ```typescript\r\n * import { createClient } from 'genation';\r\n \r\n const client = createClient({\r\n * clientId: 'your-client-id',\r\n * clientSecret: 'your-client-secret',\r\n * redirectUri: 'http://localhost:3000/callback'\r\n * });\r\n \r\n // Listen to auth state changes\r\n * const { subscription } = client.onAuthStateChange((event, session) => {\r\n * if (event === 'SIGNED_IN') {\r\n * console.log('User signed in:', session?.user);\r\n * }\r\n * });\r\n \r\n // Start login flow\r\n * window.location.href = await client.signIn();\r\n * ```\r\n /\r\nexport class GenationClient {\r\n private oauth: OAuth2Handler;\r\n private tokenManager: TokenManager;\r\n private jwksUrl: string;\r\n private http: HttpClient;\r\n private httpServer: HttpClient;\r\n private listeners: Set<AuthStateChangeCallback> = new Set();\r\n private initialized = false;\r\n\r\n constructor(config: GenationConfig) {\r\n this.validateConfig(config);\r\n\r\n const storage: TokenStorage = typeof config.storage === \"object\"\r\n ? (config.storage as unknown as TokenStorage)\r\n : createStorage(config.storage);\r\n\r\n const authUrl = config.authUrl ??\r\n \"https://mnnoheowoowbtpuoguul.supabase.co/auth/v1\";\r\n\r\n this.tokenManager = new TokenManager(storage);\r\n this.oauth = new OAuth2Handler(config, this.tokenManager);\r\n this.jwksUrl = `${authUrl}/.well-known/jwks.json`;\r\n\r\n this.http = new HttpClient({\r\n baseUrl: authUrl,\r\n });\r\n this.httpServer = new HttpClient({\r\n baseUrl: \"https://ff-api.genation.ai/api/v2/client\"\r\n });\r\n }\r\n\r\n private validateConfig(config: GenationConfig): void {\r\n if (!config.clientId) throw ConfigError.missingField(\"clientId\");\r\n if (!config.clientSecret) {\r\n throw ConfigError.missingField(\"clientSecret\");\r\n }\r\n if (!config.redirectUri) throw ConfigError.missingField(\"redirectUri\");\r\n }\r\n\r\n /\r\n Emit auth state change event to all listeners\r\n /\r\n private async emitAuthStateChange(event: AuthEvent): Promise<void> {\r\n const session = await this.getSession();\r\n this.listeners.forEach((callback) => {\r\n try {\r\n callback(event, session);\r\n } catch (error) {\r\n console.error(\"Error in auth state change callback:\", error);\r\n }\r\n });\r\n }\r\n\r\n /\r\n Listen to authentication state changes\r\n \r\n Register a callback that fires when:\r\n * - `INITIAL_SESSION`: On first subscription, with current session state\r\n * - `SIGNED_IN`: User successfully authenticated\r\n * - `SIGNED_OUT`: User logged out or session expired\r\n * - `TOKEN_REFRESHED`: Access token was automatically refreshed\r\n \r\n @param callback - Function called on each auth state change\r\n * @returns Object containing subscription with `unsubscribe()` method\r\n \r\n @example\r\n * ```typescript\r\n * const { subscription } = client.onAuthStateChange((event, session) => {\r\n * console.log('Auth event:', event);\r\n \r\n if (event === 'INITIAL_SESSION') {\r\n * // Check if user was previously logged in\r\n * if (session) {\r\n * console.log('Welcome back!', session.user);\r\n * }\r\n * } else if (event === 'SIGNED_IN') {\r\n * // User just signed in\r\n * console.log('Signed in:', session?.user);\r\n * } else if (event === 'SIGNED_OUT') {\r\n * // Clear app state, redirect to login\r\n * console.log('Signed out');\r\n * }\r\n * });\r\n \r\n // Cleanup when component unmounts\r\n * subscription.unsubscribe();\r\n * ```\r\n /\r\n onAuthStateChange(\r\n callback: AuthStateChangeCallback,\r\n ): { subscription: Subscription } {\r\n this.listeners.add(callback);\r\n\r\n // Emit INITIAL_SESSION on first subscription\r\n if (!this.initialized) {\r\n this.initialized = true;\r\n setTimeout(() => {\r\n this.emitAuthStateChange(\"INITIAL_SESSION\");\r\n }, 0);\r\n } else {\r\n // For subsequent subscriptions, also emit current state\r\n setTimeout(() => {\r\n this.emitAuthStateChange(\"INITIAL_SESSION\");\r\n }, 0);\r\n }\r\n\r\n return {\r\n subscription: {\r\n unsubscribe: () => {\r\n this.listeners.delete(callback);\r\n },\r\n },\r\n };\r\n }\r\n\r\n /\r\n Start OAuth sign-in flow\r\n \r\n Generates authorization URL with PKCE challenge.\r\n * Redirect user to this URL to start authentication.\r\n \r\n @returns Authorization URL to redirect user to\r\n \r\n @example\r\n * ```typescript\r\n * async function handleLogin() {\r\n * const url = await client.signIn();\r\n * window.location.href = url;\r\n * }\r\n * ```\r\n /\r\n async signIn(): Promise<string> {\r\n return this.oauth.getAuthorizationUrl();\r\n }\r\n\r\n /\r\n Handle OAuth callback after user authentication\r\n \r\n Call this on your redirect URI page to exchange\r\n * the authorization code for access tokens.\r\n * Triggers `SIGNED_IN` event on success.\r\n \r\n @param code - Authorization code from URL query params\r\n * @param state - State parameter for CSRF validation\r\n * @returns Token set with access and refresh tokens\r\n * @throws {AuthError} If state mismatch or code exchange fails\r\n \r\n @example\r\n * ```typescript\r\n * // On your /callback page\r\n * async function handleCallback() {\r\n * const url = window.location.href;\r\n * await client.handleCallback(url);\r\n * // onAuthStateChange will fire with SIGNED_IN event\r\n * }\r\n * ```\r\n /\r\n async handleCallback(url: string): Promise<TokenSet> {\r\n const params = new URL(url);\r\n const code = params.searchParams.get('code');\r\n const state = params.searchParams.get('state');\r\n if (!code \|\| !state) {\r\n throw new Error('Missing code or state');\r\n }\r\n const tokens = await this.oauth.exchangeCode(code, state);\r\n await this.emitAuthStateChange(\"SIGNED_IN\");\r\n return tokens;\r\n }\r\n\r\n /\r\n Sign out and revoke tokens\r\n \r\n Clears local session.\r\n * Triggers `SIGNED_OUT` event for all listeners.\r\n \r\n @example\r\n * ```typescript\r\n * async function handleLogout() {\r\n * await client.signOut();\r\n * // onAuthStateChange will fire with SIGNED_OUT event\r\n * }\r\n * ```\r\n /\r\n async signOut(): Promise<void> {\r\n // TODO: Server-side signout API is not yet available.\r\n // Once implemented, we should call this.oauth.revokeToken() here.\r\n // await this.oauth.revokeToken();\r\n\r\n await this.tokenManager.clearTokens();\r\n await this.emitAuthStateChange(\"SIGNED_OUT\");\r\n }\r\n\r\n /\r\n Get current session\r\n \r\n Returns session with access token and user info.\r\n * Automatically refreshes token if expired.\r\n \r\n @returns Current session or null if not authenticated\r\n \r\n @example\r\n * ```typescript\r\n * const session = await client.getSession();\r\n * if (session) {\r\n * console.log('Logged in as:', session.user?.email);\r\n \r\n // Use access token for API calls\r\n * fetch('/api/data', {\r\n * headers: { Authorization: `Bearer ${session.accessToken}` }\r\n * });\r\n * }\r\n * ```\r\n /\r\n async getSession(): Promise<Session \| null> {\r\n const isExpired = await this.tokenManager.isTokenExpired();\r\n\r\n if (isExpired) {\r\n try {\r\n await this.oauth.refreshToken();\r\n } catch {\r\n return null;\r\n }\r\n }\r\n\r\n const tokens = await this.tokenManager.getTokens();\r\n if (!tokens) return null;\r\n\r\n const user = await this.fetchUser(tokens.accessToken);\r\n\r\n return {\r\n accessToken: tokens.accessToken,\r\n refreshToken: tokens.refreshToken,\r\n expiresIn: tokens.expiresIn,\r\n expiresAt: tokens.issuedAt + tokens.expiresIn 1000,\r\n user,\r\n };\r\n }\r\n /*\r\n Verify a JWT token\r\n \r\n Validates the token signature using the public JWKS.\r\n \r\n @param token - JWT token to verify\r\n * @returns Decoded token payload if valid\r\n * @throws Error if token is invalid\r\n /\r\n async verifyToken(token: string): Promise<any> {\r\n const { payload } = await verifyToken(token, this.jwksUrl);\r\n return payload;\r\n }\r\n\r\n /\r\n Get licenses\r\n * @param accessToken - The access token to use for the request\r\n * @param options - The options for the request\r\n * @param options.expiresAfter - Query licenses that are expired after the given date, default set to today to get all valid licenses (unexpired licenses)\r\n * @returns The licenses\r\n /\r\n async getLicenses(options: { expiresAfter?: Date } = {}): Promise<License[] \| null> {\r\n const session = await this.getSession();\r\n if (!session) {\r\n return null;\r\n }\r\n const accessToken = session.accessToken;\r\n const { expiresAfter = new Date() } = options;\r\n const response = await this.httpServer.request<ApiResponse<LicenseResponse[]>>(\"/licenses\", {\r\n headers: { Authorization: `Bearer ${accessToken}` },\r\n params: { expiresAfter: expiresAfter.toISOString() }\r\n });\r\n if (!response.ok) {\r\n console.error(\"GenationClient: Error fetching licenses:\", response.error);\r\n return null;\r\n }\r\n const licenses: License[] = snakeToCamel(response.data);\r\n return licenses;\r\n }\r\n /\r\n Fetch user info from auth server\r\n /\r\n private async fetchUser(accessToken: string): Promise<User \| null> {\r\n try {\r\n // Use standard OIDC UserInfo endpoint\r\n // https://supabase.com/docs/guides/auth/oauth-server/oauth-flows#userinfo-endpoint\r\n const response = await this.http.request<{\r\n sub: string;\r\n email?: string;\r\n name?: string;\r\n picture?: string;\r\n email_verified?: boolean;\r\n phone_number?: string;\r\n phone_number_verified?: boolean;\r\n }>(\"/oauth/userinfo\", {\r\n headers: { Authorization: `Bearer ${accessToken}` },\r\n });\r\n\r\n return {\r\n sub: response.sub,\r\n name: response.name,\r\n picture: response.picture,\r\n email: response.email,\r\n email_verified: response.email_verified,\r\n phone_number: response.phone_number,\r\n phone_number_verified: response.phone_number_verified,\r\n };\r\n } catch (error) {\r\n console.error(\"GenationClient: Error fetching user:\", error);\r\n return null;\r\n }\r\n }\r\n}\r\n\r\n/\r\n Create a new Genation client instance\r\n \r\n Factory function for creating SDK client with configuration.\r\n \r\n @param config - Client configuration options\r\n * @returns Configured GenationClient instance\r\n \r\n @example\r\n * ```typescript\r\n * import { createClient } from 'genation';\r\n \r\n const client = createClient({\r\n * clientId: 'your-client-id',\r\n * clientSecret: 'your-client-secret',\r\n * redirectUri: 'http://localhost:3000/callback',\r\n * // Optional\r\n * scopes: ['openid', 'profile', 'email'],\r\n * storage: 'localStorage',\r\n * });\r\n * ```\r\n */\r\nexport function createClient(config: GenationConfig): GenationClient {\r\n return new GenationClient(config);\r\n}\r\n"],"names":["GenationError","message","code","cause","AuthError","NetworkError","status","response","ConfigError","field","HttpClient","config","endpoint","options","method","headers","body","params","url","searchParams","controller","timeoutId","error","data","base64URLEncode","buffer","generateCodeVerifier","array","generateCodeChallenge","verifier","hash","generatePKCE","codeVerifier","codeChallenge","generateState","TOKEN_KEY","PKCE_KEY","STATE_KEY","TokenManager","storage","tokens","expiresAt","state","DEFAULT_AUTH_URL","OAuth2Handler","tokenManager","pkce","storedState","currentTokens","encoder","decoder","concat","buffers","size","acc","length","buf","i","encode","string","bytes","decodeBase64","encoded","binary","decode","input","JOSEError","JWTClaimValidationFailed","payload","claim","reason","JWTExpired","JOSENotSupported","JWSInvalid","JWTInvalid","JWKSInvalid","JWKSNoMatchingKey","JWKSMultipleMatchingKeys","JWKSTimeout","JWSSignatureVerificationFailed","unusable","name","prop","isAlgorithm","algorithm","getHashLength","getNamedCurve","alg","checkUsage","key","usage","checkSigCryptoKey","expected","msg","actual","types","last","invalidKeyInput","withAlg","isCryptoKey","isKeyObject","isKeyLike","isDisjoint","sources","header","parameters","parameter","isObjectLike","value","isObject","proto","checkKeyLength","modulusLength","subtleMapping","jwk","keyUsages","jwkToKey","keyData","importJWK","ext","decodeBase64URL","validateCrit","Err","recognizedDefault","recognizedOption","protectedHeader","joseHeader","recognized","isJWK","isPrivateJWK","isPublicJWK","isSecretJWK","cache","handleJWK","freeze","cached","cryptoKey","handleKeyObject","keyObject","isPublic","extractable","namedCurve","normalizeKey","err","tag","jwkMatchesOp","expectedKeyOp","symmetricTypeCheck","jwk.isJWK","jwk.isSecretJWK","asymmetricTypeCheck","jwk.isPrivateJWK","jwk.isPublicJWK","checkKeyType","subtleAlgorithm","getSigKey","verify","signature","flattenedVerify","jws","parsedProt","b64u","extensions","b64","resolvedKey","k","result","compactVerify","verified","epoch","date","minute","hour","day","week","year","REGEX","secs","str","matched","unit","numericDate","normalizeTyp","checkAudiencePresence","audPayload","audOption","validateClaimsSet","encodedPayload","typ","requiredClaims","issuer","subject","audience","maxTokenAge","presenceCheck","tolerance","currentDate","now","age","max","jwtVerify","jwt","getKtyFromAlg","isJWKSLike","jwks","isJWKLike","LocalJWKSet","#jwks","#cached","token","kid","kty","candidates","candidate","_cached","importWithAlgCache","createLocalJWKSet","set","localJWKSet","isCloudflareWorkers","USER_AGENT","customFetch","fetchJwks","signal","fetchImpl","jwksCache","isFreshJwksCache","cacheMaxAge","RemoteJWKSet","#url","#timeoutDuration","#cooldownDuration","#cacheMaxAge","#jwksTimestamp","#pendingFetch","#headers","#customFetch","#local","#cache","json","createRemoteJWKSet","remoteJWKSet","verifyToken","jwksUrl","JWKS","MemoryStorage","LocalStorage","prefix","SessionStorage","createStorage","type","snakeToCamel","_","c","GenationClient","authUrl","event","session","callback","user","accessToken","expiresAfter","createClient"],"mappings":"gFAGO,MAAMA,UAAsB,KAAM,CAC9B,KACA,MAEP,YAAYC,EAAiBC,EAAcC,EAAiB,CACxD,MAAMF,CAAO,EACb,KAAK,KAAO,gBACZ,KAAK,KAAOC,EACZ,KAAK,MAAQC,CACjB,CACJ,CAKO,MAAMC,UAAkBJ,CAAc,CACzC,YAAYC,EAAiBC,EAAcC,EAAiB,CACxD,MAAMF,EAASC,EAAMC,CAAK,EAC1B,KAAK,KAAO,WAChB,CAEA,OAAO,aACHF,EAAU,8CACZ,CACE,OAAO,IAAIG,EAAUH,EAAS,eAAe,CACjD,CAEA,OAAO,aAAaA,EAAU,qBAAsB,CAChD,OAAO,IAAIG,EAAUH,EAAS,eAAe,CACjD,CAEA,OAAO,aAAaA,EAAU,oBAAqB,CAC/C,OAAO,IAAIG,EAAUH,EAAS,eAAe,CACjD,CAEA,OAAO,aAAaA,EAAU,uCAAwC,CAClE,OAAO,IAAIG,EAAUH,EAAS,eAAe,CACjD,CAEA,OAAO,uBAAuBA,EAAU,2BAA4B,CAChE,OAAO,IAAIG,EAAUH,EAAS,0BAA0B,CAC5D,CACJ,CAKO,MAAMI,UAAqBL,CAAc,CACrC,OAEP,YAAYC,EAAiBK,EAAiBH,EAAiB,CAC3D,MAAMF,EAAS,gBAAiBE,CAAK,EACrC,KAAK,KAAO,eACZ,KAAK,OAASG,CAClB,CAEA,OAAO,aAAaC,EAAoB,CACpC,OAAO,IAAIF,EACP,QAAQE,EAAS,MAAM,KAAKA,EAAS,UAAU,GAC/CA,EAAS,MAAA,CAEjB,CACJ,CAKO,MAAMC,UAAoBR,CAAc,CAC3C,YAAYC,EAAiB,CACzB,MAAMA,EAAS,cAAc,EAC7B,KAAK,KAAO,aAChB,CAEA,OAAO,aAAaQ,EAAe,CAC/B,OAAO,IAAID,EAAY,kCAAkCC,CAAK,EAAE,CACpE,CACJ,CC9DO,MAAMC,CAAW,CACZ,QACA,QAER,YAAYC,EAA0B,CAClC,KAAK,QAAUA,EAAO,QAAQ,QAAQ,MAAO,EAAE,EAC/C,KAAK,QAAUA,EAAO,SAAW,GACrC,CAKA,MAAM,QACFC,EACAC,EAA0B,GAChB,CACV,KAAM,CAAE,OAAAC,EAAS,MAAO,QAAAC,EAAU,CAAA,EAAI,KAAAC,EAAM,OAAAC,GAAWJ,EAGvD,IAAIK,EAAM,GAAG,KAAK,OAAO,GAAGN,CAAQ,GACpC,GAAIK,EAAQ,CACR,MAAME,EAAe,IAAI,gBAAgBF,CAAM,EAC/CC,GAAO,IAAIC,EAAa,SAAA,CAAU,EACtC,CAGA,MAAMC,EAAa,IAAI,gBACjBC,EAAY,WAAW,IAAMD,EAAW,MAAA,EAAS,KAAK,OAAO,EAEnE,GAAI,CACA,MAAMb,EAAW,MAAM,MAAMW,EAAK,CAC9B,OAAAJ,EACA,QAAS,CACL,eAAgB,mBAChB,GAAGC,CAAA,EAEP,KAAMC,EAAO,KAAK,UAAUA,CAAI,EAAI,OACpC,OAAQI,EAAW,MAAA,CACtB,EAID,GAFA,aAAaC,CAAS,EAElB,CAACd,EAAS,GACV,MAAMF,EAAa,aAAaE,CAAQ,EAG5C,OAAO,MAAMA,EAAS,KAAA,CAC1B,OAASe,EAAO,CAGZ,MAFA,aAAaD,CAAS,EAElBC,aAAiBjB,EACXiB,EAGNA,aAAiB,OAASA,EAAM,OAAS,aACnC,IAAIjB,EAAa,kBAAmB,OAAWiB,CAAK,EAGxD,IAAIjB,EAAa,yBAA0B,OAAWiB,CAAK,CACrE,CACJ,CAKA,MAAM,SACFV,EACAW,EACAR,EAAkC,CAAA,EACxB,CACV,MAAMG,EAAM,GAAG,KAAK,OAAO,GAAGN,CAAQ,GAChCQ,EAAa,IAAI,gBACjBC,EAAY,WAAW,IAAMD,EAAW,MAAA,EAAS,KAAK,OAAO,EAEnE,GAAI,CACA,MAAMb,EAAW,MAAM,MAAMW,EAAK,CAC9B,OAAQ,OACR,QAAS,CACL,eAAgB,oCAChB,GAAGH,CAAA,EAEP,KAAM,IAAI,gBAAgBQ,CAAI,EAAE,SAAA,EAChC,OAAQH,EAAW,MAAA,CACtB,EAID,GAFA,aAAaC,CAAS,EAElB,CAACd,EAAS,GACV,MAAMF,EAAa,aAAaE,CAAQ,EAG5C,OAAO,MAAMA,EAAS,KAAA,CAC1B,OAASe,EAAO,CAGZ,MAFA,aAAaD,CAAS,EAElBC,aAAiBjB,EACXiB,EAGJ,IAAIjB,EAAa,yBAA0B,OAAWiB,CAAK,CACrE,CACJ,CACJ,CClHA,SAASE,EAAgBC,EAA4B,CACjD,OAAO,KAAK,OAAO,aAAa,GAAGA,CAAM,CAAC,EACrC,QAAQ,MAAO,GAAG,EAClB,QAAQ,MAAO,GAAG,EAClB,QAAQ,KAAM,EAAE,CACzB,CAMA,SAASC,IAA+B,CACpC,MAAMC,EAAQ,IAAI,WAAW,EAAE,EAC/B,cAAO,gBAAgBA,CAAK,EACrBH,EAAgBG,CAAK,CAChC,CAMA,eAAeC,GAAsBC,EAAmC,CAEpE,MAAMN,EADU,IAAI,YAAA,EACC,OAAOM,CAAQ,EAC9BC,EAAO,MAAM,OAAO,OAAO,OAAO,UAAWP,CAAI,EACvD,OAAOC,EAAgB,IAAI,WAAWM,CAAI,CAAC,CAC/C,CAMA,eAAsBC,IAAuC,CACzD,MAAMC,EAAeN,GAAA,EACfO,EAAgB,MAAML,GAAsBI,CAAY,EAE9D,MAAO,CACH,aAAAA,EACA,cAAAC,EACA,oBAAqB,MAAA,CAE7B,CAKO,SAASC,IAAwB,CACpC,MAAMP,EAAQ,IAAI,WAAW,EAAE,EAC/B,cAAO,gBAAgBA,CAAK,EACrBH,EAAgBG,CAAK,CAChC,CCrDA,MAAMQ,EAAY,SACZC,EAAW,OACXC,EAAY,QAKX,MAAMC,EAAa,CACd,QAER,YAAYC,EAAuB,CAC/B,KAAK,QAAUA,CACnB,CAKA,MAAM,UAAUC,EAAiC,CAC7C,MAAM,KAAK,QAAQ,IAAIL,EAAW,KAAK,UAAUK,CAAM,CAAC,CAC5D,CAKA,MAAM,WAAsC,CACxC,MAAMjB,EAAO,MAAM,KAAK,QAAQ,IAAIY,CAAS,EAC7C,GAAI,CAACZ,EAAM,OAAO,KAElB,GAAI,CACA,OAAO,KAAK,MAAMA,CAAI,CAC1B,MAAQ,CACJ,OAAO,IACX,CACJ,CAKA,MAAM,aAA6B,CAC/B,MAAM,KAAK,QAAQ,OAAOY,CAAS,CACvC,CAKA,MAAM,gBAAmC,CACrC,MAAMK,EAAS,MAAM,KAAK,UAAA,EAC1B,GAAI,CAACA,EAAQ,MAAO,GAEpB,MAAMC,EAAYD,EAAO,SAAWA,EAAO,UAAY,IAEvD,OAAO,KAAK,MAAQC,EAAY,GACpC,CAKA,MAAM,QAAQT,EAAqC,CAC/C,MAAM,KAAK,QAAQ,IAAII,EAAUJ,CAAY,CACjD,CAKA,MAAM,aAAsC,CACxC,MAAMH,EAAW,MAAM,KAAK,QAAQ,IAAIO,CAAQ,EAChD,OAAIP,GACA,MAAM,KAAK,QAAQ,OAAOO,CAAQ,EAE/BP,CACX,CAKA,MAAM,SAASa,EAA8B,CACzC,MAAM,KAAK,QAAQ,IAAIL,EAAWK,CAAK,CAC3C,CAKA,MAAM,cAAuC,CACzC,MAAMA,EAAQ,MAAM,KAAK,QAAQ,IAAIL,CAAS,EAC9C,OAAIK,GACA,MAAM,KAAK,QAAQ,OAAOL,CAAS,EAEhCK,CACX,CAKA,MAAM,UAA0B,CAC5B,MAAM,KAAK,QAAQ,MAAA,CACvB,CACJ,CC7FO,MAAMC,GAAmB,mDAazB,MAAMC,EAAc,CACf,OAKA,KACA,aAER,YACIjC,EACAkC,EACF,CACE,KAAK,OAAS,CACV,SAAUlC,EAAO,SACjB,aAAcA,EAAO,aACrB,YAAaA,EAAO,YACpB,OAAQA,EAAO,OACf,QAASA,EAAO,SAAWgC,EAAA,EAE/B,KAAK,KAAO,IAAIjC,EAAW,CAAE,QAAS,KAAK,OAAO,QAAU,EAC5D,KAAK,aAAemC,CACxB,CAMA,MAAM,qBAAuC,CACzC,MAAMC,EAAO,MAAMf,GAAA,EACbW,EAAQR,GAAA,EAGd,MAAM,KAAK,aAAa,QAAQY,EAAK,YAAY,EACjD,MAAM,KAAK,aAAa,SAASJ,CAAK,EAEtC,MAAMzB,EAAS,IAAI,gBAAgB,CAC/B,cAAe,OACf,UAAW,KAAK,OAAO,SACvB,aAAc,KAAK,OAAO,YAC1B,MAAAyB,EACA,eAAgBI,EAAK,cACrB,sBAAuBA,EAAK,mBAAA,CAC/B,EAED,OAAI,KAAK,OAAO,QAAU,KAAK,OAAO,OAAO,OAAS,GAClD7B,EAAO,OAAO,QAAS,KAAK,OAAO,OAAO,KAAK,GAAG,CAAC,EAGhD,GAAG,KAAK,OAAO,OAAO,oBAAoBA,EAAO,UAAU,EACtE,CAKA,MAAM,aAAaf,EAAcwC,EAAkC,CAE/D,MAAMK,EAAc,MAAM,KAAK,aAAa,aAAA,EAC5C,GAAI,CAACA,GAAeA,IAAgBL,EAChC,MAAMtC,EAAU,aAAA,EAIpB,MAAM4B,EAAe,MAAM,KAAK,aAAa,YAAA,EAC7C,GAAI,CAACA,EACD,MAAM5B,EAAU,uBAAuB,uBAAuB,EAIlE,MAAMG,EAAW,MAAM,KAAK,KAAK,SAC7B,eACA,CACI,WAAY,qBACZ,KAAAL,EACA,aAAc,KAAK,OAAO,YAC1B,UAAW,KAAK,OAAO,SACvB,cAAe,KAAK,OAAO,aAC3B,cAAe8B,CAAA,CACnB,EAGEQ,EAAS,KAAK,iBAAiBjC,CAAQ,EAC7C,aAAM,KAAK,aAAa,UAAUiC,CAAM,EAEjCA,CACX,CAKA,MAAM,cAAkC,CACpC,MAAMQ,EAAgB,MAAM,KAAK,aAAa,UAAA,EAC9C,GAAI,CAACA,GAAe,aAChB,MAAM5C,EAAU,aAAa,4BAA4B,EAG7D,MAAMG,EAAW,MAAM,KAAK,KAAK,SAC7B,eACA,CACI,WAAY,gBACZ,cAAeyC,EAAc,aAC7B,UAAW,KAAK,OAAO,SACvB,cAAe,KAAK,OAAO,YAAA,CAC/B,EAGER,EAAS,KAAK,iBAAiBjC,CAAQ,EAC7C,aAAM,KAAK,aAAa,UAAUiC,CAAM,EAEjCA,CACX,CAKA,MAAM,aAA6B,CAC/B,MAAMA,EAAS,MAAM,KAAK,aAAa,UAAA,EACvC,GAAKA,EAEL,GAAI,CACA,MAAM,KAAK,KAAK,SAAS,gBAAiB,CACtC,MAAOA,EAAO,YACd,UAAW,KAAK,OAAO,SACvB,cAAe,KAAK,OAAO,YAAA,CAC9B,CACL,QAAA,CACI,MAAM,KAAK,aAAa,YAAA,CAC5B,CACJ,CAKQ,iBAAiBjC,EAAmC,CACxD,MAAO,CACH,YAAaA,EAAS,aACtB,aAAcA,EAAS,cACvB,UAAWA,EAAS,WACpB,UAAWA,EAAS,WACpB,SAAU,KAAK,IAAA,EACf,MAAOA,EAAS,KAAA,CAExB,CACJ,CCjKO,MAAM0C,EAAU,IAAI,YACdC,EAAU,IAAI,YAEpB,SAASC,MAAUC,EAAS,CAC/B,MAAMC,EAAOD,EAAQ,OAAO,CAACE,EAAK,CAAE,OAAAC,KAAaD,EAAMC,EAAQ,CAAC,EAC1DC,EAAM,IAAI,WAAWH,CAAI,EAC/B,IAAII,EAAI,EACR,UAAWhC,KAAU2B,EACjBI,EAAI,IAAI/B,EAAQgC,CAAC,EACjBA,GAAKhC,EAAO,OAEhB,OAAO+B,CACX,CAoBO,SAASE,EAAOC,EAAQ,CAC3B,MAAMC,EAAQ,IAAI,WAAWD,EAAO,MAAM,EAC1C,QAASF,EAAI,EAAGA,EAAIE,EAAO,OAAQF,IAAK,CACpC,MAAMvD,EAAOyD,EAAO,WAAWF,CAAC,EAChC,GAAIvD,EAAO,IACP,MAAM,IAAI,UAAU,0CAA0C,EAElE0D,EAAMH,CAAC,EAAIvD,CACf,CACA,OAAO0D,CACX,CC/BO,SAASC,GAAaC,EAAS,CAClC,GAAI,WAAW,WACX,OAAO,WAAW,WAAWA,CAAO,EAExC,MAAMC,EAAS,KAAKD,CAAO,EACrBF,EAAQ,IAAI,WAAWG,EAAO,MAAM,EAC1C,QAASN,EAAI,EAAGA,EAAIM,EAAO,OAAQN,IAC/BG,EAAMH,CAAC,EAAIM,EAAO,WAAWN,CAAC,EAElC,OAAOG,CACX,CCnBO,SAASI,EAAOC,EAAO,CAC1B,GAAI,WAAW,WACX,OAAO,WAAW,WAAW,OAAOA,GAAU,SAAWA,EAAQf,EAAQ,OAAOe,CAAK,EAAG,CACpF,SAAU,WACtB,CAAS,EAEL,IAAIH,EAAUG,EACVH,aAAmB,aACnBA,EAAUZ,EAAQ,OAAOY,CAAO,GAEpCA,EAAUA,EAAQ,QAAQ,KAAM,GAAG,EAAE,QAAQ,KAAM,GAAG,EACtD,GAAI,CACA,OAAOD,GAAaC,CAAO,CAC/B,MACM,CACF,MAAM,IAAI,UAAU,mDAAmD,CAC3E,CACJ,CCnBO,MAAMI,UAAkB,KAAM,CACjC,OAAO,KAAO,mBACd,KAAO,mBACP,YAAYjE,EAASY,EAAS,CAC1B,MAAMZ,EAASY,CAAO,EACtB,KAAK,KAAO,KAAK,YAAY,KAC7B,MAAM,oBAAoB,KAAM,KAAK,WAAW,CACpD,CACJ,CACO,MAAMsD,UAAiCD,CAAU,CACpD,OAAO,KAAO,kCACd,KAAO,kCACP,MACA,OACA,QACA,YAAYjE,EAASmE,EAASC,EAAQ,cAAeC,EAAS,cAAe,CACzE,MAAMrE,EAAS,CAAE,MAAO,CAAE,MAAAoE,EAAO,OAAAC,EAAQ,QAAAF,CAAO,EAAI,EACpD,KAAK,MAAQC,EACb,KAAK,OAASC,EACd,KAAK,QAAUF,CACnB,CACJ,CACO,MAAMG,UAAmBL,CAAU,CACtC,OAAO,KAAO,kBACd,KAAO,kBACP,MACA,OACA,QACA,YAAYjE,EAASmE,EAASC,EAAQ,cAAeC,EAAS,cAAe,CACzE,MAAMrE,EAAS,CAAE,MAAO,CAAE,MAAAoE,EAAO,OAAAC,EAAQ,QAAAF,CAAO,EAAI,EACpD,KAAK,MAAQC,EACb,KAAK,OAASC,EACd,KAAK,QAAUF,CACnB,CACJ,CAKO,MAAMI,UAAyBN,CAAU,CAC5C,OAAO,KAAO,yBACd,KAAO,wBACX,CAYO,MAAMO,UAAmBP,CAAU,CACtC,OAAO,KAAO,kBACd,KAAO,iBACX,CACO,MAAMQ,WAAmBR,CAAU,CACtC,OAAO,KAAO,kBACd,KAAO,iBACX,CAKO,MAAMS,WAAoBT,CAAU,CACvC,OAAO,KAAO,mBACd,KAAO,kBACX,CACO,MAAMU,WAA0BV,CAAU,CAC7C,OAAO,KAAO,2BACd,KAAO,2BACP,YAAYjE,EAAU,kDAAmDY,EAAS,CAC9E,MAAMZ,EAASY,CAAO,CAC1B,CACJ,CACO,MAAMgE,WAAiCX,CAAU,CACpD,CAAC,OAAO,aAAa,EACrB,OAAO,KAAO,kCACd,KAAO,kCACP,YAAYjE,EAAU,uDAAwDY,EAAS,CACnF,MAAMZ,EAASY,CAAO,CAC1B,CACJ,CACO,MAAMiE,WAAoBZ,CAAU,CACvC,OAAO,KAAO,mBACd,KAAO,mBACP,YAAYjE,EAAU,oBAAqBY,EAAS,CAChD,MAAMZ,EAASY,CAAO,CAC1B,CACJ,CACO,MAAMkE,WAAuCb,CAAU,CAC1D,OAAO,KAAO,wCACd,KAAO,wCACP,YAAYjE,EAAU,gCAAiCY,EAAS,CAC5D,MAAMZ,EAASY,CAAO,CAC1B,CACJ,CClGA,MAAMmE,EAAW,CAACC,EAAMC,EAAO,mBAAqB,IAAI,UAAU,kDAAkDA,CAAI,YAAYD,CAAI,EAAE,EACpIE,EAAc,CAACC,EAAWH,IAASG,EAAU,OAASH,EAC5D,SAASI,EAAcvD,EAAM,CACzB,OAAO,SAASA,EAAK,KAAK,MAAM,CAAC,EAAG,EAAE,CAC1C,CACA,SAASwD,GAAcC,EAAK,CACxB,OAAQA,EAAG,CACP,IAAK,QACD,MAAO,QACX,IAAK,QACD,MAAO,QACX,IAAK,QACD,MAAO,QACX,QACI,MAAM,IAAI,MAAM,aAAa,CACzC,CACA,CACA,SAASC,GAAWC,EAAKC,EAAO,CAC5B,GAAa,CAACD,EAAI,OAAO,SAASC,CAAK,EACnC,MAAM,IAAI,UAAU,sEAAsEA,CAAK,GAAG,CAE1G,CACO,SAASC,GAAkBF,EAAKF,EAAKG,EAAO,CAC/C,OAAQH,EAAG,CACP,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACJ,EAAYM,EAAI,UAAW,MAAM,EAClC,MAAMT,EAAS,MAAM,EACzB,MAAMY,EAAW,SAASL,EAAI,MAAM,CAAC,EAAG,EAAE,EAE1C,GADeF,EAAcI,EAAI,UAAU,IAAI,IAChCG,EACX,MAAMZ,EAAS,OAAOY,CAAQ,GAAI,gBAAgB,EACtD,KACJ,CACA,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACT,EAAYM,EAAI,UAAW,mBAAmB,EAC/C,MAAMT,EAAS,mBAAmB,EACtC,MAAMY,EAAW,SAASL,EAAI,MAAM,CAAC,EAAG,EAAE,EAE1C,GADeF,EAAcI,EAAI,UAAU,IAAI,IAChCG,EACX,MAAMZ,EAAS,OAAOY,CAAQ,GAAI,gBAAgB,EACtD,KACJ,CACA,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACT,EAAYM,EAAI,UAAW,SAAS,EACrC,MAAMT,EAAS,SAAS,EAC5B,MAAMY,EAAW,SAASL,EAAI,MAAM,CAAC,EAAG,EAAE,EAE1C,GADeF,EAAcI,EAAI,UAAU,IAAI,IAChCG,EACX,MAAMZ,EAAS,OAAOY,CAAQ,GAAI,gBAAgB,EACtD,KACJ,CACA,IAAK,UACL,IAAK,QAAS,CACV,GAAI,CAACT,EAAYM,EAAI,UAAW,SAAS,EACrC,MAAMT,EAAS,SAAS,EAC5B,KACJ,CACA,IAAK,YACL,IAAK,YACL,IAAK,YAAa,CACd,GAAI,CAACG,EAAYM,EAAI,UAAWF,CAAG,EAC/B,MAAMP,EAASO,CAAG,EACtB,KACJ,CACA,IAAK,QACL,IAAK,QACL,IAAK,QAAS,CACV,GAAI,CAACJ,EAAYM,EAAI,UAAW,OAAO,EACnC,MAAMT,EAAS,OAAO,EAC1B,MAAMY,EAAWN,GAAcC,CAAG,EAElC,GADeE,EAAI,UAAU,aACdG,EACX,MAAMZ,EAASY,EAAU,sBAAsB,EACnD,KACJ,CACA,QACI,MAAM,IAAI,UAAU,2CAA2C,CAC3E,CACIJ,GAAWC,EAAKC,CAAK,CACzB,CCrFA,SAASzF,GAAQ4F,EAAKC,KAAWC,EAAO,CAEpC,GADAA,EAAQA,EAAM,OAAO,OAAO,EACxBA,EAAM,OAAS,EAAG,CAClB,MAAMC,EAAOD,EAAM,IAAG,EACtBF,GAAO,eAAeE,EAAM,KAAK,IAAI,CAAC,QAAQC,CAAI,GACtD,MACSD,EAAM,SAAW,EACtBF,GAAO,eAAeE,EAAM,CAAC,CAAC,OAAOA,EAAM,CAAC,CAAC,IAG7CF,GAAO,WAAWE,EAAM,CAAC,CAAC,IAE9B,OAAID,GAAU,KACVD,GAAO,aAAaC,CAAM,GAErB,OAAOA,GAAW,YAAcA,EAAO,KAC5CD,GAAO,sBAAsBC,EAAO,IAAI,GAEnC,OAAOA,GAAW,UAAYA,GAAU,MACzCA,EAAO,aAAa,OACpBD,GAAO,4BAA4BC,EAAO,YAAY,IAAI,IAG3DD,CACX,CACO,MAAMI,GAAkB,CAACH,KAAWC,IAAU9F,GAAQ,eAAgB6F,EAAQ,GAAGC,CAAK,EAChFG,GAAU,CAACX,EAAKO,KAAWC,IAAU9F,GAAQ,eAAesF,CAAG,sBAAuBO,EAAQ,GAAGC,CAAK,ECrBtGI,GAAeV,GAAQ,CAChC,GAAIA,IAAM,OAAO,WAAW,IAAM,YAC9B,MAAO,GACX,GAAI,CACA,OAAOA,aAAe,SAC1B,MACM,CACF,MAAO,EACX,CACJ,EACaW,GAAeX,GAAQA,IAAM,OAAO,WAAW,IAAM,YACrDY,GAAaZ,GAAQU,GAAYV,CAAG,GAAKW,GAAYX,CAAG,EChB9D,SAASa,MAAcvF,EAAS,CACnC,MAAMwF,EAAUxF,EAAQ,OAAO,OAAO,EACtC,GAAIwF,EAAQ,SAAW,GAAKA,EAAQ,SAAW,EAC3C,MAAO,GAEX,IAAIjD,EACJ,UAAWkD,KAAUD,EAAS,CAC1B,MAAME,EAAa,OAAO,KAAKD,CAAM,EACrC,GAAI,CAAClD,GAAOA,EAAI,OAAS,EAAG,CACxBA,EAAM,IAAI,IAAImD,CAAU,EACxB,QACJ,CACA,UAAWC,KAAaD,EAAY,CAChC,GAAInD,EAAI,IAAIoD,CAAS,EACjB,MAAO,GAEXpD,EAAI,IAAIoD,CAAS,CACrB,CACJ,CACA,MAAO,EACX,CCpBA,MAAMC,GAAgBC,GAAU,OAAOA,GAAU,UAAYA,IAAU,KAChE,SAASC,EAAS5C,EAAO,CAC5B,GAAI,CAAC0C,GAAa1C,CAAK,GAAK,OAAO,UAAU,SAAS,KAAKA,CAAK,IAAM,kBAClE,MAAO,GAEX,GAAI,OAAO,eAAeA,CAAK,IAAM,KACjC,MAAO,GAEX,IAAI6C,EAAQ7C,EACZ,KAAO,OAAO,eAAe6C,CAAK,IAAM,MACpCA,EAAQ,OAAO,eAAeA,CAAK,EAEvC,OAAO,OAAO,eAAe7C,CAAK,IAAM6C,CAC5C,CCbO,SAASC,GAAexB,EAAKE,EAAK,CACrC,GAAIF,EAAI,WAAW,IAAI,GAAKA,EAAI,WAAW,IAAI,EAAG,CAC9C,KAAM,CAAE,cAAAyB,GAAkBvB,EAAI,UAC9B,GAAI,OAAOuB,GAAkB,UAAYA,EAAgB,KACrD,MAAM,IAAI,UAAU,GAAGzB,CAAG,uDAAuD,CAEzF,CACJ,CCNA,SAAS0B,GAAcC,EAAK,CACxB,IAAI9B,EACA+B,EACJ,OAAQD,EAAI,IAAG,CACX,IAAK,MAAO,CACR,OAAQA,EAAI,IAAG,CACX,IAAK,YACL,IAAK,YACL,IAAK,YACD9B,EAAY,CAAE,KAAM8B,EAAI,GAAG,EAC3BC,EAAYD,EAAI,KAAO,CAAC,MAAM,EAAI,CAAC,QAAQ,EAC3C,MACJ,QACI,MAAM,IAAI1C,EAAiB,8DAA8D,CAC7G,CACY,KACJ,CACA,IAAK,MAAO,CACR,OAAQ0C,EAAI,IAAG,CACX,IAAK,QACL,IAAK,QACL,IAAK,QACD9B,EAAY,CAAE,KAAM,UAAW,KAAM,OAAO8B,EAAI,IAAI,MAAM,EAAE,CAAC,EAAE,EAC/DC,EAAYD,EAAI,EAAI,CAAC,MAAM,EAAI,CAAC,QAAQ,EACxC,MACJ,IAAK,QACL,IAAK,QACL,IAAK,QACD9B,EAAY,CAAE,KAAM,oBAAqB,KAAM,OAAO8B,EAAI,IAAI,MAAM,EAAE,CAAC,EAAE,EACzEC,EAAYD,EAAI,EAAI,CAAC,MAAM,EAAI,CAAC,QAAQ,EACxC,MACJ,IAAK,WACL,IAAK,eACL,IAAK,eACL,IAAK,eACD9B,EAAY,CACR,KAAM,WACN,KAAM,OAAO,SAAS8B,EAAI,IAAI,MAAM,EAAE,EAAG,EAAE,GAAK,CAAC,EACzE,EACoBC,EAAYD,EAAI,EAAI,CAAC,UAAW,WAAW,EAAI,CAAC,UAAW,SAAS,EACpE,MACJ,QACI,MAAM,IAAI1C,EAAiB,8DAA8D,CAC7G,CACY,KACJ,CACA,IAAK,KAAM,CACP,OAAQ0C,EAAI,IAAG,CACX,IAAK,QACD9B,EAAY,CAAE,KAAM,QAAS,WAAY,OAAO,EAChD+B,EAAYD,EAAI,EAAI,CAAC,MAAM,EAAI,CAAC,QAAQ,EACxC,MACJ,IAAK,QACD9B,EAAY,CAAE,KAAM,QAAS,WAAY,OAAO,EAChD+B,EAAYD,EAAI,EAAI,CAAC,MAAM,EAAI,CAAC,QAAQ,EACxC,MACJ,IAAK,QACD9B,EAAY,CAAE,KAAM,QAAS,WAAY,OAAO,EAChD+B,EAAYD,EAAI,EAAI,CAAC,MAAM,EAAI,CAAC,QAAQ,EACxC,MACJ,IAAK,UACL,IAAK,iBACL,IAAK,iBACL,IAAK,iBACD9B,EAAY,CAAE,KAAM,OAAQ,WAAY8B,EAAI,GAAG,EAC/CC,EAAYD,EAAI,EAAI,CAAC,YAAY,EAAI,CAAA,EACrC,MACJ,QACI,MAAM,IAAI1C,EAAiB,8DAA8D,CAC7G,CACY,KACJ,CACA,IAAK,MAAO,CACR,OAAQ0C,EAAI,IAAG,CACX,IAAK,UACL,IAAK,QACD9B,EAAY,CAAE,KAAM,SAAS,EAC7B+B,EAAYD,EAAI,EAAI,CAAC,MAAM,EAAI,CAAC,QAAQ,EACxC,MACJ,IAAK,UACL,IAAK,iBACL,IAAK,iBACL,IAAK,iBACD9B,EAAY,CAAE,KAAM8B,EAAI,GAAG,EAC3BC,EAAYD,EAAI,EAAI,CAAC,YAAY,EAAI,CAAA,EACrC,MACJ,QACI,MAAM,IAAI1C,EAAiB,8DAA8D,CAC7G,CACY,KACJ,CACA,QACI,MAAM,IAAIA,EAAiB,6DAA6D,CACpG,CACI,MAAO,CAAE,UAAAY,EAAW,UAAA+B,CAAS,CACjC,CACO,eAAeC,EAASF,EAAK,CAChC,GAAI,CAACA,EAAI,IACL,MAAM,IAAI,UAAU,0DAA0D,EAElF,KAAM,CAAE,UAAA9B,EAAW,UAAA+B,GAAcF,GAAcC,CAAG,EAC5CG,EAAU,CAAE,GAAGH,CAAG,EACxB,OAAIG,EAAQ,MAAQ,OAChB,OAAOA,EAAQ,IAEnB,OAAOA,EAAQ,IACR,OAAO,OAAO,UAAU,MAAOA,EAASjC,EAAW8B,EAAI,KAAQ,EAAAA,EAAI,GAAKA,EAAI,MAAsBA,EAAI,SAAWC,CAAS,CACrI,CCrFO,eAAeG,GAAUJ,EAAK3B,EAAK1E,EAAS,CAC/C,GAAI,CAACgG,EAASK,CAAG,EACb,MAAM,IAAI,UAAU,uBAAuB,EAE/C,IAAIK,EAGJ,OAFAhC,IAAQ2B,EAAI,IACZK,IAAgCL,EAAI,IAC5BA,EAAI,IAAG,CACX,IAAK,MACD,GAAI,OAAOA,EAAI,GAAM,UAAY,CAACA,EAAI,EAClC,MAAM,IAAI,UAAU,yCAAyC,EAEjE,OAAOM,EAAgBN,EAAI,CAAC,EAChC,IAAK,MACD,GAAI,QAASA,GAAOA,EAAI,MAAQ,OAC5B,MAAM,IAAI1C,EAAiB,oEAAoE,EAEnG,OAAO4C,EAAS,CAAE,GAAGF,EAAK,IAAA3B,EAAK,IAAAgC,CAAG,CAAE,EACxC,IAAK,MAAO,CACR,GAAI,OAAOL,EAAI,KAAQ,UAAY,CAACA,EAAI,IACpC,MAAM,IAAI,UAAU,2CAA2C,EAEnE,GAAI3B,IAAQ,QAAaA,IAAQ2B,EAAI,IACjC,MAAM,IAAI,UAAU,uCAAuC,EAE/D,OAAOE,EAAS,CAAE,GAAGF,EAAK,IAAAK,CAAG,CAAE,CACnC,CACA,IAAK,KACL,IAAK,MACD,OAAOH,EAAS,CAAE,GAAGF,EAAK,IAAA3B,EAAK,IAAAgC,CAAG,CAAE,EACxC,QACI,MAAM,IAAI/C,EAAiB,8CAA8C,CACrF,CACA,CCvDO,SAASiD,GAAaC,EAAKC,EAAmBC,EAAkBC,EAAiBC,EAAY,CAChG,GAAIA,EAAW,OAAS,QAAaD,GAAiB,OAAS,OAC3D,MAAM,IAAIH,EAAI,gEAAgE,EAElF,GAAI,CAACG,GAAmBA,EAAgB,OAAS,OAC7C,OAAO,IAAI,IAEf,GAAI,CAAC,MAAM,QAAQA,EAAgB,IAAI,GACnCA,EAAgB,KAAK,SAAW,GAChCA,EAAgB,KAAK,KAAM5D,GAAU,OAAOA,GAAU,UAAYA,EAAM,SAAW,CAAC,EACpF,MAAM,IAAIyD,EAAI,uFAAuF,EAEzG,IAAIK,EAKAA,EAAaJ,EAEjB,UAAWjB,KAAamB,EAAgB,KAAM,CAC1C,GAAI,CAACE,EAAW,IAAIrB,CAAS,EACzB,MAAM,IAAIlC,EAAiB,+BAA+BkC,CAAS,qBAAqB,EAE5F,GAAIoB,EAAWpB,CAAS,IAAM,OAC1B,MAAM,IAAIgB,EAAI,+BAA+BhB,CAAS,cAAc,EAExE,GAAIqB,EAAW,IAAIrB,CAAS,GAAKmB,EAAgBnB,CAAS,IAAM,OAC5D,MAAM,IAAIgB,EAAI,+BAA+BhB,CAAS,+BAA+B,CAE7F,CACA,OAAO,IAAI,IAAImB,EAAgB,IAAI,CACvC,CC/BO,MAAMG,EAASvC,GAAQoB,EAASpB,CAAG,GAAK,OAAOA,EAAI,KAAQ,SACrDwC,GAAgBxC,GAAQA,EAAI,MAAQ,QAC3CA,EAAI,MAAQ,OAAS,OAAOA,EAAI,MAAS,UAAa,OAAOA,EAAI,GAAM,UAChEyC,GAAezC,GAAQA,EAAI,MAAQ,OAASA,EAAI,IAAM,QAAaA,EAAI,OAAS,OAChF0C,GAAe1C,GAAQA,EAAI,MAAQ,OAAS,OAAOA,EAAI,GAAM,SCD1E,IAAI2C,EACJ,MAAMC,EAAY,MAAO5C,EAAKyB,EAAK3B,EAAK+C,EAAS,KAAU,CACvDF,IAAU,IAAI,QACd,IAAIG,EAASH,EAAM,IAAI3C,CAAG,EAC1B,GAAI8C,IAAShD,CAAG,EACZ,OAAOgD,EAAOhD,CAAG,EAErB,MAAMiD,EAAY,MAAMpB,EAAS,CAAE,GAAGF,EAAK,IAAA3B,CAAG,CAAE,EAChD,OAAI+C,GACA,OAAO,OAAO7C,CAAG,EAChB8C,EAIDA,EAAOhD,CAAG,EAAIiD,EAHdJ,EAAM,IAAI3C,EAAK,CAAE,CAACF,CAAG,EAAGiD,CAAS,CAAE,EAKhCA,CACX,EACMC,GAAkB,CAACC,EAAWnD,IAAQ,CACxC6C,IAAU,IAAI,QACd,IAAIG,EAASH,EAAM,IAAIM,CAAS,EAChC,GAAIH,IAAShD,CAAG,EACZ,OAAOgD,EAAOhD,CAAG,EAErB,MAAMoD,EAAWD,EAAU,OAAS,SAC9BE,EAAc,EAAAD,EACpB,IAAIH,EACJ,GAAIE,EAAU,oBAAsB,SAAU,CAC1C,OAAQnD,EAAG,CACP,IAAK,UACL,IAAK,iBACL,IAAK,iBACL,IAAK,iBACD,MACJ,QACI,MAAM,IAAI,UAAU,4DAA4D,CAChG,CACQiD,EAAYE,EAAU,YAAYA,EAAU,kBAAmBE,EAAaD,EAAW,CAAA,EAAK,CAAC,YAAY,CAAC,CAC9G,CACA,GAAID,EAAU,oBAAsB,UAAW,CAC3C,GAAInD,IAAQ,SAAWA,IAAQ,UAC3B,MAAM,IAAI,UAAU,4DAA4D,EAEpFiD,EAAYE,EAAU,YAAYA,EAAU,kBAAmBE,EAAa,CACxED,EAAW,SAAW,MAClC,CAAS,CACL,CACA,OAAQD,EAAU,kBAAiB,CAC/B,IAAK,YACL,IAAK,YACL,IAAK,YAAa,CACd,GAAInD,IAAQmD,EAAU,kBAAkB,YAAW,EAC/C,MAAM,IAAI,UAAU,4DAA4D,EAEpFF,EAAYE,EAAU,YAAYA,EAAU,kBAAmBE,EAAa,CACxED,EAAW,SAAW,MACtC,CAAa,CACL,CACR,CACI,GAAID,EAAU,oBAAsB,MAAO,CACvC,IAAI5G,EACJ,OAAQyD,EAAG,CACP,IAAK,WACDzD,EAAO,QACP,MACJ,IAAK,QACL,IAAK,QACL,IAAK,eACDA,EAAO,UACP,MACJ,IAAK,QACL,IAAK,QACL,IAAK,eACDA,EAAO,UACP,MACJ,IAAK,QACL,IAAK,QACL,IAAK,eACDA,EAAO,UACP,MACJ,QACI,MAAM,IAAI,UAAU,4DAA4D,CAChG,CACQ,GAAIyD,EAAI,WAAW,UAAU,EACzB,OAAOmD,EAAU,YAAY,CACzB,KAAM,WACN,KAAA5G,CAChB,EAAe8G,EAAaD,EAAW,CAAC,SAAS,EAAI,CAAC,SAAS,CAAC,EAExDH,EAAYE,EAAU,YAAY,CAC9B,KAAMnD,EAAI,WAAW,IAAI,EAAI,UAAY,oBACzC,KAAAzD,CACZ,EAAW8G,EAAa,CAACD,EAAW,SAAW,MAAM,CAAC,CAClD,CACA,GAAID,EAAU,oBAAsB,KAAM,CAMtC,MAAMG,EALO,IAAI,IAAI,CACjB,CAAC,aAAc,OAAO,EACtB,CAAC,YAAa,OAAO,EACrB,CAAC,YAAa,OAAO,CACjC,CAAS,EACuB,IAAIH,EAAU,sBAAsB,UAAU,EACtE,GAAI,CAACG,EACD,MAAM,IAAI,UAAU,4DAA4D,EAEhFtD,IAAQ,SAAWsD,IAAe,UAClCL,EAAYE,EAAU,YAAY,CAC9B,KAAM,QACN,WAAAG,CAChB,EAAeD,EAAa,CAACD,EAAW,SAAW,MAAM,CAAC,GAE9CpD,IAAQ,SAAWsD,IAAe,UAClCL,EAAYE,EAAU,YAAY,CAC9B,KAAM,QACN,WAAAG,CAChB,EAAeD,EAAa,CAACD,EAAW,SAAW,MAAM,CAAC,GAE9CpD,IAAQ,SAAWsD,IAAe,UAClCL,EAAYE,EAAU,YAAY,CAC9B,KAAM,QACN,WAAAG,CAChB,EAAeD,EAAa,CAACD,EAAW,SAAW,MAAM,CAAC,GAE9CpD,EAAI,WAAW,SAAS,IACxBiD,EAAYE,EAAU,YAAY,CAC9B,KAAM,OACN,WAAAG,CAChB,EAAeD,EAAaD,EAAW,GAAK,CAAC,YAAY,CAAC,EAEtD,CACA,GAAI,CAACH,EACD,MAAM,IAAI,UAAU,4DAA4D,EAEpF,OAAKD,EAIDA,EAAOhD,CAAG,EAAIiD,EAHdJ,EAAM,IAAIM,EAAW,CAAE,CAACnD,CAAG,EAAGiD,CAAS,CAAE,EAKtCA,CACX,EACO,eAAeM,GAAarD,EAAKF,EAAK,CAIzC,GAHIE,aAAe,YAGfU,GAAYV,CAAG,EACf,OAAOA,EAEX,GAAIW,GAAYX,CAAG,EAAG,CAClB,GAAIA,EAAI,OAAS,SACb,OAAOA,EAAI,OAAM,EAErB,GAAI,gBAAiBA,GAAO,OAAOA,EAAI,aAAgB,WACnD,GAAI,CACA,OAAOgD,GAAgBhD,EAAKF,CAAG,CACnC,OACOwD,EAAK,CACR,GAAIA,aAAe,UACf,MAAMA,CAEd,CAEJ,IAAI7B,EAAMzB,EAAI,OAAO,CAAE,OAAQ,KAAK,CAAE,EACtC,OAAO4C,EAAU5C,EAAKyB,EAAK3B,CAAG,CAClC,CACA,GAAIyC,EAAMvC,CAAG,EACT,OAAIA,EAAI,EACGzB,EAAOyB,EAAI,CAAC,EAEhB4C,EAAU5C,EAAKA,EAAKF,EAAK,EAAI,EAExC,MAAM,IAAI,MAAM,aAAa,CACjC,CC5KA,MAAMyD,EAAOvD,GAAQA,IAAM,OAAO,WAAW,EACvCwD,EAAe,CAAC1D,EAAKE,EAAKC,IAAU,CACtC,GAAID,EAAI,MAAQ,OAAW,CACvB,IAAIG,EACJ,OAAQF,EAAK,CACT,IAAK,OACL,IAAK,SACDE,EAAW,MACX,MACJ,IAAK,UACL,IAAK,UACDA,EAAW,MACX,KAChB,CACQ,GAAIH,EAAI,MAAQG,EACZ,MAAM,IAAI,UAAU,sDAAsDA,CAAQ,gBAAgB,CAE1G,CACA,GAAIH,EAAI,MAAQ,QAAaA,EAAI,MAAQF,EACrC,MAAM,IAAI,UAAU,sDAAsDA,CAAG,gBAAgB,EAEjG,GAAI,MAAM,QAAQE,EAAI,OAAO,EAAG,CAC5B,IAAIyD,EACJ,OAAQ,GAAI,CACR,KAAyBxD,IAAU,SACnC,KAAKH,IAAQ,MACb,KAAKA,EAAI,SAAS,QAAQ,EACtB2D,EAAgBxD,EAChB,MACJ,KAAKH,EAAI,WAAW,OAAO,EACvB2D,EAAgB,aAChB,MACJ,IAAK,0BAA0B,KAAK3D,CAAG,EAC/B,CAACA,EAAI,SAAS,KAAK,GAAKA,EAAI,SAAS,IAAI,EACzC2D,EAAkD,YAGlDA,EAAgBxD,EAEpB,MACJ,KAAKA,IAAU,UACXwD,EAAgB,UAChB,MACJ,KAAKxD,IAAU,UACXwD,EAAgB3D,EAAI,WAAW,KAAK,EAAI,YAAc,aACtD,KAChB,CACQ,GAAI2D,GAAiBzD,EAAI,SAAS,WAAWyD,CAAa,IAAM,GAC5D,MAAM,IAAI,UAAU,+DAA+DA,CAAa,gBAAgB,CAExH,CACA,MAAO,EACX,EACMC,GAAqB,CAAC5D,EAAKE,EAAKC,IAAU,CAC5C,GAAI,EAAAD,aAAe,YAEnB,IAAI2D,EAAU3D,CAAG,EAAG,CAChB,GAAI4D,GAAgB5D,CAAG,GAAKwD,EAAa1D,EAAKE,EAAKC,CAAK,EACpD,OACJ,MAAM,IAAI,UAAU,yHAAyH,CACjJ,CACA,GAAI,CAACW,GAAUZ,CAAG,EACd,MAAM,IAAI,UAAUQ,GAAgBV,EAAKE,EAAK,YAAa,YAAa,eAAgB,YAAY,CAAC,EAEzG,GAAIA,EAAI,OAAS,SACb,MAAM,IAAI,UAAU,GAAGuD,EAAIvD,CAAG,CAAC,8DAA8D,EAErG,EACM6D,GAAsB,CAAC/D,EAAKE,EAAKC,IAAU,CAC7C,GAAI0D,EAAU3D,CAAG,EACb,OAAQC,EAAK,CACT,IAAK,UACL,IAAK,OACD,GAAI6D,GAAiB9D,CAAG,GAAKwD,EAAa1D,EAAKE,EAAKC,CAAK,EACrD,OACJ,MAAM,IAAI,UAAU,uDAAuD,EAC/E,IAAK,UACL,IAAK,SACD,GAAI8D,GAAgB/D,CAAG,GAAKwD,EAAa1D,EAAKE,EAAKC,CAAK,EACpD,OACJ,MAAM,IAAI,UAAU,sDAAsD,CAC1F,CAEI,GAAI,CAACW,GAAUZ,CAAG,EACd,MAAM,IAAI,UAAUQ,GAAgBV,EAAKE,EAAK,YAAa,YAAa,cAAc,CAAC,EAE3F,GAAIA,EAAI,OAAS,SACb,MAAM,IAAI,UAAU,GAAGuD,EAAIvD,CAAG,CAAC,mEAAmE,EAEtG,GAAIA,EAAI,OAAS,SACb,OAAQC,EAAK,CACT,IAAK,OACD,MAAM,IAAI,UAAU,GAAGsD,EAAIvD,CAAG,CAAC,uEAAuE,EAC1G,IAAK,UACD,MAAM,IAAI,UAAU,GAAGuD,EAAIvD,CAAG,CAAC,0EAA0E,CACzH,CAEI,GAAIA,EAAI,OAAS,UACb,OAAQC,EAAK,CACT,IAAK,SACD,MAAM,IAAI,UAAU,GAAGsD,EAAIvD,CAAG,CAAC,wEAAwE,EAC3G,IAAK,UACD,MAAM,IAAI,UAAU,GAAGuD,EAAIvD,CAAG,CAAC,yEAAyE,CACxH,CAEA,EACO,SAASgE,GAAalE,EAAKE,EAAKC,EAAO,CAC1C,OAAQH,EAAI,UAAU,EAAG,CAAC,EAAC,CACvB,IAAK,KACL,IAAK,KACL,IAAK,KACL,IAAK,KACL,IAAK,KACD4D,GAAmB5D,EAAKE,EAAKC,CAAK,EAClC,MACJ,QACI4D,GAAoB/D,EAAKE,EAAKC,CAAK,CAC/C,CACA,CCxHO,SAASgE,GAAgBnE,EAAKH,EAAW,CAC5C,MAAMtD,EAAO,OAAOyD,EAAI,MAAM,EAAE,CAAC,GACjC,OAAQA,EAAG,CACP,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAzD,EAAM,KAAM,MAAM,EAC/B,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAA,EAAM,KAAM,UAAW,WAAY,SAASyD,EAAI,MAAM,EAAE,EAAG,EAAE,GAAK,CAAC,EAChF,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAzD,EAAM,KAAM,mBAAmB,EAC5C,IAAK,QACL,IAAK,QACL,IAAK,QACD,MAAO,CAAE,KAAAA,EAAM,KAAM,QAAS,WAAYsD,EAAU,UAAU,EAClE,IAAK,UACL,IAAK,QACD,MAAO,CAAE,KAAM,SAAS,EAC5B,IAAK,YACL,IAAK,YACL,IAAK,YACD,MAAO,CAAE,KAAMG,CAAG,EACtB,QACI,MAAM,IAAIf,EAAiB,OAAOe,CAAG,6DAA6D,CAC9G,CACA,CC5BO,eAAeoE,GAAUpE,EAAKE,EAAKC,EAAO,CAC7C,GAAID,aAAe,WAAY,CAC3B,GAAI,CAACF,EAAI,WAAW,IAAI,EACpB,MAAM,IAAI,UAAUU,GAAgBR,EAAK,YAAa,YAAa,cAAc,CAAC,EAEtF,OAAO,OAAO,OAAO,UAAU,MAAOA,EAAK,CAAE,KAAM,OAAOF,EAAI,MAAM,EAAE,CAAC,GAAI,KAAM,MAAM,EAAI,GAAO,CAACG,CAAK,CAAC,CAC7G,CACA,OAAAC,GAAkBF,EAAKF,EAAKG,CAAK,EAC1BD,CACX,CCRO,eAAemE,GAAOrE,EAAKE,EAAKoE,EAAWtI,EAAM,CACpD,MAAMiH,EAAY,MAAMmB,GAAUpE,EAAKE,EAAK,QAAQ,EACpDsB,GAAexB,EAAKiD,CAAS,EAC7B,MAAMpD,EAAYsE,GAAgBnE,EAAKiD,EAAU,SAAS,EAC1D,GAAI,CACA,OAAO,MAAM,OAAO,OAAO,OAAOpD,EAAWoD,EAAWqB,EAAWtI,CAAI,CAC3E,MACM,CACF,MAAO,EACX,CACJ,CCHO,eAAeuI,GAAgBC,EAAKtE,EAAK5E,EAAS,CACrD,GAAI,CAACgG,EAASkD,CAAG,EACb,MAAM,IAAItF,EAAW,iCAAiC,EAE1D,GAAIsF,EAAI,YAAc,QAAaA,EAAI,SAAW,OAC9C,MAAM,IAAItF,EAAW,uEAAuE,EAEhG,GAAIsF,EAAI,YAAc,QAAa,OAAOA,EAAI,WAAc,SACxD,MAAM,IAAItF,EAAW,qCAAqC,EAE9D,GAAIsF,EAAI,UAAY,OAChB,MAAM,IAAItF,EAAW,qBAAqB,EAE9C,GAAI,OAAOsF,EAAI,WAAc,SACzB,MAAM,IAAItF,EAAW,yCAAyC,EAElE,GAAIsF,EAAI,SAAW,QAAa,CAAClD,EAASkD,EAAI,MAAM,EAChD,MAAM,IAAItF,EAAW,uCAAuC,EAEhE,IAAIuF,EAAa,CAAA,EACjB,GAAID,EAAI,UACJ,GAAI,CACA,MAAMlC,EAAkBoC,EAAKF,EAAI,SAAS,EAC1CC,EAAa,KAAK,MAAM9G,EAAQ,OAAO2E,CAAe,CAAC,CAC3D,MACM,CACF,MAAM,IAAIpD,EAAW,iCAAiC,CAC1D,CAEJ,GAAI,CAAC6B,GAAW0D,EAAYD,EAAI,MAAM,EAClC,MAAM,IAAItF,EAAW,2EAA2E,EAEpG,MAAMqD,EAAa,CACf,GAAGkC,EACH,GAAGD,EAAI,MACf,EACUG,EAAazC,GAAahD,EAAY,IAAI,IAAI,CAAC,CAAC,MAAO,EAAI,CAAC,CAAC,EAAG5D,GAAS,KAAMmJ,EAAYlC,CAAU,EAC3G,IAAIqC,EAAM,GACV,GAAID,EAAW,IAAI,KAAK,IACpBC,EAAMH,EAAW,IACb,OAAOG,GAAQ,WACf,MAAM,IAAI1F,EAAW,yEAAyE,EAGtG,KAAM,CAAE,IAAAc,CAAG,EAAKuC,EAChB,GAAI,OAAOvC,GAAQ,UAAY,CAACA,EAC5B,MAAM,IAAId,EAAW,2DAA2D,EAMpF,GAAI0F,GACA,GAAI,OAAOJ,EAAI,SAAY,SACvB,MAAM,IAAItF,EAAW,8BAA8B,UAGlD,OAAOsF,EAAI,SAAY,UAAY,EAAEA,EAAI,mBAAmB,YACjE,MAAM,IAAItF,EAAW,wDAAwD,EAEjF,IAAI2F,EAAc,GACd,OAAO3E,GAAQ,aACfA,EAAM,MAAMA,EAAIuE,EAAYD,CAAG,EAC/BK,EAAc,IAElBX,GAAalE,EAAKE,EAAK,QAAQ,EAC/B,MAAMlE,EAAO4B,GAAO4G,EAAI,YAAc,OAAYrG,EAAOqG,EAAI,SAAS,EAAI,IAAI,WAAcrG,EAAO,GAAG,EAAG,OAAOqG,EAAI,SAAY,SAC1HI,EACIzG,EAAOqG,EAAI,OAAO,EAClB9G,EAAQ,OAAO8G,EAAI,OAAO,EAC9BA,EAAI,OAAO,EACjB,IAAIF,EACJ,GAAI,CACAA,EAAYI,EAAKF,EAAI,SAAS,CAClC,MACM,CACF,MAAM,IAAItF,EAAW,0CAA0C,CACnE,CACA,MAAM4F,EAAI,MAAMvB,GAAarD,EAAKF,CAAG,EAErC,GAAI,CADa,MAAMqE,GAAOrE,EAAK8E,EAAGR,EAAWtI,CAAI,EAEjD,MAAM,IAAIwD,GAEd,IAAIX,EACJ,GAAI+F,EACA,GAAI,CACA/F,EAAU6F,EAAKF,EAAI,OAAO,CAC9B,MACM,CACF,MAAM,IAAItF,EAAW,wCAAwC,CACjE,MAEK,OAAOsF,EAAI,SAAY,SAC5B3F,EAAUnB,EAAQ,OAAO8G,EAAI,OAAO,EAGpC3F,EAAU2F,EAAI,QAElB,MAAMO,EAAS,CAAE,QAAAlG,CAAO,EAOxB,OANI2F,EAAI,YAAc,SAClBO,EAAO,gBAAkBN,GAEzBD,EAAI,SAAW,SACfO,EAAO,kBAAoBP,EAAI,QAE/BK,EACO,CAAE,GAAGE,EAAQ,IAAKD,CAAC,EAEvBC,CACX,CCpHO,eAAeC,GAAcR,EAAKtE,EAAK5E,EAAS,CAInD,GAHIkJ,aAAe,aACfA,EAAM7G,EAAQ,OAAO6G,CAAG,GAExB,OAAOA,GAAQ,SACf,MAAM,IAAItF,EAAW,4CAA4C,EAErE,KAAM,CAAE,EAAGoD,EAAiB,EAAGzD,EAAS,EAAGyF,EAAW,OAAAtG,CAAM,EAAKwG,EAAI,MAAM,GAAG,EAC9E,GAAIxG,IAAW,EACX,MAAM,IAAIkB,EAAW,qBAAqB,EAE9C,MAAM+F,EAAW,MAAMV,GAAgB,CAAE,QAAA1F,EAAS,UAAWyD,EAAiB,UAAAgC,CAAS,EAAIpE,EAAK5E,CAAO,EACjGyJ,EAAS,CAAE,QAASE,EAAS,QAAS,gBAAiBA,EAAS,eAAe,EACrF,OAAI,OAAO/E,GAAQ,WACR,CAAE,GAAG6E,EAAQ,IAAKE,EAAS,GAAG,EAElCF,CACX,CCjBA,MAAMG,GAASC,GAAS,KAAK,MAAMA,EAAK,QAAO,EAAK,GAAI,EAClDC,GAAS,GACTC,GAAOD,GAAS,GAChBE,EAAMD,GAAO,GACbE,GAAOD,EAAM,EACbE,GAAOF,EAAM,OACbG,GAAQ,oIACP,SAASC,EAAKC,EAAK,CACtB,MAAMC,EAAUH,GAAM,KAAKE,CAAG,EAC9B,GAAI,CAACC,GAAYA,EAAQ,CAAC,GAAKA,EAAQ,CAAC,EACpC,MAAM,IAAI,UAAU,4BAA4B,EAEpD,MAAMvE,EAAQ,WAAWuE,EAAQ,CAAC,CAAC,EAC7BC,EAAOD,EAAQ,CAAC,EAAE,YAAW,EACnC,IAAIE,EACJ,OAAQD,EAAI,CACR,IAAK,MACL,IAAK,OACL,IAAK,SACL,IAAK,UACL,IAAK,IACDC,EAAc,KAAK,MAAMzE,CAAK,EAC9B,MACJ,IAAK,SACL,IAAK,UACL,IAAK,MACL,IAAK,OACL,IAAK,IACDyE,EAAc,KAAK,MAAMzE,EAAQ+D,EAAM,EACvC,MACJ,IAAK,OACL,IAAK,QACL,IAAK,KACL,IAAK,MACL,IAAK,IACDU,EAAc,KAAK,MAAMzE,EAAQgE,EAAI,EACrC,MACJ,IAAK,MACL,IAAK,OACL,IAAK,IACDS,EAAc,KAAK,MAAMzE,EAAQiE,CAAG,EACpC,MACJ,IAAK,OACL,IAAK,QACL,IAAK,IACDQ,EAAc,KAAK,MAAMzE,EAAQkE,EAAI,EACrC,MACJ,QACIO,EAAc,KAAK,MAAMzE,EAAQmE,EAAI,EACrC,KACZ,CACI,OAAII,EAAQ,CAAC,IAAM,KAAOA,EAAQ,CAAC,IAAM,MAC9B,CAACE,EAELA,CACX,CAOA,MAAMC,EAAgB1E,GACdA,EAAM,SAAS,GAAG,EACXA,EAAM,YAAW,EAErB,eAAeA,EAAM,YAAW,CAAE,GAEvC2E,GAAwB,CAACC,EAAYC,IACnC,OAAOD,GAAe,SACfC,EAAU,SAASD,CAAU,EAEpC,MAAM,QAAQA,CAAU,EACjBC,EAAU,KAAK,IAAI,UAAU,IAAI,KAAK,IAAI,IAAID,CAAU,CAAC,CAAC,EAE9D,GAEJ,SAASE,GAAkB7D,EAAiB8D,EAAgB9K,EAAU,CAAA,EAAI,CAC7E,IAAIuD,EACJ,GAAI,CACAA,EAAU,KAAK,MAAMlB,EAAQ,OAAOyI,CAAc,CAAC,CACvD,MACM,CACN,CACA,GAAI,CAAC9E,EAASzC,CAAO,EACjB,MAAM,IAAIM,GAAW,gDAAgD,EAEzE,KAAM,CAAE,IAAAkH,CAAG,EAAK/K,EAChB,GAAI+K,IACC,OAAO/D,EAAgB,KAAQ,UAC5ByD,EAAazD,EAAgB,GAAG,IAAMyD,EAAaM,CAAG,GAC1D,MAAM,IAAIzH,EAAyB,oCAAqCC,EAAS,MAAO,cAAc,EAE1G,KAAM,CAAE,eAAAyH,EAAiB,GAAI,OAAAC,EAAQ,QAAAC,EAAS,SAAAC,EAAU,YAAAC,CAAW,EAAKpL,EAClEqL,EAAgB,CAAC,GAAGL,CAAc,EACpCI,IAAgB,QAChBC,EAAc,KAAK,KAAK,EACxBF,IAAa,QACbE,EAAc,KAAK,KAAK,EACxBH,IAAY,QACZG,EAAc,KAAK,KAAK,EACxBJ,IAAW,QACXI,EAAc,KAAK,KAAK,EAC5B,UAAW7H,KAAS,IAAI,IAAI6H,EAAc,QAAO,CAAE,EAC/C,GAAI,EAAE7H,KAASD,GACX,MAAM,IAAID,EAAyB,qBAAqBE,CAAK,UAAWD,EAASC,EAAO,SAAS,EAGzG,GAAIyH,GACA,EAAE,MAAM,QAAQA,CAAM,EAAIA,EAAS,CAACA,CAAM,GAAG,SAAS1H,EAAQ,GAAG,EACjE,MAAM,IAAID,EAAyB,+BAAgCC,EAAS,MAAO,cAAc,EAErG,GAAI2H,GAAW3H,EAAQ,MAAQ2H,EAC3B,MAAM,IAAI5H,EAAyB,+BAAgCC,EAAS,MAAO,cAAc,EAErG,GAAI4H,GACA,CAACT,GAAsBnH,EAAQ,IAAK,OAAO4H,GAAa,SAAW,CAACA,CAAQ,EAAIA,CAAQ,EACxF,MAAM,IAAI7H,EAAyB,+BAAgCC,EAAS,MAAO,cAAc,EAErG,IAAI+H,EACJ,OAAQ,OAAOtL,EAAQ,eAAc,CACjC,IAAK,SACDsL,EAAYlB,EAAKpK,EAAQ,cAAc,EACvC,MACJ,IAAK,SACDsL,EAAYtL,EAAQ,eACpB,MACJ,IAAK,YACDsL,EAAY,EACZ,MACJ,QACI,MAAM,IAAI,UAAU,oCAAoC,CACpE,CACI,KAAM,CAAE,YAAAC,CAAW,EAAKvL,EAClBwL,EAAM5B,GAAM2B,GAAe,IAAI,IAAM,EAC3C,IAAKhI,EAAQ,MAAQ,QAAa6H,IAAgB,OAAO7H,EAAQ,KAAQ,SACrE,MAAM,IAAID,EAAyB,+BAAgCC,EAAS,MAAO,SAAS,EAEhG,GAAIA,EAAQ,MAAQ,OAAW,CAC3B,GAAI,OAAOA,EAAQ,KAAQ,SACvB,MAAM,IAAID,EAAyB,+BAAgCC,EAAS,MAAO,SAAS,EAEhG,GAAIA,EAAQ,IAAMiI,EAAMF,EACpB,MAAM,IAAIhI,EAAyB,qCAAsCC,EAAS,MAAO,cAAc,CAE/G,CACA,GAAIA,EAAQ,MAAQ,OAAW,CAC3B,GAAI,OAAOA,EAAQ,KAAQ,SACvB,MAAM,IAAID,EAAyB,+BAAgCC,EAAS,MAAO,SAAS,EAEhG,GAAIA,EAAQ,KAAOiI,EAAMF,EACrB,MAAM,IAAI5H,EAAW,qCAAsCH,EAAS,MAAO,cAAc,CAEjG,CACA,GAAI6H,EAAa,CACb,MAAMK,EAAMD,EAAMjI,EAAQ,IACpBmI,EAAM,OAAON,GAAgB,SAAWA,EAAchB,EAAKgB,CAAW,EAC5E,GAAIK,EAAMH,EAAYI,EAClB,MAAM,IAAIhI,EAAW,2DAA4DH,EAAS,MAAO,cAAc,EAEnH,GAAIkI,EAAM,EAAIH,EACV,MAAM,IAAIhI,EAAyB,gEAAiEC,EAAS,MAAO,cAAc,CAE1I,CACA,OAAOA,CACX,CCrKO,eAAeoI,GAAUC,EAAKhH,EAAK5E,EAAS,CAC/C,MAAM2J,EAAW,MAAMD,GAAckC,EAAKhH,EAAK5E,CAAO,EACtD,GAAI2J,EAAS,gBAAgB,MAAM,SAAS,KAAK,GAAKA,EAAS,gBAAgB,MAAQ,GACnF,MAAM,IAAI9F,GAAW,qCAAqC,EAG9D,MAAM4F,EAAS,CAAE,QADDoB,GAAkBlB,EAAS,gBAAiBA,EAAS,QAAS3J,CAAO,EAC3D,gBAAiB2J,EAAS,eAAe,EACnE,OAAI,OAAO/E,GAAQ,WACR,CAAE,GAAG6E,EAAQ,IAAKE,EAAS,GAAG,EAElCF,CACX,CCXA,SAASoC,GAAcnH,EAAK,CACxB,OAAQ,OAAOA,GAAQ,UAAYA,EAAI,MAAM,EAAG,CAAC,EAAC,CAC9C,IAAK,KACL,IAAK,KACD,MAAO,MACX,IAAK,KACD,MAAO,KACX,IAAK,KACD,MAAO,MACX,IAAK,KACD,MAAO,MACX,QACI,MAAM,IAAIf,EAAiB,gDAAgD,CACvF,CACA,CACA,SAASmI,GAAWC,EAAM,CACtB,OAAQA,GACJ,OAAOA,GAAS,UAChB,MAAM,QAAQA,EAAK,IAAI,GACvBA,EAAK,KAAK,MAAMC,EAAS,CACjC,CACA,SAASA,GAAUpH,EAAK,CACpB,OAAOoB,EAASpB,CAAG,CACvB,CACA,MAAMqH,EAAY,CACdC,GACAC,GAAU,IAAI,QACd,YAAYJ,EAAM,CACd,GAAI,CAACD,GAAWC,CAAI,EAChB,MAAM,IAAIjI,GAAY,4BAA4B,EAEtD,KAAKoI,GAAQ,gBAAgBH,CAAI,CACrC,CACA,MAAO,CACH,OAAO,KAAKG,EAChB,CACA,MAAM,OAAOlF,EAAiBoF,EAAO,CACjC,KAAM,CAAE,IAAA1H,EAAK,IAAA2H,CAAG,EAAK,CAAE,GAAGrF,EAAiB,GAAGoF,GAAO,MAAM,EACrDE,EAAMT,GAAcnH,CAAG,EACvB6H,EAAa,KAAKL,GAAM,KAAK,OAAQ7F,GAAQ,CAC/C,IAAImG,EAAYF,IAAQjG,EAAI,IAa5B,GAZImG,GAAa,OAAOH,GAAQ,WAC5BG,EAAYH,IAAQhG,EAAI,KAExBmG,IAAc,OAAOnG,EAAI,KAAQ,UAAYiG,IAAQ,SACrDE,EAAY9H,IAAQ2B,EAAI,KAExBmG,GAAa,OAAOnG,EAAI,KAAQ,WAChCmG,EAAYnG,EAAI,MAAQ,OAExBmG,GAAa,MAAM,QAAQnG,EAAI,OAAO,IACtCmG,EAAYnG,EAAI,QAAQ,SAAS,QAAQ,GAEzCmG,EACA,OAAQ9H,EAAG,CACP,IAAK,QACD8H,EAAYnG,EAAI,MAAQ,QACxB,MACJ,IAAK,QACDmG,EAAYnG,EAAI,MAAQ,QACxB,MACJ,IAAK,QACDmG,EAAYnG,EAAI,MAAQ,QACxB,MACJ,IAAK,UACL,IAAK,QACDmG,EAAYnG,EAAI,MAAQ,UACxB,KACxB,CAEY,OAAOmG,CACX,CAAC,EACK,CAAE,EAAGnG,EAAK,OAAA3D,CAAM,EAAK6J,EAC3B,GAAI7J,IAAW,EACX,MAAM,IAAIqB,GAEd,GAAIrB,IAAW,EAAG,CACd,MAAMjC,EAAQ,IAAIuD,GACZyI,EAAU,KAAKN,GACrB,MAAA1L,EAAM,OAAO,aAAa,EAAI,iBAAmB,CAC7C,UAAW4F,KAAOkG,EACd,GAAI,CACA,MAAM,MAAMG,EAAmBD,EAASpG,EAAK3B,CAAG,CACpD,MACM,CAAE,CAEhB,EACMjE,CACV,CACA,OAAOiM,EAAmB,KAAKP,GAAS9F,EAAK3B,CAAG,CACpD,CACJ,CACA,eAAegI,EAAmBnF,EAAOlB,EAAK3B,EAAK,CAC/C,MAAMgD,EAASH,EAAM,IAAIlB,CAAG,GAAKkB,EAAM,IAAIlB,EAAK,CAAA,CAAE,EAAE,IAAIA,CAAG,EAC3D,GAAIqB,EAAOhD,CAAG,IAAM,OAAW,CAC3B,MAAME,EAAM,MAAM6B,GAAU,CAAE,GAAGJ,EAAK,IAAK,EAAI,EAAI3B,CAAG,EACtD,GAAIE,aAAe,YAAcA,EAAI,OAAS,SAC1C,MAAM,IAAId,GAAY,8CAA8C,EAExE4D,EAAOhD,CAAG,EAAIE,CAClB,CACA,OAAO8C,EAAOhD,CAAG,CACrB,CACO,SAASiI,EAAkBZ,EAAM,CACpC,MAAMa,EAAM,IAAIX,GAAYF,CAAI,EAC1Bc,EAAc,MAAO7F,EAAiBoF,IAAUQ,EAAI,OAAO5F,EAAiBoF,CAAK,EACvF,cAAO,iBAAiBS,EAAa,CACjC,KAAM,CACF,MAAO,IAAM,gBAAgBD,EAAI,KAAI,CAAE,EACvC,WAAY,GACZ,aAAc,GACd,SAAU,EACtB,CACA,CAAK,EACMC,CACX,CCnHA,SAASC,IAAsB,CAC3B,OAAQ,OAAO,cAAkB,KAC5B,OAAO,UAAc,KAAe,UAAU,YAAc,sBAC5D,OAAO,YAAgB,KAAe,cAAgB,QAC/D,CACA,IAAIC,GACA,OAAO,UAAc,KAAe,CAAC,UAAU,WAAW,aAAa,cAAc,KAGrFA,EAAa,eAEV,MAAMC,GAAc,OAAM,EACjC,eAAeC,GAAU5M,EAAKH,EAASgN,EAAQC,EAAY,MAAO,CAC9D,MAAMzN,EAAW,MAAMyN,EAAU9M,EAAK,CAClC,OAAQ,MACR,OAAA6M,EACA,SAAU,SACV,QAAAhN,CACR,CAAK,EAAE,MAAOgI,GAAQ,CACd,MAAIA,EAAI,OAAS,eACP,IAAIjE,GAERiE,CACV,CAAC,EACD,GAAIxI,EAAS,SAAW,IACpB,MAAM,IAAI2D,EAAU,yDAAyD,EAEjF,GAAI,CACA,OAAO,MAAM3D,EAAS,KAAI,CAC9B,MACM,CACF,MAAM,IAAI2D,EAAU,4DAA4D,CACpF,CACJ,CACO,MAAM+J,EAAY,OAAM,EAC/B,SAASC,GAAiBjK,EAAOkK,EAAa,CAO1C,MANI,SAAOlK,GAAU,UAAYA,IAAU,MAGvC,EAAE,QAASA,IAAU,OAAOA,EAAM,KAAQ,UAAY,KAAK,IAAG,EAAKA,EAAM,KAAOkK,GAGhF,EAAE,SAAUlK,IACZ,CAAC4C,EAAS5C,EAAM,IAAI,GACpB,CAAC,MAAM,QAAQA,EAAM,KAAK,IAAI,GAC9B,CAAC,MAAM,UAAU,MAAM,KAAKA,EAAM,KAAK,KAAM4C,CAAQ,EAI7D,CACA,MAAMuH,EAAa,CACfC,GACAC,GACAC,GACAC,GACAC,GACAC,GACAC,GACAC,GACAC,GACAC,GACA,YAAY5N,EAAKL,EAAS,CACtB,GAAI,EAAEK,aAAe,KACjB,MAAM,IAAI,UAAU,gCAAgC,EAExD,KAAKmN,GAAO,IAAI,IAAInN,EAAI,IAAI,EAC5B,KAAKoN,GACD,OAAOzN,GAAS,iBAAoB,SAAWA,GAAS,gBAAkB,IAC9E,KAAK0N,GACD,OAAO1N,GAAS,kBAAqB,SAAWA,GAAS,iBAAmB,IAChF,KAAK2N,GAAe,OAAO3N,GAAS,aAAgB,SAAWA,GAAS,YAAc,IACtF,KAAK8N,GAAW,IAAI,QAAQ9N,GAAS,OAAO,EACxC+M,GAAc,CAAC,KAAKe,GAAS,IAAI,YAAY,GAC7C,KAAKA,GAAS,IAAI,aAAcf,CAAU,EAEzC,KAAKe,GAAS,IAAI,QAAQ,IAC3B,KAAKA,GAAS,IAAI,SAAU,kBAAkB,EAC9C,KAAKA,GAAS,OAAO,SAAU,0BAA0B,GAE7D,KAAKC,GAAe/N,IAAUgN,EAAW,EACrChN,IAAUoN,CAAS,IAAM,SACzB,KAAKa,GAASjO,IAAUoN,CAAS,EAC7BC,GAAiBrN,IAAUoN,CAAS,EAAG,KAAKO,EAAY,IACxD,KAAKC,GAAiB,KAAKK,GAAO,IAClC,KAAKD,GAASrB,EAAkB,KAAKsB,GAAO,IAAI,GAG5D,CACA,cAAe,CACX,MAAO,CAAC,CAAC,KAAKJ,EAClB,CACA,aAAc,CACV,OAAO,OAAO,KAAKD,IAAmB,SAChC,KAAK,IAAG,EAAK,KAAKA,GAAiB,KAAKF,GACxC,EACV,CACA,OAAQ,CACJ,OAAO,OAAO,KAAKE,IAAmB,SAChC,KAAK,IAAG,EAAK,KAAKA,GAAiB,KAAKD,GACxC,EACV,CACA,MAAO,CACH,OAAO,KAAKK,IAAQ,KAAI,CAC5B,CACA,MAAM,OAAOhH,EAAiBoF,EAAO,EAC7B,CAAC,KAAK4B,IAAU,CAAC,KAAK,MAAK,IAC3B,MAAM,KAAK,OAAM,EAErB,GAAI,CACA,OAAO,MAAM,KAAKA,GAAOhH,EAAiBoF,CAAK,CACnD,OACOlE,EAAK,CACR,GAAIA,aAAenE,IACX,KAAK,YAAW,IAAO,GACvB,aAAM,KAAK,OAAM,EACV,KAAKiK,GAAOhH,EAAiBoF,CAAK,EAGjD,MAAMlE,CACV,CACJ,CACA,MAAM,QAAS,CACP,KAAK2F,IAAiBf,OACtB,KAAKe,GAAgB,QAEzB,KAAKA,KAAkBZ,GAAU,KAAKO,GAAK,KAAM,KAAKM,GAAU,YAAY,QAAQ,KAAKL,EAAgB,EAAG,KAAKM,EAAY,EACxH,KAAMG,GAAS,CAChB,KAAKF,GAASrB,EAAkBuB,CAAI,EAChC,KAAKD,KACL,KAAKA,GAAO,IAAM,KAAK,IAAG,EAC1B,KAAKA,GAAO,KAAOC,GAEvB,KAAKN,GAAiB,KAAK,IAAG,EAC9B,KAAKC,GAAgB,MACzB,CAAC,EACI,MAAO3F,GAAQ,CAChB,WAAK2F,GAAgB,OACf3F,CACV,CAAC,EACD,MAAM,KAAK2F,EACf,CACJ,CACO,SAASM,GAAmB9N,EAAKL,EAAS,CAC7C,MAAM4M,EAAM,IAAIW,GAAalN,EAAKL,CAAO,EACnCoO,EAAe,MAAOpH,EAAiBoF,IAAUQ,EAAI,OAAO5F,EAAiBoF,CAAK,EACxF,cAAO,iBAAiBgC,EAAc,CAClC,YAAa,CACT,IAAK,IAAMxB,EAAI,YAAW,EAC1B,WAAY,GACZ,aAAc,EAC1B,EACQ,MAAO,CACH,IAAK,IAAMA,EAAI,MAAK,EACpB,WAAY,GACZ,aAAc,EAC1B,EACQ,OAAQ,CACJ,MAAO,IAAMA,EAAI,OAAM,EACvB,WAAY,GACZ,aAAc,GACd,SAAU,EACtB,EACQ,UAAW,CACP,IAAK,IAAMA,EAAI,aAAY,EAC3B,WAAY,GACZ,aAAc,EAC1B,EACQ,KAAM,CACF,MAAO,IAAMA,EAAI,KAAI,EACrB,WAAY,GACZ,aAAc,GACd,SAAU,EACtB,CACA,CAAK,EACMwB,CACX,CC7KA,MAAMhB,MAAgB,IAStB,eAAsBiB,GAClBjC,EACAkC,EAAkB,GAAGxM,EAAgB,yBACb,CACxB,IAAIyM,EAAOnB,EAAU,IAAIkB,CAAO,EAEhC,OAAKC,IACDA,EAAOJ,GAAmB,IAAI,IAAIG,CAAO,CAAC,EAC1ClB,EAAU,IAAIkB,EAASC,CAAI,GAGxB5C,GAAUS,EAAOmC,CAAI,CAChC,CCpBO,MAAMC,EAAsC,CACvC,UAAY,IAEpB,MAAM,IAAI5J,EAAqC,CAC3C,OAAO,KAAK,MAAM,IAAIA,CAAG,GAAK,IAClC,CAEA,MAAM,IAAIA,EAAamB,EAA8B,CACjD,KAAK,MAAM,IAAInB,EAAKmB,CAAK,CAC7B,CAEA,MAAM,OAAOnB,EAA4B,CACrC,KAAK,MAAM,OAAOA,CAAG,CACzB,CAEA,MAAM,OAAuB,CACzB,KAAK,MAAM,MAAA,CACf,CACJ,CClBO,MAAM6J,CAAqC,CACtC,OAER,YAAYC,EAAS,WAAY,CAC7B,KAAK,OAASA,CAClB,CAEQ,OAAO9J,EAAqB,CAChC,MAAO,GAAG,KAAK,MAAM,IAAIA,CAAG,EAChC,CAEA,MAAM,IAAIA,EAAqC,CAC3C,OAAI,OAAO,OAAW,IAAoB,KACnC,aAAa,QAAQ,KAAK,OAAOA,CAAG,CAAC,CAChD,CAEA,MAAM,IAAIA,EAAamB,EAA8B,CAC7C,OAAO,OAAW,KACtB,aAAa,QAAQ,KAAK,OAAOnB,CAAG,EAAGmB,CAAK,CAChD,CAEA,MAAM,OAAOnB,EAA4B,CACjC,OAAO,OAAW,KACtB,aAAa,WAAW,KAAK,OAAOA,CAAG,CAAC,CAC5C,CAEA,MAAM,OAAuB,CACzB,GAAI,OAAO,OAAW,IAAa,OACtB,OAAO,KAAK,YAAY,EAAE,OAAQ4E,GAC3CA,EAAE,WAAW,GAAG,KAAK,MAAM,GAAG,CAAA,EAE7B,QAASA,GAAM,aAAa,WAAWA,CAAC,CAAC,CAClD,CACJ,CCjCO,MAAMmF,EAAuC,CACxC,OAER,YAAYD,EAAS,WAAY,CAC7B,KAAK,OAASA,CAClB,CAEQ,OAAO9J,EAAqB,CAChC,MAAO,GAAG,KAAK,MAAM,IAAIA,CAAG,EAChC,CAEA,MAAM,IAAIA,EAAqC,CAC3C,OAAI,OAAO,OAAW,IAAoB,KACnC,eAAe,QAAQ,KAAK,OAAOA,CAAG,CAAC,CAClD,CAEA,MAAM,IAAIA,EAAamB,EAA8B,CAC7C,OAAO,OAAW,KACtB,eAAe,QAAQ,KAAK,OAAOnB,CAAG,EAAGmB,CAAK,CAClD,CAEA,MAAM,OAAOnB,EAA4B,CACjC,OAAO,OAAW,KACtB,eAAe,WAAW,KAAK,OAAOA,CAAG,CAAC,CAC9C,CAEA,MAAM,OAAuB,CACzB,GAAI,OAAO,OAAW,IAAa,OACtB,OAAO,KAAK,cAAc,EAAE,OAAQ4E,GAC7CA,EAAE,WAAW,GAAG,KAAK,MAAM,GAAG,CAAA,EAE7B,QAASA,GAAM,eAAe,WAAWA,CAAC,CAAC,CACpD,CACJ,CCbO,SAASoF,GACZC,EAAoB,eACR,CACZ,OAAQA,EAAA,CACJ,IAAK,SACD,OAAO,IAAIL,GACf,IAAK,eACD,OAAO,IAAIC,EACf,IAAK,iBACD,OAAO,IAAIE,GACf,QACI,OAAO,IAAIF,CAAa,CAEpC,CCtCO,SAASK,EAAapO,EAAgB,CAC3C,OAAI,MAAM,QAAQA,CAAI,EACbA,EAAK,IAAIoO,CAAY,EACnB,OAAOpO,GAAS,UAAYA,IAAS,KACvC,OAAO,YACZ,OAAO,QAAQA,CAAI,EAAE,IAAI,CAAC,CAACkE,EAAKmB,CAAK,IAAM,CACzCnB,EAAI,QAAQ,YAAa,CAACmK,EAAGC,IAAMA,EAAE,aAAa,EAClDF,EAAa/I,CAAK,CAAA,CACnB,CAAA,EAGErF,CACT,CCuCO,MAAMuO,EAAe,CAChB,MACA,aACA,QACA,KACA,WACA,cAA8C,IAC9C,YAAc,GAEtB,YAAYnP,EAAwB,CAChC,KAAK,eAAeA,CAAM,EAE1B,MAAM4B,EAAwB,OAAO5B,EAAO,SAAY,SACjDA,EAAO,QACR8O,GAAc9O,EAAO,OAAO,EAE5BoP,EAAUpP,EAAO,SACnB,mDAEJ,KAAK,aAAe,IAAI2B,GAAaC,CAAO,EAC5C,KAAK,MAAQ,IAAIK,GAAcjC,EAAQ,KAAK,YAAY,EACxD,KAAK,QAAU,GAAGoP,CAAO,yBAEzB,KAAK,KAAO,IAAIrP,EAAW,CACvB,QAASqP,CAAA,CACZ,EACD,KAAK,WAAa,IAAIrP,EAAW,CAC7B,QAAS,0CAAA,CACZ,CACL,CAEQ,eAAeC,EAA8B,CACjD,GAAI,CAACA,EAAO,SAAU,MAAMH,EAAY,aAAa,UAAU,EAC/D,GAAI,CAACG,EAAO,aACR,MAAMH,EAAY,aAAa,cAAc,EAEjD,GAAI,CAACG,EAAO,YAAa,MAAMH,EAAY,aAAa,aAAa,CACzE,CAKA,MAAc,oBAAoBwP,EAAiC,CAC/D,MAAMC,EAAU,MAAM,KAAK,WAAA,EAC3B,KAAK,UAAU,QAASC,GAAa,CACjC,GAAI,CACAA,EAASF,EAAOC,CAAO,CAC3B,OAAS3O,EAAO,CACZ,QAAQ,MAAM,uCAAwCA,CAAK,CAC/D,CACJ,CAAC,CACL,CAqCA,kBACI4O,EAC8B,CAC9B,YAAK,UAAU,IAAIA,CAAQ,EAGtB,KAAK,YAON,WAAW,IAAM,CACb,KAAK,oBAAoB,iBAAiB,CAC9C,EAAG,CAAC,GARJ,KAAK,YAAc,GACnB,WAAW,IAAM,CACb,KAAK,oBAAoB,iBAAiB,CAC9C,EAAG,CAAC,GAQD,CACH,aAAc,CACV,YAAa,IAAM,CACf,KAAK,UAAU,OAAOA,CAAQ,CAClC,CAAA,CACJ,CAER,CAkBA,MAAM,QAA0B,CAC5B,OAAO,KAAK,MAAM,oBAAA,CACtB,CAwBA,MAAM,eAAehP,EAAgC,CACjD,MAAMD,EAAS,IAAI,IAAIC,CAAG,EACpBhB,EAAOe,EAAO,aAAa,IAAI,MAAM,EACrCyB,EAAQzB,EAAO,aAAa,IAAI,OAAO,EAC7C,GAAI,CAACf,GAAQ,CAACwC,EACV,MAAM,IAAI,MAAM,uBAAuB,EAE3C,MAAMF,EAAS,MAAM,KAAK,MAAM,aAAatC,EAAMwC,CAAK,EACxD,aAAM,KAAK,oBAAoB,WAAW,EACnCF,CACX,CAgBA,MAAM,SAAyB,CAK3B,MAAM,KAAK,aAAa,YAAA,EACxB,MAAM,KAAK,oBAAoB,YAAY,CAC/C,CAuBA,MAAM,YAAsC,CAGxC,GAFkB,MAAM,KAAK,aAAa,eAAA,EAGtC,GAAI,CACA,MAAM,KAAK,MAAM,aAAA,CACrB,MAAQ,CACJ,OAAO,IACX,CAGJ,MAAMA,EAAS,MAAM,KAAK,aAAa,UAAA,EACvC,GAAI,CAACA,EAAQ,OAAO,KAEpB,MAAM2N,EAAO,MAAM,KAAK,UAAU3N,EAAO,WAAW,EAEpD,MAAO,CACH,YAAaA,EAAO,YACpB,aAAcA,EAAO,aACrB,UAAWA,EAAO,UAClB,UAAWA,EAAO,SAAWA,EAAO,UAAY,IAChD,KAAA2N,CAAA,CAER,CAUA,MAAM,YAAYlD,EAA6B,CAC3C,KAAM,CAAE,QAAA7I,CAAA,EAAY,MAAM8K,GAAYjC,EAAO,KAAK,OAAO,EACzD,OAAO7I,CACX,CASA,MAAM,YAAYvD,EAAmC,GAA+B,CAChF,MAAMoP,EAAU,MAAM,KAAK,WAAA,EAC3B,GAAI,CAACA,EACD,OAAO,KAEX,MAAMG,EAAcH,EAAQ,YACtB,CAAE,aAAAI,EAAe,IAAI,MAAWxP,EAChCN,EAAW,MAAM,KAAK,WAAW,QAAwC,YAAa,CACxF,QAAS,CAAE,cAAe,UAAU6P,CAAW,EAAA,EAC/C,OAAQ,CAAE,aAAcC,EAAa,aAAY,CAAE,CACtD,EACD,OAAK9P,EAAS,GAIcoP,EAAapP,EAAS,IAAI,GAHlD,QAAQ,MAAM,2CAA4CA,EAAS,KAAK,EACjE,KAIf,CAIA,MAAc,UAAU6P,EAA2C,CAC/D,GAAI,CAGA,MAAM7P,EAAW,MAAM,KAAK,KAAK,QAQ9B,kBAAmB,CAClB,QAAS,CAAE,cAAe,UAAU6P,CAAW,EAAA,CAAG,CACrD,EAED,MAAO,CACH,IAAK7P,EAAS,IACd,KAAMA,EAAS,KACf,QAASA,EAAS,QAClB,MAAOA,EAAS,MAChB,eAAgBA,EAAS,eACzB,aAAcA,EAAS,aACvB,sBAAuBA,EAAS,qBAAA,CAExC,OAASe,EAAO,CACZ,eAAQ,MAAM,uCAAwCA,CAAK,EACpD,IACX,CACJ,CACJ,CAwBO,SAASgP,GAAa3P,EAAwC,CACjE,OAAO,IAAImP,GAAenP,CAAM,CACpC","x_google_ignoreList":[5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29]}