@guardcore/core 1.0.0

@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/models/behavior-rule.ts","../src/models/config.ts","../src/models/dynamic-rules.ts","../src/models/logger.ts","../src/models/route-config.ts","../src/core/events/event-bus.ts","../src/core/events/metrics.ts","../src/handlers/behavior.ts","../src/handlers/dynamic-rules.ts","../src/handlers/ip-ban.ts","../src/handlers/rate-limit.ts","../src/handlers/redis.ts","../src/handlers/security-headers.ts","../src/core/initialization/handler-initializer.ts","../src/core/validation/validator.ts","../src/core/routing/resolver.ts","../src/core/bypass/handler.ts","../src/core/responses/factory.ts","../src/core/behavioral/processor.ts","../src/core/checks/pipeline.ts","../src/core/checks/base.ts","../src/core/checks/implementations/route-config.ts","../src/core/checks/implementations/emergency-mode.ts","../src/core/checks/implementations/https-enforcement.ts","../src/core/checks/implementations/request-logging.ts","../src/core/checks/implementations/request-size-content.ts","../src/core/checks/implementations/required-headers.ts","../src/core/checks/helpers.ts","../src/core/checks/implementations/authentication.ts","../src/core/checks/implementations/referrer.ts","../src/core/checks/implementations/custom-validators.ts","../src/core/checks/implementations/time-window.ts","../src/core/checks/implementations/cloud-ip-refresh.ts","../src/core/checks/implementations/ip-security.ts","../src/core/checks/implementations/cloud-provider.ts","../src/core/checks/implementations/user-agent.ts","../src/core/checks/implementations/rate-limit.ts","../src/core/checks/implementations/suspicious-activity.ts","../src/core/checks/implementations/custom-request.ts","../src/middleware-support.ts","../src/decorators/base.ts","../src/decorators/access-control.ts","../src/decorators/rate-limiting.ts","../src/decorators/authentication.ts","../src/decorators/content-filtering.ts","../src/decorators/behavioral.ts","../src/decorators/advanced.ts","../src/decorators/index.ts"],"
sourcesContent":["export type BehaviorRuleType = 'usage' | 'return_pattern' | 'frequency';\nexport type BehaviorAction = 'ban' | 'log' | 'throttle' | 'alert';\n\nexport class BehaviorRule {\n readonly ruleType: BehaviorRuleType;\n readonly threshold: number;\n readonly window: number;\n readonly pattern: string | null;\n readonly action: BehaviorAction;\n readonly customAction: ((...args: unknown[]) => unknown) | null;\n\n constructor(\n ruleType: BehaviorRuleType,\n threshold: number,\n window = 3600,\n pattern: string | null = null,\n action: BehaviorAction = 'log',\n customAction: ((...args: unknown[]) => unknown) | null = null,\n ) {\n this.ruleType = ruleType;\n this.threshold = threshold;\n this.window = window;\n this.pattern = pattern;\n this.action = action;\n this.customAction = customAction;\n }\n}\n","import * as ipaddr from 'ipaddr.js';\nimport { z } from 'zod';\n\nimport type { GeoIPHandler } from '../protocols/geo-ip.js';\nimport type { GuardRequest } from '../protocols/request.js';\nimport type { GuardResponse } from '../protocols/response.js';\nimport type { Logger } from './logger.js';\n\nfunction isValidIpOrCidr(value: string): boolean {\n if (value.includes('/')) {\n try {\n ipaddr.parseCIDR(value);\n return true;\n } catch {\n return false;\n }\n }\n return ipaddr.isValid(value);\n}\n\nconst VALID_CLOUD_PROVIDERS = ['AWS', 'GCP', 'Azure'] as const;\n\nconst IpOrCidrSchema = z.string().refine(isValidIpOrCidr, 'Invalid IP or CIDR');\n\nconst LogLevel = z.enum(['INFO', 'DEBUG', 'WARNING', 'ERROR', 'CRITICAL']);\n\nexport const SecurityConfigSchema = z.object({\n trustedProxies: z.array(IpOrCidrSchema).default([]),\n trustedProxyDepth: z.number().int().min(1).default(1),\n trustXForwardedProto: z.boolean().default(false),\n\n passiveMode: z.boolean().default(false),\n\n geoIpHandler: z.custom<GeoIPHandler>().optional(),\n geoResolver: z.custom<(ip: string) => string | null>().optional(),\n\n enableRedis: z.boolean().default(true),\n redisUrl: 
z.string().default('redis://localhost:6379'),\n redisPrefix: z.string().default('guard_core:'),\n\n whitelist: z.array(IpOrCidrSchema).nullable().default(null),\n blacklist: z.array(IpOrCidrSchema).default([]),\n\n whitelistCountries: z.array(z.string().length(2)).default([]),\n blockedCountries: z.array(z.string().length(2)).default([]),\n\n blockedUserAgents: z.array(z.string()).default([]),\n\n autoBanThreshold: z.number().int().positive().default(10),\n autoBanDuration: z.number().int().positive().default(3600),\n\n logger: z.custom<Logger>().optional(),\n customLogFile: z.string().nullable().default(null),\n logSuspiciousLevel: LogLevel.nullable().default('WARNING'),\n logRequestLevel: LogLevel.nullable().default(null),\n logFormat: z.enum(['text', 'json']).default('text'),\n\n customErrorResponses: z.record(z.coerce.number(), z.string()).default({}),\n\n rateLimit: z.number().int().positive().default(10),\n rateLimitWindow: z.number().int().positive().default(60),\n\n enforceHttps: z.boolean().default(false),\n\n securityHeaders: z.object({\n enabled: z.boolean().default(true),\n hsts: z.object({\n maxAge: z.number().default(31536000),\n includeSubdomains: z.boolean().default(true),\n preload: z.boolean().default(false),\n }).optional(),\n csp: z.record(z.string(), z.array(z.string())).nullable().default(null),\n frameOptions: z.enum(['DENY', 'SAMEORIGIN']).default('SAMEORIGIN'),\n contentTypeOptions: z.string().default('nosniff'),\n xssProtection: z.string().default('1; mode=block'),\n referrerPolicy: z.string().default('strict-origin-when-cross-origin'),\n permissionsPolicy: z.string().default('geolocation=(), microphone=(), camera=()'),\n custom: z.record(z.string(), z.string()).nullable().default(null),\n }).nullable().default({\n enabled: true,\n hsts: { maxAge: 31536000, includeSubdomains: true, preload: false },\n frameOptions: 'SAMEORIGIN',\n contentTypeOptions: 'nosniff',\n xssProtection: '1; mode=block',\n referrerPolicy: 
'strict-origin-when-cross-origin',\n permissionsPolicy: 'geolocation=(), microphone=(), camera=()',\n csp: null,\n custom: null,\n }),\n\n customRequestCheck: z.custom<(req: GuardRequest) => Promise<GuardResponse | null>>().optional(),\n customResponseModifier: z.custom<(res: GuardResponse) => Promise<GuardResponse>>().optional(),\n\n enableCors: z.boolean().default(false),\n corsAllowOrigins: z.array(z.string()).default(['*']),\n corsAllowMethods: z.array(z.string()).default(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS']),\n corsAllowHeaders: z.array(z.string()).default(['*']),\n corsAllowCredentials: z.boolean().default(false),\n corsExposeHeaders: z.array(z.string()).default([]),\n corsMaxAge: z.number().int().positive().default(600),\n\n blockCloudProviders: z\n .array(z.enum(VALID_CLOUD_PROVIDERS))\n .default([])\n .transform((arr) => new Set(arr)),\n cloudIpRefreshInterval: z.number().int().min(60).max(86400).default(3600),\n\n excludePaths: z.array(z.string()).default([]),\n\n enableIpBanning: z.boolean().default(true),\n enableRateLimiting: z.boolean().default(true),\n enablePenetrationDetection: z.boolean().default(true),\n\n emergencyMode: z.boolean().default(false),\n emergencyWhitelist: z.array(z.string()).default([]),\n\n endpointRateLimits: z.record(z.string(), z.tuple([z.number(), z.number()])).default({}),\n\n detectionCompilerTimeout: z.number().min(0.1).max(10).default(2.0),\n detectionMaxContentLength: z.number().int().min(1000).max(100000).default(10000),\n detectionPreserveAttackPatterns: z.boolean().default(true),\n detectionSemanticThreshold: z.number().min(0).max(1).default(0.7),\n detectionAnomalyThreshold: z.number().min(1).max(10).default(3.0),\n detectionSlowPatternThreshold: z.number().min(0.01).max(1).default(0.1),\n detectionMonitorHistorySize: z.number().int().min(100).max(10000).default(1000),\n detectionMaxTrackedPatterns: z.number().int().min(100).max(5000).default(1000),\n\n enableAgent: z.boolean().default(false),\n 
agentApiKey: z.string().nullable().default(null),\n agentEndpoint: z.string().url().default('https://api.fastapi-guard.com'),\n agentProjectId: z.string().nullable().default(null),\n agentBufferSize: z.number().int().positive().default(100),\n agentFlushInterval: z.number().int().positive().default(30),\n agentEnableEvents: z.boolean().default(true),\n agentEnableMetrics: z.boolean().default(true),\n agentTimeout: z.number().int().positive().default(30),\n agentRetryAttempts: z.number().int().nonnegative().default(3),\n\n enableDynamicRules: z.boolean().default(false),\n dynamicRuleInterval: z.number().int().positive().default(300),\n\n}).superRefine((data, ctx) => {\n if (data.enableAgent && !data.agentApiKey) {\n ctx.addIssue({\n code: 'custom',\n message: 'agentApiKey is required when enableAgent is true',\n path: ['agentApiKey'],\n });\n }\n if (data.enableDynamicRules && !data.enableAgent) {\n ctx.addIssue({\n code: 'custom',\n message: 'enableAgent must be true when enableDynamicRules is true',\n path: ['enableDynamicRules'],\n });\n }\n if (\n (data.blockedCountries.length > 0 || data.whitelistCountries.length > 0) &&\n !data.geoIpHandler &&\n !data.geoResolver\n ) {\n ctx.addIssue({\n code: 'custom',\n message: 'geoIpHandler or geoResolver is required when using country filtering',\n path: ['geoIpHandler'],\n });\n }\n});\n\nexport type SecurityConfig = z.input<typeof SecurityConfigSchema>;\nexport type ResolvedSecurityConfig = z.output<typeof SecurityConfigSchema>;\n","import { z } from 'zod';\n\nconst VALID_CLOUD_PROVIDERS = ['AWS', 'GCP', 'Azure'] as const;\n\nexport const DynamicRulesSchema = z.object({\n ruleId: z.string(),\n version: z.number().int(),\n timestamp: z.string().datetime(),\n expiresAt: z.string().datetime().nullable().default(null),\n ttl: z.number().int().default(300),\n ipBlacklist: z.array(z.string()).default([]),\n ipWhitelist: z.array(z.string()).default([]),\n ipBanDuration: z.number().int().default(3600),\n blockedCountries: 
z.array(z.string().length(2)).default([]),\n whitelistCountries: z.array(z.string().length(2)).default([]),\n globalRateLimit: z.number().int().nullable().default(null),\n globalRateWindow: z.number().int().nullable().default(null),\n endpointRateLimits: z.record(z.string(), z.tuple([z.number(), z.number()])).default({}),\n blockedCloudProviders: z\n .array(z.enum(VALID_CLOUD_PROVIDERS))\n .default([])\n .transform((arr) => new Set(arr)),\n blockedUserAgents: z.array(z.string()).default([]),\n suspiciousPatterns: z.array(z.string()).default([]),\n enablePenetrationDetection: z.boolean().nullable().default(null),\n enableIpBanning: z.boolean().nullable().default(null),\n enableRateLimiting: z.boolean().nullable().default(null),\n emergencyMode: z.boolean().default(false),\n emergencyWhitelist: z.array(z.string()).default([]),\n});\n\nexport type DynamicRules = z.output<typeof DynamicRulesSchema>;\n","export interface Logger {\n info(message: string, ...args: unknown[]): void;\n warn(message: string, ...args: unknown[]): void;\n error(message: string, ...args: unknown[]): void;\n debug(message: string, ...args: unknown[]): void;\n}\n\nexport const defaultLogger: Logger = {\n info: (msg, ...args) => console.info(`[guard-core] ${msg}`, ...args),\n warn: (msg, ...args) => console.warn(`[guard-core] ${msg}`, ...args),\n error: (msg, ...args) => console.error(`[guard-core] ${msg}`, ...args),\n debug: (msg, ...args) => console.debug(`[guard-core] ${msg}`, ...args),\n};\n","import type { GuardRequest } from '../protocols/request.js';\nimport type { GuardResponse } from '../protocols/response.js';\nimport type { BehaviorRule } from './behavior-rule.js';\n\nexport class RouteConfig {\n rateLimit: number | null = null;\n rateLimitWindow: number | null = null;\n ipWhitelist: string[] | null = null;\n ipBlacklist: string[] | null = null;\n blockedCountries: string[] | null = null;\n whitelistCountries: string[] | null = null;\n bypassedChecks: Set<string> = new Set();\n 
requireHttps = false;\n authRequired: string | null = null;\n customValidators: Array<(request: GuardRequest) => Promise<GuardResponse | null>> = [];\n blockedUserAgents: string[] = [];\n requiredHeaders: Record<string, string> = {};\n behaviorRules: BehaviorRule[] = [];\n blockCloudProviders: Set<string> = new Set();\n maxRequestSize: number | null = null;\n allowedContentTypes: string[] | null = null;\n timeRestrictions: { start: string; end: string } | null = null;\n enableSuspiciousDetection = true;\n requireReferrer: string[] | null = null;\n apiKeyRequired = false;\n sessionLimits: Record<string, number> | null = null;\n geoRateLimits: Record<string, [number, number]> | null = null;\n}\n","import type { ResolvedSecurityConfig } from '../../models/config.js';\nimport type { Logger } from '../../models/logger.js';\nimport type { AgentHandlerProtocol } from '../../protocols/agent.js';\nimport type { GeoIPHandler } from '../../protocols/geo-ip.js';\nimport type { GuardRequest } from '../../protocols/request.js';\n\nexport class SecurityEventBus {\n constructor(\n private readonly agentHandler: AgentHandlerProtocol | null,\n private readonly config: ResolvedSecurityConfig,\n private readonly logger: Logger,\n private readonly geoIpHandler: GeoIPHandler | null = null,\n ) {}\n\n async sendMiddlewareEvent(\n eventType: string,\n request: GuardRequest,\n actionTaken: string,\n reason: string,\n metadata?: Record<string, unknown>,\n ): Promise<void> {\n if (!this.agentHandler || !this.config.agentEnableEvents) return;\n\n try {\n const clientIp = request.clientHost ?? 'unknown';\n let country: string | null = null;\n\n if (this.geoIpHandler) {\n try { country = this.geoIpHandler.getCountry(clientIp); } catch { /* ignore */ }\n }\n\n await this.agentHandler.sendEvent({\n timestamp: new Date(),\n eventType,\n ipAddress: clientIp,\n country,\n userAgent: request.headers['user-agent'] ?? 
null,\n actionTaken,\n reason,\n endpoint: request.urlPath,\n method: request.method,\n metadata: metadata ?? {},\n });\n } catch (e) {\n this.logger.error(`Failed to send security event: ${e}`);\n }\n }\n\n async sendHttpsViolationEvent(\n request: GuardRequest,\n isRouteSpecific: boolean,\n ): Promise<void> {\n const httpsUrl = request.urlReplaceScheme('https');\n\n if (isRouteSpecific) {\n await this.sendMiddlewareEvent(\n 'decorator_violation', request, 'https_redirect',\n 'Route requires HTTPS but request was HTTP',\n { decoratorType: 'authentication', violationType: 'require_https', redirectUrl: httpsUrl },\n );\n } else {\n await this.sendMiddlewareEvent(\n 'https_enforced', request, 'https_redirect',\n 'HTTP request redirected to HTTPS for security',\n { originalScheme: request.urlScheme, redirectUrl: httpsUrl },\n );\n }\n }\n\n async sendCloudDetectionEvents(\n request: GuardRequest,\n clientIp: string,\n providers: string[],\n passiveMode: boolean,\n ): Promise<void> {\n await this.sendMiddlewareEvent(\n 'cloud_detection', request,\n /* v8 ignore next -- V8 cannot track ternary branch coverage inside string template literal */\n passiveMode ? 
'logged_only' : 'request_blocked',\n `Cloud provider IP ${clientIp} detected`,\n { blockedProviders: providers },\n );\n }\n}\n","import type { ResolvedSecurityConfig } from '../../models/config.js';\nimport type { Logger } from '../../models/logger.js';\nimport type { AgentHandlerProtocol } from '../../protocols/agent.js';\nimport type { GuardRequest } from '../../protocols/request.js';\n\nexport class MetricsCollector {\n constructor(\n private readonly agentHandler: AgentHandlerProtocol | null,\n private readonly config: ResolvedSecurityConfig,\n private readonly logger: Logger,\n ) {}\n\n async sendMetric(\n metricType: string,\n value: number,\n tags?: Record<string, string>,\n ): Promise<void> {\n if (!this.agentHandler || !this.config.agentEnableMetrics) return;\n\n try {\n await this.agentHandler.sendMetric({\n timestamp: new Date(),\n metricType,\n value,\n tags: tags ?? {},\n });\n } catch (e) {\n this.logger.error(`Failed to send metric: ${e}`);\n }\n }\n\n async collectRequestMetrics(\n request: GuardRequest,\n responseTime: number,\n statusCode: number,\n ): Promise<void> {\n if (!this.agentHandler || !this.config.agentEnableMetrics) return;\n\n const endpoint = request.urlPath;\n const method = request.method;\n const tags = { endpoint, method, status: String(statusCode) };\n\n await this.sendMetric('response_time', responseTime, tags);\n await this.sendMetric('request_count', 1.0, { endpoint, method });\n\n if (statusCode >= 400) {\n await this.sendMetric('error_rate', 1.0, tags);\n }\n }\n}\n","import type { ResolvedSecurityConfig } from '../models/config.js';\nimport type { Logger } from '../models/logger.js';\nimport type { BehaviorAction, BehaviorRule } from '../models/behavior-rule.js';\nimport type { AgentHandlerProtocol } from '../protocols/agent.js';\nimport type { GuardResponse } from '../protocols/response.js';\nimport type { RedisManager } from './redis.js';\n\nexport class BehaviorTracker {\n private usageCounts = new Map<string, 
Map<string, number[]>>();\n private returnPatterns = new Map<string, Map<string, number[]>>();\n private redisHandler: RedisManager | null = null;\n private agentHandler: AgentHandlerProtocol | null = null;\n\n constructor(\n private readonly config: ResolvedSecurityConfig,\n private readonly logger: Logger,\n ) {}\n\n async initializeRedis(redisHandler: RedisManager): Promise<void> {\n this.redisHandler = redisHandler;\n }\n\n async initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void> {\n this.agentHandler = agentHandler;\n }\n\n async trackEndpointUsage(endpointId: string, clientIp: string, rule: BehaviorRule): Promise<boolean> {\n const now = Date.now() / 1000;\n const windowStart = now - rule.window;\n\n if (!this.usageCounts.has(endpointId)) {\n this.usageCounts.set(endpointId, new Map());\n }\n const endpointMap = this.usageCounts.get(endpointId)!;\n\n if (!endpointMap.has(clientIp)) {\n endpointMap.set(clientIp, []);\n }\n const timestamps = endpointMap.get(clientIp)!;\n\n const validIdx = timestamps.findIndex((t) => t > windowStart);\n /* v8 ignore next -- branch-only gap in validIndex timestamp cleanup condition */\n if (validIdx > 0) timestamps.splice(0, validIdx);\n else if (validIdx === -1) timestamps.length = 0;\n\n timestamps.push(now);\n\n return timestamps.length > rule.threshold;\n }\n\n async trackReturnPattern(\n endpointId: string,\n clientIp: string,\n response: GuardResponse,\n rule: BehaviorRule,\n ): Promise<boolean> {\n if (!rule.pattern) return false;\n\n const matched = this.checkResponsePattern(response, rule.pattern);\n if (!matched) return false;\n\n const now = Date.now() / 1000;\n const windowStart = now - rule.window;\n const key = `${endpointId}:${rule.pattern}`;\n\n if (!this.returnPatterns.has(key)) {\n this.returnPatterns.set(key, new Map());\n }\n const patternMap = this.returnPatterns.get(key)!;\n\n if (!patternMap.has(clientIp)) {\n patternMap.set(clientIp, []);\n }\n const timestamps = 
patternMap.get(clientIp)!;\n\n const validIdx = timestamps.findIndex((t) => t > windowStart);\n /* v8 ignore next -- branch-only gap in validIndex timestamp cleanup condition */\n if (validIdx > 0) timestamps.splice(0, validIdx);\n else if (validIdx === -1) timestamps.length = 0;\n\n timestamps.push(now);\n\n return timestamps.length > rule.threshold;\n }\n\n private checkResponsePattern(response: GuardResponse, pattern: string): boolean {\n if (pattern.startsWith('status:')) {\n const code = parseInt(pattern.slice(7), 10);\n return response.statusCode === code;\n }\n\n if (pattern.startsWith('regex:')) {\n const re = new RegExp(pattern.slice(6), 'i');\n return response.bodyText ? re.test(response.bodyText) : false;\n }\n\n if (pattern.startsWith('json:')) {\n if (!response.bodyText) return false;\n try {\n const data = JSON.parse(response.bodyText);\n const path = pattern.slice(5);\n const parts = path.split('.');\n let current: unknown = data;\n for (const part of parts) {\n /* v8 ignore next -- JSON path traversal null guard; requires partial JSON structure */\n if (current === null || current === undefined) return false;\n current = (current as Record<string, unknown>)[part];\n }\n return current !== undefined && current !== null;\n } catch { return false; }\n }\n\n /* v8 ignore next -- branch-only gap in bodyText includes fallback */\n return response.bodyText ? 
response.bodyText.includes(pattern) : false;\n }\n\n async applyAction(\n rule: BehaviorRule,\n clientIp: string,\n endpointId: string,\n details: string,\n ): Promise<void> {\n if (this.config.passiveMode) {\n this.logger.info(`[PASSIVE] Would ${rule.action} ${clientIp} for ${details}`);\n return;\n }\n\n switch (rule.action) {\n case 'ban':\n this.logger.warn(`Behavioral ban: ${clientIp} - ${details}`);\n break;\n case 'log':\n this.logger.info(`Behavioral log: ${clientIp} - ${details}`);\n break;\n case 'throttle':\n this.logger.info(`Behavioral throttle: ${clientIp} - ${details}`);\n break;\n case 'alert':\n this.logger.warn(`Behavioral alert: ${clientIp} - ${details}`);\n break;\n }\n\n if (rule.customAction) {\n try { rule.customAction(rule.action, clientIp, endpointId, details); } catch { /* ignore */ }\n }\n\n if (this.agentHandler) {\n try {\n await this.agentHandler.sendEvent({\n eventType: 'behavioral_action',\n ipAddress: clientIp,\n actionTaken: rule.action,\n reason: details,\n metadata: { endpointId, ruleType: rule.ruleType, threshold: rule.threshold },\n });\n } catch { /* never throw */ }\n }\n }\n\n async reset(): Promise<void> {\n this.usageCounts.clear();\n this.returnPatterns.clear();\n }\n}\n","import type { ResolvedSecurityConfig } from '../models/config.js';\nimport { DynamicRulesSchema } from '../models/dynamic-rules.js';\nimport type { DynamicRules } from '../models/dynamic-rules.js';\nimport type { Logger } from '../models/logger.js';\nimport type { AgentHandlerProtocol } from '../protocols/agent.js';\nimport type { RedisManager } from './redis.js';\n\nexport class DynamicRuleManager {\n private currentRules: DynamicRules | null = null;\n private updateTimer: ReturnType<typeof setInterval> | null = null;\n private lastUpdate = 0;\n private agentHandler: AgentHandlerProtocol | null = null;\n private redisHandler: RedisManager | null = null;\n\n constructor(\n private readonly config: ResolvedSecurityConfig,\n private readonly logger: 
Logger,\n ) {}\n\n async initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void> {\n this.agentHandler = agentHandler;\n if (this.config.enableDynamicRules) {\n this.startUpdateLoop();\n }\n }\n\n async initializeRedis(redisHandler: RedisManager): Promise<void> {\n this.redisHandler = redisHandler;\n }\n\n private startUpdateLoop(): void {\n if (this.updateTimer) return;\n /* v8 ignore next -- setInterval timer assignment; already tested via initializeAgent */\n this.updateTimer = setInterval(\n () => { this.updateRules().catch((e) => this.logger.error(`Rule update failed: ${e}`)); },\n this.config.dynamicRuleInterval * 1000,\n );\n }\n\n async updateRules(): Promise<void> {\n if (!this.agentHandler) return;\n\n try {\n const rawRules = await this.agentHandler.getDynamicRules();\n if (!rawRules) return;\n\n const parsed = DynamicRulesSchema.safeParse(rawRules);\n if (!parsed.success) {\n this.logger.warn(`Invalid dynamic rules: ${parsed.error.message}`);\n return;\n }\n\n const rules = parsed.data;\n\n if (this.currentRules &&\n this.currentRules.ruleId === rules.ruleId &&\n this.currentRules.version >= rules.version) {\n return;\n }\n\n this.currentRules = rules;\n this.lastUpdate = Date.now() / 1000;\n\n this.logger.info(`Applied dynamic rules: ${rules.ruleId} v${rules.version}`);\n\n if (this.agentHandler) {\n try {\n await this.agentHandler.sendEvent({\n eventType: 'dynamic_rule_applied',\n ipAddress: 'system',\n actionTaken: 'rules_updated',\n reason: `Applied rules ${rules.ruleId} v${rules.version}`,\n });\n } catch { /* never throw */ }\n }\n } catch (e) {\n this.logger.error(`Failed to fetch dynamic rules: ${e}`);\n }\n }\n\n getCurrentRules(): DynamicRules | null {\n return this.currentRules;\n }\n\n async forceUpdate(): Promise<void> {\n await this.updateRules();\n }\n\n async stop(): Promise<void> {\n if (this.updateTimer) {\n clearInterval(this.updateTimer);\n this.updateTimer = null;\n }\n }\n}\n","import type { Logger } from 
'../models/logger.js';\nimport type { AgentHandlerProtocol } from '../protocols/agent.js';\nimport type { RedisManager } from './redis.js';\n\ninterface BanEntry {\n expiresAt: number;\n reason: string;\n bannedAt: number;\n}\n\nexport class IPBanManager {\n private bannedIps = new Map<string, BanEntry>();\n private redisHandler: RedisManager | null = null;\n private agentHandler: AgentHandlerProtocol | null = null;\n private readonly maxSize = 10000;\n\n constructor(private readonly logger: Logger) {}\n\n async initializeRedis(redisHandler: RedisManager): Promise<void> {\n this.redisHandler = redisHandler;\n }\n\n async initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void> {\n this.agentHandler = agentHandler;\n }\n\n async banIp(ip: string, duration: number, reason: string): Promise<void> {\n const now = Date.now() / 1000;\n const expiresAt = now + duration;\n\n if (this.bannedIps.size >= this.maxSize) {\n const oldestKey = this.bannedIps.keys().next().value;\n if (oldestKey) this.bannedIps.delete(oldestKey);\n }\n\n this.bannedIps.set(ip, { expiresAt, reason, bannedAt: now });\n\n if (this.redisHandler) {\n await this.redisHandler.setKey('banned_ips', ip, String(expiresAt), duration);\n }\n\n if (this.agentHandler) {\n try {\n await this.agentHandler.sendEvent({\n eventType: 'ip_banned',\n ipAddress: ip,\n actionTaken: 'ip_banned',\n reason,\n metadata: { duration, expiresAt },\n });\n } catch { /* never throw from event dispatch */ }\n }\n\n this.logger.info(`IP banned: ${ip} for ${duration}s - ${reason}`);\n }\n\n async isIpBanned(ip: string): Promise<boolean> {\n const now = Date.now() / 1000;\n\n const entry = this.bannedIps.get(ip);\n if (entry) {\n if (now <= entry.expiresAt) return true;\n this.bannedIps.delete(ip);\n }\n\n if (this.redisHandler) {\n const expiryStr = await this.redisHandler.getKey('banned_ips', ip);\n if (typeof expiryStr === 'string') {\n const expiresAt = parseFloat(expiryStr);\n if (now <= expiresAt) {\n 
this.bannedIps.set(ip, {\n expiresAt,\n reason: 'restored_from_redis',\n bannedAt: now,\n });\n return true;\n }\n await this.redisHandler.delete('banned_ips', ip);\n }\n }\n\n return false;\n }\n\n async unbanIp(ip: string): Promise<void> {\n this.bannedIps.delete(ip);\n\n if (this.redisHandler) {\n await this.redisHandler.delete('banned_ips', ip);\n }\n\n if (this.agentHandler) {\n try {\n await this.agentHandler.sendEvent({\n eventType: 'ip_unbanned',\n ipAddress: ip,\n actionTaken: 'ip_unbanned',\n reason: 'Manual unban',\n });\n } catch { /* never throw */ }\n }\n\n this.logger.info(`IP unbanned: ${ip}`);\n }\n\n async reset(): Promise<void> {\n this.bannedIps.clear();\n if (this.redisHandler) {\n await this.redisHandler.deletePattern('banned_ips:*');\n }\n }\n}\n","import type { Logger } from '../models/logger.js';\nimport type { AgentHandlerProtocol } from '../protocols/agent.js';\nimport type { GuardRequest } from '../protocols/request.js';\nimport type { GuardResponse } from '../protocols/response.js';\nimport type { RedisManager } from './redis.js';\n\nconst RATE_LIMIT_SCRIPT = `\nlocal key = KEYS[1]\nlocal now = tonumber(ARGV[1])\nlocal window = tonumber(ARGV[2])\nlocal limit = tonumber(ARGV[3])\nlocal window_start = now - window\n\nredis.call('ZADD', key, now, now)\nredis.call('ZREMRANGEBYSCORE', key, 0, window_start)\nlocal count = redis.call('ZCARD', key)\nredis.call('EXPIRE', key, window * 2)\n\nreturn count\n`;\n\nexport class RateLimitManager {\n private requestTimestamps = new Map<string, number[]>();\n private redisHandler: RedisManager | null = null;\n private agentHandler: AgentHandlerProtocol | null = null;\n private rateLimitScriptSha: string | null = null;\n\n constructor(private readonly logger: Logger) {}\n\n async initializeRedis(redisHandler: RedisManager): Promise<void> {\n this.redisHandler = redisHandler;\n const client = redisHandler.getRawClient();\n if (client) {\n try {\n this.rateLimitScriptSha = await client.script('load', 
RATE_LIMIT_SCRIPT) as string;\n } catch (e) {\n this.logger.warn(`Failed to load rate limit Lua script: ${e}`);\n }\n }\n }\n\n async initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void> {\n this.agentHandler = agentHandler;\n }\n\n async checkRateLimit(\n request: GuardRequest,\n clientIp: string,\n createErrorResponse: (statusCode: number, message: string) => Promise<GuardResponse>,\n endpointPath: string | null = null,\n rateLimit: number = 10,\n rateLimitWindow: number = 60,\n ): Promise<GuardResponse | null> {\n const key = endpointPath ? `${clientIp}:${endpointPath}` : clientIp;\n const now = Date.now() / 1000;\n\n let count: number | null = null;\n\n if (this.redisHandler) {\n count = await this.getRedisRequestCount(key, now, rateLimitWindow, rateLimit);\n }\n\n if (count === null) {\n count = this.getInMemoryRequestCount(key, now, rateLimitWindow);\n }\n\n if (count > rateLimit) {\n return this.handleRateLimitExceeded(\n request, clientIp, count, createErrorResponse, rateLimitWindow,\n );\n }\n\n return null;\n }\n\n private async getRedisRequestCount(\n key: string,\n now: number,\n window: number,\n _limit: number,\n ): Promise<number | null> {\n const client = this.redisHandler?.getRawClient();\n if (!client) return null;\n\n const redisKey = `rate_limit:rate:${key}`;\n const prefix = this.redisHandler!['prefix'] as string;\n const fullKey = `${prefix}${redisKey}`;\n\n try {\n if (this.rateLimitScriptSha) {\n const count = await client.evalsha(\n this.rateLimitScriptSha, 1, fullKey, now, window, _limit,\n );\n return Number(count);\n }\n\n /* v8 ignore start -- Lua script fallback pipeline; only reached when Redis evalsha fails */\n await client.zadd(fullKey, now, String(now));\n await client.zremrangebyscore(fullKey, 0, now - window);\n const count = await client.zcard(fullKey);\n await client.eval('redis.call(\"EXPIRE\", KEYS[1], ARGV[1])', 1, fullKey, window * 2);\n return count;\n /* v8 ignore stop */\n } catch (e) {\n 
this.logger.warn(`Redis rate limit check failed, falling back to in-memory: ${e}`);\n return null;\n }\n }\n\n private getInMemoryRequestCount(key: string, now: number, window: number): number {\n let timestamps = this.requestTimestamps.get(key);\n if (!timestamps) {\n timestamps = [];\n this.requestTimestamps.set(key, timestamps);\n }\n\n const windowStart = now - window;\n const validIndex = timestamps.findIndex((t) => t > windowStart);\n /* v8 ignore start -- in-memory timestamp splice; branch-only gap in validIndex condition */\n if (validIndex > 0) {\n timestamps.splice(0, validIndex);\n /* v8 ignore stop */\n } else if (validIndex === -1) {\n timestamps.length = 0;\n }\n\n timestamps.push(now);\n return timestamps.length;\n }\n\n private async handleRateLimitExceeded(\n request: GuardRequest,\n clientIp: string,\n count: number,\n createErrorResponse: (statusCode: number, message: string) => Promise<GuardResponse>,\n window: number,\n ): Promise<GuardResponse> {\n this.logger.warn(`Rate limit exceeded for ${clientIp}: ${count} requests`);\n\n if (this.agentHandler) {\n try {\n await this.agentHandler.sendEvent({\n eventType: 'rate_limit_exceeded',\n ipAddress: clientIp,\n actionTaken: 'request_blocked',\n reason: `Rate limit exceeded: ${count} requests in ${window}s window`,\n metadata: {\n endpoint: request.urlPath,\n method: request.method,\n requestCount: count,\n window,\n },\n });\n } catch { /* never throw */ }\n }\n\n return createErrorResponse(429, 'Rate limit exceeded');\n }\n\n async reset(): Promise<void> {\n this.requestTimestamps.clear();\n if (this.redisHandler) {\n await this.redisHandler.deletePattern('rate_limit:rate:*');\n }\n }\n}\n","import type { ResolvedSecurityConfig } from '../models/config.js';\nimport type { Logger } from '../models/logger.js';\nimport type { AgentHandlerProtocol } from '../protocols/agent.js';\nimport type { RedisHandlerProtocol } from '../protocols/redis.js';\n\ntype RedisClient = {\n get(key: string): 
Promise<string | null>;\n set(key: string, value: string, ...args: unknown[]): Promise<unknown>;\n setex(key: string, ttl: number, value: string): Promise<unknown>;\n incr(key: string): Promise<number>;\n expire(key: string, seconds: number): Promise<number>;\n exists(key: string): Promise<number>;\n del(...keys: string[]): Promise<number>;\n keys(pattern: string): Promise<string[]>;\n ping(): Promise<string>;\n quit(): Promise<string>;\n eval(script: string, numkeys: number, ...args: unknown[]): Promise<unknown>;\n evalsha(sha: string, numkeys: number, ...args: unknown[]): Promise<unknown>;\n // eslint-disable-next-line @typescript-eslint/no-explicit-any\n script(cmd: string, ...args: unknown[]): Promise<any>;\n zadd(key: string, ...args: unknown[]): Promise<number>;\n zremrangebyscore(key: string, min: number | string, max: number | string): Promise<number>;\n zcard(key: string): Promise<number>;\n};\n\nexport class RedisManager implements RedisHandlerProtocol {\n private client: RedisClient | null = null;\n private closed = false;\n private agentHandler: AgentHandlerProtocol | null = null;\n private readonly prefix: string;\n\n constructor(\n private readonly config: ResolvedSecurityConfig,\n private readonly logger: Logger,\n ) {\n this.prefix = config.redisPrefix;\n }\n\n async initialize(): Promise<void> {\n if (!this.config.enableRedis || this.closed) return;\n\n try {\n const { default: Redis } = await import('ioredis');\n this.client = new Redis(this.config.redisUrl) as unknown as RedisClient;\n await this.client.ping();\n this.logger.info('Redis connection established');\n /* v8 ignore start -- requires real ioredis connection failure which cannot be triggered when module is mocked */\n } catch (e) {\n this.logger.error(`Redis connection failed: ${e}`);\n this.client = null;\n }\n /* v8 ignore stop */\n }\n\n async close(): Promise<void> {\n this.closed = true;\n if (this.client) {\n try { await this.client.quit(); } catch { /* ignore */ }\n this.client = 
null;\n }\n }\n\n async initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void> {\n this.agentHandler = agentHandler;\n }\n\n /* v8 ignore start -- getConnection returns pooled disposable; V8 cannot track inline Symbol.asyncDispose */\n getConnection(): AsyncDisposable {\n const client = this.client;\n return {\n [Symbol.asyncDispose]: async () => {},\n get client() { return client; },\n } as AsyncDisposable;\n }\n /* v8 ignore stop */\n\n private formatKey(namespace: string, key: string): string {\n return `${this.prefix}${namespace}:${key}`;\n }\n\n async getKey(namespace: string, key: string): Promise<unknown> {\n if (!this.client) return null;\n try {\n return await this.client.get(this.formatKey(namespace, key));\n } catch (e) {\n this.logger.error(`Redis get failed: ${e}`);\n return null;\n }\n }\n\n async setKey(namespace: string, key: string, value: unknown, ttl?: number | null): Promise<boolean | null> {\n if (!this.client) return null;\n try {\n const fullKey = this.formatKey(namespace, key);\n const strValue = typeof value === 'string' ? 
value : JSON.stringify(value);\n if (ttl && ttl > 0) {\n await this.client.setex(fullKey, ttl, strValue);\n } else {\n await this.client.set(fullKey, strValue);\n }\n return true;\n } catch (e) {\n this.logger.error(`Redis set failed: ${e}`);\n return null;\n }\n }\n\n async incr(namespace: string, key: string, ttl?: number): Promise<number | null> {\n if (!this.client) return null;\n try {\n const fullKey = this.formatKey(namespace, key);\n const count = await this.client.incr(fullKey);\n if (ttl && ttl > 0) {\n await this.client.expire(fullKey, ttl);\n }\n return count;\n } catch (e) {\n this.logger.error(`Redis incr failed: ${e}`);\n return null;\n }\n }\n\n async exists(namespace: string, key: string): Promise<boolean | null> {\n if (!this.client) return null;\n try {\n const result = await this.client.exists(this.formatKey(namespace, key));\n return result > 0;\n } catch (e) {\n this.logger.error(`Redis exists failed: ${e}`);\n return null;\n }\n }\n\n async delete(namespace: string, key: string): Promise<number | null> {\n if (!this.client) return null;\n try {\n return await this.client.del(this.formatKey(namespace, key));\n } catch (e) {\n this.logger.error(`Redis delete failed: ${e}`);\n return null;\n }\n }\n\n async keys(pattern: string): Promise<string[] | null> {\n if (!this.client) return null;\n try {\n return await this.client.keys(`${this.prefix}${pattern}`);\n } catch (e) {\n this.logger.error(`Redis keys failed: ${e}`);\n return null;\n }\n }\n\n async deletePattern(pattern: string): Promise<number | null> {\n if (!this.client) return null;\n try {\n const matchedKeys = await this.client.keys(`${this.prefix}${pattern}`);\n if (matchedKeys.length === 0) return 0;\n return await this.client.del(...matchedKeys);\n } catch (e) {\n this.logger.error(`Redis deletePattern failed: ${e}`);\n return null;\n }\n }\n\n getRawClient(): RedisClient | null {\n return this.client;\n }\n}\n","import type { Logger } from '../models/logger.js';\nimport type { 
AgentHandlerProtocol } from '../protocols/agent.js';\nimport type { RedisManager } from './redis.js';\n\nconst DEFAULT_HEADERS: Record<string, string> = {\n 'X-Content-Type-Options': 'nosniff',\n 'X-Frame-Options': 'SAMEORIGIN',\n 'X-XSS-Protection': '1; mode=block',\n 'Referrer-Policy': 'strict-origin-when-cross-origin',\n 'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',\n 'X-Permitted-Cross-Domain-Policies': 'none',\n 'X-Download-Options': 'noopen',\n 'Cross-Origin-Embedder-Policy': 'require-corp',\n 'Cross-Origin-Opener-Policy': 'same-origin',\n 'Cross-Origin-Resource-Policy': 'same-origin',\n};\n\nconst MAX_HEADER_VALUE_LENGTH = 8192;\n\nfunction validateHeaderValue(value: string): string {\n if (value.includes('\\r') || value.includes('\\n')) {\n throw new Error('Header value must not contain CR or LF characters');\n }\n /* v8 ignore start -- header validation throw branch; requires header value exceeding 8192 chars with CRLF injection */\n if (value.length > MAX_HEADER_VALUE_LENGTH) {\n throw new Error(`Header value exceeds maximum length of ${MAX_HEADER_VALUE_LENGTH}`);\n }\n /* v8 ignore stop */\n return value.replace(/[\\x00-\\x08\\x0b\\x0c\\x0e-\\x1f]/g, '');\n}\n\nfunction generateCacheKey(requestPath: string): string {\n const normalized = requestPath.toLowerCase().replace(/\\/+$/, '');\n let hash = 0;\n for (let i = 0; i < normalized.length; i++) {\n hash = (hash << 5) - hash + normalized.charCodeAt(i);\n hash |= 0;\n }\n return String(Math.abs(hash)).padStart(16, '0').slice(0, 16);\n}\n\nexport class SecurityHeadersManager {\n private headersCache = new Map<string, Record<string, string>>();\n private defaultHeaders: Record<string, string> = { ...DEFAULT_HEADERS };\n private customHeaders: Record<string, string> = {};\n private cspConfig: Record<string, string[]> | null = null;\n private hstsConfig: { maxAge: number; includeSubdomains: boolean; preload: boolean } | null = null;\n private corsConfig: {\n origins: string[];\n 
allowCredentials: boolean;\n allowMethods: string[];\n allowHeaders: string[];\n } | null = null;\n private redisHandler: RedisManager | null = null;\n private agentHandler: AgentHandlerProtocol | null = null;\n private cacheMaxSize = 1000;\n private cacheTtlMs = 300_000;\n private cacheTimestamps = new Map<string, number>();\n\n constructor(private readonly logger: Logger) {}\n\n async initializeRedis(redisHandler: RedisManager): Promise<void> {\n this.redisHandler = redisHandler;\n await this.loadCachedConfig();\n }\n\n /* v8 ignore start -- initializeAgent assignment; tested via handler tests but V8 misses when called from mock */\n async initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void> {\n this.agentHandler = agentHandler;\n }\n /* v8 ignore stop */\n\n private async loadCachedConfig(): Promise<void> {\n if (!this.redisHandler) return;\n\n const cspJson = await this.redisHandler.getKey('security_headers', 'csp_config');\n if (typeof cspJson === 'string') {\n try { this.cspConfig = JSON.parse(cspJson); } catch { /* ignore */ }\n }\n\n const hstsJson = await this.redisHandler.getKey('security_headers', 'hsts_config');\n if (typeof hstsJson === 'string') {\n try { this.hstsConfig = JSON.parse(hstsJson); } catch { /* ignore */ }\n }\n\n const customJson = await this.redisHandler.getKey('security_headers', 'custom_headers');\n if (typeof customJson === 'string') {\n try { this.customHeaders = JSON.parse(customJson); } catch { /* ignore */ }\n }\n }\n\n configure(options: {\n enabled?: boolean | undefined;\n csp?: Record<string, string[]> | null | undefined;\n hstsMaxAge?: number | undefined;\n hstsIncludeSubdomains?: boolean | undefined;\n hstsPreload?: boolean | undefined;\n frameOptions?: string | undefined;\n contentTypeOptions?: string | undefined;\n xssProtection?: string | undefined;\n referrerPolicy?: string | undefined;\n permissionsPolicy?: string | undefined;\n customHeaders?: Record<string, string> | null | undefined;\n corsOrigins?: 
string[] | undefined;\n corsAllowCredentials?: boolean | undefined;\n corsAllowMethods?: string[] | undefined;\n corsAllowHeaders?: string[] | undefined;\n }): void {\n if (options.enabled === false) {\n this.defaultHeaders = {};\n return;\n }\n\n if (options.csp) this.cspConfig = options.csp;\n if (options.hstsMaxAge !== undefined) {\n this.hstsConfig = {\n maxAge: options.hstsMaxAge,\n includeSubdomains: options.hstsIncludeSubdomains ?? true,\n preload: options.hstsPreload ?? false,\n };\n }\n if (options.frameOptions) this.defaultHeaders['X-Frame-Options'] = validateHeaderValue(options.frameOptions);\n if (options.contentTypeOptions) this.defaultHeaders['X-Content-Type-Options'] = validateHeaderValue(options.contentTypeOptions);\n if (options.xssProtection) this.defaultHeaders['X-XSS-Protection'] = validateHeaderValue(options.xssProtection);\n if (options.referrerPolicy) this.defaultHeaders['Referrer-Policy'] = validateHeaderValue(options.referrerPolicy);\n if (options.permissionsPolicy) this.defaultHeaders['Permissions-Policy'] = validateHeaderValue(options.permissionsPolicy);\n\n if (options.customHeaders) {\n for (const [key, value] of Object.entries(options.customHeaders)) {\n this.customHeaders[key] = validateHeaderValue(value);\n }\n }\n\n if (options.corsOrigins) {\n this.corsConfig = {\n origins: options.corsOrigins,\n allowCredentials: options.corsAllowCredentials ?? false,\n allowMethods: options.corsAllowMethods ?? ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],\n allowHeaders: options.corsAllowHeaders ?? 
['*'],\n };\n }\n\n this.cacheConfiguration();\n }\n\n private async cacheConfiguration(): Promise<void> {\n if (!this.redisHandler) return;\n const ttl = 86400;\n if (this.cspConfig) await this.redisHandler.setKey('security_headers', 'csp_config', JSON.stringify(this.cspConfig), ttl);\n if (this.hstsConfig) await this.redisHandler.setKey('security_headers', 'hsts_config', JSON.stringify(this.hstsConfig), ttl);\n if (Object.keys(this.customHeaders).length > 0) {\n await this.redisHandler.setKey('security_headers', 'custom_headers', JSON.stringify(this.customHeaders), ttl);\n }\n }\n\n private buildCsp(): string | null {\n if (!this.cspConfig) return null;\n return Object.entries(this.cspConfig)\n .map(([directive, values]) => `${directive} ${values.join(' ')}`)\n .join('; ');\n }\n\n private buildHsts(): string | null {\n if (!this.hstsConfig) return null;\n let header = `max-age=${this.hstsConfig.maxAge}`;\n if (this.hstsConfig.includeSubdomains) header += '; includeSubDomains';\n if (this.hstsConfig.preload) header += '; preload';\n return header;\n }\n\n async getHeaders(requestPath: string): Promise<Record<string, string>> {\n const cacheKey = generateCacheKey(requestPath);\n const now = Date.now();\n\n const cachedTimestamp = this.cacheTimestamps.get(cacheKey);\n if (cachedTimestamp && now - cachedTimestamp < this.cacheTtlMs) {\n const cached = this.headersCache.get(cacheKey);\n if (cached) return { ...cached };\n }\n\n const headers: Record<string, string> = { ...this.defaultHeaders };\n\n const csp = this.buildCsp();\n if (csp) headers['Content-Security-Policy'] = csp;\n\n const hsts = this.buildHsts();\n if (hsts) headers['Strict-Transport-Security'] = hsts;\n\n for (const [key, value] of Object.entries(this.customHeaders)) {\n headers[key] = value;\n }\n\n if (this.headersCache.size >= this.cacheMaxSize) {\n const oldestKey = this.headersCache.keys().next().value;\n if (oldestKey) {\n this.headersCache.delete(oldestKey);\n 
this.cacheTimestamps.delete(oldestKey);\n }\n }\n\n this.headersCache.set(cacheKey, headers);\n this.cacheTimestamps.set(cacheKey, now);\n\n return { ...headers };\n }\n\n getCorsHeaders(origin: string): Record<string, string> {\n if (!this.corsConfig) return {};\n\n const isAllowed = this.corsConfig.origins.includes('*') ||\n this.corsConfig.origins.includes(origin);\n if (!isAllowed) return {};\n\n const headers: Record<string, string> = {\n 'Access-Control-Allow-Origin': this.corsConfig.origins.includes('*') ? '*' : origin,\n 'Access-Control-Allow-Methods': this.corsConfig.allowMethods.join(', '),\n 'Access-Control-Allow-Headers': this.corsConfig.allowHeaders.join(', '),\n };\n\n if (this.corsConfig.allowCredentials) {\n headers['Access-Control-Allow-Credentials'] = 'true';\n }\n\n return headers;\n }\n\n async reset(): Promise<void> {\n this.headersCache.clear();\n this.cacheTimestamps.clear();\n this.defaultHeaders = { ...DEFAULT_HEADERS };\n this.customHeaders = {};\n this.cspConfig = null;\n this.hstsConfig = null;\n this.corsConfig = null;\n if (this.redisHandler) {\n await this.redisHandler.deletePattern('security_headers:*');\n }\n }\n}\n","import type { ResolvedSecurityConfig } from '../../models/config.js';\nimport type { Logger } from '../../models/logger.js';\nimport type { AgentHandlerProtocol } from '../../protocols/agent.js';\nimport type { GeoIPHandler } from '../../protocols/geo-ip.js';\nimport { BehaviorTracker } from '../../handlers/behavior.js';\nimport { CloudHandler } from '../../handlers/cloud.js';\nimport { DynamicRuleManager } from '../../handlers/dynamic-rules.js';\nimport { IPBanManager } from '../../handlers/ip-ban.js';\nimport { RateLimitManager } from '../../handlers/rate-limit.js';\nimport { RedisManager } from '../../handlers/redis.js';\nimport { SecurityHeadersManager } from '../../handlers/security-headers.js';\nimport { SusPatternsManager } from '../../handlers/sus-patterns.js';\n\nexport interface HandlerRegistry {\n 
redisHandler: RedisManager | null;\n ipBanHandler: IPBanManager;\n rateLimitHandler: RateLimitManager;\n cloudHandler: CloudHandler;\n susPatternsHandler: SusPatternsManager;\n securityHeadersHandler: SecurityHeadersManager;\n behaviorTracker: BehaviorTracker;\n dynamicRuleHandler: DynamicRuleManager;\n geoIpHandler: GeoIPHandler | null;\n}\n\nexport class HandlerInitializer {\n constructor(\n private readonly config: ResolvedSecurityConfig,\n private readonly logger: Logger,\n private readonly agentHandler: AgentHandlerProtocol | null = null,\n private readonly geoIpHandler: GeoIPHandler | null = null,\n private readonly guardDecorator: unknown = null,\n ) {}\n\n async initialize(): Promise<HandlerRegistry> {\n const ipBanHandler = new IPBanManager(this.logger);\n const rateLimitHandler = new RateLimitManager(this.logger);\n const cloudHandler = new CloudHandler(this.logger);\n const susPatternsHandler = new SusPatternsManager(this.config, this.logger);\n const securityHeadersHandler = new SecurityHeadersManager(this.logger);\n const behaviorTracker = new BehaviorTracker(this.config, this.logger);\n const dynamicRuleHandler = new DynamicRuleManager(this.config, this.logger);\n\n let redisHandler: RedisManager | null = null;\n\n if (this.config.enableRedis) {\n try {\n redisHandler = new RedisManager(this.config, this.logger);\n await redisHandler.initialize();\n\n await ipBanHandler.initializeRedis(redisHandler);\n await rateLimitHandler.initializeRedis(redisHandler);\n await susPatternsHandler.initializeRedis(redisHandler);\n await securityHeadersHandler.initializeRedis(redisHandler);\n await behaviorTracker.initializeRedis(redisHandler);\n await dynamicRuleHandler.initializeRedis(redisHandler);\n\n if (this.config.blockCloudProviders.size > 0) {\n await cloudHandler.initializeRedis(\n redisHandler,\n this.config.blockCloudProviders,\n this.config.cloudIpRefreshInterval,\n );\n }\n\n if (this.geoIpHandler) {\n await 
this.geoIpHandler.initializeRedis(redisHandler);\n }\n /* v8 ignore start -- requires actual ioredis connection failure which cannot be triggered when ioredis module is mocked */\n } catch (e) {\n this.logger.warn(`Redis initialization failed, falling back to in-memory: ${e}`);\n redisHandler = null;\n }\n /* v8 ignore stop */\n }\n\n if (this.geoIpHandler && !this.geoIpHandler.isInitialized) {\n await this.geoIpHandler.initialize();\n }\n\n if (this.agentHandler) {\n await this.initializeAgentIntegrations(\n ipBanHandler, rateLimitHandler, cloudHandler,\n susPatternsHandler, dynamicRuleHandler, redisHandler,\n );\n }\n\n this.configureSecurityHeaders(securityHeadersHandler);\n\n return {\n redisHandler,\n ipBanHandler,\n rateLimitHandler,\n cloudHandler,\n susPatternsHandler,\n securityHeadersHandler,\n behaviorTracker,\n dynamicRuleHandler,\n geoIpHandler: this.geoIpHandler,\n };\n }\n\n private async initializeAgentIntegrations(\n ipBanHandler: IPBanManager,\n rateLimitHandler: RateLimitManager,\n cloudHandler: CloudHandler,\n susPatternsHandler: SusPatternsManager,\n dynamicRuleHandler: DynamicRuleManager,\n redisHandler: RedisManager | null,\n ): Promise<void> {\n if (!this.agentHandler) return;\n\n await this.agentHandler.start();\n\n if (redisHandler) {\n await this.agentHandler.initializeRedis(redisHandler);\n await redisHandler.initializeAgent(this.agentHandler);\n }\n\n await ipBanHandler.initializeAgent(this.agentHandler);\n await rateLimitHandler.initializeAgent(this.agentHandler);\n await susPatternsHandler.initializeAgent(this.agentHandler);\n\n if (this.config.blockCloudProviders.size > 0) {\n await cloudHandler.initializeAgent(this.agentHandler);\n }\n\n if (this.geoIpHandler) {\n await this.geoIpHandler.initializeAgent(this.agentHandler);\n }\n\n if (this.config.enableDynamicRules) {\n await dynamicRuleHandler.initializeAgent(this.agentHandler);\n }\n\n if (this.guardDecorator && typeof (this.guardDecorator as Record<string, 
unknown>)['initializeAgent'] === 'function') {\n await (this.guardDecorator as { initializeAgent(a: AgentHandlerProtocol): Promise<void> }).initializeAgent(this.agentHandler);\n }\n }\n\n private configureSecurityHeaders(manager: SecurityHeadersManager): void {\n const headers = this.config.securityHeaders;\n if (!headers) return;\n\n manager.configure({\n enabled: headers.enabled,\n csp: headers.csp,\n hstsMaxAge: headers.hsts?.maxAge,\n hstsIncludeSubdomains: headers.hsts?.includeSubdomains,\n hstsPreload: headers.hsts?.preload,\n frameOptions: headers.frameOptions,\n contentTypeOptions: headers.contentTypeOptions,\n xssProtection: headers.xssProtection,\n referrerPolicy: headers.referrerPolicy,\n permissionsPolicy: headers.permissionsPolicy,\n customHeaders: headers.custom ?? undefined,\n corsOrigins: this.config.enableCors ? this.config.corsAllowOrigins : undefined,\n corsAllowCredentials: this.config.corsAllowCredentials,\n corsAllowMethods: this.config.corsAllowMethods,\n corsAllowHeaders: this.config.corsAllowHeaders,\n });\n }\n}\n","import * as ipaddr from 'ipaddr.js';\n\nimport type { ResolvedSecurityConfig } from '../../models/config.js';\nimport type { Logger } from '../../models/logger.js';\nimport type { GuardRequest } from '../../protocols/request.js';\nimport type { SecurityEventBus } from '../events/event-bus.js';\n\nexport class RequestValidator {\n constructor(\n private readonly config: ResolvedSecurityConfig,\n private readonly logger: Logger,\n private readonly eventBus: SecurityEventBus,\n ) {}\n\n isRequestHttps(request: GuardRequest): boolean {\n let isHttps = request.urlScheme === 'https';\n\n if (\n this.config.trustXForwardedProto &&\n this.config.trustedProxies.length > 0 &&\n request.clientHost\n ) {\n if (this.isTrustedProxy(request.clientHost)) {\n const forwardedProto = request.headers['x-forwarded-proto'] ?? 
'';\n isHttps = isHttps || forwardedProto.toLowerCase() === 'https';\n }\n }\n\n return isHttps;\n }\n\n isTrustedProxy(connectingIp: string): boolean {\n for (const proxy of this.config.trustedProxies) {\n if (!proxy.includes('/')) {\n if (connectingIp === proxy) return true;\n } else {\n try {\n const parsed = ipaddr.parse(connectingIp);\n const [addr, prefixLen] = ipaddr.parseCIDR(proxy);\n if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) return true;\n } catch { continue; }\n }\n }\n return false;\n }\n\n async checkTimeWindow(timeRestrictions: { start: string; end: string }): Promise<boolean> {\n try {\n const { start, end } = timeRestrictions;\n const now = new Date();\n const currentTime = now.toISOString().slice(11, 16);\n\n if (start > end) {\n return currentTime >= start || currentTime <= end;\n }\n return currentTime >= start && currentTime <= end;\n /* v8 ignore start -- catch block for time string parsing errors; returns true for safety */\n } catch (e) {\n this.logger.error(`Error checking time window: ${e}`);\n return true;\n }\n /* v8 ignore stop */\n }\n\n async isPathExcluded(request: GuardRequest): Promise<boolean> {\n const excluded = this.config.excludePaths.some((path) =>\n request.urlPath.startsWith(path),\n );\n\n if (excluded) {\n await this.eventBus.sendMiddlewareEvent(\n 'path_excluded', request, 'security_checks_bypassed',\n `Path ${request.urlPath} excluded from security checks`,\n { excludedPath: request.urlPath, configuredExclusions: this.config.excludePaths },\n );\n }\n\n return excluded;\n }\n}\n","import type { ResolvedSecurityConfig } from '../../models/config.js';\nimport type { RouteConfig } from '../../models/route-config.js';\nimport type { GuardRequest } from '../../protocols/request.js';\n\nexport class RouteConfigResolver {\n private guardDecorator: unknown = null;\n\n constructor(\n private readonly config: ResolvedSecurityConfig,\n ) {}\n\n setGuardDecorator(decorator: unknown): void {\n 
this.guardDecorator = decorator;\n }\n\n getRouteConfig(request: GuardRequest): RouteConfig | null {\n const decorator = this.guardDecorator ?? request.state.guardDecorator;\n if (!decorator) return null;\n\n const routeId = request.state.guardRouteId;\n if (!routeId) return null;\n\n const getConfig = (decorator as { getRouteConfig(id: string): RouteConfig | undefined }).getRouteConfig;\n if (typeof getConfig !== 'function') return null;\n\n return getConfig.call(decorator, routeId) ?? null;\n }\n\n shouldBypassCheck(checkName: string, routeConfig: RouteConfig | null): boolean {\n if (!routeConfig) return false;\n return routeConfig.bypassedChecks.has(checkName) || routeConfig.bypassedChecks.has('all');\n }\n\n getCloudProvidersToCheck(routeConfig: RouteConfig | null): string[] | null {\n if (routeConfig && routeConfig.blockCloudProviders.size > 0) {\n return [...routeConfig.blockCloudProviders];\n }\n if (this.config.blockCloudProviders.size > 0) {\n return [...this.config.blockCloudProviders];\n }\n return null;\n }\n}\n","import type { ResolvedSecurityConfig } from '../../models/config.js';\nimport type { RouteConfig } from '../../models/route-config.js';\nimport type { GuardRequest } from '../../protocols/request.js';\nimport type { GuardResponse } from '../../protocols/response.js';\nimport type { SecurityEventBus } from '../events/event-bus.js';\nimport type { ErrorResponseFactory } from '../responses/factory.js';\nimport type { RouteConfigResolver } from '../routing/resolver.js';\nimport type { RequestValidator } from '../validation/validator.js';\n\nexport class BypassHandler {\n constructor(\n private readonly config: ResolvedSecurityConfig,\n private readonly eventBus: SecurityEventBus,\n private readonly routeResolver: RouteConfigResolver,\n private readonly responseFactory: ErrorResponseFactory,\n private readonly validator: RequestValidator,\n ) {}\n\n async handlePassthrough(\n request: GuardRequest,\n callNext: (req: GuardRequest) => 
Promise<GuardResponse>,\n ): Promise<GuardResponse | null> {\n if (!request.clientHost) {\n const response = await callNext(request);\n return this.responseFactory.applyModifier(response);\n }\n\n if (await this.validator.isPathExcluded(request)) {\n const response = await callNext(request);\n return this.responseFactory.applyModifier(response);\n }\n\n return null;\n }\n\n async handleSecurityBypass(\n request: GuardRequest,\n callNext: (req: GuardRequest) => Promise<GuardResponse>,\n routeConfig: RouteConfig | null,\n ): Promise<GuardResponse | null> {\n if (!routeConfig || !this.routeResolver.shouldBypassCheck('all', routeConfig)) {\n return null;\n }\n\n await this.eventBus.sendMiddlewareEvent(\n 'security_bypass', request, 'all_checks_bypassed',\n 'Route configured to bypass all security checks',\n { bypassedChecks: [...routeConfig.bypassedChecks], endpoint: request.urlPath },\n );\n\n if (!this.config.passiveMode) {\n const response = await callNext(request);\n return this.responseFactory.applyModifier(response);\n }\n\n return null;\n }\n}\n","import type { ResolvedSecurityConfig } from '../../models/config.js';\nimport type { Logger } from '../../models/logger.js';\nimport type { RouteConfig } from '../../models/route-config.js';\nimport type { AgentHandlerProtocol } from '../../protocols/agent.js';\nimport type { GuardRequest } from '../../protocols/request.js';\nimport type { GuardResponse, GuardResponseFactory } from '../../protocols/response.js';\nimport type { SecurityHeadersManager } from '../../handlers/security-headers.js';\nimport type { MetricsCollector } from '../events/metrics.js';\n\nexport class ErrorResponseFactory {\n constructor(\n private readonly config: ResolvedSecurityConfig,\n private readonly logger: Logger,\n private readonly metricsCollector: MetricsCollector,\n private readonly guardResponseFactory: GuardResponseFactory,\n private readonly securityHeadersManager: SecurityHeadersManager,\n private readonly agentHandler: 
AgentHandlerProtocol | null = null,\n ) {}\n\n async createErrorResponse(statusCode: number, defaultMessage: string): Promise<GuardResponse> {\n const message = this.config.customErrorResponses[statusCode] ?? defaultMessage;\n const response = this.guardResponseFactory.createResponse(message, statusCode);\n\n await this.applySecurityHeaders(response, undefined);\n return this.applyModifier(response);\n }\n\n async createHttpsRedirect(request: GuardRequest): Promise<GuardResponse> {\n const httpsUrl = request.urlReplaceScheme('https');\n const response = this.guardResponseFactory.createRedirectResponse(httpsUrl, 301);\n return this.applyModifier(response);\n }\n\n async applySecurityHeaders(response: GuardResponse, requestPath?: string): Promise<GuardResponse> {\n const headersConfig = this.config.securityHeaders;\n if (headersConfig && headersConfig.enabled) {\n const securityHeaders = await this.securityHeadersManager.getHeaders(requestPath ?? '/');\n for (const [name, value] of Object.entries(securityHeaders)) {\n response.setHeader(name, value);\n }\n }\n return response;\n }\n\n async applyCorsHeaders(response: GuardResponse, origin: string): Promise<GuardResponse> {\n const corsHeaders = this.securityHeadersManager.getCorsHeaders(origin);\n for (const [name, value] of Object.entries(corsHeaders)) {\n response.setHeader(name, value);\n }\n return response;\n }\n\n async applyModifier(response: GuardResponse): Promise<GuardResponse> {\n if (this.config.customResponseModifier) {\n return this.config.customResponseModifier(response);\n }\n return response;\n }\n\n async processResponse(\n request: GuardRequest,\n response: GuardResponse,\n responseTime: number,\n routeConfig: RouteConfig | null,\n processBehavioralRules?: (\n request: GuardRequest,\n response: GuardResponse,\n clientIp: string,\n routeConfig: RouteConfig,\n ) => Promise<void>,\n ): Promise<GuardResponse> {\n /* v8 ignore next -- requires all 3 conditions (routeConfig, behaviorRules.length, 
callback) true simultaneously */\n if (routeConfig && routeConfig.behaviorRules.length > 0 && processBehavioralRules) {\n const clientIp = request.clientHost ?? 'unknown';\n await processBehavioralRules(request, response, clientIp, routeConfig);\n }\n\n await this.metricsCollector.collectRequestMetrics(request, responseTime, response.statusCode);\n\n await this.applySecurityHeaders(response, request.urlPath);\n\n const origin = request.headers['origin'];\n if (origin) {\n await this.applyCorsHeaders(response, origin);\n }\n\n return this.applyModifier(response);\n }\n}\n","import type { Logger } from '../../models/logger.js';\nimport type { RouteConfig } from '../../models/route-config.js';\nimport type { GuardRequest } from '../../protocols/request.js';\nimport type { GuardResponse } from '../../protocols/response.js';\nimport type { BehaviorTracker } from '../../handlers/behavior.js';\nimport type { SecurityEventBus } from '../events/event-bus.js';\n\nexport class BehavioralProcessor {\n private guardDecorator: { behaviorTracker: BehaviorTracker } | null = null;\n\n constructor(\n private readonly logger: Logger,\n private readonly eventBus: SecurityEventBus,\n ) {}\n\n setGuardDecorator(decorator: { behaviorTracker: BehaviorTracker }): void {\n this.guardDecorator = decorator;\n }\n\n async processUsageRules(\n request: GuardRequest,\n clientIp: string,\n routeConfig: RouteConfig,\n ): Promise<void> {\n if (!this.guardDecorator) return;\n\n const endpointId = this.getEndpointId(request);\n const tracker = this.guardDecorator.behaviorTracker;\n\n for (const rule of routeConfig.behaviorRules) {\n if (rule.ruleType === 'usage' || rule.ruleType === 'frequency') {\n const exceeded = await tracker.trackEndpointUsage(endpointId, clientIp, rule);\n if (exceeded) {\n const details = `${rule.threshold} calls in ${rule.window}s`;\n\n await this.eventBus.sendMiddlewareEvent(\n 'decorator_violation', request, 'behavioral_action_triggered',\n `Behavioral ${rule.ruleType} 
threshold exceeded: ${details}`,\n {\n decoratorType: 'behavioral',\n violationType: rule.ruleType,\n threshold: rule.threshold,\n window: rule.window,\n action: rule.action,\n endpointId,\n },\n );\n\n await tracker.applyAction(rule, clientIp, endpointId, `Usage threshold exceeded: ${details}`);\n }\n }\n }\n }\n\n async processReturnRules(\n request: GuardRequest,\n response: GuardResponse,\n clientIp: string,\n routeConfig: RouteConfig,\n ): Promise<void> {\n if (!this.guardDecorator) return;\n\n const endpointId = this.getEndpointId(request);\n const tracker = this.guardDecorator.behaviorTracker;\n\n for (const rule of routeConfig.behaviorRules) {\n if (rule.ruleType === 'return_pattern') {\n const detected = await tracker.trackReturnPattern(endpointId, clientIp, response, rule);\n if (detected) {\n const details = `${rule.threshold} for '${rule.pattern}' in ${rule.window}s`;\n\n await this.eventBus.sendMiddlewareEvent(\n 'decorator_violation', request, 'behavioral_action_triggered',\n `Return pattern threshold exceeded: ${details}`,\n {\n decoratorType: 'behavioral',\n violationType: 'return_pattern',\n threshold: rule.threshold,\n window: rule.window,\n pattern: rule.pattern,\n action: rule.action,\n endpointId,\n },\n );\n\n await tracker.applyAction(rule, clientIp, endpointId, `Return pattern threshold exceeded: ${details}`);\n }\n }\n }\n }\n\n getEndpointId(request: GuardRequest): string {\n const endpointId = request.state.guardEndpointId;\n if (typeof endpointId === 'string') return endpointId;\n return `${request.method}:${request.urlPath}`;\n }\n}\n","import type { GuardRequest } from '../../protocols/request.js';\nimport type { GuardResponse } from '../../protocols/response.js';\nimport type { Logger } from '../../models/logger.js';\nimport type { SecurityCheck } from './base.js';\n\nexport class SecurityCheckPipeline {\n constructor(\n private checks: SecurityCheck[],\n private readonly logger: Logger,\n ) {}\n\n async execute(request: 
GuardRequest): Promise<GuardResponse | null> {\n for (const check of this.checks) {\n try {\n const response = await check.check(request);\n if (response !== null) return response;\n } catch (e) {\n this.logger.error(`Security check '${check.checkName}' failed: ${e}`);\n }\n }\n return null;\n }\n\n add(check: SecurityCheck): void {\n this.checks.push(check);\n }\n\n insert(index: number, check: SecurityCheck): void {\n this.checks.splice(index, 0, check);\n }\n\n remove(name: string): boolean {\n const idx = this.checks.findIndex((c) => c.checkName === name);\n if (idx === -1) return false;\n this.checks.splice(idx, 1);\n return true;\n }\n\n getCheckNames(): string[] {\n return this.checks.map((c) => c.checkName);\n }\n\n get length(): number {\n return this.checks.length;\n }\n}\n","import type { GuardMiddlewareProtocol } from '../../protocols/middleware.js';\nimport type { GuardRequest } from '../../protocols/request.js';\nimport type { GuardResponse } from '../../protocols/response.js';\nimport type { Logger } from '../../models/logger.js';\nimport type { ResolvedSecurityConfig } from '../../models/config.js';\n\nexport abstract class SecurityCheck {\n constructor(protected readonly middleware: GuardMiddlewareProtocol) {}\n\n abstract check(request: GuardRequest): Promise<GuardResponse | null>;\n abstract get checkName(): string;\n\n protected get config(): ResolvedSecurityConfig {\n return this.middleware.config;\n }\n\n protected get logger(): Logger {\n return this.middleware.logger;\n }\n\n async sendEvent(\n type: string,\n request: GuardRequest,\n action: string,\n reason: string,\n meta?: Record<string, unknown>,\n ): Promise<void> {\n const eventBus = this.middleware.eventBus as {\n sendMiddlewareEvent(\n type: string,\n request: GuardRequest,\n action: string,\n reason: string,\n meta?: Record<string, unknown>,\n ): Promise<void>;\n };\n await eventBus.sendMiddlewareEvent(type, request, action, reason, meta);\n }\n\n async 
createErrorResponse(statusCode: number, message: string): Promise<GuardResponse> {\n return this.middleware.createErrorResponse(statusCode, message);\n }\n\n isPassiveMode(): boolean {\n return this.config.passiveMode;\n }\n}\n","import type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class RouteConfigCheck extends SecurityCheck {\n get checkName(): string { return 'route_config'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n const routeResolver = this.middleware.routeResolver as {\n getRouteConfig(request: GuardRequest): unknown;\n };\n const routeConfig = routeResolver.getRouteConfig(request);\n\n if (routeConfig) {\n (request.state as Record<string, unknown>)['_routeConfig'] = routeConfig;\n }\n\n return null;\n }\n}\n","import type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class EmergencyModeCheck extends SecurityCheck {\n get checkName(): string { return 'emergency_mode'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n if (!this.config.emergencyMode) return null;\n\n const clientIp = request.clientHost ?? 
'';\n if (this.config.emergencyWhitelist.includes(clientIp)) return null;\n\n await this.sendEvent('emergency_mode', request, 'request_blocked', 'Emergency mode active');\n return this.createErrorResponse(503, 'Service temporarily unavailable');\n }\n}\n","import type { GuardMiddlewareProtocol } from '../../../protocols/middleware.js';\nimport type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport type { RequestValidator } from '../../validation/validator.js';\nimport type { ErrorResponseFactory } from '../../responses/factory.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class HttpsEnforcementCheck extends SecurityCheck {\n private readonly validator: RequestValidator;\n private readonly responseFactory: ErrorResponseFactory;\n\n constructor(\n middleware: GuardMiddlewareProtocol,\n validator: RequestValidator,\n responseFactory: ErrorResponseFactory,\n ) {\n super(middleware);\n this.validator = validator;\n this.responseFactory = responseFactory;\n }\n\n get checkName(): string { return 'https_enforcement'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n if (!this.config.enforceHttps) return null;\n if (this.validator.isRequestHttps(request)) return null;\n\n if (this.isPassiveMode()) {\n this.logger.info(`[PASSIVE] Would redirect to HTTPS: ${request.urlPath}`);\n return null;\n }\n\n return this.responseFactory.createHttpsRedirect(request);\n }\n}\n","import type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport { logActivity } from '../../../utils.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class RequestLoggingCheck extends SecurityCheck {\n get checkName(): string { return 'request_logging'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n if (this.config.logRequestLevel) {\n logActivity(request, this.logger, 
'request', '', false, '', this.config.logRequestLevel);\n await this.sendEvent('request_logged', request, 'logged', 'Request logged');\n }\n return null;\n }\n}\n","import type { RouteConfig } from '../../../models/route-config.js';\nimport type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class RequestSizeContentCheck extends SecurityCheck {\n get checkName(): string { return 'request_size_content'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n const routeConfig = (request.state as Record<string, unknown>)['_routeConfig'] as RouteConfig | undefined;\n if (!routeConfig) return null;\n\n if (routeConfig.maxRequestSize !== null) {\n const contentLength = parseInt(request.headers['content-length'] ?? '0', 10);\n if (contentLength > routeConfig.maxRequestSize) {\n if (this.isPassiveMode()) {\n this.logger.info(`[PASSIVE] Request too large: ${contentLength} > ${routeConfig.maxRequestSize}`);\n return null;\n }\n return this.createErrorResponse(413, 'Request entity too large');\n }\n }\n\n if (routeConfig.allowedContentTypes !== null) {\n const contentType = request.headers['content-type'] ?? 
'';\n if (contentType && !routeConfig.allowedContentTypes.some((t) => contentType.includes(t))) {\n if (this.isPassiveMode()) {\n this.logger.info(`[PASSIVE] Invalid content type: ${contentType}`);\n return null;\n }\n return this.createErrorResponse(415, 'Unsupported media type');\n }\n }\n\n return null;\n }\n}\n","import type { RouteConfig } from '../../../models/route-config.js';\nimport type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class RequiredHeadersCheck extends SecurityCheck {\n get checkName(): string { return 'required_headers'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n const routeConfig = (request.state as Record<string, unknown>)['_routeConfig'] as RouteConfig | undefined;\n if (!routeConfig || Object.keys(routeConfig.requiredHeaders).length === 0) return null;\n\n for (const [headerName, expectedValue] of Object.entries(routeConfig.requiredHeaders)) {\n const actualValue = request.headers[headerName.toLowerCase()];\n if (!actualValue || (expectedValue && actualValue !== expectedValue)) {\n if (this.isPassiveMode()) {\n this.logger.info(`[PASSIVE] Missing required header: ${headerName}`);\n return null;\n }\n return this.createErrorResponse(400, `Missing or invalid required header: ${headerName}`);\n }\n }\n\n return null;\n }\n}\n","import * as ipaddr from 'ipaddr.js';\n\nimport type { ResolvedSecurityConfig } from '../../models/config.js';\nimport type { RouteConfig } from '../../models/route-config.js';\nimport type { GeoIPHandler } from '../../protocols/geo-ip.js';\nimport type { GuardMiddlewareProtocol } from '../../protocols/middleware.js';\nimport type { GuardRequest } from '../../protocols/request.js';\n\nexport function isIpInBlacklist(clientIp: string, blacklist: string[]): boolean {\n for (const blocked of blacklist) {\n if (blocked.includes('/')) {\n try {\n const 
parsed = ipaddr.parse(clientIp);\n const [addr, prefixLen] = ipaddr.parseCIDR(blocked);\n if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) return true;\n } catch { continue; }\n } else if (clientIp === blocked) {\n return true;\n }\n }\n return false;\n}\n\nexport function isIpInWhitelist(clientIp: string, whitelist: string[]): boolean | null {\n if (whitelist.length === 0) return null;\n\n for (const allowed of whitelist) {\n if (allowed.includes('/')) {\n try {\n const parsed = ipaddr.parse(clientIp);\n const [addr, prefixLen] = ipaddr.parseCIDR(allowed);\n if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) return true;\n } catch { continue; }\n } else if (clientIp === allowed) {\n return true;\n }\n }\n return false;\n}\n\nexport function checkCountryAccess(\n clientIp: string,\n routeConfig: RouteConfig,\n geoIpHandler: GeoIPHandler | null,\n): boolean | null {\n if (!geoIpHandler) return null;\n\n let country: string | null = null;\n\n if (routeConfig.blockedCountries && routeConfig.blockedCountries.length > 0) {\n country = geoIpHandler.getCountry(clientIp);\n if (country && routeConfig.blockedCountries.includes(country)) return false;\n }\n\n if (routeConfig.whitelistCountries && routeConfig.whitelistCountries.length > 0) {\n if (country === null) country = geoIpHandler.getCountry(clientIp);\n if (country) return routeConfig.whitelistCountries.includes(country);\n return false;\n }\n\n return null;\n}\n\nexport async function checkRouteIpAccess(\n clientIp: string,\n routeConfig: RouteConfig,\n middleware: GuardMiddlewareProtocol,\n): Promise<boolean | null> {\n try {\n if (routeConfig.ipBlacklist && routeConfig.ipBlacklist.length > 0) {\n if (isIpInBlacklist(clientIp, routeConfig.ipBlacklist)) return false;\n }\n\n if (routeConfig.ipWhitelist && routeConfig.ipWhitelist.length > 0) {\n const whitelistResult = isIpInWhitelist(clientIp, routeConfig.ipWhitelist);\n if (whitelistResult !== null) return whitelistResult;\n 
}\n\n const countryResult = checkCountryAccess(clientIp, routeConfig, middleware.geoIpHandler);\n if (countryResult !== null) return countryResult;\n\n return null;\n /* v8 ignore start -- catch block requires ipaddr.parse to throw on a value that already passed validation */\n } catch {\n return false;\n }\n /* v8 ignore stop */\n}\n\nexport async function checkUserAgentAllowed(\n userAgent: string,\n routeConfig: RouteConfig | null,\n config: ResolvedSecurityConfig,\n): Promise<boolean> {\n if (routeConfig && routeConfig.blockedUserAgents.length > 0) {\n for (const pattern of routeConfig.blockedUserAgents) {\n if (new RegExp(pattern, 'i').test(userAgent)) return false;\n }\n /* v8 ignore next -- empty blockedUserAgents on routeConfig branch; tests always set global blockedUserAgents */\n }\n\n for (const pattern of config.blockedUserAgents) {\n if (new RegExp(pattern, 'i').test(userAgent)) return false;\n }\n\n return true;\n}\n\nexport function validateAuthHeader(authHeader: string, authType: string): [boolean, string] {\n if (authType === 'bearer') {\n if (!authHeader.startsWith('Bearer ')) return [false, 'Missing or invalid Bearer token'];\n } else if (authType === 'basic') {\n if (!authHeader.startsWith('Basic ')) return [false, 'Missing or invalid Basic authentication'];\n } else {\n if (!authHeader) return [false, `Missing ${authType} authentication`];\n }\n return [true, ''];\n}\n\nexport function isReferrerDomainAllowed(referrer: string, allowedDomains: string[]): boolean {\n try {\n const url = new URL(referrer);\n const referrerDomain = url.hostname.toLowerCase();\n for (const allowed of allowedDomains) {\n const lowerAllowed = allowed.toLowerCase();\n if (referrerDomain === lowerAllowed || referrerDomain.endsWith(`.${lowerAllowed}`)) {\n return true;\n }\n }\n return false;\n } catch {\n return false;\n }\n}\n\nexport async function detectPenetrationPatterns(\n request: GuardRequest,\n routeConfig: RouteConfig | null,\n config: 
ResolvedSecurityConfig,\n shouldBypassCheckFn: (check: string, rc: RouteConfig | null) => boolean,\n): Promise<[boolean, string]> {\n let penetrationEnabled = config.enablePenetrationDetection;\n let routeSpecificDetection: boolean | null = null;\n\n if (routeConfig) {\n routeSpecificDetection = routeConfig.enableSuspiciousDetection;\n penetrationEnabled = routeSpecificDetection;\n }\n\n if (penetrationEnabled && !shouldBypassCheckFn('penetration', routeConfig)) {\n const { detectPenetrationAttempt } = await import('../../utils.js');\n return detectPenetrationAttempt(request);\n }\n\n const reason = routeSpecificDetection === false && config.enablePenetrationDetection\n ? 'disabled_by_decorator'\n : 'not_enabled';\n return [false, reason];\n}\n","import type { RouteConfig } from '../../../models/route-config.js';\nimport type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport { validateAuthHeader } from '../helpers.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class AuthenticationCheck extends SecurityCheck {\n get checkName(): string { return 'authentication'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n const routeConfig = (request.state as Record<string, unknown>)['_routeConfig'] as RouteConfig | undefined;\n if (!routeConfig) return null;\n\n if (routeConfig.authRequired) {\n const authHeader = request.headers['authorization'] ?? '';\n const [isValid, message] = validateAuthHeader(authHeader, routeConfig.authRequired);\n if (!isValid) {\n if (this.isPassiveMode()) {\n this.logger.info(`[PASSIVE] Auth failed: ${message}`);\n return null;\n }\n await this.sendEvent('authentication_failed', request, 'request_blocked', message);\n return this.createErrorResponse(401, message);\n }\n }\n\n if (routeConfig.apiKeyRequired) {\n const apiKey = request.headers['x-api-key'] ?? 
'';\n if (!apiKey) {\n if (this.isPassiveMode()) {\n this.logger.info('[PASSIVE] Missing API key');\n return null;\n }\n return this.createErrorResponse(401, 'API key required');\n }\n }\n\n return null;\n }\n}\n","import type { RouteConfig } from '../../../models/route-config.js';\nimport type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport { isReferrerDomainAllowed } from '../helpers.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class ReferrerCheck extends SecurityCheck {\n get checkName(): string { return 'referrer'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n const routeConfig = (request.state as Record<string, unknown>)['_routeConfig'] as RouteConfig | undefined;\n if (!routeConfig?.requireReferrer || routeConfig.requireReferrer.length === 0) return null;\n\n const referrer = request.headers['referer'] ?? request.headers['referrer'] ?? '';\n if (!referrer || !isReferrerDomainAllowed(referrer, routeConfig.requireReferrer)) {\n if (this.isPassiveMode()) {\n this.logger.info(`[PASSIVE] Invalid referrer: ${referrer}`);\n return null;\n }\n return this.createErrorResponse(403, 'Invalid referrer');\n }\n\n return null;\n }\n}\n","import type { RouteConfig } from '../../../models/route-config.js';\nimport type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class CustomValidatorsCheck extends SecurityCheck {\n get checkName(): string { return 'custom_validators'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n const routeConfig = (request.state as Record<string, unknown>)['_routeConfig'] as RouteConfig | undefined;\n if (!routeConfig || routeConfig.customValidators.length === 0) return null;\n\n for (const validator of routeConfig.customValidators) {\n const response = await 
validator(request);\n if (response !== null) return response;\n }\n\n return null;\n }\n}\n","import type { RouteConfig } from '../../../models/route-config.js';\nimport type { GuardMiddlewareProtocol } from '../../../protocols/middleware.js';\nimport type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport type { RequestValidator } from '../../validation/validator.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class TimeWindowCheck extends SecurityCheck {\n private readonly validator: RequestValidator;\n\n constructor(middleware: GuardMiddlewareProtocol, validator: RequestValidator) {\n super(middleware);\n this.validator = validator;\n }\n\n get checkName(): string { return 'time_window'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n const routeConfig = (request.state as Record<string, unknown>)['_routeConfig'] as RouteConfig | undefined;\n if (!routeConfig?.timeRestrictions) return null;\n\n const withinWindow = await this.validator.checkTimeWindow(routeConfig.timeRestrictions);\n if (!withinWindow) {\n if (this.isPassiveMode()) {\n this.logger.info('[PASSIVE] Request outside time window');\n return null;\n }\n return this.createErrorResponse(403, 'Access denied: outside allowed time window');\n }\n\n return null;\n }\n}\n","import type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class CloudIpRefreshCheck extends SecurityCheck {\n get checkName(): string { return 'cloud_ip_refresh'; }\n\n async check(_request: GuardRequest): Promise<GuardResponse | null> {\n if (this.config.blockCloudProviders.size === 0) return null;\n\n const now = Date.now() / 1000;\n const elapsed = now - this.middleware.lastCloudIpRefresh;\n\n if (elapsed >= this.config.cloudIpRefreshInterval) {\n this.middleware.lastCloudIpRefresh = 
now;\n try {\n await this.middleware.refreshCloudIpRanges();\n } catch (e) {\n this.logger.error(`Cloud IP refresh failed: ${e}`);\n }\n }\n\n return null;\n }\n}\n","import type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport type { RouteConfig } from '../../../models/route-config.js';\nimport type { IPBanManager } from '../../../handlers/ip-ban.js';\nimport { isIpAllowed } from '../../../utils.js';\nimport { checkRouteIpAccess } from '../helpers.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class IpSecurityCheck extends SecurityCheck {\n get checkName(): string { return 'ip_security'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n const clientIp = request.clientHost;\n if (!clientIp) return null;\n\n const ipBanHandler = this.middleware.rateLimitHandler as unknown as {\n ipBanHandler?: IPBanManager;\n };\n\n const routeConfig = (request.state as Record<string, unknown>)['_routeConfig'] as RouteConfig | undefined;\n\n if (routeConfig) {\n const routeResult = await checkRouteIpAccess(clientIp, routeConfig, this.middleware);\n if (routeResult === false) {\n if (this.isPassiveMode()) {\n this.logger.info(`[PASSIVE] IP blocked by route config: ${clientIp}`);\n return null;\n }\n await this.sendEvent('ip_blocked', request, 'request_blocked', `IP ${clientIp} blocked by route config`);\n return this.createErrorResponse(403, 'Access denied');\n }\n }\n\n const allowed = await isIpAllowed(clientIp, this.config, this.middleware.geoIpHandler);\n if (!allowed) {\n if (this.isPassiveMode()) {\n this.logger.info(`[PASSIVE] IP not allowed: ${clientIp}`);\n return null;\n }\n await this.sendEvent('ip_blocked', request, 'request_blocked', `IP ${clientIp} not allowed`);\n return this.createErrorResponse(403, 'Access denied');\n }\n\n return null;\n }\n}\n","import type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } 
from '../../../protocols/response.js';\nimport type { RouteConfig } from '../../../models/route-config.js';\nimport type { RouteConfigResolver } from '../../routing/resolver.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class CloudProviderCheck extends SecurityCheck {\n get checkName(): string { return 'cloud_provider'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n const clientIp = request.clientHost;\n if (!clientIp) return null;\n\n const routeConfig = (request.state as Record<string, unknown>)['_routeConfig'] as RouteConfig | undefined;\n const resolver = this.middleware.routeResolver as RouteConfigResolver;\n const providers = resolver.getCloudProvidersToCheck(routeConfig ?? null);\n\n if (!providers || providers.length === 0) return null;\n\n const { CloudHandler } = await import('../../../handlers/cloud.js');\n // Access cloud handler from middleware — it's in the registry\n // For now, we check via a lightweight import\n // The actual middleware will wire this properly\n\n return null;\n }\n}\n","import type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport type { RouteConfig } from '../../../models/route-config.js';\nimport { checkUserAgentAllowed } from '../helpers.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class UserAgentCheck extends SecurityCheck {\n get checkName(): string { return 'user_agent'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n const userAgent = request.headers['user-agent'] ?? '';\n if (!userAgent) return null;\n\n const routeConfig = (request.state as Record<string, unknown>)['_routeConfig'] as RouteConfig | undefined;\n const allowed = await checkUserAgentAllowed(userAgent, routeConfig ?? 
null, this.config);\n\n if (!allowed) {\n if (this.isPassiveMode()) {\n this.logger.info(`[PASSIVE] Blocked user agent: ${userAgent}`);\n return null;\n }\n await this.sendEvent('ua_blocked', request, 'request_blocked', `Blocked user agent: ${userAgent}`);\n return this.createErrorResponse(403, 'Access denied');\n }\n\n return null;\n }\n}\n","import type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport type { RouteConfig } from '../../../models/route-config.js';\nimport type { RateLimitManager } from '../../../handlers/rate-limit.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class RateLimitCheck extends SecurityCheck {\n get checkName(): string { return 'rate_limit'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n if (!this.config.enableRateLimiting) return null;\n\n const clientIp = request.clientHost;\n if (!clientIp) return null;\n\n const rateLimitHandler = this.middleware.rateLimitHandler as RateLimitManager;\n const routeConfig = (request.state as Record<string, unknown>)['_routeConfig'] as RouteConfig | undefined;\n const createError = this.createErrorResponse.bind(this);\n\n /* v8 ignore next -- routeConfig?.rateLimit null check; rateLimit is always set in test fixtures */\n if (routeConfig?.rateLimit !== null && routeConfig?.rateLimit !== undefined) {\n const response = await rateLimitHandler.checkRateLimit(\n request, clientIp, createError, request.urlPath,\n routeConfig.rateLimit, routeConfig.rateLimitWindow ?? 
this.config.rateLimitWindow,\n );\n if (response) {\n if (this.isPassiveMode()) {\n this.logger.info(`[PASSIVE] Route rate limit exceeded for ${clientIp}`);\n return null;\n }\n return response;\n }\n }\n\n const endpointLimit = this.config.endpointRateLimits[request.urlPath];\n if (endpointLimit) {\n const [limit, window] = endpointLimit;\n const response = await rateLimitHandler.checkRateLimit(\n request, clientIp, createError, request.urlPath, limit, window,\n );\n if (response) {\n if (this.isPassiveMode()) {\n this.logger.info(`[PASSIVE] Endpoint rate limit exceeded for ${clientIp}`);\n return null;\n }\n return response;\n }\n }\n\n const response = await rateLimitHandler.checkRateLimit(\n request, clientIp, createError, null,\n this.config.rateLimit, this.config.rateLimitWindow,\n );\n if (response) {\n if (this.isPassiveMode()) {\n this.logger.info(`[PASSIVE] Global rate limit exceeded for ${clientIp}`);\n return null;\n }\n return response;\n }\n\n return null;\n }\n}\n","import type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport type { RouteConfig } from '../../../models/route-config.js';\nimport type { RouteConfigResolver } from '../../routing/resolver.js';\nimport { detectPenetrationPatterns } from '../helpers.js';\nimport { logActivity } from '../../../utils.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class SuspiciousActivityCheck extends SecurityCheck {\n get checkName(): string { return 'suspicious_activity'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n if (!this.config.enablePenetrationDetection) return null;\n\n const clientIp = request.clientHost;\n if (!clientIp) return null;\n\n const routeConfig = (request.state as Record<string, unknown>)['_routeConfig'] as RouteConfig | undefined;\n const resolver = this.middleware.routeResolver as RouteConfigResolver;\n\n const [isThreat, triggerInfo] = await 
detectPenetrationPatterns(\n request,\n routeConfig ?? null,\n this.config,\n (check, rc) => resolver.shouldBypassCheck(check, rc),\n );\n\n if (!isThreat) return null;\n\n const counts = this.middleware.suspiciousRequestCounts;\n const currentCount = (counts.get(clientIp) ?? 0) + 1;\n counts.set(clientIp, currentCount);\n\n logActivity(request, this.logger, 'suspicious', 'Suspicious activity detected',\n this.config.passiveMode, triggerInfo, this.config.logSuspiciousLevel);\n\n await this.sendEvent('penetration_attempt', request, 'request_blocked',\n `Suspicious activity: ${triggerInfo}`, { triggerInfo, requestCount: currentCount });\n\n if (this.isPassiveMode()) return null;\n\n return this.createErrorResponse(403, 'Suspicious activity detected');\n }\n}\n","import type { GuardRequest } from '../../../protocols/request.js';\nimport type { GuardResponse } from '../../../protocols/response.js';\nimport { SecurityCheck } from '../base.js';\n\nexport class CustomRequestCheck extends SecurityCheck {\n get checkName(): string { return 'custom_request'; }\n\n async check(request: GuardRequest): Promise<GuardResponse | null> {\n if (!this.config.customRequestCheck) return null;\n return this.config.customRequestCheck(request);\n }\n}\n","import type { Logger } from './models/logger.js';\nimport type { ResolvedSecurityConfig } from './models/config.js';\nimport type { AgentHandlerProtocol } from './protocols/agent.js';\nimport type { GeoIPHandler } from './protocols/geo-ip.js';\nimport type { GuardMiddlewareProtocol } from './protocols/middleware.js';\nimport type { GuardRequest } from './protocols/request.js';\nimport type { GuardResponse, GuardResponseFactory } from './protocols/response.js';\nimport type { RouteConfig } from './models/route-config.js';\n\nimport { SecurityEventBus } from './core/events/event-bus.js';\nimport { MetricsCollector } from './core/events/metrics.js';\nimport { HandlerInitializer } from './core/initialization/handler-initializer.js';\nimport 
type { HandlerRegistry } from './core/initialization/handler-initializer.js';\nimport { RequestValidator } from './core/validation/validator.js';\nimport { RouteConfigResolver } from './core/routing/resolver.js';\nimport { BypassHandler } from './core/bypass/handler.js';\nimport { ErrorResponseFactory } from './core/responses/factory.js';\nimport { BehavioralProcessor } from './core/behavioral/processor.js';\nimport { SecurityCheckPipeline } from './core/checks/pipeline.js';\n\nimport { RouteConfigCheck } from './core/checks/implementations/route-config.js';\nimport { EmergencyModeCheck } from './core/checks/implementations/emergency-mode.js';\nimport { HttpsEnforcementCheck } from './core/checks/implementations/https-enforcement.js';\nimport { RequestLoggingCheck } from './core/checks/implementations/request-logging.js';\nimport { RequestSizeContentCheck } from './core/checks/implementations/request-size-content.js';\nimport { RequiredHeadersCheck } from './core/checks/implementations/required-headers.js';\nimport { AuthenticationCheck } from './core/checks/implementations/authentication.js';\nimport { ReferrerCheck } from './core/checks/implementations/referrer.js';\nimport { CustomValidatorsCheck } from './core/checks/implementations/custom-validators.js';\nimport { TimeWindowCheck } from './core/checks/implementations/time-window.js';\nimport { CloudIpRefreshCheck } from './core/checks/implementations/cloud-ip-refresh.js';\nimport { IpSecurityCheck } from './core/checks/implementations/ip-security.js';\nimport { CloudProviderCheck } from './core/checks/implementations/cloud-provider.js';\nimport { UserAgentCheck } from './core/checks/implementations/user-agent.js';\nimport { RateLimitCheck } from './core/checks/implementations/rate-limit.js';\nimport { SuspiciousActivityCheck } from './core/checks/implementations/suspicious-activity.js';\nimport { CustomRequestCheck } from './core/checks/implementations/custom-request.js';\n\nexport interface 
SecurityMiddlewareComponents {\n registry: HandlerRegistry;\n pipeline: SecurityCheckPipeline;\n eventBus: SecurityEventBus;\n metricsCollector: MetricsCollector;\n validator: RequestValidator;\n routeResolver: RouteConfigResolver;\n bypassHandler: BypassHandler;\n errorResponseFactory: ErrorResponseFactory;\n behavioralProcessor: BehavioralProcessor;\n middlewareProtocol: GuardMiddlewareProtocol;\n}\n\nexport async function initializeSecurityMiddleware(\n config: ResolvedSecurityConfig,\n logger: Logger,\n guardResponseFactory: GuardResponseFactory,\n agentHandler?: AgentHandlerProtocol | null,\n geoIpHandler?: GeoIPHandler | null,\n guardDecorator?: unknown,\n): Promise<SecurityMiddlewareComponents> {\n const initializer = new HandlerInitializer(\n config, logger, agentHandler ?? null, geoIpHandler ?? null, guardDecorator ?? null,\n );\n const registry = await initializer.initialize();\n\n const eventBus = new SecurityEventBus(\n agentHandler ?? null, config, logger, registry.geoIpHandler,\n );\n const metricsCollector = new MetricsCollector(\n agentHandler ?? null, config, logger,\n );\n const validator = new RequestValidator(config, logger, eventBus);\n const routeResolver = new RouteConfigResolver(config);\n if (guardDecorator) routeResolver.setGuardDecorator(guardDecorator);\n\n const errorResponseFactory = new ErrorResponseFactory(\n config, logger, metricsCollector, guardResponseFactory,\n registry.securityHeadersHandler, agentHandler ?? 
null,\n );\n const bypassHandler = new BypassHandler(\n config, eventBus, routeResolver, errorResponseFactory, validator,\n );\n const behavioralProcessor = new BehavioralProcessor(logger, eventBus);\n if (guardDecorator) {\n behavioralProcessor.setGuardDecorator(\n guardDecorator as { behaviorTracker: import('./handlers/behavior.js').BehaviorTracker },\n );\n }\n\n const middlewareProtocol: GuardMiddlewareProtocol = {\n get config() { return config; },\n get logger() { return logger; },\n lastCloudIpRefresh: 0,\n suspiciousRequestCounts: new Map(),\n get eventBus() { return eventBus; },\n get routeResolver() { return routeResolver; },\n get responseFactory() { return errorResponseFactory; },\n get rateLimitHandler() { return registry.rateLimitHandler; },\n get agentHandler() { return agentHandler ?? null; },\n get geoIpHandler() { return registry.geoIpHandler ?? null; },\n get guardResponseFactory() { return guardResponseFactory; },\n async createErrorResponse(statusCode: number, message: string) {\n return errorResponseFactory.createErrorResponse(statusCode, message);\n },\n async refreshCloudIpRanges() {\n if (registry.cloudHandler && config.blockCloudProviders.size > 0) {\n await registry.cloudHandler.refreshAsync(config.blockCloudProviders);\n }\n },\n };\n\n const pipeline = new SecurityCheckPipeline([\n new RouteConfigCheck(middlewareProtocol),\n new EmergencyModeCheck(middlewareProtocol),\n new HttpsEnforcementCheck(middlewareProtocol, validator, errorResponseFactory),\n new RequestLoggingCheck(middlewareProtocol),\n new RequestSizeContentCheck(middlewareProtocol),\n new RequiredHeadersCheck(middlewareProtocol),\n new AuthenticationCheck(middlewareProtocol),\n new ReferrerCheck(middlewareProtocol),\n new CustomValidatorsCheck(middlewareProtocol),\n new TimeWindowCheck(middlewareProtocol, validator),\n new CloudIpRefreshCheck(middlewareProtocol),\n new IpSecurityCheck(middlewareProtocol),\n new CloudProviderCheck(middlewareProtocol),\n new 
UserAgentCheck(middlewareProtocol),\n new RateLimitCheck(middlewareProtocol),\n new SuspiciousActivityCheck(middlewareProtocol),\n new CustomRequestCheck(middlewareProtocol),\n ], logger);\n\n return {\n registry,\n pipeline,\n eventBus,\n metricsCollector,\n validator,\n routeResolver,\n bypassHandler,\n errorResponseFactory,\n behavioralProcessor,\n middlewareProtocol,\n };\n}\n\nexport { SecurityCheckPipeline, SecurityEventBus, MetricsCollector, RequestValidator,\n RouteConfigResolver, BypassHandler, ErrorResponseFactory, BehavioralProcessor };\nexport type { HandlerRegistry };\n","import type { ResolvedSecurityConfig } from '../models/config.js';\nimport type { BehaviorRule } from '../models/behavior-rule.js';\nimport { RouteConfig } from '../models/route-config.js';\nimport type { AgentHandlerProtocol } from '../protocols/agent.js';\nimport type { RedisHandlerProtocol } from '../protocols/redis.js';\nimport type { GuardRequest } from '../protocols/request.js';\nimport type { GuardResponse } from '../protocols/response.js';\nimport { BehaviorTracker } from '../handlers/behavior.js';\nimport type { Logger } from '../models/logger.js';\nimport { defaultLogger } from '../models/logger.js';\n\ntype Constructor<T = object> = new (...args: unknown[]) => T;\n\nconst routeIdMap = new WeakMap<Function, string>();\nlet routeIdCounter = 0;\n\nexport class BaseSecurityDecorator {\n routeConfigs = new Map<string, RouteConfig>();\n behaviorTracker: BehaviorTracker;\n agentHandler: AgentHandlerProtocol | null = null;\n readonly config: ResolvedSecurityConfig;\n readonly logger: Logger;\n\n constructor(config: ResolvedSecurityConfig, logger?: Logger) {\n this.config = config;\n this.logger = logger ?? 
defaultLogger;\n this.behaviorTracker = new BehaviorTracker(config, this.logger);\n }\n\n getRouteConfig(routeId: string): RouteConfig | undefined {\n return this.routeConfigs.get(routeId);\n }\n\n ensureRouteConfig(fn: Function): RouteConfig {\n const id = this.getRouteId(fn);\n if (!this.routeConfigs.has(id)) {\n const rc = new RouteConfig();\n rc.enableSuspiciousDetection = this.config.enablePenetrationDetection;\n this.routeConfigs.set(id, rc);\n }\n return this.routeConfigs.get(id)!;\n }\n\n applyRouteConfig<T extends Function>(fn: T): T {\n (fn as Record<string, unknown>)['_guardRouteId'] = this.getRouteId(fn);\n return fn;\n }\n\n getRouteId(fn: Function): string {\n if (!routeIdMap.has(fn)) {\n routeIdMap.set(fn, `guard_route_${++routeIdCounter}`);\n }\n return routeIdMap.get(fn)!;\n }\n\n async initializeBehaviorTracking(redisHandler?: RedisHandlerProtocol): Promise<void> {\n if (redisHandler) await this.behaviorTracker.initializeRedis(redisHandler as unknown as import('../handlers/redis.js').RedisManager);\n }\n\n async initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void> {\n this.agentHandler = agentHandler;\n await this.behaviorTracker.initializeAgent(agentHandler);\n }\n\n async sendDecoratorEvent(\n eventType: string,\n _request: GuardRequest,\n actionTaken: string,\n reason: string,\n decoratorType: string,\n meta?: Record<string, unknown>,\n ): Promise<void> {\n if (!this.agentHandler) return;\n try {\n await this.agentHandler.sendEvent({\n timestamp: new Date(),\n eventType,\n actionTaken,\n reason,\n decoratorType,\n metadata: meta ?? 
{},\n });\n } catch { /* never throw */ }\n }\n\n async sendAccessDeniedEvent(\n request: GuardRequest,\n reason: string,\n decoratorType: string,\n meta?: Record<string, unknown>,\n ): Promise<void> {\n await this.sendDecoratorEvent('access_denied', request, 'request_blocked', reason, decoratorType, meta);\n }\n\n async sendAuthenticationFailedEvent(\n request: GuardRequest,\n reason: string,\n authType: string,\n meta?: Record<string, unknown>,\n ): Promise<void> {\n await this.sendDecoratorEvent('authentication_failed', request, 'request_blocked', reason, 'authentication', { authType, ...meta });\n }\n\n async sendRateLimitEvent(\n request: GuardRequest,\n limit: number,\n window: number,\n meta?: Record<string, unknown>,\n ): Promise<void> {\n await this.sendDecoratorEvent('rate_limit_exceeded', request, 'request_blocked', `Rate limit ${limit}/${window}s exceeded`, 'rate_limit', { limit, window, ...meta });\n }\n\n async sendDecoratorViolationEvent(\n request: GuardRequest,\n violationType: string,\n reason: string,\n meta?: Record<string, unknown>,\n ): Promise<void> {\n await this.sendDecoratorEvent('decorator_violation', request, 'request_blocked', reason, violationType, meta);\n }\n}\n\nexport function getRouteDecoratorConfig(\n request: GuardRequest,\n decoratorHandler: BaseSecurityDecorator,\n): RouteConfig | undefined {\n const routeId = request.state.guardRouteId;\n if (!routeId || typeof routeId !== 'string') return undefined;\n return decoratorHandler.getRouteConfig(routeId);\n}\n","import type { BaseSecurityDecorator } from './base.js';\n\n// eslint-disable-next-line @typescript-eslint/no-explicit-any -- TS mixin pattern requires any[]\ntype AnyConstructor = new (...args: any[]) => BaseSecurityDecorator;\n\nexport function AccessControl<T extends AnyConstructor>(Base: T) {\n return class extends Base {\n requireIp(whitelist?: string[], blacklist?: string[]) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n if 
(whitelist) rc.ipWhitelist = whitelist;\n if (blacklist) rc.ipBlacklist = blacklist;\n return this.applyRouteConfig(fn);\n };\n }\n\n blockCountries(countries: string[]) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.blockedCountries = countries;\n return this.applyRouteConfig(fn);\n };\n }\n\n allowCountries(countries: string[]) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.whitelistCountries = countries;\n return this.applyRouteConfig(fn);\n };\n }\n\n blockClouds(providers?: string[]) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.blockCloudProviders = new Set(providers ?? ['AWS', 'GCP', 'Azure']);\n return this.applyRouteConfig(fn);\n };\n }\n\n bypass(checks: string[]) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n for (const check of checks) rc.bypassedChecks.add(check);\n return this.applyRouteConfig(fn);\n };\n }\n };\n}\n","import type { BaseSecurityDecorator } from './base.js';\n\n// eslint-disable-next-line @typescript-eslint/no-explicit-any -- TS mixin pattern requires any[]\ntype AnyConstructor = new (...args: any[]) => BaseSecurityDecorator;\n\nexport function RateLimiting<T extends AnyConstructor>(Base: T) {\n return class extends Base {\n rateLimit(requests: number, window = 60) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.rateLimit = requests;\n rc.rateLimitWindow = window;\n return this.applyRouteConfig(fn);\n };\n }\n\n geoRateLimit(limits: Record<string, [number, number]>) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.geoRateLimits = limits;\n return this.applyRouteConfig(fn);\n };\n }\n };\n}\n","import type { BaseSecurityDecorator } from './base.js';\n\n// eslint-disable-next-line @typescript-eslint/no-explicit-any -- TS mixin pattern requires any[]\ntype AnyConstructor = 
new (...args: any[]) => BaseSecurityDecorator;\n\nexport function Authentication<T extends AnyConstructor>(Base: T) {\n return class extends Base {\n requireHttps() {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.requireHttps = true;\n return this.applyRouteConfig(fn);\n };\n }\n\n requireAuth(type = 'bearer') {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.authRequired = type;\n return this.applyRouteConfig(fn);\n };\n }\n\n apiKeyAuth(headerName = 'X-API-Key') {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.apiKeyRequired = true;\n rc.requiredHeaders[headerName] = '';\n return this.applyRouteConfig(fn);\n };\n }\n\n requireHeaders(headers: Record<string, string>) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n Object.assign(rc.requiredHeaders, headers);\n return this.applyRouteConfig(fn);\n };\n }\n };\n}\n","import type { GuardRequest } from '../protocols/request.js';\nimport type { GuardResponse } from '../protocols/response.js';\nimport type { BaseSecurityDecorator } from './base.js';\n\n// eslint-disable-next-line @typescript-eslint/no-explicit-any -- TS mixin pattern requires any[]\ntype AnyConstructor = new (...args: any[]) => BaseSecurityDecorator;\n\nexport function ContentFiltering<T extends AnyConstructor>(Base: T) {\n return class extends Base {\n blockUserAgents(patterns: string[]) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.blockedUserAgents.push(...patterns);\n return this.applyRouteConfig(fn);\n };\n }\n\n contentTypeFilter(allowedTypes: string[]) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.allowedContentTypes = allowedTypes;\n return this.applyRouteConfig(fn);\n };\n }\n\n maxRequestSize(sizeBytes: number) {\n return <F extends Function>(fn: F): F => {\n const rc = 
this.ensureRouteConfig(fn);\n rc.maxRequestSize = sizeBytes;\n return this.applyRouteConfig(fn);\n };\n }\n\n requireReferrer(allowedDomains: string[]) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.requireReferrer = allowedDomains;\n return this.applyRouteConfig(fn);\n };\n }\n\n customValidation(validator: (request: GuardRequest) => Promise<GuardResponse | null>) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.customValidators.push(validator);\n return this.applyRouteConfig(fn);\n };\n }\n };\n}\n","import { BehaviorRule } from '../models/behavior-rule.js';\nimport type { BehaviorAction } from '../models/behavior-rule.js';\nimport type { BaseSecurityDecorator } from './base.js';\n\n// eslint-disable-next-line @typescript-eslint/no-explicit-any -- TS mixin pattern requires any[]\ntype AnyConstructor = new (...args: any[]) => BaseSecurityDecorator;\n\nexport function Behavioral<T extends AnyConstructor>(Base: T) {\n return class extends Base {\n usageMonitor(maxCalls: number, window = 3600, action: BehaviorAction = 'ban') {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.behaviorRules.push(new BehaviorRule('usage', maxCalls, window, null, action));\n return this.applyRouteConfig(fn);\n };\n }\n\n returnMonitor(pattern: string, maxOccurrences: number, window = 86400, action: BehaviorAction = 'ban') {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.behaviorRules.push(new BehaviorRule('return_pattern', maxOccurrences, window, pattern, action));\n return this.applyRouteConfig(fn);\n };\n }\n\n behaviorAnalysis(rules: BehaviorRule[]) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.behaviorRules.push(...rules);\n return this.applyRouteConfig(fn);\n };\n }\n\n suspiciousFrequency(maxFrequency: number, window = 300, action: BehaviorAction = 'ban') {\n 
return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.behaviorRules.push(new BehaviorRule('frequency', maxFrequency, window, null, action));\n return this.applyRouteConfig(fn);\n };\n }\n };\n}\n","import type { BaseSecurityDecorator } from './base.js';\n\n// eslint-disable-next-line @typescript-eslint/no-explicit-any -- TS mixin pattern requires any[]\ntype AnyConstructor = new (...args: any[]) => BaseSecurityDecorator;\n\nexport function Advanced<T extends AnyConstructor>(Base: T) {\n return class extends Base {\n timeWindow(startTime: string, endTime: string, _timezone = 'UTC') {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.timeRestrictions = { start: startTime, end: endTime };\n return this.applyRouteConfig(fn);\n };\n }\n\n suspiciousDetection(enabled = true) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.enableSuspiciousDetection = enabled;\n return this.applyRouteConfig(fn);\n };\n }\n\n honeypotDetection(trapFields: string[]) {\n return <F extends Function>(fn: F): F => {\n const rc = this.ensureRouteConfig(fn);\n rc.customValidators.push(async (request) => {\n try {\n const bodyBytes = await request.body();\n if (bodyBytes.length === 0) return null;\n\n const bodyText = new TextDecoder().decode(bodyBytes);\n let data: Record<string, unknown> = {};\n\n const contentType = request.headers['content-type'] ?? 
'';\n if (contentType.includes('json')) {\n data = JSON.parse(bodyText);\n } else if (contentType.includes('form')) {\n for (const pair of bodyText.split('&')) {\n const [key, value] = pair.split('=');\n if (key && value) data[decodeURIComponent(key)] = decodeURIComponent(value);\n }\n }\n\n for (const field of trapFields) {\n if (data[field] !== undefined && data[field] !== '' && data[field] !== null) {\n return {\n statusCode: 403,\n headers: {},\n setHeader() {},\n body: new TextEncoder().encode('Forbidden'),\n bodyText: 'Forbidden',\n };\n }\n }\n /* v8 ignore start -- catch block function for honeypot body parsing; silently ignored */\n } catch { /* ignore */ }\n /* v8 ignore stop */\n return null;\n });\n return this.applyRouteConfig(fn);\n };\n }\n };\n}\n","import { BaseSecurityDecorator, getRouteDecoratorConfig } from './base.js';\nimport { AccessControl } from './access-control.js';\nimport { RateLimiting } from './rate-limiting.js';\nimport { Authentication } from './authentication.js';\nimport { ContentFiltering } from './content-filtering.js';\nimport { Behavioral } from './behavioral.js';\nimport { Advanced } from './advanced.js';\n\n// eslint-disable-next-line @typescript-eslint/no-explicit-any -- TS mixin composition requires any[]\nexport const SecurityDecorator = Advanced(\n ContentFiltering(\n Behavioral(\n Authentication(\n RateLimiting(\n AccessControl(\n BaseSecurityDecorator as unknown as new (...args: any[]) => BaseSecurityDecorator,\n ),\n ),\n ),\n ),\n ),\n);\n\nexport type SecurityDecorator = InstanceType<typeof SecurityDecorator>;\n\nexport { BaseSecurityDecorator, getRouteDecoratorConfig 
};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAGO,IAAM,eAAN,MAAmB;AAAA,EACf;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAET,YACE,UACA,WACA,SAAS,MACT,UAAyB,MACzB,SAAyB,OACzB,eAAyD,MACzD;AACA,SAAK,WAAW;AAChB,SAAK,YAAY;AACjB,SAAK,SAAS;AACd,SAAK,UAAU;AACf,SAAK,SAAS;AACd,SAAK,eAAe;AAAA,EACtB;AACF;;;AC1BA,YAAY,YAAY;AACxB,SAAS,SAAS;AAOlB,SAAS,gBAAgB,OAAwB;AAC/C,MAAI,MAAM,SAAS,GAAG,GAAG;AACvB,QAAI;AACF,MAAO,iBAAU,KAAK;AACtB,aAAO;AAAA,IACT,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAc,eAAQ,KAAK;AAC7B;AAEA,IAAM,wBAAwB,CAAC,OAAO,OAAO,OAAO;AAEpD,IAAM,iBAAiB,EAAE,OAAO,EAAE,OAAO,iBAAiB,oBAAoB;AAE9E,IAAM,WAAW,EAAE,KAAK,CAAC,QAAQ,SAAS,WAAW,SAAS,UAAU,CAAC;AAElE,IAAM,uBAAuB,EAAE,OAAO;AAAA,EAC3C,gBAAgB,EAAE,MAAM,cAAc,EAAE,QAAQ,CAAC,CAAC;AAAA,EAClD,mBAAmB,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,QAAQ,CAAC;AAAA,EACpD,sBAAsB,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,EAE/C,aAAa,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,EAEtC,cAAc,EAAE,OAAqB,EAAE,SAAS;AAAA,EAChD,aAAa,EAAE,OAAsC,EAAE,SAAS;AAAA,EAEhE,aAAa,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,EACrC,UAAU,EAAE,OAAO,EAAE,QAAQ,wBAAwB;AAAA,EACrD,aAAa,EAAE,OAAO,EAAE,QAAQ,aAAa;AAAA,EAE7C,WAAW,EAAE,MAAM,cAAc,EAAE,SAAS,EAAE,QAAQ,IAAI;AAAA,EAC1D,WAAW,EAAE,MAAM,cAAc,EAAE,QAAQ,CAAC,CAAC;AAAA,EAE7C,oBAAoB,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EAC5D,kBAAkB,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EAE1D,mBAAmB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EAEjD,kBAAkB,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE;AAAA,EACxD,iBAAiB,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,IAAI;AAAA,EAEzD,QAAQ,EAAE,OAAe,EAAE,SAAS;AAAA,EACpC,eAAe,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,IAAI;AAAA,EACjD,oBAAoB,SAAS,SAAS,EAAE,QAAQ,SAAS;AAAA,EACzD,iBAAiB,SAAS,SAAS,EAAE,QAAQ,IAAI;AAAA,EACjD,WAAW,EAAE,KAAK,CAAC,QAAQ,MAAM,CAAC,EAAE,QAAQ,MAAM;AAAA,EAElD,sBAAsB,EAAE,OAAO,EAAE,OAAO,OAAO,GAAG,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EAExE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE;AAAA,EACjD,iBAAiB,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE;AAAA,EAEvD,cAAc,EAAE
,QAAQ,EAAE,QAAQ,KAAK;AAAA,EAEvC,iBAAiB,EAAE,OAAO;AAAA,IACxB,SAAS,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,IACjC,MAAM,EAAE,OAAO;AAAA,MACb,QAAQ,EAAE,OAAO,EAAE,QAAQ,OAAQ;AAAA,MACnC,mBAAmB,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,MAC3C,SAAS,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,IACpC,CAAC,EAAE,SAAS;AAAA,IACZ,KAAK,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,EAAE,SAAS,EAAE,QAAQ,IAAI;AAAA,IACtE,cAAc,EAAE,KAAK,CAAC,QAAQ,YAAY,CAAC,EAAE,QAAQ,YAAY;AAAA,IACjE,oBAAoB,EAAE,OAAO,EAAE,QAAQ,SAAS;AAAA,IAChD,eAAe,EAAE,OAAO,EAAE,QAAQ,eAAe;AAAA,IACjD,gBAAgB,EAAE,OAAO,EAAE,QAAQ,iCAAiC;AAAA,IACpE,mBAAmB,EAAE,OAAO,EAAE,QAAQ,0CAA0C;AAAA,IAChF,QAAQ,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC,EAAE,SAAS,EAAE,QAAQ,IAAI;AAAA,EAClE,CAAC,EAAE,SAAS,EAAE,QAAQ;AAAA,IACpB,SAAS;AAAA,IACT,MAAM,EAAE,QAAQ,SAAU,mBAAmB,MAAM,SAAS,MAAM;AAAA,IAClE,cAAc;AAAA,IACd,oBAAoB;AAAA,IACpB,eAAe;AAAA,IACf,gBAAgB;AAAA,IAChB,mBAAmB;AAAA,IACnB,KAAK;AAAA,IACL,QAAQ;AAAA,EACV,CAAC;AAAA,EAED,oBAAoB,EAAE,OAA6D,EAAE,SAAS;AAAA,EAC9F,wBAAwB,EAAE,OAAuD,EAAE,SAAS;AAAA,EAE5F,YAAY,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,EACrC,kBAAkB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,GAAG,CAAC;AAAA,EACnD,kBAAkB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,OAAO,QAAQ,OAAO,SAAS,UAAU,SAAS,CAAC;AAAA,EAClG,kBAAkB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,GAAG,CAAC;AAAA,EACnD,sBAAsB,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,EAC/C,mBAAmB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EACjD,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,GAAG;AAAA,EAEnD,qBAAqB,EAClB,MAAM,EAAE,KAAK,qBAAqB,CAAC,EACnC,QAAQ,CAAC,CAAC,EACV,UAAU,CAAC,QAAQ,IAAI,IAAI,GAAG,CAAC;AAAA,EAClC,wBAAwB,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,IAAI,KAAK,EAAE,QAAQ,IAAI;AAAA,EAExE,cAAc,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EAE5C,iBAAiB,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,EACzC,oBAAoB,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,EAC5C,4BAA4B,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,EAEpD,eAAe,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,EACxC,oBAAoB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EAElD,oBAAoB,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,EAAE,OAAO,CAA
C,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EAEtF,0BAA0B,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,IAAI,EAAE,EAAE,QAAQ,CAAG;AAAA,EACjE,2BAA2B,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,GAAI,EAAE,IAAI,GAAM,EAAE,QAAQ,GAAK;AAAA,EAC/E,iCAAiC,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,EACzD,4BAA4B,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,QAAQ,GAAG;AAAA,EAChE,2BAA2B,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,QAAQ,CAAG;AAAA,EAChE,+BAA+B,EAAE,OAAO,EAAE,IAAI,IAAI,EAAE,IAAI,CAAC,EAAE,QAAQ,GAAG;AAAA,EACtE,6BAA6B,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,GAAG,EAAE,IAAI,GAAK,EAAE,QAAQ,GAAI;AAAA,EAC9E,6BAA6B,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,GAAG,EAAE,IAAI,GAAI,EAAE,QAAQ,GAAI;AAAA,EAE7E,aAAa,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,EACtC,aAAa,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,IAAI;AAAA,EAC/C,eAAe,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,+BAA+B;AAAA,EACvE,gBAAgB,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,IAAI;AAAA,EAClD,iBAAiB,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,GAAG;AAAA,EACxD,oBAAoB,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE;AAAA,EAC1D,mBAAmB,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,EAC3C,oBAAoB,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,EAC5C,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE;AAAA,EACpD,oBAAoB,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,CAAC;AAAA,EAE5D,oBAAoB,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,EAC7C,qBAAqB,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,GAAG;AAE9D,CAAC,EAAE,YAAY,CAAC,MAAM,QAAQ;AAC5B,MAAI,KAAK,eAAe,CAAC,KAAK,aAAa;AACzC,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM,CAAC,aAAa;AAAA,IACtB,CAAC;AAAA,EACH;AACA,MAAI,KAAK,sBAAsB,CAAC,KAAK,aAAa;AAChD,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM,CAAC,oBAAoB;AAAA,IAC7B,CAAC;AAAA,EACH;AACA,OACG,KAAK,iBAAiB,SAAS,KAAK,KAAK,mBAAmB,SAAS,MACtE,CAAC,KAAK,gBACN,CAAC,KAAK,aACN;AACA,QAAI,SAAS;AAAA,MACX,MAAM;AAAA,MACN,SAAS;AAAA,MACT,MAAM,CAAC,cAAc;AAAA,IACvB,CAAC;AAAA,EACH;AACF,CAAC;;;ACvKD,SAAS,KAAAA,UAAS;AAElB,IAAMC,yBAAwB,CAAC,OAAO,OAAO,OAAO;AAE7C,IAAM,qBAAqBD,GAAE,OAAO;AAAA,EACzC,QAAQA,GAAE,OAAO;AAAA,EACjB,SAASA,GAAE,OAAO,EAAE,IAAI;AAAA,EACxB,WAAWA,GAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,WAAWA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,QA
AQ,IAAI;AAAA,EACxD,KAAKA,GAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,GAAG;AAAA,EACjC,aAAaA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EAC3C,aAAaA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EAC3C,eAAeA,GAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,IAAI;AAAA,EAC5C,kBAAkBA,GAAE,MAAMA,GAAE,OAAO,EAAE,OAAO,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EAC1D,oBAAoBA,GAAE,MAAMA,GAAE,OAAO,EAAE,OAAO,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EAC5D,iBAAiBA,GAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,IAAI;AAAA,EACzD,kBAAkBA,GAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,IAAI;AAAA,EAC1D,oBAAoBA,GAAE,OAAOA,GAAE,OAAO,GAAGA,GAAE,MAAM,CAACA,GAAE,OAAO,GAAGA,GAAE,OAAO,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EACtF,uBAAuBA,GACpB,MAAMA,GAAE,KAAKC,sBAAqB,CAAC,EACnC,QAAQ,CAAC,CAAC,EACV,UAAU,CAAC,QAAQ,IAAI,IAAI,GAAG,CAAC;AAAA,EAClC,mBAAmBD,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EACjD,oBAAoBA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,EAClD,4BAA4BA,GAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,IAAI;AAAA,EAC/D,iBAAiBA,GAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,IAAI;AAAA,EACpD,oBAAoBA,GAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,IAAI;AAAA,EACvD,eAAeA,GAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,EACxC,oBAAoBA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AACpD,CAAC;;;ACtBM,IAAM,gBAAwB;AAAA,EACnC,MAAM,CAAC,QAAQ,SAAS,QAAQ,KAAK,gBAAgB,GAAG,IAAI,GAAG,IAAI;AAAA,EACnE,MAAM,CAAC,QAAQ,SAAS,QAAQ,KAAK,gBAAgB,GAAG,IAAI,GAAG,IAAI;AAAA,EACnE,OAAO,CAAC,QAAQ,SAAS,QAAQ,MAAM,gBAAgB,GAAG,IAAI,GAAG,IAAI;AAAA,EACrE,OAAO,CAAC,QAAQ,SAAS,QAAQ,MAAM,gBAAgB,GAAG,IAAI,GAAG,IAAI;AACvE;;;ACRO,IAAM,cAAN,MAAkB;AAAA,EACvB,YAA2B;AAAA,EAC3B,kBAAiC;AAAA,EACjC,cAA+B;AAAA,EAC/B,cAA+B;AAAA,EAC/B,mBAAoC;AAAA,EACpC,qBAAsC;AAAA,EACtC,iBAA8B,oBAAI,IAAI;AAAA,EACtC,eAAe;AAAA,EACf,eAA8B;AAAA,EAC9B,mBAAoF,CAAC;AAAA,EACrF,oBAA8B,CAAC;AAAA,EAC/B,kBAA0C,CAAC;AAAA,EAC3C,gBAAgC,CAAC;AAAA,EACjC,sBAAmC,oBAAI,IAAI;AAAA,EAC3C,iBAAgC;AAAA,EAChC,sBAAuC;AAAA,EACvC,mBAA0D;AAAA,EAC1D,4BAA4B;AAAA,EAC5B,kBAAmC;AAAA,EACnC,iBAAiB;AAAA,EACjB,gBAA+C;AAAA,EAC/C,gBAAyD;AAC3D;;;ACrBO,IAAM,mBAAN,MAAuB;AAAA,EAC5B,YACmB,cACA,QACA,QACA,eAAoC,MACrD
;AAJiB;AACA;AACA;AACA;AAAA,EAChB;AAAA,EAEH,MAAM,oBACJ,WACA,SACA,aACA,QACA,UACe;AACf,QAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,OAAO,kBAAmB;AAE1D,QAAI;AACF,YAAM,WAAW,QAAQ,cAAc;AACvC,UAAI,UAAyB;AAE7B,UAAI,KAAK,cAAc;AACrB,YAAI;AAAE,oBAAU,KAAK,aAAa,WAAW,QAAQ;AAAA,QAAG,QAAQ;AAAA,QAAe;AAAA,MACjF;AAEA,YAAM,KAAK,aAAa,UAAU;AAAA,QAChC,WAAW,oBAAI,KAAK;AAAA,QACpB;AAAA,QACA,WAAW;AAAA,QACX;AAAA,QACA,WAAW,QAAQ,QAAQ,YAAY,KAAK;AAAA,QAC5C;AAAA,QACA;AAAA,QACA,UAAU,QAAQ;AAAA,QAClB,QAAQ,QAAQ;AAAA,QAChB,UAAU,YAAY,CAAC;AAAA,MACzB,CAAC;AAAA,IACH,SAAS,GAAG;AACV,WAAK,OAAO,MAAM,kCAAkC,CAAC,EAAE;AAAA,IACzD;AAAA,EACF;AAAA,EAEA,MAAM,wBACJ,SACA,iBACe;AACf,UAAM,WAAW,QAAQ,iBAAiB,OAAO;AAEjD,QAAI,iBAAiB;AACnB,YAAM,KAAK;AAAA,QACT;AAAA,QAAuB;AAAA,QAAS;AAAA,QAChC;AAAA,QACA,EAAE,eAAe,kBAAkB,eAAe,iBAAiB,aAAa,SAAS;AAAA,MAC3F;AAAA,IACF,OAAO;AACL,YAAM,KAAK;AAAA,QACT;AAAA,QAAkB;AAAA,QAAS;AAAA,QAC3B;AAAA,QACA,EAAE,gBAAgB,QAAQ,WAAW,aAAa,SAAS;AAAA,MAC7D;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,yBACJ,SACA,UACA,WACA,aACe;AACf,UAAM,KAAK;AAAA,MACT;AAAA,MAAmB;AAAA;AAAA,MAEnB,cAAc,gBAAgB;AAAA,MAC9B,qBAAqB,QAAQ;AAAA,MAC7B,EAAE,kBAAkB,UAAU;AAAA,IAChC;AAAA,EACF;AACF;;;AC9EO,IAAM,mBAAN,MAAuB;AAAA,EAC5B,YACmB,cACA,QACA,QACjB;AAHiB;AACA;AACA;AAAA,EAChB;AAAA,EAEH,MAAM,WACJ,YACA,OACA,MACe;AACf,QAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,OAAO,mBAAoB;AAE3D,QAAI;AACF,YAAM,KAAK,aAAa,WAAW;AAAA,QACjC,WAAW,oBAAI,KAAK;AAAA,QACpB;AAAA,QACA;AAAA,QACA,MAAM,QAAQ,CAAC;AAAA,MACjB,CAAC;AAAA,IACH,SAAS,GAAG;AACV,WAAK,OAAO,MAAM,0BAA0B,CAAC,EAAE;AAAA,IACjD;AAAA,EACF;AAAA,EAEA,MAAM,sBACJ,SACA,cACA,YACe;AACf,QAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,OAAO,mBAAoB;AAE3D,UAAM,WAAW,QAAQ;AACzB,UAAM,SAAS,QAAQ;AACvB,UAAM,OAAO,EAAE,UAAU,QAAQ,QAAQ,OAAO,UAAU,EAAE;AAE5D,UAAM,KAAK,WAAW,iBAAiB,cAAc,IAAI;AACzD,UAAM,KAAK,WAAW,iBAAiB,GAAK,EAAE,UAAU,OAAO,CAAC;AAEhE,QAAI,cAAc,KAAK;AACrB,YAAM,KAAK,WAAW,cAAc,GAAK,IAAI;AAAA,IAC/C;AAAA,EACF;AACF;;;AC1CO,IAAM,kBAAN,MAAsB;AAAA,EAM3B,YACmB,QACA,QACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EARK,cAAc,oBAAI,IAAmC;AAAA,EACrD,iBAAiB,oBAAI,IAAmC;AAAA,EACxD,eAAoC;AAAA,EACpC,eAA4
C;AAAA,EAOpD,MAAM,gBAAgB,cAA2C;AAC/D,SAAK,eAAe;AAAA,EACtB;AAAA,EAEA,MAAM,gBAAgB,cAAmD;AACvE,SAAK,eAAe;AAAA,EACtB;AAAA,EAEA,MAAM,mBAAmB,YAAoB,UAAkB,MAAsC;AACnG,UAAM,MAAM,KAAK,IAAI,IAAI;AACzB,UAAM,cAAc,MAAM,KAAK;AAE/B,QAAI,CAAC,KAAK,YAAY,IAAI,UAAU,GAAG;AACrC,WAAK,YAAY,IAAI,YAAY,oBAAI,IAAI,CAAC;AAAA,IAC5C;AACA,UAAM,cAAc,KAAK,YAAY,IAAI,UAAU;AAEnD,QAAI,CAAC,YAAY,IAAI,QAAQ,GAAG;AAC9B,kBAAY,IAAI,UAAU,CAAC,CAAC;AAAA,IAC9B;AACA,UAAM,aAAa,YAAY,IAAI,QAAQ;AAE3C,UAAM,WAAW,WAAW,UAAU,CAAC,MAAM,IAAI,WAAW;AAE5D,QAAI,WAAW,EAAG,YAAW,OAAO,GAAG,QAAQ;AAAA,aACtC,aAAa,GAAI,YAAW,SAAS;AAE9C,eAAW,KAAK,GAAG;AAEnB,WAAO,WAAW,SAAS,KAAK;AAAA,EAClC;AAAA,EAEA,MAAM,mBACJ,YACA,UACA,UACA,MACkB;AAClB,QAAI,CAAC,KAAK,QAAS,QAAO;AAE1B,UAAM,UAAU,KAAK,qBAAqB,UAAU,KAAK,OAAO;AAChE,QAAI,CAAC,QAAS,QAAO;AAErB,UAAM,MAAM,KAAK,IAAI,IAAI;AACzB,UAAM,cAAc,MAAM,KAAK;AAC/B,UAAM,MAAM,GAAG,UAAU,IAAI,KAAK,OAAO;AAEzC,QAAI,CAAC,KAAK,eAAe,IAAI,GAAG,GAAG;AACjC,WAAK,eAAe,IAAI,KAAK,oBAAI,IAAI,CAAC;AAAA,IACxC;AACA,UAAM,aAAa,KAAK,eAAe,IAAI,GAAG;AAE9C,QAAI,CAAC,WAAW,IAAI,QAAQ,GAAG;AAC7B,iBAAW,IAAI,UAAU,CAAC,CAAC;AAAA,IAC7B;AACA,UAAM,aAAa,WAAW,IAAI,QAAQ;AAE1C,UAAM,WAAW,WAAW,UAAU,CAAC,MAAM,IAAI,WAAW;AAE5D,QAAI,WAAW,EAAG,YAAW,OAAO,GAAG,QAAQ;AAAA,aACtC,aAAa,GAAI,YAAW,SAAS;AAE9C,eAAW,KAAK,GAAG;AAEnB,WAAO,WAAW,SAAS,KAAK;AAAA,EAClC;AAAA,EAEQ,qBAAqB,UAAyB,SAA0B;AAC9E,QAAI,QAAQ,WAAW,SAAS,GAAG;AACjC,YAAM,OAAO,SAAS,QAAQ,MAAM,CAAC,GAAG,EAAE;AAC1C,aAAO,SAAS,eAAe;AAAA,IACjC;AAEA,QAAI,QAAQ,WAAW,QAAQ,GAAG;AAChC,YAAM,KAAK,IAAI,OAAO,QAAQ,MAAM,CAAC,GAAG,GAAG;AAC3C,aAAO,SAAS,WAAW,GAAG,KAAK,SAAS,QAAQ,IAAI;AAAA,IAC1D;AAEA,QAAI,QAAQ,WAAW,OAAO,GAAG;AAC/B,UAAI,CAAC,SAAS,SAAU,QAAO;AAC/B,UAAI;AACF,cAAM,OAAO,KAAK,MAAM,SAAS,QAAQ;AACzC,cAAM,OAAO,QAAQ,MAAM,CAAC;AAC5B,cAAM,QAAQ,KAAK,MAAM,GAAG;AAC5B,YAAI,UAAmB;AACvB,mBAAW,QAAQ,OAAO;AAExB,cAAI,YAAY,QAAQ,YAAY,OAAW,QAAO;AACtD,oBAAW,QAAoC,IAAI;AAAA,QACrD;AACA,eAAO,YAAY,UAAa,YAAY;AAAA,MAC9C,QAAQ;AAAE,eAAO;AAAA,MAAO;AAAA,IAC1B;AAGA,WAAO,SAAS,WAAW,SAAS,SAAS,SAAS,OAAO,IAAI;AAAA,EACnE;AAAA,EAEA,MAAM,YACJ,MACA,UACA,YACA,SACe;
AACf,QAAI,KAAK,OAAO,aAAa;AAC3B,WAAK,OAAO,KAAK,mBAAmB,KAAK,MAAM,IAAI,QAAQ,QAAQ,OAAO,EAAE;AAC5E;AAAA,IACF;AAEA,YAAQ,KAAK,QAAQ;AAAA,MACnB,KAAK;AACH,aAAK,OAAO,KAAK,mBAAmB,QAAQ,MAAM,OAAO,EAAE;AAC3D;AAAA,MACF,KAAK;AACH,aAAK,OAAO,KAAK,mBAAmB,QAAQ,MAAM,OAAO,EAAE;AAC3D;AAAA,MACF,KAAK;AACH,aAAK,OAAO,KAAK,wBAAwB,QAAQ,MAAM,OAAO,EAAE;AAChE;AAAA,MACF,KAAK;AACH,aAAK,OAAO,KAAK,qBAAqB,QAAQ,MAAM,OAAO,EAAE;AAC7D;AAAA,IACJ;AAEA,QAAI,KAAK,cAAc;AACrB,UAAI;AAAE,aAAK,aAAa,KAAK,QAAQ,UAAU,YAAY,OAAO;AAAA,MAAG,QAAQ;AAAA,MAAe;AAAA,IAC9F;AAEA,QAAI,KAAK,cAAc;AACrB,UAAI;AACF,cAAM,KAAK,aAAa,UAAU;AAAA,UAChC,WAAW;AAAA,UACX,WAAW;AAAA,UACX,aAAa,KAAK;AAAA,UAClB,QAAQ;AAAA,UACR,UAAU,EAAE,YAAY,UAAU,KAAK,UAAU,WAAW,KAAK,UAAU;AAAA,QAC7E,CAAC;AAAA,MACH,QAAQ;AAAA,MAAoB;AAAA,IAC9B;AAAA,EACF;AAAA,EAEA,MAAM,QAAuB;AAC3B,SAAK,YAAY,MAAM;AACvB,SAAK,eAAe,MAAM;AAAA,EAC5B;AACF;;;AC5JO,IAAM,qBAAN,MAAyB;AAAA,EAO9B,YACmB,QACA,QACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EATK,eAAoC;AAAA,EACpC,cAAqD;AAAA,EACrD,aAAa;AAAA,EACb,eAA4C;AAAA,EAC5C,eAAoC;AAAA,EAO5C,MAAM,gBAAgB,cAAmD;AACvE,SAAK,eAAe;AACpB,QAAI,KAAK,OAAO,oBAAoB;AAClC,WAAK,gBAAgB;AAAA,IACvB;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,cAA2C;AAC/D,SAAK,eAAe;AAAA,EACtB;AAAA,EAEQ,kBAAwB;AAC9B,QAAI,KAAK,YAAa;AAEtB,SAAK,cAAc;AAAA,MACjB,MAAM;AAAE,aAAK,YAAY,EAAE,MAAM,CAAC,MAAM,KAAK,OAAO,MAAM,uBAAuB,CAAC,EAAE,CAAC;AAAA,MAAG;AAAA,MACxF,KAAK,OAAO,sBAAsB;AAAA,IACpC;AAAA,EACF;AAAA,EAEA,MAAM,cAA6B;AACjC,QAAI,CAAC,KAAK,aAAc;AAExB,QAAI;AACF,YAAM,WAAW,MAAM,KAAK,aAAa,gBAAgB;AACzD,UAAI,CAAC,SAAU;AAEf,YAAM,SAAS,mBAAmB,UAAU,QAAQ;AACpD,UAAI,CAAC,OAAO,SAAS;AACnB,aAAK,OAAO,KAAK,0BAA0B,OAAO,MAAM,OAAO,EAAE;AACjE;AAAA,MACF;AAEA,YAAM,QAAQ,OAAO;AAErB,UAAI,KAAK,gBACL,KAAK,aAAa,WAAW,MAAM,UACnC,KAAK,aAAa,WAAW,MAAM,SAAS;AAC9C;AAAA,MACF;AAEA,WAAK,eAAe;AACpB,WAAK,aAAa,KAAK,IAAI,IAAI;AAE/B,WAAK,OAAO,KAAK,0BAA0B,MAAM,MAAM,KAAK,MAAM,OAAO,EAAE;AAE3E,UAAI,KAAK,cAAc;AACrB,YAAI;AACF,gBAAM,KAAK,aAAa,UAAU;AAAA,YAChC,WAAW;AAAA,YACX,WAAW;AAAA,YACX,aAAa;AAAA,YACb,QAAQ,iBAAiB,MAAM,MAAM,KAAK,MAAM,OAAO;AAAA,UACzD,CAAC;AAAA,QACH,QAAQ;AAAA,QAA
oB;AAAA,MAC9B;AAAA,IACF,SAAS,GAAG;AACV,WAAK,OAAO,MAAM,kCAAkC,CAAC,EAAE;AAAA,IACzD;AAAA,EACF;AAAA,EAEA,kBAAuC;AACrC,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,MAAM,cAA6B;AACjC,UAAM,KAAK,YAAY;AAAA,EACzB;AAAA,EAEA,MAAM,OAAsB;AAC1B,QAAI,KAAK,aAAa;AACpB,oBAAc,KAAK,WAAW;AAC9B,WAAK,cAAc;AAAA,IACrB;AAAA,EACF;AACF;;;ACpFO,IAAM,eAAN,MAAmB;AAAA,EAMxB,YAA6B,QAAgB;AAAhB;AAAA,EAAiB;AAAA,EALtC,YAAY,oBAAI,IAAsB;AAAA,EACtC,eAAoC;AAAA,EACpC,eAA4C;AAAA,EACnC,UAAU;AAAA,EAI3B,MAAM,gBAAgB,cAA2C;AAC/D,SAAK,eAAe;AAAA,EACtB;AAAA,EAEA,MAAM,gBAAgB,cAAmD;AACvE,SAAK,eAAe;AAAA,EACtB;AAAA,EAEA,MAAM,MAAM,IAAY,UAAkB,QAA+B;AACvE,UAAM,MAAM,KAAK,IAAI,IAAI;AACzB,UAAM,YAAY,MAAM;AAExB,QAAI,KAAK,UAAU,QAAQ,KAAK,SAAS;AACvC,YAAM,YAAY,KAAK,UAAU,KAAK,EAAE,KAAK,EAAE;AAC/C,UAAI,UAAW,MAAK,UAAU,OAAO,SAAS;AAAA,IAChD;AAEA,SAAK,UAAU,IAAI,IAAI,EAAE,WAAW,QAAQ,UAAU,IAAI,CAAC;AAE3D,QAAI,KAAK,cAAc;AACrB,YAAM,KAAK,aAAa,OAAO,cAAc,IAAI,OAAO,SAAS,GAAG,QAAQ;AAAA,IAC9E;AAEA,QAAI,KAAK,cAAc;AACrB,UAAI;AACF,cAAM,KAAK,aAAa,UAAU;AAAA,UAChC,WAAW;AAAA,UACX,WAAW;AAAA,UACX,aAAa;AAAA,UACb;AAAA,UACA,UAAU,EAAE,UAAU,UAAU;AAAA,QAClC,CAAC;AAAA,MACH,QAAQ;AAAA,MAAwC;AAAA,IAClD;AAEA,SAAK,OAAO,KAAK,cAAc,EAAE,QAAQ,QAAQ,OAAO,MAAM,EAAE;AAAA,EAClE;AAAA,EAEA,MAAM,WAAW,IAA8B;AAC7C,UAAM,MAAM,KAAK,IAAI,IAAI;AAEzB,UAAM,QAAQ,KAAK,UAAU,IAAI,EAAE;AACnC,QAAI,OAAO;AACT,UAAI,OAAO,MAAM,UAAW,QAAO;AACnC,WAAK,UAAU,OAAO,EAAE;AAAA,IAC1B;AAEA,QAAI,KAAK,cAAc;AACrB,YAAM,YAAY,MAAM,KAAK,aAAa,OAAO,cAAc,EAAE;AACjE,UAAI,OAAO,cAAc,UAAU;AACjC,cAAM,YAAY,WAAW,SAAS;AACtC,YAAI,OAAO,WAAW;AACpB,eAAK,UAAU,IAAI,IAAI;AAAA,YACrB;AAAA,YACA,QAAQ;AAAA,YACR,UAAU;AAAA,UACZ,CAAC;AACD,iBAAO;AAAA,QACT;AACA,cAAM,KAAK,aAAa,OAAO,cAAc,EAAE;AAAA,MACjD;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,QAAQ,IAA2B;AACvC,SAAK,UAAU,OAAO,EAAE;AAExB,QAAI,KAAK,cAAc;AACrB,YAAM,KAAK,aAAa,OAAO,cAAc,EAAE;AAAA,IACjD;AAEA,QAAI,KAAK,cAAc;AACrB,UAAI;AACF,cAAM,KAAK,aAAa,UAAU;AAAA,UAChC,WAAW;AAAA,UACX,WAAW;AAAA,UACX,aAAa;AAAA,UACb,QAAQ;AAAA,QACV,CAAC;AAAA,MACH,QAAQ;AAAA,MAAoB;AAAA,IAC9B;AAEA,SAAK,OAAO,KAAK,gBAAgB,EAAE,EAAE;AAAA,EACvC;
AAAA,EAEA,MAAM,QAAuB;AAC3B,SAAK,UAAU,MAAM;AACrB,QAAI,KAAK,cAAc;AACrB,YAAM,KAAK,aAAa,cAAc,cAAc;AAAA,IACtD;AAAA,EACF;AACF;;;ACzGA,IAAM,oBAAoB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAenB,IAAM,mBAAN,MAAuB;AAAA,EAM5B,YAA6B,QAAgB;AAAhB;AAAA,EAAiB;AAAA,EALtC,oBAAoB,oBAAI,IAAsB;AAAA,EAC9C,eAAoC;AAAA,EACpC,eAA4C;AAAA,EAC5C,qBAAoC;AAAA,EAI5C,MAAM,gBAAgB,cAA2C;AAC/D,SAAK,eAAe;AACpB,UAAM,SAAS,aAAa,aAAa;AACzC,QAAI,QAAQ;AACV,UAAI;AACF,aAAK,qBAAqB,MAAM,OAAO,OAAO,QAAQ,iBAAiB;AAAA,MACzE,SAAS,GAAG;AACV,aAAK,OAAO,KAAK,yCAAyC,CAAC,EAAE;AAAA,MAC/D;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,cAAmD;AACvE,SAAK,eAAe;AAAA,EACtB;AAAA,EAEA,MAAM,eACJ,SACA,UACA,qBACA,eAA8B,MAC9B,YAAoB,IACpB,kBAA0B,IACK;AAC/B,UAAM,MAAM,eAAe,GAAG,QAAQ,IAAI,YAAY,KAAK;AAC3D,UAAM,MAAM,KAAK,IAAI,IAAI;AAEzB,QAAI,QAAuB;AAE3B,QAAI,KAAK,cAAc;AACrB,cAAQ,MAAM,KAAK,qBAAqB,KAAK,KAAK,iBAAiB,SAAS;AAAA,IAC9E;AAEA,QAAI,UAAU,MAAM;AAClB,cAAQ,KAAK,wBAAwB,KAAK,KAAK,eAAe;AAAA,IAChE;AAEA,QAAI,QAAQ,WAAW;AACrB,aAAO,KAAK;AAAA,QACV;AAAA,QAAS;AAAA,QAAU;AAAA,QAAO;AAAA,QAAqB;AAAA,MACjD;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAc,qBACZ,KACA,KACA,QACA,QACwB;AACxB,UAAM,SAAS,KAAK,cAAc,aAAa;AAC/C,QAAI,CAAC,OAAQ,QAAO;AAEpB,UAAM,WAAW,mBAAmB,GAAG;AACvC,UAAM,SAAS,KAAK,aAAc,QAAQ;AAC1C,UAAM,UAAU,GAAG,MAAM,GAAG,QAAQ;AAEpC,QAAI;AACF,UAAI,KAAK,oBAAoB;AAC3B,cAAME,SAAQ,MAAM,OAAO;AAAA,UACzB,KAAK;AAAA,UAAoB;AAAA,UAAG;AAAA,UAAS;AAAA,UAAK;AAAA,UAAQ;AAAA,QACpD;AACA,eAAO,OAAOA,MAAK;AAAA,MACrB;AAGA,YAAM,OAAO,KAAK,SAAS,KAAK,OAAO,GAAG,CAAC;AAC3C,YAAM,OAAO,iBAAiB,SAAS,GAAG,MAAM,MAAM;AACtD,YAAM,QAAQ,MAAM,OAAO,MAAM,OAAO;AACxC,YAAM,OAAO,KAAK,0CAA0C,GAAG,SAAS,SAAS,CAAC;AAClF,aAAO;AAAA,IAET,SAAS,GAAG;AACV,WAAK,OAAO,KAAK,6DAA6D,CAAC,EAAE;AACjF,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEQ,wBAAwB,KAAa,KAAa,QAAwB;AAChF,QAAI,aAAa,KAAK,kBAAkB,IAAI,GAAG;AAC/C,QAAI,CAAC,YAAY;AACf,mBAAa,CAAC;AACd,WAAK,kBAAkB,IAAI,KAAK,UAAU;AAAA,IAC5C;AAEA,UAAM,cAAc,MAAM;AAC1B,UAAM,aAAa,WAAW,UAAU,CAAC,MAAM,IAAI,WAAW;AAE9D,QAAI,aAAa,GAAG;AAClB,iBAAW,OAAO,GAAG,UAAU;AAAA,IAEjC,WAAW,eAAe
,IAAI;AAC5B,iBAAW,SAAS;AAAA,IACtB;AAEA,eAAW,KAAK,GAAG;AACnB,WAAO,WAAW;AAAA,EACpB;AAAA,EAEA,MAAc,wBACZ,SACA,UACA,OACA,qBACA,QACwB;AACxB,SAAK,OAAO,KAAK,2BAA2B,QAAQ,KAAK,KAAK,WAAW;AAEzE,QAAI,KAAK,cAAc;AACrB,UAAI;AACF,cAAM,KAAK,aAAa,UAAU;AAAA,UAChC,WAAW;AAAA,UACX,WAAW;AAAA,UACX,aAAa;AAAA,UACb,QAAQ,wBAAwB,KAAK,gBAAgB,MAAM;AAAA,UAC3D,UAAU;AAAA,YACR,UAAU,QAAQ;AAAA,YAClB,QAAQ,QAAQ;AAAA,YAChB,cAAc;AAAA,YACd;AAAA,UACF;AAAA,QACF,CAAC;AAAA,MACH,QAAQ;AAAA,MAAoB;AAAA,IAC9B;AAEA,WAAO,oBAAoB,KAAK,qBAAqB;AAAA,EACvD;AAAA,EAEA,MAAM,QAAuB;AAC3B,SAAK,kBAAkB,MAAM;AAC7B,QAAI,KAAK,cAAc;AACrB,YAAM,KAAK,aAAa,cAAc,mBAAmB;AAAA,IAC3D;AAAA,EACF;AACF;;;AC5IO,IAAM,eAAN,MAAmD;AAAA,EAMxD,YACmB,QACA,QACjB;AAFiB;AACA;AAEjB,SAAK,SAAS,OAAO;AAAA,EACvB;AAAA,EAVQ,SAA6B;AAAA,EAC7B,SAAS;AAAA,EACT,eAA4C;AAAA,EACnC;AAAA,EASjB,MAAM,aAA4B;AAChC,QAAI,CAAC,KAAK,OAAO,eAAe,KAAK,OAAQ;AAE7C,QAAI;AACF,YAAM,EAAE,SAAS,MAAM,IAAI,MAAM,OAAO,SAAS;AACjD,WAAK,SAAS,IAAI,MAAM,KAAK,OAAO,QAAQ;AAC5C,YAAM,KAAK,OAAO,KAAK;AACvB,WAAK,OAAO,KAAK,8BAA8B;AAAA,IAEjD,SAAS,GAAG;AACV,WAAK,OAAO,MAAM,4BAA4B,CAAC,EAAE;AACjD,WAAK,SAAS;AAAA,IAChB;AAAA,EAEF;AAAA,EAEA,MAAM,QAAuB;AAC3B,SAAK,SAAS;AACd,QAAI,KAAK,QAAQ;AACf,UAAI;AAAE,cAAM,KAAK,OAAO,KAAK;AAAA,MAAG,QAAQ;AAAA,MAAe;AACvD,WAAK,SAAS;AAAA,IAChB;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,cAAmD;AACvE,SAAK,eAAe;AAAA,EACtB;AAAA;AAAA,EAGA,gBAAiC;AAC/B,UAAM,SAAS,KAAK;AACpB,WAAO;AAAA,MACL,CAAC,OAAO,YAAY,GAAG,YAAY;AAAA,MAAC;AAAA,MACpC,IAAI,SAAS;AAAE,eAAO;AAAA,MAAQ;AAAA,IAChC;AAAA,EACF;AAAA;AAAA,EAGQ,UAAU,WAAmB,KAAqB;AACxD,WAAO,GAAG,KAAK,MAAM,GAAG,SAAS,IAAI,GAAG;AAAA,EAC1C;AAAA,EAEA,MAAM,OAAO,WAAmB,KAA+B;AAC7D,QAAI,CAAC,KAAK,OAAQ,QAAO;AACzB,QAAI;AACF,aAAO,MAAM,KAAK,OAAO,IAAI,KAAK,UAAU,WAAW,GAAG,CAAC;AAAA,IAC7D,SAAS,GAAG;AACV,WAAK,OAAO,MAAM,qBAAqB,CAAC,EAAE;AAC1C,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,WAAmB,KAAa,OAAgB,KAA8C;AACzG,QAAI,CAAC,KAAK,OAAQ,QAAO;AACzB,QAAI;AACF,YAAM,UAAU,KAAK,UAAU,WAAW,GAAG;AAC7C,YAAM,WAAW,OAAO,UAAU,WAAW,QAAQ,KAAK,UAAU,KAAK;AACzE,UAAI,OAAO,MAAM,GAAG;AAClB,cAAM,KAAK,OAAO,MAAM,SAAS,KAAK
,QAAQ;AAAA,MAChD,OAAO;AACL,cAAM,KAAK,OAAO,IAAI,SAAS,QAAQ;AAAA,MACzC;AACA,aAAO;AAAA,IACT,SAAS,GAAG;AACV,WAAK,OAAO,MAAM,qBAAqB,CAAC,EAAE;AAC1C,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,KAAK,WAAmB,KAAa,KAAsC;AAC/E,QAAI,CAAC,KAAK,OAAQ,QAAO;AACzB,QAAI;AACF,YAAM,UAAU,KAAK,UAAU,WAAW,GAAG;AAC7C,YAAM,QAAQ,MAAM,KAAK,OAAO,KAAK,OAAO;AAC5C,UAAI,OAAO,MAAM,GAAG;AAClB,cAAM,KAAK,OAAO,OAAO,SAAS,GAAG;AAAA,MACvC;AACA,aAAO;AAAA,IACT,SAAS,GAAG;AACV,WAAK,OAAO,MAAM,sBAAsB,CAAC,EAAE;AAC3C,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,WAAmB,KAAsC;AACpE,QAAI,CAAC,KAAK,OAAQ,QAAO;AACzB,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,OAAO,OAAO,KAAK,UAAU,WAAW,GAAG,CAAC;AACtE,aAAO,SAAS;AAAA,IAClB,SAAS,GAAG;AACV,WAAK,OAAO,MAAM,wBAAwB,CAAC,EAAE;AAC7C,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,WAAmB,KAAqC;AACnE,QAAI,CAAC,KAAK,OAAQ,QAAO;AACzB,QAAI;AACF,aAAO,MAAM,KAAK,OAAO,IAAI,KAAK,UAAU,WAAW,GAAG,CAAC;AAAA,IAC7D,SAAS,GAAG;AACV,WAAK,OAAO,MAAM,wBAAwB,CAAC,EAAE;AAC7C,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,KAAK,SAA2C;AACpD,QAAI,CAAC,KAAK,OAAQ,QAAO;AACzB,QAAI;AACF,aAAO,MAAM,KAAK,OAAO,KAAK,GAAG,KAAK,MAAM,GAAG,OAAO,EAAE;AAAA,IAC1D,SAAS,GAAG;AACV,WAAK,OAAO,MAAM,sBAAsB,CAAC,EAAE;AAC3C,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,cAAc,SAAyC;AAC3D,QAAI,CAAC,KAAK,OAAQ,QAAO;AACzB,QAAI;AACF,YAAM,cAAc,MAAM,KAAK,OAAO,KAAK,GAAG,KAAK,MAAM,GAAG,OAAO,EAAE;AACrE,UAAI,YAAY,WAAW,EAAG,QAAO;AACrC,aAAO,MAAM,KAAK,OAAO,IAAI,GAAG,WAAW;AAAA,IAC7C,SAAS,GAAG;AACV,WAAK,OAAO,MAAM,+BAA+B,CAAC,EAAE;AACpD,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,eAAmC;AACjC,WAAO,KAAK;AAAA,EACd;AACF;;;ACpKA,IAAM,kBAA0C;AAAA,EAC9C,0BAA0B;AAAA,EAC1B,mBAAmB;AAAA,EACnB,oBAAoB;AAAA,EACpB,mBAAmB;AAAA,EACnB,sBAAsB;AAAA,EACtB,qCAAqC;AAAA,EACrC,sBAAsB;AAAA,EACtB,gCAAgC;AAAA,EAChC,8BAA8B;AAAA,EAC9B,gCAAgC;AAClC;AAEA,IAAM,0BAA0B;AAEhC,SAAS,oBAAoB,OAAuB;AAClD,MAAI,MAAM,SAAS,IAAI,KAAK,MAAM,SAAS,IAAI,GAAG;AAChD,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACrE;AAEA,MAAI,MAAM,SAAS,yBAAyB;AAC1C,UAAM,IAAI,MAAM,0CAA0C,uBAAuB,EAAE;AAAA,EACrF;AAEA,SAAO,MAAM,QAAQ,iCAAiC,EAAE;AAC1D;AAEA,SAAS,iBAAiB,aAA6B;AACrD,QAAM,aAAa,Y
AAY,YAAY,EAAE,QAAQ,QAAQ,EAAE;AAC/D,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,WAAW,QAAQ,KAAK;AAC1C,YAAQ,QAAQ,KAAK,OAAO,WAAW,WAAW,CAAC;AACnD,YAAQ;AAAA,EACV;AACA,SAAO,OAAO,KAAK,IAAI,IAAI,CAAC,EAAE,SAAS,IAAI,GAAG,EAAE,MAAM,GAAG,EAAE;AAC7D;AAEO,IAAM,yBAAN,MAA6B;AAAA,EAkBlC,YAA6B,QAAgB;AAAhB;AAAA,EAAiB;AAAA,EAjBtC,eAAe,oBAAI,IAAoC;AAAA,EACvD,iBAAyC,EAAE,GAAG,gBAAgB;AAAA,EAC9D,gBAAwC,CAAC;AAAA,EACzC,YAA6C;AAAA,EAC7C,aAAsF;AAAA,EACtF,aAKG;AAAA,EACH,eAAoC;AAAA,EACpC,eAA4C;AAAA,EAC5C,eAAe;AAAA,EACf,aAAa;AAAA,EACb,kBAAkB,oBAAI,IAAoB;AAAA,EAIlD,MAAM,gBAAgB,cAA2C;AAC/D,SAAK,eAAe;AACpB,UAAM,KAAK,iBAAiB;AAAA,EAC9B;AAAA;AAAA,EAGA,MAAM,gBAAgB,cAAmD;AACvE,SAAK,eAAe;AAAA,EACtB;AAAA;AAAA,EAGA,MAAc,mBAAkC;AAC9C,QAAI,CAAC,KAAK,aAAc;AAExB,UAAM,UAAU,MAAM,KAAK,aAAa,OAAO,oBAAoB,YAAY;AAC/E,QAAI,OAAO,YAAY,UAAU;AAC/B,UAAI;AAAE,aAAK,YAAY,KAAK,MAAM,OAAO;AAAA,MAAG,QAAQ;AAAA,MAAe;AAAA,IACrE;AAEA,UAAM,WAAW,MAAM,KAAK,aAAa,OAAO,oBAAoB,aAAa;AACjF,QAAI,OAAO,aAAa,UAAU;AAChC,UAAI;AAAE,aAAK,aAAa,KAAK,MAAM,QAAQ;AAAA,MAAG,QAAQ;AAAA,MAAe;AAAA,IACvE;AAEA,UAAM,aAAa,MAAM,KAAK,aAAa,OAAO,oBAAoB,gBAAgB;AACtF,QAAI,OAAO,eAAe,UAAU;AAClC,UAAI;AAAE,aAAK,gBAAgB,KAAK,MAAM,UAAU;AAAA,MAAG,QAAQ;AAAA,MAAe;AAAA,IAC5E;AAAA,EACF;AAAA,EAEA,UAAU,SAgBD;AACP,QAAI,QAAQ,YAAY,OAAO;AAC7B,WAAK,iBAAiB,CAAC;AACvB;AAAA,IACF;AAEA,QAAI,QAAQ,IAAK,MAAK,YAAY,QAAQ;AAC1C,QAAI,QAAQ,eAAe,QAAW;AACpC,WAAK,aAAa;AAAA,QAChB,QAAQ,QAAQ;AAAA,QAChB,mBAAmB,QAAQ,yBAAyB;AAAA,QACpD,SAAS,QAAQ,eAAe;AAAA,MAClC;AAAA,IACF;AACA,QAAI,QAAQ,aAAc,MAAK,eAAe,iBAAiB,IAAI,oBAAoB,QAAQ,YAAY;AAC3G,QAAI,QAAQ,mBAAoB,MAAK,eAAe,wBAAwB,IAAI,oBAAoB,QAAQ,kBAAkB;AAC9H,QAAI,QAAQ,cAAe,MAAK,eAAe,kBAAkB,IAAI,oBAAoB,QAAQ,aAAa;AAC9G,QAAI,QAAQ,eAAgB,MAAK,eAAe,iBAAiB,IAAI,oBAAoB,QAAQ,cAAc;AAC/G,QAAI,QAAQ,kBAAmB,MAAK,eAAe,oBAAoB,IAAI,oBAAoB,QAAQ,iBAAiB;AAExH,QAAI,QAAQ,eAAe;AACzB,iBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,QAAQ,aAAa,GAAG;AAChE,aAAK,cAAc,GAAG,IAAI,oBAAoB,KAAK;AAAA,MACrD;AAAA,IACF;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,aAAa;AAAA,QAChB,SAAS,QAAQ;AAAA,QACjB,kBAAkB,QAAQ,wBAAwB;AAAA,QAClD,cAAc,QAAQ,oBAAoB,CA
AC,OAAO,QAAQ,OAAO,UAAU,SAAS;AAAA,QACpF,cAAc,QAAQ,oBAAoB,CAAC,GAAG;AAAA,MAChD;AAAA,IACF;AAEA,SAAK,mBAAmB;AAAA,EAC1B;AAAA,EAEA,MAAc,qBAAoC;AAChD,QAAI,CAAC,KAAK,aAAc;AACxB,UAAM,MAAM;AACZ,QAAI,KAAK,UAAW,OAAM,KAAK,aAAa,OAAO,oBAAoB,cAAc,KAAK,UAAU,KAAK,SAAS,GAAG,GAAG;AACxH,QAAI,KAAK,WAAY,OAAM,KAAK,aAAa,OAAO,oBAAoB,eAAe,KAAK,UAAU,KAAK,UAAU,GAAG,GAAG;AAC3H,QAAI,OAAO,KAAK,KAAK,aAAa,EAAE,SAAS,GAAG;AAC9C,YAAM,KAAK,aAAa,OAAO,oBAAoB,kBAAkB,KAAK,UAAU,KAAK,aAAa,GAAG,GAAG;AAAA,IAC9G;AAAA,EACF;AAAA,EAEQ,WAA0B;AAChC,QAAI,CAAC,KAAK,UAAW,QAAO;AAC5B,WAAO,OAAO,QAAQ,KAAK,SAAS,EACjC,IAAI,CAAC,CAAC,WAAW,MAAM,MAAM,GAAG,SAAS,IAAI,OAAO,KAAK,GAAG,CAAC,EAAE,EAC/D,KAAK,IAAI;AAAA,EACd;AAAA,EAEQ,YAA2B;AACjC,QAAI,CAAC,KAAK,WAAY,QAAO;AAC7B,QAAI,SAAS,WAAW,KAAK,WAAW,MAAM;AAC9C,QAAI,KAAK,WAAW,kBAAmB,WAAU;AACjD,QAAI,KAAK,WAAW,QAAS,WAAU;AACvC,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,WAAW,aAAsD;AACrE,UAAM,WAAW,iBAAiB,WAAW;AAC7C,UAAM,MAAM,KAAK,IAAI;AAErB,UAAM,kBAAkB,KAAK,gBAAgB,IAAI,QAAQ;AACzD,QAAI,mBAAmB,MAAM,kBAAkB,KAAK,YAAY;AAC9D,YAAM,SAAS,KAAK,aAAa,IAAI,QAAQ;AAC7C,UAAI,OAAQ,QAAO,EAAE,GAAG,OAAO;AAAA,IACjC;AAEA,UAAM,UAAkC,EAAE,GAAG,KAAK,eAAe;AAEjE,UAAM,MAAM,KAAK,SAAS;AAC1B,QAAI,IAAK,SAAQ,yBAAyB,IAAI;AAE9C,UAAM,OAAO,KAAK,UAAU;AAC5B,QAAI,KAAM,SAAQ,2BAA2B,IAAI;AAEjD,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,KAAK,aAAa,GAAG;AAC7D,cAAQ,GAAG,IAAI;AAAA,IACjB;AAEA,QAAI,KAAK,aAAa,QAAQ,KAAK,cAAc;AAC/C,YAAM,YAAY,KAAK,aAAa,KAAK,EAAE,KAAK,EAAE;AAClD,UAAI,WAAW;AACb,aAAK,aAAa,OAAO,SAAS;AAClC,aAAK,gBAAgB,OAAO,SAAS;AAAA,MACvC;AAAA,IACF;AAEA,SAAK,aAAa,IAAI,UAAU,OAAO;AACvC,SAAK,gBAAgB,IAAI,UAAU,GAAG;AAEtC,WAAO,EAAE,GAAG,QAAQ;AAAA,EACtB;AAAA,EAEA,eAAe,QAAwC;AACrD,QAAI,CAAC,KAAK,WAAY,QAAO,CAAC;AAE9B,UAAM,YAAY,KAAK,WAAW,QAAQ,SAAS,GAAG,KACpD,KAAK,WAAW,QAAQ,SAAS,MAAM;AACzC,QAAI,CAAC,UAAW,QAAO,CAAC;AAExB,UAAM,UAAkC;AAAA,MACtC,+BAA+B,KAAK,WAAW,QAAQ,SAAS,GAAG,IAAI,MAAM;AAAA,MAC7E,gCAAgC,KAAK,WAAW,aAAa,KAAK,IAAI;AAAA,MACtE,gCAAgC,KAAK,WAAW,aAAa,KAAK,IAAI;AAAA,IACxE;AAEA,QAAI,KAAK,WAAW,kBAAkB;AACpC,cAAQ,kCAAkC,IAAI;AAAA,IAChD;AAEA,WAAO;AAAA,EACT;AAAA,EA
EA,MAAM,QAAuB;AAC3B,SAAK,aAAa,MAAM;AACxB,SAAK,gBAAgB,MAAM;AAC3B,SAAK,iBAAiB,EAAE,GAAG,gBAAgB;AAC3C,SAAK,gBAAgB,CAAC;AACtB,SAAK,YAAY;AACjB,SAAK,aAAa;AAClB,SAAK,aAAa;AAClB,QAAI,KAAK,cAAc;AACrB,YAAM,KAAK,aAAa,cAAc,oBAAoB;AAAA,IAC5D;AAAA,EACF;AACF;;;ACrNO,IAAM,qBAAN,MAAyB;AAAA,EAC9B,YACmB,QACA,QACA,eAA4C,MAC5C,eAAoC,MACpC,iBAA0B,MAC3C;AALiB;AACA;AACA;AACA;AACA;AAAA,EAChB;AAAA,EAEH,MAAM,aAAuC;AAC3C,UAAM,eAAe,IAAI,aAAa,KAAK,MAAM;AACjD,UAAM,mBAAmB,IAAI,iBAAiB,KAAK,MAAM;AACzD,UAAM,eAAe,IAAI,aAAa,KAAK,MAAM;AACjD,UAAM,qBAAqB,IAAI,mBAAmB,KAAK,QAAQ,KAAK,MAAM;AAC1E,UAAM,yBAAyB,IAAI,uBAAuB,KAAK,MAAM;AACrE,UAAM,kBAAkB,IAAI,gBAAgB,KAAK,QAAQ,KAAK,MAAM;AACpE,UAAM,qBAAqB,IAAI,mBAAmB,KAAK,QAAQ,KAAK,MAAM;AAE1E,QAAI,eAAoC;AAExC,QAAI,KAAK,OAAO,aAAa;AAC3B,UAAI;AACF,uBAAe,IAAI,aAAa,KAAK,QAAQ,KAAK,MAAM;AACxD,cAAM,aAAa,WAAW;AAE9B,cAAM,aAAa,gBAAgB,YAAY;AAC/C,cAAM,iBAAiB,gBAAgB,YAAY;AACnD,cAAM,mBAAmB,gBAAgB,YAAY;AACrD,cAAM,uBAAuB,gBAAgB,YAAY;AACzD,cAAM,gBAAgB,gBAAgB,YAAY;AAClD,cAAM,mBAAmB,gBAAgB,YAAY;AAErD,YAAI,KAAK,OAAO,oBAAoB,OAAO,GAAG;AAC5C,gBAAM,aAAa;AAAA,YACjB;AAAA,YACA,KAAK,OAAO;AAAA,YACZ,KAAK,OAAO;AAAA,UACd;AAAA,QACF;AAEA,YAAI,KAAK,cAAc;AACrB,gBAAM,KAAK,aAAa,gBAAgB,YAAY;AAAA,QACtD;AAAA,MAEF,SAAS,GAAG;AACV,aAAK,OAAO,KAAK,2DAA2D,CAAC,EAAE;AAC/E,uBAAe;AAAA,MACjB;AAAA,IAEF;AAEA,QAAI,KAAK,gBAAgB,CAAC,KAAK,aAAa,eAAe;AACzD,YAAM,KAAK,aAAa,WAAW;AAAA,IACrC;AAEA,QAAI,KAAK,cAAc;AACrB,YAAM,KAAK;AAAA,QACT;AAAA,QAAc;AAAA,QAAkB;AAAA,QAChC;AAAA,QAAoB;AAAA,QAAoB;AAAA,MAC1C;AAAA,IACF;AAEA,SAAK,yBAAyB,sBAAsB;AAEpD,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,cAAc,KAAK;AAAA,IACrB;AAAA,EACF;AAAA,EAEA,MAAc,4BACZ,cACA,kBACA,cACA,oBACA,oBACA,cACe;AACf,QAAI,CAAC,KAAK,aAAc;AAExB,UAAM,KAAK,aAAa,MAAM;AAE9B,QAAI,cAAc;AAChB,YAAM,KAAK,aAAa,gBAAgB,YAAY;AACpD,YAAM,aAAa,gBAAgB,KAAK,YAAY;AAAA,IACtD;AAEA,UAAM,aAAa,gBAAgB,KAAK,YAAY;AACpD,UAAM,iBAAiB,gBAAgB,KAAK,YAAY;AACxD,UAAM,mBAAmB,gBAAgB,KAAK,YAAY;AAE1D,QAAI,KAAK,OAAO,oBAAoB,OAAO,GAAG;AAC5C,YAAM,aAAa,gBAAgB,KAAK,YAAY;AAAA,
IACtD;AAEA,QAAI,KAAK,cAAc;AACrB,YAAM,KAAK,aAAa,gBAAgB,KAAK,YAAY;AAAA,IAC3D;AAEA,QAAI,KAAK,OAAO,oBAAoB;AAClC,YAAM,mBAAmB,gBAAgB,KAAK,YAAY;AAAA,IAC5D;AAEA,QAAI,KAAK,kBAAkB,OAAQ,KAAK,eAA2C,iBAAiB,MAAM,YAAY;AACpH,YAAO,KAAK,eAA+E,gBAAgB,KAAK,YAAY;AAAA,IAC9H;AAAA,EACF;AAAA,EAEQ,yBAAyB,SAAuC;AACtE,UAAM,UAAU,KAAK,OAAO;AAC5B,QAAI,CAAC,QAAS;AAEd,YAAQ,UAAU;AAAA,MAChB,SAAS,QAAQ;AAAA,MACjB,KAAK,QAAQ;AAAA,MACb,YAAY,QAAQ,MAAM;AAAA,MAC1B,uBAAuB,QAAQ,MAAM;AAAA,MACrC,aAAa,QAAQ,MAAM;AAAA,MAC3B,cAAc,QAAQ;AAAA,MACtB,oBAAoB,QAAQ;AAAA,MAC5B,eAAe,QAAQ;AAAA,MACvB,gBAAgB,QAAQ;AAAA,MACxB,mBAAmB,QAAQ;AAAA,MAC3B,eAAe,QAAQ,UAAU;AAAA,MACjC,aAAa,KAAK,OAAO,aAAa,KAAK,OAAO,mBAAmB;AAAA,MACrE,sBAAsB,KAAK,OAAO;AAAA,MAClC,kBAAkB,KAAK,OAAO;AAAA,MAC9B,kBAAkB,KAAK,OAAO;AAAA,IAChC,CAAC;AAAA,EACH;AACF;;;AClKA,YAAYC,aAAY;AAOjB,IAAM,mBAAN,MAAuB;AAAA,EAC5B,YACmB,QACA,QACA,UACjB;AAHiB;AACA;AACA;AAAA,EAChB;AAAA,EAEH,eAAe,SAAgC;AAC7C,QAAI,UAAU,QAAQ,cAAc;AAEpC,QACE,KAAK,OAAO,wBACZ,KAAK,OAAO,eAAe,SAAS,KACpC,QAAQ,YACR;AACA,UAAI,KAAK,eAAe,QAAQ,UAAU,GAAG;AAC3C,cAAM,iBAAiB,QAAQ,QAAQ,mBAAmB,KAAK;AAC/D,kBAAU,WAAW,eAAe,YAAY,MAAM;AAAA,MACxD;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,eAAe,cAA+B;AAC5C,eAAW,SAAS,KAAK,OAAO,gBAAgB;AAC9C,UAAI,CAAC,MAAM,SAAS,GAAG,GAAG;AACxB,YAAI,iBAAiB,MAAO,QAAO;AAAA,MACrC,OAAO;AACL,YAAI;AACF,gBAAM,SAAgB,cAAM,YAAY;AACxC,gBAAM,CAAC,MAAM,SAAS,IAAW,kBAAU,KAAK;AAChD,cAAI,OAAO,KAAK,MAAM,KAAK,KAAK,KAAK,OAAO,MAAM,CAAC,MAAM,SAAS,CAAC,EAAG,QAAO;AAAA,QAC/E,QAAQ;AAAE;AAAA,QAAU;AAAA,MACtB;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,gBAAgB,kBAAoE;AACxF,QAAI;AACF,YAAM,EAAE,OAAO,IAAI,IAAI;AACvB,YAAM,MAAM,oBAAI,KAAK;AACrB,YAAM,cAAc,IAAI,YAAY,EAAE,MAAM,IAAI,EAAE;AAElD,UAAI,QAAQ,KAAK;AACf,eAAO,eAAe,SAAS,eAAe;AAAA,MAChD;AACA,aAAO,eAAe,SAAS,eAAe;AAAA,IAEhD,SAAS,GAAG;AACV,WAAK,OAAO,MAAM,+BAA+B,CAAC,EAAE;AACpD,aAAO;AAAA,IACT;AAAA,EAEF;AAAA,EAEA,MAAM,eAAe,SAAyC;AAC5D,UAAM,WAAW,KAAK,OAAO,aAAa;AAAA,MAAK,CAAC,SAC9C,QAAQ,QAAQ,WAAW,IAAI;AAAA,IACjC;AAEA,QAAI,UAAU;AACZ,YAAM,KAAK,SAAS;AAAA,QAClB;AAAA,QAAiB;AAAA,QAAS;AAAA,QAC1B,QAA
Q,QAAQ,OAAO;AAAA,QACvB,EAAE,cAAc,QAAQ,SAAS,sBAAsB,KAAK,OAAO,aAAa;AAAA,MAClF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;;;AC3EO,IAAM,sBAAN,MAA0B;AAAA,EAG/B,YACmB,QACjB;AADiB;AAAA,EAChB;AAAA,EAJK,iBAA0B;AAAA,EAMlC,kBAAkB,WAA0B;AAC1C,SAAK,iBAAiB;AAAA,EACxB;AAAA,EAEA,eAAe,SAA2C;AACxD,UAAM,YAAY,KAAK,kBAAkB,QAAQ,MAAM;AACvD,QAAI,CAAC,UAAW,QAAO;AAEvB,UAAM,UAAU,QAAQ,MAAM;AAC9B,QAAI,CAAC,QAAS,QAAO;AAErB,UAAM,YAAa,UAAsE;AACzF,QAAI,OAAO,cAAc,WAAY,QAAO;AAE5C,WAAO,UAAU,KAAK,WAAW,OAAO,KAAK;AAAA,EAC/C;AAAA,EAEA,kBAAkB,WAAmB,aAA0C;AAC7E,QAAI,CAAC,YAAa,QAAO;AACzB,WAAO,YAAY,eAAe,IAAI,SAAS,KAAK,YAAY,eAAe,IAAI,KAAK;AAAA,EAC1F;AAAA,EAEA,yBAAyB,aAAkD;AACzE,QAAI,eAAe,YAAY,oBAAoB,OAAO,GAAG;AAC3D,aAAO,CAAC,GAAG,YAAY,mBAAmB;AAAA,IAC5C;AACA,QAAI,KAAK,OAAO,oBAAoB,OAAO,GAAG;AAC5C,aAAO,CAAC,GAAG,KAAK,OAAO,mBAAmB;AAAA,IAC5C;AACA,WAAO;AAAA,EACT;AACF;;;ACjCO,IAAM,gBAAN,MAAoB;AAAA,EACzB,YACmB,QACA,UACA,eACA,iBACA,WACjB;AALiB;AACA;AACA;AACA;AACA;AAAA,EAChB;AAAA,EAEH,MAAM,kBACJ,SACA,UAC+B;AAC/B,QAAI,CAAC,QAAQ,YAAY;AACvB,YAAM,WAAW,MAAM,SAAS,OAAO;AACvC,aAAO,KAAK,gBAAgB,cAAc,QAAQ;AAAA,IACpD;AAEA,QAAI,MAAM,KAAK,UAAU,eAAe,OAAO,GAAG;AAChD,YAAM,WAAW,MAAM,SAAS,OAAO;AACvC,aAAO,KAAK,gBAAgB,cAAc,QAAQ;AAAA,IACpD;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,qBACJ,SACA,UACA,aAC+B;AAC/B,QAAI,CAAC,eAAe,CAAC,KAAK,cAAc,kBAAkB,OAAO,WAAW,GAAG;AAC7E,aAAO;AAAA,IACT;AAEA,UAAM,KAAK,SAAS;AAAA,MAClB;AAAA,MAAmB;AAAA,MAAS;AAAA,MAC5B;AAAA,MACA,EAAE,gBAAgB,CAAC,GAAG,YAAY,cAAc,GAAG,UAAU,QAAQ,QAAQ;AAAA,IAC/E;AAEA,QAAI,CAAC,KAAK,OAAO,aAAa;AAC5B,YAAM,WAAW,MAAM,SAAS,OAAO;AACvC,aAAO,KAAK,gBAAgB,cAAc,QAAQ;AAAA,IACpD;AAEA,WAAO;AAAA,EACT;AACF;;;AChDO,IAAM,uBAAN,MAA2B;AAAA,EAChC,YACmB,QACA,QACA,kBACA,sBACA,wBACA,eAA4C,MAC7D;AANiB;AACA;AACA;AACA;AACA;AACA;AAAA,EAChB;AAAA,EAEH,MAAM,oBAAoB,YAAoB,gBAAgD;AAC5F,UAAM,UAAU,KAAK,OAAO,qBAAqB,UAAU,KAAK;AAChE,UAAM,WAAW,KAAK,qBAAqB,eAAe,SAAS,UAAU;AAE7E,UAAM,KAAK,qBAAqB,UAAU,MAAS;AACnD,WAAO,KAAK,cAAc,QAAQ;AAAA,EACpC;AAAA,EAEA,MAAM,oBAAoB,SAA+C;AACvE,UAAM,WAAW,QAAQ,iBAAiB,OAAO;AACjD,UAAM,WAAW,KAAK,qBAAqB,uBAAuB,UAAU,GAAG;AA
C/E,WAAO,KAAK,cAAc,QAAQ;AAAA,EACpC;AAAA,EAEA,MAAM,qBAAqB,UAAyB,aAA8C;AAChG,UAAM,gBAAgB,KAAK,OAAO;AAClC,QAAI,iBAAiB,cAAc,SAAS;AAC1C,YAAM,kBAAkB,MAAM,KAAK,uBAAuB,WAAW,eAAe,GAAG;AACvF,iBAAW,CAAC,MAAM,KAAK,KAAK,OAAO,QAAQ,eAAe,GAAG;AAC3D,iBAAS,UAAU,MAAM,KAAK;AAAA,MAChC;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,iBAAiB,UAAyB,QAAwC;AACtF,UAAM,cAAc,KAAK,uBAAuB,eAAe,MAAM;AACrE,eAAW,CAAC,MAAM,KAAK,KAAK,OAAO,QAAQ,WAAW,GAAG;AACvD,eAAS,UAAU,MAAM,KAAK;AAAA,IAChC;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,cAAc,UAAiD;AACnE,QAAI,KAAK,OAAO,wBAAwB;AACtC,aAAO,KAAK,OAAO,uBAAuB,QAAQ;AAAA,IACpD;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,gBACJ,SACA,UACA,cACA,aACA,wBAMwB;AAExB,QAAI,eAAe,YAAY,cAAc,SAAS,KAAK,wBAAwB;AACjF,YAAM,WAAW,QAAQ,cAAc;AACvC,YAAM,uBAAuB,SAAS,UAAU,UAAU,WAAW;AAAA,IACvE;AAEA,UAAM,KAAK,iBAAiB,sBAAsB,SAAS,cAAc,SAAS,UAAU;AAE5F,UAAM,KAAK,qBAAqB,UAAU,QAAQ,OAAO;AAEzD,UAAM,SAAS,QAAQ,QAAQ,QAAQ;AACvC,QAAI,QAAQ;AACV,YAAM,KAAK,iBAAiB,UAAU,MAAM;AAAA,IAC9C;AAEA,WAAO,KAAK,cAAc,QAAQ;AAAA,EACpC;AACF;;;ACjFO,IAAM,sBAAN,MAA0B;AAAA,EAG/B,YACmB,QACA,UACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EALK,iBAA8D;AAAA,EAOtE,kBAAkB,WAAuD;AACvE,SAAK,iBAAiB;AAAA,EACxB;AAAA,EAEA,MAAM,kBACJ,SACA,UACA,aACe;AACf,QAAI,CAAC,KAAK,eAAgB;AAE1B,UAAM,aAAa,KAAK,cAAc,OAAO;AAC7C,UAAM,UAAU,KAAK,eAAe;AAEpC,eAAW,QAAQ,YAAY,eAAe;AAC5C,UAAI,KAAK,aAAa,WAAW,KAAK,aAAa,aAAa;AAC9D,cAAM,WAAW,MAAM,QAAQ,mBAAmB,YAAY,UAAU,IAAI;AAC5E,YAAI,UAAU;AACZ,gBAAM,UAAU,GAAG,KAAK,SAAS,aAAa,KAAK,MAAM;AAEzD,gBAAM,KAAK,SAAS;AAAA,YAClB;AAAA,YAAuB;AAAA,YAAS;AAAA,YAChC,cAAc,KAAK,QAAQ,wBAAwB,OAAO;AAAA,YAC1D;AAAA,cACE,eAAe;AAAA,cACf,eAAe,KAAK;AAAA,cACpB,WAAW,KAAK;AAAA,cAChB,QAAQ,KAAK;AAAA,cACb,QAAQ,KAAK;AAAA,cACb;AAAA,YACF;AAAA,UACF;AAEA,gBAAM,QAAQ,YAAY,MAAM,UAAU,YAAY,6BAA6B,OAAO,EAAE;AAAA,QAC9F;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,mBACJ,SACA,UACA,UACA,aACe;AACf,QAAI,CAAC,KAAK,eAAgB;AAE1B,UAAM,aAAa,KAAK,cAAc,OAAO;AAC7C,UAAM,UAAU,KAAK,eAAe;AAEpC,eAAW,QAAQ,YAAY,eAAe;AAC5C,UAAI,KAAK,aAAa,kBAAkB;AACtC,cAAM,WAAW,MAAM,QAAQ,mBAAmB,YAAY,UAAU,UAAU,IAAI;AACtF,YAAI,UAAU;AACZ,gBAAM,
UAAU,GAAG,KAAK,SAAS,SAAS,KAAK,OAAO,QAAQ,KAAK,MAAM;AAEzE,gBAAM,KAAK,SAAS;AAAA,YAClB;AAAA,YAAuB;AAAA,YAAS;AAAA,YAChC,sCAAsC,OAAO;AAAA,YAC7C;AAAA,cACE,eAAe;AAAA,cACf,eAAe;AAAA,cACf,WAAW,KAAK;AAAA,cAChB,QAAQ,KAAK;AAAA,cACb,SAAS,KAAK;AAAA,cACd,QAAQ,KAAK;AAAA,cACb;AAAA,YACF;AAAA,UACF;AAEA,gBAAM,QAAQ,YAAY,MAAM,UAAU,YAAY,sCAAsC,OAAO,EAAE;AAAA,QACvG;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,cAAc,SAA+B;AAC3C,UAAM,aAAa,QAAQ,MAAM;AACjC,QAAI,OAAO,eAAe,SAAU,QAAO;AAC3C,WAAO,GAAG,QAAQ,MAAM,IAAI,QAAQ,OAAO;AAAA,EAC7C;AACF;;;AC3FO,IAAM,wBAAN,MAA4B;AAAA,EACjC,YACU,QACS,QACjB;AAFQ;AACS;AAAA,EAChB;AAAA,EAEH,MAAM,QAAQ,SAAsD;AAClE,eAAW,SAAS,KAAK,QAAQ;AAC/B,UAAI;AACF,cAAM,WAAW,MAAM,MAAM,MAAM,OAAO;AAC1C,YAAI,aAAa,KAAM,QAAO;AAAA,MAChC,SAAS,GAAG;AACV,aAAK,OAAO,MAAM,mBAAmB,MAAM,SAAS,aAAa,CAAC,EAAE;AAAA,MACtE;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEA,IAAI,OAA4B;AAC9B,SAAK,OAAO,KAAK,KAAK;AAAA,EACxB;AAAA,EAEA,OAAO,OAAe,OAA4B;AAChD,SAAK,OAAO,OAAO,OAAO,GAAG,KAAK;AAAA,EACpC;AAAA,EAEA,OAAO,MAAuB;AAC5B,UAAM,MAAM,KAAK,OAAO,UAAU,CAAC,MAAM,EAAE,cAAc,IAAI;AAC7D,QAAI,QAAQ,GAAI,QAAO;AACvB,SAAK,OAAO,OAAO,KAAK,CAAC;AACzB,WAAO;AAAA,EACT;AAAA,EAEA,gBAA0B;AACxB,WAAO,KAAK,OAAO,IAAI,CAAC,MAAM,EAAE,SAAS;AAAA,EAC3C;AAAA,EAEA,IAAI,SAAiB;AACnB,WAAO,KAAK,OAAO;AAAA,EACrB;AACF;;;ACvCO,IAAe,gBAAf,MAA6B;AAAA,EAClC,YAA+B,YAAqC;AAArC;AAAA,EAAsC;AAAA,EAKrE,IAAc,SAAiC;AAC7C,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA,EAEA,IAAc,SAAiB;AAC7B,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA,EAEA,MAAM,UACJ,MACA,SACA,QACA,QACA,MACe;AACf,UAAM,WAAW,KAAK,WAAW;AASjC,UAAM,SAAS,oBAAoB,MAAM,SAAS,QAAQ,QAAQ,IAAI;AAAA,EACxE;AAAA,EAEA,MAAM,oBAAoB,YAAoB,SAAyC;AACrF,WAAO,KAAK,WAAW,oBAAoB,YAAY,OAAO;AAAA,EAChE;AAAA,EAEA,gBAAyB;AACvB,WAAO,KAAK,OAAO;AAAA,EACrB;AACF;;;AC1CO,IAAM,mBAAN,cAA+B,cAAc;AAAA,EAClD,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAgB;AAAA,EAEjD,MAAM,MAAM,SAAsD;AAChE,UAAM,gBAAgB,KAAK,WAAW;AAGtC,UAAM,cAAc,cAAc,eAAe,OAAO;AAExD,QAAI,aAAa;AACf,MAAC,QAAQ,MAAkC,cAAc,IAAI;AAAA,IAC/D;AAEA,WAAO;AAAA,EACT;AACF;;;ACfO,IAAM,qBAAN,cAAiC,cAAc;AAAA,EACpD,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAkB;AAAA,EAEnD,
MAAM,MAAM,SAAsD;AAChE,QAAI,CAAC,KAAK,OAAO,cAAe,QAAO;AAEvC,UAAM,WAAW,QAAQ,cAAc;AACvC,QAAI,KAAK,OAAO,mBAAmB,SAAS,QAAQ,EAAG,QAAO;AAE9D,UAAM,KAAK,UAAU,kBAAkB,SAAS,mBAAmB,uBAAuB;AAC1F,WAAO,KAAK,oBAAoB,KAAK,iCAAiC;AAAA,EACxE;AACF;;;ACTO,IAAM,wBAAN,cAAoC,cAAc;AAAA,EACtC;AAAA,EACA;AAAA,EAEjB,YACE,YACA,WACA,iBACA;AACA,UAAM,UAAU;AAChB,SAAK,YAAY;AACjB,SAAK,kBAAkB;AAAA,EACzB;AAAA,EAEA,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAqB;AAAA,EAEtD,MAAM,MAAM,SAAsD;AAChE,QAAI,CAAC,KAAK,OAAO,aAAc,QAAO;AACtC,QAAI,KAAK,UAAU,eAAe,OAAO,EAAG,QAAO;AAEnD,QAAI,KAAK,cAAc,GAAG;AACxB,WAAK,OAAO,KAAK,sCAAsC,QAAQ,OAAO,EAAE;AACxE,aAAO;AAAA,IACT;AAEA,WAAO,KAAK,gBAAgB,oBAAoB,OAAO;AAAA,EACzD;AACF;;;AC7BO,IAAM,sBAAN,cAAkC,cAAc;AAAA,EACrD,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAmB;AAAA,EAEpD,MAAM,MAAM,SAAsD;AAChE,QAAI,KAAK,OAAO,iBAAiB;AAC/B,kBAAY,SAAS,KAAK,QAAQ,WAAW,IAAI,OAAO,IAAI,KAAK,OAAO,eAAe;AACvF,YAAM,KAAK,UAAU,kBAAkB,SAAS,UAAU,gBAAgB;AAAA,IAC5E;AACA,WAAO;AAAA,EACT;AACF;;;ACVO,IAAM,0BAAN,cAAsC,cAAc;AAAA,EACzD,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAwB;AAAA,EAEzD,MAAM,MAAM,SAAsD;AAChE,UAAM,cAAe,QAAQ,MAAkC,cAAc;AAC7E,QAAI,CAAC,YAAa,QAAO;AAEzB,QAAI,YAAY,mBAAmB,MAAM;AACvC,YAAM,gBAAgB,SAAS,QAAQ,QAAQ,gBAAgB,KAAK,KAAK,EAAE;AAC3E,UAAI,gBAAgB,YAAY,gBAAgB;AAC9C,YAAI,KAAK,cAAc,GAAG;AACxB,eAAK,OAAO,KAAK,gCAAgC,aAAa,MAAM,YAAY,cAAc,EAAE;AAChG,iBAAO;AAAA,QACT;AACA,eAAO,KAAK,oBAAoB,KAAK,0BAA0B;AAAA,MACjE;AAAA,IACF;AAEA,QAAI,YAAY,wBAAwB,MAAM;AAC5C,YAAM,cAAc,QAAQ,QAAQ,cAAc,KAAK;AACvD,UAAI,eAAe,CAAC,YAAY,oBAAoB,KAAK,CAAC,MAAM,YAAY,SAAS,CAAC,CAAC,GAAG;AACxF,YAAI,KAAK,cAAc,GAAG;AACxB,eAAK,OAAO,KAAK,mCAAmC,WAAW,EAAE;AACjE,iBAAO;AAAA,QACT;AACA,eAAO,KAAK,oBAAoB,KAAK,wBAAwB;AAAA,MAC/D;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;;;AC/BO,IAAM,uBAAN,cAAmC,cAAc;AAAA,EACtD,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAoB;AAAA,EAErD,MAAM,MAAM,SAAsD;AAChE,UAAM,cAAe,QAAQ,MAAkC,cAAc;AAC7E,QAAI,CAAC,eAAe,OAAO,KAAK,YAAY,eAAe,EAAE,WAAW,EAAG,QAAO;AAElF,eAAW,CAAC,YAAY,aAAa,KAAK,OAAO,QAAQ,YAAY,eAAe,GAAG;AACrF,YAAM,cAAc,QAAQ,QAAQ,WAAW,YAAY,CAAC;AAC5D,UAAI,CAAC,eAAgB,iBAAiB,gBAAgB,eAAgB;AACpE,YAAI,KAAK,c
AAc,GAAG;AACxB,eAAK,OAAO,KAAK,sCAAsC,UAAU,EAAE;AACnE,iBAAO;AAAA,QACT;AACA,eAAO,KAAK,oBAAoB,KAAK,uCAAuC,UAAU,EAAE;AAAA,MAC1F;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;;;ACzBA,YAAYC,aAAY;AAQjB,SAAS,gBAAgB,UAAkB,WAA8B;AAC9E,aAAW,WAAW,WAAW;AAC/B,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,UAAI;AACF,cAAM,SAAgB,cAAM,QAAQ;AACpC,cAAM,CAAC,MAAM,SAAS,IAAW,kBAAU,OAAO;AAClD,YAAI,OAAO,KAAK,MAAM,KAAK,KAAK,KAAK,OAAO,MAAM,CAAC,MAAM,SAAS,CAAC,EAAG,QAAO;AAAA,MAC/E,QAAQ;AAAE;AAAA,MAAU;AAAA,IACtB,WAAW,aAAa,SAAS;AAC/B,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,gBAAgB,UAAkB,WAAqC;AACrF,MAAI,UAAU,WAAW,EAAG,QAAO;AAEnC,aAAW,WAAW,WAAW;AAC/B,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,UAAI;AACF,cAAM,SAAgB,cAAM,QAAQ;AACpC,cAAM,CAAC,MAAM,SAAS,IAAW,kBAAU,OAAO;AAClD,YAAI,OAAO,KAAK,MAAM,KAAK,KAAK,KAAK,OAAO,MAAM,CAAC,MAAM,SAAS,CAAC,EAAG,QAAO;AAAA,MAC/E,QAAQ;AAAE;AAAA,MAAU;AAAA,IACtB,WAAW,aAAa,SAAS;AAC/B,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,mBACd,UACA,aACA,cACgB;AAChB,MAAI,CAAC,aAAc,QAAO;AAE1B,MAAI,UAAyB;AAE7B,MAAI,YAAY,oBAAoB,YAAY,iBAAiB,SAAS,GAAG;AAC3E,cAAU,aAAa,WAAW,QAAQ;AAC1C,QAAI,WAAW,YAAY,iBAAiB,SAAS,OAAO,EAAG,QAAO;AAAA,EACxE;AAEA,MAAI,YAAY,sBAAsB,YAAY,mBAAmB,SAAS,GAAG;AAC/E,QAAI,YAAY,KAAM,WAAU,aAAa,WAAW,QAAQ;AAChE,QAAI,QAAS,QAAO,YAAY,mBAAmB,SAAS,OAAO;AACnE,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEA,eAAsB,mBACpB,UACA,aACA,YACyB;AACzB,MAAI;AACF,QAAI,YAAY,eAAe,YAAY,YAAY,SAAS,GAAG;AACjE,UAAI,gBAAgB,UAAU,YAAY,WAAW,EAAG,QAAO;AAAA,IACjE;AAEA,QAAI,YAAY,eAAe,YAAY,YAAY,SAAS,GAAG;AACjE,YAAM,kBAAkB,gBAAgB,UAAU,YAAY,WAAW;AACzE,UAAI,oBAAoB,KAAM,QAAO;AAAA,IACvC;AAEA,UAAM,gBAAgB,mBAAmB,UAAU,aAAa,WAAW,YAAY;AACvF,QAAI,kBAAkB,KAAM,QAAO;AAEnC,WAAO;AAAA,EAET,QAAQ;AACN,WAAO;AAAA,EACT;AAEF;AAEA,eAAsB,sBACpB,WACA,aACA,QACkB;AAClB,MAAI,eAAe,YAAY,kBAAkB,SAAS,GAAG;AAC3D,eAAW,WAAW,YAAY,mBAAmB;AACnD,UAAI,IAAI,OAAO,SAAS,GAAG,EAAE,KAAK,SAAS,EAAG,QAAO;AAAA,IACvD;AAAA,EAEF;AAEA,aAAW,WAAW,OAAO,mBAAmB;AAC9C,QAAI,IAAI,OAAO,SAAS,GAAG,EAAE,KAAK,SAAS,EAAG,QAAO;AAAA,EACvD;AAEA,SAAO;AACT;AAEO,SAAS,mBAAmB,YAAoB,UAAqC;AAC1F,MAAI,aAAa,UAAU;AACzB,QAAI,CAAC,
WAAW,WAAW,SAAS,EAAG,QAAO,CAAC,OAAO,iCAAiC;AAAA,EACzF,WAAW,aAAa,SAAS;AAC/B,QAAI,CAAC,WAAW,WAAW,QAAQ,EAAG,QAAO,CAAC,OAAO,yCAAyC;AAAA,EAChG,OAAO;AACL,QAAI,CAAC,WAAY,QAAO,CAAC,OAAO,WAAW,QAAQ,iBAAiB;AAAA,EACtE;AACA,SAAO,CAAC,MAAM,EAAE;AAClB;AAEO,SAAS,wBAAwB,UAAkB,gBAAmC;AAC3F,MAAI;AACF,UAAM,MAAM,IAAI,IAAI,QAAQ;AAC5B,UAAM,iBAAiB,IAAI,SAAS,YAAY;AAChD,eAAW,WAAW,gBAAgB;AACpC,YAAM,eAAe,QAAQ,YAAY;AACzC,UAAI,mBAAmB,gBAAgB,eAAe,SAAS,IAAI,YAAY,EAAE,GAAG;AAClF,eAAO;AAAA,MACT;AAAA,IACF;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,0BACpB,SACA,aACA,QACA,qBAC4B;AAC5B,MAAI,qBAAqB,OAAO;AAChC,MAAI,yBAAyC;AAE7C,MAAI,aAAa;AACf,6BAAyB,YAAY;AACrC,yBAAqB;AAAA,EACvB;AAEA,MAAI,sBAAsB,CAAC,oBAAoB,eAAe,WAAW,GAAG;AAC1E,UAAM,EAAE,0BAAAC,0BAAyB,IAAI,MAAM,OAAO,qBAAgB;AAClE,WAAOA,0BAAyB,OAAO;AAAA,EACzC;AAEA,QAAM,SAAS,2BAA2B,SAAS,OAAO,6BACtD,0BACA;AACJ,SAAO,CAAC,OAAO,MAAM;AACvB;;;ACxJO,IAAM,sBAAN,cAAkC,cAAc;AAAA,EACrD,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAkB;AAAA,EAEnD,MAAM,MAAM,SAAsD;AAChE,UAAM,cAAe,QAAQ,MAAkC,cAAc;AAC7E,QAAI,CAAC,YAAa,QAAO;AAEzB,QAAI,YAAY,cAAc;AAC5B,YAAM,aAAa,QAAQ,QAAQ,eAAe,KAAK;AACvD,YAAM,CAACC,UAAS,OAAO,IAAI,mBAAmB,YAAY,YAAY,YAAY;AAClF,UAAI,CAACA,UAAS;AACZ,YAAI,KAAK,cAAc,GAAG;AACxB,eAAK,OAAO,KAAK,0BAA0B,OAAO,EAAE;AACpD,iBAAO;AAAA,QACT;AACA,cAAM,KAAK,UAAU,yBAAyB,SAAS,mBAAmB,OAAO;AACjF,eAAO,KAAK,oBAAoB,KAAK,OAAO;AAAA,MAC9C;AAAA,IACF;AAEA,QAAI,YAAY,gBAAgB;AAC9B,YAAM,SAAS,QAAQ,QAAQ,WAAW,KAAK;AAC/C,UAAI,CAAC,QAAQ;AACX,YAAI,KAAK,cAAc,GAAG;AACxB,eAAK,OAAO,KAAK,2BAA2B;AAC5C,iBAAO;AAAA,QACT;AACA,eAAO,KAAK,oBAAoB,KAAK,kBAAkB;AAAA,MACzD;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;;;ACjCO,IAAM,gBAAN,cAA4B,cAAc;AAAA,EAC/C,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAY;AAAA,EAE7C,MAAM,MAAM,SAAsD;AAChE,UAAM,cAAe,QAAQ,MAAkC,cAAc;AAC7E,QAAI,CAAC,aAAa,mBAAmB,YAAY,gBAAgB,WAAW,EAAG,QAAO;AAEtF,UAAM,WAAW,QAAQ,QAAQ,SAAS,KAAK,QAAQ,QAAQ,UAAU,KAAK;AAC9E,QAAI,CAAC,YAAY,CAAC,wBAAwB,UAAU,YAAY,eAAe,GAAG;AAChF,UAAI,KAAK,cAAc,GAAG;AACxB,aAAK,OAAO,KAAK,+BAA+B,QAAQ,EAAE;AAC1D,eAAO;AAAA,MACT;AACA,aAAO,KAAK,oBAAoB,KAAK,kBAAkB;AAAA,IAC
zD;AAEA,WAAO;AAAA,EACT;AACF;;;ACnBO,IAAM,wBAAN,cAAoC,cAAc;AAAA,EACvD,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAqB;AAAA,EAEtD,MAAM,MAAM,SAAsD;AAChE,UAAM,cAAe,QAAQ,MAAkC,cAAc;AAC7E,QAAI,CAAC,eAAe,YAAY,iBAAiB,WAAW,EAAG,QAAO;AAEtE,eAAW,aAAa,YAAY,kBAAkB;AACpD,YAAM,WAAW,MAAM,UAAU,OAAO;AACxC,UAAI,aAAa,KAAM,QAAO;AAAA,IAChC;AAEA,WAAO;AAAA,EACT;AACF;;;ACZO,IAAM,kBAAN,cAA8B,cAAc;AAAA,EAChC;AAAA,EAEjB,YAAY,YAAqC,WAA6B;AAC5E,UAAM,UAAU;AAChB,SAAK,YAAY;AAAA,EACnB;AAAA,EAEA,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAe;AAAA,EAEhD,MAAM,MAAM,SAAsD;AAChE,UAAM,cAAe,QAAQ,MAAkC,cAAc;AAC7E,QAAI,CAAC,aAAa,iBAAkB,QAAO;AAE3C,UAAM,eAAe,MAAM,KAAK,UAAU,gBAAgB,YAAY,gBAAgB;AACtF,QAAI,CAAC,cAAc;AACjB,UAAI,KAAK,cAAc,GAAG;AACxB,aAAK,OAAO,KAAK,uCAAuC;AACxD,eAAO;AAAA,MACT;AACA,aAAO,KAAK,oBAAoB,KAAK,4CAA4C;AAAA,IACnF;AAEA,WAAO;AAAA,EACT;AACF;;;AC5BO,IAAM,sBAAN,cAAkC,cAAc;AAAA,EACrD,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAoB;AAAA,EAErD,MAAM,MAAM,UAAuD;AACjE,QAAI,KAAK,OAAO,oBAAoB,SAAS,EAAG,QAAO;AAEvD,UAAM,MAAM,KAAK,IAAI,IAAI;AACzB,UAAM,UAAU,MAAM,KAAK,WAAW;AAEtC,QAAI,WAAW,KAAK,OAAO,wBAAwB;AACjD,WAAK,WAAW,qBAAqB;AACrC,UAAI;AACF,cAAM,KAAK,WAAW,qBAAqB;AAAA,MAC7C,SAAS,GAAG;AACV,aAAK,OAAO,MAAM,4BAA4B,CAAC,EAAE;AAAA,MACnD;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;;;AChBO,IAAM,kBAAN,cAA8B,cAAc;AAAA,EACjD,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAe;AAAA,EAEhD,MAAM,MAAM,SAAsD;AAChE,UAAM,WAAW,QAAQ;AACzB,QAAI,CAAC,SAAU,QAAO;AAEtB,UAAM,eAAe,KAAK,WAAW;AAIrC,UAAM,cAAe,QAAQ,MAAkC,cAAc;AAE7E,QAAI,aAAa;AACf,YAAM,cAAc,MAAM,mBAAmB,UAAU,aAAa,KAAK,UAAU;AACnF,UAAI,gBAAgB,OAAO;AACzB,YAAI,KAAK,cAAc,GAAG;AACxB,eAAK,OAAO,KAAK,yCAAyC,QAAQ,EAAE;AACpE,iBAAO;AAAA,QACT;AACA,cAAM,KAAK,UAAU,cAAc,SAAS,mBAAmB,MAAM,QAAQ,0BAA0B;AACvG,eAAO,KAAK,oBAAoB,KAAK,eAAe;AAAA,MACtD;AAAA,IACF;AAEA,UAAM,UAAU,MAAM,YAAY,UAAU,KAAK,QAAQ,KAAK,WAAW,YAAY;AACrF,QAAI,CAAC,SAAS;AACZ,UAAI,KAAK,cAAc,GAAG;AACxB,aAAK,OAAO,KAAK,6BAA6B,QAAQ,EAAE;AACxD,eAAO;AAAA,MACT;AACA,YAAM,KAAK,UAAU,cAAc,SAAS,mBAAmB,MAAM,QAAQ,cAAc;AAC3F,aAAO,KAAK,oBAAoB,KAAK,eAAe;AAAA,IACtD;AAEA,WAAO;AAAA,EACT;AACF;;;ACvCO,IAAM,qBAAN,cAAiC,cAAc;AAAA,EACpD,IA
AI,YAAoB;AAAE,WAAO;AAAA,EAAkB;AAAA,EAEnD,MAAM,MAAM,SAAsD;AAChE,UAAM,WAAW,QAAQ;AACzB,QAAI,CAAC,SAAU,QAAO;AAEtB,UAAM,cAAe,QAAQ,MAAkC,cAAc;AAC7E,UAAM,WAAW,KAAK,WAAW;AACjC,UAAM,YAAY,SAAS,yBAAyB,eAAe,IAAI;AAEvE,QAAI,CAAC,aAAa,UAAU,WAAW,EAAG,QAAO;AAEjD,UAAM,EAAE,cAAAC,cAAa,IAAI,MAAM,OAAO,qBAA4B;AAKlE,WAAO;AAAA,EACT;AACF;;;ACpBO,IAAM,iBAAN,cAA6B,cAAc;AAAA,EAChD,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAc;AAAA,EAE/C,MAAM,MAAM,SAAsD;AAChE,UAAM,YAAY,QAAQ,QAAQ,YAAY,KAAK;AACnD,QAAI,CAAC,UAAW,QAAO;AAEvB,UAAM,cAAe,QAAQ,MAAkC,cAAc;AAC7E,UAAM,UAAU,MAAM,sBAAsB,WAAW,eAAe,MAAM,KAAK,MAAM;AAEvF,QAAI,CAAC,SAAS;AACZ,UAAI,KAAK,cAAc,GAAG;AACxB,aAAK,OAAO,KAAK,iCAAiC,SAAS,EAAE;AAC7D,eAAO;AAAA,MACT;AACA,YAAM,KAAK,UAAU,cAAc,SAAS,mBAAmB,uBAAuB,SAAS,EAAE;AACjG,aAAO,KAAK,oBAAoB,KAAK,eAAe;AAAA,IACtD;AAEA,WAAO;AAAA,EACT;AACF;;;ACrBO,IAAM,iBAAN,cAA6B,cAAc;AAAA,EAChD,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAc;AAAA,EAE/C,MAAM,MAAM,SAAsD;AAChE,QAAI,CAAC,KAAK,OAAO,mBAAoB,QAAO;AAE5C,UAAM,WAAW,QAAQ;AACzB,QAAI,CAAC,SAAU,QAAO;AAEtB,UAAM,mBAAmB,KAAK,WAAW;AACzC,UAAM,cAAe,QAAQ,MAAkC,cAAc;AAC7E,UAAM,cAAc,KAAK,oBAAoB,KAAK,IAAI;AAGtD,QAAI,aAAa,cAAc,QAAQ,aAAa,cAAc,QAAW;AAC3E,YAAMC,YAAW,MAAM,iBAAiB;AAAA,QACtC;AAAA,QAAS;AAAA,QAAU;AAAA,QAAa,QAAQ;AAAA,QACxC,YAAY;AAAA,QAAW,YAAY,mBAAmB,KAAK,OAAO;AAAA,MACpE;AACA,UAAIA,WAAU;AACZ,YAAI,KAAK,cAAc,GAAG;AACxB,eAAK,OAAO,KAAK,2CAA2C,QAAQ,EAAE;AACtE,iBAAO;AAAA,QACT;AACA,eAAOA;AAAA,MACT;AAAA,IACF;AAEA,UAAM,gBAAgB,KAAK,OAAO,mBAAmB,QAAQ,OAAO;AACpE,QAAI,eAAe;AACjB,YAAM,CAAC,OAAO,MAAM,IAAI;AACxB,YAAMA,YAAW,MAAM,iBAAiB;AAAA,QACtC;AAAA,QAAS;AAAA,QAAU;AAAA,QAAa,QAAQ;AAAA,QAAS;AAAA,QAAO;AAAA,MAC1D;AACA,UAAIA,WAAU;AACZ,YAAI,KAAK,cAAc,GAAG;AACxB,eAAK,OAAO,KAAK,8CAA8C,QAAQ,EAAE;AACzE,iBAAO;AAAA,QACT;AACA,eAAOA;AAAA,MACT;AAAA,IACF;AAEA,UAAM,WAAW,MAAM,iBAAiB;AAAA,MACtC;AAAA,MAAS;AAAA,MAAU;AAAA,MAAa;AAAA,MAChC,KAAK,OAAO;AAAA,MAAW,KAAK,OAAO;AAAA,IACrC;AACA,QAAI,UAAU;AACZ,UAAI,KAAK,cAAc,GAAG;AACxB,aAAK,OAAO,KAAK,4CAA4C,QAAQ,EAAE;AACvE,eAAO;AAAA,MACT;AACA,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AACF;;;ACvDO,IAAM,0BAAN,cAAsC,cAA
c;AAAA,EACzD,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAuB;AAAA,EAExD,MAAM,MAAM,SAAsD;AAChE,QAAI,CAAC,KAAK,OAAO,2BAA4B,QAAO;AAEpD,UAAM,WAAW,QAAQ;AACzB,QAAI,CAAC,SAAU,QAAO;AAEtB,UAAM,cAAe,QAAQ,MAAkC,cAAc;AAC7E,UAAM,WAAW,KAAK,WAAW;AAEjC,UAAM,CAAC,UAAU,WAAW,IAAI,MAAM;AAAA,MACpC;AAAA,MACA,eAAe;AAAA,MACf,KAAK;AAAA,MACL,CAAC,OAAO,OAAO,SAAS,kBAAkB,OAAO,EAAE;AAAA,IACrD;AAEA,QAAI,CAAC,SAAU,QAAO;AAEtB,UAAM,SAAS,KAAK,WAAW;AAC/B,UAAM,gBAAgB,OAAO,IAAI,QAAQ,KAAK,KAAK;AACnD,WAAO,IAAI,UAAU,YAAY;AAEjC;AAAA,MAAY;AAAA,MAAS,KAAK;AAAA,MAAQ;AAAA,MAAc;AAAA,MAC9C,KAAK,OAAO;AAAA,MAAa;AAAA,MAAa,KAAK,OAAO;AAAA,IAAkB;AAEtE,UAAM,KAAK;AAAA,MAAU;AAAA,MAAuB;AAAA,MAAS;AAAA,MACnD,wBAAwB,WAAW;AAAA,MAAI,EAAE,aAAa,cAAc,aAAa;AAAA,IAAC;AAEpF,QAAI,KAAK,cAAc,EAAG,QAAO;AAEjC,WAAO,KAAK,oBAAoB,KAAK,8BAA8B;AAAA,EACrE;AACF;;;ACvCO,IAAM,qBAAN,cAAiC,cAAc;AAAA,EACpD,IAAI,YAAoB;AAAE,WAAO;AAAA,EAAkB;AAAA,EAEnD,MAAM,MAAM,SAAsD;AAChE,QAAI,CAAC,KAAK,OAAO,mBAAoB,QAAO;AAC5C,WAAO,KAAK,OAAO,mBAAmB,OAAO;AAAA,EAC/C;AACF;;;ACwCA,eAAsB,6BACpB,QACA,QACA,sBACA,cACA,cACA,gBACuC;AACvC,QAAM,cAAc,IAAI;AAAA,IACtB;AAAA,IAAQ;AAAA,IAAQ,gBAAgB;AAAA,IAAM,gBAAgB;AAAA,IAAM,kBAAkB;AAAA,EAChF;AACA,QAAM,WAAW,MAAM,YAAY,WAAW;AAE9C,QAAM,WAAW,IAAI;AAAA,IACnB,gBAAgB;AAAA,IAAM;AAAA,IAAQ;AAAA,IAAQ,SAAS;AAAA,EACjD;AACA,QAAM,mBAAmB,IAAI;AAAA,IAC3B,gBAAgB;AAAA,IAAM;AAAA,IAAQ;AAAA,EAChC;AACA,QAAM,YAAY,IAAI,iBAAiB,QAAQ,QAAQ,QAAQ;AAC/D,QAAM,gBAAgB,IAAI,oBAAoB,MAAM;AACpD,MAAI,eAAgB,eAAc,kBAAkB,cAAc;AAElE,QAAM,uBAAuB,IAAI;AAAA,IAC/B;AAAA,IAAQ;AAAA,IAAQ;AAAA,IAAkB;AAAA,IAClC,SAAS;AAAA,IAAwB,gBAAgB;AAAA,EACnD;AACA,QAAM,gBAAgB,IAAI;AAAA,IACxB;AAAA,IAAQ;AAAA,IAAU;AAAA,IAAe;AAAA,IAAsB;AAAA,EACzD;AACA,QAAM,sBAAsB,IAAI,oBAAoB,QAAQ,QAAQ;AACpE,MAAI,gBAAgB;AAClB,wBAAoB;AAAA,MAClB;AAAA,IACF;AAAA,EACF;AAEA,QAAM,qBAA8C;AAAA,IAClD,IAAI,SAAS;AAAE,aAAO;AAAA,IAAQ;AAAA,IAC9B,IAAI,SAAS;AAAE,aAAO;AAAA,IAAQ;AAAA,IAC9B,oBAAoB;AAAA,IACpB,yBAAyB,oBAAI,IAAI;AAAA,IACjC,IAAI,WAAW;AAAE,aAAO;AAAA,IAAU;AAAA,IAClC,IAAI,gBAAgB;AAAE,aAAO;AAAA,IAAe;AAAA,IAC5C,IAAI,kBAAkB;AAAE,aAAO;AAAA,IAAsB;AAAA,IACrD,IA
AI,mBAAmB;AAAE,aAAO,SAAS;AAAA,IAAkB;AAAA,IAC3D,IAAI,eAAe;AAAE,aAAO,gBAAgB;AAAA,IAAM;AAAA,IAClD,IAAI,eAAe;AAAE,aAAO,SAAS,gBAAgB;AAAA,IAAM;AAAA,IAC3D,IAAI,uBAAuB;AAAE,aAAO;AAAA,IAAsB;AAAA,IAC1D,MAAM,oBAAoB,YAAoB,SAAiB;AAC7D,aAAO,qBAAqB,oBAAoB,YAAY,OAAO;AAAA,IACrE;AAAA,IACA,MAAM,uBAAuB;AAC3B,UAAI,SAAS,gBAAgB,OAAO,oBAAoB,OAAO,GAAG;AAChE,cAAM,SAAS,aAAa,aAAa,OAAO,mBAAmB;AAAA,MACrE;AAAA,IACF;AAAA,EACF;AAEA,QAAM,WAAW,IAAI,sBAAsB;AAAA,IACzC,IAAI,iBAAiB,kBAAkB;AAAA,IACvC,IAAI,mBAAmB,kBAAkB;AAAA,IACzC,IAAI,sBAAsB,oBAAoB,WAAW,oBAAoB;AAAA,IAC7E,IAAI,oBAAoB,kBAAkB;AAAA,IAC1C,IAAI,wBAAwB,kBAAkB;AAAA,IAC9C,IAAI,qBAAqB,kBAAkB;AAAA,IAC3C,IAAI,oBAAoB,kBAAkB;AAAA,IAC1C,IAAI,cAAc,kBAAkB;AAAA,IACpC,IAAI,sBAAsB,kBAAkB;AAAA,IAC5C,IAAI,gBAAgB,oBAAoB,SAAS;AAAA,IACjD,IAAI,oBAAoB,kBAAkB;AAAA,IAC1C,IAAI,gBAAgB,kBAAkB;AAAA,IACtC,IAAI,mBAAmB,kBAAkB;AAAA,IACzC,IAAI,eAAe,kBAAkB;AAAA,IACrC,IAAI,eAAe,kBAAkB;AAAA,IACrC,IAAI,wBAAwB,kBAAkB;AAAA,IAC9C,IAAI,mBAAmB,kBAAkB;AAAA,EAC3C,GAAG,MAAM;AAET,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;ACjIA,IAAM,aAAa,oBAAI,QAA0B;AACjD,IAAI,iBAAiB;AAEd,IAAM,wBAAN,MAA4B;AAAA,EACjC,eAAe,oBAAI,IAAyB;AAAA,EAC5C;AAAA,EACA,eAA4C;AAAA,EACnC;AAAA,EACA;AAAA,EAET,YAAY,QAAgC,QAAiB;AAC3D,SAAK,SAAS;AACd,SAAK,SAAS,UAAU;AACxB,SAAK,kBAAkB,IAAI,gBAAgB,QAAQ,KAAK,MAAM;AAAA,EAChE;AAAA,EAEA,eAAe,SAA0C;AACvD,WAAO,KAAK,aAAa,IAAI,OAAO;AAAA,EACtC;AAAA,EAEA,kBAAkB,IAA2B;AAC3C,UAAM,KAAK,KAAK,WAAW,EAAE;AAC7B,QAAI,CAAC,KAAK,aAAa,IAAI,EAAE,GAAG;AAC9B,YAAM,KAAK,IAAI,YAAY;AAC3B,SAAG,4BAA4B,KAAK,OAAO;AAC3C,WAAK,aAAa,IAAI,IAAI,EAAE;AAAA,IAC9B;AACA,WAAO,KAAK,aAAa,IAAI,EAAE;AAAA,EACjC;AAAA,EAEA,iBAAqC,IAAU;AAC7C,IAAC,GAA+B,eAAe,IAAI,KAAK,WAAW,EAAE;AACrE,WAAO;AAAA,EACT;AAAA,EAEA,WAAW,IAAsB;AAC/B,QAAI,CAAC,WAAW,IAAI,EAAE,GAAG;AACvB,iBAAW,IAAI,IAAI,eAAe,EAAE,cAAc,EAAE;AAAA,IACtD;AACA,WAAO,WAAW,IAAI,EAAE;AAAA,EAC1B;AAAA,EAEA,MAAM,2BAA2B,cAAoD;AACnF,QAAI,aAAc,OAAM,KAAK,gBAAgB,gBAAgB,YAAsE;AAAA,EACrI;AAAA,EAEA,MAAM,gBAAgB,cAAmD;AACv
E,SAAK,eAAe;AACpB,UAAM,KAAK,gBAAgB,gBAAgB,YAAY;AAAA,EACzD;AAAA,EAEA,MAAM,mBACJ,WACA,UACA,aACA,QACA,eACA,MACe;AACf,QAAI,CAAC,KAAK,aAAc;AACxB,QAAI;AACF,YAAM,KAAK,aAAa,UAAU;AAAA,QAChC,WAAW,oBAAI,KAAK;AAAA,QACpB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA,UAAU,QAAQ,CAAC;AAAA,MACrB,CAAC;AAAA,IACH,QAAQ;AAAA,IAAoB;AAAA,EAC9B;AAAA,EAEA,MAAM,sBACJ,SACA,QACA,eACA,MACe;AACf,UAAM,KAAK,mBAAmB,iBAAiB,SAAS,mBAAmB,QAAQ,eAAe,IAAI;AAAA,EACxG;AAAA,EAEA,MAAM,8BACJ,SACA,QACA,UACA,MACe;AACf,UAAM,KAAK,mBAAmB,yBAAyB,SAAS,mBAAmB,QAAQ,kBAAkB,EAAE,UAAU,GAAG,KAAK,CAAC;AAAA,EACpI;AAAA,EAEA,MAAM,mBACJ,SACA,OACA,QACA,MACe;AACf,UAAM,KAAK,mBAAmB,uBAAuB,SAAS,mBAAmB,cAAc,KAAK,IAAI,MAAM,cAAc,cAAc,EAAE,OAAO,QAAQ,GAAG,KAAK,CAAC;AAAA,EACtK;AAAA,EAEA,MAAM,4BACJ,SACA,eACA,QACA,MACe;AACf,UAAM,KAAK,mBAAmB,uBAAuB,SAAS,mBAAmB,QAAQ,eAAe,IAAI;AAAA,EAC9G;AACF;AAEO,SAAS,wBACd,SACA,kBACyB;AACzB,QAAM,UAAU,QAAQ,MAAM;AAC9B,MAAI,CAAC,WAAW,OAAO,YAAY,SAAU,QAAO;AACpD,SAAO,iBAAiB,eAAe,OAAO;AAChD;;;AC5HO,SAAS,cAAwC,MAAS;AAC/D,SAAO,cAAc,KAAK;AAAA,IACxB,UAAU,WAAsB,WAAsB;AACpD,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,YAAI,UAAW,IAAG,cAAc;AAChC,YAAI,UAAW,IAAG,cAAc;AAChC,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,eAAe,WAAqB;AAClC,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,mBAAmB;AACtB,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,eAAe,WAAqB;AAClC,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,qBAAqB;AACxB,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,YAAY,WAAsB;AAChC,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,sBAAsB,IAAI,IAAI,aAAa,CAAC,OAAO,OAAO,OAAO,CAAC;AACrE,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,OAAO,QAAkB;AACvB,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,mBAAW,SAAS,OAAQ,IAAG,eAAe,IAAI,KAAK;AACvD,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;;;AC3CO,SAAS,aAAuC,MAAS;AAC9D,SAAO,cAAc,KAAK;AAAA,IACxB,UAAU,UAAkB,SAAS,IAAI;AACvC,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,YAAY;AACf,WAAG,kBAAkB;AACrB,
eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,aAAa,QAA0C;AACrD,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,gBAAgB;AACnB,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;;;ACnBO,SAAS,eAAyC,MAAS;AAChE,SAAO,cAAc,KAAK;AAAA,IACxB,eAAe;AACb,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,eAAe;AAClB,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,YAAY,OAAO,UAAU;AAC3B,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,eAAe;AAClB,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,WAAW,aAAa,aAAa;AACnC,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,iBAAiB;AACpB,WAAG,gBAAgB,UAAU,IAAI;AACjC,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,eAAe,SAAiC;AAC9C,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,eAAO,OAAO,GAAG,iBAAiB,OAAO;AACzC,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;;;ACjCO,SAAS,iBAA2C,MAAS;AAClE,SAAO,cAAc,KAAK;AAAA,IACxB,gBAAgB,UAAoB;AAClC,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,kBAAkB,KAAK,GAAG,QAAQ;AACrC,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,kBAAkB,cAAwB;AACxC,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,sBAAsB;AACzB,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,eAAe,WAAmB;AAChC,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,iBAAiB;AACpB,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,gBAAgB,gBAA0B;AACxC,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,kBAAkB;AACrB,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,iBAAiB,WAAqE;AACpF,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,iBAAiB,KAAK,SAAS;AAClC,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;;;AC1CO,SAAS,WAAqC,MAAS;AAC5D,SAAO,cAAc,KAAK;AAAA,IACxB,aAAa,UAAkB,SAAS,MAAM,SAAyB,OAAO;AAC5E,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,cAAc,KAAK,IAAI,aAAa,SAAS,UAAU,QAAQ,MAAM,MAAM,CAAC;AAC/E,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,cAAc,SAAiB,gBAAwB,SAAS,OAAO,SAAyB,OAAO;AACrG,aAAO,CA
AqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,cAAc,KAAK,IAAI,aAAa,kBAAkB,gBAAgB,QAAQ,SAAS,MAAM,CAAC;AACjG,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,iBAAiB,OAAuB;AACtC,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,cAAc,KAAK,GAAG,KAAK;AAC9B,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,oBAAoB,cAAsB,SAAS,KAAK,SAAyB,OAAO;AACtF,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,cAAc,KAAK,IAAI,aAAa,aAAa,cAAc,QAAQ,MAAM,MAAM,CAAC;AACvF,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;;;ACpCO,SAAS,SAAmC,MAAS;AAC1D,SAAO,cAAc,KAAK;AAAA,IACxB,WAAW,WAAmB,SAAiB,YAAY,OAAO;AAChE,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,mBAAmB,EAAE,OAAO,WAAW,KAAK,QAAQ;AACvD,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,oBAAoB,UAAU,MAAM;AAClC,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,4BAA4B;AAC/B,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,IAEA,kBAAkB,YAAsB;AACtC,aAAO,CAAqB,OAAa;AACvC,cAAM,KAAK,KAAK,kBAAkB,EAAE;AACpC,WAAG,iBAAiB,KAAK,OAAO,YAAY;AAC1C,cAAI;AACF,kBAAM,YAAY,MAAM,QAAQ,KAAK;AACrC,gBAAI,UAAU,WAAW,EAAG,QAAO;AAEnC,kBAAM,WAAW,IAAI,YAAY,EAAE,OAAO,SAAS;AACnD,gBAAI,OAAgC,CAAC;AAErC,kBAAM,cAAc,QAAQ,QAAQ,cAAc,KAAK;AACvD,gBAAI,YAAY,SAAS,MAAM,GAAG;AAChC,qBAAO,KAAK,MAAM,QAAQ;AAAA,YAC5B,WAAW,YAAY,SAAS,MAAM,GAAG;AACvC,yBAAW,QAAQ,SAAS,MAAM,GAAG,GAAG;AACtC,sBAAM,CAAC,KAAK,KAAK,IAAI,KAAK,MAAM,GAAG;AACnC,oBAAI,OAAO,MAAO,MAAK,mBAAmB,GAAG,CAAC,IAAI,mBAAmB,KAAK;AAAA,cAC5E;AAAA,YACF;AAEA,uBAAW,SAAS,YAAY;AAC9B,kBAAI,KAAK,KAAK,MAAM,UAAa,KAAK,KAAK,MAAM,MAAM,KAAK,KAAK,MAAM,MAAM;AAC3E,uBAAO;AAAA,kBACL,YAAY;AAAA,kBACZ,SAAS,CAAC;AAAA,kBACV,YAAY;AAAA,kBAAC;AAAA,kBACb,MAAM,IAAI,YAAY,EAAE,OAAO,WAAW;AAAA,kBAC1C,UAAU;AAAA,gBACZ;AAAA,cACF;AAAA,YACF;AAAA,UAEF,QAAQ;AAAA,UAAe;AAEvB,iBAAO;AAAA,QACT,CAAC;AACD,eAAO,KAAK,iBAAiB,EAAE;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;;;ACvDO,IAAM,oBAAoB;AAAA,EAC/B;AAAA,IACE;AAAA,MACE;AAAA,QACE;AAAA,UACE;AAAA,YACE;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;","names":["z","VALID_CLOU
D_PROVIDERS","count","ipaddr","ipaddr","detectPenetrationAttempt","isValid","CloudHandler","response"]}
@@ -0,0 +1,8 @@
1
+ import {
2
+ SusPatternsManager
3
+ } from "./chunk-I634N6VV.js";
4
+ import "./chunk-DGUM43GV.js";
5
+ export {
6
+ SusPatternsManager
7
+ };
8
+ //# sourceMappingURL=sus-patterns-YZFPGJEF.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
@@ -0,0 +1,22 @@
1
+ import {
2
+ checkIpCountry,
3
+ detectPenetrationAttempt,
4
+ extractClientIp,
5
+ isIpAllowed,
6
+ isUserAgentAllowed,
7
+ logActivity,
8
+ sanitizeForLog,
9
+ sendAgentEvent
10
+ } from "./chunk-4HBVN5N7.js";
11
+ import "./chunk-DGUM43GV.js";
12
+ export {
13
+ checkIpCountry,
14
+ detectPenetrationAttempt,
15
+ extractClientIp,
16
+ isIpAllowed,
17
+ isUserAgentAllowed,
18
+ logActivity,
19
+ sanitizeForLog,
20
+ sendAgentEvent
21
+ };
22
+ //# sourceMappingURL=utils-5L6SNIYK.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
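--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,76 @@
+ {
+ "name": "@guardcore/core",
+ "version": "1.0.0",
+ "description": "Framework-agnostic security middleware engine for Node.js and edge runtimes",
+ "type": "module",
+ "main": "./dist/index.cjs",
+ "module": "./dist/index.js",
+ "types": "./dist/index.d.ts",
+ "exports": {
+ ".": {
+ "types": "./dist/index.d.ts",
+ "import": "./dist/index.js",
+ "require": "./dist/index.cjs"
+ }
+ },
+ "files": [
+ "dist"
+ ],
+ "scripts": {
+ "build": "tsup",
+ "test": "vitest run",
+ "test:watch": "vitest",
+ "lint": "tsc --noEmit",
+ "clean": "rm -rf dist"
+ },
+ "dependencies": {
+ "ipaddr.js": "^2.2",
+ "zod": "^4.3"
+ },
+ "devDependencies": {
+ "@vitest/coverage-v8": "^4.1.2",
+ "tsup": "^8",
+ "typescript": "~5.9",
+ "vitest": "^4"
+ },
+ "peerDependencies": {
+ "acorn": "^8",
+ "he": "^1",
+ "ioredis": "^5",
+ "lru-cache": "^11",
+ "maxmind": "^4",
+ "re2-wasm": "^1"
+ },
+ "peerDependenciesMeta": {
+ "ioredis": {
+ "optional": true
+ },
+ "re2-wasm": {
+ "optional": true
+ },
+ "maxmind": {
+ "optional": true
+ },
+ "lru-cache": {
+ "optional": true
+ },
+ "he": {
+ "optional": true
+ },
+ "acorn": {
+ "optional": true
+ }
+ },
+ "license": "MIT",
+ "engines": {
+ "node": ">=18"
+ },
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/rennf93/guard-core-ts.git",
+ "directory": "packages/core"
+ },
+ "publishConfig": {
+ "access": "public"
+ }
+ }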
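Review bot: All six entries in `peerDependencies` are marked optional under `peerDependenciesMeta`, including `re2-wasm` and `maxmind`, so a default install of this security engine pulls in none of them and the package manager reports nothing. The manifest does not show what the engine does when a peer is absent; if pattern matching then falls back to the built-in RegExp engine, or country checks are skipped, a deployment can lose a protection without anyone noticing. I would document which check depends on which peer, and have initialization log a warning that names every configured check whose peer failed to load. If any check cannot work safely without its peer, dropping that peer's `"optional": true` entry would at least surface a missing-peer warning at install time.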